reflection 3
Implementing Secure Cloud Solutions
Lesson 15
1
Summarize Secure Cloud and Virtualization Services
Topic 15A
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
2
2
2.2 Summarize virtualization and cloud computing concepts
Syllabus Objectives Covered
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
3
Cloud Deployment Models
Public (multi-tenant)
Cloud service providers (CSPs)
Shared between subscribers
Multi-cloud
Hosted private
Private instance operated by a CSP but dedicated to a single customer
Private
Wholly owned and operated by the organization
On-premises vs. off-premises
Community
Hybrid
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
4
Cloud Service Models
Anything as a service (XaaS)
Infrastructure as a Service (IaaS)
Unconfigured compute, storage, and network resources
Software as a Service (SaaS)
Fully developed applications
Platform as a Service (PaaS)
Pre-configured OS and database/middleware instances
Screenshot used with permission from Amazon.com.
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
5
Specific IaaS, PaaS, or SaaS solutions for business needs
Security in the cloud
Security of the cloud
Cloud responsibility matrix
Anything as a Service
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
6
6
Security as a Service
Consultants
Third-party expertise and perspective
Managed Security Services Provider (MSSP)
Turnkey security solutions
Security as a Service (SECaaS)
Cloud-deployed security assessment and analysis
Cyber threat intelligence and machine learning analytics
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
7
Virtualization platform
Host hardware
Hypervisor/Virtual Machine Monitor (VMM)
Guest operating systems, Virtual Machines (VM), or instances
Virtualization Technologies and Hypervisor Types
Type II hypervisors (host-based)
Type I hypervisors (bare metal)
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
8
8
Virtual Desktop Infrastructure and Thin Clients
Virtual Desktop Infrastructure (VDI)
Storing images of clients (OS + applications) on a central server
Virtual Desktop Environment (VDE) images are loaded by thin clients
Allows for low-power client devices
Centralizes control over client desktops
Allows for almost completely hosted IT infrastructure
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
9
Application Virtualization and Container Virtualization
Application virtualization
Hosting or streaming individual software applications on a server
XenApp, App-V, ThinApp
Container virtualization (application cells)
Resource separation at the OS level
Cannot run different OS VMs
Docker
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
10
VM Escape Protection
Reduce impact of successful exploits
Ensure careful placement of VM services on hosts/within network
Respect security zones (DMZ)
Image © 123RF.com.
Images © 123RF.com.
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
11
VM Sprawl Avoidance
Guest OS security
OS environment must still be maintained
Rogue VMs
System sprawl and undocumented assets
Virtual machine life cycle management (VMLM)
Use template-based VM creation
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
12
Secure Cloud and Virtualization Services
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
13
Review Activity
Apply Cloud Security Solutions
Topic 15B
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
14
14
1.2 Given a scenario, analyze potential indicators to determine the type of attack (Cloud-based versus on-premises only)
2.2 Summarize virtualization and cloud computing concepts
3.6 Given a scenario, apply cybersecurity solutions to the cloud
Syllabus Objectives Covered
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
15
Cloud Security Integration and Auditing
Obtaining and integrating cloud security data
Attack indicators and correlation
Responsibility matrix and SLAs
Security of the cloud
Security in the cloud
Reporting
Legal and compliance responsibilities
Insider threat
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
16
16
Cloud Security Controls
Same types of security controls
IAM, endpoint protection, resource policies, firewalls, logging, …
Cloud native controls vs. third-party solutions
CSP web console, CLI, and API
Vendor virtual instances
Application security and IAM
Secure development/coding
Security accounts/groups/roles
Secrets management
Block use of root account
Use MFA for privileged accounts
Protect API keys
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
17
17
Cloud Compute Security
Compute
Processing resources for cloud workloads (CPU and RAM)
Virtual machines and containers
Dynamic resource allocation
Container security
API inspection and integration
Number of requests
Latency
Error rates
Unauthorized and suspicious endpoints
Instance awareness
Logging and monitoring to mitigate cloud sprawl
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
18
18
Storage
Persistent storage capacity
Performance characteristics for storage tiers
Input/output operations per second (IOPS)
Permissions and resource policies
JavaScript Object Notation (JSON)
Encryption
Symmetric media encryption key
CSP-managed keys versus customer-managed
Separation of duties for CSP-managed keys
Cloud Storage Security
"Statement": [ {
"Action": [
"*"
],
"Effect": "Allow",
"Principal": "*",
"Resource": "arn:aws:s3:::515support-courses-data/*"
} ]
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
19
19
High availability
Virtualization layer provisions dynamic allocation and redundancy
99.99%+ uptime
Replication
Copying data between media, servers, or sites
Performance tiers
High availability across zones
Local
Regional
Geo-redundant storage (GRS)
High Availability
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
20
20
Cloud Networking Security
Cloud networking types
Operating and managing cloud systems
Virtual networks between VMs and containers within the cloud
Virtual networks publishing cloud services
Virtual private clouds (VPCs)
Segmented virtual networks
Can contain multiple IPv4 and IPv6 subnets
Public and private subnets
Internet gateway and default route
Public IP addresses
NAT gateway
VPN
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
21
21
VPCs and Transit Gateways
Routing between subnets
Can use traditional access control lists
Can use vendor security appliance instances
Multiple VPCs for segmentation
Between VPCs in the same account
Between different accounts
To on-premises networks
Peering relationships
One-to-one connections
Transit gateways
Virtual router
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
22
Publishing a service over cloud internal network
Avoids exposing traffic to the Internet
Gateway endpoint
Connect instances to S3 and DynamoDB services
Added as route
Interface endpoint
AWS PrivateLink
Service VPC or default Amazon service published with a DNS name
VPC endpoint interface added to each service consumer VPC
Instances within the consumer VPC access the service via the VPC endpoint interface
VPC Endpoints
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
23
Need for segmentation
Load balancing workloads
Isolating data processing
Compartmentalizing data access
Open Systems Interconnection (OSI) layers
Network layer (layer 3)
Transport layer (layer 4)
Application layer (layer 7)
Cloud native versus vendor controls
Deploy host-based firewall within instance
Deploy vendor firewall/security appliance as instance
Transaction and volume costs for cloud native solutions
Cloud Firewall Security
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
24
Basic stateful packet filtering for instances
Default security group
Custom groups
Custom group with no rules drops all network traffic
Can be assigned to multiple instances
Instances in the same subnet can be assigned different security groups
Multiple security groups can be assigned to the same instance
Security Groups
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
25
Screenshot used with permission from Amazon.com.
25
Mediate access to cloud services by enterprise users across all types of devices
Implemented as proxy or via API
Next-Generation Secure Web Gateway
Secure access service edge (SASE)
Cloud Access Security Brokers
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
26
26
Cloud Security Solutions
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
27
Review Activity
Summarize Infrastructure as Code Concepts
Topic 15C
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
28
28
2.2 Summarize virtualization and cloud computing concepts
Syllabus Objectives Covered
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
29
Services Integration and Microservices
Monolithic client/server applications
Service-oriented architecture (SOA)
Atomic services with defined input/output interfaces
Loosely decoupled
Microservices
Each service capable of independent development and deployment
Highly decoupled
Services integration and orchestration
Enterprise service bus versus orchestration
Automating automation
Uses scripts and service APIs to provision a workflow
Cloud orchestration platforms
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
30
30
Means by which external entities interact with a service
Simple Object Access Protocol (SOAP)
XML format messaging
Web Services (WS) standards
Representational State Transfer (REST)
RESTful APIs
HTTP operation/verb
Noun endpoints accessed as URLs
Application Programming Interfaces
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
31
Service provision is wholly abstracted from the hardware, OS, and platform layers
AWS Lambda
Google Cloud Functions
Microsoft Azure Functions
All hardware, OS, and platform management is security of the cloud
Heavily reliant on orchestration
Serverless Architecture
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
32
All configuration and provisioning is performed by scripting/automation/orchestration
Elimination of inconsistency (snowflakes and configuration drift)
Idempotence
Making the same call with the same parameters will always produce the same result
Infrastructure as Code
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
33
Physical and virtual appliances that can be fully automated
Control plane/policy definitions
Data plane/network controller
Management plane
SDN policy > northbound API > network controller > southbound API > firewall appliance
Network functions virtualization (NFV)
Software-Defined Networking
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
34
34
Near real-time collection, aggregation, and reporting of data
Baseline monitoring and anomaly detection
Supports east/west and zero trust
Security orchestration and automated response (SOAR)
Software-Defined Visibility
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
35
35
Fog and Edge Computing
Embedded and IoT devices deployed at the network edge
Strong requirements for availability and low latency
Fog computing
Provision greater processing resource between the edge and data center
Prioritize data for analysis and alert conditions
Edge computing
Defines additional zones and processing nodes
Edge device zone
Edge gateways
Fog nodes
Data center
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
36
Infrastructure as Code
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
37
Review Activity
Summary
Lesson 15
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
38
38