3. Security Architecture Flashcards
(26 cards)
3.1 Cloud Architecture Concepts
Responsibility Matrix: outlines division of responsibilities between CSP and customer. Inlcudes things such as data protection and infrastructure management
Hybrid considerations: offers flexibility and scalability, but also complexity
Third-party Cloud Services: SaaS, PaaS, IaaS. Do security assessments and compliance checks to make sure these services meet security requirements
3.1 Types of Cloud Environments
Public: internet-facing cloud environments (google services)
Private: Cloud services for a specific group or endpoint. Isolated access to the cloud network.
Community: infrastructure is shared between groups with like-concerns
3.1 Infrastructure as Code
automates security management which can reduce human error, but introduces large scale risk if code has a vulnerability
3.1 Network Infrastructure
Logical segmentation: use VLANs and subnets. limits spread of attacks
SDN: Software defined networking. Centralizes network control and offers consistent policy enforcement, but the SDN controller can be compromised
3.1 Serverless
Replaces a server on your network with something else, such as a cloud service like Azure. Reduces the attack surface but introduces risks if the API is insecure.
3.1 Centralized vs. decentralized
Centralized is easier to manage but causes a single point of failure.
3.1 Containerization
containers provide isolated environments for applications, but require careful management
3.1 Virtualization
improves resource utilization but introduces hypervisor vulnerabilities and VM escape
3.1 ICS/SCADA
Critical for industrial operations but often run as legacy systems which can be vulnerable
3.1 RTOS
Real-Time operating system: used in systems requiring high reliability and real-time processing, they need to operate without interruption
3.1 Embedded systems
Specialized computing systems that have limited resources, difficult to implement robust security measures
3.2 Name some infrastructure considerations for secure enterprise environments
Device Placement
Security Zones
Attack Surfaces
Connectivity
Failure Modes
Device Attributes
Network Appliances
Port Security
Firewall Types
3.2 Define failure-modes
fail-open (focuses on availability)
fail-closed (focuses on security)
3.2 Device Attributes
Active
Passive
Inline
Tap/Monitor
3.2 Network Appliances
Jump Server
Proxy Server
IDPS
Load Balancers
Sensors
3.2 Active/Active vs. Active/Passive Load Balancing
Active/Passive: a primary load balancer distributes network traffic, the second one monitors and steps in on failure
Active/Active: Two or more load balancers distribute network traffic together, and maintain caches for speed purposes
3.2 Firewall types
WAF (web application firewall)
UTM (unified threat management)
NGFW (next-gen firewall)
Layer 4 firewalls (Transport protocols)
Layer 7 firewalls (WAF for example)
3.2 Tunneling
Two endpoints that can decrypt the encrypted data. Headers are encrypted as well.
TLS: used for things like HTTPS
IPSec: Used for VPN traffic
3.2 IPsec modes of connection
Transport mode: Data is encrypted, but not IP header. Used for end-to-end between trusted networks.
Tunnel mode: Encrypts the header as well, used for transferring data on public networks, or when one endpoint is a security gateway to a private network (but not the other)
3.2 SASE
Secure Access Service Edge
A cloud-native network solution that relies on zero-trust for providing access to network resources regardless of geographical location.
3.2 Affinity Scheduling
Allocation or scheduling of computational tasks to different computer nodes, based on required resources or node appropriation.
3.3 Data Types
Regulated, Trade secret, intellectual property, Legal information, Financial information, Human and non-human readable
3.3 Data Classification
Sensitive, Confidential, Public, Restricted, Private, Critical
3.3 Data Sovereignty
How data is impacted by laws when transmitted across borders/legal areas
