Module 4 - 03-4 Flashcards
Cloud hardening
Define Cloud network
A collection of servers or computers that stores resources and data in a remote data center that can be accessed via the internet.
They can host company data and applications using cloud computing to provide on-demand storage, processing power, and data analytics.
What services can cloud networks usually provide to their customers?
- Host company data and applications
- Fix security vulnerabilities within company applications
- Eliminate the need to set cloud configurations
- Store servers on company premises
Host company data and applications
Cloud networks can host company data and applications using cloud computing to provide on-demand storage, processing power, and data analytics.
What is one distinction between cloud network hardening and traditional network hardening?
The use of a server baseline image for all server instances stored in the cloud.
This allows you to compare data in the cloud servers to the baseline image to make sure there haven’t been any unverified changes.
Similar to OS hardening, data and applications on a cloud network are kept separate depending on their service category.
- older applications should be kept separate from newer applications
- software that deals with internal functions should be kept separate from front-end applications seen by users
Define Cloud computing
A model for allowing convenient and on-demand network access to a shared pool of configurable computing resources
What are some Cloud security considerations (6)?
- Identity access management (IAM)
- Configuration
- Attack surface
- Zero-day attacks
- Visibility and tracking
- Things change fast in the cloud
What does IAM stand for?
Identity access management (IAM)
Define and explain IAM
A collection of processes and technologies that helps organizations manage digital identities in their environment.
This service also authorizes how users can use different cloud resources.
A common problem that organizations face when using the cloud is the loose configuration of cloud user roles.
An improperly configured user role increases risk by allowing unauthorized users to have access to critical cloud operations.
Explain the role of Configuration for Cloud security considerations
The number of available cloud services adds complexity to the network.
Each service must be carefully configured to meet security and compliance requirements.
This presents a particular challenge when organizations perform an initial migration into the cloud.
When this change occurs on their network, they must ensure that every process moved into the cloud has been configured correctly.
If network administrators and architects are not meticulous in correctly configuring the organization’s cloud services, they could leave the network open to compromise.
Misconfigured cloud services are a common source of cloud security issues.
Explain the role of Attack surface for Cloud security considerations
Cloud service providers (CSPs) offer numerous applications and services for organizations at a low cost.
Every service or application on a network carries its own set of risks and vulnerabilities and increases an organization’s overall attack surface.
An increased attack surface must be compensated for with increased security measures.
Cloud networks that utilize many services introduce lots of entry points into an organization’s network.
However, if the network is designed correctly, utilizing several services does not introduce more entry points into an organization’s network design.
These entry points can be used to introduce malware onto the network and pose other security vulnerabilities.
It is important to note that CSPs often defer to more secure options, and have undergone more scrutiny than a traditional on-premises network.
Explain the role of Zero-day attacks for Cloud security considerations
Zero-day attacks are an important security consideration for organizations using cloud or traditional on-premise network solutions.
A zero-day attack is an exploit that was previously unknown.
CSPs are more likely to know about a zero-day attack occurring before a traditional IT organization does.
CSPs have ways of patching hypervisors and migrating workloads to other virtual machines.
These methods ensure the customers are not impacted by the attack.
There are also several tools available for patching at the operating system level that organizations can use.
Define Zero-day attack
An exploit that was previously unknown.
Explain the role of Visibility and tracking for Cloud security considerations
Network administrators have access to every data packet crossing the network with both on-premise and cloud networks. They can sniff and inspect data packets to learn about network performance or to check for possible threats and attacks.
This kind of visibility is also offered in the cloud through flow logs and tools, such as packet mirroring.
CSPs take responsibility for security in the cloud, but they do not allow the organizations that use their infrastructure to monitor traffic on the CSP’s servers.
Many CSPs offer strong security measures to protect their infrastructure.
Still, this situation might be a concern for organizations that are accustomed to having full access to their network and operations.
CSPs pay for third-party audits to verify how secure a cloud network is and identify potential vulnerabilities.
The audits can help organizations identify whether any vulnerabilities originate from on-premise infrastructure and if there are any compliance lapses from their CSP.
Explain the role of Things change fast in the cloud for Cloud security considerations
CSPs are large organizations that work hard to stay up-to-date with technology advancements.
For organizations that are used to being in control of any adjustments made to their network, this can be a potential challenge to keep up with.
Cloud service updates can affect security considerations for the organizations using them.
For example, connection configurations might need to be changed based on the CSP’s updates.
Organizations that use CSPs usually have to update their IT processes.
It is possible for organizations to continue following established best practices for changes, configurations, and other security considerations.
However, an organization might have to adopt a different approach in a way that aligns with changes made by the CSP.
Cloud networking offers various options that might appear attractive to a small company—options that they could never afford to build on their own premises.
However, it is important to consider that each service adds complexity to the security profile of the organization, and they will need security personnel to monitor all of the cloud services.
Define the Shared Responsibility Model
The CSP must take responsibility for security involving the cloud infrastructure, including physical data centers, hypervisors, and host operating systems. The company using the cloud service is responsible for the assets and processes that they store or operate in the cloud.
The shared responsibility model ensures that both the CSP and the users agree about where their responsibility for security begins and ends.
A problem occurs when organizations assume that the CSP is taking care of security that they have not taken responsibility for.
One example of this is cloud applications and configurations.
The CSP takes responsibility for securing the cloud, but it is the organization’s responsibility to ensure that services are configured properly according to the security requirements of their organization.
What are some common cloud security hardening techniques (5)?
- Identity access management (IAM)
- Hypervisors
- Baselining
- Cryptography
- Cryptographic erasure
Explain IAM
Identity access management (IAM) is a collection of processes and technologies that helps organizations manage digital identities in their environment
Explain Hypervisor
A hypervisor abstracts the host’s hardware from the operating software environment.
There are two types of hypervisors.
Type one hypervisors run on the hardware of the host computer.
An example of a type one hypervisor is VMware®’s ESXi.
Type two hypervisors operate on the software of the host computer.
An example of a type two hypervisor is VirtualBox.
Cloud service providers (CSPs) commonly use type one hypervisors.
CSPs are responsible for managing the hypervisor and other virtualization components.
Vulnerabilities in hypervisors or misconfigurations can lead to virtual machine escapes (VM escapes).
A VM escape is an exploit where a malicious actor gains access to the primary hypervisor, potentially the host computer and other VMs.
How many types of hypervisors are there?
There are two types of hypervisors.
- Type one
- Type two
Explain Type One hypervisors
Type one hypervisors run on the hardware of the host computer.
An example of a type one hypervisor is VMware®’s ESXi.
Explain Type Two hypervisors
Type two hypervisors operate on the software of the host computer.
An example of a type two hypervisor is VirtualBox.
Define a VM Escape
An exploit where a malicious actor gains access to the primary hypervisor, potentially the host computer and other VMs.
Explain Baselining
Baselining for cloud networks and operations covers how the cloud environment is configured and set up.
A baseline is a fixed reference point.
This reference point can be used to compare changes made to a cloud environment. Proper configuration and setup can greatly improve the security and performance of a cloud environment.
Examples of establishing a baseline in a cloud environment include: restricting access to the admin portal of the cloud environment, enabling password management, enabling file encryption, and enabling threat detection services for SQL databases.
Explain Cryptography in the cloud
Cryptography uses encryption and secure key management systems to provide data integrity and confidentiality.
Cryptographic encryption is one of the key ways to secure sensitive data and information in the cloud.
Encryption is the process of scrambling information into ciphertext, which is not readable to anyone without the encryption key.
Encryption primarily originated from manually encoding messages and information using an algorithm to convert any given letter or number to a new value.
Modern encryption relies on the secrecy of a key, rather than the secrecy of an algorithm.
Cryptography is an important tool that helps secure cloud networks and data at rest to prevent unauthorized access.
Explain Cryptographic erasure
Cryptographic erasure is a method of erasing the encryption key for the encrypted data.
When destroying data in the cloud, more traditional methods of data destruction are not as effective.
Crypto-shredding is a newer technique where the cryptographic keys used for decrypting the data are destroyed.
This makes the data undecipherable and prevents anyone from decrypting the data.
When crypto-shredding, all copies of the key need to be destroyed so no one has any opportunity to access the data in the future.
Explain Key Management
Modern encryption relies on keeping the encryption keys secure.
Below are the measures you can take to further protect your data when using cloud applications:
- Trusted platform module (TPM): a computer chip that can securely store passwords, certificates, and encryption keys.
- Cloud hardware security module (CloudHSM): a computing device that provides secure storage for cryptographic keys and processes cryptographic operations, such as encryption and decryption.
What does TPM stand for?
Trusted platform module (TPM)
Define TPM
A computer chip that can securely store passwords, certificates, and encryption keys.
What does CloudHSM stand for?
Cloud hardware security module (CloudHSM)
Define CloudHSM
A computing device that provides secure storage for cryptographic keys and processes cryptographic operations, such as encryption and decryption.
A key distinction between cloud and traditional network hardening is the use of a server baseline image, which enables security analysts to prevent _____ by comparing data in cloud servers to the baseline image.
- improper resource storage
- damaged data
- slow speeds
- unverified changes
unverified changes
Data and applications on cloud networks do not need to be separated based on their service category, such as their age or internal functionality.
- True
- False
False
Similar to OS hardening, data and applications on a cloud network should be kept separate depending on their service category. For example, older applications should be kept separate from new applications. And software that deals with internal functions should be kept separate from front-end applications seen by users.
Who is responsible for ensuring the safety of cloud networks? Select all that apply.
- Research department
- Individual users
- Cloud service provider
- Security team
- Individual users
- Cloud service provider
- Security team
_____ cloud services are a common source of cloud security issues.
- Misconfigured
- Unauthorized
- Shared
- Managed
Misconfigured