Cloud Security

Question 1

Cloud Computing

Answer 1

§ A way of offering on-demand services that extend the traditional capabilities of a computer or network
§ Cloud computing relies on virtualization to gain efficiencies and cost savings

Question 2

Hyperconvergence

Answer 2

Hyperconvergence allows providers to fully integrate the storage, network, and
servers

Question 3

Virtual Desktop Infrastructure

Answer 3

VDI allows a cloud provider to offer a full desktop operating system to an end user from a centralized server

Question 4

Virtual Desktop Infrastructure

Answer 4

VDI allows a cloud provider to offer a full desktop operating system to an end user from a centralized server

Question 5

secure enclave

Answer 5

A secure enclave provides CPU hardware-level isolation and memory encryption on every server, by isolating application code and data from anyone with privileges, and encrypting its memory.

Question 6

Cloud Types

Answer 6

• Public Cloud
• Private Cloud
• Hybrid Cloud
• Community Cloud

Question 7

Public Cloud

Answer 7

A service provider makes resources available to the end users over the Internet

Question 8

Private Cloud

Answer 8

§ A company creates its own cloud environment that only it can utilize as an internal enterprise resource
§ A private cloud should be chosen when security is more important than cost

Question 9

Community Cloud

Answer 9

Resources and costs are shared among several different organizations who have common service needs

Question 10

Software as a Service

Answer 10

Provides all the hardware, operating system, software, and applications needed for a complete service to be delivered

Question 11

Infrastructure as a Service

Answer 11

Provides all the hardware, operating system, and backend software needed in order to develop your own software or service

Question 12

Platform as a Service

Answer 12

Provides your organization with the hardware and software needed for a specific service to operate

Question 13

Security as a Service

Answer 13

§ Provides your organization with various types of security services without the need to maintain a cybersecurity staff
§ Anti-malware solutions were one of the first SECaaS products

Question 14

File Servers

Answer 14

Servers are used to store, transfer, migrate, synchronize, and archive files for your organization

Question 15

FTP Server

Answer 15

§ A specialized type of file server that is used to host files for distribution across the web
§ FTP servers should be configured to require TLS connections

Question 16

Domain Controller

Answer 16

A server that acts as a central repository of all the user accounts and their associated passwords for the network

Question 17

Virtual Private Cloud

Answer 17

o A private network segment made available to a single cloud consumer within a public cloud
o The consumer is responsible for configuring the IP address space and routing within the cloud
o VPC is typically used to provision internet-accessible applications that need to be accessed from geographically remote sites
o On-premise solutions maintain their servers locally within the network
o Many security products offer cloud-based and on-premise versions
o Consider compliance or regulatory limitations of storing data in a cloud-based security solution
o Be aware of the possibility of vendor lock in

Question 18

Cloud Access Security Broker

Answer 18

Enterprise management software designed to mediate access to cloud services by users across all types of devices
• Single sign-on
• Malware and rogue device detection
• Monitor/audit user activity
• Mitigate data exfiltration

Question 19

Forward Pro

Answer 19

o A security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy
o WARNING: Users may be able to evade the proxy and connect directly

Question 20

Reverse Proxy

Answer 20

o An appliance positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy
o WARNING: This approach can only be used if the cloud application has proxy support

Question 21

Application Programming Interface

Answer 21

o A method that uses the brokers connections between the cloud service and the cloud consumer
o WARNING: Dependent on the API supporting the functions that your policies demand

Question 22

Function as a Service

Answer 22

A cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language

Question 23

Serverless

Answer 23

§ A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances
§ Everything in serverless is developed as a function or microservice

Question 24

Cloud Threats

Answer 24

Insecure Application Programming Interface (API)
Improper Key Management
Insufficient Logging and Monitoring
Unprotected Storage
Cross Origin Resource Sharing (CORS) Policy

Question 25

Secure Application Programming Interface (API)

Answer 25

§ WARNING: An API must only be used over an encrypted channel (HTTPS)
§ Data received by an API must pass service-side validation routines
§ Implement throttling/rate-limiting mechanisms to protect from a DoS

Question 26

Proper Key Management

Answer 26

§ APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data
§ WARNING: Do not hardcode or embed a key into the source code
§ Do not create one key with full control to access an application’s functions
§ Delete unnecessary keys and regenerate keys when moving into a production environment

Question 27

Sufficient Logging and Monitoring

Answer 27

§ WARNING: Software as a service may not supply access to log files or monitoring tools
§ Logs must be copied to non-elastic storage for long-term retention

Question 28

Protected Storage

Answer 28

§ WARNING: Access control to storage is administered through container policies, IAM authorizations, and object ACLs
§ Incorrect permissions may occur due to default read/write permissions leftover from creation
§ Incorrect origin settings may occur when using content delivery networks

Question 29

Cloud storage containers are referred to as _______________

Answer 29

Cloud storage containers are referred to as buckets or blobs