Seek 7: Security the Cloud - Architecture Flashcards
Building and operating a cloud securely and efficiently entails a great deal of planning
–Ingredients: A data center, hardware, a set of enabling software, a staff with broad and deep experience, and processes to make it work
–At a high level, we start with a ___ and redundant ___to a cloud ingress
–Then we add a massive amount of gear that is racked and cabled following well-defined ___
data center, Internet connections
patterns
NIST defined cloud computing as an IT model for “enabling convenient, on-demand network access to a ____that can be rapidly ____with minimal management effort or service provider interaction”
shared pool of configurable computing resources
provisioned and released
Failing to plan cloud deployment appropriately will typically lead to ___
higher ongoing costs due to inefficiencies in design and processes
A reasonable approach to cloud deployment entails prudent architecture that considers the need for ___
inevitable evolution and reserves flexibility for such evolution
Factors Driving the Cloud Deployment Requirements
Costs and Resources Reliability Performance The Security Triad Legal and regulatory constraints
Cloud facility physical security
The scope of physical security involves a range of measures to prevent, detect, and respond to unauthorized access to the facility
Physical security should be viewed as a system for protection, with individual security elements complementing each other in a multifaceted and layered defense
AWS physical security
AWS’s world-class, highly secure data centers utilize state-of-the art electronic surveillance and multi-factor access control systems
All aspects of security should be captured in a ___
cloud security policy
cloud security policy
–A formal document that has the complete approval of management
–Should not provide technical details, but rather spell out all security requirements from an organizational or business standpoint
cloud security policy supporting documents
guidelines
acceptable use policy
security standards
cloud security policy supporting documents - guidelines
A set of guidelines for enabling security in the development of infrastructure software, infrastructure management processes, and operational procedures
cloud security policy supporting documents - acceptable use policy
This policy should specify what the consequences for violations are
Security standards for a cloud should address…
Access Controls Incident Response and Management System and Network Configuration Backups Password Policies Security Testing Data and Communications Encryption Continuous Monitoring
Security standards for a cloud - access control
Should be at a granularitynecessary to guide implementation of physical access to facilities and logical access to systems and applications
Security standards for a cloud - Incident Response and Management
Should detail all rolesand responsibilitiesof various parties along with proceduresand timelinesfrom detection through postmortem reporting
Security standards for a cloud - System and Network Configuration Backups
It is critical to have current and authoritative copies of all configurations including infrastructure components, servers, and switches as well as for all hosted systems
Security standards for a cloud - Password Policies
Should detail the qualitiesthat acceptable passwords must comply with
Security standards for a cloud - Security Testing
- The cloud provider must perform and document the results of initial and periodic security testing
- This standard should include rolesand responsibilitiesas well as detailing when third-party testing or reviews should be performed
Security standards for a cloud - Data and Communications Encryption
Should detail functional areas (such as web server traffic), the approved cryptographic algorithms and the required key lengths
Security standards for a cloud - Continuous Monitoring
Should detail how configuration management and change control are performed to support ongoing security
The correct operationof systems and authoritative system logs depends on the___
correct time
Correct and synchronized time becomes especially important with communicating computers residing in different locations, which need to have their record and event timestamps synchronized to a single source
Synchronized Time Source
Network Time Protocol (NTP)
Network Time Protocol provides____
Coordinated Universal Time (UTC)
Requirements –Identity Management
Consider using a federated identity system to allow for identity portability for the user population and to present a single mechanism for internal access as well as tenant and user access
•A federated identity management system will allow for interoperability with customer and third-party identity providers or domains
Assure that when identities are de-provisioned, historical information for users___
is maintainedto allow for future legal investigations
Implement ___ for all remote control or remote access by operations personnel
whitelisted source IP addresses
A key escrow implementing ___ control can be used to protect keys
M of N
M of N control requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks