Security in the Cloud

Information Bleed

with multiple customers processing and storing data over the same infrastructure, there is the possibility that data belonging to one customer will be read or received by another

Countermeasures for loss of physical control

you can use all of the protections listed in the internal threats, theft/loss of devices, and loss of policy control entries to this list

Concerns with community clouds are: loss of policy control, loss of physical control, and lack of audit access

Concerns with private clouds are: malware, internal threats, external attackers, MITM Attacks, social engineering, theft/loss of devices, regulatory violations, and natural disasters

Concerns with public clouds are: rogue administrator, escalation of privilege, and contractual failure

Potential emergent BIA concerns include, but are not limited to, the following: new dependencies, regulatory failure, data breach/inadvertent disclosure, and vendor lock-in/lock-out

Risks in the public cloud that do not exist in other models are as follows: conflict of interest, escalation of privilege, information bleed, and legal activity

Risks that all private cloud operators face include the following: personnel threats, natural disasters, external attacks, regulatory noncompliance, and malware.

Risks that exist with IaaS motif are personnel threats, external threats, and lack of specific skillsets

Risks that exist with PaaS motif are interoperability issues, persistent backdoors, virtualization, and resource sharing

Risks that exist with SaaS motif are proprietary formats, virtualization, and web application security

Some factors to consider when selecting a cloud provider include the following: provider longevity, core competency, jurisdictional suitability, supply chain dependencies, and legislative environment

The benefits of community cloud are resiliency through shared ownership, shared costs, and no need for centralized administration for performance and monitoring.

The customer is concerned with data, whereas the provider is concerned with security and operation. TRUE

The customer wants to refute control, deny insight, and refrain from disclosing any information used for malicious purpose. FALSE

The customer's ultimate legal liability for data it owns remains true even if the provider's failure was the result of negligence. TRUE

The risks and responsibilities will be shared between the cloud provider and customer. TRUE

There are several things an organization can do to enhance the portability of its data: ensure favorable contract terms for portability, avoid proprietary formats, ensure there are no physical limitations to moving, and check for regulatory constraints

Declaration

a crucial step in the BC/DR process; the cloud customer and provider must decide, prior to the contingency, who specifically will be authorized to make this decision and the explicit process for communicating when it has been made

Private Cloud

a legacy configuration of a datacenter, often with distributed computing and BYOD capabilities; the organization controls the entire infrastructure (hardware, software, facilities, administrative personnel, security controls, and so on)

Personnel Threats

a malicious or negligent insider can cause significant negative impact, as they have physical access to the resources

Cloud Operations, Cloud Provider as Backup

an attractive benefit of this cloud backup is the resiliency and redundancy offered by cloud datacenters, especially from market leaders; cloud providers might offer a backup solution as a feature of their service- a backup located at another datacenter owned by the provider in case of disaster-level events; the provider will have the responsibility for determining the location and configuration of the backup and most of the responsibility for assessing and declaring disaster events

Rogue Administrator

an enhanced form of the insider threat

Guest Escape (Virtual Machine Escape)

an improperly designed or poorly configured virtualized machine or hypervisor might allow for a user to leave the confines of their own virtualized instances

Countermeasures for Malware

antimalware applications employed in actual host devices and virtualized instances; specific training for all users regarding the methods used for introducing malware into a cloud environment; network monitoring; updates and patches

Escalation of Privilege

authorized users may try to acquire unauthorized permissions

Countermeasures for Internal Threats

background checks, resume/reference confirmation, and skills and knowledge testing should be conducted

Vendor Lock-Out

can be caused when the cloud provider goes out of business, is acquired by another interest, or ceases operation for any reason; the concern is whether the customer can still readily access and recover their data

Legal Activity

data and devices within a datacenter may be subpoenaed or seized as evidence in a criminal investigation or as part of discovery for litigation purposes

Portability

describes the general level of ease or difficulty when transferring data out of a provider's datacenter (regardless of whether it's being moved to another provider or to a private cloud)

Countermeasures for MITM Attacks

encrypt data in transit, including authentication activity; secure session technology and enforcement

Countermeasures for theft/loss of devices

encryption of stored material to attenuate the efficacy of theft, strict physical access controls, limited or no USB functionality, detailed and comprehensive inventory control and monitoring, and remote wipe or kill capability for portable devices

Countermeasures for escalation of privilege

extensive access control and authentication tools and techniques should be implemented; also include analysis and review of all log data by trained, skilled personnel on a frequent basis, combined with automated tools such as SIEM, SIM, and SEM solutions

Social Engineering

hackers use their social skills to trick people into revealing access credentials or other valuable information

Countermeasures for External Attackers

hardened devices, hypervisors, and virtual machines, with a solid security baseline and thorough configuration and change management protocols, as well as strong access controls, possibly even outsourced to a third party such as a CASB

Public Cloud

has the most focus in the CCSP CBK and the model that most likely to provide the most benefit to the greatest number of cloud customers; a company offers cloud services to any entity that wants to become a cloud customer, be it an individual, company, government agency, or other organization; organization could lose control, oversight, audit, and enforcement capabilities-basically, all the assurance of maintaining a private cloud internal to the organization

Countermeasures for Regulatory Violations

hire knowledgeable trained personnel with applicable skillsets

Private Architecture, Cloud Service as Backup

if the organization maintains its own IT enterprise, BC/DR plans can include the use of a cloud provider as the backup; in this methodology, the customer should determine when failover will occur-that is, the customer can decide what constitutes an emergency situation and when normal operations will cease and the backup will be utilized as the operational network; failover might take the form of using the cloud service as a remote network, or it might require downloading the backup data from the cloud to another site for contingency operations

Countermeasures for lack of audit access

if the provider refuses to allow the customer to directly audit the facility, the customer must rely on a trusted third party isntead; if the provider limits access to full third-party reports, the customer must insist on contractual protections to transfer as much of the financial liability for security failures to the provider as possible, including additional punitive damages

Regulatory Noncompliance

in private configurations, full control resides internally, and the organization can know its exact regulatory exposure and confidently ensure that is is complying with all relevant regulations

Natural Disasters

in the private cloud, the organization knows exactly how prepared they are to cope with this situation and how often, what kind, and where backups are done

Countermeasures for rogue administrator

include all countermeasures listed in internal threats, with additional physical, logical, and administrative controls for all privileged accounts and personnel, including thorough and secure logging of all administrative activities, locked racks, monitoring of physical access to devices in real time, implementation of surveillance, and financial monitoring of privileged personnel

Hybrid Cloud

include all the risks of the various models they combine

Attack's on the Hypervisor

instead of attacking a virtualized instance, malicious actors might attempt to penetrate the hypervisor, which is the system that acts as the interface and controller between the virtualized instances and the resources of the given host devices on which they reside

Countermeasures for loss of policy control

strong contractual terms should be employed that ensure the provider is adhering to a security program that is at least as effective and thorough as what the customer would institute in an enterprise the customer owned and controlled

Man-in-the-Middle Attacks

the colloquial term for any attack where the attacker inserts themselves between the sender and receiver; this can take the form of eavesdropping to acquire data, or it can be a more advanced attack, such as the attacker posing as one of the participants in order to gain further control/access or modifying data traffic to introduce false or damaging information into the communication

The Brewer-Nash Model

the concept of aligning separation of duties and least privilege with dataflows to prevent conflicts of interest; introduced the concept of allowing access controls to change dynamically based on a user's previous actions

Interoperability Issue

the customer's software may not function properly with each new adjustment in the environment if the OS is updated by the provider

Vender Lock-In

the expense and trouble of moving the data out of the provider's datacenter could be crippling to the organization, especially if the organization chose to do so before the end of the contract term; this could make the organization hostage of the provider and allow the provider to decrease service levels and/or increase prices as the provider see fit

Resource sharing

the programs and instances run by the customer will operate on the same devices used by other customers

Virtualization

the threats are enhanced because even more resource sharing and simultaneous multitenancy is going to occur

External Attacks

these attacks can take many forms, such as unauthorized access, eavesdropping, DOS/DDoS, and so on

Malware

this can be considered an external or internal threat, depending on the source of the infection

Countermeasures for contractual failure

to protect against vender lock-in/lock-out, the customer might consider full offsite backups, secured and kept by the customer or a trusted third-party vendor, for reconstitution with another cloud service provider in the event of severe contractual disagreement

Countermeasures for Social Engineering

training to identify personnel who resist social engineering attempts and bring them to the attention of the security office

The three basic ways of using cloud backups for BC/DR are what?

1. Private Architecture, Cloud Service as a Backup 2. Cloud Operations, Cloud Provider as Backup 3. Cloud Operations, Third-Party Cloud Backup Provider

Countermeasures for legal seizure

legal action might result in unaccounnced or unexpected loss or disclosure of the organization's data

Data Seizure

legal activity might result in a host machine being confiscated or inspected by law enforcement or plaintiffs' attorneys, and the host machine include virtualized instances belonging to your organization, even though your organization was not the target

Conflict of Interest

provider personnel who administer your data and systems should not also be involved with any of your competitors who might also be that provider's customers

Countermeasures for natural disasters

redundancy for all systems and services for the datacenter, including ISP's and utilities

Cloud Operations, Third-Party Cloud Backup Provider

regular operations are hosted by the cloud provider, but contingency operations require failover to another cloud provider; the customer may opt for this selection in order to distribute risk, enhance redundancy, or preemptively attenuate the possibility of vender lock-out/lock-in; this may be the most complicated BC/DR arrangement to negotiate because it will have to involve preparations and coordination between all three parties, and roles and responsibilities must be explicitly and thoroughly delineated; both the primary cloud provider and the cloud customer will take part in emergency assessment and declaration, and failover may require joint effort

Community Cloud

resources are shared and dispersed among an affinity (similar) group; infrastructure can be owned and/or operated jointly, individually, centrally, across the community, or in any combination and mixture of these options

Security in the Cloud

Related study sets

A-Level Chemistry Bond Angles and Shape

Conceptual Physics Test 1

Anatomy Chapter 14: Blood

Adv Med Surg Questions Exam 2

Chem

Plant Biology

Powerpoint Chapter 2

CS3330 Object Oriented Programming (Java) Professor Wergeles Midterm Fall 2018 Mizzou Practice Exam

PANCE Prep Cardio + Practice Qs

Gov 2306

Social Work Ethics Chapter 7-12

COMD 2050 exam 1 review

Athletic Injury Final Exam

INSY 3305- Chapter 6,7,9(Comprehensive Exam 1 & 2)

Penetration Testing

Science 1003: LIFEPAC TEST

TAMU ECON 202 EXAM 2

Accounting 2121 Exam 1 Part 5: What is the normal balance for the following account types?

Evolve: Urinary/Reproductive System

Micro Chapter 8