Sec+ Chapter 10: Cloud and Virtualization Security Flashcards
Cloud computing
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction
Key benefits provided by the cloud
Can you explain each one?
1) On-demand self-service computing
2) Scalability: vertical and horizontal scaling
3) Elasticity
4) Measured service
5) Agility and flexibility
5 key roles in the cloud
Can you explain each one?
1) Cloud service providers
2) Cloud consumers
3) Cloud partners
4) Cloud auditors
5) Cloud carriers
IaaS
Infrastructure as a service, AKA hardware as a service
This is essentially providing you with the hardware required to get your services up and running
CSP gives you a system with storage, CPU, and networking
You’re responsible for the apps and OS running on the infrastructure, as well as data security
You could encrypt your data and the CSP wouldn’t be able to look at your private data
EX: Web service provider that gives you a server, but nothing else
SaaS
Software as a service
Fully managed apps running in the cloud; you don’t need to load an OS, configure or write software, update or patch the system, etc
You just log in and use the service they provide
CSP manages both apps and data
EX: Payroll or email services like Gmail or Classy
PaaS
Platform as a service
CSP gives you a platform for you to develop your own apps
They provide the OS, the infrastructure underneath, virtualization services, and the building blocks to write your own apps customized just for you
They have access to your apps, data, and anything else that makes up the app
Think of it as a CSP giving you the building blocks to create a modular app instead of you writing them from scratch
If you need a login or inventory screen, it’s all ready for you to use
EX: Salesforce
FaaS
Function as a service
An example of PaaS computing
Take the OS out of the equation and instead perform individual tasks based on the functions requested by the app
The app dev takes each function of the app and deploys it into a stateless compute container, a processor that responds to API requests
Our app sends an API request to the compute container, and the results are sent back to the client
We can have compute containers that are only available as we need them
EX: As people do inventory management, we can have inventory compute containers that are built and torn down as people access those services
If nobody is using those features, you don’t need to keep a server running and maintained for something not in use
If a user does need to perform a function, you can spin up an individual compute container, perform the request, and disable the compute container; it’s ephemeral
These containers may run for a single event and when it’s done they disappear
Common to have this running at a third party, who would be in charge of the security of data and apps used
MSP
Managed service provider
Organizations that provide IT services to customers
May handle IT completely, or focused services like network design, network connectivity management, backup and disaster recovery, app monitoring, cloud cost management, growth management and planning, etc
MSSP
Managed security service provider
A niche of MSP
MSPs who offer security services like general monitoring, vulnerability management, incident response, patch management, emergency response, and firewall management
Cloud deployment models
Can you explain them?
1) Public cloud: available to everyone on the internet
2) Private cloud: your own virtualized local data center
3) Community cloud: several orgs share the same resources
4) Hybrid cloud: a mix where you determine what parts of your app are public and private
Public cloud bursting
Using private cloud as primary, but leveraging public cloud capacity when demand exceeds private cloud infrastructure capacity
Shared responsibility model
Where cloud customers divide responsibilities between one or more service providers and the customers’ own cybersecurity teams
Always document the division of responsibilities very clearly
CSA
Cloud Security Alliance
Org focused on developing and promoting best practices in cloud security
CCM
Cloud Controls Matrix
Developed by CSA, serves as a ref doc to help orgs understand the appropriate use of cloud security controls and map those controls to regulatory standards
Hypervisor
A type of computer software, firmware, or hardware that creates and runs virtual machines
Enforces isolation between VMs, VMs and hosts, etc
Virtualization
A technology that allows the hardware resources of a single computer to be divided into multiple VMs
Bare metal hypervisor
Type 1 hypervisor
Operates directly on top of the underlying hardware and supports a guest OS for each VM
Most common in datacenter virtualization because it’s highly efficient
Type 2 hypervisor
Runs as an app on top of an existing OS
OS supports the hypervisor and hypervisor requests resources for each guest OS from the host
Less efficient than type 1
Containerization
Provides application-level virtualization
Instead of creating complex VMs that require their own OS, containers package apps and allow them to be treated as units of virtualization that become portable across OS and hardware platforms
Cloud storage offerings
Can you explain them?
1) Block storage: allocates large volumes of storage for use by virtual server instances
2) Object storage: provides customers with the ability to place files in buckets and treat each as an independent entity that can be accessed over the web or through an API
Three key cloud security considerations
Can you explain them?
1) Set permissions properly
2) Consider high availability and durability options
3) Use encryption to protect sensitive data
SDN
Software defined networking
Where you separate the functionality of networking devices into two instances:
Control plane: The management and ongoing config of the devices
Data plane: The actual operation
EX: Router has a control plane that allows you to config the router and set up routing tables, and the data plane performs the router forwarding
EX: You can dynamically deploy firewalls or IPS, and they’re all software
SDV
Software defined visibility
This allows us to deploy NGFW, WAF, IPS, etc while also understanding exactly what data is flowing between all of our systems
Almost always includes SIEM that consolidates all the data into one centralized database
SDV must also understand the VXLAN (virtual extensible LAN) and what data is encrypted using SSL/TLS
Security groups
A firewall for computer instances that controls inbound and outbound traffic flows
Works at OSI layer 4 for TCP / UDP, and also works at OSI layer 3 with individual IPs
VPC
Virtual private cloud
Cloud based systems located at a global provider with no public access to any resources
These use all internal (private) IP addressing, and the only way you can connect is using a VPN
It gives you the advantages of a cloud-based system with all the privacy, since nobody on the internet has direct access to your data
VPC Endpoint
Allows you to have private access between the application instance and the data, and restrict access from anyone else
You don’t need internet connectivity to access these apps
Transit gateway
Think of this as a router that’s in the cloud
It provides connectivity for all of our users via VPN
Users at home or in-office connect through a VPN into the transit gateway, where they have access to all of the apps running on the multiple VPCs
DevOps
An approach to technology management where devs and ops teams are brought together instead of isolated from one another
Often works with an agile approach to software dev
IaC
Infrastructure as code
A key enabling technology behind DevOps
The process of automating the provisioning, management, and deprovisioning of infrastructure services through scripted code instead of human intervention
Every time we deploy an app instance, we use this code description to deploy it identically every single time
Data sovereignty
A principle that states data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed
VM Escape
An attack that exploits a vulnerability allowing attackers on one VM to gain access to resources on another VM
That should never happen, because this person would have full control of your virtual environment, apps, and all of your data
VM Sprawl
When IaaS users create virtual service instances and forget about them, leaving them to accrue major costs, and pose security risks
Always make sure every virtual object is identified and you can track it from when it’s created until it’s deprovisioned
SWG
Secure web gateway
Monitors web requests made by internal users and evaluates them against an org’s security policy, blocking requests that don’t fit
EX: Monitor API usage for detailed information about how they’re queried and what queries are being made
API inspection
Use of technology to scrutinize API requests for security issues
3 cloud governance efforts
1) Vetting vendors being considered for cloud partnerships
2) Managing vendor relationships for stability
3) Overseeing an org’s portfolio for cloud activities
Auditability
Cloud computing contracts should always include language that guarantees the right of the customer to audit the cloud service provider
CASB
Cloud access security brokers
Software tools, security appliances, or cloud based solutions that help enforce the security policies you’ve created with data you’re storing in the cloud
Inline CASB
Physically or logically resides in the connection path between the user and the cloud service
Requires configuration of the network and/or endpoint devices
Advantage is seeing requests before they’re sent to the cloud service
API based CASB
Interact directly with the cloud provider through their API
Doesn’t require any user device configuration
Doesn’t allow CASB to block reqs that violate policy
Resource policies
Offered by cloud providers to their customers to limit the actions that can be taken in a customer’s account
Protects the data from the apps as well as the apps themselves
API security
Orgs want additional security for APIs, especially for authentication
Limit use of the API to only the apps or users authorized to use it, and only communicate with the API over encrypted protocols
Use a WAF to apply rules to API comms
The API should have security controls that limit what it can do based on the user’s rights and permissions
EX: If a user is read only, only read API calls are accessible to that user
XaaS
Anything as a service
A broad description of any type of service provided over the cloud, usually those available on the public cloud vs private cloud in your own data center
Pricing is flexed to pay for what you use
Anything you’re doing in house with tech could potentially be outsourced to a cloud system, which shifts IT’s focus to taking the tech needed and applying it in the cloud
Edge computing
The apps running and the decisions being made from the data created by these apps occur on the local system and don’t go out to the internet
EX: IoT devices are all collecting data in your environment and processing it locally
Fog computing
Cloud + IoT
A distributed cloud architecture that lets us send info into the cloud for processing without requiring it all be consolidated in one single place
Any data our IoT device needs to make local decisions can stay local on the device
But we might want to take some data and move it to cloud for additional processing, and we can compare what we’re seeing with what others see and make our devices more effective
SIAM
Service integration and management
How we consolidate the view of all cloud services into one single management interface
EX: Connect Azure, AWS, and Rackspace
Orchestration
Automates the provisioning and deprovisioning of an app; a central key to the success of cloud computing
Provision an app instantly with no human intervention (servers, network configs, security components, or anything associated with that app)
You can also orchestrate where the app instance is provisioned (EU when EU is awake, US when US is awake)
Security components should always be a part of the orchestration
AZ
Availability zone
Locations within a cloud region (geographical location); each is self-contained with independent power, HVAC, network configs, etc
Anything that happens in one AZ has no effect on another AZ
IAM
Identity and access management
Who gets access, what they get access to, combine users into groups, set granular policies, synchronize all user roles across all platforms