Cloud and Virtualization Notes

Cloud and Virtualization

What is Cloud?

  • Cloud involves apps and data running on a cloud environment.
  • The cloud is essentially a large building filled with servers.
  • Customers don't need to worry about upkeep or maintenance.
  • YouTube is given as a simple example of cloud usage.

Learning Resources

  • Microsoft Learn
  • PluralSight
  • A Cloud Guru
  • Cloud Academy
  • Azure Free Account ($200 Credit)
  • GCP 90-Day, $300 Trial
  • AWS 12 Months Free
  • Instructor for IT342

Recommended Certifications (2024)

  • Azure
    • Fundamentals AZ-900 (Intro)
    • Admin Associate AZ-104 (Intermediate)
    • Network Engineer Associate AZ-700 (Advanced)
    • Solutions Architect Expert AZ-305 (Advanced)
    • Cyber Architect Expert SC-100 (Advanced)
    • Windows Server Hybrid Admin Associate AZ-800, 801 (Intermediate)
    • IAM Admin Associate SC-300 (Intermediate)
  • AWS
    • Cloud Practitioner Foundational (Intro)
    • Solutions Architect Associate (Intermediate)
    • Solutions Architect Professional (Advanced)
    • Security Specialty
    • SysOps Admin (Intermediate)
    • Developer Associate (Intermediate)
    • Advanced Networking Specialty
  • GCP
    • Cloud Digital Leader (Intro)
    • Cloud Engineer (Intermediate)
    • Cloud Architect (Advanced)

Cloud Terminology

  • Instance: Virtual server or device.
  • Blobs (Azure), S3 Bucket (AWS): Storage devices.
  • VPC: Virtual private cloud.
  • CDN: Content Delivery Network.
  • Project (GCP), Accounts (AWS), Subscriptions/Resource Groups (Azure): Organizing entity.
  • Peering: Network connections.
    • VPC peering involves connecting two VPCs.

Cloud Products

  • Virtual Servers
    • AWS: Instances, VMs
    • Azure: Cloud Services, VMs
    • GCP: VM Instances
  • Platform-as-a-Service
    • AWS: Elastic Beanstalk, ECS
    • Azure: Azure Functions, Container Service, Kubernetes Service
    • GCP: App Engine, Cloud Functions, Container Engine, Kubernetes Engine
  • Serverless Computing
    • AWS: Lambda
    • Azure: Block Blob
    • GCP: Cloud Storage
  • Docker Management
    • AWS: EKS
    • GCP: Cloud Storage
  • Kubernetes Management
    • Azure: Kubernetes Service
    • GCP: Kubernetes Engine
  • Object Storage
    • AWS: S3
    • Azure: Block Blob
    • GCP: Cloud Storage
  • Archive Storage
    • AWS: Glacier
    • Azure: Archive Storage
    • GCP: Coldline
  • File Storage
    • AWS: EFS
    • Azure: Azure Files
    • GCP: ZFS / Avere
  • Global Content Delivery
    • AWS: CloudFront
    • Azure: Delivery Network
    • GCP: Cloud CDN
  • Managed Data Warehouse
    • AWS: Redshift
    • Azure: SQL Warehouse
    • GCP: BigQuery

Locations

  • GCP: VA
  • AWS: VA
  • Azure: WY

Data Residency Boundary (Azure Regional Pairs in Geography)

  • Regions are paired for availability.
  • Examples:
    • West US paired with East US
    • North Europe paired with West Europe
    • Southeast Asia paired with East Asia

Cloud Service Providers (CSP)

  • Rent out hardware/DC as a service.
  • Examples: Amazon AWS, Microsoft Azure, Google GCP, Alibaba, IBM, Oracle OCI.

Cloud Market Share

  • Amazon, Microsoft, and Google dominate the cloud market.
  • Worldwide market share in Q3 2022:
    • AWS: 34%
    • Azure: 21%
    • Google Cloud: 11%
    • Alibaba Cloud: 5%
    • IBM Cloud: 3%
    • Salesforce: 3%
    • Tencent Cloud: 2%
    • Oracle: 2%
  • Cloud infrastructure service revenues in the 12 months ended September 2022: $217 billion.
  • Includes platform as a service (PaaS) and infrastructure as a service (IaaS), as well as hosted private cloud services. Source: Synergy Research Group, Statista.

Public Cloud

  • Hosted by a cloud service provider.
  • Tenants pay only for the services they use.
  • Customers do not have complete control.
  • Examples: AWS, Azure, GCP.

Virtual Private Cloud (VPC)

  • A virtualized, private section of a public cloud environment.
  • Resources are isolated and have their own private IPs.
  • Can be peered with other VPCs to route using private IPs.
  • Often has dedicated network connections from on-premises networks so traffic avoids the public internet.

Private Cloud

  • Virtualization hosted in the organization's own data center.
  • Users pay for the hardware infrastructure.
  • Users have 100% control.
  • Increased security.

Hybrid Cloud

  • Cloud services are split between public and private.
  • Users choose how much hardware to buy/license.
  • Users can manage control depending on the service.
  • The majority of corporations use this model.

Multi-Cloud

  • Users use several different cloud providers.
  • Can be a combination of IaaS, PaaS, or SaaS.
  • Avoids dependencies on a single solution.
  • Provides more options for optimization.

Amazon Web Services (AWS)

  • Owned by Amazon.
  • Market leader.
  • High transfer stability.
  • Founded in 2006.

Microsoft Azure

  • Owned by Microsoft.
  • Easy integration with MS tools/software.
  • Founded in 2010.

Microsoft 365 (Office 365)

  • Subscription services offered by MS.
  • Software-as-a-Service on the cloud.
    • Includes Exchange, Skype, Teams, OneDrive, SharePoint.
  • Cloud-based security capabilities.

Google Cloud

  • Owned by Google.
  • Many open-source technologies.
  • Optimal for cloud-native business.
  • Cost efficient / flexible contracts.
  • Founded in 2011.

Google Workspace

  • Google's answer to MS365.
  • Includes office suite, email/calendar services, meetings and voice, files and content.
  • Apps, storage, and support depend on the pricing tier.
  • GWS Sec is Google’s security checklist.
  • CIS has benchmarks for GWS.
  • GWS Admin Console controls:
    • Directory
    • Devices
    • Apps
    • Security
    • Rules

Important Cloud Logs (Beyond Scope of IT340)

Services for Security & Logging

  • AWS
    • CloudTrail
    • CloudWatch
    • CloudWatch Agent
    • VPC Flow Logs
    • GuardDuty
    • Security Hub
    • VPC Traffic Mirroring
  • Azure
    • Activity Logs
    • Azure Monitor
    • Azure Diagnostic Agent
    • NSG Flow Logs
    • Advanced Threat Protection
    • Security Center
    • Virtual Network TAP
  • GCP
    • Cloud Audit Logs
    • Stackdriver Monitoring
    • Logging Agent (fluentd)
    • VPC Flow Logs
    • Event Threat Detection
    • Cloud Security Command Center
    • Packet Mirroring

Refer to SANS GIAC certifications for additional information: @SANSCloudSec | sans.org/cloud-security

Cloud Security Log Architecture Considerations

  • Identity: Who did what?
  • Volume: Ensure the environment can handle the volume of logs.
  • Bandwidth: Consider keeping logs on the CSP network.
  • Storage: Log storage, querying, and retention.
  • Filtering: Ensure only necessary logs are collected.
  • Speed: Ensure logs are received in real-time.

Shared Security Model

  • Defined by Service-Level Agreement (SLA).
  • Cloud provider responsible for security of the cloud:
    • Hardware
    • Software
    • Networking
    • Facilities
  • Customer responsible for security in the cloud:
    • System configuration (OS, FW, Network)
    • Key management
    • Access Control

Infrastructure as a Service (IaaS)

  • Cloud provider manages infrastructure:
    • Storage
    • Virtualization
    • Networking
    • Servers
  • Customer manages software:
    • Applications
    • Data
    • OS
    • Runtime
  • Examples: AWS, GCP, Azure.

Platform as a Service (PaaS)

  • Cloud Provider manages hardware and additional processes:
    • Storage, Virtualization, Networking
    • OS
    • Middleware
    • Runtime
  • Customer manages applications and data.
  • Examples: Docker, Google App Engine, AWS Elastic Beanstalk.

Software as a Service (SaaS)

  • Most common service.
  • Cloud providers host and manage all of the applications.
  • Customers only access the applications.
  • Examples: Google Drive, O365, YouTube, Netflix.

Analogy: Pizza as a Service

  • Traditional On-Premises: Making a pizza at home (You manage everything).
  • IaaS: Take & Bake pizza (Vendor manages the oven, fire, etc.; you manage toppings, cheese, etc.).
  • PaaS: Delivered pizza (Vendor manages everything up to the final product).
  • SaaS: Dined out (Vendor manages everything, including the dining table).

Breakdown of On-site vs Various Cloud Services

  • On-site: You manage everything including applications, data, runtime, middleware, O/S, virtualization, servers, storage, and networking.
  • IaaS: Service provider manages virtualization, servers, storage, and networking.
  • PaaS: Service provider manages the O/S in addition to the IaaS-managed items.
  • SaaS: Service provider manages middleware, runtime, applications, and data in addition to the PaaS-managed items.

Instance Metadata Services (IMDS)

  • Provides users with information about VMs, cloud accounts, etc.
  • Can be queried over HTTP from the instance itself (link-local address 169.254.169.254) by any local user or process.
  • Bad actors can steal keys and tokens.
  • IMDSv2 requires a session token on every request, which blocks SSRF-based access to the metadata service.
  • Restrict IMDS access with host-based controls (e.g., allow only the owning user or process).
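As an added example (not from the course notes), a small Python audit that flags instances whose metadata options still permit the token-less IMDSv1 path or let v2 tokens travel beyond the host. The input is constructed in the shape of the EC2 DescribeInstances response; HttpEndpoint, HttpTokens and HttpPutResponseHopLimit are the field names that API returns.

```python
"""Audit EC2 metadata options for IMDSv2 enforcement (added example)."""
from typing import Dict, List

# Constructed sample shaped like an EC2 DescribeInstances response
# (Reservations -> Instances -> MetadataOptions). Not real data.
SAMPLE_RESPONSE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa1", "MetadataOptions": {"HttpEndpoint": "enabled",
         "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb2", "MetadataOptions": {"HttpEndpoint": "enabled",
         "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc3", "MetadataOptions": {"HttpEndpoint": "enabled",
         "HttpTokens": "required", "HttpPutResponseHopLimit": 3}},
        {"InstanceId": "i-0ddd4", "MetadataOptions": {"HttpEndpoint": "disabled",
         "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    ]}]
}


def audit_imds(response: Dict) -> Dict[str, List[str]]:
    """Map each non-compliant instance ID to its list of findings.

    A finding is raised when the token-less IMDSv1 path is still enabled
    or when the PUT response hop limit lets tokens travel beyond the host.
    """
    findings: Dict[str, List[str]] = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS unreachable on this host; nothing to check
            issues = []
            # "optional" keeps the v1 path: a plain GET to 169.254.169.254 with
            # no session token still returns data, which is what SSRF can reach.
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed (HttpTokens is not 'required')")
            # Hop limit > 1 lets the v2 token response cross a network hop,
            # e.g. into containers that should not obtain the host's role.
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > 1:
                issues.append(f"HttpPutResponseHopLimit {hops} > 1")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


if __name__ == "__main__":
    for instance_id, issues in audit_imds(SAMPLE_RESPONSE).items():
        print(f"{instance_id}: {'; '.join(issues)}")
```

Instances with the endpoint disabled are skipped because nothing can be read from them; everything else must have HttpTokens set to required and a hop limit of 1 to pass.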

Gaming as a Service

  • Users run video games on cloud servers.
  • The video game is streamed as video to the user.
  • The user's hardware is unimportant.
  • Examples: Stadia, GeForce Now.

Why Cloud Computing?

  • Features of Cloud Computing:
    • Resource Pooling
    • Economical
    • Easy Maintenance
    • Large Network Access
    • Pay As You Go
    • Automatic System
    • Security
    • Data Availability
    • On-Demand
    • Measured Service
    • Self-Service

Managed Service Provider (MSP) / Network Operations Center as a Service (NOCaaS)

  • Cheaper/easier than an in-house IT team.
  • Provides security.
  • Allows clients to focus on business.
  • Can provide 24/7 support.

Infrastructure as Code

  • A concept for DevOps automation.
  • Setting up infrastructure:
    • New servers
    • Network configs
    • Load balancing
  • Configuring provisioned infrastructure:
    • Installing apps/versions (Java, DB, etc.)
    • App management
  • Deployment of applications.
  • Examples: Terraform, Ansible.

cloud-init

  • A tool that applies system configuration during an instance's first boot.
  • Available on Linux and Windows.
  • Examples: hostname, managing local users, configuring SSH, package management.

Cloud Shell

  • Browser-based shell environment.
  • Interacts directly with cloud resources.
  • No setup required.
  • Examples: Create, update, delete resources; script updates across your environment.

Leaky Buckets

  • Misconfigured cloud storage leads to breaches (buckets = storage).