Domain 7 - Infrastructure Security Flashcards
_______ is the foundation for operating securely in the cloud. It is the glue of computers and networks that we build everything on top of. It encompasses the lowest layers of security, from physical facilities through the consumer's configuration and implementation of infrastructure components. These are the fundamental components that everything else in the cloud is built from, including compute (workload), networking, and storage security.
Infrastructure security
Two macro layers of infrastructure
- The fundamental resources pooled together to create a cloud. This is the raw, physical and logical compute (processors, memory, etc.), networks, and storage used to build the cloud's resource pools.
- The virtual/abstracted infrastructure managed by a cloud user. That is the compute, network, and storage assets that they use from the resource pools.
What are the 3 common networks isolated onto different dedicated hardware in the cloud?
- Management Network
- Storage Network
- Service Network
2 Major categories of Virtualisation?
- VLAN
- SDN
A type of virtualisation designed for single-tenant networks and not designed for cloud-scale virtualisation
VLAN
A type of virtualisation that decouples the network control plane from the data plane and can offer much more flexibility and isolation
SDN
True/False: Traditional Network Intrusion Detection Systems, where communications between hosts are mirrored and inspected by the virtual or physical Intrusion Detection Systems, will not be supported in cloud environments; customer security tools need to rely on an in-line virtual appliance, or a software agent installed in instances. This creates either a chokepoint or increases processor overhead, so be sure you really need that level of monitoring before implementing.
True
What are the challenges of virtual appliances in the cloud?
- Virtual appliances can become a bottleneck
- May take significant resources and increase cost
- Should be cloud-aware and designed to handle the velocity of change
- Limited auto-scale capabilities
SDN security benefits
- Isolation is easier
- SDN firewalls provide more flexible criteria than hardware firewalls
________________ (also sometimes referred to as hypersegregation) leverages virtual network topologies to run more, smaller, and more isolated networks without incurring the additional hardware costs that historically made such models prohibitive
Microsegmentation
3 components of the CSA Software Defined Perimeter Working Group (SDP) model
- SDP Client
- SDP Controller
- SDP Gateway
True/False: Cloud users are responsible for implementing perimeter security that protects the environment but minimizes impact on customer workloads.
False. It is the cloud provider's responsibility
_________ connect an enterprise private cloud or data center to a public cloud provider, typically using either a dedicated Wide Area Network (WAN) link or VPN.
Hybrid clouds
_____ is an emerging architecture for hybrid connectivity which allows connecting to multiple cloud networks using a single hybrid connection
Bastion or Transit network
A ______ is a unit of processing, which can be in a virtual machine, a container, or other abstraction.
Workload
True/False: It's important to remember that every cloud workload runs on a hardware stack, and the integrity of this hardware is absolutely critical for the cloud provider to maintain.
True
Some compute abstraction types
- Virtual Machines
- Containers
- Platform-based workload
- Serverless Computing
______ are the most well-known form of compute abstraction, and are offered by all IaaS providers. They are commonly called instances in cloud computing since they are created (or cloned) off a base image.
Virtual machines
_______ are code execution environments that run within an operating system (for now), sharing and leveraging the resources of that operating system. While a VM is a full abstraction of an operating system, these are a constrained place to run segregated processes while still utilizing the kernel and other capabilities of the base OS
Containers
________ is a more complex category that covers workloads running on a shared platform that aren't virtual machines or containers, such as logic/procedures running on a shared database platform. Isolation and security are totally the responsibility of the platform provider, although the provider may expose certain security options and controls.
Platform-based workload
_________ is a broad category that refers to any situation where the cloud user doesn't manage any of the underlying hardware or virtual machines, and just accesses exposed functions. Under the hood, these still utilize capabilities such as containers, virtual machines, or specialized hardware platforms. From a security perspective, it is merely a combined term that covers containers and platform-based workloads, where the cloud provider manages all the underlying layers, including foundational security functions and controls.
Serverless Computing
True/False: The burden to maintain workload isolation is on the cloud provider and should be one of their top priorities.
True
True/False: To reconfigure or change an immutable instance you update the underlying image, and then rotate in the new instances by shutting down the old ones and running the new ones in their place.
True
Security benefits of immutable workloads
- You no longer patch running systems
- Logins can be disabled on running workloads
- Much faster to roll out updated versions
- Easier to disable services
- Security testing can be managed during image creation
Some requirements of immutable workloads
- Need a consistent image creation process for updates
- Security testing must be integrated into the image creation process
- Need configuration to disable logins and restrict services
- May want a process to enable logins for some processes
- Increased complexity to manage service catalogs
True/False: Immutable workloads typically require fewer additional security tools, due to their hardened nature.
True
True/False: Cloud workloads running in isolation are typically less resilient than on physical infrastructure, due to the abstraction. Providing disaster recovery for these is extremely important.
True
True/False: For workloads, IP addresses in logs won't necessarily reflect a particular workload, since multiple virtual machines may share the same IP address over a period of time, and some workloads like containers and serverless may not have a recognizable IP address at all.
True