Security in Cloud Computing Flashcards

1
Q

Infrastructure as a Service (IAAS)

A

Provides virtualized computing resources over the Internet. A third-party provider hosts infrastructure components, applications and services on behalf of its subscribers, with a hypervisor (VMware, VirtualBox, Xen or KVM) running the virtual machines as guests.

2
Q

Platform as a Service (PAAS)

A

Geared toward software development hosted in the cloud.

3
Q

Software as a Service

A

A software distribution model providing on-demand applications to subscribers over the Internet. SAAS provides easier administration, automated patch management, compatibility, and version control.

4
Q

Cloud Deployment Models

A
  1. Public - over the Internet
  2. Private - private to a company
  3. Community - shared by several organizations
  4. Hybrid - composed of two or more deployment models
5
Q

NIST Cloud Computing Reference Architecture 500-292 - Major Cloud Roles

A
  1. Cloud Carrier - data transfer between subscriber and provider
  2. Cloud Consumer - uses cloud services
  3. Cloud Provider - purveyor of cloud services
  4. Cloud Broker - manages relationships between providers and subscribers
  5. Cloud Auditor - independent assessor of cloud services
6
Q

Cloud regulatory

A

FedRAMP: Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
PCI
FIPS
Cloud Security Alliance (CSA)

7
Q

Trusted Computing Model

A

An attempt to resolve computer security problems through hardware enhancements and associated software modifications.
Trusted Computing Group - made up of hardware and software providers who cooperate to come up with specific plans
Roots of Trust (RoT) - set of functions within the Trusted Computing model that are always trusted by the computer's operating system

8
Q

Cloud Control Layers

A
  1. Applications: Web app firewalls, SDLC, binary analysis, application scanners
  2. Information: Database monitoring, encryption, data loss prevention, content management framework
  3. Management: Patch and configuration management, governance and compliance, virtual machine administration, identity and access management
  4. Network: Firewalls, network intrusion detection/prevention, quality of service, DNS security
  5. Trusted Computing: Hardware and software roots of trust and APIs
  6. Compute and Storage: Host-based intrusion detection and firewalls, log management, file integrity efforts, encryption, etc.
  7. Physical: physical security measures, video monitoring, guards, etc.
9
Q

Cloud Security Tools

A
CloudInspect - penetration testing
CloudPassage Halo
Dell Cloud Manager
Qualys Cloud Suite
Trend Micro's Instant-On Cloud Security
Panda Cloud Office Protection
10
Q

Cloud Attacks

A

Data Breach or Loss
Abuse of cloud resources - leveraging the cloud for crypto key cracking for example
Insecure Interfaces and APIs
Insufficient Due Diligence
Shared technology issues in multitenant environments not providing proper isolation
Unknown risk profiles - users don’t know what security providers are using in the background
Malicious Insiders
Inadequate Design
DDoS
Wrapping attack - a SOAP message is intercepted, the data in the envelope is changed, and the message is then sent/replayed
Session Riding - CSRF under a different name
Side Channel attack - cross-guest VM breach; deals with the virtualization layer itself

11
Q

Shadow IT

A

IT systems and solutions that are developed to handle an issue but aren't necessarily taken through the proper organizational approval chains.
