Lesson 15 + 16 Implementing Secure Cloud Solutions Flashcards

Question

Cloud firewalls can be implemented in several ways to suit different purposes:

Answer 1

* As software running on an instance. | * As a service at the virtualization layer to filter traffic between VPC subnets and instances.

Answer 2

A security group provides stateful inbound and outbound filtering at layer 4. The stateful filtering property means that it will allow established and related traffic if a new connection has been accepted. The default security group allows any outbound traffic and any inbound traffic from instances also bound to the default security group A custom security group sets the ports and endpoints that are allowed for inbound and outbound traffic. There are no deny rules for security groups; any traffic that does not match an allow rule is dropped. Consequently, a custom group with no rules will drop all network traffic.

Answer 3

cloud access security broker (CASB) is enterprise management software designed to mediate access to cloud services by users across all types of devices. CASBs provide you with visibility into how clients and other network nodes are using cloud services. Some of the functions of a CASB are: * Enable single sign-on authentication and enforce access controls and authorizations from the enterprise network to the cloud provider. * Scan for malware and rogue or non-compliant device access. * Monitor and audit user and resource activity. * Mitigate data exfiltration by preventing access to unauthorized cloud services from managed devices.

Answer 4

CASBs are implemented in one of three ways: * Forward proxy—this is a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy. * Reverse proxy—this is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy * Application programming interface (API)—rather than placing a CASB appliance or host inline with cloud consumers and the cloud services, an API-based CASB uses brokers connections between the cloud service and the cloud consumer.

Answer 5

Enterprise networks often make use of secure web gateways (SWG). An on-premises SWG is a proxy-based firewall, content filter, and intrusion detection/prevention system that mediates user access to Internet sites and services.

Answer 6

A next-generation SWG combines the functionality of an SWG with that of data loss prevention (DLP) and a CASB to provide a wholly cloud-hosted platform for client access to websites and cloud apps.

Answer 7

For orchestration to work properly, automated steps must occur in the right sequence, taking dependencies into account; it must provide the right security credentials at every step along the way; and it must have the rights and permissions to perform the defined tasks. Orchestration can automate processes that are complex, requiring dozens or hundreds of manual steps.

Answer 8

Cloud orchestration platforms connect to and provide administration, management, and orchestration for cloud platforms and services.

Answer 9

The service API is the means by which external entities interact with the service, calling it with expected parameters and receiving the expected output. There are two predominant "styles" for creating web application APIs: * Simple Object Access Protocol (SOAP)—uses XML format messaging and has a number of extensions in the form of Web Services (WS) standards that support common features, such as authentication, transport security, and asynchronous messaging. SOAP also has a built-in error handling. * Representational State Transfer (REST)—where SOAP is a tightly specified protocol, REST is a looser architectural framework, also referred to as RESTful APIs. Where a SOAP request must be sent as a correctly formatted XML document, a REST request can be submitted as an HTTP operation/verb (GET or POST for example).

Answer 10

With serverless, all the architecture is hosted within a cloud.

Answer 11

infrastructure as code (IaC). infrastructure management where automation and orchestration fully replace manual configuration

Answer 12

Idempotence means that making the same call with the same parameters will always produce the same result

Answer 13

SDN can be provided in three planes: * Control plane—makes decisions about how traffic should be prioritized and secured, and where it should be switched. * Data plane—handles the actual switching and routing of traffic and imposition of security access controls. * Management plane—monitors traffic conditions and network status

Answer 14

Software-defined networking (SDN) application can be used to define policy decisions on the control plane. These decisions are then implemented on the data plane by a network controller application, which interfaces with the network devices using APIs.

Answer 15

The interface between the SDN applications and the SDN controller "northbound" API between the controller and appliances (Data plane) is the "southbound" API.

Answer 16

network functions virtualization (NFV) The architecture supporting rapid deployment of virtual networking using general-purpose VMs and containers

Answer 17

software-defined visibility (SDV) supports assessment and incident response functions. Visibility is the near real- time collection, aggregation, and reporting of data about network traffic flows and the configuration and status of all the hosts, applications, and user accounts participating in it. It can detect network traffic that deviates from baseline levels.

Answer 18

placing fog node processing resources close to the physical location for the IoT sensors. The sensors communicate with the fog node, using Wi-Fi, ZigBee, or 4G/5G, and the fog node prioritizes traffic, analyzes and remediates alertable conditions “Processed Locally”`

Answer 19

* Edge devices are those that collect and depend upon data for their operation. ie) Thermometer in a HVAC system. * Edge gateways perform some pre-processing of data to and from edge devices to enable prioritization. They also perform the wired or wireless connectivity to transfer data to and from the storage and processing networks. * Fog nodes can be incorporated as a data processing layer positioned close to the edge gateways, assisting the prioritization of critical data transmission. * The cloud or data center layer provides the main storage and processing resources, plus distribution and aggregation of data between sites. In security terms, the fog node or edge gateway layers represent high-value targets for both denial of service and data exfiltration attacks.

Answer 20

information life cycle model identifies discrete steps to assist security and privacy policy design. * Creation/collection—data may be generated by an employee or automated system, or it may be submitted by a customer or supplier. At this stage, the data needs to be classified and tagged. * Distribution/use—data is made available on a need to know basis for authorized uses by authenticated account holders and third parties. * Retention—data might have to be kept in an archive past the date when it is still used for regulatory reasons. * Disposal—when it no longer needs to be used or retained, media storing data assets must be sanitized to remove any remnants.

Answer 21

data governance policy describes the security controls that will be applied to protect data at each stage of its life cycle.

Answer 22

• Data owner—a senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. The owner is responsible for labeling the asset (such as determining who should have access and determining the asset's criticality and sensitivity) and ensuring that it is protected with appropriate controls (access control, backup, retention, and so forth)

Answer 23

• Data steward—this role is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.

Answer 24

Data custodian—this role handles managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures.

Answer 25

Data Privacy Officer (DPO)—this role is responsible for oversight of any personally identifiable information (PII) assets managed by the company. The privacy officer ensures that the processing, disclosure, and retention of PII complies with legal and regulatory frameworks.

Answer 26

Data processor—an entity engaged by the data controller to assist with technical collection, storage, or analysis tasks. A data processor follows the instructions of a data controller with regard to collection or processing.

Answer 27

Data controller—the entity responsible for determining why and how data is stored, collected, and used and for ensuring that these purposes and means are lawful. The data controller has ultimate responsibility for privacy breaches, and is not permitted to transfer that responsibility.

Answer 28

Public (unclassified) Confidential (secret) Critical (top secret)

Answer 29

Personally identifiable information (PII) is data that can be used to identify, contact, or locate an individual. A Social Security Number (SSN) is a good example of PII.

Answer 30

Personal health information (PHI)— refers to medical and insurance records, plus associated hospital and laboratory test results.

Answer 31

EU's General Data Protection Regulation (GDPR), means that personal data cannot be collected, processed, or retained without the individual's informed consent.

Answer 32

Data retention refers to backing up and archiving information assets in order to comply with business policies and/or applicable laws and regulations.

Answer 33

Data sovereignty refers to a jurisdiction preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction.

Answer 34

data breach occurs when information is read or modified without authorization. "Read" in this sense can mean either seen by a person or transferred to a network or storage media. A data breach is the loss of any type of data

Answer 35

privacy breach refers specifically to loss or disclosure of personal and sensitive data.

Answer 36

Health Insurance Portability and Accountability Act (HIPAA) sets out reporting requirements in legislation, requiring breach notification to the affected individuals, the Secretary of the US Department of Health and Human Services, and, if more than 500 individuals are affected, to the media

Answer 37

Service level agreement (SLA)—a contractual agreement setting out the detailed terms under which a service is provided.

Answer 38

Interconnection security agreement (ISA) An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.

Answer 39

Nondisclosure agreement (NDA)—legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies.

Answer 40

Data sharing and use agreement—under privacy regulations such as GDPR or HIPAA, personal data can only be collected for a specific purpose.

Answer 41

Data at rest—this state means that the data is in some sort of persistent storage media. In this state, it is usually possible to encrypt the data, using techniques such as whole disk encryption, database encryption, and file- or folder-level encryption. It is also possible to apply permissions

Answer 42

Data in transit (or data in motion)—this is the state when data is transmitted over a network. Examples of types of data that may be in transit include website traffic, remote access traffic, data being synchronized between cloud repositories. Data can be protected by a transport encryption protocol, such as TLS or IPSec.

Answer 43

• Data in use (or data in processing)—this is the state when data is present in volatile memory, such as system RAM or CPU registers and cache. Examples of types of data that may be in use include documents open in a word processing application, database data that is currently being modified, event logs being generated while an operating system is running.

Answer 44

Data exfiltration Unauthorized copying or retrieval of data from a system is referred to as data exfiltration. Data exfiltration attacks are one of the primary means for attackers to retrieve valuable data, such as personally identifiable information (PII) or payment information, often destined for later sale on the black market.

Answer 45

Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without a proper authorization. Such solutions will usually consist of the following components: * Policy server—to configure classification, confidentiality, and privacy rules and policies, log incidents, and compile reports. * Endpoint agents—to enforce policy on client computers, even when they are not connected to the network. * Network agents—to scan communications at network borders and interface with web and messaging servers to enforce policy.

Answer 46

Remediation is the action the DLP software takes when it detects a policy violation. The following remediation mechanisms are typical: • Alert only—the copying is allowed, but the management system records an incident and may alert an administrator. * Block—the user is prevented from copying the original file but retains access to it. The user may or may not be alerted to the policy violation, but it will be logged as an incident by the management engine. * Quarantine—access to the original file is denied to the user (or possibly any user). This might be accomplished by encrypting the file in place or by moving it to a quarantine area in the file system. * Tombstone—the original file is quarantined and replaced with one describing the policy violation and how the user can release it again.

Answer 47

Data minimization is the principle that data should only be processed and stored if that is necessary to perform the purpose for which it is collected.

Answer 48

anonymized data set is one where individual subjects can no longer be identified, even if the data set is combined with other data sources. Identifying information is permanently removed

Answer 49

Pseudo-anonymization modifies or replaces identifying information so that reidentification depends on an alternate data source, which must be kept separate.

Answer 50

Data masking can mean that all or part of the contents of a field are redacted, by substituting all character strings with "x" for example. irreversible deidentification technique.

Answer 51

Tokenization means that all or part of data in a field is replaced with a randomly generated token. The token is stored with the original value on a token server or token vault, separate from the production database. Also used as a substitute for encryption.

Answer 52

Hashing is used for two main purposes within a database: * As an indexing method to speed up searches and provide deidentified references to records. * As a storage method for data such as passwords where the original plaintext does not need to be retained.

Answer 53

A salt is an additional value stored with the hashed data field. The purpose of salt is to frustrate attempts to crack the hashes. It means that the attacker cannot use pre- computed tables of hashes using dictionaries of plaintexts. These tables have to be recompiled to include the salt value.