Cloud Computing Final Study Guide
Role Assignment - in Azure AD
defines the connection of a user to a role within that user's scope and must be completed for access to be granted to a user
Authorization
determines what you can do once you gain access to a system - Each cloud platform manages IAM permissions in different ways
Drawback to digital signature system
if someone discovers your private key, a digital signature could be forged, or if someone doesn't have a public or private key pair
What are digital certificates primarily used for:
used to certify and secure websites where financial and other sensitive information is exchanged
DAC (discretionary access control)
users decide for themselves who has access to their resources. Least secure of the methods.
Synchronized identity - Azure
with the synchronized authentication option, identities exist both on-prem and in the cloud, and password hashes are shared between the two locations
Once an account is created, it can be _____, ______, or ________
Modified, deactivated, or deleted
LDAP (Lightweight Directory Access Protocol)
a protocol that helps users find data about organizations, persons, and more.
Identity vault
a repository that stores all user's identities and their credentials for every time they have to access their accounts.
Authorization issues
caused by misconfigured permissions, groups, or roles
Service vs user accounts
Service accounts: accounts assigned to resources (such as a server instance) user accounts: assigned human users
Effective account management policies can help ensure that the following tasks occur reliably and consistently:
- Accounts are set up, or provisioned, in a timely manner for new users - Compromised accounts are locked out for protection - Privilege creep, the gradual increase of disorganized and unmonitored privileges, is limited - Unused accounts are closed to further activity, or deprovisioned
What is triple-A
- Authentication: gets you into a system - Authorization: lets you do things while you're there - Accounting: tracks what you're doing for later review
What does a RESTful system conform to:
- Client and server systems run independently of each other (can change/update one without affecting the other) - The server saves no client data (session info is stored only on the client system)
Password policies should meet certain requirements:
- Complexity: certain number of character types (upper, lower case, numbers, special characters) - Length: a long & simple password is better than a short & complex password - Expiration: changing passwords somewhat frequently to resist hacking - Lockout: 5 failed tries, you are OUT
What services does Azure AD offer for an on-prem network:
- Domain Services (AD DS): provides authentication and authorization support for users and devices on an organization's network - Certificate Services (AD CS): creates, distributes, and manages secure certificates - Lightweight Directory Services (AD LDS): Supports applications that rely on LDAP - Federation Services (AD FS): Supports SSO single sign on) - Rights Management Services (AD RMS): provides IRM (information rights management) protection of data by enforcing data access policies
What are the 5 "Something's" of MFA
- Something you know: a pin, password, or biographical data - Something you have: An ATM card, ID badge, key, or smartphone with authentication app - Something you are: your fingerprint, facial pattern, or iris pattern - Somewhere you are: your location in a specific geopolitical area, a company's building - Something you do: the specific way you type, speak, or walk
How can you create accounts in AWS
- Through the IAM dashboard - you set the username, password, permissions, or create other credentials like keys or a certificate
RBAC (Role Based Access Control)
- a network administrator receives from a user's supervisor a detailed description of the roles or jobs from the user performs for the organization - The admin is responsible for assigning exactly the privileges necessary for the user to perform these roles - Azure relies on RBAC (role-based access control) to manage users' access to resources
3 steps of a digital signature
1. Document is hashed using a hashing algorithm like SHA-3. 2. The hash is encrypted using your private key. The encrypted hash becomes the digital signature and is either stored with the document or transmitted with the document (or both) 3. Later, when someone needs to verify this is the document you signed, a new hash is created from the document. The original hash is decrypted with your public key and the two hashes are compared. If the two hashes agree, then your digital signature is valid.
LDAP two main goals:
1. To store data in the LDAP directory 2. Authenticate users to access the directory
Security precautions that might be taken for sensitive user accounts:
1. limited use: these accounts should only be used when higher privileges are necessary to accomplish a task. Employees should also have a lower-level account for normal activities 2. Limited location: only on-premise access so that no one can access the device remotely and make high-level changes from the outside-in. 3. Limited duration: privileged accounts should be carefully accounted for and disabled as soon as they're not needed, like when an employee is terminated or transferred. 4. Limited access: the passwords for these accounts should be extremely secure and hard to crack. Should be stored securely, and when possible, multi-factor authentication should be required. 5. Limited privacy: every user should be logged in and every user action should be taken note of by someone who isn't the owner of that account. Privileged accounts can be used for malicious activity.
Permission - in Azure AD
defines an action an identity is allowed to take
Incremental
Alexandra has scheduled a full backup of one of the servers she manages for the first day of every month. Every week after that, any data that has changed since the previous backup of any kind is backed up. Which of the following describes these weekly backups? a. Additive b. Differential c. Piecemeal d. Incremental
Privilege escalation attack
An unauthorized attempt to increase permission levels. - attackers can use existing privileges to perform this type of attack
False positive
At 9pm, Sandra receives a text message informing her that one of the servers she is in charge of has a problem when she is at home. It is a significant concern, according to the statement. Quickly grabbing her laptop, she goes into the VPN to check on the issue and begin troubleshooting, but discovers that everything seems to be working as it should. Which of the following statements best sums up the current circumstance? a. False negative b. True positive c. False positive d. True negative
Privilege escalation
Blake has been examining the logs on one of the servers that he is responsible for that is hosted on a CSP. He finds an instance where one of the employees has managed to give himself unauthorized administrative access on the server. Which of the following has occurred? a. Federation b. SSO c. Internal role change d. Privilege escalation
Vertical scaling
Bob pulls up the company's dashboard and sees that one of the VMs is running low on storage space. He logs into the cloud provider's portal and increases the size of the virtual disk so that it will not run out unexpectedly and start causing errors. Which of the following processes has Bob just performed? a. Horizontal scaling b. Linear scaling c. Vertical scaling d. Triangular scaling
The site's digital certificate has expired
Caroline is trying to access one of her company's custom cloud-based web applications. She sees a bright red screen advising that there is a security problem with the site and that she should not trust its contents. Which of the following most likely occurred that an administrator should probably check first? a. The site has been hacked b. A disgruntled employee has taken the site down c. The site's digital certificate has expired d. The certificate authority has revoked the certificate due to suspected fraud
Something you do
Fictional Corp. is trying out a new experimental technology that analyzes how users type as part of a multifactor authentication implementation. Which of the following categories of authentication factors would this fall into? a. Something you are b. Something you do c. Something you know d. Something you have
IAM
Fictional Corp. uses a cloud service provider that provides a framework of techniques and tools for managing the identities of people and applications that allow for access to cloud resources. Which of the following describes this framework? a. MAC b. IAM c. DM d. DRM
The account is now locked after three failed attempts, so the error message has most likely changed from a failed password to one reflecting a locked account
Emily is analyzing the logs for one of the servers in her organization. She sees three failed attempts to log in with an incorrect password. She then sees continued attempts to log in with a different error message. Which of the following could be the reason the error message changed? a. The server configuration has changed b. The account is now locked after three failed attempts, so the error message has most likely changed from a failed password to one reflecting a locked account c. The server was compromised after the third failed password attempt d. The server's time was changed so the authentication attempts failed because of a different reason
Which authentication technique bridges the gap across idPs and SPs? - Secrets management - Active directory - Federation - Password vault
Federation
Which of the following is the most difficult configuration for extending IAM across a hybrid cloud? - Synchronization - Federation - Pass-through (i.e. authentication occurs in the cloud) - Extension
Federation
SMS
Fictional Corp currently has an alert system set up to e-mail notifications to administrators. However, it has been pointed out that it may take a while for an administrator to see one of those emails, so they would like to have notifications sent to their mobile phones instead. Which of the following settings should they look for in the configuration of their alert system? a. SMS b. TMS c. STS d. TXS
CAS
Fictional Corp has an on premises data center where content is written once and then referred by its content rather than by its location on a disk. Which of the following types of storage are they most likely using? a. NAS b. SaaS c. DAS d. CAS
Identity
Fictional Corp has assigned each user within their Active Directory implementation a username. This username is a form of: a. Accounting b. Authorization c. Authentication d. Identity
CloudWatch
Fictional Corp has chosen to use AWS as its CSP. One of the key benefits that it liked about the platform was a service that allows technicians to monitor metrics across AWS services by collating data in one or more dashboards, tracking events, or generating alerts. Which of the following AWS services were they impressed by? a. CloudWatch b. Monitor c. Dashboard d. Stackdriver
Somewhere you are
Fred is trying to access the company's cloud-based CRM system while traveling abroad in Europe. He receives a message that access to this application is not allowed from the country he is currently in and lists the IP address detected by his connection. Which of the following factors of authentication is the CRM system using? a. Something you have b. Something you do c. Something you know d. Somewhere you are
What are the various status of certificates?
Good - a secret is good, or trusted, during the timeframe when it was approved Retired - once a certificate reaches its expiration date, it is retired and can no longer be used Revoked - if there is any indication the secret has been compromised or destroyed, the secret must be revoked
Using the IAM (identity & access mgmt)
How can you set up cloud user accounts?
Offline
Ivan is responsible for making tape backups of one of the on-premises servers in the data center and then taking the tapes to a lockbox at a local bank for safe keeping. Which of the following describes the type of backup that he is doing? a. Offline b. Remote c. Local d. Online
Cloning
Sid wants to create a new copy of a server so that he can test some patches to the server outside of the production environment. Which of the following describes the method described? a. Synchronous replication b. Asynchronous replication c. Cloning d. Storage mirroring
Add more VCPUs and memory to the virtual machine
Jack gets an alert that one of his web servers is receiving more requests than it can handle given its current resources. He has decided to implement vertical scaling to resolve the issue. Which of the following could he do to meet his objective? a. Add more virtual machines to the cluster b. Migrate the web server to the company's on-premise data center c. Add more VCPUs and memory to the virtual machine d. Migrate the web server to another CSP
Increased the number of servers available to the application
Jed has just spent some time analyzing some of the applications on the CSP that his company uses. He found that one of the applications was using a lot of resources between the servers that it was deployed on and implemented horizontal scaling to resolve the issue. Which of the following did Jed do? a. Increased the capacity of the existing servers b. Migrated the application to another CSP c. Migrated the application to an on-premise data center d. Increased the number of servers available to the application
Implementing RAID 1 exclusively to back-up the organization's data
Jennifer manages the IT department at a huge corporation. After a catastrophic resource failure 8 months ago, the IT department was tasked with developing a plan to avoid such an event from happening again. Jennifer's team decides to start this project with a brainstorming session where any idea can be suggested and the team will then discuss if the solution is logistically possible and will help avoid another catastrophic failure. Which suggestion is Jennifer's team most likely to throw out first because it will not address the issue? a. Integrating a hyper converged infrastructure (HCI) to manage their hybrid on-prem/cloud-based storage b. Applying a RAID 6 technique to back up the organization's data c. Transitioning to a cloud-based. Object storage system for archiving data d. Implementing RAID 1 exclusively to back-up the organization's data
Asynchronous replication
Joe has been asked about one of the storage systems his company maintains. This system writes the data to storage in one region and periodically copies the data to another region. What term can he use to describe this configuration? a. Synchronous replication b. Always On replication c. Duplicating replication d. Asynchronous replication
Synchronous replication
Juanita wants to create a data replication system where the data is constantly written to two locations at the same time. Which of the following describes this type of configuration? a. Asynchronous replication b. Always On replication c. Duplicating replication d. Synchronous replication
Which protocol defines how most authentication directories work? - LDAP - OCSP - HTTPS - MFA
LDAP
Mirroring
Martin wants to maintain an exact copy of the data from one of the data storage locations in a separate location for disaster recovery purposes. The copy of the data will not be actively used unless the systems have to failover to the copy. Which of the following describes the type of redundancy he is wanting to implement? a. Duplexing b. Tokenization c. Mirroring d. Snapshot
False negative
Niles is analyzing a server and finds a problem with one of the applications. He didn't receive any notifications and thinks that perhaps it got lost in his spam folder or something else happened. After scouring the logs, he doesn't see any notifications or alerts in the system at all. Which of the following describes this situation? a. False positive b. True negative c. False negative d. True positive
AWS users receive long-term permissions through an attached _____ - Service - Policy - Root - role
Policy
PKI
Sarah has deployed a private cloud infrastructure that requires users to insert a smart card into their computer or into their card reader in order to authenticate them to use the applications. The smart card is associated with a certificate for each user, which is verified against a certificate authority. Which of the following has she deployed? a. PKI b. PII c. PCI DSS d. PSK
What access control method does Azure use? - AD - RBAC - DAC - MAC
RBAC
If a certificate is included in a CRL, what is its status? - Retired - Revoked - Trusted - Renewed
Revoked
What resource defines a set of permissions in GCP? - Group - Policy - Service account - Role
Role
What kind of applications use SSO
SAML (Security Assertion Markup Language) or OpenID Connect
SLA
Sam is reviewing the agreements that Cheers, Inc. has with their chosen CSP. One of those agreements states that the RTO is two hours, and that the system will maintain a 99.9 percent uptime. Which of the following describes the guarantee that Sam is currently reviewing? a. SLA b. BCP c. HAP d. DRP
Complexity
Stan is walking past a row of cubicles when he notice's someone's password written down on a sticky note attached to a monitor. The password is passwordpassword3. Besides the obvious problem of the word password repeated followed by a single number, which of the following policies isn't in place that should be? a. Re-use b. Expiration c. Length d. Complexity
RBAC
Steven has been tasked with planning the move from an infrastructure where administrators and users add permissions to resources individually to one where users are assigned to groups based upon the department they work in and what they do in the department and then assigning the groups to the resources. Which of the following has he been tasked with planning? a. JAC b. DAC c. MAC d. RBAC
Event correlation
Syed is implementing an event monitoring system that will be able to look at all events and determine if there is a pattern established by the different events that occur. Which of the following would be a feature of this monitoring system? a. Event correlation b. Event triggering c. Event interaction d. Event patternization
Horizontal scaling
Teri logs into the cloud service provider's portal and reviews the reports that are available as part of her monthly analysis. She sees that one of the web applications currently using four web servers is experiencing an increase in traffic after a recent marketing campaign by the company, and she decides to add another two virtual machines to act as more web servers to help ease the load on the existing ones. Which of the following describes the procedure Teri performed? a. Horizontal scaling b. Linear scaling c. Triangular scaling d. Vertical scaling
Blast radius
The extent of system vulnerability to a destructive event such as a security breach or device failure.
Logical access control
The management of access to logical resources, such as a network or workstations - often refers more specifically to remote access compared to physical access control
Root account
This is the account created by default, should not be used for other tasks. - bad idea from a security perspective - root account should not be used again except when absolutely necessary.
Thick provisioning
Tracey has built a private cloud in her organization with restrictions in place to prevent provisioning more disk space than is physically available. Which of the following describes this principle? a. Thin provisioning b. Thick provisioning c. SOS provisioning d. JIT provisioning
NAS
Trent is designing the technology infrastructure to use at his company's small new office in the Caribbean. After researching the ISPs in the area, he sees that the amount of bandwidth available at that specific location is going to be rather limited. Which of the following may he want to install in order to provide local file storage for the office? a. NAS b. SAN c. SAD d. DAS
Policy - in AWS
a collection of permissions and is assigned to an identity - Different kinds of policies: - identity-based policy: grants permissions to identities - ACL (access control list): assigned to a resource to identify who from outside the account can access that resource
AD (Active Directory)
a collection of services on Windows Server that manages access to resources on a network
Group - in Azure AD
a collection of users
Identity
a digital identity that can be given access to resources through roles and permissions - both users and resources can have an identity - a user is given permissions based on what job responsibilities the user needs to fulfill
IAM (identity and access mgmt)
a framework of techniques and tools for managing the identities of people and applications that allow for access to cloud resources.
Permission - in AWS
a permission defines a specific action that an identity is allowed to take
Authentication
a process usually managed by a server that proves the identity of a client and determines whether that client is allowed to access a secured system answers the question: "Who are you?"
Role - in Azure AD
a role definition, or role for short, is a collection of permissions: - Owner: complete access to all resources and can give access to others - Administrator: full access to resources within that role - Contributor: can create and manage resources but can't give access to others - Reader: can view existing resources but can't make changes
Role - in AWS
a role is an identity that provides a way to assign policies to other resources for a short duration
Digital signature
a security procedure that uses public key cryptography and assigns a code to a document for which you alone have the key (used to authenticate electronic documents as yours)
Digital Certificate
a small file containing verified identification information and the public key of the entity whose identity is being authenticated - similar to your passport
PAM (privileged access management)
a subset of IAM that applies stricter rules and safety precautions specifically to users who are given elevated permissions to do their jobs
REST (Representational State Transfer)
an architecture standard that requires certain characteristics for HTTP or HTTPS communications
Service principal - in Azure AD
an identity for an application or service
Group - in AWS
an identity that represents a collection of users - a user can belong to multiple groups, but groups cannot contain other groups
User - in AWS
an identity that represents a person or an application that needs to interact with AWS resources. - a user has a name, an ARN (Amazon Resource Number), password, access keys (access key ID and a secret access key), or a server certificate
RESTful APIs
can be used to perform basic, standardized functions across the web to interact with an authentication directory. - this allows the organizations to set up relationships between various services or app and the authentication service, knowing the communication standards will allow these different systems to reliable understand each other
Authentication issues
caused by expired credentials, mistyped passwords, misconfigured certificates, or misconfigured trust relationships
Federated identity - Azure
federated authentication is the more complicated and expensive option, offering more complete SSO functionality and immediate synchronization between locations
Single Sign-On (SSO)
form of authentication in which a client signs in one time to access multiple systems or resources - SSO offers the simplicity of using a single source of truth so user data isn't duplicated through multiple systems
Secret management systems
handle the security and distribution of keys, passwords, authorization tokens, and other files (these are secrets) used to secure access to resources - AWS offers Secrets Manager
User - in Azure AD
identity associated with a person's profile
Principle of least privilege
means to limit access to the least privilege needed. Users are given enough access and privileges to do their jobs, and these privileges are terminated as soon as the person no longer needs them
Federation
process of managing user identities across organizations on the foundation of the trust relationship
Multifactor Authentication (MFA)
requires two or more pieces of information - called factors - from across two or more categories of authentication factors
MAC (mandatory access control)
resources are organized into hierarchical classifications, like "confidential", "top secret", etc. - User is only given access if its classification and category match those of a resource. Most restrictive method.
How do you revoke a certificate
the CA (certificate authority) that issued the certificate requires submission of a revocation request, and sometimes, supporting evidence is needed - Once revoked, the certificate is added to a CRL (certificate revocation list), which other entities can confirm whether a certificate has become invalidated.
Horizontal attack
the attacker uses typical user privileges to access information available to the compromised account. This attack type is typically used for reconnaissance
Azure AD (Active Directory)
the cloud-native cousin of Active Directory found in Windows Server for on-prem networks - Azure AD uses a flat-like structure, no container hierarchy like OUs (organizational units)
Root User - in AWS
the original identity from when you first create an AWS account - never use your root user for day-to-day activities - AWS recommends you use the root user only until you create the first IAM user, then store the root user in credentials in a secure location for emergency access only
Cloud Identity - Azure
the pass-through authentication option consists of all IAM services residing in the cloud and includes limited synchronization of passwords or other credentials
Scope - in Azure AD
the set of resources that a user might have access to
Public Key Infrastructure (PKI)
the use of certificate authorities to associate public keys with certain users