# 2.1 Given a scenario, apply security solutions for infrastructure management

* Cloud vs on-premises: all managed by SP vs local physical/logical management
* Asset management:
  * Asset tagging: assign labels including classification; unique ID; asset tracking system
* Segmentation:
  * Physical: placing network devices to control access => new hardware + additional costs
  * Virtual: VLANs/subnets on top of existing infrastructure => no new hardware/costs
  * Jumpbox: intermediary connection point from untrusted to trusted network
  * System isolation:
    * Air gap: isolate system other networks/Internet; physical isolation (transfer with USBs)
* Network architecture:
  * Physical: defense-in-depth security appliance; segmentation; physical security
  * Software-defined: TLS; secure tunnelling; SDN controller hardening; access control
  * VPC: traffic/anomaly monitoring; ingress/egress traffic control; secure VPC connections
  * VPN: strong authentication; avoid DNS leaks; use a kill switch (drop Internet if VPN fails)
  * Serverless: log monitoring; IAM; secured secrets; input validation; secure libraries
* Change management: change identification -> request -> request review -> prioritisation -> evaluation/impact analysis -> approval/rejection -> testing -> implementation -> review
* Virtualisation:
  * VDI: desktop OS on central server; centralised management, easy patching, antivirus
* Containerisation: isolate from host OS; monitoring; VA process; patch base & app image
* Identity and access management:
  * Privilege management: least privilege; privileged account usage monitoring; prevent privilege creep; role-based authorisation
  * MFA: multiple authentication methods (knowledge; possession; biometric; location)
  * SSO: authenticate once to use multiple systems; reduces password reuse/resets/support
  * Federation: sharing of customer info to SPs; trust relationship between IdP, SP and user
  * Role-based: access decision is based on roles; permissions assigned to roles not users
  * Attribute-based: based on context (e.g. time, location, access frequency, behaviour)
  * Mandatory: end users cannot modify security permissions set by administrators
  * Manual review: review of access change logs, alerts, employee profiles, procedures
* CASB: policy enforcement/data protection point between consumers and SP (place organisational policies on users accessing 3rd party, uncontrolled cloud services)
* Honeypot: intentionally vulnerable system that monitors attackers for intentions & blacklists the IP address
* Monitoring and logging: SIEM; privileged use/change/grant, account creation/\
  modification, terminated account usage, account lifecycle events, separation of duty
* Encryption: salted hashes; encrypted traffic; encrypted keys/data/session identifiers
* Certificate management: creation -> storage -> dissemination -> suspension -> revocation
* Active defense: IdP notifies account owners/SPs; SPs respond to IdP/authorisation system/account compromise