2.1 Given a scenario, apply security solutions for infrastructure management

  • Cloud vs on-premises: cloud is fully managed by the SP vs local physical/logical management on-premises

  • Asset management:

    • Asset tagging: assign labels including classification; unique ID; asset tracking system

  • Segmentation:

    • Physical: placing network devices to control access => new hardware + additional costs

    • Virtual: VLANs/subnets on top of existing infrastructure => no new hardware/costs

    • Jumpbox: intermediary connection point from untrusted to trusted network

    • System isolation:

      • Air gap: isolate the system from other networks/Internet; physical isolation (data transferred via USB media)

  • Network architecture:

    • Physical: defense-in-depth security appliance; segmentation; physical security

    • Software-defined: TLS; secure tunnelling; SDN controller hardening; access control

    • VPC: traffic/anomaly monitoring; ingress/egress traffic control; secure VPC connections

    • VPN: strong authentication; avoid DNS leaks; use a kill switch (drop Internet if VPN fails)

    • Serverless: log monitoring; IAM; secured secrets; input validation; secure libraries

  • Change management: change identification -> request -> request review -> prioritisation -> evaluation/impact analysis -> approval/rejection -> testing -> implementation -> review

  • Virtualisation:

    • VDI: desktop OS on central server; centralised management, easy patching, antivirus

  • Containerisation: isolate from host OS; monitoring; VA process; patch base & app image

  • Identity and access management:

    • Privilege management: least privilege; privileged account usage monitoring; prevent privilege creep; role-based authorisation

    • MFA: multiple authentication methods (knowledge; possession; biometric; location)

    • SSO: authenticate once to use multiple systems; reduces password reuse/resets/support

    • Federation: sharing of customer identity info with SPs; trust relationship between IdP, SP and user

    • Role-based: access decision is based on roles; permissions assigned to roles not users

    • Attribute-based: based on context (e.g. time, location, access frequency, behaviour)

    • Mandatory: end users cannot modify security permissions set by administrators

    • Manual review: review of access change logs, alerts, employee profiles, procedures

  • CASB: policy enforcement/data protection point between consumers and SP (place organisational policies on users accessing 3rd party, uncontrolled cloud services)

  • Honeypot: intentionally vulnerable system that monitors attackers to learn their intentions and blacklists their IP addresses

  • Monitoring and logging: SIEM; privileged use/change/grant, account creation/modification, terminated account usage, account lifecycle events, separation of duties

  • Encryption: salted hashes; encrypted traffic; encrypted keys/data/session identifiers

  • Certificate management: creation -> storage -> dissemination -> suspension -> revocation

  • Active defense: IdP notifies account owners/SPs of compromise; SPs respond to compromise of the IdP, the authorisation system or an account
