
CompTIA Security+ (SY0-601): Cloud Security

Information Technology · 20 cards · Created 3 months ago

This section explores key virtualization technologies such as hyperconvergence, which integrates storage, networking, and compute resources, and Virtual Desktop Infrastructure (VDI), which delivers full desktops from centralized servers. It also covers secure enclaves and secure volumes, which protect sensitive data at rest and during processing through hardware-based and encryption-based methods.

Key Terms

Term
Definition

Hyperconvergence

Allows providers to fully integrate the storage, network, and servers

VDI

Virtual Desktop Infrastructure:

VDI allows a cloud provider to offer a full desktop operating system to an end user from a centralized server

Secure Enclaves & Secure Volumes

Secure Enclaves:
Utilize 2 distinct areas that the data may be stored/accessed from
Can only be accessed by the proper processor

Secure Volumes:
A method of keeping data at rest secure from prying eyes
When data is needed, secure volume is mounted & decrypted to allow access
Once no longer needed, it’s re-encrypted & unmounted from virtual server

SECaaS

Security as a Service:
Provides your organization with various types of security services without the need to maintain a cybersecurity staff

Anti-malware solutions were one of the first SECaaS products

Sandboxing

Utilizes separate virtual networks to allow security professionals to test suspicious or malicious files

VPC

Virtual Private Cloud:
A private network segment made available to a single cloud consumer within a public cloud

The consumer is responsible for configuring the IP address space and routing within the cloud

VPC is typically used to provision internet-accessible applications that need to be accessed from geographically remote sites

Be aware of the possibility of vendor lock-in

CASB

Cloud Access Security Broker:

Enterprise management software designed to mediate access to cloud services by users across all types of devices
• Single sign-on
• Malware and rogue device detection
• Monitor/audit user activity
• Mitigate data exfiltration

Cloud Access Security Brokers provide visibility into how clients and other network nodes use cloud services

CASB: Forward Proxy

A security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy

An “internal proxy”
Used to protect/control user access to the Internet

WARNING: Users may be able to evade the proxy and connect directly

CASB: Reverse Proxy

An appliance positioned at the cloud network edge that directs traffic to cloud services if the contents of that traffic comply with policy

Inbound traffic from the Internet to your internal service

WARNING: This approach can only be used if the cloud application has proxy support

CASB: API

Application Programming Interface:
A method that uses the broker's connections between the cloud service and the cloud consumer

WARNING: Dependent on the API supporting the functions that your policies demand

API

A library of programming utilities used to enable software developers to access functions of another application

APIs allow for the automated administration, management, and monitoring of a cloud service

FaaS

Function as a Service:
A cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language

Serverless

A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances

Everything in serverless is developed as a function or microservice

Serverless eliminates the need to manage physical or virtual servers
• No patching
• No administration
• No file system monitoring

The underlying architecture is managed by the cloud service provider
Ensure that the clients accessing the services have not been compromised
Serverless depends on orchestration

Cloud Threats: Insecure API

WARNING: An API must only be used over an encrypted channel (HTTPS)

Data received by an API must pass server-side validation routines

Implement throttling/rate-limiting mechanisms to protect from a DoS

Cloud Threats: Improper Key Management

APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data

WARNING: Do not hardcode or embed a key into the source code

Do not create one key with full control to access an application’s functions

Delete unnecessary keys and regenerate keys when moving into a production environment

Cloud Threats: Insufficient Logging/Monitoring

WARNING: Software as a service may not supply access to log files or monitoring tools

Logs must be copied to non-elastic storage for long-term retention


Cloud Threats: CORS Policy

Cross Origin Resource Sharing Policy:
A content delivery network policy that instructs the browser to treat requests from nominated domains as safe

WARNING: Weak CORS policies expose the site to vulnerabilities like XSS

Security Groups

Firewall for compute instances
Layer 4 (TCP/UDP)
Layer 3 address

Instance Awareness

Granular security controls
Identify/manage specific data flows

Define & set policies
Allows uploads to the corporate file share
Deny certain uploads to personal file share
Deny files with sensitive data
Quarantine file & send alert

Next-gen SWG (Secure Web Gateway)

Protect users & devices

Monitor API usage

Examine JSON strings & API requests

Allow/disallow certain activities

Instance-aware security

Combines CASB, DLP, & Web Security