CCSP Domain 1
Regulation for Financial/Retail Sector
(PCI DSS) Payment Card Industry Data Security Standard
Number of Cloud service models
3
Confidentiality
The prevention of sensitive data from being accessed or viewed by any party other than those authorized
symmetric key cryptography
The same key is used to encrypt and decrypt the data, so the key must be known and available by both parties
Regulation for US Federal Agencies and Contractors
(FISMA) Federal Information Security Management Act
Regulation for US Healthcare Sector
(HIPAA) Health Insurance Portability and Accountability Act
Community Cloud
A cloud service model where the tenants are limited to those that have a relationship together with shared requirements, and are maintained or controlled by at least one member of the community. Collaboration between similar organizations that combine resources to offer a private cloud.
On-Demand Service
A cloud customer can provision services in an automatic manner, when needed, with minimal involvement from the cloud provider
Software as a Service (SaaS)
A cloud service category in which a full application is provided to the cloud customer, and the cloud provider maintains responsibility for the entire infrastructure, platform, and application
Infrastructure as a Service (IaaS)
A cloud service category where infrastructure-level services (such as processing, storage, and networking) are provided by a cloud service provider. Customer controls services deployed in the cloud. Customer has limited control over network configs. Customer controls OS, storage, and deploying apps.
Platform as a Service (PaaS)
A cloud service category where the platform services, such as Azure or AWS, are provided to the cloud customer, and the cloud provider is responsible for the system up to the level of the actual application. Cloud provider is responsible for patching and deploying the system. Provider controls OS, storage, servers, networking.
Hybrid Cloud
A cloud service that combines two other types of cloud deployment models. Benefit of retaining critical systems internally.
Defense in Depth
A defense that uses multiple types of security devices to protect a network. Also called layered security.
Cloud Service Category
A group of cloud services that have a common set of features or qualities
Cloud Service Broker (Cloud Computing Role)
A partner that serves as an intermediary between a cloud service customer and cloud service provider
Private Cloud
Cloud services model where the cloud is owned and controlled by a single entity for their own use. May be operated by the organization or a third party. Can be located on or off prem.
Key benefit of PaaS
Ability to reduce lock in
4 Main areas of access management
Account provisioning; Directory services; Administration and privileged access; Authorization
Cloud Applications
An application that does not reside or run on a user's device but rather is accessible via a network
Cloud Auditor (Cloud Computing Role)
An auditor that is specifically responsible for conducting audits of cloud systems and cloud applications
Multitenancy
Architecture providing a single instance of an application to serve multiple clients or tenants
Denial of Service (DoS)
Attack floods a network or server with service requests to prevent legitimate users' access to the system
Account Hijacking
Attacker is able to gain access to the cloud environment due to a compromised account
Resource pooling
The aggregation of resources allocated to cloud customers by the cloud provider
Access Control
Based on Authentication, Authorization and Accounting. Authentication - Verify who they are; Authorization - Given minimal rights to access; Accounting - Tracking the other two through logs and records
certificate
Basis for proving identity and authenticating ownership of a public key to a specific user
capital expenditures
Buildings, computer equipment. Purchasing on prem would be cap ex
8 Cloud Service Provider Roles
Cloud service operations manager - Prepares system for the cloud, administers service, monitors service, provides audit data; Cloud service deployment manager - Gathers metrics on cloud services, manages deployment steps and process; Cloud service manager - Delivers, provisions, and manages cloud services; Cloud service business manager - Oversees business plans and customer relationship; Customer support and care representative; Inter-cloud provider - Responsible for peering with other cloud services and providers; Cloud service security and risk manager - Manages security and risks and security compliance; Network provider - Responsible for network connectivity
Cloud Service
Capabilities offered via a cloud provider and accessible via a client
NIST Definition of Cloud Computing
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Shared Technologies Issues
Cloud provider uses the same underlying platform across many environments that customers are on. This creates a risk that a vulnerability will affect many of the customers at the same time
3 Cloud Service Partner Roles
Cloud service developer - Develops cloud components and services and performs the testing and validation; Cloud auditor; Cloud service broker - Obtains new customers, analyzes the marketplace and secures contracts and agreements
Public Cloud
Cloud service model where the cloud is maintained and controlled by the cloud provider, but the services are available to any potential cloud customer. Pay only for services used. Scalable as needed by customer.
4 Cloud Service Customer Roles
Cloud service user; Cloud service administrator - Tests cloud services, monitors services; Cloud service business manager - Oversees business and billing administration; Cloud service integrator - Connects and integrates existing systems
Measured Service
Cloud services are typically billed in small increments based on the computing resources you consume
C-I-A Triad
Confidentiality, Integrity, Availability
ISO IEC 27001:2013
Considered the gold standard for information systems and security. Drawback is it falls short on being able to span multiple environments and compensate for portability issues because it was not originally designed for cloud. 114 controls organized over 14 domains: Information security policies; Organization of information security; Human resource security; Asset management; Access control; Cryptography; Physical and environmental security; Operations security; Communications security; System acquisition, development, and maintenance; Supplier relationships; Information security incident management; Information security aspects of business continuity management; Compliance
Cloud Data Security Lifecycle
Create, Store, Use, Share, Archive, Destroy
Payment Card Industry Data Security Standard (PCI DSS)
Developed by the major credit card labels. Contains 12 compliance requirements.
Key Phases of IAM
Provisioning and de-provisioning; Privileged user management; Centralized directory services; Authentication and access management
FIPS 140-2
Federal Information Processing Standard; accreditation of cryptographic modules put out by the federal government. Defines 4 levels of security (low to high). 11 sections that define security requirements.
Cloud Deployment Model
How cloud computing is delivered through a set of particular configurations and features of virtual resources
Cloud Computing activities are outlined by ...
ISO/IEC 17789:2014
Common Criteria
ISO/IEC international standard for computer security. Orgs put forth their Security Functional Requirements (SFR) and Security Assurance Requirements (SAR). Vendors can then make claims, and their SFR and SAR are tested and given an Evaluation Assurance Level (EAL). EAL1 - Functionally tested; EAL2 - Structurally tested; EAL3 - Methodically tested and checked; EAL4 - Methodically tested, checked, reviewed; EAL5 - Semi-formally designed and tested; EAL6 - Semi-formally verified design and tested; EAL7 - Formally verified design and tested
3 Cloud Service Categories
IaaS (Infrastructure as a Service); PaaS (Platform as a Service); SaaS (Software as a Service)
Identity and Access Management (IAM)
Identity Management, access management, identity repository/directory services
SOC 2
Includes 5 areas - Security, availability, processing integrity, confidentiality and privacy. 7 principles within Security: Organization and management; Communications; Risk management and design implementation; Monitoring of controls; Logical and physical access controls; System operations; Change management
Cloud Access Security Broker (CASB)
Independent identity and access management services to cloud service providers and cloud customers. Single sign-on; Certificate management; Cryptographic key escrow
3 Cloud Service Capabilities
Infrastructure service capability - Cloud customer can provision and have substantial configuration control over processing, storage and network resources; Platform service capability - Cloud customer can deploy code and applications using programming languages and libraries that are maintained by the provider; Software service capability - Cloud customer uses a fully established application provided by the cloud provider, with minimal user configuration options allowed
Remote Key Management Service
Maintained and controlled by the customer at their own location. Offers highest degree of security. Negative: connectivity has to be open and always maintained for the systems and applications hosted by the cloud provider to function properly.
Integrity
Maintaining the consistency and validity of data. Ensures that the data has not been altered by any unauthorized parties
Key benefit of IaaS
Metered and priced usage on the basis of units consumed
ISO/IEC 17888 6th Standard for Cloud computing
Multi-tenancy
7 Security Concerns for IaaS
Multi-tenancy; Co-location; Hypervisor security and attacks; Network security; Virtual machine attacks; Virtual switch attacks; Denial-of-Service (DoS) attacks
Examples of Asymmetric Algorithms
NTRUEncrypt cryptosystem; ElGamal; Cramer-Shoup cryptosystem; Paillier cryptosystem
Cloud Computing
Network-accessible platform that delivers services from a large and scalable pool of systems, rather than dedicated physical hardware and more static configurations
5 NIST Key Cloud Computing Characteristics
On-demand self-service; Broad network access; Resource pooling; Rapid elasticity; Measured service
Tenant
One or more cloud customers sharing access to a pool of resources
Cloud Service Customer (Cloud Computing Role)
One that holds business relationship for services with a cloud service provider
Cloud Service Partner (Cloud Computing Role)
One that holds the relationship with either a cloud service provider or a cloud service customer to assist with cloud services and their delivery
Cloud service User (Cloud Computing Role)
One that interacts with and consumes services offered to a cloud service customer by a cloud service provider
Cloud Service Provider (Cloud Computing Role)
One that offers cloud services to cloud service customers
2 Common Data Sanitation Methods
Overwriting; Cryptographic erasing
Client Side Key Management
Provided by the cloud provider but hosted and controlled by the customer. Most common for SaaS implementations.
Federation (Federated identity)
Provides policies, processes and mechanisms that manage identity and trusted access to systems across organizations. OAuth 2.0 and SAML are the most common protocols.
Least Privilege
Providing only the minimum amount of privileges necessary to perform a job or function.
2 Commonly Used Key Management Services (KMS)
Remote key management service; Client-side key management service
SOC 1
Service Organization Control. Standards that evaluate and audit the use and control of financial information. SOC 1 includes information on management structure, target customer bases, and information about the regulations the organization is subject to.
SLA
Service level agreement. An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
Type 2 hypervisor
Software based. Resides on the host system itself and then orchestrates the hosts under its purview. Example: VMware Workstation
NIST SP 800-53
Specifically written for the federal government and orgs that work with Federal, but commonly used outside of that. Revision 4 elements: Insider threats and malicious activity; Software application security; Social networking; Mobile devices; Cloud computing; Persistent threats; Privacy
4 Security Concerns for PaaS
System isolation; User permissions; User access; Malware, Trojans, backdoors, and administrative nightmares
Availability
Systems are available for authorized users who rely on them
Reversibility
The ability of a cloud customer to remove all data and applications from a cloud provider and completely remove all data from their environment, along with the ability to move into a new environment with minimal impact to operations
Cloud Application portability
The ability to migrate a cloud application from one cloud provider to another.
Cloud Data Portability
The ability to move between cloud providers
Data Portability
The ability to move data from one system or another without having to re-enter it
Insufficient Due Diligence
Threat caused by a lack of proper and thorough evaluation of a company's systems, designs, and controls; a company may unintentionally expose itself to more risk by moving to a cloud environment
Insufficient Identity, Credential, and Access Management
Threat caused by lack of sufficient controls over the identity and credential system used for access.
Malicious insider threat
Threat centered on an individual who has access and uses it for unauthorized purposes to exploit systems or data
Abuse and Nefarious Use of Cloud Services
Threat to cloud providers where an attacker is able to gain access to the wide array of cloud resources and cloud customers' environments
Advanced Persistent Threat (APT)
Threat where attackers target systems with intent of establishing themselves and stealing data over a long term.
Data Loss
Threat where data that an organization relies on becomes lost, unavailable, or destroyed when it should not have been
Type 1 hypervisor
Tied to the underlying hardware and hosts virtual machines on top of it. It operates as the sole layer between hardware and the host. Example: VMware ESXi
Web Application Firewall Prevents ...
URL tampering; SQL injection; Cross-site scripting
Data breach
Unauthorized exposure of sensitive and private data to a party that is not entitled to have it
Operational Expenditure
Utility costs, maintenance. A cloud service would be an Op Ex
3 Security Concerns for SaaS
Web application security; Data policies; Data protection and confidentiality
Insecure interfaces and APIs
When an attacker is able to compromise API connections to the cloud interface
Asymmetric key encryption
Different keys are used to encrypt and decrypt the communication. Slower than symmetric, but more secure
Cryptography
Process of making information unreadable by unauthorized entities
Communication as a Service
Provides VoIP (Voice over Internet Protocol), Virtual Private Network capabilities and unified communication services without requiring the cloud subscriber to host and manage the underlying infrastructure.
4 Cloud Deployment Models
Public, private, community, hybrid