Domain 3: Security Engineering; Virtualization and Distributed Computing Flashcards
What is virtualization?
Virtualization adds a software layer between the operating system and the underlying computer hardware. This allows multiple guest operating systems to run on a physical host computer. Popular products include VMware, QEMU, and Xen.
What is transparent virtualization?
Transparent virtualization runs stock operating systems, such as Windows 10 or Ubuntu Linux 15.04, as virtual guests. No changes to the guest OS are required.
What is paravirtualization?
Paravirtualization runs specially modified operating systems, with modified kernel system calls. Paravirtualization can be more efficient, but requires changing the guest OS, which may not be possible for closed OSes such as the Microsoft Windows family.
The key to virtualization security is the hypervisor, which does what?
Controls access between the virtual guests and the host hardware.
What is the difference between a Type 1 and Type 2 hypervisor?
A Type 1 hypervisor (also called bare metal) is part of an operating system that runs directly on host hardware. A Type 2 hypervisor runs as an application on a normal operating system, such as Windows 10. VMware ESX is a Type 1 hypervisor, and VMware Workstation is Type 2.
What is VMEscape?
Where an attacker exploits the host OS or guest from another guest.
What is cloud computing?
Public cloud computing outsources IT infrastructure, storage, or applications to a 3rd party provider. A cloud also implies geographic diversity of computer resources. The goal of cloud computing is to allow large providers to leverage their economies of scale to provide computing resources to other companies that typically pay for these services based on their usage.
What are the three commonly available levels of service provided by cloud providers?
Infrastructure as a Service
Platform as a Service
Software as a Service
What is a private cloud?
Private clouds house data for a single organization, and may be operated by a 3rd party, or by the organization itself.
What is a government cloud?
Government clouds are designed to keep data and resources geographically contained within the borders of one country, and are designed for the government of the respective country.
What are the benefits of cloud computing?
Reduced upfront capital expenditure, reduced maintenance costs, robust levels of service, and overall operational cost-savings.
What are the concerns of cloud computing?
One concern is that the compromise of one cloud customer could lead to the compromise of other customers.
What is the risk of using a pre-configured image?
Any vulnerability associated with the pre-configured image can introduce risk to every organization that uses the image.
What are some rights an organization should negotiate before signing a contract with a cloud computing provider?
The right to audit, the right to conduct a vulnerability assessment, and the right to conduct a penetration test (both electronic and physical) of data and systems placed in the cloud.
When data needs to comply with US-based laws, should a public cloud be used?
Data in public clouds could be moved to another country. US-based laws such as HIPAA or GLBA have no effect outside the US. Private or Government clouds should be used in these cases.