Security+ Chapter 4: Exploring Virtualization and Cloud Concepts


Security Groups

A compute ____________ profile is allocated by using a security group template that also states the cloud account, the location of the resource, and the security rules.

Interconnection OSI Layers

A network firewall works at Layer 3 (and Layer 4) of the OSI model, controlling traffic by IP address and port, but most cloud firewalls are Web Application Firewalls working at Layer 7, inspecting the HTTP requests themselves. (Important Firewall Consideration)

Hypervisor

A(n) __________ is software that runs on a physical host and lets that host run virtual machines.

Private Cloud

A(n) __________ is where a company purchases all of its hardware. This gives them more control than other cloud models. They normally host their own cloud because they do not want to share resources with anyone else, but at the same time, their workforce has all of the mobile benefits of the cloud.

Next Generation Secure Web Gateway (SWG)

A(n) ___________ acts as a forward proxy for users' outbound web traffic, a content filter, and an inline NIPS. An example is Netskope, which combines web security with data and threat protection.

Containers

A(n) ____________ packages an application together with its files and libraries so that it is isolated and does not depend on anything else on the host. This lets software developers deploy applications consistently across different environments. _________ are used by Platform as a Service (PaaS) products.

Thin Client

A(n) ____________ is a client with limited local resources, insufficient to run applications itself. It connects to a server, which runs the application using the server's resources.

Virtual Private Cloud (VPC)

A(n) ____________ is a logically isolated virtual network carved out of a public cloud's shared resources, where one company's VMs are isolated from another company's. This is part of IaaS. Separate _________ are kept apart from each other using public and private subnets or other segmentation.

Managed Security Service Provider (MSSP)

A(n) ____________ will maintain the security environment for companies that will include enterprise firewalls, intrusion prevention and detection systems, and SIEM systems. They have a very highly skilled workforce who will take this headache away from a company.

Edge Computing

Data is processed and stored close to the sensors that generate it rather than thousands of miles away on a server in a data center.

Virtual Switch

Although a(n) ___________ can act like a physical switch connecting all of the virtual machines, it can also create three different types of network: external, internal, and private. Each external network needs its own physical network card on the host, so if you have two external networks the host needs a minimum of two physical network cards.

Cost

An example of cost as a consideration is Cloudflare, which has a free tier with limited features. At the time of publishing, the Pro plan is $20 per month, the Business plan is $200, and the Enterprise plan is Price on Application (POA). (Important Firewall Consideration)

Containers (VM Component)

An isolated guest environment that shares the host's kernel is known as a __________. The most widely used _________ platform is Docker. It is vendor neutral and lets you run applications with autonomy.

Location-Independent

Because you access the cloud through a browser, it is _________________; this also gives faster recovery if your premises suffer a disaster.

Hybrid Cloud

Companies that decide not to host their systems in the cloud are known as on-premises, but during peak periods they may expand into the cloud; this is known as cloud bursting. A mixture of on-premises and cloud is known as a(n) ____________.

GEO Zone Redundant Storage (GZRS)

Data is replicated between three separate zones within your primary region, then one copy is replicated to a single location in a secondary region. (Replication Type)

Zone Redundant Storage (ZRS)

Data is replicated between three separate zones within your region. (Replication Type)

Fibre Channel

Fast but expensive, as it needs Fibre Channel switches, host bus adapters, and fibre cabling, all of which are costly. (Cloud Connection Type)

Virtualization

In a cloud environment the infrastructure is built on a virtual environment. Storage for these machines normally comes from a Storage Area Network (SAN). The benefit of using VMs in the cloud is that you can increase and decrease resources almost instantly.

Replication

In the cloud, multiple copies of your data are always held for redundancy in case of data loss. Unless geo-replication is configured, the replicas stay inside the region where the data was created, which is what data-residency rules depend on.

VM Escape Protection

One of the best ways to protect against VM escape is to keep the patches on the hypervisor and all VMs up to date. Keep guest privileges low. Servers hosting critical services should be spread across multiple hosts with redundancy, so that a single attacked host is not a single point of failure for all of the critical services.

Sprawl Avoidance

One of the best ways to protect against VM sprawl is to have robust policies for adding VMs to the network and to use either a NIDS or Nmap to detect new hosts.

Private Subnets

Our VPC contains three ___________. Each has its own CIDR range and cannot connect directly to the internet. Outbound traffic goes through the NAT gateway, which in turn uses the internet gateway. In each of these subnets the default route (0.0.0.0/0) points to the NAT gateway, not to the internet gateway; a default route straight to the internet gateway is what makes a subnet public.

API inspection and integration

Representational State Transfer (REST) is an architectural style for web service APIs in which clients and services exchange representations of resources over HTTP, so that components written in different languages can interoperate.

Public Subnets

Resources on the __________ can connect directly to the internet, so public-facing web servers are placed in this subnet. The ___________ hosts the NAT gateway that the private subnets use for outbound traffic, and its default route points to the internet gateway attached to the VPC.

iSCSI Connector

Runs Small Computer System Interface (SCSI) commands over Ethernet (TCP/IP) and can use ordinary Ethernet switches while still offering good speed, which makes it a much cheaper option. Servers that use SAN storage are diskless but use the SAN storage as if they had local disks installed, so they need very fast connections to avoid performance problems. (Cloud Connection Type)

No Disaster Recovery Site Required

The CSP contractually provides very high availability (for example, 99.999%) for its IT systems, so once your data is in the cloud there is no requirement for a ___________________ of your own; the CSP provides that as part of the contract.

No Maintenance Fees

The CSP provides ongoing maintenance, so once the cloud contract is signed there are no hidden maintenance costs.

Cloud Access Security Broker (CASB)

The ___________ sits between the on-premises users and the cloud services and enforces the company's policies there, since Group Policy does not extend into the cloud.

Host

The ___________ may hold 100 VMs, so the main resources a _______ needs are storage (normally from a SAN), memory, and processor cores.

Need for Segmentation

The cloud environment uses a Zero Trust model, where each individual must prove their identity (and typically their location and device) before gaining access to the cloud environment. The firewall controls access to each of the cloud regions and zones. (Important Firewall Consideration)

Elasticity

The cloud works as a pay-as-you-go model, where one day you can increase resources and the next day scale them down. You can add more processor power, faster disks, more memory, or dual network cards whenever you want.

Regional Storage of Data

The cloud is regulated, so data originating in a country must be stored within that region, because data-compliance laws vary from region to region.

Community Cloud

A community cloud is where companies from the same industry collectively pay for a bespoke application to be written, and the cloud provider hosts it for them.

Firewall Considerations in a Cloud Environment

The reason we need a good firewall is to block unwanted incoming traffic and put up a barrier protecting the internal cloud resources against attackers and malware. Cloud firewalls tend to be Web Application Firewalls.

Segmentation

Services permitted to access, or be accessed from, other zones are governed by a strict set of rules controlling that traffic. These rules are enforced on the IP address ranges of each subnet. Within a private subnet, VLANs can be used for departmental isolation.

Resource Policy

These are policies that state what access level or actions someone has to a particular resource. They are crucial for resource management and audit, and they should apply the principle of least privilege: grant only the actions and resources a role actually needs.
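The least-privilege point above is easy to state and easy to violate with a single "*". The following added example (not from the Security+ text) is a small linter for an IAM-style JSON resource policy: it walks every Allow statement and flags wildcard actions, service-wide wildcards such as iam:*, resources of "*", and NotAction/NotResource, which grant everything not listed. Both policy documents are constructed samples; the account ID, bucket and role names are placeholders.

```python
"""Least-privilege linter for an IAM-style resource policy document.

Added example, not code from the Security+ text. The two policies below
are constructed samples with placeholder ARNs.
"""
import json

# Constructed sample: an over-broad policy a linter should reject.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::reports/*"},
        {"Effect": "Allow", "Action": ["iam:*"],
         "Resource": "arn:aws:iam::123456789012:role/app"},
        # Deny statements only remove access, so they are never flagged.
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample: the same job scoped to what it actually needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return a list of (statement_index, problem) for Allow statements
    that are broader than least privilege permits."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((idx, "allows every action"))
            elif action.endswith(":*"):
                service = action[:-2]
                findings.append((idx, f"allows every action in service {service}"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((idx, "applies to every resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "uses NotAction/NotResource, which grants everything not listed"))
    return findings


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        problems = lint_policy(doc)
        print(f"{name}: {len(problems)} finding(s)")
        for idx, problem in problems:
            print(f"  statement {idx}: {problem}")
```

Run against the scoped policy the linter returns nothing; against the over-broad one it reports the wildcard action and resource on statement 0 and the service-wide iam:* on statement 2. In practice this check runs in CI against the policy files before they are applied, which is where least privilege is cheapest to enforce.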

NAT Gateway

This allows the private subnets to reach other cloud services and the internet for outbound connections while hiding the internal addresses from internet users; no inbound connection can be initiated through it. Network Access Control Lists (NACLs) applied to the private subnets control which traffic may enter or leave them.
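The private-subnet, public-subnet and NAT gateway cards above describe a layout that is easy to get wrong in one line of routing. The following added example (not from the Security+ text) audits a simplified, constructed VPC model in the way a cloud-posture check would: every private subnet's default route must go to a NAT gateway rather than an internet gateway, every public subnet must have a route to an internet gateway, and no security group may expose a non-web port to the whole internet. The dictionary layout and the igw-/nat- naming are assumptions for the example, not a cloud provider's API.

```python
"""Audit a constructed VPC model for the subnet and NAT gateway rules
described above. Added example, not code from the Security+ text.
The model and its igw-/nat- identifiers are assumptions for illustration."""

# Constructed sample VPC: two correct subnets and one that is "private"
# in name only because its default route goes straight to the IGW.
VPC = {
    "subnets": [
        {"name": "public-a", "cidr": "10.0.0.0/24", "public": True, "route_table": "rt-public"},
        {"name": "private-a", "cidr": "10.0.1.0/24", "public": False, "route_table": "rt-private"},
        {"name": "private-b", "cidr": "10.0.2.0/24", "public": False, "route_table": "rt-bad"},
    ],
    "route_tables": {
        "rt-public": [{"dest": "10.0.0.0/16", "target": "local"},
                      {"dest": "0.0.0.0/0", "target": "igw-1"}],
        "rt-private": [{"dest": "10.0.0.0/16", "target": "local"},
                       {"dest": "0.0.0.0/0", "target": "nat-1"}],
        "rt-bad": [{"dest": "10.0.0.0/16", "target": "local"},
                   {"dest": "0.0.0.0/0", "target": "igw-1"}],
    },
    "security_groups": {
        "sg-web": [{"port": 443, "source": "0.0.0.0/0"},
                   {"port": 80, "source": "0.0.0.0/0"}],
        "sg-ssh": [{"port": 22, "source": "10.0.0.0/16"}],
        "sg-db": [{"port": 3306, "source": "0.0.0.0/0"}],
    },
}

WORLD = ("0.0.0.0/0", "::/0")


def default_route_target(vpc, subnet):
    """Return the target of the subnet's 0.0.0.0/0 route, or None if it has none."""
    routes = vpc["route_tables"].get(subnet["route_table"], [])
    return next((r["target"] for r in routes if r["dest"] == "0.0.0.0/0"), None)


def check_routes(vpc):
    """Public subnets need an IGW default route; private subnets must egress
    via a NAT gateway (or have no default route at all) and never via an IGW."""
    findings = []
    for subnet in vpc["subnets"]:
        name, target = subnet["name"], default_route_target(vpc, subnet)
        if subnet["public"]:
            if target is None or not target.startswith("igw-"):
                findings.append(f"{name}: public subnet has no default route to an internet gateway")
        elif target is not None and target.startswith("igw-"):
            findings.append(f"{name}: private subnet routes 0.0.0.0/0 to an internet gateway")
        elif target is not None and not target.startswith("nat-"):
            findings.append(f"{name}: private subnet default route {target} is not a NAT gateway")
    return findings


def check_security_groups(vpc, web_ports=(80, 443)):
    """Flag any inbound rule that opens a non-web port to the whole internet."""
    findings = []
    for sg_name, rules in vpc["security_groups"].items():
        for rule in rules:
            if rule["source"] in WORLD and rule["port"] not in web_ports:
                findings.append(f"{sg_name}: port {rule['port']} open to the world")
    return findings


def audit_vpc(vpc):
    """Combined report, routes first."""
    return check_routes(vpc) + check_security_groups(vpc)


if __name__ == "__main__":
    for finding in audit_vpc(VPC):
        print(finding)
```

On the sample the audit reports private-b, whose default route to igw-1 silently makes it a public subnet, and sg-db, which exposes MySQL to the internet. The NAT gateway itself never appears in a finding: it lives in the public subnet and only the private route tables point at it.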

Microservices/API

This allows you to define individual services that are connected through an application programming interface (API). They are loosely coupled and can be reused when building applications.

Anything as a Service (XaaS)

This describes a multitude of other cloud services that are available, such as Network as a Service (NaaS), providing network resources; Desktop as a Service (DaaS); Backup as a Service (BaaS); and many more. As new services appear, they will fall under the category of _______.

Software-Defined Visibility (SDV)

This gives you visibility of the network traffic use. It can collect and aggregate the data on the network traffic and provide good reports to the network administrators.

Transit Gateway

This is a network hub that acts as a regional virtual router to interconnect virtual private clouds (VPC) and VPN connections.

Secret Management

This is a secure application, often called a vault, where the keys, tokens, passwords, and SSH keys used by privileged accounts are stored. The vault is heavily encrypted to protect these items.

Type 1 Hypervisor

This is the enterprise type, installed directly on a computer without an operating system (bare metal). Examples are VMware ESXi, Microsoft Hyper-V, and Xen, which AWS has used.

Snapshot

This is like taking a picture with a camera: whatever the virtual machine's state is at that moment is what you capture. You might take a(n) _________ before a major upgrade of a VM so that, if anything goes wrong, you can roll the machine back to the original state. Rolling back to a previous state takes seconds.

Public Cloud

This is the most common model, where the CSP provides cloud services for multiple tenants. This is like being one of many people who rent an apartment in an apartment block.

Application Security

This uses products such as a cloud WAF and Runtime Application Self-Protection (RASP) to protect applications against zero-day attacks.

VM Sprawl

This is where an unmanaged VM has been placed on your network. Because the IT administrator doesn't know it is there, it will not be patched; over time it becomes vulnerable and could be used as the starting point for a VM escape attack.

Software as a Service (SaaS)

This is where the CSP hosts a software application that customers access through a web browser, with nothing to install locally.

Services Integration

This is where the provision of several business services is combined with different IT services, integrated to provide a single solution for the business.

System Sprawl

This is where the virtual host runs out of resources or is over-utilized, which could crash the host and take out the virtual network. One way to avoid it is thin provisioning: allocate only the minimum resources a VM needs and increase them gradually as required.

Infrastructure as Code

This is where you manage your infrastructure with configuration files rather than by hand. It is very common with cloud technologies, making it easier to set up systems and roll out patches. It ensures each system has the same setup, avoiding the human errors of manual configuration.

Serverless Architecture

This is where you use Backend as a Service: a third-party vendor hosts your application code and bills on a pay-as-you-go basis for the compute time you use. You lease compute and storage from them rather than managing servers yourself.

Type 2 Hypervisor

This needs an operating system, such as Windows Server 2016 or Windows 10, and the hypervisor is installed on top of it like an application. Examples of Type 2 hypervisors are Oracle VM VirtualBox and Microsoft Virtual PC.

Platform as a Service (PaaS)

This provides the environment for developers to create applications; an example is Microsoft Azure. The platform provides a set of services to support the development and operation of applications, rolling them out to iOS, Android, and Windows devices.

Dynamic Resource Allocation

This uses virtualization to scale cloud resources up and down as demand rises or falls.

Local Redundant Storage (LRS)

Three copies of your data are kept within a single physical location. Not good for high availability, since losing that location loses all three copies. (Replication Type)

GEO Redundant Storage (GRS)

Three copies of your data are replicated in a single physical location in the primary region using LRS, then one copy is replicated to a single location in a secondary region. (Replication Type)

VPN Connection

To create a secure connection to your VPC, you establish an IPsec (or L2TP/IPsec) VPN tunnel to the public interface of the VPC's VPN gateway. The NAT gateway is not the endpoint; it only translates outbound traffic and does not terminate tunnels.

Software-Defined Network (SDN)

Traditional networks route packets through hardware routers, each making its own forwarding decisions; today more and more networks, including cloud providers', are virtualized. A(n) ___________ separates the control plane from the data plane: a central controller decides how packets are forwarded and pushes those rules to the switches, which makes the network programmable rather than configured box by box.

Permissions (Storage)

Users have a storage identity and are placed into storage groups that carry different rights.

Cloud Native Controls versus Third-Party Solutions

Vendors such as Microsoft and Amazon Web Services (AWS) have their own tools, such as Azure Resource Manager (ARM) and AWS CloudFormation, which make managing their own cloud resources easy. Third-party tools add flexibility, particularly when managing more than one cloud. (Important Firewall Consideration)

Instance Awareness

We must monitor VM instances so that an attacker cannot place an unmanaged VM, which would lead to VM sprawl and ultimately VM escape. Use tools such as a Network Intrusion Detection System (NIDS) to detect new instances, and the IT team must maintain a list of managed VMs.
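The sprawl-avoidance and instance-awareness cards both come down to one comparison: what is live on the network versus what the IT team knows it manages. The following added example (not from the Security+ text) parses Nmap's grepable output (the -oG format) for a ping sweep of a subnet and diffs the hosts that answered against a managed-VM inventory. The scan output and the inventory are constructed samples; the addresses and hostnames are placeholders.

```python
"""Flag live hosts that are missing from the managed-VM inventory.

Added example, not code from the Security+ text. The Nmap output and the
inventory below are constructed samples with placeholder names.
"""
import ipaddress
import re

# Constructed sample of `nmap -sn -oG - 10.0.1.0/24` output. Nmap writes one
# "Host:" line per address; the hostname sits in parentheses (empty if none).
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -sn -oG - 10.0.1.0/24
Host: 10.0.1.1 (gateway.corp.example)\tStatus: Up
Host: 10.0.1.10 (web01.corp.example)\tStatus: Up
Host: 10.0.1.11 (web02.corp.example)\tStatus: Up
Host: 10.0.1.57 ()\tStatus: Up
Host: 10.0.1.200 ()\tStatus: Down
# Nmap done at Mon Jan  1 09:00:03 2024 -- 256 IP addresses (4 hosts up) scanned in 3.12 seconds
"""

# Constructed inventory: the VMs the IT team believes it is running.
MANAGED_VMS = {
    "10.0.1.1": "gateway",
    "10.0.1.10": "web01",
    "10.0.1.11": "web02",
}

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def parse_live_hosts(grepable):
    """Return {ip: hostname-or-None} for every host Nmap reported as Up.
    Comment lines and Down hosts are skipped; the IP is validated so a
    malformed line cannot smuggle junk into the inventory comparison."""
    hosts = {}
    for line in grepable.splitlines():
        match = HOST_LINE.match(line)
        if not match or match.group(3) != "Up":
            continue
        ip = str(ipaddress.ip_address(match.group(1)))
        hosts[ip] = match.group(2) or None
    return hosts


def find_unmanaged(grepable, inventory):
    """Live hosts not present in the inventory, sorted by address."""
    live = parse_live_hosts(grepable)
    unknown = [(ip, name) for ip, name in live.items() if ip not in inventory]
    return sorted(unknown, key=lambda item: ipaddress.ip_address(item[0]))


def find_stale(grepable, inventory):
    """Inventory entries that did not answer: candidates for cleanup."""
    live = parse_live_hosts(grepable)
    return sorted(ip for ip in inventory if ip not in live)


if __name__ == "__main__":
    for ip, name in find_unmanaged(NMAP_GREPABLE, MANAGED_VMS):
        print(f"UNMANAGED {ip} {name or '(no reverse DNS)'}")
    for ip in find_stale(NMAP_GREPABLE, MANAGED_VMS):
        print(f"STALE {ip} in inventory but not answering")
```

On the sample, 10.0.1.57 answers the sweep but is in nobody's inventory and has no reverse DNS, which is exactly the profile of a sprawl VM. A scheduled sweep is a point-in-time view; pairing it with a NIDS alert on new MAC or IP addresses catches hosts that appear between scans.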

Distributive Allocation

When you use an IaaS model, you may install a virtual load balancer to provide __________________ of your server capacity. A load balancer spreads the load across multiple servers so that no single server is overburdened.

No Capital Expenditure (CAPEX)

When you move your infrastructure to the cloud, there is no capital expenditure. On premises, IT hardware normally has a lifespan of 3-5 years; as technology moves on and hardware becomes obsolete, a company may have to find $75,000-300,000 every five years just for hardware.

Infrastructure as a Service (IaaS)

When you purchase physical devices they arrive with factory settings that need configuring, and bare-bones desktops have no operating system installed. IaaS is the same: you receive the virtual infrastructure and must configure it, install the operating system, and maintain patch management yourself.

Guest

Windows 10 is an example of a _________ machine, and it needs the same amount of resources as a physical Windows 10 machine. The benefit of a ________ machine is that in a disaster recovery situation it can be replaced within a couple of minutes.

Encryption (Storage)

With cloud storage you may need more than one type of encryption. Use symmetric encryption (such as AES) for data at rest, because it is fast enough for large volumes of data. You also need encryption for data in transit, such as TLS (SSL is its deprecated predecessor).

Cloud Service Provider (CSP)

________ are entities that provide or resell cloud services to customers: infrastructure, software, VMs, and other services a customer needs. Managed Cloud Service Providers (MCSP) will also take over the day-to-day running of your cloud, as they have the expertise to do so.

VM Escape

_________ is where an attacker who has gained access to a VM breaks out of it to attack the hypervisor, the host machine that holds all of the VMs, or any of the other VMs.

Scalability

___________ is the ability of a company to grow while maintaining a resilient infrastructure. The cloud lets a company grow without the worry of capital expenditure, and faster than an on-premises company that must invest in bricks and mortar.

Sandboxing

___________ is where an application is run in its own isolated VM for patching and testing, or because it is a dangerous application that you don't want roaming across your network. In a Linux environment a lightweight form of this is the chroot jail.

Integration and Auditing

____________ is the process of how data is handled from input to output. A cloud auditor is responsible for ensuring that the policies and controls the cloud provider has put in place are actually applied, testing that these controls and the system integration work as expected.

Cloud Storage

______________ uses a SAN for the virtual components of a cloud network. A SAN is dedicated storage hardware holding a large number of fast disks, such as Solid-State Drives (SSDs), isolated from the LAN on its own storage network. The disks are set up with some form of redundancy, such as RAID 5, so that the storage survives a disk failure.

Fog Computing

_______________ complements cloud computing by processing data from IoT devices. It lets you analyze the data before committing it to the cloud, in a tier located between the device and the cloud. It brings cloud computing nearer to the sensor and reduces the cost of moving data back and forth between the device and the cloud.

High Availability (Storage)

________________ ensures that copies of your data are held in different locations.

Security as a Service (SECaaS)

This provides security functions as a cloud service, for example Identity and Access Management (IAM), which gives people secure access to applications from anywhere at any time.
