CASP+ Ch 13

Ace your homework & exams now with Quizwiz!

CON: - Sharing

- Infrastructure elements including 'bandwidth' and 'storage' are potentially shared across a pool of organizations.

Community Cloud

- Involves a 'group of organizations' that collectively 'own, share, or consume' a 'common' cloud computing infrastructure as a result of mutual interests like 'software interfaces', and 'security features'. - NOTE: One of the market leaders in community cloud offerings is the 'Salesforce' Community Cloud.

EXAM TIP

Monitoring and managing a virtualized server farm is a very unique challenge that many security personnel will not be familiar with. The ability to create new instances quickly and with little oversight is a significant security risk that comes from using virtualization.

4) Support for Investigations

- How hard is it to get answers to any questions? You may have difficulty getting support from cloud provider for any future investigations. - Ask provider if your service gets compromised, data gets corrupted, or you suspect foul play, what support can provider offer? - What is it required to offer? - What will it provide 'for an additional fee'?

7) Deprovisioning

- How is a virtual server deprovisioned once you've finished with a project and decide to remove a server from the cloud, migrate from one cloud provider to another, or cancel a line of service? - What steps are taken to ensure those virtual machines are reused? - Are backups purged? - How does the provider make sure your presence is truly gone from that cloud?

CON: - Disaster recovery

- If a data center lacks replication--or an alternate hot site to replicate to--a disaster event can render that site inoperable.

Single Tenancy

- If security requirements dictate increased privacy and isolation of cloud-based resources - The cloud provider will grant each customer its own virtualized software environment to ensure more privacy, performance, and control requirements are upheld to a greater standard. - The prioritization and allocation of resources to a single tenant will increase the cloud provider's costs; therefore, the customer can expect costs to be passed on to them.

Con: - Performance

- Internet connectivity fluctuations - Demands of other cloud tenants can negatively affect performance

PRO: - Reliability

- Internet connectivity, or lack thereof, won't have the same impact as it would a public and hybrid cloud

Privilege Elevation (Vertical Privilege Escalation)

- Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. - Virtual environments do not remove all risk of privilege escalation--unfortunately they actually create additional risk in some cases.

PRO: - Accessibility

- Remote workers can easily reach the public cloud as needed.

Security

- SIGNIFICANT benefits to security - easier to develop production and development baselines because virtual machines use the same 'generic hardware'. - Production servers can be copied or cloned for use in testing of patches, fixes, and so on and then rolled back to a known good configuration in the event of corruption or compromise. - Data centralization (CENTRALIZED STORAGE) is another 'security advantage'. - Centralizing data provides a much 'smaller attack surface' - the fewer places data is stored, the fewer places you have to worry about security and protecting (can also present risks for this same reason). - Another 'security benefit' is the 'hardware abstraction' that virtualization provides. Virtual machines have 'limited direct access' to the actual hardware they are running on. The hardware abstraction offered by 'hypervisors' provides each virtual machine with a more 'generic set of hardware': > a 'virtual network interface card' (NIC) instead of a physical one > filtered (or not) access to peripherals > limited (or no) direct access to disks, etc. > so fewer drivers to patch and maintain > less chance of a rogue or infected drivers being installed > less chance of certain types of attacks being successful > less chance of a hardware failure forcing you to modify the configuration of all the virtual machines running on that hardware. - If the platform running your hypervisor fails or is compromised, you can easily migrate your virtual machines (VMs) over to a different platform. - The hardware abstraction is taken care of at the hypervisor level and should have little to no impact on your VMs.

PRO: - Scalability

- Scaling up and out provisions resources at high and more cost-effective amounts to the customer. - Can improve performance and availability requirements (important triad to CIA triad).

PRO: - Security

- Security posture resembles that of an on-premises infrastructure with in-house equipment, focus, and control

PRO: - Control

- Shares many of the same control benefits of an on-premises infrastructure

CON: - Operational expenses

- Since 'organization owns, operates, and maintains equipment', it incurs all day-to-day costs of business

CON: - Reliability

- Since hackers target cloud networks, their reliability may be reduced.

CON: - Configuration

- Some public clouds limit the configuration options available to tenants

Cost reduction

- The #1 driver behind 'virtualization'. - Virtualized infrastructures consumes less power, can be managed by a smaller workforce, easier to manage and maintain, and more efficient in serving an enterprise. - Of the factors to consider in cost reduction, the two most often examined and quoted to justify 'Return on Investment' (ROI) are: > Reduced power consumption > Reduced headcount

Virtual Server Sprawl

- The ease with which virtual machines can be created represents the very real possibility that your virtual environment can quickly outgrow your organization's ability to manage it. - When you run out of 'memory and disk space', you can't create any more virtual servers.

Private Cloud

- The local organization (3rd party) is the sole beneficiary of the infrastructure - The main component of a private cloud computing is that the local organization does not share the benefits of this cloud network with other organizations - The local organization, or 3rd party, can maintain the 'internal on-premises' cloud infrastructure.

Cloud Service Models

- The particular services being offered to us by the deployment models. - These services are what the customer directly interacts with and benefits from. - A public cloud in itself is really just someone else's data center. What we're looking for are the particular software, platform, and infrastructure services being provided to us by that data center.

3) Proprietary models

- The provider has a right to protect its technology and operations BUT if all your answers to your questions are answered with, "Don't worry, we have that covered, but it's all proprietary so we can't talk about it," consider another provider. Make sure your vendor isn't using proprietary excuses to cover up negligence and incompetence.

PRO: - Universal tools

- The tools are accessible by both suppliers and consumers of the cloud infrastructure.

NIST SP 800-145: Key Aspects

- UBIQUITOUS. Applications and data are accessible from 'anywhere'. - ON-DEMAND. Applications and data are accessible at 'any time'. - SHARED POOL. Resources are allocated or deallocated from a dynamic and large pool that is shared by multiple subscribers. - RAPID PROVISIONING. Resources are provided in a timely fashion to maximize 'performance' and 'cost-effectiveness'. - MINIMAL MANAGEMENT EFFORT. Many cloud vendors provide a comprehensive 'managed service' or 'managed security service' to reduce the management responsibilities of the cloud subscribers.

Disaster Recovery

- can be 'greatly enhanced by' a 'virtualized environment' - *Virtual machines can be cloned, transferred, and redeployed far easier than physical machines because you don't need identical hardware to stand up a cloned virtual machine -- just compatible hardware and correct version of your virtualization software. - can be 'migrated' from one platform to another while they are still running (transferring from one data center to another)

NIST SP 800-145

- defines cloud computing as 'a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interactions.'

PRO: - Accessibility

- immediately available and accessible from clients anywhere at any time

EXAM TIP

How data is managed, protected, replicated, and deleted are major factors to consider when examining cloud services. You must know how your data is managed and be confident that the cloud-based security matches the criticality and sensitivity of your data.

On-Premises vs. Hosted

HOSTED Cloud Computing - Provides greater scalability, availability, elasticity, accessibility, and cost-effective benefits On-Premises (Private) CLOUD - A modernized version of on-premises computing - An on-premises cloud provides some of the benefits of a hosted cloud, but without some risks.

Server Consolidation

- 'Reducing the number of servers' can also be a significant NEGATIVE. - Same physical hardware failures can have a much larger impact when 'multiple virtual servers' are running on a 'single physical platform'. - Failover technologies such as 'RAID', 'redundant power supplies', etc. can mitigate this.

CON: - Security and privacy

- Hackers may target the cloud - Customers lose some control over data - *Inherent vulnerabilities associated with resource sharing - Although many public cloud computing vendors provide considerable behind-the-scenes security benefits, not all of them do.

EXAM TIP

'Multitenancy' has the 'advantages' of cost reduction via resources being shared across clients, single platform management, simplified capacity management and reduced maintenance complexities due to the shared resource ecosystem. - The 'disadvantages' also stem from those shared resources which create a 'single point of failure', 'tenant breaches' potentially affecting multiple tenants, 'reduced flexibility' from a 'configuration standpoint', and the 'greater complexities' that come with creating a 'single environment' for everyone.

Application Isolation

- 'Best practices' is to 'run one critical service on one server' decreasing the attack footprint of that server, reducing the chance of service A getting compromised through an attack on service B, etc. - With a physical server environment, this is not possible. - With virtualization and server consolidation, the concept of dedicating a server to a specific critical service becomes a possible reality. - Separating critical functions such as 'web servers', 'mail servers', and 'DNS servers' onto 'separate virtual systems' allows administrators and security personnel to deploy and configure those virtual servers to support a specific service rather than having to compromise and configure the server to run multiple critical services.

Technical Deployment Models (Outsourcing/Insourcing/Managed Services/Partnership)

- 'Cloud computing' includes a variety of 'deployment models' that permit organizations to strike the best balance between cost, control, responsibility, security, and features. - 'Virtualization' can be thought of as a 'feature' of 'deployment models', particularly in the case of private cloud networks.

Public Cloud

- 'Cost benefits' and 'simplicity' is one of the more common reasons to utilize public cloud computing services. - Offers pay-as-you-go, subscription-based, or non-paying customers. - Paying customers enjoy more features like security - Free-service customers may lose important features like encryption, access control, compliance, and auditing.

CON: - Cost

- 'Expenses' incurred from the 'private' cloud setup 'offset' some of the 'cost-savings' of the 'public' cloud

Hidden Costs

- 'Licenses' for virtualization platforms - New management 'tools' - 'Training costs' to get personnel up to speed - 'Familiarization period' in which the organization will likely see 'decreased performance'

CON: - Accessibility

- 'No ubiquitous access' benefits to remote workers since the cloud is NOT hosted on the Internet

Disadvantages of Virtualizing

- Hidden costs - Personnel - Server consolidation - Virtual server sprawl - Security configuration

Container / container virtualization / operating system virtualization

- *Containers reduce the number of OSs like VMs reduce the number of computers. - Containers are a different form of virtualization where the OS itself (not the hardware) is virtualized into multiple independent OS slices. - Containers isolate applications from one another yet share the same overall OS which provides both isolation and performance benefits. - Virtualize a shared OS kernel into multiple virtualized kernel slices. Think of each slice as a mini operating system being provided to an application.

Hybrid Cloud

- A combination of multiple cloud models such as public, private, and community cloud models - EXAMPLE: > An organization might utilize a local server solution in addition to outsourcing other aspects of that solution to a cloud provider. > Allows an organization to experience best of both worlds > The most critical data is kept on premises to meet organizational security requirements, while still enjoying benefits offered by public cloud. - If two models exist as nonintegrated entities, they do not form a hybrid cloud. - Shares the strengths and weaknesses of both 'private' and 'public' cloud methods.

Leading technology companies that sell 'private' cloud solutions:

- Amazon - Cisco - Dell - HP - IBM - Microsoft - NetApp - Oracle - Red Hat - VMware

Popular PaaS products

- Amazon AWS - Microsoft Azure - Mendix - Oracle Cloud

PRO: - Cloud bursting

- As demands for private cloud resources 'exceed the supply', the organization can redistribute or 'burst' the 'excess demand' onto a 'public' cloud to stabilize performance.

Security Configuration

- As virtualization continues to grow in popularity, they will continue to be a growth in the risks and attacks targeted at virtual environments, including the 'hypervisor' itself. - An organization's security staff must know how to secure and monitor a virtual environment correctly.

7) Better visibility into threat profiles

- At any given moment some servers in the cloud are being scanned, probed, or even attacked. - By monitoring attack traffic carefully, a cloud service provider is able to gain significant visibility into current and rising attack trends. - Depending on how well-trained and competent security staff are, a cloud provider may be able to identify a rising attack trend and neutralize it before it can reach the company's virtual servers, whereas a company may only discover the attack trend when it hits its servers for the first time.

Pros & Cons: Type 2 Hypervisor

- Can run on servers but is more appropriate for 'clients' - Different from Type 1 in that they communicate with a 'host operating system', which communicates with the 'hardware'. - As a result, the 'software's larger footprint' will hurt performance and 'increase the attack surface'. - Attackers can inject 'malware' into the VMs of both Type 1 and Type 2 hypervisors. > 'Type 2' has greater malware potential due to it having both the VM and the host OS at the hacker's disposal.

6) DDos protection

- Cloud services are more resistant to DDoS attacks. - If one part of the cloud is under fire, resources can be shifted to service requests from a different part of the cloud.

5) Dispersal and replication of data

- Cloud services can be designed to disperse and replicate data over a range of virtual instances. - (This may increase the risk of losing some data or having chunks of data compromised but can help ensure the majority of data is always available and accessible to the organization.)

PRO: - Capital expenses

- Cloud subscribers use 'provider's hardware' which reduces the need for local server purchases.

CON: - Capital expense

- Composed of 'locally-owned equipment', increasing costs to the organization

Security Advantages of Virtualization

- Cost reduction - Server consolidation - Utilization of resources - Security - Disaster recovery - Server provisioning - Application isolation - Extended support for legacy applications - Data centralization - (provides a smaller attack service)

PRO: - Pay per use

- Customer billed based on 'resource usage' not necessarily 'resource availability' (the former is more cost effective).

Infrastructure as a Service (IaaS)

- Delivers hardware networking capabilities, including the use of servers, networking, and storage, over the cloud using a pay-per-use revenue model - Provides customers with direct access to the cloud provider's infrastructure. - Like an outsourced data center - You DON'T have direct control of overall cloud infrastructure. - DO have control over host operating systems like storage, and various other networking equipment. Resources include: > Processing > Memory > Storage > Load balancers > Firewalls > VLANs

Multitenancy

- Involves cloud organizations making a shared set of resources available to multiple organizations and customers. - The cloud servers will share out a common virtualized environment to multiple tenants while also providing the logical isolation and control set needed by customers. - The 'primary motivation' behind multitenancy is the 'cost benefits' to the cloud provider in the form of automated software provisioning and shared resources. - When cloud providers save money through these conservation efforts, they pass on those savings to the customers. - NOTE: With cost-effectiveness being a critical factor in choosing a cloud-based solution, most customers will opt for the cheaper multitenancy solutions.

PRO: - Economies of scale

- Large-scale providers can generally produce more output at less cost; therefore, they're better positioned to secure their infrastructure than private organizations. - This enhances their capability to comply with security accreditations like HIPAA, FIPS, PCI DSS, SOX, etc.

PRO: - Outsourced

- Management can be delegated to a 3rd party.

IaaS (Infrastructure as a Service)

- Microsoft Azure (offer PaaS and IaaS) - Amazon AWS (offer PaaS and IaaS) - Google Compute Engine - Rackspace Open Cloud

PRO: - Cost

- More cost-effective than a private cloud.

CON: - Cost

- More expensive than a 'public' cloud.

Cloud and Virtualization Considerations and Hosting Options

- Most 'cloud computing solutions' are Internet based, yet virtualization equally permeates the Internet and on-premises infrastructures of organizations. - All 'cloud computing' involves virtualization, but not all 'virtualization' involves 'cloud computing'. - There are many 'cloud computing hosting' options to choose from--some of which may or may not involve virtualization. These options differ in the following ways: > cost > configuration controls > resource isolation > security features > locations of data > servers > applications - Security practitioners must choose from to balance the cost, productivity, and security requirements of the organization.

'Software' as a Service (Saas)

- Most common - When cloud computing providers offer 'applications' to customers to use Common Features: > Web-based email > file storage and sharing > video conferencing > learning management systems (LMS) > others EXAMPLES of Popular Saas Products: > Microsoft Office 365 > Google G Suite > Salesforce > Slack > Box > DocuSign

CON: - Security

- Not all 'private' organizations are masters of securing private cloud infrastructures

PRO: - Balance

- Organizations can use a private cloud for stricter security requirements and a public cloud for less-strict security requirements.

CON: - Scalability

- Organizations may 'lack sufficient hardware' in regard to spikes in resource demand

8) Use of private clouds

- Private clouds are reserved resources used only for your organization. - They are considerably more 'expensive' but have less exposure and enable your organization to better define the security, processing, handling of data, etc. that occurs within your cloud.

Server consolidation

- Undisputed benefit of virtualization - Reduces the amount of 'physical space' needed to support business functions -- which can be a 'direct cost savings' in overhead if you are leasing data center space. - The more you consolidate your environment, the 'beefier' your virtualization servers will need to be in terms of 'CPU' and 'memory'. > Will run at 'high utilization' and 'produce more heat', which may change the spot cooling requirements for your equipment racks. - Consolidation can also bring 'risks' such as a greater impact when a failure occurs, more users accessing the same resources, and attractiveness of a target with more eggs in one basket.

Popular Type 1 Hypervisor Products

- VMware ESXi - Microsoft Hyper-V Server 2016 - Citrix XenServer

Popular Type 2 Hypervisor Products

- VMware Workstation/Fusion/Player - Microsoft Client Hyper-V - Oracle VirtualBox - Parallels Desktop

Virtualization Basics

- Virtualization is the other side of the coin shared by cloud computing. - Virtualization is the act of creating a virtual or simulated version of real things like computers, devices, OSs, or applications. - A hypervisor software can virtualize hardware into software versions of CPUs, RAM, hard drives, and NICs so we can install and run multiple isolated OSs instances on the same set of physical hardware. - These VMs behave like separate physical computers; therefore, each VM can contain its own OS. - Virtualization can save money, reduce server count, and maximize utilization of hardware.

Server Provisioning

- Virtualization provides 'significant advantages' when it comes to server provisioning. - can quickly deploy a server from a template or clone an existing virtual server in a matter of minutes > With 'master' or 'golden' server images in inventory -- can have a fully patched, production-ready server in no time.

Personnel

- Virtualization requires a 'new knowledge set', learn new management tools, resource planning, management of shared resources such as CPU, disk, and memory, new monitoring tools, etc. so may need to 'hire new personnel' or offer 'training'. - Virtualization also introduces a 'new layer of complexity' with 'troubleshooting issues' or 'performance problems'. - Can make 'root-cause analysis more difficult' and even slow down problem resolution.

EXAM TIP

- Virtualized infrastructures can typically be restored very quickly in response to disasters, security incidents, and so on. - The abstraction used between the hardware and the virtualized systems themselves can greatly reduce recovery times.

8) Data remnants

- What happens when a server, or your data, is deleted in the cloud? - Are file securely deleted with contents overwritten? Does the provider just perform a simple delete that may delete the file record and leave partial file contents on the disk? - Your servers and data probably resided on the same physical drives as other organizations' servers and data; therefore, the data destruction mechanisms may not be super aggressive. The provider is not degaussing drives after you cancel your service or delete your servers, so how can you make sure your data is truly gone and nothing remains behind?

EXAM TIP

- While in theory administrative headcount could be reduced through virtualization, in reality this rarely happens. - Your staff is still maintaining a large number of servers -- they're just not running on individual hardware platforms anymore.

CON: - Complexity

- With multiple cloud models requiring a 'synergistic' setup, more 'knowledge' and 'skills' are required for proper configuration, maintenance, and recovery

Extended Support for Legacy Applications

- You can migrate a server that's running some obscure, customer application over to a virtual environment and potentially extend its use. - Older OSs and applications can be migrated to the virtual environment easier than they can to new physical environments.

Utilization of Resources

- a 'primary goal' of any 'virtualization' project is to increase the utilization of resources - Prime candidates for virtualization include any dedicated server running at '15% or less' average utilization. - RAM can be shared among the same servers.

Hypervisor

- a critical component of virtualization that include their own security considerations - thin layers of software that imitate hardware - Mimic the behavior of 'CPUs' so the 'virtual CPU' behaves like a real CPU - same for 'virtual RAM', 'hard drives', 'network interface cards', 'optical drives', and 'BIOS/UEFI firmware'. - vary by type in how they can act as an intermediary between the 'VMs and the host OS', or between the 'VMs and actual hardware'.

Platform as a Service (PaaS)

- a lower-level virtual environment or platform - can 'host software' of own choosing, including locally developed or cloud-developed applications, guest OSs, web services, databases, and directory services. - do NOT have control over host OS, or its hardware - DO have responsibility over the 'applications' and 'data' contained within

Pros & Cons: Type 1 Hypervisor

- a server-based hypervisor that sits between the 'VMs and the hardware'. - known as 'bare-metal' hypervisor since they 'directly interact with hardware' - Because it doesn't have to communicate through a thick host OS to reach the hardware, the 'physical server' will have 'reduced hardware requirements', 'faster performance', and 'increased capacity to run more VMs'. - The server's smaller footprint 'significantly reduces its attack surface', so 'security is greatly improved'. - primary hypervisor running on servers in 'data centers' -- forming the nexus of private cloud computing networks for countless organizations

6) What happens to your data

-Don't assume all major cloud products like Amazon and Microsoft give you increased control over data security and management. - You must inquire about the nature of the controls and the responsibilities that lie with the provider and subscriber respectively. - You must inquire about encryption of data in use, in transit, and in storage. - How long is the data is archived? - How is it backed up? - What happens to your data when you delete it--is it really gone? - What happens to your data if you cancel the contract? (Knowing exactly how your data is handled in a cloud service environment is important.) - Make sure if you have specific concerns or special requirements, they are addressed ahead of time.

Disadvantages of Cloud Computing:

1) Loss of physical control 2) Must trust the vendor's security model 3) Proprietary models 4) Limited support for investigations 5) Inability to respond to audit findings 6) What happens to your data 7) Deprovisioning 8) Data remnants

ADVANTAGES of Cloud Computing:

1) Time saved 2) Manpower saved 3) Money saved 4) Availability 5) Dispersal and replication of data 6) DDos protection 7) Better visibility into threat profiles 8) Use of private clouds

3) Money saved

Cheaper (because it's virtual) than if your organization were deploying physical servers in multiple locations.

4) Availability

Maximum service 'uptime' and speedy 'recoverability' during outages

2) Must trust the vendor's security model

Must ask cloud provider: - How is the cloud secured? - What technologies is it using? - How is the cloud monitored? - Does the cloud provider comply with any regulations such as HIPAA, FIPS, PCI DSS, GLBA, etc?

Pros and Cons of "Public" Cloud Computing

PROs: - Accessibility - Scalability - Capital expenses - Pay per use - Economies of scale CONs: - Security and privacy - Performance - Configuration - Reliability

Pros and Cons of "Hybrid" Cloud Computing

PROs: - Balance - Cloud bursting - Accessibility CONs: - Cost - Complexity - Security

Pros and Cons of "Private" Cloud Computing

PROs: - Control - Security - Reliability CONs: - Private - Capital expense - Operational expenses - Scalability - Disaster recovery

Pros and Cons of "Community" Cloud Computing

PROs: - Cost - Outsourced - Universal tools CONs: - Cost - Sharing

FIPS

The goal of FIPS is to create a uniform level of security for all federal agencies in order to protect sensitive but unclassified information—a large portion of the electronic data not considered secret or higher.

Exam Tip:

The strongest advantage of virtualization is 'cost savings' from REDUCTION in energy usage, REDUCTION in 'hardware' platforms, and REDUCTION in 'personnel'.

5) Inability to respond to audit findings

When you outsource a critical service, you give up a degree of access and control. You may find you're unable to adequately address or remediate findings from an audit, such as a PCI DSS compliance audit.

1) Loss of physical control:

With a cloud solution - - Can control: > which geographical region hosts your cloud services - Can't control: > How those services are provided > Have no way to know if weather, war, or natural disasters will affect your data center supporting you > Know which data center it is that holds your data and services

Cloud Deployment Models:

public, private, community, hybrid

Gramm-Leach-Bliley Act

requires financial institutions - companies that offer consumers financial products or services like loans, financial or investment advice, or insurance - to explain their information-sharing practices to their customers and to safeguard sensitive data.


Related study sets

Chapter 13.3 Study Guide Questions

View Set

Chapter 10 Online Content and Media M/C

View Set

NUR2261 - Unit 2 - Kidneys (AKI, CKD, Glomerulonephritis)

View Set

Quels sont les avantages et les inconvénients d'Internet? (= What are the pros and cons of the Internet)

View Set

Unit 3: The Age of Enlightenment

View Set

Introduction to Finance Exam 2 Study guide

View Set