Section 13 - Cloud Computing

Question 1

This is defined as a way of offering on-demand services that extend the traditional capabilities of a computer or a network out into the internet.

Answer 1

Cloud Computing

Question 2

For cloud computing to gain its intended cost savings and efficiencies though, it relies heavily on the concept of…?

Answer 2

virtualization

Question 3

Through this numerous logical servers can be placed on a single physical server.

Answer 3

virtualization

*** this can help us reduce the amount of physical space, power and cooling that’s needed inside your data center.

Question 4

What is the one key benefit to cloud computing?

Answer 4

The ability to dynamically provision memory and CPU resources

** other benefits include decreased cost, increased scalability and unlimited elasticity.

Question 5

This allows providers to fully integrate the storage, network and servers without having to perform hardware changes.

Answer 5

Hyper-converged infrastructure

** this relies on software and virtualization technology to perform all of the needed integrations which can be managed from a single interface or device

Question 6

This allows a cloud provider to offer a fully desktop operating system to an end user from a centralized server.

Answer 6

VDI

Virtual Desktop Infrastructure

*** this is beneficial because if it is exploited by an attacker, it can be destroyed as soon as the user logs off. This destroys an attacker from remaining persistent on the end user’s desktop.

Question 7

When we look at numerous logical servers being stored on a single physical server, we have to consider a way to keep the data confidential and separated from the other logical servers too. To do this, we use…?

Answer 7

Secure Enclaves
Secure Volumes

Question 8

Secure Enclaves utilizes two distinct areas that the data may be stored and accessed from. Each enclave can be accessed by the proper processor. This is a technique that’s used by…?

Answer 8

Microsoft Azure

Question 9

Secure Volumes is a method of keeping data at rest, secure from prying eyes. When data on the volume is needed, a secure volume is mounted and it’s properly decrypted to allow that access. Once the volume is no longer needed, it’s encrypted again and unmounted from the virtual server. This is the same concept that’s used by…?

Answer 9

BitLocker (on a Windows laptop)

Filevault (on a Macbook)

Question 10

There are four different types of cloud. What are they?

Answer 10

Public
Private
Hybrid
Community

Question 11

The most common type of cloud architecture is the…?

Answer 11

public cloud

Question 12

Under this cloud method, a service provider makes resources available to the end user over the internet.

Answer 12

public cloud

*** Google Drive is an example of this

Question 13

This cloud services requires that a company creates its own cloud environment that only it can utilize as an internal enterprise resource to manage its cloud. This means the organization is responsible for the design, implementation and operation of the cloud resources and the servers that host them.

Answer 13

Private Cloud

** For example, the US government runs a private cloud for use by different organizations within the government. Generally, this option is chosen when security is more important to the organization than cost.

Question 14

This cloud service solution combines the benefit of both the public cloud and the private cloud options. Under this architecture, some resources are developed and operated by the organization itself like a private cloud would be, but the organization can also utilize the publicly-available resources or outsource services to another service provider like a public cloud does!

Answer 14

Hybrid Cloud

Question 15

Under this cloud model, the resources and costs are shared among several different organizations who have a common service need. This is similar to taking several private clouds and connecting them together.

Answer 15

Community Cloud

Question 16

Cloud computing also comes as four different types of services. These are?

Answer 16

Software as a Service

Infrastructure as a Service

Platform as a Service

Security as a Service

Question 17

With this cloud service, you’re going to be provided with a complete solution. This includes the hardware, the operating system, the software, the applications, everything that’s needed for that service to be delivered.

Answer 17

Software as a Service

*** Office 365 for Microsoft is an example of this

Question 18

With this cloud service, you get the benefit of dynamic allocation of additional resources known as elasticity but you don’t have to deal with the headache of long-term commitments and contracts, buying the hardware, and installing the underlying operating systems.

Answer 18

Infrastructure as a Service

*** you’re given everything you need to run a server, including the power, the space, the cooling, the network, the firewall, the physical servers and the virtualization layer.

Question 19

Under this cloud service, the third party vendor will provide your organization with all the hardware and software needed for a specific service to operate.

Answer 19

Platform as a Service

*** in addition to everything given under Infrastructure as a Service, you also receive the operating system and the infrastructure software (infrastructure software includes things like an Apache web server, a MySQL database, programming languages, etc.)

Question 20

This allows smaller organizations that don’t have the necessary security skills to essentially outsource them to some larger company. This is cheaper than hiring a team of cybersecurity professionals.

Answer 20

Security as a Service

Question 21

One of the first security services that began to be offered in the cloud was…?

Answer 21

anti-malware products

*** this is helpful because instead of installing a traditional antivirus or anti-malware program on your desktop or server, the client was instead configured to utilize the cloud to provide these protections which removed the need for installing one on your end client.

Question 22

One of the most effective forms of Security as a Service solutions is found in the form of…?

Answer 22

1. anti-spam products = these products allow all of the organization’s email to be routed through this cloud server first in order to detect any malware or spam.
2. vulnerability scanning = these scanners always remain up to date and the hardware/software needed to conduct the scan is provided to you.
3. sandboxing = utilizes separate virtual networks to allow security professionals to test suspicious or malicious files.
4. content filtering = allows the ability to create policies such as time limits, categories of content that should be blocked, as well as reporting to see any users who attempt to access the websites on your block list

Question 23

Once we begin to rely on virtualization and cloud computing for our deployments, it becomes very important to recognize that…?

Answer 23

our data might be hosted on the same physical server as another organization’s data

Question 24

What security vulnerabilities are introduced when using the cloud?

Answer 24

1. If the physical server crashes, it can affect all of the organizations hosted on that same physical server
2. If one organization does not maintain the security of their virtual environments, there is a possibility the attack can utilize that to the detriment of all other organizations on that same server.

Question 25

The cloud is made up of a lot of different types of servers. Name them:

Answer 25

1. File Servers
2. Email Servers
3. Web server
4. FTP server
5. Domain Controller

Question 26

This type of cloud server is used to store, transfer, migrate, synchronize, and archive your files.

Answer 26

File server

*** any computer can act as a file server. The server might be running Windows, Linux, or Mac OS X as its operating system.

Question 27

A web server is usually hosted by who on Windows and Linux/Mac?

Answer 27

Windows - Internet Information Systems (IIS)

Linux/Mac - Apache Web server

Question 28

The most common type of email server is?

Answer 28

Microsoft Exchange

Question 29

Your web server should always be placed in…?

Answer 29

your organization’s DMZ

Question 30

This type of cloud server is a specialized type of file server that’s used to host files for distribution across the web.

Answer 30

FTP server

Question 31

What is a domain controller called in Windows and Linux?

Answer 31

Windows - Active Directory

Linux - LDAP server

Question 32

This cloud server acts as a central repository of all your user accounts, your computer accounts, and their associated passwords for the network.

Answer 32

Domain controller

Question 33

Active Directory relies on ___ and its ticket granting system to conduct its user authentication functions.

Answer 33

Kerberos

*** For this reason, a common attack against Active Directory servers is known as “the golden ticket.”

Question 34

This attack uses a program known as “mimikatz” to exploit a vulnerability in the Kerberos ticket-granting system to generate a ticket that acts as a skeleton key for all of the devices in the domain.

Answer 34

The golden ticket

Question 35

An enterprise management software designed to mediate access to cloud services by users across all types of devices

Answer 35

CASB

Cloud Access Security Broker

*** essentially a middle man that helps you with your authentication and ensure that people are using the services they’re supposed to use

Question 36

What vendors sell CASB type products?

Answer 36

Symantec uses Blue Coat Proxy

Skyhigh Network which is made by McAfee

Cloudlock by Cisco

Question 37

What are the benefits of using cloud access security brokers?

Answer 37

1. They can enable a single sign-on authentication and enforce access controls and authorizations across your entire enterprise network up to the cloud provider
2. They can help you scan for malware and rogue devices and be able to find any of these devices that might be on your network
3. They can monitor and audit user and resource activity to know exactly what your users are doing on your network at any time
4. They can help you mitigate data exfiltration by performing functions like a data loss prevention system would

Question 38

The important thing to remember about cloud access service brokers is that they…?

Answer 38

provide visibility into how your clients and other network nodes are using your cloud services

Question 39

Setting up a security appliance or host that’s positioned at the client network edge, and then forwarding the user traffic to the cloud network if the contents of that traffic comply with the policy.

Answer 39

forward proxy in terms of a cloud access security broker

Question 40

An appliance that’s positioned at the cloud network edge and directs the traffic to the cloud services if the contents of that traffic comply with the policy.

Answer 40

reverse proxy

*** So, instead of having to go through the proxy to leave the network, you can leave the network, but you can’t get into the cloud network until you hit the proxy. That’s the idea of the reverse proxy.

Question 41

Reverse proxies only work if…?

Answer 41

the cloud application you’re trying to connect to supports proxies. If they don’t have proxy support, you can’t do a reverse proxy.

Question 42

This is a method that uses the broker’s connections between the cloud service and the cloud consumer to make changes.

Answer 42

application programming interface

(API)

*** Now, essentially, when we’re using the application programming interface, we’re sending data between the cloud service and the cloud consumer. And what we’re doing here is we’re being able to send information about those users. So, if I had a user account that’s now been disabled or authorization has been revoked from the local network because they were doing bad things, I can send that using the cloud broker over the API to the cloud service and say, “Hey, don’t let Jason in. We just fired that guy and his account has been disabled.” And so, they can now know not to give him access.

Question 43

This is a library of programming utilities that are used to enable software developers to access functions of another application.

Answer 43

API

Application Programming Interface

*** Through API, it’s allows for automated administration, management, and monitoring of cloud services, as well as lots of other applications.

Question 44

APIs commonly use either __ or __ as their frameworks…?

Answer 44

REST or SOAP

Question 45

APIs allow for ___ between a lot of different cloud services

Answer 45

Integration

*** Cloud service providers allow for us to do provisioning, configuration, deep provisioning, and lots of other things to their services through APIs This allows us to have direct integration of different third-party applications into our own web applications.

Question 46

One of the ways that you can test APIs is using a tool known as…?

Answer 46

CURL

This is a tool to transfer data from one server to another and you can do this using any supportive protocol including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP, or FILE.

Question 47

A newer technology used within the cloud computer world. This is a model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language.

Answer 47

Function As A Service

FAAS

*** essentially instead of running your own server, you would write your code and then run it in a FAAS environment.

Question 48

This is a software architecture that runs functions within virtualized runtime containers in a cloud rather than on a dedicated server instances.

Answer 48

Serverless

*** When you deal with serverless, everything is developed as a function or a microservice and the service should do one and only one thing.

Question 49

This is an example of a serverless company (FAAS).

Answer 49

Netflix

Question 50

What are the benefits of going serverless?

Answer 50

1. There’s no patching because there’s no server
2. There’s no administration
3. There’s no file system monitoring because you’re just running code

Question 51

What is the concern with going serverless?

Answer 51

It’s still relatively new so you’re in uncharted territory

In addition, you’re fully dependent on the underlying service provider.

Question 52

Most vulnerabilities with the cloud are going to happen in terms of…?

Answer 52

identity and access management

Question 53

The major threats with the cloud are broken into four key areas:

Answer 53

1. insecure APIs (application programming interfaces)
2. improper key management
3. improper logging and monitoring
4. unprotected storage

Question 54

When you’re using an API, you should always use it over an…?

Answer 54

encrypted channel

*** This means SSL or TLS using an HTTPS connection

Question 55

There are a lot of ways you can do storage inside the cloud but most storage containers are going to be referred to as one of two things:

Answer 55

buckets - this is something that we use inside of AWS

blobs - usually in Microsoft Azure

*** either way, they’re both cloud storage

Question 56

This is a content delivery network policy that instructs the browser to treat requests from nominated domains as safe

Answer 56

cross origin resource sharing policy

CORS policy

*** essentially, you’re going to put things out into the content delivery network.