Chapter 10 - Security in Cloud Computing

Question 1

What are the 3 types of cloud computing?

Answer 1

Infrastructure as a Service, Platform as a Service, Software as a Service

Question 2

IaaS

Answer 2

Ifrastructure as a Service - Provides virtualized computing resources. Third party hosts the servers with hypervisor running the VMs as a guests. Subscribers usually pay on a per-use basis.

Question 3

PaaS

Answer 3

Geared towards software development. Hardware and software hosted by provider. Develop without having to worry about hardware or software.

Question 4

SaaS

Answer 4

Provider supplies on-demand applications to subscribers . Offloads the need for patch management, compatability and version control

Question 5

Cloud Deployment Model - Public Cloud

Answer 5

Services provided over a network that is open for public to use

Question 6

Cloud Deployment Model - Private Cloud

Answer 6

Cloud solely for use by one tenant; usually done in larger organziations

Question 7

Cloud Deployment Model - Community Cloud

Answer 7

Cloud shared by several organizations, but not open to public

Question 8

Cloud Deployment Model - Hybrid Cloud

Answer 8

A composition of two or more cloud deployment models.

Question 9

Cloud Carrier

Answer 9

Organization with responsibility of transferring data; akin to power distributor for electric grid.

Question 10

Cloud Consumer

Answer 10

Aquires and uses cloud products and services

Question 11

Cloud Provider

Answer 11

Purveyor of products and services

Question 12

Cloud Broker

Answer 12

Manages use, performance and delivery of services as well as relationships between providers and subscribers

Question 13

Cloud Auditor

Answer 13

independent assessor of cloud service an security controls

Question 14

FedRAMP

Answer 14

regulatory effort regarding cloud computing

Question 15

PCI DSS

Answer 15

Payment Card Industy Data Security Standard - Deals with debit and credit cards, but also has a cloud SIG

Question 16

Trusted Computing Model

Answer 16

Attempts to resolve computer security problems through hardware enhancements as well as software modifications

Question 17

Roots of Trust (RoT)

Answer 17

Set of functions within TCM that are always trusted by the OS

Question 18

CloudInspect

Answer 18

Pen-testing application for AWS EC2 users

Question 19

CloudPassage Halo

Answer 19

Instant visibility and continuous protection for servers in any cloud

Question 20

Dell Cloud Manager

Answer 20

Cloud management tool

Question 21

Qualys Cloud Suite

Answer 21

Cloud management tool

Question 22

Cloud Threats & Attacks - Data Breach or Loss

Answer 22

Biggest threat; includes malicious theft, erasure or modification

Question 23

Cloud Threats & Attack - Shadow IT

Answer 23

IT systems or solutions that are developed to handle an issue but aren’t taken through proper approval chains

Question 24

Cloud Threats & Attack - Abuse of Cloud Resources

Answer 24

Another high threat (usuallly applies to IaaS and PaaS)

Question 25

Cloud Threats & Attacks - Insecure Interfaces and API

Answer 25

cloud services can’t function without them, but need to make sure they are secure

Question 26

Service Oriented Architecture

Answer 26

API that makes it easier for application components to cooperate and exchange information.

Question 27

Cloud Threats & Attacks - Insufficient Due Diligence

Answer 27

Moving an application without knowing the security differences

Question 28

Cloud Threats & Attacks - Shared Technology Issues

Answer 28

Multitenant environments that don’t provide proper isolation.

Question 29

Cloud Threats & Attacks - Unknown Risk Profiles

Answer 29

Subscribers simply don’t know what security provisions are made in the background.

Question 30

Cloud Threats & Attacks - Wrapping Attack

Answer 30

SOAP message intercepted and data in envelope is changed and sent/replayed.

Question 31

Cloud Threats & Attacks - Session Riding

Answer 31

CSRF under a different name; deals with cloud services instead of traditional data centers

Question 32

Cloud Threats & Attacks - Side Channel Attack

Answer 32

Using an existing VM on the same physical host to attack another. This is more broadly defined as using something other than the direct interface to attack a system.