Cloud Concepts, Architecture, and Design Flashcards

1
Q

What service model is an application like Dropbox and Office 365?

A

SaaS

2
Q

What does the customer have access to in SaaS?

A

Enterprise apps, Desktop apps, and Mobile apps

3
Q

What service model is a platform like Windows Server?

A

PaaS

4
Q

What does the customer have access to in PaaS?

A

Development/runtime tools/environment

5
Q

What service model offers processing, storage, or networking resources like a vDC (Virtual Data Center)?

A

IaaS

6
Q

What does the customer have access to in IaaS?

A

CPU, disk drives, networks, and data centers

7
Q

What service category supports real-time interaction and collaboration? Examples include voice over IP (VoIP or Internet telephony), IM, collaboration and videoconference applications using fixed and mobile devices.

A

CaaS - Communications as a Service

8
Q

What service category supports processing resources to run software?

A

CompaaS - Compute as a service

9
Q

Concepts and objects related to software computation. Refers to processing power, memory, networking, storage, and other resources required for the computational success of any program.

A

Compute

10
Q

What can version control be used for?

A

Tracking versions worked on by developers and tracking the configuration of systems and apps.

11
Q

What is it called when you have the ability to reverse original operations and a move?

A

Reversibility

12
Q

What is it called when you design workloads that don’t leverage vendor specific features?

A

Portability

13
Q

What is it called when a vendor can easily support solution integrations?

A

Interoperability

14
Q

What is it called when data science and statistics are used to uncover hidden knowledge in data accumulated each day?

A

Machine learning

15
Q

Uncover trends, categorize records, and run biz efficiently.

A

What ML analyzes data to do

16
Q

What are a collection of techniques designed to mimic human thought processes in computers?

A

AI

17
Q

What is descriptive analytics?

A

Describing data.

18
Q

Using existing data to predict future events.

A

Predictive analytics

19
Q

Optimizing our behavior by simulating many scenarios.

A

Prescriptive analytics

20
Q

Storing records in a ledger distributed among many different systems, in a manner that prevents anyone from tampering with them.

A

Blockchain technology

21
Q

What is connecting nontraditional devices to the internet for collection, analysis, and control?

A

IoT - Internet of Things

22
Q

What is a lightweight way to package an app to make it portable to move easily b/w hardware platforms?

A

Containers

23
Q

Instead of running hypervisors, systems supporting containers run a…

A

Containerization platform

24
Q

What is the major benefit of containers over virtual machines?

A

They don’t have their own OS kernel - they use the host’s OS kernel.

25
What technology seeks to replace the binary 1 and 0 bits of digital computing?
Quantum computing
26
What involves putting processing power on remote sensors and allowing them to perform the heavy lifting required to process data before transmitting a small subset of that data back to the cloud?
Edge computing
27
What involves placing gateway devices out in the field to collect info from sensors and perform that correlation centrally at the remote location before returning data to the cloud?
Fog computing
28
What are edge and fog computing for?
Increasing our ability to connect IoT devices to the cloud.
29
Guarantee that no outside process can view or alter the data being handled within the environment.
What trusted execution environments (TEEs) do
30
Enables scalability, reduces error through use of immutable servers, and makes testing easy.
3 things Infrastructure as Code does
31
Broad network access, on-demand self-service, resource pooling, rapid elasticity and scalability, and metered service.
Common cloud characteristics
32
When services are consistently accessible over the network.
Broad network access
33
When customers can scale their compute and/or storage needs w/ little or no intervention from or prior communication with the provider.
On-demand self-service
34
Allows CP to meet various demands from customers while remaining financially viable, and apportion resources as needed so resources aren’t underutilized or overtaxed.
Resource pooling
35
What is rapid elasticity and scalability?
Allows customer to grow/shrink IT footprint to meet operational needs without excess capacity.
36
All cloud activity is metered so you only pay for what you use.
Measured/metered service
37
What is scalability?
Ability of system to grow as demand increases.
38
What is elasticity?
Ability of system to dynamically grow/shrink based on current demand.
39
Aspects of a device, process, or employee that are not necessary for accomplishing the task but are desired.
Non-functional requirements
40
Performance aspects of a device, process, or employee that are necessary for the business task to be accomplished.
Functional requirements
41
Interviewing functional managers, users, senior mgmt., observing employees, surveying customers, collecting network traffic, inventorying assets, collecting financial/insurance records, marketing data and regulatory mandates.
Methods of gathering business requirements
42
An assessment of the priorities given to each asset and process within the org, and the effect that harm to or loss of an asset has on the org.
BIA
43
What are important things to consider during BIA?
Critical paths and single points of failure.
44
Routers and servers are examples of _____ assets.
Tangible
45
Software code, ideas, and business methodologies are examples of _____ assets.
Intangible
46
To gain an understanding of what benefits the org might derive from cloud migration and associated costs.
Purpose of a cost-benefit analysis
47
When an organization can experience dramatic/rapid/significant demand without being overwhelmed, and allows customer to dictate volume of resource usage.
Rapid elasticity
48
Augmenting internal/private data center capabilities with managed services during times of increased demand.
Cloud bursting
49
To bring all an organization’s cloud activities under more centralized control, ensure services meet technical, functional, and security requirements, and monitor for duplicative services.
Purpose of a cloud governance program
50
What is Shadow IT?
When BLs provision cloud services on their own to satisfy unmet technical needs.
51
What is a personnel benefit of moving to the Cloud?
Not having to pay expensive salaries for Internal IT.
52
The cloud benefit realized when CP offers holistic, targeted regulatory compliance packages.
Regulatory
53
What’s true about PII?
You’re responsible for the data regardless of whether you’re using a Cloud service, and for any breaches caused by negligence of the CP.
54
Cost-benefit calculations are driven by what?
Security concerns.
55
How do you calculate ROI?
Net Profit/Net Assets
56
What is the service category where the provider delivers an entire app (including configuring servers) and the customer just uses the service?
SaaS
57
What are some SaaS examples?
Google Apps, Microsoft Office 365, Dropbox
58
What is the service category where the customer purchases basic computing resources to create customized IT solutions?
IaaS
59
Compute capacity and data storage are things _____ vendors might provide.
IaaS
60
What are the 4 largest IaaS vendors?
AWS, Azure, Google Compute Engine, and Alibaba.
61
What are these: Virtualized server, block storage, object storage, networking capacity, orchestration of automation to administer the cloud infrastructure.
Types of infrastructure capability for IaaS
62
What is the service category where customers can run their own app code w/out worrying about server config?
PaaS
63
What is the common PaaS capability where customer creates specialized functions that run on a schedule or in response to events?
FaaS – Function as a Service
64
What are the cloud deployment models?
Private, public, hybrid, multi-cloud, and community cloud.
65
What is it called when many different customers share use of the same computing resources?
Multitenancy
66
What is it when a CP can sell customers a total capacity that exceeds the physical capacity of their infrastructure b/c customers will never use all capacity simultaneously?
Oversubscription
67
Multitenancy works because of…
Resource pooling.
68
They offer some product or service that interacts with the primary offerings of a CSP.
Cloud service partner
69
CSPs who offer managed IAM services to cloud customers that integrate security requirements across cloud services.
CASB
70
Use cloud services, perform service trials, monitor services, administer service security, provide billing and usage reports, handle problem reports, administer tenancies, perform biz admin, select/purchase service, request audit reports.
Customer responsibilities
71
Prepare systems and provide cloud services, monitor/administer services, manage assets/inventories, provide audit data, manage customer relationships and handle customer requests, perform peering w/ other cloud providers, ensure compliance, provide network connectivity.
CSP responsibilities
72
Who fulfills the following: Design, create, maintain service component, test services, perform audits, set up legal agreements, acquire and assess customers, and assess marketplace.
Cloud Service Partners
73
When many different virtual servers make use of the same underlying hardware.
Virtualization
74
Virtualization involves the use of…
A host machine that has physical hardware that then hosts several virtual guest machines.
75
Manages the guest VMs and tricks them into thinking they’re running on their own hardware instead of the shared hardware of the host machine.
Hypervisors
76
Also called a bare metal hypervisor, runs directly on top of the hardware and then hosts guest OS on top of that.
Type 1 hypervisor
77
Physical machine runs an OS of its own and the hypervisor runs as a program on top of that OS.
Type 2 hypervisor
78
When a hacker is able to break out of a virtualized guest operating system.
VM escape attack
79
What is virtualization technology designed to do?
Strictly enforce isolation.
80
What does virtualization make it easy to do?
Create new servers in a data center.
81
What is it called when there are large numbers of unused and abandoned servers on the network?
VM sprawl
82
Why is VM sprawl dangerous?
B/c unused and abandoned servers accumulate serious security vulns if they’re not properly patched.
83
What is it called when you can create computing resources to solve a problem and then get rid of them when they’re no longer needed?
Ephemeral computing
84
What is protecting assets from unauthorized access?
Confidentiality
85
What is protecting assets against unauthorized modification?
Integrity
86
What is ensuring assets are available for authorized use w/out disruption?
Availability
87
Protecting personal info we store, process, and transmit
Privacy
88
Working through existing and planned cloud relationships to ensure they comply with security, legal, business, and other constraints.
Governance
89
When contracts specify customer has the right to audit cloud providers.
Auditability
90
Ability of the cloud infrastructure to withstand disruptive events.
Resiliency
91
Third party that can conduct an independent assessment of cloud services, information system operations, performance, and security of the cloud implementation.
Cloud Service Auditor
92
An entity that manages the use, performance and delivery of cloud services and negotiates relationships between cloud providers (CSPs) and cloud consumers.
Cloud broker
93
Service intermediation: enhances a service; service aggregation: combines and integrates services; service arbitrage: chooses services from multiple agencies
functions of cloud broker
94
Responsible for business agreement, pricing for the cloud customer.
cloud service manager
95
The ability of a system to automatically *grow and shrink* based on app demand
elasticity
96
Ability to grow as demand increases.
scalability
97
Number of minutes of virtual server compute time; amount of disk space you consume; number of function calls you make; amount of network egress and ingress
common metrics for measured service
98
5 building block technologies of the cloud
compute, databases, network, storage, orchestration
99
CSP provides the server, storage, and networking hardware and its virtualization. Customer installs middleware and applications.
compute
100
All virtualized to allow customers to design and customize to their needs. Enables customers to segment and restrict access however they would like.
network
101
A network architecture approach that enables the network to be intelligently and centrally controlled, or ‘programmed,’ using software
storage defined network (sdn)
102
3 layers of sdn
management, control, data
103
The business applications that manage the underlying control plane are exposed with _____.
northbound interfaces
104
Control of network functionality and programmability is made directly to devices at this layer.
control plane
105
The network switches and routers located at this plane are associated with the underlying network infrastructure.
data plane
106
Ensures only trusted, authorized applications access critical network resources.
Northbound interface
107
OpenFlow protocol interfaces with devices through _____
southbound interfaces
108
_____ storage maps a logical unit number (LUN) on a storage area network (SAN) to a VM.
raw
109
Offered by some CSPs, this is tailored to the needs of data archiving. This may include features like search, immutability, and data lifecycle management. Typically use either Volume or Object storage infrastructure.
long-term storage
110
Volume storage is also called:
block
111
Examples of object storage
S3 and azure blob
112
Ensures that the data has been duplicated to all relevant copies before finalizing the transaction, to increase availability.
strict consistency
113
Consistency of data is relaxed, which reduces the number of replicas that must be accessed during read and write operations before the transaction is finalized.
eventual consistency
114
Where content is stored in object storage, then replicated to multiple geographically distributed nodes to improve internet consumption speed
content delivery network (cdn)
115
Builds on the foundation of Infrastructure as Code (IaC), reducing manual admin tasks.
orchestration
116
— virtual machines (VM) — virtual desktop infrastructure (VDI) — software defined networks (SDN) — virtual storage area networks (SAN)
virtual assets
117
T/F: Both hypervisors and VMs need to be patched
True
118
The cloud service provider (CSP) provides the least amount of maintenance and security in the _____ model.
IaaS
119
What hypervisor: more secure if implemented properly; commonly used for QA, load testing, and production scenarios; typically more expensive
Type 1: Bare metal
120
What hypervisor: increased attack surface (due to the host operating system); commonly used for individual development and lab scenarios; typically less expensive
Type 2: Hosted
121
Use cloud services; perform service trials; monitor services; administer service security; provide billing and usage reports; handle problem reports; administer tenancies; perform business administration; select and purchase service; request audit reports
customer responsibilities
122
Prepare systems and provide cloud services; monitor and administer services; manage assets and inventories; provide audit data; manage customer relationships; handle customer requests; perform peering with other cloud service providers; ensure compliance; provide network connectivity
csp responsibilities
123
Design, create, and maintain service components; test services; perform audits; set up legal agreements; acquire and assess customers; assess the marketplace
partner responsibilities
124
Provides guidance in implementing and managing customer usage of a platform
partner
125
Application capability types: reduced support costs and licensing fees; platform capability types: reduced lock-in; infrastructure capability types: high reliability and resilience
benefits of public cloud
126
CSP provides building blocks, like networking, storage and compute
IaaS
127
Usage is metered; eases scale (scale up, out, and down); reduced energy and cooling costs
benefits of IaaS
128
Customer is responsible for deployment and management of apps; CSP manages provisioning, configuration, hardware, and OS
PaaS
129
Core infrastructure updated by provider; global collaboration for app development; running multiple languages seamlessly
key benefits of PaaS
130
Customer just configures features; CSP is responsible for management, operation, and service availability.
SaaS
131
Limited administration responsibility; limited skills required; service always up to date; global access
key benefits of SaaS
132
Devs have to write code; no server management
things PaaS and Serverless have in common
133
Less control over deployment environment; application scales automatically; application code only executes when invoked
Serverless
134
More control over deployment environment; application has to be configured to auto scale; application takes a while to spin up
PaaS
135
A cloud computing execution model where the cloud provider dynamically manages the allocation and provisioning of servers. Hosted as a pay as you go model based on use. Resources are stateless, servers ephemeral and often capable of being triggered.
serverless architecture
136
Provisioning of multiple business services is combined with different IT services to provide a single business solution.
services integration
137
Cloud is cost effective, global, secure, scalable, elastic, and always current
benefits of cloud computing
138
Everything runs on your cloud provider's hardware. Advantages include scalability, agility, PAYG, no maintenance, and low skills
public cloud
139
A cloud environment in your own datacenter; a cloud environment dedicated to a single customer. Advantages include legacy support, control, and compliance
private cloud
140
Combines public and private clouds, allowing you to run your apps in the right location. Advantages include flexibility in legacy, compliance, and scalability scenarios
hybrid cloud
141
Similar to private clouds in that they are not open to the general public, but they are shared by several related organizations in a common community
community cloud
142
Combines resources from two or more public cloud providers. Allows orgs to take advantage of service and price differences, but at the cost of added complexity
multi cloud
143
Access controls help ensure that only authorized subjects can access objects
confidentiality
144
Ensures that data or system configurations are not modified without authorization
integrity
145
Authorized requests for objects must be granted to subjects within a reasonable amount of time
availability
146
Ability of one cloud service to interact with other cloud services by exchanging information according to a prescribed method and obtain predictable results.
interoperability
147
Process for cloud service customers to retrieve their data and application artifacts AND for the CSP to delete all cloud service customer data and contractually specified cloud service derived data after an agreed period.
reversibility
148
Policy: interoperate while complying w/ gov laws/regs; Behavioral: results of exchanged info match the expected outcome; Transport: commonality of communication b/w cloud consumer, provider, and other providers; Syntactic: two or more systems understand the other system's structure of exchanged info through encoding syntaxes; Semantic data: ability of systems exchanging info to understand the meaning of the data model w/in context
5 facets of cloud interoperability
149
Syntactic: using formats that can be decoded; Semantic: data model is understood; Policy: laws/regs/mandates followed
3 facets of cloud data portability
150
Ability of a cloud services data center and its associated components, including servers, storage, and so on, to continue operating in the event of a disruption.
resiliency
151
A discrete market, typically containing two or more regions, that preserves data residency and compliance boundaries
geography
152
A set of datacenters deployed within a latency defined perimeter and connected through a dedicated regional low latency network.
regions
153
A relationship between 2 Azure Regions within the same geographic region for disaster recovery purposes.
region pairs
154
Unique physical locations within a region with independent power, network, and cooling. Comprised of one or more datacenters. Tolerant to datacenter failures via redundancy and isolation
availability zones
155
The duty to ensure private information is kept secret to the extent possible. A legal obligation in regulatory scenarios, and a due care obligation in U.S. law
confidentiality - focus on data
156
The right of an individual to have some control over how their personal information (PII,PHI) is collected, used, and potentially disclosed.
privacy - focus on rights of person
157
Ability of a service to remain responsive to requests to that service with an acceptable level of response latency or processing time.
performance
158
Enforcement of security policies and regulatory requirements, often through policy controls and regular audits.
governance
159
Ability to provide clear documentation of the actions in a data event.
auditability
160
Ability to determine who caused the event. This is sometimes called “identity attribution”.
Accountability
161
Ability to track down all events related to the investigated event.
traceability
162
A technical or contractual constraint that prevents a customer from moving from a provider.
vendor lock-in
163
The practice of applying data science to prevent, detect, and remediate cybersecurity threats. Data is collected from selected cyber security sources and then analyzed to provide timely, data driven patterns at scale.
cybersecurity data science
164
To create a new block on the chain, the computer that wishes to add the block solves a cryptographic puzzle and sends the solution to the other computers participating in that blockchain.
proof of work
165
A class of devices connected to the internet in order to provide automation, remote control, or AI processing in a home or business setting
internet of things
166
wearables, facility automation, sensors
internet of things
167
Examples include Docker and Kubernetes
containerization
168
A lightweight, granular, and portable way to package applications for multiple platforms. Reduces overhead of server virtualization by enabling containerized apps to run on a shared OS kernel. Share many concerns of server virtualization: isolation at host, process, network, and storage levels
containerization
169
Replaces the binary one and zero bits of digital computing with multidimensional quantum bits known as qubits.
quantum computing
170
The practice of harnessing the principles of quantum mechanics to improve security and to detect whether a third party is eavesdropping on communications. Leverages fundamental laws of physics such as the observer effect, which states that it is impossible to identify the location of a particle without changing that particle.
quantum cryptography
171
The most common example of quantum cryptography. By transferring data using photons of light instead of bits, a confidential key transferred between two parties cannot be copied or intercepted secretly.
Quantum Key Distribution
172
Cryptographic algorithms (usually public key algorithms) that are thought to be secure against an attack by a quantum computer. Post quantum cryptography focuses on preparing for the era of quantum computing by updating existing mathematical based algorithms and standards.
Post quantum cryptography
173
Post quantum algorithms are sometimes called _____ cryptographic algorithms
“quantum resistant”
174
Some compute operations require processing activities to occur locally, far from the cloud. All processing and data storage happens closer to the sensors rather than in the cloud data center.
edge computing
175
Complements cloud computing by processing data from IoT devices. Often places gateway devices in the field to collect and correlate data centrally at the edge. Generally, brings cloud computing nearer to the sensor to process data closer to the device.
fog computing
176
Sensitive data must be unencrypted in memory while an app processes it, leaving the data vulnerable; this is a problem that ____ solves by isolating sensitive data in a protected _____ during processing, also called a _____.
confidential computing / CPU enclave / trusted execution environment (TEE)
177
This is the management of cloud infrastructure (networks, VMs, load balancers, and connection topology) described in code. Just as the same source code generates the same binary, code in this model results in the same environment every time it is applied. This is a key DevOps practice and is used in conjunction with CI/CD.
IaC
178
A chip that resides on the motherboard of the device. Multi purpose, like storage and management of keys used for full disk encryption (FDE) solutions. Provides the operating system with access to keys, but prevents drive removal and data access
trusted platform module
179
A physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions.
hardware security module
180
generation: in a secure cryptographic module; distribution: encrypt key w/ a separate encryption key; storage: keys protected at rest; use; revocation; destruction
encryption key lifecycle
181
In PKI, you would revoke the certificate on the issuing
Certificate Authority (CA)
182
Encryption keys must be secured _____ as the data they protect.
at the same level of control or higher
183
A _____ is anything that you want to control access to, such as API keys, passwords, certificates, tokens, or cryptographic keys.
secret
184
Something you know (PIN or password); something you have (trusted device); something you are (biometric)
mfa
185
— Phishing — Spear phishing — Keyloggers — Credential stuffing — Brute force and reverse brute force attacks — Man in the middle (MITM) attacks
all prevented by mfa
186
A _____ is a type of administrator account used to run an application.
service account
187
A solution that helps protect the privileged accounts within a tenant, preventing attacks
privileged access management
188
erasing, clearing (overwriting), purging
less secure data destruction
189
most secure data destruction
crypto shredding
190
Data cannot be recovered from any remnants. High CPU and performance overhead
pro and con of crypto shredding
191
degaussing, shredding, pulverizing
hard drive media destruction methods - not reusable or recoverable
192
Act as a virtual firewall for virtual networks and resource instances. Carries a list of security rules (IP and port ranges) that allow or deny network traffic to resource instances. Provides a virtual firewall for a collection of cloud resources with the same security posture.
network security group
193
Restricting services that are permitted to access or be accessible from other zones using rules to control inbound/outbound traffic. Rules are enforced by the IP address ranges of each subnet. Within a virtual network, this can be used to achieve isolation.
segmentation
194
Port filtering through a network security group
example of segmentation
195
What is the modern approach to writing web service APIs?
Representational State Transfer (REST)
196
Enables multi-language support, can handle multiple types of calls, and can return different data formats. APIs published by an organization should include encryption, authentication, rate limiting, throttling, and quotas.
API inspection and integration
197
Traffic is often sent direct to resources and promiscuous mode on a VM NIC not possible or effective. EXAMPLES: Network Watcher (Azure), VPC traffic mirroring (AWS)
traffic inspection
198
Uses the Global Positioning System (GPS) or RFID to define geographical boundaries. Once the device is taken past the defined boundaries, the security team will be alerted.
geofencing
199
Treats user identity as the control plane. Assumes compromise / breach in verifying every request.
zero trust security
200
verify explicitly; use least privilege access; assume breach
zero trust principles
201
Network Security Group (NSG); network firewalls; inbound and outbound traffic filtering; inbound and outbound traffic inspection; centralized security policy management and enforcement
zero trust network architecture
202
Orchestration/scheduling controller; network, storage; container host; container images; container registry
Core components in a container platform (Docker, Kubernetes)
203
Container security shares many of the concerns of server virtualization, but must enforce _____ of network, data, storage access at container level.
isolation
204
These are cloud-based VMs where containers run
container hosts
205
Use API gateways as security buffers (to avoid DDoS attacks); configure secure authentication (OAuth, SAML, OpenID Connect, MFA); separate dev and prod environments; implement least privilege
serverless technology
206
REST uses the _____ protocol for web communications to offer API end points
HTTPS
207
Security mechanisms for _____ include API gateway, authentication, IP filtering, throttling, quotas, data validation
APIs
208
When attacks are designed to steal or wedge themselves into the middle of a conversation in order to gain control.
traffic hijacking
209
Process/effort to collect and analyze information before making a decision or conducting a transaction.
due diligence
210
Doing what a reasonable person would do in a given situation. It is sometimes called the “prudent person rule”.
due care
211
do detect is ______ and do correct is _____
due diligence / due care
212
Research; Planning; Evaluation
due diligence
213
Implementation; Operation (upkeep); Reasonable measures
due care
214
Knowledge and research of: laws and regulations; industry standards; best practices
due diligence
215
Delivery or execution including: reporting security incidents; security awareness training; disabling access in a timely way
due care
216
Helps reduce outages or weakened security from unauthorized changes to the baseline configuration
Change Management
217
Uses a labeling or numbering system to track changes in updated versions of baseline (image, application, system,
Versioning
218
Performed to determine whether a particular patch or update applies to a system.
applicability assessment
219
To ensure it’s handled properly, it’s important to ensure data is _____ as soon as possible.
classified
220
Data should be protected by adequate security controls based on its _____.
classification
221
Refers to any time data is in use or in transit over a network
share
222
Commonly protected with TLS or tunneled through VPN
data in transit
223
In storage (on disk, in a database, etc.) and protected through encryption
data at rest
224
In memory. Should be flushed from memory when transaction is complete or system is powered down
data in use
225
Helps you encrypt the disks of Windows and Linux IaaS VMs, using BitLocker (Windows) and the dm-crypt feature of Linux to encrypt OS and data disks.
full disk encryption
226
Helps protect SQL Database and data warehouses against the threat of malicious activity with real-time encryption and decryption of the database, backups, and transaction log files at rest, without requiring app changes.
Transparent data encryption (TDE)
227
Ensures the data’s context and meaning, and the business rules governing the data’s usage, are understood, and uses that knowledge to ensure the data they are responsible for is used as intended.
data steward
228
The person or entity that controls processing of the data.
data controller
229
A natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller.
data processor
230
Responsible for the day-to-day safe custody, transport, and storage of data, and for implementing business rules and technical controls. Does not decide what controls are needed, but does implement the controls for the data owner.
data custodian
231
Focuses on the whole business
BCP
232
Focuses more on the technical aspects of recovery
DRP
233
T/F: BCP is an umbrella policy and DRP is part of it
True
234
Addresses site-level failure
region pairs
235
These address datacenter failures within a cloud region.
Availability zones
236
Address rack-level failures within a regional datacenter
availability sets
237
Contains two important items: ✓ a cost-benefit analysis (CBA) AND ✓ a calculation of the return on investment (ROI)
BIA
238
Can be strictly quantitative: adding the financial benefits and subtracting the associated costs to determine whether a decision will be profitable.
CBA
239
Define a system or its component and specify what it must do. Captured in use cases, defined at the component level.
Functional security requirements
240
Specify the system’s quality, characteristics, or attributes. Apply to the whole system (system level).
Non-functional security requirements
241
VM attacks; Virtual network; Hypervisor attacks; VM-based rootkits; Virtual switch attacks; Colocation; DoS attack
security considerations for IaaS
242
System and Resource Isolation; User-Level Permissions; Access Management; Protection Against Malware, Backdoors, and Trojans
security considerations for PaaS
243
Data Segregation; Data Access and Policies; Web Application Security
security considerations for SaaS
244
When unmanaged VMs have been deployed on your network. Because IT doesn't know they are there, they may not be patched and protected, and are thus more vulnerable to attack.
vm sprawl
245
Enforcing security policies for adding VMs to the network, as well as periodically scanning to identify new virtualization hosts, is how to avoid _____.
vm sprawl
246
Ensure hypervisor and VM patches are always up to date and that guest privileges are kept low. Server-level redundancy and HIPS/HIDS protection are also effective.
How to protect against VM escape
247
Freely available on the internet; exploit known vulnerabilities in various operating systems, enabling attackers to elevate privilege.
Rootkit (escalation of privilege) - avoid by keeping security patches up to date, anti-malware software, EDR/XDR
248
Undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions. Often used in development and debugging.
Back door - counter with firewalls, anti-malware, network monitoring, code review
249
Volume-based attacks targeting flaws in network protocols, often using botnets and techniques such as UDP flooding, ICMP flooding, or SYN flooding (TCP-based).
network DDoS
250
Exploit weaknesses in the application layer (Layer 7) by opening connections and initiating process and transaction requests that consume finite resources such as disk space and available memory.
application DDoS
251
Targets the weaknesses of software and hardware devices that control systems in factories, power plants, and other industries, such as IoT devices.
Operational technology (OT) DDoS
252
These are countermeasures for _____: IDS, IPS, rate limiting, firewall ingress/egress filters
DDoS
253
Automated software scanning; Automated vulnerability scanning; Web application firewall; Software dependency management; Access and activity logging; Application performance management. These are all _____ technical controls.
DevOps
254
Developer application security training; Documented policies and procedures; Code review, approval gates
DevOps admin controls
255
Provides guidelines for information security controls applicable to the provision and use of cloud services. Provides cloud based guidance on several ISO/IEC 27002 controls, along with seven cloud controls that address: 1) Who is responsible for what between the cloud service provider and the cloud customer 2) The removal/return of assets when a contract is terminated 3) Protection and separation of the customer’s virtual environment 4) Virtual machine configuration 5) Administrative operations and procedures associated with the cloud environment 6) Customer monitoring of activity within the cloud 7) Virtual and cloud network environment alignment
ISO 27017
256
> a secure network must be maintained in which transactions can be conducted > cardholder information must be protected wherever it is stored > systems should be protected against the activities of malicious hackers > cardholder data should be protected physically as well as electronically. > networks must be constantly monitored and regularly tested > a formal information security policy must be defined, maintained, and followed
PCI DSS objectives
257
Assures customers that the security products they purchase have been thoroughly tested by independent third-party testers and meet customer requirements.
ISO 15408
258
– Level 1: Lowest level of security. – Level 2: Specifies the security requirements for cryptographic modules that protect sensitive information. – Level 3: Requires physical protections to ensure a high degree of confidence that any attempts to tamper are evident and detectable.
FIPS 140-2 security levels
259
AWS Well-Architected Framework; Azure Well-Architected Framework; Google Cloud Architecture Framework
cloud provider architecture reference
260
Microsoft Cybersecurity Reference Architecture; AWS Security Reference Architecture; Google Cloud Security Foundations Guide
cloud provider security reference