Security + Cert Prep 6: Cloud security design and implementation
This is a type of hypervisor commonly used on home operating systems: the host has its own operating system, and the hypervisor runs as an application on top of that OS.
Type 2 hypervisor
In cloud computing, actions one customer takes should never impact the actions of the other customers.
Isolation
What is the most critical container security issue?
Isolation of the applications
True or false: Desktop and application virtualization enable the use of thick client devices
False, it enables use of thin client devices
True or false: Some cloud models are inherently superior to other approaches.
False, no cloud model is inherently superior to the other approaches; it all depends on the context.
True or false: If isolation breaks down at the cloud provider, then this increases performance.
False, performance would suffer
This is a cloud specific operation where we can move workloads between cloud vendors
Portability
True or false: cloud providers will spread data across multiple geographic regions.
True, this protects against regional failures
As opposed to a security concern, this is an operational concern related to how much demand can be handled
Performance
True or false: MSSP relationships should be carefully documented when using CASBs (cloud access security brokers)
True
True or false: Reference architectures based on the ISO cloud reference architecture provide a useful framework, but they're just a starting point.
True
True or false: accessing web based email is cloud computing.
True
True or false: cloud orchestration solutions access resources through the vendor's API.
True
True or false: running scripts on salesforce.com is cloud computing
True
True or false: storing data in multiple locations subjects it to multiple jurisdictions
True
True or false: virtualization platforms must be patched against security vulnerabilities
True
This is anytime, anywhere access to the cloud
Broad network access
In cloud computing this means it is available when you need it
On demand self service
This is a type of cloud access security broker (CASB) that regularly queries the cloud service via API and may not be able to block requests, depending upon API capabilities.
API-based CASB
What technology do cloud orchestration services use to interact with cloud service providers?
APIs, cloud orchestration services interact with cloud service providers through API calls.
Which Amazon service offers block storage volumes?
Amazon EBS (elastic block store)
This is a type of object storage that has low cost, but it may be several hours before you can retrieve your files
Archival
This is a type of virtualization that streams applications to the user's desktop
Application virtualization
As opposed to a security concern, this is an operational concern related to how much uptime is required
Availability
Service-level agreements (SLAs) take these three operational concerns and codify them into vendor obligations.
Availability, resiliency, and performance
This is a type of cloud storage that allocates a large chunk of storage for access as a disk volume managed by the operating system
Block storage
This type of storage is generally used to create virtual disk drives for cloud servers
Block storage
What are the two types of cloud storage?
Block storage and object storage
The cloud provides many database hosting options. Name a few of them.
Build a database server on top of virtualized cloud servers, use a managed database service, or use a cloud native database platform
This is the cloud computing role that provides identity and access management (IAM) services
Cloud access security broker (CASB)
This type of service provider is a third-party security provider that adds a security layer to the interactions that users have with other cloud services
Cloud access security brokers (CASBs)
This is delivering computing resources to a remote customer over a network.
Cloud computing
In this cloud computing role, the organization purchases cloud computing services from one or more cloud service providers
Cloud customer
This describes the cloud environment types that organizations might use.
Cloud deployment models
Which cloud database hosting option allows use of relational databases, key-value stores, graph databases, and other options? It also offers a high degree of cloud optimization, places the management burden on the provider, and requires retooling existing applications to work with a new database platform.
Cloud native database platform
Creates automated workflows for managing cloud environments
Cloud orchestration
This is the cloud computing role that provides add-on services
Cloud service partner
In this cloud computing role, the organization offers cloud computing services for sale to third parties.
Cloud service provider
This is where organizations share cloud infrastructure with other organizations in a common community
Community cloud
Cloud providers serving regulated customers must support this
Compliance efforts
This is a lightweight alternative for packaging up an entire application and making it portable so it can be easily moved between hardware platforms. Uses the host's OS without the added burden of a hypervisor and additional OSs.
Containers
This is where data is subject to the legal restrictions of where it is collected, stored, or processed
Data sovereignty
Which cloud database hosting option resembles on premise operations and requires customer management of servers and databases?
Database is built on virtualized servers in the cloud
This is computing on the endpoint. It brings the advancements of the cloud to the edge of the network where the processing power is on the remote sensor (IoT) because it is too far out to connect directly to the network.
Edge computing
In cloud computing this means expanding and contracting quickly as short term needs fluctuate.
Elasticity
This is computing near the endpoint where gateways contain the computing power and are placed near sensors (IoT)
Fog computing
This type of service is also known as serverless computing
Function as a service (FaaS)
This ensures effective oversight of cloud use in an organization
Governance
This is a type of object storage where you can get immediate access to your files
High availability
This is using cloud compute resources across different zones to insulate against failure in a single zone
High availability
What is the difference between horizontal scaling and vertical scaling?
Horizontal is simply adding more servers to meet increased demand while vertical scaling just adds more resources to the existing servers to meet increased demand.
In cloud computing there are two types of scaling. What are they called?
Horizontal scaling and vertical scaling
This is where organizations use both private and public cloud
Hybrid cloud
This is a cloud specific operation where our cloud solutions from different vendors work together
Interoperability
In a cost benefit analysis, moving to the cloud has intangible benefits. What are a few of these benefits?
Increased productivity and agility, improved scalability and elasticity, faster access to emerging technologies, transition from capital to operational expenditures, fun.
This is a type of service where customers purchase servers/storage.
Infrastructure as a service (IaaS)
Manages clouds programmatically, so that administrators never build or manage resources using the command line or graphical interfaces. Instead, they write code that performs those actions for them.
Infrastructure as code
This reduces VM sprawl by keeping track of the instances you have running in your cloud computing resources
Instance awareness
What are the advantages of containers in a cloud environment?
It reduces the overhead of having multiple operating systems loaded and running on the system
This is a class of block storage that is slower but less expensive
Magnetic
Identify some managed security service providers (MSSP) service examples
Managing an entire security infrastructure, monitoring system logs, managing firewalls or networks, performing identity and access management.
These are service providers that provide security services for other organizations as a managed service.
Managed security service providers (MSSPs)
Which cloud database hosting option requests a database from the cloud provider using the platform of choice and transfers maintenance responsibility to the cloud provider?
Managed database service
These service providers offer information technology services to customers in a more efficient way than the customers
Managed service providers (MSPs)
This means paying only for what you consume in cloud services
Measured service
In cloud computing, this means many different customers share use of the same computing resources
Multitenancy
This is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
NIST definition of cloud computing
This is a type of cloud access security broker (CASB) that intercepts traffic between the user and the cloud service, monitors for security issues, and can block requests
Network-based CASB
This is a type of cloud storage that stores files as individual objects managed by the cloud service provider
Object storage
This type of storage is used to maintain files for websites, build large data storage, and let somebody else worry about management
Object storage
Which type of storage is less expensive, block storage or object storage?
Object storage because you only pay for the storage space being used
This is where cloud providers have sold capacity that exceeds actual capacity
Oversubscription
This is a service where vendors provide customers with a platform on which they can run their own application code without worrying about server configuration
Platform as a service (PaaS)
This is another dimension of the CIA triad that protects the confidentiality rights of individuals whose information we store, process, or transmit
Privacy
This is where organizations use a dedicated cloud infrastructure
Private cloud
This is where organizations use a multitenancy infrastructure
Public cloud
These are used to verify that cloud service providers are fulfilling their security and operational obligations
Regular audits
As opposed to a security concern, this is an operational concern related to how many failures are tolerable
Resiliency
In multitenancy, this is where CPU and memory are shared among users
Resource pooling
This is a cloud specific operation where we can roll back operations to the original state prior to a cloud transition
Reversibility
These are three cloud specific operational considerations when moving to the cloud.
Reversibility, portability, interoperability
In cloud computing this means customers can easily increase capacity with demand
Scalability
MSSPs may also be referred to as this
Security as a service (SECaaS)
Name three key cloud storage security issues
Set permissions properly, make use of encryption for sensitive data, replicate data to multiple data centers to help create high availability
Public cloud computing uses this type of responsibility model
Shared responsibility model
This is where the customer purchases an entire app as a service
Software as a service (SaaS)
This requires integrating the cloud provider's API into your operations stack in an infrastructure as code approach
Software defined networking (SDN)
Allows you to use the provider's API to gain insight into network traffic.
Software defined visibility (SDV)
This is a type of block storage that is faster and more expensive
Solid state
This is a fundamental building block of cloud computing
Storage
Instead of a hypervisor, containers run on this platform.
They contain application code in a standardized format that runs on containerized platforms using the native operating system as the interface to the hardware.
For a cloud orchestration solution, what is the primary advantage of using a third-party vendor instead of one of the cloud providers directly?
Third-party vendors often support many different cloud providers and can work across different cloud solutions
This is the most common type of hypervisor that sits right on top of the physical hardware and then hosts guest virtual machines
Type 1 hypervisor
What is not a common cloud deployment option for relational databases?
VDI service. VDI environments are not a good choice for hosting relational databases, as relational databases are used to store and allow retrieval of structured info.
In a virtual environment this is an attack that attempts to break out of the guest environment
VM escape attacks
This is a term used to describe unused and unmaintained servers, which are wasteful and a security risk because they are not properly maintained.
VM sprawl
These provide secure VPC interconnection without requiring use of the open internet
VPC endpoints
This provides network-based access to a virtual desktop computing environment
Virtual desktop infrastructure (VDI)
Cloud providers use these as a VLAN in the cloud.
Virtual private clouds (VPCs)
This is where host machines run on physical hardware, the host machines provide services to several virtualized guest machines, and the hypervisor tricks each guest into thinking it is running on dedicated hardware
Virtualization