Security+ Flashcards: Cloud Security, Virtualization, Containers, Serverless Risks

Gain insights into cloud security risks and the role of security operations in maintaining a secure environment. This section covers monitoring practices and security information and event management (SIEM).

Nortren

What are the three cloud service models and their security implications?

Infrastructure as a Service, or IaaS, provides virtual machines, storage, and networking where the customer manages everything above the hypervisor. Platform as a Service, or PaaS, adds managed operating systems and runtime environments where the customer manages only applications and data. Software as a Service, or SaaS, delivers complete applications where the customer manages only access and data classification. Security responsibility shifts from customer to provider as you move from IaaS to SaaS.

What is a hypervisor and what security risks does virtualization introduce?

A hypervisor is software that creates and manages virtual machines by abstracting physical hardware resources. Type 1 hypervisors like VMware ESXi run directly on hardware, while Type 2 hypervisors like VirtualBox run on top of a host operating system. Security risks include VM escape, where an attacker breaks out of a virtual machine to access the hypervisor or other VMs; VM sprawl, where unmanaged virtual machines accumulate without proper patching; and side-channel attacks that exploit shared hardware resources.

What are containers and how do their security risks differ from virtual machines?

Containers package an application with its dependencies and run on a shared operating system kernel, unlike virtual machines that each run their own operating system. Containers are lighter and faster but share the host kernel, meaning a kernel vulnerability affects all containers. Security risks include insecure container images with known vulnerabilities, excessive container privileges, exposed management interfaces, and secrets hardcoded in images.

What is a cloud access security broker and what does it do?

A cloud access security broker, or CASB, is a security tool that sits between an organization's users and cloud service providers, enforcing security policies for cloud application usage. CASBs provide four key capabilities: visibility into which cloud services are being used, including shadow IT discovery; compliance, by verifying that cloud usage meets regulatory requirements; data security, through encryption, tokenization, and data loss prevention for cloud-stored data; and threat protection, by detecting anomalous user behavior and malware in cloud services.

What are the security risks of serverless computing?

Serverless computing, also called Function as a Service, executes code in response to events without managing servers. Security risks include excessive function permissions where functions are granted more access than needed, insecure dependencies in third-party libraries bundled with functions, event injection where malicious input triggers unintended execution, insufficient logging making incident investigation difficult, and insecure secrets management when API keys are hardcoded in function code.

What is infrastructure as code and how does it improve security?

Infrastructure as code, or IaC, manages and provisions computing infrastructure through machine-readable configuration files rather than manual processes. Security benefits include consistent, repeatable deployments that eliminate configuration drift, version-controlled infrastructure changes that provide an audit trail, automated security testing of configurations before deployment, and rapid rebuilding of compromised systems from known-good templates.