Cloud Concepts Architecture and Design Flashcards
What are the main parts of the NIST cloud definition ?
Cloud has five essential characteristics, three service models and four deployment models
What are the essential characteristics of the cloud ?
- Broad Network Access
- Resource Pooling
- Multitenancy
- Rapid Elasticity and Scalability
- Metered Service
- On Demand Service
What is the idea behind the concept of orchestration in the Cloud ?
It is mainly the responsibility of the cloud provider to provide access to the cloud without forcing the cloud customer to adopt vendor-specific components such as browser plugins.
What is the function of the hypervisor in virtualization ?
To allocate CPU and RAM
What are the two types of hypervisor ?
Type 1: Bare metal - runs directly on the hardware, no host OS
Type 2: Runs on top of a host OS
What is guest escape ?
The ability, in a multi-tenanted environment, to access other customers' data or software.
What is resource pooling ?
Characteristic that allows the cloud provider to meet various demands of customers while remaining financially viable.
What are five cost benefits of moving to the cloud ?
- Reduction in Capital Expense
- Reduction in Personnel Costs
- Reduction in Operation Costs
- Transfer of Regulatory Costs
- Reduction in Archival and Backup costs
What is a capital expense ?
If an organisation buys a server, for example, that is a capital expense, and the company is going to incur a cost from either under-utilisation or under-capacity. Because buying a service is an operational expense, some of this cost is tax deductible as a legal expense.
What is the benefit of reducing Personnel costs ?
IT personnel are expensive to hire and train. By switching to the cloud you can offload some of this expense to the cloud provider.
What is the advantage of transferring regulatory costs ?
Some cloud providers are already compliant in their hardware setup against certain standards such as PCI DSS. This means the cloud customer can save this cost and concentrate on making other areas compliant, such as their processes.
As a cloud customer can I transfer my PII data responsibility to the cloud provider ?
No. Ultimately the cloud customer is still responsible for PII data. There may be cases where the cloud customer can sue the provider if they can prove negligence, but the customer is still responsible.
What is the difference between elasticity and scalability in Cloud computing ?
Elasticity is about handling short-term fluctuations in demand, whereas scalability is the more medium to long-term ability to cope with the increasing customer base of a company.
What is the difference between a cloud customer and a cloud user ?
A cloud customer is buying services directly from the cloud provider, whereas a cloud user is using those purchased services. For example, if I buy a cloud-enabled phone app I am a cloud user, not a cloud customer.
What are the three main service models in the cloud ?
IaaS, PaaS, SaaS
What is IaaS ?
The most basic of the offerings: essentially you get only the machine, and it is your responsibility to install the OS. This is a good option if you want to have control over patching and the security of the data you put on these machines.
What is PaaS ?
PaaS is where the cloud provider gives you the OS and its patching, and retains responsibility for it.
You are responsible for what you install on top of the OS. Software houses like this option as they want to develop software, not maintain an OS.
What is SaaS ?
Software as a Service is where you just consume the service as an end user. You have very little control over the security and placement of the data.
What is the Public cloud deployment model ?
Software as a Service is where you just consume the service as an end user. You have very little control over the security and placement of the data.
What is the private cloud deployment model ?
Resources are dedicated to a single customer. It might be owned and maintained by the customer of its services, but it may also be services offered by a public cloud provider that are made available solely for that customer.
What is the community cloud deployment model ?
The cloud is owned and operated by an affinity group: people and organisations come together to perform similar tasks and operations.
An example is the PlayStation Network.
A community cloud can also be provisioned by a third party on behalf of members of that community.
What is the hybrid cloud deployment model ?
A combination of other deployment models
What is a cloud service broker ?
A company that purchases services from the cloud provider and then resells them to its own customers.
What does a Cloud Access Security Broker do ?
A third party entity offering independent IAM services to cloud customers
What does the term cloud portability mean ?
The ability to move applications and associated data between providers
What is FIPS 140-2 ?
Describes the process for accrediting and describing cryptosystems for use by the federal government.
What is NIST 800-53 ?
A guidance document with the primary goal of ensuring that appropriate security requirements and controls are applied to all US Federal government information
What is the trusted cloud initiative reference model ?
A guide for cloud providers allowing them to create a holistic architecture so that cloud customers can purchase services with confidence.
What is vendor lock-out ?
Occurs when a customer is unable to recover access to their own data.
What is vendor lock-in ?
Vendor lock-in occurs when a customer is unable to leave a provider.
What are the five foundation concepts for the cloud ?
- Sensitive Data
- Virtualization
- Encryption
- Auditing and Compliance
- Cloud Service Provider Contracts
Why is auditing difficult in the cloud ?
Cloud providers are extremely reluctant to allow physical access to their facilities or to share network diagrams or lists of controls. Instead, cloud providers often offer an assertion of their own audit success.
What are the Cloud Service Provider Contracts ?
The SLAs on performance and provision, and the penalties for failure to deliver them.
What are the capacity issues for private cloud ?
A customer can exceed the available capacity.
How do community clouds and regulation work together ?
If a community is bound by a regulation such as HIPAA, it makes sense for them to pay the cloud provider to create a community cloud where the infrastructure is compliant.
What are the main cloud considerations ?
- Auditability
- Interoperability
- Regulatory
- Portability
- Security
- Performance
- Governance
- Privacy
- Resiliency
- Reversibility
- Maintenance
- Availability
- SLAs
What is the main risk of quantum computing for security ?
It makes many brute-force tasks cheap and readily available.
For a software company moving to the cloud, which is the greater security concern: multitenancy or remote access ?
Multitenancy is the primary concern, as it directly affects their core business.
Under PCI DSS, what information can never be stored ?
The card CVV number
What should be covered by a Business Continuity and Disaster Recovery contract ?
- Which party is responsible for initiating the recovery
- How the response is to be initiated
- How much a new cloud provider is to charge if data has to be ported
NOT: how soon data is to be ported to a new provider if the current provider can't provide the service
Who bears the cost if a customer wants to change an SLA that is currently in place ?
Customer
Out of the following costs, which is the most likely to be reduced when moving from on-prem to cloud: utility costs, security costs, landscaping costs or travel costs ?
Utility costs
Why might security controls and countermeasures be prohibitive when moving from on-premises to cloud ?
Moving to the cloud can mandate the use of additional security measures and features such as IDS/IPS and SIEM, which adds to the base cost of moving to the cloud.
Which type of technology does ISO 27001 favour ?
Open Source
If I wanted the benefit of international acceptance do I prefer ISO or NIST ?
ISO
Why might NIST be an important factor for you in moving to the cloud ?
Price. Implementing NIST on a private cloud, a community cloud or on-premises is expensive, but many public vendors offer compliance with this standard out of the box.
Service Organization Control reports are derived from which standard published by the American Institute of Certified Public Accountants ?
Sherwood Applied Business Security Architecture (SABSA)
Which US Federal law covers banking and insurance ?
Gramm-Leach-Bliley Act (GLBA)
What type of organisations are affected by Sarbanes-Oxley ?
Publicly traded companies
In encryption what is meant by the term work factor ?
The amount of time and resources needed to decrypt without using the key, i.e. by brute force.
In cryptography what is meant by the term initialisation vector ?
The addition of random text to the plaintext prior to encryption.
Adding this randomness stops attackers who are listening from seeing patterns in the encryption process. If I can see the same encryption pattern at specific points in the day, I can start to make deductions about it.
What is the best practice around initialisation vectors ?
Add a fresh randomized vector every time you encrypt.
What are the key features of Symmetric cryptography ?
- Fast
- Only gives confidentiality
- Does not scale well
- Requires out-of-band key distribution
Besides confidentiality, what else does asymmetric encryption offer ?
Non-repudiation
How can we use asymmetric cryptography to provide both confidentiality and non-repudiation?
What is session key cryptography ?
It represents the best of both worlds: we exchange a symmetric session key using asymmetric encryption, and can then use the faster symmetric key protocol with confidence.
What are the PCI DSS merchant levels ?
Merchant levels are a way of assessing risk and are based on the total number of transactions within a year.
* Level 1: Merchants with over 6 million transactions a year, across all channels or any merchant that has had a data breach
* Level 2: Merchants with between 1 million and 6 million transactions annually, across all channels
* Level 3: Merchants with between 20,000 and 1 million online transactions annually.
* Level 4: Merchants with fewer than 20,000 online transactions a year or any merchant processing up to 1 million regular transactions per year
Can PCI DSS non-compliance result in jail ?
No, because it is a voluntary standard.
Does PCI DSS only cover the technical aspects of security requirements ?
No, it covers non-technical aspects as well.
What are the common criteria evaluation levels ?
The Common Criteria enable an objective evaluation to validate that a particular product or system satisfies a defined set of security requirements.
What are the jurisdictional data challenges within the cloud ?
Data and resources are sometimes dynamically spun up and can cross jurisdictional boundaries.
What is Information Rights Management ?
The legal controls as to who has rights to the data
What is copyright ?
Copyright is the legal protection for the expression of ideas. It normally covers books, art, films etc. It does not cover ideas, words or formulae.
What are the typical time periods covered by copyright ?
70 years after the creator's death, or 120 years after publication of a work made for hire.
Is copyright always granted to the person who created the item to be copyrighted ?
In most jurisdictions yes, but there are some jurisdictions where copyright is granted to the person who registers it.
What is a trademark ?
Trademarks target specific words and graphics as the representation of an organisation's brand. Trademarks last in perpetuity as long as they are still used. Trademark infringement is actionable.
What is a patent ?
Patents cover inventions, processes and plant life. A patent gives the owner exclusivity in the production, sale and importation of the patented property.
Patents typically last for twenty years from the time of the application.
You can apply for a patent at the World Intellectual Property Organization under the Patent Cooperation Treaty.
How long does a patent usually last for ?
20 years
What is a trade secret ?
Trade secrets can be aggregations of information, such as a recipe. They cannot be disclosed to the public, and effort needs to be made to maintain this. The legal protection covers illicit theft of the secret, but not the case where the secret becomes public. They last in perpetuity as long as they are still in use.
If I discover a trade secret by accident or by other legal means, am I prosecutable ?
No
What are rudimentary reference checks ?
The content itself can check for proper usage and ownership. For example, asking for the input of a phrase or keyword from a page in the reference manual.
What are online reference checks ?
With online checks the user enters, for example, a product key, and the product periodically checks its validity online.
What are local agent checks in IRM ?
A local agent check is a piece of downloaded software that checks the user's system against an online licensing database. Steam is a gaming platform that uses this form of checking.
In IRM what is presence of licensed media ?
The system requires the presence of licensed media, such as a CD-ROM, in a drive. The IRM engine is on the media and is often installed with a cryptographic engine that identifies the unique disc.
What is support-based licensing ?
This is where the content needs to be supported such as patching which is only accessible by having a valid license.
With IRM what is the Replication Restriction problem ?
IRM is often about preventing duplication and cloning, and this can become a problem within a cloud-based system, which spins resources up and down many times.
In IRM, what are the agent issues ?
Software that requires an agent to be running in the background may not work given the dynamic nature of the cloud.
In IRM what is the concept of persistent protection ?
In IRM, the means to protect rights must always follow the content it is protecting.
In IRM what is dynamic content control ?
The IRM tool should allow content creators and data owners to modify the ACLs and permissions of the protected data under its control.
In IRM what is automatic expiration ?
The IRM restrictions should automatically expire when there is a time limit on the protection.
What is remote revocation in IRM ?
The content author should be able to revoke rights automatically whenever there has been an infringement.
What is a data retention period ?
The retention period is the length of time that an organisation should keep its data. This usually refers to data being held in long-term storage.
What is a data retention format requirement ?
This is the format the data is stored in, what type of media is used and the handling considerations. Some regulations, for example, require data to be stored in an encrypted manner.
What should a data policy say about retention monitoring and enforcement ?
The data policy should list in detail how often data will be reviewed and amended, by whom, the consequences for failing to do so, and which entity within the organisation is responsible for enforcement.
Why is data retention in the cloud difficult ?
It can be very difficult to determine whether the cloud provider is still holding on to data.
When in the data lifecycle does data retention kick in ?
Archival
What is a legal hold ?
A legal hold is an obligation to hold on to data that supersedes regulatory requirements. It comes into force during an investigation. In the USA the Federal Rules of Evidence set out the legal hold, and this cuts across regulations such as HIPAA.
In Data Retention what is data audit ?
This is primarily concerned with logging. There are four main challenges around logging:
- Log review and analysis is often not a priority
- Log review is mundane and repetitive
- Log review needs experienced practitioners
- Log review should be done by those who understand the operations being logged
Although a popular idea is to log everything, this is often not a good thing, due to the increased storage and collection costs and also the security implications of having large amounts of data stored.
Why is data destruction in the cloud difficult?
Because many of the techniques require access to the physical hardware.
What is the physical destruction of hardware in data destruction ?
This is the actual destruction of the storage media. It can be carried out by melting, burning, grinding and drilling. This is the most preferred method of data destruction.
What is degaussing ?
Involves running magnetic waves over the media. Does not work for SSD storage.
What is overwriting ?
Multiple passes of random data with a final pass of all zeros. Very time consuming for large data stores, and does not work for SSD drives.
What is cryptoshredding ?
Encrypting the data with an encryption engine, then encrypting the keys with a second encryption engine, and finally deleting the keys from the second round of encryption.
What is the most viable data destruction technique open to cloud customers ?
Crypto shredding
Does a delete operation delete data ?
No, it merely removes the logical pointers to the data.
What should the data policy cover with regards to data deletion ?
- The process for data disposal
- Applicable regulations
- When data should be destroyed
Who acts as the data processor in the cloud ?
Cloud Provider