6. Management Plane & business continuity - DONE

Question 1

Reminder what is the metastructure and what is the management plane?

The management plane is the most important area that you need to secure tightly and it is solely your responsibility to secure access to it.
”

Answer 1

the metastructure is the virtual world for which you need virtual tools. The management plane is the area where the virtual infrastructure of your cloud is built, configured, and destroyed. Remember that the management plane is a part of the metastructure. The management plane is your single interface to view, implement, and configure all of your resources in this virtual world.

you (or anyone) can connect to the management plane supplied by a cloud provider across the Internet using APIs or web browsers.

Question 2

Anyone with full access to the management plane quite simply has the power to build or destroy anything in your virtual world. Proper implementation and management of restricting access to the management plane is job number 1 as far as securing any cloud implementation.

“As you know, the cloud is a shared responsibility model, and this applies to the management plane as well.”

Answer 2

The provider is responsible for building a secure management plane for you to access, and you are responsible for ensuring that only appropriate people have appropriate qualifications to manage your virtual world and that every user has least privileges, and nothing more, to do only what they need to do.

Question 3

The management plane is often accessible via multiple methods. In general, you can expect to have access to command-line interface (CLI) tools, a web interface, or APIs.

When you’re considering these different access methods from a security perspective, be aware that quite often different credentials will be involved.

What credentials are needed for the web browser?

Answer 3

For example, when you’re connecting via the web browser, standard credentials such as a username and password are generally used. These credential sets can be stored within the cloud provider’s environment, or you can use identity federation to keep the credentials on your side and not on the provider’s side.

Question 4

The management plane is often accessible via multiple methods. In general, you can expect to have access to command-line interface (CLI) tools, a web interface, or APIs.

When you’re considering these different access methods from a security perspective, be aware that quite often different credentials will be involved.

What credentials are needed for the API?

Answer 4

accessing via the API generally uses either HTTP request signing or the OAuth protocol

Some providers will use an access key and secret access key as the credentials as part of authenticating and signing REST requests. The access key itself acts like your username, and the secret access key is like your password. Behind the scenes, the secret access key is used to sign the request.

Think of the API as being the engine that runs everything. Whether you use the web interface, the CLI, or any SDK, you’re likely having your request translated to the provider API, and that, in turn, is executed at the provider.

“You can generally consider that anything available via the web console will also be available via the API. If something is exposed via an API, it can be accessed programmatically. And if it can be accessed programmatically, it can be automated. A provider may offer some functionality to either method first, but these encounters should be rare with any established provider.”

Question 5

When you first register with a cloud provider, you will create an initial account that is considered the master account (some providers may call this the root account).

This account needs to be tightly locked down and used only to establish proper identity and access management. Here is some guidance regarding the creation and securing of this initial master account:”

Answer 5

1. Create the account using a unique corporate e-mail address. This e-mail address will be the user ID for the master account and may serve as how your provider will engage with your company. This account should never be created by someone using their personal e-mail address or corporate e-mail address.

2.Set up a distribution list for this master account e-mail. This will prevent several problems (e.g., the original creator leaves the company and all e-mails wind up in /dev/null [a UNIX term for a garbage bin], or someone vital doesn’t see an urgent message from the provider).

3.Establish a strong password that meets your security policy and establish multifactor authentication (MFA). Many providers will support the time-based one-time password (TOTP), a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors. Other providers may support a newer MFA method, Universal 2nd Factor (U2F), a safer MFA method than TOTP.

Question 6

When you first register with a cloud provider, you will create an initial account that is considered the master account (some providers may call this the root account).

This account needs to be tightly locked down and used only to establish proper identity and access management. What is the last step you do once the account, password and MFA for the master account are set up?

Answer 6

you need to set up a new super-admin account you can use to access the management plane. Once that’s done, you should write down the master account logon ID and password, put them in an envelope along with the MFA device, and lock these in a safe. From this point forward, the master account should be used only in emergencies, and all activity performed should use appropriate accounts.

Question 7

How will you secure the management plane properly?

Answer 7

“To secure the management plane properly, you need two things:”

a solid plan of who is allowed to do what (entitlements) and a provider that has a robust identity and access management (IAM) system that supports identification, authentication, and authorization with appropriate granularity.

This granularity will enable you to implement a least-privilege approach to restrict who is permitted to perform specific actions in your cloud environment.

Question 8

So far we have been looking at what the customer can do to secure their use of the management plane. What should the provider focus on when building the management plane, and what should customers be inspecting prior to using a provider?

Answer 8

*Perimeter security - How has the provider implemented controls to protect its network from attacks, both lower-level network defences and the application stack, for both web consoles and API gateways?

*Customer authentication - Does the provider allow the use of MFA? What types of MFA are supported, and what systems in the provider’s environment can use MFA? Does the provider support cryptographically secure methods of authentication such as OAuth or HTTP request signing?

*Internal authentication and credential passing - How does the provider allow for access within the environment? Do they support temporary credentials through the” “implementation of IAM roles, for example?

*Authorization and entitlements - How granular are the permissions that customers can use to support the least privilege? Does the provider simply grant anyone logging on with administrative privileges? If so, you won’t be able to create job-specific permissions

*Logging, monitoring, and alerting - How can you collect artefacts of compliance if you have no ability to log failed and successful logins, or to log what actions are taken by particular IAM accounts? The ability to log actions can lead to the discovery of malicious actions, and if appropriate orchestration is possible in the environment, this can be used to support event-driven security to lower response times to seconds thanks to automated response capabilities.

Question 9

What is architecting for failure?

Answer 9

“If you fail to plan, you plan to fail. BCP/DR in the cloud is like everything else we’ve covered in this book, in that it involves a shared responsibility. The provider gives you the tools for DR, but you need to perform the BIA to understand the critical systems and implement appropriately to meet recovery objectives. That’s what architecting for failure is all about.”

Question 10

Some companies refer to DR sites in the cloud (IaaS, most appropriately) as a “pilot light” site. If a site is properly planned and continuously tested, you can go from nothing to a completely available site in minutes through the beauty of infrastructure as code (IaC).

What is IaC and what can it do?
What si a benefit of using it?

Answer 10

IaC is essentially the creation (and maintenance) of a script that uses templates that will build anything you want, ranging from networking to systems. Using IaC, you have the ability not only to rebuild a virtual infrastructure programmatically in minutes instead of hours but also to remove the potential of human error that is often introduced when people are under pressure and trying to do things as quickly as possible.

Question 11

BCP/BR

traditional vs cloud

Answer 11

“BCP/DR in a cloud environment differs from BCP/DR in a traditional IT world, because the cloud environment offers a pay-as-you-go model. Every decision you make has an associated cost and likely additional complexity.

Let’s consider an IaaS example: Implementing BCP/DR in a single region is often easier and less costly than implementing BCP/DR in multiple regions. Providers may charge additional fees to copy data from one region to another, and you may need to create region-specific scripts to reflect changes in asset IDs.

Then there are the jurisdictional challenges, as discussed in previous chapters, and how they may impact BCP/DR legally.

Question 12

How may BCP/DR be impacted by the IaaS service model?

Answer 12

DR options in IaaS range from running everything in a single data center to using IaC to build an infrastructure very quickly and restoring data from snapshots, to building a secondary hot site in a different geographical region while data is continuously copied from one region to another. How do you determine what is appropriate?

Question 13

How may BCP/DR be impacted by the Paas service model?

Answer 13

How do you store your data and application code within a provider’s environment? Did you bake encryption into your application, or are you relying on the provider for that service? The answer directly impacts your lock-in potential with a provider. (Vendor lock-in refers to the inability to move from one environment to another without significant effort on the customer side.) Finally, how do you export this data if a provider goes out of business or is sold to another company?

Question 14

How may BCP/DR be impacted by the Saas service model?

Answer 14

your BCP/DR plans may be as simple as exporting data on a regular basis. When considering SaaS, however, consider data availability. Make sure your provider allows you to export data in a common format at acceptable times to support your RTO/RPO requirements. For example, imagine you have an RTO of one hour, but the provider allows you to export data only once a week. How are you going to meet your RTO if the provider goes bankrupt and stops communicating with you, the latest export is five days old, and data is stored in a proprietary format? How portable is data that can be used only with provider tools when those tools are unavailable?

Question 15

What is RTO and RPO?

Answer 15

the recovery time objective (RTO) and the recovery point objective (RPO). The RTO is simply the acceptable amount of time required to restore function and is usually measured in hours or days.

The RPO is the acceptable amount of recent data loss that would be tolerated.

Question 16

Why should you not use multiple cloud providers as part of your IaaS BCP/DR planning?

Answer 16

Building a single IaaS environment properly is hard enough on its own. Securing the metastructure of additional providers to the same level is much harder. First, every provider needs to expose controls (and how they do so will likely differ from how your primary CSP does it, if at all). Then you need people who are experts in the target CSP to implement the required controls. Do you really think there’s a mass of people out there who know everything there is to know about the security of a single provider, let alone two or three?

It’s not just about the data. Copying the data from one provider to another is the easy part; you must consider the entire logical model of the cloud and all the layers to understand what’s at stake:

Question 17

Consider the metastructure as to why you should not use multiple cloud providers as part of your IaaS BCP/DR planning.

Answer 17

As you know, this is your entire virtual infrastructure. Creating a properly secured environment is a challenge on its own. Why would you want to do it all over again in a different environment that may not even offer the same controls?

You have to manage multiple environments continuously so there’s no configuration drift between the two. I think that’s just crazy talk. Sure, there’s IaC, but all the commands are different, so you can’t use one script from one vendor in another vendor’s environment. The metastructure makes a properly secured and maintained multi-cloud failover approach to DR unrealistic for most companies. This is a leading reason why the CSA Guidance includes a section specifically dealing with business continuity within the cloud provider. Get that done properly before considering using multiple providers.

Question 18

Consider the Software-defined infrastructure as to why you may use multiple cloud providers as part of your IaaS BCP/DR planning.

Answer 18

Software-defined infrastructure (SDI) enables you to define and implement an infrastructure through software orchestration, which can help greatly with recovery efforts. This capability is leveraged by using IaC.

Question 19

Consider the infrastructure as to why you should not use multiple cloud providers as part of your IaaS BCP/DR planning.

Answer 19

Your provider will likely make multiple regions available for you to leverage as part of your BCP/DR plans. Having geo-redundancy is a very viable approach and may be warranted (or even mandated) depending on the criticality of particular systems and/or data. Even the biggest cloud providers have experienced times when entire regions became unavailable. When considering geo-redundancy, you need to understand what services are available across different portions of the provider’s infrastructure (not all services may be available in all regions, for example) and the costs associated with copying data from one region to another.

You also need to consider items that must be addressed when moving something from one region to another (such as copying of images and resulting resource IDs changes).

Question 20

Consider the infostructure as to why you should not use multiple cloud providers as part of your IaaS BCP/DR planning.

Answer 20

If you plan on implementing real-time replication of data—not just from one server instance to another, but from one side of North America to the other, for example—you must consider latency and continuously test it.

Question 21

Consider the applistructure when it comes to the use multiple cloud providers as part of your IaaS BCP/DR planning.

Answer 21

“The applistructure includes the full range of everything included in an application. If everything required for an application is self-contained in a single server, it will be much easier to move than if, for example, your application is tied into other services supplied by the cloud provider. Containers, microservices, and serverless computing are great examples of application code leveraging other services.”

Question 22

Other than the cloud logical mode,l what should you consider about your DR plans?

Answer 22

“consider provider guidance on your DR plans”

Question 23

What is chaos engineering?

Answer 23

Chaos engineering is the disciplined approach to experimenting on a system to build confidence in its ability to withstand turbulent and unexpected conditions in production

Question 24

Business Continuity for loss of the cloud provider:

The potential for a provider’s entire environment to be unavailable obviously depends on the provider itself. This scenario is extremely rare for leading IaaS providers, however.

it’s not that rare for a PaaS or SaaS provider to go out of business or be sold to another provider that may not meet contractual obligations or that changes the terms and conditions on you with little advance notice. With that in mind, you should be aware of a few important terms if you are considering moving data or applications from one cloud provider to another:

Answer 24

*Interoperability - The ability for system components to work together to deliver a service.

• Portability - The ability to move from one environment to another with minimal changes required.

*Lock-In - Providers can lock in clients not just from a contractual perspective but from a technical one as well—for example, by not supporting the exporting of data in a common format (which, as you may recall from our legal discussion, may impact the admissibility of evidence as well).

Question 25

If you are responsible for your company’s private cloud, how do your interactions with BCP/DR change?

Answer 25

all aspects of BCP/DR apply, from the facilities up to the applications and data stored. You could determine that a public cloud is the best secondary site, or you could have a traditional spare site that is cold, warm, or hot. As always, plan and test, test, test.

Question 26

If you are a cloud service provider, how do your interactions with BCP/DR change?

Answer 26

If you are a cloud service provider, the importance of BCP/DR is highly critical—to the point at which the viability of the company as a whole can depend on proper BCP/DR capabilities. You could, for example, lose your business as a result of inappropriate BCP/DR capabilities.

Or, if your system is perceived as being undependable by prospective clients, they won’t use your service. If you break service-level agreements, you could face penalties. Or if your DR includes failing over to a different jurisdiction, you may be breaking contractual obligations and even potentially data residency laws.

Answer 27

When thinking of SaaS portability specifically, remember that this is essentially a custom application. If you’ve ever been involved with migrating from Lotus Notes to Microsoft Exchange, for instance, you know all too well the difficulties that can be encountered during application migration, and SaaS migration is no different. Before you adopt a particular SaaS vendor for production use, you should understand how you can get your data exported and what format that data will be in.

Answer 28

“*Master accounts should use MFA and be treated as emergency access only.
*Establish accounts using a least-privilege approach.
*All accounts should use MFA when possible to access the management plane.
*Ensure that strong perimeter security exists for API gateways and web consoles.
*BCP and DR are risk-based activities. Remember that not all systems are equally important to business continuity.
*Always architect for failure with regard to BCP and DR.
*Remember that downtime is always an option.”
*When considering BCP/DR, consider the entire logical stack.
*Using multiple providers as part of DR can be very difficult, if not impossible, from a metastructure perspective. Strongly consider failover within a single provider before contemplating adding another provider.
*Understand the importance of portability and how it is impacted in BCP/DR.”

Question 29

“Which of the following needs to be part of business continuity planning by the customer?”

Answer 29

You need to consult your vendor to determine guaranteed availability in the region. Not all regions have the same amount of capacity and may be over-subscribed in the event of failure in another region. An IaaS provider will not address issues with your own applications. Although data residency regulations may be critical to some companies in certain lines of business, not all companies will face this issue, so C is not the best answer. Chaos engineering may not be for everyone.

Question 30

“Alice wants to update, but not replace, a file via a REST API. What method should Alice use?

Answer 30

“Alice should use the PATCH method to update, but not replace, a file. The PUT method creates a new file. POST is similar to PATCH, but a POST will update and delete the file.”