3. Security Architecture

Question 1

3.1 Cloud Architecture Concepts

Answer 1

Responsibility Matrix: outlines division of responsibilities between CSP and customer. Inlcudes things such as data protection and infrastructure management

Hybrid considerations: offers flexibility and scalability, but also complexity

Third-party Cloud Services: SaaS, PaaS, IaaS. Do security assessments and compliance checks to make sure these services meet security requirements

Question 2

3.1 Types of Cloud Environments

Answer 2

Public: internet-facing cloud environments (google services)

Private: Cloud services for a specific group or endpoint. Isolated access to the cloud network.

Community: infrastructure is shared between groups with like-concerns

Question 3

3.1 Infrastructure as Code

Answer 3

automates security management which can reduce human error, but introduces large scale risk if code has a vulnerability

Question 4

3.1 Network Infrastructure

Answer 4

Logical segmentation: use VLANs and subnets. limits spread of attacks

SDN: Software defined networking. Centralizes network control and offers consistent policy enforcement, but the SDN controller can be compromised

Question 5

3.1 Serverless

Answer 5

Replaces a server on your network with something else, such as a cloud service like Azure. Reduces the attack surface but introduces risks if the API is insecure.

Question 6

3.1 Centralized vs. decentralized

Answer 6

Centralized is easier to manage but causes a single point of failure.

Question 7

3.1 Containerization

Answer 7

containers provide isolated environments for applications, but require careful management

Question 8

3.1 Virtualization

Answer 8

improves resource utilization but introduces hypervisor vulnerabilities and VM escape

Question 9

3.1 ICS/SCADA

Answer 9

Critical for industrial operations but often run as legacy systems which can be vulnerable

Question 10

3.1 RTOS

Answer 10

Real-Time operating system: used in systems requiring high reliability and real-time processing, they need to operate without interruption

Question 11

3.1 Embedded systems

Answer 11

Specialized computing systems that have limited resources, difficult to implement robust security measures

Question 12

3.2 Name some infrastructure considerations for secure enterprise environments

Answer 12

Device Placement
Security Zones
Attack Surfaces
Connectivity
Failure Modes
Device Attributes
Network Appliances
Port Security
Firewall Types

Question 13

3.2 Define failure-modes

Answer 13

fail-open (focuses on availability)
fail-closed (focuses on security)

Question 14

3.2 Device Attributes

Answer 14

Active
Passive
Inline
Tap/Monitor

Question 15

3.2 Network Appliances

Answer 15

Jump Server
Proxy Server
IDPS
Load Balancers
Sensors

Question 16

3.2 Active/Active vs. Active/Passive Load Balancing

Answer 16

Active/Passive: a primary load balancer distributes network traffic, the second one monitors and steps in on failure

Active/Active: Two or more load balancers distribute network traffic together, and maintain caches for speed purposes

Question 17

3.2 Firewall types

Answer 17

WAF (web application firewall)
UTM (unified threat management)
NGFW (next-gen firewall)
Layer 4 firewalls (Transport protocols)
Layer 7 firewalls (WAF for example)

Question 18

3.2 Tunneling

Answer 18

Two endpoints that can decrypt the encrypted data. Headers are encrypted as well.

TLS: used for things like HTTPS
IPSec: Used for VPN traffic

Question 19

3.2 IPsec modes of connection

Answer 19

Transport mode: Data is encrypted, but not IP header. Used for end-to-end between trusted networks.

Tunnel mode: Encrypts the header as well, used for transferring data on public networks, or when one endpoint is a security gateway to a private network (but not the other)

Question 20

3.2 SASE

Answer 20

Secure Access Service Edge

A cloud-native network solution that relies on zero-trust for providing access to network resources regardless of geographical location.

Question 21

3.2 Affinity Scheduling

Answer 21

Allocation or scheduling of computational tasks to different computer nodes, based on required resources or node appropriation.

Question 22

3.3 Data Types

Answer 22

Regulated, Trade secret, intellectual property, Legal information, Financial information, Human and non-human readable

Question 23

3.3 Data Classification

Answer 23

Sensitive, Confidential, Public, Restricted, Private, Critical

Question 24

3.3 Data Sovereignty

Answer 24

How data is impacted by laws when transmitted across borders/legal areas

Question 25

3.3 Methods to Secure Data

Answer 25

Geographic restrictions, encryption, hashing, masking, tokenization, obfuscation, segmentation, permission restrictions

Question 26

3.4 Load Balancing vs. Clustering

Answer 26

Both used for establishing high availability

load balancing: servers do not share resources, they contain copies of applications. Load balancer determines which server to forward traffic to.

Clustering: Servers share resources such as databases and communicate with each other to handle requests. The servers are aware of each other on the network.