Security Plus - Chapter 10

Question 1

Cloud Computing

Answer 1

Companies that provide computing services to their customers over the Internet. NIST definition: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Question 2

Multitenancy

Answer 2

Many different users sharing resources in the same cloud infrastructure.

Question 3

Oversubscription

Answer 3

The ability of a cloud provider to have sufficient resources, knowing that all their users will not access the resources all at the same time. This achieves economies of scale.

Question 4

Cloud Computing Benefits

Answer 4

On-demand self-service computing - Cloud resources are available when and where you need them.
Scalability - Customers can manually or automatically increase the capacity of their operations.
- Vertical scaling - Increases the capacity of existing servers.
- Horizontal scaling - Adding more servers to a pool of clustered servers
Elasticity - The capacity should expand and contract as needs change to optimize costs.
Measured service - Providers track many statistics which allows them to provide the appropriate resources when changes are needed.
Agility and Flexibility - The speed to provision cloud resources and the ability to use them for time periods as long as they are needed.

Question 5

Cloud Roles

Answer 5

Cloud service provider - The firms that offer cloud computing services to their customers.
Cloud consumers - The organizations or individuals that utilize cloud services from the providers.
Cloud partners (brokers) - Organizations that offer ancillary products or services that support or integrate with the offerings of the cloud provider. Ex. Training, consulting for the cloud environment or software that integrates with the cloud services.
Cloud auditors - Independent organizations that provide third-party assessments of cloud services and operations.
Cloud carriers - Serve as intermediaries that provide the connectivity that allows the delivery of cloud services from the provider to the consumer.

Question 6

Cloud Service Models

Answer 6

Infrastructure as a Service (IaaS) - Allow customers to purchase and interact with the basic building blocks of a technology infrastructure. Computing, storage, and networks.

Software as a Service (SaaS) - Provide customers with access to fully managed applications running in the cloud. The provider is responsible for everything from the operation of the physical datacenters to the performance management of the application. Customer is only responsible for limited configuration, what data will be included in the software, and access controls for who can have access to the application.

Platform as a Service (PaaS) - The middle ground between IaaS and SaaS. The service provider offers a platform where customers may run applications that they have developed themselves. Teh provider offers an execution environment.

Function as a Service (FaaS) - Allows customers to upload their own code functions to the provider and the provider will execute those functions on a scheduled basis in response to events and/or on demand. Serverless computing environments. Customer does not see the servers.

Question 7

Managed Service Providers (MSPs)

Answer 7

Service organizations that provide information technology as a service to their customers. They may handle the IT needs completely, or they may offer focused services such as network design and implementation, application monitoring, or cloud cost management. Managed Security Service Providers (MSSPs) are also an available option for outsourcing cybersecurity services.

Question 8

Cloud Deployment Models

Answer 8

Describe how a cloud service is delivered to customers and whether the resources used to offer those services to one customer are shared with other customers.

Public Cloud - Cloud service providers deploy infrastructure and then make it accessible to any customers who wish to take advantage of it in a multitenant model.

Private Cloud - Any cloud infrastructure that is provisioned for use by a single customer. Not as cost efficient as the public cloud.

Community Cloud - Shares characteristics of both the public and private cloud deployment models. They run in multitenant environment, but the tenants are limited to members of a specifically designed community. Community membership is usually based on a shared mission, similar security and compliance requirements, or other commonalities.

Hybrid Cloud - A catch-all term to describe any cloud deployments that blend both public, private, and/or community cloud service models together. Requires the use of technology that unifies the different cloud offerings into a single coherent platform.
Ex. Firm operating in the private cloud but leverages the public cloud capacity when demand exceeds the capacity of the private cloud. Another reason for hybrid cloud is the desire to move away from a centralized approach to computing with everything in a single environment to a decentralized approach which reduces the single point of failure by spreading technology across multiple providers.

Question 9

Shared Responsibility Model

Answer 9

Cloud customers must divide responsibilities between one or more service providers and the customers own cybersecurity teams. A Responsibility Matrix is created to determine how the responsibilities for certain services are divided between the entities. This differentiates based on the type of service model being used; IaaS, PaaS, and SaaS.
IaaS - Customer takes responsibility for everything from the OS, application, and data that is on the system.
PaaS - The customer retains responsibility for a shared portion of the application and then all of the data on the system. Shared responsibility is based on the agreement between the customer and provider.
SaaS - The provider takes on almost all security responsibilities with shared responsibility regarding the data. That is also based on the agreement between the customer and the provider.

Question 10

Cloud Standards and Guidelines

Answer 10

NIST Cloud Reference Architecture SP 500-292 offers a high level of taxonomy for cloud services.
Cloud Security Alliance is focused on developing and promoting best practices in cloud security. They developed the cloud security matrix (CCM).

Question 11

Edge Computing

Answer 11

Usually performed in Internet of Things scenarios. Places some processing power on the remote sensors, which allows the sensors to preprocess the data before shipping it back to the cloud. The computing is being pushed out to sensors that are located at the edge of the network.
Fog computing - The processing is performed on IoT gateway devices that located near the remote sensors.

Question 12

Virtulaization

Answer 12

Allows multiple guest systems to share the same underlying hardware. The virtual host will run an operating system called the hypervisor that mediates access to the underlying hardware resources. Multiple virtual machines then run the operating systems and other services as needed by the organization.

Question 13

Hypervisors

Answer 13

Enforces the isolation between virtual machines. It must present each VM with the illusion of a completely separate physical environment dedicated for use by that VM. Isolation ensures that VMs will not interfere with each other’s operations.

Type I hypervisor (bare-metal) - Operate directly on top of the underlying hardware. This hypervisor then supports the guest OSs for each VM.

Type II hypervisor - Run as an application on top of an existing OS. The OS supports the hypervisor and the hypervisor requests resources for each guest OS from the host. Less efficient.

Question 14

Cloud Infrastructure Components

Answer 14

Used in the IaaS service model to provide organizations with access to computing resources including compute capacity, storage, and networking.

Question 15

Cloud Compute Resources

Answer 15

Computing capacity is one of the primary needs of organizations moving to the cloud.

Virtualization - The basic building blocks of compute capacity in the cloud.
Containerization - Provides application-level virtualization. Containers package applications and allow them to be treated as units of virtualization that become portable across OS and hardware platforms.

Question 16

Container Security Guidelines

Answer 16

NIST recommendations:
- Use container-specific host operating systems, which are built with reduced features to reduce attack surfaces
- Segmenting containers by risk profile and purpose
- Using container-specific vulnerability management security tools

Question 17

Cloud Storage Resources

Answer 17

Infrastructure providers also offer customers storage resources, both coupled with their computing offerings and independent storage offerings for use in building other cloud architectures. 2 types, block and object storage.

Question 18

Block Storage

Answer 18

Allocates large volumes of storage for use by virtual server instances. The volumes are formatted as virtual disks by the OS on the server instances and used as they would a physical drive. You pay for the full amount you requested even if you are not using the full amount.

Question 19

Object Storage

Answer 19

Provides customers with the ability to place files in buckets and treat each file as an independent entity that may be accessed over the web or through the provider’s API. Hides the storage details from the end user, who does know or care about the underlying disks. You pay for only the amount of storage that you are using.

Question 20

Cloud Storage Security Concerns

Answer 20

Set Permissions properly - Pay attention to the access policies. Especially for object storage, an incorrect permission change can publish a sensitive file to the web.

Consider high availability and durability options. Cloud providers hide implementation details from users, but they are not immune from hardware failures. Use replication capabilities for availability and integrity requirements.

Use encryption to protect sensitive data - Apply your own encryption to individual files stored in the cloud or use the full-disk encryption options offered by the provider.

Question 21

Cloud Networking

Answer 21

Cloud consumers are provided access to networking resources to connect their other infrastructure components and are able to provision bandwidth as needed to meet their needs.
Software-defined networking (SDN)- Allows engineers to interact with and modify cloud resources through their APIs.
Software-defined visibility (SDV) - Offers insight into the traffic on their virtual network.

Question 22

Cloud Security Groups

Answer 22

Security groups that define permissible network traffic. These take the place of firewall rules, since changes to firewall rules may cause a disruption of service to other customers. The groups consist of a set of rules for network traffic that are similar to a firewall ruleset.

Question 23

Virtual Private Cloud

Answer 23

An on-demand configurable pool of shared resources allocated within a public cloud environment, providing a certain level of isolation between the different organizations using the resource. Grouped systems, possibly of different security levels and functions and possibly placed on different subnets.
VPCs group systems into subnets and designate those subnets as public or private depending on whether access to them is permitted from the Internet.
VPC endpoint offerings allow the connection of VPCs to other VPCs using the provider’s secure network backbone. Transit gateways extend this model by allowing direct interconnection of cloud VPCs with on-premises VLANs for hybrid cloud operations.

Question 24

Segmentation

Answer 24

A method of dividing a remote computing environment into smaller, isolated segments. Each segment can have its own security policies, access rights, and controls, which can be tailored to the data or applications within it. Isolates individual customers of the provider into their own isolated environment.

Question 25

Separation of Development and Operations Challenges

Answer 25

Isolates Operations teams from the development process inhibits the development team from understanding the business requirements.
Isolating developers from operational considerations leads to designs that are wasteful in terms of processor, memory, and network consumption.
Requiring clear hand-offs from development to operations reduces agility and flexibility by requiring a lengthy transition phase.
Increasing the overhead associated with transitions encourages combining many small fixes and enhancements into one major release, increasing the time to requirement satisfaction.

Question 26

DevOps

Answer 26

The approach to technology management that brings the development and operations teams together in an agile approach to software development. The software testing and release process becomes highly automated and collaborative, enabling organizations to move from lengthy release management processes to a world where they might release dozens of updates on a daily basis.

Question 27

Infrastructure as a Code (IaC)

Answer 27

The process of automating the provisioning. management, and deprovisioning of infrastructure services through a scripted code rather than human intervention. Depends on the use of application programming interfaces (APIs). These programmatically provision, configure, modify, and deprovision cloud resources. APIs are helpful with cloud environments that provide microservices, cloud service offerings that provide very granular functions to other services. Often provided through the FaaS model.

Question 28

Cloud Security Issues

Answer 28

Availability - Advantage is that the cloud provider may operate in different geographical areas, provided high availability, but this may be only when increasing service agreements to pay for that service.

Data Sovereignty - The data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed. This could cause an organization that performs no activity in a region to have to submit to additional regulations due to the cloud provider storing data in that region.

Virtualization Security
- VM escape vulnerabilities is when an attacker has access to a single virtual host and then manages to leverage that access to intrude upon the resources assigned to a different virtual machine. The hypervisor normally prevents this by restricting a VM’s access to only those resources assigned to the machine.
- Virtual machine sprawl - When IaaS users create virtual service instances and then forget about them or abandon them, leaving the services to accrue costs and accumulate security issues over time.
- Resource reuse - When cloud providers take hardware resources that were originally assigned to one customer and reassign them to another customer. If data was not properly removed from the hardware, the new customer may inadvertently gain access to that data.

Application Security - Cloud applications rely on APIs to provide interoperability so security analysts should implement API inspection technology that scrutinizes API requests for security issues. Secure web gateways (SWG) also provide a layer of security by monitoring web requests made by internal users and evaluate them against the organizations security policy, blocking access to potential malicious content but may also enforce content filtering restrictions.

Question 29

Governance and Auditing of Cloud Providers

Answer 29

Vet the vendors being considered for cloud partnerships
Manage vendor relationships and monitor for early warning signs of vendor stability issues.
Oversee an organizations portfolio of cloud activities
Auditability - Include in agreements language guaranteeing the right of the customer to audit cloud service providers. The use of auditing is essential to providing customers with the assurance that the provider is operating in a secure manner and meeting its contractual data protection obligations.

Question 30

Hardening Cloud Infrastructure

Answer 30

Securing your system’s cloud configuration and settings to reduce IT vulnerabilities and the risk of compromise. Providers often provide cloud-native controls that provide hardening of the environment to prevent attacks.

Cloud Access Security Brokers (CASB) - Software tools that serve as intermediaries between cloud service users and cloud service providers. The placement allows the tool to monitor user activity and enforce policy requirements.
- Inline CASB - Physically or logically reside in the connection path between the user and service. Can be through a hardware appliance or an endpoint agent. Requires configuration of the network and/or endpoint devices. Requests are seen before they are sent to the cloud service.
- API-based CASB - Do not interact directly with the user but with the cloud provider through the provider’s API. Provides direct access to the cloud service and does not require any user device configuration. Does not allow the CASB to block requests that violate policy. Only provide monitoring of user activity and reporting or correcting policy violations after the fact.

Resource policies - Customers can use to limit the actions that users of their accounts may take. This can limit damage caused by an accidental command or compromised account. These are coded into the system configuration.

Secrets management - Hardware security modules (HSMs) are special purpose computing devices that manage encryption keys and also perform cryptographic operations in a highly efficient manner. HSMs are expensive to purchase and operate but provide a high level of security. They can create and manage encryption keys without exposing them to a single human being, reducing the likelihood that they will be compromised.