Lesson 15

Implementing Secure Cloud Solutions

Topic 15A
Summarize Secure Cloud and Virtualization Services

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Syllabus Objectives Covered

• 2.2 Summarize virtualization and cloud computing concepts

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 3
Cloud Deployment Models

• Public (multi-tenant)
• Cloud service providers (CSPs)
• Shared between subscribers
• Multi-cloud
• Hosted private
• Private instance operated by a CSP but dedicated to a single customer
• Private
• Wholly owned and operated by the organization
• On-premises vs. off-premises
• Community
• Hybrid

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 4
 Cloud Service Models

• Anything as a service (XaaS)

• Infrastructure as a Service (IaaS)
• Unconfigured compute, storage,
and network resources
• Software as a Service (SaaS)
• Fully developed applications
• Platform as a Service (PaaS)
• Pre-configured OS and
database/middleware instances

Screenshot used with permission from Amazon.com.

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 5
Anything as a Service
• Specific IaaS, PaaS, or SaaS solutions for business needs
• Security in the cloud
• Security of the cloud
• Cloud responsibility matrix

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 6
Security as a Service

• Consultants
• Third-party expertise and perspective
• Managed Security Services Provider (MSSP)
• Turnkey security solutions
• Security as a Service (SECaaS)
• Cloud-deployed security assessment and analysis
• Cyber threat intelligence and machine learning analytics

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 7
 Virtualization Technologies and Hypervisor Types
• Virtualization platform
• Host hardware
• Hypervisor/Virtual Machine Monitor
(VMM)
• Guest operating systems, Virtual
Machines (VM), or instances

• Type II hypervisors (host-based)

• Type I hypervisors (bare metal)

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 8
Virtual Desktop Infrastructure and Thin Clients

• Virtual Desktop Infrastructure (VDI)

• Storing images of clients (OS + applications) on a central server
• Virtual Desktop Environment (VDE) images are loaded by thin clients
• Allows for low-power client devices
• Centralizes control over client desktops
• Allows for almost completely hosted IT infrastructure

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 9
Application Virtualization and Container Virtualization

• Application virtualization
• Hosting or streaming individual
software applications on a server
• XenApp, App-V, ThinApp
• Container virtualization
(application cells)
• Resource separation at the OS
level
• Cannot run different OS VMs
• Docker

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 10
VM Escape Protection

• Reduce impact of successful

exploits
• Ensure careful placement of VM
services on hosts/within network
• Respect security zones (DMZ) Image © 123RF.com.

Images © 123RF.com.
CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 11
VM Sprawl Avoidance

• Guest OS security
• OS environment must still be maintained
• Rogue VMs
• System sprawl and undocumented assets
• Virtual machine life cycle management (VMLM)
• Use template-based VM creation

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 12
Topic 15B
Apply Cloud Security Solutions

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 13
Syllabus Objectives Covered

• 1.2 Given a scenario, analyze potential indicators to determine the type of

attack (Cloud-based versus on-premises only)
• 2.2 Summarize virtualization and cloud computing concepts
• 3.6 Given a scenario, apply cybersecurity solutions to the cloud

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 14
Cloud Security Integration and Auditing

• Obtaining and integrating cloud security data

• Attack indicators and correlation
• Responsibility matrix and SLAs
• Security of the cloud
• Security in the cloud
• Reporting
• Legal and compliance responsibilities
• Insider threat

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 15
Cloud Security Controls

• Same types of security controls

• IAM, endpoint protection, resource policies, firewalls, logging, …
• Cloud native controls vs. third-party solutions
• CSP web console, CLI, and API
• Vendor virtual instances
• Application security and IAM
• Secure development/coding
• Security accounts/groups/roles
• Secrets management
• Block use of root account
• Use MFA for privileged accounts
• Protect API keys

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 16
Cloud Compute Security

• Compute
• Processing resources for cloud workloads (CPU and RAM)
• Virtual machines and containers
• Dynamic resource allocation
• Container security
• API inspection and integration
• Number of requests
• Latency
• Error rates
• Unauthorized and suspicious endpoints
• Instance awareness
• Logging and monitoring to mitigate cloud sprawl

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 17
Cloud Storage Security
• Storage "Statement": [ {
• Persistent storage capacity "Action": [
• Performance characteristics for storage
"*"
tiers
• Input/output operations per second (IOPS) ],
• Permissions and resource policies "Effect": "Allow",
• JavaScript Object Notation (JSON) "Principal": "*",
• Encryption "Resource":
• Symmetric media encryption key "arn:aws:s3:::515support
• CSP-managed keys versus customer- - courses - data/*"
managed }]
• Separation of duties for CSP-managed keys

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 18
High Availability

• High availability
• Virtualization layer provisions dynamic allocation and redundancy
• 99.99%+ uptime
• Replication
• Copying data between media, servers, or sites
• Performance tiers
• High availability across zones
• Local
• Regional
• Geo-redundant storage (GRS)

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 19
Cloud Networking Security

• Cloud networking types

• Operating and managing cloud systems
• Virtual networks between VMs and containers within the cloud
• Virtual networks publishing cloud services
• Virtual private clouds (VPCs)
• Segmented virtual networks
• Can contain multiple IPv4 and IPv6 subnets
• Public and private subnets
• Internet gateway and default route
• Public IP addresses
• NAT gateway
• VPN

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 20
VPCs and Transit Gateways

• Routing between subnets

• Can use traditional access control lists
• Can use vendor security appliance instances
• Multiple VPCs for segmentation
• Between VPCs in the same account
• Between different accounts
• To on-premises networks
• Peering relationships
• One-to-one connections
• Transit gateways
• Virtual router

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 21
VPC Endpoints

• Publishing a service over cloud internal network

• Avoids exposing traffic to the Internet
• Gateway endpoint
• Connect instances to S3 and DynamoDB services
• Added as route
• Interface endpoint
• AWS PrivateLink
• Service VPC or default Amazon service published with a DNS name
• VPC endpoint interface added to each service consumer VPC
• Instances within the consumer VPC access the service via the VPC endpoint
interface

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 22
Cloud Firewall Security

• Need for segmentation

• Load balancing workloads
• Isolating data processing
• Compartmentalizing data access
• Open Systems Interconnection (OSI) layers
• Network layer (layer 3)
• Transport layer (layer 4)
• Application layer (layer 7)
• Cloud native versus vendor controls
• Deploy host-based firewall within instance
• Deploy vendor firewall/security appliance as instance
• Transaction and volume costs for cloud native solutions

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 23
 Security Groups

• Basic stateful packet filtering for

instances
• Default security group
• Custom groups
• Custom group with no rules
drops all network traffic
• Can be assigned to multiple
instances
• Instances in the same subnet
can be assigned different
security groups
• Multiple security groups can be
assigned to the same instance

Screenshot used with permission from Amazon.com.

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 24
Cloud Access Security Brokers

• Mediate access to cloud services by enterprise users across all types of

devices
• Implemented as proxy or via API
• Next-Generation Secure Web Gateway
• Secure access service edge (SASE)

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 25
Topic 15C
Summarize Infrastructure as Code Concepts

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 26
Syllabus Objectives Covered

• 2.2 Summarize virtualization and cloud computing concepts

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 27
Services Integration and Microservices

• Monolithic client/server applications

• Service-oriented architecture (SOA)
• Atomic services with defined input/output interfaces
• Loosely decoupled
• Microservices
• Each service capable of independent development and deployment
• Highly decoupled
• Services integration and orchestration
• Enterprise service bus versus orchestration
• Automating automation
• Uses scripts and service APIs to provision a workflow
• Cloud orchestration platforms

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 28
Application Programming Interfaces

• Means by which external entities interact with a service

• Simple Object Access Protocol (SOAP)
• XML format messaging
• Web Services (WS) standards
• Representational State Transfer (REST)
• RESTful APIs
• HTTP operation/verb
• Noun endpoints accessed as URLs

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 29
Serverless Architecture

• Service provision is wholly abstracted from the hardware, OS, and platform
layers
• AWS Lambda
• Google Cloud Functions
• Microsoft Azure Functions
• All hardware, OS, and platform management is security of the cloud
• Heavily reliant on orchestration

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 30
Infrastructure as Code

• All configuration and provisioning is performed by

scripting/automation/orchestration
• Elimination of inconsistency (snowflakes and configuration drift)
• Idempotence
• Making the same call with the same parameters will always produce the same
result

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 31
Software-Defined Networking

• Physical and virtual appliances that can be fully automated

• Control plane/policy definitions
• Data plane/network controller
• Management plane
• SDN policy > northbound API > network controller > southbound API >
firewall appliance
• Network functions virtualization (NFV)

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 32
Software-Defined Visibility

• Near real-time collection, aggregation, and reporting of data

• Baseline monitoring and anomaly detection
• Supports east/west and zero trust
• Security orchestration and automated response (SOAR)

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 33
Fog and Edge Computing

• Embedded and IoT devices deployed at the network edge

• Strong requirements for availability and low latency
• Fog computing
• Provision greater processing resource between the edge and data
center
• Prioritize data for analysis and alert conditions
• Edge computing
• Defines additional zones and processing nodes
• Edge device zone
• Edge gateways
• Fog nodes
• Data center

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 34
Lesson 15
Summary

CompTIA Security+ Lesson 15 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 35