Cloud Application Security (Chapter 6)

Question 1

What are the Common Cloud Application Deployment Pitfalls?

Answer 1

• Performance
• Scalability
• Interoperability
• Portability
• Availabiltiy and Reliability
• API Security

Question 2

Common Cloud Application Deployment Pitfalls: Explain Performance pitfalls.

Answer 2

Cloud software development often relies on loosely coupled services. That means that designing for performance and ensuring performance goals are met can be complex, as multiple components may interact in unexpected ways, even in relatively simple designs.

The same complexity that can lead to performance issues can also allow developers to operate at almost any scale without maintaining infrastructure for the highest use cases, even when the solution is not being heavily used.

Question 3

Common Cloud Application Deployment Pitfalls: Explain Scalability Pitfalls.

Answer 3

One of the key features of cloud environments is the ability to scale, allowing applications and services to grow and shrink as need and demands fluctuate.

It needs to be able to run across many instances at once, to retain state regardless of which instance or server is handling requests, and to handle faults with individual servers cleanly.

At the same time, developers need to ensure that data remains secure in transit at rest in an environment that is scaling as needed.

Question 4

Common Cloud Application Deployment Pitfalls: Explain Interoperability Pitfalls.

Answer 4

Interoperability, or the ability to work across platforms, services, or systems, can be very important for cloud environments.

If you are providing a service, being able to interoperate with the systems that customers rely on can be a business advantage. If you are running your own services, being able to work on multiple platforms or in different cloud provider environments can help control costs and increase your options for hosting and service provider choice.

Question 5

Common Cloud Application Deployment Pitfalls: Explain Portability Pitfalls.

Answer 5

Designing software that can move between on-premises and cloud environments, or between cloud providers, requires that the software be portable.

Portability concerns in cloud software development typically center around avoidance of components specific to certain cloud vendors, like APIs or internal tools.

At the same time, avoiding use of those APIs and tools can require additional work or may make it harder to leverage the advantages that the cloud environment can offer to applications and services that leverage their native tools.

Question 6

Common Cloud Application Deployment Pitfalls: Explain Availability and Reliability Pitfalls.

Answer 6

At the same time, cloud providers do experience outages, and those outages can have a widespread impact. Even an outage that impacts a different cloud service provider than your own, or one that is centered in a different region or availability zone, can cause issues for your infrastructure or applications.

The interwoven and complex nature of cloud services means that understanding dependencies and how they may impact the reliability and availability of your own services can be challenging. In fact, they may be close to impossible to fully document in many organizations.

Question 7

Why is Cryptography important in the cloud scenario?

Answer 7

Cryptography is a key element of [[3. Cloud Data Security|data security in the cloud]], and application designs and architecture need to take into account where cryptography will be used throughout the [[3.1 Cloud Data Lifecycle|data lifecycle]].

Question 8

What kind of encryptions do you have in the cloud?

Answer 8

• Encryption of Data at Rest
• Encryption of Data in Transit
• Whole-Instance Encryption - Full Disk Encryption
• Volume Encryption

Question 9

Explain encryption of data at rest.

Answer 9

Data at rest, whether it be short-term or long-term storage, should be protected from potential issues created by the use of shared infrastructure (multitenancy) in cloud environments.

Encrypting data at rest is a great way to prevent unauthorized access to data and to prevent breaches if inadvertent access occurs or if remenant data is accessible to future users of the shared infrastructure.

Question 10

What is the primary requirement for security for any encryption scheme?

Answer 10

Keep in mind that the primary requirement for security any encryption scheme is the safe storage and management of the keys used to encrypt and decrypt.

Question 11

Explain Full-Disk Encryption and Whole-Instance Encryption.

Answer 11

Also known as full-disk encryption (FDE), whole-instance encryption involves encrypting a complete system’s disk or storage.

Full-disk encryption protects data on the device in the event the device itself is lost or stolen, including if a shutdown instance or snapshot is stolen or breached.

Question 12

Explain Volume Encryption.

Answer 12

Much like encrypting an entire device, volume encryption refers to encrypting only a partition on a hard drive or cloud storage that is presented as a volume, as opposed to an entire disk.

This is useful when the entire disk does not need to be encrypted because only the protected sections have data of any value, such as underlying operating system files that do not contain sensitive data.

Question 13

Explain Encryption of Data in Transit.

Answer 13

Encryption of data in transit helps prevent attacks on the network path between systems or users.

The most common means of protecting data in transit is via Transport Layer Security (TLS), a protocol designed to ensure privacy when communicating between applications.

Question 14

Is SSL and TLS the same?

Answer 14

You may here TLS referred to as SSL (Secure Sockets Layer), the protocol was used before TLS. In almost all modern cases, references to SSL actually mean TLS; but as a security practitioner you will have to make sure you check. SSL is outmoded and shouldn’t be in actual use!

Question 15

What does the term unencrypted protocol describe?

Answer 15

The term unencrypted protocols describes systems that attempt to encrypt traffic whenever they can, only falling back to unencrypted when they don’t succeed.

This often means wrapping communications using TLS.

Question 16

What is Sandboxing?

Answer 16

Sandboxing places systems or code into an isolated, secured environment where testing can be performed. Cloud sandboxing architectures often take advantage of the ability to quickly create independent, short-lived environments with built-in instrumentation and code-based infrastructure to allow sandbox testing.

Question 17

What is application virtualization

Answer 17

Application virtualization allows applications to be run without being directly linked to the underlying operating system. Unlike [[1.8.1 Hypervisors|hypervisors]] for system virtualization, application virtualization does not virtualize the entire system.

Instead, application virtualization tools insert themselves between applications and the operating system and virtualize that interface. This allows for greater [[6.1.1.4 Cloud Deployment Pitfalls - Portability|portability]] and segmentation while consuming fewer resources than a full virtual machine.

Common examples of application virtualization include Amazon’s AppStream, Citirx’s XenApp, Microsoft’s App-V, and VMware’s ThinApp.

Question 18

What are the high level differences between each type of virtualization?

Answer 18

Image

Question 19

What are the different virtualization types?

Answer 19

• Virtualization
• Containerization
• Application Virtualization

Question 20

What are the two common types of APIs?

Answer 20

• REST (Representational State Transfer)
• SOAP (Simple Object Access Protocol)

Question 21

What is Representational State Transfer (REST) used for?

Answer 21

The first is RESTful APIs. REST stands for Representational State Transfer. It is a software approach designed to scale the capabilities of web-based applications and is based on guidelines and best practices for creating scalable web applications.

Question 22

Name some characterists of the REST approach:

Answer 22

• Low processing/traffic overhead (“lightweight”)
• Uses simple URLs/URIs
• Not reliant on any single programming language
• Scalable
• Offers outputs in many formats (XML, JSON, and others)
• Uses HTTP verbs like:
  
  • POST to create an object
  • GET to read data
  • PUT to update or replace data
  • PATCH to update or modify an object
  • DELETE to delete an object

Question 23

What are the situations in which REST works well?

Answer 23

• when bandwidth is limited
• when stateless operations are used
• when caching is neede

Question 24

What is the Simple Object Access Protocol (SOAP)?

Answer 24

SOAP is the other common API approach you should be familiar with. Simple Object Access Protocol (SOAP) is a protocol specification providing for the exchange of structured information or data in web services. It also works over other protocols such as SMTP, FTP, and HTTP.

Question 25

Name a few characteristics of Simple Object Access Protocol (SOAP).

Answer 25

SOAP also has the following characteristics:
- Standards based
- Reliant on XML
- Highly intolerant of errors
- Slower
- Built-in error handling

Question 26

What is Simple Object Access Protocol (SOAP) well suited for?

Answer 26

SOAP is well suited to:
- asynchronous processing,
- format contracts,
- and stateful operations.

Question 27

Name the three different API models.

Answer 27

• Public APIs
• Partner APIs
• Private, or Internal, APIs

Question 28

Explain Public APIs.

Answer 28

Public APIs, which are provided to those outside the organization, allowing for integration by third parties. These are often licensed or have a pay-per-use model and need to be secured against misuse and overuse.

Question 29

Explain Partner APIs.

Answer 29

Partner APIs are provided to business partners or other organizations that your organization has an established relationship with. They are often used as part of shared business processes. Since they are exposed outside the organization, they often require additional security and monitoring.

Question 30

Explain Private, or Internal APIs.

Answer 30

Private, or Internal, APIs which are used for internal uses and are not made available to third parties. Private APIs are often exposed via an internal API directory and can leverage internal authentication and authorization capabilities more easily than a public or partner API.

Question 31

What are the 6 common API threats?

Answer 31

The following API threats are common:
- Injection attacks
- Denial-of-service (DOS) attacks
- Poorly secured API servers or services
- On-Path attacks
- Credential attacks, including
- stolen credentials
- accidental API key exposure
- brute force attacks
- Poor API key generation techniques

Question 32

What are API keys for?

Answer 32

API keys are unique identifies used for authentication and authorization to an API.
API keys may be associated with privileges or resource restrictions, and API key breaches can allow third parties to gain unauthorized access to an API, so keeping API keys secure is a critical security task.

Question 33

What are common security practices around API keys?

Answer 33

• avoiding API keys in code or in code repositories
• restricting their use
• deleting unneeded API keys
• ## regenerating keys so that long-lived keys aren’t useful to malicious actors who acquire them.