Chapter 10 Cloud and Virtualization Security Flashcards

1
Q

Describe the differences between scalability and elasticity

A

Scalability is the ability to add capacity to meet rising demand. Elasticity goes further: capacity expands AND contracts automatically as demand changes, so the organization pays only for what it is using at the time.

2
Q

Vertical Scaling vs. Horizontal Scaling

A

Vertical scaling (scaling up) increases the capacity of existing servers, such as adding CPU cores or memory.
Horizontal scaling (scaling out) adds more servers to a pool of clustered servers.

3
Q

Cloud Service Model Acronyms:

  1. XaaS
  2. IaaS
  3. SaaS
  4. PaaS
  5. FaaS
A
  1. Anything as a Service
  2. Infrastructure as a Service
  3. Software as a Service
  4. Platform as a Service
  5. Function as a Service
4
Q

IaaS

A

Infrastructure as a Service offerings allow customers to purchase and interact with the basic building blocks of a technology infrastructure (computing, storage, and networking) and then manage those resources any way they need.
- Customer doesn’t have to manage hardware.
- Provider implements the security controls for the physical facilities, hardware, and virtualization layer.
- Of the three main service models, the provider bears the LEAST security responsibility in IaaS.
The customer is responsible for the security of everything above the infrastructure layer (OS, applications, data, and their configuration).

5
Q

SaaS

A

Software as a Service offerings give customers access to fully managed applications running in the cloud.
Provider is responsible for everything from the physical data centers to performance management to the security of the application itself.
Customer is responsible only for limited configuration of the application (and for its own users and data).
Provider bears the MOST security responsibility in SaaS.

6
Q

PaaS

A

Platform as a Service offerings fit into a middle ground between SaaS and IaaS solutions. The service provider offers a platform where customers run applications they developed themselves.
- Provider builds and manages the infrastructure and offers customers an execution environment with code libraries, services, and tools.
Vendor is responsible for the hardware and OS; the customer is responsible for the application code, the data, and the security configuration.

7
Q

FaaS

A

Function as a Service platforms are a form of PaaS. Customers upload their own code, and the provider executes it on demand (typically in response to an event) without the customer managing any servers.
- Example: AWS Lambda.

8
Q

MSPs

A

Managed Service Providers deliver IT as a service to their customers.
MSSPs (Managed Security Service Providers) are MSPs that specialize in security services.

9
Q

Public Cloud

A

Cloud services shared among multiple customers (multi-tenant); the infrastructure is not dedicated to a single customer.
Supports IaaS, PaaS, SaaS, and FaaS.
More cost efficient than private cloud because it is a “measured service”: you pay only for the compute, storage, and data transfer you actually consume.

10
Q

Private Cloud

A

Cloud infrastructure provisioned for use by a single customer. It may be built and managed by the organization itself or by a third party.
Less cost efficient: private clouds tend to carry excess unused capacity so they can support peak demand.

11
Q

Community Cloud Service

A

Shares characteristics with both the public and private models.
Runs a multi-tenant environment, but tenancy is limited to members of a designated community, typically defined by a shared mission or similar security/compliance requirements.
- The HathiTrust digital library is an example.

12
Q

Hybrid Cloud

A

Catch-all term that describes any combination of public, private, or community cloud services.

13
Q

Public Cloud Bursting

A

A firm operates its own private cloud for the majority of its workloads and then leverages public cloud capacity when demand exceeds the capacity of its private cloud infrastructure.
- AWS Outposts is an example of hybrid cloud: the customer receives a rack of equipment installed in their own data center, but AWS still maintains it.

14
Q

Shared Responsibility Model

A

Cloud providers, customers, and vendors divide security responsibilities among themselves; where the line falls depends on the service model.
- Applies to IaaS, PaaS, and SaaS: the more the provider manages (SaaS), the more of the security responsibility it carries; the less it manages (IaaS), the more falls to the customer.

15
Q

What is CSA?

A

Cloud Security Alliance is an industry organization focused on developing and promoting best practices in cloud security. It developed the Cloud Controls Matrix (CCM), a reference catalog of cloud security controls.

16
Q

What is Edge Computing?

A

Bringing computation and data storage closer to the data sources (sensors, devices, users) to save bandwidth and reduce response time.

17
Q

What is Fog Computing?

A

Using edge devices (for example, gateways sitting near IoT sensors) to perform substantial computation and storage locally, so that only summarized results need to travel to the cloud.

18
Q

What is Virtualization?

A

Allows multiple guest systems (virtual machines) to share the same underlying physical hardware.

19
Q

What is a hypervisor?

What is its primary responsibility?

A

A special-purpose operating system (or software layer) that controls each VM's access to the underlying hardware.
Enforcing ISOLATION between virtual machines, so that one guest cannot read or alter the memory, storage, or CPU state of another.

20
Q

What is the difference between a Type I hypervisor and a Type II hypervisor?

A

Type I (“bare metal”) hypervisors run directly on the underlying hardware. Common in data centers because they are highly efficient.
Type II hypervisors run as an application on top of an existing operating system. The host OS introduces a level of inefficiency (and a larger attack surface).

21
Q

What is CASB?

A

Cloud Access Security Broker is software that sits between cloud users and cloud applications, monitoring all activity and enforcing security policies.

22
Q

What are Containers?

A

Containers provide application-level virtualization. Instead of creating an entire VM with its own operating system, a container packages an application with its dependencies and shares the host's kernel, so it is essentially a “virtual application”.

23
Q

What is Block vs. Object Storage?

A

Block storage allocates large volumes of storage (virtual disks) for use by virtual server instances.
Object storage lets customers place files in buckets and treat each file as an independent entity, addressed by key rather than by disk location.
In block storage, you pay for the set amount of storage you provision. In object storage, you pay for what you actually use.

24
Q

What is SDN?

A

Software Defined Networking is a network architecture approach that enables the network to be centrally controlled or “programmed” using software applications.
- allows engineers to interact with and modify cloud network resources through the provider's APIs

25
Q

What is SDV?

A

Software Defined Visibility is insight into the traffic flowing on virtual networks, where the physical taps and SPAN ports used on traditional networks are not available.

26
Q

What is segmentation?

What is a way to implement it on physical networks and in the cloud?

A

Segmentation allows network engineers to place systems of differing security levels and functions on different network subnets, so that traffic between them must cross a controlled boundary.
- Physical networks use VLANs; cloud networks use a VPC (Virtual Private Cloud).

27
Q

What is VPC?

A

Virtual Private Cloud is the virtual segmentation of systems into subnets. Subnets can be public or private depending on whether they can be reached from the internet.

28
Q

What is a VPC endpoint?

A

Virtual Private Cloud endpoints let resources inside a VPC reach the cloud provider's services (and services published by other VPCs) privately over the provider's network backbone instead of over the public internet. Connecting two VPCs directly to each other is VPC peering.

29
Q

How can VPCs be connected to VLANs for hybrid cloud communications?

A

Cloud transit gateways act as a hub that interconnects multiple VPCs and the on-premises networks (VLANs) reached over VPN or dedicated links, so each network needs a single attachment instead of a mesh of peerings.

30
Q

What is a subnet?

A

Logical subdivision of an IP network.

31
Q

What is subnet masking?

A

Defining which bits of an address are the network prefix, and therefore the range of IP addresses that can be used within a subnet (for example, a /24 mask of 255.255.255.0 leaves 256 addresses for the subnet).
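The subnet, subnet-mask, VPC and segmentation cards above, worked through in code. This is an added example, not part of the flashcard deck: it uses Python's standard ipaddress module to carve a VPC range into public and private subnets, applies a mask the way a router does, and checks for address overlap before joining the VPC to on-premises ranges. The VPC range, subnet sizes and on-premises ranges are constructed for the example.

```python
"""Added example, not part of the flashcard deck: carving a VPC address range
into public and private subnets with Python's standard ipaddress module, and
applying a subnet mask the way a router does.  The VPC range, subnet sizes
and on-premises ranges below are constructed for the example."""
import ipaddress

# Constructed VPC range (RFC 1918 private space) and a constructed set of
# on-premises networks we might later join through a transit gateway.
VPC_CIDR = "10.0.0.0/16"
ON_PREM_CIDRS = ["10.0.5.0/24", "192.168.1.0/24"]


def describe_subnet(cidr: str) -> dict:
    """Mask, address range and usable host count for one subnet.

    The mask (255.255.255.0 for a /24) fixes which bits are the network
    prefix; the remaining bits are the range of addresses the subnet can hand
    out.  Usable hosts here is the classic "all addresses minus network and
    broadcast"; cloud providers usually reserve a few more per subnet.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts()) or [net.network_address]  # /32 edge case
    return {
        "cidr": str(net),
        "mask": str(net.netmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
        "is_private_space": net.is_private,
    }


def carve_vpc(vpc_cidr: str, new_prefix: int, public_count: int) -> list:
    """Split a VPC into equal-sized subnets and tag the first `public_count`
    as public (they would get a route to an internet gateway); the rest are
    private.  Systems of different exposure levels land in different subnets,
    which is the segmentation the cards describe."""
    vpc = ipaddress.ip_network(vpc_cidr)
    result = []
    for i, subnet in enumerate(vpc.subnets(new_prefix=new_prefix)):
        info = describe_subnet(str(subnet))
        info["tier"] = "public" if i < public_count else "private"
        result.append(info)
    return result


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """Bit-level subnet test: two hosts share a subnet when (addr AND mask)
    is equal for both.  Hosts on the same subnet reach each other without
    crossing a router, so no route table or network ACL sits between them."""
    a = int(ipaddress.ip_address(addr_a))
    b = int(ipaddress.ip_address(addr_b))
    m = int(ipaddress.ip_address(mask))
    return (a & m) == (b & m)


def overlapping_ranges(vpc_cidr: str, remote_cidrs: list) -> list:
    """Return remote ranges that overlap the VPC.  Overlaps must be found
    before connecting a VPC to on-premises VLANs, because routing between
    two networks that claim the same addresses is ambiguous."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in remote_cidrs if vpc.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    for tier in carve_vpc(VPC_CIDR, 24, 2)[:3]:
        print(tier)
    print(same_subnet("10.0.1.10", "10.0.1.200", "255.255.255.0"))
    print(overlapping_ranges(VPC_CIDR, ON_PREM_CIDRS))
```

The overlap check is the practical caveat behind the transit-gateway card: a 10.0.0.0/16 VPC cannot be cleanly routed to an on-premises 10.0.5.0/24 VLAN, so address planning has to happen before the hybrid link is built, not after.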

32
Q

DevOps

A

The combination of software development and IT operations, typically using the Agile software development model.
Infrastructure as Code (IaC) is the key technology that makes this possible.

33
Q

What is IaC?

A

Infrastructure as Code is the key technology behind DevOps: the automation of provisioning, managing, and deprovisioning infrastructure services through scripted code rather than manual human activity. Because the infrastructure definition is code, it can be version-controlled, reviewed, and tested like any other code.

34
Q

What is Data Sovereignty?

A

Means data is subject to the legal restrictions of any jurisdiction in which it is collected, stored, or processed.
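Added example serving the IaC and Data Sovereignty cards above; it is not from the flashcard deck. Because infrastructure is defined in code, security policy can be checked against that definition before anything is provisioned. The infrastructure format, resource names, regions, port list and residency rule below are all constructed for the example (they are not real Terraform or CloudFormation syntax).

```python
"""Added example, not from the flashcard deck: a policy-as-code check that
runs over an infrastructure definition before anything is provisioned.  The
definition format, resource names, regions and policy values are constructed
for this example and are not real Terraform or CloudFormation syntax."""
import copy
import ipaddress

# Constructed, provider-neutral infrastructure definition.
INFRA = {
    "security_groups": [
        {"name": "web-sg",   "ingress": [{"port": 443,  "cidr": "0.0.0.0/0"}]},
        {"name": "admin-sg", "ingress": [{"port": 22,   "cidr": "0.0.0.0/0"}]},
        {"name": "db-sg",    "ingress": [{"port": 5432, "cidr": "10.0.0.0/16"}]},
    ],
    "buckets": [
        {"name": "customer-records", "region": "eu-west-1", "data_class": "personal"},
        {"name": "build-cache",      "region": "us-east-1", "data_class": "internal"},
        {"name": "hr-archive",       "region": "us-east-1", "data_class": "personal"},
    ],
}

# Ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 5985, 5986}
# Hypothetical residency rule: personal data stays in these regions.
PERSONAL_DATA_REGIONS = {"eu-west-1", "eu-central-1"}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_admin_exposure(infra: dict) -> list:
    """Flag security-group rules that expose an admin port to the internet."""
    findings = []
    for sg in infra.get("security_groups", []):
        for rule in sg.get("ingress", []):
            if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
                findings.append({
                    "resource": sg["name"],
                    "rule": "admin-port-world-open",
                    "detail": f"port {rule['port']} open to {rule['cidr']}",
                })
    return findings


def check_data_residency(infra: dict) -> list:
    """Flag storage holding personal data outside the permitted jurisdictions."""
    findings = []
    for bucket in infra.get("buckets", []):
        if bucket["data_class"] == "personal" and bucket["region"] not in PERSONAL_DATA_REGIONS:
            findings.append({
                "resource": bucket["name"],
                "rule": "personal-data-outside-allowed-region",
                "detail": f"region {bucket['region']} not in {sorted(PERSONAL_DATA_REGIONS)}",
            })
    return findings


def evaluate(infra: dict) -> dict:
    """Run every policy; a non-empty findings list fails the pipeline stage."""
    findings = check_admin_exposure(infra) + check_data_residency(infra)
    return {"pass": not findings, "findings": findings}


def remediated(infra: dict, bastion_cidr: str, personal_region: str) -> dict:
    """Return a corrected copy: admin ports restricted to a bastion range and
    personal-data buckets moved to an allowed region.  Because the change is
    made in the definition, re-running evaluate() proves the fix before
    deployment, which is the IaC advantage over hand edits in a console."""
    fixed = copy.deepcopy(infra)
    for sg in fixed["security_groups"]:
        for rule in sg["ingress"]:
            if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
                rule["cidr"] = bastion_cidr
    for bucket in fixed["buckets"]:
        if bucket["data_class"] == "personal" and bucket["region"] not in PERSONAL_DATA_REGIONS:
            bucket["region"] = personal_region
    return fixed


if __name__ == "__main__":
    print(evaluate(INFRA))
    print(evaluate(remediated(INFRA, "203.0.113.0/24", "eu-central-1")))
```

Run on the constructed definition, evaluate() reports two findings (SSH open to the world on admin-sg, and personal data in a non-permitted region on hr-archive) and the remediated copy passes. Wiring a check like this into the pipeline that applies the IaC is what turns a residency rule from a policy document into something that blocks a bad deployment.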

35
Q

What is a Virtual Machine Escape vulnerability?

A

The attacker has access to a single virtual machine and manages to leverage that access to intrude upon the resources assigned to a different VM, or to the host itself.
- Escape attacks allow a process running in a VM to “escape” the isolation the hypervisor is supposed to enforce.

36
Q

API Inspection

A

Cloud apps depend upon APIs for service delivery and interoperability. Security analysts responsible for API-based apps should implement API inspection, which scrutinizes API requests for security issues (malformed input, missing authentication, use of undocumented routes). Secure Web Gateways (SWG) provide a layer of application security for the cloud.
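What "scrutinizing API requests" looks like in practice, as an added example that is not part of the flashcard deck: a small inspector of the kind an API gateway or SWG runs before a request reaches the application. The routes, the body schema, the size limit, the role list and the sample requests are all constructed for the example.

```python
"""Added example, not from the flashcard deck: a minimal API request
inspector of the kind an API gateway or secure web gateway applies before a
request reaches the cloud application.  The routes, schema, limits and
sample requests are constructed for this example."""
import json
import re

# Constructed policy: which method/path pairs exist, whether they need a
# bearer token, and what a JSON body must look like.
POLICY = {
    "max_body_bytes": 1024,
    "allowed_roles": {"viewer", "editor"},
    "routes": {
        ("GET", "/v1/health"): {"auth": False, "schema": None},
        ("GET", "/v1/users"): {"auth": True, "schema": None},
        ("POST", "/v1/users"): {"auth": True, "schema": {"email": str, "role": str}},
    },
}
BEARER = re.compile(r"^Bearer [A-Za-z0-9._~+/-]+=*$")


def inspect(request: dict) -> list:
    """Return the list of violations; an empty list means forward the request."""
    findings = []
    method = request.get("method", "").upper()
    path = request.get("path", "")
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    body = request.get("body", b"")
    if isinstance(body, str):
        body = body.encode()

    # 1. Path hygiene before route matching: plain or percent-encoded traversal.
    if ".." in path or "%2e" in path.lower():
        findings.append("path traversal sequence in path")
    # 2. Only documented routes are allowed; everything else is dropped.
    route = POLICY["routes"].get((method, path))
    if route is None:
        findings.append(f"unknown route {method} {path}")
        return findings
    # 3. Authentication: a syntactically valid bearer token where required
    #    (signature and expiry validation would follow in the real service).
    if route["auth"] and not BEARER.match(headers.get("authorization", "")):
        findings.append("missing or malformed bearer token")
    # 4. Size limit, checked before parsing so oversized bodies are never decoded.
    if len(body) > POLICY["max_body_bytes"]:
        findings.append(f"body of {len(body)} bytes exceeds limit")
        return findings
    # 5. Content type and schema for routes that take a body.
    schema = route["schema"]
    if schema is not None:
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype != "application/json":
            findings.append("content-type must be application/json")
            return findings
        try:
            data = json.loads(body)
        except ValueError:
            findings.append("body is not valid JSON")
            return findings
        if not isinstance(data, dict):
            findings.append("body must be a JSON object")
            return findings
        for field, typ in schema.items():
            if field not in data:
                findings.append(f"missing field {field}")
            elif not isinstance(data[field], typ):
                findings.append(f"field {field} has wrong type")
        extra = sorted(set(data) - set(schema))
        if extra:  # unexpected fields are a mass-assignment risk
            findings.append(f"unexpected fields {extra}")
        if isinstance(data.get("role"), str) and data["role"] not in POLICY["allowed_roles"]:
            findings.append(f"role {data['role']} not permitted")
    return findings


# Constructed sample requests.
SAMPLE_REQUESTS = {
    "health": {"method": "GET", "path": "/v1/health", "headers": {}},
    "create_ok": {
        "method": "POST", "path": "/v1/users",
        "headers": {"Authorization": "Bearer abc.def.ghi", "Content-Type": "application/json"},
        "body": '{"email": "a@example.com", "role": "viewer"}',
    },
    "escalation": {
        "method": "POST", "path": "/v1/users",
        "headers": {"Authorization": "Bearer abc.def.ghi", "Content-Type": "application/json"},
        "body": '{"email": "a@example.com", "role": "admin", "is_superuser": true}',
    },
    "no_token": {"method": "GET", "path": "/v1/users", "headers": {}},
    "traversal": {"method": "GET", "path": "/v1/users/../admin", "headers": {"Authorization": "Bearer x"}},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, inspect(req))
```

The ordering matters: path checks run before route matching so traversal is caught even when the route does not exist, and the size limit is enforced before the body is parsed so a large payload cannot be used to exhaust the inspector itself. The unexpected-field check is the one most often missing in practice; it is what stops a client from smuggling fields like is_superuser past a schema that only lists the fields it expects.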

37
Q

What is a CASB?

A

Cloud Access Security Brokers are software tools that sit between cloud service users and cloud providers, monitoring activity and enforcing policy.

38
Q

Inline vs. API-based CASB

A

Inline Cloud Access Security Brokers physically or logically reside in the connection path between the user and the service. They see each request before it is sent to the service, so they can block it.
API-based CASB solutions do not sit in the traffic path; they connect directly to the cloud provider through the provider's API. They can monitor activity and remediate after the fact, but they CANNOT block a request in real time.