Security + Cert Prep 6: Cloud security design and implementation


This type of hypervisor, common on home and desktop systems, runs as an application on top of a full host operating system rather than directly on the hardware.

Type 2 hypervisor

In cloud computing, actions one customer takes should never impact the actions of the other customers.

Isolation

What is the most critical container security issue?

Isolation of the applications

True or false: Desktop and application virtualization enable the use of thick client devices.

False, it enables use of thin client devices

True or false: Some cloud models are inherently superior to other approaches.

False, no cloud model is inherently superior to the other approaches as it all depends on the context.

True or false: If a cloud provider's isolation between customers breaks down, performance improves.

False, performance would suffer, because one customer's workload can now affect another's.

This is a cloud specific operation where we can move workloads between cloud vendors

Portability

True or false: cloud providers will spread data across multiple geographic regions.

True, this protects against regional failures.

As opposed to a security concern, this is an operational concern related to how much demand can be handled

Performance

True or false: MSSP relationships should be carefully documented when using CASBs (cloud access security brokers).

True

True or false: Reference architectures based on the ISO cloud reference architecture provide a useful framework, but they are just a starting point.

True

True or false: accessing web based email is cloud computing.

True

True or false: cloud orchestration solutions access resources through the vendor's API.

True

True or false: running scripts on salesforce.com is cloud computing

True

True or false: storing data in multiple locations subjects it to multiple jurisdictions

True

True or false: virtualization platforms must be patched against security vulnerabilities

True

This is anytime, anywhere access to the cloud

Broad network access

In cloud computing this means resources are available when you need them, without waiting on the provider.

On-demand self-service

This is a type of cloud access security broker (CASB) that regularly queries the cloud service via its API and may not be able to block requests, depending on what the API supports.

API-based CASB

What technology do cloud orchestration services use to interact with cloud service providers?

APIs. Cloud orchestration services interact with cloud service providers through API calls.

Which Amazon service offers block storage volumes?

Amazon EBS (elastic block store)

This is a type of object storage that has low cost but may be several hours before you can retrieve your files

Archival

This is a form of virtualization that streams applications to the user's desktop.

Application virtualization

As opposed to a security concern, this is an operational concern related to how much up time is required

Availability

Service-level agreements (SLAs) take these three operational concerns and codify them as vendor obligations.

Availability, resiliency, and performance

This is a type of cloud storage that allocates a large chunk of storage for access as a disk volume managed by the operating system

Block storage

This type of storage is generally used to create virtual disk drives for cloud servers.

Block storage

What are the two types of cloud storage?

Block storage and object storage

The cloud provides many database hosting options. Name a few of them.

Build a database server on top of the virtualized cloud servers, use a managed database service, use a cloud native database platform

This third-party cloud service partner commonly provides identity and access management (IAM) services for an organization's cloud use.

Cloud access security broker (CASB)

This type of service provider is a third-party security service that adds a security layer to the interactions users have with other cloud services.

Cloud access security brokers (CASBs)

This is delivering computing resources to a remote customer over a network.

Cloud computing

In this cloud computing role, it purchases cloud computing services from one or more cloud service providers

Cloud customer

This describes the cloud environment types that organizations might use.

Cloud deployment models

Which cloud database hosting option allows use of relational databases, key-value stores, graph databases, and other options; offers a high degree of cloud optimization; places the management burden on the provider; and requires retooling existing applications to work with the new database platform?

Cloud native database platform

Creates automated workflows for managing cloud environments

Cloud orchestration

This is the cloud computing role that provides add-on services

Cloud service partner

In this cloud computing role, it offers cloud computing services for sale to third parties.

Cloud service provider

This is where organizations share cloud infrastructure with other organizations in a common community.

Community cloud

Cloud providers serving regulated customers must support this

Compliance efforts

This is a lightweight alternative for packaging up an entire application and making it portable so it can be easily moved between hardware platforms. It uses the host's OS without the added burden of a hypervisor and additional guest operating systems.

Containers

This is where data is subject to the legal restrictions of where it is collected, stored, or processed

Data sovereignty

Which cloud database hosting option resembles on premise operations and requires customer management of servers and databases?

Database is built on virtualized servers in the cloud

This is computing on the endpoint. It brings the advantages of the cloud to the edge of the network, placing processing power on the remote sensor (IoT) itself because the device is too far from the core network to send its data back for processing.

Edge computing

In cloud computing this means expanding and contracting quickly as short term needs fluctuate.

Elasticity

This is computing near the endpoint where gateways contain the computing power and are placed near sensors (IoT)

Fog computing

This type of service is also known as serverless computing

Function as a service (FaaS)

This ensures effective oversight of cloud use in an organization

Governance

This is a type of object storage where you can get immediate access to your files

High availability

This is using cloud compute resources across different zones to insulate against failure in a single zone

High availability

What is the difference between horizontal scaling and vertical scaling?

Horizontal is simply adding more servers to meet increased demand while vertical scaling just adds more resources to the existing servers to meet increased demand.

In cloud computing there are two types of scaling. What are they called?

Horizontal scaling and vertical scaling

This is where organizations use both private and public cloud

Hybrid cloud

This is a cloud specific operation where our cloud solutions from different vendors work together

Interoperability

In a cost-benefit analysis, moving to the cloud has intangible benefits. What are a few of these benefits?

Increased productivity and agility, improved scalability and elasticity, faster access to emerging technologies, and a transition from capital to operational expenditures.

This is a type of service where customers purchase servers/storage.

Infrastructure as a service (IaaS)

Manages cloud resources programmatically: rather than building or managing resources through the command line or graphical interfaces, administrators write code that performs those actions for them.

Infrastructure as code

Keeping track of which instances are running in your cloud environment; this reduces VM sprawl.

Instance awareness

What are the advantages of containers in a cloud environment?

It reduces the overhead of having multiple operating systems loaded and running on the system

This is a class of block storage that is slower but less expensive.

Magnetic

Identify some managed security service providers (MSSP) service examples

Manage an entire security infrastructure, monitor system logs, manage firewalls or networks, perform identity and access management.

These are service providers that provide security services for other organizations as a managed service.

Managed security service providers (MSSPs)

Which cloud database hosting option requests a database from the cloud provider on the platform of choice and transfers maintenance responsibility to the cloud provider?

Managed database service

These service providers offer information technology services to customers more efficiently than the customers could provide them for themselves.

Managed service providers (MSPs)

This means paying only for what you consume in cloud services

Measured service

In cloud computing, this means many different customers share use of same computing resources

Multitenancy

This is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

NIST definition of cloud computing

This is a type of cloud access security broker (CASB) that intercepts traffic between the user and the cloud service, monitoring for security issues and can block requests

Network-based CASB

This is a type of cloud storage that stores files as individual objects managed by the cloud service provider

Object storage

This type of storage is used to maintain files for websites, build large data storage, and let somebody else worry about management

Object storage

Which type of storage is less expensive, block storage or object storage?

Object storage because you only pay for the storage space being used

This is where cloud providers have sold capacity that exceeds actual capacity

Oversubscription

This is a service where vendors provide customers with a platform on which they can run their own application code without worrying about server configuration.

Platform as a service (PaaS)

This concept is closely related to the confidentiality leg of the CIA triad; it protects the rights of the individuals whose information we store, process, or transmit.

Privacy

This is where organizations use a dedicated cloud infrastructure

Private cloud

This is where organizations use a multi tenancy infrastructure

Public cloud

These are used to verify that cloud service providers are fulfilling their security and operational obligations.

Regular audits

As opposed to a security concern, this is an operational concern related to how many failures are tolerable

Resiliency

In multitenancy, this is where CPU and memory are shared among users

Resource pooling

This is a cloud specific operation where we can roll back operations to the original state prior to a cloud transition

Reversibility

These are three cloud specific operational considerations when moving to the cloud.

Reversibility, portability, interoperability

In cloud computing this means customers can easily increase capacity with demand

Scalability

MSSPs may also be referred to as this

Security as a service (SECaaS)

Name three key cloud storage security issues

Set permissions properly, use encryption for sensitive data, and replicate data to multiple data centers to provide high availability.
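The cards on infrastructure as code and on cloud storage security both come down to the same practice: express the storage configuration as code and check it before it is deployed. The following is an added example, not part of the original flashcard set or the course it summarizes. It audits a constructed CloudFormation-style template (the bucket names, account ID and ARNs are made up) for the three storage issues above: overly permissive permissions (public canned ACLs, a missing public-access block, a bucket policy that grants access to "*"), missing default encryption, and missing versioning or replication. The CloudFormation property names used are real; everything else in the template is constructed for the example.

```python
"""Audit a CloudFormation-style template for common S3 storage misconfigurations."""
import json

# Constructed sample template (not from the original page): LogsBucket is
# deliberately weak, RecordsBucket is the hardened counterpart.
TEMPLATE = json.dumps({
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "LogsBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "LogsBucket"},
                "PolicyDocument": {"Statement": [{
                    "Effect": "Allow", "Principal": "*",
                    "Action": "s3:GetObject",
                    "Resource": "arn:aws:s3:::example-logs/*"}]},
            },
        },
        "RecordsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                "VersioningConfiguration": {"Status": "Enabled"},
                "ReplicationConfiguration": {
                    "Role": "arn:aws:iam::123456789012:role/replication",
                    "Rules": [{"Status": "Enabled",
                               "Destination": {"Bucket": "arn:aws:s3:::example-records-dr"}}]},
            },
        },
    }
})

PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def is_public_principal(principal):
    """True if a policy Principal grants access to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket(name, props):
    """Permissions, encryption and replication checks for one AWS::S3::Bucket."""
    findings = []
    if props.get("AccessControl") in PUBLIC_ACLS:
        findings.append(f"{name}: public canned ACL {props['AccessControl']!r}")
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.append(f"{name}: public access block not fully enabled")
    if "BucketEncryption" not in props:
        findings.append(f"{name}: no default server-side encryption")
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        findings.append(f"{name}: versioning disabled")
    if "ReplicationConfiguration" not in props:
        findings.append(f"{name}: no replication to a second location")
    return findings


def audit_policy(name, props):
    """Flag Allow statements that are open to everyone and unconditioned."""
    findings = []
    statements = props.get("PolicyDocument", {}).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if (stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal"))
                and "Condition" not in stmt):
            findings.append(f"{name}: Allow statement with Principal '*' and no Condition")
    return findings


def audit_template(template_json):
    """Return all findings for the S3 resources in a JSON template string."""
    findings = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            findings.extend(audit_bucket(name, props))
        elif res.get("Type") == "AWS::S3::BucketPolicy":
            findings.extend(audit_policy(name, props))
    return findings


if __name__ == "__main__":
    for finding in audit_template(TEMPLATE):
        print("FINDING:", finding)
```

Run against the constructed template, the weak bucket and its policy produce six findings and the hardened bucket produces none. A check like this belongs in the pipeline that applies the infrastructure code, so a public ACL or unencrypted bucket is rejected before it ever exists.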

Public cloud computing uses this type of responsibility model

Shared responsibility model

This is where the customer purchases an entire app as a service

Software as a service (SaaS)

This requires integrating the cloud provider's API into your operations stack in an infrastructure as code approach.

Software defined networking (SDN)

Allows you to use the provider's API to gain insight into network traffic.

Software defined visibility (SDV)

This is a type of block storage that is faster and more expensive

Solid state

This is a fundamental building block of cloud computing

Storage

Instead of a hypervisor, containers run on this platform.

A containerization platform. Containers hold application code in a standardized format and run on the host's native operating system, which serves as the interface to the hardware.

For a cloud orchestration solution, what is the primary advantage of using a third-party vendor instead of one of the cloud providers directly?

Third-party vendors often support many different cloud providers and can work across different cloud solutions

This is the most common type of hypervisor that sits right on top of the physical hardware and then hosts guest virtual machines

Type 1 hypervisor

What is not a common cloud deployment option for relational databases?

VDI service. VDI environments deliver virtual desktops to users; they are not a platform for storing and retrieving structured data, so they are not a good choice for hosting relational databases.

In a virtual environment this is an attack that attempts to break out of the guest environment

VM escape attacks

This term describes unused and unmaintained servers, which are wasteful and a security risk because they are not kept patched and maintained.

VM sprawl
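The instance awareness and VM sprawl cards describe a practice rather than a tool: know what instances exist, who owns them, and whether they are still being maintained. The following added example is not from the original flashcard set. It runs over a constructed inventory (the instance IDs, tags and timestamps are made up, in the shape a provider's list-instances call would return after normalisation) and flags instances with no Owner tag, instances that have sat stopped for more than 30 days, and instances whose last patch is more than 90 days old, which also ties back to the card on patching virtualization platforms. The thresholds are assumptions to adjust for your environment.

```python
"""Instance-awareness report: flag cloud instances that look like VM sprawl."""
from datetime import datetime, timedelta, timezone

# Fixed clock so the report is reproducible (assumption for the example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STOPPED_DAYS = 30   # stopped longer than this: probably forgotten
PATCH_DAYS = 90     # unpatched longer than this: maintenance has lapsed

# Constructed inventory, not from the original page.
INVENTORY = [
    {"id": "i-0a1", "state": "running", "tags": {"Owner": "payments", "Env": "prod"},
     "state_changed": "2024-05-20T10:00:00Z", "last_patched": "2024-05-15T00:00:00Z"},
    {"id": "i-0b2", "state": "stopped", "tags": {"Owner": "analytics"},
     "state_changed": "2024-01-03T08:30:00Z", "last_patched": "2023-12-01T00:00:00Z"},
    {"id": "i-0c3", "state": "running", "tags": {},
     "state_changed": "2023-11-11T12:00:00Z", "last_patched": "2023-11-11T12:00:00Z"},
    {"id": "i-0d4", "state": "stopped", "tags": {"Owner": "payments"},
     "state_changed": "2024-05-25T00:00:00Z", "last_patched": "2024-05-20T00:00:00Z"},
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def sprawl_findings(inventory, now=NOW):
    """Map instance id -> list of reasons it looks like sprawl (empty map if clean)."""
    findings = {}
    for inst in inventory:
        reasons = []
        if "Owner" not in inst["tags"]:
            reasons.append("no Owner tag")
        stopped_for = now - parse_ts(inst["state_changed"])
        if inst["state"] == "stopped" and stopped_for > timedelta(days=STOPPED_DAYS):
            reasons.append(f"stopped for {stopped_for.days} days")
        unpatched_for = now - parse_ts(inst["last_patched"])
        if unpatched_for > timedelta(days=PATCH_DAYS):
            reasons.append(f"unpatched for {unpatched_for.days} days")
        if reasons:
            findings[inst["id"]] = reasons
    return findings


def instances_per_owner(inventory):
    """Count instances by Owner tag; untagged instances are grouped under '<untagged>'."""
    counts = {}
    for inst in inventory:
        owner = inst["tags"].get("Owner", "<untagged>")
        counts[owner] = counts.get(owner, 0) + 1
    return counts


if __name__ == "__main__":
    print("Instances per owner:", instances_per_owner(INVENTORY))
    for inst_id, reasons in sprawl_findings(INVENTORY).items():
        print(f"{inst_id}: {'; '.join(reasons)}")
```

On the constructed inventory the report flags i-0b2 (stopped since January and unpatched) and i-0c3 (no owner and unpatched), while the two payments instances pass. Scheduling this against the provider's real inventory API, with findings routed to the tagged owner, is the operational form of instance awareness.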

These provide secure connections to and between VPC resources without traversing the open internet.

VPC endpoints

This provides network-based access to a virtual desktop computing environment

Virtual desktop infrastructure (VDI)

Cloud providers offer these as the cloud equivalent of a VLAN.

Virtual private clouds (VPCs)

This is where host machines run on physical hardware and provide services to several virtualized guest machines, with the hypervisor tricking each guest into thinking it is running on dedicated hardware.

Virtualization
