M10: Cloud, AI and IoT security Flashcards
What is Cloud Computing?
A model for enablish ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.
NIST definition
What motivates Cloud Computing?
- Efficiency,
- Scalability,
- Agility,
- Resilience
What are the key techniques in creating a cloud?
Abstraction and orchestration.
Essential Charactertistics
Shared resources
* Broad Network Access,
* Rapid Elasticity,
* Measured Service,
* On-Demand Self-Service
Service Models
Sometimes refered to as SPI tiers
* SaaS - Software as a Service
* PaaS - Platform as a Service
* IaaS - Infrastructure as a Service
Often providers dont fall neatly into any one categoy
Deployment Models
- Public
- Private
- Hybrid
- Community
Simple Reference Architecture
SaaS build on PaaS build on IaaS
IaaS
Physical facilities and Hardware. Pooled using abstraction and orchestration. APIs allows remote management of resources and delivery to consumers.
PaaS
A difficult to define middle layer between Infrastructure and Software. It provides abstraction from the underlying infrastructure. Additionally, here software can be deployed without worrying about the complexities.
SaaS
Software as a service. Full, multitenant applications are exposed here through API or web browsers. The Applications are build and maintained by the provider and consumers consume these.
Locical Model
Consists of 4 diffierent layered structures
* Infrastructure - Harware components
* Metastructure - Middleware
* Infostructure - Data
* Applistructure - Applications
Key Difference between Cloud and Traditional Computing
Metastructure. In cloud the Metastructure layer also includes a management plane, which allows remote access and configuration of the infrastructure.
Virtual and physical layers in cloud
In cloud computing each layer often has two separate layers. The infrastructure layer thus has both an actual infrastructure on which the cloud is running, and a virtual layer exposed to the consumers.
Shared Responsibility Model
As Cloud computing is a shared resource, so does Security become a shared responsibility
SaaS security responsibility
Provider (higher) - responsible for almost all security. Perimeter, Logging, Monitoring and Auditing.
Consumer (lower) - Authorzation and Entitlements
PaaS security responsibilities
Provider (equal) - responsible for the platform security.
Consumer (equal) - responsible for all they implement
IaaS security responsibilites
Provider (lower) - is responsible for foundational security
Consumer (Higher) - is responsible for everything they build.
Most important security consideration
Exactly who is responsible for what in any given cloud project.
Shared responsibility correlates to two recommendations
Providers must clearly document their security controls and security features.
Consumers must build a responsibility matrix to document who is implementing which controls and how.
High-level process for Managing cloud security
- Identify necessary security and comliance requirements and existing controls
- Select cloud provider, service and deployment model
- Define Architecture
- Asses security controls
- Identify control gaps
- Design and implement controls to fill gaps
- Manage changes over time
Important to do this on a per provider basis
What are the CSA recommendations
- Understand differences between cloud and traditional. Impact of virtualization, abstration and automation on security
- Become familiar with the NIST and CSA
- Cloud providers should clearly document security controls and features.
- Assess and documnet cloud project security, compliance, controls and responsibilities
- Use a cloud security process model to select providers, design architectures, identify control gaps and implement security and compliance controls
Cloud computing impacts 4 areas
- Governance - how the org is run
- Enterprise risk management - the overall risk management of the org
- Information risk management - the overall management of risk to information
- Information security - the tools and practices used to manage the information risks.
Impact on governance and management
Impacts include
* Governance can never be outsourced
* Cloud provider is (yet) another third party
* Cloud provider is often rigid in their contractual offerings, by necessity.
Managed with
* Contracts
* Provider Assessments
* Compliance Reporting
* Audits
Enterprise Risk Management
Overall risk management for the org, cannot be outsources.
Risk management is based on shared risk model.
Relies on good contracts and documentation. Can delve into technical details.
What is Risk Tolerance?
The amount of risk that leadership and/or stakeholder are willing to accept.
Impact of SaaS on security
Relies heavily on the contracts and on the providers ability to deliver.
Impact of PaaS on security
Less reliance on provider, more on consumer. Providers usually have little room for negotiation in contracts.
Impact of PaaS on security
Much the same security considerations as for a normal data center, with the added complexity of shared resources and the Mangament Plane
Impact of Public Deployment
Shared resourced.
Consumer has greatly reduced ability to govern operations.
Impact of Private Deployment
A private cloud can still be managed by a third party, and while you no longer have a shared resource, you still have a third party to negotiate with.
Impact of Hybrid Deployment
Since hybrid cloud environments span two or more deployment models, both models must be considered.
Impact of Community Deployment
It is not public, but does involve negotiating the community to reach concensus.
Cloud Risk Management Trade-Offs
- Less physical control over assets and their control and processes.
- Greater reliance on contracts, audits and assessments
- Increased requirement for proactive management of relationships and adherence.
- Cloud customer has reduced need to manage risks that Provider accepts.
- Outsources mangement or some risks, but none of the accountability.
What are the LLM kategori
Large Language Model
- Customer/Product LLM
- Company LLM
- Consumer LLM
What is a primary consumer concern
Sharing of proprietary data with the cloud
What are 3 common AI-Security issues
- Attacks on AI
- Theft AI
- Errors
What is a simple model of IaaS, PaaS, SaaS
- IaaS - Ops without hardware
- PaaS - Devs without ops
- Saas - Business without devs
Cloud security tips and tricks
- Design for failure
- Paranoid Architecture
- Update and roll out new instances
- Encryption at rest
What are the legal implications of Cloud Computing?
It is your responsibility to pick a supplider who delivers the necessary level of safety, security and proceedures. It is your responsibility to kontrol that they honor this agreement.
- Data must remain in EU or be compliant
- Use of encryption
- Limit suppliers access to data
- Registered rights
What defines IOT?
- Millions of devices
- Multiple communication protocols
- Simple Cheap (sensorts, meters)
- Fast Expensive (cars, homes)
- Smart Cities, Industry 4.0, Smart Agriculture
