Domain 7 - Infrastructure Security

Question 1

_______ is the foundation for operating securely in the cloud. Is the glue of computers and networks that we build everything on top of. encompasses the lowest layers of security, from physical facilities through
the consumer’s configuration and implementation of infrastructure components. These are
the fundamental components that everything else in the cloud is built from, including compute
(workload), networking, and storage security.

Answer 1

Infrastructure security

Question 2

Two macro layers to infrastructure

Answer 2

• The fundamental resources pooled together to create a cloud. This is the raw, physical and
  logical compute (processors, memory, etc.), networks, and storage used to build the cloud’s
  resource pools.
• The virtual/abstracted infrastructure managed by a cloud user. That’s the compute, network,
  and storage assets that they use from the resource pools.

Question 3

What are the 3 common networks isolated onto different dedicated hardware in the cloud?

Answer 3

• Management Network
• Storage Network
• Service Network

Question 4

2 Major categories of Virtualisation?

Answer 4

• VLAN

- SDN

Question 5

Is a type of virtualisation designed for single tenant network and not designed for cloud virtualisation scale

Answer 5

VLAN

Question 6

Is a type of virtualisation that decouples network plane from data plane and can offer much flexibility and isolation

Answer 6

SDN

Question 7

True/False: Traditional Network Intrusion Detection Systems, where communications between hosts are are
mirrored and inspected by the virtual or physical Intrusion Detection Systems will not be supported
in cloud environments; customer security tools need to rely on an in-line virtual appliance, or
a software agent installed in instances. This creates either a chokepoint or increases processor
overhead, so be sure you really need that level of monitoring before implementing.

Answer 7

True

Question 8

What are the challenges of virtual appliances in the cloud?

Answer 8

• Virtual Appliances can become bottleneck
• May take significant resource and increase cost
• Should be cloud aware and designed to handle velocity of change
• Limited Auto scale capabilities

Question 9

SDN Security Benefits

Answer 9

• Isolation is easier

- SDN Firewalls provide better flexible criteria than hardware FW

Question 10

________________ (also sometimes referred to as hypersegregation) leverages virtual network topologies to run more, smaller, and more isolated networks without incurring additional hardware costs that historically
make such models prohibitive

Answer 10

Microsegmentation

Question 11

3 Components of CSA Software Defined Perimiter Working Group (SDP)

Answer 11

• SDP Client
• SDP Controller
• SDP Gateway

Question 12

True/False: Cloud users are responsible for implementing perimeter security that protects the
environment, but minimizes impact on customer workloads,

Answer 12

False. It is Cloud Provider responsibility

Question 13

_________ connect an enterprise private cloud or data center to a public cloud provider, typically using either a dedicated Wide Area Network (WAN) link or VPN.

Answer 13

Hybrid clouds

Question 14

_____ is an emergin architecture for hybrid connectivity which allows to connect to multiple cloud network using single hybrid connection

Answer 14

Bastion or Transit network

Question 15

A ______ is a unit of processing, which can be in a virtual machine, a container, or other
abstraction.

Answer 15

Workload

Question 16

True/False: It’s important to remember that every cloud workload runs on a hardware stack, and the integrity of
this hardware is absolutely critical for the cloud provider to maintain.

Answer 16

True

Question 17

Some Multiple Compute abstraction types

Answer 17

• Virtual Machines
• Containers
• Platform-based workload
• Serverless Computing

Question 18

______ are the most-well known form of compute abstraction, and
are offered by all IaaS providers. They are commonly called instances in cloud computing
since they are created (or cloned) off a base image.

Answer 18

Virtual machines

Question 19

_______ are code execution environments that run within an operating system
(for now), sharing and leveraging resources of that operating system. While a VM is a full
abstraction of an operating system, this one is a constrained place to run segregated
processes while still utilizing the kernel and other capabilities of the base OS

Answer 19

Containers

Question 20

________ is a more complex category that covers workloads running on a shared platform that aren’t virtual machines or containers, such as logic/procedures running
on a shared database platform. Isolation and security are totally the responsibility of the platform provider, although the provider may expose certain security options and controls.

Answer 20

Platform-based workload

Question 21

_________ is a broad category that refers to any situation where the
cloud user doesn’t manage any of the underlying hardware or virtual machines, and just
accesses exposed functions. Under the hood, these still utilize capabilities such as containers, virtual
machines, or specialized hardware platforms. From a security perspective, is merely a
combined term that covers containers and platform-based workloads, where the cloud provider
manages all the underlying layers, including foundational security functions and controls.

Answer 21

Serverless Computing

Question 22

True/False: The burden to maintain workload

isolation is on the cloud provider and should be one of their top priorities.

Answer 22

True

Question 23

True/False: To reconfigure or change an immutable instance you update the underlying image, and then rotate
the new instances by shutting down the old ones and running the new ones in their place.

Answer 23

True

Question 24

Security benefits of immutable workload

Answer 24

• You no longer patch running systems
• Disabled logins when running workloads
• Much faster to roll out updated version
• Easier to disable services
• Security testing can be managed during image creation

Question 25

Some requirements of immutable workloads

Answer 25

• Need of consistent image creation process for updates
• Security testing must be integrated on the image creation process
• Need configuration to disable login and restrict services
• May want process to enable login on some processes
• Increased complexity to manage service catalogs

Question 26

True/False: Immutable workloads typically require fewer additional security tools, due to their hardened nature.

Answer 26

True

Question 27

True/False: Cloud workloads running in isolation are typically less resilient than on physical infrastructure,
due to the abstraction. Providing disaster recovery for these is extremely important.

Answer 27

True

Question 28

True/False: For workloads, IP addresses in logs won’t necessarily reflect a particular workflow since multiple virtual
machines may share the same IP address over a period of time, and some workloads like
containers and serverless may not have a recognizable IP address at all.

Answer 28

True