Lesson 15 + 16 Implementing Secure Cloud Solutions Flashcards
Cloud Deployment Models
Public (or multi-tenant)
Public (or multi-tenant)—a service offered over the Internet by cloud service providers (CSPs) to cloud consumers.
Businesses can offer subscriptions or pay-as-you-go financing, while at the same time providing lower-tier services free of charge.
Cloud Deployment Model
Hosted Private
Hosted Private—hosted by a third-party for the exclusive use of the organization.
Cloud Deployment Model
Private
Private—cloud infrastructure that is completely private to and owned by the organization.
Geared more toward banking and governmental services that require strict access control.
Cloud Deployment Model
Community
Community—this is where several organizations share the costs of either a hosted private or fully private cloud.
This is usually done in order to pool resources for a common concern.
Cloud Deployment Model
Hybrid—a public/private/community/hosted/onsite/offsite solution.
For example, a travel organization may run a sales website for most of the year using a private cloud but break out the solution to a public cloud at times when much higher utilization is forecast.
Infrastructure as a service (IaaS)
Infrastructure as a service (IaaS)
A means of provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly.
You rent them on an as-needed basis from the service provider's data center.
Software as a service (SaaS)
Software as a service (SaaS)
Rather than purchasing software licenses for a given number of seats, a business would access software hosted on a supplier's servers on a pay-as-you-go or lease arrangement (on-demand).
Platform as a service (PaaS)
Platform as a service (PaaS) provides resources somewhere between SaaS and IaaS.
A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top.
Security in the cloud
Security of the cloud covers the things the CSP manages.
Security as a Service
Consultants
Consultants—the experience and perspective of a third-party professional can be hugely useful in improving security awareness and capabilities in any type of organization (small to large).
Security as a Service
Managed Security Services Provider (MSSP)
Managed Security Services Provider (MSSP)—a means of fully outsourcing responsibility for information assurance to a third party.
Security as a Service
Security as a Service (SECaaS)
Security as a Service (SECaaS)—a means of implementing a particular security control, such as virus scanning or SIEM-like functionality, in the cloud.
Virtualization
Virtualization - multiple operating systems can be installed and run simultaneously on a single computer.
A virtual platform requires at least three components:
- Host hardware—the platform that will host the virtual environment. Optionally, there may be multiple hosts networked together.
- Hypervisor/Virtual Machine Monitor (VMM)—manages the virtual machine environment and facilitates interaction with the computer hardware and network.
- Guest operating systems, Virtual Machines (VM), or instances—operating systems installed under the virtual environment.
Virtual desktop infrastructure (VDI)
Virtual desktop infrastructure (VDI) refers to using a VM as a means of provisioning corporate desktops.
In a typical VDI, desktop computers are replaced by low-spec, low-power thin client computers.
Application virtualization
Application virtualization is a limited type of VDI.
Rather than run the whole client desktop as a virtual platform, the client either accesses an application hosted on a server or streams the application from the server to the client for local processing.
Application cell/container virtualization
Application cell/container virtualization dispenses with the idea of a hypervisor and instead enforces resource separation at the operating system level (e.g., Docker).
VM escaping
VM escaping refers to malware running on a guest OS jumping to another guest or to the host.
VM Sprawl
VM Sprawl - Configuration vulnerability where provisioning and deprovisioning of virtual assets is not properly authorized and monitored.
Virtual machine life cycle management (VMLM) software
Virtual machine life cycle management (VMLM) software can be deployed to enforce VM sprawl avoidance.
VMLM solutions provide you with a centralized dashboard for maintaining and monitoring all the virtual environments in your organization.
Application security in the cloud
Application security in the cloud refers both to the software development process and to identity and access management (IAM) features designed to ensure authorized use of applications.
Namespaces
Namespaces prevent one container from reading or writing processes in another, while control groups ensure that one container cannot overwhelm others in a DoS-type attack.
CSPs offer several tiers of replication representing different high availability service levels:
- Local replication—replicates your data within a single data center in the region where you created your storage account.
- Regional replication (also called zone-redundant storage)—replicates your data across multiple data centers within one or two regions. This safeguards data and access in the event a single data center is destroyed or goes offline.
- Geo-redundant storage (GRS)—replicates your data to a secondary region that is distant from the primary region. This safeguards data in the event of a regional outage or a disaster.
Transit gateway
A transit gateway is a virtual router that handles routing between the subnets in each attached VPC and any attached VPN gateways.
Cloud Firewall Security
Filtering decisions can be made based on packet headers and payload contents at various layers, identified in terms of the OSI model:
- Network layer (layer 3)—the firewall accepts or denies connections on the basis of IP addresses or address ranges and TCP/UDP port numbers (the latter are actually contained in layer 4 headers, but this functionality is still always described as basic layer 3 packet filtering).
- Transport layer (layer 4)—the firewall can store connection states and use rules to allow established or related traffic. Because the firewall must maintain a state table of existing connections, this requires more processing power (CPU and memory).
- Application layer (layer 7)—the firewall can parse application protocol headers and payloads (such as HTTP packets) and make filtering decisions based on their contents.