SEC+ Chapter 6 Flashcards
What are Cloud Deployment Models?
They classify how cloud services are owned and provisioned, impacting threats and vulnerabilities. The main types are Public (Multi-Tenant) Cloud, Hosted Private Cloud, Private Cloud, Community Cloud, and Hybrid Cloud.
What is a Public (Multi-Tenant) Cloud?
Offered over the Internet by Cloud Service Providers (CSPs) to multiple consumers. Characteristics include subscription or pay-as-you-go models and shared resources. Risks include performance issues and security vulnerabilities. Multi-Cloud involves using services from multiple CSPs for flexibility and redundancy.
What is a Hosted Private Cloud?
A cloud environment hosted by a third party exclusively for one organization. It offers enhanced security and performance but comes with higher costs.
Define Private Cloud.
A completely private infrastructure owned by the organization, providing greater control over privacy and security. Use cases include banking and governmental services requiring strict access control. Deployment can be on-premises or off-site.
What is a Community Cloud?
Shared by several organizations with common concerns, pooling resources for standardization and security policies.
Describe a Hybrid Cloud.
Combines public and private (or other) cloud infrastructures, offering flexibility, scalability, and cost savings. Use cases include switching between private and public clouds based on demand. Challenges involve data risk when moving between environments and maintaining consistent security policies.
What is Single-Tenant Architecture in cloud security?
Dedicated infrastructure for a single customer, offering the highest security and complete control but at a higher cost with customer-managed security.
What is Multi-Tenant Architecture in cloud security?
Shared infrastructure among multiple customers, making it cost-effective but increasing the risk of unauthorized access or data leakage.
What defines Hybrid Architecture in cloud security?
Combines public and private clouds, offering flexibility and control over sensitive data but posing challenges in managing multiple environments and maintaining consistent security policies.
What is Serverless Architecture?
The cloud provider manages the infrastructure and automatically scales resources. Advantages include enhanced security managed by the provider, while customers are responsible for securing access to applications and data.
What are the advantages of Hybrid Cloud?
Flexibility and scalability by utilizing public cloud resources when needed, cost savings by optimizing resource usage based on demand, and data redundancy by replicating data across on-premises and cloud environments.
What are the challenges of Hybrid Cloud?
Security management for consistent policies across environments, ensuring compliance with regulatory requirements, mitigating vendor lock-in with multi-cloud strategies, and addressing network latency issues due to data transfers between environments.
What are the Cloud Service Models (XaaS)?
Service models are differentiated by their complexity and degree of pre-configuration. The main types are Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
What is Software as a Service (SaaS)?
Access software applications hosted by CSPs on a subscription basis. Examples include Microsoft Office 365, Salesforce, and Google G Suite. Advantages include quick provisioning and no need for local installations. CSP manages infrastructure security, while users manage application-level security.
What is Platform as a Service (PaaS)?
Provides infrastructure plus a platform for developing and deploying applications. Examples include Oracle Database, Microsoft Azure SQL Database, and Google App Engine. Advantages include simplified development and scalable resources. It follows a shared responsibility model in which the CSP manages platform security and users secure their own applications.
What is Infrastructure as a Service (IaaS)?
Provides virtualized computing resources over the Internet. Examples include Amazon EC2, Microsoft Azure Virtual Machines, Oracle Cloud, and OpenStack. Advantages include high flexibility and scalable infrastructure. CSP manages physical infrastructure, while users manage OS, applications, and data security.
What are Third-Party Vendors in Cloud Computing?
External entities providing cloud services (IaaS, PaaS, SaaS). Considerations include vendor selection based on security practices and compliance, contract negotiation to define SLAs and responsibilities, service performance reliability, compliance with regulations, mitigating vendor lock-in through multi-cloud or hybrid strategies, and ensuring data portability and interoperability.
What is the Shared Responsibility Model in cloud security?
Division of security responsibilities between the Cloud Service Provider (CSP) and the customer. The CSP handles physical security, infrastructure security, data center backup and recovery, resource isolation, infrastructure monitoring, and incident response. Customers are responsible for user identity management, configuring data storage locations, access controls, data and application security configurations, securing operating systems, and managing encryption and key protection.
What is the difference between Centralized and Decentralized Computing?
Centralized Computing: All data processing and storage in a single location (e.g., mainframes, client-server models). Advantages include strict control and centralized management. Disadvantages include a single point of failure and scalability limitations.
Decentralized Computing: Data processing and storage distributed across multiple locations or devices. Advantages include improved fault tolerance, scalability, and flexibility. Examples include Blockchain, Peer-to-Peer (P2P) Networks, Content Delivery Networks (CDNs), Internet of Things (IoT), Distributed Databases, and TOR (The Onion Router).
What are Resilient Architecture Concepts in cloud services?
Cloud services designed to withstand and recover from failures at various levels. Key features include a virtualization layer for resource pooling and redundancy, data replication across multiple servers/datacenters, and High Availability (HA) guaranteeing 99.99% uptime using redundant hardware and failover mechanisms.
What are the types of Data Replication in cloud architectures?
Local Replication: Within a single datacenter, protecting against localized failures.
Regional Replication (Zone-Redundant Storage): Across multiple datacenters within a region, protecting against datacenter outages.
Geo-Redundant Storage (GRS): Across multiple regions, protecting against regional disasters.
What are the best practices for Resilient Architecture in cloud services?
Implement redundancy by ensuring multiple copies of data and resources, use automated failover to quickly switch to backup systems in case of failure, and regularly test disaster recovery (DR) plans to ensure effectiveness.
What is Application Virtualization?
Runs applications hosted on a server or streamed to clients without full desktop virtualization. Examples include Citrix XenApp, Microsoft App-V, and VMware ThinApp. Advantages include simplified application deployment and reduced client-side management. Use cases include remote access to applications via web browsers (clientless solutions).
What is Container Virtualization?
Isolates applications at the OS level using containers instead of full virtual machines. Key features include resource separation (allocating CPU and memory to containers) and a shared OS kernel for isolated processes. Examples include Docker and Kubernetes. Advantages include being lightweight and efficient, which suits microservices and serverless architectures. Risks involve integration issues and the complexity of managing distributed containers. Best practices include using Infrastructure as Code (IaC) and applying security measures such as isolating containers and managing secrets securely.
What are the key features of Cloud Architecture?
High Availability through data replication and redundancy, auto-scaling; Disaster Recovery with monitoring, alerting, and SLAs; Compute Capabilities like elastic compute and serverless computing; Networking with secure communication and CDNs; Identity and Access Management (IAM) with advanced security features; and Containerization & Orchestration supporting microservices.
What are Cloud Security Considerations?
Data protection through access controls and encryption, patch management aligning with CSP policies, secure communication and access using SD-WAN and SASE, and best practices like implementing strong IAM policies, regularly auditing and monitoring, and adopting Defense in Depth.
What is Infrastructure as Code (IaC) in Cloud Automation?
Manages infrastructure using machine-readable definition files (YAML, JSON, HCL). Benefits include automation reducing manual configuration errors, consistency ensuring reproducible deployments, and version control treating infrastructure configurations as code. Tools include Terraform, Ansible, and CloudFormation.
What are Responsiveness Mechanisms in Cloud Automation?
Load Balancing to distribute traffic across servers, Edge Computing to place resources closer to data sources reducing latency, and Auto-Scaling to automatically adjust resources based on demand, optimizing performance and reducing costs.
What is Software-Defined Networking (SDN)?
Abstracts network functions into three planes—Control Plane (decision-making for traffic prioritization and routing), Data Plane (execution of routing and switching based on Control Plane decisions), and Management Plane (monitoring traffic conditions and network status). Functionality includes network controllers implementing policies via northbound APIs, automation through APIs and scripting, and Network Functions Virtualization (NFV). Advantages are simplified management, flexibility, and scalability.
What are Embedded Systems?
Specialized computing systems that perform dedicated functions within larger systems. Applications include home appliances, smartphones, automotive systems, industrial automation, medical devices, and aerospace and defense equipment.
What are Real-Time Operating Systems (RTOS)?
Operating systems designed for applications requiring real-time processing and response. Characteristics include high stability and processing speed, and they are purpose-built for critical applications. Examples are VxWorks, FreeRTOS, AUTOSAR, and Siemens SIMATIC WinCC Open Architecture. Risks include complexity, system-level attacks, and severe consequences of failure in critical applications.
What are Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA)?
ICS: Systems for workflow and process automation in critical infrastructure like power, water, and health services.
SCADA: Advanced ICS for large-scale, multiple-site operations. Components include PLCs (Programmable Logic Controllers), HMIs (Human-Machine Interfaces), Data Historians, and SCADA Servers. Applications span the energy, industrial, fabrication and manufacturing, logistics, and facilities sectors. Security considerations: these systems have historically lacked IT security, they prioritize Availability and Integrity over Confidentiality, and they require cybersecurity measures such as network segmentation, access controls, IDS, encryption, and continuous monitoring. Notable incidents include the Stuxnet Worm and the Casino Fish Tank Thermometer Hack.
What is the Internet of Things (IoT)?
A network of physical devices embedded with sensors, software, and connectivity to collect and exchange data. Components include sensors and actuators, communicating with each other and cloud-based systems. Cloud integration provides computational power for data analytics on large datasets. Examples include smart homes, smart cities, healthcare, agriculture, manufacturing, and more. Factors driving adoption are cost reduction, connectivity advances, data explosion, and pandemic impacts. Security risks involve inadequate security measures, lack of standardization, data volume challenges, and notable attacks like Mirai Botnet and Spy Devices. Best practices include following frameworks and standards from organizations like IoTSF, IIC, CSA, and ETSI.
What is Deperimeterization in cloud security?
Shifts focus from defending network boundaries to protecting individual resources and data within the network. Approach includes implementing multiple security measures around data, applications, and services, such as robust authentication, encryption, access control, and continuous monitoring.
What is Zero Trust Architecture (ZTA)?
A security model based on the principle ‘Never trust, always verify.’ It assumes no inherent trust for any user, device, or application, regardless of location. Key features include continuous verification and authorization, granular access controls, microsegmentation, and least privilege access.
What trends are driving Deperimeterization?
Cloud adoption, remote workforces, mobile devices, outsourcing and contracting, and wireless networks (Wi-Fi).
What are the benefits of Zero Trust Architecture?
Greater security through continuous authentication and verification, better access controls based on need-to-know, improved governance and compliance with enhanced visibility and control, and increased granularity in access decisions.
What are the components of Zero Trust Architecture?
Network and Endpoint Security, Identity and Access Management (IAM), Policy-Based Enforcement, Cloud Security, Network Visibility, Network Segmentation, Data Protection, and Threat Detection and Prevention.
What are some Zero Trust Architecture examples?
Google BeyondCorp, Joint Enterprise Defense Infrastructure (JEDI), Cisco Zero Trust Architecture, and Palo Alto Networks Prisma Access.
What are the fundamental concepts of Zero Trust Security?
Adaptive Identity, Threat Scope Reduction, and Policy-Driven Access Control.
What is Device Posture in Zero Trust Security?
Assessing the security status of devices (configurations, software versions, patch levels) to determine compliance with security requirements.
What are the Control and Data Planes in Zero Trust Architecture?
Control Plane: Manages policies for authentication and authorization through a centralized policy engine and policy administrator.
Data Plane: Establishes secure data pathways based on control plane decisions, implemented via Policy Enforcement Points (PEP) and Implicit Trust Zones.