Sec+ Chapter 10: Cloud and Virtualization Security Flashcards

1
Q

Cloud computing

A

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction

2
Q

Key benefits provided by the cloud

Can you explain each one?

A

1) On-demand self-service computing

2) Scalability: vertical and horizontal scaling

3) Elasticity

4) Measured service

5) Agility and flexibility

3
Q

5 key roles in the cloud

Can you explain each one?

A

1) Cloud service providers

2) Cloud consumers

3) Cloud partners

4) Cloud auditors

5) Cloud carriers

4
Q

IaaS

A

Infrastructure as a service, AKA hardware as a service

This is essentially providing you with the hardware required to get your services up and running

CSP gives you a system with storage, CPU, and networking

You’re responsible for app and OS running on the infrastructure as well as data security

You could encrypt your data and the CSP wouldn’t be able to look at your private data

EX: Web service provider that gives you a server, but nothing else

5
Q

SaaS

A

Software as a service

Fully managed apps running in the cloud: you don’t load an OS, configure or write the software, or update and patch the system

You just log in and use the service they provide

CSP manages the app and everything underneath it; you remain responsible for your accounts, who you grant access, and the data you put into the service

EX: Payroll or email services like Gmail or Classy

6
Q

PaaS

A

Platform as a service

CSP gives you a platform for you to develop your own apps

They provide the OS, the infrastructure underneath, virtualization services, and the building blocks to write your own apps customized just for you

The CSP operates everything beneath your app, so it can technically reach your apps, your data, and anything else that makes up the app; check what contractual and encryption controls cover that

Think of it as a CSP giving you the building blocks to create a modular app instead of you writing them from scratch

If you need a login or inventory screen, it’s all ready for you to use

EX: Salesforce Platform (the app-building side of Salesforce; the CRM itself is SaaS)

7
Q

FaaS

A

Function as a service

A form of serverless computing that builds on PaaS

The OS and server are taken out of your view; you deploy individual functions and the provider runs them on demand as the app requests them

The app dev splits the app into functions and deploys each one into a stateless compute container that runs in response to API requests or events

The app sends an API request to the function, the provider runs it in a compute container, and the results are sent back to the client

Compute is only allocated while a function is actually running

EX: As people do inventory management, inventory compute containers are built and torn down as people access those features

If nobody is using those features, no server has to be kept running and maintained for something not in use

If a user does need to perform a function, the provider spins up a compute container, performs the request, and discards the container; it’s ephemeral

These containers may run for a single event and disappear when it’s done

The provider is responsible for the runtime, scaling, and the hosts underneath; you remain responsible for the function code, its dependencies, the permissions you grant it, and the data it handles

8
Q

MSP

A

Managed service provider

Organizations that provide IT services to customers

May handle IT completely, or focused services like network design, network connectivity management, backup and disaster recovery, app monitoring, cloud cost management, growth management and planning, etc

9
Q

MSSP

A

Managed security service provider

A niche of MSP

MSPs who offer security services like general monitoring, vulnerability management, incident response, patch management, emergency response, and firewall management

10
Q

Cloud deployment models

Can you explain them?

A

1) Public cloud: available to everyone on the internet

2) Private cloud: cloud infrastructure operated for a single org, typically your own virtualized data center (it can also be hosted by a third party on dedicated hardware)

3) Community cloud: several orgs share the same resources

4) Hybrid cloud: a mix where you determine what parts of your app are public and private

11
Q

Public cloud bursting

A

Using private cloud as primary, but leveraging public cloud capacity when demand exceeds private cloud infrastructure capacity

12
Q

Shared responsibility model

A

Where cloud customers divide responsibilities between one or more service providers and the customers’ own cybersecurity teams

Always document the division of responsibilities very clearly

13
Q

CSA

A

Cloud security alliance

Org focused on developing and promoting best practices in cloud security

14
Q

CCM

A

Cloud controls matrix

Developed by CSA, serves as a ref doc to help orgs understand the appropriate use of cloud security controls and map those controls to regulatory standards

15
Q

Hypervisor

A

A type of computer software, firmware, or hardware that creates and runs virtual machines

Enforces isolation between VMs, VMs and hosts, etc

16
Q

Virtualization

A

A technology that allows the hardware resources of a single computer to be divided into multiple VMs

17
Q

Bare metal hypervisor

A

Type 1 hypervisor

Operates directly on top of underlying hardware and supports guest OS for each VM.

Most common in datacenter virtualization because it’s highly efficient

18
Q

Type 2 hypervisor

A

Runs as an app on top of an existing OS

OS supports the hypervisor and hypervisor requests resources for each guest OS from the host

Less efficient than type 1

19
Q

Containerization

A

Provides application-level virtualization

Instead of creating complex VMs that each require their own OS, containers package an app with its dependencies and allow it to be treated as a unit of virtualization that is portable across OS and hardware platforms

Containers share the host’s kernel rather than running their own, so the isolation between them is weaker than between VMs; a kernel vulnerability affects every container on the host

20
Q

Cloud storage offerings

Can you explain them?

A

1) Block storage: allocates large volumes of storage for use by virtual server instances

2) Object storage: provides customers with the ability to place files in buckets and treat each as an independent entity that can be accessed over the web or through an API

21
Q

Three key cloud security considerations

Can you explain them?

A

1) Set permissions properly

2) Consider high availability and durability options

3) Use encryption to protect sensitive data

22
Q

SDN

A

Software defined networking

Where you separate the functionality of networking devices into two instances:

Control plane: The management and ongoing config of the devices

Data plane: The actual operation

EX: Router has a control plane that allows you to config the router and set up routing tables, and the data plane performs the router forwarding

EX: You can dynamically deploy firewalls or IPS, and they’re all software

23
Q

SDV

A

Software defined visibility

This allows us to deploy NGFW, WAF, IPS, etc while also understanding exactly what data is flowing between all of our systems

Almost always includes SIEM that consolidates all the data into one centralized database

SDV must also understand the VXLAN (virtual extensible LAN) and what data is encrypted using SSL/TLS

24
Q

Security groups

A

A virtual firewall attached to compute instances that controls inbound and outbound traffic flows

Rules match on protocol and port (OSI layer 4, TCP/UDP) and on source or destination IP address or CIDR range (OSI layer 3); in most providers the rules are stateful allow-lists, so anything not explicitly permitted is dropped
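As an added example (not part of the original flashcards or any provider’s code), the following Python models security-group semantics as described above: allow-only rules matched on protocol, port range, and source CIDR, with an unmatched packet dropped. The rule sets, IP addresses, and the `Rule` class are constructed for illustration. It also flags the classic misconfiguration a reviewer looks for first, an administrative port opened to the whole internet, and shows the hardened rule set beside the weak one.

```python
"""Evaluate security-group style rules against sample traffic (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" (all protocols)
    ports: tuple    # inclusive (low, high) port range; ignored for icmp / -1
    cidr: str       # source CIDR for an inbound rule


def rule_matches(rule, protocol, port, src_ip):
    """True if one rule permits this packet (protocol, port, source address)."""
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if rule.protocol in ("tcp", "udp"):
        low, high = rule.ports
        if not low <= port <= high:
            return False
    # Layer 3 check: source address must fall inside the rule's CIDR.
    return ip_address(src_ip) in ip_network(rule.cidr, strict=False)


def is_allowed(rules, protocol, port, src_ip):
    """Security groups are allow-lists: there are no deny rules, so a packet
    passes only if at least one rule matches; everything else is dropped."""
    return any(rule_matches(r, protocol, port, src_ip) for r in rules)


# Ports that should essentially never be reachable from 0.0.0.0/0.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def find_overexposed(rules):
    """Return (port, service) pairs that any internet host can reach."""
    findings = []
    for r in rules:
        if ip_network(r.cidr, strict=False).prefixlen != 0:   # not 0.0.0.0/0 or ::/0
            continue
        if r.protocol == "-1":
            findings.append((None, "all traffic"))
            continue
        low, high = r.ports
        for port, name in SENSITIVE_PORTS.items():
            if low <= port <= high:
                findings.append((port, name))
    return findings


# Constructed rule sets: the weak one exposes SSH to the internet, the hardened
# one restricts SSH to the internal address space and keeps only HTTPS public.
WEAK_INBOUND = [
    Rule("tcp", (22, 22), "0.0.0.0/0"),
    Rule("tcp", (443, 443), "0.0.0.0/0"),
]
HARDENED_INBOUND = [
    Rule("tcp", (22, 22), "10.0.0.0/8"),
    Rule("tcp", (443, 443), "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("weak, ssh from internet:", is_allowed(WEAK_INBOUND, "tcp", 22, "203.0.113.5"))
    print("hardened, ssh from internet:", is_allowed(HARDENED_INBOUND, "tcp", 22, "203.0.113.5"))
    print("hardened, ssh from 10/8:", is_allowed(HARDENED_INBOUND, "tcp", 22, "10.1.2.3"))
    print("overexposed in weak set:", find_overexposed(WEAK_INBOUND))
```

Real provider rule syntax differs (and some providers add explicit deny rules and priorities), but the evaluation order here, "does any allow rule match, otherwise drop", is the mental model the flashcard describes.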

25
Q

VPC

A

Virtual private cloud

A logically isolated virtual network that you define inside a public cloud provider’s infrastructure

You pick the private IP address ranges and subnets; nothing inside is reachable from the internet unless you explicitly attach an internet gateway or a public address to it

Private-only access to the VPC is typically provided over a VPN or a dedicated link from your own network

It gives you the advantages of a cloud-based system with the privacy of your own network, since nobody on the internet has direct access to your resources

26
Q

VPC Endpoint

A

Lets resources inside your VPC reach a provider service (object storage, a database service, or a service in another VPC) over the provider’s private network, and restricts that path to the principals and resources you allow in the endpoint policy

Traffic between the application instance and its data never leaves the provider’s network, so you don’t need internet connectivity for these apps to reach their data

27
Q

Transit gateway

A

Think of this as a router that’s in the cloud

It’s a hub that connects multiple VPCs and your on-premises networks (over VPN or a dedicated link), so each network doesn’t need its own connection to every other

Users at home or in-office connect through a VPN into the transit gateway, and from there they have access to the apps running in the multiple VPCs attached to it

28
Q

DevOps

A

An approach to technology management where devs and ops teams are brought together instead of isolated from one another

Often work in agile approach to software dev

29
Q

IaC

A

Infrastructure as code

A key enabling technology behind DevOps

The process of automating the provisioning, management, and deprovisioning of infrastructure services through scripted code instead of human intervention

Every time we deploy an app instance, we use the same code description, so it’s deployed identically every single time

30
Q

Data sovereignty

A

A principle that states data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed

31
Q

VM Escape

A

An attack that exploits a hypervisor vulnerability to break out of a guest VM onto the host, and from there reach the hypervisor and the other VMs running on it

That should never happen, because this attacker would have control of your virtual environment, apps, and all of your data; keep hypervisors patched, and don’t co-locate workloads of very different sensitivity on one host when that risk matters

32
Q

VM Sprawl

A

When IaaS users create virtual service instances and forget about them, leaving them to accrue major costs, and pose security risks

Always make sure every virtual object is identified and you can track it from when it’s created until its deprovisioned
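The tracking the flashcard calls for (every virtual object identified from creation to deprovisioning) is usually enforced through mandatory tags plus a periodic audit of the inventory. Below is an added example, not from the original page or any provider, of such an audit over a constructed inventory: it flags instances missing ownership tags, past their declared expiry, or idle (no login and near-zero CPU for 30 days). The tag names, thresholds, and instance records are assumptions for illustration.

```python
"""Flag virtual instances that have drifted out of lifecycle tracking (constructed example)."""
from datetime import datetime, timedelta, timezone

REQUIRED_TAGS = ("owner", "ticket", "expires")   # assumed tagging standard
IDLE_AFTER = timedelta(days=30)
IDLE_CPU_PERCENT = 2.0


def audit_inventory(instances, now):
    """Return {instance_id: [reasons]} for instances that look like sprawl.

    Each instance is a dict with: id, tags (dict), cpu_avg_30d (percent),
    last_login (ISO-8601 string with timezone, or None if never)."""
    findings = {}
    for inst in instances:
        reasons = []
        tags = inst.get("tags", {})

        # 1. Nobody owns it / nobody can say why it exists.
        missing = [t for t in REQUIRED_TAGS if t not in tags]
        if missing:
            reasons.append("missing tags: " + ", ".join(missing))

        # 2. It outlived the lifetime its creator declared.
        expires = tags.get("expires")
        if expires and datetime.fromisoformat(expires) < now:
            reasons.append("past expiry " + expires)

        # 3. Nobody has touched it and it is doing no work.
        last = inst.get("last_login")
        no_recent_login = last is None or now - datetime.fromisoformat(last) > IDLE_AFTER
        if no_recent_login and inst.get("cpu_avg_30d", 0.0) < IDLE_CPU_PERCENT:
            reasons.append("idle: no login in 30d and <%s%% CPU" % IDLE_CPU_PERCENT)

        if reasons:
            findings[inst["id"]] = reasons
    return findings


# Constructed inventory: one healthy instance, one untracked test box, one expired leftover.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "i-web-01",
     "tags": {"owner": "web-team", "ticket": "CHG-1001", "expires": "2025-01-01T00:00:00+00:00"},
     "cpu_avg_30d": 35.0, "last_login": "2024-05-30T09:00:00+00:00"},
    {"id": "i-test-07",
     "tags": {"owner": "dev"},
     "cpu_avg_30d": 0.4, "last_login": None},
    {"id": "i-old-03",
     "tags": {"owner": "data-team", "ticket": "CHG-0420", "expires": "2024-03-01T00:00:00+00:00"},
     "cpu_avg_30d": 0.1, "last_login": "2024-01-15T12:00:00+00:00"},
]

if __name__ == "__main__":
    for inst_id, reasons in audit_inventory(INVENTORY, NOW).items():
        print(inst_id, "->", "; ".join(reasons))
```

In practice the inventory list comes from the provider’s API or a CMDB export; the audit logic stays the same, and flagged instances go into a ticket for the owner (or, when there is no owner, to the team that approves decommissioning).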

33
Q

SWG

A

Secure web gateway

Monitors web requests made by internal users and evaluates them against an org’s security policy, blocking reqs that don’t fit

EX: Monitor API usage for detailed information about how they’re queried and what queries are being made

34
Q

API inspection

A

Use of technology to scrutinize API requests for security issues

35
Q

3 cloud governance efforts

A

1) Vetting vendors being considered for cloud partnerships

2) Managing vendor relationships for stability

3) Overseeing an org’s portfolio for cloud activities

36
Q

Auditability

A

Cloud computing contracts should always include language that guarantees the right of the customer to audit the cloud service provider

37
Q

CASB

A

Cloud access security brokers

Software tools, security appliances, or cloud based solutions that help enforce the security policies you’ve created with data you’re storing in the cloud

38
Q

Inline CASB

A

Physically or logically reside in the connection path between user and cloud service

Requires configuration of the network and/or endpoint devices

Advantage is seeing requests before they’re sent to the cloud service

39
Q

API based CASB

A

Interact directly with the cloud provider through their API

Doesn’t require any user device configuration

Doesn’t allow the CASB to block requests inline; it sees policy violations after the fact and can only alert or remediate

40
Q

Resource policies

A

Offered by cloud providers to their customers to limit the actions that can be taken in a customer’s account

Protects both the apps and the data they use; an explicit deny in a resource policy applies even to accounts whose own permissions would otherwise allow the action

41
Q

API security

A

Orgs want additional security for APIs, especially for authentication

Restrict the API to the apps and users authorized to use it, and only communicate with the API over encrypted protocols

WAF to apply rules to API comms

API should have security controls that limit what the API can do based on the user’s rights and permissions

EX: If a user is read only, that’s the only API calls accessible to that user
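As an added example (not from the original flashcards, and not any provider’s real policy engine), the Python below evaluates a small IAM-style resource policy of the kind described under Resource policies, and uses it to enforce the per-user API rights described here: a read-only principal can only make read calls, and a deny on unencrypted transport overrides every allow. The policy document, principal names, action names (`storage:GetObject`, etc.), and the `transport:secure` condition key are constructed for illustration; real policy languages have more operators and matching rules than this.

```python
"""Minimal evaluator for IAM-style resource policies (constructed example)."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(conditions, context):
    """Only a 'Bool' operator is implemented; each key must equal the expected value."""
    for key, expected in conditions.get("Bool", {}).items():
        if str(context.get(key, "")).lower() != str(expected).lower():
            return False
    return True


def evaluate(policy, principal, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one API call.

    Evaluation order (the same order real cloud engines use):
    implicit deny unless an Allow matches; an explicit Deny always wins."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        principals = _as_list(stmt["Principal"])
        if "*" not in principals and principal not in principals:
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny: stop immediately
        decision = "Allow"
    return decision


# Constructed policy on a payroll bucket: 'reader' is read-only, 'app' has full
# access, and nobody may touch the bucket over an unencrypted connection.
BUCKET_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Principal": "reader",
         "Action": ["storage:GetObject", "storage:ListBucket"],
         "Resource": "bucket:payroll/*"},
        {"Effect": "Allow", "Principal": "app",
         "Action": "storage:*",
         "Resource": "bucket:payroll/*"},
        {"Effect": "Deny", "Principal": "*",
         "Action": "storage:*",
         "Resource": "bucket:payroll/*",
         "Condition": {"Bool": {"transport:secure": "false"}}},
    ]
}

if __name__ == "__main__":
    obj = "bucket:payroll/2024-05.csv"
    tls = {"transport:secure": "true"}
    plain = {"transport:secure": "false"}
    print("reader GET over TLS:", evaluate(BUCKET_POLICY, "reader", "storage:GetObject", obj, tls))
    print("reader PUT over TLS:", evaluate(BUCKET_POLICY, "reader", "storage:PutObject", obj, tls))
    print("app PUT over TLS:   ", evaluate(BUCKET_POLICY, "app", "storage:PutObject", obj, tls))
    print("app PUT plaintext:  ", evaluate(BUCKET_POLICY, "app", "storage:PutObject", obj, plain))
```

The two properties worth carrying back to a real deployment are visible in the output: a principal with no matching Allow gets nothing (the read-only user’s write call is denied even though no statement names it), and a Deny statement wins over an Allow regardless of statement order. Note that this toy treats a missing condition key as "not false", so the Deny only fires when the context explicitly reports an insecure transport; a production engine’s handling of absent keys should be checked rather than assumed.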

42
Q

XaaS

A

Anything as a service

A broad description of any type of service provided over the cloud, usually those available on the public cloud vs private cloud in your own data center

Pricing is flexed to pay for what you use

Anything you’re doing in house with tech could potentially be outsourced into a cloud system, which makes IT more of a focus on taking the tech needed and applying it into the cloud

43
Q

Edge computing

A

The apps running and the decisions being made from the data created by these apps occur on the local system and don’t go out to the internet

EX: IoT devices are all collecting data in your environment and processing it locally

44
Q

Fog computing

A

Cloud + IoT

A distributed cloud architecture that lets us send info into the cloud for processing without requiring it all be consolidated in one single place

Any data our IoT device needs to make local decisions can stay local on the device

But we might want to take some data and move it to cloud for additional processing, and we can compare what we’re seeing with what others see and make our devices more effective

45
Q

SIAM

A

Service integration and management

How we consolidate the view of all cloud services into one, single management interface

EX: Connect Azure, AWS, and Rackspace

46
Q

Orchestration

A

Helps us automate the provisioning and deprovisioning of an app, and a central key to the success of cloud computing

Provision an app instantly with no human intervention (servers, network configs, security components, or anything associated with that app)

You can also orchestrate where the app instance is provisioned (EU when EU is awake, US when US is awake)

Security components should always be a part of the orchestration

47
Q

AZ

A

Availability zone

Isolated locations within a cloud region (a geographical area), each self-contained with independent power, HVAC, network connectivity, etc

They are designed so that a failure in one AZ does not affect another AZ, which is why workloads that need high availability are spread across more than one

48
Q

IAM

A

Identity and access management

Who gets access, what they get access to, combine users into groups, set granular policies, synchronize all user roles across all platforms