Chapter 4: Exploring Virtualization and Cloud Concepts Flashcards

1
Q

There are many good reasons why cloud computing has become popular:

A

Elasticity

Scalability

No Capital Expenditure

Location-Independent

Regional Storage of Data

No Maintenance Fees

No Disaster Recovery Site Required.

2
Q

TIP

Private cloud = single tenant
Public cloud = multitenant
Community cloud = same industry, sharing resources

A

TIP

3
Q

The most common model, where the CSP provides cloud services for multiple tenants.

A

Public Cloud

4
Q

This model is where the company purchases all of its hardware. They will normally host their own cloud because they do not want to share resources with anyone else, but at the same time, their workforce has all the benefits of the cloud.

A

Private cloud

5
Q

This cloud model is where companies from the same industry collectively pay for a bespoke application to be written, and the cloud provider hosts it.

A

Community cloud

6
Q

Companies that decide not to host their systems in the cloud are known as on-premises, but during their peak times they may expand into the cloud. This is known as cloud bursting.

A

Hybrid Cloud

7
Q

Enforces the company’s policies between the on-premises situation and the cloud.

A

Cloud Access Security Broker

8
Q

You need to preconfigure these devices, install an operating system, and maintain the patch management.

A

(Cloud Service)

Infrastructure as a Service (IaaS)

9
Q

Allocates the load across multiple servers to ensure that no single server is overburdened.

A

Load Balancer

10
Q

TIP

IaaS is where you will install the operating system and patch it. IaaS is the cloud service you have the most control over. The private cloud is the cloud model that gives you the most control.

A

TIP

11
Q

This is where the CSP hosts a bespoke software application that is accessed through a web server.

A

(Cloud Service)

Software as a Service (SaaS)

12
Q

TIP

SaaS is a bespoke vendor application that cannot be modified. You use it on a pay-per-use model, as a subscription, and you cannot migrate any of your own applications or services to a SaaS environment.

A

TIP

13
Q

This provides the environment for developers to create applications. This cloud service provides a set of services to support the development and operations of applications, rolling them out to iOS and Android devices as well as Windows devices. You could migrate your bespoke software application to this cloud service.

A

(Cloud Service)

Platform as a Service (PaaS)

14
Q

This cloud service provides Identity and Access Management (IAM), which provides identity management that allows people to have secure access to applications from anywhere at any time.

A

(Cloud Service)

Security as a Service (SECaaS)

15
Q

Provides identity management that allows people to have more secure access to applications from anywhere at any time.

A

Identity and Access Management (IAM)

16
Q

Describes the multitude of other cloud services that are available, such as Network as a Service (NaaS), providing network resources; Desktop as a Service (DaaS); Backup as a Service (BaaS); and many more.

A

(Cloud Service)

Anything as a Service (XaaS)

17
Q

These are entities that resell cloud services to customers. They can provide infrastructure, software, VMs, and other services that a customer needs.

A

Cloud Service Provider (CSP)

18
Q

Will also take over the day-to-day running of your cloud, as they have the expertise to do so.

A

Managed Cloud Service Providers (MCSP)

19
Q

These providers will maintain the security environment for companies, which will include enterprise firewalls, intrusion prevention and detection systems, and SIEM systems. They have a very highly skilled workforce who will take this headache away from a company.

A

Managed Security Service Provider (MSSP)

20
Q

All of the computing and data storage is closer to the sensors rather than being thousands of miles away on a server at a data center.

A

Edge Computing

21
Q

This cloud concept is a client that has limited resources, insufficient to run applications. It connects to a server, which processes the application using the server's resources.

A

Thin Client

22
Q

A container allows the isolation of an application and its files and libraries so that they are not dependent on anything else. It allows software developers to deploy applications seamlessly across various environments. Containers are used by Platform as a Service (PaaS) products.

A

Containers

23
Q

This allows you to define individual services that can then be connected by using an application programming interface (API). They are loosely coupled and can be reused when creating applications.

A

Microservices/API

24
Q

This is where you manage your computer infrastructure with configuration files rather than by a physical method. This is very common with cloud technologies, making it easier to set up computers and roll out patches. It ensures that each computer has the same setup, in contrast with the human errors that may be encountered when setting up a computer manually.

A

Infrastructure as Code

25
Q

Ensures that there is no deviation from the required settings.

A

Desired State Configuration (DSC)

26
Q

Traditional networks route packets via a hardware router and are decentralized; however, in today’s networks, more and more people are using virtualization, including cloud providers.

This cloud computing concept is where packets are routed through a controller rather than traditional routers, which improves performance.

It has three different planes: the control plane prioritizes the traffic, the data plane does switching and routing, and the management plane deals with monitoring the traffic.

A

Software-Defined Network ( )

27
Q

This gives you visibility of the network traffic. It can collect and aggregate the data on the network traffic and provide good reports to the network administrators.

A

Software-Defined Visibility (SDV)

28
Q

This is where you use Backend as a Service: a third-party vendor hosts your applications on a pay-as-you-go model based on the compute time that you use. You lease servers or data storage from them.

A

Serverless Architecture

29
Q

This is where several business services are combined with different IT services and integrated to provide a single solution for the business.

A

Services integration

30
Q

These are the policies that state what access level or actions someone has to a particular resource.

A

Resource Policies

31
Q

This is a network hub that acts as a regional virtual router to interconnect virtual private clouds (VPCs) and VPN connections.

A

Transit Gateway

32
Q

In a cloud environment the infrastructure is built on a virtual environment. The storage for these machines normally comes from a Storage Area Network (SAN).

A

Virtualization

33
Q

Fast but expensive, as it needs fiber channel switches and fiber cables.

A

Fiber Channel

34
Q

Runs Small Computer System Interface (SCSI) commands through normal Ethernet switches and still offers good speed. This is a much cheaper option.

A

iSCSI Connector

35
Q

These zones are physical locations that may hold two or more data centers and provide high availability within the zone. They are independent from each other, with their own networks. Applications can be distributed across multiple zones so that if one zone fails, the application is still available.

A

(Cloud Security Controls)

High Availability Access Zones

36
Q

These are the policies that state what access level or actions someone has to a particular resource. This is crucial for resource management and audit. We need to apply the principle of least privilege.

A

(Cloud Security Controls)

Resource Policies

37
Q

This is a secure application, which could be called a vault, where the keys, tokens, passwords, and SSH keys used by privileged accounts are stored. The vault is heavily encrypted to protect these items.

A

(Cloud Security Controls)

Secret Management

38
Q

Integration is the process of how data is being handled from input to output. A cloud audit is responsible for ensuring that the policies and controls that the cloud provider has put in place are being adopted.

A

(Cloud Security Controls)

Integration and Auditing

39
Q

Storage that can be used as a large storage area for a database or for large amounts of binary or text data. It can also be used for images served to browsers, or for video and audio files for streaming or gaming.

A

Binary Large OBject (BLOB)

40
Q

Storage:
Permissions
Encryption
Replication

A

(Cloud Security Controls)

Storage

41
Q

Three copies of your data are replicated at a single physical location. Not good for high availability. It is the cheapest solution, but if the power fails then everything is gone.

A

(Cloud Security Controls)

Storage:
Local Redundant Storage (LRS)

42
Q

Data is replicated between three separate zones within your region. It should be used in your primary region; however, if a disaster affects the whole region then you have no access to your data.

A

(Cloud Security Controls)

Storage:
Zone Redundant Storage

43
Q

Three copies of your data are replicated in a single physical location in the primary region using LRS, then one copy is replicated to a single location in a secondary region.

A

(Cloud Security Controls)

Storage:
GEO Redundant Storage (GRS)

44
Q

Data is replicated between three separate zones within your primary region, then one copy is replicated to a single location in a secondary region.

A

GEO Zone Redundant Storage (GZRS)

45
Q

This cloud concept ensures that copies of your data are held in different locations.

A

High Availability

46
Q

This is a virtual network that consists of shared resources within a public cloud, where the VMs of one company are isolated from the resources of another company. These virtual networks can be isolated using public and private networks or segmentation.

A

Virtual Private Cloud (VPC)

47
Q

Our cloud environment needs to be broken down into _____ ______ that can access the internet directly or _____ ______ that have to go through a NAT gateway and then an internet gateway to access the internet.

A

Public or Private Subnets

48
Q
10.0.0.0
172.16.X.X - 172.31.X.X
192.168.0.0
A

Private Subnets

49
Q

169.254.X.X

A

APIPA IP

50
Q

This allows the private subnets to communicate with other cloud services and the internet, but hides the internal network from internet users.

A

NAT Gateway

51
Q

Resources on the public subnet can connect directly to the internet. Therefore, public-facing web servers will be placed within this subnet. They will have a NAT gateway for communicating with private subnets, an internet gateway, and a managed service to connect to the internet.

A

Public Subnets

52
Q

To create a secure connection to your VPC, you can connect a VPN using L2TP/IPSec to the public interface of the NAT gateway.

A

VPN Connection

53
Q

Services that are permitted to access, or be accessible from, other zones are governed by a strict set of rules controlling this traffic. These rules are enforced by the IP address ranges of each subnet. Within a private subnet, VLANs can be used to carry out departmental isolation.

A

Segmentation

54
Q

Refers to a new way to write web service APIs so that different languages can be transported using HTTP.

A

API inspection and integration: Representational State Transfer (REST)

55
Q

A compute _____ _______ profile is allocated by using a ______ _______ template that also states the cloud account, the location of the resource, and the security rules.

A

Security Groups

56
Q

This uses virtualization technology to scale the cloud resources up and down as the demand grows or falls.

A

Dynamic Resource Allocation

57
Q

We must monitor VM instances so that an attacker cannot place an unmanaged VM that would lead to VM sprawl and then ultimately VM escape. We must use tools like a Network Intrusion Detection System (NIDS) to detect new instances, and the IT team must maintain a list of managed VMs.

A

Instance Awareness

58
Q

This allows you to create a private connection between your VPC and another cloud service without crossing over the internet.

A

VPC Endpoint

59
Q

This is the implementation of security tools and policies that ensure that your container is working as it was intended.

A

Container Security

60
Q

This enforces the company's policies between the on-premises environment and the cloud. There is no group policy in the cloud.

A

Cloud Access Security Broker (CASB)

61
Q

This is using products such as Cloud WAF and Runtime Application Self-Protection (RASP) to protect against a zero-day attack.

A

Application Security

62
Q

This Gateway acts like a reverse proxy, content filter, and an inline NIPS.

An example is Netskope, which offers the following: Cloud Security, Remote Data Access, Managed Cloud Applications, Monitor and Assess, Control Cloud Applications, Acceptable Use, Protect Against Threats, and Protect Data Everywhere.

A

Next Generation Secure Web Gateway (SWG)

63
Q

We need a good firewall to block incoming traffic and to put up a strong barrier protecting the internal cloud resources against hackers or malware. Cloud firewalls tend to be Web Application Firewalls.

A. Cost
B. Need for Segmentation
C. Interconnection OSI Layers
D. Cloud Native Controls vs. Third-party Solutions

A

Firewall Considerations in a Cloud Environment

64
Q

This is an enterprise version that can be installed on a computer without an operating system, called bare metal. Examples are VMware ESX, Microsoft's Hyper-V, or Xen, which is used by AWS.

A

Type 1 Hypervisor

65
Q

This needs an operating system, such as Server 2016 or Windows 10, and then the hypervisor is installed like an application. An example of a Type 2 hypervisor is Oracle's VM VirtualBox or Microsoft's virtual machine product.

A

Type 2 Hypervisor

66
Q

This is where the virtual host is running out of resources or is overutilizing resources. This could end up with a host crashing and taking out the virtual network. A way to avoid this is to use thin provisioning; this means only allocating the minimum amount of resources that your VMs need, then gently increasing the resources as required. The IT administrator should also produce a daily report on the usage of VMs so any increase can be identified.

A

System Sprawl

67
Q

This is where an unmanaged VM has been placed on your network. Because the IT administrator doesn't know it is there, it will not be patched and, therefore, over a period of time it will become vulnerable and could be used for a VM escape attack.

A

VM Sprawl

68
Q

One of the best ways to protect against VM sprawl is to have robust security policies for adding VMs to the network and to use either a NIDS or Nmap to detect new hosts.

A

Sprawl Avoidance

69
Q

VM escape is where an attacker gains access to a VM, then attacks either the host machine that holds all of the VMs, the hypervisor, or any

A

VM Escape

70
Q

One of the best ways to protect against VM escape is to ensure that the patches on the hypervisor and all VMs are always up to date. Ensure that guest privileges are low. The servers hosting the critical services should have redundancy and not sit on a single host, so that if one host is attacked the critical services are not all lost; a single host would be a single point of failure. We also need a snapshot of all servers and need to use VM migration so another copy is held in another location. We could also place a HIPS inside each VM to protect against an attack.

A

VM Escape Protection