Security in the Cloud Flashcards

1
Q

Who has the ultimate legal responsibility for the data?

A

The customer

2
Q

Breaches, failures, and lack of availability most affect the _____ ?

A

customer

3
Q

What is the provider most concerned with?

A

Security and operation of the data center

4
Q
  • Imposing policy
  • Getting log data
  • Auditing the performance and security of the data center
A

Customer involvement with the data center

5
Q
  • List of security controls
  • Procedures
  • Live monitoring of equipment and data
A

things the provider wants to protect from malicious purposes

6
Q

A distributed computing environment with only one customer.

A

Private cloud

7
Q

What are the two ways private cloud can be implemented?

A
  • By an org running its own data center and supplying services to itself
  • Hosted by a provider
8
Q

What is another name for the provider’s data center?

A

Co-lo (co-location)

9
Q

Private cloud might be a more appropriate option for:

A
  • Orgs in highly-regulated industries
  • Orgs that process a significant amount/degree of sensitive info
10
Q

Drawback of private cloud.

A
  • More expensive
  • Less elastic/scalable (will reach natural capacity of dedicated components)
11
Q
  • Personnel threats
  • Natural disasters
  • External attacks (unauth access, DoS, DDoS)
  • Regulatory non-compliance
  • Malware
A

Private cloud risks

12
Q

Resources are shared and dispersed among an affinity group.

A

Community cloud

13
Q
  • Shared ownership (but increases entry and decision points)
  • Shared cost (but also shared access and control)
  • No need for centralized admin and perf monitoring (but also loss of reliability of centralized standards)
A

Community cloud benefits with associated risks

14
Q

A company offers cloud services to any entity that wants to become a cloud customer.

A

Public cloud

15
Q
  • Vendor lock-in
  • Vendor lock-out
  • Multitenant environments
  • Conflict of interest
  • Escalation of privilege
  • Information bleed
  • Legal activity
A

Public cloud risks

16
Q

General level of ease or difficulty when transferring data out of a provider’s data center.

A

Portability

17
Q
  • Ensure favorable contract terms
  • Avoid proprietary formats
  • Ensure there are no physical/technical limitations
  • Check for regulatory constraints

Are all ways to increase _____.

A

portability

18
Q
  • Longevity
  • Core competency
  • Jurisdictional suitability
  • Supply chain dependencies
  • Legislative environment
A

Things to consider when selecting a provider to reduce risk of vendor lock-out

19
Q

A combination of two or more of the other models.

A

Hybrid cloud

20
Q
  • Personnel threats
  • External threats
  • Lack of specific skillsets
A

IaaS Risks

21
Q
  • Interoperability issues
  • Persistent backdoors
  • Virtualization
  • Resource sharing
A

PaaS Risks

22
Q
  • Proprietary formats
  • Virtualization
  • Web app weaknesses
A

SaaS Risks

23
Q

The system that acts as the interface and controller b/w the virtualized instances and resources of the given host devices on which they reside.

A

Hypervisor

24
Q

Bare-metal or hardware hypervisors that reside directly on the host machine.

A

Type 1

25
Q

Software hypervisors that run on top of the OS that runs on a host device.

A

Type 2

26
Q

Attackers prefer Type 2 hypervisors because:

A

Of the larger surface area. (They can attack the hypervisor, OS, and machine directly)

27
Q

When a user leaves the confines of their own virtualized instance.

A

Guest escape

28
Q

When a user can leave their virtualized instance and the host machine, accessing other devices on the network.

A

Host escape

29
Q

Processing performed on one virtualized instance may be detected by other instances on the same host.

A

Information bleed

30
Q

When an attacker narrows down a list of possible attack vectors to only those that will function in that circumstance, or gains insight into what types of material might be acquired for a successful attack.

A

Side channel or covert channel attack

31
Q

Why are cloud data centers considered to be similar to DMZs?

A

Because everything in the cloud can be accessed remotely and exposed to the internet.

32
Q
  • Malware
  • External attackers
  • Man in the middle attacks
  • Theft/loss of device
  • Regulatory violations
  • Natural disasters
  • Loss of policy control
  • Loss of physical control
  • Lack of audit access
  • Rogue administrator
  • Escalation of privilege
  • Contractual failure
A

Types of cloud threats

33
Q

A main advantage of migrating to public cloud config.

A

Security offered by fast replication, regular backups, and distributed, remote processing and storage of data offered by CPs.

34
Q

Host-based and network-based anti-malware apps and agents employed in actual host devices and virtualized instances.

A

Risk mitigation for malware

35
Q

Background checks, resume confirmation, skills and knowledge testing.

A

Risk mitigation for internal threats

36
Q

Hardening physical devices, hypervisors, and VMs w/ solid baseline config and change mgmt protocols, and strong access control. Possibly even using a CASB.

A

Risk mitigation for external attackers

37
Q

Risk mitigation for man in the middle/on-path attacks.

A

Encrypt data in transit and secure session technology.

38
Q

Risk mitigation for social engineering.

A

Training

39
Q

Encryption, strict access controls, no USB, inventory control, remote wipe/kill switch

A

Risk mitigation for data loss from theft.

40
Q

Hiring knowledgeable personnel is the risk mitigation for ___ violations.

A

Regulatory

41
Q

Risk mitigation for natural disasters.

A

Redundancy

42
Q

Risk mitigation for loss of policy control.

A

Strong contractual terms.

43
Q

Encryption, strict access controls, no USB, inventory control, remote wipe/kill switch, strong contractual terms.

A

Risk mitigation for loss of physical control

44
Q

Risk mitigation for lack of audit access.

A

Contractual protections.

45
Q

Physical, logical, and admin controls for all privileged accounts.

A

Risk mitigation for rogue admin

46
Q

Risk mitigation for escalation of privilege.

A

Access control.

47
Q

Risk mitigation for contractual failure.

A

Full offsite backups.

48
Q

Risk mitigation for legal seizure.

A

Encryption or employing data dispersion.

49
Q
  • New dependencies
  • Reg failure
  • Data breach
  • Vendor lock in/out
A

BIA concerns

50
Q
  • Private architecture, cloud service as backup
  • Cloud operations, cloud provider as backup (backup solutions for redundancy)
  • Cloud operations, 3P cloud backup provider
A

Ways of using cloud backups for BC/DR

51
Q

How often should failover testing occur:

A

At least annually.