3.6 Given a Scenario, apply Cybersecurity Solutions to the cloud Flashcards
High availability and high availability across zones.
High availability indicates a system or service remains operational with almost zero downtime. It’s typically achieved by using multiple load-balancing nodes. High availability across zones indicates that the nodes are located in different cloud locations, such as separate geographic locations. If one node fails, other nodes can take on its load.
Resource policies
In this context, resources refer to cloud-based resources such as folders, projects, and virtual machine instances. Customers rent access to resources, and the CSP resource policies ensure customers don’t create more resources than their plan allows.
Secrets management
Secrets refer to passwords and encryption keys that users create. A secrets management system stores and manages secrets, including keeping them secure.
Integration and auditing.
The CSP integrates security controls into the cloud-based resources, and auditing methods help customers identify the effectiveness of security controls at protecting the confidentiality, integrity, and availability of cloud-based resources.
Storage
Cloud-based storage allows customers to store data in the cloud. AWS stores data in buckets. Google uses Google Drive and allows users to store files in a hierarchical format similar to folders in Windows.
Permissions
Permissions identify who can access the data. While the processes differ with different CSPs, the concepts are similar to file system permissions.
Encryption.
Encryption protects the confidentiality of data, and CSPs commonly provide encryption services. This prevents unauthorized personnel from accessing data.
Replication
Data replication is the process of creating a copy of data and storing it in a different location. For example, you can replicate data on a desktop computer to a removable drive. Cloud data replication creates a copy of data in the cloud.
High availability
High availability indicates a system or service remains operational with almost zero downtime.
Networks
CSPs provide entire networks to organizations that need them.
Virtual Networks
A CSP creates virtual networks for customers that need them. These typically use software-defined network technologies (described later in this chapter) instead of physical routers and switches. A single server can host an entire virtual network.
Public and private subnets.
Public subnets have public IP addresses and are accessible via the Internet. Private subnets have private IP addresses and aren’t directly accessible via the Internet. Organizations typically use screened subnets for any public subnets that need to be accessible via the Internet. Virtual networks can mimic this design with both public and private subnets.
Segmentation.
Just as local networks support segmentation with virtual local area networks (VLANs) and screened subnets, cloud-based networks can segment computers or networks.
API inspection and integration
Compute
The CSP's compute engine lets customers create and run a variety of solutions, from single websites to full virtual networks.
Security groups.
Security groups are similar to groups used in Windows and described in the role-based access control model. Administrators assign permissions to a group and add users to the group.
Dynamic resource allocation
Cloud-based resources typically support elasticity. Elasticity indicates the CSP can dynamically allocate additional resources, such as more processors, more memory, or more disk space to a cloud-based resource when it’s needed. When the additional resources are no longer needed, the CSP can dynamically remove them.
Instance awareness.
Instance awareness refers to the ability of the CSP to know and report how many instances of cloud-based resources an organization is renting. This can help an organization avoid VM sprawl.
Virtual private cloud (VPC) endpoint.
A VPC endpoint is a virtual device within a virtual network. Users or services can connect to the VPC endpoint and then access other resources via the virtual network instead of accessing the resources directly via the Internet. This can significantly reduce the bandwidth required to access resources directly.
Container security.
Container virtualization (described earlier) runs services or applications within containers. CSPs commonly use containers with cloud resources, and container security protects these containers.
CASB
A CASB is a software tool or service deployed between an organization’s network and the cloud provider.
Application Security
Next-Generation Secure Web Gateway
A next-generation secure web gateway (SWG) is a combination of a proxy server and a stateless firewall. The SWG is typically a cloud-based service, but it can be an on-site appliance.
Firewall Considerations in a cloud environment
When creating virtual networks in the cloud, there are some additional items to consider. Just as physical networks need firewalls to prevent unauthorized access, virtual networks also need firewalls. It’s common to use two firewalls to create a screened subnet. This provides segmentation and helps reduce an attacker’s success when attacking the virtual network.
Cost
The cost of cloud-based firewalls varies depending on how they’re used. Smaller organizations can rent access to a firewall for employees on a per-user basis. This relieves the organization from managing the firewall.
Need for segmentation
Open Systems Interconnection (OSI) layers
Cloud-based firewalls typically operate on all seven layers of the Open Systems Interconnection (OSI) model, allowing them to filter traffic on the application layer. Appendix D, “The OSI Model,” provides a refresher on the OSI model if you need it.
Cloud native control vs. third-party solutions
CSPs employ native controls to protect cloud-based resources. This may be enough for some customers, but other customers want more security features and seek third-party solutions, such as a cloud access security broker (CASB).