Chapter 4: Exploring Virtualization and Cloud Concepts

Question 1

There are many good reasons why cloud computing has become popular:

Answer 1

Elasticity

Scalability

No Capital Expenditure

Location-Independent

Regional Storage of Data

No Maintenance Fees

No Disaster Recovery Site Required.

Question 2

TIP

Private cloud = single tenant Public cloud = multitenant Community cloud = same industry, and sharing resources

Answer 2

TIP

Question 3

The most common model, where the CSP provides cloud services for multiple tenants.

Answer 3

Public Cloud

Question 4

This model is where the company purchases all of its hardware. They will normally host their own cloud because they so not want to share resources with anyone else, but at the same time, their workforce has all the benefits to the cloud.

Answer 4

Private cloud

Question 5

This cloud model is where companies from the same industry collectively pay for a bespoke application to be written, and the cloud provider manufacturers host it.

Answer 5

Community cloud

Question 6

Companies that decide not to host their company in the cloud are known as on-premises, but during their peak time they may expand into the cloud. This is known as cloud bursting.

Answer 6

Hybrid Cloud

Question 7

Enforces the company’s policies between the on-premises situation and the cloud.

Answer 7

Cloud Access Security Broker

Question 8

You need to preconfigure these devices, install an operating system, and maintain the patch management.

Answer 8

(Cloud Service)

Infrastructure as a Service(IaaS)

Question 9

Will allocate the load across multiple servers to ensure that no single server is overburdened.

Answer 9

Load Balancer

Question 10

TIP

IaaS is where you will install the operating system and patch it. This is the service under IaaS you have more control over. The private cloud is the cloud model that gives you more control.

Answer 10

TIP

Question 11

This is where the CSP hosts a bespoke software application that is accessed through a web server.

Answer 11

(Cloud Service)

Software as a Service(SaaS)

Question 12

TIP

SaaS is a bespoke vendor application that cannot be modified and you use it with a pay-per-use model, as a subscription, and you cannot migrate any applications or services to any SaaS environment.

Answer 12

TIP

Question 13

This provides the environment for developers to create applications. This cloud service provides a set of services to support the development and operations of applications, rolling them out to IOS, Android devices, as well as Windows devices. You could Migrate your bespoke software application under this cloud service.

Answer 13

(Cloud Service)

Platform as a Service(PaaS)

Question 14

This cloud service provides Identity and Access Management (IAM), which provides identity management that allows people to have secure access to application from anywhere at any time.

Answer 14

(Cloud Service)

Security as a Service(SECaaS)

Question 15

Provides identity management that allows people to have more secure access to applications from anywhere at any time.

Answer 15

Identity and Access Management (IAM)

Question 16

Describes a multitude of other cloud services that are available, such as Network as a Service(NaaS), providing network resources; Desktop as a Service(DaaS); Backup as a Service(BaaS); and many more

Answer 16

(Cloud Service)

Anything as a Service(XaaS)

Question 17

These cloud computing concepts are entities that resell cloud services to customers. They can provide infrastructure, software, VMs, and other services that a customer needs.

Answer 17

Cloud Service Provider (CSP)

Question 18

Will also take over the day-to-day running of your cloud as they have the expertise to do so.

Answer 18

Managed Cloud Service Providers (MCSP)

Question 19

These cloud service concepts will maintain the security environment for companies that will include enterprise firewalls, intrusion prevention and detection systems, and SIEM systems. These concepts have a very highly skilled workforce who will take this headache away from a company.

Answer 19

Managed Security Service Provider (MSSP)

Question 20

All the computing of data storage is closer to the sensors rather than being thousands of miles away on a server at a data center.

Answer 20

Edge Computing

Question 21

This cloud concept is a client that has limited resources that are insufficient to run applications. It connects to a server and process the application on its resources.

Answer 21

Thin Client

Question 22

A container allows the isolation of an application and its files and libraries so that they are not dependent on anything else. It allows software developers to deploy applications seamlessly across various environments. The cloud concepts are used by Platform as a Service (PaaS) products.

Answer 22

Containers

Question 23

This allows you to define individual services that can then be connected by using an application program interface. They are loosely coupled and can be reused when creating applications.

Answer 23

Microservices/API

Question 24

This is where you manage your computer infrastructure with configuration files rather than by a physical method. This is very common with cloud technologies making it easier to set up computers and roll out patches. This ensures that each computer has the same setup, in contrast with the human errors that may be encountered when setting up a computer manually.

Answer 24

Infrastructure as Code

Question 25

Ensures that there is no deviation from the required setting.

Answer 25

Desired State Configuration (DSC)

Question 26

Traditional networks route packets via a hardware router and are decentralized; however, in today’s networks, more and more people are using virtualization, including cloud providers.

This cloud computing concept is where packets are routed through a controller rather than traditional routers, which improves performance.

It has three different planes: the control plane prioritizes the traffic, the data plane does switching, the data plane does switching and routing, and the management plane deal with monitoring the traffic.

Answer 26

Software-Defined Network ( )

Question 27

This gives you visibility of the network traffic use. It can collect and aggregate the data on the data on the network traffic and provide good reports to the network administrators.

Answer 27

Software-Defined Visibility (SDV)

Question 28

This is where you will use the backend as a Service, when a third-party vendor hosts your applications as a pay-as-you-go model based on the compute time that you use. You will lease servers or data storage from them.

Answer 28

Serverless Architecture

Question 29

This is where the provision of several business services is combined with different IT services and are integrated to provide a single solution for business,

Answer 29

Services integration

Question 30

These are the policies that state what access level or actions someone has to a particular resource.

Answer 30

Resource Policies

Question 31

This is a network hub that acts as a regional virtual router interconnect virtual private clouds (VPC) and VPN connections.

Answer 31

Transit Gateway

Question 32

In a cloud environment the infrastructure is built on a virtual environment. The storage for these machines normally comes from a Storage Area Network (SAN).

Answer 32

Virtualization

Question 33

Fast but expensive, as it needs fiber channel switches and fiber cables, which is expensive.

Answer 33

Fiber Channel

Question 34

Runs Small Computer System Interface (SCSI) commands through normal Ethernet switches and still offer good speed. This is a much cheaper option.

Answer 34

iSCSi Connector

Question 35

These zones are physical locations that may hold two or more data centers and provide high availability within their zone. They are independent from each other with their own networks. Applications can be distributed across multiple ones so that if one zone fails, the application is still available.

Answer 35

(Cloud Security Controls)

High Availability Access Zones

Question 36

These are the policies that state what access level or actions someone has to a particular resource. This is crucial for resource management and audit. We need to apply the principle of least privilege.

Answer 36

(Cloud Security Controls)

Resource Policies

Question 37

This is a secure application, and it could be called a vault where the keys, tokens, passwords, and SSH keys used by privileged accounts are stored. It could be a vault that is heavily encrypted to protect these items.

Answer 37

(Cloud Security Controls)

Secret Management

Question 38

Integration is the process of how data is being handled from input to output. A cloud audit is responsible for ensuring that the policies and controls that the cloud provider has put in place are being adopted.

Answer 38

(Cloud Security Controls)

Integration and Auditing

Question 39

Storage that can be used as a large storage area for a database or large amounts of binary or text data. It can be also used for images that can be used by browser or video and audio files for streaming or gaming.

Answer 39

Binary Large OBject (BLOB)

Question 40

Storage:
Permissions
Encryption
Replication

Answer 40

(Cloud Security Controls)

Storage

Question 41

Three copies of your data are replicated at a single physical location. Not good for high availability. It is the cheapest solution, but if the power then everything has gone.

Answer 41

(Cloud Security Controls)

Storage:
Local Redundant Storage (LRS)

Question 42

Data is replicated between three separate zones within your region. It should be used in your primary region; however, if a disaster affects the region then you have no access to data.

Answer 42

(Cloud Security Controls)

Storage:
Zone Redundant Storage

Question 43

Three copies of your data are replicated in a single physical location in the primary region using LRS, then one copy is replicated to a single location in a secondary region.

Answer 43

(Cloud Security Controls)

Storage:
GEO Redundant Storage (GRS)

Question 44

Data is replicated between three separate zones within your primary region, then one copy is replicated to a single location in a secondary region.

Answer 44

GEO Zone Redundant Storage (GZRS)

Question 45

This cloud concept ensures that copies of your data are held in different locations.

Answer 45

High Availability

Question 46

This is a virtual network that consists of shared resources with a public cloud, where the VMs for one are isolated from the resources of another company. These virtual networks can be isolated using public and private networks or segmentation.

Answer 46

Virtual Private Cloud (VPC)

Question 47

Our cloud environment needs to be broken down into _____ ______ that can access the internet directly or _____ ______ that have to go through a NAT gateway and then an internet gateway to access the internet.

Answer 47

Public or Private Subnets

Question 48

10. 0.0.0
11. 16.X.X - 172.31.X.X
12. 168.0.0

Answer 48

Private Subnets

Question 49

169.254.X.X

Answer 49

APIPA IP

Question 50

This allows the private subnets to communicate with other cloud services and the internet, but hides the internal network from internet users.

Answer 50

NAT Gateway

Question 51

Resources on thee public subnet can connect directly to the internet. Therefore, public-facing web servers will be placed within this subnet. They will have a NAT gateway for communicating with private subnets, and internet gateway, and a managed service to connect to the internet.

Answer 51

Public Subnets

Question 52

To create a secure connection to your VPC, you can connect a VPN using L2TP/IPSec to the public interface of the NAT gateway.

Answer 52

VPN Connection

Question 53

The security of services that are permitted to access or be accessible from other zones has a strict set of rules controlling this traffic. These rules are enforced by the IP address ranges of each subnet. Within a private subnet, VLANs can be used to carry out departmental isolation.

Answer 53

Segmentation

Question 54

Refers to a new way to write web service APIs so that different languages can be transported using HTTP.

Answer 54

API inspection and integration:Representational State Transfer (REST)

Question 55

A compute _____ _______ profile is allocated by using a ______ _______ template that also states the cloud account, the location of the resource, and the security rules.

Answer 55

Security Groups

Question 56

This uses virtualization technology to upgrade and downscale the cloud resources a the demand grows or falls.

Answer 56

Dynamic Resource Allocation

Question 57

We must monitor VM instances so that an attacker cannot place an unmanaged M that would lead to VM sprawl and then ultimately VM escape. We must use tools like a Network Intrusion Detection System (NIDS) to detect new instances, and the IT team must maintain a list of managed VMs.

Answer 57

Instance Awareness

Question 58

This allows you to create a private connection between your VPC and another cloud service without crossing over the internet.

Answer 58

VPC Endpoint

Question 59

This is the implementation of security tools nd policies that ensures that your container is working as it were intended,

Answer 59

Container Security

Question 60

This enforces the companies policies between the on-premises situation and the cloud. There is no group policy in the cloud.

Answer 60

Cloud Access Security Broker (CASB)

Question 61

This is using products such as Cloud WAF and Runtime Application Self-Protection (RASP) to protect against a zero-day attack.

Answer 61

Application Security

Question 62

This Gateway acts like a reverse proxy, content filter, and an inline NIPS.

An example of this is Netskope has the following: Cloud Security, Remote Data Access, Managed Cloud Applications, Monitor and Assess, Control Cloud Applications, Acceptable Use, Protect Against Threats, and Protect Data Everywhere.

Answer 62

Next Generation Secure Web Gateway (SWG)

Question 63

The reason we need a good firewall is to block incoming traffic that we need to put up a good barrier to protect the internal cloud resources against hackers or malware. The cloud firewalls tend to be Web Application Firewalls.

A. cost
B. Need for Segmentation
C. Interconnection OSI Layers
D. Cloud Native Controls vs. Third-party Solutions

Answer 63

Firewall Considerations in a Cloud Environment

Question 64

This is an enterprise version that can be installed on a computer without an operating system, called bare metal. Examples are VMWare ESX, Microsoft’s Hyper-V, or Zen, which is used by AWS.

Answer 64

Type 1 Hypervisor

Question 65

This needs an operating system, such as Server 2016 or Windows 10, and then the hypervisor is installed like an application. An example of a Type 2 hypervisor is Oracle’s VM VirtualBox or Microsoft’s virtual machine as a product.

Answer 65

Type 2 Hypervisor

Question 66

This is where the virtual host is running out of resources or is overutilizing resources. This could end up with a host crashing and taking out the virtual network. A way to avoid this is to use thin provisioning; this means only allocating the minimum amount of resources that your VMs needs, gently increasing the resources that your VM needs, gently increasing the resources required. The IT administrator should also produce a daily report on the usage of VMs so any increase can be identified.

Answer 66

System Sprawl

Question 67

This is where unmanaged VM has been placed on your networks. Because the IT administrator doesn’t know it is there, it will not be patched and, therefore, over a period of time it will become vulnerable and could be used for a VM escape attack.

Answer 67

VM Sprawl

Question 68

One of the best ways to protect against VM sprawl is to have robust security policies for adding VMs to the networks and use either a NIDS or Nmap to detect new hosts.

Answer 68

Sprawl Avoidance

Question 69

VM escape is where an attacker gains access to a VM, then attacks either the host machine that holds all of the VMs, the hypervisor, or any

Answer 69

VM Escape

Question 70

One of the best ways to protect against VM escape is to ensure that the patches on the hypervisor and all VMs are always up to date. Ensure that guest privileges are low. The servers hosting the critical services should have redundancy and not be on a single host so that if one host is attacked, all of the critical services are set up as a single point of failure. We also need a snapshot for all servers and need to use VM migration so another copy is held in another location. We could also place a HIPS inside each VM to protect against an attack.

Answer 70

VM Escape Protection