Cloud Infrastructure Flashcards
Key Drivers for Virtualization
- SHARING underlying resources to enable more efficient and agile use of hardware
- Easier management through REDUCED personnel and maintenance
Why is virtualization a key enabling technology for cloud computing?
Virtualization enables multitenancy and scalability; it separates compute environments from the physical hardware so that multiple operating systems and applications can run on a single machine
Virtualization System Controls (Primary Features)
- Traffic Isolation - by using a specific security group and transmission encryption
- Guest Security - provided through ISOLATION concepts of hypervisor
- File and Volume Encryption
- Control of Image Provenance - image creation, distribution, storage, use, retirement and destruction
hypervisor
A hypervisor is a computing layer that allows multiple operating systems to run simultaneously on the same piece of hardware, with each operating system seeing the machine’s resources as its own dedicated resources
In other words, hypervisors virtually divide a computer’s resources amongst several virtual machines (VMs) and manage the sharing of those resources between each VM.
Guest VMs are isolated software instances
List and describe the types of Hypervisors?
Type 1 hypervisors (also called bare metal hypervisors) run directly on the hardware
Type 2 hypervisors are software-based and run on an operating system
What type of Hypervisor is generally more vulnerable and why?
What makes other Hypervisor(s) more secure?
Type 2 hypervisors
OS and application vulnerabilities can be exploited and used to attack Type 2 hypervisors and their virtual machines
Type 1 hypervisors, however, generally have embedded operating systems that are tightly controlled by the vendor. This control lends itself to creating hardened operating systems that only have functionality necessary to operate the hypervisors.
What are security considerations with containers?
- Access to containers must be tightly controlled
- Images must be validated to ensure integrity (not tampered with)
- Have a process to patch and routinely update containers
Cloud Orchestration
The end-to-end automation workflow or process that coordinates multiple lower-level automations to deliver a resource or set of resources
Software Defined Network (SDN)
System that allows VIRTUALIZATION of the network configuration and infrastructure
Allows reconfiguring the network through software
Layers/Planes of Software Defined Network
Management Plane
Control Plane
Data or Forwarding Plane
Software Defined Network Management Plane
Used to provision, configure, and de-provision all cloud resources for external and internal CSP customers
Integrates authentication and access control, while also monitoring and logging the resources used
The business applications that manage the underlying Control plane are exposed with northbound interfaces (e.g. exposes control plane to applications that will consume via API)
If compromised then the whole infrastructure could be compromised
Software Defined Network Control Plane
Connects provisioned resources to each other as specified by each individual tenant into segregated networks
Used to interface with devices in the Data plane through southbound interfaces
Software Defined Network Data/Forwarding Plane
Used to transfer individual tenant data to and from the specific tenant's provisioned virtual compute and storage resources
Software Defined Wide Area Network (SD-WAN)
What are the benefits of SD-WAN
An extension of SDN that is used to connect entities via the internet
Benefits:
- Minimizes on-premise hardware procurement and management
- Micro-segmentation of traffic types (broadband, MPLS, customer/corporate facing, etc.) for greater performance
- Support for security integration
What are compute resources of a CSP
Number of CPUs
Amount of RAM
What can be used to help administrators allocate compute resources to a host? How does it/they do so?
Reservation - guarantees MINIMUM for resources allocation
Limit - MAXIMUM ceiling for resource allocation, this can be fixed or expandable
Shares - a way to manage issues with compute resources during contention situations by using PRIORITIZATION
Network Attached Storage (NAS)
Storage array/enclosure to allow USERS to store and retrieve data LOCALLY (on the LAN)
Uses common data transfer protocols such as SMB and CIFS
Storage Area Network (SAN)
Network of storage devices (disks, tapes, CDs, etc.) for SERVERS to access
Not user facing (i.e. no direct user access); users request data from a server, and the server retrieves it from SAN storage
SANs use higher-end, faster protocols such as iSCSI, Fibre Channel or FCoE (Fibre Channel over Ethernet)
Virtual Storage Area Network (VSAN)
Using a Fibre Channel switch to separate a SAN into different logical networks, similar to traditional VLANs
Hyper Converged Infrastructure (HCI)
The combining or clustering of storage, compute, and networking nodes for high availability, load balancing, and centralized management
Cloud Interoperability Goal
Provide seamless service consumption and management between standalone services and CSPs
List and describe facets of Cloud Interoperability
- Policy - having multiple systems interoperate while complying with laws, regulations, and organizational mandates (governance)
- Behavioral - the exchange of information matches the expected outcome
- Transport - using communication standards between cloud consumers and CSP (e.g. using HTTPS)
- Syntactic - multiple systems understanding each other's exchange of information through encoding syntaxes (e.g. using JSON and XML)
- Semantic data - the systems exchanging information can understand the meaning of the data model within the context (e.g. VMs, containers, storage, network concepts)
Cloud Data Portability Goal
to enable cloud customers to move their data/application between standalone services and CSPs
List and describe facets of Cloud Portability
- Policy - transfer of data from source to target system so that governance is being followed
- Syntactic - transfer of data from source to target system using formats that the target system can understand (e.g. XML or JSON)
- Semantic - transfer of data from source to target system so the data model is understood within the context of the subject area by the target
Physical Data Center Environment Goal
No single point of failure should exist in the system
List Features of Cloud Computing Network Functionality
- Address Allocation
- Access Control
- Bandwidth Allocation
- Rate Limiting
- Filtering
- Routing
List main types of fire detectors
- Flame detector (photoelectric - ultraviolet, infrared, visible light)
- Smoke detector (photoelectric or ionization)
- Heat detector ( rate of rise or fixed temperature)
List class of fire and appropriate/popular suppression agent
Class A (Hint: Ash) - Common Combustibles > suppressants: Water and foam
Class B (Hint: Boil) - Combustible Liquids > suppressants: Gas, foam, dry chemicals, etc.
Class C (Hint: Current) - Electric Equipment > suppressants: Gas, dry chemicals, etc.
Class D (Hint: Dentable) - Combustible Metal > suppressants: Dry powders, Dry sand, etc.
Class E (Hint: Kitchen) - Cooking Media > suppressants: Wet chemicals like Potassium Acetate - creates soapy foam layer to hold in vapors and steam in order to smother the fire
What will each of the following suppress/stop?
a. water
b. soda acid
c. CO2
d. dry powder
e. Halon
f. Foam
a. temperature
b. fuel supply
c. oxygen
d. fuel supply
e. chemical reaction
f. flammable or combustible vapors
List Gas Suppressants that are used to starve fire of oxygen along with if they are safe for exposure to people
- Halon - was widely used but is known to leave RESIDUE and depletes the ozone layer; not safe for people
- Aero-K - an aerosol POTASSIUM compound. Does not damage metals or electronics or media; safe for people
- FM-200 - a colorless liquefied compressed gas that leaves no residue; Permissible for use around people at designated concentration
List and describe Water Sprinkler systems
- Wet pipe - contains water under pressure
- Dry pipe - contains air under pressure - fire causes sprinkler to open, air pressure drops and opens water valve
- Pre-action - contains air under pressure to detect pipe leak - two detectors to release the water valve
- Deluge - pipes empty, not pressurized, all sprinkler heads are open and ready to deploy water when activated; used in hazardous areas where fire is catastrophic (think gun manufacturing plant or chemical plant)
Data Center Best Practices
- Data center should not touch first floor or outside walls; should be in the center of building
- Safe location to prevent outside access - higher floor
- If it does touch outside walls, be sure windows are shatterproof and one-way glass to conceal contents
- Recommended height for a raised floors in a data center is 24”
Environmental Hot and Cold Aisles
Racks of equipment face opposite directions, back to back, forming aisles
Cold air enters the aisles in front of the servers so it can be drawn into them
Hot air exits at the back of the machines, forming the hot aisles; the heat is pulled back into the HVAC system to be cooled and recirculated
Positive Pressurization
Air pressure inside the data center is higher than outside
Net effect is that you are blowing contaminants outward
What is the recommended humidity for computers?
50% ±10%
40% - 60%
What does low and high humidity for computers cause?
Low - static discharge, which could degrade or destroy sensitive electronics
High - condensation which could lead to data loss due to short circuits or corrosion
Recommended temperature setting for data centers according to ASHRAE?
What would allow temperature to be higher and how much higher, what is the benefit?
64-81° Fahrenheit
18-27° Celsius
New economization specifications for data center HVAC systems allow for higher ambient air temperature settings of either A3 (104° F) or A4 (116° F), saving the data center from high air cooling costs
List and describe types of Data Center cooling systems
Latent cooling - HVAC system removes moisture
Sensible cooling - HVAC system removes heat that is measured by a thermometer
Zero Trust Steps
- Identify the protect surface
- Map the transaction (data) flow for your sensitive data
- Build zero trust architecture (ZTA)
- Create zero trust policy (automated rule base)
- Continuously monitor and maintain
Micro-segmentation
A principal design element and activity of the Zero Trust Model, which aids in protecting against dynamic threats
Fundamental design requirement is to understand the protection requirements for both:
- east-west - traffic within the data center
- north-south - traffic flows to and from the internet
List Cloud Attack Vectors
- Guest Escape
- Identity Compromise
- API Compromise
- Attacks on the provider's infrastructure and facilities
- Attacks on the intermediary infrastructure (cloud carrier)
Cyber Kill Chain
A framework for the identification and prevention of cyber intrusion activity
The enterprise, AHEAD OF TIME, needs to implement controls that deter, detect, prevent, and correct malicious activity
List Seven Steps in the Cyber Kill Chain model
- Reconnaissance - identify the targets
- Weaponization - prepare the operation
- Delivery - launch the operation
- Exploitation - gain access to victim
- Installation - establish a foothold at the victim
- Command and Control (C2) - remotely control the implants
- Actions on Objectives - achieve the mission’s goal