Domain 3 - Cloud Platform and Information Security Flashcards

1
Q

What are key components of the cloud infrastructure?

A

a) Physical Infrastructure (physical components of the cloud - e.g. data centers, servers, routers etc.)
b) Services (Virtualization, Compute, Storage, DBs)
c) Network and Communications (allows customer to reach cloud)

2
Q

What are risks and mitigations associated with physical security?

A

CSPs responsible for physical security. Risks and Mitigations include:

  • Physical Security (security guards, locks, fences, lights)
  • Identity and Access Management (SSO, SAML/OAuth2/MFA)
  • Data confidentiality and integrity (encryption, message digest, digital certs, PKI, TLS, VPN).
3
Q

Who has security responsibilities for network and communications?

A
  • CSP - responsible for network devices on its side
  • Customer - responsible for network devices on their side
  • Both must use secure protocols like HTTPS and/or VPN
  • In IaaS - CSP provides technology, but customer is responsible for configuring the environment and enforcing company policy
  • In PaaS - CSP provides physical components, internal network and tools; customer responsible for proper use and connection to the CSP
  • In SaaS - customer responsible for securely accessing service (e.g. secure data transfer).
4
Q

Who has security responsibilities for compute?

A
  • CSPs responsible for physical security, virtualization/hypervisor (patching and keeping up to date).
  • Customers responsible for data and users
  • In between the two ends, responsibility varies by IaaS, PaaS, SaaS
5
Q

What kinds of controls do CSPs have for hypervisor security?

A
  • Controlling physical access to servers
  • Ensuring only authenticated (authN) and authorized (authZ) individuals have access
  • Logging and Monitoring
  • Patching and vulnerability management
  • Network isolation - keeping virtual networks separate to prevent lateral movement (e.g. VLAN hopping), by using SDNs to create VPCs, subnets and routes.
  • Using encryption
6
Q

Who has security responsibilities for storage?

A
  • CSPs responsible for physical security and patching, and for maintaining data storage technology (e.g. upkeep of S3).
  • Customers responsible for security of data they put in it.
  • CSPs provide tools (e.g. IAM, encryption), customers responsible for properly using them
  • Customers also responsible for mitigating risks due to not having physical access to storage medium (e.g. crypto shredding).
7
Q

What is the management plane?

A

The Web interface and API used to configure, monitor and control the cloud environment.

Separate from the control plane and data plane.

8
Q

What are controls to secure the management plane?

A
  • Strong password
  • MFA (HW better than SW or SMS based)
  • Not using a root account
  • Role-based access controls (e.g. groups and policies)
  • Limit access to management planes (SCPs)
  • Separate dev, test and prod environments
9
Q

What is ABAC?

A

Attribute-based access control - e.g. using attributes such as user name, device type, point of connection (e.g. internet vs corp network) to provide access.

10
Q

What is IDaaS?

A
  • IDentity as a Service.
  • Identity management system is provided by a 3rd party as a SaaS Service.
  • SSO, MFA
  • Integration with existing on-prem Active Directory systems
11
Q

What are access control methods in the cloud?

A
  • Use of Federation (single entry point enhances security)
  • Use of IDaaS - to keep cloud separate depending on business needs.

12
Q

What are the considerations in designing a secure data center?

A
  1. Logical Design (involves tenant partition and access controls)
  2. Physical Design (involves location/siting and buy-and-hold)
  3. Environmental Design (HVAC, Multivendor Pathway Connectivity).

Most of this is the domain of the CSP. However, customers still have an obligation to properly use the logical separation controls to ensure that their data is secure.

Customers should also verify that the CSPs have done this properly - e.g. via SOC2 reports.

13
Q

When moving to the cloud, what areas must the risk assessment and analysis of the CSP focus on?

A
  • Privacy and Information Security.
  • Authentication is a key question - a breach of the CSP’s IAM service could mean a breach of on-prem since users reuse passwords.
  • Use of IDaaS vs. Federation with on-prem (each with their own pros and cons)
  • Data Security is another concern
  • Incident response (does CSP have proper tools - e.g. logging/monitoring, vulnerability scans, pen test etc.)
  • Compliance (e.g. handling of PII, PHI data)
  • Downtime due to loss of connectivity

Customer can assess this via SOC2 Type 2 reports.

14
Q

What are cloud vulnerabilities, threats and attacks?

A
  • Primary cloud vulnerability: access via Internet.
    Risks: loss of availability due to DoS attacks
  • Multitenancy - breakdown in tenant separation may cause data exposure (control: encryption)
  • Insider threat: unlawful access by CSP employees (encryption, with keys managed by customers)
15
Q

What are virtualization risks?

A
  • Breakdown of tenant isolation due to hypervisor issues (CSPs responsible for this)
  • VM sprawl - users creating VMs and forgetting to shut them down (security and cost issue). Sensitive data may be stored on these VMs.
16
Q

How should security controls be designed for the cloud infrastructure?

A

Controls fall into the following categories:

  1. Physical and Environmental protections
  2. System and Communication Protections
  3. Virtualization systems protections
  4. ID, AuthZ, AuthN in Cloud Infra
  5. Audit Mechanisms
17
Q

How should Physical and Environmental security controls be designed for the cloud infrastructure?

A
  • Data Center Site selection (done by CSP, but customer should review, examine BCP/DR plans)
  • Power, HVAC
  • Sufficient bandwidth and other capacity
  • Network connectivity redundancy (multiple ISPs)
  • Access Controls (physical and logical)
18
Q

How should Systems and Communication protection security controls be designed for the cloud infrastructure?

A
  • Per NIST 800-53, Systems and Communication Protection (SC) - 51 controls
    a) Policy and Procedures
    b) Separation of system and user functionality
    c) Security Function Isolation
    d) DoS Protection (bandwidth, capacity)
    e) Boundary Protection (prevent malicious traffic entry, data loss/exfiltration)
19
Q

How should Virtualization protection security controls be designed for the cloud infrastructure?

A
  • Secure IAM (foundational control) - determines who can access the VMs.
  • Create standard configs for VMs.
  • Configuration guides on how to use cloud services securely; Config enforcement tools (e.g. AWS Config)
  • Monitoring tools (e.g. CloudWatch/CloudTrail)
  • Governance to manage VM sprawl (e.g. AWS Config)
20
Q

How should ID, AuthZ and AuthN security controls be designed for the cloud infrastructure?

A
  • Use of IDaaS, CSP’s IAM System, On-prem are all options based on business needs
  • Generally, SSO is desired (but may not always be feasible)
  • If using CSP’s IAM, verify that it is secure.
21
Q

How should Audit mechanism security controls be designed for the cloud infrastructure?

A
  • Log collection and review essential - especially for privileged account activity
  • Packet captures may be needed to understand network traffic; CSPs may provide tools (VPC Flow Logs and traffic mirroring)
22
Q

What is RTO?

A

Recovery Time Objective (RTO) = maximum tolerable length of time that an application can be down after a failure or disaster occurs.

It is a business decision, not an IT decision!

It is an important consideration in a disaster recovery plan. Mission critical services will have a lower RTO - i.e. they must recover quickly.

RTO is always lower than the Max Allowable Downtime (MAD) - i.e. the maximum downtime before a company goes out of business.

23
Q

What is RPO?

A

Recovery Point Objective (RPO) = Amount of time for which data loss is acceptable.

RPO determines how frequently data backups occur.

24
Q

What is RSL?

A

Recovery Service Level = How much compute power (0 to 100%) is needed for production systems during a disaster.

For example, RSL may be 30% (i.e. of the 10 production servers during normal operations, at least 3 need to be running during a disaster).

Normally excludes dev, test and other environments.

25
Q

What is a BCP?

A

Business Continuity Plan

  • Initiated after a disaster
  • Goal is to keep business running after a disaster/event
  • May use different location, systems or processes
  • Focus is on business processes
26
Q

What is a DRP?

A

Disaster Recovery Plan

  • Plan to return to business as usual (e.g. restoring a data center hit by a tornado)
  • Focus is on technology and data policies.
  • DRP is a subset of BCP.
  • Focus on data backups and IT contingency plans for critical functions and applications.
27
Q

What are the components of a good BCP/DRP?

A
  • Plan Creation
  • Plan Implementation
  • Plan Testing
28
Q

In a good BCP/DRP what is involved in Plan Creation?

A
  • Business Impact Analysis
  • BIA identifies critical, important and support systems
  • Identifies process dependencies
  • This helps identify restoration priority
  • Determines RTO/RPO
29
Q

In a good BCP/DRP what is involved in Plan Implementation?

A
  • Identification of key personnel
  • Identification of alternate facilities, contracts for services, training of key personnel
  • Architect critical systems in the cloud for HA and resiliency (multiple AZs, LBs, DNS etc.)
  • Active-Active (for critical systems)
  • Active-Standby (for important systems)
  • Single AZ deployment for non-critical, support systems
  • Cost is a consideration
30
Q

In a good BCP/DRP what is involved in Plan Testing?

A
  • Annual testing
  • Should cover data breach, data loss, power outage, network failure, environmental, civil unrest, pandemics
  • Scheduled and surprise tests
  • Table top exercises - just verbal walkthroughs
  • Simulation - More detailed than walkthroughs - some parts of the plan are executed
  • Parallel test - Actual steps are performed by key members
  • Cutover - Disaster is simulated in full.