SYO 601 - Chapter 4 - Concepts
Virtual Network - VM Escape Protection
1. Ensure that the patches on the hypervisor and all VMs are always up to date.
2. Ensure that guest privileges are low.
3. The servers hosting the critical services should have redundancy and not be on a single host, so that if one host is attacked it does not become a single point of failure for all of the critical services.
4. A snapshot is necessary for all servers, and VM migration should be used so that another copy is held in another location.
5. A HIPS can be placed inside each VM to protect against an attack.
Software-Defined Network (SDN)
An SDN is where packets are routed through a controller rather than traditional routers, which improves performance. It has three different planes: the control plane prioritizes the traffic, the data plane does switching and routing, and the management plane deals with monitoring the traffic.
Cloud Security Control - Networks - Private Subnets
A VPC contains three private subnets. Each of these subnets has its own CIDR IP address range and cannot connect directly to the internet; their traffic must go through the NAT gateway, which in turn uses the internet gateway to access the internet. In each of the subnets, a default route with an IP address of 0.0.0.0 must be directed to the internet gateway. If routing tables do not know where to send traffic, they follow the default route. Client VMs and database servers would be placed in the private subnet. The private subnet will use one of the following IP address ranges: 10.0.0.0, 172.16.x.x - 172.31.x.x, 192.168.0.0. Private subnets will hold the domain infrastructure, such as domain controllers, mail servers, and database servers, that you don't want to communicate directly with the internet.
Cloud Security Control - Networks - Virtual Private Cloud (VPC)
A VPC is a virtual network that consists of shared resources with a public cloud, where the VMs for one company are isolated from the resources of another company.
Cloud Security Control - Auditing
A cloud auditor is responsible for ensuring that the policies and controls that the cloud provider has put in place are being adopted. They will test that these controls and the system integration are working as expected. Areas audited include: Encryption Levels, Access Control Lists, Privileged Account Use, Password Policies, Anti-Phishing Protection, Data Loss Prevention Controls.
Cloud Security Control - Compute - Security Groups
A compute security group profile is allocated by using a security group template that also states the cloud account, the location of the resource, and the security rules.
Containers
A container allows the isolation of an application and its files and libraries so that they are not dependent on anything else. It allows software developers to deploy applications seamlessly across various environments. Containers are used by Platform as a Service (PaaS) products.
Storage Area Network (SAN)
A hardware device that contains a large number of fast disks, such as Solid-State Drives (SSDs), and is isolated from the LAN as it has its own network servers.
Server farm
A massive network of computer servers running software to coordinate their collective use. Server farms provide the infrastructure backbone to SaaS and hardware cloud efforts, as well as many large-scale Internet services.
Cloud deployment model - Hybrid cloud
A mixture of both on-premises and the cloud is known as a hybrid model. Spilling workload from on-premises into the cloud in this model is known as cloud bursting.
Cloud service model - Anything as a Service (XaaS)
XaaS covers the multitude of other cloud services that are available, such as Network as a Service (NaaS), providing network resources; Desktop as a Service (DaaS); Backup as a Service (BaaS); and many more.
Thin Client
A thin client is a client that has limited resources that are insufficient to run applications. It connects to a server, and the application is processed on the server's resources.
Virtual Network - Virtual Switch
A virtual switch can create three different types of network: internal, external, and private. For each external network, the host needs a physical network card. If you have two external networks, the host needs a minimum of two physical network cards. An internal network can have VLANs created within it.
Edge computing
Data processing and storage take place closer to the sensors rather than thousands of miles away on a server at a data center.
Cloud Security Control - Solutions - Next Generation Secure Web Gateway (SWG)
An SWG acts like a reverse proxy, content filter, and an inline NIPS.
Virtual Network - Containers
An isolated guest machine, for example Docker. It is vendor neutral and will allow you to run applications that have autonomy, which means that they are easy to transfer between different hosts.
Location-Independent
If you are accessing the cloud through a browser, it is location-independent; therefore, it offers faster recovery if your premises suffer a disaster.
Serverless architecture
Backend as a Service, where a third-party vendor hosts your applications as a pay-as-you-go model based on the compute time that you use. You will lease servers or data storage from them.
Binary Large Object (BLOB)
Binary data, like images, videos, or audio files
Cloud Security Control - Storage - Replication - GEO Zone Redundant Storage (GZRS)
Data is replicated between multiple separate zones within your primary region, then one copy is replicated to a single location in a secondary region.
Cloud Security Control - Storage - Replication - Zone Redundant Storage (ZRS)
Data is replicated between three separate zones within your region. It should be used in your primary region; however, if a disaster affects the whole region, then you have no access to the data.
Cloud Service Provider (CSP)
Entities that resell cloud services to customers. They can provide infrastructure, software, VMs and other services that a customer needs.
Cloud Security Controls - High Availability Access Zones
Physical locations that may hold two or more data centers and provide high availability within their zone. They are independent from each other with their own networks. Inside each network, they have their own power and Heating, Ventilation and Air Conditioning (HVAC) systems that regulate their own cooling using hot and cold aisles. Applications can be distributed across multiple zones so that if one zone fails, the application is still available.
Cloud service model - Infrastructure as a Service (IaaS)
IaaS is where you will install the operating system and patch it. Of the cloud service models, IaaS is the one you have more control over. The private cloud is the deployment model that gives you more control.
Virtualization
In a cloud environment the infrastructure is built on a virtual environment. The storage for these machines normally comes from a Storage Area Network (SAN).
Cloud Security Control - Compute - VPC Endpoint
It allows you to create a private connection between your VPC and another cloud service without crossing over the internet.
Virtual Network - Guest
It can be replaced in a disaster recovery situation within a couple of minutes.
Fog computing
It complements cloud computing by processing data from IoT devices. It allows you to analyze the data before committing to the cloud. The data is put in a location between the device and the cloud. It brings cloud computing nearer to the sensor; it also reduces the cost of data moving back and forth between the device and the cloud.
Cloud Access Security Broker (CASB)
It enforces the company's policies between the on-premises situation and the cloud.
Cloud Security Control - Solutions - Cloud Access Security Broker (CASB)
It enforces the company's policies between the on-premises situation and the cloud. There is no group policy in the cloud.
Cloud Security Control - Storage - High Availability
It ensures that copies of your data are held in different locations. ZRS + GRS / ZRS + GZRS
Software-Defined Visibility (SDV)
It gives you visibility of network traffic usage. It can collect and aggregate data on the network traffic and provide good reports to the network administrators.
Cloud Security Control - Compute - Container Security
It is the implementation of security tools and policies that ensures that your container is working as it was intended.
Virtual Network - Host
It is the main server in a virtual environment. It needs storage that normally uses a SAN, memory, and processor cores. These can be increased through time and so the host is scalable.
Cloud Security Control - Integration
It is the process of how data is being handled from input to output.
Cloud Security Control - Solutions - Application Security
It is using products such as Cloud WAF and Runtime Application Self-Protection (RASP) to protect against a zero-day attack.
Virtual Network - Sandboxing
It is where an application is placed in its own VM for patching and testing, or because it is a dangerous application that you don't want to roam across your network. In the Linux environment, this is known as a chroot jail.
Virtual Network - System Sprawl
It is where the virtual host is running out of resources or is overutilizing resources. It could end up with the host crashing and taking out the virtual network. It can be avoided by using thin provisioning: allocating the minimum amount of resources that your VM needs, then gradually increasing the resources as required.
Fibre Channel
It needs expensive Fibre Channel switches and fiber cables.
Cloud service model - Platform as a Service (PaaS)
It provides the environment for developers to create applications. The platform provides a set of services to support the development and operation of applications. You could migrate your bespoke software applications under PaaS.
iSCSI Connector
It runs Small Computer System Interface (SCSI) commands over Ethernet, and can connect through normal Ethernet switches and still offer good speed.
Cloud Security Control - Compute - Dynamic Resource Allocation
It uses virtualization technology to scale cloud resources up and down as demand grows or falls.
Managed Cloud Service Provider (MCSP)
It will also take over the day-to-day running of your cloud as they have the expertise to do so.
Managed Security Service Provider (MSSP)
It will maintain the security environment for companies that will include enterprise firewalls, intrusion prevention and detection systems, and SIEM systems.
Cloud Security Control - Storage - Replication - GEO Redundant Storage (GRS)
Multiple copies of data are replicated in a single physical location in the primary region using LRS, then a copy is replicated to a single location in a secondary region.
Cloud Security Control - Storage - Replication - Local Redundant Storage (LRS)
Multiple copies of your data are replicated at a single physical location.
Cloud Security Control - Networks - Public and Private Subnets
Our cloud environment needs to be broken down into public subnets that can access the internet directly or private subnets that have to go through a NAT gateway and then an internet gateway to access the internet.
TIP - 1
Private cloud = single tenant; Public cloud = multitenant; Community cloud = same industry, sharing resources
Cloud Security Control - Networks - API Inspection and Integration
Representational State Transfer, known as REST, refers to a new way to write web service APIs so that services written in different languages can communicate using HTTP.
Cloud Security Control - Networks - Public Subnets
Resources on the public subnet can connect directly to the internet. Therefore, public-facing web servers will be placed within this subnet. The public subnet will have a NAT gateway for communicating with the private subnets, an internet gateway, and a managed service to connect to the internet.
Cloud service model - Security as a Service (SECaaS)
SECaaS provides Identity and Access Management (IAM), which provides identity management that allows people to have secure access to applications from anywhere at any time.
Cloud service model - Software as a Service (SaaS)
SaaS is a bespoke vendor application that cannot be modified and you use it with a pay-per-use model, as a subscription, and you cannot migrate any applications or services to any SaaS environment.
Scalability of cloud computing
Scalability is the ability of a company to grow while maintaining a resilient infrastructure. The cloud enables a company to do so and grow without the worry of needing to make capital expenditure while doing so.
No Disaster Recovery Site Required
The CSP provides 99.999% availability of its IT systems, therefore, once your data is in the cloud, there is no requirement for a disaster recovery site as the CSP provides that as part of the contract.
No Maintenance Fees
The CSP provides ongoing maintenance, so when the cloud contract is signed there are no hidden costs.
Elasticity of cloud computing
The cloud is like a pay-as-you-go model, where one day you can increase resources and the next day you can scale the resources down.
Regional Storage of Data
The cloud is regulated, therefore data from a country must be stored within that region as laws on data compliance can change from region to region.
Cloud deployment model - Community cloud
The community cloud is where companies from the same industry collectively pay for a bespoke application to be written, and the cloud provider hosts it.
Cloud deployment model - Public cloud
The most common model, where the CSP provides cloud services for multiple tenants.
Cloud Security Control - Networks - Segmentation
Services that are permitted to access, or be accessible from, other zones are governed by a strict set of rules controlling this traffic. These rules are enforced by the IP address ranges of each subnet. Within a private subnet, VLANs can be used to carry out departmental isolation.
Resource Policies
These are policies that state what access level or actions someone has to a particular resource.
Cloud Security Control - Resource Policies
These are policies that state what access level or actions someone has to a particular resource. This is crucial for resource management and audit, and it applies the principle of least privilege.
Cloud Security Control - Networks - NAT Gateway
This allows the private subnets to communicate with other cloud services and the internet, but hides the internal network from internet users. The NAT gateway has the Network Access Control List (NACL) for the private subnets.
Microservices / API
This allows you to define individual services that can then be connected by using an application program interface. They are loosely coupled and can be reused when creating applications.
Transit Gateway
This is a network hub that acts as a regional virtual router to interconnect virtual private clouds (VPC) and VPN connections.
Cloud Security Control - Secret Management
This is a secure application, and it could be called a vault where the keys, tokens, passwords, and SSH keys used by privileged accounts are stored. It could be a vault that is heavily encrypted to protect these items. Microsoft uses RSA 2048-bit keys to protect Azure secret management.
Virtual Network - Type 1 Hypervisor
This is an enterprise version that can be installed on a computer without an operating system, called bare metal.
Cloud Security Control - Storage - Replication
This is in case there are power or hardware failures or environmental disasters such as hurricanes. The data cannot be located outside of the region where it is created.
Virtual Network - VM Sprawl
This is where an unmanaged VM has been placed on your network. It will not be patched, and over a period of time it will become vulnerable and could be used for a VM escape attack.
Services Integration
This is where the provision of several business services is combined with different IT services, and these are integrated to provide a single solution for a business.
Infrastructure as Code
This is where you manage your computer infrastructure with configuration files rather than by physical methods. This is very common with cloud technologies, making it easier to set up computers and roll out patches.
Virtual Network - Type 2 Hypervisor
This needs an operating system, such as Server 2016 or Windows 10, and then the hypervisor is installed like an application.
Virtual Network - Snapshot
To capture the virtual machine's settings. You can take a snapshot before you carry out a major upgrade of a VM and roll back to it if needed.
Cloud Security Control - Networks - VPN Connection
To create a secure connection to your VPC, you can connect a VPN using L2TP/IPsec to the public interface of the NAT gateway.
Virtual Network - Sprawl Avoidance
To have robust security policies for adding VMs to the network and use either a NIDS or Nmap to detect new hosts.
Cloud Security Control - Storage - Permissions
Users have a storage identity and are put into different storage groups that have different rights.
Virtual Network - VM Escape
VM escape is where an attacker gains access to a VM, then attacks either the host machine that holds all of the VMs, the hypervisor, or any of the other VMs.
Cloud Security Control - Solutions - Firewall Considerations in a Cloud Environment
We need a good firewall to block incoming traffic and put up a barrier to protect the internal cloud resources against hackers or malware. It is usually a Web Application Firewall. Considerations include: Cost, Need for Segmentation, Interconnection OSI Layers, Cloud Native Controls versus Third-Party Solutions.
Cloud Security Control - Compute - Instance Awareness
We need to monitor VM instances so that an attacker cannot place an unmanaged VM that would lead to VM sprawl and then ultimately VM escape. We must use tools like a Network Intrusion Detection System (NIDS) to detect new instances, and the IT team must maintain a list of managed VMs.
No Capital Expenditure (CAPEX)
When you move your infrastructure to the cloud, there is no capital expenditure; normally, IT resources have a maximum lifespan of 3-5 years.
Cloud deployment model - Private cloud
Where a company purchases all of its hardware. This gives them more control than other cloud models. They normally host their own cloud because they do not want to share resources with anyone else, but at the same time, their workforce has all the mobile benefits of the cloud.
Cloud Security Control - Storage - Encryption
With cloud storage, you may need to have more than one type of encryption.
Data encryption: symmetric encryption such as AES-256, or RSA 2048-bit, for blob storage.
Data in transit: TLS or SSL or Transport Data Encryption (TDE).