Lesson 6: Secure Cloud Network Architecture

Question 1

Define a ‘cloud deployment model’

Answer 1

Classifying the ownership and management of a cloud as public, private, community, or hybrid.

Question 2

Define a ‘Public (or multi-tenant)’ cloud model

Answer 2

A cloud that is deployed by cloud service providers (CSPs) for shared use by multiple independent tenants; Subscriptions or pay-as-you-go financing.

Question 3

Define ‘Multi-cloud architecture’

Answer 3

Cloud deployment model where the cloud consumer uses multiple public cloud services.

Question 4

Define a ‘Hosted Private’ cloud model

Answer 4

Hosted by a third party for the exclusive use of an organization.

Question 5

Define a ‘Private’ cloud model

Answer 5

A cloud that is deployed for use by a single entity.

Question 6

Define a ‘Community’ cloud model

Answer 6

A cloud that is deployed for shared use by cooperating tenants/organizations.

Question 7

Define ‘Single-tenant architecture’

Answer 7

Dedicated infrastructure to a single customer, ensuring that only that customer can access the infrastructure; More secure but most expensive.

Question 8

Define ‘Multi-tenant architecture’

Answer 8

Multiple customers share the same infrastructure, with each customer’s data and applications separated logically from other customers.

Question 9

What are positives/negatives of Multi-tenant architecture?

Answer 9

Cost-effective but can increase the risk of unauthorized access or data leakage if not properly secured.

Question 10

Define ‘Hybrid architecture’

Answer 10

Combination of public and private cloud.

Question 11

Define ‘Serverless architecture’

Answer 11

Cloud provider manages the server infrastructure and automatically scales resources up or down based on demand.

Question 12

Define a ‘Cloud service model’

Answer 12

Classifying the provisioning of cloud services and the limit of the cloud service provider’s responsibility as software, platform, infrastructure, and so on.

Question 13

Define ‘anything as a service (XaaS)’

Answer 13

The concept that most types of IT requirements can be deployed as a cloud service model.

Question 14

Define ‘Software as a service (SaaS)’

Answer 14

A cloud service model that provisions fully developed application services to users; O365, Salesforce; RingCentral.

Question 15

Define ‘Platform as a service (PaaS)’

Answer 15

Between SaaS and IaaS; Cloud service model that provisions application and database services as a platform for development of apps.

Question 16

Define ‘Infrastructure as a service (IaaS)’

Answer 16

A cloud service model that provisions virtual machines and network infrastructure.

Question 17

Define a ‘Third-party vendor’

Answer 17

External entities that provide organizations with goods, services, or technology solutions.

Question 18

How do organizations manage 3rd party vendor (CSP) agreements?

Answer 18

By adopting SLAs (Service Level Agreements) to mitigate cloud platform risks, ensure service quality, and optimize cloud deployments.

Question 19

Define a ‘Service Level Agreement (SLA)’

Answer 19

Contractual agreement between organizations and service providers that outline the expected levels of service delivery.

Question 20

What is the purpose of a Service-level agreement (SLA)?

Answer 20

Provide a framework to hold vendors accountable for delivering services at required performance levels.

Question 21

What components of Service-level agreements (SLAs) determine service levels?

Answer 21

Metrics, such as uptime, performance, and support response times, along with penalties or remedies if service levels are not met.

Question 22

Define ‘Centralized computing architecture’

Answer 22

A model where all data processing and storage is performed in a single location, typically a single server.

Question 23

Define ‘decentralized computing architecture’

Answer 23

A model in which data processing and storage are distributed across multiple locations or devices.

Question 24

What are examples of Centralized computing architecture?

Answer 24

Mainframe computers and client-server architectures.

Question 25

What are examples of decentralized computing architecture?

Answer 25

Blockchain, Peer-to-peer (P2P) networks, Content delivery networks (CDNs), IoT devices, Tor, Distributed databases.

Question 26

What is the foundation of cloud services?

Answer 26

Virtualization

Question 27

Define ‘high availability (HA)’

Answer 27

Metric that defines how closely systems approach the goal of providing service/data availability 100% of the time while maintaining a high level of system performance.

Question 28

How is high high availability (HA) achieved?

Answer 28

Redundancy of hardware/links; Replication

Question 29

Define ‘Replication’

Answer 29

Automatically copying data between two processing systems.

Question 30

Define ‘synchronous replication’

Answer 30

Data is copied from one system to another simultaneously.

Question 31

Define ‘asynchronous replication’

Answer 31

Data is copied from a primary system to a secondary system.

Question 32

Define ‘hot storage’

Answer 32

CSP storage performance tier; Data is retrieved quickly at a high rate.

Question 33

Define ‘cold storage’

Answer 33

CSP data storage performance tier where data is retrieved at a slower at a rate.

Question 34

What is the best replication solution for a cloud database?

Answer 34

Low-latency hot storage with synchronous replication.

Question 35

How can an organization provide a lower latency service to customers utilizing a cloud service?

Answer 35

Provisioning resources in multiple availability zones and regions.

Question 36

List the 3 cloud service provider replication tiers

Answer 36

1. Local replication
2. Regional replication
3. Geo-redundant storage

Question 37

Define ‘local replication’

Answer 37

Replicates customer data within a single datacenter in the region where you created your storage account.

Question 38

Define ‘Regional replication/zone-redundant storage’

Answer 38

Replicates customer data across multiple datacenters within one or two regions.

Question 39

Define ‘Geo-redundant storage (GRS)’

Answer 39

Replicates customer data to a secondary region that is distant from the primary region.

Question 40

Define ‘Application virtualization’

Answer 40

A software delivery model where the code/application runs on a server and is streamed to a client.

Question 41

What protocol is the foundation of Application virtualization?

Answer 41

HTLM5 because users can access them through ordinary web browser software.

Question 42

Define ‘Containerization’

Answer 42

Enforces resource separation at the operating system level and containing everything required to run a service, application, or microservice.

Question 43

How does an OS separate containers?

Answer 43

OS defines isolated “cells” for each user instance to run in and is allocated CPU and memory resources.

Question 44

Define a ‘virtual private cloud (VPC)’

Answer 44

A private network segment made available to a single cloud consumer on a public cloud.

Question 45

What are typical services of a virtual private cloud (VPC)?

Answer 45

Authentication, web applications, and communications.

Question 46

What is the infrastructure used to support a virtual private cloud (VPC)?

Answer 46

Applications are developed as functions and microservices, each interacting with other functions to facilitate client requests.

Question 47

Define a ‘Microservice’

Answer 47

An independent, single-function module with well-defined and lightweight interfaces and operations.

Question 48

What is the purpose of a ‘Microservice’

Answer 48

Architectural approach to building software applications as a collection of small and independent services focusing on a specific business capability.

Question 49

Define ‘Infrastructure as Code (IaC)’

Answer 49

Deployment/management of infrastructure is performed by scripted automation and orchestration using machine-readable definition files.

Question 50

List different file types that contain code that is read and executed by machines in Infrastructure as Code (IaC)

Answer 50

YAML, JSON, and HCL (HashiCorp Configuration Language.)

Question 51

What is defined in files like YAML, JSON, and HCL (HashiCorp Configuration Language)?

Answer 51

Configuration settings, networking requirements, security policies, and other settings.

Question 52

What is the main purpose of Infrastructure as Code (IaC)?

Answer 52

Infrastructure can be deployed and managed automatically and consistently, reducing the risk of errors caused by manual intervention.

Question 53

What is a secondary benefit of Infrastructure as Code (IaC)?

Answer 53

Replicate infrastructure across different environments, such as development, staging, and production, to ensure that the environments are consistent.

Question 54

Define ‘Edge Computing’

Answer 54

Cloud networking concept utilizing distributed computing resources to minimize the distance data needs to travel.

Question 55

What is the purpose of edge computing?

Answer 55

To reduce network latency and improve responsiveness.

Question 56

Define ‘software-defined networking (SDN)’

Answer 56

Networking model with APIs and compatible network appliances enabling programmable networking.

Question 57

What are the 3 ‘planes/levels’ of software-defined networking (SDN)?

Answer 57

1. Control Plane
2. Data Plane
3. Management Plane

Question 58

Define the ‘Control Plane’

Answer 58

Makes decisions about how traffic should be prioritized, secured, and where it should be switched.

Question 59

Define the ‘Data Plane’

Answer 59

Handles the switching and routing of traffic and enforcement of security access controls.

Question 60

Define the ‘Management Plane’

Answer 60

Monitors traffic conditions and network status.

Question 61

What is the management plane comprised of?

Answer 61

Administrators and their devices along with front end management.

Question 62

How are decisions from the control plane processed at the data plane?

Answer 62

A network controller application, which interfaces with the network devices using APIs.

Question 63

Define a ‘northbound API’

Answer 63

Interface between the SDN applications and the SDN controller (Control plane to Management plane).

Question 64

Define ‘southbound API’

Answer 64

Interface between the SDN controller and the SDN appliances (Control plane to Data plane).

Question 65

Define an ‘Interconnection Security Agreement (ISA)’

Answer 65

Establishes the security requirements and responsibilities between the organization and the cloud service provider.

Question 66

What is the purpose of an Interconnection Security Agreement (ISA)

Answer 66

To define encryption methods, access controls, vulnerability management, data segregation techniques, specify data ownership, audit rights, and data backup, recovery, and retention procedures.

Question 67

What are the two main cloud security considerations?

Answer 67

Data protection and pathing of services.

Question 68

Define ‘Software-Defined Wide Area Network (SD-WAN) ‘

Answer 68

Services that use software-defined mechanisms and routing policies to implement virtual tunnels and overlay networks over transport networks.

Question 69

What is the purpose of an organization implementing Software-Defined Wide Area Network (SD-WAN)?

Answer 69

Enables organizations to connect their various branch offices, datacenters, and cloud infrastructure over a wide area network (WAN).

Question 70

Define ‘Secure Access Service Edge (SASE)’

Answer 70

Combines security services like firewalls, identity and access management, and secure web gateway with networking services such as SD-WAN to provide access to cloud applications.

Question 71

Define an ‘Embedded system’

Answer 71

Electronic system that is designed to perform a specific, dedicated function.

Question 72

What are examples of items that use embedded systems?

Answer 72

Smartphones, Automotive systems, medical devices, aerospace and defense.

Question 73

Define a ‘Real-Time Operating Systems (RTOS)’

Answer 73

A type of OS high levels of stability and processing speed to ensure consistent response.

Question 74

Define ‘Internet of Things (IoT)’

Answer 74

The network of physical devices, and other objects embedded with sensors, software, and connectivity, enabling them to collect and exchange data.

Question 75

How does oversaturation of IoT devices cause security risk?

Answer 75

Too many devices to manage securely; IoT devices are designed with limited processing power and memory, making it difficult to implement strong security controls.

Question 76

Define ‘zero trust’

Answer 76

Security design paradigm where every/any request (host-to-host or container-to-container) must be authenticated before being allowed.

Question 77

Define ‘Deperimeterization’

Answer 77

Security approach that shifts the focus from defending a network’s boundaries to protecting individual resources and data within the network.

Question 78

How is deperimeterization achieved?

Answer 78

Authentication, encryption, access control, and continuous monitoring to maintain the security of critical resources regardless of location.

Question 79

What are the 3 fundamental concepts of zero trust architecture?

Answer 79

1. Adaptive Identity
2. Threat scope reduction
3. Policy-driven access control

Question 80

Define ‘Adaptive Identity’

Answer 80

Recognizes that user identities are not static and that identity verification must be continuous and based on a user’s current context and the resources they are attempting to access.

Question 81

Define ‘Threat scope reduction’

Answer 81

Similar to role based access/least privilege; access is limited to only those resources required to complete a specific task.

Question 82

Define ‘Policy-driven access control’

Answer 82

Attribute Based Access Control (ABAC); Access control policies enforce access restrictions based on user identity, device posture, and network context.

Question 83

Define ‘device posture’

Answer 83

Refers to the security status of a device, including its security configurations, software versions, and patch levels.

Question 84

Combining a software defined networking, and zero trust architecture, what is the role of the control plane?

Answer 84

Defines/manages policies that dictate how users and devices are authorized to access network resources.

Question 85

Combining a software defined networking, and zero trust architecture, what is the role of the data plane?

Answer 85

Systems in the data plane establish sessions for secure information transfers between resources.