3.1 Flashcards
Cloud infrastructures, network infrastructure concepts, other infrastructure concepts, infrastructure considerations
When using a cloud responsibility matrix, how do you know who is responsible for security?
Each CSP has their own policies
Contractual agreements
5 security considerations when using a hybrid cloud (more than one CSP for additional clouds)
Authentication across platforms
Firewall configurations
Server settings
^These three things need to match between clouds
Log monitoring - each CSP might have different types of logs using different terminology
Data leakage - data is constantly transferred from one cloud to another across the public internet
Enables the management and maintenance of security for third-party technologies/applications implemented in your organization’s private cloud
Vendor risk management policy
True/False
You must perform a third-party impact assessment for incident response
True
True/False
You can trust third-party processes to have robust security practices, so you don’t need to constantly monitor them for unusual activity or changes in availability
False
You cannot trust that third parties have not been compromised, so you always need to be monitoring them.
A method of defining cloud infrastructure (servers, networks, application instances, databases) as code, rather than as hardware.
This allows the administrator to quickly build, modify, and create versions of the infrastructure
Infrastructure as code
True/False
IaC allows an administrator to build out code and then copy/paste this layout to other CSPs. This way, the administrator can create their perfect layout and use it again and again.
True
FaaS stands for
Function as a Service
A cloud computing service where an application instance is serverless.
Instead of accessing the application, you are accessing only the individual, autonomous functions of the application: the microservices.
This method removes the emphasis on the OS. These microservices can run on any OS needed.
FaaS
How does serverless FaaS work?
Developers separate applications into individual, autonomous functions that are stored in the cloud server
Once the function is no longer needed, it is removed from the cloud
Why is it called serverless?
Because the developers do not need to worry about server infrastructure or server space.
Backend computing is provided on an as-used basis.
Difference between IaaS, PaaS, and serverless
IaaS is paid for as pre-purchased units of capacity. The client can set up a data collection system, etc.
PaaS charges the client for the resources used. However, the client must request more resources from the provider. The client does not have to set up the OS or anything about the underlying infrastructure. It is used for building apps.
Serverless is paid for on an as-used basis. Resources are automatically scaled. There is no backend/resource management at all. Serverless microservices are much more lightweight than PaaS applications, so they are faster.
True/False
In serverless architecture, ALL security concerns are the responsibility of the third party
True
True/False
In serverless architecture, microservices can be triggered and ephemeral
True
An application that is built as a single unified unit. It does everything, and all code needs to be present for the application to execute correctly. Takes care of user interface, business logic, I/O, etc.
It is self-contained and independent from other applications. It is made from ONE code base.
Monolithic application
What enables the use of microservices in cloud architecture? It acts as the “glue” between microservices.
It allows you to programmatically control the way that an application works
APIs
True/False
In comparison to a monolithic architecture, microservice architecture is more secure, more resilient, and more scalable.
True
A physical or digital separation that prevents a system from being reached by anyone or anything.
This means that this device also cannot connect to other computers or networks either wirelessly or physically.
Air gap
Why would an organization utilize air gapping?
Separate database servers and web servers
A managed service provider might use it to put one customer on one switch, and a different customer on another, physically isolated switch
It prevents attackers from gaining access
Describe physical segmentation
Each segment has its own separate physical devices and infrastructure. Not easily scalable, since more segments means more hardware is needed.
Describe logical segmentation
VLANs are used. You can configure one switch to have a group of interfaces belong to VLAN A, and the other group of interfaces to belong to VLAN B. This saves on hardware costs and is more scalable than physical segmentation.
True/False
Because logical segments are connected by the same physical switch, the VLANs have an inherent ability to communicate with each other.
False
The segmented VLANs need a Layer 3 device/router to communicate.
SDN stands for
Software-Defined Networking
The 3 functional planes involved in SDN
Data plane
Control plane
Management plane
The functional plane that:
Processes network frames and packets
Forwards packets
Enables trunking, encrypting, and NAT
Data plane
The functional plane that:
Manages routing tables, session tables, NAT tables
Executes dynamic routing protocol updates
Tells the data plane how to get data from point A to point B
Control plane