Seek 7: Security the Cloud - Architecture

Question 1

Building and operating a cloud securely and efficiently entails a great deal of planning
–Ingredients: A data center, hardware, a set of enabling software, a staff with broad and deep experience, and processes to make it work
–At a high level, we start with a ___ and redundant ___to a cloud ingress
–Then we add a massive amount of gear that is racked and cabled following well-defined ___

Answer 1

data center, Internet connections

patterns

Question 2

NIST defined cloud computing as an IT model for “enabling convenient, on-demand network access to a ____that can be rapidly ____with minimal management effort or service provider interaction”

Answer 2

shared pool of configurable computing resources

provisioned and released

Question 3

Failing to plan cloud deployment appropriately will typically lead to ___

Answer 3

higher ongoing costs due to inefficiencies in design and processes

Question 4

A reasonable approach to cloud deployment entails prudent architecture that considers the need for ___

Answer 4

inevitable evolution and reserves flexibility for such evolution

Question 5

Factors Driving the Cloud Deployment Requirements

Answer 5

Costs and Resources
Reliability
Performance
The Security Triad
Legal and regulatory constraints

Question 6

Cloud facility physical security

Answer 6

The scope of physical security involves a range of measures to prevent, detect, and respond to unauthorized access to the facility

Physical security should be viewed as a system for protection, with individual security elements complementing each other in a multifaceted and layered defense

Question 7

AWS physical security

Answer 7

AWS’s world-class, highly secure data centers utilize state-of-the art electronic surveillance and multi-factor access control systems

Question 8

All aspects of security should be captured in a ___

Answer 8

cloud security policy

Question 9

cloud security policy

Answer 9

–A formal document that has the complete approval of management
–Should not provide technical details, but rather spell out all security requirements from an organizational or business standpoint

Question 10

cloud security policy supporting documents

Answer 10

guidelines
acceptable use policy
security standards

Question 11

cloud security policy supporting documents - guidelines

Answer 11

A set of guidelines for enabling security in the development of infrastructure software, infrastructure management processes, and operational procedures

Question 12

cloud security policy supporting documents - acceptable use policy

Answer 12

This policy should specify what the consequences for violations are

Question 13

Security standards for a cloud should address…

Answer 13

Access Controls
Incident Response and Management
System and Network Configuration Backups
Password Policies
Security Testing
Data and Communications Encryption
Continuous Monitoring

Question 14

Security standards for a cloud - access control

Answer 14

Should be at a granularitynecessary to guide implementation of physical access to facilities and logical access to systems and applications

Question 15

Security standards for a cloud - Incident Response and Management

Answer 15

Should detail all rolesand responsibilitiesof various parties along with proceduresand timelinesfrom detection through postmortem reporting

Question 16

Security standards for a cloud - System and Network Configuration Backups

Answer 16

It is critical to have current and authoritative copies of all configurations including infrastructure components, servers, and switches as well as for all hosted systems

Question 17

Security standards for a cloud - Password Policies

Answer 17

Should detail the qualitiesthat acceptable passwords must comply with

Question 18

Security standards for a cloud - Security Testing

Answer 18

• The cloud provider must perform and document the results of initial and periodic security testing
• This standard should include rolesand responsibilitiesas well as detailing when third-party testing or reviews should be performed

Question 19

Security standards for a cloud - Data and Communications Encryption

Answer 19

Should detail functional areas (such as web server traffic), the approved cryptographic algorithms and the required key lengths

Question 20

Security standards for a cloud - Continuous Monitoring

Answer 20

Should detail how configuration management and change control are performed to support ongoing security

Question 21

The correct operationof systems and authoritative system logs depends on the___

Answer 21

correct time

Correct and synchronized time becomes especially important with communicating computers residing in different locations, which need to have their record and event timestamps synchronized to a single source

Question 22

Synchronized Time Source

Answer 22

Network Time Protocol (NTP)

Question 23

Network Time Protocol provides____

Answer 23

Coordinated Universal Time (UTC)

Question 24

Requirements –Identity Management

Answer 24

Consider using a federated identity system to allow for identity portability for the user population and to present a single mechanism for internal access as well as tenant and user access
•A federated identity management system will allow for interoperability with customer and third-party identity providers or domains

Question 25

Assure that when identities are de-provisioned, historical information for users___

Answer 25

is maintainedto allow for future legal investigations

Question 26

Implement ___ for all remote control or remote access by operations personnel

Answer 26

whitelisted source IP addresses

Question 27

A key escrow implementing ___ control can be used to protect keys

Answer 27

M of N
M of N control requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks

Question 28

In a cloud, audit events will be generated in fundamentally different ___

Answer 28

trust zones

Security events are recognized as having different degrees of integrity

Question 29

Security monitoring must be a ___ and ___service that is accessible internally or remotely in a secure manner

Answer 29

highly available

hardened

Question 30

Security monitoring must include generation of alerts based on ___

Answer 30

automated recognition of critical security events

Question 31

Implementing a cloud-wide ___and expressing this as a service for tenants or users

Answer 31

intrusion and anomaly detection capability

Question 32

Incident management and response must be in line with ___

There must be a process in place to ___to incidents

Answer 32

SLAs and the security policy

detect, identify, assess, and respond

Question 33

Ensure that incident management includes clear and reliable means for customers and tenants to ___

Answer 33

report situations or events to the provider

Question 34

To be most effective, vulnerability and penetration testing should be coordinated with ___

Answer 34

monitoring and configuration management

Question 35

General Infrastructure Security Requirements

Answer 35

Maintain open ports to a minimum

Implement the means to assure continuity of operations in line with SLAs

Ensure that network connectivityis maintained by use of multiple pathways to the cloud services

Ensure that the facility has ample power recovery capabilitiesand power is distributed to the infrastructure in a manner that allows for redundant infrastructure in the event that power is lost

Ensure that de-provisioned internal IP addresses, such as one previously assigned to a tenant’s VM, are sufficiently aged before being recycled for use by another tenant

Question 36

Example of defense in depth

Answer 36

VPN, whitelisted source IP, security token

Question 37

Honeypots

Answer 37

can be used by CSP network, tenant networks

CSPs could use a honeypot VM for each physical server to detect intrusions at the hypervisor level

Question 38

Sandboxing uses a form of ___or ___between applications and the OSin which they are running

Answer 38

virtualization

abstraction

Question 39

Public clouds face several challenges in ensuring sufficient ___ between tenants, especially when VMs assigned to different tenants are ___

Answer 39

network isolation

co-located on a physical server

Question 40

The switching infrastructure in the cloud ___traffic between VMs that reside on a single hardware platform

Answer 40

can’t isolate

Question 41

Isolation of VMs - Security patterns

Answer 41

Select VM technology that affords network isolation between VMs

Encrypt communication traffic into VMs

Harden security controls on VMs

Filter traffic to a VM by using a software firewall

Question 42

Network isolation can be achieved to some extent by using ____, but this is subjected to vulnerabilities and misconfiguration

Answer 42

network virtualization

Question 43

___and ___traffic should be physically separated

Answer 43

Administrative

operational

Question 44

It should be pointed out that having multiple networks to support isolation may drive up ___

Answer 44

infrastructure costs

Question 45

A typical rack has ___rack units(RU), servers will require one or several RUs and a typical 1RU switch as ___ports

Answer 45

42 48

Question 46

Use of in-rack switches to consolidate traffic

Answer 46

Additional hardware introduces a potential point for failure

Although the consequence of a single switch failing may be limited to the connectivity of a single rack, there are other factors to consider

Question 47

Given the number of racks required to implement a cloud, the in-rack switch arrangement may experience more frequent failurethan the use of a ___

Answer 47

centralized core switching arrangement

carrier-grade core switches are significantly more reliable than the aggregate reliability of a higher number of in-rack switches

Question 48

Another network pattern is the use of ___components,
___balancing, and multiple___ between critical components
to improve reliability and availability

Answer 48

redundant
load
links

for examples - redundant ingress devices

Question 49

A different and more cost-effective approach would be to architect the infrastructure in ___

Answer 49

repeating patterns

Each additional block expands the amount of processing and storage for the cloud

Question 50

Configuration Management Database (CMDB)

Answer 50

A Configuration Management Database (CMDB)is an information repository for managing the configuration of an IT system’s components

A CMDB can be used to create and manage an accurate and complete representation of the IT environment

Question 51

Cloud management software should operate based on information in the ___and update the ___with relevant information as it operates

Answer 51

CMDB CMDB

Question 52

One area where a CMDB offers advantages is ___

Answer 52

security

Question 53

Often overlooked in small systems, ___contribute to a faster and more reliable implementationof infrastructure

Answer 53

cabling patterns

This becomes far more critical when infrastructure is scaled

Question 54

Cabling patters other considerations

Answer 54

–Many modern data center servers, especially cloud friendly blade servers, have multiple power supplies and multiple power cords
–Furthermore, the typical data center delivers power to racks from at least two separate circuits

Question 55

Finally, it would be a significant improvement if both ends of all cables came with ___that are both visually unique and that can be scanned by a hand-held reader

Answer 55

unique factory encodings

Question 56

The term resilience refers to ___

Answer 56

the ability to maintain an acceptable level of service when a system is subjected to faults

Question 57

Possible patterns should include reserving RUs in ___ or ___to allow for future expansion

Answer 57

infrastructure management

security racks

Question 58

Change can also come in the form of drastic changes to the physical networkthat implements the cloud

One approach to minimize this is to__

Answer 58

run Ethernet cables from core switches to patch panelsabove server racks and from there run patch cables to server ports

Question 59

To some, the security of a cloud computing architecture can be summarized in one phrase

Everything in a cloud is ___

Answer 59

at scale

Question 60

It appears that the technology that powers the cloud is progressing at a rate that is faster than the technology used to ___clouds

Answer 60

secure

Question 61

In the information security space, the maturity of a particular technology relates to ___ actually is(the test of time)

Answer 61

how secure it

Question 62

3DES

Answer 62

3DESis a widely used encryption cipher, an evolutionof the Data Encryption Standard (DES)cipher originally developed in the early 1970s

Question 63

DES was selected as the official ___ for the United States in 1976 after a long vetting period

Answer 63

Federal Information Processing Standard

Question 64

What might work best to manage the risk of IT failures is to adopt an encompassing enterprise ___coupled with clear___ and a plan to address ___

Answer 64

risk framework
business objectives
contingencies

Question 65

In the view of the Jericho Forum, it is necessary to identify___and ensure that they are adequately secured, whether that is from an external or an internal threat

Answer 65

critical components

Question 66

Jumphost & VPN

Answer 66

Jumphost& VPN:a security team-only set of mechanisms, to access the security network

Question 67

Virtual SOC

Answer 67

Virtual SOC: a series of user interfaces for monitoring, scanning, reporting, and analysis

Question 68

Collection & Analysis

Answer 68

Collection & Analysis:a set of capabilities that starts with the collection of security informationrouted to the syslogarchive andthen relayed to the analysis, alerting, and IDS components

Question 69

Directed Network Monitoring

Answer 69

Directed Network Monitoring:forms of monitoring that in part involve inspection of network trafficand in part involve the periodicvulnerability scanningof systems in the environment