Chapter 10 - Cloud and Virtualization Security Flashcards

1
Q

Cloud Computing

A

Cloud Computing is where cloud service providers deliver computing services to their customers over the Internet.

2
Q

Multitenancy

A

Multitenancy is the fact that many different users share resources in the same cloud infrastructure.

3
Q

Scalability

A

Scalability allows cloud customers to manually or automatically increase the capacity of their operations. In some cloud environments, this can be completely transparent and be performed behind the scenes.

4
Q

Elasticity

A

Elasticity says that capacity should expand and contract as needs change to optimize costs.

5
Q

Measured Service

A

Measured Service refers to how everything you do (processing time, storage, log entries) in the cloud is measured by the provider. They use this information to be able to assess charges based on your usage.

6
Q

What are the common Roles in Cloud Computing?

A

  1. Cloud service provider
  2. Cloud consumer
  3. Cloud partner (offers ancillary products or services that integrate with the offerings of a cloud service provider)
  4. Cloud auditor (third-party assessment of cloud services)
  5. Cloud carrier (provides connectivity between cloud provider and consumer)

7
Q

Infrastructure as a Service (IaaS)

A

Infrastructure as a Service offerings allow customers to purchase and interact with the basic building blocks of a technology infrastructure. These include computing, storage, and networks. Some examples of IaaS providers include AWS, Microsoft Azure and Google Cloud Platform (GCP).

8
Q

Software as a Service (SaaS)

A

Software as a Service offerings provide customers with access to a fully managed application running in the cloud. The provider is responsible for everything from the operation of the physical datacenters to the performance management of the application itself. A common example of SaaS is web-based email.

9
Q

Platform as a Service (PaaS)

A

Platform as a Service offerings fit into a middle ground between SaaS and IaaS solutions. In PaaS, the service provider offers a platform where customers may run applications that they have developed themselves.

10
Q

Function as a Service (FaaS)

A

Function as a Service platforms are an example of PaaS computing. This approach allows customers to upload their own code functions to the provider and then the provider will execute those functions on a scheduled basis in response to events and/or on demand. A common example of FaaS would be AWS Lambda.

11
Q

Managed Service Provider (MSP)

A

Managed Service Providers are service organizations that provide information technology as a service to their customers.

12
Q

Public Cloud

A

Public Cloud service providers deploy infrastructure and then make it accessible to any customers who wish to take advantage of it in a multitenant model.

13
Q

Private Cloud

A

Private Cloud describes any cloud infrastructure that is provisioned for use by a single customer. This infrastructure may be built and managed by the organization that will be using the infrastructure, or it may be built and managed by a third party.

14
Q

Community Cloud

A

Community Cloud services share characteristics of both the public and private models. Community Cloud services do run in a multitenant environment, but the tenants are limited to members of a specifically designed community.

15
Q

Hybrid Cloud

A

Hybrid Cloud is a catch-all term used to describe cloud deployments that blend public, private, and/or community cloud services together. It is NOT simply purchasing both public and private cloud services and using them together. AWS Outposts is a common Hybrid Cloud technology.

Another example of a Hybrid Cloud is a firm that operates their own private cloud for the majority of their workloads and then leverages public cloud capacity when demand exceeds the capacity of their private cloud infrastructure.

16
Q

Bursting

A

Bursting is a configuration that allows a private cloud to access additional computing resources from a public cloud when there is a sudden increase in demand.

17
Q

Shared Responsibility Model

A

Shared Responsibility Model refers to dividing responsibilities between one or more cloud service providers and the cloud customers’ own cybersecurity teams.

18
Q

Edge Computing

A

Edge Computing is about processing data closer to where it’s being generated, enabling processing at greater speeds and volumes. Only after the data is processed at the edge can it then be sent back to the cloud.

19
Q

Fog Computing

A

Fog Computing uses IoT gateway devices that are located in close physical proximity to the data generation points. These data generation points themselves don’t necessarily have processing power, but they send data to their local gateway that performs preprocessing before sending the results to the cloud.

20
Q

Isolation

A

Isolation, in the context of virtualization, is the primary responsibility of the hypervisor. The hypervisor must present each virtual machine with the illusion of a completely separate physical environment dedicated for use by that virtual machine.

21
Q

Containers

A

Containers provide application-level virtualization. Instead of creating complex virtual machines that require their own operating systems, containers package applications and allow them to be treated as units of virtualization that become portable across operating systems and hardware platforms.

22
Q

Block Storage

A

In cloud computing, Block Storage allocates large volumes of storage for use by virtual server instances. These volumes are then formatted as virtual disks by the operating system on those server instances and used as they would a physical drive. An example of Block Storage in the cloud is Elastic Block Storage (EBS) by AWS.

23
Q

Object Storage

A

In cloud computing, Object Storage provides customers with the ability to place files in buckets and treat each file as an independent entity that may be accessed over the web or through the provider’s API. An example of Object Storage in the cloud is AWS Simple Storage Service (S3).

24
Q

What are the three most important security considerations to keep in mind while working with cloud storage?

A

  1. Set permissions properly
  2. Consider high availability and durability options
  3. Use encryption to protect sensitive data

25
Q

Segmentation

A

Segmentation allows network engineers to place systems of differing security levels and functions on different network subnets.

26
Q

Virtual Private Cloud (VPC)

A

Virtual Private Clouds allow teams to group systems into subnets and designate those subnets as public or private, depending on whether access to them is permitted from the Internet. A VPC will have fully dedicated resources rather than potentially sharing the underlying hardware.

27
Q

Infrastructure as Code (IaC)

A

Infrastructure as Code is one of the key enabling technologies behind the DevOps movement. IaC is the process of automating the provisioning, management, and deprovisioning of infrastructure services through scripted code rather than human intervention. IaC approaches depend on the use of APIs offered by cloud providers.

28
Q

Data Sovereignty

A

Data Sovereignty is a principle that states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed.

29
Q

Virtual Machine Escape

A

Virtual Machine Escape attacks occur when an attacker who has access to a single virtual host manages to leverage that access to intrude upon the resources assigned to a different virtual machine.

30
Q

Virtual Machine Sprawl

A

Virtual Machine Sprawl occurs when IaaS users create virtual service instances and then forget about them or abandon them, leaving them to accrue costs and accumulate security issues over time.

31
Q

Resource Reuse

A

Resource Reuse occurs when cloud providers take hardware resources that were originally assigned to one customer and reassign them to another customer. If the data was not properly removed from that hardware, the new customer may inadvertently gain access to data belonging to another customer.

32
Q

Secure Web Gateways (SWGs)

A

Secure Web Gateways provide a layer of application security for cloud-dependent organizations. SWGs monitor web requests made by internal users and evaluate them against the organization’s security policy, blocking requests that run afoul of these requirements.

33
Q

Auditability

A

Auditability, in the context of the cloud, describes the customer's ability to perform audits on cloud service providers, either themselves or via a third-party auditor.

34
Q

Cloud Access Security Broker (CASB)

A

Cloud Access Security Brokers are software tools that serve as intermediaries between cloud service users and cloud service providers. This positioning allows them to monitor user activity and enforce policy requirements.

35
Q

Inline CASB Solutions

A

Inline CASB Solutions physically or logically reside in the connection path between the user and the service. They may do this through a hardware appliance or an endpoint agent that routes requests through the CASB.

36
Q

API-Based CASB Solutions

A

API-Based CASB Solutions do not interact directly with the user but rather interact directly with the cloud provider through the provider's API. This approach does not allow the CASB to block requests that violate policy. API-Based CASBs are limited to monitoring user activity and reporting on or correcting policy violations after the fact.

37
Q

Resource Policies

A

Cloud providers offer Resource Policies that customers may use to limit the actions that users of their accounts may take.

38
Q

VPC Endpoint

A

VPC Endpoints allow connections of VPCs to each other using the cloud provider’s secure network.

39
Q

Cloud Transit Gateways

A

Cloud Transit Gateways extend the model of VPC endpoints even further, allowing the direct interconnection of cloud VPCs with on-premises VLANs for hybrid cloud operations.