Definitions of Cloud Flashcards
SAAS
Software as a Service
Risk Mitigation - Reduced local admin and redundancy
Business Continuity - 24/7 access from any location that has internet, synchronization between local and cloud, doesn’t have to go through email
Efficiency -
Deployment - rapid and simplified; data retention and admin are the responsibility of the CSP
Hardware Resources - economies of scale, don’t have to pay for upgrades, etc.; gives flexibility and agility
Cost - based on usage, minimal up front costs, pay as you go.
Scalability - easily scale storage up or down as needed; storage can be allocated and de-allocated dynamically. Can run slower than an in-house solution due to redundancy and connection
PAAS
Platform as a Service (Ability to create a testing environment, etc for development)
MAAS
Management as a Service - ability to see the status of systems, etc.; basically monitoring
CAAS
Communication as a Service
IAAS
Infrastructure as a Service - lease hardware and software; automatic patch updates
Storage as a Service
lease storage for data warehousing
Security as a Service
lease security services
CAPEX
Capital Expense, which are costs associated with the acquisition of assets or upgrading existing assets, such as hardware
OPEX
Operational expense refers to the costs associated with the day to day running of a company, ie: bandwidth, etc. Can be recurring expenses.
Traditional Internal IT Infrastructure
own server room, own infrastructure, in house
Colocation Facility
owned by a third party that rents out space equipped for housing and running IT infrastructure; also provides network connectivity, backup power and physical security
Managed Services
package for full outsourcing of IT infrastructure. Instead of purchasing as in colocation, you rent the infrastructure, software, hardware and database management
Public Cloud
fully outsourced solution for infrastructure; instead of renting physical hardware you rent a virtual computing environment hosted on shared server clusters in the service provider’s datacenter
Abstraction
system implementation details are hidden from the user; applications run on unspecified physical systems and data is stored in locations unknown to the end user
VMM
Virtual machine monitor aka hypervisor
VIM
a tool that communicates with multiple hosts and their VMs, allowing for centralized admin and efficient operation of the virtual infrastructure, ie: OpenNebula
Virtual platform
VMware vSphere, Citrix XenServer or Microsoft Hyper-V
3 types of virtualization
client
server
storage
Application Packaging Virtualization
method of isolating a specific application from the underlying operating system. The application can’t modify or interact with the o/s. Provides protection against viruses and malware, and you can run incompatible applications on a system
Application Streaming Virtualization
type of client virtualization. Hosts necessary applications on servers in a datacenter, and then loads them on client demand as if they were locally installed. Can also be used to prevent unauthorized software installations by end users
Hardware Emulation Virtualization
Virtualization software is installed on the client o/s
Hypervisor
is a program that allows multiple operating systems to share a single hardware host; each o/s appears to have the host’s resources, ie: processor, memory, NIC etc., all to itself
Hypervisor Type 1
runs directly on top of hardware; provides less overhead and a smaller footprint so it runs more efficiently, and also has direct access to hardware resources
Hypervisor Type 2
runs on top of existing o/s software, ie: Microsoft Virtual Server and VMware Workstation
DAS
direct attached storage is a traditional storage method and works by connecting hard drives to an actual server
NAS
Network attached storage uses a dedicated storage device which you attach to your network. Can be scalable and configured to provide redundancy. Uses standard protocols to connect to your servers
SAN
Storage Access Network - dedicated hardware and software on a dedicated high performance network to create a more effective data storage solution that is less prone to data outages; a host bus adapter or HBA connects a server to a fibre SAN
economies of scale
lowering of costs due to an increase in the scale of operations or production
vmware
Has a small footprint and is not dependent on any o/s to run correctly
Citrix XenServer
Simplifies and speeds up management of the entire application lifecycle
Hyper V
Using os clustering it provides high availability for hosts and their vms
IBM’s z/VM is a hypervisor
which is designed to allow clients to run hundreds to thousands of Linux servers on a single mainframe running alongside other System z operating systems
Core Network
Provides a logical center point in a datacenter
Edge Network
Enables end users to connect to a datacenter
Access network
Enables connections to storage networks and computing resources
Basic Public Internet
end user; most common way of accessing cloud datacenters. Customers access the cloud using their own internet connections; sometimes time requirements cannot be met
Accelerated internet
is a set of services and offloads you can add to a standard public internet connection to improve performance, ie: SSL termination and TCP connection management
Optimized Internet overlay
lets users access a cloud via the public internet with connectivity enhanced at the provider’s points of presence or POPs
site to site vpn
direct connection between a CSP and the cloud through a private WAN
SOA
Service Oriented Architecture is a distributed system architecture in which services interact using a common defined interface, a collection of related sub-systems, it addresses services, data and processes in an IT architecture
SOA has 4 main benefits
functionality reuse
agility
monitoring
extensibility
Common SOA Architectures
Peer to Peer, Client Server, Three Tier, n-Tier, Tightly coupled, Loose coupling
Loose coupling
enables you to build, update or replace individual participants in a system without changing the participants that interact with it
makes system more reliable
Loose coupling techniques
asynchronous communication where possible
human readable Uniform Resource Identifiers or URLs for service and instance addresses
stateless messaging
vendor and platform independent messages
self-describing messages
well-defined extensible interfaces
SOA provides to cloud
testing of a service oriented environment
provides a deployment framework for cloud computing
It enables re-use of the code for particular functions
It provides a high degree of agility
planning cloud deployment involves 3 steps
Performing a data analysis
identifying and documenting services
determining future cloud architecture
data analysis consists of 3 things
where data in your organization is located
what form the data takes
how the data flows through the enterprise and how it relates to core services and business processes
1st step in architectural foundations for good cloud computing begins with
the development of a service directory, which lists the individual services an organization uses
Service directory
for each service, define: hardware, scope, design, dependencies, service levels, security, testing
Process model
link process to the service it uses
defines business processes and how they link to services
steps of migrating data to a cloud
- Establishing where the data is , what form it takes and how the data flows
- Documenting each service in the organization’s baseline architecture
- Grouping the services into processes that map to the organization’s business processes
- Identifying processes and the services that can be hosted on the cloud
Coupling
loosely connected, independence of location, off site hosting, dynamic service discovery
Participant Interfaces
participants that have well-defined interfaces are favorable for a cloud platform; architecture is a mixture of locally hosted and cloud based systems
Security
root security keys and credit card numbers shouldn’t be transmitted over a public network.
SAAS Factors to consider before using
Security - Each company has their own; no set standards yet, so make sure it lines up with company security protocols and guidelines
Liability - SLAs - contract negotiated liability
Reliability - is the CSP dependable and reputable, what do you do if they close their doors, etc. Solution is to use more than one provider.
SAAS Providers
Box.net, Amazon Simple Storage Service or S3, Internap XIP Cloud, Nirvanix, DropBox
Storage as a Service vs SAAS
SAAS - usually block storage over IP
Cloud Storage also includes file-based systems.
SAAS Governance
Enterprise Risk, Legal Issues, Compliance, Information Life Cycle, Portability and Interoperability
DAC
authentication and authorization of access to data; need to have someone assigned to set up access and removal
Data Classification
foundation of information security programs; it requires you to evaluate and then classify company data according to its security needs. ie: confidential data may have to be encrypted, or you decide to keep it in house while allowing other types of data to go to the cloud, etc.
Accounting and Auditing
to ensure confidentiality is maintained the CSP needs to have appropriate logging and monitoring facilities for accounting and auditing purposes. This usually means that some form of security information and event management system must be in place.
Additionally, procedures need to ensure that a separation of duties exists between those who administer the systems and those who monitor the logs within the CSP.
Encryption of stored data
auditing, key management and key changes are needed to ensure security compliance on the CSP; can call for more administrative activities and possibly more cost
Encryption of data in transit
encryption or tunneling may be required. depends on the sensitivity of the data and the security compliance.
OGF
Promotes standardization of distributed high performance computing applications
Open Grid Forum
meets each year; grid computing worldwide
Standardizing applied distributed computing environments
CSA
Promotes standards and best practices with the aim of ensuring cloud security
Best practices and shared standards in the area of cloud computing security
OCC
Operates and manages cloud computing testbeds
Open Cloud Consortium - non-profit org supporting the development of an open standards based interoperability framework
Standards for cloud interoperability
DMTF
Was founded to develop a set of informational standards for managing resources in distributed environments
Is developing standards that facilitate system management in cloud based IT infrastructures
CIM
is a DMTF standard - Common Information Model - defines the language and methodology used to describe data management.
Cloud Security Alliance aka CSA
non-profit org that promotes best practices and shared standards in the area of cloud computing security. 3 components:
- General agreement regarding security assurances and requirements between end users and cloud service providers
- Awareness on the appropriate use of security solutions in a cloud environment
- Independent research into best practices for cloud computing security
- Guidance for cloud security assurance
Cloud Computing Standards
security, browsers, data, virtualization, syndication, communication, solution stacks, messaging
Cloud Security Protocols typically used now
Secure Sockets Layer or SSL, Transport Layer Security or TLS, Open Authentication or OAuth, OpenID, Security Assertion Markup Language or SAML
Coupling
loose enables participants to function independently of location. May not fail because one part fails. redundancy etc.
It enables location indepenence of participants and dynamic service discovery
Participant Interfaces
well defined interfaces are favorable for a cloud platform. Well defined interfaces for inputs and outputs to a system allow for suitable integration points between on premises and cloud based services, ie: a mixture of locally hosted and cloud based systems
Security
sensitive data should not be transmitted over a public network, ie: root security keys and customer credit cards. You won’t be in control of security management at the cloud level, so have to evaluate each situation
Enterprise Health
if your infrastructure is unhealthy and you move to a cloud platform it may exacerbate the issues. ie: firewall not configured properly, the system isn’t ready to deploy to a cloud, etc.
Business factors to consider
online applications, deployment urgency, the need for user collaboration, the availability of funding, availability of other business opportunities associated with cloud computing
Cloud platform categories
database, governance, management, processes, security, services, storage
Private Cloud
used when there are concerns about security. Internal or enterprise cloud - usually not pay as you go but pay at setup. Disadvantages: lose ability to scale on demand; legacy apps not suitable; security may be less efficient; ongoing technology costs can be high
virtual private cloud (vpc)
publicly hosted private cloud that is connected to an organization’s datacenter via a secure connection
resources are only available to one organization
May connect via vpn
makes sense when resources are grouped by logically grouped ip addresses
ie: Amazon EC2
Hybrid cloud
both private and public cloud solution
Cloud bursting
when the cloud is shut down when not in use
IAM
Identity and Access Management is the use and management of the same identity information service for all your applications, to authenticate users and grant or deny access rights to data and system resources, to ensure appropriate access to enterprise resources.
IAM is based on 3 concepts
Authentication - verification of the identity of the user or service
Authorization - user or system requests access to a resource or service, or to perform an operation, and is given the necessary permissions
Auditing - recording and reviewing authentication and authorization actions. Tests the competence of the IAM system controls, verifies compliance with existing security procedures and policies, detects breaches and suggests countermeasures
Trust Boundary
virtual perimeter defining the area that falls under the jurisdiction of its IT department
Identity Federation
the practice of negotiating interactions between entities that are separated by an organization’s internal and external trust relationships
two reasons to use IAM
improved operational efficiency
regulatory compliance management
IAM Operational Areas
Identity mgmt and provisioning, Authentication mgmt, Federated identity mgmt, Authorization mgmt, Compliance mgmt
Identity mgmt and provisioning
goal is to ensure that authorized users are securely and effectively incorporated into a cloud and that unauthorized users are excluded. On boarding and off boarding
SPML
Service Provisioning Markup Language is XML based, used for identity management; allows automation of user and system access
SCIM - Simple Cloud Identity has benefits
simple to use
leveraging representational state transfer or rest
javascript object notation or JSON
essential create, read, update and delete statements, avoiding the LDAP object class inheritance model
Google and Salesforce.com
Authentication Mgmt
goal is to ensure credentials such as passwords and digital certs are managed securely.
Also manages trust relationships across all cloud services and delegates authentication where appropriate
federated identity mgmt
goal is to authenticate cloud service users using the org’s selected identity provider or IdP. Credentials and attributes are transmitted
IdP - identity life cycle, token formats, authentication methods and non-repudiation present several challenges; the last of these holds enormous potential for the use of federation, which ensures identity assertions originated with a trusted IdP
SSO part of federated cloud services (Single Sign On)
can be used to authenticate organization-wide applications and cloud applications to which an organization subscribes
Two federated SSO methods
federated public SSO
federated private SSO
Should use a provider that uses SAML (Security Assertion Markup Language)
Authorization Management
goal is to establish access rights, establish a trust relationship between the entities and the cloud service, and ensure that the process can be subjected to auditing
XACML - Extensible Access Control Markup Language
standardized by OASIS and used to make authorization policy management and related decisions; uses a schema.
Challenging area of cloud computing because could come from individual, company, etc.
Compliance Mgmt
auditing access and rights, implementing access control policies and standards surrounding reporting, periodic monitoring, segregation of duties and access monitoring.
IAM is needed
when an org IT Admin uses a csp mgmt console,
An org uses an identity federation
to regain control over dynamic trust boundaries and to improve operational efficiency.
CSPs face a number of challenges
protect SAAS users’ accounts from external threats and provide an API for PAAS authentication
Prevent duplicate IAAS user identities from being created.
Orgs that use federated identities to access IAAS services should ensure that their CSPs support IAM
Considerations in cloud federation are:
using a SSO Scheme
define tunneling technologies
providing computing and storage resources
managing billing and reconciliation
in web services, to receive identity info from security and identity token services without requiring input from users; must use a security token exchange that has to be shared
Authentication services, aka
Identity providers
Relying Parties
web apps or services that consume tokens
Models for identity federation is provided by
WS-Security
WS- Trust
WS-SecurityPolicy standards
2 types of SSO
Web based - authenticates across multiple platforms and org boundaries. Allows navigation between pages without re-authentication. Some countries don’t allow sharing of data across companies, so SSO shouldn’t reveal the identity of an authenticating user and the SSO process should be handled anonymously.
Non-Web Based - used to access legacy applications or those that aren’t supported by web based SSO; SSO resends the authentication info again to the app
SSO benefits
Commercial benefits - ie: ecommerce users can set up their own accounts; can be used to access services from different websites
Efficiency - speeds up the app development life cycle; apps can call a standard authentication procedure instead of more code
RSA Security
three components:
Authenticator
Authentication Server
Administration Server
IDaaS
Identity as a service
Presence Information has 3 parts
Identity - user’s identity is referred to as that user’s presentity. Presentities provide information regarding their whereabouts so others know how and where to contact them.
status - levels of availability ie: online, offline on phone or away. Are they available to communicate and in what context. usually has a graphic indicator
Location - geographical location of a device or entity, as well as what device they are on. Can include geolocation info, GPS co-ordinates, in a meeting, on a network, etc., online or offline
Presence Protocols
Session Initiation Protocol
Session Initiation Protocol for IM and Presence Leveraging Extensions
Extensible Messaging and Presence Protocol
Session Initiation Protocol
widely used signaling protocol designed by the Internet Engineering Task Force or IETF to control multimedia communication sessions that typically take place across one or more media streams: video conferences, IM, presence info, file transfers or multimedia
Session Initiation Protocol for Instant Messaging and presence Leveraging Extensions
Aka SIMPLE
is an add-on to SIP and uses SIP to leverage presence on the cloud. The protocol facilitates real-time, two way communication among all cloud users who can be located and identified
Extensible Messaging and Presence Protocol
XMPP is a messaging protocol based on XML. Originally designed to support real time communication between devices using IM, but now is used in Voice over IP or VoIP systems as well
Presence Services have 3 parts
Presentity
Watcher
Presence Server
publish-and-subscribe or pub-sub
provides info regarding its network status to presence server and then subscribes presence info to relevant subscribers
Presence services rely on applications known as watchers
ie: Microsoft Office Live Communication Server with an IM platform like Office Communicator to communicate. These applications allow collaboration in real time and use of the range of presence information available
Presence Engine
acts as a broker between presence publishers and subscribers. Collates info from data sources and distributes it to subscribers authorized to receive the info.
They must use channel encryption and provide strong authorization, authentication and access controls to ensure secure info exchange
Securing a presence enabled system
all presence sources are authenticated before they can update an entity’s presence info
Only authorized sources can update info
Only a Presentity can create and modify its own privacy rules
Only authenticated presentities can specify privacy filters
Confidentiality and integrity of presence info and privacy filters is maintained
Key Privacy Concerns with the cloud
Data Access, Compliance, Data Storage, Data Removal, Data Retention, Auditing and Monitoring, Privacy Breaches
Data Access with Privacy
ensuring clients have access to their data, making it secure and ensuring it can’t be intercepted
Compliance with Privacy
tricky when clouds cross multiple jurisdictions and legislation; have to find out what laws and regs pertain
Data Storage Privacy
on a cloud data can get moved to different geographical locations so can become harder to keep data private
Data Removal Privacy
Ensuring data is destroyed without a trace, because CSPs store multiple copies of data across various servers and sites.
Data Retention Privacy
decide retention policies, CSP need to ensure they adhere to relevant regs
Auditing and Monitoring Privacy
CSPs have to reassure stakeholders that privacy requirements have been met; can be difficult when data is in different geographical locations or on virtual servers
Privacy Breaches
may be hard to determine who is liable
Presence information needs to be kept secure
Privacy Document Components
Authorization of Watchers - must be authorized before having access to info
Selective Notifications - criteria for who is allowed to watch
Differential Presence Info - what can be distributed
Local and National Rules - any rules/laws need to be outlined if they pertain
Authorization of Anonymous Subscriptions - should allow presentities to authorize anonymous subscribers. Watchers should be allowed to hide their identities in order to maintain privacy during certain sessions
Data Life Cycle Phases (5)
Data Life Cycle Management (DLM)
Data Creation, Storage, Use, Archiving, Destruction
key Challenges in regards to security of data
Backup and Recovery, Data Discovery, Data Overlaps, Data Persistence, Inference and Aggregation, Location, Security
ISO 27001
Provides assurance that a CSP is certified and has appropriate and adequate security management processes
ISO27002
Provides assurance that a CSP has processes in place for access control and business continuity management
SysTrust
Provides auditable assurance that CSPs maintain system availability, integrity, privacy, and confidentiality
Cloud implementation requires the client and the CSP to negotiate these items
Confidentiality - how will data be transferred and stored? How will it be segregated? Who will have access to the data in the cloud?
Integrity - need to determine permissions - who can modify data in the cloud and specific information on how the CSP hires and monitors its own administrators
Availability - what happens to data if a company goes out of business, is data accessible 24/7, disaster recovery plan of the CSP to ensure rapid recovery.
Authorization - how will access control be handled by CSP and client, only those authorized can access data and apps
Authentication - need to know what authentication measures are in place to ensure only legitimate users are granted access to the data and apps
Auditing - meet regulatory requirements, security measures are in place and the ability to audit the measures to ensure compliance - will they undergo an audit?
3 ways to determine responsibility between CSP and client
- CSPs manage security controls - need to match the security compliance of the customer and conform to recognized standards and best practices.
- Customers supply security controls - customer supplies its own security infrastructure to extend to services hosted by the CSP; customer provides key security controls and ensures that local controls can interact with cloud based controls via standards-based interfaces.
- CSPs provide security to local client system - csp is responsible for creating and managing the local security used by the customer on the customer’s local network, in this scenario, confidential data is stored locally with the customer. This can help eliminate certain risks with cloud based data storage
SAAS provides organizations
email management - anti-malware in the cloud, enforce encryption of outgoing email, catch spam, backing up and archiving email and indexing stored email in a central repository which is useful for e-discovery.
web content filtering - content filtering and virus filtering before entering network and protect against info leakage, can be used to block traffic or reduce bandwidth
Vulnerability Management - can be used to identify vulnerabilities and to provide patches and solutions to address them.
3 key security areas to address with prospective CSPs
Data Location
Regulatory Compliance
Investigative Support
SAAS - Software as a service - challenges and risks associated with it
Data Level Security, Physical Asset Control, Virtualization Risks, Mobile Device Security, Compliance Standards
Basic Security Measures for Saas
Physical data center security, Application Security, Virtual Machine Security, Risk Management, Training, Data Security, Access Management
Physical data center security
should be multilevel, including access control mechanisms, ie: biometrics, constant visual monitoring, alarms etc.
Environmental controls ie: temperature, air flow, fire suppression, electricity supply
policies processes and procedures
Application Security
web apps should be developed following open web application security project or OWASP guidelines
apps should lock down ports and unnecessary commands on Linux, Apache, MySQL and PHP (LAMP) stacks in the cloud.
Virtual Machine Security
to include integrity monitoring, intrusion detection or prevention systems and log inspection controls. Good idea to use bi-directional stateful firewalls on VDIs and enable centralized management of server firewall policies
csp and client responsibilities
Owners - authority and accountability for protection requirements and information assets.
CSPs are responsible and accountable for implementing integrity, availability, and confidentiality and privacy controls
Risk Management
conducting and documenting a security risk assessment; prioritizing risk mitigation and other risk handling strategies and controls
Training
train on security issues and policies, best practices
Data Security
Data Inventory, Data Classification, Data Analysis, Data Protection, retention and recovery, Data Privacy, Protocols for destroying data
Access Management
least privilege - lowest possible access granted to those working with data. End to end identity and trust from the cloud to the enterprise needs to be monitored by the CSP; needs to balance security with ease of access
Secure Software Development Life Cycle
SecSDLC involves 6 phases
Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance
Jericho Forum created the Cloud Cube Model
it defines the boundaries of the cloud and the enterprise and consists of:
Internal or External
In House or Outsourced
Proprietary or Open
Perimeterized or deperimeterized
Factors that are an issue when using a cloud infrastructure (IaaS)
Lack of network level auditing and monitoring
Loss of traditional network tiers and segregation
Higher incidence of DNS Attacks
Increase in Denial of Service or DoS attacks
security with IaaS
Customers have full responsibility for securing applications when using this model. CSPs don’t access or review customer apps
Customers are responsible for end point security such as antivirus, account and identity management, browser hardening
CSP should be asked to provide login history to facilitate investigations
security with PaaS
CSPs manage customers’ platforms and runtime engines and the security of the model, but the customer is responsible for securing its own apps on the platform
Security with SaaS
CSP is responsible for managing the entire suite of applications and security
Customers are usually responsible for account management, operational security, access management
Data at Rest
data stored permanently or temporarily within the cloud.
Data on the cloud security issues to consider
Data Provenance - data integrity up a notch
Data Lineage - the tracing of data locations over time; impractical in the cloud
Data Remanence - traces of data once information has been deleted or connections and hardware have been discarded, ie: cache stores, trash stores and faulty hard drives may be accessed by unauthorized users, so it needs to be addressed. Guidelines for media sanitation are set out by the National Institute of Standards and Technology or NIST, or by a standard such as ISO 27001.
two stacks used in cloud computing (stacks are programs that, when used together, allow you to put together a web app)
- LAMP - open source
SOAP aka Simple Object Access Protocol
is used to structure and exchange info between web services, relies on XML
UDDI or Universal Description, Discovery and Integration
XML based directory that businesses can use in conjunction with web services to collaborate, list their organization, find other organizations
WSDL or Web Services Description Language
XML Based language used to describe web services as a collection of ports
Open Source apps used in multi-tier architectures aka n-tier architectures
client server architecture in which three processes - presentation, data management and application processing are represented logically as separate layers or tiers
an example is OpenStack Software cloud o/s - runs on linux
different areas where open source software is used
application tiers, datacenters, database tiers, systems and network management tiers, web presence
Open Stack consists of three projects
Compute project
Object Storage
Image Service
when adopting VDI you need to consider
Demands from a complex multi-tier architecture, Potential for increased downtime, User Profiles in an Organization, Plans for implementation, Design Related Issues
PCoIP
PC over IP protocol designed for the cloud environment. It is a remote desktop protocol. Allows users to add a second monitor and change desktop resolution in a VDI environment
clients are still separated from the cloud server by an IP network, but client apps and o/s run as if on a standalone PC. Doesn’t compromise session speed or network bandwidth
have to have a monitor that has a PCoIP processor in it (LCD); can be a software or hardware processor
supported on thin and zero clients
Companies Pano Logic, Teradici, Wyse Technology