1. Architecture & Cybersecurity - Module 4
ELO 4.1 Identify cybersecurity concerns associated with a Cloud service offering at the Infrastructure, Network and Application Layers. Figure 1
ELO 4.2 Identify the Cybersecurity concerns for how and where data is stored.
ELO 4.3 Identify the Cybersecurity Risks, Benefits and Concerns of Virtualization
ELO 4.4 Match key cybersecurity terms from the section to appropriate definitions.
CLE - Module 4 - Arch & Cybersecurity (b)

2. CLE - Module 4 - Arch & Cybersecurity (b)
Module Introduction
Recapitulation
Cybersecurity for Infrastructure, Network and Application Layers
Concerns for where the data the stored
Module Review
Module Summary Questions
Identify cybersecurity concerns associated with a Cloud service offering at the Infrastructure, Network and Application Layers
Identify the concerns for where the data is stored;
Identify the different ways of storing data
Match foundational cloud terms from the section to appropriate definitions.
CLE - Module 4 - Arch & Cybersecurity (b)

3. Recapitulation of Modules – 1, 2, 3
Review Previous Content
“Cloud computing plays a critical role in the Department’s IT modernization efforts. Our key objective is to deliver a cost efficient, secure enough enterprise environment (the security driven by the data) that can readily adapt to the Department’s mission needs. The Cloud will support the Department’s JIE with a robust IT capability built on an integrated set of Cloud services provided by both commercial providers and DoD Components. We will use a hybrid approach to Cloud that takes advantage of all types of Cloud solutions to get the best combination of mission effectiveness and efficiency. This means in some cases we will use a purely commercial solution, which we have done with Amazon on public facing data, in others we will use a modified private Cloud hosted in commercial solutions, an example could be a shared federal or federal state government Cloud, and for our most protected data a DoD private Cloud that uses best industry practices.” – Mr. Terry Halvorsen, DoD Chief Information Officer, statement to the House Armed Services Committee, Subcommittee On Emerging Threats & Capabilities (25 Feb 15)
CLE - Module 4 - Arch & Cybersecurity (b)

4. Cloud Cybersecurity Overview
Risk Management Framework (RMF)
Provisional Authorization
Risk Management tools
DOD Cloud Computing Security Requirements Guide (DISA) (
Draft Cloud Access Point (CAP) Functional Requirements Document (FRD) V2.2 (
Best Practices Guide for DoD Cloud Mission Owners (
(New MT) Identify key cybersecurity policy elements
The Risk Management Framework doesn’t specifically discuss Cloud Computing, other than in the areas of Cybersecurity Reciprocity and that DoD organizations contracting for external IT services in the form of commercial cloud computing services must comply with DoD cloud computing policy and procedural guidance as published.
Is this module supposed to discuss Provisional Authorization or is that supposed to be a topic for the next module when we get to Assessment and Authorizations?
Are the 3 documents listed under Risk Management Tools just for information or do we want to dig into them in this module? I’ve used the DoD Cloud Computing SRG quite a bit to compose the content for ELO I’m not sure we need to go into detail on the CAP FRD.
I’m not sure how useful the Best Practices Guide for DoD Cloud Mission is considering it reads more like “how to” than “what is,” which is more what this continuous learning module is about.
CLE - Module 4 - Arch & Cybersecurity (b)

5. CLE - Module 4 - Arch & Cybersecurity (b)
Identify the Cybersecurity Concerns Associated with a CSO at the Infrastructure, Network and Application Layers
Identify the Cybersecurity Concerns with a CSO at the Infrastructure, Network and Applications Layers
The DoD Cloud Computing Security Requirements Guide provides guidance on the various architectural considerations related to DoD’s use of commercial cloud services in the following areas:
The connection between the Cloud Service Provider’s infrastructure and the DoD Information Network (DoDIN),
Cloud Service Provider service protections and integration into required DoDIN Computer Network Defense (CND) and access control services, and
Mission system/application protections and integration into required DoDIN CND and access control services.
Application
Network
Infrastructure
DoDIN
CAP
CSP
Commercial
Which document provides guidance on the various architectural considerations related to DoD’s use of commercial cloud services? The DoD Cloud Computing Security Requirements Guide
ELO 4.1 Identify cybersecurity concerns associated with a Cloud service offering at the Infrastructure, Network and Application Layers
MT 4.1.X The DoD Cloud Computing Security Requirements Guide provides guidance on the various architectural considerations related to DoD’s use of commercial cloud services involving the connection between the Cloud Service Provider’s infrastructure and the DoD Information Network (DoDIN), Cloud Service Provider service protections and integration into required DoDIN Computer Network Defense (CND) and access control services, and mission system/application protections and integration into required DoDIN CND and access control services.
CLE - Module 4 - Arch & Cybersecurity (b)

6. CLE - Module 4 - Arch & Cybersecurity (b)
Identify the Cybersecurity Concerns Associated with a CSO at the Infrastructure, Network and Application Layers
Identify the Cybersecurity Concerns with a CSO at the Infrastructure, Network and Applications Layers
Infrastructure, as related to cloud service offerings, is the physical hardware (i.e. server platforms and storage), and network interconnecting the hardware that supports the cloud service and its virtualization technology (if used).
Infrastructure includes the systems and networks used by the Cloud Service Provider to manage the infrastructure.
Both private and community cloud service offerings can serve multiple tenants (missions) within the customer organizations the service supports.
Shared infrastructure refers to the physical cloud infrastructure being available to DoD and Federal Government tenants as well as non-DoD and non-Federal Government tenants. This is also referred to as a public cloud.
ELO 4.1 Identify cybersecurity concerns associated with a Cloud service offering at the Infrastructure, Network and Application Layers
MT 4.1.X Infrastructure, as related to cloud services, is the physical hardware (i.e. server platforms and storage), and network interconnecting the hardware that supports the cloud service and its virtualization technology (if used).
MT 4.1.X Infrastructure includes the systems and networks used by the Cloud Service Provider to manage the infrastructure.
MT 4.1.X Dedicated infrastructure, as related to cloud services, refers to the cloud service infrastructure being dedicated to serving a single customer organization or a specific group of customer organizations.
MT 4.1.X A private cloud service implements dedicated infrastructure to serve one customer organization.
MT 4.1.X A community cloud service implements dedicated infrastructure to serve a specific group or class of customer organizations.
MT 4.1.X Both private and community cloud services can serve multiple tenants (missions) within the customer organizations the service supports.
MT 4.1.X Shared infrastructure refers to the physical cloud infrastructure being available to DoD and Federal Government tenants as well as non-DoD and non-Federal Government tenants. This is also referred to as a public cloud.
MT 4.1.X Impact Level 2 cloud services can be offered on either shared or dedicated infrastructure.
Infrastructure
CSP
CLE - Module 4 - Arch & Cybersecurity (b)

7. CLE - Module 4 - Arch & Cybersecurity (b)
Identify the Cybersecurity Concerns Associated with a CSO at the Infrastructure, Network and Application Layers
Identify the Cybersecurity Concerns with a CSO at the Infrastructure, Network and Applications Layers
The 15 December 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services, states “Commercial cloud services used for Sensitive Data must be connected to customers through a Cloud Access Point (CAP).”
A DoD Cloud Access Point (CAP) is a system of network boundary protection and monitoring devices, otherwise known as an IA stack, through which CSP infrastructure will connect to a DoD Information Network (DoDIN) service; the Non-secure Internet Protocol Router Network (NIPRNet), or Secret Internet Protocol Router Network (SIPRNet).
True or False: All Commercial cloud services must be connect to DoD customers through a Cloud Access Point (CAP). False
ELO 4.1 Identify cybersecurity concerns associated with a Cloud service offering at the Infrastructure, Network and Application Layers
MT 4.1.X The 15 December 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services, states “Commercial cloud services used for Sensitive Data must be connected to customers through a Cloud Access Point (CAP).”
MT 4.1.X A DoD Cloud Access Point (CAP) is a system of network boundary protection and monitoring devices, otherwise known as an Information Assurance stack, through which CSP infrastructure will connect to a DoD Information Network (DoDIN) service; the Non-secure Internet Protocol Router Network (NIPRNet), or Secret Internet Protocol Router Network (SIPRNet).
CLE - Module 4 - Arch & Cybersecurity (b)

8. CLE - Module 4 - Arch & Cybersecurity (b)
Identify the Cybersecurity Concerns Associated with a CSO at the Infrastructure, Network and Application Layers
Identify the Cybersecurity Concerns with a CSO at the Infrastructure, Network and Applications Layers
A Cloud Access Point (CAP) provides the following protections:
Protects the DoDIN and its network services.
Protects other DoD missions from incidents that affect a particular CSP’s supported missions.
Provides perimeter defenses and sensing for applications hosted in the commercial cloud service.
Provides a point at which Boundary Computer Network Defense sensing will occur.
The Cloud Access Point protects the DoD Information Network and its network services.
True or False: The Cloud Access Point’s only purpose is to serve as the entry point into a Cloud Service Offering. False
True or False: The Cloud Access Point has many purposes, one of which is to protect the DoDIN and its networks. True
ELO 4.1 Identify cybersecurity concerns associated with a Cloud service offering at the Infrastructure, Network and Application Layers
MT 4.1.X In general, the CAP provides the following protections: Protects the DoDIN and its network services. Protects other DoD missions from incidents that affect a particular CSP’s supported missions. Provides provide perimeter defenses and sensing for applications hosted in the commercial cloud service. Provides a point at which Boundary CND sensing will occur. Extends the DoD demilitarized zone (DMZ) architecture to external facing mission systems and applications.
MT 4.1.X
Network
Infrastructure
DoDIN
NIPRNet
SIPRNet
CAP
CSP
Commercial
Extends the DoD de-militarized zone (DMZ) architecture to external facing mission systems and applications.
CLE - Module 4 - Arch & Cybersecurity (b)

9. CLE - Module 4 - Arch & Cybersecurity (b)
Identify the Cybersecurity Concerns Associated with a CSO at the Infrastructure, Network and Application Layers
Identify the Cybersecurity Concerns with a CSO at the Infrastructure, Network and Applications Layers
DoD uses the concept of defense-in-depth when protecting its networks and data/information.
The Mission Owner relies on the CSP and the security posture of its SaaS offering for the protection of DoD information.
Defense-in-depth security/protective measures for SaaS
DoD uses the concept of defense-in-depth when protecting its networks and data/information.
Application
Network
Infrastructure
DoDIN
NIPRNet
SIPRNet
CAP
CSP
Commercial
Application Layer Firewall and Intrusion Detection/Prevention Systems protection of the CSP’s infrastructure supporting the SaaS application offering, as well as segmentation from the CSP’s other offerings and corporate networks
ELO 4.1 Identify cybersecurity concerns associated with a Cloud service offering at the Infrastructure, Network and Application Layers
MT 4.1.X DoD uses the concept of defense-in-depth when protecting its networks and data/information.
MT 4.1.X This includes, but is not limited to, hardening hosts OSs and applications, implementing host firewalls and intrusion detection, strong access control, robust auditing of events, while protecting the networks with application layer firewalls, proxies web content filters, gateways, intrusion detection / prevention (IDPS), and a De-Militarized Zone (DMZ) /gateway architecture, along with robust network traffic monitoring.
MT 4.1.X The concept must not be lost when moving Mission Owners systems/applications and their data/information to the commercial cloud.
MT 4.1.X The Mission Owner relies on the CSP and the security posture of its SaaS offering for the protection of DoD information. The defense-in-depth security/protective measures to be established by the Cloud Service Provider for Software as a Service include, but not limited to,
Application/network architecture which provides unrestricted/restricted DMZs with appropriate protections
Appropriate customer data-at-rest and data-in transit encryption protections
Hardening/patching/maintenance of Oss and applications
Implement PIV/DoD CAC/PKI authentication for all customer user access on all SaaS offerings that process information impact Levels 4 and 5
CLE - Module 4 - Arch & Cybersecurity (b)

10. CLE - Module 4 - Arch & Cybersecurity (b)
Identify the Cybersecurity Concerns Associated with a CSO at the Infrastructure, Network and Application Layers
Identify the Cybersecurity Concerns with a CSO at the Infrastructure, Network and Applications Layers
Mission Owners build systems and applications on virtualized infrastructure provided by the CSO under IaaS/PaaS.
There must be a clear delineation of responsibility for security between the CSP and the Mission Owner, which depends upon how the CSP presents the security features it supports in the CSO.
Under IaaS the Mission Owner is fully responsible for securing the guest operating systems and applications that they build; the CSP will be responsible for securing the virtualization OS (i.e. hypervisor) and supporting infrastructure.
Under PaaS, the Mission Owner is fully responsible for securing the guest OS and the platform applications and applications they build.
CSP IaaS and PaaS offerings must support the defense-in-depth security/protective measures tha the Mission Owner must implement to secure the systems and applications that they build on the service offering.
ELO 4.1 Identify cybersecurity concerns associated with a Cloud service offering at the Infrastructure, Network and Application Layers
CLE - Module 4 - Arch & Cybersecurity (b)

11. CLE - Module 4 - Arch & Cybersecurity (b)
Identify the Cybersecurity Concerns Associated with a CSO at the Infrastructure, Network and Application Layers
Identify the Cybersecurity Concerns with a CSO at the Infrastructure, Network and Applications Layers
Most of the areas of concern for implementing defense-in-depth security/protective measures that a Mission Owner must address across all information impact levels when implementing systems/applications on Iaas/PaaS include, but are not limited to, the following:
Implement Virtual Machines (VMs) in one or more virtual networks in which data-flows between VMs, and between VMs and external networks (both physical and virtual) may be controlled.
Implement virtual networks in accordance with the approved architecture for the type of application
Implement data-at-rest encryption on all DoD files housed in CSP IaaS storage service offerings
Implement Host Based Security System IAW DoD Policy
Implement scanning using an Assured Compliance Assessment Solution server IAW CYBERCOM
Implement DoD PKI server certificates for establishing secure connections
Implement all required data-in-transit encryption protections
ELO 4.1 Identify cybersecurity concerns associated with a Cloud service offering at the Infrastructure, Network and Application Layers
CLE - Module 4 - Arch & Cybersecurity (b)

12. Identify Cybersecurity Concerns for How and Where Data is Stored
Cybersecurity for Infrastructure, Network and Application Layers
Cloud storage media includes network accessible storage, virtualized storage and various disc arrays
The DOD Cloud Computing Security Requirements Guide provides detailed implementation details for securing data at rest and transit.
With the move to commercial cloud computing, the DoD is adopting a risk-based approach in applying network defense capabilities and processes.
As we will describe in the next module, DoD has defined Impact Levels commensurate to the risk and type of data, with each higher level warranting greater protections.
MT Identify different types of storage media
True or False: Cloud storage media includes the hard disk drive on your workstation. False
With the move to commercial cloud computing, the DoD is adopting a risk-based approach in applying network defense capabilities and processes.
A Mission Owner should implement data-at-rest and data-in transit encryption on all DoD files housed in Cloud Service Providers’ IaaS storage service offerings.
ELO 4.2 Identify the concerns for where the data is stored; the student will know the different ways of storing data.
MT Cloud storage media includes network accessible storage, virtualized storage and various disc arrays.
MT The DoD Cloud Computing SRG provides detailed implementation details for securing data-at-rest and transit.
MT Implement data-at-rest encryption on all DoD files housed in CSP IaaS storage service offerings. A CSP may offer one or more services or methods to accomplish this. Data-at-rest encryption may help mitigate issues with data/information spillage.
MT 4.2.4
CLE - Module 4 - Arch & Cybersecurity (b)

13. Identify Cybersecurity Concerns for How and Where Data is Stored
Cybersecurity for Infrastructure, Network and Application Layers
Cloud storage is referred to in layers, for example:
Objects – metadata and data organized as web-based content.
Datasets – organized data in relational or other record formats
Blocks – stored at the hardware level – this is the smallest element of data accessible by a user or other system
Files – data objects (documents, spreadsheets, pictures, etc.) organized into folders for easy visualization by users.
MT Identify different ways cloud service providers store users data
Which is NOT an example of how service providers store user data in the cloud:
Objects
Datasets
Blocks
Packets - X
Files
ELO 4.2 Identify the concerns for where the data is stored; the student will know the different ways of storing data.
MT Cloud Service Providers have several ways to store users data. Data can be stored as objects, datasets, blocks or files.
MT Data stored as objects are metadata and data organized as web-based content.
MT Datasets is organized data in relational or other record formats.
MT Blocks of data are stored at the hardware level. This is the smallest element of data accessible by a user or other system.
MT Data files are data objects (documents, spreadsheets, pictures, etc.) organized into folders for easy visualization by users.
CLE - Module 4 - Arch & Cybersecurity (b)

14. Identify Cybersecurity Concerns for How and Where Data is Stored
Cybersecurity for Infrastructure, Network and Application Layers
Data must be protected to maintain confidentiality and integrity.
Confidentiality is protection from unauthorized access by those without an appropriate security clearance and need to know.
Confidentiality is often protected with encryption, identity and access management and physical security measures (doors, guards, cameras, etc.)
Integrity is guarding against unwanted changes to data. For example Global Positioning System (GPS) data is protected from changes that would miss-identify locations.
MT Identify different ways of protecting data
Data must be protected to maintain confidentiality and integrity.
Confidentiality is protection from unauthorized access by those without an appropriate security clearance and need-to-know.
Integrity is guarding against unwanted changes to the data.
ELO 4.2 Identify the concerns for where the data is stored; the student will know the different ways of storing data.
MT Cloud security information impact levels are defined by the combination of 1) the level of information to be stored and processed in the Cloud Service Provider environment; and 2) the potential impact of an event that results in the loss of confidentiality, integrity or availability of DoD data, systems or networks.
MT Data must be protected to maintain confidentiality and integrity.
MT Confidentiality is protection from unauthorized access by those without an appropriate security clearance and need to know.
MT Confidentiality is often protected with encryption, identity and access management and physical security measures (doors, guards, cameras, etc.)
MT Integrity is guarding against unwanted changes to data. For example Global Positioning System (GPS) data is protected from changes that would miss-identify locations.
CLE - Module 4 - Arch & Cybersecurity (b)

15. Identify Cybersecurity Concerns for How and Where Data is Stored
Legal considerations, including legal jurisdiction, control where DoD and US Government data can be located.
Impact Level 2/4: Cloud Service Providers will maintain all government data that is not physically located on DoD premises within the 50 States, the District of Columbia, and outlying areas of the US. Authorizing Officials (AOs), which will be described more in the next module, after careful consideration of the legal ramifications, may authorize other locations if necessary to support mission requirements.
Impact Level 5/6: To protect against seizure and improper use by non-US persons and government entities, all data/information stored and processed for the DoD must reside in a facility under the exlusive legal jurisdictionof the US. CSPs will maintain all government data that is not physically located on DoD premises within the 50 States, the District of Columbia and outlying areas of the US.
ELO 4.2 Identify the concerns for where the data is stored; the student will know the different ways of storing data.
CLE - Module 4 - Arch & Cybersecurity (b)

16. Identify the Cybersecurity Concerns for How and Where Data is Stored
Data Storage Cybersecurity
Data storage Cybersecurity concerns generally fall into two categories. The first is the location of the physical hardware globally and the second is the configuration within a data center.
Global location of the cloud data center is a concern because of local laws that may impact the confidentiality of the system. Some countries require access to any data on their soil. Generally DoD Clouds can only be located on US soil in the US.
Configuration in the data center includes physical separation to mitigate risks including vulnerabilities in interfaces, APIs and management systems.
MT concerns - security
What are two of the cybersecurity concerns with data storage? Data center location and physical configuration of the hardware.
ELO 4.2 Identify the Cybersecurity Concerns for How and Where Data is Stored
MT 4.2.X Even though Cloud Service Offerings use virtual networks, servers and machines, there is still an issue with where the data is actually stored.
MT 4.2.X Global location of the cloud data center is a concern because of local laws that may impact the confidentiality of the system. Some countries require access to any data that resides on their soil. As a result, DoD Clouds can only be located on U.S. soil.
MT 4.2.X Another cybersecurity concern with data storage is the configuration of the physical hardware in the data center.
MT 4.2.X Configuration in the data center includes physical separation to mitigate risks including vulnerability in interfaces, application program interfaces and management systems.
CLE - Module 4 - Arch & Cybersecurity (b)

17. Identify the Cybersecurity Risks of Virtualization
Identify Cybersecurity Features of Virtualization
The risks and legal considerations in using virtualization technologies further restrict the types of tenants that can obtain cloud services from a virtualized environment on the same physical infrastructure and the types of cloud deployment models (i.e., public, private, community, and hybrid) in which the various types of DoD information may be processed or stored.
While shared cloud environments provide significant opportunities for DoD entities, they also present unique risks to DoD data and systems that must be addressed. These risks include exploitation of vulnerabilities in virtualization technologies, interfaces to external systems, APIs, and management systems. These have the potential for providing back door connections and CSP privileged user access to customer’s systems and data (insider threat).
While proper configuration of the virtual and physical environment can mitigate many of these threats, there is still residual risk that may or may not be acceptable to DoD. Legal concerns such as e-discovery and law enforcement seizure of non-government CSP customer/tenant’s data pose a threat to DoD data if it is in the same storage media. Due to these concerns, DoD is currently taking a cautious approach with regard to Level 5 information.
True or False: There are minimal considerations that must be accounted for when deciding whether other tenants can obtain cloud services from a virtualized environment on the same physical infrastructure in which DoD information may be processed or stored. False
ELO 4.3 Identify the Cybersecurity Risks of Virtualization
MT There are risks and legal considerations when using virtualization technologies on the same physical infrastructure and thus restrict the types of tenants that can obtain cloud services where DoD information may be processed or stored.
MT While shared cloud environments provide significant opportunities for DoD entities, they also present unique risks to DoD data and systems.
MT Risks include exploitation of vulnerabilities in virtualization technologies, interfaces to external systems, Application Program Interfaces and management systems.
MT These vulnerabilities have the potential for providing back door connections and Cloud Service Provider privileged user access to customer’s systems and data.
CLE - Module 4 - Arch & Cybersecurity (b)

18. Identify the Cybersecurity Benefits of Virtualization
Identify Cybersecurity Features of Virtualization
Virtual Servers enable flexible computing capacity on demand. Traditional, physical servers, required funding, purchase, receipt, mounting, configuration and maintenance for any hardware failures. Virtual Servers do not require setup or physical maintenance for the acquiring organization as the cloud provider takes care of everything from the hypervisor down through hardware.
Virtual server concerns include
lack of trained workforce for cloud implementations.
Expectations that it will be considered a panacea for architecture issues in existing systems migrating to cloud.
MT Identify the benefits and concerns with virtual servers
What are the benefits of virtual servers? Enable flexible computing capacity on demand.
Which of the following is NOT a concern with virtual servers?
There is a lack of trained workforce for cloud implementation
They do not require mounting, configuration and maintenance for hardware failures.
There is an expectation that cloud architecture is a panacea for issues in migrating existing systems to the cloud.
ELO 4.3 Identify the Cybersecurity Benefits of Virtualization
MT The benefit of virtual servers in cloud computing is the ability to flexibly modify computing capacity on demand. Unlike traditional, physical servers which require funding, purchasing, receipt of goods, mounting, configuration and maintenance whenever there is a hardware failure.
MT Virtual servers do not require setup or physical maintenance for the acquiring organization as the Cloud provider takes care of everything from the hypervisor down through hardware.
MT Using virtual servers does not come without some concerns, such as a lack of trained workforce for Cloud implementations and expectations that virtual servers will be considered a panacea for architecture issues in existing systems migrating to the Cloud.
CLE - Module 4 - Arch & Cybersecurity (b)

19. Identify the Cybersecurity Benefits of Virtualization
Data Storage Cybersecurity
Virtual networks can be constructed and maintained without having to move physical links and cables.
Traditional networks required significant planning for changes and, as a result, took a great deal of time to implement changes.
Virtual networks still require planning for secure implementation but do not require changing cable and physical router changes.
MT Identify the benefits and concerns with virtual networks
ELO 4.3 Identify the Cybersecurity Benefits of Virtualization
A virtual network consists of one or more virtual machines configured to access local or external resources. A virtual network is configure to use either a network adapter in the physical computer or no network adapter. If a network adapter in the physical computer is selected, then any virtual machines attached to the virtual network can access the networks to which that physical adapter is connected. If no network adapter is selected, then any virtual machine attached to the virtual network becomes part of the internal virtual machine network. An internal virtual machine network consists of all virtual machines that are attached to a virtual network, which is configured to use no network adapter. Each internal virtual machine is completely isolated from all other internal virtual machine networks.
MT 4.3.X Virtual Servers support an unlimited number of virtual networks, and an unlimited number of virtual machines can be connected to a virtual network.
MT Virtual networks, unlike physical networks, can be constructed and maintained without having to move physical links and cables, which are potential means of accessing a physical network.
MT Traditional networks require significant planning for changes and, as a result, take a great deal of time to implement the changes.
MT Virtual networks still require planning for secure implementation but do not require changing cable and physical router changes, thus decreasing the time to implement the changes.
CLE - Module 4 - Arch & Cybersecurity (b)

20. Identify the Cybersecurity Benefits of Virtualization
Data Storage Cybersecurity
Shared resources improve reliability and rapid access.
Reliability is improved when shared storage is maintain across physical servers in redundant configurations so that a failed hard drive can be replaced without any interruption in service.
For example storage across multiple machines using Hadoop stores information on 3 separate machines so that failure of 1 of 3 can be repaired without bringing down applications. The new hard drive is inserted and the cloud instance automatically configures it to replace the failed drive.
MT one benefit of virtualization is sharing of resources (resources pooling/sharing)
ELO 4.3 Identify the Cybersecurity Benefits of Virtualization
Virtualization provides for shared resources which in turn results in improved reliability and rapid access of the network.
Reliability is improved when shared storage is maintained across physical servers in redundant configurations so that if a hard drive fails, it can be replaced without any interruption in service.
An example of shared storage across multiple machines is to use Apache Hadoop which stores information on multiple machines so that a failure on one of them can be repaired without bringing down the other applications. The failed hard drive is removed and replaced with a new hard drive and the cloud instance automatically configures it to replace the failed drive.
CLE - Module 4 - Arch & Cybersecurity (b)

21. Identify the Cybersecurity Benefits of Virtualization
Data Storage Cybersecurity
Virtualized data storage can be configured to expand based on the needs of the system being supported.
For example if an application or user requires an initial storage level of 100 GB but is expected to increase to 1TB over the course of a year the provider can set the storage to expand as it is needed. This avoids purchasing more storage than required as would be the case with traditional hardware storage.
Virtualization supports many automation capabilities to enable stand up of new virtual machines.
Using automatically configured systems reduces the time to implement and the likelihood of misconfigured systems.
Automation can also audit virtual machines, networks and storage to ensure cybersecurity postures are maintained and kept up to date.
MT supports elasticity
MT supports automation
ELO 4.3 Identify the Cybersecurity Benefits of Virtualization
MT 4.3.X One of the major benefits of cloud computing is the rapid elasticity of the cloud service offering to expand and contract based upon the needs of the mission owner. For example, if an application or mission owner requires an initial storage level of 100 Giga-Bytes but is expected to increase to 1 Tera-Byte over the course of a year. In this example the user can set the storage capacity to expand automatically, as it is needed.
MT 4.3.X Virtualization supports many automation capabilities to enable stand-up of new virtual machines.
MT 4.3.X Using automatically configured systems reduces the time to implement and the likelihood of misconfigured systems.
MT 4.3.X Automation can also audit virtual machines, networks and storage to ensure cybersecurity postures are maintained and kept up to date.
CLE - Module 4 - Arch & Cybersecurity (b)

22. Identify the Cybersecurity Concerns with Virtualization
Data Storage Cybersecurity
Physical hardware includes all of the equipment provided or used by the cloud service provider.
Examples include building, cooling system, power, network connectivity, server racks, servers, switches and other equipment required to support a virtualized environment.
DOD must be prepared for threats that include cross talk across networks and environments. In some cases, including classified systems, servers, routers and cabling must be physically separated. Examples include separation of classified systems onto different physical networks known as “air gapping”.
MT physical hardware
How does a cloud service provider implement data storage cybersecurity requirements? By physically separating the hardware, such as the network connectivity, servers, switches and other equipment required to support a virtualized environment.
ELO 4.3 Identify the Cybersecurity Concerns with Virtualization
MT 4.3.X A virtualized environment requires physical hardware by the cloud service provider. All the equipment used by a Cloud Service Provider is considered physical hardware, such as the building, cooling system, power, network connectivity, server racks, servers, and switches.
MT 4.3.X A DoD Mission Owner must be prepared for threats against the physical hardware, to include cross-talk across networks and environments.
MT 4.3.X In some cases, servers, routers and cabling must be physically separated. Examples include separation of classified systems onto different physical networks, known as “air gapping.”
CLE - Module 4 - Arch & Cybersecurity (b)

23. Identify the Cybersecurity Concerns with Virtualization
Data Storage Cybersecurity
Physical systems often require staff be collocated to conduct maintenance on the hardware and software. This included the need to physically press a button to restart a machine.
Virtualization allows systems owners and administrators to access systems remotely to build, deploy and maintain them. This can include remote restarts of virtual machines and remote metrics visibility.
Remote management can improve response times to security events and it can reduce the cost of having dedicated collocated staff.
MT requires less people, increases ability to manage more machines
How is this a concern for where the data is stored (ELO-090)?
ELO 4.3 Identify the Cybersecurity Concerns with Virtualization
MT 4.3.X Physical systems often require staff to be co-located with the hardware to conduct maintenance on the hardware and software. This included the need to physically press a button to restart a machine.
MT 4.3.X Virtualization allows system owners and administrators to access systems remotely to build, deploy and maintain them. This can include remote restarts of virtual machines and remote metrics visibility.
MT 4.3.X Remote management can improve response times to security events and it can reduce the cost of having dedicated co-located staff.
CLE - Module 4 - Arch & Cybersecurity (b)

24. Identify the Cybersecurity Concerns with Virtualization
Data Storage Cybersecurity
Physical servers and infrastructure often are managed locally. An administrator would go into the server room and log in at the actual machine. This was time consuming and expensive.
Virtualized servers can be accessed remotely thus reducing time spent working on a single machine and thus making management more efficient. An administrator can log in remotely to address any security concerns or issues.
This virtualized, remote access, improves response time to security incidents and can reduce the time required to mitigate vulnerabilities.
MT requires less people, increases ability to manage more machines
After reading what can be done using virtualized servers and what can be done remotely by an administrator, I become concerned that administrators may have too much privileges and there is a cybersecurity threat similar to what we experienced with Edward Snowden.
ELO 4.3 Identify the Cybersecurity Concerns with Virtualization
MT 4.3.X Physical servers and infrastructure are often managed locally, requiring an administrator to log in at the actual machine in the server room. This is both time consuming and expensive.
MT 4.3.X Virtualization allows administrators to access virtual servers remotely, thus reducing the time spent working on a single machine and making server management more efficient. Additionally, an administrator can log in remotely to address any security concerns or issues.
MT 4.3.X This virtualized, remote access, improves response time to security incidents and can reduce the time required to mitigate vulnerabilities, but it also provides a cybersecurity risk that needs to be controlled.
CLE - Module 4 - Arch & Cybersecurity (b)

25. Identify the Cybersecurity Concerns with Virtualization
Data Storage Cybersecurity
Physical machine implementation is often inefficient because the hardware had to be ordered, installed, configured and managed for each server.
Virtualized machines can be standardized into prepackaged installs that can be automatically implemented.
This approach provides a level of standardization that makes implementation much faster and easier to operate.
For example DISA and others have standardized templates for new virtual machines to make it easier to rapidly deploy the desired configuration.
MT standardization - each virtual machine is the same therefore easier to manage
How does standardization of data storage increase or decrease cybersecurity risks?
ELO 4.3 Identify the Cybersecurity Concerns with Virtualization
MT 4.3.X Cybersecurity settings are propagated from one virtual machine instantiation to the next, eliminating the possibility of one virtual machine from not having the same security settings as the rest.
MT 4.3.X With physical machine implementation, the process is often inefficient because the hardware has to be ordered, installed, configured and managed for each server.
MT 4.3.X For virtualized machines, the process can be standardized into prepackaged installs that can be automatically implemented. This level of standardization makes implementation much faster and easier to accomplish.
MT 4.3.X For example, the Defense Information Systems Agency has a standardized template for new virtual machines to make it easier to rapidly deploy the desired virtual machine configuration.
CLE - Module 4 - Arch & Cybersecurity (b)

26. Identify the Cybersecurity Concerns with Virtualization
Data Storage Cybersecurity
Virtual machines are efficient because they share resources. This, however; can lead to resource constraints outside of the systems administrator’s control.
For example, if one organization has virtualized their public facing web site on the same infrastructure as a commercial news service. These are logically and virtually separated but they are on the same infrastructure. In this case when a hot news story drive large data flow and processing from the news site the host may reduce the performance to the command site.
This is referred to as the noisy neighbor problem.
MT concern- performance due to sharing of resources
Is this an availability cybersecurity risk? Virtual machines pose an increased potential of cybersecurity risks to the availability of a resource?
ELO 4.3 Identify the Cybersecurity Concerns with Virtualization
MT 4.3.X Virtual machines are efficient because they share resources; however, this can lead to resource constraints outside of the system administrator’s control.
MT 4.3.X For example, if a Cloud Service Provider has virtualized a Mission Owner’s public facing web site on the same infrastructure as a commercial news service, these are logically and virtually separated but on the same physical infrastructure. In this case, when a hot news story drives larger data flow and processing from the news site, the hose may reduce performance to the Mission Owner’s public facing web site.
CLE - Module 4 - Arch & Cybersecurity (b)

27. Identify the Cybersecurity Concerns with Virtualization
Data Storage Cybersecurity
Because cloud instances can be stood up without needing to go through the lengthily process of ordering, installing and configuring bare hardware. This results in a significant reduction labor and time needed in the tasks required by systems owners.
Standardized VMs can improve security and accreditation because of their standardization. This way if a bug is identified it can be mitigated with the minimum time available.
MT faster redeployment as a result of standardization
I understand how having a standard virtual machine configuration can make it easy to install a cloud service offering, but doesn’t a standard configuration make it more vulnerable as a whole if an individual vulnerability is identified in one of the Virtual Machines?
ELO 4.3 Identify the Cybersecurity Concerns with Virtualization
MT 4.3.X Virtualization allows for faster redeployment of virtual networks because the cloud instances can be stood up without needing to go through the lengthy process of ordering, installing and configuring physical hardware.
MT 4.3.X Standardized virtual machines can improve security and accreditation because of their standardization. Errors and bugs can be identified and mitigated within a minimal timeframe because what fixes one virtual machine can fix all other instantiations.
CLE - Module 4 - Arch & Cybersecurity (b)

28. Identify the Cybersecurity Concerns with Virtualization
Data Storage Cybersecurity
Cloud implementations and their associated data can be configured to speed backup and recovery.
Virtual machines or groups of these machines can be automatically backed up to physically distant data centers where common hosting environments can spin up quickly. This approach leveraged the ability to abstract the hypervisor layer and the ability to take data snapshots for backups.
Depending on the configurations, standardized machines can be implemented as hot sites with load balancing across sites. This approach allows for fail over of a site without impacting the enterprise.
MT faster back-up and recovery due to standardization
ELO 4.3 Identify the Cybersecurity Concerns with Virtualization
MT 4.3.X Virtualization allows for faster back-up and recovery due to the standardized nature of the virtual machines in the Cloud Service Offering.
MT 4.3.X Virtual machines, or groups of these machines, can be automatically backed up to physically distant data centers where common hosting environments can spin up quickly. This approach leverages the ability to abstract the hypervisor layer and the ability to take data snapshots for backups.
MT 4.3.X Depending upon the configurations, standardized machines can be implemented as hot sites with load balancing across the sites. This approach allows for fail-over of a site without impacting the enterprise.
CLE - Module 4 - Arch & Cybersecurity (b)

29. Key Cybersecurity Terms
ELO-115 Match key cybersecurity terms from the section to appropriate definitions.
Need a list of the Cybersecurity terms
MT Match XYZ to the correct definition
CLE - Module 4 - Arch & Cybersecurity (b)

30. CLE - Module 4 - Arch & Cybersecurity (b)
Module 4 - Review
Summary
CLE - Module 4 - Arch & Cybersecurity (b)

31. Module 4 – Summary Questions
CLE - Module 4 - Arch & Cybersecurity (b)