Chapter 6

Question 1

Cloud Computing

Answer 1

Is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Question 2

Multitenancy

Answer 2

Many different customers share access to the same physical resources

Question 3

Isolation Controls

Answer 3

Cloud provider is responsible for implementation isolation controls that prevent the actions of one customer from interfering with or accessing data from another customer.

Question 4

Software as a Service (SaaS)

Answer 4

Offerings provide a customer with a complete application that is built and maintained by the service provider and runs in an infrastructure that is either operated or procured by the service provider. The customer of an SaaS offering typically accesses the service through a web browser and performs only limited application configuration. Almost all the responsibility for operating the service rests in the hands of the cloud service provider and, possibly, other cloud service providers who offer the SaaS provider access to underlying infrastructure resources. Example: Gmail

Question 5

Infrastructure as a Service (IaaS)

Answer 5

Offerings operate under a very different service model. SaaS offerings endeavor to hide implementation details from the customer, but IaaS offerings expose basic infrastructure building blocks that customers may use to design and implement their own service offerings. These offerings include compute processing, storage, networking, and other basic components of a technology infrastructure. Includes greater responsibility for monitoring, management and security. Examples: AWS, Azure and Google Compute Platform.

Question 6

Platform as a Service (PaaS)

Answer 6

Approaches occupy a middle ground between SaaS and IaaS services. In this approach, the service provider operates an infrastructure that is fully managed and configurable to run customer applications. Customers then deploy applications that they either developed themselves or purchased from vendors onto the service provider’s platform, where they run with minimal customer management. Example: Heroku

Question 7

Function as a Service (FaaS)

Answer 7

Cloud customers are increasingly embracing a technology called FaaS that allows for a serverless application architecture. Developers write functions in common programming languages and can then configure the FaaS platform to execute (or “trigger”) those functions in response to events. Functions deployed in this manner are discrete units of code that are easily scaled to millions, or even billions, of executions per day. Example: Lambda

Question 8

Public Cloud

Answer 8

Public cloud service providers deploy infrastructure and then make it accessible to any customers who wish to take advantage of it in a multitenant model. A single customer may be running workloads on servers spread throughout one or more datacenters, and those servers may be running workloads for many different customers simultaneously.

Question 9

Private Cloud

Answer 9

Used to describe any cloud infrastructure that is provisioned for use by a single customer. This infrastructure may be built and managed by the organization that will be using the infrastructure, or it may be built and managed by a third party. The key distinction here is that only one customer uses the environment. For this reason, private cloud services tend to have excess unused capacity to support peak demand and, as a result, are not as cost efficient as public cloud services.

Question 10

Community Cloud

Answer 10

Service shares characteristics of both the public and private models. Community cloud services run in a multitenant environment, but the tenants are limited to members of a specifically designed community. Community membership is normally defined based on shared mission, similar security and compliance requirements, or other commonalities.

Question 11

Hybrid Cloud

Answer 11

Is a catch-all term used to describe cloud deployments that blend public, private, and/or community cloud services together. It is not simply purchasing both public and private cloud services and using them together. Hybrid cloud requires the use of technology that unifies the different cloud offerings into a single coherent platform.

Question 12

Bursting

Answer 12

For example, a firm might operate their own private cloud for the majority of their workloads and then leverage public cloud capacity when demand exceeds the capacity of their private cloud infrastructure. This approach is known as public cloud bursting.

Question 13

Shared Responsibility Model = Security of IaaS, PaaS, SaaS - Data -> Application -> OS -> Hardware -> Datacenter

Answer 13

IaaS = Data, Application, OS - Customer Responsbilities
Hardware & Datacenter = Shared Responsibilities
PaaS = Data - Customer Responsibility
Application - Shared Responsiblities
OS, Hardware, DataCenter - Shared Responsiblity
SaaS = Data - Shared
Application, OS, Hardware, Datacenter - Vendor Responsiblities

Question 14

Infrastructure as a Code (IaC)

Answer 14

Is one of the key enabling technologies behind the DevOps movement and is also a crucial advantage of cloud computing solutions. IaC is the process of automating the provisioning, management, and deprovisioning of infrastructure services through scripted code rather than human intervention. IaC is one of the key features of all major IaaS environments, including AWS, Microsoft Azure, and Google Cloud Platform.

Question 15

Advantages of using IaC

Answer 15

• Increasing the reusability of code
• Reducing the time spent by operations team creating infrastructure components
• Increasing the speed of infrastructure creation
• Reducing the likelihood of configuration errors by leveraging common templates

Question 16

API

Answer 16

APIs are standard interfaces used to interact with web-based services in a programmatic fashion. Cloud service providers create APIs and then expose them to their customers to allow customer code to provision, manage, and deprovision services.

Question 17

API Keys

Answer 17

Similar to passwords. When a user sends a request through an API, they also send their API key to authenticate the request. Cloud provider validates the API key and checks that the user, system, or application associated with that key is authorized to perform the requested action.

Question 18

Three Open Source Cloud Assessment Tools

Answer 18

ScoutSuite, Pacu and Prowler

Question 19

ScoutSuite

Answer 19

Is a multicloud auditing tool that reaches into the users accounts with cloud service providers and retrieves configuration information using those services API’s. Deeply probes the service configuration and searches for potential security issues

Question 20

Pacu

Answer 20

Is not a scanning tool but rather a cloud-focused exploitation framework, similar to Metasploit. Works specifically with AWS accounts and is designed to help attackers determine what they can do with the access they have to an existing AWS account.

Question 21

Prowler

Answer 21

Is a security configuration testing tool, quite similar to ScoutSuite in purpose. Prowler performs deeper testing of some parameters, but it is limited to scanning AWS environments.

Question 22

Cloud Access Security Brokers (CASBs)

Answer 22

Software tools that serve as intermediaries between cloud service users and cloud service providers. This positioning allows them to monitor user activity and enforce policy requirements.

Question 23

Inline CASB Solution

Answer 23

Physically or logically reside in the connection path between the user and the service. They may do this through a hardware appliance or an endpoint agent that routes requests through the CASB. This approach requires configuration of the network and/or endpoint devices. It provides the advantage of seeing requests before they are sent to the cloud service, allowing the CASB to block requests that violate policy.

Question 24

API-based CASB

Answer 24

Do not interact directly with the user but rather interact directly with the cloud provider through the provider’s API. This approach provides direct access to the cloud service and does not require any user device configuration. However, it also does not allow the CASB to block requests that violate policy. API-based CASBs are limited to monitoring user activity and reporting on or correcting policy violations after the fact.

Question 25

Describe the 4 Types of Cloud Services

Answer 25

Infrastructure as a service (IaaS) offerings provide customers with access to storage, computing, and networking capabilities—the basic building blocks of technology solutions. Software as a service (SaaS) offerings provide customers with a complete application, built and managed by the provider. Platform as a service (PaaS) offerings allow customers to run their own applications on an infrastructure managed by the provider. Function as a service (FaaS) offerings allow customers to execute discrete units of code on the provider’s infrastructure.