SY0-071-Module 3 Powerpoint Slides

Uploaded by

unnifijo39
3.0 Security Architecture
CompTIA Security+ SY0-701
Topics
• Security Implications of Different Architecture Models
• Enterprise Infrastructure Security
• Data Protection Concepts and Strategies
• Resilience and Recovery in Security Architecture
Security Implications of Different Architecture Models
• Network Segmentation
• High Availability
• Virtualization
• Cloud
• Serverless Computing
• IoT
• ICS/SCADA
• RTOS and Embedded Systems
Network Segmentation
Implications of Network Segmentation
• Creating segments as “security zones” is an excellent way to group devices with the same security needs
• Physical segments can be air-gapped
• Air-gapped systems are highly secure but still at risk of compromise through:
• Removable media
• Environmental controls compromise
• VLANs are cheaper, more flexible, and more convenient
• Can be overlaid on top of nearly any physical topology configuration that uses Ethernet switches
• VLANs can be extended across campus to multiple switches via trunk links
• Can even be extended across a Metropolitan Area Network using Metro Ethernet
• Still at risk of “VLAN Hopping” – attacker forces traffic onto a different VLAN, even without the aid of a router
VLAN Use Case Example (figure: network switches)
VLAN Trunk Link Example (figure)
Network Zones by Trust Level (figure: zones labelled No Trust, Low Trust, Medium Trust, High Trust and Highest Trust)
Segmentation Trust Levels
Completely isolated: Highest
Air-gapped: Very High
Physical segments (common environment): Higher
VLANs: High
Question
• What would be the most common data loss path for an air-gapped network?
• Removable devices
Question #2
• What is the best way to isolate a section of the network and its externally available resources from the internal corporate network?
• Air-gapping
High Availability
High Availability
• Refers to a system's ability to operate continuously
• Without downtime or failure
• Usually accomplished by using redundancy with built-in failover mechanisms
(figure: three groups of services numbered 1, 2 and 3)
Common High Availability Mechanisms

• Clustering
• Load balancing
• Replication
Clustering
• A group of two or more hosts (physical machines) act as a single, unified system, running the same service
• Each host has its own IP address, MAC address and name
• The cluster itself also has an IP address, MAC address and name
• The hosts typically access the same shared data
• Usually, one host is active while the other(s) is on standby
• Should the first host fail, the cluster quickly and automatically fails over to the standby host
• The two hosts need a dedicated network link just for “heartbeat” communications
• In an Active/Standby configuration, the standby server is effectively doing nothing
• It’s just waiting around for the active server to fail
• It is possible to implement an Active/Active configuration where each host is active for one service, while also being standby for a different service
• Database servers are typical candidates for clustering
Clustering Example (figure: SYSTEM1 and SYSTEM2 joined by a failover clustering private network and sharing disks; addresses 10.0.0.10, 10.0.0.20 and 10.0.0.30)
Load Balancing
• Similar to clustering except:
• All nodes are active at the same time
• The nodes do not share data
• The nodes take turns servicing incoming client requests
• Clients are not aware of which individual node they are communicating with
• Web server front ends are typical candidates for load balancing
• Load balancing software can run on the servers directly
• A load balancer appliance/VM can accept client connections and route them between the servers
• The load balancer is typically public-facing
• Load-balancing nodes are typically placed in a DMZ
• They require a secure channel into the private network to query the back-end database
Load Balancing Example (figure: load balancer in front of replicated or clustered servers)
Replication
• Similar to load balancing except:
• The nodes do not share a common name, IP address, or MAC address
• They are very often on separate networks
• Clients are aware that each node is a separate server running its own copy of the service
• Servers each maintain a copy of the data
• Changes to the data are replicated between the servers
• Nodes are often geographically dispersed
• You will need to manage replication across distances
• Active Directory domain controllers or other databases are typical candidates
Systems That You Can Make Highly Available
• Networks, links
• Routers, switches and gateways
• Servers and services
• Storage
• Data
• Environmental systems such as power and cooling
• Entire racks, datacenters, and sites

Just about anything can be made highly available
How much money do you want to spend?
Question
• What type of replication can you implement to ensure minimal downtime in an area that is prone to earthquakes?
• Off-site replication
Virtualization
Virtualization
• Virtualization creates a simulated, or virtual, computing environment as opposed to a physical environment
• A Virtual Machine (VM) runs as an application in a host operating system
• Runs on a hypervisor (layer) that allows it to share the host’s hardware
• Usually contains an entire, fully-configured operating system, complete with its own apps, services, IP and MAC addresses, connected devices, etc.
• Multiple VMs can run on the same host
• Limited only by the host’s resources
• Virtualization allows datacenter servers to run at full capacity
• Rather than CPUs being idle for much of the time
• Saves on electricity consumption, cooling and floor space
• You can virtualize computers, networks, storage, data and applications
• Your infrastructure might fall victim to VM sprawl
• Too many people adding unknown virtual machines to your datacenter
Traditional vs. Virtual Architecture
Virtual Desktop Infrastructure (VDI)
• The client desktop is actually a virtual machine that runs on a server
• A “thin” or generic client makes a remote connection to the server
• Typically through a VPN
• The client sends mouse clicks and keyboard strokes to the remote VM
• The server sends back images of the desktop
• Applications and files reside and are run in the VM
• In many implementations, the user is unaware that the desktop is virtual
• A variation of VDI is virtualization of specific applications on a local desktop
• VDI requires a robust network infrastructure to provide good performance
• Examples include: Citrix XenServer, VMware vSphere, Azure Virtual Desktop
VDI Example (figure: front-end website)
Virtualization Considerations and Risks
• Most of the security concerns in a physical datacenter also apply to a virtual environment
• Your virtual infrastructure might fall victim to VM sprawl
• Too many people adding unknown virtual machines to your datacenter
• Control this with policies and careful resource assignment/management
• VMs could cause host resource starvation
• Poor resource management might result in VMs taking all of the hardware resources, starving the host
• VMs might “escape” from their environment
• Some applications and operating systems can detect when they are in a VM
• The malicious app might escape its hypervisor to attack the host OS or other VMs
Software-defined Networking (SDN)
• A virtualized approach to networking
• Uses software-based controllers or application programming interfaces (APIs) to:
• Communicate with the underlying hardware infrastructure
• Direct traffic on a network
• Does not use traditional hardware-based routers and switches to manage traffic
• Can be used to control both virtual and traditional hardware networks
• Can be highly flexible, scalable, resilient and cost-effective
• Especially if you use a cloud services provider
• Requires a somewhat higher learning curve to deploy
• Challenges are mostly based around a provider’s specific implementation
• Since traffic management is virtualized, some features may not fully behave like traditional hardware-based devices
• Requires interfacing between the SDN and hardware-based networks
• Software-defined network devices don’t always behave like their physical counterparts
• All IaaS clouds are SDN-based
Software Defined Networking Example
Containerization
• A container is a lightweight, standalone, executable package of software that includes everything needed to run an application:
• code, runtime (tiny operating system), system tools, system libraries and settings
• Various containers can run side-by-side on the same host operating system
• Containers are lightweight, portable, and highly conducive to automation
• Container software examples include: Docker, Buildah, LXD, Vagrant, Containerd, ZeroVM and Podman
Container vs Traditional Virtual Machine
Container Security Risks
• Unsecured communication and unrestricted network traffic
• By default, in some versions of Docker, all network traffic is allowed between containers on the same host
• Unrestricted access to processes and files
• An attacker who gains access to one container may have the capability to gain access to other containers or the host
• Kernel-level threats
• Docker is designed to have all containers share the same kernel as the host
• This provides convenience but also amplifies the impact of any vulnerabilities present in the kernel
• Inconsistent update and patching of Docker containers
• Running an older version of Docker containers can expose internal IT environments to higher risks of a breach
• Unverified Docker images
• Developers need to make sure they are downloading Docker images from trusted sources that are curated by the Docker community or the vendor
• You should run vulnerability scans against those images before deploying them in the host environment
Question
• You have several one-off legacy information systems that cannot be migrated to a newer operating system due to software compatibility issues.
• The OSes are still supported by the vendor, but the industrial software is no longer supported
• You create a resiliency plan that will allow OS patches to be installed in a non-production environment, while also creating backups of the systems for recovery
• What technology are you proposing?
• Virtual machines
Question #2
• Which of the following would be best suited for constantly changing environments?
• Containers
Question #3
• Your company is switching to a remote work model for all employees.
• All company and employee resources will be in the cloud.
• Employees must use their personal computers to access the cloud computing environment.
• The company will manage the operating system.
• Which deployment model will you implement?
• VDI
Question #4
• What type of virtualization would ensure data is saved to a location on a server, is easily scaled, and is centrally monitored?
• Containerization
Question #5
• When planning to build a virtual environment, you need to achieve the following:
• Establish policies to limit who can create new VMs
• Allocate resources according to actual utilization
• Require justification for requests outside of the standard requirements
• Create standardized categories based on size and resource requirements
• What are you trying to avoid?
• VM sprawl
Cloud
Cloud Responsibility Division of Labor
• You and your cloud provider will divide up security responsibilities
• Most providers clearly spell out the division in their contract
• Cloud providers typically have better resources and technical ability than local
IT departments to implement and maintain security
• They are better equipped to manage security, but their responsibility ends at a specific
point
• Even so, they are subject to breaches
• You are still responsible for maintaining your end of security
• Have compensating controls in place in case of a provider security incident
• Damage control + Plan B
• Communications plan for stakeholders, customers, regulators, law enforcement, etc.
• Backups
• Revoke and re-issue keys
• Possibly move workloads to on-premises or another provider
Cloud Responsibility Matrix (figure)
(figure: scale from hard to easy for ease-of-deployment, security management, scalability, high availability and ease-of-recovery, and cost from $$$$ to $)
Hybrid Cloud Examples
Hybrid Cloud Considerations
• A hybrid cloud deployment divides functionality, access, and data between an on-premises datacenter and a cloud services provider
• Usually, the two are connected by VPN or dedicated link
• Can include multiple providers and a mix of cloud types (public and private)
• End users are generally not aware of the dividing line
• Be aware of hidden cloud costs for tiered storage, data access and transfer, “always-on” resources, support levels, etc.
• Disaster Recovery Point/Time Objectives should include the various high availability capabilities offered by most cloud services
Hybrid Cloud Considerations (cont’d)
• Consider encrypting data both in transit and at rest
• Ensure that access controls are implemented on a least access principle
• Segregate data so you can easily control who has access rather than create large buckets or blobs of data that will be difficult to manage
• Prefer to store the master decryption key on-premises, with the provider having zero access to it
• Ensure that where your data is stored or replicated to complies with any data sovereignty requirements
• Ensure that functionality and data access is seamless between on-premises and cloud services
Third-party Vendors
• You can outsource none, some, or all of your IT department and functionality to service providers and third-party vendors
• Convenient and typically cost-effective
• Those providers and vendors could well be outsourcing some of their functionality to other vendors
• YOU are ultimately responsible for any performance gaps, security gaps and compliance requirements
• You cannot blame the vendor
• You must perform due diligence when selecting a provider
• Have compensating controls to cover any gaps in their security or performance
Question
• Which of the following roles, according to the shared responsibility model, is responsible for securing the company’s database in an IaaS model for a cloud environment?
• Customer/client
Serverless Computing
Infrastructure as Code (IaC)
• The managing and provisioning of infrastructure through code instead of through manual processes
• Configuration files are created that contain your infrastructure specifications
• Makes it easier to edit and distribute configurations
• Ensures that you provision the same environment, with the same security and performance baselines, every time
• Your infrastructure is provisioned automatically
• Developers don’t need to manually provision and manage servers, operating systems, storage, and other infrastructure components each time they develop or deploy an application
• Can be used in the cloud or on-premises
• Currently has a high learning curve
• Uses DevOps methodology (developers and IT operations staff are the same people)
• When implemented properly, will be cost-effective
• Easy to scale, secure, update, and recover
IaC Example
IaC Security Considerations
• IaC has the same security considerations as other virtualized environments
• Additionally, IaC has platform-specific security considerations:
• Code Repository Security:
• Secure your version control system and code repositories with proper access controls
• Regularly audit and review code repositories for sensitive information that might be accidentally exposed, such as hardcoded credentials
• Consider adopting immutable infrastructure principles
• Instances should be replaced rather than modified
• This can reduce the risk of compromise and make it easier to roll back changes
Serverless Architecture
• A way to build and run applications and services without having to manage infrastructure
• Typically provided as Function-as-a-Service (FaaS)
• Your application still runs on servers, but all the server management is done by the cloud services provider
• You no longer have to provision, scale, and maintain servers to run your applications, databases, and storage systems
• Application developers can focus on their core
• They don’t have to worry about managing and operating servers or runtimes, either in the cloud or on-premises
Serverless Architecture (cont’d)
• Convenient – you don’t have to worry about management and security
• Except in your actual application code
• Cheaper, consumes less power
• You still have to ensure that security is built into your application and workflows
• Only runs in the cloud
• App environment and security is dependent on the vendor
• Examples include AWS Lambda, Azure Functions, and Google Cloud Functions
Serverless Function Example
Microservices
• An architectural and organizational approach to software development
• Software is composed of small independent services that communicate over well-defined, lightweight application programming interfaces (APIs)
• Services are built for business capabilities and each service performs a single function
• Because they are independently run, each service can be independently updated, deployed, and scaled to meet demand for specific functions of an application
• Generally best suited for containers
• Can be deployed to a dedicated VM
• Increased complexity in design, testing, and security
• Requires you to build security into your APIs and CI/CD pipeline
Microservice Architecture Example (figure: monolithic (traditional) application vs. microservices application)
Question
• You are looking for a low-cost application-hosting solution that is cloud-based.
• Which architecture would meet these requirements?
• Serverless architecture
Question #2
• What should you use to ensure an easy, consistent deployment of resources within the cloud provider?
• Infrastructure-as-Code (IaC)
Question #3
• You reduced the area utilized in your datacenter by creating virtual networking through automation and by creating provisioning routes and rules through scripting.
• Which of the following does this example describe?
• Virtualization
• Containerization
• Microservices
• IaC
IoT
Internet of Things (IoT)
• AKA Internet of Everything (IoE) or Machine-to-Machine (M2M)
• All communications are directly between machines
• The network of physical objects—“things”—that are embedded with sensors, software, and other technologies
• IoT devices connect and exchange data with other devices and systems
• Locally via Bluetooth, Zigbee, Z-wave, Wi-Fi, and other protocols
• To the cloud via IoT gateways
IoT Applications
IoT in Industry Examples
IoT Architecture
• End Devices
• Sensors, RFID tags, readers
• Gather telemetry
• IoT Gateway
• Connects your IoT devices to other networks
• Router, phone, hotspot, etc.
• Cloud Server/Data Center
• Connect through web services
• Data processing and storage
• Processed data transmitted back to the user
• Remote Control
• End user uses a mobile app
• Monitor, control, retrieve data, take an action
• User can be in a remote location
(figure label: Apps & Middleware)
IoT Considerations
• In IoT architecture, there is (theoretically) no limitation of location or distance between two or more devices
• Devices and components can be spread across the globe
• There is, however, a practical consideration regarding bandwidth availability and latency
• Extending IoT into the cloud provides new opportunities for hacking
Common IoT Security Weaknesses
• Absence of device authentication
• Without authentication, unauthorized devices can access a network and act as an attack entry point
• Lack of visibility
• Without authentication or a unique identifier, it is difficult to track, monitor and manage IoT devices
• Embedded passwords
• While default or hardcoded passwords can make installation and remote access simpler, it also makes access easier for hackers
• Patching and upgrading
• There are often no easy means to patch or upgrade software running on IoT devices, leaving devices with known vulnerabilities exposed to hackers
• Physical access
• IoT devices are often installed in easily accessible locations, making it possible for hackers to damage them or to remove components such as memory cards
• Others are in physically remote or inaccessible locations, making them difficult to manage
Many IoT vulnerabilities stem from design and manufacturing flaws
IoT Infrastructure Attack Surface (figure: IoT device, network, remote user on phone / PC, application server, cloud infrastructure, remote administration, administration interface and administration database)
ICS / SCADA
Industrial Control Systems (ICS)
• Collection of digital devices used to control industrial processes
• Traditionally air-gapped from the Internet
• Now, it is common to use Internet-connected smart and IoT devices for remote monitoring and management of ICS
• Increases efficiency and usability
• Introduces new cybersecurity risks
Supervisory Control and Data Acquisition (SCADA)
• A subset of ICS
• Refers to systems that collect data from remote locations and provide a centralized interface for monitoring and control
• Most commonly used in telecommunications, power and energy, water/waste-water and oil and gas refineries
ICS refers to the overall system, including hardware and software components, that is used to control and automate industrial processes
ICS/SCADA Network Architecture Example
ICS Use Case Examples
ICS Security Considerations
• Consider the trade-offs of convenience vs security when connecting to an ICS/SCADA system
• Most SCADA systems cannot be updated
• SCADA manager systems typically connect to field devices via cellular or Wi-Fi
• Most SCADA systems are legacy
• They are designed to be long-lived and highly available
• They cannot be easily taken down or updated
• ICS systems often use insecure proprietary protocols
• Many do not support encryption and cannot be updated
• ICS security systems focus on detection, rather than prevention
• The risk of inadvertently blocking critical processes is too great
• Supervisor workstations could themselves be vulnerable
RTOS and Embedded Systems
Real-time Operating System (RTOS)
• Used in environments where a large number of events must be accepted and processed in a short time or within certain deadlines
• Events are mostly external to the computer system
• Processing time is measured in tenths of seconds
• The system is time-bound and has a fixed deadline
• Typical applications include:
• Industrial control, telephone switching equipment, heart pacemakers, air traffic control, missile systems, traffic lights, elevators, real-time simulations, and embedded systems
• Because RTOS is used in mission-critical applications, performance and stability of the system override any other consideration, including security
• RTOS is deliberately designed for a single task
• It might not be able to accommodate modern security controls, especially encryption
• It will also be connected to other networks
• Many SCADA systems are run by RTOS
• You will have to implement compensating controls to protect it
RTOS Examples (figure; caption: “It’s all about the deadline, baby!”)
Embedded Systems
• A system in which the computer (generally a microcontroller or microprocessor) is included as an integral part of the system
• Usually small, relatively lightweight, requiring minimal power
• Could also be part of an ICS/SCADA system
• Might run an RTOS
• Might be a legacy device
• Harder to update, patch, and keep secure
Embedded Systems Examples
Question
• You want to update some embedded systems that run unsecure protocols.
• The problem is that the vendor that developed them is no longer in business.
• Why can’t the security problem be remediated?
• There are no patches available.
Enterprise Infrastructure Security
• Reducing the Attack Surface
• Firewalls
• IDS / IPS
• Secure Communications / Access
• Port Security
• SD-WAN and SASE
Reducing the Attack Surface
Reducing the Attack Surface

• Maintain consistency through policy
• Deploy Defense-in-Depth
• Implement Zero Trust
• Recognize that endpoint protection is not designed to protect endpoints
• It is designed to protect the network FROM the endpoint
Failure Modes
• Fail Closed
• When a device or system is set, either physically or via software, to shut down and prevent further operation when failure conditions are detected
• Used where security concerns override the need for access
• Examples:
• A firewall will fail closed if it encounters a system error and stops functioning
• A vault or safe should fail closed if the facility loses power
• Fail Open
• The system does not shut down when failure conditions are present
• The system remains “open”, even if unresponsive or offline
• Operations continue as if the system were not even in place
• Used when access is deemed more important than security
• Often used in physical configurations, such as allowing someone to exit a room even if the door entry lock ceases to work
• Example: the vault that fails closed should have a mechanical release lever that allows someone trapped inside to exit
• Typically used in physical access control to protect human life in an emergency
Question
• Security controls in a data center are being reviewed to ensure data is properly protected and that human life considerations are included.
• Which failure mode best describes how the controls should be set up?
• Fail open
Firewalls
Firewall
• Acts as a network choke point
• Traffic must flow through it
• Unauthorized traffic (in or out) is blocked
• Can detect:
• Unauthorized protocols
• Unauthorized source and destination IP addresses
• Unauthorized source and destination ports
• Unauthorized incoming connection attempts
• Malicious site URLs
• Malicious payloads

If you can reach a host using one port or protocol but not another, suspect that a firewall is blocking certain traffic types.
Network Zone
• A network segment used to grant or restrict access to a group of computers or devices
• Zones should be created based on security needs
• All devices in the same zone should have the same security requirements
• Most networks have multiple zones
• Zones can be physical or logical (VLAN) segments
• Firewalls, packet filtering routers, and VPN servers typically enforce traffic control between zones
• IDS/IPS is often used to protect the higher-security zones
Network Zones Example (figure: Internet, DMZ, private network and secured private network zones containing an extranet, guest Wi-Fi, cameras, staff Wi-Fi, phones and admin)
Firewall Types
• Hardware-based
• AKA firewall appliance
• Separate device
• Placed between network zones
• Especially between Internet and intranet (private network)
• Blocks unauthorized traffic movement between the networks
• Software-based
• Installed on a host
• Prevents unauthorized traffic to/from the host itself
• In most cases, the OS-based software firewall should be enabled on all hosts, regardless of zone
Firewall Types (cont’d)
• Web application firewall (WAF)
• A firewall that specifically looks for and blocks malicious web traffic
• You may need to give it a decryption certificate so it can inspect HTTPS traffic
• Unified threat management (UTM)
• A multi-purpose appliance that contains a firewall, VPN server, IDS, antivirus, and other
features
• Next-generation firewall (NGFW)
• A firewall that performs deep packet inspection
• Some implementations offer a subscription to download signatures from the vendor and
send suspicious traffic to the vendor’s cloud for analysis
• Layer 4
• Generic term for a firewall that does not perform application-layer payload inspection
• Layer 7
• Generic term for a firewall that performs application-layer payload inspection
Packet Filtering/Stateless Firewall
• Works at multiple OSI layers:
• Layer 3 – IP addresses
• Layer 4 – Protocol
• Layer 5 - Ports
• Can be a stateless firewall or a packet filtering router
• Every packet is compared to a rule set
• Firewall can permit or deny the packet
• Rules may include:
• IP address of source and/or destination
• Port number of source and/or destination
• Protocol (IP, ICMP, IGMP, TCP, UDP)
• There is no memory of the packet before
• You will have to configure rules for every contingency
• Best when high performance is critical
Stateful Firewall
• Maintains a state table for every connection
• Disallows even outbound traffic if suspicious
• Tracks each connection
• Will notice if:
• There is no proper TCP handshake to start the connection
• Any port suddenly changes
• There are any other anomalies in the conversation
• Filters packets at the network and transport layers
• Most modern firewalls (host or external appliance) are stateful
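As an added example (not from the slide deck), the following Python models the difference between the stateless rule matching and the stateful connection tracking described above: both filters see the same constructed packet sequence, but only the stateful one rejects packets that arrive without a proper TCP handshake. The addresses, ports, rule set and packets are invented for illustration.

```python
"""Stateless rule matching vs. stateful connection tracking (toy model).
Added example, not from the slide deck: packets, addresses, ports and the
rule set below are constructed for illustration; there is no real network I/O."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                       # "TCP" or "UDP"
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN", "ACK"}


WEB = "10.0.0.30"   # constructed web server address

# Stateless rule set: (src, sport, dst, dport, proto); None is a wildcard.
# Policy: anyone may reach the web server on 443 and the web server may
# answer from 443. Every packet is judged on its own header fields only.
STATELESS_RULES = [
    (None, None, WEB, 443, "TCP"),
    (WEB, 443, None, None, "TCP"),
]


def stateless_allow(p: Packet) -> bool:
    """True if any rule matches this packet; no memory of earlier packets."""
    for src, sport, dst, dport, proto in STATELESS_RULES:
        if (proto == p.proto and src in (None, p.src) and sport in (None, p.sport)
                and dst in (None, p.dst) and dport in (None, p.dport)):
            return True
    return False


class StatefulFilter:
    """Keeps a state table per TCP connection. A packet passes only if it opens
    a new connection with a policy-approved bare SYN, or if it is the expected
    next step of a connection already in the table."""

    def __init__(self, policy):
        self.policy = policy   # decides which NEW connections may start
        self.table = {}        # (client, cport, server, sport) -> state
        self.anomalies = []    # what a stateful firewall would log

    def _lookup(self, p: Packet):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return fwd, "client_to_server"
        if rev in self.table:
            return rev, "server_to_client"
        return None, None

    def inspect(self, p: Packet) -> bool:
        if p.proto != "TCP":
            return False                      # toy model tracks TCP only
        key, direction = self._lookup(p)
        if key is None:
            if p.flags == {"SYN"} and self.policy(p):
                self.table[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
                return True
            self.anomalies.append(("no handshake", p))
            return False
        state = self.table[key]
        if state == "SYN_SENT" and direction == "server_to_client" and p.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECV"
            return True
        if state == "SYN_RECV" and direction == "client_to_server" and p.flags == {"ACK"}:
            self.table[key] = "ESTABLISHED"
            return True
        if state == "ESTABLISHED" and "ACK" in p.flags:
            if p.flags & {"FIN", "RST"}:      # connection closing: drop the entry
                del self.table[key]
            return True
        self.anomalies.append((f"out of state ({state})", p))
        return False


def demo():
    """One legitimate connection plus two stray packets through both filters."""
    client = "203.0.113.5"   # constructed client address
    legit = [
        Packet(client, 50000, WEB, 443, "TCP", frozenset({"SYN"})),
        Packet(WEB, 443, client, 50000, "TCP", frozenset({"SYN", "ACK"})),
        Packet(client, 50000, WEB, 443, "TCP", frozenset({"ACK"})),
        Packet(client, 50000, WEB, 443, "TCP", frozenset({"ACK"})),   # data
    ]
    stray = [
        # ACK to port 443 from a port that never completed a handshake
        Packet(client, 50001, WEB, 443, "TCP", frozenset({"ACK"})),
        # SYN/ACK "reply" from port 443 to a client port that never sent a SYN
        Packet(WEB, 443, client, 50002, "TCP", frozenset({"SYN", "ACK"})),
    ]
    stateless = [stateless_allow(p) for p in legit + stray]   # all pass
    sf = StatefulFilter(stateless_allow)
    stateful = [sf.inspect(p) for p in legit + stray]         # strays dropped
    return stateless, stateful, sf.anomalies


if __name__ == "__main__":
    for reason, pkt in demo()[2]:
        print("logged:", reason, pkt)
```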
Circuit-level Gateway
• Works at the Session Layer (Layer 5)
• Allows/disallows entire circuits (connections), as opposed to individual
packets
• Validates that TCP or UDP packets belong to an allowed connection
• Examines TCP handshakes
• Maintains a session state table
• Makes IP spoofing more difficult
• Compensates for UDP lack of source IP validation
• Typically a feature of:
• Host-based software firewall
• Multi-layer firewall appliance
Circuit Level Gateway Example
Application Level Gateway
• Filters packets at the Application Layer (7) of OSI or Application layer of TCP/IP
• Examines payloads and Application Layer headers
• Traffic is examined and filtered on application-specific commands
• If configured as a proxy:
• Client session put on hold at the proxy
• Proxy fetches approved content for the client
• Proxy caches the content against future requests
• Optional authentication
• Only protocols supported by the proxy are serviced
• HTTP, HTTPS, SOCKS4, SOCKS5, and UDP
• All other protocols are rejected or routed through packet filtering
• Slowest performance, deepest packet inspection
• SOCKS is a Layer 5 protocol
• Connects client to proxy
• Can forward TCP and UDP
Unified Threat Management (UTM)
Combines multiple security functions into a single appliance
Question
• An organization’s Internet-facing website was compromised when an attacker exploited a buffer overflow.
• Which of the following should the organization deploy to best protect against similar attacks in the future?
• NGFW
• WAF
• TLS
• SD-WAN
Question #2
• If an attacker sends malicious web traffic encrypted by SSL, what do you need to deploy to ensure that a web application firewall can inspect the traffic?
• A decryption certificate
IDS / IPS
Types of Intrusion Detection Systems
• Network-Based Intrusion Detection/Prevention System
• NIDS / NIPS
• Black box on network in promiscuous mode
• Detects malicious activity on the network
• Does not detect anything going on in a host
• Host-Based Intrusion Detection/Prevention System
• HIDS / HIPS
• Audits for events on a specific host
• Requires overhead to monitor every system event
• Only detects activity inside the host
• Does not detect anything happening on the network
Ways to Detect Network Intrusions
• Signature-based
• Can only detect known attacks for which a signature has previously been created
• Must regularly download signatures from the vendor
• Is at risk of false negatives
• More commonly used by IDS
• Anomaly-based
• Can identify unknown attacks
• Must pre-create a baseline of “normal” network traffic
• Capture network traffic for about two weeks
• Analyze protocols and usage statistics to identify “normal”
• Is at risk of false positives
• More commonly used by IPS
• Protocol Anomaly Detection
• Uses models to determine anomalies in how TCP/IP specifications are deployed
Indicators of Network Intrusions

• Ongoing probes of services on your network


• Unusual locations connecting to your network
• Ongoing remote login attempts
• Unauthorized data exfiltration
• Hosts with unexpected outbound connections
• Outbound connections to unusual destination ports
Network Intrusion Detection System (NIDS)
• A NIDS is a passive monitoring system
• Network traffic is examined as it passes by an IDS sensor
• The traffic is compared to a rule set
• If the traffic matches a rule it is logged
• Optionally triggers an alert
• Uses strategically placed sensors or inline taps to passively sniff traffic
• Sensors should be behind entry points (firewall, router, VPN server, WAP) to the
network segment
• Or next to high-value systems (servers)
• A network TAP is placed between two points in the network
• A TAP is a passive device that does not alter the traffic
• A NIDS is a passive system.
• It only logs, it does not block traffic
Network IDS Example
Network TAP in Action
Ethernet Network Tap Example
Network Intrusion Prevention System (NIPS)
• A NIPS is an active monitoring and control system
• Acts as a choke point behind the firewall
• A network packet comes from Internet and passes through firewall
• The packet passes through IDS and undergoes signature comparison
• If there is no match the packet is sent to the switch and into enterprise network
• If there is a match:
• An alarm is sent and logged
• The packet is sent through anomaly detection and stateful protocol analysis
• Connections from the source are cut
• The packet is dropped
• A NIPS is an active system
• It might inadvertently cut off legitimate traffic
NIDS vs NIPS
IDS Results
• True Positive
• There truly was a security incident
• A real attack was detected
• True Negative
• There truly was NOT any incident
• Most desirable! Security controls are working!
• False Positive
• False alarm
• An incident was reported, but it didn’t actually happen
• Too many false positives can become annoying
• False Negative
• A security incident actually happened, but was not detected
• IDS falsely reports that everything is ok
• This is the most serious and dangerous of all!
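Added example, not part of these course slides: a small Python script that runs both detection approaches from the "Ways to Detect Network Intrusions" slide over a handful of connection records and tallies each decision into the four outcomes above. The baseline values, the log records, the signature rules and the ground-truth labels are all constructed for the illustration; the point is to see where each approach produces a true positive, a false positive and, most importantly, a false negative.

```python
import re
import statistics
from collections import Counter

# Constructed baseline of bytes-per-connection for "normal" traffic, standing in
# for the two-week capture the slides describe (sample values, not real traffic).
BASELINE_BYTES = [800, 950, 1200, 1100, 1300, 900, 1000, 1250, 1150, 1050,
                  980, 1020, 1400, 870, 1120, 1180, 1010, 990, 1090, 1210]

# Constructed connection records: (src, dst_port, bytes_sent, payload, is_attack).
# is_attack is ground truth and is used only to score the detectors.
SAMPLE_LOG = [
    ("10.0.0.5",     443,  1200, "GET /index.html HTTP/1.1",                False),
    ("10.0.0.7",      22,   950, "SSH-2.0-OpenSSH_9.6",                     False),
    ("203.0.113.9",   80,  1100, "GET /cgi-bin/x?f=../../../../etc/passwd", True),
    ("10.0.0.5",     443,  1050, "POST /api/login",                         False),
    ("10.0.0.12",    445, 48000, "SMB nightly backup job",                  False),
    ("198.51.100.4", 443, 52000, "POST /upload (unrecognised tooling)",     True),
    ("10.0.0.9",      80,  1000, "GET /search?q=' UNION SELECT 1,2--",      True),
    ("10.0.0.3",     443,  1150, "GET /static/app.js",                      False),
]

# Signature rules: each is a known-bad pattern, so attacks without a rule are missed.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection":  re.compile(r"(?i)union\s+select"),
    "passwd-read":    re.compile(r"/etc/passwd"),
}


def signature_detect(record):
    """Signature-based: alert only when the payload matches a known pattern."""
    payload = record[3]
    return any(pattern.search(payload) for pattern in SIGNATURES.values())


def build_anomaly_detector(baseline, k=3.0):
    """Anomaly-based: learn mean and standard deviation from the baseline and
    alert when bytes_sent exceeds mean + k * stdev.  Unknown but "loud" attacks
    are caught; quiet known attacks and noisy legitimate jobs are misjudged."""
    threshold = statistics.mean(baseline) + k * statistics.stdev(baseline)

    def detect(record):
        return record[2] > threshold

    return detect


def score(detector, records):
    """Compare each alert decision with ground truth and tally TP/TN/FP/FN."""
    counts = Counter()
    for record in records:
        alerted, is_attack = detector(record), record[4]
        if alerted and is_attack:
            counts["TP"] += 1      # real attack, detected
        elif alerted:
            counts["FP"] += 1      # false alarm
        elif is_attack:
            counts["FN"] += 1      # attack missed: the dangerous outcome
        else:
            counts["TN"] += 1      # benign traffic, correctly ignored
    return counts


if __name__ == "__main__":
    anomaly_detect = build_anomaly_detector(BASELINE_BYTES)
    for name, detector in (("signature", signature_detect), ("anomaly", anomaly_detect)):
        print(name, dict(score(detector, SAMPLE_LOG)))
```

With these records the signature detector catches the traversal and SQL injection requests but misses the unrecognised upload (a false negative), while the anomaly detector catches the upload by volume, misses the two small known attacks, and raises a false positive on the legitimate backup job. That is the trade-off the two slides above describe.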
IDS Results Example
Host-based IDS/IPS (HIDS/HIPS)
• Software installed on the host
• Only activities inside the host are monitored:
• File activity
• Processes
• Logons
• Privileged actions
• User account changes
• Software installation/deletion
• Host-based IDS/IPS does not monitor network activity
• Not even port or vulnerability scans, denial-of-service attacks against the host
• HIDS logs suspicious activities
• HIPS prevents suspicious activities
• Replaces the kernel and other critical parts of the OS
• Nearly impossible to remove once installed
Indicators of System Intrusions

• New/unfamiliar files or programs detected
• Unfamiliar file names
• Files that are missing
• File permissions changed
• File sizes changed unexpectedly
• Rogue files not on master list of signed files
Indicators of System Intrusions (cont’d)

• Incomplete/short logs
• Logs that are missing/have incorrect permissions
• Random data in log files that might cause DoS or a service crash
• Slow performance of the system
• Graphic displays/text messages that are unusual
• Alterations to system software/configuration files
• System crashes/reboots
• Processes that are unfamiliar
NIDS vs HIDS
NIDS, NIPS, HIDS/HIPS Placement Example
Wi-Fi IPS (WIPS)

• Wireless intrusion prevention system
• Monitors the radio spectrum for the presence of unauthorized access points (intrusion detection)
• Can automatically implement countermeasures
• The WIPS system uses wireless access points as sensors
• Management software is installed on a server to collect, analyze, and aggregate Wi-Fi events
WIPS Deployment Models

• The AP performs WIPS functions part of the time
• Alternates between WIPS and its regular network connectivity functions
• The AP has dedicated WIPS functionality built into it
• Performs network connectivity and WIPS functions at the same time
• The WIPS is deployed through dedicated sensors instead of the APs
Secure Communications / Access
Secure Communication/Access

• Virtual Private Network (VPN)
• Remote Access
• Tunneled Transport Layer Security (TTLS)
• Internet Protocol Security (IPSEC)
• Software-defined Wide Area Network (SD-WAN)
• Secure Access Service Edge (SASE)
Proxy
• A server that fetches data on behalf of a client
• Puts the client session on hold while fetching the data
• Creates a separate session with the server
• Returns the server response to the client
• Often caches the response for a limited time in case other clients
have the same request
• Forward proxy – fetches data from the Internet on behalf of internal
clients
• Reverse proxy – fetches data from the private network on behalf of
external (Internet) clients
Proxy Process Example
Forward Proxy Example
Reverse Proxy Example
Jump Server
• AKA jump host, jump box
• A secure computer that spans two or more networks
• Two dissimilar security zones
• Allows users to connect to it from one network, and then “jump” to another
network
• Provides a controlled means of access between them
• Could be placed in a DMZ or internal network
• Sometimes referred to as a bastion host
• Used specifically as a pivot point to provide access to internal devices
• External hosts only have access to the jump server
• Cannot directly access other internal computers
• Must make a secure connection to the jump server
• Then from the jump box make a separate connection to internal computers
Jump Server Example
Virtual Private Network (VPN)
• A mechanism for creating a secure connection over an unsecure network
such as the Internet
• Traffic is encrypted before transmission
• Packets can also be “tunneled” (hidden) inside other packets
• Even if the packets are intercepted, they cannot be decoded
• Effectively making the communication private
• The receiving end (firewall, VPN server, router, host) removes the packets
from the tunnel and decrypts them
• A VPN can be between:
• Two hosts
• Two networks
• A host and a network
VPN Example
Transport Layer Security (TLS)
• Encrypts the payload
• Does not tunnel
• Does not hide an entire packet inside another packet
• Originally designed for HTTPS
• Can also be used by other applications such as:
• Messaging, email, SQL, VoIP (and more)
• Uses TCP 443 by default
• Can be changed
• Firewall friendly
• Unaffected by Network Address Translation (NAT)
• Used by “newer” VPN types that only need to protect the payload
IP Security (IPSEC)

• The most common type of VPN
• Consists of two protocols:
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• You can use one or both of these protocols as desired
• Most implementations just use ESP
• Has two modes:
• Tunnel
• Transport
• Uses Internet Key Exchange (IKE) to negotiate the session
Authentication Header (AH)

• Digitally signs the IP header
• Does not encrypt
• Cannot tolerate network address translation (NAT)
• Used to validate the integrity of an IP packet
Encapsulating Security Payload (ESP)

• Digitally signs and encrypts the payload
• Tolerates NAT
• Used to protect the confidentiality and integrity of the payload
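Added illustration, not from the slides, of why AH cannot tolerate NAT while ESP can. The script packs a minimal IPv4 header, computes an AH-style integrity value over the header plus payload and an ESP-style value over the payload only, then simulates a router hop (TTL decrement) and a NAT rewrite of the source address. The packing helper, the simplified "immutable fields" rule (real AH also zeroes other mutable fields) and the demo key are this example's own assumptions; real ESP additionally encrypts the payload, and IPsec has a separate UDP-encapsulation mechanism (NAT-T) for ESP's own NAT cases.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed values standing in for the security association's integrity key
# and a packet payload (demo data, not real secrets).
SA_KEY = b"constructed-demo-integrity-key"
PAYLOAD = b"application data protected by the SA"


def ipv4_header(src, dst, ttl=64, proto=50):
    """Pack a minimal 20-byte IPv4 header (header checksum left as zero)."""
    total_length = 20 + len(PAYLOAD)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def immutable_fields(header):
    """AH hashes the header with mutable fields (here TTL at byte 8 and the checksum
    at bytes 10-11) zeroed; the source/destination addresses at bytes 12-19 are
    treated as immutable and stay inside the hash."""
    return header[:8] + b"\x00" + header[9:10] + b"\x00\x00" + header[12:]


def ah_icv(header, payload):
    """AH-style integrity check value: covers the IP header plus the payload."""
    return hmac.new(SA_KEY, immutable_fields(header) + payload, hashlib.sha256).digest()


def esp_icv(payload):
    """ESP-style integrity check value: covers only the ESP payload, so the outer
    IP header (and anything a NAT device rewrites in it) is outside its scope."""
    return hmac.new(SA_KEY, payload, hashlib.sha256).digest()


def nat_rewrite_source(header, new_src):
    """Simulate a NAT gateway replacing the packet's source address."""
    return header[:12] + IPv4Address(new_src).packed + header[16:]


def ah_survives_router_hop():
    """A normal router decrements TTL; AH ignores TTL, so the ICV still verifies."""
    sent = ipv4_header("192.168.1.10", "203.0.113.5", ttl=64)
    received = ipv4_header("192.168.1.10", "203.0.113.5", ttl=63)
    return hmac.compare_digest(ah_icv(sent, PAYLOAD), ah_icv(received, PAYLOAD))


def ah_verifies_after_nat():
    """NAT changes the source address, which AH signed: verification fails."""
    sent = ipv4_header("192.168.1.10", "203.0.113.5")
    icv_sent = ah_icv(sent, PAYLOAD)
    received = nat_rewrite_source(sent, "198.51.100.1")
    return hmac.compare_digest(icv_sent, ah_icv(received, PAYLOAD))


def esp_verifies_after_nat():
    """ESP never covered the outer header, so the same NAT rewrite is harmless."""
    sent = ipv4_header("192.168.1.10", "203.0.113.5")
    icv_sent = esp_icv(PAYLOAD)
    nat_rewrite_source(sent, "198.51.100.1")   # outer header changes, payload does not
    return hmac.compare_digest(icv_sent, esp_icv(PAYLOAD))


if __name__ == "__main__":
    print("AH after router hop:", ah_survives_router_hop())
    print("AH after NAT:       ", ah_verifies_after_nat())
    print("ESP after NAT:      ", esp_verifies_after_nat())
```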
IPSEC Transport Mode

• Host-to-host VPN
• Two hosts create a VPN directly between them
• Hosts have to be able to route traffic to each other
• Typically used for client-server or server-server connections
• Extra security between hosts in a private network
• Server-to-server replication
• Secure connection between hosts in different security zones
• Web server front end in DMZ to database server back end in private network
• Client-to-server connection across the Internet
IPSEC Tunnel Mode

• Router-to-router VPN
• For site-to-site connections
• Two edge devices (routers, firewalls) create a VPN between them
• Typically over the Internet
• Client traffic between the two networks flows through the VPN
• Client traffic is only encrypted when in the tunnel
• Clients are unaware that the connection is a VPN
• Allows subnets with private IP addresses to connect to each other
IPSEC Modes
IPSEC AH Modes
IPSEC ESP Modes
Remote Access
• The ability to access a system or network, whether it's a personal
device or office server, without being physically present
• Allows employees to work off-site, such as at home or in another
location
• Still maintain secure access to a distant computer or network
• Typically accomplished through a VPN connection
• Can also use remote access protocols such as RDP, VNC and SSH
• Can also be accomplished via “meet-in-the-middle” methods such as:
• TeamViewer
• GoToMyPC
Remote Access Example
Question

• What type of VPN would you want to create between your central
office and a branch office?
• Site-to-site tunnel
Question #2

• You have a VPN connecting a branch office to headquarters.
• What data state is the VPN protecting?
• Data in transit
Question #3

• You need to find a solution that creates an added layer of security by preventing unauthorized access to internal company resources.
• You decide to implement a host that remote users can connect to
from the Internet.
• Once connected to the host, they can then make an additional
connection to resources on the internal network.
• What protective mechanism are you deploying?
• Jump server
Question #4

• You have users that need to make remote connections to your private
network from across the Internet.
• You want to prevent unauthorized access to the private network.
• What should the users use to make their connections?
• VPN
Question #5

• You need to build a solution to satisfy regulatory requirements.
• The requirements state that certain critical servers must be accessed using MFA.
• However, the critical servers are older and are unable to support the
addition of MFA.
• What compensating control could you implement to satisfy the
requirements?
• Jump server
Question #6

• You discover that a user is using RDP to connect across the Internet
to your production network.
• Which of the following changes should you recommend?
• Changing the remote desktop port to a non-standard number
• Setting up a VPN and placing the jump server inside the firewall
Question #7

• You need to prevent direct access from the database administrators’ workstations to the network segment that contains database servers.
• What can you deploy that would allow the DBA to remote into the
database servers without directly accessing their private network?
• A Jump Server
Question #8

• You need secure, remote access to a client environment.
• Which of the following should you use to gain access?
• IPSEC
• RDP
• Host-based firewall
• Wireless access point
Question #9

• You need to provide administrative access to internal resources while minimizing the amount of traffic allowed through the security boundary.
• What should you use?
• DMZ
• VPN
• jump server
• RDP
Port Security
802.1x
• An IEEE Standard for port-based network access control
• Defines the encapsulation of the Extensible Authentication Protocol (EAP)
over wired and wireless networks
• Involves three parties:
• Supplicant
• A client device such as a laptop or phone
• Provides the required credentials to the authenticator
• Authenticator
• A network device that provides a data link between the client and the network
• Enforces decisions by the authentication server
• Typically an Ethernet switch or wireless access point
802.1x (cont’d)
• Authentication server
• A trusted, centralized server that can receive and respond to requests for
network access
• Typically a RADIUS, TACACS, or TACACS+ server
• May or may not include the user database
• Tells the authenticator if the connection is to be allowed, and any settings
that should apply to that client's connection
• Because authentication is controlled at two levels, 802.1x is effective
at deterring on-path attacks such as man-in-the-middle and Wi-Fi Evil
Twin
802.1x Example
Extensible Authentication Protocol (EAP)

• A protocol designed to support multiple authentication methods
• Username/password, certificate/smart card/fob, biometrics
• Used to pass the authentication information between the supplicant
(the Wi-Fi workstation) and the authentication server
• Has many variants for different scenarios including:
• MD5, TLS, TTLS, PEAP, FAST and LEAP
Tunneled Transport Layer Security (TTLS)

• Popular authentication method between remote access client and server
• Provides mutual authentication through an encrypted channel (tunnel) using only the server’s digital certificate
• The client does not require a certificate
• Very common in 802.1x implementations
• Client connection is put on hold at the WAP or switch until the client/user can
authenticate to a RADIUS/Network Policy server
Question

• You want to secure your LAN/WLAN so users can authenticate and transport data securely.
• The solution needs to prevent on-path attacks and evil twin attacks. What can you use?
• 802.1x
SD-WAN and SASE
Software-defined Wide Area Network (SD-WAN)

• SD-WAN uses application-aware routing protocols to improve application performance.
• Most SD-WAN solutions create virtualized overlays in the form of end-
to-end encrypted tunnels
• The underlying physical network can be any combination of
broadband Internet, MPLS, 4G/5G cellular, or VPNs.
• A centralized, cloud-based controller intelligently steers network
traffic along the most efficient route across the WAN.
• Traffic is prioritized by business policy to offer optimal quality of
service (QoS).
SD-WAN Components

• Multiple sites that need to connect
• Multiple connections between sites that form the underlay network
• Can be any combination of 4G/5G cellular, broadband Internet, and MPLS
• Multiple overlay tunnels
• IPSEC VPNs between sites that are routed across the WAN
• SD-WAN Gateway
• A hardware device or software that connects every client device or site to the WAN
• Includes firewall and VPN functionality
• A software controller
• A centralized “orchestrator”
• Typically cloud-based
SD-WAN Example
SD-WAN Gateway Example
Secure Access Service Edge (SASE)
• Pronounced “sassy”
• SASE is a relatively new framework that addresses a common dilemma:
• how to handle the network and security demands of external traffic without routing it through the
data center
• SASE combines network and security-as-a-service functions together into a single cloud
service
• End users/devices use a VPN to connect to a SASE point-of-presence (POP)
• Traffic sent to the SASE is processed by four security functions before being sent out to
the destination
• Firewall as a service (FWaaS), Zero Trust Network Access (ZTNA), cloud access security broker (CASB) policy enforcement, and web URL filtering (secure web gateway, SWG)
• The SASE can use the Internet or an SD-WAN to connect to end resources
• End resources can be located in a public or private cloud, and/or an on-premises
datacenter
SASE Example
Question

• Your organization is struggling with scaling issues on its VPN concentrator and Internet circuit due to remote work.
• You are looking for a software solution that will:
• Reduce traffic on the VPN and Internet circuit
• Provide encrypted tunnel access to the data center
• Monitor remote employee Internet traffic
• What cloud-based solution can you use to achieve these objectives?
• SASE
Data Protection Concepts and Strategies
• Data Classifications
• Protecting Data Types
• Data Considerations
Data Classifications
Data Classification

• Classifying data is the first step in protecting it
• Use the classification level to determine the level of protection required for:
• Storage
• Encryption
• Access control
• Retention
• DLP measures
Data Classifications
Classification (least to most sensitive) and description
Public • For public access and disclosure, and has no impact to the organization if compromised
• Examples: marketing materials, press releases, and public web pages, first and last names
Private • For internal use only and may cause some harm or risk if disclosed
• Examples: internal-only memos or other communications, business plans
Confidential • Intended for authorized use only
• May cause significant harm or risk if disclosed
• Only a limited group of individuals or parties can access the information
• Examples: confidential internal company matters, customer information, business
transaction receipts, security reports, Social Security numbers, cardholder data, merger &
acquisition documents
• Usually protected by laws like HIPAA and PCI DSS
Data Classifications (cont’d)
Classification (least to most sensitive) and description
Sensitive • Intended for authorized use only
• Has a high impact to the organization if compromised
• Often subject to strict regulations
• Examples: personal information, health records, and intellectual property
• Some organizations use the labels “confidential” and “sensitive” interchangeably
Restricted • Intended for very limited use only and may cause severe harm or risk if disclosed
• Requires special protection
• Examples: data concerning atomic weapons, special nuclear material, or energy
production; proprietary information or research data; data protected by state and federal
regulations
Critical • Essential for the organization’s operations and survival
• Has a severe impact to the organization if compromised
• Examples: encryption keys, disaster recovery plans, and system backups
Question

• A systems administrator works for a local hospital and needs to ensure patient data is protected and secure.
• Which of the following data classifications should be used to secure
patient data?
• Sensitive
Protecting Data Types
Protecting Different Data Types
Type Consideration
Regulated • Decide if you can afford to ignore certain risks
• Penalties might cost less than controls?
Trade secret • Must be given the highest protection levels:
• Strong encryption, air-gapped storage, key escrow
Intellectual property (IP) • Creations of the mind for economic advantage and recognition
• IP examples: inventions, artistic works, symbols, names, and images
• Protect with legal tools such as patents, trademarks, trade secrets, and
copyrights
• You can also raise money by selling or licensing your IP
• To safeguard your IP, you need to:
• Register it with the government
• Enforce your ownership rights
• File for protection in the countries where you plan to do business
Protecting Different Data Types (cont’d)

Type Consideration
Legal information • Legal advice from an attorney or your legal department
• Classify and protect as confidential
Financial information • Should be classified and protected as private or confidential
Human- and non-human-readable • Determine the sensitivity level
• Mark with classification labels in accordance with legal requirements
• Encrypt and provide access controls as the classification requires
Personally Identifiable Information (PII) • At a minimum, treat as confidential
• Also regulated under most jurisdictions
Personal Health Information (PHI) • At a minimum, treat as confidential/sensitive
• Also regulated under most jurisdictions
Data Considerations
Data Sovereignty
• Data sovereignty is the right to control one's own data based on its
location and origin
• Regulates how data should be governed and secured, specific to the
country where it was collected and not where the collector resides
• With the rise of cloud computing, over 100 countries have passed
some type of data sovereignty law
• Example: Data collected about a country’s citizens can only be stored (geo-
located) on servers in that country
• Data sovereignty complicates data storage and processing for global
enterprises and cloud providers
Data Sovereignty Considerations
• Data sovereignty refers to the concept that digital data is subject to
the laws and regulations of the country in which it is stored.
• This means that when data is physically located within a country’s
borders, the government has jurisdiction over it and can enforce its
data protection policies.
• Can affect the availability and compliance of data
• Does not prevent access to data based on location
• Can vary depending on the country or region
• This principle is particularly important for organizations operating
across international borders
• They must comply with each jurisdiction’s rules where their data resides.
GDPR Data Sovereignty Example

• General Data Protection Regulation
• EU residents have the right to control their personal data, including
the right to access, rectify, erase, restrict, and transfer it.
• Companies that collect and process EU citizen data must comply with
GDPR regulations, which include:
• Obtaining explicit consent
• Implementing appropriate security measures
• Reporting data breaches within 72 hours
Data State Considerations

• Data can exist in one or more of the following states:
• At rest – on storage media
• In transit – being actively transmitted across a network
• In use – loaded into memory, and being (or about to be) processed by the
CPU
• Regardless of its state, data can best be protected by encryption and
strong access control
Methods to Secure Data
• Save passwords as salted hashes, not in plain text
• Apply SHA-1 or stronger hashing to verify data integrity
• Provide separate checksums (hashed output) for users when they download a file
• They can hash the downloaded file themselves and compare it to your checksum
• Prove it was not altered or corrupted in any way
• If you must use live PHI or PII data to test an application:
• Anonymize the data first
• Mask sensitive data with asterisks as users input it
• Protect it from shoulder surfing
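Added example code, not from the slides, showing the first four methods on this slide in working form: a salted password hash with verification, a published checksum that a downloader recomputes, masking of cardholder data down to the last four digits, and keyed-hash anonymization of a direct identifier for test data. SHA-256 is used for the checksum and inside PBKDF2 rather than SHA-1, since SHA-1 is no longer collision resistant; the iteration count follows OWASP's published guidance for PBKDF2-HMAC-SHA256. The function names and the storage-string format are this example's own conventions.

```python
import hashlib
import hmac
import secrets

# OWASP's current recommendation for the PBKDF2-HMAC-SHA256 work factor.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Store a password as salt + PBKDF2-HMAC-SHA256 digest, never as plain text.
    A fresh random salt per user means equal passwords produce different hashes,
    so a stolen table cannot be attacked with one precomputed lookup."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def sha256_checksum(data):
    """Checksum to publish next to a download so users can verify integrity."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data, published_checksum):
    """What the downloader does: hash the received bytes and compare to the
    checksum obtained separately from the publisher."""
    return hmac.compare_digest(sha256_checksum(data), published_checksum.strip().lower())


def mask_card_number(pan):
    """Show only the last four digits, as a UI would for cardholder data."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def anonymize_identifier(value, pepper):
    """Replace a direct identifier (e.g. a patient record number) with a keyed-hash
    token for test data. The same value maps to the same token, so joins still
    work, but without the pepper the token cannot be mapped back."""
    return hmac.new(pepper, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("checksum:", sha256_checksum(b"hello"))
    print("masked:  ", mask_card_number("4111 1111 1111 1111"))
    print("token:   ", anonymize_identifier("MRN-0001", b"constructed-test-pepper"))
```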
Methods to Secure Data (cont’d)
• Store data in files and databases securely using:
• Encryption
• Tokenization (character substitution)
• Obfuscation (masked or modified so it has little or no value to an attacker)
• Use strong access control/permissions on file systems, apps, and computers that
store, process, or transmit data
• Keep in mind the principle of Least Privilege
• Follow data sovereignty laws
• Help protect sensitive data and PII from uncontrolled environments
• Include geo-location in your controls to prevent access from high-risk countries
• A geolocation policy can be implemented using various methods including:
• IP address filtering, GPS tracking, or geofencing
Data Loss Prevention (DLP)
• A set of tools and processes used to ensure that sensitive data is not lost, misused,
or accessed by unauthorized users
• Typically driven by regulatory compliance requirements such as HIPAA, PCI-DSS, or GDPR
• Protects data from both accidental and malicious insider threats
• A DLP system will:
• classify regulated, confidential and business critical data
• identify violations of policies defined by your organization
• When a violation is identified:
• Enforces remediation with alerts, encryption, and other protective actions
• Actively prevents end users from accidentally or maliciously sharing data that could create
organizational risks

Cloud-based DLP is more likely to have the features needed by a modern network.
Data Flows Everywhere
Steps to Implementing DLP
1. Categorize/classify your data
2. Compile (or obtain) a list of data identifiers such as:
• File extensions
• Key words
• Number and format of numeric digits
• Text patterns, sequences, separations
• Proximity keywords such as
• Social Security number [SSN], password [pwd], credit card number [CCN], etc.
• File type, format and category
• Image, analytics, log data, archived/compressed, spreadsheet, audio, video, database, etc.
• Country-specific identification numbers
• International banking information, addresses, postal codes, national IDs, passport numbers, country
codes, phone area codes, and the like
3. Engage a DLP system to:
• Classify the data based on the identifiers
• Protect the data per your policies and regulatory requirements
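Added example, not part of the slides, of the three steps above in miniature: identifier patterns (SSN, card number, IBAN) with a Luhn check and proximity keywords to cut false positives, a file-type list, and a classifier that assigns a label from what it finds. The patterns, keyword lists, extension list and sample documents are all constructed for the illustration; a production DLP engine carries far larger dictionaries and country-specific identifiers than shown here.

```python
import os
import re
from dataclasses import dataclass


@dataclass
class Finding:
    identifier: str   # which data identifier matched (SSN, CCN, IBAN)
    text: str         # the matched text
    confidence: str   # "high" when a proximity keyword precedes the match, else "medium"


# Step 2: data identifiers (constructed patterns for the example).
PATTERNS = {
    "SSN":  re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "CCN":  re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),        # 13-16 digits, optional separators
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}
PROXIMITY_KEYWORDS = {
    "SSN":  ("ssn", "social security"),
    "CCN":  ("card", "ccn", "visa", "mastercard"),
    "IBAN": ("iban", "account"),
}
PROXIMITY_WINDOW = 40   # characters before a match in which to look for a keyword
SENSITIVE_EXTENSIONS = {".csv", ".xlsx", ".db", ".sql", ".bak"}


def luhn_ok(digits):
    """Mod-10 check: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Find identifier matches and rate each by nearby keywords."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if name == "CCN" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            context = text[max(0, m.start() - PROXIMITY_WINDOW):m.start()].lower()
            nearby = any(k in context for k in PROXIMITY_KEYWORDS[name])
            findings.append(Finding(name, m.group(), "high" if nearby else "medium"))
    return findings


def classify_document(filename, text):
    """Step 3: assign a classification from the identifiers present and the file type."""
    if scan_text(text):
        return "confidential"
    if os.path.splitext(filename)[1].lower() in SENSITIVE_EXTENSIONS:
        return "private"
    return "public"


# Constructed sample documents (not real records).
SAMPLE_DOCUMENTS = {
    "customer_export.csv": "Name: Jane Doe, SSN: 123-45-6789, card on file 4111 1111 1111 1111",
    "wire_instructions.txt": "Beneficiary IBAN DE89370400440532013000",
    "invoice.txt": "Order 1234567890123 shipped; total 99.00",
    "schema_backup.sql": "-- schema dump, no customer rows",
    "press_release.md": "We are opening a new office; call 555-0100.",
}


if __name__ == "__main__":
    for name, body in SAMPLE_DOCUMENTS.items():
        print(f"{name:24} {classify_document(name, body):12}",
              [(f.identifier, f.confidence) for f in scan_text(body)])
```

The order number in invoice.txt is thirteen digits and matches the card pattern, but fails the Luhn check and is dropped, which is the kind of false positive the identifier lists are meant to suppress.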
DLP Example
Question

• What would you use to confirm a file that is downloaded from a trusted security website is not altered in transit or corrupted using a verified checksum?
• Hashing
Question #2
• Your company’s legal department drafted sensitive documents in a
SaaS application
• They want to ensure the documents cannot be accessed by
individuals in high-risk countries.
• Which of the following is the most effective way to limit this access?
• Data masking
• Encryption
• Geolocation policy
• Data sovereignty regulation
Question #3

• You want to implement data protection that allows users to access data based on their need to know and permission level.
• Before implementing any data protection solution, what should you
do first?
• Classify the data.
Question #4
• After an audit, you discover that all users have access to confidential
data on a file server.
• You already know which users should have what level of access to the
data.
• What can you use to quickly restrict access based on user
authorization?
• Access control lists
Question #5

• Your dev team is almost done creating a healthcare app.
• They want to use actual PHI data to test the app.
• What can you do to protect patient privacy?
• Anonymize the data.
Question #6
• You want to secure credit card data so that only the last four numbers
are seen.
• What should you use?
• Data Masking
Question #7

• You are deploying a DLP solution to prevent the exfiltration of sensitive customer data.
• What should you do first?
• Classify the data.
Resilience and Recovery in Security Architecture
• Redundancy
• Alternate Sites
• Multiple Platforms
• Business Continuity
Redundancy
Redundancy
• AKA High Availability
• The ability to provide and maintain an acceptable level of service in
the face of faults and challenges to normal operation
• Reduces the risks associated with a single instance; a single point of failure
• Achieved through coordinated redundancy
• Clustering – alternate systems are on standby to immediately take over in
case of failure
• Load balancing – redundant systems function as a single unit
• Geographical dispersion and replication
• Usually focused on keeping a service available
Redundancy Methods
High Redundancy Example
Redundancy Considerations
• Implement when the damage caused by downtime or poor
performance outweighs the cost to implement redundancy
• Redundant physical components include:
• servers, network interfaces (NIC teaming), links (link aggregation), storage
(RAID arrays, replicated copies), switches, routers, files, databases
• Easy to implement in a cloud or virtual environment
• When designing high availability, ensure that:
• The system has the desired level of responsiveness to failure
• You do not inadvertently increase your attack surface
Question

• Why would you implement a high availability pair?
• To remove a single point of failure
Alternate Sites
Alternate Site Types
• Mirror
• Fully online, redundant equipment
• Up-to-date, replicated data
• Just needs the people
• Some mirror sites are always online, load balancing the workload with the primary site
• Hot
• Redundant facility with all needed equipment in a ready state
• Just needs the latest data backup to be restored
• Very quick to bring online
• Cold
• A facility with no equipment, only basic utilities such as power and running water, and physical
security
• Will need equipment, furniture, and the latest copies of the data
• Slowest to bring online
• Warm
• A backup facility with network connectivity and equipment pre-installed
• Will need some time to configure and restore data
• Usually does not have the capacity that a hot site has
Cold, Warm and Hot Site Comparison
(Comparison table of cold, warm and hot sites on: secondary location, equipment at location, connectivity at location, active before failover)
• Cold site: outage measured in weeks
• Warm site: outage measured in days/hours
• Hot site: outage measured in hours/minutes
Cold Site Example
Geographic Dispersion

• Geographically dispersed sites protect against major regional outages or natural disasters
• Keep sites at least two time zones apart
• Consider taking advantage of geographic dispersion and redundancy
in your on-premises or cloud infrastructure
• You can use the cloud as a convenient alternate site
Geographic Dispersion Example
Question

• You’re worried about weather events causing damage to the server room and downtime.
• What can you use to mitigate this risk?
• Geographic dispersion
Multiple Platforms
Platform Diversity

• The term computing platform generally refers to hardware and operating systems
• Platform diversity should be approached thoughtfully
• The more platforms you use, the harder it is to standardize, and the
more work for your IT department
• It may also be harder to maintain consistent security levels across all
platforms
• Choose different platforms where it makes sense
Platform Examples and Considerations
• Cloud
• Good when you want to offload physical datacenter/equipment management
to a third party
• Most public clouds are accessible from anywhere
• Requires your users to have a good Internet connection
• Windows
• Good when you want simple, one-stop support
• Most software products are written to run on Windows
• Linux
• Good when you have the in-house expertise to take advantage of the
flexibility and low cost of open source
Platform Examples and Considerations (cont’d)

• Actual servers with Xeon processors
• Good when you want rock-solid stability
• Lower-end models of brand name computers
• Good when you know you will need to replace the desktops frequently
because of harsh environmental conditions
• BYOD or CYOD (bring your own device / choose your own device)
• Good when you want to keep mobile users happy by providing choice
Multi-cloud Systems
• The use of multiple public cloud services, most often from different
cloud providers
• Uses a combination of on-premises, private cloud, public cloud, and
edge to build, access, and secure your applications
• Trends driving multi-cloud adoption include:
• The flexibility to run workloads on any cloud that the business requires
• Ability to choose best of breed cloud native services
• Accelerate app transformation and the delivery of new apps
• Avoid vendor lock-in and ensure enterprise sovereignty
• Distribute applications and services to the edge, close to users and devices
• Build a distributed workforce
Multi-cloud Benefits
• Flexibility to run workloads on any cloud that the business requires
• Ability to choose best of breed cloud native services
• Accelerate app transformation and the delivery of new apps
• Avoid vendor lock-in and ensure enterprise sovereignty
• Distribute applications and services to the edge, close to users and
devices
• Build a distributed workforce
Hybrid Cloud Network
• Combination of both cloud and on-premises networks
• Users can connect to either
• Workloads can be moved between environments
• Can be part of a multi-cloud system
Hybrid Cloud Example
Business Continuity
Continuity Of Operations
• In case of disaster, how will your business stay in business?
• Management, with the help of all departments, will need to create a:
• Business Continuity Plan (BCP) – keep the business running
• Disaster Recovery Plan (DRP) – restore necessary IT services
• Ensure that staff are ready at any time to implement the BCP and DRP
Capacity Planning
• Needs to be part of your BCP
• Make sure you will have the people, technology and infrastructure in place
to continue performing at desired levels in case of a disaster
• Will enough people be available?
• What do users actually need to perform crucial tasks?
• Will you be able to get/access replacement equipment? Your latest data backups?
• Will people have network/Internet access?
• If most people have to suddenly work remotely, can your VPN server accommodate
all the connections?
• Can your cloud provider give you high availability if their datacenter is also hit?
• Do you have readily available SOPs in case new people have to suddenly take over
tasks?
Building a Business Continuity Plan
BCP / DRP Testing
• Tabletop Exercises
• Walk-through by department heads of what to do during an emergency
• Failover
• Actual cutover from the production system to the backup system, and back
• Ensure that failover happens smoothly with minimal disruption
• Identify and pre-emptively fix any potential issues
• Simulation Exercise
• “Fire drill” to ensure that users know what to do in case of emergency
• Parallel Processing
• Having two or more fully operational systems (mirrors) running at the same
time
• Either can absorb the workload of the other in case of emergency
Traditional Backup Types
Type Description and Considerations
Full • A complete copy of the data you’re backing up
• A required starting point for traditional backup solutions
• Turns off the file’s archive flag*
• Creates the largest backup file; slowest to back up
• Fastest restore, if there are no incremental or differential backups to add
Incremental • Changes made to the data since the last full or incremental backup
• Turns off the file’s archive flag
• Creates the smallest backup file; quickest to back up, slowest to restore
• Preferred for frequent backups
Differential • Changes made to the data since the last full backup
• Does not turn off the file’s archive flag
• Faster than incremental backups to restore
• File size gets progressively larger with each differential backup

*The archive flag is an attribute of a file. It is turned on when a file is created or changed, and turned off
when the file is backed up. Backup software uses it to identify files that have changed since the last backup.
Full Backups Example
Differential Backups Example
Incremental Backups Example
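The archive-flag behaviour described in the table above, modelled as a small Python simulation (an added example, not part of the slides). `Host`, `BackupSet` and `simulate` are constructed names, and the two-file, two-day scenario is constructed sample data; it shows why incremental sets stay small but need the whole chain to restore, while only the newest differential set is needed.

```python
from dataclasses import dataclass

@dataclass
class BackupSet:
    kind: str                      # "full", "incremental" or "differential"
    files: dict                    # name -> content captured by this backup

class Host:
    """A file store that tracks each file's archive flag, as described in the table."""

    def __init__(self):
        self.files, self.flagged, self.backups = {}, set(), []

    def write(self, name, content):
        self.files[name] = content
        self.flagged.add(name)                   # create/modify turns the flag on

    def backup(self, kind):
        # A full backup copies everything; the other two copy only flagged files
        names = list(self.files) if kind == "full" else sorted(self.flagged)
        self.backups.append(BackupSet(kind, {n: self.files[n] for n in names}))
        if kind in ("full", "incremental"):      # differential leaves the flag on
            self.flagged.clear()

    def restore_chain(self):
        """Smallest sequence of backup sets needed to rebuild the current state."""
        last_full = max(i for i, b in enumerate(self.backups) if b.kind == "full")
        later = self.backups[last_full + 1:]
        if later and all(b.kind == "differential" for b in later):
            later = later[-1:]                   # only the newest differential is needed
        return [self.backups[last_full]] + later

    def restore(self):
        state = {}
        for b in self.restore_chain():           # replay the chain in order
            state.update(b.files)
        return state

def simulate(kind):
    """Constructed scenario: a full backup, then two daily changes, each followed by a `kind` backup."""
    h = Host()
    h.write("a.txt", "v1")
    h.write("b.txt", "v1")
    h.backup("full")
    for name in ("a.txt", "b.txt"):
        h.write(name, "v2")
        h.backup(kind)
    return h
```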
Backup Type Considerations
Type Consideration
Onsite • Good in case of hardware failure
• You can quickly access the backup to restore it
Offsite • Good in case the datacenter suddenly becomes unusable
• The backup will not be caught in the damage
• Cloud-based backups can be accessed from anywhere
Frequency • Choose your backup frequency by how much data you can afford to lose
• A day’s worth? An hour? 15 minutes?
• You must balance the desire for as little loss as possible against the
practicality of constant backups
Encryption Protects backup contents from unauthorized restore or theft
Snapshots • A copy of a virtual machine in its present state
• Good for quickly restoring a VM to its previous state
Backup Type Considerations (cont’d)
Type Consideration
Replication • Good for automatically keeping an alternate database up-to-date
• The primary server can replicate on a scheduled or triggered basis
• The secondary server can then be used for quick failover
• Keep replicated copies/servers geographically dispersed to protect against
natural disasters
Journaling • Good for keeping up-to-the-minute latest copies of a file or database
• Keeps track of changes not yet committed to the database or file system's
main part
• In the event of a system crash or power failure, such databases and file
systems can be brought back online more quickly with a lower likelihood of
becoming corrupted
• Journaling is a built-in feature of most modern file systems including NTFS,
EXT, ReFS, and APFS (Apple File System)
Recovery Choose the backup type (full, incremental, differential) based on either the
desired backup time or restore time, or some balance between the two
Power Redundancy Options
Type Description
Generator • Uses diesel fuel or gasoline
• Can provide large amounts of power for extended lengths of time
• Can be configured to start quickly (within minutes) after a power
failure
Uninterruptible Power Supply (UPS) • Plugs into a wall outlet
• Keeps a charged battery inline between input and output power
• When the facility loses power, the battery will continue to
provide power for a short while – 15 minutes to several hours
• On a server rack, provides power just long enough for an orderly
shutdown of the equipment
Power bank A portable battery and power supply system to run a mobile device
or small camping equipment for a few hours
Solar power pack A power bank that uses sunlight to recharge its battery
Power Redundancy Examples
Question
• You are developing a business continuity plan.
• You need to determine how many staff members would be required
to sustain the business in the case of a disruption.
• What would you call this step?
• Capacity planning
Question #2
• You want to fully back up your servers every week, including
capturing any updates every day.
• You also want to minimize the amount of storage space the backups
require.
• What backup strategy should you use?
• A weekly full backup with daily incremental backups
Question #3
• You want to go over the disaster recovery plan with team leads.
• Which preparation activity would be the least time-consuming for the
team?
• Tabletop walk-through.
Question #4
• You want your team to be ready to respond to any disaster.
• What type of activity can provide them with the closest experience to
an actual disaster?
• Simulation