this module was everything. Virtual ization began reviewing the major virtualization categories. Those being compute network and storage. We then reviewed virtual compute security. There were Sproles and responsibilities of the Cloud Provider versus the Cloud User, for example, making sure you take advantage of the security controls that a cloud provider gives you
leveraging least privilege security settings to determine
who can create virtual resource is who can log into virtual resource is who can delete virtual resource is and so forth.
We then moved into virtual network security, reviewing monitoring and filtering, reviewing, monitoring and filtering and how that's really different in the cloud and continued to also examine they were spools and responsibilities of cloud provider versus Cloud User.
We discovered virtual storage security, talked about storage area networks, network attached storage and other aspects of storage. Virtual ization. And we wrapped it up, going over container security, talking about the system, components of a container ecosystem, the container engine, the image repository,
orchestrator and scheduler type software
as well, a security basics four containers
and so let us commence ceremonies of the end module Recap Quiz, which our responsibilities of the cloud provider to ensure compute is secure
hard and hyper visors and update them with security patches. Determine which workloads should be hosted on dedicated hardware. Ensure hyper visors, Isolate virtual workloads. Add necessary technical controls to make sure volatile memory of workloads cannot be accessed by any process other than the workload owner.
And there are multiple correct answers on this one, starting with a very important to harden Ieper visors. That's something you rely on the cloud provider to do.
Determine which workloads should be hosted on dedicated hardware. That's a decision that the cloud user needs to make. Cloud provider is not in a good position to examine your specific workloads and determine which ones air secure and need that extra degree of isolation. You're gonna pay more for this, but they're definitely circumstances when you want to
have the hardware dedicated and really get those assurances
that there are no other workloads from other tenants running on that same hardware moving on. Ensure hyper visors isolate virtual workloads. Yes, very important Isolation is just a key thing for cloud providers. Keep that in mind. Tenant isolation. It's almost there. Number one, Security priority
and D add technical controls to make sure volatile memory of a workload cannot be accessed by any process other than workload. Owner. Yes, that is true as well
and continuing with the questions. What key security tactics should you apply to container orchestration? Software
apply are back to accounts that administer and manage the platform, and sure, secrets are securely distributed to containers. Group workloads of similar security context in the same hosts and notes.
Secured management plane using MF A. So starting with a applying role based access control two accounts Yes, you want to do this Just because somebody has an account doesn't mean they should be able to do everything. Certain accounts should be used to deploy containers, certain accounts to
expand nodes, certain accounts to do all those other administrative things. So
same principles of least privilege apply to the accounts that are administering your cloud orchestration platform. You also want to ensure secrets are securely distributed to containers, depending on the orchestrating platform. You use their different strategies to do this, but it is important
grouping workloads of a secure a similar security context.
You do want them to run on the same nodes, which is this is another word of saying hosts in the CCS K. They only use the term nodes is something that I use because we were examining Kubernetes and the Cuban aunties world those hosts that the containers air running on our called and referred to his nodes.
And last but not least, securing the management plane. Don't forget Tesla. Don't be a Tesla.
Make sure your management plane is secure. Definitely change the default passwords and, if possible, implement M f A.
We are on a roll. Let's go for another one. Cloud storage pools. Air usually implemented by which technology?
Nass, KUBERNETES, NFS or Hash Corp vault.
And the answer is a storage area. Networks is one of the most common ways of implementing storage in a cloud provider. There are a lot of proprietary ways network attached Storage does get used, but it is not the usual. And that's the key decision. Making kubernetes is a container orchestration
NFS network file system. That's a way to remotely access and as from a Lennix box and if S is the protocol
hashtag or vault? I actually did a different training on. Baltin went really deep in that product. It's great for secrets, management and can also be very helpful to tie it into kubernetes, and it provides ways to send certificates, passwords and so forth to your containers in a very secure manner
that wraps it up for this domain on virtual ization. Look forward to seeing in the next.