Seek 7: Security the Cloud - Architecture Flashcards

1
Q

Building and operating a cloud securely and efficiently entails a great deal of planning
– Ingredients: A data center, hardware, a set of enabling software, a staff with broad and deep experience, and processes to make it work
– At a high level, we start with a ___ and redundant ___ to a cloud ingress
– Then we add a massive amount of gear that is racked and cabled following well-defined ___

A

data center, Internet connections

patterns

2
Q

NIST defined cloud computing as an IT model for “enabling convenient, on-demand network access to a ____ that can be rapidly ____ with minimal management effort or service provider interaction”

A

shared pool of configurable computing resources

provisioned and released

3
Q

Failing to plan cloud deployment appropriately will typically lead to ___

A

higher ongoing costs due to inefficiencies in design and processes

4
Q

A reasonable approach to cloud deployment entails prudent architecture that considers the need for ___

A

inevitable evolution and reserves flexibility for such evolution

5
Q

Factors Driving the Cloud Deployment Requirements

A
Costs and Resources
Reliability
Performance
The Security Triad
Legal and regulatory constraints
6
Q

Cloud facility physical security

A

The scope of physical security involves a range of measures to prevent, detect, and respond to unauthorized access to the facility

Physical security should be viewed as a system for protection, with individual security elements complementing each other in a multifaceted and layered defense

7
Q

AWS physical security

A

AWS’s world-class, highly secure data centers utilize state-of-the-art electronic surveillance and multi-factor access control systems

8
Q

All aspects of security should be captured in a ___

A

cloud security policy

9
Q

cloud security policy

A

– A formal document that has the complete approval of management
– Should not provide technical details, but rather spell out all security requirements from an organizational or business standpoint

10
Q

cloud security policy supporting documents

A

guidelines
acceptable use policy
security standards

11
Q

cloud security policy supporting documents - guidelines

A

A set of guidelines for enabling security in the development of infrastructure software, infrastructure management processes, and operational procedures

12
Q

cloud security policy supporting documents - acceptable use policy

A

This policy should specify what the consequences for violations are

13
Q

Security standards for a cloud should address…

A
Access Controls
Incident Response and Management
System and Network Configuration Backups
Password Policies
Security Testing
Data and Communications Encryption
Continuous Monitoring
14
Q

Security standards for a cloud - access control

A

Should be at a granularity necessary to guide implementation of physical access to facilities and logical access to systems and applications

15
Q

Security standards for a cloud - Incident Response and Management

A

Should detail all roles and responsibilities of various parties along with procedures and timelines from detection through postmortem reporting

16
Q

Security standards for a cloud - System and Network Configuration Backups

A

It is critical to have current and authoritative copies of all configurations including infrastructure components, servers, and switches as well as for all hosted systems

17
Q

Security standards for a cloud - Password Policies

A

Should detail the qualities that acceptable passwords must comply with

18
Q

Security standards for a cloud - Security Testing

A
  • The cloud provider must perform and document the results of initial and periodic security testing
  • This standard should include roles and responsibilities as well as detailing when third-party testing or reviews should be performed
19
Q

Security standards for a cloud - Data and Communications Encryption

A

Should detail functional areas (such as web server traffic), the approved cryptographic algorithms and the required key lengths

20
Q

Security standards for a cloud - Continuous Monitoring

A

Should detail how configuration management and change control are performed to support ongoing security

21
Q

The correct operation of systems and authoritative system logs depends on the ___

A

correct time

Correct and synchronized time becomes especially important with communicating computers residing in different locations, which need to have their record and event timestamps synchronized to a single source

22
Q

Synchronized Time Source

A

Network Time Protocol (NTP)

23
Q

Network Time Protocol provides ____

A

Coordinated Universal Time (UTC)

24
Q

Requirements – Identity Management

A

Consider using a federated identity system to allow for identity portability for the user population and to present a single mechanism for internal access as well as tenant and user access
• A federated identity management system will allow for interoperability with customer and third-party identity providers or domains

25
Q

Assure that when identities are de-provisioned, historical information for users ___

A

is maintained to allow for future legal investigations

26
Q

Implement ___ for all remote control or remote access by operations personnel

A

whitelisted source IP addresses

27
Q

A key escrow implementing ___ control can be used to protect keys

A

M of N
M of N control requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks

28
Q

In a cloud, audit events will be generated in fundamentally different ___

A

trust zones

Security events are recognized as having different degrees of integrity

29
Q

Security monitoring must be a ___ and ___ service that is accessible internally or remotely in a secure manner

A

highly available

hardened

30
Q

Security monitoring must include generation of alerts based on ___

A

automated recognition of critical security events

31
Q

Implementing a cloud-wide ___ and expressing this as a service for tenants or users

A

intrusion and anomaly detection capability

32
Q

Incident management and response must be in line with ___

There must be a process in place to ___ to incidents

A

SLAs and the security policy

detect, identify, assess, and respond

33
Q

Ensure that incident management includes clear and reliable means for customers and tenants to ___

A

report situations or events to the provider

34
Q

To be most effective, vulnerability and penetration testing should be coordinated with ___

A

monitoring and configuration management

35
Q

General Infrastructure Security Requirements

A

Maintain open ports to a minimum

Implement the means to assure continuity of operations in line with SLAs

Ensure that network connectivity is maintained by use of multiple pathways to the cloud services

Ensure that the facility has ample power recovery capabilities and power is distributed to the infrastructure in a manner that allows for redundant infrastructure in the event that power is lost

Ensure that de-provisioned internal IP addresses, such as one previously assigned to a tenant’s VM, are sufficiently aged before being recycled for use by another tenant

36
Q

Example of defense in depth

A

VPN, whitelisted source IP, security token

37
Q

Honeypots

A

can be used by CSP network, tenant networks

CSPs could use a honeypot VM for each physical server to detect intrusions at the hypervisor level

38
Q

Sandboxing uses a form of ___ or ___ between applications and the OS in which they are running

A

virtualization

abstraction

39
Q

Public clouds face several challenges in ensuring sufficient ___ between tenants, especially when VMs assigned to different tenants are ___

A

network isolation

co-located on a physical server

40
Q

The switching infrastructure in the cloud ___ traffic between VMs that reside on a single hardware platform

A

can’t isolate

41
Q

Isolation of VMs - Security patterns

A

Select VM technology that affords network isolation between VMs

Encrypt communication traffic into VMs

Harden security controls on VMs

Filter traffic to a VM by using a software firewall

42
Q

Network isolation can be achieved to some extent by using ____, but this is subject to vulnerabilities and misconfiguration

A

network virtualization

43
Q

___ and ___ traffic should be physically separated

A

Administrative

operational

44
Q

It should be pointed out that having multiple networks to support isolation may drive up ___

A

infrastructure costs

45
Q

A typical rack has ___ rack units (RU); servers will require one or several RUs, and a typical 1RU switch has ___ ports

A

42 48

46
Q

Use of in-rack switches to consolidate traffic

A

Additional hardware introduces a potential point for failure

Although the consequence of a single switch failing may be limited to the connectivity of a single rack, there are other factors to consider

47
Q

Given the number of racks required to implement a cloud, the in-rack switch arrangement may experience more frequent failure than the use of a ___

A

centralized core switching arrangement

carrier-grade core switches are significantly more reliable than the aggregate reliability of a higher number of in-rack switches

48
Q

Another network pattern is the use of ___ components, ___ balancing, and multiple ___ between critical components to improve reliability and availability

A

redundant
load
links

for example, redundant ingress devices

49
Q

A different and more cost-effective approach would be to architect the infrastructure in ___

A

repeating patterns

Each additional block expands the amount of processing and storage for the cloud

50
Q

Configuration Management Database (CMDB)

A

A Configuration Management Database (CMDB) is an information repository for managing the configuration of an IT system’s components

A CMDB can be used to create and manage an accurate and complete representation of the IT environment

51
Q

Cloud management software should operate based on information in the ___ and update the ___ with relevant information as it operates

A

CMDB CMDB

52
Q

One area where a CMDB offers advantages is ___

A

security

53
Q

Often overlooked in small systems, ___ contribute to a faster and more reliable implementation of infrastructure

A

cabling patterns

This becomes far more critical when infrastructure is scaled

54
Q

Cabling patterns - other considerations

A

– Many modern data center servers, especially cloud-friendly blade servers, have multiple power supplies and multiple power cords
– Furthermore, the typical data center delivers power to racks from at least two separate circuits

55
Q

Finally, it would be a significant improvement if both ends of all cables came with ___ that are both visually unique and that can be scanned by a hand-held reader

A

unique factory encodings

56
Q

The term resilience refers to ___

A

the ability to maintain an acceptable level of service when a system is subjected to faults

57
Q

Possible patterns should include reserving RUs in ___ or ___ to allow for future expansion

A

infrastructure management

security racks

58
Q

Change can also come in the form of drastic changes to the physical network that implements the cloud

One approach to minimize this is to ___

A

run Ethernet cables from core switches to patch panels above server racks and from there run patch cables to server ports

59
Q

To some, the security of a cloud computing architecture can be summarized in one phrase

Everything in a cloud is ___

A

at scale

60
Q

It appears that the technology that powers the cloud is progressing at a rate that is faster than the technology used to ___ clouds

A

secure

61
Q

In the information security space, the maturity of a particular technology relates to ___ actually is (the test of time)

A

how secure it

62
Q

3DES

A

3DES is a widely used encryption cipher, an evolution of the Data Encryption Standard (DES) cipher originally developed in the early 1970s

63
Q

DES was selected as the official ___ for the United States in 1976 after a long vetting period

A

Federal Information Processing Standard

64
Q

What might work best to manage the risk of IT failures is to adopt an encompassing enterprise ___ coupled with clear ___ and a plan to address ___

A

risk framework
business objectives
contingencies

65
Q

In the view of the Jericho Forum, it is necessary to identify ___ and ensure that they are adequately secured, whether that is from an external or an internal threat

A

critical components

66
Q

Jumphost & VPN

A

Jumphost & VPN: a security team-only set of mechanisms, to access the security network

67
Q

Virtual SOC

A

Virtual SOC: a series of user interfaces for monitoring, scanning, reporting, and analysis

68
Q

Collection & Analysis

A

Collection & Analysis: a set of capabilities that starts with the collection of security information routed to the syslog archive and then relayed to the analysis, alerting, and IDS components

69
Q

Directed Network Monitoring

A

Directed Network Monitoring: forms of monitoring that in part involve inspection of network traffic and in part involve the periodic vulnerability scanning of systems in the environment