Domain 7 - Infrastructure Security Flashcards

1
Q

_______ is the foundation for operating securely in the cloud. It is the glue of computers and networks that we build everything on top of, and it encompasses the lowest layers of security, from physical facilities through
the consumer's configuration and implementation of infrastructure components. These are
the fundamental components that everything else in the cloud is built from, including compute
(workload), networking, and storage security.

A

Infrastructure security

2
Q

Two macro layers to infrastructure

A
  • The fundamental resources pooled together to create a cloud. This is the raw, physical and
    logical compute (processors, memory, etc.), networks, and storage used to build the cloud’s
    resource pools.
  • The virtual/abstracted infrastructure managed by a cloud user. That’s the compute, network,
    and storage assets that they use from the resource pools.
3
Q

What are the 3 common networks isolated onto different dedicated hardware in the cloud?

A
  • Management Network
  • Storage Network
  • Service Network
4
Q

2 major categories of network virtualisation?

A
  • VLAN
  • SDN

5
Q

A type of network virtualisation designed for single-tenant networks and not designed for cloud-scale virtualisation

A

VLAN

6
Q

A type of network virtualisation that decouples the control plane from the data plane and can offer much more flexibility and isolation

A

SDN

7
Q

True/False: Traditional Network Intrusion Detection Systems, where communications between hosts are
mirrored and inspected by the virtual or physical Intrusion Detection Systems, will not be supported
in cloud environments; customer security tools need to rely on an in-line virtual appliance, or
a software agent installed in instances. This creates either a chokepoint or increases processor
overhead, so be sure you really need that level of monitoring before implementing.

A

True

8
Q

What are the challenges of virtual appliances in the cloud?

A
  • Virtual appliances can become bottlenecks
  • May consume significant resources and increase cost
  • Should be cloud-aware and designed to handle the velocity of change
  • Limited auto-scale capabilities
9
Q

SDN Security Benefits

A
  • Isolation is easier, since virtual networks are created in software rather than constrained by physical topology
  • SDN firewalls (e.g. security groups) can apply to assets based on more flexible criteria than hardware firewalls: policy sets of ingress/egress rules can apply to single assets or groups of assets regardless of network location

10
Q

________________ (also sometimes referred to as hypersegregation) leverages virtual network topologies to run more, smaller, and more isolated networks without incurring additional hardware costs that historically
make such models prohibitive

A

Microsegmentation
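The SDN-firewall and microsegmentation cards above describe policy that follows assets rather than network location. The following is an added example (not from the CSA guidance or any vendor API) of how that works in practice: rules are written against workload tags with a default deny, evaluated per flow, and then expanded into the concrete per-IP entries a control plane would push to the data plane. The tag names, the three-tier policy and the inventory are assumptions made for illustration; every workload deliberately sits in the same /24, which a VLAN would treat as one unfiltered segment.

```python
"""Tag-based microsegmentation policy, evaluated per flow with default deny.

Constructed example (not from the CSA guidance): the rule format, the tags and
the workloads below are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    """Allow `proto`/`port` from any workload carrying all of src_tags
    to any workload carrying all of dst_tags. No matching rule -> deny."""
    src_tags: frozenset
    dst_tags: frozenset
    port: int
    proto: str = "tcp"


# Sample policy for a three-tier application. Rules mention tags, never IPs, so
# they keep working when instances are replaced or get new addresses.
POLICY = [
    Rule(frozenset({"tier:web"}), frozenset({"tier:app"}), 8080),
    Rule(frozenset({"tier:app"}), frozenset({"tier:db"}), 5432),
    # Admin SSH only from a prod bastion to prod workloads; a dev bastion never matches.
    Rule(frozenset({"role:bastion", "env:prod"}), frozenset({"env:prod"}), 22),
]

# Constructed inventory: every workload is in the same /24, which a VLAN would
# treat as one broadcast domain with no intra-segment filtering.
INVENTORY = [
    Workload("web-1", "10.0.1.10", frozenset({"tier:web", "env:prod"})),
    Workload("app-1", "10.0.1.11", frozenset({"tier:app", "env:prod"})),
    Workload("db-1", "10.0.1.12", frozenset({"tier:db", "env:prod"})),
    Workload("jump-1", "10.0.1.20", frozenset({"role:bastion", "env:prod"})),
    Workload("jump-dev", "10.0.1.21", frozenset({"role:bastion", "env:dev"})),
]


def is_allowed(src, dst, port, proto="tcp", policy=POLICY):
    """Evaluate a single flow; the first matching allow rule wins, otherwise deny."""
    for rule in policy:
        if (rule.port == port and rule.proto == proto
                and rule.src_tags <= src.tags and rule.dst_tags <= dst.tags):
            return True
    return False


def compile_to_ip_rules(policy=POLICY, inventory=INVENTORY):
    """What the SDN control plane effectively does: expand tag-based intent into
    concrete (src_ip, dst_ip, proto, port) entries for the data plane. Re-running
    this after a launch or termination re-derives the whole rule set."""
    rules = set()
    for src in inventory:
        for dst in inventory:
            if src is dst:
                continue
            for rule in policy:
                if rule.src_tags <= src.tags and rule.dst_tags <= dst.tags:
                    rules.add((src.ip, dst.ip, rule.proto, rule.port))
    return sorted(rules)


if __name__ == "__main__":
    web, app, db = INVENTORY[0], INVENTORY[1], INVENTORY[2]
    print("web->app:8080", is_allowed(web, app, 8080))   # allowed by rule 1
    print("web->db:5432 ", is_allowed(web, db, 5432))    # no rule: default deny
    for entry in compile_to_ip_rules():
        print(entry)
```

Adding a second app instance to the inventory with the same tags produces the extra web-to-app, app-to-db and bastion-to-app entries on the next compile without anyone editing the policy; that is the property that makes many small segments cheap to operate.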

11
Q

3 components of a Software Defined Perimeter (SDP), as defined by the CSA SDP Working Group

A
  • SDP Client
  • SDP Controller
  • SDP Gateway
12
Q

True/False: Cloud users are responsible for implementing perimeter security that protects the
environment but minimizes impact on customer workloads.

A

False. It is the cloud provider's responsibility.

13
Q

_________ connect an enterprise private cloud or data center to a public cloud provider, typically using either a dedicated Wide Area Network (WAN) link or VPN.

A

Hybrid clouds

14
Q

_____ is an emerging architecture for hybrid connectivity that allows connecting to multiple cloud networks using a single hybrid connection

A

Bastion or Transit network

15
Q

A ______ is a unit of processing, which can be in a virtual machine, a container, or other
abstraction.

A

Workload

16
Q

True/False: It’s important to remember that every cloud workload runs on a hardware stack, and the integrity of
this hardware is absolutely critical for the cloud provider to maintain.

A

True

17
Q

Compute abstraction types

A
  • Virtual Machines
  • Containers
  • Platform-based workload
  • Serverless Computing
18
Q

______ are the most well-known form of compute abstraction, and
are offered by all IaaS providers. They are commonly called instances in cloud computing
since they are created (or cloned) off a base image.

A

Virtual machines

19
Q

_______ are code execution environments that run within an operating system
(for now), sharing and leveraging resources of that operating system. While a VM is a full
abstraction of an operating system, this is a constrained place to run segregated
processes while still utilizing the kernel and other capabilities of the base OS

A

Containers

20
Q

________ is a more complex category that covers workloads running on a shared platform that aren’t virtual machines or containers, such as logic/procedures running
on a shared database platform. Isolation and security are totally the responsibility of the platform provider, although the provider may expose certain security options and controls.

A

Platform-based workload

21
Q

_________ is a broad category that refers to any situation where the
cloud user doesn't manage any of the underlying hardware or virtual machines, and just
accesses exposed functions. Under the hood, these still utilize capabilities such as containers, virtual
machines, or specialized hardware platforms. From a security perspective, it is merely a
combined term that covers containers and platform-based workloads, where the cloud provider
manages all the underlying layers, including foundational security functions and controls.

A

Serverless Computing

22
Q

True/False: The burden to maintain workload isolation is on the cloud provider and should be one of their top priorities.

A

True

23
Q

True/False: To reconfigure or change an immutable instance you update the underlying image, and then rotate
the new instances by shutting down the old ones and running the new ones in their place.

A

True

24
Q

Security benefits of immutable workload

A
  • You no longer patch running systems
  • Logins can be disabled on running workloads
  • Much faster to roll out updated versions
  • Easier to disable unneeded services
  • Security testing can be managed during image creation
25
Q

Some requirements of immutable workloads

A
  • Need a consistent image creation process for updates
  • Security testing must be integrated into the image creation process
  • Need configuration to disable logins and restrict services
  • May want a process to enable logins on some workloads (e.g. for troubleshooting)
  • Increased complexity of managing service catalogs
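Cards 23 to 25 describe the immutable-workload lifecycle: change the image, not the instance, then rotate. The following is an added example (not from the CSA guidance or any cloud provider's SDK) of a small rotation controller that enforces those rules: instances can only be launched from images whose digest is on an approval list produced by the image pipeline's security testing, in-place changes are refused, logins are off by default, and replacements are launched and health-checked before anything old is retired so a bad image rolls back instead of taking the service down. The `Image`, `Instance` and `ImmutableFleet` types, the approval list and the digest-based health check are assumptions standing in for a real build system and cloud API.

```python
"""Rotate an immutable fleet: new image, new instances, old ones retired.

Constructed example (not from the CSA guidance). The image pipeline, the
approval list and the health check are assumptions standing in for a real
build system and cloud API.
"""
import hashlib
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Image:
    name: str
    version: str
    content: bytes          # stands in for the built artifact
    security_tested: bool   # set by the image pipeline, never changed at runtime

    @property
    def digest(self):
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Instance:
    id: str
    image_digest: str
    login_enabled: bool = False   # immutable workloads ship with logins disabled
    healthy: bool = False


class ImmutableFleet:
    """A fleet whose instances are only ever created from approved images."""

    def __init__(self, approved_digests):
        self.approved = set(approved_digests)   # digests that passed security testing
        self.instances = []
        self._ids = itertools.count(1)

    def launch(self, image, n, health):
        if not image.security_tested or image.digest not in self.approved:
            raise PermissionError(f"{image.name}:{image.version} is not an approved image")
        new = [Instance(f"i-{next(self._ids)}", image.digest) for _ in range(n)]
        for inst in new:
            inst.healthy = health(inst)
        return new

    def patch_in_place(self, instance_id, change):
        """The only way to change running config is to build and rotate a new image."""
        raise PermissionError("in-place changes are disabled on immutable workloads")

    def rotate(self, new_image, health):
        """Launch replacements first, verify them, then retire the old instances.
        If any replacement fails its health check nothing old is touched, so a
        bad image cannot take the service down."""
        replacements = self.launch(new_image, max(len(self.instances), 1), health)
        if not all(inst.healthy for inst in replacements):
            return False    # rollback: replacements discarded, old fleet still serving
        self.instances = replacements
        return True

    def digests(self):
        return {inst.image_digest for inst in self.instances}


def running_expected_image(expected_digest):
    """Health check: a replacement is healthy only if it booted from the image we
    meant to deploy (what a boot-time digest check or attestation gives you)."""
    return lambda inst: inst.image_digest == expected_digest


if __name__ == "__main__":
    v1 = Image("web", "1.0", b"nginx 1.24 + hardened config", security_tested=True)
    v2 = Image("web", "1.1", b"nginx 1.25 + hardened config", security_tested=True)
    fleet = ImmutableFleet(approved_digests=[v1.digest, v2.digest])
    fleet.instances = fleet.launch(v1, 3, running_expected_image(v1.digest))
    print("rotated to 1.1:", fleet.rotate(v2, running_expected_image(v2.digest)))
    print("all on 1.1:", fleet.digests() == {v2.digest})
```

The approval list is keyed on the artifact digest rather than the version string, so a rebuilt image with the same tag but different contents has to pass security testing again before it can be rotated in.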
26
Q

True/False: Immutable workloads typically require fewer additional security tools, due to their hardened nature.

A

True

27
Q

True/False: Cloud workloads running in isolation are typically less resilient than on physical infrastructure,
due to the abstraction. Providing disaster recovery for these is extremely important.

A

True

28
Q

True/False: For workloads, IP addresses in logs won't necessarily reflect a particular workload, since multiple virtual
machines may share the same IP address over a period of time, and some workloads like
containers and serverless may not have a recognizable IP address at all.

A

True
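The last card is the one that bites during incident response: the same address appears in logs under two different instances on the same day. The following is an added example (not from the CSA guidance) of resolving each log line to the workload that actually held the address at that timestamp, using an IP lease history, and of why grouping by IP alone misattributes events. The lease table, the access-log format and the log lines are constructed for illustration; in a real environment the leases come from the provider's API or flow/DHCP records, and for containers or serverless the join key would be a task, pod or invocation identifier rather than an address.

```python
"""Attribute log lines to workloads via IP lease history instead of raw IPs.

Constructed example (not from the CSA guidance): the lease table, the log
format and the log lines are made up for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed lease history: 10.0.1.10 is held by i-0a1 in the morning and
# reassigned to i-0b2 after i-0a1 is terminated (end=None means still held).
LEASES = [
    ("i-0a1", "10.0.1.10", "2024-03-01T08:00:00Z", "2024-03-01T12:00:00Z"),
    ("i-0b2", "10.0.1.10", "2024-03-01T12:05:00Z", None),
    ("i-0c3", "10.0.1.11", "2024-03-01T07:30:00Z", None),
]

# Constructed access-log lines: "<timestamp> <client_ip> <method> <path> <status>"
LOG_LINES = [
    "2024-03-01T09:15:22Z 10.0.1.10 GET /admin 403",
    "2024-03-01T09:16:40Z 10.0.1.10 GET /admin 403",
    "2024-03-01T13:40:01Z 10.0.1.10 GET /admin 200",
    "2024-03-01T12:02:30Z 10.0.1.10 GET /login 200",   # falls between the two leases
    "2024-03-01T10:00:00Z 10.0.1.11 POST /api 500",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_workload(ip, ts, leases=LEASES):
    """Return the instance holding `ip` at `ts`; None if no lease covers that moment."""
    for inst_id, lease_ip, start, end in leases:
        if lease_ip != ip:
            continue
        if parse_ts(start) <= ts and (end is None or ts < parse_ts(end)):
            return inst_id
    return None


def enrich(lines=LOG_LINES, leases=LEASES):
    """Parse each line and attach the workload that held its IP at that time."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # unparseable line: skip rather than guess an attribution
        ts, ip, method, path, status = m.groups()
        records.append({
            "ts": ts, "ip": ip, "method": method, "path": path, "status": int(status),
            "workload": resolve_workload(ip, parse_ts(ts), leases),
        })
    return records


def count_by(records, key, status=None):
    """Histogram of records by `key` ("ip" or "workload"), optionally filtered by status.
    Lines with no resolvable workload are reported as "unknown", never silently dropped."""
    counts = defaultdict(int)
    for r in records:
        if status is None or r["status"] == status:
            counts[r[key] or "unknown"] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = enrich()
    # Grouping by IP blames one "host" for events from two different instances.
    print("403s by ip:       ", count_by(recs, "ip", 403))
    print("403s by workload: ", count_by(recs, "workload", 403))
    print("all by workload:  ", count_by(recs, "workload"))
```

The unresolved line at 12:02:30 is the important edge case: it sits in the gap between one lease ending and the next starting, so it belongs to neither instance. Reporting it as unknown is the honest answer; assigning it to the nearest lease would put a successful login on the wrong workload's timeline.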