12 - Security Solutions for Cloud and Automation
SAML transaction
1. The principal's User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). 2. If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The redirect (HTTP 302) takes the form of a URL, where dZBBa.. is the XML SAML request encoded as a string. 3. The IdP requests the principal's credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. This will be formatted as an HTML POST form and redirected to the SP's assertion consumer service (ACS) URL (https://sp.foo/saml/acs) 4. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.
Your company has experienced a severe security incident caused by an employee uploading a database to a cloud storage service. What type of security solution will help to mitigate against this type of risk in the future?
A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.
Snowflake Systems
A configuration or build that is different to any other. The lack of consistency—or drift—in the platform environment leads to security issues, such as patches that have not been installed, and stability issues, such as scripts that fail to run because of some small configuration difference.
Development and Operations (DevOps)
A cultural shift within an organization to encourage much more collaboration between developers and system administrators. By creating a highly orchestrated environment, IT personnel and developers can build, test, and release software faster and more reliably. Many consider this approach to administration as the only way organizations can take full advantage of the potential benefits offered by cloud service providers.
Microservices
A design paradigm applied to application development. Uses some of the same general principles as SOA—self-contained service modules, each performing a single function with clearly defined inputs and outputs—and applies them to the design of a network application, such as an order processing system, video streaming service, or email system. This development shares many similarities with Agile software project management. It also shares roots with the Unix philosophy that each program or tool should do one thing well.
How does DevSecOps support continuous integration and continuous delivery/deployment?
A development/operations (DevOps) culture makes provisioning the platform elements of an app a seamless process, by breaking down artificial barriers and silo-based thinking where they are separate teams with separate goals and responsibilities. Adding security (DevSecOps) to this culture encourages "shift left" thinking, where risk assessment, threat modeling, and secure maintenance and monitoring are an integral part of the continuous development life cycle.
Representational State Transfer (REST)
A distributed system framework that uses Web protocols and technologies. This architecture involves client and server interactions built around the transfer of resources. Where SOAP is a tightly specified protocol, this is a looser architectural framework. This allows the service provider more choice over implementation elements.
Data enrichment
A general term that refers to processes used to enhance, refine or otherwise improve raw data. Means that the machine analytics behind the view of a particular alert can deliver more correlating and contextual information with a higher degree of confidence, both from within the local networks data points, and from external threat intelligence. For example, data enrichment might show that a victim IP is that of a database server hosting medical records and that the attacking IP is associated with an ATP. An AI-based system will be better able to combine indicators from multiple threat feeds—such as combining feeds from an ISAC and from a commercial provider—to reduce false positive alerts and false negative omissions.
Serverless Architecture
A modern design pattern for service delivery. It is strongly associated with modern web applications—most notably Netflix (aws.amazon.com/solutions/case-studies/netflix-and-aws-lambda)—but providers are appearing with products to completely replace the concept of the corporate LAN. All the architecture is hosted within a cloud, but unlike "traditional" virtual private cloud (VPC) offerings, services such as authentication, web applications, and communications aren't developed and managed as applications running on servers located within the cloud. Instead, the applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. When the client requires some operation to be processed, the cloud spins up a container to run the code, performs the processing, and then destroys the container.
Deep learning
A powerful refinement of machine learning. ML algorithms often need human intervention to identify features, categories, exceptions, and errors. The shallow neural networks used by ML have an input layer, a hidden layer, and an output layer. With this, the neural networks have a hierarchy of multiple hidden layers, where complex classes of knowledge are defined in relation to simpler classes of knowledge in order to make more informed determinations about an environment.
Public Cloud
A service offered over the Internet by cloud service providers (CSPs) to cloud consumers. With this model, businesses can offer subscriptions or pay-as-you-go financing, while at the same time providing lower-tier services free of charge. CSP can also refer specifically to Microsoft's partner program for cloud solution providers. Are run from multiple physical servers, often located over multiple data centers to maximize performance and availability. Data centers are also likely to be in different countries, with data replicated between them as necessary. A consumer's infrastructure, application code, and data are hosted within private instances, but it is not usually possible to completely control the physical servers on which these instances are hosted. Also described as a multitenant solution because multiple consumers share the same resource pool. This means that there is a risk to the security and privacy of data from other tenants. In theory this risk should be mitigated by the CSP, but security lapses do happen.
GitHub (github.com)
A service that allows developers to share code and collaborate on apps. Both public and private code repositories are available. You can find many public automation and orchestration tools in GitHub, as well as tutorials, example scripts, and other information useful in designing and implementing scripted automation and orchestration.
Infrastructure as Code (IaC)
A type of IT abstraction where professionals provision and manage a technology stack with software, rather than setting up hardware systems. Can be used to provision cloud systems and to virtualize various kinds of software environments. Used to eliminate snowflake systems.
Security Assertions Markup Language (SAML)
An XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. This is often used in conjunction with SOAP. The standard is currently on version 2.0. A solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider IdP) so that the identity of a user (the principal) can be trusted by the SP without the user having to authenticate directly with the SP.
Prowler
An audit tool for use with AWS only. It can be used to evaluate cloud infrastructure against the CIS benchmarks for AWS, plus additional GDRP and HIPAA compliance checks.
Virtual Private Cloud (VPC)
An example of infrastructure as a service (IaaS). _________ lets you provision virtual servers and appliances within a virtual network hosted on a public cloud. As a cloud consumer, you are responsible for configuring the IP address space and routing within the cloud. Similarly, you handle all the administration and security aspects of running a network, including software installation and patching, account management, load balancing, disaster recovery, security monitoring, and backup. This is hosted on publicly available cloud services, but isolated from other customer's instances using technologies such as virtual LANs (VLANs).
Docker (docker.com)
An open platform for developing, shipping, running, and deploying applications quickly using container-based virtualization. Typically used by development teams for rapid build and deployment.
ScoutSuite
An open-source tool written in Python that can be used to audit instances and policies created on multicloud platforms, including Amazon Web Services, Microsoft Azure, and Google Cloud Platform. The tool collects data from the cloud using API calls. It compiles a report of all the objects discovered (VM instances, storage containers, IAM accounts, data, firewall ACLs, and so on). The ruleset can be configured to categorize each object with a severity level, should it violate some sort of policy, such as allowing unauthenticated access to an S3 bucket.
Workflow Orchestration
Automates a sequence of tasks and can automate entire process by deploying and configuring all necessary services. For example, you might orchestrate adding a new VM to a load-balanced cluster. This end-to-end process might include provisioning the VM, configuring it, adding the new VM to the load-balanced cluster, and reconfiguring the load-balancing weight distribution given the new cluster configuration. In doing this, the _________ steps would have to run numerous automated scripts. That is another way of looking at orchestration—as automating the automation—as part of a defined process with a defined workflow.
Chef (chef.io)
Automates configuration, deployment, and management of applications using cookbooks to determine how each node should be configured. Cookbooks consist of multiple recipes, which are configuration files for a particular service written using Ruby. Can manage anything that can run the client, including physical machines, virtual machines, containers, or cloud-based instances. A server provides a central repository for all configuration data, and communications between the server, clients, and notes is done through encrypted communication.
Application Programming Interface (API) for clouds
CSPs provide__________ to allow automated administration, management, and monitoring of their services. Cloud ____ provide for web-based client and server communication. These ____ commonly utilize the Representational State Transfer (REST) and Simple Object Access Protocol (SOAP) frameworks, as well as cross-platform and vendor-specific APIs.
Hybrid Clouds
Can be composed of public cloud, private cloud, and on-premises infrastructure. Interconnections within this hybrid infrastructure are made by software-coded orchestration tools. Since these clouds mix public cloud and private cloud, organizations managing hybrid clouds have some of the management concerns of both of those deployment models.
Scripting for clouds
Cloud automation is the completion of a cloud-related administrative task without human intervention. Depending on the CSP and the tools they provide, task automation steps may be configurable through a GUI control panel, via a command line, or via an API called by scripts. Tasks can be automated to provision resources, add accounts, assign permissions, and any number of cloud tasks.
What steps can be taken to mitigate against unprotected storage?
Cloud storage can use complex permissions from different sources for containers and objects. A cloud infrastructure assessment tool can be used to assess the effect of these settings.
Service-Oriented Architecture (SOA)
Conceives of atomic services closely mapped to business workflows. Each service takes defined inputs and produces defined outputs. The internal working of the service is a cloud or black box to a service consumer. The service may itself be composed of sub-services. The key features of a service function are that it is self-contained, does not rely on the state of other services, and exposes clear input/output (I/O) interfaces. Because each service has a simple interface, interoperability is made much easier than with a complex monolithic application. The implementation of a service does not constrain compatibility choices for client services, which can use a different platform or development language.
Unprotected Storage: Incorrect origin settings
Data in cloud storage can be used to serve static web content, such as HTML pages, images, and videos. In this scenario, the content is published from the container to a content delivery network (CDN). The CDN caches the content to edge locations throughout its network to provide faster access to clients located in different geographic locations. When a site is built this way, it must usually use objects from multiple domains, which is normally blocked by client web browsers. A cross origin resource sharing (CORS) policy instructs the browser to treat requests from nominated domains as safe. Weakly configured CORS policies expose the site to vulnerabilities such as XSS.
Pacu
Designed as an exploitation framework to test the security configuration of an AWS account. It includes modules to attempt exploits such as obtaining API keys or gaining control of a VM instance. If an attacker or pen tester has the credentials of one user within the cloud account, they can attempt to gather information about the other accounts and services that have been configured, and use the attack modules to widen and deepen access.
Open Authorization 2 (OAuth) Protocol
Designed to facilitate sharing of information (resources) within a user profile between sites. The user creates a password-protected account at an identity provider (IdP). The user can use that account to log on to an _______consumer site without giving the password to the consumer site. A user (resource owner) can grant a client an authorization to access some part of their account. A client in this context is an app or consumer site or perhaps a service-to-service interaction in a microservices architecture.
What are the main principles of effective API key management?
Do not embed keys in source code, use least privileges policies for each account/key, delete unused keys and regenerate live keys periodically, and only install keys to hardened developer workstations.
Best practices for API key management
Do not embed the key in source code. Keys in source code are vulnerable to discovery from compromise of developer workstations, access to code in public/ shared development repositories, and so on. Store the key on the client host and call it using an environment variable. Only allocate necessary authorizations and actions to a single key. Do not create one key with "full control" access to the application's functions. Delete keys if they become unused. Regenerate keys in use periodically. Notably, regenerate keys that have been used for development when the app moves into production. Apply the most restrictive hardening policies to client hosts and development workstations. These systems should run only whitelisted applications and access only whitelisted websites and communications channels.
Ansible (ansible.com)
Does not use agents. Instead the master connects to client machines over SSH. Configuration files (playbooks) use Yet Another Markup Language (YAML) (yaml.org).
Cloud Access Security Broker (CASB)
Enterprise management software designed to mediate access to cloud services by users across all types of devices. Some of the functions of a CASB are: Enable single sign-on authentication and enforce access controls and authorizations from the enterprise network to the cloud provider. Scan for malware and rogue or non-compliant device access. Monitor and audit user and resource activity. Mitigate data exfiltration by preventing access to unauthorized cloud services from managed devices.
OpenID Connect (OIDC)
Explicitly designed to authorize claims and not to authenticate users. The implementation details for fields and attributes within tokens are not defined. There is no mechanism to validate that a user who initiated an authorization request is still logged on and present. The access token once granted has no authenticating information. An authentication protocol that can be implemented as special types of OAuth flows with precisely defined token fields.
Development, Security, and Operations (DevSecOps)
Extends the boundary to security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment. This is also known as shift left, meaning that security considerations need to be made during requirements and planning phases, not grafted on at the end. The development team needs to apply principles such as least privilege and use techniques such as threat modeling at the start of a project and throughout its lifetime. The principle of DevSecOps recognizes this and shows that security expertise must be embedded into any development project.
Workload Orchestration
For management of apps and other cloud workloads and the components essential to those workloads.
Hybrid Cloud Concerns: Greater complexity
Hybrid clouds depend on scripted infrastructure and orchestration tools. These are specialist skill sets, which can make recruitment and retention of staff difficult. It exposes a new and potentially unfamiliar attack surface. The decentralized nature of a hybrid solution can make monitoring more difficult.
Insecure Application Programming Interface (API)
If the API isn't secure, attackers can easily take advantage of it to compromise the services and data stored on the cloud. An API must only be used over an encrypted channel (HTTPS). API calls over plain HTTP are not secure and could easily be impersonated or modified by a third party. Ideally, the API should respond to HTTP requests with an error (redirecting to HTTPS is not recommended). APIs should demonstrate good programming practice. Data submitted over the API must be subject to sever-side input validation routines. Error messages, especially those related to authentication and authorization, should not reveal clues to a potential adversary. For example, an authentication error should not reveal whether a valid username has been rejected because of an invalid password. The error should simply indicate an authentication failure. An API can be subjected to a DoS attack where it is bombarded with spurious calls. Protection against this attack can be provided through throttling/rate-limiting mechanisms.
Software Development: Test/integration
In this environment, code from multiple developers is merged to a single master copy and subjected to basic unit and functional tests (either automated or by human testers.) These tests aim to ensure that the code builds correctly and fulfills the functions required by the design.
What type of cloud model provisions unconfigured VM instances with support for the selection of multiple different operating systems?
Infrastructure as a service (IaaS). One key difference between IaaS and platform as a service (PaaS) is where responsibility for patch management and OS configuration lies. With IaaS, the CSP only manages the underlying hypervisor platform. Responsibility for managing each instance lies with the customer.
Hybrid Cloud Concerns: Security management
Managing organizations must ensure that authentication, authorization, and identity management work in both the private and public cloud. This can be done by replicating the security infrastructure in both environments or by using an identity management solution. Communication channels between the cloud components must be secured and monitored.
Infrastructure as a Service (IaaS)
Means of provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly. Rather than purchase these components and the Internet links they require, you rent them on an as-needed basis from the CSP's data center. Examples include: Amazon Elastic Compute Cloud Microsoft Azure Virtual Machines Google Cloud Platform (GCP) OpenStack This model means that you have to manage threats and vulnerabilities almost all the way up the stack. The CSP's responsibility is to ensure the confidentiality, integrity, and availability of the resource pool. This means patching hypervisors and preventing insider attacks. You have responsibility for the CIA triad attributes of all the instances you create, including patching and backup, as well as secure communications between components, and authentication and authorization of user accounts.
Why might you select a microservices architecture for a new software development rather than a monolithic tier-based application?
Microservices architecture calls for self-contained modules that can be developed and tested independently on one another. Depending on the nature of the project, that might reduce development times and provide better scope for reuse of modules in different contexts. Microservices are also more scablable than a monolithic app. Performance might only need to be increased in one or two modules, for instance. With a monolithic app, you would still need to provision extra resources for the whole app. With microservices, only the necessary modules can be provisioned with increased resource.
Your CEO is thinking of hiring a couple of programmers to support a switch to an infrastructure as code approach to IT provision. Is this simple approach likely to be successful?
No. While development expertise is essential, successfully deploying infrastructure as code (IaC) requires a comprehensive transition plan. Firstly, a DevSecOps culture has to be established, as IaC will affect all parts of IT service provision. Secondly, scripting, automation, and orchestration tools have to be selected and appropriately configured. Thirdly, IaC needs to replace entirely manual configuration and ad hoc deployments, or it will not really solve any of the problems with configuration drift that it is supposed to address.
JSON Web Tokens (JWTs)
Often used as the format for tokens. Comprises a header, payload, and signature. The header identifies the cryptographic hash algorithm and the token format. The signature is calculated from the header and payload plus a shared secret.
Private Clouds
Operated by a single company or other business entity. The hosting may be done internally, or it may be done offsite, and may be managed directly by the organization or via a service provider. The key distinction between public and ________ clouds is that a private cloud is a single tenant model. Organizations can exercise greater direct control over the privacy and security of their services. This type of delivery method is much more costly, as all the infrastructure and operational costs of running the cloud is incurred. Consequently, it is geared more toward banking and governmental services that require strict access control in their operations.
Hybrid Cloud Concerns: Absence of data redundancy
Organizations with both private cloud and hybrid cloud should have redundant data centers to protect against outages. In a hybrid environment, the public cloud portion of the solution should also be redundant. When planning redundancy, consider that VMs and other components are much more portable and easier to move than large data sets, which may take a long time to move because of their size.
Which cloud infrastructure assessment tool is best suited for use in penetration testing?
Pacu
A cloud script will use the following elements:
Parameters that the script takes as input data (arguments). Logic statements that can alter the flow of execution based on conditions. Validation and error handlers to check inputs and ensure robust execution. Unit tests to ensure that the script returns the expected outputs, given the expected inputs.
SOAP Web Exploit: External references
Poorly configured SOAP services can open the door to several external-based exploits. If the SOAP documentation allows XML input from a third party, that third party can take advantage of this and cause damage, such as using a DoS attack. Attackers can also corrupt the XML schema, which helps parses interpret XML requests if that schema is stored where it can be compromised. Incorrectly parsed XML can lead to a DoS condition or a loss of data integrity.
Kubernetes (kubernetes.io)
Provides a layer of abstraction for managing containers. Ensures that the containers that a script or tasks calls for are reliably provisioned. This saves developers the task of including container provisioning within their code.
Simple Object Access Protocol (SOAP)
Provides a structure for transmitting and receiving information used in web applications to a variety of device types using an application programming interface (API). A heavily specified protocol, with many implementation requirements. It uses XML-format messaging. These requirements add overhead and processing complexity to _________ messaging, however, the protocol is robust and has a number of extensions in the form of Web Services (WS) standards that support common features, such as authentication, transport security, and asynchronous messaging. Has a built-in error handling.
Platform as a Service (PaaS)
Provides resources somewhere between SaaS and IaaS. A typical solution would supply servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top. This platform could be based on Oracle or MS SQL or PHP and MySQL. Examples include Oracle Database (docs.oracle.com/en/cloud/paas/database-dbaas-cloud/index.html), Microsoft Azure SQL Database (azure.microsoft.com/services/sql-database), and Google App Engine (cloud.google.com/appengine). As distinct from SaaS though, this platform would not be configured to actually do anything. Your own developers would have to create the software (the CRM or e-commerce application) that runs using the platform. The CSP is responsible for the integrity and availability of the platform components, but you are responsible for the security of the application you created on the platform.
Cloud Access Security Broker (CASB): Application programming interface (API)
Rather than placing a CASB appliance or host inline with cloud consumers and the cloud services, an API-based CASB uses brokers connections between the cloud service and the cloud consumer. For example, if a user account has been disabled or an authorization has been revoked on the local network, the CASB would communicate this to the cloud service and use its API to disable access there too. This depends on the API supporting the range of functions that the CASB and access and authorization policies demand. CASB solutions are quite likely to use both proxy and API modes for different security management purposes.
Function as a Service (FaaS)
Refers to cloud services that enable serverless app development and management. This basically means that ______ users are able to conduct their programming (and other tasks) without the hassle of managing their own server(s). Strings of code are triggered by events on the user end, and basically outsourced to remote servers that are able to execute the intended functions.
Puppet (puppet.com)
Requires installation of a master server and client agent in target nodes, and includes an option for a standalone client. Caters more to traditional operations teams and doesn't require as much Ruby programming experience. Configuration definitions are referred to as manifests.
SOAP Web Exploit: Coercive Parsing
SOAP parses XML-based requests. An attacker can modify those requests so that the SOAP web service parses them in a harmful way. For example, a hacker can craft a payload that requests the same thing over and over, send a single payload over and over, or craft a payload that is excessively large to trigger a DoS condition and bring down the web service. Intrusion countermeasures may be unable to pick up on packets crafted maliciously, as the source of the packet and its XML formatting are likely to be valid.
SOAP Web Exploit: SQL injection
SQL statements that access, modify, or delete records in an SQL database should not be transmitted over SOAP. This could allow an attacker to compromise the confidentiality, integrity, and availability of database records.
Cloud versus On-Premises
Security solutions such as SIEM, EDR/EPP, and DLP were historically deployed in a traditional client/server network. An agent or log forwarder runs on endpoint devices and transmits data to a management server and database located on the same network. This can be referred to as an on-premises deployment of security solutions. Most vendors of security solutions have developed cloud-based versions of their software. In this scenario, data may still be collected from local endpoints, but the management server and database are located in the cloud, hosted on the service provider's platform. This might be more cost-effective, as provisioning dedicated local processing and storage resources can be expensive. There is also an added security element, as it will be harder for an adversary who has obtained network access to snoop on security assets. Finally, the solution will be better able to support automated analysis of the data using artificial intelligence (AI) and machine learning techniques. Additionally, many corporate apps are now hosted in the cloud rather than on-premises servers, so data collection is already occurring "outside" of the corporate network.
Continuous Delivery
Testing all of the infrastructure that supports the app, including networking, database functionality, client software, and so on.
Logging and Monitoring
The API should provide sufficient logging and monitoring. Monitoring should provide alerts when an API is being bombarded with requests in a potential DoS attack, or being subject to multiple authentication or other errors, indicating a potential brute force or fuzzing attack.
Where does SAML fit into SOA?
The Security Assertions Markup Language (SAML) is often used for exchange of authentication, authorization, and accounting information in a Simple Object Access Protocol (SOAP)-based service-oriented architecture (SOA). SAML assertions are written in XML and exchanged using HTTPS.
Software Development: Production
The application is released to end users.
How would you use an API and scripting to automate deployment of local agents with a cloud-based security platform?
The application programming interface (API) provides the means of communicating with the platform. For example, the API might allow an agent to be registered with the platform and be authorized to submit reports and receive updates. Scripting allows you to automate use of the API. For example, you might write a Python or PowerShell script to run on local hosts to install the agent and register with the cloud platform, rather than configuring each host manually.
Software Development: Development
The code will be hosted on a secure server. Each developer will check out a portion of code for editing on his or her local machine. The local machine will normally be configured with a sandbox for local testing. This ensures that whatever other processes are being run locally do not interfere with or compromise the application being developed.
Continuous integration (CI)
The principle that developers should commit and test updates often—every day or sometimes even more frequently. This is designed to reduce the chances of two developers spending time on code changes that are later found to conflict with one another. Aims to detect and resolve these conflicts early, as it is easier to diagnose one or two conflicts or build errors than it is to diagnose the causes of tens of them. To be effective, it is important to use an automated test suite to validate each build quickly.
Artificial intelligence (AI)
The science of creating machine systems that can simulate or demonstrate a similar general intelligence capability to humans. Early types use if-then rules to draw inferences from a limited data set, called a knowledge base. This type of AI can derive results very quickly, but is limited to the domain covered by the knowledge base. It does not have any generalized reasoning ability. The rules by which the expert system processes information remain static.
Continuous Deployment
The separate process of actually making changes to the production environment to support the new app version.
SOAP Web Exploit: Probing
This attack is typically a preliminary step to test web services. The attacker relies on brute force to try to find what sort of requests web services are vulnerable to. For example, the open nature of web services documentation may allow an attacker to view all of a web service's functions. Attackers can use this information to craft every variety of operation and request message that applies to the service until it reveals a breach. The attacker can also inject special characters into a request parameter to cause unintended behavior like a systems crash.
Software Development: Staging
This is a mirror of the production environment but may use test or sample data and will have additional access controls so that it is only accessible to test users. Testing at this stage will focus more on usability and performance.
Your company is moving from an on-premises network to hosting copies of its existing client desktops, servers, and business applications as virtual instances in a cloud-based network. What type of cloud model and security solution is being applied in this scenario.
This is a public deployment model, infrastructure as a service (IaaS) service model, and makes use of a virtual private cloud (VPC).
Cloud Access Security Broker (CASB): Forward proxy
This is a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy. This requires configuration of users' devices. In this mode, the proxy can inspect all traffic in real-time, even if that traffic is not bound for sanctioned cloud applications. The problem with this mode is that users may be able to evade the proxy and connect directly. Proxies are also associated with poor performance as without a load balancing solution, they become a bottleneck and potentially a single point of failure.
You are promoting a learning management system (LMS) app in which administrators can configure courses and classes via a cloud app but keep student's registration details in local storage. What type of cloud model is this?
This is a software as a service (SaaS) model and a hybrid deployment model.
Cloud Access Security Broker (CASB): Reverse proxy
This is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy. This does not require configuration of the users' devices. This approach is only possible if the cloud application has proxy support.
Service Orchestration
To deploy services in cloud environments.
Improper Key Management
To invoke an API, the client host must submit a credential. To access confidential data, this process should ideally use a secure authentication and authorization method, such as SAML or OAuth/OIDC. Many APIs use statically generated keys, however. The developer creates a key in the cloud portal and copies it to the client host. The code invokes the key when it makes a call to the cloud app's API. The key is protected by the SSL/TLS encryption established between the client and cloud server, but an adversary gaining an API key would be able to perform any action authorized to that key
Resource Orchestration
To provision and allocate resources to cloud environments or solutions.
Examples how cloud APIs might be used:
To provision resources used in a cloud solution including compute, storage, and networking services. To provide third-party or integrated connectivity for data exchange or interaction with a SaaS software suite. To configure CSP-specific application platform services such as message queuing or other back-end architecture services required for building highly scalable, feature-rich applications.
Machine learning (ML)
Uses algorithms to parse input data and then develop strategies for using that data, such as identifying an object as a type, working out the best next move in a game, and so on. Unlike an expert system, machine learning can use data inputs to modify the algorithms it uses to parse data and develop strategies. It can make gradual improvements in the decision-making processes.
Software as a Service (SaaS)
Uses virtual infrastructure to provision on-demand applications. The CSP handles the security of the platform and infrastructure. The consumer is responsible for application security, including account provisioning and authorizations. The CSP might offer backup tools but leave it to the customer to schedule and test backup jobs. If an attacker uses phishing to steal account credentials or installs malware on a client computer and compromises the session established with the app, it is your security procedures that are at fault. If an attacker exploits an unsecure form to perform XSS or SQL injection, the CSP's security procedures are at fault.
Community Clouds
When multiple organizations share ownership of a cloud service. This is usually done to pool resources for a common concern, like standardization and security policies. Most secure when the organizations involved have strong interoperability agreements in place. This model can have the added disadvantage that responsibility for security design and operation may be blurred between the cooperating organizations. There should be a security plan with clear lines of responsibility between the cooperating organizations, with regular oversight to ensure that security standards are not allowed to lapse.
Unprotected Storage: Incorrect permissions
When storage containers are created, they may default to public read/write permissions. If such default permissions are left configured, not only can any data uploaded to the container be freely accessed, the container can be misused as a repository for malware.
Multicloud
Where an organization uses services from multiple CSPs. An example of a this architecture might be an organization that uses Microsoft's Office 365 productivity suite, Slack messaging for internal communications, Dropbox to share files, and Google Cloud to create and deploy software applications. Using multiple CSPs requires more due diligence and risk assessment effort. You also need to ensure that integration and communication components work securely.
SOAP Web Exploit: Malware
XML messages can surreptitiously include malicious software like viruses and Trojan horses. Typical malware carriers like executables and compressed files can compromise web services and proliferate through their supporting systems, and even word processing documents or spreadsheets can include macros or other content that can cause a whole host of problems.
Hybrid Cloud Concerns: Demonstrating compliance
_________ in a hybrid cloud environment can be more difficult than other cloud deployment models as the managing organization must ensure the public and private portions of the solution are in compliance. It must demonstrate that the means of coordination between the two clouds is compliant. For example, if an organization works with payment card data under PCI DSS regulations in a hybrid environment, it has to prove both the public and private systems meet PCI DSS regulations, and that the data moving between the two sets of systems is compliant with PCI DSS requirements.
Security Orchestration, Automation, and Response (SOAR)
an IT stack helping companies and organizations to deal with security threats. In a collection of physical and digital security tools, provides an architecture for optimal security response. For example, a ________ resource set could include new kinds of software packages that run on top of firewalls or perimeter security hardware, arranging new and more sophisticated processes beyond simple perimeter security.