CCSK Domain 7 – Infrastructure and Networking

7.1 Cloud Infrastructure Security

7.1.1 Foundational Infrastructure Security Techniques

  • Secure Architecture: Design with security as a principle—segregate resources, least privilege access, secure storage, communications, and configurations.
  • Secure Deployment & Configuration: Harden all components (VMs, containers, storage, networking) using security benchmarks (e.g., CIS benchmarks).
  • Continuous Monitoring & Guardrails: Use preventative/reactive controls (e.g., AWS Config rules, Azure Policies) to enforce security policies and auto-remediate violations. Enable logging and monitoring across all components.

7.1.2 CSP Infrastructure Security Responsibilities

  • Facilities: Physical security (access control, surveillance).
  • Employees: Screening, training, and management.
  • Physical Network, Storage, Compute: Securing hardware.
  • Virtualisation Layers: Securing hypervisors and containers.
  • Management Plane: Securing web interfaces and APIs.
  • PaaS/SaaS Services: CSP handles underlying infrastructure security under the shared responsibility model.

7.1.3 Infrastructure Resilience

  • Single-region resiliency: Basic fault tolerance using auto-scaling, load balancing, backup/recovery.
  • Multi-region resiliency: Deploy across multiple regions for higher fault tolerance (higher cost, complexity).
  • Multi-provider resiliency: Use multiple cloud providers for critical applications (most complex and costly). Containerisation helps but challenges remain.

7.2 Cloud Network Fundamentals

7.2.1 Software-Defined Networks (SDN)

  • SDN separates control plane (routing, network definitions) from data plane (traffic movement).
  • Enables dynamic, programmatic network management.
  • Customers define logical groupings; providers configure components.

Common SDN-Based Components

  • Virtual Networks/VPCs: Logical isolation, control over topology and IP ranges.
  • Subnets: Segmentation, security policies, NAT for private subnets.
  • Route Tables: Direct traffic, custom routing.
  • Network Security Groups: Virtual firewalls, granular security, micro-segmentation.
  • ACLs: Stateless controls at subnet/network level.
  • Load Balancer Service: Distributes traffic, enables redundancy, supports WAF/DDoS protection.
  • Internet Gateways: Entry/exit for internet traffic.
  • Endpoints: Private endpoints for secure, internal access to services.

7.2.2 Cloud Connectivity

  • Resources (management plane, workloads, storage, APIs) can be exposed to the internet.
  • Private networking options (VPNs, third-party services) connect cloud to data centres.
  • Security risks arise from misconfigured boundaries; controlling traffic flows is critical.

7.3 Cloud Network Security & Secure Architectures

7.3.1 Preventative Security Measures

  • CSP Firewalls: Built-in, easy to manage, but less customisable.
  • Virtual Appliances: Flexible, high availability, but complex and maintenance-heavy.
  • Web Application Firewalls (WAFs): Protect against OWASP Top 10 vulnerabilities.

7.3.2 Detective Security Measures

  • Flow Logs & DNS Logs: Monitor traffic patterns, detect anomalies, identify breaches and exfiltration. Handling logs at scale is challenging.

7.4 Infrastructure as Code (IaC)

  • IaC uses machine-readable configuration files to manage infrastructure.
  • Key concepts:
    • Architectures described by code
    • Deployment via management plane API
    • CI/CD pipelines for automation
    • Security scanning in pipelines
    • Version control and change tracking
  • Benefits:
    • Automated compliance checks
    • Consistent security posture
    • Rapid rollback for fixes
  • IaC is often mandated for reproducibility and security.
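A guardrail of the kind 7.1.1 and 7.4 describe, written here as an added example rather than code from the CCSK material: it scans a constructed Terraform-style plan for security groups that expose non-web ports to 0.0.0.0/0 or ::/0 and produces a remediated copy, the way a pipeline scan or an auto-remediating policy rule would. The plan layout, the `PUBLIC_OK_PORTS` policy and the resource names are assumptions.

```python
import copy
import ipaddress
from typing import Dict, List

# Constructed sample plan (not from the page): two security groups, one of which
# opens SSH and RDP to the whole internet.
SAMPLE_PLAN = {
    "resources": [
        {"name": "web_sg", "type": "aws_security_group", "ingress": [
            {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
        {"name": "admin_sg", "type": "aws_security_group", "ingress": [
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            {"from_port": 3389, "to_port": 3389, "protocol": "tcp", "cidr_blocks": ["::/0"]},
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]},
    ]
}

# Hypothetical policy: only these ports may be reachable from anywhere.
PUBLIC_OK_PORTS = {80, 443}


def is_world_open(cidr: str) -> bool:
    """True if the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _publicly_allowed(rule: Dict) -> bool:
    ports = range(rule["from_port"], rule["to_port"] + 1)
    return all(p in PUBLIC_OK_PORTS for p in ports)


def find_violations(plan: Dict) -> List[Dict]:
    """Return ingress rules that expose a non-web port range to the whole internet."""
    findings = []
    for res in plan.get("resources", []):
        if res.get("type") != "aws_security_group":
            continue
        for rule in res.get("ingress", []):
            exposed = [c for c in rule["cidr_blocks"] if is_world_open(c)]
            if exposed and not _publicly_allowed(rule):
                findings.append({"resource": res["name"],
                                 "ports": (rule["from_port"], rule["to_port"]),
                                 "cidrs": exposed})
    return findings


def remediate(plan: Dict) -> Dict:
    """Return a copy of the plan with world-open CIDRs stripped from violating rules;
    rules left with no source range are dropped entirely."""
    fixed = copy.deepcopy(plan)
    for res in fixed.get("resources", []):
        if res.get("type") != "aws_security_group":
            continue
        for rule in res.get("ingress", []):
            if not _publicly_allowed(rule):
                rule["cidr_blocks"] = [c for c in rule["cidr_blocks"] if not is_world_open(c)]
        res["ingress"] = [r for r in res["ingress"] if r["cidr_blocks"]]
    return fixed
```

In a pipeline the scan step would fail the build on any finding; the auto-remediate path is what a reactive guardrail applies to already-deployed resources.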

7.5 Zero Trust for Cloud Infrastructure & Networks

7.5.1 Software-Defined Perimeter (SDP) & Zero Trust Network Access (ZTNA)

  • SDP: Creates a “dark” network, invisible to unauthorised users. Requires authentication and authorisation, uses identity-centric controls and micro-segmentation.
  • ZTNA: Replaces VPNs with granular, application-specific access. Authorises users based on identity, device, location, and context. Can be cloud-hosted or on-premises.

7.6 Secure Access Service Edge (SASE)

  • SASE combines network security functions with WAN and proxy capabilities for cloud-native security.
  • Moves security filtering to the edge (near user devices) using endpoint agents and global points of presence.
  • Avoids inefficient routing (“backhauling”) and supports Zero Trust Architecture.

Flashcard: https://quizlet.com/in/1125653042/ccsk-domain-7-infrastructure-and-networking-flash-cards/?i=4jehw4&x=1qqt
