Virtualization and Cloud Computing Flashcards
You work for a data security firm. Your cloud deployment must ensure that the company’s data is always available even in the event of a natural disaster. Which aspect of cloud computing BEST addresses this need?
A)Encryption
B)Connectivity
C)Automation
D)Replication
D)Replication
Replication best addresses the need for the company’s data to be always available, even in the event of a natural disaster. Replication is the copying of data across multiple data centers. A typical replication setup involves a main data center that has the data, which is then replicated in separate backup centers. A subset of replication is file synchronization. Cloud environments now enable users to synchronize the files on their local device with the files stored in the cloud to ensure that both file sets are congruent with each other.
Virtualization via cloud technology allows you to replicate entire virtual machine setups, including exact configurations of servers, applications, and service packs remotely.
Synchronous replication copies every write to the remote facility before the write is acknowledged, so the replica is always identical to the primary and a failover loses effectively no data (a recovery point objective of zero). The cost is latency: every write waits for the remote commit, so synchronous replication needs fast, reliable links between sites, and an unreachable replica stalls the primary.
Asynchronous replication acknowledges the write locally and ships the changes to the remote site afterwards, either continuously with some lag or in scheduled batches. It is more cost effective than synchronous replication, tolerates slower or higher-latency networks, and does not slow down the primary, but any changes that have not yet been shipped when the primary site is lost are gone.
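The difference in data loss between the two modes, as an added worked example that is not part of the original flashcards. It is a simplified in-memory model written for this page, not a real storage product; the site names, batch size and write sequence are constructed for the demo.

```python
"""Added example: a simplified model of synchronous versus asynchronous
replication between a primary site and a remote replica. Illustrative Python,
not a storage product; site names, batch size and writes are constructed."""
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    data: dict = field(default_factory=dict)
    online: bool = True


class Replicator:
    def __init__(self, primary, replica, mode, batch_size=3):
        if mode not in ("sync", "async"):
            raise ValueError("mode must be 'sync' or 'async'")
        self.primary = primary
        self.replica = replica
        self.mode = mode
        self.batch_size = batch_size
        self.pending = []  # async only: committed locally, not yet shipped

    def write(self, key, value):
        """Commit a write at the primary and return once it is acknowledged."""
        if not self.primary.online:
            raise RuntimeError(f"{self.primary.name} is offline")
        if self.mode == "sync":
            # Synchronous: acknowledged only after the replica has committed
            # too, so the replica never lags (RPO of zero). The price is that
            # a slow or unreachable replica blocks the primary.
            if not self.replica.online:
                raise RuntimeError("replica unreachable; synchronous write blocked")
            self.replica.data[key] = value
            self.primary.data[key] = value
            return
        # Asynchronous: acknowledge locally, ship changes later in batches.
        self.primary.data[key] = value
        self.pending.append((key, value))
        if len(self.pending) >= self.batch_size:
            self.flush()

    def flush(self):
        """Ship pending async changes; waits silently if the replica is down."""
        if not self.replica.online:
            return
        for key, value in self.pending:
            self.replica.data[key] = value
        self.pending.clear()

    def disaster_at_primary(self):
        """Primary site lost; whatever was not shipped is gone for good."""
        self.primary.online = False
        self.pending.clear()


def lost_records(intended, replica):
    """Records the business believes were saved but the replica lacks."""
    return {k: v for k, v in intended.items() if replica.data.get(k) != v}


def simulate(mode, n_writes=5, batch_size=3):
    """Write n records, lose the primary, count what the replica is missing."""
    primary, replica = Site("palo-alto"), Site("remote-dr")
    rep = Replicator(primary, replica, mode, batch_size)
    intended = {}
    for i in range(n_writes):
        rep.write(f"order-{i}", f"payload-{i}")
        intended[f"order-{i}"] = f"payload-{i}"
    rep.disaster_at_primary()
    return len(lost_records(intended, replica))


if __name__ == "__main__":
    print("sync  records lost:", simulate("sync"))   # 0
    print("async records lost:", simulate("async"))  # 2: last batch never shipped
```

With five writes and a batch size of three, the asynchronous replica is missing the two writes that were still pending when the primary was lost, while the synchronous replica is missing nothing; the same model also shows the synchronous mode refusing writes while its replica is unreachable.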
Encryption provides confidentiality, not availability. Various compliance regulations and company policies need data at rest and data in transit to be encrypted for security. Data in storage not passing over a network is called “data at rest.” The data is encrypted using keys that are managed either by the cloud service provider or by the end user. This depends on the cloud offering in use. When data is encrypted, its backed-up or mirrored versions need to be encrypted as well.
Connectivity covers the ability of a customer to access cloud management services remotely and does not involve data recovery. Cloud providers give customers access to the cloud via a virtual private network (VPN). VPNs provide safe and encrypted communication. A VPN in context of cloud computing allows customers to access their cloud applications remotely and securely over an unsafe public network like the Internet. A cloud consumer can monitor or manage the cloud deployment using the VPN. The VPN itself can be provided either by the cloud management center or a service provider.
Automation allows consumers to manage their cloud deployment. It does not cover how data is backed up or recovered. Various orchestration platforms provide an automated solution for consumers to manage the services of their cloud deployment. This is done through a dashboard that can be accessed with a web browser. The dashboard allows for the rapid deployment of new cloud services and applications as needed by the cloud users.
Which cloud computing term refers to a feature that allows a provider to dynamically adjust resource allocation, based on demand?
A)metered service
B)on demand
C)rapid elasticity
D)resource pooling
For the A+ exam, you must also understand the following basic cloud concepts:
SaaS – Software as a Service. Instead of installing software on their computers, users can access the software over the Internet, typically paying a subscription fee for use. An example is Microsoft Office 365.
IaaS – Infrastructure as a Service. Instead of buying servers, storage, and other hardware components that make up the company’s infrastructure, organizations can subscribe to a service over the Internet. The service host maintains the infrastructure components and makes them available on a per-use or subscription basis. An example is Amazon Web Services.
PaaS – Platform as a Service. The provider makes hardware and software available over the Internet on a per-use or subscription basis. PaaS is often used in application development.
Public vs. Private vs. Hybrid vs. Community – Public clouds are those that are made available to (typically) anyone that can pay. Private clouds are used by a single organization. Community clouds are for groups of subscribers that have common usage and requirements. Hybrid clouds are comprised of more than one type of cloud.
C)rapid elasticity
Rapid elasticity is a cloud computing term that refers to a feature that allows a provider to dynamically adjust resource allocation, based on demand. Examples of such resources include CPU allocation, memory, storage, and bandwidth.
Resource pooling allows the provider to service multiple customers using the same resources. This means that the consumers share the physical devices on which they reside. Organizations should research the security implications of such a deployment scenario.
Metered (or measured) service is a term that applies to paying for services on a per-use basis, such as CPU time, GB of storage, or network bandwidth use. Your cell phone data plan, measured in GB of data transferred per month, could be an example of a metered service.
On demand is a term that refers to a cloud provider’s ability to make resources available to clients when needed. Amazon Web Services (AWS) is an example of an on-demand service.
You are responsible for managing the virtual computers on your network. Which guideline is important when managing virtual computers?
A)Isolate the host computer and each virtual computer from each other.
B)Install and update the antivirus program only on the host computer.
C)Update the operating system and applications only on the host computer.
D)Implement a firewall only on the host computer.
A)Isolate the host computer and each virtual computer from each other.
You should isolate the host computer and each virtual computer from each other.
None of the other statements is correct when managing virtual computers. You should update the operating system and application on the host computer and all virtual computers. You should implement a firewall on the host computer and all virtual computers. You should install and update the antivirus program on the host computer and all virtual computers.
Virtual computers allow you to use a single physical computer to host multiple operating systems environments. The main purpose of virtual machines is to better utilize resources. To the end user, the virtual machines appear as a physical computer. However, when implementing virtualization, you need to keep the following in mind:
Resource requirements – Depending on which environments you want to create, you will have specific hardware requirements. The hardware in the physical machine must provide at least the minimum requirements for each of the operating system and applications that it will host. In addition, virtualization software will be needed. It is recommended that you use MUCH more than the hardware minimums to ensure that your virtualization environment operates at optimum levels. Also, the limitations of the virtual machines are enforced by the limitations of the physical computers.
Emulator requirements – Hypervisors generally rely on hardware-assisted virtualization: CPU virtualization extensions (Intel VT-x or AMD-V) that must be present on the processor and enabled in the system firmware (BIOS/UEFI). Some older or budget motherboards and firmware versions lack them or ship with them disabled. With these extensions the hypervisor runs guest code directly on the processor instead of emulating it, and can allocate memory and CPU time to each virtual machine as needed.
Security requirements – All virtual machines have the same security requirements as the physical computer. Security updates, patches, and all service packs should be kept up-to-date on ALL virtual machines, not just the host computer. In addition, each virtual machine will need anti-virus and anti-malware software.
Network requirements – Each virtual machine may need network access. Network administrators will need to decide whether each virtual machine is bridged onto the physical network with its own IP address, or reaches the network through the host (NAT), sharing the host’s IP address with individual services exposed through port forwarding. A bridged VM is directly reachable and must be firewalled like any other host; a NAT-only VM is hidden behind the host but can still initiate outbound connections.
Hypervisor – This is the management software that allows a physical computer to host multiple virtual machines. While there are many options available, each organization will have to decide which option is best based on their organization’s requirements, performance needs, and cost constraints.
You work for a data mining company. All the company’s servers are in the office complex in Palo Alto, California. Because the company is planning an expansion in the next financial year, you have been asked to migrate all on-premises operations to a cloud-based system.
Which of the following actions will you need to do BEFORE performing the actual migration?
A)Allocate time for performing the migration.
B)Create documentation of all existing systems.
C)Document IP numbering, routing, and security protocols for the office network.
D)All of these options are required.
D)All of these options are required.
All of these options are required. Before you migrate to a cloud-based solution, certain preparations need to take place, including documenting the office network, allocating time for the migration, and documenting existing systems. Some of the key aspects of a cloud migration process include:
Change management – For any kind of system transition, whether it is from a data center to a cloud system or from one cloud to another, the change can cause an outage that impacts the company’s operations. Change management helps mitigate the impact.
Reviewing and approving all necessary changes – Changes must be approved by the change control board before the migration can be implemented because a change can impact non-IT activities, such as human resources, finance, and administration.
Scheduling a migration timeline – During the planning stage of the migration, the company will need to schedule a migration timeline. This usually is scheduled during the time that is set aside for system outages and repairs.
Completing documentation – All existing documentation of the on-premises systems needs to be reviewed and updated if necessary. This includes the complete documentation of the office network.
Designing cloud workflows – Design the cloud infrastructure and set up the workflows.
Setting automation – A cloud service provider has automation tools in place for consumers to control the automation systems using command line interfaces, web-based dashboards, or programming APIs.
Deploying to production – After designing the cloud infrastructure and migrating the company’s data and applications to a sandbox environment for testing, the new cloud can be deployed to a live environment.
Setting monitoring tools – After the company’s applications are completely deployed onto the cloud, there needs to be tools to monitor the system to ensure that it is performing as expected per pre-established metrics and norms.
What is the term for an application that is accessed over the Internet as opposed to being installed on a local device?
A)SaaS
B)Resource pooling
C)IaaS
D)PaaS
A)SaaS
Software as a Service (SaaS) is the term for an application that is accessed over the Internet as opposed to being installed on a local device. Instead of installing software on their computers, users can access the software over the internet, typically paying a subscription fee for use. An example of this is Microsoft Office 365.
Infrastructure as a Service (IaaS) is a cloud service model that makes infrastructure components (servers, storage, and other hardware) available on a per-use or subscription basis. The service host maintains the infrastructure components. An example is Amazon Web Services.
Platform as a Service (PaaS) is a cloud service model that makes hardware and software available on a per-use or subscription basis. PaaS is often used in application development.
Resource pooling makes SaaS, IaaS, and PaaS available to multiple consumers simultaneously. This means that the consumers share the physical devices on which they reside. Organizations should research the security implications of such a deployment scenario.
You are working with a company that develops projects for the government and hosts a lot of sensitive data. Its other projects require a large server farm and processing that may need to be scaled from a few hundred to a few million users at a time. You need a cloud model to allocate cloud resources appropriately to meet these needs. Which cloud deployment model should you use?
A)Public
B)Hybrid
C)Private
D)Community
B)Hybrid
You would use a hybrid cloud deployment model. This allows you to have the scalability offered by public cloud providers while keeping certain data secure in a private cloud. Cloud computing provides elasticity of resources, meaning resources can be added as needed, providing virtually unlimited computing power.
Hybrid – A hybrid cloud combines two or more cloud models (community, public, or private) in a centrally managed infrastructure. A hybrid cloud can support a situation where a private cloud’s peak processing shoots up beyond a normal threshold and must draw extra compute resources from a public cloud without needing to add infrastructure to the private cloud. This is called cloud bursting (burstable capacity). Hybrid is also a good choice when part of the cloud solution must be hosted internally, often for security reasons, while other parts can be hosted outside the organization’s network.
Which term refers to a cloud infrastructure that provides services to many related organizations?
A)private cloud
B)community cloud
C)public cloud
D)hybrid cloud
B)community cloud
A community cloud refers to a cloud infrastructure that provides services to many related organizations. As an example, Ohio government agencies could share cloud infrastructure resources to manage data about Ohio citizens. Another example could be an infrastructure to support a retailer and its suppliers.
Your company has decided to use a public cloud deployment. Which statement is correct regarding the security implications?
A)Surges in demand require that company resources will need to be adjusted accordingly.
B)Other tenants could gain physical access to the resources that store your company’s data.
C)The local ISP and power grid can impact the availability of resources stored on the cloud.
D)Security issues are the sole responsibility of your company’s personnel.
B)Other tenants could gain physical access to the resources that store your company’s data.
When using a public cloud deployment, your data sits on physical hosts and storage that are shared with other tenants (multitenancy), so there is a risk that other tenants can gain physical access to the resources that store your company’s data. Isolation between tenants depends on the provider’s hypervisor, storage, and data-center controls rather than on anything your own personnel control.
All of the other statements are security implications of implementing a private cloud, not a public cloud.
Security issues are the sole responsibility of your company’s personnel for a private cloud. Public cloud deployments share the responsibility between the cloud provider’s personnel and organizational personnel, depending on the guidelines set out in the service level agreement (SLA) and other contracts.
The local ISP and power grid can impact the availability of resources stored on the cloud for a private cloud hosted on premises: a local outage takes the data itself offline and affects any attempt to access it. With a public cloud, a local outage only affects access from that location; personnel could go to an alternate location or access the data by other means, such as a mobile device’s hotspot.
Surges in demand that affect company resources would concern a private cloud. Demand surges in a public cloud deployment would affect the cloud service provider’s resources rather than the company resources.
For the A+ exam, you need to understand the different security methods and considerations for each cloud deployment. In most cases, a private cloud will have the opposite security implications and considerations of a public cloud. For example, with a private cloud, you retain complete physical control of the data, while with a public cloud, the physical control of the data rests with the cloud provider.
Whenever considering implementing and using cloud services, organizations need to be aware of several key elements: multitenancy, elasticity, scalability, and security implications. Multitenancy is when several different cloud users are accessing the same computing resource, which often happens when different cloud tenants store data within the same server. It is critical to cloud availability that providers have servers that can handle these types of large workloads. Cloud elasticity refers to the degree a system can adapt to workload changes by provisioning and de-provisioning resources automatically. Cloud scalability refers to a cloud system being able to allocate more resources automatically to handle greater workloads as more users and organizations utilize various cloud services and applications.
Cloud security implications depend on the type of cloud being used. Public clouds are often seen as the riskiest form of clouds, as they are open for public connection and give greater exposure to malicious attackers. A private cloud only allows specific and authorized users to gain access, making it far harder to breach and easier to manage.
You are creating a fleet of virtual servers for your cloud deployment. Your team has been working for a week to configure an ideal virtual machine with all of the required applications and settings. Now you need to create 100 additional identical virtual machines. What is the most efficient way to do this?
A)Cloning
B)Patching
C)Snapshots
D)Hotfixes
A)Cloning
Cloning is the most efficient way to create identical virtual machines. The cloning process takes a master image of a virtual machine and duplicates it to create identical new virtual machines. Each of the cloned VMs receives a different universally unique identifier (UUID) and media access control (MAC) address to prevent any conflict with the original server it was cloned from.
The key difference between cloning and taking a snapshot is that a snapshot is used to revert a virtual machine to an older state, while cloning is used to create new virtual machines based on an existing one. To create a new VM from a snapshot, you must first convert the snapshot into a master image. Snapshots are created using management tools provided for working in the cloud’s virtual environment. The snapshot is stored as a file and contains a copy of the virtual machine’s state, including its operating system and application state. It also includes the data stored on the virtual machine at that time and its complete configuration. A snapshot is created as the virtual machine is running. Snapshots can be used for rollbacks and backups as well as point-in-time restores.
You should not create a hotfix. A hotfix is a software update aimed at resolving an immediate issue with the software. Hotfixes do not have to be public releases, but can be made for specific customers. Hotfixes are usually geared towards fast deployment for rectifying bugs, meaning that they do not follow the same quality assurance (QA) and testing procedures as with a formal software release or version update. Because hotfixes can sometimes introduce new bugs into the application, you need to weigh the severity of the existing bug with the risk of new bugs that may be introduced. It might be better to defer the fix until the next proper version update, which should have a full QA testing process.
You should not create a patch. A patch is an update that fixes a known problem with the software application or operating system. Patches are intended to address security issues or improve the performance of the software. They do not add additional features, but remove undesirable behavior in the software and improve usability.
You are responsible for managing your company’s virtualization environment. Which feature should NOT be allowed on a virtualization host?
A)browsing the Internet
B)implementing a firewall
C)implementing IPsec
D)monitoring the event logs
A)browsing the Internet
You should not allow browsing the Internet on a virtualization host. This can present a possible security breach through the introduction of spyware or malware. Anything that affects a virtualization host also affects all virtual computers on the host. Virtual servers have the same information security requirements as physical servers.
You should implement IPsec, implement a firewall, and monitor the event logs of a virtualization host. IPsec helps by encrypting data as it transmits across the network. Firewalls prevent unauthorized access to a physical or virtual computer. Event logs help administrators to detect when security breaches have occurred or are being attempted.
Keep in mind that all virtual machines and their host computers have the same security requirements as any other system. You will need to implement the same controls on them as for a physical machine, including antimalware, ACLs, and firewalls, to fully protect them.
Which of these terms refers to a foundation service upon which the other two foundation services are built?
A)hybrid cloud
B)IaaS
C)PaaS
D)SaaS
B)IaaS
Infrastructure as a Service (IaaS) refers to a foundation service upon which the other two are built, as demonstrated in the following exhibit:
Instead of buying servers, storage, and other hardware components that make up the company’s infrastructure, organizations can subscribe to a service over the Internet. The service host maintains the infrastructure components and makes them available on a per-use or subscription basis. An example is Amazon Web Services.
Software as a Service (SaaS) makes software available through the cloud. Instead of installing software on their computers, users can access the software over the Internet, typically paying a subscription fee for use. An example is Microsoft Office 365.
Platform as a Service (PaaS) makes software development platforms available through the cloud. The provider makes hardware and software available over the Internet on a per-use or subscription basis. PaaS is often used in application development.
A hybrid cloud consists of more than one type of cloud, drawn from private clouds, public clouds, and community clouds. Public clouds are those that are made available to (typically) anyone that can pay. Private clouds are used by a single organization. Community clouds are for groups of subscribers that have common usage and requirements.
For the A+ exam, you must understand SaaS, IaaS, PaaS, and hybrid clouds, as well as the following basic cloud concepts:
Rapid elasticity – allows the provider to quickly scale resources to the need of the subscriber. Examples include increased bandwidth, storage, or memory requirements.
On-demand – makes the resource available whenever it is desired by the client. Amazon Web Services (AWS) is an example of an on-demand service.
Resource pooling – makes the resources (SaaS, IaaS, PaaS) available to multiple consumers simultaneously. This means that the consumers share the physical devices on which they reside. Organizations should research the security implications of such a deployment scenario.
Metered (measured) service – a service that is billed based on the resource usage, such as CPU time, GB of storage, or network bandwidth use. Your cell phone data plan, measured in GB of data transferred per month, could be an example of a metered service.
You performed an operating system patch on your virtual server. Now your server is not performing as per its initial baseline, and you have found several new security issues. What will you need to do to rectify this issue?
A)Make a runbook.
B)Deploy a hotfix.
C)Perform a rollback.
D)Automate the workflow.
C)Perform a rollback.
You will need to perform a rollback. A rollback is an operation that returns a system to the state it was in before a patch, update, hotfix, transaction, or upgrade. This can be required in situations where the update failed or introduced new errors into the system. Rollbacks can be done using snapshots on virtual machines. If an upgrade fails, the pre-upgrade snapshot is simply made active on the virtual machine. Although scripts exist for performing rollbacks, in some cases it may be that the original software is simply reinstalled. Rollbacks are common in database systems when database transactions do not occur correctly or are corrupted and invalid, causing transactions to be rolled back to the point before the issues began.
You should not automate the workflow. Workflow automation provides a formal process for defining a sequence of steps needed to complete a process. On a cloud, workflow services allow for the creation of a workflow where each step is tracked before the next step is activated. This automation removes the risk of human error and provides consistency. When upgrades need to be performed for large systems, workflow automation can help create templates, making the procedure predictable and correct. Workflow automation is essential in situations where software patches need to be installed in a particular order, thus satisfying key dependencies without a risk of error. Note that automating the workflow helps with patch deployment, but does not help in a situation where a patch needs to be removed or uninstalled because of issues.
You should not make a runbook. Runbooks use scripts to perform automation of repetitive tasks such as a software package or patch installation, event responses, or even system maintenance. You can create a different runbook for each task you want to automate. When an event happens, automation or orchestration tools will execute a runbook that performs the necessary tasks for that event. For example, if the event is a virtual machine failure, the cloud management software will call the runbook that runs diagnostic analysis of the failed virtual machine, restarts the virtual machine, tests it, or installs a new virtual machine from a snapshot. Similarly, when you create a new virtual machine, you can run a different runbook to install all its necessary software and applications.
You should not create a hotfix. A hotfix is a software update aimed at resolving an immediate issue with the software. Hotfixes do not have to be public releases, but can be made for specific customers. Hotfixes are usually geared towards fast deployment for rectifying bugs, meaning that they do not follow the same quality assurance (QA) and testing procedures as with a formal software release or version update. Because hotfixes can sometimes introduce new bugs into the application, you need to weigh the severity of the existing bug with the risk of new bugs that may be introduced. It might be better to defer the fix until the next proper version update, which should have a full QA testing process.
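The snapshot-patch-verify-rollback sequence described above, as an added worked example that is not part of the original flashcards. It is an illustrative in-memory model written for this page, not a hypervisor API; the baseline, packages and the "bad patch" that re-enables a legacy service are constructed for the demo.

```python
"""Added example: patch a virtual server behind a pre-change snapshot, check
the result against its security baseline, and roll back automatically when the
baseline no longer holds. Illustrative model, not a hypervisor API; the
baseline, server state and patches are constructed for the demo."""
import copy
from dataclasses import dataclass, field


@dataclass
class VirtualServer:
    name: str
    packages: dict          # package -> version string
    listening_ports: set    # TCP ports with a listener
    services: dict          # service -> enabled?
    snapshots: dict = field(default_factory=dict)

    def snapshot(self, label):
        """Point-in-time copy of the state we care about (like a VM snapshot)."""
        self.snapshots[label] = copy.deepcopy(
            (self.packages, self.listening_ports, self.services))

    def revert(self, label):
        """Make the saved snapshot the active state again."""
        self.packages, self.listening_ports, self.services = copy.deepcopy(
            self.snapshots[label])


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def baseline_violations(vm, baseline):
    """Compare the server with its baseline; an empty list means it conforms."""
    issues = []
    for port in sorted(vm.listening_ports - baseline["allowed_ports"]):
        issues.append(f"unexpected listener on tcp/{port}")
    for svc in baseline["must_be_disabled"]:
        if vm.services.get(svc):
            issues.append(f"service {svc} must be disabled")
    for pkg, minimum in baseline["min_versions"].items():
        have = vm.packages.get(pkg, "0")
        if version_tuple(have) < version_tuple(minimum):
            issues.append(f"{pkg} {have} below minimum {minimum}")
    return issues


def patch_with_rollback(vm, apply_patch, baseline):
    """Snapshot, patch, verify; revert and report when verification fails."""
    vm.snapshot("pre-patch")
    apply_patch(vm)
    issues = baseline_violations(vm, baseline)
    if issues:
        vm.revert("pre-patch")
        return False, issues
    return True, []


# Constructed baseline for a hardened web server.
BASELINE = {
    "allowed_ports": {22, 443},
    "must_be_disabled": ["telnet", "rsh"],
    "min_versions": {"openssl": "3.0.2"},
}


def make_server():
    return VirtualServer(
        name="web-01",
        packages={"openssl": "3.0.2", "nginx": "1.24.0"},
        listening_ports={22, 443},
        services={"nginx": True, "telnet": False, "rsh": False},
    )


def good_patch(vm):
    vm.packages["openssl"] = "3.0.7"


def bad_patch(vm):
    """A patch that also drags in and enables a legacy telnet service."""
    vm.packages["openssl"] = "3.0.7"
    vm.services["telnet"] = True
    vm.listening_ports.add(23)


if __name__ == "__main__":
    srv = make_server()
    print(patch_with_rollback(srv, bad_patch, BASELINE))       # (False, [...])
    print(srv.packages["openssl"], 23 in srv.listening_ports)  # 3.0.2 False
    print(patch_with_rollback(srv, good_patch, BASELINE))      # (True, [])
```

The baseline check is what turns "the server is not performing as per its initial baseline" into something a script can decide; without the pre-patch snapshot there is nothing to roll back to, which is why the snapshot is taken before the patch is applied rather than after.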
You have many virtual machines running on a single hypervisor on your cloud deployment. For maintenance, you need to update the hypervisor. You need to ensure that the virtual machines are still available to the cloud consumers while this is happening. What should you do?
A)Create a snapshot of the memory state of the hypervisor.
B)Move the virtual machines to a different server.
C)Do nothing.
D)Run a firewall on the hypervisor.
B)Move the virtual machines to a different server.
You will need to temporarily move all the virtual machines to a different server while the hypervisor is being patched. Virtual machines (VMs) are managed by a hypervisor, which acts as a bridge between the VMs and the actual physical hardware working behind the scenes. The hypervisor dynamically allocates or deallocates physical resources based on requirements or service levels. This makes the hypervisor a critical component in cloud technology that must be patched promptly. Patching a hypervisor normally requires taking it offline or rebooting it, which affects every VM running on that host. If the VMs must remain available to consumers, use the hypervisor’s live migration feature to move the running VMs to another host in the cluster, patch the host, and migrate them back. Doing nothing, snapshotting the hypervisor’s memory, or running a firewall on the hypervisor does nothing to keep the VMs available while their host is down.
Of the terms below, which is the term for the cloud computing concept that allows the provider to share services with multiple subscribers, as opposed to the subscriber having a dedicated cloud service?
A)community cloud
B)metered utilization
C)rapid elasticity
D)resource pooling
D)resource pooling
Resource pooling is the term for the cloud computing concept that allows the provider to share services with multiple subscribers, as opposed to the subscriber having a dedicated cloud service.
Your company develops both application software and customized operating systems. The company is migrating to a cloud-based system to house all of its physical hardware, but will continue to use its own proprietary software and applications in the cloud.
Which cloud service model would you deploy based on this system requirement?
A)SaaS
B)DaaS
C)PaaS
D)IaaS
D)IaaS
You would deploy the Infrastructure as a Service (IaaS) service model. This model provides the necessary hardware via cloud that the company can then use to run its applications and even install a customized operating system.
None of the other models would allow the installation and use of a customized OS. They are better suited for needs related to consumers who want an existing software environment.
Cloud computing is the provision of computational services made available to consumers by cloud providers based on their need or consumption. These services cover both the use of platforms and applications as well as physical hardware resources. PaaS, SaaS, and IaaS are the three primary cloud service models that provide services accessible by web browsers, cell phones, and similar devices.
The Platform as a Service (PaaS) service model allows consumers to bring their own applications and data to a cloud platform that provides compute services, operating systems, networking, storage, and all the necessary hardware. This allows consumers to quickly deploy their own applications without the burden of first establishing their infrastructure and operating environment.
The Software as a Service (SaaS) model lets customers use software applications that run on a provider’s cloud infrastructure. These applications can be accessed using thin client interfaces, including cell phones and web browsers. An example of this is email accessible from a web browser, such as Gmail. The advantage of this model is that a consumer can use the application without locally installing it or being concerned about the infrastructure needed to run it. The cloud provider takes full responsibility for running the application and managing it. Other examples of SaaS include enterprise resource planning (ERP), software development programs, customer relationship management (CRM) systems, and human resources (HR) applications. Software applications for storage, networking, and processing also comprise the SaaS model.
The Infrastructure as a Service (IaaS) cloud service model provides barebones computing resources, such as physical hardware and networking services, so that consumers can install operating systems of their choice and run any applications they wish. The advantage of this model is that a company’s existing data center hardware resources can be completely replaced with a cloud-based solution. IaaS service models provide networking, storage, processing, and other basic computing resources for consumers.
Other cloud service models include:
Communications as a Service (CaaS) – This service model includes video conferencing, chat, voice calling, emailing, and other means of collaboration.
Anything as a Service (XaaS) – This service model includes the provision of complete IT solutions as a consolidated unified package covering end-to-end services.
Desktop as a Service (DaaS) – This service model provides a virtual desktop that can be accessed by a variety of devices, including laptops, tablets, and cell phones. The desktop has all of the applications typically required by business workflows, including word processors and spreadsheets.
Business Process as a Service (BPaaS) – This service model provides applications supporting routine business operations such as shipping, orders, inventory, and payroll.
You have completed a successful migration of your shopping portal’s data center to the cloud. You need a system to ensure that only the appropriate users are allowed to perform actions on the stored data and access the applications. Which system of cloud security should you implement for this?
A)Software patches
B)Authorization
C)Firewalls
D)Authentication
B)Authorization
You will need to implement authorization to objects in the cloud. Cloud objects can include files on a storage system, virtual machines, load balancers, firewalls, and other resources that can be accessed and used. This access needs to be controlled to ensure maximum security for your cloud. For individual objects, you will need to configure an access control list (ACL) that allows or denies access or privileges. Authorization is based on the user’s role, and the access provided is limited to specific cloud resources that are relevant to the user’s sphere of work. Authorization also extends to actual devices, such as servers, storage arrays, or applications, that are allowed access to databases. Cloud providers allow you to provide your own authentication and authorization configurations through an online assessment tool. Then an automated script checks your configuration against recommended industry configurations, and a report is generated outlining an optimized configuration.
You are in the process of creating an SLA with a cloud service provider. Your company runs a women’s accessories store online and experiences varying traffic with peaks during the holidays. You must scale your services dynamically to meet the varied network demands. Which component of your cloud deployment will fulfill this requirement?
A)Sizing
B)Performance
C)Lifecycle
D)Connectivity
A)Sizing
You would need to fulfill this requirement via sizing. Sizing and scaling occur dynamically in a cloud deployment, and are one of its major benefits. Sizing is accomplished through elasticity, pay-as-you-go computing, and just-in-time provisioning.
The pay-as-you-go option means that customers only pay for the resources that they consume. Scaling is the ability to add or subtract cloud resources. There are two types of scaling: horizontal and vertical. With horizontal scaling, an organization scales out or in, which controls the number of provisioned resources. With vertical scaling, an organization scales up or down, which controls the power and capacity of an individual resource. So horizontal scaling adds more servers, while vertical scaling adds more components (CPUs, RAM, and so on) to an existing server.
As an example, consider an online shopping portal. The portal may require two web servers to run its operation. However, during the holiday season, sales may grow exponentially, and the portal may need more resources to handle the demand. In a cloud-based system, the new resources will be added dynamically as the network demand increases. The consumer company is billed for the extra resources, and then billing reverts to the lower amount when sales decrease again. This way, the shopping portal does not have to go through the process and cost of acquiring new physical servers and setting them up just for a limited time. The new computing resources are simply added ahead of time virtually through a hypervisor.
Connectivity covers how you can access cloud management applications, but it does not cover the scalability required for varying network demands. Cloud providers give customers access to the cloud via a virtual private network (VPN). VPNs provide safe and encrypted communication. A VPN in the context of cloud computing allows customers to access their cloud applications remotely and securely over an unsafe public network like the Internet. A cloud consumer can monitor or manage the cloud deployment using the VPN. The VPN itself can be provided either by the cloud management center or a service provider.
Lifecycle covers the entire deployment of a cloud but not specifications related to network demands and scaling. The lifecycle of a cloud deployment can be split into three distinct phases also referred to as networks:
Development – This is a network used by developers for creating new services for the cloud and testing them.
Production – This is the network that has all the applications currently in use by the public.
QA – This is the network that contains all the maintenance work that goes on offline where applications and systems can be tested.
Performance includes the overall cloud performance, not just scalability and sizing. You can increase cloud performance and not necessarily increase sizing or scale. The performance of a cloud deployment depends on the implementation of various underlying components that include:
Applications
Cache memory
Network bandwidth and latency
Filesystem speed
Database efficiency
Sizing and scalability
Availability across zones
Swap file usage
Storage I/O
You have recently moved your company’s web server to a cloud deployment. You previously had over one million users accessing the web server from across the world. Before the server is made available to the public, you need to verify that the server will meet its performance standards after the deployment to the cloud. Which testing technique should you use?
A)Load testing
B)Simulation testing
C)Penetration testing
D)Vulnerability testing
A)Load testing
You should use load testing. Load testing will help ascertain if the web server can perform as expected under the load of servicing usual network traffic.
Vulnerability and penetration testing do not test system performance under loads. They are used for checking the security of a system.
After a company’s operations are deployed into a cloud environment, you must test it to verify that the deployment is working as expected. There are three key testing techniques that are used:
Vulnerability testing or vulnerability scanning – This involves checking the cloud deployment for any objects that may be insecure. The scanner has a database of known exploits and checks each object in the cloud environment against these, including operating systems and applications. After the scan is complete, a report is generated on all detected security threats.
Penetration testing – This involves testing the accessibility of a cloud from outside the cloud to ensure that it is secure from illegal access. Penetration testing helps identify any vulnerability that may be exploited by a hacker to allow access from outside the cloud.
Load testing – This involves placing your cloud system under a load to determine its capacity for dealing with computational demands. This way, you can identify exactly how your cloud deployment will behave when there is a heavy load on the system. Both average use and peak use are considered when performing load testing. Because each system is expected to fail eventually when placed under a severe load, load testing helps to pinpoint issues in the system’s design and fix any bugs that may be causing performance issues.
You should not use simulation testing. Simulation testing is a form of walkthrough drill that a company can use to test its preparedness for a disaster as per its Disaster Recovery Plan (DRP).
You have been asked by your company to investigate a suitable solution for upgrading the entire IT infrastructure. Which of the following can you expect to have in a cloud-based solution?
A)VPN
B)All of these components
C)Firewall
D)None of these components
E)Web server
B)All of these components
You can expect all of the listed components to be included in a cloud-based solution for an IT infrastructure.
Cloud architecture consists of multiple users accessing cloud services remotely. These services are provided using servers that can be located in various global regions while operating as a single unified entity. This way, the same computing resource is shared by various consumers.
Hosts on a network are computers that can interact with each other. These include clients and servers. A cloud host can be a collection of servers that perform as a single entity to provide services. This allows cloud consumers to target hosts that are required specifically for their needs. An example of this is a web server, which can be implemented via cloud computing with the actual servers located in different geographical regions.
Certain cloud elements are found in every cloud implementation; these include network components and services, application components, storage components, compute components, and security components. Depending on the service model implemented, the level of control over and responsibility for these components will be distributed between the client and the cloud provider.
Network components and services include network routing and switching services, including Domain Name Systems (DNS), Dynamic Host Configuration Protocol (DHCP), Virtual Private Networks (VPNs), and load balancing services.
Application components include all software applications that are required by end users, including email, web servers, databases, large data storage, and business application programs.
Storage components include magnetic storage devices and solid-state drives (SSDs). Cloud storage systems have file-based, block-based, and even object-based systems for storage. Storage options range from high performance and high availability storage to less expensive options better suited for archiving purposes. Cloud storage components and services are made available via massive storage arrays and networks dedicated to storage.
Compute components include resources that provide centralized processing of data using physical or virtual servers that run various operating systems.
Security components include the means of securing data, such as access control mechanisms, encryption services, firewalls, and intrusion detection systems.
You need to ensure that each employee at your finance company has limited access to employee records on your company’s cloud. You also need to minimize administrative effort for configuring this access. What will you need to use for this?
A)Multifactor authentication
B)Firewalls
C)SSO
D)User groups
D)User groups
You will need to create user groups. In a cloud-based system, users have accounts, and each account has certain rights and access levels associated with it. A user account can be assigned to an employee or even to a device, such as a server. Either way, there are limitations on the resources that a user can access and what the user can do with those resources. A common practice is to place users into groups to simplify administration. A user group is a collection of user accounts that have their access rights managed as a single unit. Groups are created based on departments or some other grouping criteria, and then access rights are granted at the group level based on their needs. For example, the network administrators group will need to access firewall settings, but the database administrators group will not. Groups can be used for ordinary users, authenticated users, anonymous users, and admins.
Access control lists (ACLs) are a means to regulate access to storage resources on a cloud. Each resource on a cloud can have an ACL associated with it that explicitly states which users or user groups can have access to it as well as the degree of access. For example, certain user groups may only be permitted read access to storage volumes on a cloud, while other user groups, such as system administrators, can have both read and write access.
Multi-factor authentication (MFA) will not limit user access to specific resources. MFA provides an additional layer of security by using multiple factors, including something you know (username and password), something you have (token or smart card), and something you are (biometrics). As an example, when withdrawing money at a bank’s automated teller, you use the ATM card (something you have) and the numeric PIN (something you know). Similarly, MFA systems can generate an electronic token that is valid for a short period of time and must be entered when authenticating along with the existing username and password. Token generators can exist as hardware, as keychain-based devices, or as software that executes on laptops and smartphones.
Firewalls will not limit user access to specific resources. Firewalls can be used to separate segments in a network or to protect an internal network from an external one. Rules can be configured on the firewalls that specifically allow or deny certain traffic based on various factors including protocol, IP address, and MAC address.
SSO is a system whereby a user signs in once and is granted access to multiple systems based on these credentials. The user will not need to re-authenticate each time a different system is accessed. SSO greatly simplifies user administration. An example of SSO is a directory server that utilizes Lightweight Directory Access Protocol (LDAP), which allows a user to log in once at the network level to access all applications. One advantage of SSO is that users do not have to remember usernames and passwords. Also, when a session is terminated in SSO, a user is automatically logged out of multiple systems.
The services operational on a cloud system need to be secured from unauthorized access. For this, you specify access rights to each of these services with user groups. For example, you would create a specific user group that would allow its members to access and control firewall settings. The users who are not in this group would not be allowed to manage the firewall. Similarly, finer settings for access control can be made for machine-to-machine authorization. This way, a granular approach can be taken to limit the accessibility of cloud objects and resources.
You are working for a multinational consultancy that has recently moved its operations to the cloud. You are asked to create a secure login to the cloud system for employees using both usernames and passwords as well as an electronic token that they carry on a keychain. Which of the following security measures should you use to implement this?
A)SSO
B)MFA
C)ACL
D)MAC
B)MFA
You will use multifactor authentication (MFA). This scenario provides an additional layer of security to an existing username and password combination by using token-based authentication. This follows the “something you know” and “something you have” model of authentication. There is also a third factor, something you are (biometrics), that can be used. As an example, when withdrawing money at a bank’s automated teller machine (ATM), you use the ATM card (something you have) and the numeric PIN (something you know). Similarly, MFA systems can generate an electronic token that is valid for a short period of time and must be entered when authenticating along with the existing username and password. Token generators can exist as hardware, as keychain-based devices, or as software that executes on laptops and smartphones.
What is the term for an application that is accessed over the Internet as opposed to being installed on a local device?
A)PaaS
B)Resource pooling
C)SaaS
D)IaaS
C)SaaS
Software as a Service (SaaS) is the term for an application that is accessed over the Internet as opposed to being installed on a local device. Instead of installing software on their computers, users can access the software over the Internet, typically paying a subscription fee for use. An example of this is Microsoft Office 365.
Infrastructure as a Service (IaaS) is a cloud deployment model that makes infrastructure components (servers, storage, and other hardware) available on a per-user or subscription basis. The service host maintains the infrastructure components and makes them available on a per-use or subscription basis. An example is Amazon Web Services.
Platform as a Service (PaaS) is a cloud deployment model that makes hardware and software available on a per-user or subscription basis. PaaS is often used in application development.
Resource pooling makes SaaS, IaaS, and PaaS available to multiple consumers simultaneously. This means that the consumers share the physical devices on which they reside. Organizations should research the security implications of such a deployment scenario.
Which of the following are valid uses for virtual machines (VMs) within a cloud environment? (Choose three.)
A)Threat hunting
B)Sandboxing
C)Test development
D)Application virtualization
B)Sandboxing
C)Test development
D)Application virtualization
Virtual machines (VMs) are capable of being used for sandboxing, test development, and application virtualization.
Sandboxing is an isolated testing environment that enables security teams to observe, analyze, and block suspicious elements that try to gain access to or traverse within a network. VMs can be configured to function as a sandbox to better secure network environments.
VMs can also be configured to enable users to test their applications and software in a safe and secured environment. The test development process enables users to be able to run their software in a “live” environment for quality assurance purposes. This configuration can help users to detect bugs, vulnerabilities, and other similar items so they can be patched to ensure that the product is safe and stable for general usage.
Application virtualization is the process of running an application without any of the physical hardware limitations or dependencies required of an operating system. Rather, the application thinks it is interfacing with the operating system directly when it is actually engaging with a hypervisor to run the application. One important use of app virtualization is virtualizing legacy software. VMs allow users to run software and applications that are no longer supported by the vendor or that do not run on modern OSes, but that still meet a vital business need. VMs can be configured to run these legacy systems virtually, enabling users to operate them without needing to utilize outdated, unsupported, and obsolete equipment, software, or firmware.
Threat hunting should not be used within a cloud environment. Threat hunting is a cybersecurity practice that is used to track various threat actors to monitor their behaviors and detect incoming cyber threats.
VMs can also support cross-platform virtualization. Cross-platform virtualization allows software to be compiled for a specific instruction set and operating system to run unmodified on computers that have different CPUs and/or different operating systems, such as running a Windows program on a Linux machine.
You are using a cloud-based system for your online gaming portal. Some of your users need an increase in their available network bandwidth. Where in the cloud architecture will this configuration be made?
A)Documentation
B)Virtual machine
C)Hypervisor
D)Physical hardware
C)Hypervisor
You would make the necessary configuration in the hypervisor. The hypervisor controls the amount of physical computing resources that are available to each virtual machine.
Physical hardware is used by the hypervisor to provide computing power to virtual machines. When any kind of reallocation of resources is needed for a virtual machine, the physical hardware is not modified, but the settings on the hypervisor are.
The configuration of the number of resources available for a virtual machine is done on a hypervisor, and not the virtual machine itself.
Before a migration can be made successfully to a cloud, you must review and update, if necessary, the existing documentation. This includes ensuring all the current systems have their associated diagrams and configurations recorded separately from items being migrated to the cloud. This will ensure a clear and accurate record of the system as it stood before the migration occurred.
Cloud computing works on the concept of shared components. This involves taking physical hardware resources and providing them for use via a virtualized environment. In this way, resources can be shared through a cloud environment, which is referred to as resource pooling. A cloud service provider creates a virtual pool of resources that are virtually shared across various consumers. The hypervisor manages the virtual machines and dynamically allocates or deallocates actual physical resources based on requirements or service levels. This is an advantage over a traditional data center approach, where computing was locked down by whatever was physically available for use at the time.
The actual physical hardware being used is hidden, so consumers only see what they need from the resource pool and do not have to worry about availability or maintenance. The virtual machines used by the customer are managed by a hypervisor, which acts as a bridge between the virtual machines and the actual physical hardware working behind the scenes. This is summarized in the architecture described below:
Which of these cloud services typically provides the hardware and software necessary for application development?
A)IaaS
B)PaaS
C)public cloud
D)SaaS
B)PaaS
Platform as a Service (PaaS) typically provides the hardware and software necessary for application development. The provider makes hardware and software available over the Internet on a per-use or subscription basis.
Infrastructure as a Service (IaaS) provides various services such as hardware, operating systems, application software, and storage. Instead of buying servers, storage, and other hardware components that make up the company’s infrastructure, organizations can subscribe to a service over the Internet. The service host maintains the infrastructure components and makes them available on a per-use or subscription basis. An example is Amazon Web Services.
Software as a Service (SaaS) makes software available through the cloud. Instead of installing software on their computers, users can access the software over the Internet, typically paying a subscription fee for use. An example is Microsoft Office 365.
You are in the process of setting up access control systems for the cloud deployment of your computer graphics company. You want access control to be specified so that certain users can work with a limited set of graphics applications but are prevented from accessing others. Which access control method will you need to use?
A)Compute system access control
B)Firewalls
C)Storage access control
D)Network-based access control
A)Compute system access control
You will need to use compute system access control. Compute systems on a cloud include virtual machines (VMs) and applications running on the VM, and they can be assigned accessibility rights based on their usage. Access rights for a compute resource will limit the people, resources, or services that can access them. By defining security groups and access rights for each group, authorization can be defined at a very granular level for each cloud compute system resource.
An access control system, or ACS, is any system designed to restrict user access to a computer system according to predefined rules. For example, on most computer systems, users must enter a valid name and password to log in to the system. And, after they log in, those users are allowed to view, create, and modify only some files and directories in the file system.
Access control enables multiple users to access a single system, maintaining the privacy and security of each user’s files. It also protects the critical system files from being altered or tampered with, reducing the likelihood that the operating system will malfunction.
Examples of access control systems include:
Password - A word or set of letters, numbers, and symbols.
Access card - Size of a credit card, with a magnetic strip or computer chip, swiped through or placed next to a card reader.
Security fob - A device with an RF security chip inside, placed next to a security fob reader.
Fingerprint reader - Scans a person’s fingerprint, which is different for each person.
Palm reader - Scans the palm of a person’s hand, which is unique for each person.
Voice recognition - Usually requires a person to say their name, a specific sentence or series of words, to recognize the person’s unique voice pattern.
Retina scan - A scan of the eye, specifically the retina, which is unique for each person.
DNA scan - Much more sophisticated and futuristic, requiring a sample of saliva or blood to check for and verify the person’s DNA.
Network-based access control limits the accessibility of cloud resources at the network level, not the application level. This includes logins required to access a network or access control lists (ACLs) that limit network traffic based on IP addresses or port numbers. This is different from access control at the application or server level.
You should not use storage access control. Storage access control can be implemented at either the storage volume level or array level, limiting the users or services that can access or mount them. This access control is implemented at the storage area network (SAN) level using virtual storage area networks (vSANs) and also at the storage controller level using logical unit number (LUN) masking. LUN masking permits certain hosts to access the LUN and denies access to other hosts. This implementation is not visible to a cloud user. File system access control is implemented at the operating system level where files have certain access rights that include creation, read, write, and deletion.
You should not use firewalls. The services operational on a cloud system, such as firewalls, load balancers, caching, and DNS, need to be secured from unauthorized access. For this, you specify access rights to each of these services by the use of user groups. For example, you could create a user group called Firewall-Control that would allow its members to access and control firewall settings. The users who are not in this group would not be allowed to access the firewall. Similarly, finer settings for access control can be made for machine-to-machine authorization. This way, a granular approach can be taken to limit the accessibility of cloud objects and resources.
Which cloud computing term refers to the availability of a resource as it is needed by the client?
A)on demand
B)metered utilization
C)rapid elasticity
D)resource pooling
A)on demand
On-demand refers to the availability of a resource as it is needed by the client. Amazon Web Services (AWS) is an example of an on-demand service.
Resource pooling allows the provider to service multiple customers using the same resources. This means that the consumers share the physical devices on which they reside. Organizations should research the security implications of such a deployment scenario.
Rapid elasticity allows the provider to dynamically allocate resources based on demand. Examples include increased bandwidth, storage, or memory requirements.
Metered utilization (or measured service) is a term that applies to paying for services on a per-use basis, such as CPU time, GB of storage, or network bandwidth use. Your cell phone data plan, measured in GB of data transferred per month, could be an example of a metered service.
You also need to understand the following cloud service concepts:
- Off-site/Commercial email applications – Google Mail is an example of an off-site email application, which allows corporations to issue personnel an email address without having to manage the email servers internally.
- Cloud file storage services – Google Drive is an example of a cloud file storage service. Any such services will allow customers to store their files on a remote cloud so that data can be accessed from the Internet. Most cloud file storage services include synchronization apps that allow users to synchronize the files between their desktop and the cloud.
- High availability – Cloud environments provide high levels of uptime, enabling users to always be able to connect to them and use their resources. Cloud environments frequently employ clusters of servers that act as a single server, providing high degrees of fault tolerance.
- File synchronization – Cloud environments now enable users to synchronize the files on their local device with the files stored in the cloud to ensure that both file sets are congruent with each other.
- Virtual application streaming/cloud-based applications – Cloud services can include virtual application streaming and cloud-based applications. Giving users access to the applications is as easy as configuring a cloud account for them and granting access. Applications do not need to be installed individually on each computer. Applications include applications for cell phones/tablets and applications for laptops/desktops.
- Virtual desktop / NIC – A virtual desktop is a virtual machine that a user can access remotely. A virtual network-interface card (NIC) is a software-based NIC that masquerades as a physical NIC using virtualization software. As virtual desktops become more mainstream, two primary deployment methods have emerged: through the cloud or through on-premises servers.
- Shared resources – Cloud deployments allow resources to be shared. Internal resources are those that are owned by the consumer and integrated into the cloud deployment. External resources are those that are owned by the cloud service provider.
You have contracted with a cloud service provider prior to migrating your online shopping company to a cloud deployment. You have opted for an IaaS model. When you test the system post-migration, what should you use to verify that the services provided to you by the cloud company are in line with the expectations and baseline performance?
A)SLA
B)BCP
C)Documentation
D)DRP
A)SLA
You will need to refer to the SLA. A Service Level Agreement (SLA) is a documented commitment that binds a cloud service provider to provide a specified set of services and operations to the consumer(s) of the cloud deployment. An SLA specifies the responsibility, quality, and availability of the services provided. A typical SLA might guarantee that your virtual environment will be available for operations at least 99.95% of the time, and that live customer support will be provided 24 hours a day.
However, the actual operation of the cloud is a shared responsibility between the cloud service consumer and the provider. Both parties need a clear understanding of which services are provided and which level of service is expected. As an example, if you opted for Platform as a Service (PaaS) from your cloud service provider, you can expect the cloud service to include an operating system as well as underlying infrastructure but not applications. The SLA would state in that case that the performance of self-hosted applications is the sole responsibility of the customer.
You are responsible for managing a host computer that hosts several Windows 10 virtual computers. You need to install the latest patches for the operating system. Where should you install the patches?
A)on the host computer only
B)on the physical computer only
C)on both the host computer and all Windows 10 virtual computers
D)on each Windows 10 virtual computer only
C)on both the host computer and all Windows 10 virtual computers
In the process of implementing security for your cloud deployment, you need to specify access rights for the users. Your company has a large number of employees and several levels of management where an employee may need to delegate responsibility and grant access to other employees dynamically. What kind of access control will you need for this?
A)Discretionary
B)Mandatory
C)Non-discretionary
D)Multifactor authentication
A)Discretionary
You would use discretionary access control. Discretionary access control (DAC) differs from mandatory access control (MAC) in that users can specify access rights to resources themselves as opposed to the centrally controlled security policy with MAC. This way, users who own resources like files or directories can then extend rights to other users based on their discretion. These users will then be able to take actions on these resources, which can include executing, reading, or writing.