Cloud Security Flashcards
Hyperconvergence
Allows providers to fully integrate the storage, network, and servers
VDI
Virtual Desktop Infrastructure:
VDI allows a cloud provider to offer a full desktop operating system to an end user from a centralized server
Secure Enclaves & Secure Volumes
Secure Enclaves:
Utilize 2 distinct areas that the data may be stored/accessed from
Can only be accessed by the proper processor
Secure Volumes:
A method of keeping data at rest secure form prying eyes
When data is needed, secure volume is mounted & decrypted to allow access
Once no longer needed, it’s re-encrypted & unmounted from virtual server
SECaaS
Security as a Service:
Provides your organization with various types of security services without the need to maintain a cybersecurity staff
Anti-malware solutions were one of the first SECaaS products
Sandboxing
Utilizes separate virtual networks to allow security professionals to test suspicious or malicious files
VPC
Virtual Private Cloud:
A private network segment made available to a single cloud consumer within a public cloud
The consumer is responsible for configuring the IP address space and routing within the cloud
VPC is typically used to provision internet-accessible applications that need to be accessed from geographically remote sites
Be aware of the possibility of vendor lock in
CASB
Cloud Access Security Broker:
Enterprise management software designed to mediate access to cloud services by users across all types of devices
• Single sign-on
• Malware and rogue device detection
• Monitor/audit user activity
• Mitigate data exfiltration
Cloud Access Service Brokers provide visibility into how clients and other network nodes use cloud services
CASB: Forward Proxy
A security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy
An “internal proxy”
Used to protect/control user access to the Internet
WARNING: Users may be able to evade the proxy and connect directly
CASB: Reverse Proxy
An appliance positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy
Inbound traffic from the Internet to your internal service
WARNING: This approach can only be used if the cloud application has proxy support
CASB: API
Application Programming Interface:
A method that uses the brokers connections between the cloud service and the cloud consumer
WARNING: Dependent on the API supporting the functions that your policies demand
API
A library of programming utilities used to enable software developers to access functions of another application
APIs allow for the automated administration, management, and monitoring of a cloud service
FaaS
Function as a Service:
A cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language
Serverless
A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances
Everything in serverless is developed as a function or microservice
Serverless eliminates the need to manage physical or virtual servers
• No patching
• No administration
• No file system monitoring
The underlying architecture is managed by the cloud service provider
Ensure that the clients accessing the services have not been compromised
Serverless depends on orchestration
Cloud Threats: Insecure API
WARNING: An API must only be used over an encrypted channel (HTTPS)
Data received by an API must pass service-side validation routines
Implement throttling/rate-limiting mechanisms to protect from a DoS
Cloud Threats: Improper Key Management
APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data
WARNING: Do not hardcode or embed a key into the source code
Do not create one key with full control to access an application’s functions
Delete unnecessary keys and regenerate keys when moving into a production environment