Lesson 6: Secure Cloud Network Architecture Flashcards
Define a ‘cloud deployment model’
Classifying the ownership and management of a cloud as public, private, community, or hybrid.
Define a ‘Public (or multi-tenant)’ cloud model
A cloud that is deployed by cloud service providers (CSPs) for shared use by multiple independent tenants; Subscriptions or pay-as-you-go financing.
Define ‘Multi-cloud architecture’
Cloud deployment model where the cloud consumer uses multiple public cloud services.
Define a ‘Hosted Private’ cloud model
Hosted by a third party for the exclusive use of an organization.
Define a ‘Private’ cloud model
A cloud that is deployed for use by a single entity.
Define a ‘Community’ cloud model
A cloud that is deployed for shared use by cooperating tenants/organizations.
Define ‘Single-tenant architecture’
Infrastructure dedicated to a single customer, ensuring that only that customer can access it; strongest isolation but the most expensive option.
Define ‘Multi-tenant architecture’
Multiple customers share the same infrastructure, with each customer’s data and applications separated logically from other customers.
What are positives/negatives of Multi-tenant architecture?
Cost-effective but can increase the risk of unauthorized access or data leakage if not properly secured.
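Added example (not part of the original flashcards): the "logical separation" in a multi-tenant architecture only holds if every data access is scoped to the requesting tenant. The script below uses an in-memory SQLite table with constructed rows for two hypothetical tenants and shows a lookup that forgets the tenant scope leaking another tenant's record, beside the scoped version that does not.

```python
import sqlite3

# Constructed sample data: two tenants whose rows share one table, as in a
# multi-tenant deployment. Tenant names and ids are made up for this example.
ROWS = [
    ("tenant-a", 1, "invoice-a-1"),
    ("tenant-a", 2, "invoice-a-2"),
    ("tenant-b", 3, "invoice-b-1"),
]

def build_db():
    """In-memory SQLite database standing in for the shared backend store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (tenant_id TEXT, id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", ROWS)
    return conn

def get_invoice_unscoped(conn, invoice_id):
    """Weak: selects by record id only. The caller's tenant is never checked,
    so a tenant that guesses or enumerates another tenant's id reads its data."""
    return conn.execute(
        "SELECT tenant_id, id, name FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()

def get_invoice_scoped(conn, tenant_id, invoice_id):
    """Hardened: the tenant id taken from the authenticated session is part of
    every predicate, so another tenant's record is simply not found."""
    return conn.execute(
        "SELECT tenant_id, id, name FROM invoices WHERE tenant_id = ? AND id = ?",
        (tenant_id, invoice_id),
    ).fetchone()

def cross_tenant_leak(use_scoped_lookup):
    """Simulate tenant-b asking for invoice id 1, which belongs to tenant-a.
    Returns True if the lookup hands back a row owned by a different tenant."""
    conn = build_db()
    if use_scoped_lookup:
        row = get_invoice_scoped(conn, "tenant-b", 1)
    else:
        row = get_invoice_unscoped(conn, 1)
    conn.close()
    return row is not None and row[0] != "tenant-b"

if __name__ == "__main__":
    print("unscoped lookup leaks cross-tenant data:", cross_tenant_leak(False))
    print("scoped lookup leaks cross-tenant data:  ", cross_tenant_leak(True))
```

The tenant id must come from the authenticated session, never from a request parameter, otherwise the scoped query is only as strong as the client's honesty.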
Define ‘Hybrid architecture’
Combination of public and private cloud.
Define ‘Serverless architecture’
Cloud provider manages the server infrastructure and automatically scales resources up or down based on demand.
Define a ‘Cloud service model’
Classifying the provisioning of cloud services and the limit of the cloud service provider’s responsibility as software, platform, infrastructure, and so on.
Define ‘anything as a service (XaaS)’
The concept that most types of IT requirements can be deployed as a cloud service model.
Define ‘Software as a service (SaaS)’
A cloud service model that provisions fully developed application services to users; examples: Microsoft 365, Salesforce, RingCentral.
Define ‘Platform as a service (PaaS)’
Between SaaS and IaaS; Cloud service model that provisions application and database services as a platform for development of apps.
Define ‘Infrastructure as a service (IaaS)’
A cloud service model that provisions virtual machines and network infrastructure.
Define a ‘Third-party vendor’
External entities that provide organizations with goods, services, or technology solutions.
How do organizations manage 3rd party vendor (CSP) agreements?
By adopting SLAs (Service Level Agreements) to mitigate cloud platform risks, ensure service quality, and optimize cloud deployments.
Define a ‘Service Level Agreement (SLA)’
Contractual agreement between organizations and service providers that outline the expected levels of service delivery.
What is the purpose of a Service-level agreement (SLA)?
Provide a framework to hold vendors accountable for delivering services at required performance levels.
What components of Service-level agreements (SLAs) determine service levels?
Metrics, such as uptime, performance, and support response times, along with penalties or remedies if service levels are not met.
Define ‘Centralized computing architecture’
A model where all data processing and storage is performed in a single location, typically a single server.
Define ‘decentralized computing architecture’
A model in which data processing and storage are distributed across multiple locations or devices.
What are examples of Centralized computing architecture?
Mainframe computers and client-server architectures.
What are examples of decentralized computing architecture?
Blockchain, Peer-to-peer (P2P) networks, Content delivery networks (CDNs), IoT devices, Tor, Distributed databases.
What is the foundation of cloud services?
Virtualization
Define ‘high availability (HA)’
Metric that defines how closely systems approach the goal of providing service/data availability 100% of the time while maintaining a high level of system performance.
How is high availability (HA) achieved?
Redundancy of hardware/links; Replication
Define ‘Replication’
Automatically copying data between two processing systems.
Define ‘synchronous replication’
Data is written to both systems before the write is acknowledged, so the copies never diverge; write latency increases with the distance between the systems.
Define ‘asynchronous replication’
Data is acknowledged on the primary system and copied to the secondary system afterwards; the secondary can lag behind, so the most recent writes may be lost if the primary fails.
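Added example (not from the original flashcards): a small model of the two replication modes. The latency figures and the "flush" step are constructed to show the trade-off; with synchronous replication every write pays the round trip to the replica but nothing is lost on failover, while asynchronous replication acknowledges immediately and whatever is still queued is lost when the primary fails.

```python
class Replica:
    """Secondary system that receives copies of the primary's writes."""
    def __init__(self):
        self.data = {}

class SyncPrimary:
    """Synchronous replication: the replica applies the write before the
    primary acknowledges it, so the two copies never diverge."""
    def __init__(self, replica, rtt_ms):
        self.data = {}
        self.replica = replica
        self.rtt_ms = rtt_ms            # modelled round trip to the replica
        self.total_latency_ms = 0

    def write(self, key, value):
        self.data[key] = value
        self.replica.data[key] = value  # must complete before the ack
        self.total_latency_ms += self.rtt_ms
        return "ack"

class AsyncPrimary:
    """Asynchronous replication: the primary acknowledges immediately and ships
    the write to the replica later, so the replica may lag behind."""
    def __init__(self, replica, rtt_ms):
        self.data = {}
        self.replica = replica
        self.rtt_ms = rtt_ms
        self.total_latency_ms = 0
        self.pending = []               # replication queue, i.e. the lag

    def write(self, key, value):
        self.data[key] = value
        self.pending.append((key, value))
        return "ack"                    # no wait on the replica

    def flush(self):
        """Drain the queue to the replica (happens in the background for real)."""
        while self.pending:
            k, v = self.pending.pop(0)
            self.replica.data[k] = v

def failover_outcome(primary_cls, rtt_ms=5):
    """Write three records, let replication catch up after the first one only,
    then lose the primary. Returns (keys missing on the replica, total write latency)."""
    replica = Replica()
    primary = primary_cls(replica, rtt_ms)
    primary.write("k1", "v1")
    if isinstance(primary, AsyncPrimary):
        primary.flush()                 # lag drained once, then writes continue
    primary.write("k2", "v2")
    primary.write("k3", "v3")
    # The primary fails here; the replica is promoted and serves what it has.
    missing = [k for k in ("k1", "k2", "k3") if k not in replica.data]
    return missing, primary.total_latency_ms

if __name__ == "__main__":
    print("synchronous :", failover_outcome(SyncPrimary))
    print("asynchronous:", failover_outcome(AsyncPrimary))
```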
Define ‘hot storage’
CSP storage performance tier; Data is retrieved quickly at a high rate.
Define ‘cold storage’
CSP data storage performance tier where data is retrieved at a slower rate (and usually at lower cost).
What is the best replication solution for a cloud database?
Low-latency hot storage with synchronous replication.
How can an organization provide a lower latency service to customers utilizing a cloud service?
Provisioning resources in multiple availability zones and regions.
List the 3 cloud service provider replication tiers
- Local replication
- Regional replication
- Geo-redundant storage
Define ‘local replication’
Replicates customer data within a single datacenter in the region where you created your storage account.
Define ‘Regional replication/zone-redundant storage’
Replicates customer data across multiple datacenters within one or two regions.
Define ‘Geo-redundant storage (GRS)’
Replicates customer data to a secondary region that is distant from the primary region.
Define ‘Application virtualization’
A software delivery model where the code/application runs on a server and is streamed to a client.
What technology is the foundation of application virtualization?
HTML5, because users can access the streamed application through ordinary web browser software.
Define ‘Containerization’
Enforces resource separation at the operating system level, with each container holding everything required to run a service, application, or microservice.
How does an OS separate containers?
The OS defines an isolated “cell” for each instance to run in, and each cell is allocated its own CPU and memory resources.
Define a ‘virtual private cloud (VPC)’
A private network segment made available to a single cloud consumer on a public cloud.
What are typical services of a virtual private cloud (VPC)?
Authentication, web applications, and communications.
What is the infrastructure used to support a virtual private cloud (VPC)?
Applications are developed as functions and microservices, each interacting with the other functions to service client requests.
Define a ‘Microservice’
An independent, single-function module with well-defined and lightweight interfaces and operations.
What is the purpose of a ‘Microservice’
Architectural approach to building software applications as a collection of small and independent services focusing on a specific business capability.
Define ‘Infrastructure as Code (IaC)’
Deployment/management of infrastructure is performed by scripted automation and orchestration using machine-readable definition files.
List different file types that contain code that is read and executed by machines in Infrastructure as Code (IaC)
YAML, JSON, and HCL (HashiCorp Configuration Language.)
What is defined in files like YAML, JSON, and HCL (HashiCorp Configuration Language)?
Configuration settings, networking requirements, security policies, and other settings.
What is the main purpose of Infrastructure as Code (IaC)?
Infrastructure can be deployed and managed automatically and consistently, reducing the risk of errors caused by manual intervention.
What is a secondary benefit of Infrastructure as Code (IaC)?
Replicate infrastructure across different environments, such as development, staging, and production, to ensure that the environments are consistent.
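Added example (not from the original flashcards): since IaC definition files carry the networking requirements and security policies, they can be checked before anything is deployed. The script parses a JSON definition and flags an administrative port open to the world, unencrypted storage, and public storage. The JSON structure here is invented for the example and does not follow any real provider's schema; the weak and corrected definitions are constructed.

```python
import json
import ipaddress

# Constructed, hypothetical IaC definitions (JSON). The resource schema is
# invented for this example, not a real provider's format.
WEAK_TEMPLATE = json.dumps({
    "resources": [
        {"name": "app-sg", "type": "security_group",
         "ingress": [
             {"port": 443, "protocol": "tcp", "cidr": "0.0.0.0/0"},
             {"port": 22,  "protocol": "tcp", "cidr": "0.0.0.0/0"}]},
        {"name": "data-bucket", "type": "object_store",
         "encryption": "none", "public": True},
    ]
})

FIXED_TEMPLATE = json.dumps({
    "resources": [
        {"name": "app-sg", "type": "security_group",
         "ingress": [
             {"port": 443, "protocol": "tcp", "cidr": "0.0.0.0/0"},
             {"port": 22,  "protocol": "tcp", "cidr": "10.0.0.0/8"}]},
        {"name": "data-bucket", "type": "object_store",
         "encryption": "aes256", "public": False},
    ]
})

# Remote-administration ports that should never be reachable from anywhere.
ADMIN_PORTS = {22, 3389, 5985, 5986}

def is_world_open(cidr):
    """True when the CIDR covers every address (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def check_template(text):
    """Return a list of (resource name, finding) tuples for policy violations."""
    findings = []
    for res in json.loads(text)["resources"]:
        if res["type"] == "security_group":
            for rule in res.get("ingress", []):
                if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
                    findings.append((res["name"],
                                     f"admin port {rule['port']} open to {rule['cidr']}"))
        elif res["type"] == "object_store":
            if res.get("encryption", "none") == "none":
                findings.append((res["name"], "storage not encrypted at rest"))
            if res.get("public"):
                findings.append((res["name"], "storage is publicly readable"))
    return findings

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, check_template(tpl) or "no findings")
```

Running such a check in the pipeline that applies the definition files is what turns IaC into a security control rather than just a faster way to repeat a misconfiguration across every environment.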
Define ‘Edge Computing’
Cloud networking concept utilizing distributed computing resources to minimize the distance data needs to travel.
What is the purpose of edge computing?
To reduce network latency and improve responsiveness.
Define ‘software-defined networking (SDN)’
Networking model with APIs and compatible network appliances enabling programmable networking.
What are the 3 ‘planes/levels’ of software-defined networking (SDN)?
- Control Plane
- Data Plane
- Management Plane
Define the ‘Control Plane’
Makes decisions about how traffic should be prioritized, secured, and where it should be switched.
Define the ‘Data Plane’
Handles the switching and routing of traffic and enforcement of security access controls.
Define the ‘Management Plane’
Monitors traffic conditions and network status.
What is the management plane comprised of?
Administrators and their devices along with front end management.
How are decisions from the control plane processed at the data plane?
A network controller application, which interfaces with the network devices using APIs.
Define a ‘northbound API’
Interface between the SDN applications and the SDN controller (Control plane to Management plane).
Define ‘southbound API’
Interface between the SDN controller and the SDN appliances (Control plane to Data plane).
Define an ‘Interconnection Security Agreement (ISA)’
Establishes the security requirements and responsibilities between the organization and the cloud service provider.
What is the purpose of an Interconnection Security Agreement (ISA)
To define encryption methods, access controls, vulnerability management, data segregation techniques, specify data ownership, audit rights, and data backup, recovery, and retention procedures.
What are the two main cloud security considerations?
Data protection and pathing of services.
Define ‘Software-Defined Wide Area Network (SD-WAN) ‘
Services that use software-defined mechanisms and routing policies to implement virtual tunnels and overlay networks over transport networks.
What is the purpose of an organization implementing Software-Defined Wide Area Network (SD-WAN)?
Enables organizations to connect their various branch offices, datacenters, and cloud infrastructure over a wide area network (WAN).
Define ‘Secure Access Service Edge (SASE)’
Combines security services like firewalls, identity and access management, and secure web gateway with networking services such as SD-WAN to provide access to cloud applications.
Define an ‘Embedded system’
Electronic system that is designed to perform a specific, dedicated function.
What are examples of items that use embedded systems?
Smartphones, Automotive systems, medical devices, aerospace and defense.
Define a ‘Real-Time Operating Systems (RTOS)’
A type of OS with high levels of stability and processing speed to ensure consistent, predictable response times.
Define ‘Internet of Things (IoT)’
The network of physical devices, and other objects embedded with sensors, software, and connectivity, enabling them to collect and exchange data.
How does oversaturation of IoT devices cause security risk?
Too many devices to manage securely; IoT devices are designed with limited processing power and memory, making it difficult to implement strong security controls.
Define ‘zero trust’
Security design paradigm where every request (host-to-host or container-to-container) must be authenticated and authorized before being allowed, regardless of where it originates.
Define ‘Deperimeterization’
Security approach that shifts the focus from defending a network’s boundaries to protecting individual resources and data within the network.
How is deperimeterization achieved?
Authentication, encryption, access control, and continuous monitoring to maintain the security of critical resources regardless of location.
What are the 3 fundamental concepts of zero trust architecture?
- Adaptive Identity
- Threat scope reduction
- Policy-driven access control
Define ‘Adaptive Identity’
Recognizes that user identities are not static and that identity verification must be continuous and based on a user’s current context and the resources they are attempting to access.
Define ‘Threat scope reduction’
Similar to role-based access control (RBAC)/least privilege; access is limited to only those resources required to complete a specific task.
Define ‘Policy-driven access control’
Attribute Based Access Control (ABAC); Access control policies enforce access restrictions based on user identity, device posture, and network context.
Define ‘device posture’
Refers to the security status of a device, including its security configurations, software versions, and patch levels.
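Added example (not from the original flashcards) covering the three zero trust concepts above together: a policy engine that evaluates each request against user identity, device posture, and network context (policy-driven access control), re-runs on every request rather than once at login (adaptive identity), and restricts the permitted actions per resource (threat scope reduction). The policy table, attribute names, and requests are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Request:
    """One access request with the attributes the policy engine evaluates.
    Field names and values are constructed for this example."""
    user: str
    roles: frozenset
    mfa_passed: bool
    device_managed: bool
    patch_age_days: int      # device posture: days since the last patch
    disk_encrypted: bool     # device posture
    network: str             # "corp", "vpn" or "internet"
    resource: str
    action: str

# Hypothetical policy table. Every condition listed for a resource must hold;
# a resource with no policy entry is denied by default.
POLICIES = {
    "hr-db": dict(roles_any={"hr", "hr-admin"}, mfa=True, device_managed=True,
                  max_patch_age_days=30, disk_encrypted=True,
                  networks={"corp", "vpn"}, actions={"read", "write"}),
    "wiki":  dict(roles_any={"employee", "hr", "hr-admin", "eng"}, mfa=False,
                  device_managed=False, max_patch_age_days=90,
                  disk_encrypted=False, networks={"corp", "vpn", "internet"},
                  actions={"read"}),
}

def evaluate(req):
    """Return (decision, reason). Called on every request, not once at login."""
    pol = POLICIES.get(req.resource)
    if pol is None:
        return "deny", "no policy for resource (default deny)"
    if req.action not in pol["actions"]:
        return "deny", f"action {req.action!r} not permitted (threat scope reduction)"
    if not (req.roles & pol["roles_any"]):
        return "deny", "identity lacks a role for this resource"
    if pol["mfa"] and not req.mfa_passed:
        return "deny", "step-up MFA required for this resource"
    if pol["device_managed"] and not req.device_managed:
        return "deny", "unmanaged device"
    if req.patch_age_days > pol["max_patch_age_days"]:
        return "deny", f"device posture: patches are {req.patch_age_days} days old"
    if pol["disk_encrypted"] and not req.disk_encrypted:
        return "deny", "device posture: disk not encrypted"
    if req.network not in pol["networks"]:
        return "deny", f"network context {req.network!r} not allowed"
    return "allow", "all policy conditions satisfied"

# Constructed requests: the same user on a compliant device, then after the
# device has drifted out of policy (adaptive identity re-evaluates each time).
HR_ROLES = frozenset({"hr", "employee"})
COMPLIANT = Request("alice", HR_ROLES, True, True, 3, True, "vpn", "hr-db", "read")
DRIFTED = Request("alice", HR_ROLES, True, True, 45, True, "vpn", "hr-db", "read")
WIKI_READ = Request("alice", HR_ROLES, False, False, 45, False, "internet", "wiki", "read")
WIKI_WRITE = Request("alice", HR_ROLES, False, False, 45, False, "internet", "wiki", "write")

if __name__ == "__main__":
    for req in (COMPLIANT, DRIFTED, WIKI_READ, WIKI_WRITE):
        print(req.resource, req.action, "->", evaluate(req))
```

The same identity gets different answers for the same resource depending on the device's current posture, which is the difference between a zero trust decision and a one-time login check.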
Combining a software defined networking, and zero trust architecture, what is the role of the control plane?
Defines/manages policies that dictate how users and devices are authorized to access network resources.
Combining a software defined networking, and zero trust architecture, what is the role of the data plane?
Systems in the data plane establish sessions for secure information transfers between resources.