Lesson 6: Secure Cloud Network Architecture

Multi-cloud

A cloud deployment model where the cloud consumer uses multiple public cloud services.

hybrid cloud

A cloud deployment that uses both private and public elements.

Platform as a service (PaaS)

A cloud service model that provisions application and database services as a platform for development of apps. Provides a platform that allows developers to build, deploy, and manage applications without dealing with the underlying infrastructure like servers, storage, and networking. (Ex. Microsoft Azure SQL Database)

Software as a service (SaaS)

A cloud service model that provisions fully developed application services to users. Instead of installing and maintaining software on individual machines, users can access these applications via a web browser. (Ex. Microsoft Office 365)

Infrastructure as a service (IaaS)

A cloud service model that provisions virtual machines and network infrastructure. A means of provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly. Rather than purchase these components and the Internet links they require, you rent them as needed from the service provider's datacenter. It is designed for IT administrators and developers who need to manage and control the infrastructure themselves. (Ex. OpenStack)

Community cloud

A cloud that is deployed for shared use by cooperating tenants.

Public (or multi-tenant)

A cloud that is deployed for shared use by multiple independent tenants.

Private cloud infrastructure

A cloud that is deployed for use by a single entity.

virtualization

A computing environment where multiple independent operating systems can be installed to a single hardware platform and run simultaneously.

high availability (HA)

A metric that defines how closely systems approach the goal of providing data availability 100% of the time while maintaining a high level of system performance.

decentralized computing architecture

A model in which data processing and storage are distributed across multiple locations or devices.

Centralized computing architecture

A model where all data processing and storage is performed in a single location.

Secure Access Service Edge (SASE)

A networking and security architecture that provides secure access to cloud applications and services while reducing complexity. It combines security services like firewalls, identity and access management, and secure web gateway with networking services such as SD-WAN.

on-premises/off-site

A private cloud could be ____ or ____ relative to the other business units.

virtual private cloud (VPC)

A private network segment made available to a single cloud consumer on a public cloud.

Application virtualization

A software delivery model where the code runs on a server and is streamed to a client. Rather than run the whole client desktop as a virtual platform, the client either accesses an application hosted on a server or streams the application from the server to the client for local processing. Most of these solutions are based on Citrix XenApp (formerly MetaFrame Presentation Server), though Microsoft has developed an App-V product with its Windows Server range and VMware has the ThinApp product. These solution types are often used with HTML5 remote desktop apps, referred to as "clientless" because users can access them through ordinary web browser software.

Real-Time Operating Systems (RTOS)

A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks. They are purpose-specific operating systems designed for high levels of stability and processing speed.

software-defined networking (SDN)

APIs and compatible hardware/virtual appliances allowing for programmable network appliances and systems. Can be used to define policy decisions on the control plane. These decisions are then implemented on the data plane by a network controller application, which interfaces with the network devices using APIs.

content delivery networks (CDN)

Cloud platforms also provide advanced _______ that optimize web traffic by caching content, and object storage provides massive, unstructured data storage services that often replace traditional file servers.

programmable logic controllers (PLCs)

An ICS comprises plant devices and equipment with embedded ______

distributed control system (DCS)

An ICS that manages process automation within a single site is usually referred to as a ______

on-site link

An ____ can obviously deliver better performance and is less likely to be subject to outages (loss of an Internet link, for instance).

Embedded systems

An electronic system that is designed to perform a specific, dedicated function, such as a microcontroller in a medical drip or components in a control system managing a water treatment plant.

"hands-off"

An important core concept when using cloud resources is that the implementation and management of security controls is not a ______ endeavor, and identifying the boundary between customer and CSP responsibilities requires a conscious effort.

Microservices

An independent, single-function module with well-defined and lightweight interfaces and operations. Typically this style of architecture allows for rapid, frequent, and reliable delivery of complex applications.

Containerization

An operating system virtualization deployment containing everything required to run a service, application, or microservice. Isolating software in this way ensures consistent application behavior regardless of the underlying platform on which it runs.

replication

Automatically copying data between two processing systems. With synchronous replication a write is committed on both systems before it is acknowledged; with asynchronous replication the primary acknowledges the write first and copies it to the secondary location afterward, so writes that were acknowledged but not yet copied can be lost if the primary fails.
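
The difference between the two modes is easiest to see at failover. The simulation below is an added example, not part of the original card set: a constructed primary/secondary pair where the client is told a write is durable either after both copies commit (synchronous) or after the primary alone commits (asynchronous). The record names and the single mid-run flush are constructed inputs.

```python
"""Synchronous vs asynchronous replication (added illustration, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Replica:
    name: str
    log: list = field(default_factory=list)   # committed records, in order

    def commit(self, record: str) -> None:
        self.log.append(record)


@dataclass
class ReplicatedStore:
    mode: str                                             # "sync" or "async"
    primary: Replica = field(default_factory=lambda: Replica("primary"))
    secondary: Replica = field(default_factory=lambda: Replica("secondary"))
    pending: list = field(default_factory=list)           # async backlog not yet shipped
    acked: list = field(default_factory=list)             # writes the client was told are durable

    def write(self, record: str) -> bool:
        if self.mode not in ("sync", "async"):
            raise ValueError("mode must be 'sync' or 'async'")
        self.primary.commit(record)
        if self.mode == "sync":
            # Acknowledge only once the secondary also holds the record.
            self.secondary.commit(record)
        else:
            # Acknowledge immediately; ship to the secondary on the next flush.
            self.pending.append(record)
        self.acked.append(record)
        return True

    def flush(self) -> int:
        """Ship the asynchronous backlog to the secondary; returns records shipped."""
        shipped = len(self.pending)
        for record in self.pending:
            self.secondary.commit(record)
        self.pending.clear()
        return shipped

    def failover(self) -> list:
        """Primary is lost: promote the secondary. Returns the acknowledged
        writes the new primary does not have (the data-loss window)."""
        survivor = self.secondary
        lost = [r for r in self.acked if r not in survivor.log]
        self.primary, self.secondary = survivor, Replica("replacement")
        self.pending.clear()
        return lost


def demo(mode: str) -> list:
    """Write three constructed records, flush once in the middle, then lose the primary."""
    store = ReplicatedStore(mode=mode)
    store.write("order-1")
    store.write("order-2")
    store.flush()             # async backlog (order-1, order-2) reaches the secondary
    store.write("order-3")    # acknowledged; in async mode it has not been shipped yet
    return store.failover()


if __name__ == "__main__":
    print("sync  lost:", demo("sync"))     # []
    print("async lost:", demo("async"))    # ['order-3']
```

The asynchronous run loses "order-3" even though the client received an acknowledgement for it; that gap is what a recovery point objective has to budget for, and it is why the card on data replication lists low-latency links as a requirement when synchronous replication is chosen.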

availability zones

CSPs divide the world into regions. Each region is independent of the others. The regions are divided into _________. They have independent datacenters with their own power, cooling, and network connectivity. You can choose to host data, services, and VM instances in a particular region to provide a lower latency service to customers. Provisioning resources in multiple zones and regions can also improve performance and increase redundancy, but it requires an adequate level of replication performance.

cloud deployment model

Classifying the ownership and management of a cloud as public, private, community, or hybrid. The deployment model classifies how the service is owned and provisioned.

cloud service models

Classifying the provision of cloud services and the limit of the cloud service provider's responsibility as software, platform, infrastructure, and so on.

Cost, Scalability, Resilience, Ease of deployment, Ease of recovery, SLA and ISA, Power, Compute, Data protection, Patching

Cloud Architecture Features

cloud computing

Computing architecture where on-demand resources provisioned with the attributes of high availability, scalability, and elasticity are billed to customers on the basis of metered utilization.

low latency

Data replication requires _____ network connections, security, and data integrity.

Load Balancing

Distributes network traffic across multiple servers or services to improve performance and provide high availability. In the cloud, load balancers are intermediaries (proxies) between users and back-end resources like virtual machines or containers. They distribute incoming requests to different resources using sophisticated algorithms and handle server capacity, response time, and workload.
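
The card describes the balancer as a proxy that weighs capacity and load when it picks a backend. The code below is an added example, not from the original card set: a least-outstanding-requests scheduler with per-backend weights and a health flag, over a constructed pool of three backends (one sized twice the others). The backend names, weights, and the synthetic health failure are all constructed; a real balancer would populate the health flag from active probes.

```python
"""Weighted least-outstanding-requests load balancing with health checks (added example)."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Backend:
    name: str
    weight: int = 1          # relative capacity (a scaled-up instance gets a larger weight)
    healthy: bool = True     # set by health checks; unhealthy backends receive no traffic
    active: int = 0          # requests currently in flight
    served: int = 0          # requests dispatched so far


class LoadBalancer:
    def __init__(self, backends: Iterable[Backend]):
        self.backends = list(backends)

    def mark_unhealthy(self, name: str) -> None:
        for b in self.backends:
            if b.name == name:
                b.healthy = False

    def pick(self) -> Backend:
        candidates = [b for b in self.backends if b.healthy]
        if not candidates:
            raise RuntimeError("no healthy backends")
        # Lowest in-flight load relative to weight wins; ties go to the backend
        # that has served fewest requests, then to the name for determinism.
        return min(candidates, key=lambda b: (b.active / b.weight, b.served, b.name))

    def dispatch(self) -> str:
        b = self.pick()
        b.active += 1
        b.served += 1
        return b.name

    def complete(self, name: str) -> None:
        for b in self.backends:
            if b.name == name:
                b.active = max(0, b.active - 1)


def simulate(failing: Optional[str] = None, requests: int = 8) -> dict:
    """Constructed scenario: three backends, web-a twice the size of the others.
    Optionally one backend fails its health check before traffic arrives.
    Requests are left in flight so the resulting spread is visible."""
    lb = LoadBalancer([Backend("web-a", weight=2), Backend("web-b"), Backend("web-c")])
    if failing:
        lb.mark_unhealthy(failing)
    for _ in range(requests):
        lb.dispatch()
    return {b.name: b.served for b in lb.backends}


if __name__ == "__main__":
    print(simulate())                    # {'web-a': 4, 'web-b': 2, 'web-c': 2}
    print(simulate(failing="web-b"))     # {'web-a': 5, 'web-b': 0, 'web-c': 3}
```

With all backends healthy the double-weight instance absorbs half the traffic; when web-b is marked unhealthy its share is redistributed rather than dropped, and when no backend is healthy the balancer refuses the request instead of forwarding it to a dead pool.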

Home appliances, Smartphones and tablets, Automotive systems, Industrial automation, Medical devices, Aerospace and defense

Embedded systems are used in various specialized applications, including consumer electronics, industrial automation, automotive systems, medical devices, and more. Some examples include the following:

Serverless computing

Features and capabilities of a server without needing to perform server administration tasks. Serverless computing offloads infrastructure management to the cloud service provider—for example, configuring file storage capability without the requirement of first building and deploying a file server. Essentially a cloud computing model in which the cloud provider manages the infrastructure and automatically allocates resources as needed, charging only for the actual usage of the application.

responsibility matrix

Identifies that responsibility for implementing security, as applications, data, and workloads are transitioned into a cloud platform, is shared between the customer and the cloud service provider (CSP).

elastic compute and auto-scaling

Important cloud architectural services include offerings like ________, which enable dynamic shifts in computing power in response to demand fluctuations.

decentralized architecture

In contrast, ________ is used in situations where resilience and flexibility are more important than central control.

OpEx

In contrast, cloud services are typically paid on a pay-as-you-go basis, allowing organizations to convert CapEx into ____.

patient monitoring systems, medical imaging, and automated drug delivery systems

In medical devices, RTOS is used for applications such as

Auto-Scaling

Is an automated process that adjusts the computing resources allocated to an application based on demand. Auto-scaling allows cloud infrastructure to dynamically scale resources up or down to match the real-time workload requirements. For example, during periods of high demand, additional resources are provisioned automatically to handle the increased load, ensuring optimal performance and responsiveness. In contrast, when demand decreases, unnecessary resources are released back into a shared pool to reduce operating costs or to make them available to other workloads.
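
The auto-scaling card and the earlier availability-zones card describe two decisions that real autoscalers make together: when to add or remove capacity, and where to place it. The code below is an added example, not from the original card set, showing a scale-out/scale-in policy with separate thresholds (hysteresis), a cooldown so one burst does not trigger repeated actions, a floor and ceiling on fleet size, and zone spreading so that losing a single zone removes the smallest possible share. Thresholds, zone names, and the CPU samples are constructed values.

```python
"""Auto-scaling decision with hysteresis, cooldown, and zone spreading (added example)."""
from dataclasses import dataclass, field


@dataclass
class ScalingPolicy:
    min_instances: int = 2
    max_instances: int = 10
    scale_out_above: float = 70.0   # % CPU averaged over the window
    scale_in_below: float = 30.0    # the gap between the two thresholds prevents flapping
    cooldown: int = 300             # seconds that must pass between scaling actions


@dataclass
class Fleet:
    zones: tuple = ("zone-a", "zone-b", "zone-c")      # constructed zone names
    instances: dict = field(default_factory=dict)       # zone -> instance count
    last_action_at: int = -10**9                        # far in the past: first action is allowed

    def __post_init__(self):
        for z in self.zones:
            self.instances.setdefault(z, 0)

    @property
    def size(self) -> int:
        return sum(self.instances.values())

    def least_populated_zone(self) -> str:
        return min(self.zones, key=lambda z: (self.instances[z], z))

    def most_populated_zone(self) -> str:
        return max(self.zones, key=lambda z: (self.instances[z], z))


def decide(policy: ScalingPolicy, fleet: Fleet, avg_cpu: float, now: int) -> str:
    """Return 'scale-out', 'scale-in' or 'hold' and apply the action to the fleet."""
    if fleet.size < policy.min_instances:
        # Restoring the floor ignores both load and cooldown.
        fleet.instances[fleet.least_populated_zone()] += 1
        fleet.last_action_at = now
        return "scale-out"
    if now - fleet.last_action_at < policy.cooldown:
        return "hold"
    if avg_cpu > policy.scale_out_above and fleet.size < policy.max_instances:
        fleet.instances[fleet.least_populated_zone()] += 1     # spread new capacity
        fleet.last_action_at = now
        return "scale-out"
    if avg_cpu < policy.scale_in_below and fleet.size > policy.min_instances:
        fleet.instances[fleet.most_populated_zone()] -= 1      # shrink the biggest zone first
        fleet.last_action_at = now
        return "scale-in"
    return "hold"


def run(samples):
    """samples: list of (timestamp_seconds, avg_cpu). Returns (actions, final per-zone layout)."""
    policy, fleet = ScalingPolicy(), Fleet()
    actions = [decide(policy, fleet, cpu, t) for t, cpu in samples]
    return actions, dict(fleet.instances)


# Constructed load trace: quiet start, a burst, then a lull.
SAMPLES = [(0, 20), (60, 20), (600, 85), (660, 90), (1200, 88),
           (1800, 25), (1860, 25), (2400, 25)]

if __name__ == "__main__":
    actions, layout = run(SAMPLES)
    print(actions)   # ['scale-out', 'scale-out', 'scale-out', 'hold', 'scale-out', 'scale-in', 'hold', 'scale-in']
    print(layout)    # {'zone-a': 1, 'zone-b': 1, 'zone-c': 0}
```

The two "hold" results at t=660 and t=1860 are the cooldown refusing to act again within 300 seconds of the previous action, and the final layout shows the fleet back at its floor of two instances in two different zones.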

Industrial control systems (ICSs)

Network managing embedded devices (computer systems that are designed to perform a specific, dedicated function). Provide mechanisms for workflow and process automation. These systems control machinery used in critical infrastructure, like power suppliers, water suppliers, health services, telecommunications, and national security services.

off-site facility

On the other hand, a dedicated ____ may provide better shared access for multiple users in different locations.

Edge Computing

Optimizes the geographic location of resources and services to enable faster processing and reduced latency. Instead of routing all data to a centralized cloud datacenter, edge computing utilizes distributed computing resources to minimize the distance data needs to travel, reducing network latency and improving responsiveness. Edge computing is particularly beneficial for applications that require real-time or low-latency processing, such as IoT devices, content delivery networks (CDNs), and latency-sensitive applications.

cloud service providers (CSPs)

Organization providing infrastructure, application, and/or storage services via an "as a service" subscription-based, cloud-centric offering.

Infrastructure as Code (IaC)

Provisioning architecture in which deployment of resources is performed by scripted automation and orchestration. A software engineering practice that manages computing infrastructure using machine-readable definition files. These files contain code written in a specific format that can be read and executed by machines, and they are used to manage and provision computing infrastructure. Machine-readable definition files are written in formats like YAML, JSON, and HCL (HashiCorp Configuration Language). They contain information about the desired infrastructure state, including configuration settings, networking requirements, security policies, and other settings.
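
Because the desired state lives in a definition file, it can be checked against security policy before anything is deployed. The code below is an added example, not from the original card set: a small policy-as-code linter over a constructed JSON template. The template uses a hypothetical, generic schema (resource types "security_group" and "object_storage" with the fields shown), not the syntax of any real provider or IaC tool, and the rules are the kind of checks a security team would run in a pipeline: no inbound exposure to the whole Internet except on web ports, and storage that is encrypted and not publicly readable.

```python
"""Policy-as-code check over an IaC definition file (added example, hypothetical schema)."""
import json

# Constructed template in a made-up JSON schema; not a real provider's format.
TEMPLATE = json.dumps({
    "resources": [
        {"name": "web-sg", "type": "security_group",
         "ingress": [
             {"port": 443, "protocol": "tcp", "cidr": "0.0.0.0/0"},
             {"port": 22, "protocol": "tcp", "cidr": "0.0.0.0/0"}]},
        {"name": "admin-sg", "type": "security_group",
         "ingress": [{"port": 22, "protocol": "tcp", "cidr": "10.0.0.0/8"}]},
        {"name": "logs", "type": "object_storage",
         "encrypted": False, "public_read": True},
        {"name": "assets", "type": "object_storage",
         "encrypted": True, "public_read": False},
    ]
})

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {80, 443}


def check_security_group(res):
    """Flag ingress rules that expose non-web ports to the whole Internet."""
    for rule in res.get("ingress", []):
        if rule.get("cidr") in PUBLIC_CIDRS and rule.get("port") not in ALLOWED_PUBLIC_PORTS:
            yield f"{res['name']}: port {rule.get('port')}/{rule.get('protocol')} open to {rule['cidr']}"


def check_object_storage(res):
    """Flag storage without encryption at rest or with public read access."""
    if not res.get("encrypted", False):
        yield f"{res['name']}: encryption at rest disabled"
    if res.get("public_read", False):
        yield f"{res['name']}: public read access enabled"


CHECKS = {"security_group": check_security_group, "object_storage": check_object_storage}


def lint(template_text: str) -> list:
    """Parse a JSON template and return the list of policy findings (empty means it passes)."""
    doc = json.loads(template_text)
    findings = []
    for res in doc.get("resources", []):
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings


if __name__ == "__main__":
    for finding in lint(TEMPLATE):
        print("FAIL", finding)
    # FAIL web-sg: port 22/tcp open to 0.0.0.0/0
    # FAIL logs: encryption at rest disabled
    # FAIL logs: public read access enabled
```

The clean resources (admin-sg restricted to a private range, assets encrypted and private) produce no findings, which is the property a gate like this needs: it has to block the misconfiguration without flagging every deployment. In a pipeline the non-empty findings list would fail the build before the template ever reaches the provider.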

network functions virtualization (NFV)

Provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers.

event-driven orchestration

Serverless architecture depends heavily on ______ to facilitate operations. For example, multiple services are triggered when a client connects to an application.

"monolithic"

Serverless architecture depends heavily on event-driven orchestration to facilitate operations. For example, multiple services are triggered when a client connects to an application. The application needs to authenticate the user and device, identify the location of the device and its address properties, create a session, load authorizations for the action, use application logic to process the action, read or commit information from a database, and log the transaction. This design logic differs from applications written in a ______ server-based environment.

Software-Defined Wide Area Network (SD-WAN)

Services that use software-defined mechanisms and routing policies to implement virtual tunnels and overlay networks over multiple types of transport network. Enables organizations to connect their various branch offices, datacenters, and cloud infrastructure over a wide area network (WAN).

virtualization

The CSP uses a ______ layer to ensure that compute, storage, and network provisions meet the availability criteria set out in its SLA.

operational technology (OT)

The PLCs are linked either by an _______ fieldbus serial network or by industrial Ethernet to actuators that operate valves, motors, circuit breakers, and other mechanical components, plus sensors that monitor some local state, such as temperature.

shared responsibility model

The ______ describes the balance of responsibility between a customer and a cloud service provider (CSP) for implementing security in a cloud platform.

securing their applications and data

The cloud provider is responsible for securing the underlying infrastructure while the customer is responsible for ______.

anything as a service (XaaS)

The concept that most types of IT requirements can be deployed as a cloud service model.

"northbound" API/"southbound" API

The interface between the SDN applications and the SDN controller is described as the ________, while that between the controller and appliances is the ______.

"hot storage"/"cold storage"

The terms ______ and _____ refer to how quickly data is retrieved.

Scale-up (vertical scaling) and Scale-out (horizontal scaling)

There are two basic ways in which services can be scaled:

Type 1 and Type 2

There are two main types of hypervisors:

A software engineering practice that manages computing infrastructure using machine-readable definition files. These files contain code written in a specific format that can be read and executed by machines

What is IaC?

Software that manages virtual machines and is installed on a host operating system

What is a Type II hypervisor?

A cloud that is deployed for shared use by multiple independent tenants. This cloud solution has the greatest security concerns.

What is a public cloud?

IaaS

What type of cloud solution could be used to implement SAN?

shared

When using cloud infrastructure, security risks are not transferred but ____ between the cloud provider and the customer.

functions and microservices

With serverless, all the architecture is hosted within a cloud, but unlike "traditional" virtual private cloud (VPC) offerings, services such as authentication, web applications, and communications aren't developed and managed as applications running on VM instances within the cloud. Instead, the applications are developed as _______, each interacting with other functions to facilitate client requests.

Management plane, Control plane, Data plane

With so many devices to configure, it is better to take a step back and consider an abstract model of how the network functions. In this model, network functions can be divided into three "planes":
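
The SDN cards (the definition, the northbound/southbound APIs, and the three planes above) describe a controller that takes policy in from applications and pushes flow rules out to devices. The code below is an added example, not from the original card set, that models that split: a northbound policy list in business terms, a controller that compiles it into an ordered rule table for one switch using its view of the topology, and a data-plane lookup that applies the first matching rule. Switch names, subnets, ports, and the rule format are constructed; real controllers and their APIs differ.

```python
"""SDN controller compiling northbound policy into southbound flow rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class FlowRule:
    priority: int
    src: str                 # CIDR
    dst: str                 # CIDR
    dport: Optional[int]     # None matches any destination port
    action: str              # "forward:<port>" or "drop"


# Northbound: what the application or operator wants (constructed policy).
POLICY = [
    {"name": "clients-to-web", "src": "10.1.0.0/16", "dst": "10.2.0.10/32", "dport": 443, "allow": True},
    {"name": "block-db-from-clients", "src": "10.1.0.0/16", "dst": "10.3.0.0/24", "dport": None, "allow": False},
]

# Controller's view of the topology: which switch port reaches which subnet (constructed).
TOPOLOGY = {"sw-edge": {"10.2.0.0/24": 2, "10.3.0.0/24": 3}}


def compile_rules(policy, topology, switch) -> list:
    """Control plane: turn policy into a priority-ordered rule table for one switch.
    Earlier policy entries win; an explicit default-deny is always appended last."""
    ports = topology[switch]
    rules = []
    for i, p in enumerate(policy):
        out_port = next((port for net, port in ports.items()
                         if ip_network(p["dst"]).subnet_of(ip_network(net))), None)
        # An allow with no known egress port cannot be forwarded safely, so it drops.
        action = f"forward:{out_port}" if p["allow"] and out_port is not None else "drop"
        rules.append(FlowRule(priority=1000 - i, src=p["src"], dst=p["dst"],
                              dport=p["dport"], action=action))
    rules.append(FlowRule(priority=0, src="0.0.0.0/0", dst="0.0.0.0/0", dport=None, action="drop"))
    return sorted(rules, key=lambda r: -r.priority)


def lookup(rules, src_ip: str, dst_ip: str, dport: int) -> str:
    """Data plane: the first matching rule in priority order decides the action."""
    for r in rules:
        if (ip_address(src_ip) in ip_network(r.src)
                and ip_address(dst_ip) in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "drop"   # unreachable because of the default rule; kept as a fail-closed guard


if __name__ == "__main__":
    table = compile_rules(POLICY, TOPOLOGY, "sw-edge")
    for r in table:
        print(r)
    print(lookup(table, "10.1.5.5", "10.2.0.10", 443))    # forward:2
    print(lookup(table, "10.1.5.5", "10.3.0.7", 5432))    # drop
    print(lookup(table, "10.1.5.5", "10.2.0.10", 80))     # drop (no matching allow)
```

The part worth noticing for security is the last rule: the controller, not the individual switches, decides that anything the policy does not mention is dropped, so a missing policy entry fails closed rather than open. That is the advantage of making policy decisions on the control plane and only pushing the resulting rules to the data plane.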

Microservices and Infrastructure as Code (IaC)

_____ are related technologies, and Microservices architecture is often implemented using IaC practices.

Type 1

_____ hypervisors, also known as bare-metal hypervisors, run directly on the physical hardware, offering high performance and efficiency, which makes them ideal for enterprise environments. Examples include VMware ESXi and Microsoft Hyper-V.

Type 2

_____ hypervisors, or hosted hypervisors, run on top of a host operating system and are often used for development and testing purposes. Examples of Type 2 hypervisors include VMware Workstation and Oracle VirtualBox.

Hypervisors

_____ play a critical role in virtualization by managing multiple virtual machines (VMs) on a single hardware platform.

Hot storage

_____ retrieves data more quickly than cold, but the quicker the data retrieval, the higher the cost.

Interconnection Security Agreements (ISAs)

______ establish the security requirements and responsibilities between the organization and the cloud service provider. They exist to safeguard sensitive data, ensure compliance with industry regulations, and help preserve the confidentiality, integrity, and availability of data and systems within the cloud environment.

Third-party vendors

are external entities that provide organizations with goods, services, or technology solutions.

Peer-to-peer (P2P) networks

are networks designed to distribute processing and data storage among participating nodes instead of relying on a central server.

Internet of Things (IoT) devices

can be connected in a decentralized network to share data and processing power.

Standardized

configurations, templates, and images simplify deployment and ensure consistency.

Scale-out (horizontal scaling)

describes adding additional resources, such as more instances (or virtual machines) to work in parallel and increase performance

Scale-up (vertical scaling)

describes adding capacity to an existing resource, such as a processor, memory, and storage capacity

Content delivery networks (CDNs)

distribute content across multiple servers to improve performance, reliability, and scalability.

Distributed databases

distribute data across multiple servers, ensuring that data is always available, even if one server goes down.

Portability

ensures that applications and services can be easily moved between different cloud infrastructures, avoiding vendor lock-in and providing greater flexibility.

service-level agreements (SLAs)

formally outline all performance, availability, and support expectations between the cloud service provider and the organization.

Data plane

handles the switching and routing of traffic and imposition of security access controls.

CapEx

includes up-front costs for purchasing hardware, software licenses, and infrastructure setup in traditional on-premises IT infrastructure.

Blockchain

is a distributed ledger technology that allows for secure, transparent, and decentralized transactions.

Power usage effectiveness (PUE)

is a metric used to measure datacenter energy efficiency. Cloud providers strive for low PUE values, indicating efficient utilization of energy. A lower PUE signifies that a larger proportion of the energy supplied to the datacenter is used for computing purposes rather than supporting infrastructure.

Tor (The Onion Router)

is a network that enables anonymous communication and browsing. Tor routes traffic through a network of volunteer-operated servers, or nodes, to hide a user's location and internet activity.

Hosted Private

is hosted by a third party for the exclusive use of the organization. This is more secure and can guarantee better performance but is correspondingly more expensive.

Centralized architecture

is often used in large organizations with a need for strict control and management.

Multi-tenant architecture

is when multiple customers share the same infrastructure, with each customer's data and applications separated logically from other customers. This model is cost-effective but can increase the risk of unauthorized access or data leakage if not properly secured.

Serverless architecture

is when the cloud provider manages the infrastructure and automatically scales resources up or down based on demand. This model can be more secure than traditional architectures because the cloud provider manages and secures the infrastructure. However, customers must still take steps to secure access to their applications and data.

Control plane

makes decisions about how traffic should be prioritized, secured, and where it should be switched.

Management plane

monitors traffic conditions and network status.

Single-tenant architecture

provides dedicated infrastructure to a single customer, ensuring that only that customer can access the infrastructure. This model offers the highest level of security as the customer has complete control over the infrastructure. However, it can be more expensive than multi-tenant architecture, and the customer is responsible for managing and securing the infrastructure.

Regional replication (also called zone-redundant storage)

replicates your data across multiple datacenters within one or two regions. This safeguards data and access in the event a single datacenter is destroyed or goes offline.

Geo-redundant storage (GRS)

replicates your data to a secondary region that is distant from the primary region. This safeguards data in the event of a regional outage or a disaster.

Local replication

replicates your data within a single datacenter in the region where you created your storage account. The replicas are often in separate fault domains and upgrade domains.

Automating

the deployment and management of cloud resources reduces the need for manual intervention and is often achieved using configuration management, container orchestration, and infrastructure as code.

Hybrid architecture

uses public and private cloud infrastructure. This model provides greater flexibility and control over sensitive data and applications by allowing customers to store sensitive data on private cloud infrastructure while using public cloud infrastructure for less sensitive workloads. However, it also requires careful management to ensure proper integration and security between the public and private clouds.
