Lesson 15 Secure Cloud Solutions Flashcards
CASB
Cloud Access Security Brokers
Enterprise management SW used to mediate access to cloud services by users across all types of devices
controls how your users interact with the application (on the CSP) and how the application interacts with the user
Functions provided:
- enable single sign-on authentication, access controls, and authorizations
- scan for malware and rogue access points (APs)
- monitor and audit user and resource activity
- mitigate data exfiltration through prevention of access to unauthorized cloud services
- prevent unauthorized application and plugin updates
Implemented using:
- forward proxy at the client net edge (user config)
- reverse proxy at the cloud net edge (no user config)
- application programming interface (API) using connections between the cloud service and cloud consumer
Data Bias
A problem with machine learning in which attackers skew the training data points to ‘teach’ the model bad behavior, or to make bad outcomes trend toward the norm
Community cloud service
A community cloud service is shared by a group of similar organizations with similar needs
Example: a cloud service built to serve hospitals
MSSP
Managed Security Service Provider
A third-party organization hired to manage another company's security
SWG
Secure Web Gateway
a class of products used to perform content filtering
An on-premises SWG is a proxy-based firewall, content filter, and IDS/IPS system that mediates user access to internet sites and services
Security Groups
Provide stateful inbound and outbound filtering at layer 4 (the transport layer)
A security group is a set of firewall rules that control traffic for your instance
Multiple compute instances can be assigned to the same security group
Cloud Deployment Models
Classifies how the service is owned and provisioned
- Public or multi-tenant
- Hosted Private
- Private
- Community
Can have a hybrid of these
Flexibility is the key advantage of cloud computing, but data risks must be watched for
Public or Multi-tenant Deployment model
Using shared resources in the cloud
Multi-cloud is where you use services from multiple CSPs
Hosted Private Deployment model
A third-party hosted cloud deployment offering a better level of performance, at a cost
gives exclusive use
Private Deployment model
cloud infrastructure completely owned and operated by the organization
gives organization more control over privacy and security
geared toward banking and government services
can be on-site, better for performance and less likely to have outages
can be off-site if need to be shared between business units
Community Deployment model
Several organizations share the cost of either a hosted private or a fully private cloud
Done to pool resources for a common concern
Cloud Service Models
Infrastructure as a Service (IaaS)
- CSP provides IT resources
Software as a Service (SaaS)
- CSP provides software applications
Platform as a Service (PaaS)
- CSP provides a mix of IaaS and SaaS, allowing developers to create applications
- Includes a multi-tier database
XaaS Anything as a Service
Can provision almost anything in the cloud
The security concern is where the responsibility lies
Security in the cloud (you) vs security of the cloud (CSP)
Security as a Service
Depending on third-party support for security
3 tiers:
Consultants - used for big-picture framework analysis and alignment, or for specific product-focused projects
Managed Security Services Provider (MSSP) - fully outsourced responsibility for information assurance
- expensive and requires great trust
Security as a Service (SECaaS) - typically means implementing a particular security control, such as virus scanning or SIEM-like functionality in the cloud
Virtualization
Installing and running multiple OSs on a single host computer
Requires three components:
- host hardware as the platform
- hypervisor or virtual machine monitor (VMM) to manage the VM environment and facilitate interaction with the host hardware and network
- guest OSs: virtual machines (VMs) or instances of operating systems running under the virtual environment
Virtual platforms
Type 1 - Bare metal - the hypervisor is installed directly onto the computer and manages access to the host hw without going through a host OS
Type 2 - Guest OS system - the hypervisor is installed onto the host operating system
VDI and Thin Clients
Virtual Desktop Infrastructure (VDI)
- using a VM to provision corporate desktops
- allows for use of thin clients
Thin Client
- minimal OS to start up
- connects to a VM stored on corporate infrastructure
- uses a remote desktop protocol
- all work is done in the virtual desktop environment (VDE) on the server side
Provides better data security, easier support, and can offload IT infrastructure to 3rd party
Failure of the server or network causes an outage for the user; downtime is more costly in terms of lost productivity
App Virtualization
a more limited VDI
think Citrix
The client accesses the application on the server, or streams the app from the server for local processing
Used with HTML5 Remote Desktop apps and referred to as clientless as they are accessed via the web browser
Container Virtualization
Containers do away with the hypervisor
enforces resource separation at the OS level
Think Docker
supports microservices and serverless architecture