Security Plus - Chapter 10 Flashcards

1
Q

Cloud Computing

A

Companies that provide computing services to their customers over the Internet. NIST definition: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

2
Q

Multitenancy

A

Many different users sharing resources in the same cloud infrastructure.

3
Q

Oversubscription

A

The ability of a cloud provider to serve all of its customers from a shared pool of resources, relying on the fact that not all users will access those resources at the same time. This achieves economies of scale.

4
Q

Cloud Computing Benefits

A

On-demand self-service computing - Cloud resources are available when and where you need them.
Scalability - Customers can manually or automatically increase the capacity of their operations.
- Vertical scaling - Increases the capacity of existing servers.
- Horizontal scaling - Adds more servers to a pool of clustered servers.
Elasticity - The capacity should expand and contract as needs change to optimize costs.
Measured service - Providers track many statistics, which allows them to provide the appropriate resources when changes are needed.
Agility and Flexibility - The speed to provision cloud resources and the ability to use them for as long as they are needed.

5
Q

Cloud Roles

A

Cloud service provider - The firms that offer cloud computing services to their customers.
Cloud consumers - The organizations or individuals that utilize cloud services from the providers.
Cloud partners (brokers) - Organizations that offer ancillary products or services that support or integrate with the offerings of the cloud provider. Ex. Training, consulting for the cloud environment, or software that integrates with the cloud services.
Cloud auditors - Independent organizations that provide third-party assessments of cloud services and operations.
Cloud carriers - Serve as intermediaries that provide the connectivity that allows the delivery of cloud services from the provider to the consumer.

6
Q

Cloud Service Models

A

Infrastructure as a Service (IaaS) - Allows customers to purchase and interact with the basic building blocks of a technology infrastructure: computing, storage, and networks.

Software as a Service (SaaS) - Provides customers with access to fully managed applications running in the cloud. The provider is responsible for everything from the operation of the physical datacenters to the performance management of the application. The customer is only responsible for limited configuration, what data will be included in the software, and access controls for who can have access to the application.

Platform as a Service (PaaS) - The middle ground between IaaS and SaaS. The service provider offers a platform where customers may run applications that they have developed themselves. The provider offers an execution environment.

Function as a Service (FaaS) - Allows customers to upload their own code functions to the provider, and the provider will execute those functions on a scheduled basis, in response to events, and/or on demand. Serverless computing environments. The customer does not see the servers.

7
Q

Managed Service Providers (MSPs)

A

Service organizations that provide information technology as a service to their customers. They may handle the IT needs completely, or they may offer focused services such as network design and implementation, application monitoring, or cloud cost management. Managed Security Service Providers (MSSPs) are also an available option for outsourcing cybersecurity services.

8
Q

Cloud Deployment Models

A

Describe how a cloud service is delivered to customers and whether the resources used to offer those services to one customer are shared with other customers.

Public Cloud - Cloud service providers deploy infrastructure and then make it accessible to any customers who wish to take advantage of it in a multitenant model.

Private Cloud - Any cloud infrastructure that is provisioned for use by a single customer. Not as cost efficient as the public cloud.

Community Cloud - Shares characteristics of both the public and private cloud deployment models. They run in a multitenant environment, but the tenants are limited to members of a specifically designed community. Community membership is usually based on a shared mission, similar security and compliance requirements, or other commonalities.

Hybrid Cloud - A catch-all term to describe any cloud deployment that blends public, private, and/or community cloud service models together. Requires the use of technology that unifies the different cloud offerings into a single coherent platform.
Ex. A firm operating in the private cloud that leverages public cloud capacity when demand exceeds the capacity of the private cloud. Another reason for hybrid cloud is the desire to move away from a centralized approach to computing, with everything in a single environment, to a decentralized approach that reduces the single point of failure by spreading technology across multiple providers.

9
Q

Shared Responsibility Model

A

Cloud customers must divide responsibilities between one or more service providers and the customers' own cybersecurity teams. A Responsibility Matrix is created to determine how the responsibilities for certain services are divided between the entities. The division depends on the type of service model being used: IaaS, PaaS, or SaaS.
IaaS - The customer takes responsibility for everything from the OS up, including the applications and data on the system.
PaaS - The customer retains responsibility for a shared portion of the application and for all of the data on the system. The shared responsibility is based on the agreement between the customer and the provider.
SaaS - The provider takes on almost all security responsibilities, with shared responsibility regarding the data. That is also based on the agreement between the customer and the provider.

10
Q

Cloud Standards and Guidelines

A

NIST Cloud Reference Architecture SP 500-292 offers a high-level taxonomy for cloud services.
Cloud Security Alliance is focused on developing and promoting best practices in cloud security. They developed the cloud security matrix (CCM).

11
Q

Edge Computing

A

Usually performed in Internet of Things scenarios. Places some processing power on the remote sensors, which allows the sensors to preprocess the data before shipping it back to the cloud. The computing is pushed out to sensors located at the edge of the network.
Fog computing - The processing is performed on IoT gateway devices that are located near the remote sensors.

12
Q

Virtualization

A

Allows multiple guest systems to share the same underlying hardware. The virtual host will run an operating system called the hypervisor that mediates access to the underlying hardware resources. Multiple virtual machines then run the operating systems and other services as needed by the organization.

13
Q

Hypervisors

A

The hypervisor enforces the isolation between virtual machines. It must present each VM with the illusion of a completely separate physical environment dedicated for use by that VM. Isolation ensures that VMs will not interfere with each other's operations.

Type I hypervisor (bare-metal) - Operates directly on top of the underlying hardware. This hypervisor then supports the guest OSs for each VM.

Type II hypervisor - Runs as an application on top of an existing OS. The OS supports the hypervisor, and the hypervisor requests resources for each guest OS from the host. Less efficient than Type I.

14
Q

Cloud Infrastructure Components

A

Used in the IaaS service model to provide organizations with access to computing resources including compute capacity, storage, and networking.

15
Q

Cloud Compute Resources

A

Computing capacity is one of the primary needs of organizations moving to the cloud.

Virtualization - The basic building blocks of compute capacity in the cloud.
Containerization - Provides application-level virtualization. Containers package applications and allow them to be treated as units of virtualization that become portable across OS and hardware platforms.

16
Q

Container Security Guidelines

A

NIST recommendations:
- Use container-specific host operating systems, which are built with reduced features to reduce the attack surface.
- Segment containers by risk profile and purpose.
- Use container-specific vulnerability management security tools.

17
Q

Cloud Storage Resources

A

Infrastructure providers also offer customers storage resources, both coupled with their computing offerings and as independent storage offerings for use in building other cloud architectures. Two types: block and object storage.

18
Q

Block Storage

A

Allocates large volumes of storage for use by virtual server instances. The volumes are formatted as virtual disks by the OS on the server instances and used as the OS would use a physical drive. You pay for the full amount you requested even if you are not using the full amount.

19
Q

Object Storage

A

Provides customers with the ability to place files in buckets and treat each file as an independent entity that may be accessed over the web or through the provider's API. Hides the storage details from the end user, who does not know or care about the underlying disks. You pay for only the amount of storage that you are using.

20
Q

Cloud Storage Security Concerns

A

Set permissions properly - Pay attention to the access policies. Especially for object storage, an incorrect permission change can publish a sensitive file to the web.

Consider high availability and durability options - Cloud providers hide implementation details from users, but they are not immune from hardware failures. Use replication capabilities for availability and integrity requirements.

Use encryption to protect sensitive data - Apply your own encryption to individual files stored in the cloud or use the full-disk encryption options offered by the provider.

21
Q

Cloud Networking

A

Cloud consumers are provided access to networking resources to connect their other infrastructure components and are able to provision bandwidth as needed to meet their needs.
Software-defined networking (SDN) - Allows engineers to interact with and modify cloud resources through their APIs.
Software-defined visibility (SDV) - Offers consumers insight into the traffic on their virtual network.

22
Q

Cloud Security Groups

A

Security groups define permissible network traffic. They take the place of firewall rules, since changes to the provider's firewall rules could cause a disruption of service to other customers. A group consists of a set of rules for network traffic that is similar to a firewall ruleset.

23
Q

Virtual Private Cloud

A

An on-demand configurable pool of shared resources allocated within a public cloud environment, providing a certain level of isolation between the different organizations using the resource. Grouped systems, possibly of different security levels and functions and possibly placed on different subnets.
VPCs group systems into subnets and designate those subnets as public or private depending on whether access to them is permitted from the Internet.
VPC endpoint offerings allow the connection of VPCs to other VPCs using the provider’s secure network backbone. Transit gateways extend this model by allowing direct interconnection of cloud VPCs with on-premises VLANs for hybrid cloud operations.

24
Q

Segmentation

A

A method of dividing a remote computing environment into smaller, isolated segments. Each segment can have its own security policies, access rights, and controls, which can be tailored to the data or applications within it. Isolates individual customers of the provider into their own isolated environment.

25
Q

Separation of Development and Operations Challenges

A

Isolating operations teams from the development process inhibits the development team from understanding the business requirements.
Isolating developers from operational considerations leads to designs that are wasteful in terms of processor, memory, and network consumption.
Requiring clear hand-offs from development to operations reduces agility and flexibility by requiring a lengthy transition phase.
Increasing the overhead associated with transitions encourages combining many small fixes and enhancements into one major release, increasing the time to requirement satisfaction.

26
Q

DevOps

A

The approach to technology management that brings the development and operations teams together in an agile approach to software development. The software testing and release process becomes highly automated and collaborative, enabling organizations to move from lengthy release management processes to a world where they might release dozens of updates on a daily basis.

27
Q

Infrastructure as Code (IaC)

A

The process of automating the provisioning, management, and deprovisioning of infrastructure services through scripted code rather than human intervention. Depends on the use of application programming interfaces (APIs), which programmatically provision, configure, modify, and deprovision cloud resources. APIs are especially useful in cloud environments that provide microservices: cloud service offerings that provide very granular functions to other services, often delivered through the FaaS model.

28
Q

Cloud Security Issues

A

Availability - The cloud provider may operate in different geographical areas, providing high availability, but this may be available only under higher-tier service agreements that the customer pays extra for.

Data Sovereignty - The data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed. This could cause an organization that performs no activity in a region to have to submit to additional regulations due to the cloud provider storing data in that region.

Virtualization Security
- VM escape vulnerabilities - When an attacker has access to a single virtual host and then manages to leverage that access to intrude upon the resources assigned to a different virtual machine. The hypervisor normally prevents this by restricting a VM's access to only those resources assigned to the machine.
- Virtual machine sprawl - When IaaS users create virtual server instances and then forget about them or abandon them, leaving the services to accrue costs and accumulate security issues over time.
- Resource reuse - When cloud providers take hardware resources that were originally assigned to one customer and reassign them to another customer. If data was not properly removed from the hardware, the new customer may inadvertently gain access to that data.

Application Security - Cloud applications rely on APIs to provide interoperability, so security analysts should implement API inspection technology that scrutinizes API requests for security issues. Secure web gateways (SWG) also provide a layer of security by monitoring web requests made by internal users and evaluating them against the organization's security policy, blocking access to potentially malicious content; they may also enforce content filtering restrictions.

29
Q

Governance and Auditing of Cloud Providers

A

Vet the vendors being considered for cloud partnerships.
Manage vendor relationships and monitor for early warning signs of vendor stability issues.
Oversee an organization's portfolio of cloud activities.
Auditability - Include in agreements language guaranteeing the right of the customer to audit cloud service providers. Auditing is essential to providing customers with the assurance that the provider is operating in a secure manner and meeting its contractual data protection obligations.

30
Q

Hardening Cloud Infrastructure

A

Securing your system's cloud configuration and settings to reduce IT vulnerabilities and the risk of compromise. Providers often offer cloud-native controls that harden the environment to prevent attacks.

Cloud Access Security Brokers (CASB) - Software tools that serve as intermediaries between cloud service users and cloud service providers. This placement allows the tool to monitor user activity and enforce policy requirements.
- Inline CASB - Physically or logically resides in the connection path between the user and the service. Can be implemented through a hardware appliance or an endpoint agent. Requires configuration of the network and/or endpoint devices. Requests are seen before they are sent to the cloud service.
- API-based CASB - Does not interact directly with the user but with the cloud provider through the provider's API. Provides direct access to the cloud service and does not require any user device configuration. Does not allow the CASB to block requests that violate policy; it only provides monitoring of user activity and reporting, or correction of policy violations after the fact.

Resource policies - Customers can use these to limit the actions that users of their accounts may take. This can limit the damage caused by an accidental command or a compromised account. These are coded into the system configuration.

Secrets management - Hardware security modules (HSMs) are special purpose computing devices that manage encryption keys and also perform cryptographic operations in a highly efficient manner. HSMs are expensive to purchase and operate but provide a high level of security. They can create and manage encryption keys without exposing them to a single human being, reducing the likelihood that they will be compromised.