I’m working on a cyber security discussion question and need an explanation and answer to help me learn.

Discuss the advantages and disadvantages of Cloud Computing. What are the information security implications of Cloud Computing, and how can a company mitigate against them?

9.4.4 Cloud Computing Facts
This lesson covers the following topics:
Cloud computing
Types of clouds
Cloud computing models
Cloud security risk reduction
Virtual Desktop Infrastructure (VDI)
Cloud Computing
Cloud computing is software, data access, computation, and storage services provided to clients through
the internet. The term cloud is a metaphor for the internet. It is based on the basic cloud drawing used to
represent the telephone network. It is now used to describe the internet infrastructure in computer
network diagrams. Characteristics of cloud computing include:
Delivery of common business applications that are accessed from a web service or software (like a
web browser).
The cloud connection can exist over the internet or a LAN.
Cloud computing does not require end-user knowledge of the physical location and configuration of
the system that delivers the services.
Types of clouds
Cloud computing can be implemented in several different ways, including the following:
Public cloud: A public cloud can be accessed by anyone. Cloud-based computing resources, such as platforms, applications, storage, or other resources, are made available to the general public by a cloud service provider. The service provider may or may not charge a fee for using these resources. For example, Google provides many publicly accessible cloud applications, such as Gmail and Google Docs.

Private cloud: A private cloud provides resources to a single organization. Access is restricted to users within the organization. Private clouds can be hosted internally, but because of the expense and expertise required to implement them, they are often hosted externally by a third party. The organization enters into an agreement with a cloud service provider, which provides secure access to cloud-based resources. The organization's data is kept separate and secure from any other organization using the same service provider.

Community cloud: A community cloud is designed to be shared by several organizations. Access is restricted to users within the organizations that share the community cloud infrastructure. Community clouds can be hosted internally (on-premises), with each organization sharing the cost of implementation and maintenance. Because of the expense and expertise required, community clouds are commonly hosted externally by a third party.

Hybrid cloud: A hybrid cloud is composed of a combination of public, private, and community cloud resources, possibly from different service providers. The goal behind a hybrid cloud is to expand the functionality of a given cloud service by integrating it with other cloud services.
The advantages of cloud computing are:
Flexible access
Ease of use
Self-service resource provisioning
API availability
Service metering
The ability to try software applications in cloud computing service models
Cloud Computing Models
Cloud computing service models include the following:
Infrastructure as a Service (IaaS): IaaS delivers infrastructure to the client, such as processing, storage, networks, and virtualized environments. The client deploys and runs software without purchasing servers, data center space, or network equipment.

Platform as a Service (PaaS): PaaS delivers everything a developer needs to build an application. The deployment comes without the cost and complexity of buying and managing the underlying hardware and software layers.

Software as a Service (SaaS): SaaS delivers software applications to the client over the internet or on a local area network. SaaS comes in two implementation types:
Simple multi-tenancy, in which each customer has its own resources that are segregated from other customers' resources.
Fine-grain multi-tenancy, which segregates customers' data but shares the underlying resources.

Security as a Service (SECaaS): SECaaS providers integrate their services into a corporate infrastructure. The applications and software are specific to organizational security. SECaaS is based on the Software as a Service cloud computing model, but is limited to information security services and does not require on-premises hardware. These security services can include authentication, antivirus, anti-malware, anti-spyware, intrusion detection, penetration testing, and security event management.
SECaaS can sometimes be much more cost effective for an organization than paying for all the equipment and personnel needed to properly protect a network from viruses, malware, and intrusion. However, it is still necessary to have an on-site security professional.
Cloud Security Risk Reduction
Cloud service providers, and the organizations that use them, reduce the risk of security breaches through the following actions:
Authenticate all users who access the service and allow users to access only the applications and data that they need.
Use a Cloud Access Security Broker (CASB). A CASB is a software tool or service that sits between an organization and a cloud service provider. Its job is to make sure that all communication and access to the cloud service provider complies with the organization's security policies and procedures.
Segregate each organization's centrally stored data.
Verify, test, and apply updates to the infrastructure.
Establish a formal process for all facets of the service, from user requests to major data breaches and catastrophic events.
Implement security monitoring for usage, unusual behavior, and other events.
Implement encryption all the way to the point of use, such as the client's web browser, so that data is protected in transit and not only at rest in the provider's storage.
Have an independent third party probe for security holes (penetration testing) rather than relying only on the provider's own assessment.
Comply with all regulatory measures, such as the Sarbanes-Oxley Act.
Virtual Desktop Infrastructure (VDI)
Cloud-based services can be hosted externally by third-party service providers or internally on your own
virtualization infrastructure. For example, internal private clouds are commonly used to provide a VDI.
Using VDI, user desktops are virtualized, running on high-end hardware in the data center instead of on
the end user’s workstation hardware. The physical workstation is merely used to establish a remote
connection to the user’s virtualized desktop. This is sometimes called a thin client deployment because
most of the computing power is provided by servers in the data center. Traditional deployments, where
most of the processing load is handled by the local workstation, are called thick client deployments.
Using VDI provides increased flexibility, enhanced security, efficient management, and better data
protection than the traditional workstation-based desktop model. Consider the following advantages:
Workstation hardware costs are reduced. Only minimal workstation hardware is required to run a
Remote Desktop (Windows) or VNC (Linux) client and connect to the private cloud.
User data on the desktop can be protected centrally by backing up the virtual disks on the hypervisor hosts where the virtualized desktops run. There is no need to back up physical workstations separately.
If a user’s physical workstation fails, no data is lost. The user can access the virtualized desktop from
a different workstation while the failed hardware is repaired or replaced.
If a widespread malware infection hits multiple user desktops, the affected virtual systems can be
quickly re-imaged on the hypervisor. There is no need to push large images down to end users’
workstations over the network.
If a user loses a device, such as a notebook or tablet, there is much less of a chance that critical data
will be compromised because no data is saved on the device.
Copyright © 2022 TestOut Corporation All rights reserved.
9.4 Cloud Services
As you study this section, answer the following questions:
What is the difference between a hybrid cloud and a community cloud?
What is the difference between infrastructure as a service (IaaS) and platform as a service (PaaS)?
Which two implementations are available for software as a service (SaaS)?
What services does cloud computing provide?
Which cloud computing model allows the client to run software without purchasing servers, data
center space, or network equipment?
Key terms for this section include the following:
Cloud: A metaphor for the internet.
Cloud computing: Software, data access, computation, and storage services provided to clients through the internet.
Public cloud: Platforms, applications, storage, or other resources that are made available to the general public by a cloud service provider.
Private cloud: Platforms, applications, storage, or other resources that are made available to a single organization.
Community cloud: Platforms, applications, storage, or other resources that are shared by several organizations.
Hybrid cloud: A combination of public, private, and community cloud resources from different service providers.
This section helps you prepare for the following certification exam objectives:
TestOut Security Pro
3.0 Host and Application Defense
3.3 Implement Virtualization

CompTIA Security+ SY0-601
2.1 Explain the importance of security concepts in an enterprise environment.
Cloud access security broker (CASB)
2.2 Summarize cloud and virtualization concepts.
Cloud models
Infrastructure as a service (IaaS)
Platform as a service (PaaS)
Software as a service (SaaS)
Public
Community
Private
Hybrid
Cloud service providers
Managed service provider (MSP)/Managed security service provider (MSSP)
On-premises vs. off-premises
Fog computing
Edge computing
Serverless architecture
Services integration
Resource policies
9.4.5 Cloud Storage Security Facts
This lesson covers the following topics:
Cloud storage
Advantages of cloud storage
Cloud Storage
Cloud storage is a data storage model. It is usually provided by a third party as a service. Some of the most widely used enterprise cloud storage providers are Google Cloud, Amazon Web Services, and Microsoft Azure. Many companies take advantage of cloud services to decrease costs and meet ever-increasing storage needs.
Cloud storage services may be accessed through a co-located cloud compute service, a web service application programming interface (API), or applications that use the API. Cloud desktop storage that uses a cloud storage gateway or a web-based content management system is an example of an application that uses the API.
A cloud access security broker (CASB) may act as a gatekeeper, extending an organization’s security
policies into the cloud storage infrastructure. A CASB focuses on the visibility of the company data,
regulation compliance, user access to prevent threats, and data security through encryption and loss
prevention.
Cloud storage is:
Made up of many distributed resources but still acts as one, either in a federated or a cooperative
storage cloud architecture.
Highly fault tolerant through redundancy and distribution of data.
Highly durable through the creation of versioned copies.
Cloud storage is a virtualized service; the infrastructure is the responsibility of the storage provider. Access controls should be set in the same way they would be set on a local file system. There is no need for the provider to have access to the stored data. Measures for securing cloud storage include:
Implement security controls in the same way as in a physical datacenter.
Use data classification policies.
Assign information into categories that determine storage, handling, and access requirements.
Assign security classification based on information sensitivity and criticality.
Use specialized tools to securely dispose of data when it is no longer needed.
Advantages of Cloud Storage
Advantages of Cloud Storage are:
Companies pay only for the storage used. This does not necessarily mean that cloud storage is less
expensive, but it incurs only operating expenses.
Cloud storage can cut energy consumption by up to 70%, making an organization greener.
Organizations can choose between off-premises and on-premises cloud storage options, or a
mixture of the two options.
Storage availability and data protection is intrinsic to object storage architecture. Depending on the
application, you can eliminate the costs, effort, and additional technology to add availability and
protection.
Storage maintenance tasks, such as purchasing additional storage capacity, are the responsibility of
the service provider.
Cloud storage can be used for copying virtual machine images from the cloud to on-premises
locations or to import a virtual machine image from an on-premises location to the cloud image
library.
Cloud storage can be used as natural disaster backup, since cloud storage providers’ backup servers
are typically located in different places around the globe.
9.5.3 Cloud Security Controls Facts
Most organizations rely on cloud services or will in the future. Cloud services provide many benefits, but
there are risks involved when data security is the responsibility of an outside source. To safeguard
against vulnerabilities, implement a cloud security strategy.
This lesson covers the following topics:
Cloud security concepts
Network security concepts
Cloud access
Cloud Security Concepts
The following table describes cloud security concepts.

High availability across zones: Cloud service providers replicate data across multiple zones and within zones to provide high availability. Replication:
Helps eliminate downtime (the time your data is unavailable).
Redirects requests to another availability zone when a zone fails.
To determine the best provider for your organization, compare cloud service providers' availability percentages:
Availability percentage = uptime / (uptime + downtime) x 100
The higher the percentage, the more resilient and reliable a provider is. For example, 99.9% availability still permits roughly 8.8 hours of downtime per year, while 99.99% permits less than an hour.

Integration: Cloud integration is the system that connects application repositories, systems, and IT environments in a way that allows access and exchange of data over a network by multiple devices and locations. This can include:
Cloud-to-on-premises integration
Cloud-to-cloud integration
Both cloud-to-on-premises integration and cloud-to-cloud integration
Your organization's systems must be tightly integrated with the cloud provider to preserve secure communication across the combined system.

Encryption: Cloud service providers protect a customer's data by converting it to ciphertext. It is your responsibility to:
Be familiar with your cloud service provider's encryption services. Some cloud service providers offer encryption before the data is transferred to the cloud, some do not, and some offer end-to-end encryption only for sensitive data.
Familiarize yourself with your provider's encryption policies and procedures to ensure they meet your security requirements.
Encrypt your data in-house before it is transferred to the cloud if encryption is not part of the service you chose. Data encrypted with keys you control cannot be read by the provider or by anyone who compromises the provider's storage.

Instance awareness: Instance awareness is the ability to apply cloud security within an application using rules that are specific to an instance. It allows you to set one set of security rules for an instance of an app that interacts with one organization and a different set of rules for an instance of the same app that interacts with another organization.

Virtual private cloud (VPC) endpoint: A VPC endpoint is a virtual device that provides a private connection between virtual private clouds and a cloud provider's services. A VPC endpoint keeps traffic private with a private link resource. VPC endpoints improve cloud security because traffic from VPC resources never traverses the internet to reach the service.

Cloud security infrastructure: To ensure your cloud service provider has and maintains a strong security infrastructure:
Verify the provider's firewall protection from external sources. If the firewall is inadequate, provide your own.
Verify the log monitoring and analysis tools offered by your provider.

Cloud auditing: Cloud auditors evaluate:
Security controls
Performance
Communication
Risk management
Data management
Vulnerability and remediation management
Privacy of the cloud provider's services
Compliance with regulations and security policies

Application programming interface (API) inspection and integration: APIs are the software that allows applications and cloud computing systems to communicate with each other. You should regularly inspect the API integration points to:
Ensure authentication is required from the end user before access is given.
Determine the functions or operations necessary for each user and authorize only those functions or operations.
Restrict users from using unnecessary roles.
Scan payloads and validate API schemas to prevent injection attacks, and require TLS on every API call so that a man-in-the-middle cannot read or alter requests.
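As an added example, not code from the TestOut lesson, the following Python script puts the four API checks above into one request path: an HMAC-signed bearer token is verified before anything else, the operation is looked up in an allow-list that maps it to the scope it needs, and a POST body is validated against a strict schema that rejects unknown fields, wrong types, and values that fail a pattern check, which is how an injected extra field or a quoted SQL fragment is stopped at the edge. The API paths, scopes, schema, and signing key are hypothetical, and the token format stands in for whatever your identity provider issues. TLS is assumed to be terminated in front of this code; the script does not replace it.

```python
import base64
import binascii
import hashlib
import hmac
import json
import re
import time

# Constructed demo signing key. In a real deployment the key lives in the
# provider's secrets manager and is never hardcoded (assumption for this example).
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Allow-list of API operations and the scope each one requires (hypothetical API).
OPERATIONS = {
    ("GET", "/v1/invoices"): "invoices:read",
    ("POST", "/v1/invoices"): "invoices:write",
}

# Schema for the POST /v1/invoices body: field -> (expected type, value check).
# Anything not listed here is rejected, which keeps injected fields out.
INVOICE_SCHEMA = {
    "customer_id": (str, re.compile(r"[A-Za-z0-9_-]{1,32}").fullmatch),
    "amount_cents": (int, lambda v: 0 < v <= 10_000_000),
    "currency": (str, {"USD", "EUR", "GBP"}.__contains__),
}


def issue_token(subject, scopes, ttl_seconds=300, now=None):
    """Mint an HMAC-signed bearer token (stand-in for a real identity provider)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scopes": scopes, "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(sig).decode())


def verify_token(token, now=None):
    """Return the token's claims, or None if it is malformed, forged, or expired."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def validate_body(body, schema):
    """Reject unknown fields, wrong types, and out-of-range values; return the error list."""
    errors = []
    for field in body:
        if field not in schema:
            errors.append("unexpected field %r" % field)
    for field, (expected_type, check) in schema.items():
        if field not in body:
            errors.append("missing field %r" % field)
        elif type(body[field]) is not expected_type or not check(body[field]):
            errors.append("invalid value for %r" % field)
    return errors


def authorize_request(token, method, path, body=None, now=None):
    """Authenticate, then authorize the operation, then validate the payload.

    Returns an (HTTP status, reason) pair so the caller can log the rejection.
    """
    claims = verify_token(token, now)
    if claims is None:
        return 401, "invalid or expired token"
    required_scope = OPERATIONS.get((method, path))
    if required_scope is None:
        return 404, "unknown operation"
    if required_scope not in claims.get("scopes", []):
        return 403, "missing scope %s" % required_scope
    if method == "POST":
        errors = validate_body(body or {}, INVOICE_SCHEMA)
        if errors:
            return 400, "; ".join(errors)
    return 200, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    reader = issue_token("svc-reporting", ["invoices:read"], now=now)
    print(authorize_request(reader, "GET", "/v1/invoices", now=now))
    print(authorize_request(reader, "POST", "/v1/invoices", {"customer_id": "c1"}, now=now))
    writer = issue_token("svc-billing", ["invoices:read", "invoices:write"], now=now)
    injected = {"customer_id": "1' OR '1'='1", "amount_cents": 500, "currency": "USD",
                "role": "admin"}
    print(authorize_request(writer, "POST", "/v1/invoices", injected, now=now))
```

The order of the checks matters: authentication fails closed before the operation table is consulted, so an unauthenticated caller cannot probe which paths exist, and the schema is checked only after authorization so that a caller without write scope never reaches the body parser.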
Network Concepts
To understand how to secure your applications and data in the cloud, it helps to understand network
concepts that enhance security.
Virtual networks: Virtual networks connect virtual machines and devices through software. Network virtualization can also combine network hardware resources and network software resources into one unit.
Virtual networks have a physical underlay made of physical servers and routers. Underlays use bridges and routers to carry traffic.
Virtual networks also have overlays that run on top of the underlay. Overlays have virtual routers and bridges that connect the virtual machines within the virtual network.
Tunnel endpoints (TEPs) encapsulate overlay traffic so it can cross the physical network between hosts, and decapsulate it on arrival.
Segments are used in the virtual network to reduce traffic and keep areas within the virtual network separate.
Firewalls can also be used in the virtual network to protect segments through micro-segmentation.
Virtual networks limit access to resources because most of the network functions in an isolated environment.
Virtual networks:
Limit costs.
Allow you to create the virtual machines, routers, bridges, and firewalls to suit your needs.

Public and private subnets: Subnets are subdivisions of an IP network.
Public subnets have a route to the internet and can send outbound traffic to it directly.
Private subnets reach the internet only through a network address translation (NAT) gateway that sits in a public subnet. Database servers in a private subnet can connect out through the NAT gateway, but internet connections are never established directly to the database servers.
Subnets give you greater control over who has access to your network. Dividing your network limits traffic, exposure, and potential damage from an attack. For example, if an attacker gains access to or inserts malicious code into one subnet, the attack is confined to that subnet unless the rules between subnets allow it to spread.

Segmentation: Segmentation divides a network into network segments using virtual local area networks (VLANs) and firewalls. To protect segments, filter traffic between segments with a deny-all rule first and then add rules that allow only the necessary traffic.
Segmentation:
Aids in monitoring traffic for security issues.
Limits any damage to the compromised segment.
Cloud Storage Access
Standard security access measures are even more important when using cloud computing. The following
table describes security access measures to implement when using cloud computing.
Security groups: A security group is a named set of firewall rules that is attached to cloud instances. It is controlled through permissions and works like a stateful firewall that controls traffic to and from the instances.
Security group rules act as restrictive access control lists (ACLs) that allow ingress traffic only from specific source IP ranges and only to the specific ports an application listens on.
When using security groups:
Regularly check security group policies to ensure they are allowing traffic only from acceptable addresses based on the organization's policies and purposes.
Never allow incoming traffic from the whole internet (0.0.0.0/0 or ::/0) to SSH port 22.
Never allow incoming traffic from the whole internet to RDP port 3389.
Restrict administrative ports to known management sources, such as a VPN address range or a bastion host; where the provider offers a brokered session service that needs no open inbound port, use it instead.
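The following Python script is an added example (not from the lesson) of the "regularly check security group policies" step. It audits a constructed set of inbound rules in the simplified shape of an AWS security group and reports SSH or RDP reachable from the internet or from a source outside an approved management range, any rule that opens every port, and any non-web port exposed to the internet. The rule set, the group ID, and the approved source range are made up for the example; the audit assumes the deny-all-then-allow model described under Segmentation, so anything it reports is a rule that should be removed or narrowed.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WEB_PORTS = {80, 443}
ANYWHERE = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))

# Constructed sample in the shape of a cloud provider's inbound security group
# rules (simplified from the AWS EC2 format; not real data). Protocol "-1"
# means "all protocols", which the provider treats as every port.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ["0.0.0.0/0"]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ["0.0.0.0/0"]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ["198.51.100.5/32"]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": ["203.0.113.0/24"]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": ["10.0.0.0/8"]},
        {"IpProtocol": "-1", "FromPort": None, "ToPort": None, "IpRanges": ["::/0"]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": ["10.20.0.0/16"]},
    ],
}

# Constructed allow-list: the only sources that may reach administrative ports
# (for example the corporate VPN egress range). Assumption for this example.
APPROVED_ADMIN_SOURCES = ["203.0.113.0/24"]


def rule_ports(rule):
    """Return the (low, high) port span a rule opens; protocol -1 means all ports."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def is_approved(net, approved):
    """True if net lies inside an approved source network of the same IP version."""
    return any(net.subnet_of(a) for a in approved if a.version == net.version)


def audit_rule(rule, approved):
    """Return the findings for one ingress rule as a list of strings."""
    findings = []
    low, high = rule_ports(rule)
    for cidr in rule["IpRanges"]:
        net = ipaddress.ip_network(cidr)
        world = net in ANYWHERE
        if high - low == 65535:
            findings.append("all ports open from %s" % cidr)
            continue
        admin_hits = [(p, n) for p, n in ADMIN_PORTS.items() if low <= p <= high]
        for port, name in admin_hits:
            if world:
                findings.append("%s (%d) open to the internet via %s" % (name, port, cidr))
            elif not is_approved(net, approved):
                findings.append("%s (%d) reachable from non-approved source %s"
                                % (name, port, cidr))
        # Anything else exposed to the world is worth a look unless it is plain web traffic.
        if world and not admin_hits and not (low == high and low in WEB_PORTS):
            findings.append("ports %d-%d open to the internet via %s" % (low, high, cidr))
    return findings


def audit_group(group, approved_admin_cidrs):
    """Audit every inbound rule of a security group; an empty list means it passes."""
    approved = [ipaddress.ip_network(c) for c in approved_admin_cidrs]
    findings = []
    for rule in group["IpPermissions"]:
        findings.extend(audit_rule(rule, approved))
    return findings


if __name__ == "__main__":
    for finding in audit_group(SAMPLE_GROUP, APPROVED_ADMIN_SOURCES):
        print("%s: %s" % (SAMPLE_GROUP["GroupId"], finding))
```

In a real account the rule list would come from the provider's API; the audit logic is the same, and running it on a schedule is what turns the "regularly check" bullet into a control rather than an intention.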
Container security: A container holds the complete runtime environment, including an application, its dependencies, libraries, other binaries, and configuration files, all in one unit. Benefits of containers include:
Containers allow software to function properly when moved from one computing environment to another.
Multiple applications in containers can run on one server using the same operating system.
Each container shares the OS kernel with the other containers, which requires fewer resources than a virtual machine.
Because the kernel is shared, a kernel vulnerability reachable from one container can affect every container on the host, so treat containers as a weaker isolation boundary than virtual machines and keep the host kernel patched.
Root account security: To secure the root account:
Create an administrative group and assign rights to it.
Do not give rights to any other groups or individual users.
Use groups to control the level of access to files and programs.
Secrets management: Secrets management is the method for managing authentication credentials, which can include passwords, encryption keys, usernames, email addresses, and private certificates. To secure secrets:
Centralize all secrets across your network using one tool for management.
Ensure password security through:
Regular rotation
Complexity
Password expirations
Remove default and hardcoded credentials from:
Applications
Code files
Test builds
Production builds
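As an added example, not part of the lesson, the following Python scanner does the "remove default and hardcoded credentials" step for a set of files before they reach a build. It matches an AWS access key ID, an AWS secret key assignment, a PEM private key header, and a quoted value assigned to a password- or token-like name, and it skips values that only reference a secret held elsewhere (an environment variable or a template placeholder) so that code which correctly pulls from a secrets manager is not flagged. The file contents are constructed for the example; the AWS values are the placeholder keys used in AWS documentation, not real credentials.

```python
import re

# Detection rules: (name, compiled pattern). Group 1, when present, is the secret value.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("private-key",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-password",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|token|api_key)\w*"
                r"\s*[=:]\s*['\"]([^'\"]{4,})['\"]")),
]

# Constructed sample repository contents (not real files or real credentials).
# The AWS values are the placeholder keys from AWS documentation.
SAMPLE_FILES = {
    "settings.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "hunter2"\nDEBUG = False\n',
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "deploy.sh": '#!/bin/sh\nexport API_TOKEN="${API_TOKEN:?set in CI secrets}"\necho deploying\n',
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
              "-----END OPENSSH PRIVATE KEY-----\n",
}


def is_reference(value):
    """True when a matched value only refers to a secret kept elsewhere.

    "$VAR" / "${VAR}" are shell or CI variables; "{{ ... }}" is a template placeholder.
    """
    return value.startswith("$") or value.startswith("{{")


def scan_text(path, text):
    """Scan one file's text; return (path, line_number, rule_name) triples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if pattern.groups else match.group(0)
            if is_reference(value):
                continue
            findings.append((path, lineno, name))
    return findings


def scan_files(files):
    """Scan a mapping of path -> text, e.g. the files staged for a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, lineno, rule in scan_files(SAMPLE_FILES):
        print("%s:%d: %s" % (path, lineno, rule))
```

Wire a scanner like this into a pre-commit hook and the CI pipeline, and treat any hit as a credential to rotate, not only a line to delete: once a secret has been committed it must be assumed exposed even if the commit is rewritten.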
Permission management: Configuring permissions is essential in cloud data security.
To manage permissions, you can use buckets, the top-level storage units that hold your objects.
Applying permissions to a bucket lets you manage who has access to a set of data. For example, a bucket may need to be globally readable at the first stage of a project, but it will need tighter permissions at the next stage.
Always practice the principle of least privilege with cloud storage.
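The following Python checker is an added example (not from the lesson) that ties the data classification measures in the Cloud Storage Security section to the bucket permissions described here. Given a bucket's classification and its policy in AWS S3 policy syntax, it reports Allow statements that grant read or write to everyone when the classification forbids it and, for confidential and restricted data, the absence of a Deny statement for uploads that do not request server-side encryption. The condition key s3:x-amz-server-side-encryption is the real one; the bucket, the account, and the classification table are constructed. The first policy is the "globally readable at the first stage" bucket from the example above, and the hardened policy is what it should look like at the next stage.

```python
import fnmatch

READ_ACTIONS = ("s3:GetObject",)
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject")
SSE_CONDITION_KEY = "s3:x-amz-server-side-encryption"

# What each data classification requires of a bucket policy. Constructed for this
# example; an organization's own classification policy supplies the real table.
REQUIREMENTS = {
    "public":       {"public_read": True,  "public_write": False, "require_sse": False},
    "internal":     {"public_read": False, "public_write": False, "require_sse": False},
    "confidential": {"public_read": False, "public_write": False, "require_sse": True},
    "restricted":   {"public_read": False, "public_write": False, "require_sse": True},
}

# Constructed bucket policy in AWS S3 policy syntax (fictional account and bucket).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ProjectKickoffRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-invoices/*"},
        {"Sid": "FinanceRoleRW", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/finance"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::acme-invoices/*"},
    ],
}

# The same bucket at the project's next stage: public read removed and
# unencrypted uploads denied.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        SAMPLE_POLICY["Statement"][1],
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::acme-invoices/*",
         "Condition": {"StringNotEquals": {SSE_CONDITION_KEY: "aws:kms"}}},
    ],
}


def as_list(value):
    """IAM allows a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_everyone(statement):
    """True when the statement's principal is the anonymous wildcard."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def grants_action(statement, action):
    """True when any Action pattern in the statement covers the given action."""
    return any(fnmatch.fnmatchcase(action, p) for p in as_list(statement.get("Action")))


def public_grants(policy, actions):
    """Sids of Allow statements that give any of the listed actions to everyone.

    Conditions are deliberately ignored, so a conditional public grant is still
    reported for a human to review rather than silently accepted.
    """
    return [s.get("Sid", "?") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and grants_everyone(s)
            and any(grants_action(s, a) for a in actions)]


def denies_unencrypted_put(policy):
    """True when a Deny statement blocks s3:PutObject requests lacking the SSE header."""
    for s in policy["Statement"]:
        if s.get("Effect") != "Deny" or not grants_action(s, "s3:PutObject"):
            continue
        for keys in s.get("Condition", {}).values():
            if SSE_CONDITION_KEY in keys:
                return True
    return False


def check_bucket(classification, policy):
    """Return the list of policy violations for a bucket of the given classification."""
    req = REQUIREMENTS[classification]
    violations = []
    if not req["public_read"]:
        for sid in public_grants(policy, READ_ACTIONS):
            violations.append("%s grants read to everyone" % sid)
    if not req["public_write"]:
        for sid in public_grants(policy, WRITE_ACTIONS):
            violations.append("%s grants write to everyone" % sid)
    if req["require_sse"] and not denies_unencrypted_put(policy):
        violations.append("no Deny for unencrypted s3:PutObject")
    return violations


if __name__ == "__main__":
    print(check_bucket("confidential", SAMPLE_POLICY))
    print(check_bucket("confidential", HARDENED_POLICY))
```

The classification table is what makes this least privilege rather than a blanket rule: the same kickoff policy passes for a bucket classified public and fails for one classified confidential, which is exactly the "tighter permissions at the next stage" transition the text describes.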
9.5 Cloud Security
As you study this section, answer the following questions:
How can I secure my data in the cloud?
How do cloud networks work?
What is the role of segmentation in cloud security?
How do cloud-based firewalls work? Why are they important for security?
In this section, you will learn to:
Recognize how cloud security controls protect data.
Configure permissions and encryption for cloud data.
Identify how cloud networks can be used to protect data.
Protect data with cloud firewalls.
The key terms for this section include:
Cloud access security broker (CASB): A software tool or service, deployed on-premises or in the cloud, that sits between an organization and a cloud service provider.
Virtual networks: Virtual machines and devices connected through software.
Segmentation: The division of a network into smaller networks through virtual local area networks (VLANs) and firewalls.
Security group: A named set of firewall rules that works like a firewall to control traffic to and from network resources.
Virtual private cloud (VPC) endpoint: A virtual device that provides a private connection between virtual private clouds and a cloud provider's services. A VPC endpoint keeps traffic private with a private link resource.
Container: A standard unit of software that holds the complete runtime environment, including an application, all application dependencies, libraries, binaries, and configuration files.
Cloud-based firewall: A software network device deployed in the cloud that protects against unwanted access to a private network.
This section helps you prepare for the following certification exam objectives:
TestOut Security Pro
3.0 Host and Application Defense
3.2 Implement Application Defenses

CompTIA Security+ SY0-601
3.6 Given a scenario, apply cybersecurity solutions to the cloud
Cloud security controls
High availability across zones
Resource policies
Secrets management
Integration and auditing
Storage
Permissions
Encryption
Replication
High availability
Network
Virtual networks
Public and private subnets
Segmentation
API inspection and integration
Compute
Security groups
Dynamic resource allocation
Instance awareness
Virtual private cloud (VPC) endpoint
Container security
Solutions
CASB
Application security
Next-generation secure web gateway (SWG)
Firewall considerations in a cloud environment
Cost
Need for segmentation
Open Systems Interconnection (OSI) layers
Cloud native controls vs. third-party solutions