Cisco CyberOps Associate - Ch. 2: Introduction to Cloud Computing and Cloud Security

Cisco Certified CyberOps Associate (200-201 CBROPS) Official Cert Guide Chapter 2 -Introduction to Cloud Computing and Cloud Security Study Guide


1. Exam Prep - Key Topics

1.1. NIST Definition of Public, Private, Community, & Hybrid Clouds

1.1.1. Special Publication (SP) 800-145, “The NIST Definition of Cloud Computing”

1.1.1.1. Cloud Characteristics

1.1.1.1.1. On-Demand Self-Service

1.1.1.1.2. Broad Network Access

1.1.1.1.3. Resource Pooling

1.1.1.1.4. Rapid Elasticity

1.1.1.1.5. Measured Service

1.1.1.2. Cloud Deployment Models

1.1.1.2.1. Public Cloud

1.1.1.2.2. Private Cloud

1.1.1.2.3. Community Cloud

1.1.1.2.4. Hybrid Cloud

1.2. Defining IaaS, PaaS, & SaaS

1.2.1. Infrastructure as a Service (IaaS)

1.2.1.1. A cloud solution where you rent infrastructure.

1.2.1.1.1. Example

1.2.2. Platform as a Service (PaaS)

1.2.2.1. Provides everything except the application in a System Development Lifecycle (SDLC).

1.2.2.1.1. Examples

1.2.3. Software as a Service (SaaS)

1.2.3.1. Designed to provide complete packaged solutions.

1.2.3.1.1. Examples

1.3. Cloud Security Responsibility Models

1.3.1. Cloud Security Responsibility is shared between clients and the cloud provider depending on the cloud model (IaaS, PaaS, SaaS).

1.3.1.1. Software as a Service (SaaS)

1.3.1.2. Platform as a Service (PaaS)

1.3.1.3. Infrastructure as a Service (IaaS)

1.4. The Agile Methodology

1.4.1. In software development, agile (sometimes written Agile) practices involve discovering requirements and developing solutions through the collaborative effort of self-organizing and cross-functional teams and their customer(s)/end user(s).

1.4.2. Scrum

1.4.2.1. Framework for collaboration through shared experiences. Scrum describes a set of meetings, tools, and roles that work in concert to help teams manage their work.

1.4.2.2. Sprints

1.4.2.2.1. The Scrum framework uses the concept of “sprints” (a short, time-boxed period when a Scrum team works to complete a predefined amount of work). Sprints are one of the key concepts of the Scrum and Agile methodologies.

1.4.3. Kanban

1.4.3.1. Kanban is a scheduling system for Lean development and just-in-time (JIT) manufacturing originally developed by Taiichi Ohno from Toyota.

1.5. Understanding What DevOps Is

1.5.1. DevOps Value Stream

1.5.1.1. Product Management

1.5.1.2. Software (or Hardware) Development

1.5.1.3. Quality Assurance

1.5.1.4. IT Operations

1.5.1.5. InfoSec & Cybersecurity practices

1.5.2. Methods of DevOps

1.5.2.1. Systems & Flows

1.5.2.2. Feedback Loops

1.5.2.3. Continuous Experimentation & Learning

1.6. CI/CD Pipelines

1.6.1. Continuous Integration (CI)

1.6.1.1. A software development practice where programmers merge code changes in a central repository multiple times a day.

1.6.2. Continuous Delivery (CD)

1.6.2.1. Sits on top of CI and provides a way to automate the entire software release process.

1.6.3. In a CI/CD process, each change to code should trigger a build and test sequence running through the CI/CD Pipeline.

1.6.3.1. CI/CD Pipeline Stages

1.7. Understanding what serverless computing is

1.7.1. Serverless is an execution model in which the cloud provider dynamically manages the provisioning of servers. Serverless applications run in stateless containers that are ephemeral and event-triggered.

1.7.2. Example

1.7.2.1. AWS Lambda

1.8. Security questions to ask cloud service providers

1.8.1. Who has access?

1.8.2. What are your regulatory requirements?

1.8.2.1. Organizations operating in the United States, Canada, or the European Union have many regulatory requirements.

1.8.2.1.1. Examples

1.8.3. Do you have the right to audit?

1.8.4. What type of training does the provider offer its employees?

1.8.5. What type of data classification system does the provider use?

1.8.6. How is your data separated from other users' data?

1.8.7. Is encryption being used?

1.8.8. What are the service-level agreement (SLA) terms?

1.8.9. What is the long-term viability of the provider?

1.8.10. Will the provider assume liability in the case of a breach?

1.8.11. What is the disaster recovery/business continuity plan (DR/BCP)?

1.9. Common cloud security threats

1.9.1. Denial of Service (DoS)

1.9.1.1. Using directed, reflected, & amplified DoS & DDoS attacks to cause service disruption.

1.9.2. Session Hijacking

1.9.2.1. Occurs when an attacker can sniff or intercept traffic to take over a legitimate connection to a cloud service.

1.9.3. DNS Attacks

1.9.3.1. Attacks targeting DNS infrastructure, DNS poisoning attacks, & DNS Zone Transfer attacks.

1.9.4. Cross-Site Scripting (XSS)

1.9.4.1. Adversaries use input validation attacks to steal user cookies or redirect users to malicious sites.

1.9.5. Shared Technology & Multitenancy Concerns

1.9.5.1. Cloud infrastructure is often shared among a large number of tenants. This requires a diligent approach to auditing and patch/configuration management, especially for virtual machine hypervisors, container management, & orchestration.

1.9.6. Hypervisor Attacks

1.9.6.1. If a hypervisor is compromised, all hosted VMs could be compromised.

1.9.7. Virtual Machine (VM) Attacks

1.9.7.1. If a VM escape attack occurs, all VMs within the host have the potential to be compromised as well.

1.9.8. Cross-site Request Forgery (CSRF)

1.9.8.1. Used to steal cookies and leverages the trust between a user and application.

1.9.9. SQL Injection

1.9.9.1. Exploits cloud-based applications that allow attackers to pass SQL commands to a database for execution.

1.9.10. Session Riding

1.9.10.1. Another term for a CSRF attack: attackers transmit unauthorized commands by riding the active sessions of currently logged-in users.

1.9.11. Distributed denial-of-service (DDoS) Attacks

1.9.11.1. Some argue that the cloud is more vulnerable to DDoS attacks because it is a shared environment.

1.9.12. Man-in-the-Middle Cryptographic Attacks

1.9.12.1. An attacker places themselves in the communication path between two parties, which gives the attacker the ability to intercept and modify communications.

1.9.13. Side-Channel Attacks

1.9.13.1. An attacker could attempt to compromise the cloud by placing a malicious VM in close proximity to a target cloud server and then launching a side-channel attack.

1.9.14. Authentication Attacks (insufficient identity, credentials, & access management)

1.9.14.1. Authentication is a weak point in hosted and virtual services making it a common target.

1.9.15. API Attacks

1.9.15.1. Insecurely configured APIs are a lucrative prospect for attackers who could modify, attack, or append data in applications or systems in cloud environments.

1.9.16. Known exploits leveraging vulnerabilities against infrastructure components

1.9.16.1. Attacks against virtualization environments, Kubernetes, containers, authentication methods, etc.

2. Resources

2.1. Cloud Security Alliance - Top Cloud Security Threats

2.2. The Cloud Security Alliance Top Threats Deep Dive

3. Chapter Topics

3.1. Cloud Computing & the Cloud Service Models

3.2. Cloud Security Responsibility Models

3.3. DevOps, Continuous Integration (CI), Continuous Delivery (CD), DevSecOps

3.4. Understanding Cloud Security Threats

4. Key Terms

4.1. VM Escape Attack

4.1.1. An attack in which the attacker can manipulate the guest-level VM to attack its underlying hypervisor, other VMs, and/or the physical host.

4.2. Session Hijacking

4.2.1. A type of attack where an attacker can sniff and intercept traffic to take over a legitimate connection to a cloud service.

4.3. Kubernetes

4.3.1. One of the most popular container orchestration & management frameworks. Developed by Google, Kubernetes is a platform for creating and managing distributed applications.

4.4. HashiCorp Nomad

4.4.1. Container management & orchestration platform by HashiCorp.

4.5. Apache Mesos

4.5.1. A distributed Linux kernel that provides native support for launching containers with Docker & AppC images.

4.6. Docker Swarm

4.6.1. A container cluster management & orchestration system integrated with the Docker Engine.

4.7. Continuous Integration (CI)

4.7.1. A software development practice where programmers merge code changes multiple times a day.

4.8. Continuous Delivery (CD)

4.8.1. A software engineering approach that sits on top of CI and provides a way to automate the entire software release process.

4.9. Infrastructure as a Service (IaaS)

4.9.1. A cloud solution through which you rent infrastructure.

4.10. Platform as a Service (PaaS)

4.10.1. A cloud service that provides everything except applications. Services in this model include all phases of the System Development Life Cycle (SDLC).

4.11. Software as a Service (SaaS)

4.11.1. A cloud service designed to provide a complete packaged solution. Software is rented out to the user. Example: Office 365.