Domain 1: Cloud Concepts, Architecture and Design Flashcards

1
Q

What are the cloud computing roles?

A

Cloud Service Customer: Company or person that consumes a cloud service.

Cloud Service Provider (CSP): Company offering cloud services, e.g. AWS, Azure, or GCP.

Cloud Service Partner: Third party offering a variety of cloud-based services (infrastructure, storage, application services, and platform services) using the associated CSP. Some partners provide their own or most of their own infrastructure and extend the service areas they can reach through the use of partnerships, e.g. Dropbox can be deployed within AWS.

Cloud Service Broker: Helps customers find solutions to their cloud computing needs. Adds value through aggregation of services from multiple parties, integration of services with a company’s existing infrastructure, and customisation of services that a CSP cannot or will not make.

2
Q

What are the Key Cloud Computing Characteristics?

A
  • On Demand Self-Service: Rapidly provisioned and released with minimal management effort or service provider interaction. Requires vendor management.
  • Broad Network Access: For public and community clouds, the internet provides the network access. For a private cloud, this could include the corporate network.
  • Multitenancy: A server may have more than one company purchasing access, like an apartment building. Each tenant’s data remains private and secure, in the same way that belongings (data) in an apartment are isolated from the neighbours’ (data). However, if the hypervisor is compromised, this could lead to loss of data.
  • Resource pooling: Multiple customers share a set of resources including servers, storage, and application services. Inability to ensure data erasure can mean that remnants of sensitive files could exist on storage allocated to another user.
  • Rapid Elasticity and Scalability:
  • Measured service: In a private cloud, allows an organisation to charge each department based on its usage. For a public cloud, each customer pays for the resources consumed, and pays for metered service for peak periods, e.g. Black Friday sales, etc.
3
Q

What are the building block technologies for Cloud Computing?

A
  • Virtualisation: Allows the sharing of servers by leveraging existing hardware and running multiple different isolated servers. CSPs leverage this idea by creating tenants - independent and separate environments. This allows CSPs spread over many locations to spin up/down services easily. However, this has security implications for data residency requirements. In addition, the hypervisor is critical to keeping the data segmented, and if compromised it compromises all VMs - its security is the responsibility of the CSP.
  • Storage: Two types: Storage Area Networks (SAN) or Network Attached Storage (NAS). SAN provides secure storage across the domain and appears like a single disk, though the storage is spread across multiple locations. NAS uses TCP/IP, allows file-level access, and appears as a single file system. Security of the storage is the responsibility of the CSP. A major security issue arises if file fragments exist on a disk after it has been deallocated from one customer and reallocated to another.
  • Networking:
  • Databases: Administration of the underlying database is the CSP’s responsibility. A number of different database options and types, including data warehouses, data lakes, etc.
  • Orchestration: the glue that ties all the other pieces together through programming and automation. It is able to manage many CSPs in various deployment models, e.g. IBM Cloud Orchestration, AWS CloudFormation, etc.
4
Q

What is the NIST 500-292 cloud reference architecture?

A

A role-based reference architecture centred around 5 core roles, creating a framework or mapping of cloud computing activities and cloud capabilities.

Cloud Consumer: Procurement and use of cloud services.

Cloud Provider: Entity that makes services available, including service deployment, orchestration, management, security and privacy.

Cloud Auditor: Independent examination and evaluation of cloud service controls - focused on compliance, security or privacy.

Cloud Broker: Entity involved in 3 primary activities: aggregation of services from several CSPs, integration with existing infrastructure, and customisation of services.

Cloud Carrier: Entity that provides the network or telecommunication connectivity.

5
Q

What are the cloud service capabilities?

A

Application capabilities: access an application over the network from multiple devices & locations. Users do not have the ability to control or modify the underlying cloud infrastructure. Supporting all of the different types of devices is the responsibility of the CSP.

Platform capabilities: allow for the development and deployment of solutions. Users can modify the solutions they deploy (ones they develop & customise). No capability to modify the underlying infrastructure.

Infrastructure capabilities: users have control over the OS, installed tools, installed solutions, and provisioning of infrastructure (compute, storage, network and other computing resources) - with the only exception of the hardware.

6
Q

What is the set of transformative technologies that has led to increased capabilities of cloud computing?

A
  • Machine Learning: component of AI used to create solutions that learn and improve without programming. Large, inexpensive data storage and technologies (data warehouse, data lake) and greater computing power increase the effectiveness of ML. Risks include all data being stored in a single location; privacy concerns include what can be learnt from the data and how that knowledge will be learnt.
  • Artificial Intelligence: the goal of AI is to create a machine that cannot be distinguished from humans - and it may impact lower-skill workforces. The greater ability to aggregate and manipulate data through tools created through AI research impacts security and privacy.
  • Blockchain: open distributed ledger of transactions, often financial, between two parties. Each transaction is recorded in a permanent and verifiable manner. Blocks are linked cryptographically and distributed across a set of computers.
  • Internet of Things: a great deal of data is being generated and stored from IoT devices, which is mined from the cloud. It is not always the data that is targeted: the device can be made part of a DDoS, or the technology itself can be used as part of the attack, e.g. cameras.
  • Containers: In traditional virtualisation the hypervisor sits atop the host OS, the VM sits atop the hypervisor, and the VM contains the guest OS. Containerisation, however, has no hypervisor and no guest OS. A container runtime sits above the host OS and uses it to access needed system resources; with the virtualisation occurring higher in the stack, it requires fewer resources and no additional OS. Containers are like privileged users.
  • Quantum Computing: uses quantum physics to build powerful computers - and when combined with the cloud makes AI & ML more powerful. Has the ability to transform medical research, AI, and computing technologies. Security concerns include breaking encryption/decryption as computing power increases.
7
Q

What are the security concepts relevant to cloud computing relevant to encryption and access control?

A

Cryptography and Key Management: In multi-tenancy there is an inability to securely wipe the physical drive. It will also be required to determine whether a VM or container has remained unaltered after deployment. Another issue is key management, ensuring keys are stored separately from data.

Access Control: Can be physical, technical or administrative. Physical is the responsibility of the CSP. Administrative controls are policies and procedures, including access control, logging & monitoring. Customers are responsible for determining the right administrative controls. Technical controls are a shared responsibility, e.g. the CSP will federate a customer’s IAM and is responsible for the integration, whilst the customer is responsible for the maintenance of the IAM system.

Data/Media Sanitisation: Overwriting is the idea that data marked for deletion will eventually be cleared once that sector is written over. Encrypting all the data would ensure that data, even if only marked for deletion, is secure. Cryptographic erase is taking the encryption keys and zeroising them, ensuring the data is not retrievable.

8
Q

What are the network security considerations for cloud security?

A
  • Network Security Groups: provide a set of security rules, or a virtual firewall, for a group of cloud resources. Applied as a layer around the VM, subnet, or other cloud resource.
  • Cloud gateways: keep communication between the customer and the CSP off the internet.
  • Context-based security: Context includes things such as identity (determined through the IAM system), location, time of day, or endpoint type, e.g. connecting from the corporate network through a VPN versus from a public network, or a user connecting from an endpoint that is not registered.
  • Ingress and Egress monitoring: ingress controls can block all or some external access. Inbound connections can be limited to those that are in response to a request. Egress controls prevent internal resources from connecting to malicious locations, e.g. command & control.
9
Q

What are the virtual security considerations for cloud security?

A
  • Hypervisor security: A Type 1 hypervisor is faster and more secure, but more difficult to set up than a Type 2 such as VMware or VirtualBox. The hypervisor is a natural target for malicious users as it controls all the resources of the VMs. For the customer, security is controlled by limiting admin access. All access to the hypervisor should be logged and audited. The hypervisor must remain current.
  • Container security: containers provide efficiency, portability, and easier scaling. They improve security by isolating the cloud solution and the host system. Security risks occur through inadequate IAM and through misconfigured containers. Traditional DevOps practices require education and training. A specialised container OS is beneficial as it limits the capabilities of the underlying OS to those required, similar to disabling ports and OS functionality.
10
Q

What are the design principles of secure cloud computing?

A
  • Cloud Secure Data Lifecycle: broken down into 6 steps:
    • Create - creation of new content
    • Store - storing new content
    • Use - data activities such as viewing, processing & changing
    • Share - exchange of data between two entities
    • Archive - data is no longer used but is stored
    • Destroy - data has reached the end of its life as defined in a data retention policy. Deleted.
    At each step in the lifecycle there is a possibility of breach or leakage. General tools for preventing these are encryption and the use of DLP.
  • DR & Business Continuity: BCP may focus on the critical business processes necessary to keep the business going while DR takes place. Availability zones in a region protect from DC failures. Multi-region availability zones provide enhanced coverage. DRPs rely heavily on data backups. DRP is about returning to normal operations. Cloud backups work only if you have network access and sufficient bandwidth.
  • Cost-benefit analysis: Cloud computing benefits reduce capital costs, but have higher operational costs. The tax treatment of capex vs opex may also need to be considered.
11
Q

What are some functional security requirements for making a move to the cloud safer for customers’ information and/or processes?

A
  • Portability: Frequent moves between CSPs, and from CSP to on-prem, can result in data loss or modification impacting availability and integrity. Portability refers to data and services moving seamlessly, and it can be automated.
  • Interoperability: refers to the ability to share data between tools and cloud environments, and between cloud and on-prem solutions. A way to bridge the gaps is via APIs.
  • Vendor Lock-in: Solving portability and interoperability will go a long way to solving vendor lock-in. Another issue is if one CSP provides functionality that others do not, e.g. AWS CloudTrail, which supports auditing of your AWS account, supporting governance and risk management; if the organisation were to move away from AWS, the GRC functionality would have to be built into the new solution.
12
Q

What is Cloud Computing?

A
  • Ubiquitous
  • Convenient
  • Self Service model
  • that allows for on-demand network access to a shared pool of computing resources
13
Q

What are the four cloud deployment models?

A

  • Public
  • Private
  • Community
  • Hybrid
14
Q

What are the key Characteristics of Public Cloud?

A
  • Available to anyone who purchases the services
  • Multi-tenant

Concern:

  • Privacy, security, & vendor lock-in
15
Q

What are the key Characteristics of Private Cloud?

A
  • Single-Tenant: Available only to a single organisation
  • May be located on-prem or hosted by a CSP
  • Ideal for files and data that are too sensitive to put on a public cloud (perceived to be more secure).
  • Secure wipe of data is possible

Concern:

  • More expensive
16
Q

What are the key Characteristics of Community Cloud?

A
  • Multi-tenant but limited to a group of companies or individuals (e.g. universities or governments)
  • May be hosted by one organisation with access provided to others.
17
Q

What are the key Characteristics of Hybrid Cloud?

A
  • Normally a combination of private and public clouds in whatever way makes sense to the business.
  • Example: the primary system is in a private cloud with backups stored in a public cloud, or sensitive data is in a private cloud with less sensitive data (email) in a public cloud.
  • Orchestration becomes important to keep it manageable.
18
Q

What are the various cloud computing roles?

A

  • Cloud Service Customer
  • Cloud Service Provider
  • Cloud Service Partner
  • Cloud Service Broker
19
Q

Who is a cloud Service Provider?

A
  • Company or entity offering Cloud services (e.g. AWS)
  • May offer SaaS, PaaS, and IaaS
20
Q

Who is a cloud Service Partner?

A
  • A third party offering cloud-based services using the associated CSP.
  • Introduces customers to the cloud more easily
  • Example: Dropbox mostly uses its own infra and extends to AWS in regions where it does not have a presence.
21
Q

Who is a cloud Service Broker?

A
  • Broker packages services in a manner that benefits the customer, making cloud adoption easier for the customer.
  • Three primary tasks:
    • Aggregate services from multiple CSPs
    • Integration with existing infrastructure (cloud / non-cloud)
    • Customization of services that a CSP may not do.
22
Q

What are the characteristics of Cloud Computing per NIST definition?

A
  • On Demand Self-Service: near instantaneous, self-service, automated. Problem: Shadow IT.
  • Broad Network Access: (needed to access the cloud). Problem: insecure protocols (e.g. FTP, HTTP).
  • Multi-tenancy: allows effective utilisation of resources. Problem: risk of one tenant’s actions impacting another.
  • Rapid Elasticity and Scalability: resources scale; pay-as-you-go. Problem: the CSP must plan for enough capacity.
  • Resource pooling: customers share a set of resources including servers, storage, and application services. Problem: inability to ensure data erasure.
  • Measured service: metered service for peak periods, e.g. Black Friday sales, etc.
23
Q

What is the NIST Reference Architecture (RA)?

A
  • Defined in SP 500-292. RAs enable interoperability of cloud services from different vendors
  • NIST RA is role based - 5 Roles
    1. Cloud Consumer (can consume SaaS, PaaS or IaaS services)
    2. Cloud Provider
    3. Cloud Auditor
    4. Cloud Broker
    5. Cloud Carrier (provider of connectivity to cloud)
  • Note that it does not mention the Cloud Partner; it also has an extra Cloud Auditor role.
24
Q

What are the building block technologies of cloud computing?

A
  • Virtualisation: The hypervisor is critical to keeping the data segmented, and if compromised it compromises all VMs - its security is the responsibility of the CSP.
  • Storage: Two types: Storage Area Networks (SAN) or Network Attached Storage (NAS). SAN provides secure storage across the domain and appears like a single disk. NAS uses TCP/IP, allows file-level access, and appears as a single file system. Security is the responsibility of the CSP. A major security issue is the risk around data deletion in shared storage.
  • Networking: use of the internet to access the cloud; data encryption in transit is needed.
  • Databases: Administration of the underlying database is the CSP’s responsibility. A number of different database options and types, including data warehouses, data lakes, etc.
  • Orchestration: the glue that ties all the other pieces together through programming and automation. It is able to manage many CSPs in various deployment models, e.g. IBM Cloud Orchestration, AWS CloudFormation, etc.
25
Q

What are cloud service capabilities?

A
  • A different way to look at the cloud service models (SaaS, PaaS, IaaS)
  • While SaaS, PaaS, and IaaS are defined by NIST, the cloud service capabilities are defined by ISO/IEC.
  • Three types:
    • Application Capability
    • Platform Capability
    • Infrastructure Capability
26
Q

Under cloud service capability, what is platform capability type?

A
  • A platform has the capability of deploying solutions through the cloud, e.g. AWS Elastic Beanstalk.
  • User can modify the solution, but not the underlying infrastructure
  • User has access to dev tools tailored to that cloud environment
27
Q

Under cloud service capability, what is application capability type?

A
  • Ability to access an application from a variety of device types, e.g. thin client, web, etc.
  • Responsibility of supporting various device types belongs to the application.
  • User gets a seamless experience
28
Q

Under cloud service capability, what is Infrastructure capability type?

A
  • An infrastructure customer cannot control the underlying HW, but can control OS, installed tools, solutions, and provisioning of compute, storage, network, etc.
  • Example: an EC2 customer.
29
Q

What are key set of concerns or considerations with respect to consuming cloud services?

A
  • Interoperability - avoiding vendor lock-in
  • Portability - move data and architectures between clouds; no loss of metadata
  • Reversibility - measures the extent cloud services can be moved between clouds
  • Availability (Service availability, elasticity, scalability)
  • Security (data, application and infrastructure)
  • Privacy
  • Resiliency (BCP, DR)
  • Performance (measured through SLAs)
  • Governance (Policies, procedures, controls)
  • Maintenance and Versioning
  • Service Levels and SLAs (mostly standard for all but the largest customers who can negotiate).
  • Auditability (verifies effectiveness of controls)
  • Regulatory (governance needed to ensure requirements are met) - three types: a) law, b) contracts and c) standards
30
Q

What are some of the transformative technologies made possible by the cloud?

A
  • Machine Learning: component of AI used to create solutions that learn and improve without programming. Large, inexpensive data storage and technologies (data warehouse, data lake) and greater computing power increase the effectiveness of ML. Risks include all data being stored in a single location; privacy concerns include what can be learnt from the data and how that knowledge will be learnt.
  • Artificial Intelligence: the goal of AI is to create a machine that cannot be distinguished from humans - and it may impact lower-skill workforces. The greater ability to aggregate and manipulate data through tools created through AI research creates security and privacy concerns.
  • Blockchain: open distributed ledger of transactions, often financial, between two parties. Each transaction is recorded in a permanent and verifiable manner. Blocks are linked cryptographically and distributed across a set of computers.
  • Internet of Things: a great deal of data is being generated and stored from IoT devices, which is mined from the cloud. It is not always the data that is targeted: the device can be made part of a DDoS, or the technology itself can be used as part of the attack, e.g. cameras.
  • Containers: In traditional virtualisation the hypervisor sits atop the host OS, the VM sits atop the hypervisor, and the VM contains the guest OS. Containerisation, however, has no hypervisor and no guest OS. A container runtime sits above the host OS and uses it to access needed system resources; with the virtualisation occurring higher in the stack, it requires fewer resources and no additional OS. Containers are like privileged users.
  • Quantum Computing: uses the cloud to spin up more resources to make more use of AI and ML. Has the ability to transform medical research, AI, and computing technologies. Security concerns include breaking encryption/decryption as computing power increases.
31
Q

What are the three types of access controls?

A

Physical, Administrative and Technical.

  • Physical - CSP’s domain. Protects access to data centers
  • Administrative- customer’s domain. Determines who can access the system, how access is logged etc.
  • Technical controls - shared. The CSP provides the IAM system; the customer is responsible for provisioning/deprovisioning.
32
Q

What is contextual based security?

A

Level of access determined by identity, location, time of day, endpoint type, corporate network/external network, and other such factors.

33
Q

What are the benefits of ingress/egress monitoring?

A
  • Ingress control - prevents unwanted external access attempts, allows only response to initiated requests
  • Egress control - prevents data loss; malware cannot reach C&C servers.
34
Q

What’s the difference between type 1 & type 2 hypervisors?

A
  • Type 1 - runs directly on the host’s hardware, e.g. Hyper-V, VMware ESXi, or Citrix XenServer. Also called a bare-metal hypervisor. Difficult to set up.
  • Type 2 - runs on an operating system, atop the host OS. Easier to set up, but less secure, e.g. VMware Workstation/Player, VirtualBox. Also called a host OS (hosted) hypervisor.
35
Q

What are the tradeoffs with containerization technologies?

A
  • Containers are lightweight, portable, scale easily, and lend themselves to agile development.
  • However, they are prone to security issues as a result of inadequate IAM and mis-configurations.
  • Requires a specialised container OS to limit functionality, similar to disabling services and ports.
36
Q

What’s the difference between BCP and DRP?

A

  • Business Continuity Planning - focus on keeping the business running following a disaster. BCP focuses on space, personnel, technology, processes and data.
  • Disaster Recovery Planning - focus on returning to normal business operations. Focus on data backups.
37
Q

What are the layers of an architecture stack?

A
  • Data
  • API
  • Applications/Solutions
  • Middleware
  • Operating System
  • Virtualization (VMs, Virtual LANs)
  • Hypervisor
  • Compute & Memory
  • Data Storage
  • Networks
  • Physical Infrastructure

From the hypervisor on down, security responsibility rests with the CSP.

38
Q

What are the security responsibility in a SaaS service?

A

  • Customer is responsible for the data and APIs.
  • User is responsible for secure transfer of data to the SaaS provider; login credentials/MFA, etc.
  • May also be responsible for customization.

39
Q

What are the security responsibility in a PaaS service?

A

  • PaaS provider responsible for infra, OS, networking, virtualization and platform tools etc.
  • Developer responsible for security of application, data used by the application, user access, APIs etc.
40
Q

What are the security responsibility in a IaaS service?

A

  • CSP responsible for physical security of HW components, networking, and virtualization (e.g. hypervisor).
  • Customer responsible for the OS level and up. This includes safely configuring the SW (OS, tools and apps), responsibility for patching and updating the tools and OS they install, IAM, user data, and security of data at rest and in motion.
41
Q

What are a few key global standards for the cloud?

A

  • ISO/IEC 27001 - Security Management Standard
  • ISO/IEC 27017 - Cloud Specific Controls
  • ISO/IEC 27018 - Personal Data Protection
  • ISO/IEC 27701 - Privacy Information Management
42
Q

What is Common Criteria?

A

  • CC is an international set of guidelines (ISO/IEC 15408) and specifications to evaluate information security products.
  • CC has two parts: Protection Profile & Evaluation Assurance Level.
  • PP: defines a standard set of security requirements for a specific product type, such as a firewall. It is a pre-defined template.
  • EAL: Levels 1 through 7; measures the amount of testing done on the product.
  • Testing done by independent labs.
43
Q

In the FIPS 140-2 standard, what’s the difference between FIPS validated and FIPS compliant?

A

  • FIPS validation requires testing by external labs - there are four levels of testing.
  • There are 21 “Cryptographic Module Testing Laboratories” that are accredited by NIST under the National Voluntary Laboratory Accreditation Program to perform such validations.

44
Q

What class of information is the FIPS 140-2 standard designed for?

A

  • Sensitive but unclassified information (SBU).
  • Not to be used for Secret, Top Secret or Sensitive Compartmented Information (SCI).
45
Q

What are the stages of data in a data life cycle?

A

Six stages:

  1. Create
  2. Store
  3. Use
  4. Share
  5. Archive
  6. Destroy