3.6 - Given a scenario, apply cybersecurity solutions to the cloud. Flashcards

1
Q

Cloud security controls

A

Cloud-native security controls
– Integrated and supported by the cloud provider
– Many configuration options
– Security is part of the infrastructure
– No additional costs

2
Q

High availability across zones

A

* Availability zones (AZ)
  – Isolated locations within a cloud region (geographical location)
  – AZ commonly spans across multiple regions
  – Each AZ has independent power, HVAC, and networking
* Build applications to be highly available (HA)
  – Run as active/standby or active/active
  – Application recognizes an outage and moves to the other AZ
* Use load balancers to provide seamless HA
  – Users don’t experience any application issues

3
Q

Resource policies

A

* Identity and access management (IAM)
  – Who gets access, what they get access to
* Map job functions to roles
  – Combine users into groups
* Provide access to cloud resources
  – Set granular policies: group, IP address, date and time
* Centralize user accounts, synchronize across all platforms

4
Q

Secrets management

A

* Cloud computing includes many secrets
  – API keys, passwords, certificates
* This can quickly become overwhelming
  – Difficult to manage and protect
* Authorize access to the secrets
  – Limit access to the secret service
* Manage an access control policy
  – Limit users to only necessary secrets
* Provide an audit trail
  – Know exactly who accesses secrets and when

5
Q

Integration and auditing

A

* Integrate security across multiple platforms
  – Different operating systems and applications
* Consolidate log storage and reporting
  – Cloud-based Security Information and Event Management (SIEM)
* Auditing: validate the security controls
  – Verify compliance with financial and user data

6
Q

Storage

A

* Data is on a public cloud
  – But may not be public data
* Access can be limited
  – And protected
* Data may be required in different geographical locations
  – A backup is always required
* Availability is always important
  – Is the data still available as the cloud changes?

7
Q

Permissions

A

* A significant cloud storage concern
  – One permission mistake can cause a data breach
  – Accenture, Uber, US Department of Defense
* Public access
  – Should not usually be the default
* Many different options
  – Identity and Access Management (IAM)
  – Bucket policies
  – Globally blocking public access
  – Don’t put data in the cloud unless it really needs to be there

8
Q

Encryption

A

* Cloud data is more accessible than non-cloud data
  – More access by more people
* Server-side encryption
  – Encrypt the data in the cloud
  – Data is encrypted when stored on disk
* Client-side encryption
  – Data is already encrypted when it’s sent to the cloud
  – Performed by the application
* Key management is critical

9
Q

Replication

A

* Copy data from one place to another
  – Real-time data duplication in multiple locations
* Disaster recovery, high availability
  – Plan for problems
  – Maintain uptime if an outage occurs
  – Hot site for disaster recovery
* Data analysis
  – Analytics, big data analysis
* Backups
  – Constant duplication of data

10
Q

High availability

A

Availability zones (AZ)
– Isolated locations within a cloud region (geographical location)
– AZ commonly spans across multiple regions
– Each AZ has independent power, HVAC, and networking

Build applications to be highly available (HA)
– Run as active/standby or active/active
– Application recognizes an outage and moves to the other AZ

Use load balancers to provide seamless HA
– Users don’t experience any application issues

11
Q

Virtual networks

A

* A cloud contains virtual devices
  – Servers, databases, storage devices
* Virtual switches, virtual routers
  – Build the network from the cloud console
  – The same configurations as a physical device
* The network changes with the rest of the infrastructure
  – On-demand
  – Rapid elasticity

12
Q

Public and private subnets

A

Private cloud
– All internal IP addresses
– Connect to the private cloud over a VPN
– No access from the Internet

Public cloud
– External IP addresses
– Connect to the cloud from anywhere

Hybrid cloud
– Combine internal cloud resources with external
– May combine both public and private subnets

13
Q

Segmentation

A

* The cloud contains separate VPCs, containers, and microservices
  – Application segmentation is almost guaranteed
* Separation is a security opportunity
  – Data is separate from the application
  – Add security systems between application components
* Virtualized security technologies
  – Web Application Firewall (WAF)
  – Next-Generation Firewall (NGFW)
  – Intrusion Prevention System (IPS)

14
Q

API inspection and integration

A

* Microservice architecture is the underlying application engine
  – A significant security concern
* API calls can include risk
  – Attempts to access critical data
  – Geographic origin
  – Unusual API calls
* API monitoring
  – View specific API queries
  – Monitor incoming and outgoing data

15
Q

Compute

A
16
Q

Security groups

A

* A firewall for compute instances
  – Control inbound and outbound traffic flows
* Layer 4 port number
  – TCP or UDP port
* Layer 3 address
  – Individual addresses
  – CIDR block notation
  – IPv4 or IPv6

17
Q

Dynamic resource allocation

A

* Provision resources when they are needed
  – Based on demand; provisioned automatically
* Scale up and down
  – Allocate compute resources where and when they are needed
  – Rapid elasticity
  – Pay for only what’s used
* Ongoing monitoring
  – If CPU utilization hits a particular threshold, provision a new application instance

18
Q

Instance awareness

A

* Granular security controls
  – Identify and manage very specific data flows
  – Each instance of a data flow is different
* Define and set policies
  – Allow uploads to the corporate box.com file share
    * Corporate file shares can contain PII
    * Any department can upload to the corporate file share
  – Deny certain uploads to a personal box.com file share
    * Allow graphics files
    * Deny any spreadsheet
    * Deny files containing credit card numbers
    * Quarantine the file and send an alert

19
Q

VPC endpoint

A

Virtual private cloud endpoint

* VPC gateway endpoints
  – Allow private cloud subnets to communicate to other cloud services
* Keep private resources private
  – Internet connectivity not required
* Add an endpoint to connect VPC resources

20
Q

Container security

A

* Containers have similar security concerns as any other application deployment method
  – Bugs, insufficient security controls, misconfigurations
* Use container-specific operating systems
  – A minimalist OS designed for containers
* Group container types on the same host
  – The same purpose, sensitivity, and threat posture
  – Limit the scope of any intrusion

21
Q

Solutions

A

* Third-party solutions
  – Support across multiple cloud providers
  – Single pane of glass
  – Extend policies outside the scope of the cloud provider
  – More extensive reporting

22
Q

CASB

A

Cloud access security broker

* Clients are at work, data is in the cloud
  – How do you keep everything secure?
  – The organization already has well-defined security policies
* How do you make your security policies work in the cloud?
  – Integrate a CASB
  – Implemented as client software, local security appliances, or cloud-based security solutions
* Visibility
  – Determine what apps are in use
  – Are they authorized to use the apps?
* Compliance
  – Are users complying with HIPAA? PCI?
* Threat prevention
  – Allow access by authorized users, prevent attacks
* Data security
  – Ensure that all data transfers are encrypted
  – Protect the transfer of PII with DLP

Chapple 314
Gibson 164
Weiss 128-129, 428-429

23
Q

Application security

A

* Secure cloud-based applications
  – Complexity increases in the cloud
* Application misconfigurations
  – One of the most common security issues
  – Especially cloud storage
* Authorization and access
  – Controls should be strong enough for access from anywhere
* API security
  – Attackers will try to exploit interfaces and APIs

24
Q

SWG

A

Next-generation secure web gateway

* Protect users and devices
  – Regardless of location and activity
* Go beyond URLs and GET requests
  – Examine the application API
  – Dropbox for personal use or corporate use?
* Examine JSON strings and API requests
  – Allow or disallow certain activities
* Instance-aware security
  – A development instance is different than production

25
Q

Firewall considerations in a cloud environment

A

Firewalls in the cloud

Control traffic flows in the cloud
– Inside the cloud and external flows

Cost
– Relatively inexpensive compared to appliances
– Virtual firewalls
– Host-based firewalls

Segmentation
– Between microservices, VMs, or VPCs

OSI layers
– Layer 4 (TCP/UDP), Layer 7 (Application)

26
Q

Cost (Firewall considerations in a cloud environment)

A

– Relatively inexpensive compared to appliances
– Virtual firewalls
– Host-based firewalls

27
Q

Need for segmentation (Firewall considerations in a cloud environment)

A

– Between microservices, VMs, or VPCs

28
Q

OSI (Firewall considerations in a cloud environment)

A

Open Systems Interconnection layers

– Layer 4 (TCP/UDP), Layer 7 (Application)

29
Q

Cloud native controls vs. third-party solutions

A

Cloud-native security controls
– Integrated and supported by the cloud provider
– Many configuration options
– Security is part of the infrastructure
– No additional costs

Third-party solutions
– Support across multiple cloud providers
– Single pane of glass
– Extend policies outside the scope of the cloud provider
– More extensive reporting