Chapter 10: Cloud and Virtualization Security


Virtualized Servers

Allows organizations to provision servers with a specific number of CPU cores, amount of RAM, and storage capacity, and then interact with them in the same way they would a server running in their own datacenter

Type 1 Hypervisors

Also known as bare metal hypervisors. Operate directly on top of the underlying hardware.

Virtual Machine Escape

An exploit in which malicious code is run on the VM that allows the guest operating system to break out of its environment and interact directly with the hypervisor

Vertical Scaling

Increases the capacity of existing servers by adding more resources. In the physical world, this entails opening a server and adding physical hardware. In the cloud, you just click a few buttons and add memory or computing capacity.

Inline CASB

Reside physically or logically in the connection path between the user and the cloud service, in the form of a hardware appliance or an endpoint agent that reroutes requests through the CASB. Can block requests that violate policy before sending them to the CASB.

Type II Hypervisors

Run as an application on top of an existing operating system. The operating system supports the hypervisor, and the hypervisor requests resources for each guest operating system from the host operating system. Common for personal computers and technologists. Less efficient than a bare metal hypervisor.

Disadvantages of separating development and IT operations

1) Inhibits the operations team's understanding of business requirements
2) Leads to designs that are wasteful in terms of processor, memory, and network consumption
3) Requires a lengthy transition phase in handing off development to operations
4) Leads to many small enhancements and fixes getting lumped into a major release, which increases time to requirement satisfaction

Cloud Computing

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction

Cloud Security Alliance (CSA)

A nonprofit organization with a mission to promote best practices for using cloud computing securely

"Private Public" Cloud

A prime example is AWS Commercial Cloud Services (C2S), which is a cloud region that is operated by AWS but physically resides at the CIA and is completely air gapped from the internet. Other examples: AWS Secret Region (for broader government use), Microsoft Azure Government Secret.

Data Sovereignty

A principle that states that data is equally subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed. Therefore, a customer may wind up subject to the legal requirements of a jurisdiction where they have no involvement because of where the datacenters are located. Security professionals should understand how data is stored, processed, and transmitted in the cloud. They may choose to encrypt data using keys that remain outside the provider's control.

Cloud Controls Matrix (CCM)

A reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory standards

Agility and Flexibility

Ability to quickly provision cloud resources and use them for a short period of time

Horizontal scaling

Adding more servers, can be done with a few clicks with cloud computing

Block Storage

Allocates large volumes of storage for use by virtual server instance(s). These volumes are then formatted as virtual disks by the operating system on those server instances and used as they would a physical drive. The customer pays for the amount of storage they are allocated, regardless of how much they use. Much more expensive than object storage. AWS offers block storage through their Elastic Block Store (EBS) service.

Cloud transit gateways

Allow direct interconnection of cloud VPCs with on-premises VLANs for hybrid cloud operations

VPC Endpoints

Allow the connection of VPCs to each other using the cloud provider's secure network backbone

Object Storage

Allows customers to place files in buckets and access them as independent entities through the provider's API. Hides the storage details from the end user, and the customer only pays for the amount of storage that they use. AWS Simple Storage Service (S3) is an example.

Segmentation

Allows network engineers to place systems of differing security levels and functions on different network subnets. On a physical network, virtual LANs (VLANs) are used. In a cloud network, virtual private clouds (VPCs) are used. With VPCs, subnets can be designated as public or private, depending on whether internet access is needed.

Software Defined Visibility (SDV)

Visualization combined with the capability to dynamically respond to events across software-defined networks

API Inspection

Cloud applications rely heavily upon the use of APIs to provide service integration and interoperability. Therefore, API inspection technology should be used, because it scrutinizes API requests for security issues

Virtualization

Cloud computing providers use virtualization to allow multiple guest systems to share the same underlying hardware. A special operating system called a hypervisor mediates access to the underlying resources. Virtual machines may not be aware that they are running in a virtualized environment because the hypervisor tricks them into thinking they have normal access to the computer's underlying hardware. Hypervisors enforce isolation between virtual machines.

Hybrid Cloud

Cloud deployments that blend public, private, and/or community cloud services together, and require the use of technology that unifies the different cloud offerings into one single coherent platform

Shared Responsibility in an IaaS environment

Customer responsible for everything that isn't infrastructure (i.e. the operating system, applications, and the data that they run in the IaaS)

Platform as a Service (PaaS)

Cloud provider offers an environment where clients can build and run applications and have access to code libraries, services, and tools that facilitate code execution

On-demand self-service computing

Cloud resources are available when and where you need them. This provides developers and technologists with incredible agility, reducing cycle times and increasing the speed of deployment

Cloud Roles

Cloud service providers
Cloud customers
Cloud partners - Organizations that offer ancillary products or services that support or integrate with the offerings of a cloud service provider (i.e. training, development and integration services)
Cloud auditors - Independent organizations that provide third party assessments of cloud services and operations
Cloud carriers - Serve as intermediaries that provide the connectivity that allows the delivery of cloud services from providers to customers
The same organization may take on multiple roles.

Security Groups

Cloud service providers do not provide customers with direct access to firewalls because doing so would violate the isolation principle. Instead, cloud providers offer the use of security groups that define permissible network traffic. They are often considered a feature of a provider's virtual servers and do not incur additional costs.

Cloud Security Controls

Cloud-native controls offered by the service provider - offer direct integration with the provider and are more cost effective
Third party solutions - more costly, but can be integrated with a variety of cloud providers
A customer may combine the two.

DevOps

Combines development and IT operations into an agile process. Software testing and release become highly automated. Reduces the lengthy release process and allows for many frequent releases.

AWS Outposts

Customers receive a rack of equipment that they install in their own datacenters. The equipment is maintained by AWS but provisioned by the customer. An example of hybrid cloud, because customers can manage both their on-premises AWS Outposts and public cloud AWS services through the same platform.

Edge Computing

In areas where internet access isn't strong, edge computing places some processing power on the remote sensors, allowing them to preprocess data before shipping it back to the cloud. Computing is being done by sensors that are on the "edge" of the network.

Infrastructure as a Service (IaaS)

Delivers hardware networking capabilities, including the use of servers, networking, computing and storage, over the cloud using a pay-per-use revenue model. Major providers: AWS, Microsoft Azure, Google Cloud Platform (GCP).

Private Cloud

Describes any cloud infrastructure that is provisioned for use by a single customer. May be built and managed by the organization that will be using the infrastructure, or it may be built and managed by a third party. Due to only being used by one customer, private clouds have unused capacity and aren't as cost efficient.

Anything as a Service (XaaS)

Describes the wide variety of services that are available in the cloud, where 'X' indicates the nature of the specific service

API-based CASB

Interact directly with the cloud provider through the provider's API, rather than interacting directly with the user. Provides direct access to cloud services and does not require end user configuration. Does not block requests, but monitors and reports on activity.

Secure Web Gateways (SWG)

Monitor web requests made by internal users, evaluate them against the organization's security policy, and block them if needed. Serve to block malicious content and implement content filtering restrictions.

Oversubscription

Occurs when more users are connected to a system than can be fully supported at the same time. This is possible with cloud computing because not everyone will use all their resources at the same time

Resource policies

Offered by cloud providers to limit the actions that users of their accounts may take. May limit the damage caused by an accidental command, a compromised account, or a malicious insider

Infrastructure as Code (IaC)

One of the key enabling technologies behind DevOps. Automates provisioning, management, and deprovisioning of infrastructure. A key feature of all major IaaS environments, such as Microsoft Azure, AWS, and Google Cloud Platform. May either be a feature offered by a cloud service provider or a functionality enabled by a third-party cloud management platform. IaC depends on APIs, which allow developers to use the cloud provider APIs to programmatically provision, configure, modify, and deprovision cloud resources.

Managed Service Providers (MSPs)

Organizations that provide information technology as a service to their customers. MSPs may handle an organization's IT needs completely, or may offer specific services such as network design and implementation, application monitoring, or cloud cost management. They may also be a cloud provider. MSPs that offer security services are known as Managed Security Service Providers (MSSPs).

Software as a Service (SaaS)

Provides a fully managed application running in the cloud. The provider manages the physical datacenters and the performance management of the application itself. The customer just handles limited configuration, the data they wish to use, and access controls to the data. Examples: email, enterprise resource planning (ERP), and customer relationship management (CRM). Paid for via a subscription model.

Containers

Provide application-level virtualization that packages applications and allows them to be treated as units of virtualization that become portable across operating systems. Containerization platforms provide standardized interfaces to operating system resources which remain consistent regardless of the underlying operating system or hardware. Must enforce isolation.

Public Cloud

Public cloud service providers deploy infrastructure and then make it accessible to any customers who wish to take advantage of it in a multitenant model. Examples: AWS, Microsoft Azure, Google Cloud Platform.

Three Key Security Considerations for Cloud Storage

Set permissions properly
Consider high availability and durability options: Use the provider's replication capabilities or implement your own to accommodate availability and integrity requirements (in case the provider's hardware fails)
Use encryption to protect sensitive data: Either apply your own encryption to individual files stored in the cloud or use full disk encryption options offered by the provider

Community Cloud

Shares the same characteristics of both public and private models. They do run in a multitenant environment, but the tenants are limited to members of a specifically designed community with a shared mission. Example - HathiTrust digital library, which was formed by a consortium of academic research libraries to provide a collection of books.

Cloud Access Security Broker (CASB)

Software tools that serve as intermediaries between cloud service users and cloud service providers, allowing them to monitor user activity and enforce policy requirements

Hardware Security Modules (HSM)

Special purpose computing devices that manage encryption keys and perform cryptographic operations in a highly efficient manner. Expensive to purchase and operate, but provide a high level of security when configured properly. They can create and manage encryption keys without human intervention. May be used internally by the cloud provider or offered as a service for their customers (which doesn't expose the keys to the provider).

Shared Responsibility in a SaaS environment

The cloud provider takes on almost all security responsibility. The customer has responsibility over the data they put into the application and the configuration of access controls.

Elasticity

The concept that capacity should expand and contract as needs change to optimize costs. Scalability, by contrast, is focused on rapidly increasing capacity.

Multitenancy

The fact that many different users share resources in the same cloud infrastructure. All customers operate without any knowledge of or interaction with their fellow customers

Virtual Machine Sprawl

The widespread proliferation of virtual machines without proper oversight or management, leading them to accrue costs and security issues

Fog Computing

Uses IoT devices that are located close to sensors. The sensors don't have processing power, but they send data to their local gateway that performs preprocessing before sending the results to the cloud

Software Defined Networking (SDN)

Using a central control program separate from network devices to manage the flow of data on a network. Allows engineers to interact with and modify cloud resources through their APIs

Shared Responsibility in a PaaS environment

Vendor responsible for the OS. Customer responsible for the data being placed into the environment and configuring its security. Responsibility for the application layer is shared between the service provider and the customer.

Cloud Governance Efforts

Vetting vendors
Managing vendor relationships
Overseeing the organization's portfolio of cloud activities
Cloud computing contracts should include language guaranteeing the right of the customer to audit cloud service providers, thereby providing customers with assurance that the provider is operating in a secure manner and meeting contractual data protection obligations.

Cloud Bursting

When a company uses its own computing infrastructure for normal usage and accesses the cloud when it needs to scale for peak load requirements. Cloud bursting is a form of hybrid cloud.

Shared Responsibility Model

When cloud customers must divide responsibilities between one or more service providers and the customers' own cybersecurity teams

Function as a Service (FaaS)

When cloud providers execute code written by customers on a scheduled basis. Customers are not exposed to the actual server instances executing their code, so FaaS is often known as a serverless computing environment. Example: the AWS Lambda service.

Measured Service

When cloud providers measure how much you use and charge you based off of it. The amount you use includes amount of processing time, amount of storage, amount of log entries, etc.
