Chapter 10 - Security in Cloud Computing Flashcards
What are the 3 types of cloud computing?
Infrastructure as a Service, Platform as a Service, Software as a Service
IaaS
Ifrastructure as a Service - Provides virtualized computing resources. Third party hosts the servers with hypervisor running the VMs as a guests. Subscribers usually pay on a per-use basis.
PaaS
Geared towards software development. Hardware and software hosted by provider. Develop without having to worry about hardware or software.
SaaS
Provider supplies on-demand applications to subscribers . Offloads the need for patch management, compatability and version control
Cloud Deployment Model - Public Cloud
Services provided over a network that is open for public to use
Cloud Deployment Model - Private Cloud
Cloud solely for use by one tenant; usually done in larger organziations
Cloud Deployment Model - Community Cloud
Cloud shared by several organizations, but not open to public
Cloud Deployment Model - Hybrid Cloud
A composition of two or more cloud deployment models.
Cloud Carrier
Organization with responsibility of transferring data; akin to power distributor for electric grid.
Cloud Consumer
Aquires and uses cloud products and services
Cloud Provider
Purveyor of products and services
Cloud Broker
Manages use, performance and delivery of services as well as relationships between providers and subscribers
Cloud Auditor
independent assessor of cloud service an security controls
FedRAMP
regulatory effort regarding cloud computing
PCI DSS
Payment Card Industy Data Security Standard - Deals with debit and credit cards, but also has a cloud SIG
Trusted Computing Model
Attempts to resolve computer security problems through hardware enhancements as well as software modifications
Roots of Trust (RoT)
Set of functions within TCM that are always trusted by the OS
CloudInspect
Pen-testing application for AWS EC2 users
CloudPassage Halo
Instant visibility and continuous protection for servers in any cloud
Dell Cloud Manager
Cloud management tool
Qualys Cloud Suite
Cloud management tool
Cloud Threats & Attacks - Data Breach or Loss
Biggest threat; includes malicious theft, erasure or modification
Cloud Threats & Attack - Shadow IT
IT systems or solutions that are developed to handle an issue but aren’t taken through proper approval chains
Cloud Threats & Attack - Abuse of Cloud Resources
Another high threat (usuallly applies to IaaS and PaaS)
Cloud Threats & Attacks - Insecure Interfaces and API
cloud services can’t function without them, but need to make sure they are secure
Service Oriented Architecture
API that makes it easier for application components to cooperate and exchange information.
Cloud Threats & Attacks - Insufficient Due Diligence
Moving an application without knowing the security differences
Cloud Threats & Attacks - Shared Technology Issues
Multitenant environments that don’t provide proper isolation.
Cloud Threats & Attacks - Unknown Risk Profiles
Subscribers simply don’t know what security provisions are made in the background.
Cloud Threats & Attacks - Wrapping Attack
SOAP message intercepted and data in envelope is changed and sent/replayed.
Cloud Threats & Attacks - Session Riding
CSRF under a different name; deals with cloud services instead of traditional data centers
Cloud Threats & Attacks - Side Channel Attack
Using an existing VM on the same physical host to attack another. This is more broadly defined as using something other than the direct interface to attack a system.
