CompTIA Security+: Cloud and Virtualization

Following some general DevOps discussion in the previous chapter, the book moves onto cloud and virtualization.

This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.

Hypervisors

Virtualization is an abstraction of the OS layer, so that you can host multiple OSs on a single piece of hardware.  Hypervisors are low-level programs that allow multiple OSs to run concurrently on a single host.

They can be type I or type II.  Type I runs directly on the hardware, and is also called a bare-metal, native or embedded hypervisor.  Type II runs on top of a host operating system.  This is more common for consumers:  think VMware Player.

Application Cells and Containers

Containerization is similar, but allows portions of an OS to be kept separate from the kernel.  This allows you to run various instances of an application at the same time with little overhead.  This can be useful for running different environments in an easy and repeatable way (think Docker).  A container will contain an entire runtime environment, including dependencies, libraries, binaries, configuration files and so on.  It’s like VMs but for applications instead of OSs.

VM Sprawl and VM Escape

VMs are not without issues.  If you don’t manage them well, you’ll have VM sprawl.  This is the uncontrolled spreading and disorganization of VMs.  It’s an easy problem to have in large organizations, and because VMs don’t have a permanent physical location, they’re difficult to track down.
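As an added example (not from the original post), a small inventory audit that flags the VMs sprawl makes hard to track down: those with no recorded owner, those not seen for 30 days, and how many sit on each host.  The inventory rows are constructed; real ones would come from the hypervisor’s management API or a CMDB export.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real hosts or VMs): the fields a
# hypervisor management API or CMDB export would typically give per VM.
INVENTORY = [
    {"name": "web-01", "host": "esx-a", "owner": "web-team",
     "last_seen": "2024-05-01T10:00:00+00:00"},
    {"name": "test-old", "host": "esx-a", "owner": "",          # no owner, long idle
     "last_seen": "2024-01-15T08:30:00+00:00"},
    {"name": "db-02", "host": "esx-b", "owner": "dba",
     "last_seen": "2024-04-30T23:00:00+00:00"},
    {"name": "scratch-7", "host": "esx-b", "owner": "",         # no owner
     "last_seen": "2024-05-01T12:00:00+00:00"},
    {"name": "demo-2023", "host": "esx-c", "owner": "sales",    # long idle
     "last_seen": "2023-12-01T09:00:00+00:00"},
]

# Fixed "now" so the audit result is reproducible (constructed value).
NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)


def audit_vm_sprawl(inventory, now=NOW, stale_days=30):
    """Return sprawl findings for an inventory of VM records.

    orphaned: VMs with no owner recorded (nobody to ask "is this still needed?")
    stale:    VMs not seen within stale_days (likely forgotten)
    per_host: VM count per hypervisor host, so crowded hosts stand out
    """
    orphaned, stale, per_host = [], [], {}
    cutoff = now - timedelta(days=stale_days)
    for vm in inventory:
        per_host[vm["host"]] = per_host.get(vm["host"], 0) + 1
        if not vm.get("owner"):
            orphaned.append(vm["name"])
        if datetime.fromisoformat(vm["last_seen"]) < cutoff:
            stale.append(vm["name"])
    return {"orphaned": sorted(orphaned), "stale": sorted(stale), "per_host": per_host}


if __name__ == "__main__":
    for finding, value in audit_vm_sprawl(INVENTORY).items():
        print(f"{finding}: {value}")
```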

VM escape is when attackers or malware escape from a VM to another VM by way of the underlying OS.  Protections exist so that a VM can only write to memory that belongs to it, but vulnerabilities still exist, and continue to be found.

Cloud Storage

Most people are familiar with cloud storage, through things like Apple’s iCloud.  Cloud storage is computer storage provided over a network.  It allows for better performance, availability, reliability, scalability, and flexibility.

From a security standpoint, encryption should be used to keep data confidential while it is transferred from an organization to cloud storage.

Cloud Deployment Models

As cloud services grow, they’ve been grouped into different categories.

SaaS:  Software as a Service.  This allows you to offer software to end users from within the cloud, vs. having them download software.  Easy updates and integration.

PaaS:  Platform as a Service.  This refers to the offering of a computing platform in the cloud.  Good for scalable apps, might work for something like a database service.

IaaS:  Infrastructure as a Service.  Cloud-based systems that allow organizations to pay for scalable computing infrastructure, instead of building their own data centers.

Private:  private clouds are resources for only your organization.  It’s more expensive but also has less exposure risk.

Public:  when a cloud service is rendered over a system that is open for public use.  Has the fewest security controls.

Community:  when several organizations share a cloud environment for a specific and shared purpose.

Hybrid:  A mix of private, public and community.  Often segregated to protect sensitive, private data from public/community usage.

On-Premise vs. Hosted vs. Cloud

On-premise(s) is when the system physically resides in the building of an organization.  This can mean a VM, storage, services, etc.  This option gives the organization more control, but is more costly and doesn’t scale as well.

Hosted services mean that the services are hosted somewhere else, in a specific location.  Cloud is also hosted somewhere else, but it may be distributed (it’s up to the platform to manage that).

VDI/VDE

Virtual desktop infrastructure is the components needed to set up a virtual desktop environment.  This allows someone to use any machine to access their information, which is hosted somewhere else (not on that physical machine).  This helps limit data loss in the event of theft, etc.

Cloud Access Security Broker

Cloud access security brokers (CASBs) are services that enforce security policies between the cloud services in use and their customers.  This allows enterprise customers to know that they are using a cloud service securely.

Security as a Service

Lastly, security as a service (sorry pals, the SaaS acronym is already taken…) is the outsourcing of security functions.  An outside vendor provides a wide array of security specialties.  This allows a company to have security protection without developing all of those resources in-house.  It is easier for the company in terms of cost, flexibility, and scalability.