CCSP Domain 1

Regulation for Financial/Retail Sector

(PCI DSS) Payment Card Industry Data Security Standard

Number of Cloud service models

3

Confidentiality

The prevention of sensitive dat from being accessed or viewed by any other party other than those authorized

symmetric key cryptography

The same key is used to encrypt and decrypt the data, so the key must be known and available by both parties

Regulation for US Federal Agencies and Contractors

(FISMA) Federal Information Security Management Act

Regulation for US Healthcare Sector

(HIPPA) Health Insurance Portability and Accountability Act

Community Cloud

A Cloud Service model where the tenants are limited to those that have a relationship together with shared requirements, and are maintained or controlled by at least on member of the community collaboration between similar organizations that combine resources to offer a private cloud

On-Demand Service

A cloud customer can provision services in an automatic manner, when needed, with minimal involvement from the cloud provider

Software as a Service (SaaS)

A cloud service category in which a full application is provided to the cloud customer, and the cloud provider maintains responsibility for the entire infrastructure, platform, and application

Infrastructure as a Service (IaaS)

A cloud service category where infrastructure level services (such as processing, storage, and networking) are provided by a cloud service provider Customer controls services deployed in the cloud customer has limited control over network configs Customer controls OS, storage,, and deploying apps

Platform as a Service (PaaS)

A cloud service category where the platform services such as azure or AWS, are provided to the cloud customer, and the cloud provider is responsible for the system up to the level of the actual application Cloud provider is responsible for patching and deploying system Provider controls OS, Storage, servers, networking

Hybrid Cloud

A cloud service that combines two other types of cloud deployment models Benefit of retaining critical systems internally

Defense in Depth

A defense that uses multiple types of security devices to protect a network. Also called layered security.

Cloud Service Category

A group of cloud services that have a common set of features or qualities

Cloud Sercice Broker (Cloud Computing Role)

A partner that serves as an intermediary between a cloud service customer and cloud service provider

Private Cloud

Cloud services model where the cloud is owned and controlled by a single entity for their own use May be operated by the organization or a third party Can be located on or Off prem

Key benefit of PaaS

Ability to reduce lock in

4 Main areas of access management

Account Provisioning Directory Services Administration and privileged access Authorization

Cloud Applications

An application that does not reside or run on a user's device but rather is accessible via a network

Cloud Auditor (Cloud Computing Role)

An auditor that is specifically responsible for conducting audits of cloud systems and cloud applications

Multitenancy

Architecture providing a single instance of an application to serve multiple clients or tenants

Denial of Service (DoS)

Attack floods a network or server with service requests to prevent legitimate users' access to the system

Account Hijacking

Attacker is able to gain access to the cloud environment due to a compromised account

Resource pooling

The aggregation of resources allocated to cloud customers by the cloud provider

Access Control

Based on Authentication, Authorization and Accounting Authentication - Verify who they are Authorization - Given minimal rights to access Accounting - Tracking the other two through logs and records

certificate

Basis for proving identity and authenticating ownership of a public key to a specific user

capital expenditures

Buildings, computer equipment. Purchasing on prem would be cap ex

8 Cloud Service Provider Roles

Cloud service operations manager - Prepares system for the cloud, administers service, monitors servie, provides audit data Cloud service deployment manager - Gather metrics on cloud services, manage deployment steps and process Cloud service Manager - Delivers, provisions, and manages cloud services Cloud service business manager - Oversees business plans and customer relationship Customer support and care representative Inter-cloud provider - Responsible for peering with other cloud services and providers Cloud service security and risk manager - Manages security and risks and security compliance Network provider - responsible for network connectivity

Cloud Service

Capabilities offered via a cloud provider and accessible via a client

NIST Definition of Cloud Computing

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Shared Technologies Issues

Cloud provider uses the same underlying platform across many environments that customers are on. This creates a risk that a vulnerability will affect many of the customers at the same time

3 Cloud Service Partner Roles

Cloud service developer - develops cloud components and services and performs the testing and validation Cloud Auditor Cloud service broker - Obtains new customers, analyzes the marketplace and secures contracts and agreements

Public Cloud

Cloud service model where the cloud is maintained and controlled by the cloud provider, but the services are available to any potential cloud customer Pay only for services used Scalable as needed by customer

4 Cloud Service Customer Roles

Cloud service user Cloud Service administrator - Tests cloud services, monitors services Cloud service business manager - oversees business and billing administration Cloud service integrator - Connects and integrates existing systems

Measured Service

Cloud services are typically billed in small increments based on the computing resources you consume

C-I-A Triad

Confidentiality, Integrity, Availability

ISO IEC 27001:2013

Considered the gold standard for information systems and security Drawback is it falls short on being able to span multiple environment and compensate for portability issues because it was not originally designed for cloud 114 controls organized over 14 domains INformation Security policies Organization of information Security Human Resource Security Asset Management Access control Cryptography Physical and environmental security Operations security Communications security System acquisition, development, and maitenance Supplier relationships Information security incident management Information security aspects of business continuity management Compliance

Cloud Data Security Lifecycle

Create Store Use Share Archive Destroy

Payment Card Industry Data Security Standard (PCI DSS)

Developed by the major credit card labels Contains 12 compliance requirements

Key Phases of IAM

Provisioning and de-provisioning Privileged user management Centralized directory services Authentication and access management

FIPS 140-2

Federak Information Processing Standard, accreditation of cryptographic modules put out by federal government Defines 4 levels of security (low to high) 11 sections that define security requirements

Cloud Deployment Model

How cloud computing is delivered through a set of particular configurations and features of virtual resources

Cloud Computing activites are outlined by ....

ISO/IEC 17789:2014

Common Criteria

ISO/IEC international standard for computer security Orgs put forth their Security Functional Requirements (SFR) and Security Assurance Requirements (SAR). Venders can then make claims and their SFR and SAR are tested and given a Evaluation Assurance Level (EAL) EAL1 Functionally tested EAL2 Structurally tested EAL3 Methodically tested and checked EAL4 Methodically tested, checked, reviewed EAL5 Semi-formally designed and tested EAL6 Semi-formally verified design and tested EAL7 Formally verified design and tested

3 Cloud Service Categories

IaaS (Infrastructure as a Service) PaaS (Platform as a Service) SaaS (Software as a Service)

Identity and Access Management (IAM)

Identity Management, access management, identity repository/directory services

SOC 2

Includes 5 areas - Security, availability, processing integrity, confidentiality and privacy 7 principles within Security Organization and management Communications Risk management and design implementation Monitoring of controls Logical and physical access controls System operations Change management

Cloud Access Security Broker (CASB)

Independent identitiy and access management services to cloud service providers and cloud customes Single sign on Certificate management Cryptographic key escrow

3 Cloud Service Capabilities

Infrastructure service capability - Cloud customer can provision and have substantial configuration control over processing, storage and network resources Platform service capability - Cloud customer can deploy code and applications using programming languages and libraries that are maintained by the provider Software service capability - the cloud customer uses fully established application provided by the cloud provider, with minimal user configuration options allowed

Remote Key Management Service

Maintained and controlled by the customer at their own location Offers highest degree of security Negative: connectivity has to be open and always maintained for the systems and applications hosted by cloud provider to function properly

Integrity

Maintaining the consistency and validity of data. Ensures that the data has not been altered by any unauthorized parties

Key benefit of IaaS

Metered and priced usage on the basis of units consumed

ISO/IEC 17888 6th Standard for Cloud computing

Multi-tenancy

7 Security Concerns for IaaS

Multi-tenancy Co-location Hypervisor security and Attacks Network Security Virtual Machine Attacks Virtual Switch Attacks Denial-of-Service (DoS) Attacks

Examples of Asymmetric Algorithms

NTRUEncrypt cryptosystem EIGamal Cramer-Shoup cryptosystem Paillier cryptosystem

Cloud Computing

Network-accessible platform that delivers services from a large and scalable pool of systems, rather than dedicated physical hardware and more static configurations

5 NIST Key Cloud Computing Characteristics

On-demand self-service Broad network access Resource Pooling Rapid Elasticity Measured Service

Tenant

One or more cloud customers sharing access to a pool of resources

Cloud Service Customer (Cloud Computing Role)

One that holds business relationship for services with a cloud service provider

Cloud Service Partner (Cloud Computing Role)

One that holds the relationship with either a cloud service provider or a cloud service customer to assist with cloud services and their delivery

Cloud service User (Cloud Computing Role)

One that interacts with and consumes services offered to a cloud service customer by a cloud service provider

Cloud Service Provider (Cloud Computing Role)

One that offers cloud services to cloud service customers

2 Common Data Sanitation Methods

Overwriting Cryptographic erasing

Client Side Key Management

Provided by the cloud provider but is hosted and controlled by customer Most common for SaaS implementations

Federation (Federated identity)

Provides policies , processes and mechanisms that manage identity and trusted access to systems across organizations OAuth 2.0 and SAML are the most common protocols

Least Privilege

Providing only the minimum amount of privileges necessary to perform a job or function.

2 Commonly Used Key Management Services (KMS)

Remote key management service Client Side Key Management Service

SOC 1

Service Organization Control, Standards that evaluate and audit the use and control of financial information SOC 1 includes information on management structure, target customer bases, information aboutht he regulations the organization is subject to

SLA

Service level agreement. An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.

Type 2 hypervisor

Software based. Resides on the host system itself and then orchestrates the hosts under its purview. VMware Workstation

NIST SP 800-53

Specifically written for the federal government and orgs that work with Federal, but commonly used outside of that Revision 4 elements Insider threats and malicous activity Software application security Social networking Mobile devices Cloud Computing persistent threats Privacy

4 Security Concerns for PaaS

System Isolation User Permissions User Access Malware, Trojans, Backdoors, and Administrative Nightmares

Availability

Systems are available for authorized users who rely on them

Reversibility

The ability of a cloud customer to remove all data and applications from a cloud provider and completely remove all data from their environment, along with the ability to move into a new environment with minimal impact to operations

Cloud Application portability

The ability to migrate a cloud application from one cloud provider to another.

Cloud Data Portability

The ability to move between cloud providers

Data Portability

The ability to move data from one system or another without having to re-enter it

Insufficient Due Diligence

Threat caused by lack of proper and thorough evaluation of its systems, designs, and controls, a company may unintentionally expose themselves to more risk by moving to a cloud environment

Insufficient Identity, Credential, and Access Management

Threat caused by lack of sufficient controls over the identity and credential system used for access.

Malicious insider threat

Threat centered on an individual who has access and uses it for unauthorized purposes to exploit systems or data

Abuse and Nefarious Use of Cloud Services

Threat on Cloud Providers where an attacker is able to gain access to the wide array of cloud resources and cloud customers environments

Advanced Persistent Threat (APT)

Threat where attackers target systems with intent of establishing themselves and stealing data over a long term.

Data Loss

Threat where data that an organization relies on becomes lost, unavailable, or destroyed when it should not have been

Type 1 hypervisor

Tied to the underlying hardware and hosts virtual machines on top of it. It operates as the sole layer between hardware and the host. VMware ESXI

Web Application Firewall Prevents ...

URL Tampering SQL Injection Cross-site scripting

Data breach

Unauthorized exposer of sensitive and private data to a party that is not entitled to have it

Operational Expenditure

Utility costs maintenance. A cloud service would be an Op Ex

3 Security Concerns for SaaS

Web Application Security Data Policies Data Protection and Confidentiality

Insecure interfaces and APIs

When an attacker is able to compromise API Connections to the cloud interface

asymetric key encryption

different keys ares used to encrypt and decrypt the communication. Slower than symmetric, but more secure

Cryptography

process of making information unreadable by unauthorized entities

Communication as a Service

provides VoIP - Voice over Internet Protocol, Virtual Private Network capabilities and unified communication services without having the cloud subscriber to host and manage the underlying infrastructure.

4 Cloud Deployment Models

public, private, community, hybrid