CCSP CORE CONCEPTS


SOC 2 Report

Used to report on an organization's security, availability, integrity, confidentiality, and privacy. SOC 2 Type 1: not very useful for determining the security and trust of an organization; it only reviews the design of controls, not how they are implemented and maintained. SOC 2 Type 2: very useful for assessing how security controls are implemented and maintained. Providers are not willing to share this report except under very strict conditions with trusted customers.

cloud bursting

when a company uses its own computing infrastructure for normal usage and accesses the cloud when it needs to scale for peak load requirements, ensuring that a sudden spike in usage does not result in poor performance or system crashes

Network Security

With no physical separation, the cloud provider must utilize software separation and access controls, and the provider must ensure they are properly configured and tested.

Risk due to PaaS

Backdoors created by developers. Risk due to virtualization, plus bleed and side-channel attacks due to resource sharing.

PaaS Consideration by the Customer

The cloud customer is allowed to collect and view event logs from the software, not the OS.

Auditing and Compliance

Compliance is made easier by cloud providers offering HIPAA-, PCI-, and GLBA-compliant systems; however, auditing that compliance is much more difficult because: 1) Cloud providers are reluctant to provide physical access to their facilities/systems. 2) It is difficult to determine exactly where (both physically and logically) the customer data is located at any moment, or which devices contain customer data. 3) Cloud providers augment the above issues by providing SOC 3 reports.

Cloud Secure Data Lifecycle

Data is in an active state in the first four stages (Create, Store, Use, and Share), but is moved from the active state (active access and use) to a static state in the Archive and Destroy phases.

Audit from the Provider

Done to instill trust and confidence in the customer. However, the provider will not share a detailed audit of security controls, for the very same reason they do not allow physical access.

disaster recovery

Focused on natural disasters and other events that can cause immediate and catastrophic loss of business operations, unlike business continuity, which encompasses a broad range of disruptions. The customer needs to have a full understanding of the provider's recovery plans and will need to perform regular audits and verifications that the plans are viable and clearly defined in the SLA. With proper auditing, SLAs, and communication plans, management can be assured of efficient business recovery.

Agile Development

Focused on timely delivery of apps/software, but not so much on security, because security is not a core part of Agile development.

Risk due to Virtualization

Guest escape or VM escape: an improperly designed or poorly configured VM might allow the user to access other virtualized instances on the same host; if the user is able to access the host itself, they should be able to access all instances on the machine. Host escape: even worse is host escape, where a user can leave their own machine and access other devices. Information bleed :

Multi-Regional Compliance and Legal Issues

Most regulatory frameworks recognize that cloud consumer organizations are ultimately responsible for the security, integrity, and storage of their own data, even when it is held by an external cloud provider.

Security Concerns for SaaS

Most responsibility falls on the provider, as the customer relies on the provider for code scanning, security procedures, and maintaining an active security program. The issue of portability also arises with SaaS, and use of IDS/IPS may not be optimal. With SaaS, XSS and SQL attacks can put all customers' data at risk; therefore, the provider should build data models to segregate customers' data by using different data stores and strong access controls, scanning, pen testing,

Cloud Specific BIA Concerns

New dependencies: reliance on the provider and other external parties. Regulatory failure: potential failure to meet regulation due to data distribution in the cloud; this includes failure on the part of the cloud customer and the provider. Data breach/inadvertent disclosure: chances are increased in the cloud due to internal personnel and remote access. Vendor lock-in/lock-out: another possible impact of cloud migration.

Risk due to Cloud Deployment Model :Community Cloud

No baseline or uniform configuration and it is difficult to enforce due to multiple/distributed ownership. Vulnerability in one node can result in intrusion on the others. Removes the reliability of centralized standards of Performance and monitoring.

Risk due to Cloud Deployment Model :Private Cloud

Personnel threats, natural disasters, external attacks, regulatory non-compliance, malware.

Risk due to Cloud Deployment Model : Public Cloud

Personnel threats, natural disasters, external attacks, regulatory non-compliance, malware. Vendor lock-in: due to regulation, proprietary software used by the vendor, or contract requirements. Vendor Lock-Out:

Data Retention

Refers to data that is being archived for long-term storage and is not currently used in the production environment. Data retention is mandated by regulation, legislation, and contractual agreements.

cost-benefit analysis

Resource pooling and cyclical demands: the customer will benefit from migrating to the cloud if their system demands are cyclical in nature and have random spikes. Cost structure: in the cloud, cost is unpredictable compared to a traditional data center.

Residual Risk

Risk that is left over after applying all the countermeasures and controls to minimize the risk.

audit results

The auditors should not recommend solutions for shortcomings/gaps, as this would put the auditor in the role of consultant/advisor, which is a conflict of interest.

Broken Authentication and Session Management (OWASP top ten):

These types of weaknesses can allow an attacker to either capture or bypass the authentication methods that are used by a web application. User authentication credentials are not protected when stored. Predictable login credentials. Session IDs are exposed in the URL (e.g., URL rewriting). Session IDs are vulnerable to session fixation attacks. Session value does not time out or does not get invalidated after logout. Session IDs are not rotated after successful login. Passwords, session IDs, and other credentials are sent over unencrypted connections.

GDPR (General Data Protection Regulation)

Under GDPR, the data controller (customer) is ultimately responsible for any unauthorized PII disclosure, and the data processor (cloud provider) is not responsible. GDPR prohibits an organization from collecting EU citizens' PII if the organization resides in a country that does not have a law that resembles or supports all the provisions of GDPR. The US created a law called "Privacy Shield" for US entities to help comply with GDPR.

PII disclosure

Under current laws, no cloud customer can transfer the risk or liability associated with inadvertent or malicious disclosure of PII, and the customer is ultimately responsible for any breaches or release of data, even if the breach resulted from negligence or attack on the part of the cloud provider.

Business Impact Analysis (BIA)

Used in risk assessments, BC/DR, and selection of security controls in the environment.

Risk due to IaaS

Vendor lock-in due to proprietary software. Virtualization risk increased even more in SaaS. Web application security.

Uptime Industry standard

Current industry uptime in cloud service provision is 99.999%, with some providers offering uptime of 99.9999%.

Security Concerns for PaaS

Customers have little to no access at the system level, and no admin-privileged access to the systems is given to the customer. Backdoors created by developers for easy access can expose the system to attack, including the VM and hypervisor, and auto-scaling increases the risk even more.

Data Protection : Data Dispersion

Data is sliced into chunks that are encrypted along with parity bits (also called "erasure coding") and then written to various drives. The erasure coding allows recovery from partial data loss using the remaining data plus the parity bits/erasure code. This technique is also often referred to as "bit splitting".

SOC 3 Report

Designed to be shared with the public and potential customers. It is a seal of approval and does not contain actual data about the security controls from the audit. Instead, it just states that the audit was conducted and passed, so it is not very useful for determining the trustworthiness of the provider.

Business Continuity

encompasses full range of possible service disruptions and how a company can minimize, mitigate, and respond to them to keep operations running, available and secure.

Physical access to devices

Entry and egress should be controlled, monitored, and logged. Racks should be locked, and keys for each rack should be checked out only for the duration of use.

Audit Scope

The extent and boundaries of an audit. Defining it is the first step before the audit begins. This is a crucial part of the overall audit process, as crafting the scope can determine the impact, price, and usefulness of the audit results.

Encryption

Helps alleviate data interception, eavesdropping, and man-in-the-middle attacks due to remote access.

Virtual Machine Attacks

If a virtual machine is compromised, other VMs hosted on the same host will be vulnerable to attack as well, and attacks can also go from VMs to the underlying hypervisor.

Data Archival/Backup services

Improves the BC/DR strategy of an organization.

Database Activity Monitoring (DAM)

Used in coordination with firewalls to monitor databases for anomalous activity by sending alerts or stopping the activity. DAM can be either host-based or network-based.

DATA Center Maintenance

1: All operational instances are removed/migrated from the system/device before it goes into maintenance mode. 2: Prevent all new logins. 3: Ensure logging continues, and begin enhanced logging, because maintenance is usually performed by admins.

Application Security: API gateway

An API gateway is used as part of a layered defense and provides the following features: acting as an API proxy, so the API is not directly exposed; implementing access control to the API; limiting connections to help with bandwidth and DoS attacks; API logging and gathering metrics from API access logs; additional API security filtering.

Business Impact Analysis (BIA)

After sufficient data has been collected, a detailed analysis is necessary, and special attention should be paid to identifying critical paths and single points of failure.

Resource pooling and Virtualization

Allows the cloud provider to meet various demands from multiple customers while remaining financially viable. Cloud Provider uses Virtualization to flexibly allocate only the needed usage of resources to the organization, thus holding down costs while maintaining profitability.

Auditing

In the cloud, auditing is complicated by virtualization. Auditors are not allowed to make recommendations on how to close gaps because it leads to a conflict of interest. Affected departments within the organization should also not take part in the "gap analysis"; it should be done by someone outside the department to provide an unbiased opinion and suggestions.

IaaS Consideration by the Customer

In IaaS, the customer may also lose some ability to monitor network traffic inside the data center; the cloud provider might not be willing to allow the customer to place monitoring equipment or sensors, or may refuse to share data collected by the provider themselves. The cloud customer is allowed to collect and view event logs from the software, including the OS.

Customer and Provider Shared BC/DR responsibilities

Logical location of backup data/systems. Private architecture: the customer maintains its own data center for production, and the provider is used for backup of data. Cloud operations, cloud provider backup: the provider has all the responsibility for determining the location and configuration of backups and for declaring disaster events; the customer may have minimal participation. Cloud operations, third-party cloud backup provider: regular operations are hosted by one provider, and backup/failover contingency operations by another provider. This model enhances redundancy and distributes risk, but it is expensive and a bit complicated.

Forklifting

Moving an existing legacy application to the cloud with little to no modification. Using proprietary libraries for app building can also hinder cloud transition.

Testing for BC/DR

Recommended to be done at least annually to test backup systems and make sure they will work in failover scenarios.

Updates

Sandbox testing should be part of the change management process before the update is applied to the system.

Private Cloud

serves only one customer or organization and can be located on the customer's premises or off the customer's premises, so private cloud does not support multitenancy.

