Domain 7 - Infrastructure Security Flashcards

1
Q

How are networks generally physically segmented in the cloud?

A

There are three physically segregated networks:
a) Service Network - Internet to compute nodes, instance to instance
b) Storage - Compute to storage nodes
c) Management - API traffic and management traffic.

2
Q

What are some of the challenges in cloud networking?

A
  • Physical appliances for monitoring are not possible in a virtual environment.
  • Virtual appliances can become choke points and SPOFs.
  • VAs need to scale with the resources they monitor.
  • Resources may have very short life spans, e.g. Lambda.
  • Dynamic and fast-changing nature of the cloud environment (ephemeral IP addresses, auto-scaling, etc.).
3
Q

SDN Benefits?

A
  • Isolation is easier.
    - SDN firewalls are flexible, e.g. Security Groups can be applied to EC2 instances no matter where they are located.
  • Security Groups can be applied to Auto-scaling groups.
  • SDNs eliminate low-level attacks like ARP spoofing and packet sniffing.
4
Q

What is CSA’s Software Defined Perimeter?

A

In the SDP architecture, there are three components:
a) SDP client - runs on the connecting asset (e.g. laptop)
b) SDP controller - handles authN and authZ of SDP clients and configures connections to the SDP Gateway
c) SDP Gateway - terminates client traffic (data path) and acts as the policy enforcement point.

5
Q

What are the different types of compute abstractions?

A
  1. Virtual Machines
  2. Containers
  3. Platform-based (e.g. PaaS)
  4. Serverless (e.g. Lambda).
6
Q

What are the benefits of immutable workloads?

A
  1. No need to patch running systems; just update images and start a new instance with it.
  2. Disable remote logins (much more secure)
  3. Updates are faster
  4. Disable unused services
  5. Security testing is done during image creation, no need for vulnerability testing of running environments.
7
Q

What requirements do immutable workloads bring?

A
  1. Consistent image creation process and automated deployment processes must be in place
  2. Security testing must be integrated into the image creation and deployment process
  3. Image creation must account for configuration (e.g. turn off logins)
  4. Send sufficiently detailed logs to an external collector
  5. Service catalog becomes complicated as there may be hundreds of microservices and updates a day.
8
Q

How does the cloud affect workload security controls?

A
  1. Serverless compute: inability to run agents.
  2. Traditional agents may be too bulky to run on VMs and need to be redesigned.
  3. Static IP addressing may be replaced by dynamic IPs that are reused.
  4. Ephemeral nature of cloud resources, e.g. auto scaling, serverless.
  5. Cloud instances may be less resilient than physical infrastructure.
9
Q

How does cloud affect logging and monitoring?

A
  • Ephemeral nature of cloud resources means traditional identifiers may not suffice (e.g. IP addresses are dynamic and shared, no longer static).
  • Logs may have to be offloaded sooner, before the VM/Lambda disappears.
  • Logs may incur storage and/or network costs depending on whether you store them in the cloud or bring them back on-prem.
10
Q

How does cloud affect vulnerability assessment?

A
  • Pen tests may not be permitted by the cloud provider.
  • Default deny limits the effectiveness of tests: ports need to be opened.
  • For immutable workloads, assessments may have to be done at image building time.