Cloud Computing Software Security Fundamentals
46 Questions
Questions and Answers

Match the following properties of software with their descriptions:

  • Dependability = Operates correctly under a variety of conditions
  • Trustworthiness = Contains a minimum number of vulnerabilities
  • Survivability = Ability to recover quickly from attacks
  • Confidentiality = Ensuring data is accessible only to authorized users

Match the following cloud security concepts with their definitions:

  • Cloud Security Services = Services that protect data, applications, and infrastructure
  • Secure Software Development = A transfer of security responsibility to the cloud provider
  • Software Assurance = Confidence that software functions as intended without vulnerabilities
  • SaaS = Software as a Service offered in the cloud

Match the following security objectives with their examples:

  • Integrity = Ensuring data accuracy and consistency
  • Availability = Ensuring systems are operational and accessible
  • Confidentiality = Preventing unauthorized data access
  • Resilience = Tolerance to attacks with minimal disruption

Match the following terms with their associated characteristics:

  • Dependability = Predictably executes under varying conditions
  • Trustworthiness = Resistant to malicious logic injections
  • Survivability = Recovers effectively from adverse conditions
  • Cloud Computing = Enables SaaS and reduces secure software development needs

Match the following principles of cloud information security with their importance:

  • CIA Triad = Core principles of information system security
  • Secured SaaS = Reduces customer development burdens
  • Software Assurance Initiative = DoD guideline on software security confidence
  • Malicious Host Resistance = Operating correctly under attack scenarios

Match the following terms with their definitions in software assurance:

  • Vulnerabilities = Weaknesses that may be exploited in software
  • Software Assurance = Confidence in software reliability and security
  • Cloud Provider = Entity responsible for delivering cloud services
  • Security Objectives = Goals aimed at safeguarding cloud applications

Match the following characteristics of cloud computing with their effects:

  • SaaS = Provides software applications over the internet
  • Resilience = Minimizes operational disruptions
  • Security Services = Enhances protection of cloud infrastructures
  • Secure Design Principles = Foundational guidelines for preventing vulnerabilities

Match the following cloud security requirements with their significance:

  • Data Dependability = Predictable execution under attacks
  • Minimum Vulnerabilities = Essential for maintaining trustworthiness
  • Recovery Capability = Key aspect of survivability under threats
  • Authorization = Critical for confidentiality in data management

Match the components of the CIA triad with their definitions:

  • Confidentiality = Prevention of unauthorized disclosure of information
  • Integrity = Ensuring that data is accurate and reliable
  • Availability = Ensuring that information is accessible when needed
  • Authentication = Verifying the identity of users or systems

Match the cloud security services with their primary objective:

  • Authentication = Verifying user identity
  • Authorization = Determining access levels to resources
  • Auditing = Tracking user activity for compliance
  • Accountability = Ensuring users are responsible for their actions

Match the types of confidentiality breaches with their descriptions:

  • Covert channels = Unauthorized communication path for information exchange
  • Traffic analysis = Analyzing message patterns to gather information
  • Inference = Using lower-level data to uncover restricted information
  • Encryption = Scrambling messages to protect against unauthorized access

Match the examples with the appropriate terms related to confidentiality:

  • Copyright = Protects creative works like music and writing
  • Patent = Protects new inventions and processes
  • Encryption in bank transactions = Prevents theft of sensitive information
  • Traffic analysis revealing a meeting = Shows the risk of information exposure

Match the common cloud security risks with their examples:

  • Unauthorized disclosure = Sensitive data exposed in the cloud
  • Data integrity breaches = Tampering with cloud-stored information
  • Service downtime = Cloud services not available for users
  • Insufficient auditing = Lack of tracking user access and actions

Match the concepts of cloud information security objectives with their meanings:

  • Confidentiality = Protection of sensitive information
  • Integrity = Verification of data accuracy
  • Availability = Ensuring constant access to resources
  • Non-repudiation = Preventing users from denying actions taken

Match the methods for protecting confidentiality with their functions:

  • Encryption = Scrambles information for protection
  • Traffic management = Hiding source and destination of data
  • Regular security audits = Identifying vulnerabilities over time
  • Access control = Restricting permission to sensitive data

Match the terms related to intellectual property rights with their definitions:

  • Copyright = Legal protection for artistic works
  • Patent = Exclusive rights for inventions
  • Trademark = Protection for brand identity
  • Trade secret = Confidential business information

Match the following types of auditors with their definitions:

  • Internal auditors = Work for a given organization
  • External auditors = Hired to perform an independent audit
  • Internal audit = Ongoing review of operations
  • External audit = Typically focuses on financial statements

Match the definitions with their corresponding terms related to auditing:

  • Audit trail = Set of records providing documentary evidence
  • Audit log = Records details about transaction processing
  • System audit = One-time evaluation of security measures
  • Monitoring = Ongoing examination of system activities

Match the key aspects of accountability with their explanations:

  • Nonrepudiation = Individual cannot deny an action's performance
  • Audit trails = Support accountability in cloud systems
  • Postmortem studies = Analyze historical events after occurrence
  • Individual identification = Determine actions of a specific user

Match the following cloud security components with their roles:

  • Data protection = Safeguards applications and infrastructure
  • Threat identification = Recognizes potential security threats
  • Process auditing = Evaluates system control effectiveness
  • Access management = Ensures authorized user actions

Match the following auditing functions with their descriptions:

  • System and transaction controls = Ensure accuracy of transactions
  • Backup controls = Protect against data loss
  • Data center security = Secures physical and logical data environments
  • Contingency plans = Prepare for unexpected system failures

Match the following functions of IT auditors with what they audit:

  • Systems development standards = Ensure project adherence to policies
  • Data library procedures = Manage access to stored data
  • Backup controls = Guarantee data recovery processes
  • Security events = Detect potential breaches or irregularities

Match the following terms with their meanings in the context of auditing:

  • Monitoring = Ongoing activity to check system user actions
  • System audit = Periodic assessment for security evaluation
  • Audit log = Document processes and user actions
  • Transaction details = Specific information about processed transactions

Match the following roles in cloud security services with their activities:

  • Cloud customer = May perform system audits
  • Cloud provider = Responsible for security infrastructure
  • IT auditors = Evaluate compliance and operational standards
  • Security officers = Implement security measures

Match the types of monitoring activities with their explanations:

  • Intrusion detection = Identifies unauthorized access attempts
  • User activity logging = Tracks user interactions with systems
  • Event monitoring = Logs security-related actions and alerts
  • Performance monitoring = Assesses system efficiency over time

Match the following areas of security responsibility with their descriptions:

  • Security of the cloud = Cloud vendor controls host OS, virtualization layer, and physical security
  • Security in the cloud = Customer manages guest OS security and application patches
  • Encryption = Process of securing data during transit and at rest
  • Firewall configuration = Customer configures security group firewall for cloud resources

Match the threats to confidentiality with their examples:

  • Revealing student healthcare information = Sensitive data exposure on public website
  • Revealing academic research results = Unauthorized publication of research findings
  • Password theft = Gaining unauthorized access to cloud-stored data
  • Audit unauthorized access attempts = Monitoring for potential security breaches

Match the threats to data integrity with their examples:

  • Manipulating genomics records = Tampering with research data results
  • Setting file permissions = Controlling access levels within a system
  • Access control lists = Defining user permissions for files and directories
  • Cryptographic checksums = Verifying data integrity through hashing

Match the AWS services with their functionalities:

  • AWS CloudTrail = Logging service for API call history
  • AWS IAM = Manage user access and permissions
  • AWS CloudWatch = Monitoring tool for AWS services
  • AWS S3 = Storage service for data and backups

Match the stages of threat identification in cloud with their descriptions:

  • Gaining Visibility = Identifying the event using tools
  • Managing Access = Check user access and remove threats
  • Response Planning = Preparing actions based on identified threats
  • Threat Detection = Monitoring for indicators of compromise

Match the threats to data availability with their mitigations:

  • Denial of service attacks = Implementing RAID disk arrays
  • Power outages = Using network load balancers
  • Network interruptions = Establishing redundant network communication lines
  • Data loss = Creating regular backups

Match the NCSC Cloud Security Principles with their key focus:

  • Protection of Data in Transit = Safeguarding data from tampering as it travels
  • Asset Protection and Resilience = Safeguarding against physical tampering or loss
  • Risk Management = Identifying and mitigating potential threats
  • Incident Response = Preparing for and reacting to security breaches

Match the monitoring techniques with their purposes:

  • Machine learning algorithms = Flagging deviations from normal system behavior
  • Cloud security experts = Monitoring flagged events for potential threats
  • Alarm systems = Notifying relevant personnel of suspicious activities
  • Continuous monitoring = Ongoing surveillance of cloud operations

Match the terms with their definitions:

  • Shared responsibility model = Division of security roles between vendor and customer
  • Data encryption = Method to protect data confidentiality in transit and at rest
  • Access control = Mechanism to restrict unauthorized data access
  • Audit logs = Records of security-related events and accesses

Match the security concerns with relevant protective measures:

  • Tampering = Encryption
  • Eavesdropping = Service authentication
  • Data Loss = Data center security
  • User Mismanagement = Granular permissions

Match the following mitigation strategies with the threats they address:

  • Strong password policies = Preventing unauthorized account access
  • Multi-factor authentication = Enhancing user verification methods
  • File permissions = Ensuring proper access rights to data
  • Backups = Protecting against data loss and availability issues

Match the AWS CloudWatch features with their purposes:

  • Set alarms = Notify users of specific events
  • View graphs and statistics = Visual representation of metrics
  • Monitor custom metrics = Track application-specific performance
  • Store logs = Retention of operational data for analysis

Match the following threats with their impacts:

  • Denial of service attacks = Disruption of service availability
  • Data breaches = Exposure of sensitive information
  • Data manipulation = Corruption of data integrity
  • Unauthorized access = Compromised confidentiality and privacy

Match the terms related to cloud security with their definitions:

  • Granular Permissions = Control the level of user access
  • Service Authentication = Verify the identity of services
  • Network-level security = Protection of data as it travels
  • Secure data erasure = Ensuring data is completely removed

Match AWS services with their roles in threat management:

  • AWS CloudTrail = Identifies user actions that triggered threats
  • AWS IAM = Controls user permissions to secure resources
  • AWS GuardDuty = Monitors for malicious activity
  • AWS Inspector = Assesses application vulnerabilities

Match the types of cloud security measures with their examples:

  • Encryption = Protecting data in transit
  • Data center security = Physical protection of assets
  • Service resilience = Ensuring availability during failures
  • User training = Raising awareness about security threats

Match the cloud security design principles with their descriptions:

  • Identity and Authentication = Access should be restricted to authenticated and authorized identities.
  • External Interface Protection = All external interfaces should be appropriately secured.
  • Secure Service Administration = Management of administrative systems should follow industry best practices.
  • Audit Information and Alerting = Ability to identify security incidents with audit logs and alerts.

Match the cloud security principles with their primary focus:

  • Identity and Authentication = Ensuring secure access to services for users.
  • Secure Use of the Service = Facilitating data protection obligations for customers.
  • Audit Information and Alerting = Providing transparency on security incidents.
  • External Interface Protection = Identifying and securing less-trusted service interfaces.

Match the principle with its objective:

  • Secure Use of the Service = Design services to be secure by default.
  • Audit Information and Alerting = Issue alerts on attempted attacks.
  • Secure Service Administration = Protect administrative systems from attacks.
  • External Interface Protection = Prevent unauthorized access to external APIs.

Match the principles with their implications for cloud services:

  • Identity and Authentication = Restricts access to trusted identities.
  • Secure Use of the Service = Assist customers in meeting security responsibilities.
  • Audit Information and Alerting = Detail how and when security incidents occurred.
  • Secure Service Administration = Acknowledge high value of administrative systems to attackers.

Match the descriptions with the corresponding cloud security principles:

  • Identity and Authentication = Confirms identities for user access.
  • External Interface Protection = Ensures safety of service interfaces.
  • Secure Service Administration = Protects critical administrative functions.
  • Audit Information and Alerting = Monitors and records security events.

Flashcards

Cloud Software Security

Ensuring secure software in cloud computing, especially Software as a Service (SaaS).

Software Assurance

Confidence that software functions correctly and is free from vulnerabilities.

Dependability (Software)

Software's ability to execute predictably and correctly under various conditions, including attacks.

Trustworthiness (Software)

Minimum vulnerabilities and resistance to malicious logic in software.

Survivability/Resilience (Software)

Software's ability to withstand attacks and recover quickly with minimal damage.

CIA Triad

Confidentiality, Integrity, and Availability – core principles of cloud security.

Confidentiality

Ensuring that data is only accessible to authorized users.

Integrity

Ensuring that data is accurate and hasn't been altered without authorization.

Confidentiality in cloud systems

Protecting sensitive information from unauthorized access, disclosure, or use.

Intellectual Property (IP)

Rights protecting creations like inventions, designs, art, music & writing.

Covert Channel

Hidden communication path enabling unauthorized data exchange.

Traffic Analysis

Analyzing communication patterns to uncover secret information.

Encryption

Converting data into a secret code to protect it from unauthorized access.

Inference

Deductively finding higher-level information from lower-level data.

Cloud Security Services

Essential security features in a cloud computing environment.

System Audit

A one-time or periodic evaluation of security.

Monitoring

An ongoing activity that examines the system or users.

Internal Auditor

An auditor working for an organization.

External Auditor

A hired, independent auditor (like a CPA).

Audit Trail/Log

A record of processing events, showing who, when, and where.

Accountability

Ability to determine actions/behaviors & identify the individual.

Nonrepudiation

An individual cannot deny an action.

Audit Logs

Records of transactions and security events, including dates, times, and terminals.

IT Auditor Functions

Audit system and transaction controls, development standards, backups, data library procedures, and security (including contingency plans).

Cloud Security

Protecting data, applications, and infrastructure in cloud computing.

Secure Service Admin

Cloud providers must design, implement, and manage administrative systems securely, using industry best practices to protect high-value targets.

External Interface Protection

Cloud services must secure external or less-trusted interfaces, including APIs, web consoles, and command line interfaces.

Secure by Default

Cloud services should be designed and configured to be secure initially.

Audit Info for Customers

Cloud providers must provide audit logs and alerts to customers, helping them identify security incidents and understand how and when they occurred.

Secure Use Facilitation

Cloud providers should help customers fulfill their data protection obligations, making it easier to use the cloud securely.

AWS CloudWatch function

A monitoring tool for AWS resources like EC2, custom metrics, and logs, setting alarms and viewing graphs/statistics.

CloudTrail function

A logging service that tracks API calls, identifying users from the AWS console.

Threat Identification Stages

Three-stage process for identifying security threats in the cloud: gaining visibility, managing access, and wiping a user from resources.

Gaining Visibility (Threat Ident.)

Using tools to pinpoint security incidents, like identifying the source of a security issue in the cloud.

Managing Access (Threat Ident.)

Checking user access to resources and removing access from a suspect user.

AWS IAM

A service used to control access to AWS resources, enabling granular permissions.

Principle 1 (Cloud Security)

Protecting data in transit using encryption, authentication, and network security.

Principle 2 (Cloud Security)

Securing cloud assets and data from physical threats, loss, damage, and complying with regulations.

Shared Responsibility Model (Cloud)

A model where cloud providers are responsible for security of the infrastructure (OS, virtualization, physical) while customers manage security of their applications and data.

Confidentiality Threats (Cloud)

Threats that expose sensitive data (like student records) to unauthorized access.

Data Integrity Threats (Cloud)

Threats that tamper or modify data in an unauthorized way.

Data Availability Threats (Cloud)

Threats that prevent or interfere with access to data, like denial of service attacks or outages.

Data Encryption (Cloud)

Protecting information in transit (being sent) and at rest (stored) in the cloud.

Cloud Security Monitoring

Tracking and analyzing system activity in the cloud for security issues.

Security Groups (Cloud)

Firewall rules that control incoming and outgoing traffic in a cloud environment.

Strong Passwords

Complex passwords make it hard for others to guess data access details.

Study Notes

Cloud Computing Software Security Fundamentals

  • Cloud computing software security is a critical issue. SaaS reduces the need for secure software development by the customer, shifting that responsibility to the cloud provider.
  • DoD Software Assurance defines software assurance as the level of confidence that software functions as intended and is free of vulnerabilities.
  • Secure software design principles form the basis for software assurance.
  • Dependability, trustworthiness, and survivability are the three properties that secure software must exhibit.
  • Dependability includes executing predictably, operating correctly across conditions, and containing a minimum of vulnerabilities or weaknesses.
  • Trustworthiness ensures resistance to malicious logic.
  • Survivability or resilience means the software's ability to recover quickly following attacks.

Cloud Information Security Objectives

  • Confidentiality, integrity, and availability are key pillars of cloud software assurance, often known as the CIA triad.

Cloud Security Services

  • Authentication: Testing or reconciliation of evidence of a user's identity, ensuring users are who they claim to be.
  • Authorization: Determining access rights and privileges granted to individuals or processes, based on established identities.
  • Auditing: Recording relevant system activities to track actions and ensure accountability.
  • Accountability: Determining the actions of individuals within the cloud system and associating those actions with the specific individual.

Confidentiality

  • Confidentiality is preventing intentional or unintentional unauthorized information disclosure.
  • Intellectual property rights, covert channels, traffic analysis, encryption, and inference are factors related to confidentiality.

Integrity

  • Cloud information integrity requires that modifications not be made to data by unauthorized personnel or processes.
  • Authorized personnel or processes must not make unauthorized changes to the data.
  • Data must be internally and externally consistent.

Availability

  • Availability ensures reliable and timely access to cloud data or resources by appropriate personnel.
  • Systems must function properly when needed.
  • Cloud security services (like security systems) must operate effectively to maintain availability.

Threat Identification in Cloud

  • Cloud security uses technologies and techniques to protect data, applications, and infrastructure.
  • Cloud service providers use a shared responsibility model.
  • Threat identification in the cloud has three stages: monitoring data, gaining visibility, and managing access.
  • Threats to confidentiality involve revealing confidential information, like student health records.
  • Threats to data integrity involve manipulating data (e.g., genomics records).
  • Threats to data availability include denial-of-service attacks and power outages.

Cloud Security Design Principles

  • Protecting data in transit through encryption, service authentication, and network-level security measures.
  • Protecting assets from tampering, loss, or seizure; measures include compliance with regulations and strategies like encryption.
  • Implementing separation between users to prevent unauthorized access.
  • Establishing a strong governance framework to manage service and information security, covering:
    • Security operations: hinder, detect, or prevent attacks.
    • Personnel security: ensure trustworthy personnel.
    • Secure development: reduce security threats.
    • Secure supply chain: ensure adherence to standards by third parties.
    • Secure user management: protect against unauthorized access.
  • Further principles:
    • Identity and authentication: restrict access to authenticated and authorized identities.
    • External interface protection: secure external APIs and interfaces.
    • Secure service administration and audit information: ensure compliance with industry best practices and provide audit logs.
    • Secure use of the service: promote secure configuration in services.

Description

Explore the key principles of software security in cloud computing. This quiz covers the responsibilities of cloud providers, essential design principles for secure software, and the critical objectives of cloud information security, including confidentiality, integrity, and availability.
