CCSK - DOMAIN 1: CLOUD COMPUTING ARCHITECTURAL FRAMEWORK
How does NIST define cloud computing with five essential characteristics?
1) Broad Network Access 2) Rapid Elasticity 3) Measured Service 4) On-demand Self Service 5) Resource Pooling
How does NIST define cloud computing with four deployment models?
1) Public 2) Private 3) Hybrid 4) Community
How does NIST define cloud computing with three service models?
1) SaaS 2) PaaS 3) IaaS
What are alternative approaches to encryption?
1) Tokenization 2) Anonymization 3) Utilizing cloud database controls
What is the "on-demand self-service" characteristic?
A consumer can provision computing capabilities such as server time and network storage as needed automatically without requiring human interaction with a service provider.
What is continuous integration (aka DevOps)?
Allows pushing an image to overwrite the estate (e.g. patching the whole estate at once instead of individual servers)
What is the "broad network access" characteristic?
Capabilities are available over the network and accessed through standard mechanisms that promote use by thin or thick client platforms (e.g., mobile phones, laptops, and PDAs) as well as other traditional or cloud-based software services.
What is the "rapid elasticity" characteristic?
Capabilities can be rapidly and elastically provisioned — in some cases automatically — to quickly scale out; and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
What is the SPI model?
Cloud service delivery is divided among three models referred to as the "SPI Model," where "SPI" refers to Software, Platform or Infrastructure (as a Service), respectively.
What is the "measured service" characteristic?
Cloud systems automatically control and optimize resource usage by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth, or active user accounts). Resource usage can be monitored, controlled, and reported — providing transparency for both the provider and consumer of the service.
What is federated identity management?
Connecting identities (or identity providers) to services; if you don't trust the identity provider, then you need to create your own identities (e.g. SAML, OAuth, WS-Federation, AD)
What is European Data Protection Directive (DPD)?
Controller (who is collecting info) / Processor (collecting, storing, using)
How do you determine the general "security" posture of a service and how it relates to an asset's assurance and protection requirements?
First, one classifies a cloud service against the cloud architecture model. Then it is possible to map its security architecture as well as business, regulatory, and other compliance requirements against it as a gap-analysis exercise.
What are the three dimensions of legal issues?
Functional, Location (Jurisdiction), Contractual
What is the Traditional Security, Business Continuity and Disaster Recovery domain about?
How cloud computing affects the operational processes and procedures currently used to implement security, business continuity, and disaster recovery. The focus is to discuss and examine possible risks of cloud computing, in hopes of increasing dialogue and debate on the overwhelming demand for better enterprise risk management models. Further, the section touches on helping people to identify where cloud computing may assist in diminishing certain security risks, or entails increases in other areas.
What is the Data Center Operations domain about?
How to evaluate a provider's data center architecture and operations. This is primarily focused on helping users identify common data center characteristics that could be detrimental to on-going services, as well as characteristics that are fundamental to long-term stability.
Which cloud service layer provides the least security capabilities?
IaaS - The lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves.
What does IaaS ultimately provide?
IaaS provides a set of APIs, which allow management and other forms of interaction with the infrastructure by consumers.
What is the Encryption and Key Management domain about?
Identifying proper encryption usage and scalable key management. This section is not prescriptive, but is more informational in discussing why they are needed and identifying issues that arise in use, both for protecting access to resources as well as for protecting data.
What is the Compliance and Audit domain about?
Maintaining and proving compliance when using cloud computing. Issues dealing with evaluating how cloud computing affects compliance with internal security policies, as well as various compliance requirements (regulatory, legislative, and otherwise) are discussed here. This domain includes some direction on proving compliance during an audit.
What is the Information Management and Data Security domain about?
Managing data that is placed in the cloud. Items surrounding the identification and control of data in the cloud, as well as compensating controls that can be used to deal with the loss of physical control when moving data to the cloud, are discussed here. Other items, such as who is responsible for data confidentiality, integrity, and availability are mentioned.
What is the Identity and Access Management domain about?
Managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization's identity into the cloud. This section provides insight into assessing an organization's readiness to conduct cloud-based Identity, Entitlement, and Access Management (IdEA).
What is multi-tenancy?
Multi-tenancy implies use of the same resources or application by multiple consumers that may belong to the same or different organizations. Multi-tenancy implies a need for policy-driven enforcement, segmentation, isolation, governance, service levels, and chargeback/billing models for different consumer constituencies.
What is PEP?
Policy Enforcement Point - if you federate identity, then you also federate your authorization process
What is the Legal Issues: Contracts and Electronic Discovery domain about?
Potential legal issues when using cloud computing. Issues touched on in this section include protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, international laws, etc.
What is discovery?
Process of finding info for litigation hold (to be surrendered in legal proceeding)
What is the Incident Response, Notification and Remediation domain about?
Proper and adequate incident detection, response, notification, and remediation. This attempts to address items that should be in place at both provider and user levels to enable proper incident handling and forensics. This domain will help you understand the complexities the cloud brings to your current incident-handling program.
What is the Security as a Service domain about?
Providing third party facilitated security assurance, incident management, compliance attestation, and identity and access oversight. Security as a service is the delegation of detection, remediation, and governance of security infrastructure to a trusted third party with the proper tools and expertise. Users of this service gain the benefit of dedicated expertise and cutting edge technology in the fight to secure and harden sensitive business operations.
What are examples of security as a service?
SIEM, spam filtering, WAF, DDN (DDoS prevention), guest Wi-Fi, CASB (DLP, file-share prevention), IP and DNS reputation services
Which cloud service layer provides the least extensibility and most security?
SaaS provides the most integrated functionality built directly into the offering, with the least consumer extensibility, and a relatively high level of integrated security (provider bears a responsibility for security).
What is the Application Security domain about?
Securing application software that is running on or being developed in the cloud. This includes items such as whether it's appropriate to migrate or design an application to run in the cloud, and if so, what type of cloud platform is most appropriate (SaaS, PaaS, or IaaS).
What is security for cloud computing?
Security controls in cloud computing are, for the most part, no different than security controls in any IT environment. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions.
What is the Governance and Enterprise Risk Management domain about?
The ability of an organization to govern and measure enterprise risk introduced by cloud computing. Items such as legal precedence for agreement breaches, ability of user organizations to adequately assess risk of a cloud provider, responsibility to protect sensitive data when both user and provider may be at fault, and how international boundaries may affect these issues.
What is the Portability and Interoperability domain about?
The ability to move data/services from one provider to another, or bring them entirely back in-house, together with issues surrounding interoperability between providers.
What is the Hybrid Cloud deployment model?
The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
What is the Public Cloud deployment model?
The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
What is the Private Cloud deployment model?
The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premise or off-premise.
What is the Community Cloud deployment model?
The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or by a third party and may be located on-premise or off-premise.
How are CCSK domains broken down?
The domains are divided into two broad categories: governance and operations. The governance domains are broad and address strategic and policy issues within a cloud computing environment, while the operational domains focus on more tactical security concerns and implementation within the architecture.
What is the "resource pooling" characteristic?
The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. Even private clouds tend to pool resources between different parts of the same organization.
What is the Virtualization domain about?
The use of virtualization technology in cloud computing. The domain addresses items such as risks associated with multi-tenancy, VM isolation, VM co-residence, hypervisor vulnerabilities, etc. This domain focuses on the security issues surrounding system/hardware virtualization, rather than a more general survey of all forms of virtualization.
What are the two types of SLAs?
There are two types of SLAs, negotiable and non-negotiable. One can assign/transfer responsibility but not accountability.
What does Identity, Entitlement, and Access Management (IdEA) protect against?
Spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege (STRIDE)