Lesson 15 Flashcards

(100 cards)

1
Q

Cloud Deployment Models

A

Public (multi-tenant)
•Cloud service providers (CSPs)
•Shared between subscribers
•Multi-cloud

Hosted private
•Private instance operated by a CSP but dedicated to a single customer

Private
•Wholly owned and operated by the organization
•On-premises vs. off-premises

Community

Hybrid

2
Q

On-premises vs. off-premises

A

(Referring to private clouds.) This type of cloud could be on-premises or offsite relative to the other business units. An onsite link can obviously deliver better performance and is less likely to be subject to outages (loss of an Internet link, for instance). On the other hand, a dedicated offsite facility may provide better shared access for multiple users in different locations.

3
Q

Public cloud

A

Public (multi-tenant)
•Cloud service providers (CSPs)
•Shared between subscribers
•Multi-cloud

4
Q

Multi-cloud architecture

A

Multi-cloud architectures are where an organization uses services from multiple CSPs.

5
Q

Hosted private

A

Hosted private
•Private instance operated by a CSP but dedicated to a single customer

Hosted private—hosted by a third party for the exclusive use of the organization. This is more secure and can guarantee a better level of performance but is correspondingly more expensive.

6
Q

Private

A
•Wholly owned and operated by the organization
•On-premises vs. off-premises

Typical for banking or government organizations.

7
Q

Community

A

This is where several organizations share the costs of either a hosted private or fully private cloud. This is usually done in order to pool resources for a common concern, like standardization and security policies.

8
Q

Hybrid

A

There will also be cloud computing solutions that implement some sort of hybrid public/private/community/hosted/onsite/offsite solution. For example, a travel organization may run a sales website for most of the year using a private cloud but break out the solution to a public cloud at times when much higher utilization is forecast.

9
Q

Cloud Service Models

A

Anything as a service (XaaS)

Infrastructure as a Service (IaaS)
•Unconfigured compute, storage, and network resources
•Provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly. Rather than purchase these components and the Internet links they require, you rent

Software as a Service (SaaS)
•Fully developed applications

Platform as a Service (PaaS)
•Pre-configured OS and database/middleware instances
•A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top.

10
Q

Infrastructure as a Service (IaaS)

A

Infrastructure as a Service (IaaS)
•Unconfigured compute, storage, and network resources
•Provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly. Rather than purchase these components and the Internet links they require, you rent

11
Q

Software as a Service (SaaS)

A

Software as a Service (SaaS)

•Fully developed applications

12
Q

Platform as a Service (PaaS)

A

•Pre-configured OS and database/middleware instances
•A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top.

13
Q

Security in the cloud

A

The things you (the customer) must take responsibility for.

14
Q

Security of the cloud

A

The things the CSP manages.

15
Q

Cloud responsibility matrix

A

The split between security in the cloud and security of the cloud is determined by the service model type. Refer to the table in the guide (or slides).

16
Q

Security as a service

A

Consultants
•Third-party expertise and perspective

Managed Security Services Provider (MSSP)
•Turnkey security solutions (expensive and requires a lot of trust in the MSSP)

Security as a Service (SECaaS)
•Cloud-deployed security assessment and analysis
•Cyber threat intelligence and machine learning analytics

17
Q

Virtualization

A

Means that multiple operating systems can be installed and run simultaneously on a single computer.

18
Q

Virtual Platform

A

Requires at least three components:
• Host hardware—the platform that will host the virtual environment. Optionally, there may be multiple hosts networked together.
• Hypervisor/Virtual Machine Monitor (VMM)—manages the virtual machine environment and facilitates interaction with the computer hardware and network.
• Guest operating systems, Virtual Machines (VM), or instances—operating systems installed under the virtual environment.

19
Q

Host hardware

A

• Host hardware—the platform that will host the virtual environment. Optionally, there may be multiple hosts networked together.

20
Q

Hypervisor/Virtual Machine Monitor (VMM)

A

• Hypervisor/Virtual Machine Monitor (VMM)—manages the virtual machine environment and facilitates interaction with the computer hardware and network.

21
Q

Guest operating systems, Virtual Machines (VM)

A

• Guest operating systems, Virtual Machines (VM), or instances—operating systems installed under the virtual environment.

22
Q

Type II hypervisors (host-based)

A

In a guest OS (or host-based) system, the hypervisor application (known as a Type II hypervisor) is itself installed onto a host operating system.

Examples of host-based hypervisors include VMware Workstation, Oracle VirtualBox, and Parallels Workstation. The hypervisor software must support the host OS.

23
Q

Type I hypervisors (bare metal)

A

A bare metal virtual platform means that the hypervisor (Type I hypervisor) is installed directly onto the computer and manages access to the host hardware without going through a host OS. Examples include VMware ESXi Server, Microsoft’s Hyper-V, and Citrix XenServer. The hardware need only support the base system requirements for the hypervisor plus resources for the type and number of guest OSes that will be installed.

24
Q

Virtual Desktop Infrastructure and Thin Clients

A
•Virtual Desktop Infrastructure (VDI)
•Storing images of clients (OS + applications) on a central server
•Virtual Desktop Environment (VDE) images are loaded by thin clients
•Allows for low-power client devices
•Centralizes control over client desktops
•Allows for almost completely hosted IT infrastructure

25
Q

Virtual desktop infrastructure (VDI)

A

Refers to using a VM as a means of provisioning corporate desktops. In a typical VDI, desktop computers are replaced by low-spec, low-power thin client computers. When the thin client starts, it boots a minimal OS, allowing the user to log on to a VM stored on the company server infrastructure. The user makes a connection to the VM using some sort of remote desktop protocol (Microsoft Remote Desktop or Citrix ICA, for instance). The thin client has to find the correct image and use an appropriate authentication mechanism. There may be a 1:1 mapping based on machine name or IP address, or the process of finding an image may be handled by a connection broker.

26
Q

Virtual desktop environment (VDE)

A

All application processing and data storage in the virtual desktop environment (VDE) or workspace is performed by the server.
27
Q

Application virtualization

A

Application virtualization is a more limited type of VDI. Rather than run the whole client desktop as a virtual platform, the client either accesses an application hosted on a server or streams the application from the server to the client for local processing.
•Hosting or streaming individual software applications on a server
•XenApp, App-V, ThinApp

28
Q

Container virtualization (application cells)

A

•Resource separation at the OS level
•Cannot run different OS VMs
•Docker (uses the Docker engine instead of a hypervisor)
29
Q

Containers vs. VMs

A

VMs use a hypervisor. Application cell/container virtualization dispenses with the idea of a hypervisor and instead enforces resource separation at the operating system level (Docker uses the Docker engine).

30
Q

VM escaping

A

VM escaping refers to malware running on a guest OS jumping to another guest or to the host. (Can be really bad.)

31
Q

VM escape protection

A

•Reduce the impact of successful exploits
•Ensure careful placement of VM services on hosts/within the network
•Respect security zones (DMZ)

32
Q

Guest OS security

A

The OS environment must still be maintained, patched, etc.

33
Q

VM sprawl

A

When guest machines are not tracked, not used, etc. This introduces security problems because the systems aren't maintained or secured.
34
Q

Virtual machine life cycle management (VMLM)

A

Virtual machine life cycle management (VMLM) software can be deployed to enforce VM sprawl avoidance. VMLM solutions provide you with a centralized dashboard for maintaining and monitoring all the virtual environments in your organization.

35
Q

Template-based VM creation

A

VMs should conform to an application-specific template with the minimum configuration needed to run that application (that is, not running unnecessary services).

36
Q

Obtaining and integrating cloud security data

A

Cloud-based services must be integrated within regular security policies and procedures and audited for compliance. Where indicators of on-premises attacks are found in local application logs and network traffic, indicators of cloud-based attacks are found in API logs and metrics.
37
Q

Cloud security responsibility matrix and SLAs

A

•Security of the cloud
•Security in the cloud

As with any contracted service, cloud computing is a means of transferring risk. As such, it is imperative to identify precisely which risks you are transferring, to identify which responsibilities the service provider is undertaking, and to identify which responsibilities remain with you. This should be set out in a service level agreement (SLA) with a responsibility matrix.

38
Q

Cloud security reporting

A

Where critical tasks are the responsibility of the service provider, you should try to ensure that there is a reporting mechanism to show that these tasks are being completed, that their disaster recovery plans are effective, and so on.

39
Q

Cloud security legal and compliance responsibilities

A

Another proviso is that your company is likely to still be directly liable for serious security breaches; if customer data is stolen, for instance, or if your hosted website is hacked and used to distribute malware. You still have liability for legal and regulatory requirements. You might be able to sue the service provider for damages, but your company would still be the point of investigation. You may also need to consider the legal implications of using a cloud provider if its servers are located in a different country.

40
Q

Cloud security insider threat

A

You must also consider the risk of insider threat, where the insiders are administrators working for the service provider. Without effective security mechanisms such as separation of duties and M of N control, it is highly likely that they would be able to gain privileged access to your data. Consequently, the service provider must be able to demonstrate to your satisfaction that they are prevented from doing so.
41
Q

Cloud security controls: what types of controls are used?

A

Same types of security controls
•IAM, endpoint protection, resource policies, firewalls, logging, …

Clouds use the same types of security controls as on-premises networks, including identity and access management (IAM), endpoint protection (for virtual instances), resource policies to govern access to data and services, firewalls to filter traffic between hosts, and logging to provide an audit function.

42
Q

Cloud native controls vs. third-party solutions

A

The controls can be deployed and configured using either the CSP's web console, or programmatically via a command line interface (CLI) or application programming interface (API). A third-party solution would typically be installed as a virtual instance within the cloud. For example, you might prefer to run a third-party next-generation firewall.

43
Q

Application security and IAM

A

•Secure development/coding
•Security accounts/groups/roles

Application security in the cloud refers both to the software development process and to identity and access management (IAM) features designed to ensure authorized use of applications. Just as with on-premises solutions, cloud-based IAM enables the creation of users and user security groups, plus role-based management of privileges.

44
Q

Secrets management

A

•Block use of the root account
•Use MFA for privileged accounts
•Protect API keys

A cloud service is highly vulnerable to remote access. A failure of credential management is likely to be exploited by malicious actors. You must enforce strong authentication policies to mitigate risks:
•Do not use the root user for the CSP account for any day-to-day logon activity.
•Require strong multifactor authentication (MFA) for interactive logons. Use conditional authentication to deny or warn of risky account activity.
•Principals—user accounts, security groups, roles, and services—can interact with cloud services via CLIs and APIs. Such programmatic access is enabled by assigning a secret key to the account. Only the secret key (not the ordinary account credential) can be used for programmatic access. When a secret key is generated for an account, it must immediately be transferred to the host and kept securely on that host.
45
Q

Cloud compute

A

Compute
•Processing resources for cloud workloads (CPU and RAM)
•Virtual machines and containers
•Dynamic resource allocation

The compute component provides processor and system memory (RAM) resources as required for a particular workload. The workload could be a virtual machine instance configured with four CPUs and 16 GB RAM or it could be a container instance spun up to perform a function and return a result within a given timeframe.

46
Q

Dynamic resource allocation

A

The workload could be a virtual machine instance configured with four CPUs and 16 GB RAM or it could be a container instance spun up to perform a function and return a result within a given timeframe. The virtualization layer ensures that the resources required for this task are made available on demand. This can be referred to as dynamic resource allocation.

47
Q

Container security

A

A container uses many shared components on the underlying platform, meaning it must be carefully configured to reduce the risk of data exposure. In a container engine such as Docker, each container is isolated from others through separate namespaces and control groups (docs.docker.com/engine/security/security). Namespaces prevent one container reading or writing processes in another, while control groups ensure that one container cannot overwhelm others in a DoS-type attack.
48
Q

API inspection and integration

A

API inspection and integration
•Number of requests
•Latency
•Error rates
•Unauthorized and suspicious endpoints

The API is the means by which consumers interact with the cloud infrastructure, platform, or application. The consumer may use direct API calls, or may use a CSP-supplied web console as a graphical interface for the API. Monitoring API usage gives warning if the system is becoming overloaded (ensuring availability) and allows detection of unauthorized usage or attempted usage.

49
Q

Number of requests (API)

A

Number of requests—this basic load metric counts the number of requests per second or requests per minute. Depending on the service type, you might be able to establish baselines for typical usage and set thresholds for alerting on abnormal usage. An unexplained spike in API calls could be an indicator of a DDoS attack, for instance.

50
Q

Latency (API)

A

Latency—this is the time in milliseconds (ms) taken for the service to respond to an API call. This can be measured for specific services or as an aggregate value across all services. High latency usually means that compute resources are insufficient. The cause of this could be genuine load or DDoS, however.

51
Q

Error rates (API)

A

Error rates—this measures the number of errors as a percentage of total calls, usually classifying error types under category headings. Errors may represent an overloaded system if the API is unresponsive, or a security issue, if the errors are authorization/access denied types.

52
Q

Unauthorized and suspicious endpoints (API)

A

Unauthorized and suspicious endpoints—connections to the API can be managed in the same sort of way as remote access. The client endpoint initiating the connection can be restricted using an ACL and the endpoint's IP address monitored for geographic location.

53
Q

Instance awareness

A

Instance awareness
•Logging and monitoring to mitigate cloud sprawl

As with on-premises virtualization, it is important to manage instances (virtual machines and containers) to avoid sprawl, where undocumented instances are launched and left unmanaged. As well as restricting rights to launch instances, you should configure logging and monitoring to track usage.
54
Q

Cloud storage

A

Where the compute component refers to CPU and system memory resources, the storage component means the provisioning of persistent storage capacity.

55
Q

Performance characteristics for storage tiers

A

Storage profiles will have different performance characteristics for different applications, such as fast SSD-backed storage for databases versus slower HDD-backed media for archiving.

56
Q

Input/output operations per second (IOPS)

A

The principal performance metric for cloud storage is the number of input/output operations per second (IOPS) supported.
57
Q

Permissions and resource policies

A

As with on-premises systems, cloud storage resources must be configured to allow reads and/or writes only from authorized endpoints. In a resource policy, permission statements are typically written as JavaScript Object Notation (JSON) strings.

58
Q

Cloud storage encryption

A

Might want to read this section again....
•Symmetric media encryption key
•CSP-managed keys versus customer-managed keys
•Separation of duties for CSP-managed keys

59
Q

High availability

A

High availability
•Virtualization layer provisions dynamic allocation and redundancy
•99.99%+ uptime can be specified in the SLA

60
Q

Replication

A

Replication
•Copying data between media, servers, or sites
•Performance tiers: hot or cold storage (hot storage is faster but costs more)

Data replication allows businesses to copy data to where it can be utilized most effectively. The cloud may be used as a central storage area, making data available among all business units. Data replication requires low latency network connections, security, and data integrity.

61
Q

High availability across zones

A

High availability across zones
•Local
•Regional
•Geo-redundant storage (GRS)

CSPs divide the world into regions. Each region is independent of the others. The regions are divided into availability zones. The availability zones have independent data centers with their own power, cooling, and network connectivity.

62
Q

Local, regional, and geo-redundant storage (GRS) zones

A

•Local replication—replicates your data within a single data center in the region where you created your storage account. The replicas are often in separate fault domains and upgrade domains.
•Regional replication (also called zone-redundant storage)—replicates your data across multiple data centers within one or two regions. This safeguards data and access in the event a single data center is destroyed or goes offline.
•Geo-redundant storage (GRS)—replicates your data to a secondary region that is distant from the primary region. This safeguards data in the event of a regional outage or a disaster.
63
Q

Cloud networking types

A

Not sure I understand this.
•Networks by which the cloud consumer operates and manages the cloud systems.
•Virtual networks established between VMs and containers within the cloud.
•Virtual networks by which cloud services are published to guests or customers on the Internet.

64
Q

Virtual private clouds (VPCs)

A

Virtual private clouds (VPCs)
•Segmented virtual networks
•Can contain multiple IPv4 and IPv6 subnets

Each customer can create one or more virtual private clouds (VPCs) attached to their account. By default, a VPC is isolated from other CSP accounts and from other VPCs operating in the same account. This means that customer A cannot view traffic passing over customer B's VPC. The workload for each VPC is isolated from other VPCs.

65
Q

Public and private subnets

A

Each subnet within a VPC can either be private or public. To configure a public subnet, first an Internet gateway (virtual router) must be attached to the VPC configuration. Secondly, the Internet gateway must be configured as the default route for each public subnet. If a default route is not configured, the subnet remains private, even if an Internet gateway is attached to the VPC. Each instance in the subnet must also be configured with a public IP in its cloud profile. The Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance.

66
Q

Ways to provision external connectivity for a subnet if it is not appropriate to make it public

A

•NAT gateway—this feature allows an instance to connect out to the Internet or to other AWS services, but does not allow connections initiated from the Internet.
•VPN—there are various options for establishing connections to and between VPCs using virtual private networks (VPNs) at the software layer or using CSP-managed features.
67
Q

Routing between subnets (in a VPC)

A

Routing between subnets
•Can use traditional access control lists
•Can use vendor security appliance instances

Routing can be configured between subnets within a VPC. This traffic can be subject to cloud native ACLs allowing or blocking traffic on the basis of host IPs and ports. Alternatively, traffic could be routed through a virtual firewall instance, or other security appliance.

68
Q

Multiple VPCs for segmentation

A

Multiple VPCs for segmentation
•Between VPCs in the same account
•Between different accounts
•To on-premises networks

Connectivity can also be configured between VPCs in the same account or with VPCs belonging to different accounts, and between VPCs and on-premises networks. Configuring additional VPCs rather than subnets within a VPC allows for a greater degree of segmentation between instances. A complex network might split segments between different VPCs across different cloud accounts for performance or compliance reasons.

69
Q

Peering relationships

A

Peering relationships
•One-to-one connections

Traditionally, VPCs can be interconnected using peering relationships and connected with on-premises networks using VPN gateways. These one-to-one VPC peering relationships can quickly become difficult to manage, especially if each VPC must interconnect in a mesh-like structure.

70
Q

Transit gateways

A

Transit gateways
•Virtual router

A transit gateway is a simpler means of managing these interconnections. Essentially, a transit gateway is a virtual router that handles routing between the subnets in each attached VPC and any attached VPN gateways.

71
Q

VPC endpoint

A

•Publishing a service over the cloud internal network
•Avoids exposing traffic to the Internet

A VPC endpoint is a means of publishing a service so that it is accessible by instances in other VPCs using only the AWS internal network and private IP addresses (d1.awsstatic.com/whitepapers/aws-privatelink.pdf). This means that the traffic is never exposed to the Internet. There are two types of VPC endpoint: gateway and interface.

72
Q

Gateway endpoints

A

Gateway endpoint
•Connect instances to S3 and DynamoDB services
•Added as a route

A gateway endpoint is used to connect instances in a VPC to the AWS S3 (storage) and DynamoDB (database) services. A gateway endpoint is configured as a route to the service in the VPC's route table.

73
Q

Interface endpoint

A

Interface endpoint
•AWS PrivateLink
•Service VPC or default Amazon service published with a DNS name
•VPC endpoint interface added to each service consumer VPC
•Instances within the consumer VPC access the service via the VPC endpoint interface

An interface endpoint makes use of AWS's PrivateLink feature to allow private access to custom services:
•A custom service provider VPC is configured by publishing the service with a DNS host name. Alternatively, the service provider might be an Amazon default service that is enabled as a VPC interface endpoint, such as CloudWatch Events/Logs.
•A VPC endpoint interface is configured in each service consumer VPC subnet. The VPC endpoint interface is configured with a private IP address within the subnet plus the DNS host name of the service provider.
•Each instance within the VPC subnet is configured to use the endpoint address to contact the service provider.
74
Q

Cloud firewall security

A

As in an on-premises network, a firewall determines whether to accept or deny/discard incoming and outgoing traffic. Firewalls work with multiple accounts, VPCs, subnets within VPCs, and instances within subnets to enforce the segmentation required by the architectural design.

Need for segmentation
•Load balancing workloads
•Isolating data processing
•Compartmentalizing data access

Open Systems Interconnection (OSI) layers
•Network layer (layer 3)
•Transport layer (layer 4)
•Application layer (layer 7)

Cloud native versus vendor controls
•Deploy host-based firewall within instance
•Deploy vendor firewall/security appliance as instance
•Transaction and volume costs for cloud native solutions

75
Q

Need for segmentation in the cloud

A

Need for segmentation (using firewalls)
•Load balancing workloads
•Isolating data processing
•Compartmentalizing data access

Segmentation may be needed for many different reasons, including separating workloads for performance and load balancing, keeping data processing within an isolated segment for compliance with laws and regulations, and compartmentalizing data access and processing for different departments or functional requirements.

76
Q

Open Systems Interconnection (OSI) layers (firewalls)

A

Open Systems Interconnection (OSI) layers
•Network layer (layer 3)
•Transport layer (layer 4)
•Application layer (layer 7)

Filtering decisions can be made based on packet headers and payload contents at various layers, identified in terms of the OSI model:
•Network layer (layer 3)—the firewall accepts or denies connections on the basis of IP addresses or address ranges and TCP/UDP port numbers (the latter are actually contained in layer 4 headers, but this functionality is still always described as basic layer 3 packet filtering).
•Transport layer (layer 4)—the firewall can store connection states and use rules to allow established or related traffic. Because the firewall must maintain a state table of existing connections, this requires more processing power (CPU and memory).
•Application layer (layer 7)—the firewall can parse application protocol headers and payloads (such as HTTP packets) and make filtering decisions based on their contents. This requires even greater processing capacity (or load balancing), or the firewall will become a bottleneck and increase network latency.

77
Q

Cloud native versus vendor controls

A

Cloud native versus vendor controls
•Deploy host-based firewall within instance
•Deploy vendor firewall/security appliance as instance
•Transaction and volume costs for cloud native solutions

Native cloud application-aware firewalls incur transaction costs, typically calculated on time deployed and traffic volume. These costs might be a reason to choose a third-party solution instead of the native control.

78
Q

Security groups

A

•Basic stateful packet filtering for instances: in AWS, basic packet filtering rules managing the traffic that each instance will accept can be managed through security groups
•The default security group allows any outbound traffic and any inbound traffic from instances also bound to the default security group
•Custom groups
•A custom group with no rules drops all network traffic
•Can be assigned to multiple instances
•Instances in the same subnet can be assigned different security groups
•Multiple security groups can be assigned to the same instance
79
Q

Cloud access security brokers (CASB)

A

•Mediate access to cloud services by enterprise users across all types of devices
•Implemented as proxy or via API
•Next-generation secure web gateway
•Secure access service edge (SASE)

A cloud access security broker (CASB) is enterprise management software designed to mediate access to cloud services by users across all types of devices. CASBs provide you with visibility into how clients and other network nodes are using cloud services. Some of the functions of a CASB are:
•Enable single sign-on authentication and enforce access controls and authorizations from the enterprise network to the cloud provider.
•Scan for malware and rogue or non-compliant device access.
•Monitor and audit user and resource activity.
•Mitigate data exfiltration by preventing access to unauthorized cloud services from managed devices.

80
Q

Next-generation secure web gateway

A

•Next-generation secure web gateway
•Secure access service edge (SASE)

Enterprise networks often make use of secure web gateways (SWG). An on-premises SWG is a proxy-based firewall, content filter, and intrusion detection/prevention system that mediates user access to Internet sites and services. A next-generation SWG, as marketed by Netskope (netskope.com/products/next-gen-swg), combines the functionality of an SWG with that of data loss prevention (DLP) and a CASB to provide a wholly cloud-hosted platform for client access to websites and cloud apps. This supports an architecture defined by Gartner as secure access service edge (SASE).

81
Q

Monolithic client/server applications

A

Virtualization gets us away from monolithic client/server applications.

In the early days of computer networks, architecture was focused on the provision of server machines and intermediate network systems (switches and routers). Architectural choices centered around where to place a "box" to run monolithic network applications such as routing, security, address allocation, name resolution, file sharing, email, and so on. With virtualization, the provision of these applications is much less dependent on where you put the box and the OS that the box runs. Virtualization helps to make the design architecture fit the business requirement rather than accommodate the business workflow to the platform requirement.
82
SOA
Service-oriented architecture (SOA) •Atomic services with defined input/output interfaces •Loosely decoupled Service-oriented architecture (SOA) conceives of atomic services closely mapped to business workflows. Each service takes defined inputs and produces defined outputs. The service may itself be composed of sub-services. The key features of a service function are that it is self-contained, does not rely on the state of other services, and exposes clear input/output (I/O) interfaces. Because each service has a simple interface, interoperability is made much easier than with a complex monolithic application. The implementation of a service does not constrain compatibility choices for client services, which can use a different platform or development language. This independence of the service and the client requesting the service is referred to as loose coupling.
83
Loose coupling
(as part of SOA) The implementation of a service does not constrain compatibility choices for client services, which can use a different platform or development language. This independence of the service and the client requesting the service is referred to as loose coupling.
84
Microservices
Microservices
•Each service capable of independent development and deployment
•Highly decoupled

The main difference between SOA and microservices is that SOA allows a service to be built from other services. By contrast, each microservice should be capable of being developed, tested, and deployed independently. Microservices are therefore said to be highly decoupled rather than just loosely coupled.
85
Services integration and orchestration
* Enterprise service bus versus orchestration
* Automating automation
* Uses scripts and service APIs to provision a workflow
* Cloud orchestration platforms
86
Service Integration
Services integration refers to ways of making decoupled service or microservice components work together to perform a workflow.
87
Orchestration
Where SOA used the concept of an enterprise service bus, microservices integration (and cloud service, virtualization, and automation integration more generally) is very often implemented using orchestration tools. Where automation focuses on making a single, discrete task easily repeatable, orchestration performs a sequence of automated tasks.
88
how is orchestration run?
Orchestrated steps would have to run numerous automated scripts or API service calls.
89
cloud orchestration platforms
Cloud orchestration platforms connect to and provide administration, management, and orchestration for many popular cloud platforms and services. One of the advantages of using a third-party orchestration platform is protection from vendor lock-in. If you wish to migrate from one cloud provider to another, or wish to move to a multi-cloud environment, automated workflows can often be adapted for use on new platforms. Industry leaders in this space include Chef (chef.io), Puppet (puppet.com), Ansible (ansible.com), and Kubernetes (kubernetes.io).
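The three cards above describe orchestration as a sequence of automated tasks, each of which is a script or an API call. The following is an added example, not from the flashcards or from any of the products named: a minimal in-process orchestrator that runs a provisioning workflow in dependency order and, if a step fails, undoes the steps already completed so no half-built resources are left behind. The step names, the `FakeCloud` stand-in and its method names are all constructed for the example; a real orchestrator would call a provider SDK or HTTPS API at those points.

```python
"""Added example (not from the flashcards): a minimal orchestrator that runs a
provisioning workflow as a sequence of automated steps, each a call to a service
API. Step names and the simulated provider API (FakeCloud) are hypothetical."""


class FakeCloud:
    """Constructed stand-in for a provider API; `fail_on` simulates a failing call."""

    def __init__(self, fail_on=None):
        self.instances, self.records, self.fail_on = [], [], fail_on

    def create_instance(self, name):
        if self.fail_on == "create_instance":
            raise RuntimeError("quota exceeded")
        self.instances.append(name)
        return name

    def delete_instance(self, name):
        self.instances.remove(name)

    def add_dns(self, name):
        if self.fail_on == "add_dns":
            raise RuntimeError("zone locked")
        self.records.append(name)

    def remove_dns(self, name):
        self.records.remove(name)


def topo_order(steps):
    """Order steps so every dependency runs before its dependents (Kahn's algorithm).
    Raises on a cycle instead of looping forever."""
    remaining = {name: set(spec["needs"]) for name, spec in steps.items()}
    order = []
    while remaining:
        ready = sorted(n for n, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError("dependency cycle among: %s" % sorted(remaining))
        for n in ready:
            order.append(n)
            del remaining[n]
            for deps in remaining.values():
                deps.discard(n)
    return order


def run_workflow(steps, ctx):
    """Run each step's `do` in dependency order. On failure, stop and run the
    `undo` of every completed step in reverse order, then report where it failed."""
    done = []
    for name in topo_order(steps):
        try:
            steps[name]["do"](ctx)
            done.append(name)
        except Exception as exc:
            for finished in reversed(done):
                steps[finished]["undo"](ctx)
            return {"ok": False, "failed_at": name, "error": str(exc),
                    "rolled_back": list(reversed(done))}
    return {"ok": True, "completed": done}


def build_steps(cloud, host):
    """The workflow: create instance -> publish DNS record -> push configuration.
    Each step is an automated task; the orchestrator supplies the sequencing."""
    return {
        "instance": {"needs": [], "do": lambda c: cloud.create_instance(host),
                     "undo": lambda c: cloud.delete_instance(host)},
        "dns": {"needs": ["instance"], "do": lambda c: cloud.add_dns(host),
                "undo": lambda c: cloud.remove_dns(host)},
        "configure": {"needs": ["dns"],
                      "do": lambda c: c.setdefault("configured", []).append(host),
                      "undo": lambda c: c["configured"].remove(host)},
    }


if __name__ == "__main__":
    print(run_workflow(build_steps(FakeCloud(), "web-1"), {}))
    print(run_workflow(build_steps(FakeCloud(fail_on="add_dns"), "web-2"), {}))
```

The rollback path is the part worth copying: an orchestration that stops on the first failure without compensating leaves orphaned instances and stale DNS records, which are exactly the forgotten assets an attacker later finds.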
90
Application Programming Interfaces
Whether based on SOA or microservices, service integration, automation, and orchestration all depend on application programming interfaces (APIs). The service API is the means by which external entities interact with the service, calling it with expected parameters and receiving the expected output.
91
Two predominant styles for creating web application APIs
* Simple Object Access Protocol (SOAP)
  * XML format messaging
  * Web Services (WS) standards
* Representational State Transfer (REST)
  * RESTful APIs
  * HTTP operation/verb
  * Noun endpoints accessed as URLs

• Simple Object Access Protocol (SOAP)—uses XML format messaging and has a number of extensions in the form of Web Services (WS) standards that support common features, such as authentication, transport security, and asynchronous messaging. SOAP also has built-in error handling.
• Representational State Transfer (REST)—where SOAP is a tightly specified protocol, REST is a looser architectural framework, also referred to as RESTful APIs. Where a SOAP request must be sent as a correctly formatted XML document, a REST request can be submitted as an HTTP operation/verb (GET or POST, for example). Each resource or endpoint in the API, expressed as a noun, should be accessed via a single URL.
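To make the SOAP/REST contrast concrete, here is an added example (not from the flashcards, and not any real service's API) that exposes the same two operations, look up a user and create a user, both ways. The REST side dispatches on HTTP verb plus noun URL; the SOAP side builds and parses an XML envelope in which the operation is an element inside `Body` and errors come back as a `Fault`. The user store, the `urn:example:users` namespace and the operation names are all hypothetical.

```python
"""Added example (not from the flashcards): the same 'get user' / 'create user'
operations as a RESTful verb+URL dispatch and as a SOAP XML envelope.
Service namespace, operation names and the in-memory user store are hypothetical."""
import re
import xml.etree.ElementTree as ET

# Constructed in-memory resource store standing in for a real back end.
USERS = {"42": {"id": "42", "name": "alice"}}


# --- REST: the HTTP verb is the operation, the URL names the resource (noun). ---
def get_user(params, body):
    user = USERS.get(params["id"])
    return (200, user) if user else (404, {"error": "user not found"})


def create_user(params, body):
    new_id = str(max(int(k) for k in USERS) + 1)
    USERS[new_id] = {"id": new_id, "name": body["name"]}
    return 201, USERS[new_id]


ROUTES = [
    ("GET", re.compile(r"^/users/(?P<id>\d+)$"), get_user),
    ("POST", re.compile(r"^/users$"), create_user),
]


def rest_dispatch(method, path, body=None):
    """Return (HTTP status, payload). A known URL with an unregistered verb is
    405, not 404: the resource exists, the operation on it is not allowed."""
    path_known = False
    for verb, pattern, handler in ROUTES:
        match = pattern.match(path)
        if match is None:
            continue
        path_known = True
        if verb == method:
            return handler(match.groupdict(), body or {})
    if path_known:
        return 405, {"error": "method not allowed"}
    return 404, {"error": "no such resource"}


# --- SOAP: every request is a POST of an XML document; the operation is the ---
# --- first child element of <Body>, and errors come back as a <Fault>.       ---
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:users"  # hypothetical service namespace


def soap_request(operation, **args):
    """Build a SOAP 1.1 envelope for `operation` with child elements as arguments."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}{operation}")
    for name, value in args.items():
        ET.SubElement(op, f"{{{SVC_NS}}}{name}").text = str(value)
    return ET.tostring(env, encoding="unicode")


def soap_fault(code, text):
    return "Fault", {"faultcode": code, "faultstring": text}


def soap_dispatch(xml_text):
    """Parse an envelope and dispatch on the operation element's local name.
    Returns (response element name, payload). For untrusted input parse with
    defusedxml: the stdlib parser still expands internal entities (billion laughs)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return soap_fault("Client", f"malformed XML: {exc}")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        return soap_fault("Client", "missing Body or operation")
    op = body[0]
    name = op.tag.rsplit("}", 1)[-1]
    args = {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in op}
    if name == "GetUser":
        user = USERS.get(args.get("id", ""))
        return ("GetUserResponse", user) if user else soap_fault("Client", "user not found")
    if name == "CreateUser":
        status, user = create_user({}, {"name": args.get("name", "")})
        return "CreateUserResponse", user
    return soap_fault("Client", f"unknown operation {name}")
```

Two practical points the cards do not spell out: a REST API's "surface" is the cross product of verbs and URLs, so access control has to be enforced per verb (a GET-only allowlist that forgets DELETE is a classic finding), while a SOAP API's surface is whatever operation names the parser will accept, and because the body is XML the parser configuration (entity expansion, DTDs) is itself part of the attack surface.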
92
Infrastructure as code
* All configuration and provisioning is performed by scripting/automation/orchestration
* Elimination of inconsistency (snowflakes and configuration drift)
* Idempotence
  * Making the same call with the same parameters will always produce the same result

The use of cloud technologies encourages the use of scripted approaches to provisioning, rather than manually making configuration changes, or installing patches. An approach to infrastructure management where automation and orchestration fully replace manual configuration is referred to as infrastructure as code (IaC).
93
snowflakes and configuration drift
•Elimination of inconsistency (snowflakes and configuration drift)

One of the goals of IaC is to eliminate snowflake systems. A snowflake is a configuration or build that is different from any other. The lack of consistency—or drift—in the platform environment leads to security issues, such as patches that have not been installed, and stability issues, such as scripts that fail to run because of some small configuration difference.
94
Idempotence
Idempotence means that making the same call with the same parameters will always produce the same result.
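The three IaC cards above (scripted provisioning, snowflakes and drift, idempotence) are illustrated together by this added example, which is not from the flashcards or from any IaC tool. It declares a desired state for a pool of web hosts, detects which hosts have drifted from it, and converges them with an `ensure_state` step that can be run any number of times with the same result. A non-idempotent `append_config_line` is shown beside its idempotent replacement because that is the most common way idempotence is lost in hand-written scripts. Host names, package versions and the state layout are constructed.

```python
"""Added example (not from the flashcards): an idempotent 'ensure' step of the
kind an IaC tool runs, plus a drift check that compares live state to the
declared state. Host names, package versions and the state format are constructed."""
import copy

# Declared (desired) state: what the IaC code says every web host should look like.
DESIRED = {
    "packages": {"nginx": "1.24.0", "openssl": "3.0.13"},
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}

# Constructed live state: web-b has drifted (old openssl, root login re-enabled),
# i.e. it has become a snowflake.
LIVE = {
    "web-a": copy.deepcopy(DESIRED),
    "web-b": {
        "packages": {"nginx": "1.24.0", "openssl": "3.0.11"},
        "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
    },
}


def detect_drift(live, desired):
    """Return {host: [(section, key, live_value, desired_value), ...]} for every
    mismatch. Hosts with a non-empty list are the snowflakes."""
    drift = {}
    for host, state in live.items():
        diffs = []
        for section, wanted in desired.items():
            for key, value in wanted.items():
                actual = state.get(section, {}).get(key)
                if actual != value:
                    diffs.append((section, key, actual, value))
        if diffs:
            drift[host] = diffs
    return drift


def ensure_state(host_state, desired):
    """Idempotent: converge host_state toward desired and return the changes made.
    A second call with the same inputs changes nothing and returns []."""
    changes = []
    for section, wanted in desired.items():
        current = host_state.setdefault(section, {})
        for key, value in wanted.items():
            if current.get(key) != value:
                changes.append((section, key, current.get(key), value))
                current[key] = value
    return changes


def converge_all(live, desired):
    """Run ensure_state over every host; returns per-host change lists."""
    return {host: ensure_state(state, desired) for host, state in live.items()}


def append_config_line(lines, line):
    """Non-idempotent counter-example: each run appends another copy, so N runs
    leave N copies (the classic `echo ... >> /etc/ssh/sshd_config` pitfall)."""
    lines.append(line)
    return lines


def ensure_config_line(lines, line):
    """Idempotent version: the line is present exactly once however often this runs."""
    if line not in lines:
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("drift before:", detect_drift(LIVE, DESIRED))
    print("first run:", converge_all(LIVE, DESIRED))
    print("second run:", converge_all(LIVE, DESIRED))
    print("drift after:", detect_drift(LIVE, DESIRED))
```

Running `converge_all` twice is the practical idempotence test: the first run reports the fixes applied to `web-b`, the second reports no changes at all. If a step reports changes on every run, it is not idempotent and will itself become a source of drift.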
95
Software-Defined Networking (SDN)
* Physical and virtual appliances that can be fully automated
* Control plane/policy definitions
* Data plane/network controller
* Management plane
* SDN policy > northbound API > network controller > southbound API > firewall appliance
* Network functions virtualization (NFV)
96
SDN control plane, data plane, management plane
• Control plane—makes decisions about how traffic should be prioritized and secured, and where it should be switched.
• Data plane—handles the actual switching and routing of traffic and imposition of security access controls.
• Management plane—monitors traffic conditions and network status.
97
SDN policy > northbound API > network controller > southbound API > firewall appliance
A software-defined networking (SDN) application can be used to define policy decisions on the control plane. These decisions are then implemented on the data plane by a network controller application, which interfaces with the network devices using APIs. The interface between the SDN applications and the SDN controller is described as the "northbound" API, while that between the controller and appliances is the "southbound" API. SDN can be used to manage compatible physical appliances, but also virtual switches, routers, and firewalls. The architecture supporting rapid deployment of virtual networking using general-purpose VMs and containers is called network functions virtualization (NFV).
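The chain in the card title (policy > northbound API > controller > southbound API > firewall appliance) is easier to hold onto when each hop is a function call, so here is an added example that simulates it in-process. It is not from the flashcards and not any real SDN controller's API. An SDN application states intent in terms of zones (control plane); the controller compiles that into address-level flow entries and pushes them to a registered appliance (southbound); the appliance answers packet lookups from its installed table (data plane) and keeps hit counters that a management-plane view would read. Zone names, address ranges and the rule format are constructed.

```python
"""Added example (not from the flashcards): the SDN pipeline policy -> northbound
API -> controller -> southbound API -> firewall appliance, simulated in-process.
Zone names, address ranges and the rule/flow formats are constructed."""
import ipaddress

# Control-plane input: an SDN application states intent in terms of zones,
# not per-device rules. (Constructed addressing.)
ZONES = {
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "db": ipaddress.ip_network("10.2.0.0/24"),
    "mgmt": ipaddress.ip_network("10.9.0.0/24"),
}
POLICY = [  # evaluated in order, first match wins; anything unmatched is denied
    {"from": "web", "to": "db", "port": 5432, "action": "allow"},
    {"from": "mgmt", "to": "db", "port": 22, "action": "allow"},
    {"from": "web", "to": "db", "port": 22, "action": "deny"},
]


class FirewallAppliance:
    """Data plane: answers packet lookups from the flow table pushed to it."""

    def __init__(self, name):
        self.name, self.flows = name, []
        self.counters = {"allow": 0, "deny": 0}  # what the management plane reads

    def install_flows(self, flows):
        """The southbound call: replace the whole table atomically."""
        self.flows = list(flows)

    def forward(self, src, dst, port):
        """Lookup against the installed table; default deny when nothing matches."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        action = "deny"
        for flow in self.flows:
            if s in flow["src"] and d in flow["dst"] and flow["port"] == port:
                action = flow["action"]
                break
        self.counters[action] += 1
        return action


class Controller:
    """Compiles zone-level policy into address-level flows and pushes them out."""

    def __init__(self, zones):
        self.zones, self.devices = zones, {}

    def register(self, device):
        self.devices[device.name] = device

    def compile_policy(self, policy):
        flows = []
        for rule in policy:
            if rule["from"] not in self.zones or rule["to"] not in self.zones:
                raise ValueError("unknown zone in rule %r" % rule)
            flows.append({"src": self.zones[rule["from"]], "dst": self.zones[rule["to"]],
                          "port": rule["port"], "action": rule["action"]})
        return flows

    def apply_policy(self, policy):
        """The northbound call: validate, compile, then push to every device."""
        flows = self.compile_policy(policy)
        for dev in self.devices.values():
            dev.install_flows(flows)
        return len(flows)

    def status(self):
        """Management-plane view: per-device counters."""
        return {name: dict(dev.counters) for name, dev in self.devices.items()}


def build_demo():
    ctrl = Controller(ZONES)
    fw = FirewallAppliance("fw-edge-1")
    ctrl.register(fw)
    ctrl.apply_policy(POLICY)
    return ctrl, fw


if __name__ == "__main__":
    ctrl, fw = build_demo()
    for pkt in [("10.1.0.7", "10.2.0.5", 5432), ("10.1.0.7", "10.2.0.5", 22)]:
        print(pkt, "->", fw.forward(*pkt))
    print(ctrl.status())
```

The security point is where the policy lives: because the appliance only ever holds what the controller compiled, the northbound API is the place to enforce who may change policy, and a compromise of the controller is a compromise of every data-plane device it manages.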
98
Network functions virtualization (NFV)
The architecture supporting rapid deployment of virtual networking using general-purpose VMs and containers is called network functions virtualization (NFV)
99
Software-Defined Visibility
* Near real-time collection, aggregation, and reporting of data
* Baseline monitoring and anomaly detection
* Supports east/west and zero trust
* Security orchestration and automated response (SOAR)

Where SDN addresses secure network "build" solutions, software-defined visibility (SDV) supports assessment and incident response functions. Visibility is the near real-time collection, aggregation, and reporting of data about network traffic flows and the configuration and status of all the hosts, applications, and user accounts participating in it.
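The bullets above (baseline monitoring, anomaly detection, east/west traffic, SOAR) are what the following added example does on a small scale; it is not from the flashcards or from any SDV product. It learns a per-source baseline from a batch of constructed flow records (which internal peers and ports each host normally talks to, and the usual bytes per flow), then flags live flows that are either a never-seen east/west path or a known path carrying far more than usual, and maps each finding to a hypothetical playbook name of the kind a SOAR platform would trigger. Addresses, flow sizes, the ten-times threshold and the playbook names are all constructed.

```python
"""Added example (not from the flashcards): baseline-and-anomaly detection over
flow records of the kind an SDV platform aggregates, with a SOAR-style playbook
lookup. Flow records, addresses, thresholds and playbook names are constructed."""
from collections import defaultdict

# Constructed flow records: (src, dst, dport, bytes). 10.1.x is the web tier,
# 10.2.x the database tier, 10.9.x management; all of this is east/west traffic.
BASELINE_FLOWS = [
    ("10.1.0.7", "10.2.0.5", 5432, 8000), ("10.1.0.7", "10.2.0.5", 5432, 9000),
    ("10.1.0.8", "10.2.0.5", 5432, 7500), ("10.1.0.7", "10.9.0.3", 514, 300),
    ("10.1.0.8", "10.9.0.3", 514, 280),
] * 5  # repeated so the baseline sees each pair several times

LIVE_FLOWS = [
    ("10.1.0.7", "10.2.0.5", 5432, 8200),     # normal
    ("10.1.0.7", "10.2.0.6", 22, 1200),       # new peer and new port: lateral movement?
    ("10.1.0.8", "10.2.0.5", 5432, 950000),   # known path, >100x the usual volume
]


def build_baseline(flows):
    """Per source host: {(dst, dport): mean bytes per flow} for every path seen."""
    sizes = defaultdict(list)
    for src, dst, dport, nbytes in flows:
        sizes[(src, dst, dport)].append(nbytes)
    baseline = defaultdict(dict)
    for (src, dst, dport), seen in sizes.items():
        baseline[src][(dst, dport)] = sum(seen) / len(seen)
    return baseline


def find_anomalies(baseline, flows, volume_factor=10.0):
    """Flag flows that are a never-seen (dst, dport) for that source (a new
    east/west path) or a known path carrying more than volume_factor x its mean."""
    findings = []
    for src, dst, dport, nbytes in flows:
        known = baseline.get(src, {})
        key = (dst, dport)
        if key not in known:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "bytes": nbytes, "reason": "new peer/port"})
        elif nbytes > volume_factor * known[key]:
            findings.append({"src": src, "dst": dst, "dport": dport, "bytes": nbytes,
                             "reason": "volume %.0fx baseline" % (nbytes / known[key])})
    return findings


ADMIN_PORTS = {22, 3389, 445, 5985}  # constructed list of remote-admin ports


def soar_playbook(finding):
    """Map a finding to a hypothetical automated-response playbook name: a new
    path to an admin port gets the source quarantined, everything else a ticket."""
    if finding["reason"] == "new peer/port" and finding["dport"] in ADMIN_PORTS:
        return "quarantine-source-host"
    return "open-ticket"


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for hit in find_anomalies(base, LIVE_FLOWS):
        print(hit, "->", soar_playbook(hit))
```

The baseline is what makes east/west visibility useful for zero trust: a web host opening SSH to a database host is unremarkable as a single packet but obvious once you know that host has never done so before. The automated response is deliberately conservative (quarantine only for new paths to admin ports) because a SOAR action that isolates hosts on every volume spike becomes a self-inflicted denial of service.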
100
Fog and Edge Computing
(I think if you just remember that it is good for IoT devices, it will be fine)

* Embedded and IoT devices deployed at the network edge
* Strong requirements for availability and low latency
* Fog computing
  * Provision greater processing resource between the edge and data center
  * Prioritize data for analysis and alert conditions
* Edge computing
  * Defines additional zones and processing nodes
    * Edge device zone
    * Edge gateways
    * Fog nodes
    * Data center