19 - Cloud Computing Flashcards
What is cloud computing?
An on-demand delivery of IT capabilities where IT infrastructure and applications are provided to subscribers as a metered service over a network. Common characteristics are:
- On demand service
- Distributed Storage
- Rapid Elasticity
- Automated Management
- Broad Network Access
- Resource Pooling
- Measured Service
- Virtualization Technology
What are the types of cloud computing?
- Infrastructure-as-a-Service (IaaS): Provides VMs and other abstracted hardware and OSs which may be controlled through a service API.
  - Advantages: Dynamic scaling, guaranteed uptime, elastic load balancing
  - Disadvantages: High risk, performance issues
- Platform-as-a-Service (PaaS): Offers development tools, config management, and deployment platforms on-demand that can be used by subscribers to develop custom applications.
  - Advantages: Simplified deployment, instant community
  - Disadvantages: Vendor lock-in, data privacy
- Software-as-a-Service (SaaS): Offers software to subscribers, such as Google Docs, etc.
  - Advantages: Low cost, global accessibility
  - Disadvantages: Security and latency issues, total dependency on the internet
What are the different types of cloud deployment models?
- Public Cloud: Services that are rendered over a network that is open for public use.
- Private (Corporate) Cloud: Cloud infrastructure operated solely for a single organization
- Community Cloud: Shared infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.)
- Hybrid Cloud: Composition of two or more clouds that remain unique entities but are bound together.
What is the NIST Cloud Deployment Reference Architecture?
Defines five major factors:
- Cloud Consumer: User of cloud computing services.
- Cloud Provider: Person or organization providing services
- Cloud Carrier: An intermediary for providing connectivity and transport services between cloud consumers and providers
- Cloud Auditor: A party for making independent assessments of cloud service controls.
- Cloud Broker: An entity to manage cloud services in terms of use, performance, and delivery.
  - Service Intermediation: Improves a given function by a specific capability.
  - Service Aggregation: Combines and integrates multiple services into one or more services.
  - Service Arbitrage: Similar to service aggregation, but services are not fixed.
What are the benefits of cloud computing?
- Economic: Less maintenance costs, less total cost of ownership
- Operational: Flexibility and efficiency, scale as needed, deploy apps quickly
- Staffing: Less IT staff, good use of resources
- Security: standardized, effective patch management
What is virtualization?
The ability to run multiple OS on a single physical system and share the underlying resources such as a server, a storage device or a network. Involves partitioning, isolation, and encapsulation. Improves efficiency, business continuity, and reduces set up costs.
What are the types of Virtualization?
- Storage Virtualization: Combines storage devices from multiple networks into a single storage device
- Network Virtualization: Combines all network resources into a single virtual network.
- Server Virtualization: Splits a physical server into multiple smaller virtual servers.
What are some cloud computing threats?
- Data Breach/Loss
- Abuse and Nefarious Use of Cloud Services: Hosting malicious data, hosting exploits, password and key cracking
- Insecure Interfaces and APIs: Circumvents user-defined policies, unknown API dependencies, insufficient input data validation
- Insufficient Due Diligence: Ignorance of CSP’s cloud environment poses risk
- Shared Technology Issues: Most underlying components do not offer strong isolation properties.
- Unknown Risk Profile: Clients are unaware of the risks with the environment
- Unsynchronized System Clocks: Can affect automated tasks, can affect log analyzing
- Inadequate Infrastructure Design and Planning: poor design and shortage of resources can affect performance
- Conflicts Between Client Hardening Procedures and Cloud Environment
- Loss of Operational and Security Logs: poses a risk for investigation
- Malicious Insiders: Users can misuse their access to compromise the information available in the cloud.
- Illegal Access to the Cloud: Weak authentication and auth controls
- Loss of Business Reputation due to Co-tenant Activities: Malicious activity on one tenant can affect another
- Privilege Escalation: More access rights than needed can mistakenly be allowed
- Natural Disasters
- Hardware Failure: hardware failure can make the cloud inaccessible
- Supply Chain Failure: Security in the cloud is directly proportional to security of each link.
- Modifying Network Traffic: traffic can be modified due to flaws while provisioning
- Isolation Failure: Attackers try to control operations and gain illegal access
- Cloud Provider Acquisition
- Management Interface Compromise: Access to the management consoles is a risk.
- Network Management Failure: Poor management leads to congestion, misconnection, and misconfiguration
- Authentication Attacks: Weak auth mechanisms can allow attacks
- VM-Level Attacks: Vulnerabilities in hypervisors
- Lock-In: Inability of the client to migrate to another cloud provider
- Licensing Risks: fees that can be incurred
- Loss of Governance: Customers sacrifice control to cloud providers concerning security.
- Loss of Encryption Keys: Attacker can potentially get unauthorized access
- Improper Data Handling and Disposal: Difficult to control data when handled by cloud providers
- Loss/Modification of Backup Data: attackers gain access to data backups by exploiting vulnerabilities
- Compliance Risks: Risk of CSP not providing proof of compliance
- Economic Denial of Sustainability: Legit account holder can be sued for malicious service that consumes a lot of resources.
What are some cloud computing attacks?
- Service Hijacking using Social Engineering: Attacker targets CSP to reset password or other ways of access
- Service Hijacking using Network Sniffing: Packet sniffing used to capture sensitive data
- Session Hijacking using XSS Attack: Attacker uses XSS to steal cookies that are used to authenticate. Involves injecting malicious code into the website that is subsequently executed by the browser.
- Session Hijacking using Session Riding: Attacker rides an active computer session by sending an email or tricking the user to visit a malicious webpage while they are logged into the targeted site.
- Domain Name System (DNS) Attacks:
  - DNS Poisoning: Diverting users to a spoofed website
  - Cybersquatting: Conducting phishing scams by registering a domain name that is similar to a CSP's
  - Domain Hijacking: Stealing a CSP’s domain name
  - Domain Snipping: Registering an elapsed domain name
- Side Channel Attacks or Cross-Guest VM Breaches: Attacker runs malicious VM on same physical host of the victim’s VM and takes advantage of shared physical resources to steal data.
- SQL Injection Attack
- Cryptanalysis Attack: Insecure or obsolete encryption makes cloud services susceptible
- Wrapping Attack: Performed during the translation of SOAP message in the TLS layer where attackers duplicate the body of the message and send it to the server as a legitimate user.
- DoS/DDoS:
  - Flooding the server with multiple requests
  - Passing malicious input to the server that crashes the app
  - Entering wrong passwords continuously so that the user is locked out
  - Botnets are referred to as a DDoS
- Man-in-the-Cloud Attack: Advanced version of MitM, where an attacker intercepts communications by abusing cloud services. The attacker tricks the victim into installing malicious code, which plants the attacker’s synchronization token on the victim’s drive.
What are the Cloud Security Control Layers?
- Applications
- Information
- Management
- Network
- Trusted Computing
- Computer and Storage
- Physical
What are the cloud computing security considerations?
- Cloud computing services should be tailor-made
- CSPs should provide multi-tenancy
- CSPs should have a disaster recovery plan
- SLAs should be maintained
- Data should be stored securely
- Cloud service should be fast, reliable, and have a fast response
- Symmetric and asymmetric algos must be implemented
- Load balancing should be incorporated
What are the types of security controls in the cloud?
- Deterrent Controls: Reduce attacks on the cloud
- Preventative Controls: Strengthen the system against incidents by minimizing vulnerabilities
- Detective Controls: Detect and react appropriately to the incidents that happen
- Corrective Controls: Controls minimize the consequences of an incident, probably by limiting the damage.
What are the best practices for Securing the Cloud?
- Enforce data protection, backup, and retention mechanisms
- Enforce SLAs for patching and vulnerability remediation
- Enforce legal contracts in employee behavior policy
- Prohibit user cred sharing among users, apps, and services
- Implement strong authentication, authorization, and auditing
- Check for data protection
- Implement strong key gen and management practices
- Prevent unauthorized server access
- Disclose applicable logs and data to customers
- Analyze cloud provider security policies
- Access security of cloud APIs and log customer network traffic
- Ensure physical security
- Ensure storage, memory, and network access is isolated
- Leverage strong 2FA techniques
- Baseline security breach notification
- Enforce stringent registration and validation process
- Perform vulnerability and config risk assessment
- Enforce strict supply chain management
- Employ security devices such as IDS, IPS, and FW
- Use VPNs to secure clients
- Ensure SSL is used for sensitive and confidential data transmission
- Understand Terms and Conditions
What are the NIST recommendations for Cloud Security?
- Assess risk posed to data, software, and infrastructure
- Select appropriate deployment model according to needs
- Ensure audit procedures are in place
- Renew SLAs in case security gaps are found
- Establish appropriate incident detection and reporting mechanisms
- Analyze what the security objectives of the organization are
- Enquire about who is responsible for data privacy and security issues in the cloud
What is the Cloud Storage Architecture?
Cloud storage is the storage medium used to store digital data in logical pools. Consists of 3 main layers:
- Front-End: Accessed by end user, provides APIs
- Middleware: Performs several functions such as data de-duplication and replication of data.
- Back-End: Where the hardware is implemented