10. Cloud and Virtualization Security Flashcards
What domain covers threats, vulnerabilities, and mitigations in the CompTIA Security+ exam?
Domain 2.0
This domain includes various types of vulnerabilities and their implications.
What are two types of vulnerabilities mentioned in Domain 2.3?
Virtualization (VM escape, Resource reuse) and Cloud-specific
These vulnerabilities present unique challenges in security.
What domain focuses on security architecture in the CompTIA Security+ exam?
Domain 3.0
This domain includes concepts related to different architecture models.
Name two architecture concepts compared in Domain 3.1.
- Cloud
- Infrastructure as code (IaC)
Other concepts may include Serverless, Microservices, and Containerization.
What is a key general data consideration mentioned in Domain 3.3?
Data sovereignty
This pertains to the legal and regulatory considerations surrounding data storage and processing.
What domain addresses security operations in the CompTIA Security+ exam?
Domain 4.0
This domain includes applying common security techniques to computing resources.
What is meant by hardening targets in Domain 4.1?
Cloud infrastructure
This involves implementing security measures to protect cloud environments.
What advantages does cloud computing offer organizations?
- Agility
- Flexibility
- Cost-effectiveness
- Scalability
These advantages have led to widespread adoption across industries.
What approach do new businesses often take regarding cloud computing?
Born in the cloud
This approach allows businesses to operate without managing physical servers.
What are the main concerns for security professionals regarding cloud computing?
Common cloud security concerns and security controls
These are essential for ensuring the confidentiality, integrity, and availability of cloud operations.
Fill in the blank: The chapter discusses aspects of cloud computing most important for _______.
security professionals
This is crucial for those preparing for the Security+ exam.
What is cloud computing?
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.
What are the key characteristics of cloud computing?
- Ubiquitous access
- On-demand self-service
- Rapid provisioning and releasing
- Minimal management effort
- Shared pool of resources
What does multitenancy mean in cloud computing?
A cloud infrastructure where multiple users share the same physical hardware without knowledge of each other.
What is the difference between scalability and elasticity?
- Scalability: Rapidly increasing capacity
- Elasticity: Expanding and contracting capacity as needs change
What is measured service in cloud computing?
Cloud providers track resource usage, allowing customers to pay only for what they use.
What are the five key roles in cloud computing?
- Cloud service providers
- Cloud consumers
- Cloud partners (brokers)
- Cloud auditors
- Cloud carriers
What are the three major cloud service models?
- Infrastructure as a Service (IaaS)
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
What is Infrastructure as a Service (IaaS)?
A model allowing customers to purchase and manage basic computing resources like storage and networks.
What is Software as a Service (SaaS)?
A model providing fully managed applications running in the cloud accessible via a web browser.
What is Platform as a Service (PaaS)?
A model that offers a platform for customers to run their own applications, including execution environments and tools.
What is the role of Managed Service Providers (MSPs)?
Organizations that provide IT services, potentially across both cloud and on-premises deployments.
What defines a public cloud?
Infrastructure accessible to any customers under a multitenant model.
What is a private cloud?
Cloud infrastructure provisioned for use by a single customer, either managed by them or a third party.
What is a community cloud?
A multitenant cloud service shared among members of a specific community with shared missions or compliance requirements.
What does hybrid cloud refer to?
Cloud deployments that blend public, private, and/or community cloud services together.
Fill in the blank: In cloud computing, _______ allows customers to quickly increase or decrease their resource capacity.
[elasticity]
True or False: Cloud consumers are the organizations that provide cloud services.
False
What is the primary advantage of cloud computing regarding resource provisioning?
On-demand self-service computing enables resources to be available when and where needed.
List two major players in the IaaS market.
- Amazon Web Services (AWS)
- Microsoft Azure
True or False: SaaS applications typically require significant user management of the underlying infrastructure.
False
What is an example of Function as a Service (FaaS)?
AWS Lambda
What is the HathiTrust digital library an example of?
Community cloud
HathiTrust is a consortium of academic research libraries providing access to their collections.
Define hybrid cloud.
A blend of public, private, and/or community cloud services unified into a single platform.
What is public cloud bursting?
Using public cloud capacity when demand exceeds private cloud capacity.
What is the primary reason for adopting hybrid cloud environments?
To reduce single points of failure by decentralizing technology components.
What are AWS Outposts?
A hybrid cloud service where customers manage on-premises AWS equipment.
What is the shared responsibility model in cloud computing?
A division of cybersecurity responsibilities between service providers and customers.
In an IaaS environment, what security responsibilities does the customer have?
Security for the operating system, applications, and data.
True or False: In a PaaS solution, the vendor is responsible for the operating system.
True
What is the primary responsibility of the provider in a SaaS environment?
Most operational tasks, including cybersecurity.
Why is documenting the division of responsibilities important?
For compliance with external regulations.
What does the Cloud Reference Architecture by NIST provide?
A high-level taxonomy for cloud services.
What organization developed the Cloud Controls Matrix (CCM)?
Cloud Security Alliance (CSA).
What is edge computing?
Processing data close to the sensor to minimize data transferred to the cloud.
What does fog computing utilize?
IoT gateway devices located near sensors for preprocessing data.
Fill in the blank: Hybrid cloud requires technology that ______ different cloud offerings.
unifies
List the three types of cloud services mentioned.
- IaaS
- PaaS
- SaaS
What is a significant challenge of traditional cloud models in IoT applications?
Poor network connectivity in remote locations.
True or False: In the shared responsibility model, cloud providers are responsible for the security of hardware.
True
What technology allows multiple guest systems to share the same underlying hardware?
Virtualization
Virtualization is essential for modern datacenters, particularly in cloud computing.
What is the special operating system that runs on virtual host hardware?
Hypervisor
The hypervisor mediates access to underlying hardware resources.
What do virtual machines run on top of in a virtualized datacenter?
Virtual infrastructure provided by the hypervisor
Virtual machines can run standard operating systems like Windows and Linux.
What is the primary responsibility of a hypervisor?
Enforcing isolation between virtual machines
This ensures that virtual machines do not interfere with each other’s operations.
What illusion must the hypervisor present to each virtual machine?
A completely separate physical environment
This illusion is crucial for both operational and security aspects.
What are the two primary types of hypervisors?
Type I and Type II hypervisors
Each type has different operational mechanisms and efficiencies.
What is a Type I hypervisor also known as?
Bare-metal hypervisor
Type I hypervisors operate directly on the underlying hardware.
How do Type II hypervisors operate?
As an application on top of an existing operating system
This model introduces inefficiencies compared to Type I hypervisors.
Which type of hypervisor is most commonly used in datacenter virtualization?
Type I hypervisor
Type I hypervisors are preferred for their efficiency.
Fill in the blank: Type II hypervisors are less efficient than _______.
Type I hypervisors
This is due to the additional layer of the host operating system.
True or False: Virtual machines are aware they are running in a virtualized environment.
False
The hypervisor tricks virtual machines into thinking they have normal hardware access.
What does IaaS stand for?
Infrastructure as a Service
What are the primary resources provided by IaaS environments?
- Compute capacity
- Storage
- Networking
What is the main benefit of dynamic resource allocation in cloud computing?
Allows administrators to add and remove resources as needs change
What are virtual machines in the context of cloud computing?
The basic building block of compute capacity in the cloud
How is the cost of a server instance typically calculated?
Based on an hourly rate, varying by compute, memory, and storage resources
What is the purpose of containerization?
Provides application-level virtualization, allowing applications to be portable across systems
Name a popular containerization platform.
Docker
What security considerations should be enforced for containers?
- Isolation between containers
- Container-specific vulnerability management
- Segmenting by risk profile
What are the two major categories of cloud storage offerings?
- Block storage
- Object storage
What is block storage?
Allocates large volumes of storage for use by virtual server instances, formatted as virtual disks
How does object storage differ from block storage?
Files are treated as independent entities and storage is not preallocated
What is a key difference in cost between block storage and object storage?
Block storage is significantly more expensive than object storage
What are three key security considerations for cloud storage?
- Set permissions properly
- Consider high availability and durability
- Use encryption to protect sensitive data
What is the role of security groups in cloud networking?
Define permissible network traffic using a set of rules similar to a firewall ruleset
What is a Virtual Private Cloud (VPC)?
A method to achieve network segmentation in cloud environments by grouping systems into subnets
What is the purpose of Infrastructure as Code (IaC)?
Automates the provisioning, management, and deprovisioning of infrastructure services through scripted code
True or False: Security groups incur additional costs in cloud environments.
False
What is the advantage of integrating APIs in cloud environments?
Allows programmatic provisioning, configuration, and management of cloud resources
Fill in the blank: Containers provide _______ virtualization.
application-level
What is the function of AWS CloudFormation?
Allows developers to specify infrastructure requirements in formats like JSON and YAML
What major disadvantage arises from isolating operations teams from the development process?
Inhibits understanding of business requirements
What does SDN stand for in cloud networking?
Software-Defined Networking
What is the main feature of cloud service providers’ firewalls?
They do not provide direct access to customers to maintain isolation
What is the relationship between microservices and APIs in cloud environments?
Microservices communicate with each other through APIs in response to environmental events
What does IaaS stand for?
Infrastructure as a Service
What are the primary resources provided by IaaS environments?
- Compute capacity
- Storage
- Networking
What is the main benefit of dynamic resource allocation in cloud computing?
Allows administrators to add and remove resources as needs change
What are virtual machines in the context of cloud computing?
The basic building block of compute capacity in the cloud
How is the cost of a server instance typically calculated?
Based on an hourly rate, varying by compute, memory, and storage resources
What is the purpose of containerization?
Provides application-level virtualization, allowing applications to be portable across systems
Name a popular containerization platform.
Docker
What security considerations should be enforced for containers?
- Isolation between containers
- Container-specific vulnerability management
- Segmenting by risk profile
What are the two major categories of cloud storage offerings?
- Block storage
- Object storage
What is block storage?
Allocates large volumes of storage for use by virtual server instances, formatted as virtual disks
How does object storage differ from block storage?
Files are treated as independent entities and storage is not preallocated
What is a key difference in cost between block storage and object storage?
Block storage is significantly more expensive than object storage
What are three key security considerations for cloud storage?
- Set permissions properly
- Consider high availability and durability
- Use encryption to protect sensitive data
What is the role of security groups in cloud networking?
Define permissible network traffic using a set of rules similar to a firewall ruleset
What is a Virtual Private Cloud (VPC)?
A method to achieve network segmentation in cloud environments by grouping systems into subnets
What is the purpose of Infrastructure as Code (IaC)?
Automates the provisioning, management, and deprovisioning of infrastructure services through scripted code
True or False: Security groups incur additional costs in cloud environments.
False
What is the advantage of integrating APIs in cloud environments?
Allows programmatic provisioning, configuration, and management of cloud resources
Fill in the blank: Containers provide _______ virtualization.
application-level
What is the function of AWS CloudFormation?
Allows developers to specify infrastructure requirements in formats like JSON and YAML
What major disadvantage arises from isolating operations teams from the development process?
Inhibits understanding of business requirements
What does SDN stand for in cloud networking?
Software-Defined Networking
What is the main feature of cloud service providers’ firewalls?
They do not provide direct access to customers to maintain isolation
What is the relationship between microservices and APIs in cloud environments?
Microservices communicate with each other through APIs in response to environmental events
What are the advantages of cloud computing?
Operational and financial advantages
These advantages include scalability, cost efficiency, and flexibility.
What is a significant availability issue in cloud environments?
High availability is not always guaranteed with base-level cloud services
Organizations often need to purchase or configure high availability services.
Define data sovereignty.
Data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed
What must security professionals understand regarding data in cloud services?
How their data is stored, processed, and transmitted across jurisdictions
What is a virtual machine (VM) escape vulnerability?
An attack where an attacker leverages access to a virtual host to intrude upon resources assigned to a different virtual machine
What is virtual machine sprawl?
When IaaS users create virtual service instances and forget about them, leading to accumulated costs and security issues
What is resource reuse in cloud computing?
When cloud providers reassign hardware resources originally assigned to one customer to another customer
What type of technology should security analysts implement for API-based applications?
API inspection technology
What is the function of secure web gateways (SWGs)?
Monitor web requests made by internal users and evaluate them against the organization’s security policy
What role does technology governance play in cloud computing?
Guides IT organizations’ work to ensure consistency with organizational strategy and policy
What is an important component of cloud governance?
Auditability
True or False: Cloud computing contracts should guarantee the customer’s right to audit cloud service providers.
True
Fill in the blank: Cloud applications depend heavily on the use of ______ to provide service integration and interoperability.
APIs
What is the primary purpose of controls offered by cloud service providers?
Hardening the cloud infrastructure against attack
These controls help organizations achieve their security objectives in the cloud.
What are the advantages of using cloud-native controls?
Cost-effective and user-friendly
They integrate directly with the provider’s offerings.
What is a disadvantage of third-party solutions for cloud security?
More costly
However, they can integrate with a variety of cloud providers.
What role do Cloud Access Security Brokers (CASBs) play?
Serve as intermediaries between cloud service users and cloud service providers
They monitor user activity and enforce policy requirements.
What are the two approaches CASBs operate using?
- Inline CASB solutions
- API-based CASB solutions
How do inline CASB solutions function?
Physically or logically reside in the connection path between the user and the service
They can block requests that violate policy.
What is a limitation of API-based CASB solutions?
Cannot block requests that violate policy
They only monitor user activity and correct policy violations post-factum.
What are resource policies in cloud security?
Policies that limit the actions users of accounts may take
They help mitigate risks from accidental commands, compromised accounts, or malicious insiders.
What is an example of a restriction that a service control policy can impose?
Prohibit access to resources outside certain regions
Example regions: US-East and EU-West.
What is a Hardware Security Module (HSM)?
A special-purpose computing device that manages encryption keys and performs cryptographic operations
HSMs provide high security when configured properly.
What is a key benefit of using HSMs for encryption key management?
Creates and manages keys without exposing them to humans
This dramatically reduces the risk of key compromise.
Do cloud service providers use HSMs for their own operations?
Yes
They also offer HSM services to customers for secure key management.
Fill in the blank: The purpose of cloud access security brokers is to _______.
monitor user activity and enforce policy requirements
True or False: Inline CASB solutions require configuration of network devices.
True
True or False: API-based CASBs can block requests that violate policy.
False
What changes does cloud computing bring to the cybersecurity landscape?
It requires cooperation between cybersecurity professionals and cloud service providers.
What is the shared responsibility model in cloud security?
It is a model where cloud customers and providers must understand their responsibilities in meeting security control requirements.
What types of security controls may organizations adopt in the cloud?
Organizations may implement:
* Cloud-native security controls from providers
* Third-party controls that work across environments
* A mixture of both
What is a cloud access security broker (CASB)?
A CASB allows consistent enforcement of security policies across diverse cloud platforms.
What vulnerabilities may appear in cloud environments?
Vulnerabilities include:
* Virtual machine escape
* Resource reuse
What data sovereignty concerns may arise when using cloud services in different jurisdictions?
Using cloud services in different jurisdictions may introduce data sovereignty concerns.
True or False: Cybersecurity professionals are solely responsible for meeting security control requirements in cloud environments.
False
