CHAPTER 15

Cloud and Virtualization

In this chapter, you will

•  Explore virtualization concepts

•  Become familiar with cloud concepts

Virtualization and cloud services are becoming common enterprise tools to manage cost, capacity, complexity, and risk. You need to understand how these services contribute to a security solution in today’s enterprise, as described in this chapter.

Certification Objective   This chapter covers CompTIA Security+ exam objective 3.7, Summarize cloud and virtualization concepts.

Hypervisor

Virtualization technology is used to enable a computer to have more than one OS present and, in many cases, operating at the same time. Virtualization is an abstraction of the OS layer, creating the ability to host multiple OSs on a single piece of hardware. To enable virtualization, a hypervisor is employed. A hypervisor is a low-level program that allows multiple operating systems to run concurrently on a single host computer. Hypervisors use a thin layer of code to allocate resources in real time. The hypervisor acts as the traffic cop that controls I/O and memory management. One of the major advantages of virtualization is the separation of the software and the hardware, creating a barrier that can improve many system functions, including security. The underlying hardware is referred to as the host machine, and on it is a host OS. Either the host OS has built-in hypervisor capability or an application is needed to provide the hypervisor function to manage the virtual machines (VMs). The virtual machines are typically referred to as guest OSs. Two types of hypervisors exist, Type I and Type II.

EXAM TIP    A hypervisor is the interface between a virtual machine and the host machine hardware. Hypervisors are the layer that enables virtualization.

Type I

Type I hypervisors run directly on the system hardware. They are referred to as native, bare-metal, or embedded hypervisors in typical vendor literature. Type I hypervisors are designed for speed and efficiency, as they do not have to operate through another OS layer. Examples of Type I hypervisors include KVM (Kernel-based Virtual Machine, a Linux implementation), Xen (Citrix Linux implementation), Microsoft Windows Server Hyper-V (a headless version of the Windows OS core), and VMware’s vSphere/ESXi platforms. All of these Type I hypervisors target the high-end enterprise server market and are designed to run multiple VMs on a single set of server hardware. These platforms come with management tool sets to facilitate VM management in the enterprise.

Type II

Type II hypervisors run on top of a host operating system. In the beginning of the virtualization movement, Type II hypervisors were most popular. Administrators could buy the VM software and install it on a server they already had running. Typical Type II hypervisors include Oracle’s VirtualBox and VMware’s VMware Player. These are designed for limited numbers of VMs, typically running in a desktop or small server environment.

Application Cells/Containers

A hypervisor-based virtualization system enables multiple OS instances to coexist on a single hardware platform. The concept of application cells/containers is similar, but rather than having multiple independent OSs, a container holds the portions of an OS that it needs separate from the kernel. So, in essence, multiple containers can share an OS, yet have separate memory, CPU, and storage threads, guaranteeing that they will not interact with other containers. This allows multiple instances of an application or different applications to share a host OS with virtually no overhead. This also allows portability of the application to a degree separate from the OS stack. Multiple major container platforms exist, but the industry has coalesced around a standard form called the Open Container Initiative (OCI), designed to enable standardization and the market stability of the environment. Different vendors in the container space have slightly different terminologies, so you need to check with your specific implementation by vendor to understand the exact definition of container and cell in their environment.

You can think of containers as the evolution of the VM concept to the application space. A container consists of an entire runtime environment bundled into one package: an application, including all its dependencies, libraries, and other binaries, and the configuration files needed to run it. This eliminates the differences between a development, test, or production environment, as the differences are in the container as a standard solution. By containerizing the application platform, including its dependencies, any differences in OS distributions, libraries, and underlying infrastructure are abstracted away and rendered moot.

VM Sprawl Avoidance

Sprawl is the uncontrolled spreading and disorganization caused by lack of an organizational structure when many similar elements require management. Just as you can lose track of a file in a large file directory and have to hunt for it, you can lose track of a VM among many others that have been created. VMs basically are files that contain a copy of a working machine’s disk and memory structures. Creating a new VM is a simple process. If an organization has only a couple of VMs, keeping track of them is relatively easy. But as the number of VMs grows rapidly over time, sprawl can set in. VM sprawl is a symptom of a disorganized structure. An organization needs to implement VM sprawl avoidance through policy. It can avoid VM sprawl through naming conventions and proper storage architectures, so that the files are in the correct directory, making finding the correct VM easy and efficient. But as in any filing system, it works only if everyone routinely follows the established policies and procedures to ensure that proper VM naming and filing are performed.

One of the strongest business cases for integrated VM management tools, such as ESX Server from VMware, is their ability to enable administrators to manage VMs and avoid sprawl. Being able to locate and use resources when required is an element of security, specifically availability, and sprawl causes availability issues.
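The policy described above (a naming convention, a storage layout that follows from the name, a recorded owner, and retirement of machines nobody boots) only works if it is checked. The following Go program is an added example, not code from the book or from any vendor's management tool: it audits a constructed VM inventory against an assumed convention of the form site-env-role-nn and an assumed storage root of /vmstore/env/, and reports every violation. The VM record fields, the naming pattern, the directory layout and the 90-day staleness window are all assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// VM is one row of a VM inventory, as an integrated management tool or a
// scripted export of the VM store might provide it. The field set is an
// assumption for this example, not any vendor's schema.
type VM struct {
	Name     string
	Owner    string
	Path     string    // where the VM's files live on the storage back end
	LastBoot time.Time // last time the VM was powered on
}

// Finding is one policy violation attributed to a named VM.
type Finding struct {
	Name  string
	Issue string
}

// Assumed naming convention: <site>-<env>-<role>-<nn>, e.g. nyc-prod-web-01.
var namePattern = regexp.MustCompile(`^[a-z]{3}-(prod|test|dev)-[a-z]+-[0-9]{2}$`)

// Assumed storage policy: a VM's files live under /vmstore/<env>/, where <env>
// is the environment named in the VM's own name. Only valid for names that
// already match namePattern.
func expectedDir(name string) string {
	env := strings.Split(name, "-")[1]
	return "/vmstore/" + env + "/"
}

// Audit applies the naming, storage, ownership and staleness policies to an
// inventory and returns every violation in inventory order. A VM that has not
// booted within the stale window is reported as a retirement candidate.
func Audit(inv []VM, now time.Time, stale time.Duration) []Finding {
	var findings []Finding
	for _, vm := range inv {
		if !namePattern.MatchString(vm.Name) {
			findings = append(findings, Finding{vm.Name, "name violates convention <site>-<env>-<role>-<nn>"})
		} else if !strings.HasPrefix(vm.Path, expectedDir(vm.Name)) {
			findings = append(findings, Finding{vm.Name, "files stored outside " + expectedDir(vm.Name)})
		}
		if vm.Owner == "" {
			findings = append(findings, Finding{vm.Name, "no owner recorded"})
		}
		if idle := now.Sub(vm.LastBoot); idle > stale {
			findings = append(findings, Finding{vm.Name,
				fmt.Sprintf("not booted for %d days; retirement candidate", int(idle.Hours()/24))})
		}
	}
	return findings
}

// SampleInventory is constructed data for the example: one compliant VM and
// three that each break a policy in a different way.
func SampleInventory(now time.Time) []VM {
	day := 24 * time.Hour
	return []VM{
		{"nyc-prod-web-01", "ops@example.test", "/vmstore/prod/nyc-prod-web-01.vmdk", now.Add(-2 * day)},
		{"nyc-test-db-02", "", "/vmstore/test/nyc-test-db-02.vmdk", now.Add(-3 * day)},
		{"bobs-copy-of-web", "bob@example.test", "/home/bob/bobs-copy-of-web.vmdk", now.Add(-200 * day)},
		{"nyc-prod-web-03", "ops@example.test", "/vmstore/test/nyc-prod-web-03.vmdk", now.Add(-1 * day)},
	}
}

func main() {
	now := time.Now()
	for _, f := range Audit(SampleInventory(now), now, 90*24*time.Hour) {
		fmt.Printf("%-18s %s\n", f.Name, f.Issue)
	}
}
```

Run against the sample, the audit reports the unowned test database, the personal copy in a home directory (both for its name and for being idle 200 days), and the production VM filed under the test directory; the compliant VM produces nothing. Feeding the same function an export from a real management tool is what turns the policy in the text into something an administrator can enforce on a schedule.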

VM Escape Protection

When multiple VMs are operating on a single hardware platform, one concern is VM escape, where software, either malware or an attacker, escapes from one VM to the underlying OS. Once the VM escape occurs, the attacker can attack the underlying OS, or resurface in a different VM. When you examine the problem from a logical point of view, both VMs use the same RAM, the same processors, and so forth; the difference is one of timing and specific combinations. While the VM system is designed to provide protection, as with all things of larger scale, the devil is in the details. Large-scale VM environments have specific modules designed to detect escape and provide VM escape protection to other modules.

EXAM TIP    Virtual environments have several specific concepts that the exam may address. Understand the difference between Type I and Type II hypervisors, and where you would use each. Understand the differences between VM sprawl and VM escape and the issues each poses. Expect questions for which you are given several of these terms as options and have to choose the correct one.

Cloud Storage

Cloud storage is a common term used to describe computer storage provided over a network. One of the characteristics of cloud storage is transparency to the end user. This improves usability of this form of service provisioning. Cloud storage offers much to the user: improvements in performance, scalability, flexibility, security, and reliability, among other items. These improvements are a direct result of the specific attributes associated with how cloud services are implemented.

Security is a particular challenge when data and computation are handled by a remote party, as in cloud computing. The specific challenge is how to allow data to be stored outside your enterprise and yet remain in control over the use of the data. The common answer is encryption. By properly encrypting its data before transferring it to cloud storage, an organization can ensure that the data is stored securely with the cloud service provider.

Use of cloud storage services is already becoming mainstream with ordinary users through such services as Apple iCloud, Microsoft OneDrive (formerly SkyDrive), and Dropbox. These are easy to use, easy to configure, and provide the basic services desired with minimal user difficulty.

Cloud Deployment Models

There are many different cloud deployment models. Clouds can be created by many entities, internal and external to an organization. Many commercial cloud services are available, offered by firms ranging from those as large as Google and Amazon to smaller, local providers. Internally, an organization’s own services can replicate the advantages of cloud computing while improving the utility of limited resources. The promise of cloud computing is improved utility and is marketed under the concepts of Platform as a Service, Software as a Service, and Infrastructure as a Service.

SaaS

Software as a Service (SaaS) is the offering of software to end users from within the cloud. Rather than installing software on client machines, SaaS acts as software on demand, where the software runs from the cloud. This has several advantages: updates can be seamless to end users, and integration between components can be enhanced. Common examples of SaaS are products that are offered via the Web by subscription services, such as Microsoft Office 365 and Adobe Creative Suite.

PaaS

Platform as a Service (PaaS) is a marketing term used to describe the offering of a computing platform in the cloud. Multiple sets of software working together to provide services, such as database services, can be delivered via the cloud as a platform. PaaS offerings generally focus on security and scalability, both of which are characteristics that fit with cloud and platform needs.

IaaS

Infrastructure as a Service (IaaS) is a term used to describe cloud-based systems that are delivered as a virtual solution for computing. Rather than building data centers, IaaS allows firms to contract for utility computing as needed. IaaS is specifically marketed on a pay-per-use basis, scalable directly with need.

EXAM TIP    Be sure you understand the differences between cloud computing service models Platform as a Service, Software as a Service, and Infrastructure as a Service.

Private

If your organization is highly sensitive to sharing resources, you may wish to consider the use of a private cloud. Private clouds are essentially reserved resources used only for your organization—your own little cloud within the cloud. This service will be considerably more expensive, but it should also carry less exposure and should enable your organization to better define the security, processing, handling of data, and so on that occurs within your cloud.

Public

The term public cloud refers to when the cloud service is rendered over a system that is open for public use. In most cases, there is little operational difference between public and private cloud architectures, but the security ramifications can be substantial. Although public cloud services will separate users with security restrictions, the depth and level of these restrictions, by definition, will be significantly less in a public cloud.

Hybrid

A hybrid cloud structure is one where elements are combined from private, public, and community cloud structures. When examining a hybrid structure, you need to remain cognizant that, operationally, these differing environments may not actually be joined, but rather used together. Sensitive information can be stored in the private cloud and issue-related information can be stored in the community cloud, all of which information is accessed by an application. This makes the overall system a hybrid cloud system.

Community

A community cloud system is one where several organizations with a common interest share a cloud environment for the specific purposes of the shared endeavor. For example, local public entities and key local firms may share a community cloud dedicated to serving the interests of community initiatives. This can be an attractive cost-sharing mechanism for specific data-sharing initiatives.

EXAM TIP    Be sure to understand and recognize the different cloud systems, private, public, hybrid, and community, because you may see all four as answer choices for a cloud question. The best answer will typically depend upon a single factor in the question.

On-Premise vs. Hosted vs. Cloud

Systems can exist in a wide array of places, from on-premises, to hosted, to in the cloud. On-premises (or on-premise according to CompTIA) means the system resides locally in the building of the organization. Whether a VM, storage, or even services, if the solution is locally hosted and maintained, it is referred to as on-premises. The advantage is that the organization has total control and generally high connectivity. The disadvantage is that it requires local resources and is not as easy to scale. The term hosted services refers to having the services hosted somewhere else, commonly in a shared environment. Using third-party hosted services gives you a set cost based on the amount you use. This has cost advantages, especially when scale is included—does it make sense to have all the local infrastructure, including personnel, for a small, informational-only website? Of course not; you would have that website hosted. Storage works the opposite way with scale. Small-scale storage needs are easily met in-house, whereas large-scale storage needs are typically either hosted or in the cloud.

EXAM TIP    On-premise means it is on your site. Hosted means it is somewhere else, a specific location. In the cloud refers to having it distributed across a remotely accessible infrastructure via a network, with specific cloud characteristics—scalability, etc.

VDI/VDE

Virtual desktop infrastructure (VDI) and virtual desktop environment (VDE) are terms used to describe the hosting of a desktop environment on a central server. VDI refers to all the components needed to set up the environment. VDE is what the user sees, the actual user environment. There are several advantages to this type of desktop environment. From a user’s perspective, her “machine” and all of its data are persisted in the server environment. This means that a user can move from machine to machine and have a singular environment following her around. And since the end-user devices are just simple doors back to the server instance of the user’s desktop, the computing requirements at the edge point are considerably lower and can be provided on older machines. Users can use a wide range of machines, even mobile phones, to access their desktop and perform their work. VDI/VDE can provide tremendous security advantages because all data, even when being processed, resides on servers inside the enterprise, so if a user’s device or laptop is lost or stolen, it holds nothing from the desktop environment to compromise.

Cloud Access Security Broker

Cloud access security brokers (CASBs) act as security policy enforcement points between cloud service providers and their customers to ensure that enterprise security policies are maintained as the cloud-based resources are utilized. CASBs belong to the broader category of managed security service providers (MSSPs), which offer Security as a Service to organizations. CASB vendors provide a range of security services designed to protect cloud infrastructure and data.

Security as a Service

Just as you can get Software as a Service and Infrastructure as a Service, you can contract with an MSSP for Security as a Service. Security as a Service is the outsourcing of security functions to a vendor that can offer advantages in scale, costs, and speed. Security is a complex, wide-ranging cornucopia of technical specialties, all working together to provide appropriate risk reductions in today’s enterprise. This means effective security requires technically savvy security pros, experienced management, specialized hardware and software, and fairly complex operations, both routine and in response to incidents. Any or all of this can be outsourced to a security vendor, and firms routinely examine vendors for solutions where the business economics makes outsourcing attractive.

Different security vendors offer different specializations, from network security, web application security, or e-mail security, to incident response services and even infrastructure updates. Depending upon architecture, needs, and scale, these third-party vendors often can offer an organization a compelling economic advantage in provisioning all or part of its security solution.

EXAM TIP    Be sure to understand the differences among the several types of services that can be delivered via the cloud, including storage, software, infrastructure, platform, and security, each with a specific deliverable and value proposition. Read cloud service–related questions carefully to determine which is the best solution, for at times the differentiating factor may be a single word in the question.

Chapter Review

In this chapter, you became acquainted with virtualization and cloud services. The chapter opened with a description of hypervisors, both Type I and II, and then covered application cells and containers. The problems with VM sprawl and VM escape were covered next. The chapter then moved to cloud-based storage and cloud deployment models, including SaaS, PaaS, and IaaS. The models of private, public, hybrid, and community clouds were explored. The issues associated with on-premises, hosted, and cloud-based provisioning were covered. The chapter concluded with an examination of VDI/VDE, cloud access security brokers, and Security as a Service in more general terms.

Questions

To help you prepare further for the CompTIA Security+ exam, and to test your level of preparedness, answer the following questions and then check your answers against the list of correct answers at the end of the chapter.

1. How does a hypervisor enable multiple guest operating systems to run concurrently on a host computer?

A. Via a specialized driver package

B. By abstracting the hardware from the guest operating systems

C. By providing specific virtual hardware to each guest OS

D. By hiding the underlying Linux operating system

2. Your supervisor asks you to analyze virtualization options for an upcoming project to move several critical servers onto virtual machines. He asks you to find a solution that maximizes the number of guest OSs per server and optimizes speed and efficiency. What solution should you recommend?

A. A Type I hypervisor, such as VMware vSphere/ESXi or Hyper-V

B. A Type II hypervisor, such as VirtualBox or VMware Player

C. Both A and B

D. Neither A nor B

3. Your new application has multiple small processes that provide services to the network. You want to make this application run more efficiently by virtualizing it. What is the best approach for virtualization of this application?

A. Type II hypervisor

B. Linux KVM

C. Containerization

D. Type I hypervisor

4. Why is VM sprawl an issue?

A. VM sprawl uses too many resources on parallel functions.

B. The more virtual machines in use, the harder it is to migrate a VM to a live server.

C. Virtual machines are so easy to create, you end up with hundreds of small servers only performing a single function.

D. When servers are no longer physical, it can be difficult to locate a specific machine.

5. When doing incident response for your company, you are reviewing the forensics of several virtual servers and you see the attacker on the web server injecting code into uninitialized memory blocks. What attack is the attacker likely attempting?

A. Denial-of-service attack on the hypervisor

B. VM escape

C. Containerization attack

D. Crashing the CASB

6. Your manager was just in a meeting about the security risks of storing data in the cloud and now is frantically requesting that you immediately shut off all access to cloud storage providers such as Dropbox, Box, OneDrive, and others, services that your company relies on for daily operations. What solution should you recommend to allow these services to be continued while protecting the corporate data in the cloud?

A. VM escape

B. Type II hypervisor

C. Containerization

D. Encryption

7. You are planning to move some applications to the cloud, including your organization’s accounting application, which is highly customized and does not scale well. Which cloud deployment model is best for this application?

A. SaaS

B. PaaS

C. IaaS

D. None of the above

8. You need to move to the cloud a specific customer service module that has a web front end. This application is highly scalable and can be provided on demand. Which cloud deployment model is best for this application?

A. SaaS

B. PaaS

C. IaaS

D. None of the above

9. One of the primary resources in use at your organization is a standard database that many applications tie into. Which cloud deployment model is best for this kind of application?

A. SaaS

B. PaaS

C. IaaS

D. None of the above

10. Which cloud deployment model has the fewest security controls?

A. Private

B. Public

C. Hybrid

D. Community

11. Which cloud deployment model is shared by several organizations with a specific purpose?

A. Private

B. Public

C. Hybrid

D. Community

12. What is the primary downside of a private cloud model?

A. Restrictive access rules

B. Cost

C. Scalability

D. Lack of vendor support

13. The desktop support team wants to virtualize the desktop environment on a central server. What is the advantage for adopting VDI?

A. Users can move to different machines and their applications will follow them.

B. A wide array of devices, even low-powered ones, can be used to access a user’s desktop.

C. No data would be compromised if the hardware was lost.

D. All of the above.

E. None of the above.

14. The CIO asks you to provide guidance on implementing security now that many of the corporate applications are moving to the cloud. Which of the following should you recommend implementing?

A. Encryption

B. CASBs

C. SaaS

D. Containerization

15. What is the greatest advantage of outsourcing an organization’s IT security to a Security as a Service provider?

A. A lost or damaged encryption key can be recovered by the provider.

B. Security can be provided seamlessly in all geographic locations.

C. The provider can offer scale, cost, and speed efficiencies.

D. Regulatory compliance is easier to achieve.

Answers

1. B. The hypervisor abstracts the hardware from the guest operating system to enable multiple guest operating systems to run concurrently on a host computer.

2. A. Speed and efficiency are maximized by a Type I hypervisor.

3. C. Containerization runs small applications on a host OS with virtually no overhead.

4. D. VM sprawl is an issue because when virtual machines proliferate, they can be easily moved and potentially easily copied to random locations. This can make finding a specific machine difficult without a specific organizational structure.

5. B. Although all hypervisors actively try to prevent it, any flaw in memory handling could allow code that is maliciously placed in a block to be read by the hypervisor or another machine. This is known as VM escape. The scenario states virtual server, eliminating C and D, and operational code blocks in uninitialized memory would not cause DoS.

6. D. Data encryption can protect corporate data that is stored in cloud storage provider locations.

7. C. Infrastructure as a Service is appropriate for highly customized, poorly scaling solutions that require specific resources to run.

8. A. Software as a Service is suitable for delivering highly scalable, on-demand applications without installing endpoint software.

9. B. Platform as a Service is suitable for standard resources in use by many other applications.

10. B. The shared environment of a public cloud has the least amount of security controls.

11. D. Community clouds are shared resources for a specific purpose.

12. B. A private cloud model is considerably more expensive as it is a dedicated resource, negating some of the advantages of outsourcing the infrastructure in the first place.

13. D. All of the above. Adopting VDI can provide multiple advantages, including: the session can follow the user, the desktop can be accessed from a variety of devices, and if a device is lost, it contains no corporate data.

14. B. Cloud access security brokers (CASBs) are specialized tools or services used to protect cloud infrastructure and data.

15. C. The greatest advantage to outsourcing cloud security to a Security as a Service provider is that the provider can offer scale, cost, and speed efficiencies.