Virtualization Strategies

Virtualization is a technology that system administrators have been using in datacenters for many years, and it is at the heart of cloud computing infrastructure. It is a technology that allows the physical resources of a computer (CPU, RAM, hard disk, graphics card, etc.) to be shared by virtual machines (VMs). Consider the old days when a single physical hardware platform—the server—was dedicated to a single-server application like being a web server. It turns out that a typical web server application didn't utilize many of the underlying hardware resources available. If you assume that a web application running on a physical server utilizes 30 percent of the hardware resources, that means that 70 percent of the physical resources are going unused, and the server is being wasted.

With virtualization, if three web servers are running via VMs with each utilizing 30 percent of the physical hardware resources of the server, 90 percent of the physical hardware resources of the server are being utilized. This is a much better return on hardware investment. By installing virtualization software on your computer, you can create VMs that can be used to work in many situations with many different applications.

A hypervisor is the software that is installed on a computer that supports virtualization. It can be implemented as firmware, which is specialized hardware that has permanent software programmed into it. It could also be hardware with installed software. It is within the hypervisor that the VMs will be created. The hypervisor allocates the underlying hardware resources to the VMs. Examples of hypervisor software are VMware's Workstation and Oracle's VM VirtualBox. There are free versions of each of these hypervisors that you can download and use. A VM is a virtualized computer that executes programs as a physical machine would.

A virtual server enables the user to run two, three, four, or more operating systems on one physical computer. For example, a virtual machine will let you run a Windows, Linux, or virtually any other operating system. They can be used for development, system administration, or production to reduce the number of physical devices needed. Exercise 9.1 shows how to convert a physical computer into a virtual image.

Virtualization sprawl is a common issue enterprise organizations have. Virtualization or VM sprawl happens when the number of machines on a network exceeds the point where system administrators can handle or manage them correctly or efficiently. To keep this from happening, strict policies should be developed and adhered to as well as using automation to stay on top of resources being used. Creating a VM library is helpful as long as you have a VM librarian to go with it.

Deployment Models and Considerations

Cloud computing architecture can include various cloud deployment models and layers. Public use services are provided by an external provider. Private use services are implemented internally in a cloud design. A hybrid architecture offers a combination of public and private cloud services to accomplish an organization's goals. A community cloud service model is a shared and cooperative infrastructure where several organizations with common concerns share data and resources.

The following is a partial list of the top cloud provider companies:

• Amazon Web Services (AWS)
• Azure
• GoogleCloud
• AlibabaCloud
• Salesforce
• Adobe Creative Cloud
• Dropbox
• Digital Ocean
• IBM Cloud
• Dell

These providers offer a range of services including the following:

• Public Clouds Available to the general public. An example would be Google Drive.
• Private Clouds Operated for a single company or entity. An example would be a company's private cloud storage of travel expenses.
• Hybrid Clouds A combination of a public and private cloud. An example would be a company's cloud storage of projects with varied access for internal employees and vendors.
• Community Clouds Shared between several organizations. An example would be cloud storage for a group of schools or government offices.
• Multitenancy Used to host a single software application that hosts multiple customers through a multitenant hosting model. An example would be a collaborative workspace for several project contributors.
• Single Tenancy Hosts a single software application designed to support one customer through a single-tenant hosting model. An example would be a specialized HR application for one organization. Although single tenancy is more secure due to isolation and you control access, backups, and cost with scaling, it also requires more maintenance because single-tenant environments need more updates and upgrades that are managed by the customer.

Service Models

Cloud models can be broken into several basic designs that include infrastructure as a service, monitoring as a service, software as a service, and platform as a service. Each design is described here:

• Infrastructure as a Service Infrastructure as a service (IaaS) describes a cloud solution where you are buying infrastructure. You purchase virtual power to execute your software as needed. This is much like running a virtual server on your own equipment, except that you are now running a virtual server on a virtual disk. This model is similar to a utility company model, as you pay for what you use. An example of this model is Amazon Web Services, aws.amazon.com.
• Monitoring as a Service Monitoring as a service (MaaS) offers a cloud-based monitoring solution. This includes monitoring for networks, application servers, applications, and remote systems. An example of this model is AppDynamics, a division of Cisco at www.appdynamics.com. It provides a Java-based MaaS solution.
• Software as a Service Software as a service (SaaS) is designed to provide a complete packaged solution. The software is rented out to the user. The service is usually provided through some type of front end or web portal. While the end user is free to use the service from anywhere, the company pays a per-use fee. As an example, Salesforce is a customer relationship management service providing customer service, marketing automation, analytics, and application development; it offers this type of service at www.salesforce.com.
• Platform as a Service Platform as a service (PaaS) provides a platform for your use. Services provided by this model include all phases of the software development life cycle (SDLC) and can use application programming interfaces (APIs), website portals, or gateway software. These solutions tend to be proprietary, which can cause problems if the customer moves away from the provider's platform. An example of PaaS is Google Workspace, workspace.google.com.

With so many different cloud-based services available, it was only a matter of time before security moved to the cloud. Such solutions are known as security as a service (SECaaS). SECaaS is a cloud-based solution that delivers security as a service from the cloud. SECaaS functions without requiring onsite hardware, and as such it avoids substantial capital expenses. The following are some examples of the type of security services that can be performed from the cloud:

• Antispam Cloud-based antispam services can be used to detect spam email. Providers include SpamTitan, MailWasher, and MX Guarddog.
• Antivirus Cloud-based antivirus applications offer a number of benefits, and they can be useful for quickly scanning a PC for malware. Two examples of such services are Webroot and Avast.
• Anti-malware Cloud-based anti-malware monitors and reacts to more than viruses. Anti-malware stops a broader set of malicious software. A good example of such a tool is Malwarebytes.
• Content Filtering This cloud service allows companies to outsource the content filtering service so that the cloud-based provider can manage and monitor all outbound and inbound traffic, so tools like FortiGuard and Cisco Umbrella would help.
• Cloud Security Broker A cloud security broker will act as a gateway or go-between, being placed between an organization's infrastructure and the cloud service provider (CSP). The cloud security broker is becoming more commonly known as the cloud access security broker (CASB). There is no hard boundary on how a CASB functions or what benefits the organization can expect from a cloud security broker. The cloud security broker may react to threats, performing like an IDS/IPS, or the cloud security broker may send alerts on learned activity or inspect logs, performing more like SIEM. Realistically, most CASBs will function in both ways. According to Gartner's 2020 Magic Quadrant for CASB, the leading vendors are McAfee, Microsoft, Netskope, and Bitglass.
• Hash Matching This service allows the user to search for known malicious files quickly or to identify known good files by searching online repositories for hash matches. One great example can be found at www.hashsets.com. This hash set is maintained by the National Software Reference Library (NSRL). These hashes can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the database.
• Sandboxing A cloud-based sandbox is a stand-alone environment that allows you to view or execute a program safely while keeping it contained. Good examples of sandbox services include Zscaler and FortiSandbox.
• Managed Security Service Providers Managed security service providers (MSSPs) provide outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning, and antiviral services. MSSPs use high-availability security operations centers at their own facilities or from other datacenter providers to provide 365 × 24 × 7 services designed to help reduce the number of operational security personnel an enterprise needs to hire, train, and retain in order to maintain an acceptable security posture.
• Vulnerability Scanning Many companies don't have the expertise or capability to perform all of the security services they need. One such service that can be outsourced is vulnerability scanning. Cloud-based solutions offload this activity to a third-party provider.

From a security standpoint, one of the first questions that must be answered in improving the overall security posture of an organization is where data resides. The advances in technology make this much more difficult than in the past. Years ago, Redundant Array of Inexpensive/Independent Disks (RAID) was the standard for data storage and redundancy. Today, companies have moved to dynamic disk pools (DDPs) and cloud storage. DDP shuffles data, parity information, and spare capacity across a pool of drives so that the data is better protected and downtime is reduced. DDPs can be rebuilt up to eight times faster than traditional RAID.

Enterprise storage infrastructures may not have adequate protection mechanisms. The following basic security controls should be implemented:

• Know your assets. Perform an inventory to know what data you have and where it is stored.
• Build a security policy. A corporate security policy is essential. Enterprise storage is just one item that should be addressed.
• Implement controls. The network should be designed with a series of technical controls, such as the following:
  • Intrusion detection system (IDS)/intrusion prevention system (IPS)
  • Firewalls
  • Network access control (NAC)
• Harden your systems. Remove unnecessary services and applications.
• Perform proper updates. Use patch management systems to roll out and deploy patches as needed.
• Segment the infrastructure. Segment areas of the network where enterprise storage mechanisms are used.
• Use encryption. Evaluate protection for data at rest and for data in transit.
• Implement logging and auditing. Enterprise storage should have sufficient controls so that you can know who attempts to gain access, what requests fail, when changes to access are made, or when other suspicious activities occur.
• Use change control. Use change control and IT change management to control all changes. Changes should occur in an ordered process, documented with a plan to roll back if systems crash.
• Implement trunking security. Trunking security is typically used with VLANs. The concept is to block access to layer 2 devices based on their MAC addresses. Blocking a device by its MAC address effectively prevents the device from communicating through any network switch. This stops the device from propagating malicious traffic to any other network-connected devices.
• Employ port security. When addressing the control of traffic at layer 2 on a switch, the term used today is port security. Port security specifically speaks to limiting what traffic is allowed in and out of particular switch ports. This traffic is controlled per layer 2 address or MAC address. One example of typical port security is when a network administrator knows that a fixed set of MAC addresses are expected to send traffic through a switch port. The administrator can employ port security to ensure that traffic from no other MAC address will be allowed to use that port and traverse the switch.

Cloud Provider Limitations

Cloud computing has many benefits, but there are disadvantages as well, especially with smaller organizations.

• Downtime Loss of access is one of the biggest disadvantages and can occur for any reason.
• Privacy Cloud service providers are expected to manage and safeguard the underlying hardware infrastructure, but with recent credit card breaches and login credentials stolen, you have to be aware of best practices.
• Limited control To different degrees, cloud users find they have less control over cloud-hosted infrastructure, and switching between cloud services can be difficult.
• Limited Internet Protocol (IP) address scheme Cloud providers can limit IP address ranges and availability so what is used in the cloud is different than on premises. It is also usually dynamic, so users cannot force an on-premises IP address to route properly to a cloud provider.
• VPC Peering Limits A virtual private cloud (VPC) can experience networking connectivity issues because of incorrect or missing route tables. Only one connection can exist between two VPCs at the same time and they must be able to communicate as if they are on the same network using private IP addressing. A virtual private cloud (VPC) customer has exclusive access to a segment of a public cloud. This deployment is a compromise between a private and a public model in terms of price and features. Access can also be restricted by the user's physical location by employing firewalls and IP address whitelisting. Using the cloud is a trade-off—you gain speed, performance, and cost, but you lose control over the security processes.

Extending Appropriate On-Premises Controls

Although cost and ease of use are two great benefits of cloud computing, there are significant security concerns when considering on-demand/elastic cloud computing.

Cloud computing is a big change from the way IT services have been delivered and managed in the past. One of the advantages is the elasticity of the cloud, which provides the online illusion of an infinite supply of computing power. Cloud computing places assets outside the owner's security boundary. Historically, items inside the security perimeter were trusted, whereas items outside were not. With cloud computing, an organization is being forced to place their trust in the cloud provider. The cloud provider must develop sufficient controls to provide the same or a greater level of security than the organization would have if the cloud were not used.

As a CASP+, you must be aware of the security concerns of moving to a cloud-based service. The pressures are great to make these changes, but there is always a trade-off between security and usability. Here are some basic questions that a security professional should ask when considering cloud-based solutions and the controls that must be put in place.

• Does the data fall under regulatory requirements? Different countries have different requirements and controls placed on access. For example, organizations operating in the United States, Canada, or the European Union have many regulatory requirements. Examples of these include ISO 27002, Safe Harbor, Information Technology Infrastructure Library (ITIL), and Control Objectives for Information and Related Technology (COBIT). The CASP+ is responsible for ensuring that the cloud provider can meet these requirements and is willing to undergo certification, accreditation, and review as needed.
• Who can access the data? Defense in depth is built on the concept that every security control is vulnerable. Cloud computing places much of the control in someone else's hands. One big area that is handed over to the cloud provider is access. Authentication and authorization are real concerns. Because the information or service now resides in the cloud, there is a much greater opportunity for access by outsiders. Insiders might pose an additional risk.

  Insiders, or those with access, have the means and opportunity to launch an attack and only lack a motive. Anyone considering using the cloud needs to look at who is managing their data and what types of controls are applied to individuals who may have logical or physical access.

• Does the cloud provider use a data classification system? A CASP+ should know how the cloud provider classifies data. Classification of data can run the gamut from a fully deployed classification system with multiple levels to a simple system that separates sensitive and unclassified data. Consumers of cloud services should ask whether encryption is used and how one customer's data is separated from another customer's data. Is encryption being used for data in transit or just for data at rest? Consumers of cloud services will also want to know what kind of encryption is being used. For instance, is the provider using Advanced Encryption Standard (AES) 128 or 256? How are the keys stored? Is the encryption mechanism being used considered a strong one? One strong control is virtual private storage, which provides encryption that is transparent to the user. Virtual private storage is placed in your screened subnet and configured to encrypt and decrypt everything that is coming and going from your network up to the cloud.
• What training does the cloud provider offer its employees? This is a rather important item in that people will always be the weakest link in security. Knowing how your provider trains their employees is an important item to review. Training helps employees know what the proper actions are and understand the security practices of the organization.
• What are the service level agreement (SLA) terms? The SLA serves as a contracted level of guaranteed service between the cloud provider and the customer. An SLA is a contract that provides a certain level of protection. For a fee, the vendor agrees to repair, replace, or provide service within a contracted period of time. An SLA is usually based on what the customer specifies as the minimum level of services that will be provided.
• Is there a right to audit? This particular item is no small matter in that the cloud provider should agree in writing to the terms of audit. Where and how is your data stored? What controls are used? Do you have the right to perform a site visit or review records related to access control or storage?
• Does the cloud provider have long-term viability? Regardless of what service or application is being migrated to a cloud provider, you need to have confidence in the provider's long-term viability. There are costs not only to provision services but also for de-provisioning should the service no longer be available. If they were to go out of business, what would happen to your data? How long has the cloud provider been in business, and what is their track record? Will your data be returned if the company fails and, if so, in what format?
• How will the cloud provider respond if there is a security breach? Cloud-based services are an attractive target for computer criminals. If a security incident occurs, what support will you receive from the cloud provider? To reduce the amount of damage that these criminals can cause, cloud providers need to have incident response and handling policies in place. These policies should dictate how the organization handles various types of incidents. Cloud providers must have a computer security incident response team (CSIRT) that is tied into customer notification policies for law enforcement involvement.
• What is the business continuity and disaster recovery plan (BCDR)? Although you may not know the physical location of your services, they are physically located somewhere. All physical locations face threats, such as fire, storms, natural disasters, and loss of power. In case of any of these events, the CASP+ will need to know how the cloud provider responds and what guarantee of continued services they are promising. There is also the issue of retired, replaced, or damaged equipment. Items such as hard drives need to be decommissioned properly. Should sensitive data be held on discarded hard drives, data remanence is a real issue. Data remanence is the remaining data, or remnants, that remain on the media after formatting or drive wiping. The only way to ensure there are no data remnants is to physically destroy the media.

In Exercise 9.3, you will examine some common risks and issues associated with cloud computing as they would affect your organization.

Storage Models

Even though your data is in the cloud, it must physically be located somewhere. Is your data on a separate server, is it co-located with the data of other organizations, or is it sliced and diced so many times that it's hard to know where it resides? Your cloud storage provider should agree in writing to provide the level of security required for your customers.

Tape was the medium of choice for backup and archiving for most businesses for many years. This was in part due to the high cost of moving backup and archival data to a data warehouse. Such activities required hundreds of thousands of dollars in infrastructure investment. Today that has started to change as cloud service providers are beginning to sell attractively priced services for cloud storage. Such technologies allow companies to do away with traditional in-house technologies. Cloud-based archiving and warehousing have several key advantages.

• Content Management The cloud warehousing provider manages the content for you.
• Geographical Redundancy Data is held at more than one offsite location.
• Advance Search Data is indexed so that retrieval of specific datasets is much easier.

How much storage is enough? How big a hard drive should I buy? These are good questions—there never seems to be enough storage space for home or enterprise users. Businesses are no different and depend on fast, reliable access to information critical to their success. This makes enterprise storage an important component of most modern companies. Enterprise storage can be defined as computer storage designed for large-scale, high-technology environments.

Think of how much data is required for most modern enterprises. There is a huge dependence on information for the business world to survive. Organizations that thrive on large amounts of data include government agencies, credit card companies, airlines, telephone billing systems, global capital markets, e-commerce, and even email archive systems. Although the amount of storage needed continues to climb, there is also the issue of terminology used in the enterprise storage market. Terms such as heterogeneous, SAN, NAS, virtualization, and cloud storage are frequently used.

Before any enterprise storage solution is implemented, a full assessment and classification of the data should occur. This would include an analysis of all threats, vulnerabilities, existing controls, and the potential impact if loss, disclosure, modification, interruption, or destruction of the data should occur.

Now that we've explored some of the security issues of enterprise storage, let's look at some of the technologies used in enterprise storage.

• Virtual Storage Virtual storage options have grown, evolved, and matured. These online entities typically focus either on storage or on sharing. The storage services are designed for storing large files. Many companies are entering this market and now giving away storage, such as Microsoft's OneDrive, Amazon Drive, and Google Drive.

  Virtual file sharing services are a second type of virtual storage. These services are not meant for long-term use. They allow users to transfer large files. Examples of these services include Dropbox, DropSend, and MediaFire. These virtual services work well if you are trying to share very large files or move information that is too big to be sent as an attachment.

  On the positive side, there are many great uses for these services, such as keeping a synchronized copy of your documents in an online collaboration environment, sharing documents, and synchronizing documents between desktops, laptops, tablets, and smartphones.

  The disadvantages of these services include the fact that you are now placing assets outside the perimeter of the organization. There is also the issue of loss of control. If these providers go out of business, what happens to your data? Although these services do fill a gap, they can be used by individuals to move data illicitly. Another concern is the kind of controls placed on your data. Some of these services allow anyone to search sent files.

  In Exercise 9.4, you'll look at security issues involved in online storage.

• Network-Attached Storage Network-attached storage (NAS) is a technology that contains or has slots for one or more hard drives using a hierarchical storage methodology. These hard drives are used for network storage. NAS is similar to direct access storage (DAS), but DAS is simply an extension of one system and has no networking capability.

  Many NAS devices make use of the Linux OS and provide connectivity via network file sharing protocols. One of the most common protocols used is Network File System (NFS). NFS is a standard designed to share files and applications over a network. NFS was developed by Sun Microsystems (now part of Oracle) back in the mid-1980s. The Windows-based counterpart used for file and application sharing is Common Internet File System (CIFS); it is an open version of Microsoft's Server Message Block (SMB) protocol.

  For the CASP+ exam, this is often referred to as object storage or file-based storage. This type of cloud solution is seen in Amazon Simple Storage Services (S3).

• SAN The Storage Network Industry Association (SNIA) defines a storage area network (SAN) as “a data storage system consisting of various storage elements, storage devices, computer systems, and/or appliances, plus all the control software, all communicating in efficient harmony over a network.” SANs are similar to NAS. One of the big differences is that NAS appears to the client as a file server or stand-alone system. A SAN appears to the client OS as a local disk or volume that is available to be formatted and used locally as needed.

  For the CASP+, this is referred to in the objectives as block storage. Block cloud storage solutions include Amazon Elastic Block Store (EBS) and are provisioned with ultra-low latency for high performance.

• Virtual SAN A virtual SAN (VSAN) is a SAN that offers isolation among devices that are physically connected to the same SAN fabric. A VSAN is sometimes called fabric virtualization. (Fabric can be defined as the structure of the SAN.) VSANs were developed to support independent virtual networking capability on a single switch. VSANs improve consolidation and simplify management by allowing for more efficient SAN utilization. A resource on any individual VSAN can be shared by other users on a different VSAN without merging the SAN's fabrics.
• Redundancy (Location) Location redundancy is the idea that content should be accessible from more than one location. An extra measure of redundancy can be provided by means of a replication service so that data is available even if the main storage backup system fails. This further enhances a company's resiliency and redundancy. Database storage using shadowing, remote journaling, and electronic vaulting are all common methods used for redundancy. Electronic vaulting describes the transfer of data by electronic means rather than a physical shipment of backup tapes. Some organizations use these techniques by themselves, whereas others combine these techniques with other backup methods.
• Secure Storage Management and Replication Secure storage management and replication systems are designed to enable a company to manage and handle all corporate data in a secure manner with a focus on the confidentiality, integrity, and availability of the information. The replication service allows for the data to be duplicated in real time so that additional fault tolerance is achieved.
• Multipath Solutions

  Enterprise storage multipath solutions reduce the risk of data loss or lack of availability by setting up multiple routes between a server and its drives. The multipathing software maintains a list of all requests, passes them through the best possible path, and reroutes communication if one of the paths dies. One of its major advantages is its speed of access.

• SAN Snapshots SAN snapshot software is typically sold with SAN solutions and offers the user a way to bypass typical backup operations. The snapshot software has the ability to stop writing to a physical disk temporarily and then make a point-in-time backup copy. Think of these as being similar to Windows System Restore points in that they allow you to take a snapshot in time. Snapshot software is typically fast and makes a copy quickly, regardless of the drive size.
• Data De-duplication (DDP) Data de-duplication is the process of removing redundant data to improve enterprise storage utilization. Redundant data is not copied. It is replaced with a pointer to the one unique copy of the data. Only one instance of redundant data is retained on the enterprise storage media, such as disk or tape.

Automation and Orchestration

Cloud automation is technology that does not require human intervention in processes and procedures. By having decisions made based on relationships and the actions that should be taken, human-made mistakes can be avoided, and processes that required involvement of IT staff can happen automatically. By using automation of a single task or orchestration of many automated tasks, enterprise organizations improve standard operating procedures for specific use cases as well as increasing efficiency and consistency. There are several cloud orchestration tools including software like Puppet, Ansible, and Chef. These three tools are fairly simple to use and have robust capabilities. Puppet works best with automated provisioning of assets, configuration automation with great visualization, and reporting. Chef is used more for compliance and security management, while Ansible is the easiest of all three to implement; Ansible is good with simple orchestration but does not scale in large environments as well as the other two.

Encryption Configuration

Sensitive information is being moved to the cloud now more than ever. According to the Ponemon Institute, the average cost of a breach is now more than $3.8 million USD. One of the most essential elements of preventing the loss of data being moved to the cloud is having robust encryption for the data while at rest as well as in transit.

Encryption makes data unreadable to anyone without access to the encryption keys. Kerckhoffs's principle states that a cryptosystem should be secure, even if everything about the system, except the key, is public knowledge. Only 1 percent of cloud providers support tenant managed encryption keys. With the right tools and configuration, you can protect data with standards-based AES encryption for data at rest, ensuring compliance with PCI, HIPAA, and other federal or industry requirements.

Cloud encryption solutions can encrypt information as it moves in and out of applications and into storage with strong key-based encryption. Most reputable cloud service providers offer cloud encryption options. The most used type of cloud data in transit encryption is the HTTPS protocol. When using the more modern and secure version of Secure Sockets Layer (SSL) called Transport Layer Security (TLS), all traffic is encoded so only authorized users can access the data. If an unauthorized third party sees the data, it remains unreadable because the digital keys to lock and unlock it are at the user and destination layers. Keys should be generated and issued using an asymmetrical algorithm between trusted entities, while certificates are certified during the original connection.

Logs

Every device on a modern cloud network generates logs. Some logs are human readable, and some logs look like gibberish. Some logs are more useful than others, and we should understand which cloud logs need to be preserved for future analysis and for how long. You don't need to log everything, but what you do log should be purposely collected and managed because the logs can show you who did what activity and how the systems they touched responded.

The Center for Internet Security (CIS) Critical Security Controls Version 8 focuses on the collection, maintenance, monitoring, and analysis of audit logs. Our organizations are evolving quickly, and we have to learn to deal with log data in the big data cloud era. Analyzing audit logs is a vital part of security, not just for system security but for processes and compliance. Part of the process of log analysis is reconciling logs from different sources and correlation even if those devices are in different time zones. Network Time Protocol (NTP) will help synchronize devices using the cloud. Google Cloud has its own NTP protocol called Google Public NTP.

In a basic network topology, you will have many types of devices, including routers, switches, firewalls, servers, and workstations. Each of these devices that helps connect you to the rest of the world will generate logs based on its operating system, configuration, and software. Examining logs is one of the most effective ways of looking for issues and investigating problems happening on a system or in an application.

Synchronization and the ability to correlate the data between these devices are vital to a healthy environment. Attackers can hide their activities on assets if logging is not done correctly; therefore, you need a strategic method of consolidating and auditing all your logs. Without solid audit log analysis, an attack can go unnoticed for a long time. According to the 2021 Verizon Data Breach Investigations Report, The Verizon Threat Research Advisory Center intelligence collections in both 2019 and 2020 began with cyber espionage targeting cloud environments by the Chinese menuPass threat actor. Among the ongoing threats were attacks on remote access. The full report was based on detailed analysis of more than 79,600 security incidents, including 5,258 data breaches. You can download the full details at www.verizon.com/business/resources/reports/dbir/2021/year-in-review-2021.

Logging involves collecting data from a large number of data sources, which has its own challenges including collection, storage, encryption, and parsing. Key considerations when configuring logs for collection include normalization, alerting, security, correlation. availability, monitoring, and analysis.

Normalization or parsing logs enables analysis of the data. Parsing the logs into specific fields allows for easier reading, correlation, and analysis. Correlation means that you are able to connect the dots to identify a sequence of events that have the potential to be a breach. Monitoring and alerting for specific events, or after analysis has been done on several scenarios that are being monitored for security incidents, is important because it is a more proactive approach. To be able to go back into storage requires availability. The logging solution chosen must make sure that the logs are not only secure but provide data compression and other procedures to address the high volume.

Without logging, a threat actor can be in an environment and fly completely under the radar. There are many solutions for logging for audit and centralization, including Elasticsearch, Logstash, and Kibana (ELK), which is the most common open-source solution used. There are some security information and event management (SIEM) tools that are customizable for security analytics. SIEM tools centralize information gathering and analysis and provide detailed dashboards and reporting that allow critical information to be seen through visualization, and they offer manual analysis as well as automated analysis capabilities. They work with logging infrastructures using tools such as syslog, syslog-ng, or others that gather and centralize logs, building logging infrastructures that capture evidence used for incident analysis and creating an audit trail. At the same time, additional information captured such as network flows and traffic information, file and system metadata, and other artifacts are used by responders who need to analyze what occurred on a system or network.

Gartner's Magic Quadrant report for 2021 includes Splunk, Rapid7 InsightIDR, LogRhythm, and Exabeam. These SIEM tools work by taking a baseline of two to four weeks of log ingestion to learn the normal state of an organization and then can start monitoring and alerting for anomalies.

Monitoring Configurations

The cloud is not a single object. There are many moving parts that affect performance and availability, with each part needing to work well with other parts. When looking at monitoring a cloud environment, you have to watch the network, the individual VMs, the databases, the websites, and storage. With the network, cloud administrators have to watch for connectivity to make sure they are not overwhelmed with traffic. The VMs will have to be monitored for access and status to make sure they are operating as intended. Database monitoring is incredibly important because of what is in the database, usually sensitive organizational data. Databases will need to be monitored for queries, access requests, integrity, and backups. Proactively monitoring websites will allow for optimal uptime, and storage is costly, so making sure performance and analytics are kept within proper ranges will keep expenses down.

Some cloud monitoring best practices may include the following:

• Decide the most important metrics and events
• Choose the right cloud monitoring software
• Monitor all your cloud infrastructure from one platform
• Automate monitoring tasks
• Track end-user experience
• Test for cloud failure
• Monitor services and costs

It is difficult to keep up with shifting policies and compliance, but with automation open-source software like Puppet or other tooling such as SolarWinds, the organization must be able to monitor the cloud ecosystem for changes and revert as needed. It can be time-consuming and tedious to manually do audit inspections to prepare for an auditor. Puppet is mostly used on Linux and Windows, but it's capable of managing infrastructure through continuous monitoring using policy as code. For more information, visit puppet.com/use-cases/continuous-compliance.

Key Ownership and Location

Chapter 6, “Cryptography and PKI,” covered public key infrastructure, which allows two parties to communicate securely even if they were previously unknown to one another. This chapter covers the certificate authority (CA), registration authority (RA), certificate revocation lists (CRLs), digital certificates, and how they are distributed. The question this chapter covers is how this process can be different in a cloud-based ecosystem.

Most cloud service providers offer some type of encryption for customer data. As mentioned earlier in this chapter, protecting data in transit using HTTPS in the cloud between servers or user devices is reliable and straightforward. Encryption protection becomes more complicated for data at rest on a cloud server. Cloud providers can encrypt the data and maintain control over the keys. This can be a security risk because now a company is dealing with malicious insiders and nefarious outsiders who target the cloud provider. Many organizations are not willing to use cloud-based storage for their most sensitive data.

The other two options for key ownership and location are bring your own key (BYOK) and hold your own key (HYOK). With BYOK, the customer can generate and manage encryption keys, but the cloud provider has access to them. With HYOK, customers generate, manage, and store them, and the cloud provider is not able to see the contents of the encrypted files.

Key Life-Cycle Management

With the use of keys in securing cloud environments comes the need for a key management system. National Institute of Standards and Technology (NIST) special publication 800-57 Part 2, Revision 1, gives recommendations for key management and best practices and introduces a set of key management concepts such as key life cycle, practice statements, policies, and planning documents.

Key life-cycle management refers to everything from the creation of to the retirement of cryptographic keys. There are several key life-cycle management models that can be used such as NIST or Microsoft. The six states a key goes through in the Microsoft Key Life-Cycle Model are as follows:

• Creation The key object is created on a domain controller.
• Initialization The key object has attributes set.
• Full Distribution The initialized key is available to all domain controllers.
• Active The initialized key is available for cryptographic operations.
• Inactive The initialized key is unavailable for some cryptographic operations.
• Terminated The initialized key is permanently deleted from all domain controllers.

Defining and enforcing key management policies will influence each state of the life cycle and needs to be governed by a key usage policy that defines the cloud assets and applications and what operations those asset and applications can perform.

Details on this publication can be found here: nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf.

Backup and Recovery Methods

As our cybersecurity industry moves to a software-defined infrastructure using virtualization, cloud infrastructure, and containers, this translates to systems that would have once been backed up not being backed up in a traditional way. Instead, the code that defines them is backed up, as well as the key data that they are intended to provide or to access. This changes the policies and procedures for server and backup administrators, and it means that habits around how backup storage is accomplished and maintained are changing for backup and recovery. Reviewing organizational backup habits to see if they match new frameworks or if current procedures are failing disaster recovery tests is an important element in planning.

For on-premise systems, some organizations choose to utilize physical storage either at a site they own and operate or via a third-party service that specializes in storing secure backups in environmentally controlled facilities, or they choose cloud-based offsite storage for their backup media. Offsite storage is a form of geographic diversity and helps to ensure that a single disaster cannot destroy an organization's data entirely. This is done both physically and in the cloud for BCDR. For geographic diversity, distance considerations are important to ensure that a single regional disaster is unlikely to harm the offsite storage. BCDR plans define the processes and procedures that an organization will take when a disaster occurs, which is equally important when those assets are in the cloud.

In a BCDR plan, processes describe all of the documented, procedural “how-tos” of the organization's way of conducting operations. Some processes are so routine and so ingrained in the minds of those performing them that they hardly seem necessary to document. On the other end of the spectrum, some processes must be documented because they are performed only under extraordinary circumstances, perhaps even in times of crisis, such as, for example, during disaster recovery.

Preparation for an incident or disaster includes building a team, putting policies and procedures in place, conducting exercises, and building the technical and information-gathering infrastructure that will support incident response needs. These plans cannot exist in a vacuum. Instead, they are accompanied by communications and stakeholder management plans, as well as other detailed response processes unique to each organization.

Infrastructure vs. Serverless Computing

As mentioned earlier in this chapter, infrastructure as a service (IaaS) is a type of cloud computing model that offers essential computation, storage, and networking on demand. Migrating an organization to an IaaS model helps an enterprise reduce the number of physical datacenters needed and gives an organization a great deal of flexibility to spin resources up and down as needed. Serverless computing is a type of infrastructure as a service with a slightly different strategy.

In serverless computing, you don't worry about the infrastructure and configuration; everything is managed by the cloud provider. This means that cloud customers are paying for the quantity of times their code runs on a serverless service. This enables developers to build applications faster while the cloud service automatically handles all tasks required to run the code. Some serverless offerings are workflows, Kubernetes, and application environments where the back and front ends are fully hosted.

Software that is written for application virtual machines allows the developer to create one version of the application so that it can be run on any virtual machine and won't have to be rewritten for every different computer hardware platform. Java Virtual Machine (JVM) is an example of such application virtualization.

Software-Defined Networking

Software-defined networking (SDN) is a technology that allows network professionals to virtualize the network so that control is decoupled from hardware and given to a software application called a controller.

In a typical network environment, hardware devices such as switches make forwarding decisions so that when a frame enters the switch, the switch's logic, built into the content addressable memory (CAM) table, determines the port to which the data frame is forwarded. All packets with the same address will be forwarded to the same destination. SDN is a step in the evolution toward programmable and active networking in that it gives network managers the flexibility to configure, manage, and optimize network resources dynamically by centralizing the network state in the control layer.

Software-defined networking allows networking professionals to respond to the dynamic needs of modern networks. With SDN, a network administrator can shape traffic from a centralized control console without having to touch individual switches. Based on demand and network needs, the network switch's rules can be changed dynamically as needed, permitting the blocking, allowing, or prioritizing of specific types of data frames with a very granular level of control. This enables the network to be treated as a logical or virtual entity.

SDN is defined as three layers: application, control, and the infrastructure or data plane layer. At the core of SDN is the OpenFlow standard. OpenFlow is defined by the Open Networking Foundation (ONF). OpenFlow provides an interface between the controller and the physical network infrastructure layers of SDN architecture. This design helps SDN achieve the following, all of which are limitations of standard networking:

• Ability to manage the forwarding of frames/packets and applying policy
• Ability to perform this at scale in a dynamic fashion
• Ability to be programmed
• Visibility and manageability through centralized control

Misconfigurations

The definition of misconfiguration is to configure a system incorrectly. Cloud misconfiguration seems avoidable, but according to the IBM Security Cost of a Data Breach Report in 2021, the cost of a breach is $4.24 million, and two-thirds of cloud breaches can be traced to misconfiguration, specifically cloud application programming interfaces.

The cloud has many settings, assets, services, resources, and policies, and that makes it an environment that is difficult to set up correctly. It is even more true for organizations that have had to migrate quickly to the cloud for remote work with an IT department that does not fully understand the details of configuration. Misconfiguration is one of the leading causes of financial damage done to enterprise as well as governmental organizations.

Cloud providers like AWS have a service called Cloud Conformity Checks. These are rules run against the customer's configuration or infrastructure. These scans will take a rule, run it against a system, and determine whether it was successful. According to AWS, the top service scanned in 2021 for misconfiguration was Amazon Elastic Compute Cloud, better known as EC2. The rule most broken in 2021 was AWS CloudTrail Configuration Changes. CloudTrail is a service that enables governance, compliance, and auditing and keeps an organization in compliance with APRA, MAS, and NIST4.

With this tool, you can log, continuously monitor, and retain account activity related to actions across the AWS infrastructure, providing event history of AWS account activity, including actions taken through the Management Console, command-line interface (CLI), AWS SDKs, and APIs. This event history feature simplifies security auditing, resource change tracking, and troubleshooting. You can identify who or what took which action, what resources were acted upon, when an event occurred, and other details that can help you analyze and respond to any activity within your account.

Collaboration Tools

According to the International Engineering Consortium, unified communications and collaboration is an industry term “used to describe all forms of call and multimedia/cross-media message-management functions controlled by an individual user for both business and social purposes.” This topic is of concern to the CASP+ because communication systems form the backbone of any company. Communication systems can include any enterprise process that allows people to communicate.

Bit Splitting

Mentioned earlier in the chapter, bit splitting is another technique for securing data over a computer network that involves encrypting data, splitting the encrypted data into smaller data units, distributing those smaller units to different storage locations, and then further encrypting the data at its new location. Data is protected from security breaches, because even if an attacker is able to retrieve and decrypt one data unit, the information would be useless unless it can be combined with decrypted data units from the other locations.

Data Dispersion

Data dispersion consists of information being distributed and stored in multiple cloud pods, which is a key component of cloud storage architecture. The ability to have data replicated throughout a distributed storage infrastructure is critical. This allows a cloud service provider to offer storage services based on the level of the user's subscription or the popularity of the item.

1. You are setting up a new virtual machine. What type of virtualization should you use to coordinate instructions directly to the CPU?
   1. Type B.
   2. Type 1.
   3. Type 2.
   4. No VM directly sends instructions to the CPU.
2. Your DevOps team decided to use containers because they allow running applications on any hardware. What is the first thing your team should do to have a secure container environment?
   1. Install IPS.
   2. Lock down Kubernetes and monitor registries.
   3. Configure antimalware and traffic filtering.
   4. Disable services that are not required and install monitoring tools.
3. You work in information security for a stock trading organization. You have been tasked with reducing cost and managing employee workstations. One of the biggest concerns is how to prevent employees from copying data to any external storage. Which of the following best manages this situation?
   1. Move all operations to the cloud and disable VPN.
   2. Implement server virtualization and move critical applications to the server.
   3. Use VDI and disable hardware and storage mapping from a thin client.
   4. Encrypt all sensitive data at rest and in transit.
4. You are exploring the best option for your team to read data that was written onto storage material by a device you do not have access to, and the backup device has been broken. Which of the following is the best option for this?
   1. Type 1 hypervisor
   2. Type 2 hypervisor
   3. Emulation
   4. PaaS
5. You are a security architect building out a new hardware-based VM. Which of the following would least likely threaten your new virtualized environment?
   1. Patching and maintenance
   2. VM sprawl
   3. Oversight and responsibility
   4. Faster provisioning and disaster recovery
6. Management of your hosted application environment requires end-to-end visibility and a high-end performance connection while monitoring for security issues. What should you consider for the most control and visibility?
   1. You should consider a provider with connections from your location directly into the applications cloud resources.
   2. You should have a private T1 line installed for this access.
   3. You should secure a VPN concentrator for this task.
   4. You should use HTTPS.
7. As the IT director of a nonprofit agency, you have been challenged at a local conference to provide technical cloud infrastructure that will be shared between several organizations like yours. Which is the best cloud partnership to form?
   1. Private cloud
   2. Public cloud
   3. Hybrid cloud
   4. Community cloud
8. Your objectives and key results (OKRs) being measured for this quarter include realizing the benefits of a single-tenancy cloud architecture. Which one of these results is a benefit of a single-tenancy cloud service?
   1. Security and cost
   2. Reliability and scaling
   3. Ease of restoration
   4. Maintenance
9. With 80 percent of your enterprise in a VPC model, which of the following is not a key enabling technology?
   1. Fast WAN and automatic IP addressing
   2. High-performance hardware
   3. Inexpensive servers
   4. Complete control over process
10. You have a new security policy that requires backing up a database offsite specifically for redundancy. This data must be backed up every 24 hours. Cost is important. What method are you most likely to deploy?
    1. File storage
    2. Electronic vaulting
    3. Block storage
    4. Object storage
11. A software startup hired Pamela to provide expertise on data security. Clients are concerned about confidentiality. If confidentiality is stressed more than availability and integrity, which of the following scenarios is BEST suited for the client?
    1. Virtual servers in highly available environment. Clients will use redundant virtual storage and remote desktop services to access software.
    2. Virtual servers in highly available environment. Clients will use single virtual storage and remote desktop services to access software.
    3. Clients are assigned virtual hosts running on shared hardware. Physical storage is partitioned with block cipher encryption.
    4. Clients are assigned virtual hosts running shared hardware. Virtual storage is partitioned with streaming cipher encryption.
12. Your company decided to outsource certain computing jobs that need a large amount of processing power in a short duration of time. You suggest the solution of using a cloud provider that enables the company to avoid a large purchase of computing equipment. Which of the following is your biggest concern with on-demand provisioning?
    1. Excessive charges if deprovisioning fails
    2. Exposure of intellectual property
    3. Data remanence from previous customers in the cloud
    4. Data remanence of your proprietary data that could be exposed
13. Pedro has responsibility for the cloud infrastructure in the large construction company he works for. He recorded data that includes security logs, object access, FIM, and other activities that your SIEM often uses to detect unwanted activity. Which of the following BEST describes this collection of data?
    1. Due diligence
    2. Syslog
    3. IDR
    4. Audit trail
14. Marcus is a remote employee needing to access data in cloud storage. You need to configure his Windows 10 client for a remote access VPN using IPSec/L2TP. Why is a VPN so important for remote employees?
    1. VPN traffic is accessible.
    2. VPN traffic is encrypted.
    3. A VPN allows you remote access.
    4. A VPN is an option if you are on your home network.
15. Dana has a three-layer line of defense working to protect remote access to his network and cloud applications, including a firewall, antivirus software, and VPN. What action should your network security team take after standing up this defense?
    1. Log all security transactions.
    2. Monitor alerts from these assets.
    3. Check the firewall configuration monthly and antivirus weekly.
    4. Run tests for VPN connectivity once every 24 hours.
16. Your CIO approached the CISO with the idea to configure IPSec VPNs for data authentication, integrity, and confidentiality for cloud assets. Which of the following reasons would help support the CIO's goals?
    1. IPSec only supports site-to-site VPN configurations.
    2. IPSec can only be deployed with IPv6.
    3. IPSec authenticates clients against a Windows server.
    4. IPSec uses secure key exchange and key management.
17. Frederick's company is migrating key systems from on-premise systems to a virtual data center in the cloud managed by a third party. Remote access must be available at all times. Access controls must be auditable. Which of these controls BEST suits these needs?
    1. Access is captured in event logs.
    2. Access is limited to single sign-on.
    3. Access is configured using SSH.
    4. Access is restricted using port security.
18. Your business cannot overlook the need for allowing employees to have remote access and collaboration tools. You never know when an employee will need to connect to the corporate intranet from a remote location. The first thing to do is create a comprehensive network security policy. Which one of these will not fit into that policy?
    1. Definition of the classes of users and their levels of access
    2. Identification of what devices are allowed to connect through a VPN
    3. The maximum idle time before automatic termination
    4. Allow list ports and protocols necessary to everyday tasks
19. You work for the power company that supplies electricity to three states. You rely heavily on the data you collect and that is replicated in the cloud. Data is split into numerous arrays, and a mapper processes them to certain cloud storage options. What is this process called?
    1. Encryption
    2. Data dispersion
    3. Bit splitting
    4. Perimeter security
20. Jonathan is a cloud security sales consultant working for a cloud access security broker (CASB) company. His organization is advocating applying the highest level of protection across all your cloud assets. You suggest this is not what the priority should be. What would be a more strategic priority?
    1. Determining what to protect through data discovery and classification
    2. Running anti-malware software on all cloud instances
    3. Using vulnerability scanning software on mission-critical servers
    4. Implementing threat mitigation strategies