Lesson 12: Applying Security Solutions for Cloud and Automation

Which development environment mirrors the production environment?

Staging Staging is a mirror of the production environment but may use test or sample data and will have additional access controls so that it is only accessible to test users. Testing at this stage will focus more on usability and performance.

A cloud access security broker (CASB) has enterprise management software designed to mediate access to cloud services by users across all types of devices. Which functions does a CASB provide? Select all that apply.

B. Single sign-on authentication C. Malware scan A CASB can enable single sign-on authentication and enforce access controls and authorizations from the enterprise network to the cloud provider. As a CASB sits between an on-premise and cloud platform, it can scan for malware and rogue or non-compliant devices before allowing access.

A cloud engineer manages a web server farm. Developers routinely upload new applications to these servers. While performing maintenance on one server, the engineer notices that the server is not handling XML requests properly. The engineer suspects an exploit with the Simple Object Access Protocol (SOAP). Evaluate the exploit types and determine which an attacker may be using.

Coercive parsing SOAP parses XML-based requests. With coercive parsing, an attacker can modify those requests so that the SOAP web service parses them in a harmful way.

A systems engineer wishes to automate a sequence of tasks in a development environment. The goal is for developers to share code and collaborate. Which solution does the engineer deploy?

Github Github is a service that allows developers to share code and collaborate on apps. Both public and private code repositories are available.

A number of tools are available to perform automated vulnerability and penetration testing assessment of cloud infrastructure. A security analyst has specific needs and looks for a tool that is open-source and written in python. Which tool does the analyst select?

Scoutsuite ScoutSuite is an open-source tool written in Python and used to audit instances and policies created on multi-cloud platforms, including Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

A systems administrator implements best practices for API key management. Considering the approaches, which of the following will the systems administrator utilize with a whitelist?

Apply the most restrictive hardening policies to client hosts. A best practice is to apply the most restrictive hardening policies to client hosts and development workstations. These systems should run only whitelisted applications and access only whitelisted websites.

Developers at an organization are working on a new application. Which approach do the developers use to test the infrastructure that supports the application?

Continuous delivery Continuous delivery is about testing all of the infrastructure that supports the app, including networking, database functionality, client software, and so on.

Which areas might an engineer possibly misconfigure in a cloud service when dealing with cloud storage containers? Select all that apply.

A. Incorrect permissions D. Incorrect origin settings When creating storage containers, the containers may default to public read/write permissions. If such default permissions are left configured, not only can any data uploaded to the container be freely accessed, but the container can also be misused as a repository for malware. Data in cloud storage can serve as static web content, such as HTML pages, images, and videos across a content delivery network (CDN). Weakly-configured cross origin resource (CORS) policies in a CDN may expose a site to vulnerabilities, such as XSS.

A cloud deployment model classifies cloud service ownership and provisioning. Which model exists through shared ownership?

Community When multiple organizations share ownership of a cloud service, they deploy the service as a community cloud. This is usually done to pool resources for a common concern, like standardization and security policies.

A security engineer for an organization implements a cloud access security broker (CASB) solution. Which function does the engineer enable by performing a configuration at a cloud network's edge?

Reverse proxy A reverse proxy, positioned at the cloud network edge, directs traffic to cloud services if the contents of that traffic comply with policy. This does not require configuration of users' device.