Cloud security Flashcards
For cloud-based applications, what are AZs (availability zones)?
Isolated locations within a cloud region.
An AZ commonly spans multiple regions.
Each AZ has independent power, HVAC, and networking.
For example, there might be an AZ for North America, South America, Europe, etc.
They can be configured to run as active/standby or active/active, so that if there is an outage your application can recognize it and move to another AZ.
These can be used with a load balancer for seamless availability.
What is IAM (identity and access management)?
IAM is used in cloud environments to determine who gets access to cloud resources, and then which particular things inside that resource they get access to.
This allows us to create different groups and map different job functions to those groups.
You can create controls based on IP address, group, date and time, etc.
This is also a way to centralize user accounts.
Which type of encryption would you want to implement in the cloud as an extra security measure? What is the difference between client-side encryption and server-side encryption in the cloud?
Server-side encryption.
Data is encrypted once it arrives at the cloud.
When we need the data, it is decrypted server-side and sent to us.
Client-side encryption.
The data is encrypted before it ever reaches the cloud; the provider receives it in an already-encrypted state. It is saved encrypted on the cloud storage drive. When we retrieve the data it is transmitted back to us fully encrypted, and we decrypt it on the client side as well.
How would you have to connect to a private cloud network that has no normal access from the external internet?
You would have to connect through a VPN.
There would be a virtualized VPN concentrator inside this private cloud subnet that you would connect to.
What is a compute cloud?
A cloud-based service that does computing for you without needing to do it locally on your own systems.
This is a part of IaaS.
Also called compute engines.
They can be spun up for the computation or calculation you need and then disabled when you are done.
If you wanted to connect a cloud application on a private subnet (not connected to the internet) to another cloud resource such as your cloud storage, how would you achieve this?
VPC endpoint.
This is a cloud instance that allows us to connect a cloud application with no public-facing internet access to an external cloud resource, even though there is no public internet connection in the middle.
What would be a good strategy for storing containers together in a cloud environment?
Use an operating system that is minimal and specifically designed for containers, and group containers together on the same host if they serve the same purpose or have the same sensitivity or threat posture.
This would limit the scope of an intrusion.
What is a CASB?
Cloud access security broker.
A CASB is used to help enforce the security policies we have already created on the data we are storing in the cloud.
This can be a piece of software, a cloud instance, or a physical device at your organization.
A CASB operates on 4 principles:
Visibility - Which applications are in use, which users are using them, and are they authorized to do so?
Compliance - Enforce compliance regulations on all users so that they comply with HIPAA, PCI, etc.
Threat prevention - Allow the users that should be allowed and deny access to everyone else.
Data security - Ensure that all data transfers are encrypted, and protect the transfer of PII with DLP.
What is an SWG in cloud security?
Next-Gen Secure Web Gateway.
Protects users and devices regardless of their location and activity.
Goes beyond URLs and GET requests: it gets into the details of the data, examines API requests and JSON strings, and understands the type of API request being made.
Decides to allow or disallow traffic based on what it finds.