Lesson 15 + 16 Implementing Secure Cloud Solutions Flashcards
Cloud Deployment Models
• Public (or multi-tenant)
• Public (or multi-tenant)—a service offered over the Internet by cloud service providers (CSPs) to cloud consumers.
businesses can offer subscriptions or pay-as-you-go financing, while at the same time providing lower-tier services free of charge.
Cloud Deployment Model
Hosted Private
Hosted Private—hosted by a third-party for the exclusive use of the organization.
Cloud Deployment Model
Private
Private—cloud infrastructure that is completely private to and owned by the organization
geared more toward banking and governmental services that require strict access control
Cloud Deployment Model
Community
Community—this is where several organizations share the costs of either a hosted private or fully private cloud.
This is usually done in order to pool resources for a common concern
Cloud Deployment Model
hybrid public/private/community/hosted/onsite/offsite solution
For example, a travel organization may run a sales website for most of the year using a private cloud but break out the solution to a public cloud at times when much higher utilization is forecast
Infrastructure as a service (IaaS)
Infrastructure as a service (IaaS)
provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly.
you rent them on an as-needed basis from the service provider’s data center
Software as a service (SaaS)
Software as a service (SaaS)
Rather than purchasing software licenses for a given number of seats, a business would access software hosted on a supplier’s servers on a pay-as-you- go or lease arrangement (on-demand)
Platform as a service (PaaS)
Platform as a service (PaaS) provides resources somewhere between SaaS and IaaS.
A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top.
Security in the cloud
security of the cloud is the things the CSP manages.
Security as a Service
Consultants
Consultants—the experience and perspective of a third-party professional can be hugely useful in improving security awareness and capabilities in any type of organization (small to large)
Security as a Service
Managed Security Services Provider (MSSP)
Managed Security Services Provider (MSSP)—a means of fully outsourcing responsibility for information assurance to a third party.
Security as a Service
Security as a Service (SECaaS)
Security as a Service (SECaaS)—
a means of implementing a particular security control, such as virus scanning or SIEM-like functionality, in the cloud.
Virtualization
Virtualization - multiple operating systems can be installed and run simultaneously on a single computer.
A virtual platform requires at least three components:
- Host hardware—the platform that will host the virtual environment. Optionally, there may be multiple hosts networked together.
- Hypervisor/Virtual Machine Monitor (VMM)—manages the virtual machine environment and facilitates interaction with the computer hardware and network.
- Guest operating systems, Virtual Machines (VM), or instances—operating systems installed under the virtual environment.
Virtual desktop infrastructure (VDI)
Virtual desktop infrastructure (VDI) refers to using a VM as a means of provisioning corporate desktops.
In a typical VDI, desktop computers are replaced by low-spec, low-power thin client computers
Application virtualization
Application virtualization - limited type of VDI.
Rather than run the whole client desktop as a virtual platform, the client either accesses an application hosted on a server or streams the application from the server to the client for local processing
Application cell/container virtualization
Application cell/container virtualization dispenses with the idea of a hypervisor and instead enforces resource separation at the operating system level. ie) Docker
VM escaping
VM escaping refers to malware running on a guest OS jumping to another guest or to the host.
VM Sprawl
VM Sprawl - Configuration vulnerability where provisioning and deprovisioning of virtual assets is not properly authorized and monitored.
Virtual machine life cycle management (VMLM) software
Virtual machine life cycle management (VMLM) software can be deployed to enforce VM sprawl avoidance.
VMLM solutions provide you with a centralized dashboard for maintaining and monitoring all the virtual environments in your organization.
Application security in the cloud
Application security in the cloud refers both to the software development process and to identity and access management (IAM) features designed to ensure authorized use of applications.
Namespaces
Namespaces prevent one container reading or writing processes in another, while control groups ensure that one container cannot overwhelm others in a DoS-type attack.
CSPs offer several tiers of replication representing different high availability service levels:
- Local replication—replicates your data within a single data center in the region where you created your storage account.
- Regional replication (also called zone-redundant storage)—replicates your data across multiple data centers within one or two regions. This safeguards data and access in the event a single data center is destroyed or goes offline.
- Geo-redundant storage (GRS)—replicates your data to a secondary region that is distant from the primary region. This safeguards data in the event of a regional outage or a disaster.
transit gateway
transit gateway is a virtual router that handles routing between the subnets in each attached VPC and any attached VPN gateways
Cloud Firewall Security
Filtering decisions can be made based on packet headers and payload contents at various layers, identified in terms of the OSI model:
- Network layer (layer 3)—the firewall accepts or denies connections on the basis of IP addresses or address ranges and TCP/UDP port numbers (the latter are actually contained in layer 4 headers, but this functionality is still always described as basic layer 3 packet filtering).
- Transport layer (layer 4)—the firewall can store connection states and use rules to allow established or related traffic. Because the firewall must maintain a state table of existing connections, this requires more processing power (CPU and memory).
- Application layer (layer 7)—the firewall can parse application protocol headers and payloads (such as HTTP packets) and make filtering decisions based on their contents.
Cloud firewalls can be implemented in several ways to suit different purposes:
- As software running on an instance.
* As a service at the virtualization layer to filter traffic between VPC subnets and instances.
security groups
A security group provides stateful inbound and outbound filtering at layer 4. The stateful filtering property means that it will allow established and related traffic if a new connection has been accepted.
The default security group allows any outbound traffic and any inbound traffic from instances also bound to the default security group
A custom security group sets the ports and endpoints that are allowed for inbound and outbound traffic.
There are no deny rules for security groups; any traffic that does not match an allow rule is dropped. Consequently, a custom group with no rules will drop all network traffic.
cloud access security broker (CASB)
cloud access security broker (CASB) is enterprise management software designed to mediate access to cloud services by users across all types of devices. CASBs provide you with visibility into how clients and other network nodes are using cloud services. Some of the functions of a CASB are:
- Enable single sign-on authentication and enforce access controls and authorizations from the enterprise network to the cloud provider.
- Scan for malware and rogue or non-compliant device access.
- Monitor and audit user and resource activity.
- Mitigate data exfiltration by preventing access to unauthorized cloud services from managed devices.
CASBs are implemented in one of three ways:
CASBs are implemented in one of three ways:
- Forward proxy—this is a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy.
- Reverse proxy—this is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy
- Application programming interface (API)—rather than placing a CASB appliance or host inline with cloud consumers and the cloud services, an API-based CASB uses brokers connections between the cloud service and the cloud consumer.
secure web gateways (SWG)
Enterprise networks often make use of secure web gateways (SWG).
An on-premises SWG is a proxy-based firewall, content filter, and intrusion detection/prevention system that mediates user access to Internet sites and services.
next-generation SWG
A next-generation SWG combines the functionality of an SWG with that of data loss prevention (DLP) and a CASB to provide a wholly cloud-hosted platform for client access to websites and cloud apps.
orchestration performs a sequence of automated tasks
For orchestration to work properly, automated steps must occur in the right sequence, taking dependencies into account; it must provide the right security credentials at every step along the way; and it must have the rights and permissions to perform the defined tasks.
Orchestration can automate processes that are complex, requiring dozens or hundreds of manual steps.
Cloud orchestration
Cloud orchestration platforms connect to and provide administration, management, and orchestration for cloud platforms and services.
service API
The service API is the means by which external entities interact with the service, calling it with expected parameters and receiving the expected output.
There are two predominant “styles” for creating web application APIs:
- Simple Object Access Protocol (SOAP)—uses XML format messaging and has a number of extensions in the form of Web Services (WS) standards that support common features, such as authentication, transport security, and asynchronous messaging. SOAP also has a built-in error handling.
- Representational State Transfer (REST)—where SOAP is a tightly specified protocol, REST is a looser architectural framework, also referred to as RESTful APIs. Where a SOAP request must be sent as a correctly formatted XML document, a REST request can be submitted as an HTTP operation/verb (GET or POST for example).
Serverless Architecture
With serverless, all the architecture is hosted within a cloud.
infrastructure as code (IaC).
infrastructure as code (IaC).
infrastructure management where automation and orchestration fully replace manual configuration
Idempotence
Idempotence means that making the same call with the same parameters will always produce the same result
SDN can be provided in three planes:
SDN can be provided in three planes:
- Control plane—makes decisions about how traffic should be prioritized and secured, and where it should be switched.
- Data plane—handles the actual switching and routing of traffic and imposition of security access controls.
- Management plane—monitors traffic conditions and network status
Software-defined networking (SDN)
Software-defined networking (SDN) application can be used to define policy decisions on the control plane.
These decisions are then implemented on the data plane by a network controller application, which interfaces with the network devices using APIs.
northbound
southbound
The interface between the SDN applications and the SDN controller “northbound” API
between the controller and appliances (Data plane) is the “southbound” API.
network functions virtualization (NFV)
network functions virtualization (NFV)
The architecture supporting rapid deployment of virtual networking using general-purpose VMs and containers
software-defined visibility (SDV)
software-defined visibility (SDV)
supports assessment and incident response functions.
Visibility is the near real- time collection, aggregation, and reporting of data about network traffic flows and the configuration and status of all the hosts, applications, and user accounts participating in it.
It can detect network traffic that deviates from baseline levels.
Fog Computing
placing fog node processing resources close to the physical location for the IoT sensors.
The sensors communicate with the fog node, using Wi-Fi, ZigBee, or 4G/5G, and the fog node prioritizes traffic, analyzes and remediates alertable conditions
“Processed Locally”`
Edge computing Concepts
- Edge devices are those that collect and depend upon data for their operation. ie) Thermometer in a HVAC system.
- Edge gateways perform some pre-processing of data to and from edge devices to enable prioritization. They also perform the wired or wireless connectivity to transfer data to and from the storage and processing networks.
- Fog nodes can be incorporated as a data processing layer positioned close to the edge gateways, assisting the prioritization of critical data transmission.
- The cloud or data center layer provides the main storage and processing resources, plus distribution and aggregation of data between sites.
In security terms, the fog node or edge gateway layers represent high-value targets for both denial of service and data exfiltration attacks.
information life cycle model stages
information life cycle model identifies discrete steps to assist security and privacy policy design.
- Creation/collection—data may be generated by an employee or automated system, or it may be submitted by a customer or supplier. At this stage, the data needs to be classified and tagged.
- Distribution/use—data is made available on a need to know basis for authorized uses by authenticated account holders and third parties.
- Retention—data might have to be kept in an archive past the date when it is still used for regulatory reasons.
- Disposal—when it no longer needs to be used or retained, media storing data assets must be sanitized to remove any remnants.
data governance policy
data governance policy describes the security controls that will be applied to protect data at each stage of its life cycle.
Data Owner
• Data owner—a senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. The owner is responsible for labeling the asset (such as determining who should have access and determining the asset’s criticality and sensitivity) and ensuring that it is protected with appropriate controls (access control, backup, retention, and so forth)
Data steward
• Data steward—this role is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.
Data custodian
Data custodian—this role handles managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures.
Data Privacy Officer (DPO)
Data Privacy Officer (DPO)—this role is responsible for oversight of any personally identifiable information (PII) assets managed by the company.
The privacy officer ensures that the processing, disclosure, and retention of PII complies with legal and regulatory frameworks.
protecting personal privacy
Data processor
Data processor—an entity engaged by the data controller to assist with technical collection, storage, or analysis tasks. A data processor follows the instructions of a data controller with regard to collection or processing.
protecting personal privacy
Data controller
Data controller—the entity responsible for determining why and how data is stored, collected, and used and for ensuring that these purposes and means are lawful. The data controller has ultimate responsibility for privacy breaches, and is not permitted to transfer that responsibility.
Data classification
Public (unclassified)
Confidential (secret) Critical (top secret)
Personally identifiable information (PII)
Personally identifiable information (PII) is data that can be used to identify, contact, or locate an individual. A Social Security Number (SSN) is a good example of PII.
Personal health information (PHI)
Personal health information (PHI)— refers to medical and insurance records, plus associated hospital and laboratory test results.
General Data Protection Regulation (GDPR)
EU’s General Data Protection Regulation (GDPR), means that personal data cannot be collected, processed, or retained without the individual’s informed consent.
Data retention
Data retention refers to backing up and archiving information assets in order to comply with business policies and/or applicable laws and regulations.
Data sovereignty
Data sovereignty refers to a jurisdiction preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction.
data breach
data breach occurs when information is read or modified without authorization. “Read” in this sense can mean either seen by a person or transferred to a network or storage media.
A data breach is the loss of any type of data
privacy breach
privacy breach refers specifically to loss or disclosure of personal and sensitive data.
Health Insurance Portability and Accountability Act (HIPAA)
Health Insurance Portability and Accountability Act (HIPAA)
sets out reporting requirements in legislation, requiring breach notification to the affected individuals, the Secretary of the US Department of Health and Human Services, and, if more than 500 individuals are affected, to the media
Service level agreement (SLA)
Service level agreement (SLA)—a contractual agreement setting out the detailed terms under which a service is provided.
Interconnection security agreement (ISA)
Interconnection security agreement (ISA)
An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.
Nondisclosure agreement (NDA)
Nondisclosure agreement (NDA)—legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies.
Data sharing and use agreement
Data sharing and use agreement—under privacy regulations such as GDPR or HIPAA, personal data can only be collected for a specific purpose.
Data at rest
Data at rest—this state means that the data is in some sort of persistent storage media.
In this state, it is usually possible to encrypt the data, using techniques such as whole disk encryption, database encryption, and file- or folder-level encryption.
It is also possible to apply permissions
Data in transit (or data in motion)
Data in transit (or data in motion)—this is the state when data is transmitted over a network.
Examples of types of data that may be in transit include website traffic, remote access traffic, data being synchronized between cloud repositories.
Data can be protected by a transport encryption protocol, such as TLS or IPSec.
Data in use (or data in processing)
• Data in use (or data in processing)—this is the state when data is present in volatile memory, such as system RAM or CPU registers and cache.
Examples of types of data that may be in use include documents open in a word processing application, database data that is currently being modified, event logs being generated while an operating system is running.
Data exfiltration
Data exfiltration
Unauthorized copying or retrieval of data from a system is referred to as data exfiltration.
Data exfiltration attacks are one of the primary means for attackers to retrieve valuable data, such as personally identifiable information (PII) or payment information, often destined for later sale on the black market.
DLP
Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without a proper authorization.
Such solutions will usually consist of the following components:
- Policy server—to configure classification, confidentiality, and privacy rules and policies, log incidents, and compile reports.
- Endpoint agents—to enforce policy on client computers, even when they are not connected to the network.
- Network agents—to scan communications at network borders and interface with web and messaging servers to enforce policy.
Remediation
Remediation is the action the DLP software takes when it detects a policy violation.
The following remediation mechanisms are typical:
• Alert only—the copying is allowed, but the management system records an incident and may alert an administrator.
- Block—the user is prevented from copying the original file but retains access to it. The user may or may not be alerted to the policy violation, but it will be logged as an incident by the management engine.
- Quarantine—access to the original file is denied to the user (or possibly any user). This might be accomplished by encrypting the file in place or by moving it to a quarantine area in the file system.
- Tombstone—the original file is quarantined and replaced with one describing the policy violation and how the user can release it again.
Data minimization
Data minimization is the principle that data should only be processed and stored if that is necessary to perform the purpose for which it is collected.
anonymized data
anonymized data set is one where individual subjects can no longer be identified, even if the data set is combined with other data sources. Identifying information is permanently removed
Pseudo-anonymization
Pseudo-anonymization modifies or replaces identifying information so that reidentification depends on an alternate data source, which must be kept separate.
Data masking
Data masking can mean that all or part of the contents of a field are redacted, by substituting all character strings with “x” for example.
irreversible deidentification technique.
Tokenization
Tokenization means that all or part of data in a field is replaced with a randomly generated token.
The token is stored with the original value on a token server or token vault, separate from the production database.
Also used as a substitute for encryption.
Hashing is used for two main purposes within a database:
Hashing is used for two main purposes within a database:
- As an indexing method to speed up searches and provide deidentified references to records.
- As a storage method for data such as passwords where the original plaintext does not need to be retained.
salt
A salt is an additional value stored with the hashed data field. The purpose of salt is to frustrate attempts to crack the hashes. It means that the attacker cannot use pre- computed tables of hashes using dictionaries of plaintexts.
These tables have to be recompiled to include the salt value.
