Chapter 15 : Implementing Secure Cloud Solutions


A third party hosts this deployment model and shares it with other subscribers. This is the best-known form of cloud computing and is the least secure.

Public cloud

This refers to the cloud being able to scale quickly to meet peak demand.

Rapid elasticity

Connections to other services such as storage or services running in other VPCs are possible with ________________ configurations.

VPC endpoint

This refers to malware running on a guest Operating System (OS) jumping to another guest or to the host.

Virtual Machine (VM) escaping

This is a security appliance or host, positioned at the client network edge, that forwards user traffic to the cloud network if the contents of that traffic comply with policy. This requires configuration of users' devices.

A forward proxy

A ___________________________________ solution replicates data to a secondary region that is distant from the primary region. Cross-country or around the globe are other terms for this type of solution.

Geo-redundant storage (GRS)

While SOAP is a tightly specified protocol, this is a looser architectural framework, also referred to as RESTful APIs.

Representational State Transfer (REST)

Refers to creating and using containers when needed. It depends heavily on the concept of event-driven orchestration with many services involved to facilitate operations.

Serverless architecture

It is imperative to identify precisely which risks are transferring to the cloud, which risks the service provider is undertaking, and which risks remain with the organization. A _________________________ outlines those risks and responsibilities.

Service level agreement (SLA)

This conceives of atomic services closely mapped to business workflows. Each service takes defined inputs and produces defined outputs.

Service-oriented architecture (SOA)

This refers to ways of making decoupled service or microservice components work together to perform a workflow.

Services integration

A company conducts file sharing via a hosted private cloud deployment model. Which scenario accurately depicts this type of file sharing? A.) A cloud hosted by a third party for the exclusive use of the organization. B.) A cloud hosted by a third party and shared with other subscribers. C.) A cloud that is completely private to and owned by the company that utilizes it. D.) A cloud where several organizations share the costs of a cloud in order to pool resources for a common concern.

A

An organization plans a move of systems to the cloud. In order to identify and assign areas of risk, which solution does the organization establish to contractually specify cloud service provider responsibilities? A.) Service level agreement B.) Trust relationship C.) Responsibilities matrix D.) High availability

A

A developer considers using an API for service integration and automation. If choosing Representational State Transfer (REST) as the API, which features can the developer expect? (Select all that apply.) A.) The ability to submit a request as an HTTP operation/verb B.) It is a looser architectural framework C.) It uses XML format messaging D.) It has built-in error handling

A and B

A security team suspects the unauthorized use of an application programming interface (API) to a private web-based service. Which metrics do the team analyze and compare to a baseline for response times and usage rates, while investigating suspected DDoS attacks? (Select all that apply.) A.) Number of requests B.) Error rates C.) Latency D.) Endpoint connections

A and C

This application can manage the aspects of all "planes" in the abstract model. It can manage compatible physical appliances, but also virtual switches, routers, and firewalls.

A software-defined networking (SDN)

This is a full-fledged operating system that runs in a virtual environment and is considered a server, not serverless.

A virtual machine

Rather than placing a CASB appliance or host inline with cloud consumers and the cloud services, an ______________________ connections between the cloud service and the cloud consumer.

API-based CASB brokers

A large sales organization uses a cloud solution to store large amounts of data. One afternoon, the data becomes inaccessible due to an outage at a data center. Which replication service level is currently in use? A.) Regional B.) Local C.) Geo-redundant D.) Zone

B

An engineer utilizes infrastructure as code to deploy and manage a network. When considering an abstract model that represents network functionality, how does the engineer make control decisions? A.) By managing compatible physical appliances B.) By prioritizing and securing traffic C.) By monitoring traffic conditions D.) By using security access controls

B

A company has many employees that work from home. The employees obtain data and post data to a shared file they access through a link on the Internet. Consider the types of virtualization and conclude which the company is most likely utilizing. A.) Rapid elasticity B.) Measured service C.) Cloud computing D.) Resource pooling

C

A startup designs a new online service and uses a serverless approach for some business functions. With this approach, how does the startup perform these functions? (Select all that apply.) A.) Virtual machines B.) Containers C.) Single service D.) Orchestration

B and D

Analyze and select the accurate statements about threats associated with virtualization. (Select all that apply.) A.) Virtualizing switches and routers with hypervisors makes virtualization more secure. B.) VM escaping occurs as a result of malware jumping from one guest OS to another. C.) A timing attack occurs by sending multiple usernames to an authentication server to measure the server response times. D.) VMs providing front-end, middleware, and back-end servers should remain together to reduce security implications of a VM escaping attack on a host located in the DMZ.

B and D

A systems administrator configures several subnets within a virtual private cloud (VPC). The VPC has an Internet gateway attached to it, however, the subnets remain private. What does the administrator do to make the subnets public? A.) Configure any VPC endpoints. B.) Create a VPN between VPCs. C.) Configure a default route for each subnet. D.) Create a VPC for each subnet.

C

A security professional is looking to harden systems at an industrial facility. In particular, the security specialist needs to secure an HVAC system that is part of an IoT network. Which areas does the specialist look to secure from data exfiltration exploits? (Select all that apply.) A.) Edge devices B.) Data center C.) Fog node D.) Edge gateway

C and D

What actions are typically recommended when securing virtualized and cloud-based resources? (Select all that apply.) A.) Ensure virtual machines are logging all events for auditing. B.) Enforce the principle of most privilege for access to VMs. C.) Ensure software and hosts are patched regularly. D.) Configure devices to support isolated communications.

C and D

Because VPCs remain private from each other, the admin can create a ______________________________________ to connect the VPCs and VPNs.

CSP-managed feature or a VPN

This is a service that provides on-demand resources such as server instances, data storage, databases, or applications. The service is typically provided over the Internet.

Cloud Computing

When an operation needs processing, the cloud spins up a ______________ to run the code, performs the processing, and then destroys it.

Container

This plane makes decisions about how to prioritize and secure traffic, as well as where to switch it.

Control plane

When using an abstract model, the engineer can divide the network functions into three "planes," called?

Control, data, management

Several organizations use this cloud model that shares the costs of either a hosted private or fully private cloud. This is usually done in order to pool resources for a common concern, such as standardization and security policies.

Community Cloud

A company has recently started using a Platform as a Service (PaaS). Compare cloud service types to determine what is being deployed. A.) The company has leased servers and a Storage Area Network (SAN). B.) The company has leased a suite of applications that were outside of the budget to purchase outright. C.) The company has outsourced the responsibility for information assurance. D.) The company has leased a server that runs Microsoft Azure SQL Database.

D

A systems administrator deploys a cloud access security broker (CASB) solution for user access to cloud services. Evaluate the options and determine which solution may be configured at the network edge and without modifying a user's system. A.) Single sign-on B.) Application programming interface C.) Forward proxy D.) Reverse proxy

D

When provisioning application services in a network architecture, an engineer uses a microservices approach as a solution. Which description best fits the engineer's implementation? A.) Components working together to perform a workflow B.) Being closely mapped to business workflows C.) The performing of a sequence of automated tasks D.) Each program or tool should do one thing well

D

A security specialist can incorporate ____________s as a data processing layer positioned close to edge gateways, assisting the prioritization of critical data transmission. They are high-value targets for both denial of service and data exfiltration attacks.

Fog node

This plane handles the actual switching and routing of traffic and the imposition of security access controls.

Data plane

_____________ collect and depend upon data for their operation. For example, a thermometer in an HVAC system collects temperature data.

Edge devices

_________________________ perform some pre-processing of data to and from edge devices to enable prioritization. They also perform the wired or wireless connectivity to transfer data to and from the storage and processing networks. They are high-value targets to exploit.

Edge gateways

Representational State Transfer (REST) requests can be submitted as an ?

HTTP operation/verb (GET or POST for example)

What is an approach to keeping system functionality at a constant?

High availability

A third party hosts this deployment model for the exclusive use of the organization. This service is more secure and provides guaranteed performance but is more costly than other options.

Hosted private cloud

This is a means of provisioning resources such as servers, load balancers, and Storage Area Network (SAN) components quickly.

IaaS (Infrastructure as a Service)

A _______________________ solution replicates data within a single data center in the region that created the storage account. If the data center experiences an outage, so do all of the replicated copies.

Local replication

Virtual machines should log all critical events versus all events.

Logging all events will be counterproductive as critical events could be missed due to too much data.

This is a means of fully outsourcing responsibility for information assurance to a third party.

Managed Security Services Provider (MSSP)

This plane monitors traffic conditions and the overall network status.

Management plane

A single service would provide a specific output. On the other end, what is the case?

Many services require working together in a serverless environment.

This is described as a cloud service in which the customer pays for the memory, disk, and the network bandwidth resources they are actually consuming rather than paying a monthly fee for a particular service level. This is known as a pay-per-use service. This service falls under the cloud computing type of virtualization.

Measured service

This uses a philosophy that each program or tool should do one thing well. Each service should be capable of being developed, tested, and deployed independently, and is said to be highly decoupled, rather than just loosely decoupled.

Microservice-based development

The principle of least privilege for access to virtual machines should be utilized for security purposes.

Most privilege would not maximize security for virtualized or cloud-based resources.

This performs a sequence of automated tasks. Its steps run numerous automated scripts or API service calls.

Orchestration

VMs providing front-end, middleware, and back-end services should be separated through __________________. This reduces the security implications of a VM escaping attack on a host in the Demilitarized Zone (DMZ).

Physical Hosts

This provides resources that combine Software as a Service (SaaS) and Infrastructure as a Service (IaaS).

Platform as a Service (PaaS)

This deployment model is completely private to and owned by the company that uses it. This is geared toward companies and services that require strict control, such as banking or government entities.

Private cloud

This describes the situation in which the hardware making up the cloud provider's data center is not dedicated or reserved to a particular customer account.

Resource pooling

A ______________________ is a good way to identify what risks exist, and who is responsible for them. The matrix can be part of an SLA.

Responsibility matrix

What is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy? This does not require the configuration of users' devices.

Reverse proxy

This is a different model of provisioning software applications. Rather than purchasing software licenses for a given number of seats, a business can access software hosted on a supplier's servers on a pay-as-you-go or lease arrangement.

SaaS (Software as a Service)

This uses XML format messaging and has a number of extensions in the form of Web Services (WS) standards.

Simple Object Access Protocol (SOAP)

This also has built-in error handling and supports common features, such as authentication, transport security, and asynchronous messaging.

Simple Object Access Protocol (SOAP)

This provides authentication and enforces access controls and authorizations from the enterprise network to the cloud provider; it is a feature of a CASB.

Single sign-on

This occurs by sending multiple usernames to an authentication server and measuring the server's response times.

Timing Attack

A __________is an isolated virtual cloud that can contain many subnets. Multiple VPCs are not required.

Virtual private cloud (VPC)

Requests sent as Simple Object Access Protocol (SOAP) must be correctly formatted as an ?

XML document

A _____________ is a portion of a region that performs replication.

Zone

The ______________________________ provides the main storage and processing resources, plus distribution and aggregation of data.

cloud or data center

If the admin does not configure a __________________, the subnet remains private, even if the VPC has an Internet gateway attached to it.

default route - The administrator must configure the Internet gateway as the default route for each public subnet.

A ____________________________ solution (also called zone-redundant storage) replicates data across multiple data centers within one or two regions.

regional replication

A ___________________________ simply defines the relationship with a cloud service provider. The more important the service is to a business, the more risk the business invests in that trust relationship.

trust relationship
