CompTIA Security+ 601 Chapter 10 Summary

CompTIA Security+ Study Guide: Exam SY0-601 8th Edition, by Mike Chapple & David Seidl


Chapter 10 summary of my notes



  1. Cloud Computing


Cloud Computing = model for access to a shared pool of configurable computing resources


Multitenancy = many different users share resources in the same cloud infrastructure. In a multitenant environment, the same physical hardware might support the workloads and storage needs of many different customers.


Key benefits provided by the cloud:



  1. On-demand self-service computing. Cloud resources are available when and where you need them.

  2. Scalability. As the demand for a cloud-based service increases, customers can manually or automatically increase the capacity of their operations.

     - Vertical scaling increases the capacity of existing servers.

     - Horizontal scaling adds more servers to a pool of clustered servers.

  3. Elasticity says that capacity should expand and contract as needs change to optimize costs.

  4. Measured service. Everything you do in the cloud is measured by the provider. Providers track the number of seconds of processing time you consume, the amount of storage you occupy, the number of log entries that you generate, and many other measures.

  5. Agility and flexibility. The speed to provision cloud resources and the ability to use them for short periods of time lends tremendous agility and flexibility to technology organizations.


There are five key roles in the cloud:



  1. Cloud service providers are the firms that offer cloud computing services

  2. Cloud consumers are the organizations and individuals who purchase cloud services

  3. Cloud partners (or cloud brokers) are organizations that offer ancillary products or services that support or integrate with the offerings of a cloud service provider.

  4. Cloud auditors are independent organizations that provide third-party assessments of cloud services and operations.

  5. Cloud carriers serve as the intermediaries that provide the connectivity that allows the delivery of cloud services from providers to consumers.


XaaS = anything as a service.


Three major service models:



  1. Infrastructure as a service (IaaS) offerings allow customers to purchase and interact with the basic building blocks of a technology infrastructure. These include computing, storage, and networks.

  2. Software as a service (SaaS) offerings provide customers with access to a fully managed application running in the cloud.

  3. Platform as a service (PaaS) offerings fit into a middle ground between SaaS and IaaS solutions. In a PaaS offering, the service provider offers a platform where customers may run applications that they have developed themselves.


Function as a service (FaaS) platforms are an example of PaaS computing = allows customers to upload their own code functions to the provider, and the provider then executes those functions on a scheduled basis, in response to events, and/or on demand. The AWS Lambda service is an example of a FaaS/PaaS offering. Lambda allows customers to write code in Python, Java, C#, PowerShell, Node.js, Ruby, Go, and other programming languages.


Managed service providers (MSPs) are services organizations that provide information technology as a service to their customers. MSPs may handle an organization's IT needs completely.


When MSPs offer security services, they are commonly referred to as managed security service providers (MSSPs). MSSP services include security monitoring, vulnerability management, incident response, and firewall management.


Public cloud service = infrastructure accessible to any customers who wish to take advantage of it


Private cloud = any cloud infrastructure that is provisioned for use by a single customer.


Community cloud services do run in a multitenant environment, but the tenants are limited to members of a specifically designed community.


Hybrid cloud is a catch-all term used to describe cloud deployments that blend public, private, and/or community cloud services together. Hybrid clouds require the use of technology that unifies the different cloud offerings into a single coherent platform.


Public cloud bursting = a firm operates its own private cloud for the majority of its workloads and then leverages public cloud capacity when demand exceeds the capacity of its private cloud infrastructure.


Shared Responsibility Model = cloud customers divide responsibilities between one or more service providers and the customers' own cybersecurity teams.


Cloud Security Alliance (CSA) = industry organization focused on developing and promoting best practices in cloud security.


They developed the Cloud Controls Matrix (CCM) as a reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory standards.


Edge computing = placing some processing power on remote sensors, allowing them to preprocess data before shipping it back to the cloud. This model takes its name from the fact that the computing is being pushed out to sensors that are located on the “edge” of the network.


Fog computing = IoT gateway devices that are located in close physical proximity to the sensors. The sensors themselves don't necessarily have processing power, but they send data to their local gateway that performs preprocessing before sending the results to the cloud.


Hypervisor = the special operating system run by the virtual host hardware that mediates access to the underlying hardware resources. It enforces isolation between virtual machines.


Two primary types of hypervisors:



  1. Type I hypervisors, also known as bare metal hypervisors, operate directly on top of the underlying hardware. The hypervisor then supports guest operating systems for each virtual machine.


This is the model most commonly used in datacenter virtualization because it is highly efficient.



  2. Type II hypervisors run as an application on top of an existing operating system: the operating system supports the hypervisor, and the hypervisor requests resources for each guest operating system from the host operating system.


This model is commonly used to provide virtualization environments on personal computers for developers, technologists, and others who have the need to run their own virtual machines. It is less efficient than bare-metal virtualization because the host operating system introduces a layer of inefficiency that consumes resources.


Containers provide application-level virtualization. Instead of creating complex virtual machines that require their own operating systems, containers package applications and allow them to be treated as units of virtualization that become portable across operating systems and hardware platforms.


Organizations implementing containerization run containerization platforms, such as Docker, that provide standardized interfaces to operating system resources.


Storage offerings by infrastructure providers come in two major categories:



  1. Block storage allocates large volumes of storage for use by virtual server instance(s). These volumes are then formatted as virtual disks by the operating system on those server instances and used as they would a physical drive. AWS offers block storage through their Elastic Block Storage (EBS) service.

  2. Object storage provides customers with the ability to place files in buckets and treat each file as an independent entity that may be accessed over the web or through the provider's API. The AWS Simple Storage Service (S3) is an example of object storage.


Block storage is preallocated by the cloud provider, and you pay for the capacity that you allocated, regardless of whether you actually store data on that volume.


As you work with cloud storage, be certain that you keep three key security considerations top-of-mind:



  1. Set permissions properly.

  2. Consider high availability and durability options.

  3. Use encryption to protect sensitive data.


Cloud networking follows the same virtualization model as other cloud infrastructure resources.


Cloud networking supports the software-defined networking (SDN) movement by allowing engineers to interact with and modify cloud resources through their APIs.


Software-defined visibility (SDV) offers insight into the traffic on virtual networks.


Cloud service providers implement firewalls as well, but they do not provide customers with direct access to those firewalls, because doing so would violate the isolation principle by potentially allowing one customer to make changes to the firewall that would impact other customers.


Instead, cloud service providers meet the need for firewalls through the use of security groups that define permissible network traffic.


Security groups function at the network layer of the OSI model, similar to a traditional firewall.


Virtual Private Cloud (VPC): Segmentation is one of the core concepts of network security. Segmentation allows network engineers to place systems of differing security levels and functions on different network subnets.


Virtual LAN (VLAN) = achieves segmentation on physical networks.


Virtual private clouds (VPCs) = serve the same purpose on the cloud.


Separating the development and operations worlds brings significant disadvantages:



  1. Isolating operations teams from the development process inhibits their understanding of business requirements.

  2. Isolating developers from operational considerations leads to designs that are wasteful in terms of processor, memory, and network consumption.

  3. Requiring clear hand-offs from development to operations reduces agility and flexibility by requiring a lengthy transition phase.

  4. Increasing the overhead associated with transitions encourages combining many small fixes and enhancements into one major release, increasing the time to requirement satisfaction.


A DevOps approach to technology management attempts to fix those disadvantages:



  1. Infrastructure as code (IaC) is one of the key enabling technologies behind the DevOps movement and is also a crucial advantage of cloud computing services integration. IaC is the process of automating the provisioning, management, and deprovisioning of infrastructure services through scripted code rather than human intervention.

  2. Infrastructure as code approaches depend on the use of application programming interfaces (APIs) offered by cloud providers. Developers can use cloud provider APIs to programmatically provision, configure, modify, and deprovision cloud resources. API integration is particularly helpful in cloud environments that embrace microservices, cloud service offerings that provide very granular functions to other services, often through a function-as-a-service model.
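The storage considerations (permissions, encryption), security groups, and infrastructure as code above come together in a pre-deployment policy check. The following is an added example, not from the book or any provider's tooling; it assumes a simplified, constructed template format (a dict of security groups and buckets) rather than a real CloudFormation or Terraform schema, and flags a security group rule open to the whole Internet on a management port and a bucket that is public and unencrypted.

```python
"""Policy check run over an infrastructure-as-code template before deployment (added example).
Assumes a simplified, constructed template format; real providers use their own schemas."""
from ipaddress import ip_network

PUBLIC_OK_PORTS = {80, 443}  # ports acceptable to expose to the whole Internet

# Constructed sample template: one weak security group rule and one unencrypted,
# publicly readable bucket are included on purpose.
TEMPLATE = {
    "security_groups": [
        {"name": "web-sg", "ingress": [
            {"port": 443, "cidr": "0.0.0.0/0"},
            {"port": 22, "cidr": "0.0.0.0/0"},      # management port open to the world
        ]},
        {"name": "db-sg", "ingress": [
            {"port": 5432, "cidr": "10.0.1.0/24"},  # limited to an internal subnet
        ]},
    ],
    "buckets": [
        {"name": "public-assets", "acl": "public-read", "encryption": None},
        {"name": "customer-records", "acl": "private", "encryption": "AES256"},
    ],
}

def check_security_groups(groups):
    """Flag ingress rules that admit any source address on a non-web port."""
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            world_open = ip_network(rule["cidr"]).prefixlen == 0
            if world_open and rule["port"] not in PUBLIC_OK_PORTS:
                findings.append(f"{sg['name']}: port {rule['port']} open to {rule['cidr']}")
    return findings

def check_buckets(buckets):
    """Flag buckets that are not private or that lack server-side encryption."""
    findings = []
    for b in buckets:
        if b["acl"] != "private":
            findings.append(f"{b['name']}: ACL is {b['acl']}")
        if not b["encryption"]:
            findings.append(f"{b['name']}: no server-side encryption")
    return findings

def audit(template):
    """Run every check; an empty result means the template passes the policy."""
    return check_security_groups(template["security_groups"]) + check_buckets(template["buckets"])

if __name__ == "__main__":
    print("\n".join(audit(TEMPLATE)) or "template passes")
```

Running a check like this in the pipeline that applies the template catches the misconfiguration before the resource exists, which is the point of managing infrastructure as code rather than by hand.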


Data sovereignty = principle that states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed.


Virtual machine escape vulnerabilities are the most serious issue that can exist in a virtualized environment, particularly when a virtual host runs systems of differing security levels.


Virtual machine sprawl = when IaaS users create virtual service instances and then forget about them or abandon them, leaving them to accrue costs and accumulate security issues over time.


Secure web gateways (SWG) = provide a layer of application security for cloud-dependent organizations by monitoring web requests made by internal users, evaluating them against the organization's security policy, and blocking requests that run afoul of these requirements.


Cloud governance efforts assist with the following:



  1. Vetting vendors being considered for cloud partnerships

  2. Managing vendor relationships and monitoring for early warning signs of vendor stability issues

  3. Overseeing an organization's portfolio of cloud activities


Auditability is an important component of cloud governance. Cloud computing contracts should include language guaranteeing the right of the customer to audit cloud service providers.


Cloud access security brokers (CASBs) are software tools that serve as intermediaries between cloud service users and cloud service providers. This positioning allows them to monitor user activity and enforce policy requirements.


CASBs operate using two different approaches:



  1. Inline CASB solutions physically or logically reside in the connection path between the user and the service. They may do this through a hardware appliance or an endpoint agent that routes requests through the CASB.

  2. API-based CASB solutions do not interact directly with the user but rather interact directly with the cloud provider through the provider's API.


Cloud service providers often use hardware security modules (HSMs) internally for the management of their own encryption keys and also offer HSM services to their customers as a secure method for managing customer keys without exposing them to the provider.