# Summarize Secure Cloud and Virtualization Services

## Cloud Service Model

- SaaS (Software as a Service)
    - Software delivered as a hosted service, e.g. Google Docs
- IaaS (Infrastructure as a Service)
    - Unconfigured compute, storage, and network resources
- PaaS (Platform as a Service)
    - The CSP provides everything except the application and data the client wants to run on the server
- XaaS (Anything as a Service)

![[Pasted image 20230710090657.png|700]]
![[Pasted image 20230710091453.png]]

## Anything as a Service

- Specific IaaS, PaaS, or SaaS solutions for business needs
- Cloud security
    - Security of the cloud
    - Cloud responsibility matrix: the SLA defines who is responsible for what

![[Pasted image 20230710091805.png]]

## Security as a Service

- Getting more popular
- Consultants
    - Third-party expertise and perspective
- **Managed Security Services Provider (MSSP)**
    - Turnkey security solutions
- **Security as a Service (SECaaS)**
    - Cloud-deployed security assessment and analysis
    - Cyber threat intelligence and machine learning analytics

## Virtualization Technologies and Hypervisor Types

- Type 1 (bare metal): the hypervisor runs directly on the hardware with no OS in between; the hypervisor is the OS
    - Found in data centers and critical environments
    - Adheres well to the principle of least privilege
    - Microsoft Hyper-V appears to be a type 2 hypervisor, but it is actually a type 1
- Type 2 (hosted): the hypervisor runs on top of the host OS
    - Much larger attack surface

## Virtual Desktop Infrastructure and Thin Clients

- Virtual Desktop Infrastructure (VDI)
    - Stores images of clients (OS + applications) on a central server
    - Virtual Desktop Environment (VDE) images are loaded by thin clients
- Allows for low-power client devices
- Centralizes control over client desktops
- Allows for an almost completely hosted IT infrastructure

## Application Virtualization and Container Virtualization

- Application virtualization
    - Hosting or streaming individual software applications from a server
    - XenApp, App-V, ThinApp
- Container virtualization (application cells)
    - Resource separation at the OS level
    - Cannot run guests with a different OS, since all containers share the host kernel
    - Docker

## VM Escape Protection

- Reduce the impact of a successful exploit by keeping the compromised program confined to its VM
- Ensure careful placement of VM services on hosts and within the network
- Respect security zones (DMZ)

## VM Sprawl Avoidance

- Guest OS security
    - The OS environment must still be maintained
- Rogue VMs
    - System sprawl and undocumented assets
- Virtual machine life cycle management (VMLM)
    - Use template-based VM creation

# Apply Cloud Security Solutions

## Cloud Security Integration and Auditing

- Obtaining and integrating cloud security data
    - Attack indicators and correlation
- Responsibility matrix and SLAs
    - Security of the cloud
    - Security in the cloud
- Reporting
    - Legal and compliance responsibilities
    - Insider threat

## Cloud Security Controls

- Same types of security controls
    - IAM, endpoint protection, resource policies, firewalls, logging, ...
- Cloud-native controls vs. third-party solutions
    - CSP web console, CLI, and API
    - Vendor virtual instances
- Application security and IAM
    - Secure development/coding
    - Security accounts/groups/roles
    - Secrets management
    - Block use of the root account
    - Use MFA for privileged accounts
    - Protect API keys

## Cloud Compute Security

- Compute
    - Processing resources for cloud workloads (CPU and RAM)
    - Virtual machines and containers
    - Dynamic resource allocation
- Container security
- API inspection and integration
    - Number of requests
    - Latency
    - Error rates
    - Unauthorized and suspicious endpoints
- Instance awareness
    - Logging and monitoring to mitigate cloud sprawl

## Cloud Storage Security

- Storage
    - Persistent storage capacity
    - Performance characteristics for storage tiers
    - Input/output operations per second (IOPS)
- Permissions and resource policies
    - Expressed in JavaScript Object Notation (JSON)
- Encryption
    - Symmetric media encryption key
    - CSP-managed keys versus customer-managed keys
    - Separation of duties for CSP-managed keys

![[Pasted image 20230710100535.png]]
![[Pasted image 20230710100542.png]]
![[Pasted image 20230710100550.png]]
![[Pasted image 20230710100609.png]]
![[Pasted image 20230710100642.png]]
![[Pasted image 20230710100650.png]]

# Summarize Infrastructure as Code Concepts

![[Pasted image 20230710100717.png]]
![[Pasted image 20230710101051.png]]

## Serverless Architecture

- Service provision is wholly abstracted from the hardware, OS, and platform layers
    - AWS Lambda
    - Google Cloud Functions
    - Azure Functions
- All hardware, OS, and platform management falls under security of the cloud
- Heavily reliant on orchestration

## Infrastructure as Code

- All configuration and provisioning is performed by scripting, automation, and orchestration
- Eliminates inconsistency (snowflakes and configuration drift)
- Idempotence
    - Making the same call with the same parameters always produces the same result

## Software-Defined Networking

- Physical and virtual appliances that can be fully automated
- Control plane / policy definitions
- Data plane / network controller
- Management plane
- SDN policy > northbound API > network controller > southbound API > firewall appliance
- Network functions virtualization (NFV)

![[Pasted image 20230710101633.png]]

## Software-Defined Visibility

- Near-real-time collection, aggregation, and reporting of data
- Baseline monitoring and anomaly detection
- Supports east/west traffic monitoring and zero trust
- **Security orchestration and automated response (SOAR)**

![[Pasted image 20230710101828.png]]
![[Pasted image 20230710101852.png]]
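The Cloud Security Controls section above lists three concrete IAM controls (block use of the root account, MFA for privileged accounts, protect API keys). The following audit script is an added example, not part of the original notes; the account record layout and the 90-day key-rotation threshold are assumptions, and the inventory is constructed.

```python
# Checks for three of the controls listed under Cloud Security Controls:
# block use of the root account, MFA for privileged accounts, protect
# (rotate) API keys. Added example, not from the original notes; the record
# layout and the 90-day rotation threshold are assumptions.
from datetime import date

ROTATION_DAYS = 90
TODAY = date(2023, 7, 10)  # fixed "now" so results are deterministic

# Constructed inventory, shaped like a credential-report export.
ACCOUNTS = [
    {"user": "root", "privileged": True, "mfa": False,
     "api_keys": [{"id": "KEY-ROOT-1", "created": date(2022, 1, 5)}],
     "last_login": date(2023, 7, 1)},
    {"user": "alice-admin", "privileged": True, "mfa": True,
     "api_keys": [], "last_login": date(2023, 7, 9)},
    {"user": "bob-admin", "privileged": True, "mfa": False,
     "api_keys": [], "last_login": date(2023, 6, 30)},
    {"user": "ci-deployer", "privileged": False, "mfa": False,
     "api_keys": [{"id": "KEY-CI-7", "created": date(2023, 2, 1)},
                  {"id": "KEY-CI-9", "created": date(2023, 6, 1)}],
     "last_login": None},
]


def audit(accounts, today=TODAY, rotation_days=ROTATION_DAYS):
    """Return (user, finding) tuples, one per control violation."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user == "root":
            # The root account should be locked away: no API keys and
            # no interactive sign-ins once the account is set up.
            if acct["api_keys"]:
                findings.append((user, "root account has API keys"))
            if acct["last_login"] is not None:
                findings.append((user, "root account used for sign-in"))
        if acct["privileged"] and not acct["mfa"]:
            findings.append((user, "privileged account without MFA"))
        for key in acct["api_keys"]:
            age = (today - key["created"]).days
            if age > rotation_days:
                findings.append((user, f"API key {key['id']} is {age} days old"))
    return findings
```

Run against the constructed inventory, `audit(ACCOUNTS)` reports six findings: four against root, the missing MFA on bob-admin, and the stale CI key.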
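The Cloud Storage Security section notes that permissions are set through JSON resource policies. The evaluator below is an added example, not from the original notes, showing how such a policy is decided (explicit Deny beats Allow, and anything unmatched is denied by default) and how to flag statements that grant public access; the bucket, role and action names are constructed and only the Bool condition operator is modelled.

```python
# Simplified evaluator for an AWS-style JSON resource policy on a storage
# bucket. Added example, not from the original notes; bucket, role and
# action names are constructed and only the Bool condition operator is
# modelled. Explicit Deny beats Allow; no matching statement means Deny.
import fnmatch
import json

# Constructed sample policy: the app role may read/write customer data,
# anyone may read the public prefix, unencrypted uploads are refused.
POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow", "Principal": "arn:example:role/app",
     "Action": ["storage:GetObject", "storage:PutObject"],
     "Resource": "bucket/customer-data/*"},
    {"Effect": "Allow", "Principal": "*",
     "Action": "storage:GetObject", "Resource": "bucket/public/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "storage:PutObject",
     "Resource": "bucket/*",
     "Condition": {"Bool": {"storage:SecureTransport": "false"}}}
  ]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, principal, action, resource, context):
    """True if principal, action, resource and condition all match."""
    principals = _as_list(stmt["Principal"])
    ok = (("*" in principals or principal in principals)
          and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
          and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))
    # Bool condition: the request context key must equal the stated value.
    for key, want in stmt.get("Condition", {}).get("Bool", {}).items():
        ok = ok and str(context.get(key, "")).lower() == want.lower()
    return ok

def evaluate(policy, principal, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request."""
    context = context or {}
    decision = "Deny"  # default deny when nothing matches
    for stmt in policy["Statement"]:
        if _matches(stmt, principal, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny is final
            decision = "Allow"
    return decision

def public_statements(policy):
    """Audit helper: Allow statements open to any principal."""
    return [s for s in policy["Statement"]
            if s["Effect"] == "Allow" and "*" in _as_list(s["Principal"])]
```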
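The Infrastructure as Code section defines idempotence and names configuration drift as the problem it removes. The reconciler below is an added example, not from the original notes: it contrasts an imperative script that duplicates rules on every run with a desired-state diff-and-apply whose second run is a no-op. The firewall-rule model and the drifted host state are constructed for illustration.

```python
# Desired-state reconciliation as the idempotent core of infrastructure as
# code, contrasted with an imperative script that drifts. Added example,
# not from the original notes; the firewall-rule model is constructed.

# Declared (desired) state: rules keyed by name, as a template would hold.
DESIRED = {
    "allow-https": {"port": 443, "source": "0.0.0.0/0", "action": "allow"},
    "allow-ssh-bastion": {"port": 22, "source": "10.0.1.0/24", "action": "allow"},
}

# Constructed "snowflake" state found on a hand-managed host: one rule is
# too permissive and one undocumented rule exists that nobody declared.
DRIFTED = {
    "allow-ssh-bastion": {"port": 22, "source": "0.0.0.0/0", "action": "allow"},
    "legacy-telnet": {"port": 23, "source": "0.0.0.0/0", "action": "allow"},
}


def imperative_add(rules, name, rule):
    """Not idempotent: each run appends, so re-running duplicates rules."""
    rules.append({"name": name, **rule})
    return rules


def plan(current, desired):
    """Diff current against desired; returns the change set to converge."""
    changes = [("create", n) for n in desired if n not in current]
    changes += [("update", n) for n in desired
                if n in current and current[n] != desired[n]]
    changes += [("delete", n) for n in current if n not in desired]
    return changes


def apply(current, desired):
    """Converge to desired state; returns (new_state, changes_made)."""
    changes = plan(current, desired)
    return {n: dict(r) for n, r in desired.items()}, changes


def converge_twice(current, desired):
    """Same call, same parameters: the second run must be a no-op."""
    state1, changes1 = apply(current, desired)
    state2, changes2 = apply(state1, desired)
    return changes1, changes2, state1 == state2
```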