Chapter 5 - Security In The Cloud Flashcards
What are the CSP and CC responsibilities in the different service models?
CC: Security governance, Risk and compliance; data security; application security (IaaS & PaaS); Platform Security (IaaS)
CSP: Physical Security; Infrastructure Security (PaaS & SaaS), Platform Security (SaaS)
Shared: application security (SaaS), platform security (PaaS), infrastructure security (IaaS)
What are common risks in public cloud?
Vendor lock in
Vendor lock out
Multitenant Environments
What are common risks in IaaS?
Personnel threats
External threats
Lack of specific skillset
What are common risks in PaaS?
Interoperability issues e.g. software and OS which is maintained by CSP
Persistence backdoors used by developers for test purposes
Virtualization
Resource sharing: information bleed and side channel attacks
What are common risks in SaaS?
Proprietary formats
Virtualization
Web application security (API)
What are common risks for virtualization?
Attacks on hypervisors: type 2 hypervisors are the preferred target, since the OS, the hypervisor and the host are all affected. The OS additionally introduces more vulnerabilities because of its complexity
Guest escape: a user escapes from the VM and accesses other VMs (host escape is the same, but the user escapes to the complete host)
Information bleed: processed information can be detected
Data Seizure: legal action and seizing of host machine where your vm is located
Which types of hypervisors exist?
Type 1 and 2
1: baremetal or hardware hypervisor that resides on host
2: software hypervisor that resides on OS which resides in host
What are threats in the private cloud?
Malware
Internal threats
External threats
Man-in-the-middle attacks
Social engineering
Theft or loss of devices
Regulatory violations
Natural disasters
What are threats in the community cloud?
All of private cloud threats plus…
Loss of policy because of distributed ownership
Loss of physical control
Lack of audit access
What are threats in the public cloud?
All of community and private plus…
Rogue administrator: like internal threats but with enhanced access
Escalation of privilege
Contractual failure
What are cloud-specific BIA concerns?
New dependencies e.g. upstream and downstream
Regulatory failure: the provider can't meet regulatory requirements
Data breaches or inadvertent disclosure: liability cannot be transferred
Vendor lock-in and lock-out: should be part of the cost-benefit analysis
DR and BC responsibilities of customer and provider
Private architecture and cloud service as backup
Cloud operations and cloud provider as backup
Cloud operations and third-party cloud backup provider: hard to align because there are two negotiation partners
DR and BC declaration
There should be a person or office responsible for declaring a disaster. There should be a defined process for the declaration and also a process for the back-to-normal declaration
Testing in DR and BC
Backups should be tested to ensure data can be recovered and the system can properly be used in case of disaster