Lesson 15 Secure Cloud Solutions Flashcards

1
Q

CASB

A

Cloud Access Security Broker

Enterprise management software used to mediate access to cloud services by users across all types of devices

Controls how your users interact with the application (on the CSP) and how the application interacts with the user

Functions provided:

  • enable single sign-on authentication, access controls, and authorizations
  • scan for malware and rogue access points (APs)
  • monitor and audit user and resource activity
  • mitigate data exfiltration through prevention of access to unauthorized cloud services
  • prevent unauthorized application and plugin updates

Implemented using:

  • forward proxy at the client network edge (requires user configuration)
  • reverse proxy at the cloud network edge (no user configuration)
  • application programming interface (API) using connections between the cloud service and cloud consumer
2
Q

Data Bias

A

A problem with machine learning in which attackers skew the data points to ‘teach’ the model bad things or make bad things trend toward the norm

3
Q

Community cloud service

A

A community cloud service is shared by a group of similar organizations with similar needs

Example: a cloud service built to serve hospitals

4
Q

MSSP

A

Managed Security Service Provider

A third-party organization hired to manage another company’s security

5
Q

SWG - Secure Web Gateway

A

Secure Web Gateway

A class of products used to perform content filtering

An on-premises SWG is a proxy-based firewall, content filter, and IDS/IPS system that mediates user access to internet sites and services

6
Q

Security Groups

A

Provides stateful inbound and outbound filtering at layer 4 (the transport layer)

A security group is a set of firewall rules that control traffic for your instance

Multiple compute instances can be assigned to the same security group

7
Q

Cloud Deployment Models

A

Classifies how the service is owned and provisioned

  • Public or multi-tenant
  • Hosted Private
  • Private
  • Community

Can have a hybrid of these

Flexibility is the key advantage of cloud computing, but data risks must be watched for

8
Q

Public or Multi-tenant Deployment model

A

Using shared resources in the cloud

Multi-cloud is where you use services from multiple CSPs

9
Q

Hosted Private Deployment model

A

A third-party hosted cloud deployment offering a better level of performance at a cost

Gives exclusive use

10
Q

Private Deployment model

A

Cloud infrastructure completely owned and operated by the organization

Gives the organization more control over privacy and security

Geared toward banking and government services

Can be on-site, which is better for performance and less likely to have outages

Can be off-site if it needs to be shared between business units

11
Q

Community Deployment model

A

Several organizations share the cost of either a hosted private or a fully private cloud

Done to pool resources for a common concern

12
Q

Cloud Service Models

A

Infrastructure as a Service (IaaS)
- CSP provides IT resources

Software as a Service (SaaS)
- CSP provides software applications

Platform as a Service (PaaS)

  • CSP provides a mix of IaaS and SaaS allowing developers to create applications
  • Includes a multi-tier database
13
Q

XaaS Anything as a Service

A

Can provision almost anything in the cloud

The security concern is where the responsibility lies

Security in the cloud (you) vs security of the cloud (CSP)

14
Q

Security as a Service

A

Depending on third-party support for security
3 tiers:
Consultants - used for big-picture framework analysis and alignment or for specific product-focused projects

Managed Security Services Provider (MSSP) - fully outsourced responsibility for information assurance
- expensive and requires great trust

Security as a Service (SECaaS) - typically means implementing a particular security control, such as virus scanning or SIEM-like functionality in the cloud

15
Q

Virtualization

A

Installing and running multiple OSs on a single host computer

Requires three components:

  • host hardware as the platform
  • hypervisor or virtual machine monitor (VMM) to manage the VM environment and facilitate interaction with the host hardware and network
  • Guest OSs, virtual machines (VMs) or instances of operating systems running under the virtual environment
16
Q

Virtual platforms

A

Type 1 - Bare metal - the hypervisor is installed directly onto the computer and manages access to the host hardware without going through a host OS

Type 2 - Guest OS (hosted) - the hypervisor is installed onto the host operating system

17
Q

VDI and Thin Clients

A

Virtual Desktop Infrastructure (VDI)

  • using a VM to provision corporate desktops
  • allows for use of thin clients

Thin Client

  • minimal OS to start up
  • connects to a VM stored on corporate infrastructure
  • uses Remote Desktop protocol
  • all work is done in the virtual desktop environment (VDE) on the server side

Provides better data security and easier support, and can offload IT infrastructure to a third party

Failure of the server or network can cause an outage for the user; downtime is more costly in terms of lost productivity

18
Q

App Virtualization

A

A more limited form of VDI

Think Citrix

The client accesses the application from the server or streams the app from the server for local processing

Used with HTML5 Remote Desktop apps and referred to as clientless, as they are accessed via the web browser

19
Q

Container Virtualization

A

Containers do away with the hypervisor

Enforces resource separation at the OS level

Think Docker

Supports microservices and serverless architecture

20
Q

VM Escape Protection

A

VM escape is malware running on a guest OS jumping to another guest or to the host

Attackers use the timing of certain actions to determine if they are running on a VM
Attackers then compromise the hypervisor

This is a concern if another guest OS has the malware: the attackers can then gain access to your guest OS and make a copy of your server image

Patching in a timely manner is key to preventing VM escape

Reduce the impact of VM escape by using effective service design and network placement when deploying VMs

Think Internet - firewall - web host - firewall - middleware/backend services - LAN

21
Q

VM Sprawl

A

This happens when a system has many VMs which are not properly managed.

Users bring up a VM for just a minute to test something but never really destroy it.

These VMs are then undocumented and unpatched, leaving them vulnerable to attacks. This increases the attack surface of the network.

Policies and procedures for tracking, securing, and, when no longer used, destroying virtualized assets should be put in place and enforced

Also tightly control VM images, since they are easy targets for logic bombs, backdoors, or any other malicious code planted by insider threats.

22
Q

XaaS diagram from class

A

SaaS
client - Data
CSP - brings App, OS, HW
example - webmail

PaaS
client - Data and Apps
CSP - OS, HW
example - Azure Dev Platform

IaaS
client - Data Apps OS
CSP - HW
example - AWS

23
Q

Cloud Security Controls

A

App Security and Identity and Access Management (IAM)

  • similar to on-premises solutions
  • enables the creation of users and user security groups plus role-based management and policy
24
Q

Secrets Management

A

Enforce a strong authentication policy

  • do not use the root CSP user for day-to-day logon activity
  • require strong MFA for interactive logons
  • use conditional authentication to deny or warn of risky account activity
  • keep programmatic secrets safe after generation when they are put on a host
25
Q

Container Security (between containers)

A

Namespaces prevent one container from reading or writing to processes in another

Control groups ensure one container cannot overwhelm others in a DoS-type attack

26
Q

API Inspection and Integration

A

Monitoring API usage gives warning of system overload and allows detection of unauthorized usage or attempted usage

  • number of requests
  • latency: watch for high values, which could mean compute resources are insufficient or a DoS attack is under way
  • error rates: watch for authentication/access denied type errors
  • unauthorized and suspicious endpoints
27
Q

Instance (VM & Container) Awareness - Security managed instances

A

Instances should be monitored to avoid sprawl

Should restrict rights to launch instances

Configure logging and monitoring to track usage

28
Q

Cloud Storage security

A

Permissions & Resource Policies

  • allow reads/writes only from authorized endpoints
  • like an ACL for an object
  • can be an attack vector if misconfigured
  • watch for wildcard entries for permissions and/or principals (accounts) - breaks the least privilege principle

Encryption

  • in the cloud this is equivalent to FDE for an on-premises system
  • uses an AES key that must be available to the VM or container using the storage object
  • keys are stored in an HSM in the cloud
  • use encrypted protocols, HTTPS or IPsec
29
Q

Cloud High Availability

A

CSPs use redundancy for this

  • Replication to copy data to where it is best utilized
    • hot storage has lower retrieval rates
    • cold storage has higher retrieval rates
  • HA across Zones
    • local replication: data stays in the region where you created it
    • regional replication: data is replicated across multiple data centers; safeguards data if a single data center goes offline
    • geo-redundant storage (GRS): replicates data to a secondary region distant from the primary region to provide safeguards in the event of a disaster
30
Q

VPCs

A

A Virtual Private Cloud (VPC), like a VLAN in the cloud, is isolated from other CSP accounts and from other VPCs operating in the same account

  • isolates the workload for each VPC
  • a resource pool created in a public cloud
  • common to create multiple application clouds
31
Q

Public and Private Subnets

A

A VPC subnet can be either public or private

  • defaults to private
  • public must be configured within the VPC
    • two things are required for public/internet access
      • connection to an internet gateway
      • the internet gateway must be the VPC’s default gateway
32
Q

Transit Gateway

A

A means of connecting multiple VPCs together

  • similar to a router, a cloud ‘router’
  • connects users to VPCs
  • users connect using a VPN connection
33
Q

VPC Endpoints

A

A means of publishing a service, making it available to other VPCs

  • means the traffic is never exposed to the internet
  • two types: gateway and interface
34
Q

VPC Gateway Endpoint

A

Configured as a route to the service in the VPC’s route table

35
Q

VPC Interface Endpoints

A

Allows private access to custom services

36
Q

Cloud Firewall security

A

Cloud firewalls filter traffic within, to, and from the cloud and can be implemented several ways

  • as software running on an instance as a sort of host-based firewall, similar to a stateful packet filter or web app firewall with rulesets tuned to prevent malicious attacks
  • as a service at the virtualization layer to filter the traffic between VPC subnets and instances, similar to a network firewall
37
Q

Security Groups aws

A

An AWS implementation
Provides stateful inbound and outbound filtering at layer 4
- the default security group allows all traffic
- a custom security group sets the ports and endpoints which are allowed for inbound/outbound traffic - only allowed traffic is permitted, all other traffic is dropped

38
Q

Next-generation SWG

A

A next-generation Secure Web Gateway (SWG) combines the functionality of a SWG with data loss prevention (DLP) and a cloud access security broker (CASB), providing a cloud-hosted platform for client access to websites and cloud apps

Supports secure access service edge (SASE)

39
Q

SOA vs microservices

A

Service Oriented Architecture (SOA) allows a service to be built from other services
- loose coupling

Microservices should be capable of being developed, tested, and deployed independently
- highly decoupled

40
Q

Orchestration

A

Performing a sequence of automated tasks

  • run in proper sequence
  • consider dependencies
  • provide credentials at each step
41
Q

Service API

A

The means by which external entities interact with the service, calling the service with the expected parameters and receiving the expected output
To test and create web APIs:
- SOAP (Simple Object Access Protocol) uses XML and is tightly specified
- REST (Representational State Transfer) uses a URL and is a looser framework than SOAP

42
Q

Serverless Architecture (FaaS)

A

All architecture is hosted in the cloud

  • different from VPCs
  • services are developed as functions and microservices each interacting to facilitate a client request
  • a request will spin up a container to run the code and then destroy the container
  • also known as Function as a Service (FaaS)
  • depends on event-driven orchestration to facilitate operations
  • all underlying architecture is managed by the service provider
  • security is then based on ensuring the client is not compromised when accessing the service
  • guard against impersonation
43
Q

IaC and Snowflake system

A

Infrastructure as Code is an approach to infrastructure management where automation and orchestration fully replace manual configuration

A snowflake is a configuration or build that is different from any other
This lack of consistency, or drift, in the platform leads to security issues and unstable systems

The goal of IaC is to eliminate snowflake systems by ensuring idempotence

Idempotence means that making the same call with the same parameters will produce the same result.

44
Q

Cloud network functional model using planes

A

Cloud networks are complex, containing many devices. A model is used to simplify the required functions found in a network
Control Plane
- makes decisions about how traffic is prioritized and secured, and where it should be switched

Data Plane
- handles the actual switching and routing of traffic and imposition of security access controls

Management Plane
- monitors traffic conditions and network status

45
Q

SDN

A

Software Defined Networking (SDN) is an application used to define policy decisions on the control plane

46
Q

NFV

A

Network Functions Virtualization (NFV) is the architecture supporting rapid deployment of virtual networking on general-purpose VMs and containers

47
Q

SDV

A

Software Defined Visibility (SDV) supports assessment and incident response functions

  • gathers statistics from forwarding systems
  • applies classifications to those systems
  • detects network traffic that deviates from baseline levels
48
Q

Fog computing

A

Addresses the need to prioritize sensor data for analysis
A fog node performs aggregation of sensor data, analyzes and remediates alertable conditions, and backhauls the remaining data to the data center for storage and low-priority analysis

Target of DoS and data exfiltration attacks

49
Q

Edge computing

A

Edge devices are those that collect and depend on data for their operation

Edge gateways perform pre-processing of data to and from edge devices to enable prioritization.

  • will forward the data on to the fog node for trending
  • are targets of DoS and data exfiltration attacks