SECURITY Architecture 3.1 Flashcards
Who is responsible for the security of a cloud based service?
The responsibility matrix determines whether the customer or the provider is responsible for the security of each aspect of the cloud.
What are hybrid cloud considerations?
- There is more than one public or private cloud. Adds additional complexity.
- Network protection mismatches (authentication across platforms, firewall configuration)
- Different security monitoring between different clouds
- Data leakage - Data is shared across the public internet.
Third-Party Vendors in the cloud
The use of third-party security software such as firewalls to protect cloud-based appliances should be considered. There should be ongoing vendor risk assessment, and incident response should be considered.
Infrastructure as code
Describe a portion of the infrastructure as code. Allows you to easily build out and modify the infrastructure as needed.
Serverless Architecture
FaaS - Function as a service
Instead of accessing an application, we access individual functions which are handled by that application.
Microservices and APIs
Application programming interfaces. Instead of having one single executable that handles everything you can break up individual services and run them as separate instances in the cloud.
Done for scalability
Done for resilience
Security is more focused as it is tailored for each microservice.
Network appliances - VLANs
Physical isolation - Network devices should be physically isolated to prevent an attacker being able to move from one to another. Two separate physical situations.
Network Appliances - Logical segmentation
Each device being separated by a physical switch becomes unscalable very quickly. VLANs are used to achieve logical segmentation.
SDN (Software Defined Networking)
?
What is premises data
Security technology is local and on premises. There is a cost associated with managing and securing these data centres.
On-Premises Security considerations
Full control when everything is in house
On-site IT team which can manage security (can be expensive and difficult to staff)
Local team maintains uptime and availability.
Security changes can take time.
Centralised vs Decentralised.
Most organisations are physically decentralised. Difficult to manage and protect so many diverse systems.
Difficult to manage but made easier with a centralised approach which correlates alerts, log files and analysis.
A centralised system creates one point of failure and has performance issues.
Virtualisation
A technology used in organisations where separate virtual machines can run at the same time with their own operating system and applications.
Hypervisor is the software which manages the resources between the separate virtual machines.
Containerisation
Another way to have multiple applications running all on one piece of hardware. This is more efficient than Virtualisation because all applications share the same host operating system.
Virtualisation vs Containerisation
Infrastructure: Both have a physical device that everything runs on.
Hypervisor: The technology which runs on the infrastructure in a virtualised environment.
Host operating system: The technology which runs on the infrastructure in a containerised environment.
Docker: The containerisation software which runs on top of the host operating system. It manages the different applications running on the host operating system.
IoT
Internet of things:
Sensors, Smart devices, Wearable technology, facility automation. Often have weak security and be a vulnerable that are
SCADA/ICS
Supervisory Control and Data Acquisition System / Industrial Control System.
A control system where IT professionals can manage and control IT in a segmented and secure off site environment.
RTOS
Real-Time Operating System.
An operating system with a deterministic processing schedule.
Self-contained and difficult to breach the security of these systems. Extremely sensitive to security issues.
Embedded Systems
Hardware and software designed for a specific function.
High Availability (HA)
Configure systems so once one fails there is a contingency plan where traffic could be directed to maintain availability and reduce downtime.
More and more cost associated with increasing HA to avoid downtime.
Infrastructure considerations - Availability
System uptime, a foundation of IT security. The success of a system is often determined by its availability.
Infrastructure considerations - Resilience
How quickly can you recover once there is downtime? MTTR - Mean time to repair (the length of time that it would take to replace something that is unavailable with something that is available).
Infrastructure consideration - Cost
How much money is required?
Installation cost?
Maintenance cost?
Replacement cost
Tax implications
Infrastructure consideration - Responsiveness
How quickly can we get a response? Humans are sensitive to delays. Speed is an important metric.
Infrastructure considerations - Scalability
How quickly and easily can we increase or decrease capacity?
Infrastructure considerations - Ease of deployment
How easily can we deploy an application?
Orchestration - Build out an entire application easily.
Consider change control?
Infrastructure considerations - Risk Transference
Moving risk to a third party.
Cybersecurity insurance
Recover internal losses, Outages and business downtime.
Protect against legal issues from customers - limit the cost associated with legal proceedings.
Ease of Recovery - Infrastructure considerations
How long does it take or how easy is it to get back up and running? Easiest way to recover.
Patch Recovery - Infrastructure considerations
Patch availability to address bugs and provide security updates.
Normal part of the IT process.
Liability to patch - Infrastructure considerations
Embedded systems likely do not have a patch. May need to add a firewall.
Power - Infrastructure considerations
A foundation element. The power for a data centre vs office building will be very different.
UPS - Uninterruptible power supply.
Compute engine - Infrastructure considerations
The part of the process which processes the data. Multiple CPUs across multiple cloud-based technologies.