Lesson 15 Flashcards

1
Q

Cloud Deployment Models

A

Public (multi-tenant)
•Cloud service providers (CSPs)
•Shared between subscribers
•Multi-cloud

Hosted private
•Private instance operated by a CSP but dedicated to a single customer

Private
•Wholly owned and operated by the organization
•On-premises vs. off-premises

Community

Hybrid

2
Q

On-premises vs. off-premises

A

(referring to Private)
This type of cloud could be on-premises or offsite relative to the other business units. An onsite link can obviously deliver better performance and is less likely to be subject to outages (loss of an Internet link, for instance). On the other hand, a dedicated offsite facility may provide better shared access for multiple users in different locations.

3
Q

Public cloud

A

Public (multi-tenant)
•Cloud service providers (CSPs)
•Shared between subscribers
•Multi-cloud

4
Q

Multi-cloud architecture

A

Multi-cloud architectures are where an organization uses services from multiple CSPs.

5
Q

Hosted private

A

Hosted private
•Private instance operated by a CSP but dedicated to a single customer

Hosted Private—hosted by a third-party for the exclusive use of the organization.
This is more secure and can guarantee a better level of performance but is
correspondingly more expensive.

6
Q

Private

A
  • Wholly owned and operated by the organization
  • On-premises vs. off-premises

Examples: banking or government.

7
Q

Community

A

This is where several organizations share the costs of either a hosted private or fully private cloud. This is usually done in order to pool resources for a common concern, like standardization and security policies.

8
Q

Hybrid

A

There will also be cloud computing solutions that implement some sort of hybrid public/private/community/hosted/onsite/offsite solution. For example, a travel organization may run a sales website for most of the year using a private cloud but break out the solution to a public cloud at times when much higher utilization is forecast.

9
Q

Cloud Service Models

A

Anything as a service (XaaS)

Infrastructure as a Service (IaaS)
•Unconfigured compute, storage, and network resources
- Provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly. Rather than purchase these components and the Internet links they require, you rent

Software as a Service (SaaS)
•Fully developed applications

Platform as a Service (PaaS)
•Pre-configured OS and database/middleware instances
- A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top.

10
Q

Infrastructure as a Service (IaaS)

A

Infrastructure as a Service (IaaS)
•Unconfigured compute, storage, and network resources
- Provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly. Rather than purchase these components and the Internet links they require, you rent

11
Q

Software as a Service (SaaS)

A

Software as a Service (SaaS)

•Fully developed applications

12
Q

Platform as a Service (PaaS)

A

•Pre-configured OS and database/middleware instances
- A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top.

13
Q

Security in the cloud

A

The things you must take responsibility for.

14
Q

Security of the cloud

A

The things the CSP manages.

15
Q

Cloud responsibility matrix

A

Which tasks count as security in the cloud and which as security of the cloud is determined by the service type. Refer to the table in the guide (or slides).

16
Q

Security as a service

A

Consultants
•Third-party expertise and perspective

Managed Security Services Provider (MSSP)
•Turnkey security solutions (expensive and requires a lot of trust in the MSSP)

Security as a Service (SECaaS)
•Cloud-deployed security assessment and analysis
•Cyber threat intelligence and machine learning analytics

17
Q

Virtualization

A

Means that multiple operating systems can be installed and run simultaneously on a single computer.

18
Q

Virtual Platform

A

Requires at least three components:
• Host hardware—the platform that will host the virtual environment. Optionally,
there may be multiple hosts networked together.
• Hypervisor/Virtual Machine Monitor (VMM)—manages the virtual machine
environment and facilitates interaction with the computer hardware and network.
• Guest operating systems, Virtual Machines (VM), or instances—operating systems
installed under the virtual environment.

19
Q

Host hardware

A

• Host hardware—the platform that will host the virtual environment. Optionally,
there may be multiple hosts networked together.

20
Q

Hypervisor/Virtual Machine Monitor (VMM)

A

• Hypervisor/Virtual Machine Monitor (VMM)—manages the virtual machine
environment and facilitates interaction with the computer hardware and network.

21
Q

Guest operating systems, Virtual Machines (VMs), or instances

A

• Guest operating systems, Virtual Machines (VM), or instances—operating systems
installed under the virtual environment.

22
Q

Type II hypervisors (host-based)

A

In a guest OS (or host-based) system, the hypervisor application (known as a Type II hypervisor) is itself installed onto a host operating system.

Examples of host-based hypervisors include VMware Workstation, Oracle VirtualBox, and Parallels Workstation. The hypervisor software must support the host OS.

23
Q

Type I hypervisors (bare metal)

A

A bare metal virtual platform means that the hypervisor (Type I hypervisor) is installed directly onto the computer and manages access to the host hardware without going through a host OS. Examples include VMware ESXi Server, Microsoft’s Hyper-V, and Citrix XenServer. The hardware needs only support the base system requirements for the hypervisor plus resources for the type and number of guest OSes that will be installed.

24
Q

Virtual Desktop Infrastructure and Thin Clients

A
  • Virtual Desktop Infrastructure (VDI)
  • Storing images of clients (OS + applications) on a central server
  • Virtual Desktop Environment (VDE) images are loaded by thin clients
  • Allows for low-power client devices
  • Centralizes control over client desktops
  • Allows for almost completely hosted IT infrastructure
25
Q

Virtual desktop infrastructure (VDI)

A

Refers to using a VM as a means of provisioning corporate desktops. In a typical VDI, desktop computers are replaced by low-spec, low-power thin client computers. When the thin client starts, it boots a minimal OS, allowing the user to log on to a VM stored on the company server infrastructure. The user makes a connection to the VM using some sort of remote desktop protocol (Microsoft Remote Desktop or Citrix ICA, for instance). The thin client has to find the correct image and use an appropriate authentication mechanism. There may be a 1:1 mapping based on machine name or IP address, or the process of finding an image may be handled by a connection broker.

26
Q

Virtual desktop environment (VDE)

A

All application processing and data storage in the virtual desktop environment
(VDE) or workspace is performed by the server.

27
Q

Application Virtualization

A

Application virtualization is a more limited type of VDI. Rather than run the whole
client desktop as a virtual platform, the client either accesses an application hosted on
a server or streams the application from the server to the client for local processing.

  • Hosting or streaming individual software applications on a server
  • XenApp, App-V, ThinApp
28
Q

Container virtualization (application cells)

A
  • Resource separation at the OS level
  • Cannot run different OS VMs
  • Docker (uses docker engine instead of hypervisor)
29
Q

Container vs VMs

A

VMs use a hypervisor.

Containers: application cell/container virtualization dispenses with the idea of a hypervisor and instead enforces resource separation at the operating system level.
- Uses the Docker engine

30
Q

VM escaping

A

VM escaping refers to malware running on a guest OS jumping to another guest
or to the host. (Can be really bad)

31
Q

VM escape Protection

A
  • Reduce impact of successful exploits
  • Ensure careful placement of VM services on hosts/within network
  • Respect security zones (DMZ)
32
Q

Guest OS security

A

OS environment must still be maintained, patched, etc.

33
Q

VM sprawl

A

When guest machines are not tracked, not used, etc. This introduces security problems because the systems aren’t maintained or secured.

34
Q

Virtual machine life cycle management (VMLM)

A

Virtual machine life cycle management (VMLM) software can be deployed to enforce VM sprawl avoidance. VMLM solutions provide you with a centralized dashboard for maintaining and monitoring all the virtual environments in your organization.

35
Q

template-based VM creation

A

VMs should conform to an application-specific template with the minimum configuration needed to run that application (that is, not running unnecessary services).

36
Q

Obtaining and integrating cloud security data

A

Cloud-based services must be integrated within regular security policies and
procedures and audited for compliance.

Where indicators of on-premises attacks are
found in local application logs and network traffic, indicators of cloud-based attacks are
found in API logs and metrics.

37
Q

Cloud security Responsibility matrix and SLAs

A
  • Security of the cloud
  • Security in the cloud

As with any contracted service, cloud computing is a means of transferring risk. As such,
it is imperative to identify precisely which risks you are transferring, to identify which
responsibilities the service provider is undertaking, and to identify which responsibilities
remain with you. This should be set out in a service level agreement (SLA) with a
responsibility matrix.

38
Q

Cloud security reporting

A

Where critical tasks are the responsibility of the service provider, you should try
to ensure that there is a reporting mechanism to show that these tasks are being
completed, that their disaster recovery plans are effective, and so on.

39
Q

Cloud security legal and compliance responsibilities

A

Another proviso is that your company is likely to still be directly liable for serious
security breaches; if customer data is stolen, for instance, or if your hosted website
is hacked and used to distribute malware. You still have liability for legal and
regulatory requirements. You might be able to sue the service provider for damages,
but your company would still be the point of investigation. You may also need to
consider the legal implications of using a cloud provider if its servers are located in a
different country.

40
Q

Cloud security insider threat

A

You must also consider the risk of insider threat, where the insiders are administrators
working for the service provider. Without effective security mechanisms such as
separation of duties and M of N control, it is highly likely that they would be able to
gain privileged access to your data. Consequently, the service provider must be able
to demonstrate to your satisfaction that they are prevented from doing so.

41
Q

Cloud Security Controls uses what types of controls

A

Same types of security controls
•IAM, endpoint protection, resource policies, firewalls, logging, …

Clouds use the same types of security controls as on-premises networks, including
identity and access management (IAM), endpoint protection (for virtual instances),
resource policies to govern access to data and services, firewalls to filter traffic
between hosts, and logging to provide an audit function.

42
Q

Cloud native controls vs. third-party solutions

A

The controls can be deployed and configured using either the CSP’s web console, or programmatically via a command line interface (CLI) or application programming interface (API).

A third-party solution would typically be installed as a virtual instance within the cloud. For example, you might prefer to run a third-party next-generation firewall.

43
Q

Application security and IAM

A
  • Secure development/coding
  • Security accounts/groups/roles

Application security in the cloud refers both to the software development process and
to identity and access management (IAM) features designed to ensure authorized use
of applications.

Just as with on-premises solutions, cloud-based IAM enables the creation of user and
user security groups, plus role-based management of privileges.

44
Q

Secrets management

A
  • Block use of root account
  • Use MFA for privileged accounts
  • Protect API keys

A cloud service is highly vulnerable to remote access. A failure of credential
management is likely to be exploited by malicious actors. You must enforce strong
authentication policies to mitigate risks:
• Do not use the root user for the CSP account for any day-to-day logon activity.
• Require strong multifactor authentication (MFA) for interactive logons. Use
conditional authentication to deny or warn of risky account activity.
• Principals—user accounts, security groups, roles, and services—can interact
with cloud services via CLIs and APIs. Such programmatic access is enabled by
assigning a secret key to the account. Only the secret key (not the ordinary account
credential) can be used for programmatic access. When a secret key is generated
for an account, it must immediately be transferred to the host and kept securely on
that host.

45
Q

Cloud Compute

A

Compute
•Processing resources for cloud workloads (CPU and RAM)
•Virtual machines and containers
•Dynamic resource allocation

The compute component provides processing (CPU) and system memory (RAM) resources as required for a particular workload. The workload could be a virtual machine instance configured with four CPUs and 16 GB RAM or it could be a container instance spun up to perform a function and return a result within a given timeframe.

46
Q

dynamic resource allocation.

A

The workload could be a virtual
machine instance configured with four CPUs and 16 GB RAM or it could be a container
instance spun up to perform a function and return a result within a given timeframe.
The virtualization layer ensures that the resources required for this task are made
available on-demand. This can be referred to as dynamic resource allocation.

47
Q

Container security

A

A container uses many shared components on the underlying platform, meaning it
must be carefully configured to reduce the risk of data exposure. In a container engine
such as Docker, each container is isolated from others through separate namespaces
and control groups (docs.docker.com/engine/security/security). Namespaces prevent
one container reading or writing processes in another, while control groups ensure
that one container cannot overwhelm others in a DoS-type attack.

48
Q

API inspection and integration

A
API inspection and integration
•Number of requests
•Latency
•Error rates
•Unauthorized and suspicious endpoints

The API is the means by which consumers interact with the cloud infrastructure, platform, or application. The consumer may use direct API calls, or may use a CSP-supplied web console as a graphical interface for the API. Monitoring API usage gives warning if the system is becoming overloaded (ensuring availability) and allows detection of unauthorized usage or attempted usage.

49
Q

Number of requests (API)

A

Number of requests—this basic load metric counts number of requests per
second or requests per minute. Depending on the service type, you might be able
to establish baselines for typical usage and set thresholds for alerting abnormal
usage. An unexplained spike in API calls could be an indicator of a DDoS attack, for
instance.

50
Q

Latency (API)

A

Latency—this is the time in milliseconds (ms) taken for the service to respond to an
API call. This can be measured for specific services or as an aggregate value across
all services. High latency usually means that compute resources are insufficient. The
cause of this could be genuine load or DDoS, however.

51
Q

Error rates (API)

A

Error rates—this measures the number of errors as a percentage of total calls,
usually classifying error types under category headings. Errors may represent an
overloaded system if the API is unresponsive, or a security issue, if the errors are
authorization/access denied types.

52
Q

Unauthorized and suspicious endpoints (API)

A

Unauthorized and suspicious endpoints—connections to the API can be managed in
the same sort of way as remote access. The client endpoint initiating the connection
can be restricted using an ACL and the endpoint’s IP address monitored for
geographic location.

53
Q

Instance awareness

A

Instance awareness
•Logging and monitoring to mitigate cloud sprawl

As with on-premises virtualization, it is important to manage instances (virtual
machines and containers) to avoid sprawl, where undocumented instances are
launched and left unmanaged. As well as restricting rights to launch instances, you
should configure logging and monitoring to track usage.

54
Q

cloud storage

A

Where the compute component refers to CPU and system memory resources, the storage component means the provisioning of persistent storage capacity.

55
Q

Performance characteristics for storage tiers

A

Storage profiles will have different performance characteristics
for different applications, such as fast SSD-backed storage for databases versus slower
HDD-backed media for archiving.

56
Q

Input/output operations per second (IOPS)

A

The principal performance metric for cloud storage is the number of input/output operations per second (IOPS) supported.

57
Q

Permissions and resource policies

A

As with on-premises systems, cloud storage resources must be configured to allow reads and/or writes only from authorized endpoints.

**In a resource policy, permissions statements are typically written as JavaScript Object Notation (JSON) strings.

58
Q

Cloud storage encryption

A

Might want to read this section again…

  • Symmetric media encryption key
  • CSP-managed keys versus customer-managed
  • Separation of duties for CSP-managed keys
59
Q

High availability

A

High availability
•Virtualization layer provisions dynamic allocation and redundancy
•99.99%+ uptime

Can be specified in the SLA

60
Q

Replication

A

Replication
•Copying data between media, servers, or sites
•Performance tiers - hot or cold storage. Hot storage is faster but costs more

Data replication allows businesses to copy data to where it can be utilized most
effectively. The cloud may be used as a central storage area, making data available
among all business units. Data replication requires low latency network connections,
security, and data integrity.

61
Q

High availability across zones

A

High availability across zones
•Local
•Regional
•Geo-redundant storage (GRS)

CSPs divide the world into regions. Each region is independent of the others. The
regions are divided into availability zones. The availability zones have independent data
centers with their own power, cooling, and network connectivity.

62
Q
Replication across zones
  • Local
  • Regional
  • Geo-redundant storage (GRS)

A

• Local replication—replicates your data within a single data center in the region
where you created your storage account. The replicas are often in separate fault
domains and upgrade domains.

• Regional replication (also called zone-redundant storage)—replicates your data
across multiple data centers within one or two regions. This safeguards data and
access in the event a single data center is destroyed or goes offline.

• Geo-redundant storage (GRS)—replicates your data to a secondary region that is
distant from the primary region. This safeguards data in the event of a regional
outage or a disaster.

63
Q

Cloud networking types

A

Not sure I understand this
• Networks by which the cloud consumer operates and manages the cloud systems.
• Virtual networks established between VMs and containers within the cloud.
• Virtual networks by which cloud services are published to guests or customers on
the Internet.

64
Q

Virtual Private Clouds (VPCs)

A

Virtual private clouds (VPCs)
•Segmented virtual networks
•Can contain multiple IPv4 and IPv6 subnets

Each customer can create one or more virtual private clouds (VPCs) attached to their
account. By default, a VPC is isolated from other CSP accounts and from other VPCs
operating in the same account. This means that customer A cannot view traffic passing
over customer B’s VPC. The workload for each VPC is isolated from other VPCs.

65
Q

Public and Private Subnets

A

Each subnet within a VPC can either be private or public. To configure a public subnet,
first an Internet gateway (virtual router) must be attached to the VPC configuration.
Secondly, the Internet gateway must be configured as the default route for each
public subnet. If a default route is not configured, the subnet remains private, even
if an Internet gateway is attached to the VPC. Each instance in the subnet must also
be configured with a public IP in its cloud profile. The Internet gateway performs 1:1
network address translation (NAT) to route Internet communications to and from the
instance.

66
Q

ways to provision external connectivity for a subnet if it is not appropriate to make it public

A

• NAT gateway—this feature allows an instance to connect out to the Internet or to
other AWS services, but does not allow connections initiated from the Internet.
• VPN—there are various options for establishing connections to and between VPCs
using virtual private networks (VPNs) at the software layer or using CSP-managed
features.

67
Q

Routing between subnets (in VPC)

A

Routing between subnets
•Can use traditional access control lists
•Can use vendor security appliance instances

Routing can be configured between subnets within a VPC. This traffic can be subject
to cloud native ACLs allowing or blocking traffic on the basis of host IPs and ports.
Alternatively, traffic could be routed through a virtual firewall instance, or other
security appliance.

68
Q

Multiple VPCs for segmentation

A

Multiple VPCs for segmentation
•Between VPCs in the same account
•Between different accounts
•To on-premises networks

Connectivity can also be configured between VPCs in the same account or with VPCs
belonging to different accounts, and between VPCs and on-premises networks.

**Configuring additional VPCs rather than subnets within a VPC allows for a greater
degree of segmentation between instances. A complex network might split segments
between different VPCs across different cloud accounts for performance or
compliance reasons.

69
Q

peering relationships

A

Peering relationships
•One-to-one connections

Traditionally, VPCs can be interconnected using peering relationships and connected
with on-premises networks using VPN gateways. These one-to-one VPC peering
relationships can quickly become difficult to manage, especially if each VPC must
interconnect in a mesh-like structure.

70
Q

Transit gateways

A

Transit gateways
•Virtual router

A transit gateway is a simpler means of managing these interconnections. Essentially, a transit gateway is a virtual router that handles routing between the subnets in each attached VPC and any attached VPN gateways.

71
Q

VPC Endpoint

A
  • Publishing a service over cloud internal network
  • Avoids exposing traffic to the Internet

A VPC endpoint is a means of publishing a service so that it is accessible by instances in other VPCs using only the AWS internal network and private IP addresses (d1.awsstatic.com/whitepapers/aws-privatelink.pdf). This means that the traffic is never exposed to the Internet. There are two types of VPC endpoint: **gateway and interface.

72
Q

gateway endpoints

A

Gateway endpoint
•Connect instances to S3 and DynamoDB services
•Added as route

A gateway endpoint is used to connect instances in a VPC to the AWS S3 (storage) and
DynamoDB (database) services. A gateway endpoint is configured as a route to the
service in the VPC’s route table.

73
Q

interface endpoint

A

Interface endpoint
•AWS PrivateLink
•Service VPC or default Amazon service published with a DNS name
•VPC endpoint interface added to each service consumer VPC
•Instances within the consumer VPC access the service via the VPC endpoint interface

An interface endpoint makes use of AWS’s PrivateLink feature to allow private access to
custom services:
• A custom service provider VPC is configured by publishing the service with a DNS
host name. Alternatively, the service provider might be an Amazon default service
that is enabled as a VPC interface endpoint, such as CloudWatch Events/Logs.
• A VPC endpoint interface is configured in each service consumer VPC subnet. The
VPC endpoint interface is configured with a private IP address within the subnet
plus the DNS host name of the service provider.
• Each instance within the VPC subnet is configured to use the endpoint address to
contact the service provider.

74
Q

Cloud Firewall Security

A

As in an on-premises network, a firewall determines whether to accept or deny/discard incoming and outgoing traffic. Firewalls work with multiple accounts, VPCs, subnets within VPCs, and instances within subnets to enforce the segmentation required by the architectural design.

Need for segmentation
•Load balancing workloads
•Isolating data processing
•Compartmentalizing data access

Open Systems Interconnection (OSI) layers
•Network layer (layer 3)
•Transport layer (layer 4)
•Application layer (layer 7)

Cloud native versus vendor controls
•Deploy host-based firewall within instance
•Deploy vendor firewall/security appliance as instance
•Transaction and volume costs for cloud native solutions

75
Q

Need for segmentation in the cloud

A

Need for segmentation (using firewalls)
•Load balancing workloads
•Isolating data processing
•Compartmentalizing data access

Segmentation may be needed for many different reasons, including separating workloads for performance and load balancing, keeping data processing within an isolated segment for compliance with laws and regulations, and compartmentalizing data access and processing for different departments or functional requirements.

76
Q

Open Systems Interconnection (OSI) layers (firewalls)

A

Open Systems Interconnection (OSI) layers
•Network layer (layer 3)
•Transport layer (layer 4)
•Application layer (layer 7)

Filtering decisions can be made based on packet headers and payload contents at
various layers, identified in terms of the OSI model:
• Network layer (layer 3)—the firewall accepts or denies connections on the basis of IP addresses or address ranges and TCP/UDP port numbers (the latter are actually contained in layer 4 headers, but this functionality is still always described as basic layer 3 packet filtering).

• Transport layer (layer 4)—the firewall can store connection states and use rules to allow established or related traffic. Because the firewall must maintain a state table of existing connections, this requires more processing power (CPU and memory).

• Application layer (layer 7)—the firewall can parse application protocol headers
and payloads (such as HTTP packets) and make filtering decisions based on their
contents. This requires even greater processing capacity (or load balancing), or the
firewall will become a bottleneck and increase network latency.

77
Q

Cloud native versus vendor controls

A

Cloud native versus vendor controls
•Deploy host-based firewall within instance
•Deploy vendor firewall/security appliance as instance
•Transaction and volume costs for cloud native solutions

Native cloud application-aware firewalls incur transaction costs, typically calculated on time deployed and traffic volume. These costs might be a reason to choose a third-party solution instead of the native control.

78
Q

Security groups

A

•Basic stateful packet filtering for instances
- In AWS, basic packet filtering rules managing traffic that each instance will accept can be managed through security groups

•Default security group
- Allows any outbound traffic and any inbound traffic from instances also bound to the default security group

  • Custom groups
    • Custom group with no rules drops all network traffic
    • Can be assigned to multiple instances
    • Instances in the same subnet can be assigned different security groups
    • Multiple security groups can be assigned to the same instance
79
Q

Cloud Access Security Brokers (CASB)

A
  • Mediate access to cloud services by enterprise users across all types of devices
  • Implemented as proxy or via API
  • Next-Generation Secure Web Gateway
    • Secure access service edge (SASE)

A cloud access security broker (CASB) is enterprise management software designed
to mediate access to cloud services by users across all types of devices.

CASBs provide you with visibility into how clients and other network nodes are using
cloud services. Some of the functions of a CASB are:
• Enable single sign-on authentication and enforce access controls and authorizations
from the enterprise network to the cloud provider.
• Scan for malware and rogue or non-compliant device access.
• Monitor and audit user and resource activity.
• Mitigate data exfiltration by preventing access to unauthorized cloud services from
managed devices.

80
Q

Next-Generation Secure Web Gateway

A
  • Next-Generation Secure Web Gateway
    • Secure access service edge (SASE)

Enterprise networks often make use of secure web gateways (SWG). An on-premises
SWG is a proxy-based firewall, content filter, and intrusion detection/prevention
system that mediates user access to Internet sites and services. A next-generation
SWG, as marketed by Netskope (netskope.com/products/next-gen-swg), combines
the functionality of an SWG with that of data loss prevention (DLP) and a CASB to
provide a wholly cloud-hosted platform for client access to websites and cloud apps.
This supports an architecture defined by Gartner as secure access service edge (SASE).

81
Q

Monolithic client/server applications

A

Virtualization gets us away from monolithic client/server applications

In the early days of computer networks, architecture was focused on the provision of server machines and intermediate network systems (switches and routers).
Architectural choices centered around where to place a “box” to run monolithic network applications such as routing, security, address allocation, name resolution,
file sharing, email, and so on. With virtualization, the provision of these applications
is much less dependent on where you put the box and the OS that the box runs.
Virtualization helps to make the design architecture fit to the business requirement
rather than accommodate the business workflow to the platform requirement

82
Q

SOA

A

Service-oriented architecture (SOA)
•Atomic services with defined input/output interfaces
•Loosely coupled

Service-oriented architecture (SOA) conceives of atomic services closely mapped
to business workflows. Each service takes defined inputs and produces defined
outputs. The service may itself be composed of sub-services. The key features of
a service function are that it is self-contained, does not rely on the state of other
services, and exposes clear input/output (I/O) interfaces. Because each service has a
simple interface, interoperability is made much easier than with a complex monolithic
application. The implementation of a service does not constrain compatibility choices
for client services, which can use a different platform or development language. This
independence of the service and the client requesting the service is referred to as
loose coupling.

83
Q

Loose coupling

A

(as part of SOA) The implementation of a service does not constrain compatibility choices
for client services, which can use a different platform or development language. This
independence of the service and the client requesting the service is referred to as
loose coupling.

84
Q

Microservices

A

Microservices
•Each service capable of independent development and deployment
•Highly decoupled

The main difference between SOA and microservices is that SOA allows a service to be
built from other services. By contrast, each microservice should be capable of being
developed, tested, and deployed independently. The microservices are said to be highly
decoupled rather than just loosely coupled.

85
Q

Services integration and orchestration

A
  • Enterprise service bus versus orchestration
  • Automating automation
  • Uses scripts and service APIs to provision a workflow
  • Cloud orchestration platforms
86
Q

Service integration

A

Services integration refers to ways of making decoupled service or microservice
components work together to perform a workflow.

87
Q

Orchestration

A

Where SOA used the concept of an enterprise service bus, microservices integration,
and integration of cloud services, virtualization, and automation in general, is very
often implemented using orchestration tools. Where automation focuses on making a
single, discrete task easily repeatable, orchestration performs a sequence of
automated tasks.

88
Q

how is orchestration run?

A

An orchestrated workflow has to run numerous automated scripts or API service calls,
in sequence, with each step typically depending on the output of the one before it.

89
Q

cloud orchestration platforms

A

Cloud orchestration platforms connect to and provide administration, management,
and orchestration for many popular cloud platforms and services. One of the
advantages of using a third-party orchestration platform is protection from vendor
lock-in. If you wish to migrate from one cloud provider to another, or wish to move to a
multi-cloud environment, automated workflows can often be adapted for use on new
platforms. Industry leaders in this space include Chef (chef.io), Puppet (puppet.com),
and Ansible (ansible.com) for configuration management, and Kubernetes (kubernetes.io)
for container orchestration.

90
Q

Application Programming Interfaces

A

Whether based on SOA or microservices, service integration, automation, and
orchestration all depend on application programming interfaces (APIs). The service API
is the means by which external entities interact with the service, calling it with expected
parameters and receiving the expected output.

91
Q

Two predominant styles for creating web application APIs

A
  • Simple Object Access Protocol (SOAP)
    • XML format messaging
    • Web Services (WS) standards
  • Representational State Transfer (REST)
    • RESTful APIs
    • HTTP operation/verb
    • Noun endpoints accessed as URLs

• Simple Object Access Protocol (SOAP)—uses XML format messaging and has a
number of extensions in the form of Web Services (WS) standards that support
common features, such as authentication, transport security, and asynchronous
messaging. SOAP also has built-in error handling (the Fault element in the message body).
• Representational State Transfer (REST)—where SOAP is a tightly specified protocol,
REST is a looser architectural framework, also referred to as RESTful APIs. Where a
SOAP request must be sent as a correctly formatted XML document, a REST request
can be submitted as an HTTP operation/verb (GET or POST for example). Each
resource or endpoint in the API, expressed as a noun, should be accessed via a
single URL.
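
The following is an added example, not code from the study guide: the same operation ("fetch user 42") expressed both as a RESTful request (verb plus noun URL, errors as HTTP status codes) and as a SOAP request (an operation element inside an XML Envelope, errors as a Fault element), each with a minimal server-side dispatcher in Python. The resource path, the application namespace `urn:example:users`, the user records and the request text are constructed for the example.

```python
"""Added example (not from the study guide): the same operation, "fetch user 42",
as a RESTful request and as a SOAP request, each with a minimal server-side
dispatcher. The resource path, the application namespace, the user records and
the request text are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

USERS = {"42": {"id": "42", "name": "alice"}}     # constructed sample data


# ---- REST: the HTTP verb is the operation; the URL names the resource (a noun) ----
def rest_dispatch(method: str, path: str) -> Tuple[int, Dict[str, str]]:
    """Route on verb + path. Errors are HTTP status codes, not part of a body format."""
    parts = path.strip("/").split("/")
    if not (len(parts) == 2 and parts[0] == "users"):
        return 404, {"error": "unknown resource"}
    if method != "GET":
        return 405, {"error": "method not allowed"}
    user = USERS.get(parts[1])
    if user is None:
        return 404, {"error": "no such user"}
    return 200, dict(user)


# ---- SOAP: always an HTTP POST; the operation and its error live inside the XML ----
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
APP_NS = "urn:example:users"                            # hypothetical application namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("u", APP_NS)

GET_USER_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:u="{APP_NS}">
  <soap:Body><u:GetUser><u:id>42</u:id></u:GetUser></soap:Body>
</soap:Envelope>"""


def _envelope() -> Tuple[ET.Element, ET.Element]:
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    return env, ET.SubElement(env, f"{{{SOAP_NS}}}Body")


def soap_fault(code: str, text: str) -> str:
    """SOAP's built-in error handling: a Fault element in the Body (SOAP 1.1 shape)."""
    env, body = _envelope()
    fault = ET.SubElement(body, f"{{{SOAP_NS}}}Fault")
    ET.SubElement(fault, "faultcode").text = f"soap:{code}"
    ET.SubElement(fault, "faultstring").text = text
    return ET.tostring(env, encoding="unicode")


def soap_dispatch(envelope_xml: str) -> str:
    """Find the operation element inside Body, run it, return a response envelope."""
    # Untrusted XML should be parsed with defusedxml in production (entity attacks).
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        return soap_fault("Client", "missing Body")
    op = body[0]
    if op.tag != f"{{{APP_NS}}}GetUser":
        return soap_fault("Client", f"unknown operation {op.tag}")
    uid = op.findtext(f"{{{APP_NS}}}id")
    user = USERS.get(uid)
    if user is None:
        return soap_fault("Client", f"no such user {uid}")
    env, body = _envelope()
    resp = ET.SubElement(body, f"{{{APP_NS}}}GetUserResponse")
    for k, v in user.items():
        ET.SubElement(resp, f"{{{APP_NS}}}{k}").text = v
    return ET.tostring(env, encoding="unicode")


def soap_result(envelope_xml: str) -> Dict[str, str]:
    """Client-side helper: return the Fault fields, or the response fields."""
    body = ET.fromstring(envelope_xml).find(f"{{{SOAP_NS}}}Body")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        return {"faultcode": fault.findtext("faultcode"),
                "faultstring": fault.findtext("faultstring")}
    return {child.tag.split("}")[1]: child.text for child in body[0]}


if __name__ == "__main__":
    print(rest_dispatch("GET", "/users/42"))
    print(soap_result(soap_dispatch(GET_USER_REQUEST)))
```

Note the security consequence of the two shapes: a REST endpoint can be filtered or rate-limited on verb and path at a proxy, whereas every SOAP call is a POST to one URL and the real operation is only visible after parsing the body, which is also why SOAP input must be parsed with an XML parser hardened against entity expansion.
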

92
Q

Infrastructure as code

A
  • All configuration and provisioning is performed by scripting/automation/orchestration
  • Elimination of inconsistency (snowflakes and configuration drift)
  • Idempotence
    • Making the same call with the same parameters will always produce the same result

The use of cloud technologies encourages the use of scripted approaches to
provisioning, rather than manually making configuration changes, or installing patches.
An approach to infrastructure management where automation and orchestration fully
replace manual configuration is referred to as infrastructure as code (IaC).

93
Q

snowflakes and configuration drift

A

•Elimination of inconsistency (snowflakes and configuration drift)

One of the goals of IaC is to eliminate snowflake systems. A snowflake is a
configuration or build that is different from any other. The lack of consistency—or
drift—in the platform environment leads to security issues, such as patches that
have not been installed, and stability issues, such as scripts that fail to run because of
some small configuration difference.

94
Q

Idempotence

A

Idempotence means that making the same call with the same parameters will always
produce the same result.
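
The following is an added example, not code from the study guide, serving the three IaC cards above (infrastructure as code, snowflakes and drift, idempotence). It is a Python sketch of how a configuration management tool converges a host to a declared manifest: the apply step is idempotent, a second run changes nothing, a fingerprint shows two hosts built the same way are identical, and a dry run reports drift after a manual edit. The resource kinds, the manifest and the host state (kept in a plain dict) are constructed for the example; a real tool would inspect and change an OS or a cloud API.

```python
"""Added example (not from the study guide): an idempotent, convergent 'apply'
loop with drift detection, in the style of a configuration management tool.
The resource kinds, the manifest, and the host state (kept in a plain dict so
it can be inspected) are constructed for this example; a real tool would
inspect and change an OS or a cloud API instead.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Actual host state: (kind, name) -> observed value, e.g. ("service", "ssh") -> "running"
State = Dict[Tuple[str, str], str]


@dataclass(frozen=True)
class Resource:
    kind: str        # "package", "file" or "service"
    name: str
    desired: str     # version, file content, or service state


def apply(resource: Resource, state: State) -> str:
    """Converge one resource. Returns "changed" or "unchanged".
    Idempotent: a second apply with the same arguments is a no-op."""
    key = (resource.kind, resource.name)
    if state.get(key) == resource.desired:
        return "unchanged"
    state[key] = resource.desired
    return "changed"


def converge(manifest: List[Resource], state: State) -> Dict[str, int]:
    """Run the manifest in order (a minimal orchestration of automated steps)."""
    counts = {"changed": 0, "unchanged": 0}
    for r in manifest:
        counts[apply(r, state)] += 1
    return counts


def detect_drift(manifest: List[Resource], state: State) -> List[Tuple[str, str, str, Optional[str]]]:
    """Dry run: report (kind, name, desired, actual) for every resource that differs."""
    return [(r.kind, r.name, r.desired, state.get((r.kind, r.name)))
            for r in manifest if state.get((r.kind, r.name)) != r.desired]


def fingerprint(state: State) -> str:
    """Stable hash of a host's state; hosts built the same way hash the same."""
    canonical = json.dumps(sorted((k, n, v) for (k, n), v in state.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Contrast: the non-idempotent way to "harden sshd", and the idempotent one.
def append_line_naive(content: str, line: str) -> str:
    """NOT idempotent: every run appends another copy of the line."""
    return content + line + "\n"


def ensure_line(content: str, line: str) -> str:
    """Idempotent: add the line only if it is not already present."""
    return content if line in content.splitlines() else content + line + "\n"


MANIFEST = [   # constructed sample manifest
    Resource("package", "openssh-server", "9.6"),
    Resource("file", "/etc/ssh/sshd_config.d/hardening.conf", "PermitRootLogin no\n"),
    Resource("service", "ssh", "running"),
]

if __name__ == "__main__":
    host: State = {}
    print(converge(MANIFEST, host))   # first run converges everything
    print(converge(MANIFEST, host))   # second run: nothing to do
    host[("file", "/etc/ssh/sshd_config.d/hardening.conf")] = "PermitRootLogin yes\n"  # edited by hand
    print(detect_drift(MANIFEST, host))
```

The two `*_line` helpers are the practical lesson: a script that blindly appends `PermitRootLogin no` works on the first run and produces a different file on every later run, so it can never be used as a drift check; the version that tests for the line first can be run on every host on every schedule and will report, rather than create, differences.
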

95
Q

Software-Defined Networking (SDN)

A
  • Physical and virtual appliances that can be fully automated
    • Control plane/policy definitions
    • Data plane/network controller
    • Management plane
  • SDN policy > northbound API > network controller > southbound API > firewall appliance
  • Network functions virtualization (NFV)
96
Q

SDN control plane, data plane, management plane

A

• Control plane—makes decisions about how traffic should be prioritized and
secured, and where it should be switched.
• Data plane—handles the actual switching and routing of traffic and imposition of
security access controls.
• Management plane—monitors traffic conditions and network status.

97
Q

SDN policy > northbound API > network controller > southbound API > firewall appliance

A

A software-defined networking (SDN) application can be used to define policy
decisions on the control plane. These decisions are then implemented on the
data plane by a network controller application, which interfaces with the network
devices using APIs. The interface between the SDN applications and the SDN
controller is described as the “northbound” API, while that between the controller
and appliances is the “southbound” API. SDN can be used to manage compatible
physical appliances, but also virtual switches, routers, and firewalls. The architecture
supporting rapid deployment of virtual networking using general-purpose VMs
and containers is called network functions virtualization (NFV).
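
The following is an added example, not code from the study guide: a toy SDN in Python that separates the three planes and the two APIs described on this card. A policy is stated once through the controller's northbound API, compiled into match/action rules, pushed only to the devices that front the destination over a southbound API, and enforced by the data plane, while the management plane only reads counters. Device names, subnets, addresses and the sample policy are constructed; the table-miss behaviour (forward) is a choice of this toy, and on a real switch it is configurable.

```python
"""Added example (not from the study guide): a toy software-defined network
showing the three planes and the two APIs. A policy is stated once through the
controller's northbound API, compiled into match/action rules, pushed to the
affected devices over a southbound API, and enforced by the data plane, while
the management plane only reads counters. Device names, subnets, addresses and
the sample policy are constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FlowRule:
    """What the southbound API carries: a match and an action, nothing about intent."""
    priority: int
    src: str                      # CIDR
    dst: str                      # CIDR
    proto: str                    # "tcp", "udp" or "any"
    dst_port: Optional[int]       # None = any port
    action: str                   # "forward" or "drop"


@dataclass
class Switch:
    """Data plane: matches packets against installed rules; knows no policy."""
    name: str
    subnets: List[str]            # networks this device fronts
    rules: List[FlowRule] = field(default_factory=list)
    counters: Dict[str, int] = field(default_factory=lambda: {"forward": 0, "drop": 0})

    def install(self, rule: FlowRule) -> None:          # southbound API
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority, reverse=True)

    def handle(self, src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
        for r in self.rules:                             # highest priority first
            if (ip_address(src_ip) in ip_network(r.src)
                    and ip_address(dst_ip) in ip_network(r.dst)
                    and r.proto in ("any", proto)
                    and r.dst_port in (None, dst_port)):
                self.counters[r.action] += 1
                return r.action
        self.counters["forward"] += 1                    # table miss: this toy forwards
        return "forward"


class Controller:
    """Control plane: translates policy into rules for the devices that need them."""

    def __init__(self, switches: List[Switch]) -> None:
        self.switches = {s.name: s for s in switches}

    def add_policy(self, src: str, dst: str, proto: str, dst_port: Optional[int],
                   action: str, priority: int) -> List[str]:   # northbound API
        """Install the policy only on devices fronting the destination; returns their names."""
        rule = FlowRule(priority, src, dst, proto, dst_port, action)
        targets = [s for s in self.switches.values()
                   if any(ip_network(dst).overlaps(ip_network(sn)) for sn in s.subnets)]
        for s in targets:
            s.install(rule)
        return [s.name for s in targets]

    def status(self) -> Dict[str, Dict[str, int]]:       # management plane: monitor only
        return {name: dict(s.counters) for name, s in self.switches.items()}


def build_demo() -> Controller:
    ctl = Controller([Switch("edge-web", ["10.0.1.0/24"]), Switch("edge-db", ["10.0.2.0/24"])])
    # Policy as an administrator would state it: nothing reaches the database port
    # except the web tier. Two rules, the more specific allow at higher priority.
    ctl.add_policy("0.0.0.0/0", "10.0.2.0/24", "tcp", 3306, "drop", priority=10)
    ctl.add_policy("10.0.1.0/24", "10.0.2.0/24", "tcp", 3306, "forward", priority=20)
    return ctl


if __name__ == "__main__":
    ctl = build_demo()
    db = ctl.switches["edge-db"]
    print(db.handle("10.0.1.10", "10.0.2.20", "tcp", 3306))     # forward
    print(db.handle("203.0.113.5", "10.0.2.20", "tcp", 3306))   # drop
    print(ctl.status())
```

The split is what gives SDN its security value: the device holds only match/action entries it cannot reinterpret, every rule on every device can be traced back to a policy stated once at the controller, and the counters the management plane reads are the same data a visibility platform would collect.
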

98
Q

Network functions virtualization (NFV)

A

The architecture supporting rapid deployment of virtual networking using
general-purpose VMs and containers is called network functions virtualization (NFV).

99
Q

Software-Defined Visibility

A
  • Near real-time collection, aggregation, and reporting of data
  • Baseline monitoring and anomaly detection
  • Supports east/west and zero trust
  • Security orchestration and automated response (SOAR)

Where SDN addresses secure network “build” solutions, software-defined visibility
(SDV) supports assessment and incident response functions. Visibility is the near real-time
collection, aggregation, and reporting of data about network traffic flows and the
configuration and status of all the hosts, applications, and user accounts participating
in it.

100
Q

Fog and Edge Computing

A

(I think if you just remember that it is good for IoT devices, it will be fine)

  • Embedded and IoT devices deployed at the network edge
  • Strong requirements for availability and low latency
  • Fog computing
    • Provision greater processing resource between the edge and data center
    • Prioritize data for analysis and alert conditions
  • Edge computing
    • Defines additional zones and processing nodes
    • Edge device zone
    • Edge gateways
    • Fog nodes
    • Data center