SY0-701 Domain 3
Infrastructure as a Service (IaaS): The Cloud Service provider will provide virtualized computing resources like servers, storage, and networking, while customers manage the operating system, applications, and data. (Analogy: renting an unfurnished apartment)
Platform as a Service (PaaS): Provides a fully managed platform, including the infrastructure and runtime environment for application development. Customers only manage the applications and data, while the provider handles the OS, middleware, and infrastructure. (Analogy: Renting a furnished apartment)
Software as Service (SaaS): customer remains responsible for configuring access, CSP provides all management, and customer uses the software (Analogy: staying at a hotel)
IaaS: CSP provides building like networking, storage and computer
PaaS: Customer is responsible for deployment and management of apps. CSP manages provisioning, configuration, hardware and OS
SaaS: Customer configures features, CSP is responsible for management, operation and service availability
Cloud Computing: cost effective, global, secure, scalable, elastic, and always current
Public Cloud: everything runs on your cloud provider’s hardware. it is cost effective, Scalable, No maintenance, Global availability, Wide range of services, High reliability, Fast deployment, low skills
Private Cloud: cloud computing environment that is dedicated solely to one organization. Advantage is legacy support, control, compliance
Hybrid Cloud: combines both public and private clouds, allowing you to run apps in the right location. Advantages include flexibility in legacy, compliance and scalability
Community Cloud: similar to private clouds in that they are not open to general public, shared by several related organizations in a common community
Multi-Cloud: the use of multiple cloud computing services from different providers (e.g., AWS, Azure, Google Cloud) within a single architecture. It allows businesses to distribute workloads across different clouds to avoid vendor lock-in, enhance flexibility, and optimize performance, cost, and security
Third Party: CSPs are considered in the cloud infrastructure
Third Party (Logical): design of datacenter is an abstraction, customers utilize software and services provided by the CSP
Third Party (Logical) should: create tenant partitioning or isolation, limit and secure remote access, monitor the cloud infrastructure, allow patching and updating of systems
Third Party (Multitenancy): logical isolation in this CSP makes cloud computing more affordable, but create some security and privacy concerns
Third Party (Multitenancy): business centers physically housed multiple tenants, colocation data centers supporting multiple customers
Third Party (Multitenancy): risk in these scenarios is largely physical
Infrastructure as Code (IaC): is the practice of managing and setting up IT infrastructure (like servers and networks) described in code
IaC: a key DevOps practice and used with continuous integration and continuous delivery (CI/CD)
Characteristics of IAC to improve resiliency in IaaS and PaaS: Declarative(IaC must know its current state) and Idempotent(Deployment of IaC template can be applied multiple times without changing its results)
Serverless: cloud model where you run applications without managing servers. The cloud provider automatically handles infrastructure, scaling, and maintenance.
Difference between PaaS and Serverless: PaaS has more control over deployment environment. Serverless has less control over the deployment environment. In PaaS, application has to be configured to auto-scale. In serverless, application scales automatically (scaling means that system can increase or decrease resources (like CPU, memory, or instances) In PaaS, application taes a while to spin up, while Serverless application code only executes when invoked (code runs only when triggered by an event instead of running continuously)
What PaaS and Serverless have in common: Devs have to write code and No server management
Microservices: collection of small, independent services that communicate with each other. Each service handles a specific function and can be developed, deployed, and scaled separately.
Air Gap: where a system or network is physically isolated from external networks, including the internet, to prevent unauthorized access or cyberattacks. (Physical isolation)
Logical Segmentation: segmenting the network without additional physical hardware
Virtual Local Area Network (VLAN): logically segments a local area network into subnetworks, occurs in layer 2 (logical segmentation)
Virtual Private Network (VPN): creating an encrypted tunnel between devices or networks to pass traffic, using protocols like IPsec (logical segmentation)
Virtual Routing and Forwarding (VRF): a single router/switch to function as multiple virtual routers/switches. S
ACL: in Virtual Routing and Forwarding, subnet divides large IP ranges to smaller ranges which can segment using ____________
Software Defined Networks: a network architecture approach that enables the network to be intelligently and centrally controlled/programmed using software and has capacity to reprogram the data plan any time
Man in the middle attack and DoS: SDN vulnerabilities
On premises: organization retains complete control of the full stack
Off Premises: offloads responsibility and infrastructure and management functions to the CSP
What happens when moving to Cloud?: some ****responsibilities are shifted to the CSP and IT shifts from capital expense to operational expense
Advantages of Cloud:
Scalability
Cost-Effective
No Maintenance
Accessibility
High Availability
Quick Deployment
Advantages of On Premises:
Complete Control
Customization
Security
Data Privacy
Compliance
Centralized: A system where control and decision-making are managed by a single authority or location, making it easier to manage but vulnerable to single points of failure.
Decentralized: A system where control is distributed across multiple nodes or locations, improving redundancy and fault tolerance but making management more complex.
Containerization: A lightweight virtualization method to package an application for multiple platforms. Reduces overhead of server virtualization by enabling containerized apps to run on a shared OS kernel. Containers do not have their own Operating System.
Concerns of server virtualization: isolation at host, process, network, and storage levels
Virtual Machine: each _____ has its own OS kernel and memory, resulting more overhead
Containers: are isolated but share a SINGLE OS kernel as well as bins/libs where possible
Container Hosts: cloud based virtual machines
Virtualization: server _________ is the process of dividing a physical server into multiple unique and isolated virtual servers by means of a software application
VM Escape: when attacker gains access to VM and attacks the host machine or any other VMs
VM Sprawl: unmanaged VMs have been deployed in the network
Type 1 Hypervisor “bare metal”: has no OS, reduced attack surface, commonly used for QA, load testing and production scenarios
Type 2 Hypervisor ‘hosted’: has an OS, less secure than type 1, increased attacked surface, less expensive
Internet of Things (IoT): class of devices connect to the internet in order to provide automation, remote control. or AI processing in a home/business setting. Often have limited compute resources and often limited ability to patch.
Supervisory Control and Data Acquisition (SCADA)/ Industrial Control System (ICS): system used to monitor and control industrial processes remotely, such as power plants, water treatment, and manufacturing. Usually do not have direct internet access for greater security
Real time operating system (RTOS): An OS designed to process tasks with precise timing and reliability, commonly used in wearables and embedded systems like in cars. Security of these devices is important, but difficult to know what is running inside the embedded systems. They process data immediately, and if a task or process does not complete within a certain time, the process will fail
Embedded System: a full computer system embedded inside of another larger system (eg: printers, GPS, drones, modern vehicles), need to be managed and patched like a computer
Availability: ensuring system or service is accessible to authorized users when needed
Resilience: an organization's ability to withstand, recover, and adapt to cyber threats, system failures, or disruptions without impacting availability
Cost: financial expenses, staffing, other associated cost.
Responsiveness: system/service’s ability to respond to user requests
Scalability: ability of a system to handle increased workloads by adding resources without performance loss.
Ease of Deployment: refers to how quickly and efficiently a system, application, or security measure can be implemented and operationalized with minimal effort.
Risk transference: security risks mitigated by transferring some responsibility to third parties through insurance, security contracts or service agreement
Ease of Recovery: recovery time and effort are crucial for availability and resilience
Patch Availability and Vendor Support: evaluates how often patching is required and the vendor’s support responsiveness
Inability to Patch: patching might not be feasible due to downtime
Power: power consumption significant factor in data center design and contributes to ongoing costs
Compute: drives ongoing costs both in cloud (pay as you go) and for on premises (replacing hardwares)