Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

3.0 - Implementation > 3.6 Cloud Cybersecurity Solutions > Flashcards

3.6 Cloud Cybersecurity Solutions Flashcards

1
Q

• Availability zones (AZ)
– Isolated locations within a cloud region (geographical location)
– AZ commonly spans across multiple regions
– Each AZ has independent power, HVAC, and networking
• Build applications to be highly available (HA)
– Run as active/standby or active/active
– Application recognizes an outage and moves to the other AZ
• Use load balancers to provide seamless HA
– Users don’t experience any application issues

A

HA across zones

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

• Identity and access management (IAM)
– Who gets access, what they get access to
• Map job functions to roles
– Combine users into groups
• Provide access to cloud resources
– Set granular policies - Group, IP address, date and time
• Centralize user accounts, synchronize across all platforms

A

Resource policies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q 
• Cloud computing includes many secrets
– API keys, passwords, certificates
• This can quickly become overwhelming
– Difficult to manage and protect
• Authorize access to the secrets
– Limit access to the secret service
• Manage an access control policy
– Limit users to only necessary secrets
• Provide an audit trail
– Know exactly who accesses secrets and when
A

Secrets management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

• Integrate security across multiple platforms
– Different operating systems and applications
• Consolidate log storage and reporting
– Cloud-based Security Information and Event
Management (SIEM)
• Auditing - Validate the security controls
– Verify compliance with financial and user data

A

Integration and auditing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q 
• Data is on a public cloud
– But may not be public data
• Access can be limited
– And protected
• Data may be required in different geographical locations
– A backup is always required
• Availability is always important
– Data is available as the cloud changes?
A

Cloud storage

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

• A significant cloud storage concern
– One permission mistake can cause a data breach
– Accenture, Uber, US Department of Defense
• Public access
– Should not usually be the default
• Many different options
– Identity and Access Management (IAM)
– Bucket policies
– Globally blocking public access
– Don’t put data in the cloud unless it really
needs to be there

A

Permissions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q 
• Cloud data is more accessible than non-cloud data
– More access by more people
• Server-side encryption
– Encrypt the data in the cloud
– Data is encrypted when stored on disk
• Client-side encryption
– Data is already encrypted when it’s sent to the cloud
– Performed by the application
• Key management is critical
A

Encryption

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q 
• Copy data from one place to another
– Real-time data duplication in multiple locations
• Disaster recovery, high availability
– Plan for problems
– Maintain uptime if an outage occurs
– Hot site for disaster recovery
• Data analysis
– Analytics, big data analysis
• Backups
– Constant duplication of data
A

Replication

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q 
• Connect cloud components
– Connectivity within the cloud
– Connectivity from outside the cloud
• Users communicate to the cloud
– From the public Internet
– Over a VPN tunnel
• Cloud devices communicate between each other
– Cloud-based network
– East/west and north/south communication
– No external traffic flows
A

Cloud Networks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

• A cloud contains virtual devices
– Servers, databases, storage devices
• Virtual switches, virtual routers
– Build the network from the cloud console
– The same configurations as a physical device
• The network changes with the rest of the infrastructure
– On-demand
– Rapid elasticity

A

Virtual networks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

• Private cloud
– All internal IP addresses
– Connect to the private cloud over a VPN
– No access from the Internet
• Public cloud
– External IP addresses
– Connect to the cloud from anywhere
• Hybrid cloud
– Combine internal cloud resources with external
– May combine both public and private subnets

A

Public and private subnets

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

• The cloud contains separate VPCs, containers,
and microservices
– Application segmentation is almost guaranteed
• Separation is a security opportunity
– Data is separate from the application
– Add security systems between application
components
• Virtualized security technologies
– Web Application Firewall (WAF)
– Next-Generation Firewall (NGFW)
• Intrusion Prevention System (IPS)

A

Segmentation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q 
• Microservice architecture is the
underlying application engine
– A significant security concern
• API calls can include risk
– Attempts to access critical data
– Geographic origin
– Unusual API calls
• API monitoring
– View specific API queries
– Monitor incoming and outgoing data
A

API inspection and integration

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q 
• The IaaS component for the cloud computing
environment
– Amazon Elastic Compute Cloud (EC2)
– Google Compute Engine (GCE)
– Microsoft Azure Virtual Machines
• Manage computing resources
– Launch a VM or container
– Allocate additional resources
– Disable/remove a VM or container
A

Compute cloud instances

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q 
• A firewall for compute instances
– Control inbound and outbound traffic flows
• Layer 4 port number
– TCP or UDP port
• Layer 3 address
– Individual addresses
– CIDR block notation
– IPv4 or IPv6
A

Security groups

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

• Provision resources when they are needed
– Based on demand - Provisioned automatically
• Scale up and down
– Allocate compute resources where and
when they are needed
– Rapid elasticity
– Pay for only what’s used
• Ongoing monitoring
– If CPU utilization hits a particular threshold, provision
a new application instance

A

Dynamic resource allocation

17
Q

• Granular security controls
– Identify and manage very specific data flows
– Each instance of a data flow is different
• Define and set policies
– Allow uploads to the corporate box.com file share
• Corporate file shares can contain PII
• Any department can upload to the
corporate file share
– Deny certain uploads to a personal box.com file share
• Allow graphics files
• Deny any spreadsheet
• Deny files containing credit card numbers
• Quarantine the file and send an alert

A

Instance awareness

18
Q

• Microservice architecture is the
VPC gateway endpoints
– Allow private cloud subnets to communicate to other
cloud services
• Keep private resources private
– Internet connectivity not required
• Add an endpoint to connect VPC resources

A

Virtual private cloud endpoints

19
Q

• Containers have similar security concerns as any other
application deployment method
– Bugs, insufficient security controls, misconfigurations
• Use container-specific operating systems
– A minimalist OS designed for containers
• Group container types on the same host
– The same purpose, sensitivity, and threat posture
– Limit the scope of any intrusion

A

Container security

20
Q

• Clients are at work, data is in the cloud
– How do you keep everything secure?
– The organization already has well-defined
security policies
• How do you make your security policies
work in the cloud?
– Integrate a CASB
– Implemented as client software, local security
appliances, or cloud-based security solutions
• Visibility
– Determine what apps are in use
– Are they authorized to use the apps?
• Compliance
– Are users complying with HIPAA? PCI?
• Threat prevention
– Allow access by authorized users, prevent attacks
• Data security
– Ensure that all data transfers are encrypted
– Protect the transfer of PII with DLP

A

Cloud access security broker (CASB)

21
Q 
• Secure cloud-based applications
– Complexity increases in the cloud
• Application misconfigurations
– One of the most common security issues
– Especially cloud storage
• Authorization and access
– Controls should be strong enough for access
from anywhere
• API security - Attackers will try to exploit interfaces and APIs
A

Application security

22
Q 
• Protect users and devices
– Regardless of location and activity
• Go beyond URLs and GET requests
– Examine the application API
– Dropbox for personal use or corporate use?
• Examine JSON strings and API requests
– Allow or disallow certain activities
• Instance-aware security
– A development instance is different than production
A

Next-Gen Secure Web Gateway (SWG)

23
Q 
• Control traffic flows in the cloud
– Inside the cloud and external flows
• Cost
– Relatively inexpensive compared to appliances
– Virtual firewalls
– Host-based firewalls
• Segmentation
– Between microservices, VMs, or VPCs
• OSI layers
– Layer 4 (TCP/UDP), Layer 7 (Application)
A

Firewalls in the cloud

24
Q

• Cloud-native security controls
– Integrated and supported by the cloud provider
– Many configuration options
– Security is part of the infrastructure
– No additional costs
• Third-party solutions
– Support across multiple cloud providers
– Single pane of glass
– Extend policies outside the scope of the cloud provider
– More extensive reporting

A

Security controls

3.0 - Implementation (9 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions