Week 11: Security Criteria - Building an Internal Cloud Flashcards
Why would an enterprise invest in a private cloud
Increased flexibility and increased security
In general, nothing prevents public cloud providers from offering customers exclusive and separate sections “carved out” of overall infrastructure to implement a remotely hosted private cloud
However, doing so might undermine their ___
economic model
such exclusive sections of a public cloud infrastructure can be systematically and securely carved out of the combined hardware, storage, and network fabric
these exclusive sections can be forced to fall on sufficiently safe boundaries
An organization can implement an ___as a proof of concept or to develop skills and experience
exploratory cloud
exploratory cloud can be useful for
develop a hands-on understanding of the technical issues and possible complications that might be faced before making a larger commitment to an operational cloud
The potential for better security with a ___ is ___at a ___overall cost than with traditional private IT
private cloud
greater
lower
Before the recent rise of virtualization and more powerful servers, individual business applications resided on individual servers
This resulted in a chaotic and undisciplined landscape: ___
server sprawl
With the rise of virtualization, this situation has evolved into one where the number of physical servers can be reduced
Without enforced discipline, server sprawl has become___
VM sprawl
At the department level, the move to server virtualization seems to be a return to the ___mix of pooled and centrally managed resources
mainframe
Cloud computing brings back the ___, and ___ model that marked the mainframe era
pooled
centrally managed
While there is a good deal of overlap between mainframe and cloud computing, cloud is still unique in several ways
Cloud computing is far more services oriented than the mainframe model
The cloud model is more tolerant of individual server failure than the mainframe model, and its resources can be augmented more readily as well
If the private cloud is sized to both minimize excess capacity and to allow for peak demands, then ongoing cost reductions will include
Lower equipment cost
Lower than typical data center-related costs
- Lower power consumption (equipment and cooling)
Infrastructure deviations to support the specific needs of internal customers (private cloud) fall into four main categories
Hardware Platform Variation
- Where users require different hardware for computing or storage, this cannot be economically supported unless these needs are sufficiently common to warrant dedicating a pool of identical resources
Network Variation
- Where network patterns are customized for small sets of servers, the cloud will give up some of its cost savings, unless there is a large enough need to deviate from the norm
Software Platform Variation
- It is significantly less difficult to support users who need a specialized operating system or software stack than it is to add additional hardware
Allocation Boundaries
- Allocation and provisioning of user and department usage should provide for segregation where confidentiality is a major concern
To begin with, it is useful to analyze the use of ___in an internal data center and discern the level of usage at various times of the day, week, or month
existing servers
Because of the ___ population of cloud-consuming users and applications in a private enterprise, a private cloud may not realize the economies of scale (utilization, pooling of demand) that a public cloud does
smaller
Unless there is off-peak load to consume otherwise idle cloud resources, a private cloud may lie largely idle for the remaining hours
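The two cards above (analyze existing server utilization over the day, and beware an idle pool) turn into a concrete sizing exercise. The following is an added example, not from the original flashcards: it takes hourly utilization samples for a handful of departmental servers, compares the capacity needed if each keeps its own server with the capacity needed for one pooled cloud sized to peak demand, and then reports how idle that pool sits off-peak. The application names, the 24 hourly samples and the 20% headroom figure are all constructed for illustration.

```python
"""Added example, not from the original flashcards: analyse hourly utilisation
samples from existing departmental servers to estimate how many pooled hosts a
private cloud needs, how much pooling saves over dedicated servers, and how idle
the pool sits off-peak. All names and samples below are constructed."""
import math
from statistics import mean

# Constructed: 24 hourly CPU-utilisation samples (fraction of one server's
# capacity) for four applications, each on its own dedicated server today.
SAMPLES = {
    "payroll":   [0.05] * 8 + [0.90, 0.95, 0.90, 0.40] + [0.10] * 12,  # morning peak
    "web":       [0.20] * 8 + [0.60] * 10 + [0.30] * 6,                # business hours
    "reporting": [0.85] * 4 + [0.05] * 20,                              # nightly batch
    "dev":       [0.02] * 9 + [0.40] * 8 + [0.02] * 7,                  # office hours
}


def hosts_if_dedicated(samples):
    """One physical host per application: the pre-virtualisation picture."""
    return len(samples)


def sum_of_individual_peaks(samples):
    """Capacity you would buy if every application were sized to its own peak."""
    return sum(max(s) for s in samples.values())


def pooled_demand(samples):
    """Combined demand per hour when all workloads share one pool."""
    hours = len(next(iter(samples.values())))
    return [sum(s[h] for s in samples.values()) for h in range(hours)]


def hosts_if_pooled(samples, headroom=0.2):
    """Hosts needed to carry the pooled peak plus headroom (size to peak demand)."""
    return math.ceil(max(pooled_demand(samples)) * (1 + headroom))


def idle_fraction(samples, headroom=0.2):
    """Share of pooled capacity left unused averaged across the day."""
    hosts = hosts_if_pooled(samples, headroom)
    return 1 - mean(pooled_demand(samples)) / hosts


def off_peak_hours(samples, threshold=0.5, headroom=0.2):
    """Hours in which the pool runs below `threshold` of its capacity: the
    window in which only off-peak load (batch jobs, dev/test) can absorb the
    otherwise idle resources the flashcard above warns about."""
    hosts = hosts_if_pooled(samples, headroom)
    return [h for h, d in enumerate(pooled_demand(samples)) if d / hosts < threshold]


if __name__ == "__main__":
    print("dedicated hosts:", hosts_if_dedicated(SAMPLES))
    print("sum of individual peaks:", round(sum_of_individual_peaks(SAMPLES), 2))
    print("pooled peak:", round(max(pooled_demand(SAMPLES)), 2))
    print("pooled hosts (20% headroom):", hosts_if_pooled(SAMPLES))
    print("idle fraction:", round(idle_fraction(SAMPLES), 2))
    print("off-peak hours:", off_peak_hours(SAMPLES))
```

With these constructed samples the four dedicated servers collapse to three pooled hosts (pooled peak 2.0 versus 2.8 if each application were sized alone), but the pool still averages roughly 70% idle and runs under half load for 21 of 24 hours, which is exactly the situation where the enterprise needs batch or other off-peak work to justify the investment.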
When individual servers are pooled together into a centrally managed private cloud, there are going to be opportunities to improve security in terms of
operational security
implementing future security capabilities
When ___ is implemented at an enterprise level, more robust and capable solutions can be used in a cost-effective manner
identity
An enterprise might use a public cloud for the bulk of its computing needs but still run a small in-house private cloud for ___
secure applications
Reasons for keeping a small in-house private cloud alongside a public cloud
to run secure applications
to run a few older applications, for instance ones tied to a nonstandard hardware platform
- Another approach for such applications would be to use virtualization or emulators to emulate the nonstandard hardware platform that the application requires
When there is no business need for making data from one group accessible to another group, the private cloud must enforce ___
separation
A private cloud may also expose some services to ___
external users
- for instance, customers of the enterprise
- Connectivity for such customers must be secured and separated from internal user traffic
In summary, a private cloud must enforce various kinds of separation between sets of ___ and between ___and ___users
internal users
internal
external
Exposing the cloud to either internal or external users must be done in response to a clear ___and a solid understanding of the ___
business need
risk factors
To begin with, the ___to the cloud is the best place to filter out unwanted inbound traffic - for example
ingress
Blacklisted IP addresses
Whitelisted IP addresses
Limiting Access to the Edge - two ways
To begin with, the ingress to the cloud is the best place to filter out unwanted inbound traffic
Secondly, we may authenticate inbound traffic by various means, including IPsec tunnels or VPN solutions
When offering services to both internal and external users it is critical to avoid opportunities for non-enterprise users to gain access to enterprise data - methods of separation
Mixing enterprise and external user traffic must be avoided
Generally, SaaS traffic is terminated at a proxy or web service, with data passed on to back-end services that users cannot reach directly
Storage of enterprise and Internet users must be segregated
All user data should be encrypted
Sensitive enterprise data should not be processed by the same app instances that are processing public users’ data
Isolation between realms can be effected through various means, including
physically separated networks
virtual local area networks (VLANs)
Such isolation should be reinforced via other mechanisms such as a firewall
Network isolation can also be achieved by using encryption
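The cards on limiting access at the edge (deny-listed and allow-listed addresses, authenticated inbound traffic) and on separating enterprise and external realms (separate app instances, segregated storage, VLANs reinforced by a firewall) describe one policy table. The following is an added example, not from the original flashcards: a small Python model of that table, applied in the order a perimeter firewall would apply it. The address plan, the zone names, the deny and allow lists and the sample flows are all constructed for illustration; nothing here is a real product configuration.

```python
"""Added example, not from the original flashcards: a small policy model of the
edge filtering and realm separation described above. The address plan, the
deny/allow lists and the sample flows are all constructed for illustration."""
import ipaddress

# Constructed address plan: each realm lives on its own network (a VLAN or a
# physically separate segment); the firewall between them enforces this table.
ZONES = {
    "mgmt":      ipaddress.ip_network("10.0.0.0/24"),   # management traffic only
    "internal":  ipaddress.ip_network("10.10.0.0/16"),  # enterprise users
    "app-int":   ipaddress.ip_network("10.20.0.0/24"),  # instances serving internal users
    "app-pub":   ipaddress.ip_network("10.30.0.0/24"),  # proxy/web tier for Internet users
    "store-int": ipaddress.ip_network("10.40.0.0/24"),  # enterprise data
    "store-pub": ipaddress.ip_network("10.41.0.0/24"),  # Internet users' data
}

# Edge lists (constructed): deny-listed ranges are dropped before any other rule;
# the management plane is reachable only from the allow-list (e.g. an ops VPN endpoint).
DENYLIST = [ipaddress.ip_network("198.51.100.0/24")]
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/24"),
                  ipaddress.ip_network("203.0.113.5/32")]

# Permitted realm-to-realm flows. Anything not listed is dropped, which is what
# keeps Internet users away from the instances and storage holding enterprise data.
ALLOWED_FLOWS = {
    ("internal", "app-int"),
    ("app-int", "store-int"),
    ("external", "app-pub"),   # Internet users terminate at the proxy tier
    ("app-pub", "store-pub"),
}


def zone_of(ip):
    """Map an address to its realm; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(src, dst):
    """Return (verdict, reason) for a flow from src to dst, applying the rules
    in the order a perimeter firewall would: deny-list, management allow-list,
    then realm separation."""
    src_addr = ipaddress.ip_address(src)
    src_zone, dst_zone = zone_of(src), zone_of(dst)

    if any(src_addr in net for net in DENYLIST):
        return "drop", "source is deny-listed at the edge"
    if dst_zone == "mgmt":
        if any(src_addr in net for net in MGMT_ALLOWLIST):
            return "allow", "management plane, source on allow-list"
        return "drop", "management plane reachable only from allow-list"
    if src_zone == "mgmt":
        return "allow", "management network may reach every zone"
    if (src_zone, dst_zone) in ALLOWED_FLOWS:
        return "allow", f"{src_zone} -> {dst_zone} is a permitted flow"
    return "drop", f"{src_zone} -> {dst_zone} crosses a realm boundary"


def audit(flows):
    """Evaluate a list of (src, dst) pairs; useful for checking a proposed change."""
    return [(src, dst, *evaluate(src, dst)) for src, dst in flows]


# Constructed sample flows, one per rule.
SAMPLE_FLOWS = [
    ("10.10.5.5", "10.20.0.10"),     # internal user -> internal app tier
    ("192.0.2.7", "10.30.0.5"),      # Internet user -> public proxy tier
    ("192.0.2.7", "10.20.0.10"),     # Internet user -> internal app tier
    ("198.51.100.9", "10.30.0.5"),   # deny-listed source
    ("10.30.0.5", "10.40.0.3"),      # public tier -> enterprise storage
    ("203.0.113.5", "10.0.0.2"),     # ops VPN endpoint -> management
    ("10.10.5.5", "10.0.0.2"),       # internal user -> management
]

if __name__ == "__main__":
    for src, dst, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{src:>14} -> {dst:<12} {verdict:5} {reason}")
```

The default verdict is drop: a flow is allowed only because a rule names it, so adding a new public-facing tier never silently opens a path to the enterprise storage realm. The deny-list is checked first because it is the cheapest rule and should win even over an allow-listed management source; the management plane is the only destination that uses an allow-list, matching the card on keeping a separate network for management traffic.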
A best practice in physical isolation is to contain separate categories of use (internal users, public Internet users, and so on) within groups of ___ (sometimes referred to as pods or compartments)
separate racks
For higher assurance, it is a best practice to isolate these physical zones by physically surrounding them with ___
cages
An overall production cloud infrastructure will most likely be logically divided for a number of distinct uses:
Development
Testing and Staging
Production
Degree of assurance in isolation techniques (lowest to highest)
Software -> Cryptography -> Virtualization -> Physical Separation
It is a best practice to maintain a separate network for ___
management traffic
Among many important initial steps in setting up a private cloud is effectively addressing the need for ___ that will bridge your physical and virtual infrastructure
management tools
It may be more cost effective to locate a private cloud in a professionally staffed and certified ___
hosting center
Only your organization would have physical access to your cages
Data Center Sensors
Smoke, Motion, Power, Water, Door, Temperature, Humidity
Operational Security Considerations (Private Cloud)
Antimalware
Device Configuration
Intrusion and Anomaly Detection
Data Backup and Storage
Private Cloud Regulations
Location of Data
Data Retention