reflection 3

profiletamerrabee3
sy0-601-15v1.0.pptx

Implementing Secure Cloud Solutions

Lesson 15

1

Summarize Secure Cloud and Virtualization Services

Topic 15A

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

2

2

2.2 Summarize virtualization and cloud computing concepts

Syllabus Objectives Covered

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

3

Cloud Deployment Models

Public (multi-tenant)

Cloud service providers (CSPs)

Shared between subscribers

Multi-cloud

Hosted private

Private instance operated by a CSP but dedicated to a single customer

Private

Wholly owned and operated by the organization

On-premises vs. off-premises

Community

Hybrid

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

4

Cloud Service Models

Anything as a service (XaaS)

Infrastructure as a Service (IaaS)

Unconfigured compute, storage, and network resources

Software as a Service (SaaS)

Fully developed applications

Platform as a Service (PaaS)

Pre-configured OS and database/middleware instances

Screenshot used with permission from Amazon.com.

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

5

Specific IaaS, PaaS, or SaaS solutions for business needs

Security in the cloud

Security of the cloud

Cloud responsibility matrix

Anything as a Service

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

6

6

Security as a Service

Consultants

Third-party expertise and perspective

Managed Security Services Provider (MSSP)

Turnkey security solutions

Security as a Service (SECaaS)

Cloud-deployed security assessment and analysis

Cyber threat intelligence and machine learning analytics

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

7

Virtualization platform

Host hardware

Hypervisor/Virtual Machine Monitor (VMM)

Guest operating systems, Virtual Machines (VM), or instances

Virtualization Technologies and Hypervisor Types

Type II hypervisors (host-based)

Type I hypervisors (bare metal)

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

8

8

Virtual Desktop Infrastructure and Thin Clients

Virtual Desktop Infrastructure (VDI)

Storing images of clients (OS + applications) on a central server

Virtual Desktop Environment (VDE) images are loaded by thin clients

Allows for low-power client devices

Centralizes control over client desktops

Allows for almost completely hosted IT infrastructure

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

9

Application Virtualization and Container Virtualization

Application virtualization

Hosting or streaming individual software applications on a server

XenApp, App-V, ThinApp

Container virtualization (application cells)

Resource separation at the OS level

Cannot run different OS VMs

Docker

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

10

VM Escape Protection

Reduce impact of successful exploits

Ensure careful placement of VM services on hosts/within network

Respect security zones (DMZ)

Image © 123RF.com.

Images © 123RF.com.

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

11

VM Sprawl Avoidance

Guest OS security

OS environment must still be maintained

Rogue VMs

System sprawl and undocumented assets

Virtual machine life cycle management (VMLM)

Use template-based VM creation

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

12

Secure Cloud and Virtualization Services

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

13

Review Activity

Apply Cloud Security Solutions

Topic 15B

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

14

14

1.2 Given a scenario, analyze potential indicators to determine the type of attack (Cloud-based versus on-premises only)

2.2 Summarize virtualization and cloud computing concepts

3.6 Given a scenario, apply cybersecurity solutions to the cloud

Syllabus Objectives Covered

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

15

Cloud Security Integration and Auditing

Obtaining and integrating cloud security data

Attack indicators and correlation

Responsibility matrix and SLAs

Security of the cloud

Security in the cloud

Reporting

Legal and compliance responsibilities

Insider threat

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

16

16

Cloud Security Controls

Same types of security controls

IAM, endpoint protection, resource policies, firewalls, logging, …

Cloud native controls vs. third-party solutions

CSP web console, CLI, and API

Vendor virtual instances

Application security and IAM

Secure development/coding

Security accounts/groups/roles

Secrets management

Block use of root account

Use MFA for privileged accounts

Protect API keys

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

17

17

Cloud Compute Security

Compute

Processing resources for cloud workloads (CPU and RAM)

Virtual machines and containers

Dynamic resource allocation

Container security

API inspection and integration

Number of requests

Latency

Error rates

Unauthorized and suspicious endpoints

Instance awareness

Logging and monitoring to mitigate cloud sprawl

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

18

18

Storage

Persistent storage capacity

Performance characteristics for storage tiers

Input/output operations per second (IOPS)

Permissions and resource policies

JavaScript Object Notation (JSON)

Encryption

Symmetric media encryption key

CSP-managed keys versus customer-managed

Separation of duties for CSP-managed keys

Cloud Storage Security

"Statement": [ {

"Action": [

"*"

],

"Effect": "Allow",

"Principal": "*",

"Resource": "arn:aws:s3:::515support-courses-data/*"

} ]

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

19

19

High availability

Virtualization layer provisions dynamic allocation and redundancy

99.99%+ uptime

Replication

Copying data between media, servers, or sites

Performance tiers

High availability across zones

Local

Regional

Geo-redundant storage (GRS)

High Availability

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

20

20

Cloud Networking Security

Cloud networking types

Operating and managing cloud systems

Virtual networks between VMs and containers within the cloud

Virtual networks publishing cloud services

Virtual private clouds (VPCs)

Segmented virtual networks

Can contain multiple IPv4 and IPv6 subnets

Public and private subnets

Internet gateway and default route

Public IP addresses

NAT gateway

VPN

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

21

21

VPCs and Transit Gateways

Routing between subnets

Can use traditional access control lists

Can use vendor security appliance instances

Multiple VPCs for segmentation

Between VPCs in the same account

Between different accounts

To on-premises networks

Peering relationships

One-to-one connections

Transit gateways

Virtual router

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

22

Publishing a service over cloud internal network

Avoids exposing traffic to the Internet

Gateway endpoint

Connect instances to S3 and DynamoDB services

Added as route

Interface endpoint

AWS PrivateLink

Service VPC or default Amazon service published with a DNS name

VPC endpoint interface added to each service consumer VPC

Instances within the consumer VPC access the service via the VPC endpoint interface

VPC Endpoints

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

23

Need for segmentation

Load balancing workloads

Isolating data processing

Compartmentalizing data access

Open Systems Interconnection (OSI) layers

Network layer (layer 3)

Transport layer (layer 4)

Application layer (layer 7)

Cloud native versus vendor controls

Deploy host-based firewall within instance

Deploy vendor firewall/security appliance as instance

Transaction and volume costs for cloud native solutions

Cloud Firewall Security

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

24

Basic stateful packet filtering for instances

Default security group

Custom groups

Custom group with no rules drops all network traffic

Can be assigned to multiple instances

Instances in the same subnet can be assigned different security groups

Multiple security groups can be assigned to the same instance

Security Groups

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

25

Screenshot used with permission from Amazon.com.

25

Mediate access to cloud services by enterprise users across all types of devices

Implemented as proxy or via API

Next-Generation Secure Web Gateway

Secure access service edge (SASE)

Cloud Access Security Brokers

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

26

26

Cloud Security Solutions

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

27

Review Activity

Summarize Infrastructure as Code Concepts

Topic 15C

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

28

28

2.2 Summarize virtualization and cloud computing concepts

Syllabus Objectives Covered

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

29

Services Integration and Microservices

Monolithic client/server applications

Service-oriented architecture (SOA)

Atomic services with defined input/output interfaces

Loosely decoupled

Microservices

Each service capable of independent development and deployment

Highly decoupled

Services integration and orchestration

Enterprise service bus versus orchestration

Automating automation

Uses scripts and service APIs to provision a workflow

Cloud orchestration platforms

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

30

30

Means by which external entities interact with a service

Simple Object Access Protocol (SOAP)

XML format messaging

Web Services (WS) standards

Representational State Transfer (REST)

RESTful APIs

HTTP operation/verb

Noun endpoints accessed as URLs

Application Programming Interfaces

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

31

Service provision is wholly abstracted from the hardware, OS, and platform layers

AWS Lambda

Google Cloud Functions

Microsoft Azure Functions

All hardware, OS, and platform management is security of the cloud

Heavily reliant on orchestration

Serverless Architecture

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

32

All configuration and provisioning is performed by scripting/automation/orchestration

Elimination of inconsistency (snowflakes and configuration drift)

Idempotence

Making the same call with the same parameters will always produce the same result

Infrastructure as Code

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

33

Physical and virtual appliances that can be fully automated

Control plane/policy definitions

Data plane/network controller

Management plane

SDN policy > northbound API > network controller > southbound API > firewall appliance

Network functions virtualization (NFV)

Software-Defined Networking

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

34

34

Near real-time collection, aggregation, and reporting of data

Baseline monitoring and anomaly detection

Supports east/west and zero trust

Security orchestration and automated response (SOAR)

Software-Defined Visibility

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

35

35

Fog and Edge Computing

Embedded and IoT devices deployed at the network edge

Strong requirements for availability and low latency

Fog computing

Provision greater processing resource between the edge and data center

Prioritize data for analysis and alert conditions

Edge computing

Defines additional zones and processing nodes

Edge device zone

Edge gateways

Fog nodes

Data center

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

36

Infrastructure as Code

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

37

Review Activity

Summary

Lesson 15

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

38

38