Responsibilities In The Cloud Flashcards
What decisions around physical security does the cloud provider have to be concerned about ?
Includes the campus on which the data center facility is located, physical components inside and services supported to connect them.
Decision - Build or Buy
Data Centres often get around Urban restrictions by using remote locations must consider power, customer location and protection from natural disasters.
What are the areas the provider has to consider for physical security ?
Secure Communications
Infrastructure hardening and baselines
Hardware Logging
In a non IAAS model what other considerations around security does the provider have to take on ?
Secure virtualisation configuration
Installation of secure OD
What are the providers networking security considerations ?
Communication Protection - VPN, Encryption, Strong Authentication
Vulnerability Assessments
Firewalls
Honeypots
IDS/IPS based rulesets
Describe an internal audit ?
An audit is performed by employees of organisation - used by management as evidence of due diligence
Describe an external audit ?
Performed by outside auditors - independent normally used as evidence of due diligence and normally take the form of a vulnerability test or pentest
What is the first phase of audit preparation ?
Terms of audit negotiated prior to start - Typical limitations are office location, artifacts, systems - a.k.a scope of the audit
What are the main characteristics of an audit report ?
Audits report on gaps between intended outcomes and the actual environment. Auditors should not recommend solutions as this could be perceived as a conflict of interests. The report should only be published with reservations and qualifications.
Describe the SOC report levels ?
SOC 1 - Deals with auditing and financial reports not really applicable to cloud security
SOC 2 Covers securuty, availability, confientialiy, availability and privacy
SOC 2 - 1 reviews the design of controls not how implemented
SOC 2- 2 covers implementation and maintenance
SOC 3 - Highlevel findings for upper management is just a seal of approval and compliance contains no detail
Describe audit process ?
Audits are not meant to be exhaustive covering every part of the system but should cover a sample size
Describe OS Backup choices ?
Snapshots,
Software tools
Agents
Remember as VMs are stored as files they to need to be patched before bringing them into service. All backups need to be tested.
The provider and the customer have to determine who will be responsible for establishing the secure build of the configuration template as well as performing version control activities.
Describe OS Hardening ?
This should include
Removal of unnecessary services and libraries
Closing unused ports
Limiting Admin access
Ensuring default accounts are removed
Ensuring logging is enabled
With a lack of phyiscal access what do customers have to rely on ?
Customer must rely on SOC, contract and SLA’s
What is software defined networking ?
Switches traditionally had to work out the best routes and stop circular messaging using spanning tree protocol (STP). STP is outdated and SDN is an attempt to alleviate this and routing logic from switches to a server instead and just allow the switch to move data.
The data plane is just the movement of the data from point A to point B by the Switch. The switch must communicate with the server to understand the routing rules via the control plane.
DOS at the switch level has now become possible.
What is another term for SDN data plane ?
Southbound