3.6 - 3.7 Flashcards
HA across zones for cloud services
Availability zones (AZ) for cloud services (like a different one for different countries); each is self-contained with independent power and network configs, so a failure in one zone doesn't affect the other zones
Need HA (high availability): can use a load balancer
Resource policies
IAM (identity and access management)
Groups like admins and users; people are assigned depending on policies: IP address groups, date and time.
Centralizes users, roles and access
Cloud storage
Has public and private clouds. For public clouds can set up data in different regions and availability zones
First step is permissions on data in the cloud set to private: IAM, bucket policies, globally blocked public access; put on the cloud only if need be
Second is to encrypt server-side to give another layer of protection so the cloud holds encrypted data, or client-side encryption where it is received already encrypted
Thirdly is replication: to maintain uptime, have the same data in multiple clouds; acts as a backup or a copy for analysis
Securing cloud storage
Cloud networks are either public or private (reached through a remote VPN); can create them virtually and have virtual switches and new instances.
Public and private subnets: private can connect with VPN but public has an external IP; there's also a hybrid
Then use segmentation for different containers or micro-services
Computing cloud instance
A computing instance like a virtual machine or container, connected through security groups and firewalls
Has dynamic resource allocation like load balancing, but is called rapid elasticity
Virtual private cloud endpoints
Private data fileshare for high-level access: a VPC gateway to the internet can be used to reach cloud storage, or the internet can be bypassed with a VPC endpoint
Container security
Be careful of bugs, misconfiguration or insufficient security controls
So group containers and use a container-specific OS; grouping the same
types limits the scope of intrusions
Cloud access security broker
CASB maintains security of data even if it may not be stored on site
Enforces sec policies by
Visibility, compliance, threat prevention, data security via transfer
SWG
Secure network gateway protects users and devices regardless of connection location
Query checking, examine API, instance-aware security and JSON strings
Identity provider (IdP)
Authentication as a service, since a third party is controlling this.
Uses attributes like name, employee ID, phone, email, job title etc.
Can also verify who that person is through certificates; depending on permissions these can be put in smart cards or USB tokens
Can also use SSH, which allows for authentication with public and
private keys rather than passwords
Account types
User accounts
Shared accounts
Guest accounts
Service accounts
Privileged accounts
Account policies
Username and password, with password policies or outside logins,
Perform periodic policy audits to ensure they are being used
Consider lockouts, but not for service accounts; also consider disabling an account if not wanting to delete it
Location-based policies: geolocation considerations, then geofencing and geotagging