Chapter 10 Cloud and Virtualization Security

Questions and Answers

What is the main focus of scalability in cloud environments?

Optimizing the user interface

Rapidly increasing resource capacity (correct)

Automatically reducing resource costs

Providing centralized management

What does vertical scaling involve?

Increasing the capacity of existing servers (correct)

Changing the software on existing machines

Adding more servers to a network

Enhancing network bandwidth availability

How does horizontal scaling work in cloud environments?

By reducing server capacity as needed

By adding more servers to handle increased loads (correct)

By upgrading existing server hardware

By consolidating resources into fewer servers

What is the relationship between elasticity and scalability?

Elasticity focuses on cost optimization as capacity changes

What does measured service refer to in cloud computing?

Tracking resource usage to determine charges

What provides tremendous agility and flexibility in utilizing cloud resources?

The speed to provision and short-term usage ability

Which of the following actions is part of vertical scaling?

Installing additional hard drives on a server

What happens when a website experiences a burst in activity in an elastic cloud environment?

Additional servers are added to meet demand

What is a key responsibility of the SaaS provider in a cloud environment?

Taking on most operational tasks, including cybersecurity

Why is it important to document the division of responsibilities for cybersecurity?

To comply with external regulations

What does the Cloud Controls Matrix (CCM) help organizations with?

Understanding and mapping cloud security controls to standards

Which organization published a high-level taxonomy for cloud services?

National Institute for Standards and Technology (NIST)

What is a major benefit of utilizing the Cloud Reference Architecture?

It provides a clear taxonomy for cloud services

Which compliance standard requires organizations to document specific controls alongside cloud providers?

Payment Card Industry Data Security Standard (PCI DSS)

What is the primary focus of the Cloud Security Alliance (CSA)?

Promoting best practices in cloud security

Which statement about shared control in a SaaS environment is true?

Customers retain some shared control over data and access controls

What is a primary limitation of API-based CASBs?

They cannot block requests that violate policy.

What does implementing resource policies help to mitigate?

Accidental deletion of resources.

Which action is specifically denied by the sample service control policy?

ec2:RunInstances for large instance types.

What is the effect of the statement with the Sid 'DenyAllOutsideUSEastEUWest1'?

It denies all actions except those specified in the NotAction list.

Which of the following regions is NOT permitted under the policy's conditions?

us-west-1

What does the 'Effect' property in the policy specify?

The overall permission granted or denied by a statement.

Which of the following conditions restricts the instance types that can be used?

ForAnyValue:StringNotLike: ec2:InstanceType

Which of the following services is included in the NotAction list of the policy?

organizations:*

What is the primary function of block storage?

To allocate large volumes of storage formatted as virtual disks

How does AWS Elastic Block Storage (EBS) charge for storage?

For the capacity allocated, regardless of usage

Which of the following statements about object storage is true?

Files are treated as independent entities in buckets

What is a significant cost difference between block storage and object storage?

Block storage is 3 to 10 times more expensive than object storage

What is one critical security consideration when working with object storage?

Carefully managing access policies to prevent data leakage

What does AWS Simple Storage Service (S3) primarily offer?

Object storage capabilities for file management

Which method does block storage use for data allocation?

It preallocates storage capacity upfront

What might happen if access policies are not set correctly in object storage?

Sensitive files might be inadvertently published on the web

What should cloud customers primarily focus on from a storage perspective?

Considering permissions, encryption, replication, and high availability

Which strategy would best ensure high availability in a cloud environment?

Using multiple servers in different zones

What is a key design consideration for virtual networks in a cloud environment?

Ensuring appropriate segmentation with public and private subnets

What does the term 'elasticity' refer to in a cloud environment?

The ability to scale resources dynamically based on demand

From a compute perspective, what is essential for maintaining instance security?

Designing security groups that restrict unnecessary traffic

In a Type I hypervisor environment providing IaaS, which security control is least applicable?

All security settings are automatic and do not require customer intervention

What is an important factor when designing resilient cloud implementations?

High availability across multiple zones

What action should cloud customers take regarding permissions?

Regularly review and restrict permissions based on the principle of least privilege

Study Notes

Cloud Scalability and Elasticity

• Scalability allows cloud providers to adjust resources transparently, enhancing performance based on demand.
• Vertical scaling increases server capacity by adding CPU cores or memory, enabling quick resource upgrades.
• Horizontal scaling involves adding more servers to a cluster to manage increased user load, enhancing system capacity gradually.

Elasticity vs. Scalability

• Elasticity enables automatic adjustment of resources, allowing expansion during high demand and contraction when the demand reduces.
• Scalability focuses on increasing capacity quickly, while elasticity optimizes costs associated with resource usage.

Measured Service

• Cloud providers track user resource consumption (e.g., processing time, storage use, log entries).
• Charges are based on actual usage, ensuring customers only pay for what they use.

Agility and Flexibility

• Rapid provisioning of cloud resources grants organizations flexibility to meet short-term demands.
• Customers retain some control over data and access configurations, while providers manage operational and cybersecurity tasks.

Cybersecurity Responsibilities

• Clear documentation of cybersecurity responsibilities is crucial for compliance with regulations like PCI DSS.
• Cloud providers often have resources detailing controls for compliance with various standards.

Cloud Standards and Guidelines

• NIST’s Cloud Reference Architecture offers a comprehensive taxonomy for understanding cloud services and their roles.
• The Cloud Security Alliance (CSA) promotes best practices in cloud security and has developed the Cloud Controls Matrix to assist organizations.

Storage Types

• Block Storage: Allocates large volumes for virtual servers, functioning like physical drives. Example: AWS Elastic Block Storage (EBS). Customers pay for allocated capacity.
• Object Storage: Allows file storage in buckets, treating files as independent entities. Example: AWS Simple Storage Service (S3). Customers pay for actual storage used.

Cost Comparison

• Block storage costs are typically 3 to 10 times higher than object storage as block storage is preallocated.

Security Considerations for Cloud Storage

• Properly set permissions to prevent unauthorized access, especially in object storage where misconfigurations can lead to data exposure.
• API-based Cloud Access Security Brokers (CASBs) monitor but may have limitations in blocking policy violations upfront.

Resource Policies

• Cloud providers offer resource policies to limit user actions, enhancing security. For example, a JSON policy can restrict access to specific regions and instance types.
• Appropriate security controls should be maintained, considering permissions, encryption, and availability of cloud resources.

High Availability and Network Design

• Resilient cloud implementations should achieve high availability through design across multiple zones.
• Network segmentation is vital, using public and private subnets to enhance security.

Review Questions Context

• Example of vertical scaling: Adding a CPU in response to high traffic demands.
• Importance of maintaining security patches in environments utilizing a Type I hypervisor for IaaS.

Description

Test your knowledge on how cloud providers achieve scalability through vertical and horizontal scaling. This quiz explores the concepts and practical implications of resource management in cloud environments. Get ready to deepen your understanding of the technical aspects behind cloud computing.