W08: Cloud and Virtualization Security
Internet Protocol version 6 (IPv6)
The next generation of the IP protocol that addresses weaknesses of IPv4 and provides several significant improvements (stronger security).
Data Plane
The plane on a networking device such as a router or switch that carries user traffic. Also known as the forwarding plane.
Control Plane
The process of decision making, such as routing, blocking, and forwarding, that is performed by protocols.
Cloud management can be conducted by
local organization performing the work itself or by contracting with a third-party manage-ment service provider.
Virtualization is a means of
managing and presenting computer resources by function without regard to their physical layout or location.
security concerns for virtualized environments
"escape" from the contained environment and directly interact with the host operating system and easily and quickly be created and launched, leading to virtual machine sprawl, or the widespread proliferation of VMs without proper oversight or management, increasing security vulnerabilities.
How many electronic email systems that are in use today?
2 (IMAP (Internet Mail Access Protocol) & Lightweight Directory Access Protocol (LDAP) Simple Mail Transfer Protocol (SMTP) & Post Office Protocol (POP3) were earlier email systems.
FTP Secure (FTPS)
A TCP/IP protocol that uses Secure Sockets Layer or Transport Layer Security to encrypt commands sent over the control port (port 21) in an FTP session.
Fog
A decentralized computing infrastructure in which data, compute capabilities, storage, and applications are located between the data source and the cloud. i.e., Automated guided vehicles on an industrial shop floor
IMAP (Internet Mail Access Protocol)
A more recent and advanced electronic email system for incoming mail.
virtual machine escape protection
A security protection that prevents a virtual machine from directly interacting with the host operating system.
Elements that make up a cloud architecture
A thin client, transit gateway, serverless infrastructure
host virtualization
A type of virtualization in which an entire operating system environment is simulated (VM).
A transit gateway
Amazon Web Services (AWS) technology that allows organizations to connect all existing virtual private clouds (VPC), physical data centers, remote offices, and remote gateways into a single managed source. Considered a "hub-and-spoke" network topology that enables the user to monitor all activity.
Domain Name System Security Extensions (DNSSEC)
An extension to DNS that adds additional resource records and message header information, used to verify that DNS data has not been altered in transmission.
Edge
Computing that is performed at or very near to the source of data instead of relying on the cloud or on-prem for processing. i.e., IoT device
DNS attacks can be thwarted by using
Domain Name System Security Extensions (DNSSEC)
The VM monitor program is called a
Hypervisor
secure network protocols
Simple Network Management Protocol (SNMP), Domain Name System Security Extensions (DNSSEC), File Transfer Protocol (FTP), FTP Secure (FTPS), Secure FTP (SFTP)
Several services models in cloud computing
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), Anything as a Service (XaaS)
virtual machine sprawl
The widespread proliferation of VMs without proper oversight or management
A community cloud
a cloud that is open only to specific organizations that have common concerns.
A hybrid cloud
a combination of a public cloud and a private cloud; A hybrid cloud runs some services on a cloud provider and some services in-house.
Off-premises
a computing resource hosted and supported by a third party. i.e. Remote backup facility
Software-defined visibility (SDV)
a framework that allows users to create programs in which critical security functions that previously required manual intervention can now be automated.
cloud access security broker (CASB) acts as
a gatekeeper
File Transfer Protocol (FTP)
a simple network protocol that allows the transfer of files between two computers on the internet (uses unsecure TCP/IP protocol).
Alicja is working on a project to deploy automated guided vehicles on the industrial shop floor of the manufacturing plant in which she works. What location of computing would be best for this project? a. Fog b. Edge c. Off-premises d. Remote
a. Fog
Which cloud model requires the highest level of IT responsibilities? a. IaaS b. SaaS c. PaaS d. Hybrid cloud
a. IaaS
Which of the following is true about secrets management? a. It provides a central repository. b. It can only be used on-prem for security but has a connection to the cloud. c. It requires AES-512. d. It cannot be audited for security purposes.
a. It provides a central repository.
The CEO is frustrated by the high costs associated with security at the organization and wants to look at a third party assuming part of their cybersecurity defenses. Nikola has been asked to look into acquiring requests for proposal (RFPs) from different third parties. What are these third-party organizations called? a. MSSPs b. MPSs c. MSecs d. MHerrs
a. MSSPs
Zuzana is creating a report for her supervisor about the cost savings associated with cloud computing. Which of the following would she NOT include on her report on the cost savings? a. Reduction in broadband costs b. Resiliency c. Scalability d. Pay-per-use
a. Reduction in broadband costs
Which of the following virtualizes parts of a physical network? a. SDN b. SDV c. SDX d. SDA
a. SDN (software-defined network)
Which type of hypervisor runs directly on the computer's hardware? a. Type I b. Type II c. Type III d. Type IV
a. Type I
Which of these is NOT created and managed by a microservices API? a. User experience (UX) b. Database c. Logs d. Authentication
a. User experience (UX)
Simple Network Management Proto-col (SNMP)
allows network administrators to remotely monitor, manage, and configure devices on the network.
Which of the following is NOT a feature of a next generation SWG? a. DLP b. Send alerts to virtual firewalls c. Analyze traffic encrypted by SSL d. Can be placed on endpoints, at the edge, or in the cloud
b. Send alerts to virtual firewalls
What does the term "serverless" mean in cloud computing? a. The cloud network configuration does not require any servers. b. Server resources of the cloud are inconspicuous to the end user. c. Servers are run as VMs. d. All appliances are virtual and do not interact with physical servers.
b. Server resources of the cloud are inconspicuous to the end user.
A weakness of LDAP is that it can
be subject to LDAP injection attacks.
Which of the following is NOT correct about containers? a. Containers start more quickly. b. Containers reduce the necessary hard drive storage space to function. c. Containers require a full OS whenever APIs cannot be used. d. Containers include components like binary files and libraries.
c. Containers require a full OS whenever APIs cannot be used.
Nadia has been asked to perform dynamic resource allocation on specific cloud computing resources. What action is Nadia taking? a. Creating security groups to segment computing resources into logical groupings that form network perimeters b. Decreasing the network bandwidth to the cloud c. Deprovisioning resources that are no longer necessary d. Expanding the visibility of intrusion prevention devices
c. Deprovisioning resources that are no longer necessary
A serverless infrastructure
capacity planning, installation, setup, and management are all invisible to the user because they are handled by the cloud provider.
Determining which security appliances to implement in a cloud computing infrastructure is more
challenging due to a lack of a cloud conceptual model.
Virtualization is used extensively in
cloud computing environments
A thin client
computer that runs from resources stored on a central cloud server instead of a localized hard drive.
On-premises
computing resources located on the campus of the organization. i.e., Desktop computer, local area network, data center
cloud security audit
conducted by as an independent examination of cloud service controls.
A reduced instance of virtualization
container
A private cloud
created and maintained on a private network.
Security controls are inherent to the cloud computing platforms and offered by the cloud computing providers to ___ and ___
customers (cloud native controls) and external sources (third-party solutions).
Which of the following is NOT a cloud computing security issue? a. System vulnerabilities b. Insecure APIs c. Compliance regulations d. Bandwidth utilization
d. Bandwidth utilization
Aleksandra, the company HR manager, is completing a requisition form for the IT staff to create a type of cloud that would only be accessible to other HR managers like Aleksandra who are employed at manufacturing plants. The form asks for the type of cloud that is needed. Which type of cloud would best fit Aleksandra's need? a. Public cloud b. Group cloud c. Hybrid cloud d. Community cloud
d. Community cloud
Which of the following will NOT protect containers? a. Using a hardened OS b. Using reduced-visibility images to limit the risk of a compromise c. Only using containers in a protected cloud environment d. Eliminating APIs
d. Eliminating APIs
Which of the following is NOT a characteristic of cloud computing? a. Metered services b. Immediate elasticity c. Universal client support d. Invisible resource pooling
d. Invisible resource pooling
Oliwia has been given a project to manage the development of a new company app. She wants to use a cloud model to facilitate the development and deployment. Which cloud model will she choose? a. SaaS b. XaaS c. IaaS d. PaaS
d. PaaS
Which of the following provides the highest level of security? a. FTP b. XFTP c. FTPS d. SFTP
d. SFTP (Simple File Transfer Protocol)
Which of the following is NOT correct about high availability across zones? a. In a cloud computing environment, reliability and resiliency are achieved through duplicating processes across one or more geographical areas. b. An Availability Zone (AZ) is one or more data centers within a Region, each with redundant power, networking, and connectivity. c. They are more highly available, fault tolerant, and scalable than would be possible with a single data center. d. They require that specific security appliances be located on-prem so that the local data center can be considered as a qualified Zone.
d. They require that specific security appliances be located on-prem so that the local data center can be considered as a qualified Zone.
Wiktoria is frustrated that her company is using so many different cloud services that span multiple cloud provider accounts and even different cloud providers. She wants to implement a technology to give full control and visibility over all the cloud resources, including network routing and security. What product does Wiktoria need? a. Thin virtual visibility appliance (TVVA) b. SWG c. CASB d. Transit gateway
d. Transit gateway
Anything as a Service (XaaS)
describes a broad category of subscription services related to cloud computing. XaaS is any IT function or digital component that can be transformed into a service for enterprise or user consumption. (Varies IT responsibilities)
Simple Mail Transfer Protocol (SMTP)
handles outgoing mail from one computer to another
cloud container
hold only the necessary OS components such as binary files and libraries that are needed for that specific application to run
Instances of virtualization are sometimes referred to as ___
infrastructure as code
Mitigating cloud computing has several potential security issues which ____
involves using security controls.
Software as a Service (SaaS)
is a cloud computing hosted software environment. (Low IT responsibility)
Lightweight Directory Access Protocol (LDAP)
is a directory service database stored on the network itself that contains information about users and network devices.
Private cloud
offers the highest level of security and control (because the company must purchase and main-tain all the software and hardware), it also reduces cost savings.
A software-defined network (SDN) virtualizes
parts of the physical network so that it can be more quickly and easily reconfigured by separating the control plane from the data plane.
Platform as a Service (PaaS)
provides a software platform on which the enterprise or users can build their own applications and then host them on the PaaS provider's infrastructure. PaaS can also provide "middleware" services such as database and component services for application use. (Medium IT responsibility)
Infrastructure as a Service (IaaS)
provides unlimited "raw" computing, storage, and network resources that the enterprise can use to build its own virtual infrastructure in the cloud. (High IT responsibilities)
high availability across zones
reliability and resiliency is achieved through duplicating processes across one or more geographical areas (regions and zones).
Cloud
remote facility for computing. i.e., Artificial intelligence processing engine
cloud access security broker (CASB)
set of software tools or services that resides between an enterprise's on-prem infrastructure and the cloud provider's infrastructure.
Cloud computing has three functional areas:
storage, network, and compute.
Secrets management enables
strong security and improved management of a microservices-based architecture.
After a cloud security audit
the auditor renders an objective assessment of the security.
Secrets management allows
the entire cloud infrastructure to remain flexible and scalable without sacrificing security.
A public cloud
the services and infrastructure are offered to all users with access provided remotely through the Internet.
Post Office Protocol (POP3)
used to retrieve incoming emails from a server, holds until download - then deletes from server
Secure FTP (SFTP)
uses only a single TCP port instead of two ports like FTPS and encrypts and compresses all data and commands.