3.6 Flashcards

1
Q

High Availability across zones

A

Availability zones are physically separate locations within a cloud region, each holding one or more data centers. Zones are independent of one another, with their own networks, power supplies and Heating, Ventilation and Air Conditioning (HVAC), the cooling usually arranged in hot and cold aisles, so that a failure in one zone does not spread to the others. Applications can be distributed across multiple zones so that if one zone fails, the application remains available.

2
Q

Resource Policies

A

Resource policies are attached to a resource (a storage bucket, a queue, a key) and state which principals may perform which actions on it. They are central to access management and to auditing, because the answer to "who can do what to this resource" is recorded in one place. Apply the principle of least privilege: name the specific principals, actions and resources, and avoid wildcards, which grant far more than intended.

3
Q

Secrets Management

A

Secrets management is the process of storing, controlling access to and rotating the digital credentials that applications and privileged accounts use to authenticate: keys, tokens, passwords, API keys and SSH keys. A secrets manager, often called a vault, keeps these encrypted at rest, releases them only to authenticated and authorized callers, and logs every retrieval, so that secrets are not hard-coded in source code or configuration files.

4
Q

Integration and auditing

A

Integration is how the cloud services you use are connected to each other and to your own systems, and how data is handled as it flows between them from input to output; every integration point is a place where controls must be applied. A cloud auditor is responsible for checking that the policies and controls agreed with the cloud provider are actually in place and being followed.

Audits may include:

Encryption levels
Access Control Lists
Privileged account use
Password policies
Anti-phishing protection
Data Loss Prevention (DLP) controls

5
Q

Storage Permissions

A

Access to cloud storage is granted to identities (users, groups, applications and service accounts). Identities are placed in storage groups or assigned roles that carry different rights, such as read-only, read/write or full control, and each bucket or container can also carry its own access policy. Grant the minimum rights the identity needs and review group membership regularly.
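
The least-privilege check described in the Resource Policies and Storage Permissions cards, as an added example in Go that is not part of the original cards or any provider's tooling: it parses a constructed bucket-style policy document and flags Allow statements with an anonymous principal, a wildcard action or a wildcard resource. The bucket name, account ID and role name are placeholders; the document follows the AWS JSON policy shape, but the linter logic is the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample policy (placeholder bucket, account and role names).
// Statement 1 lets the whole world run every s3 action; statement 2 is the
// least-privilege form: one role, one action, one prefix.
const overPermissive = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicAnything", "Effect": "Allow", "Principal": "*",
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "AppWriteLogs", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-writer"},
   "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/logs/*"}
]}`

type statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Resource  json.RawMessage `json:"Resource"`
}

// asList normalises a field that policy JSON allows as a string or a string array.
func asList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		return many
	}
	return nil
}

// isWildcard catches "*" and service-wide wildcards such as "s3:*".
func isWildcard(values []string) bool {
	for _, v := range values {
		if v == "*" || strings.HasSuffix(v, ":*") {
			return true
		}
	}
	return false
}

// principalIsPublic handles both forms: "Principal": "*" and {"AWS": "*"}.
func principalIsPublic(raw json.RawMessage) bool {
	if vals := asList(raw); vals != nil {
		return isWildcard(vals)
	}
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) != nil {
		return false
	}
	for _, v := range obj {
		if isWildcard(asList(v)) {
			return true
		}
	}
	return false
}

// Findings returns one message per least-privilege violation in Allow statements.
func Findings(policyJSON string) ([]string, error) {
	var p struct {
		Statement []statement `json:"Statement"`
	}
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	var out []string
	for _, s := range p.Statement {
		if s.Effect != "Allow" {
			continue // Deny statements can only narrow access
		}
		if principalIsPublic(s.Principal) {
			out = append(out, s.Sid+": Principal is anonymous; the resource is world-accessible")
		}
		if isWildcard(asList(s.Action)) {
			out = append(out, s.Sid+": Action is a wildcard; name only the calls the caller needs")
		}
		if isWildcard(asList(s.Resource)) {
			out = append(out, s.Sid+": Resource is a wildcard; scope it to the specific ARN")
		}
	}
	return out, nil
}

func main() {
	findings, err := Findings(overPermissive)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d finding(s):\n", len(findings))
	for _, f := range findings {
		fmt.Println("  -", f)
	}
}
```

Run against the sample, the first statement produces two findings (anonymous principal, wildcard action) and the second produces none; the object-level wildcard in `example-bucket/logs/*` is deliberately not flagged, because object actions must name a prefix.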

6
Q

Storage Encryption

A

With cloud storage, you normally need more than one type of encryption. Data at rest is encrypted with a symmetric cipher, because there is a large amount of it and symmetric encryption is fast; AES-256 is the norm and is what Microsoft uses for Azure blob storage. Asymmetric RSA keys (2048 or 3072 bits, held in a key vault) are not applied to the data itself but are used to wrap the symmetric data-encryption keys, a pattern called envelope encryption, which is how customer-managed keys work. Data in transit needs its own protection, TLS (SSL is obsolete and should be disabled). Microsoft's Transparent Data Encryption (TDE) protects Azure SQL databases at rest the same way: the database is encrypted with an AES-256 key, which is in turn protected by an RSA 2048 or 3072 key.
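
To make the split between symmetric and asymmetric encryption concrete, here is an added example, not part of the original cards, of envelope encryption in Go: the blob is encrypted with a fresh AES-256-GCM data-encryption key, and only that 32-byte key is wrapped with an RSA-2048 key-encryption key, which stands in for the customer-managed key in a key vault. The blob contents and the OAEP label are constructed for the demo; transit protection (TLS) is a separate layer not shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what is stored beside the blob: the ciphertext plus the wrapped
// data-encryption key (DEK). The key-encryption key (KEK) never leaves the vault.
type Envelope struct {
	Nonce      []byte // 12-byte AES-GCM nonce, unique per DEK use
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
	WrappedDEK []byte // the 32-byte DEK encrypted with RSA-OAEP under the KEK
}

// NewKEK generates the RSA-2048 key-encryption key. In production this is the
// customer-managed key in a key vault or HSM; only wrap/unwrap calls reach it.
func NewKEK() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a blob with a fresh random AES-256 DEK (fast, any size of data)
// and wraps only that 32-byte DEK with RSA (slow, limited to a few hundred bytes).
func Seal(kek *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, []byte("storage-dek"))
	if err != nil {
		return nil, err
	}
	return &Envelope{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedDEK: wrapped,
	}, nil
}

// Open unwraps the DEK with the private KEK and decrypts. A wrong KEK fails at
// the unwrap step; any change to nonce or ciphertext fails GCM's tag check.
func Open(kek *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, env.WrappedDEK, []byte("storage-dek"))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong KEK or corrupted wrapped key")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	// Constructed blob contents for the demo.
	env, err := Seal(&kek.PublicKey, []byte("quarterly-report.pdf bytes would go here"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext %d bytes, wrapped DEK %d bytes (RSA-2048 output)\n",
		len(env.Ciphertext), len(env.WrappedDEK))
	pt, err := Open(kek, env)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(pt))
}
```

Rotating the customer-managed key then only means re-wrapping the small DEKs under the new RSA key; the terabytes of blob ciphertext are untouched, which is why the asymmetric key sits at the top of the envelope rather than on the data.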

7
Q

Storage Replication

A

Replication copies data to one or more additional locations so that a hardware, zone or regional failure does not lose it. Replication within a location or region is synchronous (the write is acknowledged only once every copy exists); replication to a secondary region is asynchronous, so the secondary can lag slightly behind the primary.

a. Locally Redundant Storage (LRS): three copies of your data are kept within a single physical location. It is the cheapest option but not high availability: if that data center loses power or is destroyed, everything is gone.
b. Zone Redundant Storage (ZRS): data is replicated synchronously across three separate availability zones within your region. It survives the loss of a zone; however, if a disaster affects the whole region, you have no access to the data.
c. Geo Redundant Storage (GRS): three copies are kept in a single physical location in the primary region using LRS, then the data is replicated asynchronously to a single location in a secondary region, where it is again stored as three LRS copies.
d. Geo Zone Redundant Storage (GZRS): data is replicated across three separate zones within your primary region (ZRS), then replicated asynchronously to a single location in a secondary region.

In GRS and GZRS the secondary copy exists for disaster recovery; it is only readable before a failover if the read-access variants (RA-GRS, RA-GZRS) are used.

8
Q

High Availability Storage

A

High availability storage keeps copies of your data in different locations (zones or regions) and serves it from another copy when one location fails, so the data stays reachable rather than merely recoverable from backup.

9
Q

Virtual Networks

A

A virtual network behaves much like a physical network: it has addressing, subnets and routing, but the switches, routers and firewalls are software. For the Security+ exam we must know the underlying concept of virtualization. To host a virtual environment, we install a hypervisor on a physical host; the hypervisor is the software layer that creates and runs the virtual machines (VMs) and controls their access to the host's CPU, memory, storage and network.

10
Q

Public and private subnets

A

Our cloud environment is broken down into subnets. A public subnet has a route to an internet gateway, so resources in it (load balancers, bastion hosts) can be reached from and can reach the internet directly. A private subnet has no such route; its resources (application and database servers) can only reach the internet outbound through a NAT gateway, which sits in a public subnet and forwards through the internet gateway, and nothing on the internet can initiate a connection to them.

11
Q

Segmentation

A

Segmentation controls which services may talk to which other zones or tiers. A strict set of rules, enforced in security groups, network access control lists and firewalls, is written against the IP address ranges of each subnet (for example, only the application subnet may reach the database subnet, and only on the database port). Within a private subnet, VLANs or further subnets can be used to isolate departments from one another.

12
Q

API inspection and integration

A

Representational State Transfer (REST) is an architectural style for web service APIs: clients act on resources identified by URLs using the standard HTTP methods (GET, POST, PUT, DELETE), usually exchanging JSON or XML, so that clients written in any language can use the service over HTTP. API inspection means placing a gateway or proxy in front of these APIs to authenticate callers, validate requests, rate-limit and log calls, because APIs are how cloud services are integrated and are a common attack surface.

13
Q

Security Groups

A

A security group is a virtual, stateful firewall attached to a compute instance (or its network interface). Each rule states the direction (inbound or outbound), protocol, port range and the source or destination, given as a CIDR range or another security group; anything not explicitly allowed inbound is dropped. Security groups belong to a cloud account and a region, and a template (for example an infrastructure-as-code definition) is used so that every instance of the same role receives the same rules.
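
The Segmentation and Security Groups cards together describe a default-deny rule set keyed on subnet ranges. As an added example (not code from the original page or from any cloud provider), this Go program models a database tier's inbound security group with constructed 10.0.x.0/24 subnet addresses and evaluates sample flows against it; anything no rule matches is dropped.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one inbound entry in a security group: who may talk to which
// protocol and port range. Traffic matching no rule is dropped.
type Rule struct {
	Name     string
	Source   *net.IPNet // CIDR the traffic must originate from
	Protocol string     // "tcp", "udp" or "icmp"
	FromPort int
	ToPort   int
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Constructed example layout (addresses are illustrative):
//   public subnet  10.0.1.0/24  load balancers and the bastion host 10.0.1.10
//   private subnet 10.0.2.0/24  application servers
//   private subnet 10.0.3.0/24  database servers
// DBRules is the database tier's security group: only the application subnet
// may reach PostgreSQL, and only the bastion host may SSH in.
var DBRules = []Rule{
	{"app-to-postgres", mustCIDR("10.0.2.0/24"), "tcp", 5432, 5432},
	{"bastion-ssh", mustCIDR("10.0.1.10/32"), "tcp", 22, 22},
}

// Evaluate returns the name of the first rule permitting the flow, or "" when
// the implicit default-deny applies.
func Evaluate(rules []Rule, src string, proto string, port int) string {
	ip := net.ParseIP(src)
	if ip == nil {
		return ""
	}
	for _, r := range rules {
		if r.Protocol == proto && r.Source.Contains(ip) && port >= r.FromPort && port <= r.ToPort {
			return r.Name
		}
	}
	return ""
}

func main() {
	flows := []struct {
		src   string
		proto string
		port  int
	}{
		{"10.0.2.15", "tcp", 5432},   // app server -> DB port: allowed
		{"10.0.1.10", "tcp", 22},     // bastion -> SSH: allowed
		{"10.0.1.20", "tcp", 22},     // other public-subnet host -> SSH: dropped
		{"10.0.2.15", "tcp", 22},     // app server -> SSH: dropped (wrong port)
		{"203.0.113.7", "tcp", 5432}, // internet -> DB port: dropped
	}
	for _, f := range flows {
		verdict := "DROP"
		if rule := Evaluate(DBRules, f.src, f.proto, f.port); rule != "" {
			verdict = "ALLOW by " + rule
		}
		fmt.Printf("%-13s %s/%-5d %s\n", f.src, f.proto, f.port, verdict)
	}
}
```

The rule set is small on purpose: when a rule such as `0.0.0.0/0` on port 22 appears in a database tier's group, the segmentation the card describes no longer exists, whatever the subnet layout says.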

14
Q

Dynamic Resource Allocation

A

This uses virtualization to scale cloud resources (CPU, memory, storage, instance count) up as demand grows and back down as it falls, so that capacity follows the load instead of being provisioned for the peak.

15
Q

Instance Awareness

A

We must keep an accurate inventory of VM instances so that an attacker, or a careless administrator, cannot stand up an unmanaged VM. Unmanaged instances cause VM sprawl: machines nobody patches or monitors, which are the easiest to compromise and the most likely place for an attack on the hypervisor such as a VM escape to be attempted. Use the cloud provider's inventory together with tools such as a Network Intrusion Detection System (NIDS), which will notice a new instance when it starts talking on the network, and have the IT team maintain and reconcile a list of managed VMs.

16
Q

Virtual Private Cloud (VPC) endpoint

A

A VPC endpoint creates a private connection between your VPC and another cloud service (for example the provider's storage service), so the traffic stays on the provider's network and never crosses the public internet; the resources using it need neither an internet gateway nor a NAT gateway to reach the service.

17
Q

Container Security

A

Container security is the set of tools and policies that ensure a container runs only as it was intended: scanning images for known vulnerabilities before deployment, pulling only from trusted registries, running containers as non-root with the minimum capabilities, and monitoring them at runtime for unexpected processes or network connections.

18
Q

CASB

A

A Cloud Access Security Broker (CASB) sits between users and cloud services and enforces the company's policies in the cloud, where on-premises controls such as Group Policy do not reach. It gives visibility of which cloud applications are in use (including shadow IT), applies access control and Data Loss Prevention rules to cloud traffic, and detects threats in the cloud accounts it brokers.

19
Q

Application Security

A

Application security in the cloud uses products such as a cloud Web Application Firewall (WAF), which filters HTTP requests in front of the application, and Runtime Application Self-Protection (RASP), which is instrumented into the application and blocks attacks from inside it at run time. Because RASP sees how input is actually used rather than matching signatures, it can stop attacks nobody has a signature for yet, including zero-day attacks.

20
Q

Next-generation secure web gateway (SWG)

A

A next-generation SWG is a forward proxy that sits between users and the web: it filters URLs and content, inspects the traffic like an inline Network Intrusion Prevention System (NIPS), and applies data and threat protection to cloud applications. Netskope is an example; its features include cloud security, remote data access, discovery and assessment of managed cloud applications, control of cloud application use, acceptable-use enforcement, protection against threats and protection of data wherever it travels.

21
Q

Firewall Consideration in a cloud environment

A

We need a good firewall to block unwanted incoming traffic and put up a barrier protecting internal cloud resources against attackers and malware. Cloud firewalls tend to be Web Application Firewalls, because most exposed cloud workloads are web applications; well-known examples in 2020 included Cloudflare's WAF and AWS WAF. Provider-native controls such as security groups and network ACLs are firewalls too, and must be configured alongside any WAF.

22
Q

Need for Segmentation

A

The cloud environment uses a Zero Trust model: no request is trusted because of where it comes from, so each user and device must prove its identity (and context such as location) before being granted access to each resource. Segmentation backs this up: firewall rules control which traffic may flow between the cloud regions, zones and subnets, so that a compromise in one segment cannot spread freely to the others.

23
Q

Open Systems Interconnection (OSI) layers

A

A traditional network firewall works at Layer 3 (and Layer 4) of the OSI model, filtering on IP addresses, protocols and ports, but most cloud firewalls are Web Application Firewalls working at Layer 7, inspecting the HTTP requests themselves for attacks such as SQL injection and cross-site scripting.

24
Q

Cloud native Controls vs. third-party solutions

A

Vendors such as Microsoft and Amazon Web Services (AWS) have their own native tools, such as Azure Resource Manager (ARM) templates and AWS CloudFormation, which define and manage their cloud resources, security settings included, as code. These tools make managing Microsoft and AWS cloud resources easy, but each works only for its own cloud. Third-party tools add flexibility: one tool and one policy set can cover several clouds and on-premises systems at once.