Security in the Cloud

Question 1

Who has the ultimate legal responsibility for the data?

Answer 1

The customer

Question 2

Breaches, failures, and lack of availability most affect the _____ ?

Answer 2

customer

Question 3

What is the provider most concerned with?

Answer 3

Security and operation of the data center

Question 4

• Imposing policy
• Getting log data
• Auditing the performance and security of the data center

Answer 4

Customer involvement with the data center

Question 5

• List of security controls
• Procedures
• Live monitoring of equipment and data

Answer 5

things the provider wants to protect from malicious purposes

Question 6

A distributed computing environment with only one customer.

Answer 6

Private cloud

Question 7

What are the two ways private cloud can be implemented?

Answer 7

• By an org running its own data center and supplying services to itself
• Hosted by a provider

Question 8

What is another name for the provider’s data center?

Answer 8

Co-lo (co-location)

Question 9

Private cloud might be a more appropriate option for:

Answer 9

• Orgs in highly-regulated industries
• Orgs that process a significant amount/degree of sensitive info

Question 10

Drawback of private cloud.

Answer 10

• More expensive
• Less elastic/scalable (will reach natural capacity of dedicated components)

Question 11

• Personnel threats
• Natural disasters
• External attacks (unauth access, DoS, DDoS)
• Regulatory non-compliance
• Malware

Answer 11

Private cloud risks

Question 12

Resources are shared and dispersed among an affinity group.

Answer 12

Community cloud

Question 13

• Shared ownership (but increases entry and decision points)
• Shared cost (but also shared access and control)
• No need for centralized admin and perf monitoring (but also loss of reliability of centralized standards)

Answer 13

Community cloud benefits with associated risks

Question 14

A company offers cloud services to any entity that wants to become a cloud customer.

Answer 14

Public cloud

Question 15

• Vendor lock-in
• Vendor lock-out
• Multitenant environments
• Conflict of interest
• Escalation of privilege
• Information bleed
• Legal activity

Answer 15

Public cloud risks

Question 16

General level of ease or difficulty when transferring data out of a provider’s data center.

Answer 16

Portability

Question 17

• Ensure favorable contract terms
• Avoid proprietary formats
• Ensure there are no physical/technical limitations
• Check for regulatory constraints

Are all ways to increase _____.

Answer 17

portability

Question 18

• Longevity
• Core competency
• Jurisdictional suitability
• Supply chain dependencies
• Legislative environment

Answer 18

Things to consider when selecting a provider to reduce risk of vendor lock-out

Question 19

A combination of two or more of the other models.

Answer 19

Hybrid cloud

Question 20

• Personnel threats
• External threats
• Lack of specific skillsets

Answer 20

IaaS Risks

Question 21

• Interoperability issues
• Persistent backdoors
• Virtualization
• Resource sharing

Answer 21

PaaS Risks

Question 22

• Proprietary formats
• Virtualization
• Web app weaknesses

Answer 22

SaaS Risks

Question 23

The system that acts as the interface and controller b/w the virtualized instances and resources of the given host devices on which they reside.

Answer 23

Hypervisor

Question 24

Bare-metal or hardware hypervisors that reside directly on the host machine.

Answer 24

Type 1

Question 25

Software hypervisors that run on top of the OS that runs on a host device.

Answer 25

Type 2

Question 26

Attackers prefer Type 2 hypervisors because:

Answer 26

Of the larger surface area. (They can attack the hypervisor, OS, and machine directly)

Question 27

When a user leaves the confines of their own virtualized instance.

Answer 27

Guest escape

Question 28

When a user can leave their virtualized instance and the host machine, accessing other devices on the network.

Answer 28

Host escape

Question 29

Processing performed on one virtualized instance may be detected by other instances on the same host.

Answer 29

Information bleed

Question 30

When an attacker narrows down a list of possible attack vector to only those that will function in that circumstance, or gain insight into what types of material might be acquired for a successful attack.

Answer 30

Side channel or covert channel attack

Question 31

Why are cloud data centers considered to be similar to DMZs?

Answer 31

Because everything in the cloud can be accessed remotely and exposed to the internet.

Question 32

- Malware - External attackers - Man in the middle attacks - Theft/loss of device - Regulatory violations - Natural disasters - Loss of policy control - Loss of physical control - Lack of audit access - Rogue administrator - Escalation of privilege - Contractual failure

Answer 32

Types of cloud threats

Question 33

A main advantage of migrating to public cloud config.

Answer 33

Security offered by fast replication, regular backups, and distributed, remote processing and storage of data offered by CPs.

Question 34

Host-based and network based anti-malware apps and agents employed in actual host devices and virtualized instances.

Answer 34

Risk mitigation for malware

Question 35

Background checks, resume confirmation, skills and knowledge testing.

Answer 35

Risk mitigation for internal threats

Question 36

Hardening physical devices, hypervisors, and VMs w/ solid baseline config and change mgmt protocols, and strong access control. Possibly even using a CASB.

Answer 36

Risk mitigation for external attackers

Question 37

Risk mitigation for man in the middle/on-path attacks.

Answer 37

Encrypt data in transit and secure session technology.

Question 38

Risk mitigation for social engineering.

Answer 38

Training

Question 39

Encryption, strict access controls, no usb, inventory control, remote wipe/kill switch

Answer 39

Risk mitigation for data loss from theft.

Question 40

Hiring knowledgeable personnel is the risk mitigation for ___ violations.

Answer 40

Regulatory

Question 41

Risk mitigation for natural disasters.

Answer 41

Redundancy

Question 42

Risk mitigation for loss of policy control.

Answer 42

Strong contractual terms.

Question 43

Encryption, strict access controls, no usb, inventory control, remote wipe/kill switch, song contractual terms.

Answer 43

Risk mitigation for loss of physical control

Question 44

Risk mitigation for lack of audit access.

Answer 44

Contractual protections.

Question 45

Physical, logical, and admin controls for all privileged accounts.

Answer 45

Risk mitigation for rogue admin

Question 46

Risk mitigation for escalation of privilege.

Answer 46

Access control.

Question 47

Risk mitigation for contractual failure.

Answer 47

Full offsite backups.

Question 48

Risk mitigation for legal seizure.

Answer 48

Encryption or employing data dispersion.

Question 49

- New dependencies - Reg failure - Data breach - Vendor lock in/out

Answer 49

BIA concerns

Question 50

- Private architecture, cloud service as backup - Cloud operations, cloud provider as backup (backup solutions for redundancy) - Cloud operations, 3P cloud backup provider

Answer 50

Ways of using cloud backups for BC/DR

Question 51

How often should failover testing occur:

Answer 51

At least annually.