Lesson 15 Secure Cloud Solutions

Question 1

CASB

Answer 1

Could Access Security Brokers

Enterprise management SW used to mediate access to cloud services by users across all types of devices

controls how your users interact with the application (on the CSP) and how the application interacts with the user

Functions provided:

• enable single sign-on authentication, access controls, and authorizations
• scan for malware and rogue access points (APs)
• monitor and audit user and resource activity
• mitigate data exfiltration through prevention of access to unauthorized could services
• prevent unauthorized application and plugin updates

implemented using

• forward proxy at the client net edge (user config)
• reverse proxy at the cloud net edge (no user config)
• application programming interface (API) using connections between the cloud service and cloud consumer

Question 2

Data Bias

Answer 2

a problem with Machine Learning in which attackers can skew data points to ‘teach’ bad things or trend bad things to the norm

Question 3

Community cloud service

Answer 3

A community cloud service is shared by a group of similar organizations with similar needs

Example: a cloud service built to serve hospitals

Question 4

MSSP

Answer 4

Managed Security Service Provider

A third party organization hired to manage another companies security

Question 5

SWG - Secure Web Gateway

Answer 5

Secure Web Gateway

a class of products used to perform content filtering

an on premise SWG is a proxy-based firewall, content filter, and IDS/IPS system that mediates user access to internet sites and services

Question 6

Security Groups

Answer 6

provides stateful inbound and outbound filtering at layer 4 transport layer

A security group is a set of firewall rules that control traffic for your instance

multiple instances (of a compute instances) can be assigned to the same security group

Question 7

Cloud Deployment Models

Answer 7

Classifies how the service is owned and provisioned

• Public or multi-tenant
• Hosted Private
• Private
• Community

Can have a hybrid of these

Flexibility is key advantage of cloud computing but must watch for data risks

Question 8

Public or Multi-tenant Deployment model

Answer 8

Using shared resources in the cloud

Multi-cloud is where you use services from multiple CSPs

Question 9

Hosted Private Deployment model

Answer 9

a 3rd party hosted cloud deployment offering better level of performance at a cost

gives exclusive use

Question 10

Private Deployment model

Answer 10

cloud infrastructure completely owned and operated by the organization

gives organization more control over privacy and security

geared toward banking and government services

can be on-site, better for performance and less likely to have outages

can be off-site if need to be shared between business units

Question 11

Community Deployment model

Answer 11

Several organizations share the cost of the either hosted private or fully private cloud

Done to pool resources for a common concern

Question 12

Cloud Service Models

Answer 12

Infrastructure as a Service (IaaS)
- CSP provides IT resources

Software as a Service (SaaS)
- CSP provides software applications

Platform as a Service (PasS)

• CSP provides a mix of IaaS and SaaS allowing for developers to create applications
• Includes a multi-tier database

Question 13

XaaS Anything as a Service

Answer 13

Can provision almost anything in the cloud

Security concern is where the responsibility lie

Security in the cloud (you) vs security of the cloud (CSP)

Question 14

Security as a Service

Answer 14

Depending on 3rd party support for security
3 tiers:
Consultants - use for big picture framework analysis and alignment or for specific product focused projects

Managed Security Services Provider (MSSP) - fully outsourced responsibility for information assurance
- expensive and requires great trust

Security as a Service (SECaaS) - typically means implementing a particular security control, such as virus scanning or SIEM-like functionality in the cloud

Question 15

Virtualization

Answer 15

Installing and running multiple OSs on a single host computer

Requires three components:

• host hardware as the platform
• hypervisor or virtual machine monitor (VMM) to manage the vm environment and facilitates interaction with host hw and network
• Guest OSs, Virtual Machines (VM) or instances of operating systems under the virtual environment

Question 16

Virtual platforms

Answer 16

Type 1 - Bare metal - the hypervisor is installed directly onto the computer and manages access to the host hw without going through a host OS

Type 2 - Guest OS system - the hypervisor is installed onto the host operating system

Question 17

VDI and Thin Clients

Answer 17

Virtual Desktop Infrastructure (VDI)

• using a VM to provision corporate desktops
• allows for use of thin clients

Thin Client

• minimal OS to startup
• connects to VM stored on corporate infrastructure
• uses Remote Desktop protocol
• all work is done in the virtual desktop environment (VDE) is on the server side

Provides better data security, easier support, and can offload IT infrastructure to 3rd party

Failure of server and network can cause outage to the user, downtime is more costly in terms of lost productivity

Question 18

App Virtualization

Answer 18

a more limited VDI

think Citrix

client access the application from the server or streams the app from the server for local processing

Used with HTML5 Remote Desktop apps and referred to as clientless as they are accessed via the web browser

Question 19

Container Virtualization

Answer 19

Containers do away with the hypervisor

enforces resource separation at the OS level

Think Docker

supports micro services and serverless architecture

Question 20

VM Escape Protection

Answer 20

VM Escape is malware running on a guest OS jumping to another guest or to the host

Attackers use timing of certain actions to determine if on VM
Attackers then compromise the hypervisor

This is a concern if another guest OS has the malware and the attackers can then gain access to your guest OS and make a copy of the your server image

Patching in a timely manner is key to preventing VM escape

Reduce the impact of VM escape by using effective service design and network placement when deploying VMs

Think Internet - firewall - web host - firewall - middleware/backend services - LAN

Question 21

VM Sprawl

Answer 21

This happens when a system has many VMs which are not properly managed.

Users bring up a VM for just a minute to test something but never really destroy it.

These VMs then are undocumented and unpatched leaving them vulnerable to attacks. This increases the attack surface of the network.

Policies and procedures for tracking, securing, and when no longer used, destroying virtualized assets should be put in place and enforced

Also tightly control the VM image since they are easy targets for logic bombs or backdoors or any malicious code for insider threats.

Question 22

XssS diagram from class

Answer 22

SaaS
client - Data
CSP - brings App, OS, HW
example - webmail

PaaS
client - Data and Apps
CSP - OS, HW
example - Azure Dev Platform

IaaS
client - Data Apps OS
CSP - HW
example - AWS

Question 23

Cloud Security Controls

Answer 23

App Security and Identity and Access Management (IAM)

• similar to on-premise solutions
• enables the creation of user and user security groups plus role based management and policy

Question 24

Secrets Management

Answer 24

Enforce strong authentication policy

• do not use root CSP user for day to day logon activity
• require strong MFA for interactive logons
• use conditional authentication to deny or warn of risky account activity
• keep programmatic secrets safe after generation put on host

Question 25

Container Security (between containers)

Answer 25

Namespaces prevent one container from reading or writing processes in another

Control groups ensure one container cannot overwhelm others in a DoS type attack

Question 26

API Inspection and Integration

Answer 26

API usage gives warning of system overload or allows for detection of unauthorized usage or attempted usage

• number of requests
• latency watch for high values as could be compute resources are insufficient or a DoS attack
• error rates watch for authentication/access denied type errors
• unauthorized and suspicious endpoints

Question 27

Instance (VM & Container) Awareness - Security managed instances

Answer 27

Instances should be monitored to avoid sprawl

Should restrict rights to launch instances

Configure logging and monitoring to track usage

Question 28

Could Storage security

Answer 28

Permissions & Resource Policies

• allow read/writes only from authorized endpoints
• like an ACL for an object
• can be an attack vector if misconfigured
• watch for wildcard entries for permissions and/or prinicpals (accounts) - breaks least privilege principle

Encryption

• in the Cloud this is equivalent to FDE for the on-premise system
• uses an AES key and must be available to the VM or container using the storage object
• keys are stored on the HSM in the cloud
• use encrypted protocols, HTTPS or IPSec

Question 29

Cloud High Availability

Answer 29

CSPs use redundancy for this

• Replication to copy data to where it best utilized
  
  • hot storage is lower retrieval rates
  • cold storage is higher retrieval rates
• HA across Zones
  
  • local replication, data is located in region you created the data
  • regional replication, data is replicated across multiple data centers; safeguards data if a single data center goes offline
  • geo-redundant storage (GRS), replicates data to a secondary region distant from primary regions to provide safeguards in the event of a disaster

Question 30

VPCs

Answer 30

Virtual Private Clouds (VPCs) (like a VLAN in the cloud) is isolated from other CSP accounts and from other VPCs operating in the same account

• isolates the workload for each VPC
• a resource pool created in a public cloud
• common to create multiple application clouds

Question 31

Public and Private Subnets

Answer 31

VPC can either be a public or private subnet

• defaults to private
• public must be configured within the VPC
  
  • requires two things to be public/internet access
    
    • connection to internet gateway
    • internet gateway must be the VPCs default gateway

Question 32

Transit Gateway

Answer 32

A means of connecting multiple VPCs together

• similar to a router, a cloud ‘router’
• connects users to VPCs
• users connect using a VPN connection

Question 33

VPC Endpoints

Answer 33

a means of publishing a service making it available to to other VPCs

• means the traffic is never exposed to the internet
• two types: gateway and interface

Question 34

VPC Gateway Endpoint

Answer 34

configured as router to the service in the VPC’s route table

Question 35

VPC Interface Endpoints

Answer 35

Allows private access to custom services

Question 36

Cloud Firewall security

Answer 36

cloud firewalls filter traffic within and to and from the cloud and can be implemented several ways

• as sw running on an instance as a sort of host based firewall, similar to a stateful packet filtering or web app firewall with rulesets tuned to prevent malicious attacks
• as a service at the virtualization layer to filter the traffic between VPC subnets and instances, similar to a network firewall

Question 37

Security Groups aws

Answer 37

An AWS implementation
provides a stateful inbound and outbound filtering at layer 4
- default security groups allows all traffic
- custom security group sets the ports and endpoints which are allowed for in/outbound traffic - only allowed traffic is permitted, all other traffic is dropped

Question 38

Next-generation SWG

Answer 38

Next generation Secure Web Gateway (SWG) combines the functionality of a SWG with the data loss prevention (DLP) and a cloud access secure broker (CASB) providing a cloud-hosted platform for client access to websites and cloud apps

Supports secure access service edge (SSAE)

Question 39

SOA vs microservices

Answer 39

Service Oriented Architecture (SOA) allows from a service to be built from other services
- loose coupling

Microservices should be capable of being developed, tested, and deployed independently
- highly decoupled

Question 40

Orchestration

Answer 40

performing a sequence of automated tasks

• run in proper sequence
• consider dependencies
• provide credentials at each step

Question 41

Service API

Answer 41

the means by which external entities interact with the service, calling the service with expected parameters and receiving the expected output
To test and create web APIs:
- SOAP (simple object access protocol) uses XML and is tightly specified
- REST (Representational State Transfer) uses a URL and is a looser framework than SOAP

Question 42

Serverless Architecture (FaaS)

Answer 42

All architecture is hosted in the cloud

• different than VPCs
• services are developed as functions and microservices each interacting to facilitate a client request
• a request will spin up a container to run the code and then destroy the container
• also known as Function as a Service (FaaS)
• depends on event-driven orchestration to facilitate operations
• all underlying architecture is managed by the service provider
• security is then based on ensuring the client is not compromised when accessing the service
• guard against impersonation

Question 43

IaC and Snowflake system

Answer 43

Infrastructure as Code is an approach to infrastructure management where automation and orchestration fully replaces manual configuration

A snowflake is a configuration or build that is different from any other
This lack of consistency or drift in the platform leads to security issues, unstable systems

The goal of IaC is to eliminate snowflake systems by ensuring idempotence

idempotenece is making the same call with the same parameters will produce the same result.

Question 44

Cloud network functional model using planes

Answer 44

Cloud networks are complex containing many devices. A model is used to simplify the required functions found in a network
Control Plane
- makes decisions about how traffic is prioritized and secured, and where it should be switched

Data Plane
- handles the actual switching and routing of traffic and imposition of security access controls

Management Plane
- monitors traffic conditions and network status

Question 45

SDN

Answer 45

Software Defined Networking (SDN) is an application used to define policy decisions on the control plane

Question 46

NFV

Answer 46

Network Functions Virtualization is the architecture supporting rapid deployment of virtual networking general purpose VMs and containers

Question 47

SDV

Answer 47

Software Defined Visibility (SDV) supports assessment and incident response functions

• gathers statistics from forwarding systems
• applies classifications to those systems
• detect network traffic that deviates from baseline levels

Question 48

Fog computing

Answer 48

Address the need to prioritize sensor data for analysis
A fog node will perform aggregation of sensor data, analyzes and remediates alertable conditions and backhauls remaining data to the data center for storage and low priority analysis

Target of DoS and data exfoliation attacks

Question 49

Edge computing

Answer 49

Edge devices are those that collect and depend on data for their operation

Edge gateways preform pre-processing of data to and from edge devices to enable prioritization.

• will forward the data for trending on to the fog node
• are targets of DoS and data exfoliation attacks