Cloud Computing Final Study Guide


Role Assignment - in Azure AD

defines the connection of a user to a role within that user's scope; the assignment must be completed before access is granted to the user

Authorization

determines what you can do once you gain access to a system - Each cloud platform manages IAM permissions in different ways

Drawback to digital signature system

if someone discovers your private key, your digital signature can be forged; the system also cannot be used by anyone who does not have a public/private key pair

What are digital certificates primarily used for:

used to certify and secure websites where financial and other sensitive information is exchanged

DAC (discretionary access control)

users decide for themselves who has access to their resources. Least secure of the methods.

Synchronized identity - Azure

with the synchronized authentication option, identities exist both on-prem and in the cloud, and password hashes are shared between the two locations

Once an account is created, it can be _____, ______, or ________

Modified, deactivated, or deleted

LDAP (Lightweight Directory Access Protocol)

a protocol that helps users find data about organizations, persons, and more.

Identity vault

a repository that stores all users' identities and their credentials, consulted every time they have to access their accounts.

Authorization issues

caused by misconfigured permissions, groups, or roles

Service vs user accounts

- Service accounts: accounts assigned to resources (such as a server instance)
- User accounts: accounts assigned to human users

Effective account management policies can help ensure that the following tasks occur reliably and consistently:

- Accounts are set up, or provisioned, in a timely manner for new users
- Compromised accounts are locked out for protection
- Privilege creep, the gradual increase of disorganized and unmonitored privileges, is limited
- Unused accounts are closed to further activity, or deprovisioned

What is triple-A

- Authentication: gets you into a system
- Authorization: lets you do things while you're there
- Accounting: tracks what you're doing for later review

What does a RESTful system conform to:

- Client and server systems run independently of each other (one can be changed or updated without affecting the other)
- The server saves no client data (session information is stored only on the client system)

Password policies should meet certain requirements:

- Complexity: a certain number of character types (upper case, lower case, numbers, special characters)
- Length: a long, simple password is better than a short, complex password
- Expiration: changing passwords somewhat frequently to resist hacking
- Lockout: 5 failed tries and you are OUT

What services does Azure AD offer for an on-prem network:

- Domain Services (AD DS): provides authentication and authorization support for users and devices on an organization's network
- Certificate Services (AD CS): creates, distributes, and manages secure certificates
- Lightweight Directory Services (AD LDS): supports applications that rely on LDAP
- Federation Services (AD FS): supports SSO (single sign-on)
- Rights Management Services (AD RMS): provides IRM (information rights management) protection of data by enforcing data access policies

What are the 5 "Something's" of MFA

- Something you know: a PIN, password, or biographical data
- Something you have: an ATM card, ID badge, key, or smartphone with an authentication app
- Something you are: your fingerprint, facial pattern, or iris pattern
- Somewhere you are: your location in a specific geopolitical area or in a company's building
- Something you do: the specific way you type, speak, or walk

How can you create accounts in AWS

- Through the IAM dashboard
- You set the username, password, and permissions, or create other credentials such as keys or a certificate

RBAC (Role Based Access Control)

- A network administrator receives from a user's supervisor a detailed description of the roles or jobs the user performs for the organization
- The admin is responsible for assigning exactly the privileges necessary for the user to perform these roles
- Azure relies on RBAC (role-based access control) to manage users' access to resources

3 steps of a digital signature

1. The document is hashed using a hashing algorithm like SHA-3.
2. The hash is encrypted using your private key. The encrypted hash becomes the digital signature and is either stored with the document or transmitted with the document (or both).
3. Later, when someone needs to verify that this is the document you signed, a new hash is created from the document. The original hash is decrypted with your public key and the two hashes are compared. If the two hashes agree, your digital signature is valid.

LDAP two main goals:

1. To store data in the LDAP directory
2. To authenticate users for access to the directory

Security precautions that might be taken for sensitive user accounts:

1. Limited use: these accounts should only be used when higher privileges are necessary to accomplish a task. Employees should also have a lower-level account for normal activities.
2. Limited location: on-premises access only, so that no one can access the device remotely and make high-level changes from the outside in.
3. Limited duration: privileged accounts should be carefully accounted for and disabled as soon as they're not needed, such as when an employee is terminated or transferred.
4. Limited access: the passwords for these accounts should be extremely secure and hard to crack. They should be stored securely, and when possible, multi-factor authentication should be required.
5. Limited privacy: every login and every user action should be logged and reviewed by someone who isn't the owner of that account. Privileged accounts can be used for malicious activity.

Permission - in Azure AD

defines an action an identity is allowed to take

Incremental

Alexandra has scheduled a full backup of one of the servers she manages for the first day of every month. Every week after that, any data that has changed since the previous backup of any kind is backed up. Which of the following describes these weekly backups? a. Additive b. Differential c. Piecemeal d. Incremental

Privilege escalation attack

An unauthorized attempt to increase permission levels. Attackers can use the existing privileges of a compromised account to perform this type of attack.

False positive

At 9pm, while she is at home, Sandra receives a text message informing her that one of the servers she is in charge of has a problem. According to the message, it is a significant concern. Quickly grabbing her laptop, she connects to the VPN to check on the issue and begin troubleshooting, but discovers that everything seems to be working as it should. Which of the following statements best sums up the current circumstance? a. False negative b. True positive c. False positive d. True negative

Privilege escalation

Blake has been examining the logs on one of the servers that he is responsible for that is hosted on a CSP. He finds an instance where one of the employees has managed to give himself unauthorized administrative access on the server. Which of the following has occurred? a. Federation b. SSO c. Internal role change d. Privilege escalation

Vertical scaling

Bob pulls up the company's dashboard and sees that one of the VMs is running low on storage space. He logs into the cloud provider's portal and increases the size of the virtual disk so that it will not run out unexpectedly and start causing errors. Which of the following processes has Bob just performed? a. Horizontal scaling b. Linear scaling c. Vertical scaling d. Triangular scaling

The site's digital certificate has expired

Caroline is trying to access one of her company's custom cloud-based web applications. She sees a bright red screen advising that there is a security problem with the site and that she should not trust its contents. Which of the following most likely occurred that an administrator should probably check first? a. The site has been hacked b. A disgruntled employee has taken the site down c. The site's digital certificate has expired d. The certificate authority has revoked the certificate due to suspected fraud

Something you do

Fictional Corp. is trying out a new experimental technology that analyzes how users type as part of a multifactor authentication implementation. Which of the following categories of authentication factors would this fall into? a. Something you are b. Something you do c. Something you know d. Something you have

IAM

Fictional Corp. uses a cloud service provider that provides a framework of techniques and tools for managing the identities of people and applications that allow for access to cloud resources. Which of the following describes this framework? a. MAC b. IAM c. DM d. DRM

The account is now locked after three failed attempts, so the error message has most likely changed from a failed password to one reflecting a locked account

Emily is analyzing the logs for one of the servers in her organization. She sees three failed attempts to log in with an incorrect password. She then sees continued attempts to log in with a different error message. Which of the following could be the reason the error message changed? a. The server configuration has changed b. The account is now locked after three failed attempts, so the error message has most likely changed from a failed password to one reflecting a locked account c. The server was compromised after the third failed password attempt d. The server's time was changed so the authentication attempts failed because of a different reason

Which authentication technique bridges the gap across idPs and SPs? - Secrets management - Active directory - Federation - Password vault

Federation

Which of the following is the most difficult configuration for extending IAM across a hybrid cloud? - Synchronization - Federation - Pass-through (i.e. authentication occurs in the cloud) - Extension

Federation

SMS

Fictional Corp currently has an alert system set up to e-mail notifications to administrators. However, it has been pointed out that it may take a while for an administrator to see one of those emails, so they would like to have notifications sent to their mobile phones instead. Which of the following settings should they look for in the configuration of their alert system? a. SMS b. TMS c. STS d. TXS

CAS

Fictional Corp has an on premises data center where content is written once and then referred by its content rather than by its location on a disk. Which of the following types of storage are they most likely using? a. NAS b. SaaS c. DAS d. CAS

Identity

Fictional Corp has assigned each user within their Active Directory implementation a username. This username is a form of: a. Accounting b. Authorization c. Authentication d. Identity

CloudWatch

Fictional Corp has chosen to use AWS as its CSP. One of the key benefits that it liked about the platform was a service that allows technicians to monitor metrics across AWS services by collating data in one or more dashboards, tracking events, or generating alerts. Which of the following AWS services were they impressed by? a. CloudWatch b. Monitor c. Dashboard d. Stackdriver

Somewhere you are

Fred is trying to access the company's cloud-based CRM system while traveling abroad in Europe. He receives a message that access to this application is not allowed from the country he is currently in and lists the IP address detected by his connection. Which of the following factors of authentication is the CRM system using? a. Something you have b. Something you do c. Something you know d. Somewhere you are

What are the various status of certificates?

- Good: a secret is good, or trusted, during the timeframe for which it was approved
- Retired: once a certificate reaches its expiration date, it is retired and can no longer be used
- Revoked: if there is any indication the secret has been compromised or destroyed, the secret must be revoked

Using the IAM (identity & access mgmt)

How can you set up cloud user accounts?

Offline

Ivan is responsible for making tape backups of one of the on-premises servers in the data center and then taking the tapes to a lockbox at a local bank for safe keeping. Which of the following describes the type of backup that he is doing? a. Offline b. Remote c. Local d. Online

Cloning

Sid wants to create a new copy of a server so that he can test some patches to the server outside of the production environment. Which of the following describes the method described? a. Synchronous replication b. Asynchronous replication c. Cloning d. Storage mirroring

Add more VCPUs and memory to the virtual machine

Jack gets an alert that one of his web servers is receiving more requests than it can handle given its current resources. He has decided to implement vertical scaling to resolve the issue. Which of the following could he do to meet his objective? a. Add more virtual machines to the cluster b. Migrate the web server to the company's on-premise data center c. Add more VCPUs and memory to the virtual machine d. Migrate the web server to another CSP

Increased the number of servers available to the application

Jed has just spent some time analyzing some of the applications on the CSP that his company uses. He found that one of the applications was using a lot of resources between the servers that it was deployed on and implemented horizontal scaling to resolve the issue. Which of the following did Jed do? a. Increased the capacity of the existing servers b. Migrated the application to another CSP c. Migrated the application to an on-premise data center d. Increased the number of servers available to the application

Implementing RAID 1 exclusively to back-up the organization's data

Jennifer manages the IT department at a huge corporation. After a catastrophic resource failure 8 months ago, the IT department was tasked with developing a plan to avoid such an event from happening again. Jennifer's team decides to start this project with a brainstorming session where any idea can be suggested and the team will then discuss whether the solution is logistically possible and will help avoid another catastrophic failure. Which suggestion is Jennifer's team most likely to throw out first because it will not address the issue? a. Integrating a hyper converged infrastructure (HCI) to manage their hybrid on-prem/cloud-based storage b. Applying a RAID 6 technique to back up the organization's data c. Transitioning to a cloud-based object storage system for archiving data d. Implementing RAID 1 exclusively to back-up the organization's data

Asynchronous replication

Joe has been asked about one of the storage systems his company maintains. This system writes the data to storage in one region and periodically copies the data to another region. What term can he use to describe this configuration? a. Synchronous replication b. Always On replication c. Duplicating replication d. Asynchronous replication

Synchronous replication

Juanita wants to create a data replication system where the data is constantly written to two locations at the same time. Which of the following describes this type of configuration? a. Asynchronous replication b. Always On replication c. Duplicating replication d. Synchronous replication

Which protocol defines how most authentication directories work? - LDAP - OCSP - HTTPS - MFA

LDAP

Mirroring

Martin wants to maintain an exact copy of the data from one of the data storage locations in a separate location for disaster recovery purposes. The copy of the data will not be actively used unless the systems have to failover to the copy. Which of the following describes the type of redundancy he is wanting to implement? a. Duplexing b. Tokenization c. Mirroring d. Snapshot

False negative

Niles is analyzing a server and finds a problem with one of the applications. He didn't receive any notifications and thinks that perhaps it got lost in his spam folder or something else happened. After scouring the logs, he doesn't see any notifications or alerts in the system at all. Which of the following describes this situation? a. False positive b. True negative c. False negative d. True positive

AWS users receive long-term permissions through an attached _____ - Service - Policy - Root - role

Policy

PKI

Sarah has deployed a private cloud infrastructure that requires users to insert a smart card into their computer or into their card reader in order to authenticate them to use the applications. The smart card is associated with a certificate for each user, which is verified against a certificate authority. Which of the following has she deployed? a. PKI b. PII c. PCI DSS d. PSK

What access control method does Azure use? - AD - RBAC - DAC - MAC

RBAC

If a certificate is included in a CRL, what is its status? - Retired - Revoked - Trusted - Renewed

Revoked

What resource defines a set of permissions in GCP? - Group - Policy - Service account - Role

Role

What kind of applications use SSO

SAML (Security Assertion Markup Language) or OpenID Connect

SLA

Sam is reviewing the agreements that Cheers, Inc. has with their chosen CSP. One of those agreements states that the RTO is two hours, and that the system will maintain a 99.9 percent uptime. Which of the following describes the guarantee that Sam is currently reviewing? a. SLA b. BCP c. HAP d. DRP

Complexity

Stan is walking past a row of cubicles when he notices someone's password written down on a sticky note attached to a monitor. The password is passwordpassword3. Besides the obvious problem of the word password repeated followed by a single number, which of the following policies isn't in place that should be? a. Re-use b. Expiration c. Length d. Complexity

RBAC

Steven has been tasked with planning the move from an infrastructure where administrators and users add permissions to resources individually to one where users are assigned to groups based upon the department they work in and what they do in the department and then assigning the groups to the resources. Which of the following has he been tasked with planning? a. JAC b. DAC c. MAC d. RBAC

Event correlation

Syed is implementing an event monitoring system that will be able to look at all events and determine if there is a pattern established by the different events that occur. Which of the following would be a feature of this monitoring system? a. Event correlation b. Event triggering c. Event interaction d. Event patternization

Horizontal scaling

Teri logs into the cloud service provider's portal and reviews the reports that are available as part of her monthly analysis. She sees that one of the web applications currently using four web servers is experiencing an increase in traffic after a recent marketing campaign by the company, and she decides to add another two virtual machines to act as more web servers to help ease the load on the existing ones. Which of the following describes the procedure Teri performed? a. Horizontal scaling b. Linear scaling c. Triangular scaling d. Vertical scaling

Blast radius

The extent of system vulnerability to a destructive event such as a security breach or device failure.

Logical access control

The management of access to logical resources, such as a network or workstations; often refers more specifically to remote access, as opposed to physical access control

Root account

The account created by default; it should not be used for routine tasks. Using it is a bad idea from a security perspective, so the root account should not be used again except when absolutely necessary.

Thick provisioning

Tracey has built a private cloud in her organization with restrictions in place to prevent provisioning more disk space than is physically available. Which of the following describes this principle? a. Thin provisioning b. Thick provisioning c. SOS provisioning d. JIT provisioning

NAS

Trent is designing the technology infrastructure to use at his company's small new office in the Caribbean. After researching the ISPs in the area, he sees that the amount of bandwidth available at that specific location is going to be rather limited. Which of the following may he want to install in order to provide local file storage for the office? a. NAS b. SAN c. SAD d. DAS

Policy - in AWS

a collection of permissions that is assigned to an identity. Different kinds of policies:
- Identity-based policy: grants permissions to identities
- ACL (access control list): assigned to a resource to identify who from outside the account can access that resource

AD (Active Directory)

a collection of services on Windows Server that manages access to resources on a network

Group - in Azure AD

a collection of users

Identity

a digital identity that can be given access to resources through roles and permissions
- Both users and resources can have an identity
- A user is given permissions based on the job responsibilities the user needs to fulfill

IAM (identity and access mgmt)

a framework of techniques and tools for managing the identities of people and applications that allow for access to cloud resources.

Permission - in AWS

a permission defines a specific action that an identity is allowed to take

Authentication

a process, usually managed by a server, that proves the identity of a client and determines whether that client is allowed to access a secured system; it answers the question "Who are you?"

Role - in Azure AD

a role definition, or role for short, is a collection of permissions:
- Owner: complete access to all resources and can give access to others
- Administrator: full access to resources within that role
- Contributor: can create and manage resources but can't give access to others
- Reader: can view existing resources but can't make changes

Role - in AWS

a role is an identity that provides a way to assign policies to other resources for a short duration

Digital signature

a security procedure that uses public key cryptography to assign to a document a code for which you alone have the key (used to authenticate electronic documents as yours)

Digital Certificate

a small file containing verified identification information and the public key of the entity whose identity is being authenticated - similar to your passport

PAM (privileged access management)

a subset of IAM that applies stricter rules and safety precautions specifically to users who are given elevated permissions to do their jobs

REST (Representational State Transfer)

an architecture standard that requires certain characteristics for HTTP or HTTPS communications

Service principal - in Azure AD

an identity for an application or service

Group - in AWS

an identity that represents a collection of users; a user can belong to multiple groups, but groups cannot contain other groups

User - in AWS

an identity that represents a person or an application that needs to interact with AWS resources
- A user has a name, an ARN (Amazon Resource Number), a password, access keys (an access key ID and a secret access key), or a server certificate

RESTful APIs

can be used to perform basic, standardized functions across the web to interact with an authentication directory. This allows organizations to set up relationships between various services or apps and the authentication service, knowing that the shared communication standards will allow these different systems to reliably understand each other

Authentication issues

caused by expired credentials, mistyped passwords, misconfigured certificates, or misconfigured trust relationships

Federated identity - Azure

federated authentication is the more complicated and expensive option, offering more complete SSO functionality and immediate synchronization between locations

Single Sign-On (SSO)

a form of authentication in which a client signs in one time to access multiple systems or resources; SSO offers the simplicity of a single source of truth, so user data isn't duplicated across multiple systems

Secret management systems

handle the security and distribution of keys, passwords, authorization tokens, and other files (these are secrets) used to secure access to resources; AWS offers Secrets Manager

User - in Azure AD

identity associated with a person's profile

Principle of least privilege

means to limit access to the least privilege needed. Users are given enough access and privileges to do their jobs, and these privileges are terminated as soon as the person no longer needs them

Federation

process of managing user identities across organizations on the foundation of the trust relationship

Multifactor Authentication (MFA)

requires two or more pieces of information - called factors - from across two or more categories of authentication factors

MAC (mandatory access control)

resources are organized into hierarchical classifications, like "confidential", "top secret", etc. A user is only given access if the user's classification and category match those of the resource. Most restrictive method.

How do you revoke a certificate

the CA (certificate authority) that issued the certificate requires submission of a revocation request, and sometimes supporting evidence is needed. Once revoked, the certificate is added to a CRL (certificate revocation list), against which other entities can confirm whether a certificate has been invalidated.

Horizontal attack

the attacker uses typical user privileges to access information available to the compromised account. This attack type is typically used for reconnaissance

Azure AD (Active Directory)

the cloud-native cousin of the Active Directory found in Windows Server for on-prem networks; Azure AD uses a flat structure, with no container hierarchy like OUs (organizational units)

Root User - in AWS

the original identity from when you first create an AWS account
- Never use your root user for day-to-day activities
- AWS recommends you use the root user only until you create the first IAM user, then store the root user credentials in a secure location for emergency access only

Cloud Identity - Azure

the pass-through authentication option consists of all IAM services residing in the cloud and includes limited synchronization of passwords or other credentials

Scope - in Azure AD

the set of resources that a user might have access to

Public Key Infrastructure (PKI)

the use of certificate authorities to associate public keys with certain users

