3.6 Given a Scenario, apply Cybersecurity Solutions to the cloud

Question 1

High availability and high availability across zones.

Answer 1

High availability indicates a system or service remains operational with almost zero downtime. It’s typically achieved by using multiple load-balancing nodes. High availability across zones indicates that the nodes are located in different cloud locations, such as separate geographic locations. If one node fails, other nodes can take on its load.

Question 2

Resources policies

Answer 2

In this context, resources refer to cloud-based resources such as folders, projects, and virtual machine instances. Customers rent access to resources, and the CSP resource policies ensure customers don’t create more resources than their plan allows.

Question 3

secret’s management

Answer 3

Secrets refer to passwords and encryption keys that users create. A secrets management system stores and manages secrets, including keeping them secure.

Question 4

Integration and auditing.

Answer 4

The CSP integrates security controls into the cloud-based resources, and auditing methods help customers identify the effectiveness of security controls at protecting the confidentiality, integrity, and availability of cloud-based resources.

Question 5

Storage

Answer 5

Cloud-based storage allows customers to store data in the cloud. AWS stores data in buckets. Google uses Google Drive and allows users to store files in a hierarchical format similar to folders in Windows.

Question 6

Permissions

Answer 6

Permissions identify who can access the data. While the processes differ with different CSPs, the concepts are similar to file system permissions

Question 7

Encryption.

Answer 7

Encryption protects the confidentiality of data, and CSPs commonly provide encryption services. This prevents unauthorized personnel from accessing data.

Question 8

Replication

Answer 8

Data replication is the process of creating a copy of data and storing it in a different location. For example, you can replicate data on a desktop computer to a removable drive. Cloud data replication creates a copy of data in the cloud.

Question 9

High availability

Answer 9

High availability indicates a system or service remains operational with almost zero downtime.

Question 10

Networks

Answer 10

CSPs provide entire networks to organizations that need them.

Question 11

Virtual Networks

Answer 11

A CSP creates virtual networks for customers that need them. These typically use software-defined network technologies (described later in this chapter) instead of physical routers and switches. A single server can host an entire virtual network.

Question 12

Public and private subnets.

Answer 12

Public subnets have public IP addresses and are accessible via the Internet. Private subnets have private IP addresses and aren’t directly accessible via the Internet. Organizations typically use screened subnets for any public subnets that need to be accessible via the Internet. Virtual networks can mimic this design with both public and private subnets.

Question 13

Segmentation.

Answer 13

Just as local networks support segmentation with virtual local area networks (VLANs) and screened subnets, cloud-based networks can segment computers or networks.

Question 14

API inspection and integration

Question 15

Compute

Answer 15

The CSPs compute engine lets customers create and run a variety of solutions from single websites to full virtual networks

Question 16

Security groups.

Answer 16

Security groups are similar to groups used in Windows and described in the role-based access control model, Administrators assign permissions to a group and add users to the account.

Question 17

Dynamic resource allocation

Answer 17

Cloud-based resources typically support elasticity. Elasticity indicates the CSP can dynamically allocate additional resources, such as more processors, more memory, or more disk space to a cloud-based resource when it’s needed. When the additional resources are no longer needed, the CSP can dynamically remove them.

Question 18

Instance awareness.

Answer 18

Instance awareness refers to the ability of the CSP to know and report how many instances of cloud-based resources an organization is renting. This can help an organization avoid VM sprawl.

Question 19

Virtual private cloud (VPC) endpoint.

Answer 19

A VPC endpoint is a virtual device within a virtual network. Users or services can connect to the VPC endpoint and then access other resources via the virtual network instead of accessing the resources directly via the Internet. This can significantly reduce the bandwidth required to access resources directly.

Question 20

Container security.

Answer 20

Container virtualization (described earlier) runs services or applications within containers. CSPs commonly use containers with cloud resources, and container security protects these containers.

Question 21

CASB

Answer 21

A CASB is a software tool or service deployed between an organization’s network and the cloud provider.

Question 22

Application Security

Question 23

Next-Generation Secure Web Gateway

Answer 23

A next-generation secure web gateway (SWG) is a combination of a proxy server and a stateless firewall. The SWG is typically a cloud-based service, but it can be an on-site appliance.

Question 24

Firewall Considerations in a cloud environment

Answer 24

When creating virtual networks in the cloud, there are some additional items to consider. Just as physical networks need firewalls to prevent unauthorized access, virtual networks also need firewalls. It’s common to use two firewalls to create a screened subnet, This provides segmentation and helps reduce an attacker’s success when attacking the virtual network.

Question 25

Cost

Answer 25

The cost of cloud-based firewalls varies depending on how they’re used. Smaller organizations can rent access to a firewall for employees on a per-user basis. This relieves the organization from managing the firewall.

Question 26

Need for segmentation

Question 27

Open systems

Question 28

Interconnection (OSI) layers

Answer 28

Cloud-based firewalls typically operate on all seven layers of the Open Systems Interconnection (OSI) model, allowing them to filter traffic on the application layer. Appendix D, “The OSI Model,” provides a refresher on the OSI model if you need it.

Question 29

Cloud native control vs. third-party solutions

Answer 29

CSPs employ native controls to protect cloud-based resources. This may be enough for some customers, but other customers want more security features and seek third-party solutions, such as a cloud access security broker (CASB).