Cloud Platform, Infrastructure, and Operations Flashcards
- infrastructure and systems/services in use
- how systems will communicate
- securing network traffic in shared environment
- securing the management plane
Cloud security considerations
- network/communication capabilities allowing customers to transfer data in and out of cloud vendor’s environment
- compute (VMs, CPUs, storage, serverless computing, containers, etc.)
- management plane (controls network, communications, compute, etc.)
Cloud components
In what environment does most security work occur?
IaaS
IaaS Shared Responsibility
Securing infrastructure
PaaS customer responsibility
Security, apps, data, risk management
SaaS customer data responsibility
Access and administration
What virtual firewalls are used in cloud environments?
Network security groups
Security groups use _____ to control traffic
Rules
Tracking requests/responses to allow responses to return to systems that make an allowed request
Stateful (security groups and firewalls)
AWS VPC traffic monitoring capability allows you to _____ traffic.
See, capture, and analyze
Correlating logins and activity to the locations where they originate to ensure credentials aren’t being misused and to identify unexpected traffic patterns based on geoIP info:
Geofencing
Relying on identities and authorization to ensure users and entities are validated before they access data:
Zero Trust
Why is packet capture and traffic inspection harder in the cloud?
Cloud environments operate at Layer 3 of the OSI model, while traditional networks can be accessed at Layers 1 and 2
Tools that limit communications based on some criteria.
Firewalls
In cloud environments, _____ are often the first firewall capability deployed.
(Network) security groups
Criteria for determining which traffic is allowed is handled by _____.
Rules
Firewalls
IPS
Access Control
Gateways
WAFs
Backup and Recovery
Network security tools
Firewalls determine which traffic is allowed by using _____.
Rules
_____ are designed to identify malicious traffic and alert on it.
Intrusion Detection System (IDS)
_____ can detect and respond to malicious traffic by stopping it or alerting on it.
Intrusion Prevention System (IPS)
Tool used to detect, identify, isolate, and analyze attacks by distracting attackers.
Honeypot
Because many systems in the cloud are ephemeral, your scans need to:
- validate the original system
- validate changes that occur due to code and component updates
Allows admins to access a private network from a lower security zone.
Bastion hosts (jump servers/jump boxes)
The process by which an identity is validated as belonging to a user
Identity proofing
Used to generate, store, and manage cryptographic keys as well as for other cryptographic uses in support of hashing and digital signatures, encryption, and decryption of data through offloading.
Hardware Security Modules (HSMs)
Hardware device used to secure, store, and manage cryptographic keys for disk encryption, trusted boot, hardware validation, and password management for devices.
Trusted Platform Module (TPM)
- Using built-in tools
- Least privilege
- Encrypting data at rest and in transit
- Blocking public access by default
- Ensuring wildcard or broad access to storage buckets is not allowed
- Building a secure default access control list
- Versioning and replication
- Monitoring, auditing, and alerting
Ways to keep cloud storage secure
- configuration requirements
- patches and updates
- security and notification
- software composition analysis tools
- package management tools
Checklist for 3P software management
- Provide cryptographic hashes for integrity checks
- Signing with developer’s certificate
- GPG or PGP signature
Ways to validate open-source software
How to validate signatures:
You need the provider’s public key and must ensure the key provided is actually theirs.
The organization’s standard for how a system should be configured to meet functional and security goals.
Baselines