Cloud Security Flashcards

1
Q

Hyperconvergence

A

Allows providers to fully integrate the storage, network, and servers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

VDI

A

Virtual Desktop Infrastructure:
VDI allows a cloud provider to offer a full desktop operating system to an end user from a centralized server

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Secure Enclaves & Secure Volumes

A

Secure Enclaves:
Utilize 2 distinct areas that the data may be stored/accessed from
Can only be accessed by the proper processor

Secure Volumes:
A method of keeping data at rest secure form prying eyes
When data is needed, secure volume is mounted & decrypted to allow access
Once no longer needed, it’s re-encrypted & unmounted from virtual server

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

SECaaS

A

Security as a Service:
Provides your organization with various types of security services without the need to maintain a cybersecurity staff

Anti-malware solutions were one of the first SECaaS products

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Sandboxing

A

Utilizes separate virtual networks to allow security professionals to test suspicious or malicious files

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

VPC

A

Virtual Private Cloud:
A private network segment made available to a single cloud consumer within a public cloud

The consumer is responsible for configuring the IP address space and routing within the cloud

VPC is typically used to provision internet-accessible applications that need to be accessed from geographically remote sites

Be aware of the possibility of vendor lock in

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

CASB

A

Cloud Access Security Broker:
Enterprise management software designed to mediate access to cloud services by users across all types of devices
• Single sign-on
• Malware and rogue device detection
• Monitor/audit user activity
• Mitigate data exfiltration

Cloud Access Service Brokers provide visibility into how clients and other network nodes use cloud services

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

CASB: Forward Proxy

A

A security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy

An “internal proxy”
Used to protect/control user access to the Internet

WARNING: Users may be able to evade the proxy and connect directly

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

CASB: Reverse Proxy

A

An appliance positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy

Inbound traffic from the Internet to your internal service

WARNING: This approach can only be used if the cloud application has proxy support

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

CASB: API

A

Application Programming Interface:
A method that uses the brokers connections between the cloud service and the cloud consumer

WARNING: Dependent on the API supporting the functions that your policies demand

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

API

A

A library of programming utilities used to enable software developers to access functions of another application

APIs allow for the automated administration, management, and monitoring of a cloud service

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

FaaS

A

Function as a Service:
A cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Serverless

A

A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances

Everything in serverless is developed as a function or microservice

Serverless eliminates the need to manage physical or virtual servers
• No patching
• No administration
• No file system monitoring

The underlying architecture is managed by the cloud service provider
Ensure that the clients accessing the services have not been compromised
Serverless depends on orchestration

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Cloud Threats: Insecure API

A

WARNING: An API must only be used over an encrypted channel (HTTPS)

Data received by an API must pass service-side validation routines

Implement throttling/rate-limiting mechanisms to protect from a DoS

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Cloud Threats: Improper Key Management

A

APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data

WARNING: Do not hardcode or embed a key into the source code

Do not create one key with full control to access an application’s functions

Delete unnecessary keys and regenerate keys when moving into a production environment

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Cloud Threats: Insufficient Logging/Monitoring

A

WARNING: Software as a service may not supply access to log files or monitoring tools

Logs must be copied to non-elastic storage for long-term retention

17
Q

Cloud Threats: CORS Policy

A

Cross Origin Resource Sharing Policy:
A content delivery network policy that instructs the browser to treat requests from nominated domains as safe

WARNING: Weak CORS policies expose the site to vulnerabilities like XSS

18
Q

Security Groups

A

Firewall for compute instances
Layer 4 (TCP/UDP)
Layer 3 address

19
Q

Instance Awareness

A

Granular security controls
Identify/manage specific data flows

Define & set policies
Allows uploads to the corporate file share
Deny certain uploads to personal file share
Deny files with sensitive data
Quarantine file & send alert

20
Q

Next-gen SWG (Secure Web Gateway)

A

Protect users & devices
Monitor API usage
Examine JSON strings & API requests
Allow/disallow certain activities
Instance-aware security

Combines CASB, DLP, & Web Security