Chapter 10 Cloud and Virtualization Security Flashcards
Describe the differences between scalability and elasticity
Scalability is focused on rapidly increasing capacity whereas elasticity says that capacity should expand and contract as needed to optimize costs.
Vertical Scaling vs. Horizontal Scaling
Vertical Scaling increases the capacity of existing servers, such as adding CPU cores or increasing memory.
Horizontal Scaling adds more servers to a pool of clustered servers.
Cloud Service Model Acronyms:
- XaaS
- IaaS
- SaaS
- PaaS
- FaaS
- Anything as a Service
- Infrastructure as a Service
- Software as a Service
- Platform as a Service
- Function as a Service
IaaS
Infrastructure as a Service offerings allow customers to purchase and interact with the basic building blocks of a technology infrastructure, including computing, storage, and networks. Customers can then manage those services anyway they need.
- Customer doesn’t have to manage hardware.
- Provider implements security controls.
- Provider bears the LEAST security responsibility.
The customer is responsible for the security of anything that isn’t Infrastructure. (OS, apps, data)
SaaS
Software as a Service offerings provide customers with access to fully managed application running in the cloud.
Provider is responsible for everything from physical data centers to performance management to security.
Customer is only responsible for limited configuration of the application itself.
Provider bears the MOST security responsibility in SaaS.
PaaS
Platform as a Service offerings fit into a middle ground between SaaS and IaaS solutions. The service provider offers a platform where customers may run applications that they developed themselves.
- provider builds and manages infrastructure and offers customers execution environment with code libraries, services and tools.
Vendor is responsible for the OS, but the customer is responsible for the data and security configuration.
FaaS
Function as a Service platforms are an example of PaaS computing. Customers can upload their own code to the provider, then the provider executes code.
- AWS Lambda service
MSPs
Managed Service Providers provide IT as a service to their customers.
MSSPs are Managed Security Service Providers are MSPs geared towards security.
Public Cloud
Cloud services shared with multiple servers, infrastructure is not dedicated to a single customer.
Supports IaaS, PaaS, SaaS, and FaaS.
More cost efficient than private cloud services because it is a “measured service” (you only pay for the data/storage you use).
Private Cloud
Cloud infrastructure provisioned for a use by a single customer. Could be built and managed by the organization or a third party.
NOT cost efficient; private cloud services tend to have excess unused capacity to support peak demand.
Community Cloud Service
shares characteristics with both public and private models.
Runs a multi-tenant environment, but they are limited to members of a designated community, typically defined by a shared mission or similar security/compliance requirements.
- HathiTrust digital Library is an example.
Hybrid Cloud
catch-all term that describes any combination of public, private, or community cloud services.
Public Cloud Bursting
A firm might operate their own private cloud for the majority of their workloads and then leverage public cloud capacity when demand exceeds the capacity of their private cloud infrastructure.
- AWS Outposts are hybrid cloud. Customers receive a rack of equipment that they install in their own data center, but it is still maintained by AWS.
Shared Responsibility Model
Cloud providers, customers, and vendors must divide security responsibilities.
- Common in IaaS, PaaS, and SaaS.
What is CSA?
Cloud Security Alliance is an industry organization focused on developing and promoting best practices in cloud security. They developed the CCM Cloud Controls Matrix which is a reference document for cloud security.
What is Edge Computing?
Bringing computation and data storage closer to data sources to save bandwidth and response time.
What is Fog Computing?
Using edge devices to perform substantial computation and storage locally.
What is Virtualization?
Allows multiple systems to share the underlying hardware.
What is a hypervisor?
What is it’s primary responsibility?
A special operating system that controls VM access to the underlying hardware.
Enforcing ISOLATION between virtual machines.
What is the difference between a Type I hypervisor and a Type II hypervisor?
Type I hypervisors operate directly on top of the underlying hardware. Common in data centers because it is highly efficient.
Type II hypervisors run as an application on top of an existing operating system. the host OS introduces a level of inefficiency.
What is CASB?
Cloud Access Security Broker is a software that sits between cloud users and cloud apps, and it monitors all activity and enforces security policies.
What are Containers?
Containers provide application level virtualization. Instead of creating an entire VM, containers essentially allow for “virtual applications”.
What is Block vs. Object Storage?
Block storage allocates large volumes of storage for use by virtual server instances,
Object storage provides customers the ability to place files in buckets and treat files as independent entities.
In block storage, you pay for a set amount of storage. In object storage, you pay for what you use.
What is SDN?
Software Defined Networking is a network architecture approach that enables the network to be centrally control or “programmed” using software applications.
- allows engineers to interact with and modify cloud resources through their APIs
What is SDV?
Software Defined Visibility is insight into the traffic on virtual networks.
What is segmentation?
What is a way to implement it on physical networks and in the cloud?
Segmentation allows network engineers to place systems of differing security levels and functions on different network subnets.
- Physical networks use a VLAN, Cloud networks use VPC, Virtual Private Cloud.
What is VPC?
Virtual Private Cloud is the virtual segmentation of systems into subnets, and they can be private or public depending on whether they can be accessed from the internet.
What is a VPC endpoint?
Virtual Private Cloud endpoints allow the connection of VPCs to each other using the cloud providers network backbone.
How can VPCs be connected to VLANs for hybrid cloud communications?
Cloud Transit Gateways allow for the interconnection of VPCs and VLANs.
What is a subnet?
Logical subdivision of an IP network
What is subnet masking?
Defining the range of IP addresses that can be used within a subnet.
DevOps
The combination of software development and IT operations using the Agile software development model.
IaC is the key tech that allows this.
What is IaC?
Infrastructure as Code is key technology behind DevOps. it is the automation of provisioning, management, deprovisioning infrastructure services through scripted code rather than human activity.
What is Data Sovereignty?
Means data is subject to the legal restrictions of any jurisdiction in which it is collected stored or processed.
What is a Virtual Machine Escape vulnerability?
The attacker has access to a single virtual host then manages to leverage that access to intrude upon the resources assigned to a different VM.
- Escape attacks allow a process running on VM to “escape” those hypervisor restrictions.
API Inspection
Cloud apps depend upon APIs for service and interoperability. Security analysts responsible for API-based apps should implement API inspection, which scrutinizes API requests for security issues. Secure Web Gateways (SWG) provide layer of application security for could.
What is a CASB?
Cloud Access Security Brokers are software tools that intermediate cloud service users and providers.
Inline vs. API-based CASB
Inline Cloud Access Security Brokers physically or logically reside in the connection path between the user and the service. Sees requests before sent to the service.
API-based CASB solutions do not interact with the user but rather directly to the cloud provider through the providers API. This does NOT allow the CASB to block requests.
