Chapter 6, Responsibilities in the Cloud
Name 3 things that are necessary for Application version control.
1) Applying requisite patches and upgrades. 2) Ensuring interoperability with the rest of the environment. 3) Documenting all changes and developments.
What are the 3 ways that individuals are granted access to resources in the cloud?
1) Customer Directly Administers Access. 2) Provider Administers Access on Behalf of the Customer. 3) Third-Party (CASB) Administers Access on Behalf of the Customer.
Name 3 issues with encrypting data.
1) Processing overhead increases with the volume of encrypted data. 2) Some security controls, such as DRM, DLP, and IDS/IPS solutions, might not function in the same manner because they cannot recognize the content of the traffic. 3) Key storage is always an issue.
Name 6 ways to secure an operating system in the cloud.
1) Removing unnecessary services and libraries. 2) Closing unused ports. 3) Installing antimalware agents. 4) Limiting administrator access. 5) Ensuring default accounts are removed. 6) Ensuring event/incident logging is enabled.
Name 5 things that a CSP must control in order to have an effective datacenter.
1) Secure hardware components. 2) Managing hardware configuration. 3) Setting hardware to log events and incidents. 4) Determining compute component by customer need. 5) Configuring secure remote administrative access.
Describe the need for a CSP to manage hardware configuration.
A template for the secure configuration of each specific device should be constructed, and it should be replicated whenever a new device of that particular type is added to the environment. The baseline hardware configuration should be saved in a secure manner and kept current through the formal change management process
Describe the cloud provider responsibility of the secure configuration of virtualized elements.
Any virtual elements must be configured in a secure fashion to attenuate potential risks such as data leakage and malicious aggregation. This is not limited to virtual hosts and OSs, but it should also include any virtualized networking or storage assets.
Who is responsible for security when using PaaS?
The cloud provider will maintain physical security control of the facility and hardware but will now also be responsible for securing and maintaining the OS. The cloud customer will remain obligated to provide all other security.
Describe the need for a CSP to have secure hardware components.
Because of the ubiquitous use of virtualization in the cloud environment, hardware devices will have to be configured properly to ensure secure implementation of hypervisors, virtual machines, and virtual OSs. This can and should include specific BIOS settings on each hardware component, following vendor and manufacturer guidance, installing centralized virtualization management toolsets on each device, and, if cryptoprocessing will be used, ensuring the hardware has the proper settings for utilization of the Trusted Platform Module (TPM) standard.
Who is responsible for security when using IaaS?
Because the cloud provider is only hosting the hardware and utilities, their only sole responsibility will be for physical security of the facility and systems. Both parties will share the responsibility for securing the infrastructure.
Will cloud providers provide SOC 2 reports to their customers?
Cloud vendors will probably never share a SOC 2 Type 2 report with any customer or even release it outside the provider's organization. The SOC 2 Type 2 report is extremely detailed and provides exactly the kind of description and configuration that the cloud provider is trying to restrict from wide dissemination. It's basically a handbook for attacking that cloud provider.
What are the 3 components of a cloud service provider datacenter?
Compute, storage, and networking. Compute nodes are the hosts, where users will process operational data. Storage nodes are where the data is securely stored, either for near-term or long-term. Networking is all the equipment used for connecting the other nodes—the hardware devices such as routers and switches, and the cables that connect them.
With regard to software, what is crowdsourcing?
Determining from other users - current and past - what their experience with particular software offered in the form of results, good or bad.
Between the cloud customer and the cloud service provider, who is responsible for Infrastructure security and Physical security?
The cloud provider.
What is the Management Plane?
Each of the cloud datacenter elements such as the hardware, the logical configuration, and the networking elements, will most likely be managed through a centralized management and control interface, often referred to as the "management plane" or the "control plane." This interface gives a great deal of control to the administrators, analysts, and architects who will design, oversee, manage, and troubleshoot the cloud datacenter.
What are 3 ways a CSP can safeguard connections between the datacenter and the rest of the world?
Encryption, Virtual Private Networks (VPN), and Strong authentication.
Describe IDS/IPS systems.
Intrusion-detection systems (IDSs) and intrusion prevention systems (IPSs) are very similar to firewalls in that they monitor network traffic. These can also use defined rule sets, behavior-based algorithms, content, or stateful inspection to detect anomalous activity. The explicit difference between an IDS and an IPS is that an IDS usually only reports suspicious activity, alerting responders, whereas the IPS can be set to take defensive action when suspicious activity is recognized , in addition to sending alerts.
Name 2 aspects of the logical framework that are the responsibility of the cloud provider.
Installation of virtual OS's and Secure configuration of virtualized elements.
What are Firewalls?
Firewalls are tools that limit communications based on some criteria. They can be either hardware or software, or a combination of both. Firewalls can be stand-alone devices or integrated into other network nodes such as hosts and servers. The criteria for determining which traffic is allowed and which is not can take the form of rules, behavior-sensing algorithms, stateful inspection, or even inspection of content.
Name 5 cloud service provider repsonsibilities when it comes to Secure networking.
Firewalls, IDS/IPS systems, Honeypots, Vulnerability assessments, and Communication protection.
What does a Shared Policy do?
Helps the customer to seek financial restitution for damages caused to them that occurred because of negligence or malfeasance on the part of the provider.
What is a drawback to a cloud service provider building a new facility to house a datacenter?
It is often much more expensive than purchasing or leasing an existing facility. It also requires a long-term plan for continued growth and development of the business, which often involves purchasing a larger piece of land than is initially needed for the first datacenter, with the understanding that additional datacenters might be built on that same property
Describe SOX.
It requires that auditors report on the trustworthiness of the financial reporting documents, and also the organization's own controls used to protect the organization's security, availability, processing integrity, confidentiality, and privacy. It also requires that any notification of pending investigation requires a suspension of all data-destruction activities within the organization.
What does strong authentication do?
Reduces the likelihood of unauthorized users gaining access and restricts authorized users to permitted activities.
What are SOC 1 reports?
SOC 1 reports are strictly for auditing the financial reporting instruments of a corporation. There are two subclasses of SOC 1 reports: Type 1 and Type 2.
What are SOC reports?
SOC reports are part of the SSAE reporting format created by the American Institute of Certified Public Accountants (AICPA). These are uniformly recognized as being acceptable for regulatory purposes in many industries.
As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphi, Congress passed legislation known as what?
SOX.
What are vulnerabiity assessments?
Scans of the network in order to detect known vulnerabilities. These can be automated so that they're scalable for networks of any appreciable size. The unfortunate flaw in vulnerability assessments is that they will only detect what they know to be looking for. That is, they only detect known vulnerabilities.
Describe the need for a CSP to configure secure remote administrative access to its datacenter.
Security enhancements for remote access might include implementing session encryption for the access connection, strong authentication for remote users and administrators, and enhanced logging for accounts with administrative permissions.
Describe the need for a CSP to determine compute components by customer need.
Some cloud customers might not be suited to a multitenant environment and would prefer to only have their data processed and stored in and on devices specifically and exclusively assigned to them. Most cloud providers will offer the option, albeit at an increased service fee. Unlike stand-alone hosts assigned to specific customers, clustered hosts will provide scalable management benefits, allowing customers who opt for the multitenant environment to realize significant cost savings.
Do all systems use the same secure baseline configuration?
Some specialized uses may require adjustments to the baseline for business tasks. In such cases, the deviation should be formally approved by the change/configuration management process and limited to situations, OS instances, and machines where that function is necessary. Configuration monitoring tools should be adjusted accordingly so that these particular cases are not constantly setting off alerts.
What is the difference between a SOC 2 Type 1 and Type 2 report?
The SOC 2 Type 1 only reviews the design of controls, not how they are implemented and maintained, or their function. The SOC 2 Type 2 report does just that. This is why the SOC 2 Type 2 is the sort of report that is extremely useful for getting a true assessment of an organization's security posture.
What is a SOC 3 report?
The SOC 3 is the "seal of approval". It contains no actual data about the security controls of the audit target and is instead just an assertion that the audit was conducted and that the target organization passed. It is the type of report most likely to be seen by a cloud customer.
Between the cloud customer and the cloud service provider, who is responsible for Data security and Security Governance, Risk, and Compliance, or GRC?
The cloud customer.
What is a drawback to using a management plane?
The cloud provider must take great pains to ensure that the management plane is configured correctly and securely, that sufficient redundancy exists for every aspect of the management plane so that there is no interruption of service, and that extremely strong access control is implemented for the management plane to attenuate possible attempts to subvert or invade it.
Who is responsible for security when using SaaS?
The cloud provider will have to maintain physical security for the underlying infrastructure and OS as in the previous models, but will have to secure the programs as well. In this case, the cloud customer will only be left with very specific aspects of security: access and administration of assigned user permissions to the data.
What is a generalized way to get around a cloud provider not wanting to provide detailed reporting to their cloud customers?
The customer and provider may agree to share doctrinal mechanisms in common, such as industry standards, guidelines, vendor documentation, and other policy and procedural artifacts. This could be true whether the service is IaaS, PaaS, or SaaS. If the parties choose this type of arrangement, both must agree to work from the same version of each artifact, and must involve the other in any change management process that affects the documents.
Since a customer usually can't perform the types of audits done in a non-cloud environment, how can a cloud provider give assurance to customers that effective audits were completed?
The provider is likely to publish an audit assurance statement: something from the auditor that states, in formal terms, that an audit was performed, and that the auditor finds the results suitable for the purposes of the provider's operations.
How is data monitoring handled in the cloud when the cloud provider does not want a cloud customer to access information that is not specific to their contract with the cloud provider?
The provider may allow the customer access to data streams or administrative capabilities on devices in order for the customer to perform their own monitoring and testing activities, in conjunction with or in addition to the provider's own efforts. Because of the provider's inherent requirements to ensure security throughout the cloud environment, this access is most probably going to be very limited.
Describe the cloud provider responsibility of the installation of virtual OS's.
The provider must ensure that virtual OSs installed in the datacenter on virtual or hardware hosts are configured and installed in a secure manner. Also, as virtual OSs are deployed in the environment, virtualization management tools should be installed concurrently to ensure the provider's ability to monitor the virtual environment for both performance and security issues, and to enforce configuration policy.
Describe the need for a CSP to set hardware to log events and incidents.
The provider should ensure that sufficient data related to the activity on each machine is being saved for possible future use, including incident investigation and forensic purposes. This event data should be sufficient to determine exactly what occurred and the identity of the users involved in each event, aka attribution.
Why would a cloud service provider choose to build a new facility for its datacenter rather than using an existing facility?
The provider will have much more control of how the facilities are designed, which can lead to better control over physical access to the property and buildings, as well as optimized performance of the systems within the datacenter.
What is the CSP responsibility of mapping and selection of controls?
There are many types of regulation and appropriate standards. The cloud provider must understand which are applicable to the datacenter, in terms of both location and operation, and to the customers, in terms of both location and operations.
What are SOC 2 reports?
They are specifically intended to report audits of any controls on an organization's security, availability, processing integrity, confidentiality, and privacy. Therefore, a cloud provider intending to prove its trustworthiness would look to a SOC 2 report.
What are honeypots?
Tools used to detect, identify, isolate, and analyze attacks by attracting attackers. This is usually a dummy machine with useless data, partially secured and configured as if it was a realistic portion of the production environment. When attackers penetrate it and attempt nefarious activity, the security team can monitor and record the attackers' behavior. This information can be used for defensive purposes in the actual production environment, or as evidence in litigation and prosecution actions.
What can be done to ensure all operating systems are using a minimum secure baseline?
Use tools to continually check the environment to ensure all current images and machines have an OS that meets the baseline configuration. Any OS configuration that differs from the baseline and is detected by the monitoring tool should be addressed accordingly.
How can operating systems be replicated or reinstalled in the cloud?
When a customer needs to replicate a specific OS, the saved configuration can be copied from a backup that is on the same virtual machine or others.
What is the pyramid of responsibility for a cloud customer vs. a cloud service provider in terms of IaaS, PaaS, and SaaS?
With IaaS, the customer has most of the responsibility. With PaaS there is shared responsibility between the provider and the customer. With SaaS, the cloud service provider has most of the responsibility.