Security in the Cloud Flashcards
Who has the ultimate legal responsibility for the data?
The customer
Breaches, failures, and lack of availability most affect the _____?
customer
What is the provider most concerned with?
Security and operation of the data center
- Imposing policy
- Getting log data
- Auditing the performance and security of the data center
Customer involvement with the data center
- List of security controls
- Procedures
- Live monitoring of equipment and data
Things the provider wants to protect from malicious purposes
A distributed computing environment with only one customer.
Private cloud
What are the two ways private cloud can be implemented?
- By an org running its own data center and supplying services to itself
- Hosted by a provider
What is another name for the provider’s data center?
Co-lo (co-location)
Private cloud might be a more appropriate option for:
- Orgs in highly-regulated industries
- Orgs that process a significant amount/degree of sensitive info
Drawback of private cloud.
- More expensive
- Less elastic/scalable (will reach natural capacity of dedicated components)
- Personnel threats
- Natural disasters
- External attacks (unauth access, DoS, DDoS)
- Regulatory non-compliance
- Malware
Private cloud risks
Resources are shared and dispersed among an affinity group.
Community cloud
- Shared ownership (but increases entry and decision points)
- Shared cost (but also shared access and control)
- No need for centralized admin and perf monitoring (but also loss of reliability of centralized standards)
Community cloud benefits with associated risks
A company offers cloud services to any entity that wants to become a cloud customer.
Public cloud
- Vendor lock-in
- Vendor lock-out
- Multitenant environments
- Conflict of interest
- Escalation of privilege
- Information bleed
- Legal activity
Public cloud risks
General level of ease or difficulty when transferring data out of a provider’s data center.
Portability
- Ensure favorable contract terms
- Avoid proprietary formats
- Ensure there are no physical/technical limitations
- Check for regulatory constraints
Are all ways to increase _____.
portability
- Longevity
- Core competency
- Jurisdictional suitability
- Supply chain dependencies
- Legislative environment
Things to consider when selecting a provider to reduce risk of vendor lock-out
A combination of two or more of the other models.
Hybrid cloud
- Personnel threats
- External threats
- Lack of specific skillsets
IaaS Risks