Cloud Concepts Architecture and Design Flashcards

1
Q

What are the main parts of the NIST cloud definition?

A

Cloud has five essential characteristics, three service models and four deployment models

2
Q

What are the essential characteristics of the cloud ?

A
  • Broad Network Access
  • Resource Pooling
  • Multitenancy
  • Rapid Elasticity and Scalability
  • Metered Service
  • On Demand Service
3
Q

What is the idea behind the concept of orchestration in the Cloud ?

A

It is mainly the responsibility of the cloud provider to provide access to the cloud without forcing the cloud customer to adopt vendor-specific components such as browser plugins.

4
Q

What is the function of the hypervisor in virtualization ?

A

To allocate CPU and RAM

5
Q

What are the two types of hypervisor ?

A

Type 1: Bare metal - runs directly on the hardware, with no host OS

Type 2: Runs on top of a host OS

6
Q

What is guest escape ?

A

The ability, in a multi-tenant environment, to access other customers' data or software.

7
Q

What is resource pooling ?

A

Characteristic that allows the cloud provider to meet various demands of customers while remaining financially viable.

8
Q

What are five cost benefits of moving to the cloud?

A
  1. Reduction in Capital Expense
  2. Reduction in Personnel Costs
  3. Reduction in Operation Costs
  4. Transfer of Regulatory Costs
  5. Reduction in Archival and Backup costs
9
Q

What is a capital expense ?

A

If an organisation buys a server, for example, that is a capital expense, and the company will incur a cost from either under-utilisation or under-capacity. Because buying a service is an operational expense, some of this cost is tax deductible as a legal expense.

10
Q

What is the benefit of reducing Personnel costs ?

A

IT Personnel are expensive to hire and train. By switching to the cloud you can offload some of this expense to the cloud provider.

11
Q

What is the advantage of transferring regulatory costs?

A

Some cloud providers will already be compliant in their hardware setup against certain standards, for example PCI DSS. This means the cloud customer can save this cost and concentrate on making other areas, such as their processes, compliant.

12
Q

As a cloud customer can I transfer my PII data responsibility to the cloud provider ?

A

No. Ultimately the cloud customer is still responsible for PII data. There may be cases where the cloud customer can sue the provider if they can prove negligence, but they are still responsible.

13
Q

What is the difference between elasticity and scalability in Cloud computing ?

A

Elasticity is about handling short-term fluctuations in demand, whereas scalability is a more medium- to long-term ability to cope with an increasing customer base.

14
Q

What is the difference between a cloud customer and a cloud user ?

A

A cloud customer is buying services directly from the cloud provider, whereas a cloud user is using those purchased services. For example, if I buy a cloud-enabled phone app, I am a cloud user, not a cloud customer.

15
Q

What are the three main service models in the cloud?

A

IaaS, PaaS, SaaS

16
Q

What is IaaS?

A

The most basic of the offerings: essentially only the machine is provided, and it is your responsibility to install the OS. This is a good option if you want control over patching and over the security of the data you put on these machines.

17
Q

What is PaaS ?

A

PaaS is where the cloud provider supplies the OS and its patching, and retains responsibility for it.

You are responsible for what you install on top of the OS. Software houses like this option as they want to develop software not maintain an OS.

18
Q

What is SaaS ?

A

Software as a service is where you just consume the service as an end user. You have very little control on the security and placement of the data.

19
Q

What is the Public cloud deployment model ?

A

Software as a service is where you just consume the service as an end user. You have very little control on the security and placement of the data.

20
Q

What is the private cloud deployment model ?

A

Resources are dedicated to a single customer. It might be owned and maintained by the customer of its services, or it may be services offered by a public cloud provider but made available solely for that customer.

21
Q

What is the community cloud deployment model ?

A

The cloud is owned and operated by an affinity group: people and organisations that come together to perform similar tasks and operations.

An example is the Playstation network.

A community cloud can also be provisioned by a third party on behalf of members of that community.

22
Q

What is the hybrid cloud deployment model ?

A

A combination of other deployment models

23
Q

What is a cloud service broker?

A

A company that purchases services from the cloud provider who then resells them to its own customers.

24
Q

What does the Cloud Access Security Broker role do?

A

A third party entity offering independent IAM services to cloud customers

25
Q

What does the term cloud portability mean?

A

The ability to move applications and associated data between providers

26
Q

What is FIPS 140-2?

A

Describes the process for accrediting and describing cryptosystems for use by the federal government.

27
Q

What is NIST 800-53?

A

A guidance document with the primary goal of ensuring that appropriate security requirements and controls are applied to all US Federal government information

28
Q

What is the Trusted Cloud Initiative reference model?

A

A guide for cloud providers allowing them to create a holistic architecture so that cloud customers can purchase services with confidence.

29
Q

What is vendor lock-out?

A

Occurs when a customer is unable to recover access to their own data.

30
Q

What is vendor lock-in?

A

Vendor lock-in is when a customer is unable to leave a provider.

31
Q

What are the five foundation concepts for the cloud ?

A
  1. Sensitive Data
  2. Virtualization
  3. Encryption
  4. Auditing and Compliance
  5. Cloud Service Provider Contracts
32
Q

Why is auditing difficult in the cloud ?

A

Cloud providers are extremely reluctant to allow physical access to their facilities or to share network diagrams or lists of controls. Instead, cloud providers often offer an assertion of their own audit success.

33
Q

What are the Cloud Service Provider Contracts?

A

The SLAs on performance and provision, and the penalties for failure to meet them.

34
Q

What are the capacity issues for private cloud ?

A

A customer can exceed them

35
Q

How do community clouds and regulation work together?

A

If a community is bound by a regulation such as HIPAA, then it makes sense for them to pay the cloud provider to create a community cloud where the infrastructure is compliant.

36
Q

What are the main cloud considerations ?

A
  1. Auditability
  2. Interoperability
  3. Regulatory
  4. Portability
  5. Security
  6. Performance
  7. Governance
  8. Privacy
  9. Resiliency
  10. Reversibility
  11. Maintenance
  12. Availability
  13. SLAs
37
Q

What is the main risk of quantum computing for security ?

A

Makes many brute force tasks cheap and available

38
Q

For a software company moving to the cloud, which is the greater security concern: multitenancy or remote access?

A

Multitenancy is the primary concern, as it directly affects their core business.

39
Q

Under PCI DSS, what information can never be stored?

A

Card CCV Number

40
Q

What should be covered by a Business Continuity and Disaster Recovery contract ?

A

Which party is responsible for initiating the recovery

How the response is to be initiated

How much a new cloud provider is to charge if data has to be ported

NOT: How soon data is to be ported to a new provider if the current provider can't provide the service

41
Q

Who bears the cost if a customer wants to change an SLA that is already in place?

A

Customer

42
Q

Out of the following costs, which is the most likely to be reduced when moving from on-prem to the cloud: utility costs, security costs, landscaping costs or travel costs?

A

Utility costs

43
Q

Why might security controls and countermeasures be prohibitive to moving from on-premises to the cloud?

A

The cloud provider can mandate the use of additional security measures and features, such as IDS/IPS and SIEM, which adds to the base cost of moving to the cloud.

44
Q

Which type of technology does ISO 27001 favour ?

A

Open Source

45
Q

If I wanted the benefit of international acceptance do I prefer ISO or NIST ?

A

ISO

46
Q

Why might NIST be an important factor for you in moving to the cloud ?

A

Price. Implementing NIST on a private cloud, a community cloud or on-premises is expensive, but many public cloud vendors offer compliance with this standard out of the box.

47
Q

Service Operation Control reports are derived from which standard published by the American Institute of Certified Public Accountants?

A

Sherwood Applied Business Security Architecture (SABSA)

48
Q

Which US federal law covers banking and insurance?

A

Gramm-Leach-Bliley Act (GLBA)

49
Q

What type of organisations are affected by Sarbanes-Oxley?

A

Publicly traded

50
Q

In encryption what is meant by the term work factor ?

A

The amount of time and resources used to decrypt without using the key i.e. brute force.

51
Q

In cryptography what is meant by the term initialisation vector ?

A

The addition of random text to the plaintext prior to encryption.

Adding this randomness stops attackers who are listening from seeing patterns in the encryption process. If I am seeing the same encryption pattern at specific points in the day, I can start to make deductions about it.

52
Q

What is the best practice around initialisation vectors ?

A

Use a fresh, randomised vector every time you encrypt.

53
Q

What are the key features of Symmetric cryptography ?

A

Fast

Only gives Confidentiality

Does not scale well

Out of Band Key Distribution

54
Q

Besides confidentiality, what else does asymmetric encryption offer?

A

Non Repudiation

55
Q

How can we use asymmetric cryptography to provide both confidentiality and non-repudiation?

A
56
Q

What is session key cryptography ?

A

It represents the best of both worlds: we communicate a symmetric public key using asymmetric encryption, and then we can use the faster symmetric key protocol with confidence.

57
Q

What are PCI DSS merchant levels?

A

Merchant levels are a way of assessing risk and are based on the total number of transactions within a year.
* Level 1: Merchants with over 6 million transactions a year, across all channels or any merchant that has had a data breach
* Level 2: Merchants with between 1 million and 6 million transactions annually, across all channels
* Level 3: Merchants with between 20,000 and 1 million online transactions annually.
* Level 4: Merchants with fewer than 20,000 online transactions a year or any merchant processing up to 1 million regular transactions per year

58
Q

Can PCI DSS non-compliance result in jail?

A

No, because it is a voluntary standard.

59
Q

Does PCI DSS only cover the technical aspects of security requirements?

A

No, it covers non-technical requirements as well.

60
Q

What are the common criteria evaluation levels ?

A

The Common Criteria enable an objective evaluation to validate that a particular product or system satisfies a defined set of security requirements.

61
Q

What are the jurisdictional data challenges within the cloud ?

A

Data and resources are sometimes dynamically spun up and can cross jurisdictional boundaries.

62
Q

What is Information Rights Management ?

A

The legal controls as to who has rights to the data

63
Q

What is copyright?

A

Copyright is the legal protection for the expression of ideas. It normally covers books, art, films, etc. It does not cover ideas, words or formulae.

64
Q

What are the typical time periods covered by copyright ?

A

70 years after the creator's death, or 120 years after publication for a work for hire.

65
Q

Is copyright always granted to the person who created the item to be copyrighted ?

A

In most jurisdictions, yes, but there are some jurisdictions where copyright is granted to the person who registers it.

66
Q

What is a trademark ?

A

Trademarks target specific words and graphics as the representation of an organisation's brand. Trademarks last in perpetuity as long as they are still used. Trademark infringement is actionable.

67
Q

What is a patent ?

A

Patents cover inventions, processes and plant life. A patent gives its owner exclusivity in the production, sale and importation of the patented property.

Patents typically last for twenty years from the time of the application.

You can apply for a patent at the World Intellectual Property Office under the Patent Cooperation Treaty.

68
Q

How long does a patent usually last for?

A

20 years

69
Q

What is a trade secret ?

A

Trade secrets can be aggregations of information, such as a recipe. They cannot be disclosed to the public, and effort needs to be made to keep them secret. The legal protection covers illicit stealing of the secret, but not the case where the secret becomes public. They last in perpetuity as long as they are still in use.

70
Q

If I discover a trade secret by accident or other non-illegal means, am I prosecutable?

A

No

71
Q

What are rudimentary reference checks ?

A

The content itself can check for proper usage and ownership, for example by asking for input of a phrase or keyword from a page in the reference manual.

72
Q

What are online reference checks ?

A

With online checks the user enters, for example, a product key whose validity the product periodically checks online.

73
Q

What are local agent checks in IRM ?

A

A local agent check is a piece of downloaded software that checks the user's system against an online licensing database. Steam is a gaming platform that uses this form of checking.

74
Q

In IRM what is presence of licensed media ?

A

The system requires the presence of licensed media, such as a CD-ROM, in a drive. The IRM engine is on the media and is often installed with a cryptographic engine that identifies the unique disk.

75
Q

What is support-based licensing?

A

This is where the content needs to be supported, for example by patching, which is only accessible with a valid licence.

76
Q

With IRM what is the Replication Restriction problem ?

A

IRM is often about preventing duplication and cloning, and this can become a problem within a cloud-based system which spins resources up and down multiple times.

77
Q

In IRM, what are the agent issues?

A

Software that requires an agent to be running in the background may not work in the dynamic nature of the cloud.

78
Q

In IRM what is the concept of persistent protection ?

A

In IRM the means to protect rights must always follow the content it is protecting.

79
Q

In IRM what is dynamic content control ?

A

The IRM tool should allow content creators and data owners to modify ACLs and permissions for the protected data under its control.

80
Q

In IRM what is automatic expiration ?

A

The IRM restrictions should automatically expire when there is a time limit on the protection.

81
Q

What is remote revocation in IRM ?

A

The content author should be able to revoke rights automatically whenever there has been an infringement.

82
Q

What is a data retention period ?

A

The retention period is the length of time that an organisation should keep its data. This usually refers to data being stored in long-term storage.

83
Q

What is a data retention format requirement ?

A

This is the format that data is stored in, the type of media, and handling considerations. Some regulations, for example, require data to be stored in an encrypted form.

84
Q

What should a data policy say about retention monitoring and enforcement ?

A

The data policy should list in detail how often data will be reviewed and amended, by whom, the consequences for failing to do so, and which entity within the organisation is responsible for enforcement.

85
Q

Why is data retention in the cloud difficult ?

A

It can be very difficult to determine if the cloud provider is holding on to data

86
Q

When in the data lifecycle does data retention kick in ?

A

Archival

87
Q

What is a legal hold ?

A

A legal hold is an obligation to hold on to data that supersedes regulatory requirements. It comes into force during an investigation. In the USA the Federal Rules of Evidence set out the legal hold, and this cuts across regulations such as HIPAA.

88
Q

In Data Retention what is data audit ?

A

This is primarily concerned with logging. There are four main challenges around logging:

  • Log review and analysis is often not a priority
  • Log review is mundane and repetitive
  • Log review needs experienced practitioners
  • Log review should be done by those who understand the operations being logged

Although a popular concept is to log everything, this is often not a good thing, due to the increased storage and collection costs and also the security implications of having large amounts of data stored.

89
Q

Why is data destruction in the cloud difficult?

A

Because a lot of the techniques require you to have access to the physical hardware.

90
Q

What is the physical destruction of hardware in data destruction ?

A

This is the actual destruction of the storage media. It can be carried out by melting, burning, grinding and drilling. This is the most preferred method of data destruction.

91
Q

What is degaussing?

A

Involves running magnetic waves over the media. Does not work for SSD storage.

92
Q

What is overwriting?

A

Multiple passes of random data with a final pass of all zeros. Very time consuming for large data stores and does not work for SSD drives.

93
Q

What is cryptoshredding ?

A

Encrypting data with an encryption engine, then encrypting the keys with a second encryption engine, and deleting the keys from the second round of encryption.

94
Q

What is the most viable data destruction technique open to cloud customers ?

A

Cryptoshredding

95
Q

Does a delete operation delete data ?

A

No, it merely removes the logical pointers to the data.

96
Q

What should the data policy cover with regard to data deletion?

A

The process for data disposal

Applicable regulations

When data should be destroyed.

97
Q

Who acts as the data processor in the cloud ?

A

Cloud Provider