Exam Prep Flashcards

0
Q

What is commoditisation?

A

Resources are customisable, configurable and reconfigurable for any number of “measured services”. Resources are allocated dynamically in response to varying demand.

1
Q

What is multi tenancy?

A

Fundamental concept in CC. Resources are organised into multiple portions or “measured services” and allocated in the form of commodities dynamically between providers and consumers. (On-demand service/elastic resources)

2
Q

What are the five essential characteristics of cloud computing as outlined by NIST?

A
  • On demand services
  • Broad network access
  • Resource Pooling
  • Rapid Elasticity
  • Measured service
3
Q

What is “On-demand service”?

A

Users can unilaterally provision resources from the providers as required without the need for human interaction.

4
Q

What is “Broad network access”?

A

Capabilities are available over the network and can be accessed via standard means, e.g. a thin client.

5
Q

What is “Resource Pooling”?

A

Provider’s resources are organised into pools and assigned and reassigned to consumers as required. Users do not know the physical location of resources.

6
Q

What is “Rapid elasticity”?

A

Resources can be elastically provisioned and released, sometimes automatically.
Scales quickly outward and inward
User perceives resources as unlimited

7
Q

What is “Measured service”?

A

Resource usage can be monitored and controlled providing transparency for the provider and consumer.

8
Q

What are the cloud deployment models?

A

Public
Private
Community

9
Q

What is the Public cloud?

A

Provisioned for use by the general public.
On premises of the provider
Managed/owned by a business or government for example
Off site
Untrusted

10
Q

What is the Private cloud?

A

Provisioned for use by one organisation or consortium only
On site of organisation or provider
May be owned/managed by organisation or third party
Trusted

11
Q

What is the Community cloud?

A

Provisioned for use by a group of organisations with shared interests.
Managed/owned by one of the organisations or third party
On or off premises
Trusted

12
Q

What is the Hybrid Cloud?

A

Combination of any two infrastructures (public, private, community) which are bound by standardised or proprietary technology, allowing data and app portability.

13
Q

What is IaaS?

A

Infrastructure as a service: hardware platform only.
Provides: storage, networking, processing and essential resources
User does not control underlying hardware
User can deploy arbitrary software, including OS
User controls software, storage, data, and some networking components (firewall etc).

14
Q

What is PaaS?

A

Platform as a service: users are given access to an IDE/API where they can develop apps in an environment controlled by the provider.
Users have no control over underlying cloud infrastructure
Users have control over apps and potential control over app hosting environment.

15
Q

What is SaaS?

A

Software as a service: users are given access to a fully functional application.
No control over underlying infrastructure or software
Only minimal control over limited app configuration
E.g. Dropbox

16
Q

What is a hypervisor?

A
  • Virtualisation platform that allows multiple OSs to run on one set of H/W
  • controls host resources
  • allocates resources to VMs
  • prevents VMs from disrupting each other
  • two types
17
Q

What is a type 1 Hypervisor?

A
  • Runs on “bare metal”, i.e. directly on hardware
  • better performance than type 2
  • any VM problems are isolated
  • VMs run on top
18
Q

What is a type 2 Hypervisor?

A
  • Runs on top of host OS
  • Better control of policies than type 1
  • Any problems in host OS affect whole infrastructure
19
Q

Why is a service orientated architecture/layer important?

A

Provides a unified way so different customers and providers can interact (provide/demand) with each other in a unified manner.

20
Q

Outsourcing vs cloud computing

A

Outsourcing is stand alone / CC isn’t
Workloads are known with outsourcing not with CC
Workload placement is static with outsourcing not with CC
Data location known/unknown
Outsourcing uses dedicated Hardware, CC does not.
Data replication isn’t allowed in outsourcing - unknown in CC
CC has multi tenancy and multi jurisdiction - outsourcing doesn’t

21
Q

What are the basic components of the reference architecture?

A

Horizontal: Hypervisor, Middleware, Service layer

Vertical: security, system administrator

22
Q

What are some security threats to Cloud Computing?

A
  • Data breaches, leaks and loss
  • malicious insiders
  • Traffic hijacking
  • Insecure APIs
23
Q

What is identity federation?

A

Allows users to authenticate with a central server and access resources from different providers without signing in to each.

  • Organisations don’t need legal agreements
  • allows single sign on
  • Central managed access control
  • easier credential management for all
  • vulnerable to single point of failure (auth server)
  • e.g. Shibboleth
24
Q

What are the IAM components?

A

Authentication
Authorisation
Auditing

25
Q

What are the IAM Processes?

A
  • User management
  • Authentication management
  • Authorisation management
  • Access management
  • propagation of identity to resources
  • Monitoring and auditing
26
Q

SAML: Security assertion markup language

Uses in FIDM and IAM?

A
  • Used to package user’s security credentials
  • Avoid duplication of credentials, attributes
  • Provides single sign on experience
27
Q

SPML: security provisioning markup language

Uses in FIDM and IAM?

A

Automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning

28
Q

XACML: eXtensible access control markup language

Uses in FIDM and IAM?

A

Provision user accounts with appropriate privileges and manage entitlements

29
Q

OpenAuth uses in FIDM and IAM?

A

Allows cloud service X to access cloud service Y without disclosing credentials

30
Q

Criteria used to describe different deployment models?

A

Who owns the cloud: cloud customer itself or cloud provider;
Where the cloud is located: on-premise or off
Who operates/administrates the cloud: cloud customer itself or cloud provider;
To what user affiliation scope the cloud is intended to be used/accessed, e.g. public, organisation, employee of org, general public

31
Q

New security threats to the cloud?

A

Accountability: who is responsible?
No security perimeter: no control over physical or network location
Larger attack surface: potential for more vulnerabilities
New side channels: you don’t know whose VM shares physical machine with yours
Data security: is user’s data secure?
Lack of auditability: only provider has full access to logs etc

32
Q

Discuss the consumer’s concerns of security in CC

A

Loss of governance: relinquishes some control of infrastructure; trust in provider is imperative
Compliance risk: the way in which the provider manages the infrastructure affects the consumer’s compliance with regulations
Malicious insiders: can they trust?
Data handling: data protection and secure deletion?
Isolation failure: exploiting VMs etc, leakage

33
Q

Discuss three reasons why IAM is fundamental for CC security

A

Allows dynamic trust boundaries
Manages access for diverse user groups
Meets the need for security elements AAA

34
Q

Steps in SSO

A
  1. User logs on to authentication server
  2. Authentication server returns user’s ticket
  3. User sends ticket to intranet server
  4. Intranet server sends ticket back to authentication server
  5. Authentication server sends back user credentials to intranet server
35
Q

Message flows in identity federation

A
  1. User enters authentication dialogue with IDP in same domain; user provides attribute values associated with identity.
  2. Some attributes are provided by administrator in same domain
  3. Service provider, which user is trying to interact with, obtains Id, and associated permissions and info from the IDP in source domain
  4. SP opens session with user and enforces restrictions based on user’s ID
36
Q

Role of service provider and identity provider in FIDM

A

IDP: creates, maintains and manages user identity. Creates SAML assertions.

SP: controls access to a service or resources, consumes SAML assertions