Cloud Concepts, Architecture, and Design Flashcards
What service model is an application like DropBox and Office 365?
SaaS
What does the customer have access to in SaaS?
Enterprise apps, Desktop apps, and Mobile apps
What service model is a platform like Windows Server?
PaaS
What does the customer have access to in PaaS?
Development/runtime tools/environment
What service model offers processing, storage, or networking resources like a vDC (Virtual Data Center)?
IaaS
What does the customer have access to in IaaS?
CPU, disk drives, networks, and data centers
What service category supports real-time interaction and collaboration? Examples include voice over IP (VoIP or Internet telephony), IM, collaboration and videoconference applications using fixed and mobile devices.
CaaS - Communications as a Service
What service category supports processing resources to run software?
CompaaS - Compute as a service
Concepts and objects related to software computation. Refers to processing power, memory, networking, storage, and other resources required for the computational success of any program.
Compute
What can version control be used for?
Tracking versions worked on by developers and track configuration of systems and apps.
What is it called when you have the ability to reverse original operations and a move?
Reversibility
What is it called when you design workloads that don’t leverage vendor specific features?
Portability
What is it called when a vendor can easily support solution integrations?
Interoperability
What is it called when data science and statistics are used to uncover hidden knowledge in data accumulated each day?
Machine learning
Uncover trends, categorize records, and run biz efficiently.
What ML analyzes data to do
What are a collection of techniques designed to mimic human thought processes in computers?
AI
What is descriptive analytics?
Describing data.
Using existing data to predict future events.
Predictive analytics
Optimizing our behavior by simulating many scenarios.
Prescriptive analytics
Storing records to distribute among many different systems in a manner that prevents anyone from tampering with them in a ledger.
Blockchain technology
What is connecting nontraditional devices to the internet for collection, analysis, and control?
IoT - Internet of Things
What is a lightweight way to package an app to make it portable to move easily b/w hardware platforms?
Containers
Instead of running hypervisors, systems supporting containers run a…
Containerization platform
What is the major benefit of containers over virtual machines?
They don’t have their own OS kernel - they use the host’s OS kernel.
What technology seeks to replace the binary 1 and 0 bits of digital computing?
Quantum computing
What involves putting processing power on remote sensors and allowing them to perform the heavy lifting required to process data before transmitting a small subset of that data back to the cloud?
Edge computing
What involves placing gateway devices out in the field to collect info from sensors and perform that correlation centrally at the remote location before returning data to the cloud?
Fog computing
What are edge and fog computing for?
Increasing our ability to connect IoT devices to the cloud.
Guarantee that no outside process can view or alter the data being handled within the environment.
What trusted execution environments (TEEs) do
Enables scalability, reduces error through use of immutable servers, and makes testing easy.
3 things Infrastructure as Code does
Broad network access, on-demand self-service, resource pooling, rapid elasticity and scalability, and metered service.
Common cloud characteristics
When services are consistently accessible over the network.
Broad network access
When customers can scale their compute and/or storage needs w/ little or no intervention from or prior communication with the provider.
On-demand self-service
Allows CP to meet various demands from customers while remaining financially viable, and apportion resources as needed so resources aren’t underutilized or overtaxed.
Resource pooling
What is rapid elasticity and scalability?
Allows customer to grow/shrink IT footprint to meet operational needs without excess capacity.
All cloud activity is metered so you only pay for what you use.
Measured/metered service
What is scalability?
Ability of system to grow as demand increases.
What is elasticity?
Ability of system to dynamically grow/shrink based on current demand.
Aspects of device, process, or employee that are not necessary for accomplishing task but desired.
Non-functional requirements
Performance aspects of device, process, employee that are necessary for the business task to be accomplished.
Functional requirements
Interviewing functional managers, users, senior mgmt., observing employees, surveying customers, collecting network traffic, inventorying assets, collecting financial/insurance records, marketing data and regulatory mandates.
Methods of gathering business requirements
An assessment of the priorities given to each asset and process within the org and the effect harm or loss of asset has to org.
BIA
What are important things to consider during BIA?
Critical paths and single points of failure.
Routers and servers are examples of _____ assets.
Tangible
Software code, ideas, and business methodologies are examples of _____ assets.
Intangible
To gain an understanding of what benefits the org might derive from cloud migration and associated costs.
Purpose of a cost-benefit analysis
When an organization can experience dramatic/rapid/significant demand without being overwhelmed, and allows customer to dictate volume of resource usage.
Rapid elasticity
Augmenting internal/private data center capabilities with managed services during times of increased demand.
Cloud bursting
To bring all an organization’s cloud activities under more centralized control, ensure services meet technical, functional, and security requirements, and monitor for duplicative services.
Purpose of a cloud governance program
What is Shadow IT?
When BLs provision cloud services on their own to satisfy unmet technical needs.
What is a personnel benefit of moving to the Cloud?
Not having to pay expensive salaries for Internal IT.
The cloud benefit realized when CP offers holistic, targeted regulatory compliance packages.
Regulatory
What’s true about PII?
You’re responsible for the data regardless of whether you’re using a cloud service, including any breaches caused by negligence of the CP.
Cost-benefit calculations are driven by what?
Security concerns.
How do you calculate ROI?
Net Profit/Net Assets
What is the service category where the provider delivers an entire app – configuring servers – and customer just uses service?
SaaS
What are some SaaS examples?
Google Apps, Microsoft Office 365, Dropbox
What is the service category where the customer purchases basic computing resources to create customized IT solutions?
IaaS
Compute capacity and data storage are things _____ vendors might provide.
IaaS
What are the 4 largest IaaS vendors?
AWS, Azure, Google Compute Engine, and Alibaba.
What are these: Virtualized server, block storage, object storage, networking capacity, orchestration of automation to administer the cloud infrastructure.
Types of infrastructure capability for IaaS
What is the service category where customers can run their own app code w/out worrying about server config?
PaaS
What is the common PaaS capability where customer creates specialized functions that run on a schedule or in response to events?
FaaS – Function as a Service
What are the cloud deployment models?
Private, public, hybrid, multi-cloud, and community cloud.
What is it called when many different customers share use of the same computing resources?
Multitenancy
What is it when a CP can sell customers a total capacity that exceeds the physical capacity of their infrastructure b/c customers will never use all capacity simultaneously?
Oversubscription
Multitenancy works because of…
Resource pooling.
They offer some product or service that interacts with the primary offerings of a CSP.
Cloud service partner
CSPs who offer managed IAM services to cloud customers that integrate security requirements across cloud services.
CASB
Use cloud services, perform service trials, monitor services, administer service security, provide billing and usage reports, handle problem reports, administer tenancies, perform biz admin, select/purchase service, request audit reports.
Customer responsibilities
Prepare systems and provide cloud services, monitor/administer services, manage assets/inventories, provide audit data, manage customer relationships and handle customer requests, perform peering w/ other cloud providers, ensure compliance, provide network connectivity.
CSP responsibilities
Who fulfills the following: Design, create, maintain service component, test services, perform audits, set up legal agreements, acquire and assess customers, and assess marketplace.
Cloud Service Partners
When many different virtual servers make use of the same underlying hardware.
Virtualization
Virtualization involves the use of…
A host machine that has physical hardware that then hosts several virtual guest machines.
Manages the guest VMs and tricks them into thinking they’re running on their own hardware instead of the shared hardware of the host machine.
Hypervisors
Also called a bare metal hypervisor, runs directly on top of the hardware and then hosts guest OS on top of that.
Type 1 hypervisor
Physical machine runs an OS of its own and the hypervisor runs as a program on top of that OS.
Type 2 hypervisor
When a hacker is able to break out of a virtualized guest operating system.
VM escape attack
What is virtualization technology designed to do?
Strictly enforce isolation.
What does virtualization make it easy to do?
Create new servers in a data center.
What is it called when there are large numbers of unused and abandoned servers on the network?
VM sprawl
Why is VM sprawl dangerous?
B/c unused and abandoned servers accumulate serious security vulns if they’re not properly patched.
What is it called when you can create computing resources to solve a problem and then get rid of them when they’re no longer needed?
Ephemeral computing
What is protecting assets from unauthorized access?
Confidentiality
What is protecting assets against unauthorized modification?
Integrity
What is ensuring assets are available for authorized use w/out disruption?
Availability
Protecting personal info we store, process, and transmit
Privacy
Working through existing and planned cloud relationships to ensure they comply with security, legal, business, and other constraints.
Governance
When contracts specify customer has the right to audit cloud providers.
Auditability
Ability of the cloud infrastructure to withstand disruptive events.
Resiliency
Third party that can conduct an independent assessment of cloud services, information system operations, performance, and security of the cloud implementation.
Cloud Service Auditor
An entity that manages the use, performance and delivery of cloud services and negotiates relationships between cloud providers (CSPs) and cloud consumers.
Cloud broker
Service intermediation - enhances service
Service aggregation - combines and integrates services
Service arbitrage - choose services from multiple agencies
functions of cloud broker
Responsible for business agreement, pricing for the cloud customer.
cloud service manager
The ability of a system to automatically grow and shrink based on app demand
elasticity
Ability to grow as demand increases.
scalability
Number of minutes of virtual server compute time
Amount of disk space you consume
Number of function calls you make
Amount of network egress and ingress
common metrics for measured service
5 building block technologies of the cloud
compute, databases, network, storage, orchestration
CSP provides the server, storage, and networking hardware and its virtualization. Customer installs middleware and applications.
compute
All virtualized to allow customers to design and customize to their needs. Enables customers to segment and restrict access however they would like.
network
A network architecture approach that enables the network to be intelligently and centrally controlled, or ‘programmed,’ using software
software defined network (sdn)
3 layers of sdn
management, control, data
The business applications that manage the underlying control plane are exposed with _____.
northbound interfaces
Control of network functionality and programmability is made directly to devices at this layer.
control plane
The network switches and routers located at this plane are associated with the underlying network infrastructure.
data plane
Ensures only trusted, authorized applications access critical network resources.
Northbound interface
OpenFlow protocol interfaces with devices through _____
southbound interfaces
_____storage maps a logical unit number (LUN) on a storage area network (SAN) to a VM.
raw
Offered by some CSPs, this is tailored to the needs of data archiving. This may include features like search, immutability, and data lifecycle management. Typically uses either volume or object storage infrastructure.
long-term storage
Volume storage is also called:
block
Examples of object storage
S3 and azure blob
Ensures that a write has been duplicated to all relevant copies of the data before finalizing the transaction, to increase availability.
strict consistency
Consistency of data is relaxed, which reduces the number of replicas that must be accessed during read and write operations before the transaction is finalized.
eventual consistency
Where content is stored in object storage, then replicated to multiple geographically distributed nodes to improve internet consumption speed
content delivery network (cdn)
Builds on the foundation of Infrastructure as Code (IaC), reducing manual admin tasks.
orchestration
— virtual machines (VM)
— virtual desktop infrastructure (VDI)
— software defined networks (SDN)
— virtual storage area networks (SAN)
virtual assets
T/F: Both hypervisors and VMs need to be patched
True
The cloud service provider (CSP) provides the least amount of maintenance and security in the _____ model.
IaaS
What hypervisor:
More secure if implemented properly
Commonly used for QA, load testing, and production scenarios
Typically, more expensive
Type 1: Bare metal
What hypervisor:
Increased attack surface (due to the host operating system)
Commonly used for individual development and lab scenarios
Typically, less expensive
Type 2: Hosted
Use cloud services
Perform service trials
Monitor services
Administer service security
Provide billing and usage reports
Handle problem reports
Administer tenancies
Perform business administration
Select and purchase service
Request audit reports
customer responsibilities
Prepare systems and provide cloud services
Monitor and administer services
Manage assets and inventories
Provide audit data
Manage customer relationships
Handle customer requests
Perform peering with other cloud service providers
Ensure compliance
Provide network connectivity
csp responsibilities
Design, create, and maintain service components
Test services
Perform audits
Set up legal agreements
Acquire and assess customers
Assess the marketplace
partner responsibilities
Provides guidance in implementing and managing customer usage of a platform
partner
Application capability types - reduced support costs and licensing fees
Platform capability types - reduces lock in
Infrastructure capability types - high reliability and resilience
benefits of public cloud
CSP provides building blocks, like networking, storage and compute
IaaS
Usage is metered
Eases scale (scale up, out, and down)
Reduced energy and cooling costs
benefits of IaaS
Customer is responsible for deployment and management of apps
CSP manages provisioning, configuration, hardware, and OS
PaaS
Core infrastructure updated by provider
Global collaboration for app development
Running multiple languages seamlessly
key benefits of PaaS
Customer just configures features
CSP is responsible for management, operation, and service availability.
SaaS
Limited administration responsibility
Limited skills required
Service always up to date
Global access
key benefits of SaaS
Devs have to write code
No server management
things PaaS and Serverless have in common
Less control over deployment environment
Application scales automatically
Application code only executes when invoked
Serverless
More control over deployment environment
Application has to be configured to auto scale
Application takes a while to spin up
PaaS
A cloud computing execution model where the cloud provider dynamically manages the allocation and provisioning of servers. Hosted as a pay as you go model based on use. Resources are stateless, servers ephemeral and often capable of being triggered.
serverless architecture
Provisioning of multiple business services is combined with different IT services to provide a single business solution.
services integration
Cloud is cost effective, global, secure, scalable, elastic, and always current
benefits of cloud computing
Everything runs on your cloud provider’s hardware
Advantages include scalability, agility, PAYG, no maintenance, and low skills
public cloud
A cloud environment in your own datacenter
A cloud environment dedicated to a single customer
Advantages include legacy support, control, and compliance
private cloud
Combines public and private clouds, allowing you to run your apps in the right location. Advantages include flexibility in legacy, compliance, and scalability scenarios
hybrid cloud
Similar to private clouds in that they are not open to the general public
But they are shared by several related organizations in a common community
community cloud
Combines resources from two or more public cloud providers
Allows orgs to take advantage of service and price differences, but at the cost of added complexity
multi cloud
Access controls help ensure that only authorized subjects can access objects
confidentiality
Ensures that data or system configurations are not modified without authorization
integrity
Authorized requests for objects must be granted to subjects within a reasonable amount of time
availability
Ability of one cloud service to interact with other cloud services by exchanging information according to a prescribed method and obtain predictable results.
interoperability
Process for cloud service customers to retrieve their data and application artifacts AND for the CSP to delete all cloud service customer data and contractually specified cloud service derived data after an agreed period.
reversibility
Policy - interoperate while complying w/ gov laws/regs
Behavioral - results of exchanged info matches expected outcome
Transport - commonality of communication b/w cloud consumer, provider, and other providers
Syntactic - two or more systems understand each other’s structure of exchanged info thru encoding syntaxes
Semantic Data - ability of systems exchanging info to understand meaning of data model w/in context
5 facets of cloud interoperability
Syntactic - using formats that can be decoded
Semantic - data model is understood
Policy - laws/regs/mandates followed
3 facets of cloud data portability
Ability of a cloud services data center and its associated components, including servers, storage, and so on, to continue operating in the event of a disruption.
resiliency
A discrete market, typically containing two or more regions, that preserves data residency and compliance boundaries
geography
A set of datacenters deployed within a latency defined perimeter and connected through a dedicated regional low latency network.
regions
A relationship between 2 Azure Regions within the same geographic region for disaster recovery purposes.
region pairs
Unique physical locations within a region with independent power, network, and cooling. Comprised of one or more datacenters. Tolerant to datacenter failures via redundancy and isolation.
availability zones
The duty to ensure private information is kept secret to the extent possible. A legal obligation in regulatory scenarios, and a due care obligation in U.S. law
confidentiality - focus on data
The right of an individual to have some control over how their personal information (PII,PHI) is collected, used, and potentially disclosed.
privacy - focus on rights of person
Ability of a service to remain responsive to requests to that service with an acceptable level of response latency or processing time.
performance
Enforcement of security policies and regulatory requirements, often through policy controls and regular audits.
governance
Ability to provide clear documentation of the actions in a data event.
auditability
Ability to determine who caused the event. This is sometimes called “identity attribution”.
Accountability
Ability to track down all events related to the investigated event.
traceability
A technical or contractual constraint that prevents a customer from moving from a provider.
vendor lock-in
The practice of applying data science to prevent, detect, and remediate cybersecurity threats. Data is collected from selected cyber security sources and then analyzed to provide timely, data driven patterns at scale.
cybersecurity data science
To create a new block on the chain, the computer that wishes to add the block solves a cryptographic puzzle and sends the solution to the other computers participating in that blockchain.
proof of work
A class of devices connected to the internet in order to provide automation, remote control, or AI processing in a home or business setting
internet of things
wearables, facility automation, sensors
internet of things
Examples include Docker and Kubernetes
containerization
A lightweight, granular, and portable way to package applications for multiple platforms. Reduces overhead of server virtualization by enabling containerized apps to run on a shared OS kernel. Shares many concerns of server virtualization: isolation at host, process, network, and storage levels
containerization
Replaces the binary one and zero bits of digital computing with multidimensional quantum bits known as qubits.
quantum computing
The practice of harnessing the principles of quantum mechanics to improve security and to detect whether a third party is eavesdropping on communications. Leverages fundamental laws of physics such as the observer effect, which states that it is impossible to identify the location of a particle without changing that particle.
quantum cryptography
The most common example of quantum cryptography. By transferring data using photons of light instead of bits, a confidential key transferred between two parties cannot be copied or intercepted secretly.
Quantum Key Distribution
Cryptographic algorithms (usually public key algorithms) that are thought to be secure against an attack by a quantum computer. Post quantum cryptography focuses on preparing for the era of quantum computing by updating existing mathematical based algorithms and standards.
Post quantum cryptography
Post quantum algorithms are sometimes called _____ cryptographic algorithms
“quantum resistant”
Some compute operations require processing activities to occur locally, far from the cloud. Processing and data storage are closer to the sensors rather than in the cloud data center.
edge computing
Complements cloud computing by processing data from IoT devices. Often places gateway devices in the field to collect and correlate data centrally at the edge. Generally, brings cloud computing nearer to the sensor to process data closer to the device.
fog computing
Sensitive data must be decrypted in memory before an app can process it, leaving the data vulnerable; this is the problem that _____ solves by isolating sensitive data in a protected _____ during processing, also called a _____.
confidential computing / CPU enclave / trusted execution environment (TEE)
This is the management of cloud infrastructure (networks, VMs, load balancers, and connection topology) described in code. Just as the same source code generates the same binary, code in this model results in the same environment every time it is applied. This is a key DevOps practice and is used in conjunction with CI/CD.
IaC
A chip that resides on the motherboard of the device. Multi purpose, like storage and management of keys used for full disk encryption (FDE) solutions. Provides the operating system with access to keys, but prevents drive removal and data access
trusted platform module
A physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions.
hardware security module
generation - in secure cryptographic module
distribution - encrypt key w/ separate encryption key
storage - keys protected at rest
use
revocation
destruction
encryption key lifecycle
In PKI, you would revoke the certificate on the issuing
Certificate Authority (CA)
Encryption keys must be secured _____ as the data they protect.
at the same level of control or higher
A _____ is anything that you want to control access to, such as API keys, passwords, certificates, tokens, or cryptographic keys.
secret
Something you know (pin or password)
Something you have (trusted device)
Something you are (biometric)
mfa
— Phishing
— Spear phishing
— Keyloggers
— Credential stuffing
— Brute force and reverse brute force attacks
— Man in the middle (MITM) attacks
all prevented by mfa
A _____ is a type of administrator account used to run an application.
service account
A solution that helps protect the privileged accounts within a tenant, preventing attacks
privileged access management
erasing, clearing (overwriting), purging
less secure data destruction
most secure data destruction
crypto shredding
Data cannot be recovered from any remnants.
High CPU and performance overhead
pro and con of crypto shredding
degaussing, shredding, pulverizing
hard drive media destruction methods - not reusable or recoverable
Act as a virtual firewall for virtual networks and resource instances. Carries a list of security rules (IP and port ranges) that allow or deny network traffic to resource instances. Provides a virtual firewall for a collection of cloud resources with the same security posture.
network security group
Restricting services that are permitted to access or be accessible from other zones using rules to control inbound/outbound traffic. Rules are enforced by the IP address ranges of each subnet. Within a virtual network, this can be used to achieve isolation.
segmentation
Port filtering through a network security group
example of segmentation
What is the modern approach to writing web service APIs.
Representational State Transfer (REST)
Enables multi language support, can handle multiple types of calls, and can return different data formats. APIs published by an organization should include encryption, authentication, rate limiting, throttling, and quotas.
API inspection and integration
Traffic is often sent directly to resources, and promiscuous mode on a VM NIC is not possible or effective.
EXAMPLES: Network Watcher (Azure), VPC traffic mirroring (AWS)
traffic inspection
Uses the Global Positioning System (GPS) or RFID to define geographical boundaries. Once the device is taken past the defined boundaries, the security team will be alerted.
geofencing
Treats user identity as the control plane. Assumes compromise / breach in verifying every request.
zero trust security
verify explicitly
use least privilege access
assume breach
zero trust principles
Network Security Group (NSG)
Network Firewalls
Inbound and outbound traffic filtering
Inbound and outbound traffic inspection
Centralized security policy management and enforcement
zero trust network architecture
Orchestration/scheduling controller
Network, storage
Container host
Container images
Container registry
Core components in a container platform (Docker, Kubernetes)
Container security shares many of the concerns of server virtualization, but must enforce _____ of network, data, storage access at container level.
isolation
These are cloud-based VMs where containers run
container hosts
Use API gateways as security buffers (to avoid DDoS attacks)
Configure secure authentication (OAuth, SAML, OpenID Connect, MFA)
Separate dev and prod environments, implement least privilege
serverless technology
REST uses the _____ protocol for web communications to offer API end points
HTTPS
Security mechanisms for _____ include API gateway, authentication, IP filtering, throttling, quotas, data validation
APIs
When attacks are designed to steal or wedge themselves into the middle of a conversation in order to gain control.
traffic hijacking
Process/effort to collect and analyze information before making a decision or conducting a transaction.
due diligence
Doing what a reasonable person would do in a given situation. It is sometimes called the “prudent person rule”.
due care
do detect is ______ and do correct is _____
due diligence / due care
Research
Planning
Evaluation
due diligence
Implementation
Operation (upkeep)
Reasonable measures
due care
Knowledge and research of:
Laws and Regulations
Industry standards
Best practices
due diligence
Delivery or execution including:
* Reporting security incidents
* Security awareness training
* Disabling access in a timely way
due care
Helps reduce outages or weakened security from unauthorized changes to the baseline configuration
Change Management
Uses a labeling or numbering system to track changes in updated versions of baseline (image, application, system,
Versioning
Performed to determine whether a particular patch or update applies to a system.
applicability assessment
To ensure it’s handled properly, it’s important to ensure data is _____ as soon as possible.
classified
Data should be protected by adequate security controls based on its _____.
classification
Refers to anytime data is in use or in transit over a network
share
Commonly protected with TLS or tunneled through VPN
data in transit
In storage (on disk, in database, etc) and protected through encryption
data at rest
In memory. Should be flushed from memory when transaction is complete or system is powered down
data in use
Helps you encrypt Windows and Linux IaaS VM disks using BitLocker (Windows) and the dm-crypt feature of Linux to encrypt OS and data disks.
full disk encryption
Helps protect SQL Database and data warehouses against the threat of malicious activity with real time encryption and decryption of database, backups, and transaction log files at rest without requiring app changes.
Transparent data encryption (TDE)
Ensures the data’s context and meaning are understood, along with the business rules governing the data’s usage. Uses that knowledge to ensure the data they are responsible for is used as intended.
data steward
The person or entity that controls processing of the data.
data controller
A natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller.
data processor
Responsible for day-to-day: safe custody, transport, and storage of data, and implementation of business rules, technical controls. Does not decide what controls are needed, but does implement controls for data owner
data custodian
focuses on the whole business
bcp
focuses more on the technical aspects of recovery
drp
T/F: BCP is an umbrella policy and DRP is part of it
True
addresses site level failure
region pairs
These address datacenter failures within a cloud region.
Availability zones
address rack level failures within a regional datacenter
availability sets
Contains two important items:
✓ a cost-benefit analysis (CBA) AND
✓ a calculation of the return on investment (ROI)
BIA
Can be strictly quantitative: adding the financial benefits and subtracting the associated costs to determine whether a decision will be profitable.
CBA
Define a system or its components and specify what it must do. Captured in use cases and defined at the component level.
Functional security requirements
Specify the system's quality, characteristics, or attributes. Apply to the whole system (system level).
Non-functional security requirements
VM attacks
Virtual network
Hypervisor attacks
VM-based rootkits
Virtual switch attacks
Colocation
DoS attack
security considerations for IaaS
System and Resource Isolation
User-Level Permissions
Access Management
Protection Against Malware, Backdoors, and Trojans
security considerations for PaaS
Data Segregation
Data Access and Policies
Web Application Security
security considerations for SaaS
Occurs when unmanaged VMs have been deployed on your network. Because IT doesn't know they are there, they may not be patched and protected, and are thus more vulnerable to attack.
vm sprawl
Enforcement of security policies for adding VMs to the network, as well as periodic scanning to identify new virtualization hosts, is how to avoid _____.
vm sprawl
Ensure hypervisor and VM patches are always up to date and that guest privileges are kept low. Server-level redundancy and HIPS/HIDS protection are also effective.
how to protect against vm escape
Freely available on the internet, these exploit known vulnerabilities in various operating systems, enabling attackers to elevate privilege.
Rootkit (escalation of privilege) - avoid by keeping security patches up to date, anti-malware software, EDR/XDR
Undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions. Often used in development and debugging.
back door - counter with firewalls, anti-malware, network monitoring, code review
Volume-based attacks targeting flaws in network protocols, often using botnets and techniques such as UDP flooding, ICMP flooding, or SYN flooding (TCP-based).
network DDoS
Exploit weaknesses in the application layer (Layer 7) by opening connections and initiating process and transaction requests that consume finite resources like disk space and available memory.
application DDoS
Targets the weaknesses of software and hardware devices that control systems in factories, power plants, and other industries, such as IoT devices.
operational technology (ot) DDoS
These are countermeasures for _____: IDS, IPS, rate limiting, firewall ingress/egress filters
DDoS
Automated software scanning
Automated vulnerability scanning
Web application firewall
Software dependency management
Access and activity logging
Application performance management
Are all _____ technical controls.
DevOps
Developer application security training
Documented policies and procedures
Code review, approval gates
DevOps admin controls
Provides guidelines for information security controls applicable to the provision and use of cloud services. Provides cloud-based guidance on several ISO/IEC 27002 controls, along with seven cloud controls that address:
1) Who is responsible for what between the cloud service provider and the cloud customer
2) The removal/return of assets when a contract is terminated
3) Protection and separation of the customer’s virtual environment
4) Virtual machine configuration
5) Administrative operations and procedures associated with the cloud environment
6) Customer monitoring of activity within the cloud
7) Virtual and cloud network environment alignment
ISO 27017
a secure network must be maintained in which transactions can be conducted
cardholder information must be protected wherever it is stored
systems should be protected against the activities of malicious hackers
cardholder data should be protected physically as well as electronically.
networks must be constantly monitored and regularly tested
a formal information security policy must be defined, maintained, and followed
PCI DSS objectives
Assures customers that the security products they purchase have been thoroughly tested by independent third-party testers and meet customer requirements.
ISO 15408
– Level 1: Lowest level of security.
– Level 2: Specifies the security requirements for cryptographic modules that protect sensitive information.
– Level 3: Requires physical protections to ensure a high degree of confidence that any attempts to tamper are evident and detectable
FIPS 140-2 security levels
AWS Well Architected Framework
Azure Well Architected Framework
Google Cloud Architecture Framework
cloud provider architecture reference
Microsoft Cybersecurity Reference Architecture
AWS Security Reference Architecture
Google Cloud Security Foundations Guide
cloud provider security reference