Cloud Security Flashcards
Cloud Computing
§ A way of offering on-demand services that extend the traditional capabilities of a computer or network
§ Cloud computing relies on virtualization to gain efficiencies and cost savings
Hyperconvergence
Hyperconvergence allows providers to fully integrate the storage, network, and servers
Virtual Desktop Infrastructure
VDI allows a cloud provider to offer a full desktop operating system to an end user from a centralized server
Secure Enclave
A secure enclave provides CPU hardware-level isolation and memory encryption on every server by isolating application code and data from anyone with privileges and encrypting its memory
Cloud Types
- Public Cloud
- Private Cloud
- Hybrid Cloud
- Community Cloud
Public Cloud
A service provider makes resources available to the end users over the Internet
Private Cloud
§ A company creates its own cloud environment that only it can utilize as an internal enterprise resource
§ A private cloud should be chosen when security is more important than cost
Community Cloud
Resources and costs are shared among several different organizations who have common service needs
Software as a Service
Provides all the hardware, operating system, software, and applications needed for a complete service to be delivered
Infrastructure as a Service
Provides all the hardware, operating system, and backend software needed in order to develop your own software or service
Platform as a Service
Provides your organization with the hardware and software needed for a specific service to operate
Security as a Service
§ Provides your organization with various types of security services without the need to maintain a cybersecurity staff
§ Anti-malware solutions were one of the first SECaaS products
File Servers
File servers are used to store, transfer, migrate, synchronize, and archive files for your organization
FTP Server
§ A specialized type of file server that is used to host files for distribution across the web
§ FTP servers should be configured to require TLS connections
Domain Controller
A server that acts as a central repository of all the user accounts and their associated passwords for the network
Virtual Private Cloud
o A private network segment made available to a single cloud consumer within a public cloud
o The consumer is responsible for configuring the IP address space and routing within the cloud
o VPC is typically used to provision internet-accessible applications that need to be accessed from geographically remote sites
o On-premise solutions maintain their servers locally within the network
o Many security products offer cloud-based and on-premise versions
o Consider compliance or regulatory limitations of storing data in a cloud-based security solution
o Be aware of the possibility of vendor lock in
Cloud Access Security Broker
Enterprise management software designed to mediate access to cloud services by users across all types of devices
• Single sign-on
• Malware and rogue device detection
• Monitor/audit user activity
• Mitigate data exfiltration
Forward Proxy
o A security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy
o WARNING: Users may be able to evade the proxy and connect directly
Reverse Proxy
o An appliance positioned at the cloud network edge that directs traffic to cloud services if the contents of that traffic comply with policy
o WARNING: This approach can only be used if the cloud application has proxy support
Application Programming Interface
o A method that uses the broker's API connections between the cloud service and the cloud consumer
o WARNING: Dependent on the API supporting the functions that your policies demand
Function as a Service
A cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language
Serverless
§ A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances
§ Everything in serverless is developed as a function or microservice
Cloud Threats
- Insecure Application Programming Interface (API)
- Improper Key Management
- Insufficient Logging and Monitoring
- Unprotected Storage
- Cross Origin Resource Sharing (CORS) Policy
Secure Application Programming Interface (API)
§ WARNING: An API must only be used over an encrypted channel (HTTPS)
§ Data received by an API must pass server-side validation routines
§ Implement throttling/rate-limiting mechanisms to protect against DoS
Proper Key Management
§ APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data
§ WARNING: Do not hardcode or embed a key into the source code
§ Do not create one key with full control to access an application’s functions
§ Delete unnecessary keys and regenerate keys when moving into a production environment
Sufficient Logging and Monitoring
§ WARNING: Software as a service may not supply access to log files or monitoring tools
§ Logs must be copied to non-elastic storage for long-term retention
Protected Storage
§ WARNING: Access control to storage is administered through container policies, IAM authorizations, and object ACLs
§ Incorrect permissions may occur due to default read/write permissions leftover from creation
§ Incorrect origin settings may occur when using content delivery networks
Cloud storage containers are referred to as _______________
Cloud storage containers are referred to as buckets or blobs