Cloud Computing Service Models
9 Questions
0 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What does a Cloud Auditor do?

An independent entity that can assure that the CP conforms to a set of standards.

What does a Cloud Provider (CP) provide for the SaaS service model?

  • Runtime software execution stack
  • Network security services
  • Computing infrastructure
  • Storage and processing facilities (correct)
  • Multi-tenant model in cloud computing provides a unique DBMS running on a virtual machine instance for each cloud subscriber.

    False

    A straightforward solution to the security problem in cloud data protection is to encrypt the entire database and not provide the ______ keys to the service provider.

    <p>encryption/decryption</p> Signup and view all the answers

    Match the following SecaaS categories with their descriptions:

    <p>Identity and access management = Management of user access to resources Data loss prevention = Preventing unauthorized data disclosure Web security = Protection against web-based threats Encryption = Data protection through cryptographic methods</p> Signup and view all the answers

    What is the purpose of frequent key changes in symmetric encryption?

    <p>To limit the amount of data compromised if an attacker learns the key</p> Signup and view all the answers

    What is Kerberos?

    <p>Kerberos is a key distribution and user authentication service developed at MIT.</p> Signup and view all the answers

    X.509 certificates include a period of validity.

    <p>True</p> Signup and view all the answers

    Public-key certificates consist of a public key plus a user ID of the key owner, with the whole block signed by a ______________.

    <p>trusted third party</p> Signup and view all the answers

    Study Notes

    Network Access Control

    • Network Access Control (NAC) is an umbrella term for managing access to a network
      • Authenticates users logging into the network and determines what data they can access and actions they can perform
      • Examines the health of the user's computer or mobile device
    • NAC systems deal with three categories of components:
      • Access requester (AR) - node that is attempting to access the network and may be any device that is managed by the NAC system
      • Policy server - determines what access should be granted
      • Network access server (NAS) - functions as an access control point for users in remote locations connecting to an enterprise's internal network

    Network Access Enforcement Methods

    • Actions that are applied to ARs to regulate access to the enterprise network
    • Many vendors support multiple enforcement methods simultaneously, allowing customers to tailor the configuration by using one or a combination of methods
    • Common NAC enforcement methods:
      • IEEE 802.1X (link layer protocol)
      • Virtual local area networks (VLANs)
      • Firewall
      • DHCP management

    Extensible Authentication Protocol (EAP)

    • Acts as a framework for network access and authentication protocols
    • Provides a set of protocol messages that can encapsulate various authentication methods to be used between a client and an authentication server
    • Can operate over a variety of network and link-level facilities, including point-to-point links, LANs, and other networks
    • Commonly supported EAP methods:
      • EAP Transport Layer Security (EAP-TLS)
      • EAP Tunneled TLS (EAP-TTLS)
      • EAP Generalized Pre-Shared Key (EAP-GPSK)
      • EAP-IKEv2

    IEEE 802.1X Access Control

    • Ports are logical entities defined within the authenticator and refer to physical network connections
    • Uncontrolled port allows the exchange of protocol data units (PDUs) between the supplicant and the AS, regardless of the authentication state of the supplicant
    • Controlled port allows the exchange of PDUs between a supplicant and other systems on the network only if the current state of the supplicant authorizes such an exchange
    • Essential element defined in 802.1X is a protocol known as EAPOL (EAP over LAN)
    • EAPOL operates at the network layers and makes use of an IEEE 802 LAN, such as Ethernet or Wi-Fi, at the link level

    Cloud Computing

    • NIST defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
    • Cloud computing promotes availability and is composed of five essential characteristics, three service models, and four deployment models

    Cloud Computing Reference Architecture

    • NIST SP 500-292 establishes a reference architecture, which focuses on the requirements of "what" cloud services provide, not a "how to" design solution and implementation
    • The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing

    Cloud Computing Actors

    • Cloud consumer: a person or organization that maintains a business relationship with, and uses service from, cloud providers
    • Cloud provider: a person, organization, or entity responsible for making a service available to interested parties
    • Cloud auditor: a party that can conduct independent assessment of cloud services, information system operations, performance, and security of the cloud implementation
    • Cloud broker: an entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between CPs and cloud consumers
    • Cloud carrier: an intermediary that provides connectivity and transport of cloud services from CPs to cloud consumers

    Cloud Security Risks and Countermeasures

    • Abuse and nefarious use of cloud computing
      • Countermeasures: stricter initial registration and validation processes; enhanced credit card fraud monitoring and coordination
    • Malicious insiders
      • Countermeasures: enforce strict supply chain management and conduct a comprehensive supplier assessment
    • Insecure interfaces and APIs
      • Countermeasures: implement security best practices for installation/configuration; monitor environment for unauthorized changes/activity
    • Data loss or leakage
      • Countermeasures: implement strong API access control; encrypt and protect integrity of data in transit
    • Account or service hijacking
      • Countermeasures: prohibit the sharing of account credentials between users and services; leverage strong two-factor authentication techniques
    • Unknown risk profile
      • Countermeasures: disclosure of applicable logs and data; partial/full disclosure of infrastructure details

    Data Protection in the Cloud

    • Data must be secured while at rest, in transit, and in use, and access to the data must be controlled
    • Multi-instance model: provides a unique DBMS running on a virtual machine instance for each cloud subscriber
    • Multi-tenant model: provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier

    Cloud Security as a Service (SecaaS)

    • Provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers' on-premise systems
    • Categories of SecaaS include:
      • Identity and access management
      • Data loss prevention
      • Web security
      • E-mail security
      • Security assessments
      • Intrusion management
      • Security information and event management
      • Encryption
      • Business continuity and disaster recovery
      • Network security

    Symmetric Key Distribution

    • Symmetric encryption requires two parties to share the same key, which must be protected from access by others
    • Frequent key changes are desirable to limit the amount of data compromised if an attacker learns the key
    • Key distribution techniques:
      • A key can be selected by one party and physically delivered to the other
      • A third party can select the key and physically deliver it to both parties
      • One party can transmit the new key to the other, using the old key to encrypt the new key
      • A third party can deliver a key on encrypted links to both parties

    Kerberos

    • Kerberos is a key distribution and user authentication service developed at MIT
    • Relies exclusively on symmetric encryption, making no use of public-key encryption
    • Two versions are in use: Version 4 and Version 5
    • Version 4 implementations still exist, although being phased out
    • Version 5 corrects some of the security deficiencies of Version 4 and has been issued as a proposed Internet Standard (RFC 4120)
    • Kerberos realm: a set of managed nodes that share the same Kerberos database
    • Kerberos principal: a service or user that is known to the Kerberos system, identified by its principal name

    Kerberos Version 4

    • A basic third-party authentication scheme
    • Authentication Server (AS): users initially negotiate with AS to identify themselves
    • Ticket Granting Server (TGS): users subsequently request access to other services from TGS on the basis of their Ticket Granting Ticket (TGT)
    • Complex protocol using DES

    Kerberos Realms and Principals

    • A Kerberos realm consists of:
      • A set of managed nodes that share the same Kerberos database
      • The Kerberos database resides on the Kerberos master computer system
      • A read-only copy of the Kerberos database may reside on other Kerberos computer systems
      • All changes to the database must be made on the master computer system
    • Kerberos principal: a service or user that is known to the Kerberos system, identified by its principal name
    • Principal names consist of three parts: realm, instance, and principal name

    Key Distribution using Asymmetric Encryption

    • Public-key encryption addresses the problem of key distribution
    • Two distinct aspects:
      • Distribution of public keys
      • Use of public-key encryption to distribute secret keys
    • Public-key certificate: a public key plus a user ID, signed by a trusted third party (Certificate Authority)

    X.509 Certificates

    • Part of the X.500 series of recommendations that define a directory service
    • Defines a framework for the provision of authentication services by the X.500 directory to its users
    • The directory may serve as a repository of public-key certificates
    • Defines alternative authentication protocols based on the use of public-key certificates
    • Initially issued in 1988, based on the use of public-key cryptography and digital signatures
    • Does not dictate the use of a specific algorithm, but recommends RSA

    Obtaining a User’s Certificate

    • User certificates generated by a CA have the following characteristics:
      • Any user with access to the public key of the CA can verify the user public key that was certified
      • No party other than the certification authority can modify the certificate without this being detected
    • Because certificates are unforgeable, they can be placed in a directory without the need for the directory to make special efforts to protect them

    Revocation of Certificates

    • Each certificate includes a period of validity
    • Revocation may be desirable on occasion for reasons such as:
      • The user’s private key is assumed to be compromised
      • The user is no longer certified by this CA
      • The CA’s certificate is assumed to be compromised

    X.509 Version 3

    • Includes optional extensions that may be added to the Version 2 format
    • Extensions fall into three main categories:
      • Key and policy information
      • Subject and issuer attributes
      • Certification path constraints

    PKIX Management Functions

    • Functions that potentially need to be supported by management protocols:
      • Registration
      • Initialization
      • Certification
      • Key pair recovery
      • Key pair update
      • Revocation request
      • Cross certification
    • Alternative management protocols:
      • Certificate management protocols (CMP)
      • Certificate management messages over CMS (CMC)

    Identity Management

    • A centralized, automated approach to provide enterprise-wide access to resources by employees and other authorized individuals
    • Focus is defining an identity for each user (human or process), associating attributes with the identity, and enforcing a means by which a user can verify identity
    • Principal elements of an identity management system:
      • Authentication
      • Authorization
      • Accounting
      • Provisioning
      • Workflow automation
      • Delegated administration
      • Password synchronization
      • Self-service password reset
      • Federation

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Description

    Learn about cloud providers and their role in providing storage and processing facilities for SaaS, PaaS, and IaaS service models. Understand how they meet IT and business requirements.

    More Like This

    Use Quizgecko on...
    Browser
    Browser