Chapter 4: Exploring Virtualization and Cloud Concepts Flashcards
There are many good reasons why cloud computing has become popular:
Elasticity
Scalability
No Capital Expenditure
Location-Independent
Regional Storage of Data
No Maintenance Fees
No Disaster Recovery Site Required.
TIP
Private cloud = single tenant
Public cloud = multitenant
Community cloud = same industry, sharing resources
TIP
The most common model, where the CSP provides cloud services for multiple tenants.
Public Cloud
This model is where the company purchases all of its own hardware. It will normally host its own cloud because it does not want to share resources with anyone else, but at the same time its workforce has all the benefits of the cloud.
Private cloud
This cloud model is where companies from the same industry collectively pay for a bespoke application to be written, and the cloud provider hosts it.
Community cloud
Companies that decide not to host their systems in the cloud are known as on-premises, but during their peak times they may expand into the cloud. This is known as cloud bursting.
Hybrid Cloud
Enforces the company’s policies between the on-premises situation and the cloud.
Cloud Access Security Broker
You need to preconfigure these devices, install an operating system, and maintain the patch management.
(Cloud Service)
Infrastructure as a Service (IaaS)
Will allocate the load across multiple servers to ensure that no single server is overburdened.
Load Balancer
TIP
IaaS is where you will install the operating system and patch it. IaaS is the cloud service you have the most control over. The private cloud is the cloud model that gives you the most control.
TIP
This is where the CSP hosts a bespoke software application that is accessed through a web server.
(Cloud Service)
Software as a Service (SaaS)
TIP
SaaS is a bespoke vendor application that cannot be modified. You use it on a pay-per-use model as a subscription, and you cannot migrate any of your own applications or services into a SaaS environment.
TIP
This provides the environment for developers to create applications. This cloud service provides a set of services to support the development and operations of applications, rolling them out to iOS, Android, and Windows devices. You could migrate your bespoke software application to this cloud service.
(Cloud Service)
Platform as a Service (PaaS)
This cloud service provides Identity and Access Management (IAM), which provides identity management that allows people to have secure access to applications from anywhere at any time.
(Cloud Service)
Security as a Service (SECaaS)
Provides identity management that allows people to have more secure access to applications from anywhere at any time.
Identity and Access Management (IAM)
Describes a multitude of other cloud services that are available, such as Network as a Service (NaaS), providing network resources; Desktop as a Service (DaaS); Backup as a Service (BaaS); and many more.
(Cloud Service)
Anything as a Service (XaaS)
These cloud computing concepts are entities that resell cloud services to customers. They can provide infrastructure, software, VMs, and other services that a customer needs.
Cloud Service Provider (CSP)
Will also take over the day-to-day running of your cloud as they have the expertise to do so.
Managed Cloud Service Providers (MCSP)
These cloud service providers maintain the security environment for companies, which includes enterprise firewalls, intrusion prevention and detection systems, and SIEM systems. They have a highly skilled workforce who will take this headache away from a company.
Managed Security Service Provider (MSSP)
Computing and data storage are carried out closer to the sensors rather than thousands of miles away on a server in a data center.
Edge Computing
This cloud concept is a client that has limited resources, insufficient to run applications. It connects to a server and processes the application using the server's resources.
Thin Client
A container allows the isolation of an application and its files and libraries so that they are not dependent on anything else. It allows software developers to deploy applications seamlessly across various environments. This cloud concept is used by Platform as a Service (PaaS) products.
Containers
This allows you to define individual services that can then be connected by using an application program interface. They are loosely coupled and can be reused when creating applications.
Microservices/API
This is where you manage your computer infrastructure with configuration files rather than by a manual, physical method. This is very common with cloud technologies, making it easier to set up computers and roll out patches. It ensures that each computer has the same setup, in contrast with the human errors that may be encountered when setting up a computer manually.
Infrastructure as Code
Ensures that there is no deviation from the required setting.
Desired State Configuration (DSC)
Traditional networks route packets via a hardware router and are decentralized; however, in today’s networks, more and more people are using virtualization, including cloud providers.
This cloud computing concept is where packets are routed through a controller rather than traditional routers, which improves performance.
It has three different planes: the control plane prioritizes the traffic, the data plane does switching and routing, and the management plane deals with monitoring the traffic.
Software-Defined Network ( )
This gives you visibility of network traffic use. It can collect and aggregate the data on the network traffic and provide good reports to the network administrators.
Software-Defined Visibility (SDV)
This is where you use Backend as a Service, where a third-party vendor hosts your applications on a pay-as-you-go model based on the compute time that you use. You lease servers or data storage from them.
Serverless Architecture
This is where the provision of several business services is combined with different IT services, which are integrated to provide a single solution for the business.
Services integration
These are the policies that state what access level or actions someone has to a particular resource.
Resource Policies
This is a network hub that acts as a regional virtual router to interconnect virtual private clouds (VPCs) and VPN connections.
Transit Gateway
In a cloud environment the infrastructure is built on a virtual environment. The storage for these machines normally comes from a Storage Area Network (SAN).
Virtualization
Fast but expensive, as it needs Fiber Channel switches and fiber cables.
Fiber Channel
Runs Small Computer System Interface (SCSI) commands through normal Ethernet switches and still offers good speed. This is a much cheaper option.
iSCSI Connector
These zones are physical locations that may hold two or more data centers and provide high availability within their zone. They are independent from each other with their own networks. Applications can be distributed across multiple ones so that if one zone fails, the application is still available.
(Cloud Security Controls)
High Availability Access Zones
These are the policies that state what access level or actions someone has to a particular resource. This is crucial for resource management and audit. We need to apply the principle of least privilege.
(Cloud Security Controls)
Resource Policies
This is a secure application, which could be called a vault, where the keys, tokens, passwords, and SSH keys used by privileged accounts are stored. The vault is heavily encrypted to protect these items.
(Cloud Security Controls)
Secret Management
Integration is the process of how data is being handled from input to output. A cloud audit is responsible for ensuring that the policies and controls that the cloud provider has put in place are being adopted.
(Cloud Security Controls)
Integration and Auditing
Storage that can be used as a large storage area for a database or for large amounts of binary or text data. It can also be used for images served to browsers, or for video and audio files for streaming or gaming.
Binary Large OBject (BLOB)
Storage:
Permissions
Encryption
Replication
(Cloud Security Controls)
Storage
Three copies of your data are replicated at a single physical location. Not good for high availability. It is the cheapest solution, but if the power fails then everything is gone.
(Cloud Security Controls)
Storage:
Local Redundant Storage (LRS)
Data is replicated between three separate zones within your region. It should be used in your primary region; however, if a disaster affects the whole region then you have no access to your data.
(Cloud Security Controls)
Storage:
Zone Redundant Storage
Three copies of your data are replicated in a single physical location in the primary region using LRS, then one copy is replicated to a single location in a secondary region.
(Cloud Security Controls)
Storage:
GEO Redundant Storage (GRS)
Data is replicated between three separate zones within your primary region, then one copy is replicated to a single location in a secondary region.
GEO Zone Redundant Storage (GZRS)
This cloud concept ensures that copies of your data are held in different locations.
High Availability
This is a virtual network built on shared resources within a public cloud, where the VMs of one company are isolated from the resources of another company. These virtual networks can be isolated using public and private subnets or segmentation.
Virtual Private Cloud (VPC)
Our cloud environment needs to be broken down into _____ ______ that can access the internet directly or _____ ______ that have to go through a NAT gateway and then an internet gateway to access the internet.
Public or Private Subnets
- 10.0.0.0
- 172.16.X.X - 172.31.X.X
- 192.168.0.0
Private Subnets
169.254.X.X
APIPA IP
This allows the private subnets to communicate with other cloud services and the internet, but hides the internal network from internet users.
NAT Gateway
Resources on the public subnet can connect directly to the internet. Therefore, public-facing web servers will be placed within this subnet. They will have a NAT gateway for communicating with private subnets, an internet gateway, and a managed service to connect to the internet.
Public Subnets
To create a secure connection to your VPC, you can connect a VPN using L2TP/IPSec to the public interface of the NAT gateway.
VPN Connection
Services that are permitted to access, or be accessible from, other zones are governed by a strict set of rules controlling this traffic. These rules are enforced using the IP address ranges of each subnet. Within a private subnet, VLANs can be used to carry out departmental isolation.
Segmentation
Refers to a newer way of writing web service APIs so that different languages can be transported using HTTP.
API inspection and integration: Representational State Transfer (REST)
A compute _____ _______ profile is allocated by using a ______ _______ template that also states the cloud account, the location of the resource, and the security rules.
Security Groups
This uses virtualization technology to scale cloud resources up and down as demand grows or falls.
Dynamic Resource Allocation
We must monitor VM instances so that an attacker cannot place an unmanaged VM that would lead to VM sprawl and then ultimately VM escape. We must use tools like a Network Intrusion Detection System (NIDS) to detect new instances, and the IT team must maintain a list of managed VMs.
Instance Awareness
This allows you to create a private connection between your VPC and another cloud service without crossing over the internet.
VPC Endpoint
This is the implementation of security tools and policies that ensure your container is working as intended.
Container Security
This enforces the company's policies between the on-premises environment and the cloud. There is no group policy in the cloud.
Cloud Access Security Broker (CASB)
This is using products such as Cloud WAF and Runtime Application Self-Protection (RASP) to protect against a zero-day attack.
Application Security
This Gateway acts like a reverse proxy, content filter, and an inline NIPS.
An example is Netskope, which offers the following: Cloud Security, Remote Data Access, Managed Cloud Applications, Monitor and Assess, Control Cloud Applications, Acceptable Use, Protect Against Threats, and Protect Data Everywhere.
Next Generation Secure Web Gateway (SWG)
We need a good firewall to block unwanted incoming traffic and put up a strong barrier that protects the internal cloud resources against hackers or malware. Cloud firewalls tend to be Web Application Firewalls.
A. cost
B. Need for Segmentation
C. Interconnection OSI Layers
D. Cloud Native Controls vs. Third-party Solutions
Firewall Considerations in a Cloud Environment
This is an enterprise version that can be installed on a computer without an operating system, called bare metal. Examples are VMware ESX, Microsoft's Hyper-V, or Xen, which is used by AWS.
Type 1 Hypervisor
This needs an operating system, such as Server 2016 or Windows 10, and then the hypervisor is installed like an application. Examples of a Type 2 hypervisor are Oracle's VM VirtualBox or Microsoft's virtual machine product.
Type 2 Hypervisor
This is where the virtual host is running out of resources or is overutilizing resources. This could end up with the host crashing and taking out the virtual network. A way to avoid this is to use thin provisioning; this means allocating only the minimum amount of resources that your VMs need, then gently increasing the resources as required. The IT administrator should also produce a daily report on the usage of VMs so any increase can be identified.
System Sprawl
This is where an unmanaged VM has been placed on your network. Because the IT administrator doesn't know it is there, it will not be patched and, therefore, over a period of time it will become vulnerable and could be used for a VM escape attack.
VM Sprawl
One of the best ways to protect against VM sprawl is to have robust security policies for adding VMs to the network and to use either a NIDS or Nmap to detect new hosts.
Sprawl Avoidance
VM escape is where an attacker gains access to a VM, then attacks either the host machine that holds all of the VMs, the hypervisor, or any
VM Escape
One of the best ways to protect against VM escape is to ensure that the patches on the hypervisor and all VMs are always up to date. Ensure that guest privileges are low. The servers hosting the critical services should have redundancy and not be on a single host, because that host would be a single point of failure for all of the critical services if it were attacked. We also need a snapshot of all servers and need to use VM migration so another copy is held in another location. We could also place a HIPS inside each VM to protect against an attack.
VM Escape Protection