Implementing Cloud Security Ch 22
Security Groups
( ) are composed of the set of rules and policies associated with a cloud instance. A means of managing permissions in a limited granularity mode.
Permissions
( ) for data access and modifications are handled in the same manner as in an on-premises IT environment. Identity and access management (IAM) systems are employed to manage the details of who can do what with each object.
Public and Private Subnets
( ) subnets are exposed to the Internet, so Internet hosts can interact with the servers on them. ( ) subnet access is limited to specific addresses, preventing direct access to secrets such as datastores.
Virtual Networks
Can be used and manipulated by users, while the actual network underneath cannot.
Exam Tip
Cloud-based computing has requirements to define who can do what (security groups) and what can happen and when (dynamic resource allocation), as well as to manage the security of embedded entities such as containers.
Dynamic Resource Allocation
The cloud has the ability to grow as the load increases and shrink (saving cost) as the load decreases. ( ) monitors the levels of performance.
Exam Tip
Cloud security controls provide the same functionality as normal network controls; they just do it in a different environment. The cloud is not a system without controls.
Storage
Cloud-based data ( ) was one of the first uses of cloud computing. Security requirements related to ( ) in the cloud environment are based on the same fundamentals as in the enterprise environment.
Resource Policies
Cloud-based resources are controlled via a set of policies. This is basically your authorization model projected into the cloud space.
Network
Cloud-based systems are made up of machines connected using a ( ). Typically this ( ) is under the control of the cloud service provider (CSP).
List of Considerations
Cost, Need for Segmentation, and Open Systems Interconnection (OSI) Layers. OSI layers act as a means of describing the different levels of communication across a network.
Replication
Data may ( ) across the cloud as part of a variety of cloud-based activities. Data can move across multiple physical systems.
Encryption
Data should be encrypted when stored in the cloud, and keys should be maintained by the enterprise, not the cloud provider.
High Availability
Having multiple different physical systems working together to ensure your data is redundantly and resiliently stored is one of the cloud's advantages.
Next-Generation Secure Web Gateway (SWG)
Is a network security service located between the users and the Internet. Inspects web requests against company policy to ensure malicious applications and websites are blocked and inaccessible.
~Cloud Security Controls~
Is a shared issue between the user and the cloud provider. Shared responsibilities include software updates, access control, encryption, and other key security controls.
Segmentation
Is the network process of separating network elements into segments and regulating traffic between the segments.
Exam Tip
Modern next-generation firewalls and secure web gateways operate higher in the OSI model, using application layer data to make access decisions.
Application Security
Necessary and a shared responsibility based on the cloud deployment model chosen.
API Inspection and Integration
Refers to the examination of the contents of a request to an API by applying rules to determine whether a request is legitimate and should be accepted.
CASB (exam tip) Cloud access security broker
Remember that a ( ) is a security policy enforcement point that is placed between cloud service consumers and cloud service providers to manage enterprise security policies as cloud-based resources are accessed.
Exam Tip
Remember that zones can be used for replication and provide load balancing as well as high availability.
Secrets Management
Term used to denote the policies and procedures employed to connect the IAM systems of the enterprise and the cloud to enable communications with the data. It is an important aspect of maintaining cloud security.
Compute
The ( ) aspects of a cloud system have the same security issues as a traditional IT system.
~Firewall Considerations in a Cloud Environment~
The cloud needs a firewall blocking all unauthorized connections to the cloud instance. This may be built in, or it may be up to the enterprise to implement.
Exam Tip
Use of a secrets manager can enable secrets management by providing a central trusted storage location for certificates, passwords, and even application programming interface (API) keys.
High Availability Across Zones
When something experiences an error or failure, the failover process moves the processing performed by the failed component to the backup component elsewhere in the cloud. This process is transparent to users.
Instance Awareness
Is the name of a capability that must be enabled on firewalls, secure web gateways, and cloud access security brokers (CASBs) to determine whether the next system in a communication chain is legitimate or not.
Container Security
Is the process of implementing security tools and policies to ensure your container is running as intended.
Integration and Auditing
pg. 401
Cloud-Native Controls vs. Third-Party Solutions
pg. 408
~Solutions~
...
Virtual Private Cloud (VPC) Endpoint
A ( ) provides a means to connect a VPC to other resources without going out over the Internet.
- Virtual elements that can scale.
- Redundant and typically highly available.
