390 - Certified Cloud Security Professional CCSP - 1572385660 PDF


Certified Cloud Security Professional (CCSP)

Course Navigation

Section 1: Cloud Concepts, Architecture & Design
Section 2: Cloud Data Security
Section 3: Cloud Platform & Infrastructure Security
Section 4: Cloud Application Security
Section 5: Cloud Security Operations
Section 6: Legal, Risk & Compliance
Exam Preparation


Cloud Concepts, Architecture & Design

Section 1 topics: Cloud Computing Concepts, Cloud Reference Architecture, Cloud Security Concepts, Design Principles, Evaluate Cloud Service Providers

Cloud Computing Concepts

Cloud Computing Definitions

Anything as a Service (XaaS): A phrase used to describe the many products, tools, and services available via the internet.

Apache CloudStack: An open-source solution for creating, managing, and deploying infrastructure cloud services. A management layer for managing hypervisors.

Business Continuity (BC): The ability of a business to continue to deliver a service or product to its customers following the failure of one or more of its systems.

Business Continuity Management (BCM): A management process that builds a framework based on potential threats and their impact to business operations.

Cloud Application Management Platform (CAMP): A specification designed to help manage applications across cloud platforms.

Cloud OS: A phrase used in place of Platform as a Service (PaaS) as it pertains to cloud computing.

Cloud Portability: The ability to move applications and data between different cloud service providers (CSPs) or between public and private clouds within the same CSP.

Desktop as a Service (DaaS): A virtual desktop infrastructure (VDI) that provides a hosted desktop environment via the internet.

Cloud Computing Definitions (Cont.)

Eucalyptus: An open-source cloud computing and IaaS platform used to manage private and hybrid clouds by interacting with on-premises hypervisors and CSPs.

Hybrid Cloud Storage: A combination of public and private storage. Sensitive data resides on private storage, while non-sensitive data resides in public storage at a CSP.

Infrastructure as a Service (IaaS): A compute infrastructure delivered as a service; includes compute, storage, and networking (a cloud-based virtual environment).

Managed Service Provider (MSP): Provides various IT services such as monitoring, patching, help desk, and network operations center (NOC).

Mean Time Between Failures (MTBF): Measure of the average time between component or system failures.

Mean Time to Repair (MTTR): Measure of the average time it takes to repair a component or system after a failure.

Multitenant: Multiple customers using the same public cloud.

Platform as a Service (PaaS): A cloud-based platform on which clients deploy their applications. The CSP manages the underlying infrastructure; customers only manage their app.

Cloud Computing Definitions (Cont.)

Private Cloud: An internal or corporate cloud that is protected by a corporate firewall and under the control of the local IT department, not the CSP.

Recovery Point Objective (RPO): How much data must be restored from backup after an event. How much data is the company willing to lose?

Recovery Time Objective (RTO): How quickly individual services need to be restored after a disaster or critical failure.

Scalability: The ability to increase resources to meet demand.

Software as a Service (SaaS): Cloud-based software offered to clients across the internet, most often as a web-based service. Think web-based applications you log in to and use online.

Vertical Cloud Computing: The optimization of cloud services for a specific industry.

Cloud Computing Roles

Cloud Customer: An individual or organization that uses cloud-based services.

Cloud Service Provider (CSP): A company that provides cloud services to customers.

Cloud Service Auditor: A third party that ensures CSPs are meeting Service Level Agreements (SLAs).

Cloud Service Broker (CSB): An organization that seeks to add value to cloud services through relationships with multiple CSPs. Helps customers identify the best cloud solutions for them and sometimes resells cloud services.

Cloud Service Partner: Any role besides customer that supports or works with a CSP (includes roles such as cloud service auditor and cloud service broker).

Cloud Computing Characteristics

On-Demand Self-Service: Ability of cloud service customers to provision new cloud services or increase existing services on demand.
- Can be dangerous: these services don't require approval by another process, simply the click of a button.

Broad Network Access: The idea that customers should never experience network bottlenecks due to use of technologies such as routing, load balancers, multiple sites, etc.

Resource Pool: CSPs own a large pool of resources (compute, storage, network, etc.), and customers each get an amount of these pooled resources.
- Vast majority of these resources are shared, not dedicated.
- CSPs can spend less money on resources because in a shared environment they are much more efficient.
- CSPs can pass these savings on to customers.

Elasticity: Ability to not only scale up, but also scale back resources as needed so you are not paying for unused resources.

Metered or Measured Service: Customer is only charged for what resources they use. Allows for tracking of usage within an organization so individual consumers (departments) can be billed internally.

Building-Block Technologies

CSPs: Provide CPU, memory, storage, networking, and overall virtualization technology.

Customers: Provide OS, middleware, and applications.

Cloud Reference Architecture

Cloud Computing Activities

Cloud activities fall into 3 groups:
- Activities that use services
- Activities that provide services
- Activities that support services

Activities that use services (cloud service customer)
- Use cloud services (create accounts and resources)
- Perform a trial (proof of concept)
- Monitor services (validate SLAs)
- Administer security (manage policies, organize data, audit)
- Provide billing usage reports
- Handle problems (assess impact, troubleshoot, remedy)
- Select and purchase services

Cloud Computing Activities (Cont.)

Activities that provide services (cloud service provider)
- Cloud operations manager (prepare, monitor, manage)
- Cloud services deployment manager (define processes, gather metrics)
- Cloud service manager (provide services, service level management)
- Cloud service business manager (manage business plan, customer relations, financial processing)
- Cloud support and care representatives
- Inter-cloud provider (manage peer cloud services, perform peering and federation)
- Cloud service security and risk manager (manage security and risks, design and implement service continuity, ensure compliance)

Activities that support services (cloud service partners)
- Cloud service developer (design, create, and maintain service components, compose and test services)
- Cloud auditor (perform audits, report results)
- Cloud service broker (acquire and assess customers, assess marketplace, create legal agreements)

Cloud Computing Capabilities

Cloud services can be classified according to 3 capabilities:
- Application capability
  - Where the cloud service customer (CSC) uses the CSP's applications
- Infrastructure capability
  - Where the CSC can provision and use the compute, storage, or networking resources of the CSP
- Platform capability
  - Where the CSC can deploy, manage, and run their own applications using one or more programming languages and one or more execution environments supported by the CSP

Cloud Service Categories

Infrastructure as a Service (IaaS)
- Cloud service customer can provision and use compute, storage, networking, and other services
- Key components and characteristics:
  - Scale
  - Combined network and IT capacity pool
  - Self-service and on-demand capacity
  - High reliability and resilience
- Key benefits:
  - Measured/metered use
  - Scalability
  - Elasticity
  - Reduced TCO
    - No replacement costs
    - No maintenance fees
    - No cooling or power requirements
    - No up-front hardware or licensing costs (CapEx)

Cloud Service Categories (Cont.)

Platform as a Service (PaaS)
- Customers can deploy and manage their own applications using various programming languages and execution platforms.
- Key capabilities:
  - Supports multiple languages and frameworks
  - Multiple hosting environments (private, public, etc.)
  - Flexibility
  - Allows for choices of how to create and deploy apps
- Key benefits:
  - OS can be changed or upgraded frequently
  - Global collaboration by developers
  - Technology isn't crossing borders; it's cloud-based
  - Cost reduction: single vendor can meet many needs

Cloud Service Categories (Cont.)

Software as a Service (SaaS)
- Customer uses CSP-provided applications
- SaaS Delivery Models:
  - Hosted application (HA) management
    - CSP hosts commercially available software across the internet
      - Webmail
      - Accounting apps
      - HR apps
  - Software on demand
    - CSP gives network-based access to a single copy of an application set up specifically for that customer
    - Scales as needed; licenses scale as well
- Financial Benefits:
  - Cost reduction
    - No hardware to purchase or upgrade
    - No support contracts for hardware
  - Licensing
    - No need to purchase licenses up front
    - Licenses are part of the cost
    - Move from CapEx to OpEx
  - Reduces support cost
    - No support contracts to purchase
    - Support handled by the CSP
- Other Key Benefits:
  - Ease of use (less labor to administer environment)
  - Patching and updates are handled by the CSP
  - Standardization (all users on same platform)
  - Global access

Cloud Service Categories (Cont.)

Software as a Service (SaaS)

Communications as a Service (CaaS)
- Provides customers with real-time interaction and collaboration services.

Cloud Service Categories (Cont.)

Compute as a Service (CompaaS)
- Provides customers the ability to provision and use processing resources needed to deploy and run software

Data Storage as a Service (DSaaS)
- Provides customers the ability to provision and use data storage and related capabilities (Ex: Dropbox, Google Docs)

Network as a Service (NaaS)
- Provides customers the ability to use transport connectivity and related network capabilities (Ex: CDNs and VPNs)

Cloud Deployment Models

Four Main Cloud Deployment Models:
- Public
- Private
- Hybrid
- Community

Criteria for Selecting a Cloud Deployment Model:
- Risk appetite
- Cost
- Compliance and regulatory requirements
- Legal obligations
- Business strategy

Public Cloud Model
- A cloud infrastructure provisioned for use by anyone who is a customer. Exists on the premises of the CSP.
- Benefits:
  - Easy and inexpensive to set up
  - Ease of use
  - Scalable
  - Pay as you go; no wasted resources
- Examples:
  - AWS
  - Azure
  - Google Cloud

Cloud Deployment Models (Cont.)

Private Cloud Model
- A cloud infrastructure provisioned for use by a single organization
- May consist of multiple internal consumers
- May be owned, managed, and operated by:
  - The single organization
  - A third party
  - A combination of the two
- May exist on or off the premises of the organization
- Benefits:
  - Increased control over everything
  - Ownership and retention of governance controls
  - Assurance of data location
  - Simplified legal and compliance requirements
- Most often used in large environments with compliance or regulatory requirements

Cloud Deployment Models (Cont.)

Hybrid Cloud Model
- A combination of two or more cloud models that remain unique entities
- Benefits:
  - Ability to retain ownership of management of critical tasks and processes
  - Reuse of technology already owned
  - Control critical business components
  - Cost-effective by using public cloud for non-critical/non-compliance functions
  - Use of cloud bursting and disaster recovery functions of the cloud

Community Cloud Model
- Cloud infrastructure provisioned for use by a specific community of consumers that have shared concerns (mission, security requirements, policy, compliance, etc.)
- Benefits:
  - Flexibility and scalability
  - High availability and reliability
  - Security and compliance
  - Improved services
  - Reduced (shared) costs
- Example: A group of doctors who all use the same medical applications may opt to create a community cloud for a group of practices to ensure compliance and reduce costs.

Cloud Shared Considerations

Auditability: The ability to collect and make available evidential information related to events within a cloud service.
- What logs are available?
- What additional charges may be incurred for log access?

Availability: The state of being accessible and usable.

Governance: The system by which the provisioning and use of cloud services is directed and controlled.

Interoperability: The ability of a cloud service customer to interface with the cloud service, or the ability of cloud services to interface with each other.

Maintenance: Maintenance and upgrades can change the way services function; therefore, it's important that the customer be made aware of these activities.
- Notification of maintenance and scheduled upgrades
- Disclosure of roll-back practices
- SLA should document maintenance practices

Versioning: Labeling of a service's version for easy identification. If significant changes are being made, both the old and new versions should be made available in parallel to reduce impact to customers.

Performance: Cloud services should meet metrics defined in the SLA, such as availability, response time, throughput, etc.

Cloud Shared Considerations (Cont.)

Portability: The ability to easily migrate data between cloud service providers and between the cloud and on-premises infrastructure.

Protection of Personally Identifiable Information (PII): CSPs must protect PII, and it should be documented in the SLA. PII is any information that can be used to identify someone, such as a social security number, date of birth, or driver's license number.

Resiliency: The ability of a system to provide and maintain an acceptable level of service during a system fault.
- This is where monitoring and high availability come into play.

Reversibility: The ability of CSPs to recover customer data in the event of deletion and the ability of a CSP to delete a customer's data in its entirety (the right to be forgotten).

Security: This includes many capabilities, such as access control, confidentiality, integrity, and availability (the CIA triad). Also includes management and administrative functions.

Service Level Agreement (SLA): Lays out measurable elements needed to assure an agreed-upon quality of service between the cloud service customer and provider.
- The key term is "measurable"
- An SLA should include specific metrics

Impact of Related Technology

Machine Learning (ML) and Artificial Intelligence (AI): Using pattern recognition and computational learning to make predictions.
- Many cloud vendors are now offering ML and AI as a service.
- Cloud vendors have resources to build environments for this type of data analysis.

Blockchain: A protocol that uses a decentralized framework to maintain integrity within the data.
- Cloud was originally the idea of off-loading services to a cloud vendor.
- Blockchain could be used to manage globally distributed workloads between data centers so the data resides in multiple data centers at once.
- Not only would this allow for a new type of decentralized cloud, but it could also be used to guarantee data integrity.

Internet of Things (IoT): IoT devices are generally sensors or other devices that complete simple tasks. Of course the "Internet" in IoT indicates these devices are internet-connected and upload data to an online destination.
- Many cloud vendors offer IoT services, including creating images for devices, cloud-based data analysis, and the integration of AI.

Impact of Related Technology (Cont.)

Containers: A container is a small package of code that includes an application, its dependencies, and libraries. That's it! The container then uses the underlying container operating system it runs on for other services such as networking.
- Containers are like a stripped-down version of virtual machines (VMs).
- Containers are very small and require very few resources.
- Containers start quickly, as they are tiny.
- Can scale very quickly.
- Containers are designed to do a single job, such as host a web service.
- This allows for separating services into individual containers to increase resiliency and security.

Quantum Computing: Quantum computing gets its massive compute power by tapping into quantum physics instead of using micro-transistors. Traditional computing uses the values of 0 and 1 in bits, but quantum computing can store multiple values in qubits.
- Vendors such as Rigetti, Google, IBM, and Microsoft have made quantum CPUs.
- Quantum computing is still in its infancy.
- Eventually CSPs will provide quantum computing services.

Cloud Security Concepts

Cryptography and Key Management

Confidentiality: Controlling authorized access to data in order to protect the privacy of the data.

Data in Transit / Motion
- The movement of data across untrusted networks
  - The internet
  - Between cloud providers
- Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  - SSL uses private and public keys to encrypt data.
  - TLS provides a secure transport "tunnel," often used with mail services.
- IPSEC
  - Used in network-to-network VPN tunnel
  - Uses cryptography algorithms such as 3DES and SHA

Data at Rest
- Data not in use by users or applications
- Encryption can impact performance
- Only required for sensitive data (PII, PCI, HIPAA, IP, etc.)
  - Personally Identifiable Information (PII)
  - Payment Card Industry (PCI)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Intellectual Property (IP)
- Reduces risk of unauthorized data access
- Can make it hard for the owner to retrieve the data
  - Lost encryption keys
  - Dispute with CSP

Cryptography and Key Management (Cont.)

Key Management
- Separation of duties is very important
  - Key managers should be separate from providers.
  - Keys kept on premises in an isolated, secure location.
- Approaches for cloud computing key management
  - Remote Key Management Services (KMS)
    - Customer maintains the KMS on premises.
    - Connectivity is required between KMS server and encrypted cloud data for encryption/decryption.
  - Client-Side Key Management
    - CSP provides the KMS, but it resides on customer premises.
    - Customer generates keys, encrypts data, and uploads it to the cloud.

Access Control

Access Control
- Has evolved to work with other services such as Single Sign-On (SSO), Multi-Factor Authentication (MFA), and other authentication and authorization services and is now generally known as Identity and Access Management (IAM).

Identity and Access Management (IAM)
- Controls access to resources by people, processes, and systems
- Validates identity
- Grants level of access to data, services, and applications
- Generally uses a minimum of two factors of authentication to validate user identities.

Key Phases of IAM
- Provisioning and deprovisioning accounts
  - Don't forget to deprovision old accounts!
  - Remove unnecessary permissions when roles change.
- Centralized directory services
  - Store, process, and maintain a centralized repository.
  - Primary protocol is Lightweight Directory Access Protocol (LDAP) based on the X.500 standard.

Access Control (Cont.)

IAM Key Phases (Cont.)
- Privileged Identity Management (PIM)
  - An identity management system that includes features such as:
    - Privileged access management
    - Time-based rules
    - Geo-based rules
    - Audit capabilities
    - Notification capabilities
    - Forced use of MFA
  - IAM should use features of PIM for admin accounts
  - MFA should always be used for admin accounts
- Trust and confidence in the accuracy and integrity of the directory service is paramount!
- Privileged user management
  - Carry the highest risk and impact
  - Key component; pertains to privileged accounts
    - Usage tracking
    - Authentication success and failure tracking
    - Authorization dates and times
    - Reporting capabilities
    - Password management (complexity, MFA)
      - Requirements should be based on organizational policies
- Authorization and access management
  - Authorization determines a user's right to access a resource.
  - Access management is the process of providing access to that resource.

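The provisioning and privileged-account points above (deprovision old accounts, remove permissions when roles change, always use MFA on admin accounts), turned into an audit over an account inventory. This is an added example, not part of the original course material; the `Account` fields, the role baseline, the 90-day idle limit and the sample inventory are all constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Account is a constructed inventory record; the fields are assumptions for
// this example, not the schema of any particular directory service.
type Account struct {
	User        string
	Role        string
	Permissions []string
	Admin       bool
	MFA         bool
	Enabled     bool
	Offboarded  bool // HR has recorded that the owner left
	LastLogin   time.Time
}

// roleBaseline is an assumed policy: the permissions each role should hold.
var roleBaseline = map[string][]string{
	"developer":   {"repo:read", "repo:write"},
	"analyst":     {"reports:read"},
	"cloud-admin": {"iam:manage", "vm:manage"},
}

// Finding is one audit result for one account.
type Finding struct {
	User  string
	Issue string
}

// auditAccounts flags enabled accounts that should be deprovisioned,
// admin accounts without MFA, and permissions beyond the role baseline.
func auditAccounts(accounts []Account, now time.Time, maxIdle time.Duration) []Finding {
	var findings []Finding
	for _, a := range accounts {
		if !a.Enabled {
			continue // already deprovisioned
		}
		switch {
		case a.Offboarded:
			findings = append(findings, Finding{a.User, "deprovision: owner left, account still enabled"})
		case now.Sub(a.LastLogin) > maxIdle:
			findings = append(findings, Finding{a.User, "deprovision: idle beyond limit"})
		}
		if a.Admin && !a.MFA {
			findings = append(findings, Finding{a.User, "admin account without MFA"})
		}
		allowed := make(map[string]bool)
		for _, p := range roleBaseline[a.Role] {
			allowed[p] = true
		}
		var excess []string
		for _, p := range a.Permissions {
			if !allowed[p] {
				excess = append(excess, p)
			}
		}
		if len(excess) > 0 {
			sort.Strings(excess)
			findings = append(findings, Finding{a.User,
				"excess permissions for role " + a.Role + ": " + strings.Join(excess, ",")})
		}
	}
	return findings
}

// runSampleAudit audits a constructed inventory at a fixed point in time.
func runSampleAudit() []Finding {
	day := func(s string) time.Time {
		d, err := time.Parse("2006-01-02", s)
		if err != nil {
			panic(err)
		}
		return d
	}
	accounts := []Account{
		{"alice", "developer", []string{"repo:read", "repo:write"}, false, true, true, false, day("2024-05-30")},
		// bob moved from developer to analyst but kept repo:write.
		{"bob", "analyst", []string{"reports:read", "repo:write"}, false, true, true, false, day("2024-05-28")},
		{"carol", "cloud-admin", []string{"iam:manage", "vm:manage"}, true, false, true, false, day("2024-05-31")},
		{"dave", "developer", []string{"repo:read"}, false, true, true, true, day("2024-01-10")},
		{"erin", "analyst", []string{"reports:read"}, false, true, true, false, day("2024-02-01")},
		{"frank", "developer", []string{"repo:read"}, false, false, false, true, day("2023-11-02")},
	}
	return auditAccounts(accounts, day("2024-06-01"), 90*24*time.Hour)
}

func main() {
	for _, f := range runSampleAudit() {
		fmt.Printf("%-6s %s\n", f.User, f.Issue)
	}
}
```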
Data and Media Sanitization

Data and Media Sanitization
- The ability to remove all data from a system is critical to ensuring confidentiality in the cloud.
- We don't want to leave behind data remnants for someone else to find in the future.

How Can We Sanitize Data?
- Cryptographic Erasure: Erase, overwrite with a pattern, erase again.
- Overwriting: Simply overwriting data may be sufficient for some data but not sensitive data (PII, PCI, HIPAA, IP, etc.)
- Remember:
  - Simply deleting data doesn't actually get rid of it.
  - It only hides it from users' view.
  - It's still there until the OS overwrites its blocks with other data.
- Key destruction of an encryption key is not sufficient, as the key could be recovered forensically.
- NOTE:
  - Without degaussing media or physically destroying it, an attacker may be able to recover data.
  - Overwriting data is merely a deterrent.

Network Security

Network Perimeter of a CSP
- Can be hard to identify, as it could be anything from a carrier's trunk into a building to a series of micro-instances running as load balancers.

Virtual Switch Attacks
- Virtual switches are vulnerable to some of the same attacks as physical switches:
  - VLAN hopping
  - ARP table overflow
  - ARP poisoning

Network Security Groups
- Access lists permitting or denying traffic
- Can be placed at the network or VM level

Virtualization Security

Hypervisor
- Allows multiple operating systems to share a single hardware host.
- Types of hypervisors:
  - Type 1
    - Bare metal hypervisor that runs directly on hardware using a hypervisor operating system.
    - Examples: VMware, ESXi, and Citrix XenServer
    - Related to hardware security.
    - Reduced attack surface because of locked-down OS.
    - Vendor controls the software and all packages.
    - Increased reliability and robustness, due to closed environment.
  - Type 2
    - Runs on a host OS and provides virtualization services.
    - Examples: VMware Workstation and VirtualBox
    - Relates more to OS security (underlying OS).
    - More attractive to attackers because of the number of vulnerabilities in underlying OS and installed software packages.

VM Attacks
- Once a VM is compromised, the attacker has access to the shared resources of that VM.

Hypervisor Attacks
- Hypervisors are a common target because they provide control over hosted VMs and access to shared resources.
- A common hypervisor attack is hyperjacking, in which an attacker will hijack a hypervisor using a Virtual Machine Monitor (VMM) such as:
  - SubVirt
  - Blue Pill: Hypervisor rootkit that uses AMD Secure Virtual Machine (SVM)
  - Vitriol: Hypervisor rootkit that uses Intel VT-x
  - Direct Kernel Structure Manipulation (DKSM)
- VM Escape is another type of attack, in which the attacker crashes the guest OS of a VM in order to run attack code that allows them to take control of the hypervisor host.

Common Threats

Data Breaches
- Cloud computing has widened the scope for data breaches
  - Multitenancy
  - Shared databases
  - Multiple locations
  - Key management
- Widely dispersed attack surface
  - Increase in smart devices
  - Lost devices
  - Can be difficult to manage (BYOD)
  - Laptops/tablets replacing desktops
- In the event of a sensitive data breach, companies may:
  - Need to publicly disclose the breach (lose credibility)
  - Pay fines
  - Lose the ability to legally process certain types of data

Data Loss
- Loss of information by deletion, overwriting, corruption, or loss of integrity
- Items to consider in the cloud with respect to data loss:
  - Is the CSP responsible for backups?
    - If so, are they responsible for all data or only some?
  - What is the process for restoring data?
  - On a shared platform, such as an application, can a single customer's data be restored? (SaaS)
- Remember: If you lose an encryption key and can no longer decrypt and use data, it's considered lost!

Account or Service Traffic Hijacking
- Frequently done via social engineering attacks (phishing)
- May sniff insecure data to capture credentials
- May pose as a third-party vendor (trusted entity)
- Awareness is key for prevention
- MFA should be used on all public-facing services

Insecure Interfaces and APIs
- Application programming interfaces (APIs) are used to interact with cloud services via a command or script.
- APIs must follow security policies and not act as a back door.
- All API updates must be scrutinized and validated for security functionality.

Denial of Service
- Denial of Service (DoS) attacks prevent users from being able to access services
- DoS attacks can target:
  - Memory buffers
  - Network bandwidth
  - Processing power
- Distributed Denial of Service (DDoS) attacks are launched from multiple locations against a single target (hard to stop)
- Work to reduce single points of failure

Malicious Insiders
- Intentional misuse of access to data, which affects the confidentiality of the data
- Could be a current or former employee, contractor, or other business partner

Abuse of Cloud Services
- Attackers can use cloud services too, if they're willing to pay.
  - Dictionary attacks
  - DoS attacks
  - Password cracking
- CSPs watch for nefarious activities, especially DoS/DDoS attacks.

Insufficient Due Diligence
- Due Diligence: The act of investigating and understanding the risks a company faces
- Due Care: The development and implementation of policies and procedures that help protect the company from threats
- As cloud security professionals, we should consider:
  - A CSP's security practices
  - If your CSP were to close, are you poised to quickly change CSPs?
  - Always have an exit strategy.

Shared Technology Vulnerabilities
- Vulnerabilities of hardware, OSes, and apps are shared in shared environments, meaning they affect all users.
- CSPs should use a defense-in-depth strategy, which implements controls at each layer:
  - Compute
  - Storage
  - Network
  - Application
  - User security enforcement
  - Monitoring

OWASP Top 10

Design Principles
Cloud Security Data Lifecycle

Data is the most valuable asset for most organizations.

Data should be managed across a lifecycle, which includes the following 6 phases:

It's very important to always know where your data resides!

Cloud Security Data Lifecycle (Cont.)

Data Governance Terms
- Information Classification: Description of valuable data categories (confidential, regulated, internal only, etc.)
- Information Management Policy: What activities are allowed for different information classifications
  - Sensitive data cannot leave premises
  - Regulated data cannot be copied to external media
- Location and Jurisdictional Policies: Where data can be geographically located and any regulatory or legal concerns
- Authorization: Who is permitted to access different types of data
- Custodianship: Who is responsible for managing specific data

Cloud-Based Disaster Recovery & Business Continuity

Business Continuity Management (BCM)
- The process of reviewing threats and risks to an organization as part of the risk management process.
- The goal of BCM is to keep the business operational during a disruption.
- BCM should occur at least annually.

Disaster Recovery Planning (DRP)
- The process of creating plans to execute in the event of a disaster.
- The goal of DRP is to quickly reestablish the affected areas of the business.
- Not all services are equally important.
  - Revenue-generating services rank higher.

BCM and DRP combine to make BCDR.

Critical Factors for Business Continuity (BC) in the Cloud
- Understand who the responsible party is.
  - Customer's responsibilities
  - CSP's responsibilities
  - Third-party responsibilities (application vendors)
- Order of restoration
- Right to audit CSP capabilities for validation
- Communication of any issues
- Need for a tertiary backup at another location
- Document in the SLA what BCDR is handled by CSP and to what degree.
  - Penalties for loss of service
  - Recovery Time Objective (RTO)/Recovery Point Objective (RPO)
  - Loss of integrity
  - Points of contact and escalation process
  - Failover capabilities and process
  - Communication of changes being made
    - Maintenance and upgrades
  - Clearly defined responsibilities
  - Where third parties are being used by the CSP

Cloud customers should be fully satisfied with the BCDR details prior to signing any agreements.
- Future modifications may result in additional charges.

Important SLA Components
- No undocumented single points of failure
- Migration to another CSP should be permitted within an agreed-upon time frame
- Customer should be able to verify data integrity via automated controls
- Data backup solution should allow for granular settings

Regular reviews of the SLA should occur to ensure cloud services continue to meet the needs of the business.

Cost-Benefit Analysis

Cost is usually a key factor in deciding to move to the cloud.

Cost Considerations
- Resource pooling: CSPs offer pooled resources, which can help keep costs down.
- Shift from CapEx to OpEx: Why not pay as you go instead of making a large upfront investment?
- Time and efficiency: Cloud is easy to manage and has many automation capabilities built in.
- Avoid depreciation: With the cloud, there are no company-owned assets to depreciate off the books.
- Reduced maintenance: CSPs handle a large portion of required maintenance.
- Focus: The cloud allows organizations to focus on their business with less labor to manage the cloud environment.
- Utility costs: Avoid/reduce on-premises electricity and cooling costs.
- Software and licensing costs: CSPs can provide great pricing on licensing, as they buy in bulk.
- Pay by usage: Only pay for resources used in the cloud; ability to track usage and bill internal departments.

Other things to consider when calculating Total Cost of Ownership (TCO):
- Legal costs (contract and SLA reviews)
- Required training
- Reporting capabilities
- Audit capabilities

Functional Security Requirements

Functional requirements are services required for a person or the business to accomplish a job.

Vendor Lock-In
- A situation in which a customer may be unable to leave, migrate, or transfer from one CSP to another.
- Contract and SLA review is a must to avoid this!

Interoperability
- Ability of a cloud service customer to interact with cloud services and for cloud services to interact with each other
- Avoid proprietary formats and technology
- Regularly review requirements (business, legal, operational)

Portability
- Ability for a cloud service customer to easily migrate data between cloud service providers
- Ensure favorable contract terms for portability
- Have an exit strategy from day one
- Avoid proprietary formats and technologies

Security Considerations for Different Cloud Categories

Security Considerations for IaaS
- Controlling network access
  - Using security groups to open & close ports/protocols
- Configuration of services running on VMs
- Access control within applications
- Failover or other redundancy
- Monitoring for availability, security, and audit purposes
- Patching of applications and VMs

Security Considerations for SaaS
- Access control to applications
  - Secure passwords & MFA
  - Account lockout & notification
  - VPN access
- Controlling devices where application is accessed (BYOD)
- Monitoring for availability, security, and audit purposes

Security Considerations for PaaS
- System and resource isolation (due to multitenancy)
- Access control
- Secure coding practices for in-house applications
- Monitoring for availability, security, and audit purposes
- Protection against malware

Security Considerations for All Cloud Categories
- Know where your data is
- Review contracts and SLAs so you know what to expect
  - What services you are guaranteed
  - What turnaround time is for requests
  - What BCDR services are available and agreed upon

Evaluate Cloud Service Providers
Verification Against Criteria

Key Point: If it cannot be measured, it cannot be managed.
- How do you know if something is meeting standards if you have no data to validate against?

How can we evaluate cloud vendors effectively? Surely there's a tool out there that can help with this.

Cloud Certification Schemes List (CCSL)
- Created by the European Union Agency for Cybersecurity (ENISA)
- Provides an overview of different cloud certification schemes (certifications) and shows the main characteristics of each scheme. It also answers questions such as:
  - Which are the underlying standards?
  - Who issues the certification?
  - Is the CSP audited?
  - Who performs the audits?
- CCSL provides information for the following schemes:
  - Certified Cloud Service
  - CSA Attestation of OCF Level 2
  - EuroCloud Star Audit certification
  - ISO/IEC 27001
  - PCI-DSS v3
  - Service Organization Control (SOC) 1, 2, 3
  - Cloud Industry Forum Code of Practice
- Basically a checklist explaining each scheme (certification) to help you better understand each one.

Verification Against Criteria (Cont.)

Cloud Certification Schemes Metaframework (CCSM)
- Created by the European Union Agency for Cybersecurity (ENISA).
- The other half of CCSL.
- Allows users to select their security objectives, then suggests schemes (certifications) containing these objectives for users to review.
- To access this framework and view different schemes, use the CCSM Online Procurement Tool.

CSA Security, Trust, and Assurance Registry (STAR)
- Created in 2011 in response to the need for a single consistent framework by which to evaluate vendors
- STAR is managed by the Cloud Security Alliance (CSA)
- There are 2 parts to STAR (like with CCSL/CCSM):
  - Cloud Controls Matrix (CCM): A list of security controls and principles for the cloud environment
  - Consensus Assessments Initiative Questionnaire (CAIQ): A self-assessment performed by the CSP (self-audit)
- There are 3 levels of STAR certification:
  1. Self-assessment: Fill out the CAIQ
  2. CSA STAR attestation: Third-party audit
  3. Continuous auditing: Using the CloudTrust Protocol

CloudTrust Protocol: CSP agrees to openly share certification information with customers and prospective customers.

Verification Against Criteria (Cont.)

ISO 27001: Most widely known and accepted information security standard. ISO 27001:2013 consists of 114 security controls across 14 domains of security. It doesn't specifically address cloud security, so it cannot be used as a single source for cloud security.

ISO/IEC 27002:2013: Provides guidelines for security standards, but isn't certified against like 27001 is; it's more used for reference.

ISO/IEC 27017:2015: Offers guidelines for information security controls for the provisioning and use of cloud services for both CSPs and cloud customers.

SOC 1 / SOC 2 / SOC 3: The Service Organization Control (SOC) is a security control certification program.
- SOC 1: Focuses on service providers and is related to financial statements
  - Type 1: Auditor findings at a point in time
  - Type 2: Operational effectiveness over time
- SOC 2: Meant for IT service providers and cloud providers
  - Addresses the five Trust Services principles (Security, Availability, Processing Integrity, Confidentiality, Privacy), providing a detailed technical report.
  - Also uses Type 1 & 2 reports like SOC 1.

Evaluate Cloud Service Providers
Verification Against Criteria (Cont.)

SOC 1 / SOC 2 / SOC 3 (Cont.):
- SOC 3: Covers the same content as SOC 2, but the report only identifies success or failure of the audit and doesn't contain sensitive technical information like a SOC 2 report would.
- SOC reports are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, which replaced SAS 70.

NIST SP 800-53: Used to ensure the appropriate security requirements and controls are applied to US federal government information systems; a risk management framework.

PCI DSS: A security standard by which all organizations that accept, transmit, or store credit card data must comply.
- There are 4 merchant levels based on the number of annual transactions; used to determine the level of compliance required.
- Processors are to never store the card verification (CVV) number.
- Failure to comply can result in severe fines and the loss of authority to process credit card transactions.

Evaluate Cloud Service Providers
System & Subsystem Product Verification

Why do we need to ensure CSPs are certified?
- Our data resides with the CSP and we trust them to protect its confidentiality, integrity, and availability (CIA).
- Cloud vendors who meet standards criteria are more likely to provide us with the CIA we require, which reduces risk.
- Imagine using a cloud vendor with no certifications.
  - We know nothing about their capabilities.
  - No third-party audits have taken place to validate anything.
  - Trusting this vendor would be a high-risk decision.

Common Criteria (CC) Assurance Framework (ISO/IEC 15408-1:2008)
- International standard designed to provide assurances for security claims by vendors
- Primary goal is to assure customers that products have been thoroughly tested by third parties and meet the specified requirements.
- https://www.iso.org/standard/50341.html
- CC has two key components:
  - Protection profiles: A standard set of security requirements for a specific type of product such as a firewall, IPS, switch, etc.
  - Evaluation Assurance Levels (EALs): Define how thoroughly the product is tested (scale of 1-7).
    - 1 = Lowest; 7 = Highest

Evaluate Cloud Service Providers
System & Subsystem Product Verification

FIPS 140-2
- A NIST document that lists accredited cryptosystems
- The benchmark for validating the effectiveness of cryptographic hardware and systems
- All cryptosystems used should meet FIPS 140-2 compliance
- Check to ensure your CSP is FIPS 140-2 validated
- FIPS compliance is measured on a scale of 1-4.
  - Level 1 is the lowest.
  - Level 4 is the highest level of compliance and indicates the product provides the highest level of security.

Cloud Data Security
Cloud Data Concepts
Lifecycle Phases

Cloud Data Lifecycle Phases
- Create: The creation, acquisition, or altering of data. Preferred time to classify data.
- Store: Committing data to storage. At this point, implement security controls to protect data (encryption, access policies, monitoring, logging, and backups).
- Use: Data being viewed or processed (not altered). Data is most vulnerable at this point. Controls such as data loss prevention (DLP), information rights management (IRM), and access monitoring should be implemented to protect data during this phase.
- Share: It's difficult to manage data once it leaves the organization. DLP and IRM can be helpful for managing what data can be shared.
- Archive: Moving data that is no longer actively being used to long-term storage. Archived data must still be protected and meet regulatory requirements.
- Destroy: Removal of data from a CSP.

Cloud Data Concepts
Lifecycle Phases (Cont.)

Three Key Data Functions
- Access: Viewing and accessing data
- Process: Use of data to perform a function
- Store: Storing data in a database or filesystem

Controlling Data Functions
- Access: How do we control access?
  - Access management (access lists)
  - Encrypt data
  - Digital rights management (DRM)
- Process: How do we control processing?
  - Access management
  - Data encryption
- Storing: How do we control the storage of data?
  - Policies are a start
    - How certain types of data are stored
    - USB restriction policies to prevent USB storage
  - DRM to prevent copying of data
  - Data loss prevention (DLP) solutions
    - Can enforce rules and prevent data from being moved or copied

[Figure labels: Access Control, Encryption]

Cloud Data Concepts
Data Dispersion

Location
- Data moves between locations
- Services replicate data across geographic regions
- Important data should always be stored in multiple locations

Storage Slicing (data dispersion)
- Data is broken into chunks and encrypted, error correction (erasure coding) is added, and then data is geographically distributed
- Allows for retrieval of data in the event multiple locations are offline
- Like RAID for the cloud

Automation
- Automated dispersal of data
- Data dispersion policies are critical
  - Ex: Intellectual property (IP) cannot leave the US
- Accidental replication of TBs of data is costly

IaaS
- CSPs offer different classes of service that automatically replicate data across geographically dispersed locations

PaaS/SaaS
- Research prospective providers to ensure they practice data dispersion
- May be an additional feature not enabled by default
- May incur additional costs

Cloud Data Storage & Architecture
Storage Types

IaaS
- Volume: Virtual disk attached to a virtual machine (Ex: VMFS, AWS EBS)
- Object: Storage pool, like a file share (Ex: AWS S3)
- Ephemeral: Temporary storage used while a system is up and running. Once the system is shut down, the storage goes away.
  - Temporary storage
  - Pagefile

PaaS
- Structured: Data that is organized in relational databases using tables, keys, and rows (Ex: SQL)
- Unstructured: Data files such as text, media, or other files. Considered unstructured because it's not in a traditional database format. (Ex: AWS NoSQL)

Other Storage Types
- Raw Storage: Raw device mapping (RDM) is an option with VMware virtualization that allows you to map directly to physical storage such as a LUN.
- Long-Term: Data archiving services such as AWS Glacier.
- Content Delivery Network (CDN): Files are stored in geographically dispersed object storage; used to improve the user experience by speeding up delivery to consumers.

Cloud Data Storage & Architecture
Threats to Storage Types

Unauthorized Usage and Access
- Cause: Account hijacking or lack of access controls
- Solution: Multi-factor authentication (MFA) and secure access controls

Liability Due to Regulatory Non-Compliance
- Cause: Missing requirements and lack of internal auditing
- Solution: Implement regulatory requirements and regularly self-audit

Denial of Service (DoS/DDoS) Attack
- Cause: Lack of edge security
- Solution: Implement security products (such as an IPS) to prevent DoS/DDoS attacks

Corruption, Modification, and Destruction
- Cause: Human or mechanical error
- Solution: Ensure backups are functional, regularly test

Data Leakage and Breaches
- Cause: Holes in security (weak patching, access controls, etc.)
- Solution: Data loss prevention (DLP) products, penetration tests

Cloud Data Storage & Architecture
Threats to Storage Types

Theft or Loss of Media
- Cause: Unencrypted data being lost or stolen
- Solution: Encrypt data at rest (laptops, mobile devices, USB devices, etc.)

Malware Introduction or Attack
- Cause: Most likely human error
- Solution: Security training and security products (anti-virus, anti-malware, etc.), network segmentation

Improper Treatment or Sanitization After End of Use
- Cause: Data not being deleted properly
- Solution: Best option is crypto-shredding
  - DOD 5220.22-M and NIST 800-88 both deal with data sanitization
  - In a cloud environment, unless you have raw data storage (direct disk access), you cannot truly perform the wipe actions, as this requires disk access
  - Most CSPs put the burden of sanitization on the customer
  - Crypto-shredding is the best option if you don't have raw disk access

Crypto-Shredding
1. Encrypt data with key A.
2. Encrypt key A with key B.
3. Delete data.
4. Delete key A and key B.

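The four crypto-shredding steps above, as an added Python example that is not part of the original course material. The key store class, function names, key id, and sample record are hypothetical, and because the Python standard library has no AES, an HMAC-SHA256 keystream with an authentication tag stands in for the AEAD cipher (for example AES-GCM) a real deployment would use.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for AES, which the stdlib lacks.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate keys for encryption and authentication, both derived from `key`.
    enc = hmac.new(key, b"encrypt", hashlib.sha256).digest()
    mac = hmac.new(key, b"authenticate", hashlib.sha256).digest()
    return enc, mac


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class CustomerKeyStore:
    """Hypothetical customer-controlled store for key B, kept outside the CSP."""

    def __init__(self):
        self._keys = {}

    def create(self, key_id: str) -> None:
        self._keys[key_id] = secrets.token_bytes(32)

    def get(self, key_id: str) -> bytes:
        return self._keys[key_id]  # raises KeyError once the key is destroyed

    def destroy(self, key_id: str) -> None:
        self._keys.pop(key_id, None)


def store_record(keystore: CustomerKeyStore, key_id: str, plaintext: bytes) -> dict:
    key_a = secrets.token_bytes(32)  # step 1: data is encrypted with key A
    return {
        "key_id": key_id,
        "data": seal(key_a, plaintext),
        # step 2: key A is stored only in wrapped form, encrypted with key B
        "wrapped_key_a": seal(keystore.get(key_id), key_a),
    }


def read_record(keystore: CustomerKeyStore, record: dict) -> bytes:
    key_a = unseal(keystore.get(record["key_id"]), record["wrapped_key_a"])
    return unseal(key_a, record["data"])


def crypto_shred(keystore: CustomerKeyStore, bucket: dict, name: str) -> None:
    record = bucket.pop(name)           # step 3: delete the data we can reach
    # step 4: destroying key B makes every surviving copy of wrapped key A,
    # and so every replica of the ciphertext, unreadable. Note that this
    # shreds all records wrapped under the same key B.
    keystore.destroy(record["key_id"])


def demo():
    keystore = CustomerKeyStore()
    keystore.create("tenant-42")        # constructed key id
    sample = b"acct=000123;ssn=123-45-6789"   # constructed sample record
    bucket = {"invoice.csv": store_record(keystore, "tenant-42", sample)}
    replica = dict(bucket["invoice.csv"])     # copy the provider still holds
    before = read_record(keystore, replica)
    crypto_shred(keystore, bucket, "invoice.csv")
    try:
        read_record(keystore, replica)
        recoverable = True
    except KeyError:
        recoverable = False
    return before, recoverable
```

The replica in `demo()` models the case the slide describes: the customer cannot wipe the provider's disks, so the guarantee comes from destroying key B rather than from deleting every copy of the ciphertext.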
Cloud Data Storage & Architecture
Threats to Storage Types

Data responsibility
- The client is ultimately responsible for the safeguarding of sensitive data (PCI, PII, HIPAA, etc) from cradle to grave
- Even if the data disclosure is the fault of another party, the client is still ultimately responsible

Data Security Technologies & Strategies
Encryption & Key Management

Implementing Encryption at Different Points
- Data in motion (DIM): IPSec can be used via VPN; SSL & TLS can be used across the web.
- Data at rest (DAR): Disk encryption or encryption managed by a storage system.
- Data in use (DIU): Information rights management (IRM) and digital rights management (DRM). DRM has been used for the entertainment industry (CDs, DVDs, software, etc). IRM is meant more specifically for documents

Encryption Architecture
- Data: The data we want to protect
- Encryption engine: Performs the encryption process
- Encryption keys: Values used during the encryption process that are later used to decrypt the data

Challenges for Encryption in the Cloud
- Key management is paramount. Whether the key resides in the cloud or on premises, it must be protected.
- Issues may arise if the CSP needs to process the encrypted data.
- Multitenancy uses shared resources such as RAM, where encryption keys could reside temporarily.
- CSPs mostly offer software-based encryption, which is more vulnerable than hardware-based encryption.
- Encryption can impact performance.
- Be wary of solutions that use a proxy type encryption engine, as it can be a single point of failure.
- Data integrity can be compromised with file replacement attacks. May need to use digital signatures on files.

Data Security Technologies & Strategies
Encryption & Key Management (Cont.)

Data Encryption in IaaS
- Basic storage-level encryption: Only protects from hardware theft or loss.
  - CSPs may still have access to view the data (Ex: AWS S3).
- Volume storage encryption: Encrypts a storage volume mounted to a virtual machine (VM).
  - Does not protect against access through the operating system, such as attackers or rogue employees
  - Two methods to implement:
    - Instance-based: Encryption engine resides on the VM instance.
    - Proxy-based: Encryption engine runs on a proxy instance. The proxy maps the volume data to the instance for secure access.
- Object storage encryption: Basic storage-level encryption is less secure, so it's best to encrypt data before sending it to the cloud.
  - File-level encryption: Using an IRM or DRM solution to protect individual files.
  - Application-level encryption: The encryption engine resides within the application itself, allowing the application to ingest and use encrypted data.
- Database encryption:
  - File-level encryption: (See above)
  - Transparent encryption: Encryption engine resides within the database itself.
  - Application-level encryption: (See above)

Data Security Technologies & Strategies
Encryption & Key Management (Cont.)

Key Management
- The most challenging component of encryption
- Common challenges with encryption keys:
  - Access to keys: Regulatory requirements and ensuring CSPs don't have access
  - Key storage: Keys must be securely stored to prevent access and must be auditable for access
  - Backup and replication: Backup and replication can create the need for long-term key storage

Key Management Considerations
- Keys should always remain in a trusted environment and never be transmitted in plain text.
- Loss of keys equals loss of data.
- Key management functions should not be done by the CSP to enforce separation of duties.

Key Storage in the Cloud
- Internally managed: Keys are stored on the VM or application where the encryption engine resides.
  - Protects against data loss
- Externally managed: Keys are stored separately from the encryption engine and data.
  - Must consider how key management is integrated with the encryption engine (more complicated)
- Managed by a third party: Key escrow services

Data Security Technologies & Strategies
Encryption & Key Management (Cont.)

Key Management in Software Environments
- CSPs normally use software-based encryption to avoid costs associated with hardware-based encryption.
  - Software-based encryption is more vulnerable to exploits than hardware-based encryption.
- Software-based encryption doesn't meet NIST's FIPS 140-2 or 140-3 specifications.
  - Software-based encryption has a hard time identifying signs of tampering.
  - May cause an issue if you work with US federal government agencies.
- It's your responsibility to find out what type of encryption your CSP offers.

[Figure: Data Encryption]

Data Security Technologies & Strategies
Hashing

Hashing: Using a one-way cryptographic function to create a new value that will replace sensitive data

Hashing:
- Provides a way to hide sensitive data
- Allows for an integrity check of the data by checking it against the hashed value
- The hashed value cannot be used to reverse-engineer the original data

Data Security Technologies & Strategies
Masking and Obfuscation

Masking and data obfuscation: The process of changing data so it doesn't appear to be what it is

Generally used to comply with standards by masking sensitive data such as SSN, DOB, phone number, etc.

Sometimes used to take production data and turn it into testing data by masking sensitive data

Common Approaches to Data Masking
- Random Substitution: Substitutes sensitive data with random data
- Algorithmic Substitution: Substitutes sensitive data with algorithmically-generated data
- Shuffle: Shuffles data around between fields
- Masking: Uses "XXXX" to cover up data
- Deletion: Deletes the data or uses a null value

Primary Methods of Masking Data
- Static: A new, sanitized copy of the data is made before use
- Dynamic: Data is sanitized on the move between storage and use

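The five masking approaches and the static/dynamic split above, as an added Python example that is not part of the original course material. The sample records, the role names, and every function name are constructed for illustration.

```python
import hashlib
import hmac
import random
import string

# Constructed sample records (not real data).
CUSTOMERS = [
    {"name": "Ana Ruiz", "ssn": "123-45-6789", "dob": "1984-02-11", "phone": "555-0101"},
    {"name": "Bo Chen", "ssn": "987-65-4321", "dob": "1990-07-30", "phone": "555-0102"},
    {"name": "Cy Okoro", "ssn": "456-78-9123", "dob": "1975-12-05", "phone": "555-0103"},
]


def random_substitution(value, rng):
    """Random substitution: swap each letter/digit for a random one, keep the format."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(rng.choice(string.digits))
        elif ch.isalpha():
            out.append(rng.choice(string.ascii_letters))
        else:
            out.append(ch)
    return "".join(out)


def algorithmic_substitution(value, key):
    """Algorithmic substitution: keyed and deterministic, so the same input
    always maps to the same output and joins across masked tables still work."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return "".join(
        str(digest[i % len(digest)] % 10) if ch.isdigit() else ch
        for i, ch in enumerate(value)
    )


def shuffle_column(rows, field, rng):
    """Shuffle: real values stay in the data set but move to other records."""
    values = [row[field] for row in rows]
    rng.shuffle(values)
    return [dict(row, **{field: v}) for row, v in zip(rows, values)]


def mask(value, keep_last=4):
    """Masking: cover letters/digits with X, optionally leaving the tail visible."""
    total = sum(ch.isalnum() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isalnum():
            seen += 1
            out.append(ch if seen > total - keep_last else "X")
        else:
            out.append(ch)
    return "".join(out)


def static_mask(rows, key, seed):
    """Static: build a sanitized copy once, before use (for example as test data)."""
    rng = random.Random(seed)  # seeded so the test data set is reproducible
    shuffled = shuffle_column(rows, "dob", rng)
    return [
        {
            "name": random_substitution(row["name"], rng),
            "ssn": algorithmic_substitution(row["ssn"], key),
            "dob": row["dob"],
            "phone": None,  # deletion: the field is replaced by a null value
        }
        for row in shuffled
    ]


def dynamic_mask(row, role):
    """Dynamic: the stored row is untouched; it is sanitized as it is read."""
    if role == "payroll":  # hypothetical role that may see raw values
        return dict(row)
    return dict(
        row,
        ssn=mask(row["ssn"]),
        dob=mask(row["dob"], keep_last=0),
        phone=mask(row["phone"]),
    )
```

Shuffling and partial masking keep real values or fragments in the output, so they give weaker protection than substitution or deletion on small data sets.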
Data Security Technologies & Strategies
Tokenization

Tokenization: Replacing sensitive data with a non-sensitive piece of data known as a token. This token can map back to the original sensitive information when it needs to be used.

Benefits of Tokenization
- Complying with regulatory requirements
- Reducing the cost of compliance
- Reducing the risk associated with storing sensitive data
- Reducing the attack vectors of sensitive data

6 Steps of Tokenization
1. Sensitive data is generated.
2. Data is sent to the tokenization server.
3. A token is generated, and the sensitive data and its associated token are stored in a database.
4. The tokenization server sends the token back to the application so it can substitute the sensitive data with it.
5. The application stores the token.
6. When sensitive data is needed, the data can be requested by the application by submitting the token.

Data Security Technologies & Strategies
Tokenization

[Figure: tokenization diagram showing the Application Server, Application Database, Tokenization Server, and Token DB, with the flows labeled 1 through 6.]

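The six tokenization steps, as an added Python example that is not part of the original course material. The class names, the caller allow-list on the tokenization server, the `tok_` prefix, and the card number (a constructed test value) are assumptions made for illustration.

```python
import secrets


class TokenizationServer:
    """Holds the token DB: the only place the sensitive value is stored."""

    def __init__(self, allowed_callers):
        self._token_db = {}   # token -> sensitive value
        self._by_value = {}   # sensitive value -> token, so repeats reuse a token
        self._allowed = set(allowed_callers)  # assumption: callers are allow-listed

    def _check(self, caller):
        if caller not in self._allowed:
            raise PermissionError(f"{caller} may not use the tokenization service")

    def tokenize(self, caller, value):
        self._check(caller)
        if value in self._by_value:
            return self._by_value[value]
        # Step 3: the token is random, not derived from the value, so it
        # cannot be reversed without access to the token DB.
        token = "tok_" + secrets.token_hex(16)
        self._token_db[token] = value
        self._by_value[value] = token
        return token          # step 4: only the token goes back to the caller

    def detokenize(self, caller, token):
        self._check(caller)
        return self._token_db[token]   # KeyError for an unknown token


class Application:
    """Application server plus its own database, which only ever holds tokens."""

    def __init__(self, name, server):
        self.name = name
        self.server = server
        self.database = {}    # customer id -> token

    def save_card(self, customer_id, card_number):
        # Step 1: the sensitive value is generated or received by the application.
        # Step 2: it is sent to the tokenization server.
        token = self.server.tokenize(self.name, card_number)
        # Step 5: the application stores the token in place of the value.
        self.database[customer_id] = token

    def last4(self, customer_id):
        # Step 6: the token is submitted when the real value is needed.
        token = self.database[customer_id]
        card_number = self.server.detokenize(self.name, token)
        return card_number[-4:]


def demo():
    server = TokenizationServer(allowed_callers={"billing-app"})
    billing = Application("billing-app", server)
    billing.save_card("cust-1", "4111111111111111")   # constructed test number

    # A second application that obtained a copy of the token but is not
    # allow-listed cannot turn it back into the card number.
    reporting = Application("reporting-app", server)
    reporting.database["cust-1"] = billing.database["cust-1"]
    try:
        reporting.last4("cust-1")
        leaked = True
    except PermissionError:
        leaked = False
    return billing.database["cust-1"], billing.last4("cust-1"), leaked
```

A breach of the application database in this layout exposes tokens only; the token DB and the controls around `detokenize` are what need the strongest protection.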
Cloud Data Security
Data Security Technologies & Strategies
Data Loss Prevention (DLP)

Data Loss Prevention (DLP): Security controls put in place to prevent certain types of data from leaving the organizational boundaries
- DLP products are available
- Generally watch for keywords (SSN, DOB, account numbers, etc.) and will prevent that data from leaving the organization via email, file uploads, etc.
- Also known as egress filtering
- Is not considered to help with access control

DLP Components
- Discovery and classification (what to look for)
- Monitoring (notification of issues)
- Enforcement (prevent data loss)

DLP Architecture
- Data in motion (DIM): Network-based or gateway DLP. Monitors SMTP, HTTP, HTTPS, SSH, FTP, etc., for sensitive data and prevents it from leaving the organization.
- Data at rest (DAR): Storage-based. Used for tracking and identifying data as it's installed on the system where the data resides; generally needs another mechanism for enforcement.
- Data in use (DIU): Client- or endpoint-based. Resides on users' workstations. Requires a considerable amount of management; not easy to deploy and manage.
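
The three DLP components above, applied at a gateway (data in motion), shown as an added Python example that is not part of the course material. The patterns, the example.com organizational domain and the sample destinations are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Discovery and classification: what to look for (assumed rule set).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
KEYWORD_RE = re.compile(r"\b(ssn|dob|date of birth|account number)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> list:
    """Return the sorted list of sensitive-data types found in text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("account_number")
    if KEYWORD_RE.search(text):
        found.add("keyword")
    return sorted(found)


@dataclass
class Verdict:
    action: str                      # "allow", "alert" or "block"
    findings: list = field(default_factory=list)


def inspect_egress(destination: str, body: str,
                   org_domains=("example.com",), enforce=True) -> Verdict:
    """Gateway check for one outbound email or upload.

    destination is a mail address or a host name. Traffic that stays inside
    the organizational boundary is not egress and is allowed.
    """
    domain = destination.rsplit("@", 1)[-1].lower()
    inside = domain in org_domains or domain.endswith(
        tuple("." + d for d in org_domains))
    if inside:
        return Verdict("allow")
    findings = classify(body)
    hard = [f for f in findings if f != "keyword"]
    if hard and enforce:
        return Verdict("block", findings)   # enforcement: prevent data loss
    if findings:
        return Verdict("alert", findings)   # monitoring: notify only
    return Verdict("allow")


if __name__ == "__main__":
    # Constructed sample traffic.
    for dest, body in [
        ("bob@example.com", "SSN 123-45-6789"),
        ("alice@partner.test", "Customer SSN: 123-45-6789"),
        ("upload.partner.test", "card 4111 1111 1111 1111"),
        ("alice@partner.test", "order 1234 5678 9012 3456 shipped"),
    ]:
        print(dest, inspect_egress(dest, body))
```

Running with enforce=False gives the monitoring-only mode: the same findings are reported as alerts and nothing is blocked.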

Data Loss Prevention (DLP) (Cont.)

Cloud-Based DLP Considerations
- Data movement (replication): Can be challenging for DLP systems to deal with.
- Administrative access: Discovery and classification can be difficult in dispersed cloud environments.
- Performance impact: Network or gateway DLP solutions can impact network performance, while workstation DLP solutions can slow down endpoints.
- CSP approval: May need CSP approval to deploy.
  - A hardware solution would need approval to be racked at the datacenter and would be difficult to get approved
  - If it's a CSP-offered product, no worries!
  - If it's software you're deploying into PaaS, no worries!
  - If it's a virtual image deploying into IaaS, it's best to check with the CSP

DLP Policy Considerations
- What classification of data is permitted to be stored in the cloud?
- Where can this data be stored (geographically)?
- How should the data be stored (encrypted)?
- When can data leave the cloud, if ever?

Most cloud vendors offer DLP solutions. If yours doesn't, there are many commercial offerings.

Data De-Identification (Anonymization)

Anonymization: The process of removing direct and indirect identifiers.
- Can be done by sampling like data and generalizing the data to ensure the group shares the same value for sensitive data.
- This would make it hard to identify a single individual because the sensitive data is the same for all users.
- Think Where's Waldo? but with data.

Example Scenario
- In a system, there is a list of home addresses. If all the addresses were grouped by ZIP code, it would make it difficult to pick out a single person who lives in Baltimore because all of the addresses include Baltimore ZIP codes.

K-Anonymity: An industry term used to describe a technique for hiding an individual's identity in a group of similar persons.

Identifier Types
- Direct: Data that directly identifies someone (name, address, DOB, SSN, etc.). Is usually classified as PII.
- Indirect: Data that indirectly identifies someone (events, dates, demographics, etc.). When combining several of these data points, it may be possible to identify someone.
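
The ZIP-code scenario above, carried through as an added Python example that is not from the course material. It goes one step beyond the slide by also generalizing birth year as a second indirect identifier; the records, the generalization levels and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed records. Direct identifiers (name, SSN) are already removed;
# zip and birth_year are indirect identifiers, diagnosis is the sensitive value.
RECORDS = [
    {"zip": "21201", "birth_year": 1984, "diagnosis": "asthma"},
    {"zip": "21202", "birth_year": 1986, "diagnosis": "diabetes"},
    {"zip": "21205", "birth_year": 1981, "diagnosis": "asthma"},
    {"zip": "21218", "birth_year": 1975, "diagnosis": "flu"},
    {"zip": "21224", "birth_year": 1979, "diagnosis": "asthma"},
    {"zip": "21230", "birth_year": 1972, "diagnosis": "diabetes"},
]

# Generalization levels, least to most coarse:
# (ZIP digits kept, width of the birth-year bucket in years).
LEVELS = [(5, 1), (4, 1), (4, 5), (3, 5), (3, 10), (2, 10), (0, 100)]


def generalize(record, zip_digits, year_bucket):
    """Coarsen the indirect identifiers of one record."""
    zip_code = record["zip"][:zip_digits] + "*" * (5 - zip_digits)
    year = record["birth_year"] // year_bucket * year_bucket
    return zip_code, year


def k_of(records, zip_digits, year_bucket):
    """k is the size of the smallest group sharing the same generalized identifiers."""
    if not records:
        return 0
    groups = Counter(generalize(r, zip_digits, year_bucket) for r in records)
    return min(groups.values())


def find_generalization(records, k):
    """Return the least coarse level at which every record hides among >= k records."""
    for zip_digits, year_bucket in LEVELS:
        if k_of(records, zip_digits, year_bucket) >= k:
            return zip_digits, year_bucket
    return None


def release(records, k):
    """Produce the k-anonymous view of the records, or refuse if none exists."""
    level = find_generalization(records, k)
    if level is None:
        raise ValueError("no generalization level reaches k=%d" % k)
    zip_digits, year_bucket = level
    out = []
    for r in records:
        zip_code, year = generalize(r, zip_digits, year_bucket)
        span = str(year) if year_bucket == 1 else "%d-%d" % (year, year + year_bucket - 1)
        out.append({"zip": zip_code, "birth_year": span, "diagnosis": r["diagnosis"]})
    return out


if __name__ == "__main__":
    print("k with raw identifiers:", k_of(RECORDS, 5, 1))
    print("level needed for k=3:", find_generalization(RECORDS, 3))
    for row in release(RECORDS, 3):
        print(row)
```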

Data Discovery and Classification
Structured and Unstructured Data

What Data Do We Have?
- If we don't already know, we need data discovery.
- Maybe we already know, but we want to get more out of it.

Data Discovery
- Can have more than one meaning
- Working to create a data inventory
- E-discovery is the process used to collect electronic evidence for a criminal investigation
- Collection and analysis of data to find patterns and gain useful insight (data mining, big data, real-time analytics)

Structured Data: Data in a structured format such as a database (SQL)

Unstructured Data: Data in an unstructured format such as a file share (AWS S3, NoSQL)

[Figure: Structured Data and Unstructured Data]

Structured and Unstructured Data (Cont.)

Data Discovery Approaches
- Big Data: Analyzing very large data sets to extract information
- Real-Time Analytics: Looking for patterns of usage
- Agile Analytics: Free-form adaptive analysis that focuses on a specific need and doesn't look at all data
- Business Intelligence: Analyzing data and presenting useful information to help decision makers

Data Discovery Techniques
- Metadata: Information about a file (owner, size, creation date, etc.)
- Labels: Labels assigned to data by the owner
- Content Analysis: Analyzing data content using keywords

Data Discovery Issues
- Poor data quality (no labels, scattered, or in various formats)
- Hidden costs

Challenges with Data Discovery in the Cloud
- Can be hard to identify where the data is (dispersed/replicated)
- Accessing the data can be tricky

Mapping, Labeling, and Sensitive Data

Data Classification: The process of determining classification categories and labels, then identifying the data, recording its location, and labeling the data.
- Requires a good relationship between classifications and labels
- Organizational policies will determine classifications to be used by the organization when classifying data
- Data owners will apply labels to adhere to the classifications

Classifications
- Confidential, Secret, Top Secret
- Internal only, limited sharing

Mapping: Locating data and recording its location, data format, file types, and location type (database, volume, etc.)

Labeling: Tags applied to data by the data owner that describe the data.
- Common labels:
  - to encrypt, not to encrypt
  - internal use, limited sharing
  - sensitive

Sensitive Data
- Intellectual property (IP)
- Patient medical information (HIPAA)
- Personally identifiable information (PII) (SSN, passport number, credit report, etc.)
- Federally protected data (FERPA) (student information, grades)

Information Rights Management
Objectives

Information Rights Management (IRM): A form of security technology used to protect data by adding independent access controls directly into the data.
- Adds an extra layer of access controls on top of the data's inherent controls
- IRM's access controls are embedded into the data object and move with the data
- Can be used to protect data other than documents, such as emails, web pages, databases, etc.
- Often used interchangeably with DRM (Digital Rights Management)

Data rights: Controlling access to data based on centrally managed policies. Who has the right to access the data?

Access Models
- Mandatory access control (MAC): Grants access based on labels such as confidential or secret, according to organizational policy. Most restrictive access model.
- Role-based access control (RBAC): Grants access based on the user's role or responsibility according to organizational policy.
- Discretionary access control (DAC): The system or data owner controls who has access; it's up to their discretion.

Objectives (Cont.)

IRM Challenges in the Cloud
- Each individual resource must be provisioned with an access policy (heavy management)
- Each user must be provisioned with an account and keys (consider automation of enrollment)
- Most IRM platforms require each user to install a local IRM agent for key management
- When reading IRM-protected files, the reader software must be IRM-aware
- Mobile platforms have known issues with IRM compatibility

[Figure: Information Rights Management]

Appropriate Tools

Capabilities and Tools of IRM Solutions
- These tools are features of an IRM solution
- Persistent protection at rest, in transit, and after distribution
- Content owners can change permissions as needed (view only, no copy, no print), and can expire content even after it's been distributed
- Automatic expiration (data must check in with the IRM solution before being used)
- Continuous audit trail
- Integration with third-party applications such as email filtering for automated protection of outbound emails
- Disable copy, paste, screen capture, print, and other capabilities

Data Retention, Deletion, & Archiving Policies
Retention Policies

Data retention policies should contain the following:
- Retention periods: How long to keep the data
  - Will be based on legal and regulatory requirements
    - PCI Requirement 3.1: Organizations should "Keep cardholder data storage to a minimum"
    - HIPAA: Requires some data to be retained for 6 years
    - IRS: 7 years, in some cases
  - What are your organization's data retention requirements?
- Retention formats: What type of media is used, is it encrypted, and what is the retrieval process?
- Data classification: How specific data classifications will be stored and retrieved
- Archiving and retrieval procedures: Detailed instructions on these processes
- Policy review and enforcement: How often the policy will be reviewed for effectiveness and who will be responsible for enforcing the policy

AWS Config
- Service that allows you to assess, audit, and evaluate the configs of your AWS resources
- Provides the ability to create retention policies for data and will auto-delete data based on policy rules

Check to see what your CSP offers, or ask prospective CSPs what they offer!

Deletion Procedures & Mechanisms

In the Legacy Environment
- Physical destruction of hardware
- Degaussing
- Overwriting with multiple passes
- Crypto-shredding

Cloud Data Deletion
- Crypto-shredding is the best option

Crypto-shredding
1. Encrypt data with key A.
2. Encrypt key A with key B.
3. Delete data.
4. Delete key A and key B.

Need to have a data disposal policy that outlines the procedures used to delete or sanitize cloud data.

AWS Data Sanitization Procedures
- AWS uses techniques outlined in NIST 800-88 (Guidelines for Media Sanitization) when decommissioning customer data
- Amazon's EFS (Elastic File System) is designed such that once data is deleted, it will never be served again
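
The four crypto-shredding steps above, as an added Python example that is not from the course material. It shows why a replica the customer cannot overwrite becomes unreadable once key B is destroyed. The KeyStore class, the key ID and the sample data are constructed, and the cipher is a standard-library stand-in (HMAC-SHA256 keystream plus tag) used only so the example runs anywhere; in practice use AES-GCM from a vetted library or the provider's key management service.

```python
import hashlib
import hmac
import secrets

SAMPLE = b"name,ssn\nJane Roe,123-45-6789\n"   # constructed sample data


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Stand-in authenticated encryption: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


class KeyStore:
    """Models the key manager that holds key B, separate from the data store."""

    def __init__(self):
        self._keys = {}

    def create(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)

    def wrap(self, key_id, key_a):
        return seal(self._keys[key_id], key_a)

    def unwrap(self, key_id, wrapped):
        return open_sealed(self._keys[key_id], wrapped)   # KeyError once destroyed

    def destroy(self, key_id):
        del self._keys[key_id]   # a real key manager also erases the key material


def store(kms, key_id, plaintext):
    key_a = secrets.token_bytes(32)
    return {
        "ciphertext": seal(key_a, plaintext),          # step 1: data under key A
        "wrapped_key_a": kms.wrap(key_id, key_a),      # step 2: key A under key B
    }                                                  # plaintext key A is not kept


def read(kms, key_id, record):
    key_a = kms.unwrap(key_id, record["wrapped_key_a"])
    return open_sealed(key_a, record["ciphertext"])


def shred(kms, key_id, primary, name):
    primary.pop(name, None)   # step 3: delete the data (and wrapped key A) we control
    kms.destroy(key_id)       # step 4: without key B, no copy of key A can be unwrapped


def demo():
    kms = KeyStore()
    kms.create("tenant-key-b")
    primary = {"report.csv": store(kms, "tenant-key-b", SAMPLE)}
    replica = dict(primary)   # provider-side copy that cannot be overwritten
    before = read(kms, "tenant-key-b", replica["report.csv"])
    shred(kms, "tenant-key-b", primary, "report.csv")
    try:
        read(kms, "tenant-key-b", replica["report.csv"])
        recoverable = True
    except KeyError:
        recoverable = False
    return before, recoverable


if __name__ == "__main__":
    print(demo())
```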

Archiving Procedures & Mechanisms

Data archiving: The process of identifying and moving inactive data from a production system into a long-term archival storage system.

Long-term cloud storage is less expensive than production system storage. It is less expensive because it may take several hours to complete the data retrieval process. (Not instantly available like production data.)

Data archiving policies should include:
- Data encryption procedures
  - Long-term key management can be challenging
- Data monitoring procedures to track archived data as it moves around the cloud (must know where data is at all times)
- Ability to retrieve data in a granular manner using e-discovery, which allows for granular searching of archived data
- Backup and DR options if any archived data is necessary for business continuity (BC)
- A record of the data format, as proprietary formats may change over time (MS Office 98 documents may be impossible to open in a newer MS Office version)
- Detailed data restoration procedures

Example: AWS Glacier can be used for archiving data
- Archival storage may not be acceptable for BC/DR purposes because it is often slow to retrieve data and will impact recovery time objectives (RTOs)

Archiving Procedures & Mechanisms (Cont.)

Data archival security concerns:
- Long-term storage of related encryption keys
- Data format
  - Need to maintain software that can read the data
- Media on which data resides
  - Will the media deteriorate over time?

Legal Hold

If an organization is involved in litigation (pending legal actions), they may be notified of required compliance with a litigation hold, or legal hold.
- At this point the organization must show good faith efforts in preserving any data related to the case until the obligation no longer applies
- Routine data retention and destruction procedures must be suspended until the legal hold is over

Legal Hold Options in AWS
- Use a vault lock, which allows for a non-readable and non-rewritable format that meets several regulatory requirements for legal holds
- Legal hold can be enabled on a Glacier vault (long-term storage) by creating a policy that denies the use of delete functions

Auditability, Traceability & Accountability of Data Events
Event Sources & Requirements

Event sources: Systems, services, or devices that create and provide log events for analysis

SaaS Event Sources
- Typically have minimal access to event data
- Will most likely only be high-level application log data generated on client endpoints
- Will need to address this in the cloud SLA or contract, specifying what logs you may need access to, such as:
  - Web server logs
  - Application server logs
  - Database logs
  - Network captures
  - Billing records

[Figure: Complex Stream of Log Records (labels: Emails, User, Cloud Access, Windows)]

Event Sources & Requirements (Cont.)

PaaS Event Sources
- Since the organization is developing on the PaaS platform, the organization's development team will need to be consulted to gain an understanding of what logs are available and how to access them
- According to OWASP, the following application events should be logged:
  - Input validation failures (protocol violations, unacceptable encoding, invalid parameter names and values)
    - Could be an attempted injection attack
  - Output validation failures (database record set mismatch, invalid data encoding)
  - Authentication successes and failures
  - Authorization (access control) failures
  - Session management failures (cookie session ID value modification)
  - Application errors and system events (runtime, connectivity, performance, file system errors, third-party errors)
  - Use of high-risk functions (add/remove users, permissions changes, privilege changes, assigning of tokens, creation and deletion of tokens, use of sys admin privileges, use of encryption keys, access to sensitive data, creation and deletion of objects, data import and export activities, etc.)

Event Sources & Requirements (Cont.)

IaaS Event Sources
- Should have access to event and diagnostics data
- Many of the infrastructure logs will be available
- Logs that will probably be important at some point:
  - Cloud or network provider perimeter network logs
  - DNS logs
  - VM logs
  - Host OS and hypervisor logs
  - API logs
  - Management portal logs
  - Packet captures
  - Billing records

Event Attributes
- Information about individual event entries in logs such as:
  - Timestamp
  - Event ID
  - Application ID (name/version)
  - IP addresses
  - Service name
  - URL or code information
  - Accounts involved
  - Severity
  - Description

AWS offers Centralized Logging (built on the Amazon Elasticsearch service), which allows for collection and analysis of AWS service logs.

Logging, Storage & Analysis

Security Information & Event Management (SIEM)
- SIM + SEM = SIEM
- A system that collects logs from many systems and provides real-time analysis of the data, providing alerting and reporting for specific events
- SIEMs are sold as software, appliances, or as a managed service

SIEMs provide:
- Data aggregation: Bringing many logs from the operating system, network devices, and applications together for analysis
- Correlation: Looking for common attributes within the logs that can be used to link events together
- Alerting
- Dashboards: Much faster than reading through reports
- Compliance: Can generate compliance reports based on event log data
- Retention: Long-term storage
  - Most SIEMs don't actively provide long-term storage. They tend to offload events after a certain age to an internal archival area. This is because you could end up with billions upon billions of events over time, and most systems cannot manage that much data efficiently.
- Forensic analysis: Searching through logs from many systems by specific date, time, or other criteria
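
Data aggregation and correlation as described above, using the event attributes listed under Event Attributes, shown as an added Python example that is not from the course material. The two log formats, the sample lines, the thresholds and the rule itself (repeated authentication failures, then a success, then a high-risk data export by the same account and IP) are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample logs from two event sources with different layouts.
APP_LOG = """\
2024-05-01T10:00:05Z app=portal/2.3 ip=203.0.113.7 event=AUTH_FAIL account=jdoe
2024-05-01T10:00:09Z app=portal/2.3 ip=203.0.113.7 event=AUTH_FAIL account=jdoe
2024-05-01T10:00:14Z app=portal/2.3 ip=203.0.113.7 event=AUTH_FAIL account=jdoe
2024-05-01T10:00:31Z app=portal/2.3 ip=203.0.113.7 event=AUTH_OK account=jdoe
2024-05-01T10:02:00Z app=portal/2.3 ip=198.51.100.4 event=AUTH_FAIL account=asmith
2024-05-01T10:02:20Z app=portal/2.3 ip=198.51.100.4 event=AUTH_OK account=asmith
"""
DB_LOG = """\
2024-05-01 10:03:10|db-audit|EXPORT|jdoe|203.0.113.7|customers table, 50000 rows
2024-05-01 10:04:00|db-audit|EXPORT|asmith|198.51.100.4|weekly report, 120 rows
"""


def parse_app(line):
    """Normalize one application log line into the common event attributes."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {"timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "service": "app", "application_id": kv["app"], "ip": kv["ip"],
            "event_id": kv["event"], "account": kv["account"], "description": ""}


def parse_db(line):
    """Normalize one database audit line into the same attributes."""
    ts, service, event, account, ip, desc = line.split("|", 5)
    return {"timestamp": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "service": service, "application_id": "", "ip": ip,
            "event_id": event, "account": account, "description": desc}


def aggregate():
    """Data aggregation: one time-ordered stream from all sources."""
    events = [parse_app(l) for l in APP_LOG.splitlines() if l]
    events += [parse_db(l) for l in DB_LOG.splitlines() if l]
    return sorted(events, key=lambda e: e["timestamp"])


def correlate(events, threshold=3, window=timedelta(minutes=5),
              follow=timedelta(minutes=10)):
    """Correlation: link events that share account and IP address."""
    fails = {}      # (account, ip) -> times of recent authentication failures
    suspect = {}    # (account, ip) -> time of the success that followed them
    alerts = []
    for e in events:
        key = (e["account"], e["ip"])
        t = e["timestamp"]
        if e["event_id"] == "AUTH_FAIL":
            fails.setdefault(key, []).append(t)
        elif e["event_id"] == "AUTH_OK":
            recent = [f for f in fails.pop(key, []) if t - f <= window]
            if len(recent) >= threshold:
                suspect[key] = t
                alerts.append({"severity": "medium", "timestamp": t,
                               "account": key[0], "ip": key[1],
                               "description": "login after %d failures" % len(recent)})
        elif e["event_id"] == "EXPORT" and key in suspect and t - suspect[key] <= follow:
            alerts.append({"severity": "high", "timestamp": t,
                           "account": key[0], "ip": key[1],
                           "description": "data export after suspicious login: "
                                          + e["description"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(aggregate()):
        print(alert)
```

Neither log raises the high-severity alert on its own; it only appears once the application and database events are joined on account and IP address.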
Cloud Data Security
Course Navigation Au dit abilit y, Tr aceabilit y & Accou n t abilit y of Dat a Even t s
Clou d Con cept s, Ch ain of Cu st ody & Non -Repu diat ion
Ar ch it ect u r e & Design
Section 1 Ch ain of cu st ody: The protection and preservation of evidence
throughout its life.

Clou d Dat a Secu r it y Docu m en t at ion Requ ir em en t s


Section 2 - When evidence was collect ed
- Where evidence is locat ed, du r in g w h ich dat es, and who
Cloudd Data
Clou Dat aConcepts
Con cept s
placed it there (for storage of evidence)
Cloud - Tr an sf er of evidence (from whom to whom , when)
Clou d Data
Dat aStorage
St or age
Architecture
Ar ch it ect u r e - Access to the evidence
Data - An alysis per f or m ed on the evidence
Clou dSecurity
Dat a StTechnologies
or age &
Strategies
Ar ch it ect u r e
Data
Dat a Discovery
Discover y&& A ch ain of cu st ody f or m should be used to docum ent the
Classification
Classif icat ion transfer of evidence between individuals.
Inform
I n f or mation
at ionRights
Righ t s
Managem
M an agement en t(IRM)
(I RM )
Data Ch ain of Cu st ody For m
Dat a Retention,
Ret en t ion Deletion
, Delet ion& &
Archiving
Ar ch ivin g Policies
Auditability, Traceability & Chain of custody in t h e clou d can be ver y dif f icu lt . If your
Au dit abilit y, Tr aceabilit y &
Accountability of Data Events
Accou n t abilit y of Dat a organization is in a regulated industry, you m ay want to include
Even t s
wordage related to CSP cooperation with chain of custody
Clou d Plat f or m & practices in your con t r act with the CSP.

Non-repudiation: The idea that someone cannot deny something
- Assurance that an individual created a specific item
  - File or email with digital signature of creator
- Assurance that an individual sent an email and another received it (digital signature of sent email, read receipt from receiver)

[Figure: Chain of Custody Form]

Cloud Platform & Infrastructure Security
Cloud Infrastructure Components
Physical Environment

[Figure: physical environment diagram with labels Telecom, Datacenter, Personnel, CSP Physical Location, Devices]

Shared responsibility: The idea that the CSP is not wholly responsible for security; instead, it is a shared responsibility between the customer and the CSP.
- In IaaS, the CSP is not responsible for:
  - Patching customer VM operating systems
  - Installing and managing security endpoint solutions
  - Managing access lists in the customer's environment
  - Compliance of settings the customer chooses to use
- In PaaS, the CSP is not responsible for:
  - Ensuring the customer follows secure coding practices
  - Compliance of the customer's code
- In SaaS, the CSP is not responsible for:
  - Compliance with how the customer uses the software
  - The type of data the customer enters into the software

Cloud Infrastructure Components
Network and Communications

[Figure: network diagram with labels ISP 1, ISP 2, Internet, Internet, Core, Distribution, Access]

Remember, cloud data still runs on hardware!

Cloud carrier: Organization that provides connectivity between the CSP and the cloud customer.

Network Functionality
- Address allocation (DHCP)
- Access control (IAM)
- Bandwidth allocation: Reserving bandwidth for a specific use
- Rate limiting: Limiting the amount of traffic
- Filtering: Closing ports or blocking specified protocols
- Routing

Software-Defined Networking (SDN): Allows for networking to be completely programmable, and the underlying hardware is simply commodity hardware. The goal is to make networking more agile, flexible, and centrally managed.

Cloud Infrastructure Components
Compute

Compute capacity is dependent on:
- Number of CPUs
- Amount of memory

Reservation: A guaranteed minimum amount of resources allocated to a guest (VM)

Limits: Maximum amount of resources allocated to a guest (VM)

Shares: Each guest is assigned a number of shares, and when contention occurs, those shares determine the amount of the available resources that a guest receives
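
How reservations, limits and shares interact under contention, as an added Python example that is not part of the original course material. The allocation loop, the per-guest demand figure, the MHz unit and the sample guests are assumptions for illustration and do not reproduce any specific hypervisor's scheduler.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Guest:
    name: str
    reservation: float  # guaranteed minimum (MHz is an assumed unit)
    limit: float        # maximum the guest may ever receive
    shares: int         # relative weight, only matters under contention
    demand: float       # what the guest currently asks for (assumption)


def allocate(capacity, guests):
    """Split host capacity: reservations first, then spare capacity by shares,
    never exceeding a guest's limit or its demand."""
    if sum(g.reservation for g in guests) > capacity:
        # Admission control: guarantees that cannot all be met are refused.
        raise ValueError("reservations exceed host capacity")
    if any(g.shares <= 0 for g in guests):
        raise ValueError("shares must be positive")

    target = {g.name: min(g.demand, g.limit) for g in guests}
    grant = {g.name: min(g.reservation, target[g.name]) for g in guests}
    spare = capacity - sum(grant.values())
    active = [g for g in guests if grant[g.name] < target[g.name]]

    while active and spare > 0:
        total = sum(g.shares for g in active)
        # Guests whose share-proportional offer would reach their ceiling are
        # capped there; what they cannot use is re-offered to the others.
        capped = [g for g in active
                  if spare * g.shares / total >= target[g.name] - grant[g.name]]
        if not capped:
            for g in active:
                grant[g.name] += spare * g.shares / total
            break
        for g in capped:
            spare -= target[g.name] - grant[g.name]
            grant[g.name] = target[g.name]
        active = [g for g in active if g not in capped]
    return grant


# Constructed sample guests on one host.
GUESTS = [
    Guest("db", reservation=4000, limit=8000, shares=3000, demand=8000),
    Guest("web", reservation=1000, limit=1500, shares=1000, demand=6000),
    Guest("batch", reservation=0, limit=10000, shares=1000, demand=10000),
]

if __name__ == "__main__":
    for name, mhz in allocate(10000, GUESTS).items():
        print(f"{name}: {mhz:.0f} MHz")
```

With 10000 MHz of capacity the host is contended: "web" stops at its limit, and the capacity it cannot use is divided between "db" and "batch" in a 3:1 ratio, matching their shares.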

Cloud Infrastructure Components
Virtualization

Virtualization: Includes the use of compute, storage, and network

Capacity monitoring: Used to ensure that resource allocation to the tenants of the virtual environment is fair and policy-based.

Sharing resources enables more efficient use of hardware

Virtualization allows for easier management

Hypervisor: Software, firmware, or hardware that makes a guest OS think it is running directly on physical hardware.
- Allows for running multiple guests on the same hardware
- Two types of hypervisors:
  - Type 1: Bare metal, runs directly on hardware
    - Ex: VMware ESXi
  - Type 2: Runs on top of another OS
    - Ex: VMware Workstation or VirtualBox
    - More susceptible to vulnerabilities and exploitation
- Risks associated with hypervisors:
  - Vulnerabilities in the hypervisor can lead to guest targeting
  - VM hopping: One tenant is able to see another tenant's data
  - Resource starvation in high-contention times
  - File attacks on images or snapshots

Cloud Infrastructure Components
Storage

Primary method of protecting data at rest is encryption

Block Storage
- Primary role of storage is to group disks together into logical volumes (LUNs, virtual disks, generic volume storage, and elastic block storage)
- Does not have a file system when created
- It's up to the OS on the VM to create the file system

Object Storage
- Has a flat file system already on it
- Simple file storage (files of nearly any type)
- Objects available via browser and REST API
- Examples:
  - AWS S3
  - Rackspace Cloud Files
- Typically the best way to store an OS image or snapshot
- Data can be replicated across multiple stores

Things to remember about object storage:
- Takes time for changes to replicate
- Not good for real-time data collaboration
- Best for static objects
- Good for backup storage, images, other static files

Cloud Infrastructure Components
Management Plane

Controls the entire infrastructure and is very high-risk

Allows admins to remotely manage all hosts

Key role is to create, provision, start/stop VM instances and live migration of VMs.

Customers have partial access via:
- Web portal
- Command line interface
- APIs
- All of these must have strict access controls

Regulatory requirements may call for a physically separate network

Management plane's primary interface is its API
- Web GUI is built on top of the API
- API allows for automation
  - Scripting
  - Orchestration
  - Managing user access
  - Configuration management
  - Allocating resources

Design a Secure Datacenter
Logical Design

Datacenters provide many basic services, known as "Power, Pipe, and Ping"
- Electrical power
- Air conditioning
- Network connectivity
- Power and pipe limit the density of servers in a datacenter

Multitenancy
- Must securely segregate tenants
- Logically separated physical networks (Ex: VLANs)

[Figure: switch ports Gi 0/1, Gi 0/2, Gi 0/3 and Gi 0/4; VLAN 1 Management 10.x.1.0/24, VLAN 2 Management 10.x.2.0/24, VLAN 3 Management 10.x.3.0/24, VLAN 4 Management 10.x.4.0/24]

Design a Secure Datacenter
Logical Design (Cont.)

Cloud Management Plane
- Provides access to monitoring and administration of the cloud environment
- Very high-risk (big target)
- Must be logically isolated, but physical isolation would be better

Separation of duties within CSP personnel
- Ex: Backup administrators do not perform audits of backups

Monitoring Capabilities
- Network devices must offer packet-level monitoring
- Hypervisors must provide the ability to monitor activity
- All implemented solutions must provide an acceptable level of audit capabilities

Automation
- Secure APIs
- Logging of API activities

Use of Software-Defined Networking (SDN) to support logical isolation

Access Control
- IAM system in use
- IAM system must be auditable

Design a Secure Datacenter
Logical Design (Cont.)

Service Models
- IaaS: Hypervisor features can be used to implement security features
- PaaS: Logical design features of the platform and database can be used to implement security features
- SaaS: Same as PaaS, plus application-level secure features can be implemented

All logical design features should be mapped to a compliance requirement
- Logging capabilities
- Retention periods
- Reporting capabilities

Design a Secure Datacenter
Physical Design

Location
- May impact customer's ability to meet legal and regulatory compliance due to the physical location being in a different jurisdiction
- Must have a clear understanding of all regulatory requirements ahead of time

Physical Design Standards
- ISO 27001:2013 - Information technology security techniques
- ITIL - Best practice framework for IT service management (ITSM)

Size
- Use of blade servers for high capacity vs. large mainframe servers
- Chicken coop design with cold and hot aisles
- Room for expansion (cooling, power, tenants)

Design a Secure Datacenter
Physical Design (Cont.)

Design Considerations
- Protection against natural disasters
- Access to resources during a natural disaster
  - Telecommunications
  - Clean water
  - Clean power
- Accessibility (not too remote)

Physical Protection
- Fences, walls, gates
- Electronic surveillance
- Ingress and egress monitoring

Buy or Build
- Datacenter tier certification
- Physical security
- Usage (dedicated vs. multitenant)
- Significant investment either way

Datacenter Design Standards
- Building Industry Consulting Service International (BICSI) | ANSI/BICSI 002-2014: Covers cabling design and installation
- International Data Center Authority (IDCA) | Infinity Paradigm: Covers data center location, facility structure, and infrastructure and applications
- National Fire Protection Association (NFPA) | NFPA 75 & 76: Specify how hot or cold aisle containment should be. NFPA 70: Requires implementation of an emergency power-off button to protect first responders.

Design a Secure Datacenter
Physical Design (Cont.)

Uptime Institute Data Center Site Infrastructure Tier Standard

Topology:
- Four-tiered architecture (each tier progressively more secure), reliable and redundant
  - Tier 1: Basic data center site infrastructure
  - Tier 2: Redundant site infrastructure capacity components
  - Tier 3: Concurrently maintainable site infrastructure
  - Tier 4: Fault-tolerant site infrastructure

Design a Secure Datacenter
Environmental Design

Heating, cooling, ventilation, power, network providers, and paths

Temperature and Humidity Guidelines
- American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) | Technical Committee 9.9: Provides guidelines for data center temperature and humidity
  - Temperature: 64.4-80.6°F (18-27°C) at equipment intake
  - Humidity: 40% @ 41.9°F (5.5°C) to 60% @ 59°F (15°C)

HVAC Considerations
- Lower temperatures equal higher cooling costs
- Power requirements for cooling are dependent on the amount of heat that must be moved as well as the temperature difference between inside and outside the datacenter

Air Management
- Work to prevent the mixing of incoming cool air and hot air exhaust
  - Prevents heat-related outages
  - Reduced power consumption = reduced cooling costs
- Key design issues:
  - Configuring equipment intake and exhaust ports
  - Location of supply and return
  - Large-scale airflow patterns in rooms
  - Set temperature of the airflow

Design a Secure Datacenter
Environmental Design (Cont.)

Cable Management
- Minimize airflow obstructions
- Raised-floor environments should have 24 inches of clearance
- Cable mining program
- Ongoing cable management plan
- Key factor in effective air management

Aisle Separation and Containment
- Use of hot and cold aisles

[Figure: hot and cold aisle layout with labels Precision Air Conditioning Units, Cold Aisle (x3), Hot Aisle (x2), Perforated Tiles (x3)]

- Designed to prevent the mixing of hot and cold air
- Significantly increases cooling capacity
- Requires hardware to be installed in the proper direction
- Plastic sheeting may be used to separate cold aisle

Design a Secure Datacenter
Environmental Design (Cont.)

Aisle Separation and Containment (Cont.)
- Empty U's in rack should be covered with blanks
- Raised floors and drop ceilings should be tightly sealed
- Under-floor cooling with perforated tiles to the cold aisle is very effective

Design a Secure Datacenter
Environmental Design (Cont.)

HVAC Design Considerations
- Local climate will affect HVAC designs
- Redundant HVAC should be used
- HVAC design should include keeping cold and warm air separate
- Ensure backup power is calculated for HVAC
- HVAC should filter contaminants and dust

Multi-Vendor Pathway Connectivity
- Redundant connectivity from multiple internet service providers (ISPs)
- Verify that ISPs use different backhauls upstream

Analyze Risks Associated with Cloud Infrastructure
Risk Assessment & Analysis

Types of Risks
- Policy and organizational risks: Related to choosing a CSP and outsourcing
  - Provider lock-in
    - Use favorable contract language (best)
    - Avoid proprietary data formats
  - Provider lock-out: Provider is unable or unwilling to provide services (out of business)
    - Keep data backups on premises or at another CSP
    - Be careful of interoperability issues with a different CSP
  - Loss of governance: Customer is unable to implement all necessary security controls
    - Because they own the underlying infrastructure, cloud providers are responsible for defining governance and deploying the necessary security controls; customers have some input, depending on the service model
    - SaaS offers the least amount of control over governance
  - Compliance risks: CSP is unable to provide necessary means for compliance

Analyze Risks Associated with Cloud Infrastructure
Risk Assessment & Analysis (Cont.)

General Risks
- Consolidation of services can cause a small problem to have a large impact (all eggs in one basket)
- CSPs build complex environments, which require advanced technical skills
- Technical risk shifts to the provider as they manage the underlying infrastructure
- Resource exhaustion due to over-subscription or resource failure

Legal Risks
- Data protection: The customer is ultimately responsible for protecting sensitive data such as PII.
- Jurisdiction: In the cloud, your data may reside in different jurisdictions, which can affect regulatory compliance.
- Law enforcement: If a tenant is compelled to hand over data to law enforcement, that tenant could inadvertently expose other tenants' data.
- Licensing: If a customer moves an application to the cloud, the licensing agreement must be reviewed for legality and any cost consequences (per-CPU licensing).
- Data ownership: A cloud vendor could try to take ownership of data created in the cloud by stating that it was created on their platform, therefore they own it. Contractual wording should be used to prevent this.

Analyze Risks Associated with Cloud Infrastructure
Cloud Vulnerabilities, Risks, Threats, and Attacks

Cloud-Specific Risks
- Management plane breach: Serious risk because this would give the attacker access to the entire infrastructure.
- Resource exhaustion: Over-subscription by the CSP may result in a lack of resources for your cloud services, which could cause an outage.
- Isolation control failure: When one tenant is able to access another tenant's resources or is affecting another tenant's resources.
- Insecure or incomplete data deletion: Be sure to use crypto-shredding.
- Control conflict risk: Implementing excessive controls can cause a lack of visibility.
- Software-related risk: Software is prone to vulnerabilities and must be kept up to date.
- Man-in-the-middle attack: Because everything is accessed from a remote location, cloud solutions increase the risk of man-in-the-middle attacks.

Virtualization Risks
- Guest breakout/guest escape: Escape from a guest OS to access the hypervisor
- Snapshot and image security: These may be complete copies of a guest OS, as files are easily moved
- Sprawl: Not managing allocation can allow for over-creation of virtual resources

Analyze Risks Associated with Cloud Infrastructure
Countermeasure Strategies

Multiple layers of defense are needed

[Figure: layers of defense labeled Firewall, IPS, SIEM, Alerting, Endpoint Protection]

Analyze Risks Associated with Cloud Infrastructure
Countermeasure Strategies (Cont.)

Compensating Controls
- Additional controls that provide backup to primary security controls
- Must have the same intent and level of defense as the original control
- Ex: Company policy states security measures will be used to control access to sensitive material
  - Primary control used is standard filesystem permissions
  - Compensating controls include:
    - Use of Network Access Controls (NACs) to prevent unauthorized access to the network
    - SIEM rules to look for and alert on failed attempts to access sensitive data
    - DLP system to prevent sensitive data from leaving the organization
    - IRM solution to attach additional access controls directly to data in the event it does leave the organization

Cloud Platform & Infrastructure Security
Analyze Risks Associated with Cloud Infrastructure

Countermeasure Strategies (Cont.)

Automation
- Use of automation for configuration
- Automate the building of VMs
- Ensures they'll all be up to standards (updated, patched, use proper security settings, etc.)
- Reduces human error (e.g., forgetting to patch)
- Allows for updating of a golden or baseline image

Access Controls
- Physical (doors, locks, biometrics, guards, etc.)
- System (hypervisor, VM OS, network, etc.)
- Role (CSP employee, customer, developer, third-party vendor, remote, auditor, etc.)

Design and Plan Security Controls

Audit Mechanisms

The purpose of a risk audit is to provide assurance that proper risk controls are in place and functional.

Reasons for Audits
- Regulatory or legal requirements
- Quality control
- Best practice for security program

The Cloud Security Alliance Cloud Controls Matrix (CCM) provides a framework for CSPs to demonstrate adequate risk management.

Audit Mechanisms
- Logs (high-risk events logged)
- Packet captures (prove HTTP authorization denied, only HTTPS accepted)
- Config files
- Policies
- Reports (SIEMs)

Compliance audits need to be conducted by a representative (regulator) from the industry or organization that sets the compliance requirements.

Audits of the cloud don't generally involve physical access, so the reports may be less complete than an on-premises audit and may be considered less trustworthy because of this fact.

Identification, Authentication, and Authorization

Identity Providers
- Use standard authentication protocols such as OpenID and OAuth
- Many corporate environments use Microsoft Active Directory
- Other protocols are Security Assertion Markup Language (SAML) and WS-Federation

Authentication vs. Authorization
- Authentication is the process of validating an identity (identity providers)
- Authorization is the process of granting access to resources (relying party)

Identity Management
- Authentication done by identity provider
- Process of registering, provisioning, and deprovisioning identities

Access Management
- Authorization for relying party
- Managing an identity's access rights to resources

Identification, Authentication, and Authorization

Identity federation: Trust relationship between multiple identity management platforms at different organizations to provide identity services.

Ex: Using local Active Directory authentication to log in to AWS.

[Diagram: Local AD (Identity Provider) and AWS (Relying Party)]

Identity federation involves two parties:
- Identity provider: Responsible for providing authentication
- Relying party: Relies on the identity provider for authentication services

Virtualization System Protection

Snapshotting of images should be considered for incident response and any forensic work that needs to be done.

Security controls in virtualization include:
- Traffic control or isolation using security groups (access lists)
- Guest operating system security software (anti-virus, anti-malware, etc.)
- Encryption (file and volume)
- Image lifecycle (image creation, distribution, deletion)

System and Communication Protection (Cont.)

Protecting Data in Motion
- VLANs can be used to separate data, which helps provide data confidentiality and integrity. VLANs also help reduce resource contention and are very often mandated by compliance standards.
- Encryption is another way to protect data in motion using:
  - VPNs (IPSEC / SSL)
  - SSL / TLS (HTTPS)
  - SSH certificates
- Other security controls available within the network:
  - Firewalls or security groups (access lists)
  - DLP

Data Backups
- To the same CSP as the production environment
  - Speed up recovery time
- To a secondary CSP
  - Avoid provider lock-out

System and Communication Protection

Trust zones control access in both directions (in/out) and protect data confidentiality and availability.

[Diagram labels: Project Server; Contractor Jump Box; Accounting Server; Datacenter]

Physical and Environmental Protection (Cont.)

[Diagram labels: CSP Physical Location, Datacenter, Telecom, Personnel, Devices]

Datacenter Protection
- Multiple layers
  - Guard at gate
  - Badge at gate
  - Badge at main door
  - Guard at main door
  - Biometric check plus badge at each zone with mantrap

Redundant services (power, cooling, HVAC, networking, etc.)

CSP Personnel
- Background checks and screening
- Training
- Incident response

Physical and Environmental Protection

Physical Security Standards
- NIST SP800-14: General principles and practices for securing IT systems
- NIST SP800-123: General server security

Key Regulations for CSP Facilities
- PCI DSS
- HIPAA
- NERC CIP (Critical Infrastructure Protection)

Security Control Examples
- Policies and procedures dictate how we implement and manage security controls
- Physical access
- Physical perimeter security (fences, walls, barriers, gates, electronic surveillance, guards)

Plan Disaster Recovery and Business Continuity

Risks Related to the Cloud Environment
- Natural disaster (flooding, power, cooling, damage to physical structure)
- Equipment failure
- Lack of support staff
- Failure of CSP to provide service (bankruptcy, lack of resources, etc.)

Risks That Threaten BCDR Practices
- BCDR strategies normally involve high-availability solutions, which are more complicated to manage and can be affected by a lack of technical skills
- Equipment failure
- Geographically diverse locations used in BCDR may have network congestion issues
- Regulatory compliance issues if a DR location is in a separate jurisdiction
- Poor encryption key management

Risks Related to the Cloud Environment (Cont.)

BCDR Scenarios
- On-premises to CSP failover:
  - Technical capabilities to make this happen
  - Speed at which failover can occur
- Failover between zones within the same CSP:
  - Are all of the same CSP services available in the failover zone?
  - Have the CSP's capabilities been tested?
- Failover from one CSP to another CSP:
  - Just like selecting a new CSP: must vet thoroughly
  - Speed at which the failover can occur
  - Impact on end users (will it look different, how do they connect, etc.)

Business Requirements

Recovery Time Objective (RTO): Acceptable amount of downtime for business-critical applications before they need to be functional again after an event
- Prioritize applications and services
- If less downtime is needed:
  - Deploy DR solutions that allow for faster recovery
  - More personnel to complete tasks

Recovery Point Objective (RPO): Acceptable amount of data the organization is willing to lose if restoration is required after an event
- Dependent on data replication schedule
- Ex: Replication every 4 hours, may lose up to 4 hours' worth of data
- How to reduce data loss:
  - Replicate more frequently
  - Increased bandwidth
  - Licensing costs

Recovery Services Level (RSL): A percentage (0-100%) of the amount of resources (compute) needed during a disaster, based on the services required during that period
- All services will be restored during a disaster = 100% RSL
- Only the most critical services will be restored during a disaster = 30% RSL
- Completely dependent on organizational requirements

Business Impact Analysis (BIA) determines the RPO/RTO.

Business Continuity/Disaster Recovery Strategy

Location
- Is it far enough (geographically) from the primary location?
- Is it in a separate jurisdiction (compliance)?
- Can the remote site handle the cutover?
- Adequate bandwidth and services

Data Replication
- Block-level replication protects against data loss but not database corruption
- Look at other options for data types, such as databases
- Consider storage and bandwidth limitations

Functionality Replication
- Recreating the same functions at a different location
- Passive mode: Replicated resources are in standby mode
- Active mode: Replicated resources are participating in production
- For databases, may use database as a service if replicating within the same CSP

Other Considerations
- Replicating to a second CSP reduces risk of vendor lock-out with a single CSP
- Personal safety is the most important thing
- Monitoring is key to failover timeliness

Creating, Implementing, and Testing a Plan

Functional Drill/Parallel Test
- Mobilize personnel to other sites
- Establish communications and perform recovery process according to BCDR
- Determine if critical systems can be recovered at remote sites and BCDR procedures are adequate
- Parallel processing of data to ensure backup site functionality

Full-Interruption/Full-Scale Test
- Most comprehensive test
- Must ensure business operations are not negatively affected
- Full BCDR implementation
- Enterprise-wide participation
- Real notifications go out (stating it's an exercise)
- Generally extended over a longer period of time
- Lessons learned, update plan accordingly
- Be sure a full backup occurs prior to test

The goal of BCDR testing is to ensure the BCP process is:
- Accurate
- Relevant
- Viable under adverse conditions

Creating, Implementing, and Testing a Plan

Failover: Options to switch to BCDR systems
- Cluster managers
- Load balancers
- DNS changes
- Ensure these are not a single point of failure
- Invoking BCDR actions could be the responsibility of the client or the cloud provider, depending on the contract

Return to Normal
- Failback must be considered and tested
- If not tested, a failback can become a serious outage
- The BCDR site may become the new primary site
- Premature failback can cause serious problems
- Must ensure the primary site is ready for failback

Creating a BCDR Plan
- Define a scope
  - Roles (who will do what)
  - Risk assessment
  - Policies (determine what constitutes a BCDR event)
  - Awareness for everyone involved
  - Training for everyone involved
- Requirements
  - Identify business-critical services
  - What data is involved
  - Any service agreements involved
  - List of risks, including failure of CSPs
  - Determine RTO/RPO objectives
  - Any legal or regulatory compliance involved

Creating, Implementing, and Testing a Plan

Creating a BCDR Plan (Cont.)
- Analysis
  - Translate requirements into a design
  - Scope, requirements, budget, performance objectives
  - Identify mitigating controls to be implemented
  - Consider decoupling systems to make BCDR more successful (ex: applications and databases)
  - Ensure CSPs and vendors can meet requirements
  - Identify resource requirements (storage, bandwidth, etc.)
- Risk Assessment
  - Evaluate CSP's ability to deliver necessary services
  - Elasticity
  - Contractual issues (if using a second CSP, can they meet contractual needs?)
  - Available bandwidth (from customer, to another CSP, between zones)
  - Legal and licensing risks (can't have software running in two places without purchasing a second license)

Creating, Implementing, and Testing a Plan

Creating a BCDR Plan (Cont.)
- Plan design:
  - Establish and validate architected solution
  - Include procedures and workflows
  - Define owner(s)
    - Technical
    - Declaring BCDR event
    - Communications to customers
    - Internal communications
    - Decision makers
  - Describe how BCDR plans will be tested
    - Enterprise-wide testing plans should address every business-related service
    - Should be fully tested annually with semi-annual training (walkthroughs) or when significant changes occur within business operations
    - Each line within the business should be fully tested to ensure it will survive
    - Testing of any external dependencies

Creating, Implementing, and Testing a Plan

Testing Policy
- RTO/RPO must be measured to ensure attainability
- Testing objectives should start simple and expand to encompass the entire plan
  - Individual services
  - Internal and external dependencies
- Should include test planning
  - Scenarios
  - Measurable results (RTO/RPO)
- Should include a test scope
  - Master test schedule that includes all objectives
  - Description of test objectives and methods
  - Roles and responsibilities for all participants
  - Define participants and alternate participants
  - Key decision makers
  - Testing locations
  - Contact information

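Added example (not part of the original course material): one way to turn a BCDR test into the measurable RTO/RPO results the testing policy calls for. The replication log, outage and restore times, and both objectives are constructed for illustration, and the code assumes each successful job's timestamp is the recovery point it provides.

```python
from datetime import datetime, timedelta

# Assumed objectives for this constructed test. Only the 4-hour replication
# interval comes from the course's RPO example; everything else is illustrative.
RPO_OBJECTIVE = timedelta(hours=4)
RTO_OBJECTIVE = timedelta(hours=3)


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed replication log: (recovery point time, job succeeded?).
# Jobs run every 4 hours; the 08:00 job failed and left no usable copy.
REPLICATION_JOBS = [
    (ts("2024-01-10 00:00"), True),
    (ts("2024-01-10 04:00"), True),
    (ts("2024-01-10 08:00"), False),
    (ts("2024-01-10 12:00"), True),
    (ts("2024-01-10 16:00"), True),
]

# Constructed test timeline.
OUTAGE_DECLARED = ts("2024-01-10 14:30")
SERVICE_RESTORED = ts("2024-01-10 17:10")


def recovery_points(jobs):
    """Sorted timestamps of the jobs that actually produced a usable copy."""
    return sorted(when for when, succeeded in jobs if succeeded)


def measured_rpo(jobs, outage):
    """Data lost in this test: outage time minus the newest usable copy."""
    usable = [p for p in recovery_points(jobs) if p <= outage]
    if not usable:
        raise ValueError("no successful replication before the outage")
    return outage - usable[-1]


def worst_case_rpo(jobs):
    """Largest gap between consecutive usable copies in the observed log.

    An outage just before the later copy of that pair would lose this much
    data, so this is the exposure the schedule allowed, failed jobs included.
    """
    points = recovery_points(jobs)
    if len(points) < 2:
        raise ValueError("need at least two successful replications")
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def measured_rto(outage, restored):
    """Downtime in this test: from outage declaration to restored service."""
    if restored < outage:
        raise ValueError("service restored before the outage was declared")
    return restored - outage


def evaluate(jobs, outage, restored, rpo_objective, rto_objective):
    """Compare measured values with the objectives and report each result."""
    rpo = measured_rpo(jobs, outage)
    worst = worst_case_rpo(jobs)
    rto = measured_rto(outage, restored)
    return {
        "measured_rpo": rpo,
        "worst_case_rpo": worst,
        "measured_rto": rto,
        "rpo_met_in_test": rpo <= rpo_objective,
        "rpo_guaranteed_by_schedule": worst <= rpo_objective,
        "rto_met": rto <= rto_objective,
    }


if __name__ == "__main__":
    report = evaluate(REPLICATION_JOBS, OUTAGE_DECLARED, SERVICE_RESTORED,
                      RPO_OBJECTIVE, RTO_OBJECTIVE)
    for name, value in report.items():
        print(f"{name}: {value}")
```

In this constructed run the test passes its own RPO check, but the failed 08:00 job leaves a gap twice the objective, so a single passing test does not show the schedule can guarantee the RPO.
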
Creating, Implementing, and Testing a Plan

Greater frequency of testing provides greater confidence in BCDR activities.

Tabletop Exercise
- Designed to ensure critical personnel are familiar with BCDR and their roles
- Participants follow a pre-planned response
- Not the preferred testing method
- Consists of:
  - Attendance of key personnel
  - Discussion about each person's responsibilities
  - Walkthrough of each step of the procedure
  - Problems identified during the exercise
  - Each participant receives a copy of the BCDR plan

Walkthrough Drill/Simulation Test
- More involved than a tabletop exercise
- Participants choose an event scenario and work through the problem on the fly
- Attended by all key personnel
- Demonstrates knowledge, teamwork, and decision-making capabilities
- Role-play and act out steps, identify issues, solve problems
- Involve crisis management team so they can practice as well

Cloud Application Security
Cloud Development

Cloud Development Basics

Cloud development typically involves:
- Integrated development environments (IDEs)
- Application lifecycle management
- Application security testing

In most cloud environments, APIs are used to access application functionality
- APIs use tokens for authentication

Most Common API Formats
- Representational State Transfer (REST): Consists of guidelines and best practices for creating scalable web services
- Simple Object Access Protocol (SOAP): Protocol for exchanging structured information as part of a web service

REST vs. SOAP
- REST supports many formats, including JSON, XML, and YAML | SOAP only supports XML
- REST uses HTTP/HTTPS for data transfer | SOAP uses HTTP/HTTPS/FTP/SMTP to transfer data
- REST has good performance and is scalable | SOAP is slower, and scaling is complex
- REST is widely used | SOAP is used when REST is not possible

Common Pitfalls

On-premises doesn't always transfer to cloud
- On-premises apps were not developed for the cloud environment
- Cloud may not support the way an application works on premises

Not all apps are cloud-ready
- Can be more challenging to implement the same level of security in the cloud

Lack of training
- Cloud services may work differently than similar on-premises services

Lack of documentation and guidelines
- May be a lack of documentation by the CSP if services are new
- Follow a software development lifecycle (ISO/IEC 12207)

Complexity of integration
- CSP manages part of the environment, and that can make integration tricky since the developers don't see the whole system

Other challenges:
- Multitenancy challenges
- Third-party administrators (CSPs)

Common Vulnerabilities

Most common vulnerabilities are listed in the OWASP Top 10
- We'll cover this in depth in the Applying SDLC section

SDLC Process
Business Requirements

Business requirements are part of the first phase of the Secure Software Development Lifecycle (SDLC)
- Business needs of the application
  - Accounting
  - Database
  - Customer relations (CRM)
- Refrain from identifying technologies at this point
- Concentrate on the needs of the business

SDLC Process
Phases and Methodologies

ISO/IEC 12207 is one example of an SDLC; there are many!

Common SDLC phases include:
- Planning
  - All stakeholders are involved
  - Business, security, and standard requirements defined
- Defining
  - Document all requirements and get approval
- Design
  - Design, identify impact on architecture and hardware
  - Threat modeling and security design
- Development
  - Coding starts
  - Longest phase
  - Code review and static analysis testing
- Testing
  - User acceptance testing
  - Testing of any integrations
- Maintenance
  - Fixing bugs
  - Patching vulnerabilities
- Disposal
  - Once the application is no longer required
  - Securely erase application data (crypto-shredding)

SDLC Process
Phases and Methodologies (Cont.)

Once an application goes into production, it enters the secure operations phase
- Versioning is used to track changes
- Testing of each version is performed
  - Dynamic analysis
  - Vulnerability scanning

ISO 27034 is one of the most widely accepted sets of standards and guidelines for secure application development

ISO 27034 outlines the Organizational Normative Framework (ONF), which consists of:
- Business context: Application security policies, standards, and best practices used by the organization
- Regulatory context: Standards, laws, and regulations the organization must abide by
- Technical context: Required and available technologies that can be used
- Specifications: Functional IT requirements and solutions to meet those requirements
- Roles, responsibilities, and qualifications: Individuals and their roles
- Processes: Processes related to application security
- Application security control (ASC) library: Contains a list of controls used to protect the application and its data

SDLC Process
Phases and Methodologies (Cont.)

ISO 27034 also outlines the Application Normative Framework (ANF)
- Used in conjunction with the ONF
- Created specifically for a single application
- ONF to ANF is a one-to-many relationship

[Figure: ONF + ANF. Two Application Normative Frameworks (ANF) sit on one Organizational Normative Framework (ONF). Pizza Making Process analogy: Dough (ONF), Ham (ANF), Pineapple (ANF).]

SDLC Process
Phases and Methodologies (Cont.)

Application Security Management Process (ASMP)
- Process of managing and maintaining each ANF
- Consists of five steps:
  1. Specify the application requirements and environment
  2. Assess application security risks
  3. Create and maintain the ANF
  4. Provision and operate the application
  5. Audit the security of the application

Applying SDLC
Common Vulnerabilities

OWASP Top 10
- Injection: Injection attacks occur when untrusted data in the form of a command or query is sent to an interpreter and executed as a command, providing the attacker with information or the ability to execute commands. SQL injection is a common example.
  - Prevention: Use input filtering to verify that untrusted data meets expected parameters.

- Broken authentication and session management: Improperly implemented authentication mechanisms can allow an attacker to compromise passwords, keys, or session tokens.
  - Prevention: Use proven authentication mechanisms.

- Cross-site scripting (XSS): When a web application accepts untrusted data and sends it to a web browser without proper validation, attackers can execute scripts in the victim's browser. Scripts can be posted in a forum, and visitors' browsers will execute the scripts.
  - Prevention: Validate inputs to ensure that data is expected and not malicious.

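The injection item above, shown as a vulnerable lookup beside a hardened one. This is an added example, not part of the course material: the table, the function names and the username pattern are assumptions, and it pairs the slide's input filtering with parameter binding, a second control the slide does not name.

```python
import re
import sqlite3

# Assumed shape of a valid username for this example.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, display TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "Alice Martin", "alice@example.test"),
            ("bob", "Bob O'Neil", "bob@example.test"),
        ],
    )
    return db


def lookup_vulnerable(db, name):
    """Before: untrusted data is concatenated into the text the interpreter runs."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_hardened(db, name):
    """After: filter the input against expected parameters, then bind it."""
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        raise ValueError("username does not meet expected parameters")
    # The value travels as data; it is never parsed as SQL.
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def search_display_name(db, text):
    """Free-text field where apostrophes are legitimate.

    The filter can only bound type and length here, so parameter binding
    is what keeps the value out of the SQL grammar.
    """
    if not isinstance(text, str) or not 0 < len(text) <= 64:
        raise ValueError("search text does not meet expected parameters")
    return db.execute(
        "SELECT name FROM users WHERE display = ?", (text,)
    ).fetchall()
```

A filter alone fails for fields such as display names, where quote characters are valid input; binding handles those without rejecting legitimate data.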
Applying SDLC
Common Vulnerabilities (Cont.)

OWASP Top 10 (Cont.)
- Insecure direct object reference: When a developer exposes an internal object (such as a file, directory, or database) that can be accessed without authentication.
  - Prevention: Use indirect object referencing to represent objects so the real objects are never exposed.

- Security misconfiguration: Mistakes in configuring the security settings of an application.
  - Prevention: Understand the application and its settings.

- Sensitive data exposure: Lack of security controls for sensitive data, such as credit card data or PII.
  - Prevention: Use proper security controls, such as encryption, to protect sensitive data.

- Missing function-level access control: Lack of access control for the functions of a web application can allow attackers to forge requests and gain access to functions.
  - Prevention: Ensure all functions are accessed via an authorization module, and set a global rule to deny access by default.

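Two of the preventions above in one sketch: a per-session indirect reference map, and an authorization module that denies by default. This is an added example, not part of the course material; the invoice records, role names and class names are constructed for illustration.

```python
import secrets

# Constructed sample records: the real keys are sequential and guessable.
INVOICES = {
    1001: {"owner": "alice", "total": 120},
    1002: {"owner": "bob", "total": 80},
}


class IndirectReferenceMap:
    """Per-session map from random tokens to real object identifiers."""

    def __init__(self):
        self._by_token = {}
        self._by_object = {}

    def expose(self, real_id):
        """Return the token the client may see for an object it is allowed to use."""
        if real_id not in self._by_object:
            token = secrets.token_urlsafe(16)
            self._by_token[token] = real_id
            self._by_object[real_id] = token
        return self._by_object[real_id]

    def resolve(self, token):
        """Translate a client-supplied token; anything not issued here is refused."""
        try:
            return self._by_token[token]
        except (KeyError, TypeError):
            raise PermissionError("unknown object reference") from None


class Authorizer:
    """Authorization module: every function is called through call()."""

    def __init__(self):
        self._rules = {}
        self._handlers = {}

    def register(self, name, roles):
        def decorator(fn):
            self._rules[name] = frozenset(roles)
            self._handlers[name] = fn
            return fn
        return decorator

    def call(self, user_roles, name, *args):
        allowed = self._rules.get(name)
        # Global rule: no matching rule, or no matching role, means deny.
        if allowed is None or not (allowed & set(user_roles)):
            raise PermissionError(f"access to {name!r} denied")
        return self._handlers[name](*args)


authz = Authorizer()


@authz.register("view_invoice", roles={"customer", "finance"})
def view_invoice(refs, token):
    return INVOICES[refs.resolve(token)]["total"]


@authz.register("refund_invoice", roles={"finance"})
def refund_invoice(refs, token):
    return f"refunded {refs.resolve(token)}"


def open_session(user):
    """Create the reference map for one session, exposing only the user's objects."""
    refs = IndirectReferenceMap()
    tokens = [refs.expose(i) for i, inv in INVOICES.items() if inv["owner"] == user]
    return refs, tokens
```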
Applying SDLC
Common Vulnerabilities (Cont.)

OWASP Top 10 (Cont.)
- Cross-site request forgery (CSRF): When an attacker uses an authenticated user's browser to send forged HTTP requests on behalf of the attacker.
  - Prevention: Use anti-forgery tokens to prevent CSRF attacks from being successful.

- Using components with known vulnerabilities: Frameworks, libraries, and other software modules can contain vulnerabilities, which flow into any application they're used in.
  - Prevention: Check all components for known vulnerabilities and don't use any vulnerable components.

- Invalid redirects and forwards: Web applications sometimes use redirects to forward users to other websites. When these destinations are not validated, attackers can redirect users to malicious web sites.
  - Prevention: Avoid using redirects and forwards if possible. If you must use them, avoid involving user parameters when redirecting to the destination.

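A sketch of the anti-forgery token and of a redirect that never uses a user parameter as the destination. This is an added example, not part of the course material; the token layout, the one-hour lifetime, the key handling and the redirect table are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-deployment secret, generated here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id, issued, nonce):
    msg = f"{session_id}|{issued}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, now=None):
    """Create a token bound to one session, embedded in that session's forms."""
    issued = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{issued}.{nonce}.{_mac(session_id, issued, nonce)}"


def verify_csrf_token(session_id, token, max_age=3600, now=None):
    """Accept a state-changing request only if its token was issued for this session."""
    try:
        issued, nonce, mac = token.split(".")
        issued_at = int(issued)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    expected = _mac(session_id, issued, nonce)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    current = time.time() if now is None else now
    return 0 <= current - issued_at <= max_age


# Constructed table: the request carries a key, never a URL.
REDIRECT_TARGETS = {
    "home": "/",
    "orders": "/account/orders",
    "help": "https://support.example.test/",
}


def resolve_redirect(key):
    """Look the destination up server-side; unknown keys fall back to the home page."""
    return REDIRECT_TARGETS.get(key, "/")
```

A forged cross-site request carries the victim's session cookie but not a token computed for that session, so verification fails.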
Applying SDLC
Common Vulnerabilities (Cont.)

To identify and address these vulnerabilities, application risk-management programs should consist of three parts:
1. Framework core: Activities and functions
   - Identify
   - Protect
   - Detect
   - Respond
   - Recover
2. Framework profile: Align activities with business requirements, risk tolerance, and resources
3. Framework implementation tiers: Identify where the organization is with its approach

One popular risk management framework is the NIST Framework for Improving Critical Infrastructure Cybersecurity

Applying SDLC
Cloud-Specific Risks

Some cloud-specific risks include:
- PaaS may not offer acceptable encryption, so it may need to be built into applications
- PaaS may not offer granular security
- Logging may be difficult for SaaS applications
- Lack of proper access controls

The "Notorious Nine" Cloud Computing Threats
1. Data breaches
2. Data loss
3. Account hijacking
4. Insecure APIs
5. Denial of service (DoS)
6. Malicious insiders
7. Abuse of cloud services
8. Insufficient due diligence (on behalf of the customer)
9. Shared technology use (multitenancy)

Applying SDLC
Quality Assurance

Measure the following variables to ensure that quality standards are being met:

1. Availability
2. Mean time between failures (MTBF)
3. Outage duration
4. Performance
5. Reliability
6. Capacity
7. Response time

Applying SDLC
Threat Modeling

Threat modeling: The process of identifying, communicating, and understanding threats and how to mitigate them in order to protect valuable assets

The STRIDE threat model is a system for classifying known threats based on the kinds of exploits used or the motivation of the attacker. STRIDE describes the following six threats:
1. Spoofing
2. Tampering
3. Repudiation
4. Information disclosure
5. Denial of service
6. Elevation of privileges

[Figure: Example Threat Model, labeled Threats, Assets, Protection]

Applying SDLC
Software Configuration Management and Versioning

Two popular tools for configuration management and versioning:
- Chef: Used to automate building, deploying, and managing infrastructure components. Configs and policies are known as recipes. The Chef client is installed on each server. Each server polls the Chef server for the latest policy and updates its configs automatically based on the latest Chef policies.
- Puppet: Allows you to define the state of your infrastructure and then enforces the correct state.

The purpose of these tools is to ensure configurations are up to date and consistent based on the version of a policy or configuration.

Software Assurance and Validation
Functional Testing

Functional testing is used to verify that business requirements have been met and the application operates as expected without errors.

Software Assurance and Validation
Security Testing Methodologies

Two main types of security testing:
- Static Application Security Testing (SAST): Considered a white-box test: the test performs an analysis of the source code and binaries without executing the code.
  - SAST is used to identify coding errors that may indicate a vulnerability
  - SAST can be used to find XSS, SQL injection, buffer overflows, and other vulnerabilities
  - Because it's a white-box test, the results are more comprehensive than dynamic testing
  - Often run early in the development lifecycle
- Dynamic Application Security Testing (DAST): Considered a black-box test: the tool must discover vulnerabilities while the application is running. DAST is most effective when testing exposed HTTP and HTML web application interfaces.

SAST and DAST play different roles in application security testing. SAST is used early on in development to detect coding problems, while DAST is used to identify vulnerabilities while the application is running.

Runtime Application Self-Protection (RASP): Prevent attacks by self-protecting or auto-reconfiguring in response to specific conditions.

Software Assurance and Validation
Security Testing Methodologies (Cont.)

Vulnerability assessment: Scanning an application with a vulnerability scanner or assessment tool such as Burp or OWASP ZAP.
- Look for well-known vulnerabilities
- Uses signatures to identify vulnerabilities
- No signature = no identification of vulnerability

Penetration test: Process of collecting information about a system and using it to actively exploit any vulnerabilities and gain access to the system or its data.
- Considered a black-box test

When performing security testing in a cloud environment, you must receive permission from the CSP in writing prior to performing the testing. Some CSPs provide this on their website, while others may require a formal written process.

Secure code review: Manually reviewing code and looking for vulnerabilities. (static testing)

Software Assurance and Validation
Security Testing Methodologies (Cont.)

OWASP has created a testing guide that includes nine testing categories:
- Identity management
- Authentication
- Authorization
- Session management
- Input validation
- Testing for error handling
- Testing for weak cryptography
- Business logic
- Client-side

Secure Software
Approved APIs and Third-Party Software

Application programming interfaces (APIs) expose the functionality of an application. APIs provide the following benefits:
- Programmatic control and access
- Automation
- Integration with third-party tools

APIs are components that must be validated for security just like any other component used in the creation and use of applications.

External APIs used by the organization must go through the same approval process to limit the organization's exposure.
- Use of SSL or other cryptographic means to secure API communications (REST/SOAP)
- Logging of API usage
- Dependency validations using a tool such as OWASP Dependency-Check

Secure Software
Approved APIs and Third-Party Software (Cont.)

More and more software is being created by third parties and consumed by the masses to build applications and services.
- We must keep this in mind and validate all pieces of third-party software that we use.

Open-source software is considered relatively secure because the source code is open and available for anyone to review.
- This means the code is subject to a great deal of scrutiny for best practices and functionality.
- Third-party software is often created in a closed environment with minimal review and testing, due to time and budget constraints.

Cloud Application Architecture
Supplemental Security Components

Supplemental security components add additional layers to a defense-in-depth strategy.

Supplemental Security Components
- Web application firewall (WAF)
  - Layer 7 firewall that can understand HTTP traffic calls (GET, POST, etc.)
  - Effective for preventing DoS attacks
- Database activity monitoring (DAM)
  - Layer 7 device that understands SQL commands
  - Can be agent-based on SQL servers or network-based
  - Can detect and stop malicious commands from executing on a SQL server
- XML gateway
  - Acts as a go-between for access to an API
  - Uses access rules to prevent access to APIs
  - Can implement other controls such as DLP, antivirus, and anti-malware services
- Firewalls
  - Provide filtering capabilities
- API gateway
  - Filters API traffic before it is processed
  - Can provide access control, rate limiting, logging, metrics, and security filtering

Cloud Application Architecture
Cryptography

When accessing data in the cloud, we access the data across trusted and untrusted networks. It is important to protect the data, and one way to do that is to use encryption.

Protecting Data in Motion
- Transport Layer Security (TLS): TLS ensures data privacy and integrity between applications.
  - Uses X.509 certificate to authenticate initial connection
  - Transfers symmetric encryption key to be used
- Secure Socket Layer (SSL): The standard technology for creating an encrypted connection between a browser and a web server. All data passed through the connection is kept private and maintains its integrity.
- IPSec virtual private network (VPN): Encrypts data between two endpoints. These endpoints can be firewalls, VPN concentrator devices, or agents installed on a workstation.

Protecting Data at Rest
- Whole instance encryption: Used to encrypt everything associated with a virtual machine, such as its volumes, disk IO, and snapshots.
- Volume encryption: Used to encrypt a volume on a hard drive. The entire disk is not encrypted, only the volume portion. Full disk encryption should be used to protect the entire hard drive.
- File or directory encryption: Used to encrypt individual files or directories.

Cloud Application Architecture
Sandboxing and Application Virtualization

A sandbox is an isolated environment in which untrusted data can be tested.
- Allows for analysis of applications and data in a secure environment without risk to the production environment.

Application Virtualization
- Used to test applications while protecting the underlying OS and other applications on the system
- A form of sandboxing an individual application on a host
- Commercial examples:
  - Wine
  - Microsoft App-V
  - XenApp

IAM Solutions
Federated Identity

Federated identity allows for trusted authentication across organizations.

Identity Federation Standards
- Security Assertion Markup Language (SAML): The most common federation standard
  - SAML is XML-based
- WS-Federation: Defines mechanisms that allow different security realms to federate between each other
- OpenID Connect: Lets developers authenticate their users across websites and apps without having to own and manage password files; doesn't use SOAP, SAML, or XML
- OAuth: Widely used for authorization services in web and mobile applications
- Shibboleth: Heavily used in education websites and apps

A federation consists of an identity provider and a relying party.

[Figure: Local AD (Identity Provider) and AWS (Relying Party)]

IAM Solutions
Identity Providers

Identity providers perform authentication services and pass required information to relying parties as needed, supplying the required authorization to access resources.

[Figure: Subject, Identity Provider, and Relying Party, with flows labeled Claim, ID & Request, Policy, and Digital ID]

Cloud Application Security
IAM Solutions
Single Sign-On (SSO)

Single sign-on (SSO) allows a user to authenticate once and then access multiple resources instead of having to authenticate with each individual resource.

With SSO, a user logs in to an authentication server. Then each resource the user attempts to access checks with the authentication server to verify that the user has already successfully logged in.

[Diagram: Authentication Server]

SSO makes the user experience more pleasant.

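The SSO flow described above, as an added example that is not part of the original course material: one login at an authentication server, after which each resource asks that server whether the session token is still valid. The class names, the 900-second session lifetime, and the status tuples are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class AuthenticationServer:
    """Central login point; resources ask it whether a session token is valid."""

    def __init__(self, session_ttl=900):
        self._users = {}      # username -> (salt, password hash)
        self._sessions = {}   # token -> (username, expiry time)
        self._ttl = session_ttl

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password, now):
        """Authenticate once; return an opaque session token or None."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, expected = record
        if not hmac.compare_digest(self._hash(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, now + self._ttl)
        return token

    def check(self, token, now):
        """Called by resources: who owns this token, if it is still valid?"""
        session = self._sessions.get(token)
        if session is None:
            return None
        username, expires = session
        if now >= expires:
            del self._sessions[token]   # expired sessions are forgotten
            return None
        return username

    def logout(self, token):
        """Ending the session here ends it for every resource at once."""
        self._sessions.pop(token, None)


class Resource:
    """An application that never sees the password, only the token."""

    def __init__(self, name, auth_server, allowed_users):
        self.name = name
        self._auth = auth_server
        self._allowed = set(allowed_users)

    def access(self, token, now):
        user = self._auth.check(token, now)
        if user is None:
            return (401, "log in at the authentication server")
        if user not in self._allowed:
            return (403, f"{user} is not authorized for {self.name}")
        return (200, f"{user} granted access to {self.name}")


if __name__ == "__main__":
    # Constructed sample data.
    auth = AuthenticationServer()
    auth.enroll("alice", "correct horse")
    mail = Resource("mail", auth, {"alice"})
    wiki = Resource("wiki", auth, {"alice", "bob"})
    token = auth.login("alice", "correct horse", now=0)
    print(mail.access(token, now=10))
    print(wiki.access(token, now=20))
    auth.logout(token)
    print(mail.access(token, now=30))
```

Authentication (who the user is) stays with the server, while each resource still makes its own authorization decision, which is why a valid token can still receive a 403.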
Cloud Application Security
IAM Solutions
Multi-Factor Authentication (MFA)

Multi-factor authentication: Using multiple factors to authenticate. These factors are based on:
- What users know (password, PIN)
- What users have (token, card, YubiKey)
- What users are (biometrics)

One-time passwords fall under MFA and are highly encouraged for use with first-time logins (you must change your password).

Step-up authentication is used during high-risk transactions or when violations have occurred in a transaction.
- Challenge questions
- Out-of-band authentication (SMS, text, phone call, etc.)
- Dynamic knowledge-based authentication (question unique to the individual, previous address, etc.)

[Diagram: Password, Proof, Access]

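One way the one-time passwords and step-up authentication above can work, as an added example that is not part of the original course material. It implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms; the `OtpVerifier` class, the `authorize` function, and the one-step acceptance window are assumptions made for illustration, and the secret is the RFC test key.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, int(at) // step, digits)


class OtpVerifier:
    """Server side of the 'what users have' factor for one enrolled token."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window        # tolerated clock drift, in time steps
        self.last_used_step = -1    # highest time step already consumed

    def verify(self, submitted, at):
        current = int(at) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            # Skip negative steps and any step at or before one already used,
            # so a captured code cannot be replayed.
            if candidate <= self.last_used_step:
                continue
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, submitted):
                self.last_used_step = candidate
                return True
        return False


def authorize(high_risk, password_ok, otp, verifier, now):
    """Step-up: the password suffices for routine actions, but a high-risk
    transaction also requires a fresh one-time password."""
    if not password_ok:
        return False
    if not high_risk:
        return True
    return otp is not None and verifier.verify(otp, now)


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test key, not a real secret
    verifier = OtpVerifier(secret)
    code = totp(secret, at=59)
    print("code at t=59:", code)
    print("routine action:", authorize(False, True, None, verifier, 59))
    print("high risk, no OTP:", authorize(True, True, None, verifier, 59))
    print("high risk, OTP:", authorize(True, True, code, verifier, 59))
    print("same OTP again:", authorize(True, True, code, verifier, 59))
```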
Cloud Application Security
IAM Solutions
Cloud Access Security Broker (CASB)

CASB: A trusted third-party identity provider that manages authentication between cloud service users and cloud applications.

When multiple parties operate in federated identity management (a federation), they must decide to trust each other. This can be done in two ways:
- Web of trust: Each organization has to review and approve each other's members for inclusion in the federation. Can be time-consuming and tedious.
- Outsource to a third-party identifier such as a CASB.

[Diagram: What is a Cloud Access Security Broker (CASB)? Users from anywhere, Cloud Access Security Broker, Cloud App]

Cloud Security Operations
Implement and Build
Hardware Security

Securing Servers
- Follow OS vendor recommendations for secure deployment
- Remove all unnecessary services
- Install all patches
- Lock down the host
- Restrict root/admin access
- Use only secure communications (SSH)
- Use host-based firewalls
- Use role-based access control (RBAC) permissions
- Secure management practices
- Ongoing patching and maintenance
- Periodic vulnerability scanning
- Periodic penetration testing

Cloud Security Operations
Implement and Build
Virtualization Management Tools

It is extremely important to properly configure virtualization management tools.
- If compromised, an attacker could gain full access to the virtual environment.

All management should take place on an isolated network.

The virtualization vendor will determine which tools can be used.
- Plan to maintain and update the tools.
- Plan for maintenance windows and VM migrations between hosts to allow for updates and reboots.
- Perform vulnerability testing on the tools.
- Follow vendor guidelines for securely configuring tool sets.

Best Practices
- Defense in depth: Use the tools as an additional layer of defense.
- Access control: Tightly control and monitor access to the tools.
- Auditing and monitoring: Track and validate use of the tools.
- Maintenance: Update the tools as necessary and follow vendor recommendations.

Cloud Security Operations
Implement and Build
Virtualization Management Tools (Cont.)

Secure configuration templates should be used to configure virtualization hardware.
- Templates should be saved in a secure manner
- Update templates via formal change management process

Virtual hardware should be configured to log sufficient data.

Guest OS Virtualization Tools
- Provide additional functionality
- Must be maintained and updated
- Vulnerability scans should be conducted

Cloud Security Operations
Operate Infrastructure
Access Control for Local and Remote Access

Physical access should be limited.
- Individuals who manage physical hardware should not have other types of administrative access (separation of duties).

Remote access to physical hosts should be done via secure KVM switch (keyboard, video, mouse).
- Access to the KVM should be logged and routine audits conducted.
- KVMs provide secure access and prevent data loss.
- MFA should be considered for KVM access.

Requirements for Secure KVMs
- Isolated data channels: Each channel connects to only one host so that no data can be transferred between connected computers through the KVM
- Tamper warning labels: Located on each side of the KVM to indicate tampering
- Housing intrusion detection: Renders the KVM inoperable if the housing has been opened
- Fixed firmware: Firmware cannot be reprogrammed, which prevents tampering
- Tamper-proof circuit boards
- Safe buffer design: No memory buffer to retain data
- Selective USB access: Only recognize human interface USB devices, such as keyboards and mice, to prevent data transfer to USB mass storage devices
- Push-button control: Require physical access to the KVM to switch between computers

Cloud Security Operations
Operate Infrastructure
Secure Network Configuration

Isolating Networks with VLANs
- All infrastructure management should occur on an isolated network (VLAN).
- VLANs are used to create isolated networks for customers in a multitenancy environment.
- VLANs work by tagging data with a VLAN ID, which network devices recognize and are able to use to keep data separate.
- Increase VLAN-related security by:
  - Enabling VLAN pruning (removes unused VLANs)
  - Disabling unnecessary protocols on switches

[Diagram: switch ports Gi 0/1, Gi 0/2, Gi 0/3, and Gi 0/4 serving four VLANs]
- VLAN 1: Management, 10.x.1.0/24
- VLAN 2: Management, 10.x.2.0/24
- VLAN 3: Management, 10.x.3.0/24
- VLAN 4: Management, 10.x.4.0/24

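How the VLAN ID tag and VLAN pruning above look at the frame level, as an added example that is not part of the original course material. It parses the IEEE 802.1Q tag from an Ethernet frame and applies a trunk port's allowed-VLAN list; the `TrunkPort` class, the MAC addresses, and the choice of which VLANs remain on port Gi 0/1 are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100       # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
RESERVED_VID = 0x0FFF     # VLAN ID 4095 is reserved by the standard


def build_frame(vlan_id=None, priority=0, ethertype=ETHERTYPE_IPV4):
    """Build a constructed Ethernet frame; tagged when vlan_id is given."""
    header = bytes.fromhex("02aabbccdd01") + bytes.fromhex("02aabbccdd02")
    if vlan_id is not None:
        # Tag control information: 3-bit priority, 1-bit DEI, 12-bit VLAN ID.
        tci = (priority << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + b"\x00" * 46


def parse_vlan(frame):
    """Return (vlan_id, priority, ethertype); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner_type


class TrunkPort:
    """A switch trunk that carries only the VLANs left after pruning."""

    def __init__(self, name, allowed_vlans, native_vlan=None):
        self.name = name
        self.allowed_vlans = set(allowed_vlans)
        self.native_vlan = native_vlan   # None: untagged frames are refused

    def classify(self, frame):
        """Return (action, vlan_id, reason) for one received frame."""
        vid, _priority, _ethertype = parse_vlan(frame)
        if vid is None or vid == 0:      # untagged or priority-tagged only
            if self.native_vlan is None:
                return ("drop", None, "untagged frame on tagged-only trunk")
            vid = self.native_vlan
        if vid == RESERVED_VID:
            return ("drop", vid, "reserved VLAN ID")
        if vid not in self.allowed_vlans:
            return ("drop", vid, "VLAN pruned from this trunk")
        return ("forward", vid, "VLAN allowed")


if __name__ == "__main__":
    # Assumption: after pruning, Gi 0/1 carries only VLANs 1 and 2.
    trunk = TrunkPort("Gi 0/1", allowed_vlans={1, 2})
    for vid in (1, 2, 3, 4, None):
        print(vid, trunk.classify(build_frame(vlan_id=vid)))
```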
Cloud Security Operations
Operate Infrastructure
Secure Network Configuration (Cont.)

DNSSEC
- Adds security to DNS by allowing DNS responses to be validated
- DNSSEC uses a process called zone signing, which uses digital certificates to sign DNS records
- Prevents pharming attacks (fake website credential harvesting)

[Diagram: DNSSEC. Root: DNSKEY root, digital signatures of .com. TLD .com: DNSKEY .com, digital signatures of somewebsite.com. Domain owner somewebsite.com: DNSKEY of somewebsite.com. User and ISP (caching recursive resolver).]

Cloud Security Operations
Operate Infrastructure
Secure Network Configuration (Cont.)

Threats to DNS
- Footprinting: An attacker attempts to gather all DNS records for a domain via zone transfer in order to map out the target environment
- Denial of service (DoS): Attackers flood DNS servers to prevent them from responding to legitimate DNS requests
- Redirection: An attacker redirects queries to a server that is under the attacker's control
- Spoofing: An attacker provides incorrect DNS information for a domain to a DNS server, which then gives out that incorrect information (also known as DNS poisoning)

IPSec
- Protects communications over IP networks with encryption
- Supports peer authentication, data origin authentication, data integrity, encryption, and replay protection mechanisms
- Protects data in transit
- There is a slight performance impact when using IPSec for data encryption
- Operates in one of two modes:
  - Tunnel: Encrypts the entire original packet and provides a new header (supports NAT traversal)
  - Transport: Only encrypts part of the original packet

Cloud Security Operations
Operate Infrastructure
OS Hardening with Baselines

Baselines are an agreed-upon set of attributes for a product.

Configuration management tools such as Puppet and Chef can ensure operating systems are hardened according to a given baseline or policy.

It is important to monitor hosts for baseline compliance and remediate anything out of compliance. To do this, we need to:
- Identify who will perform the remediation (CSP or customer)
- Conduct vulnerability scanning
- Conduct compliance scanning (OpenSCAP)
- Follow the change management process

Cloud Security Operations
Operate Infrastructure
Stand-Alone Hosts

Business requirements may dictate the need for a stand-alone host in a cloud environment.

Disadvantages of Stand-Alone Hosts
- Lack of elasticity
- Lack of clustering benefits
- Higher costs

Benefits of Stand-Alone Hosts
- Isolation
- Dedicated host
- More secure (not a multitenant host)

Driving Factors for Use of Stand-Alone Hosts
- Regulatory issues
- Data classification
- Contractual requirements
- Security policies

Cloud Security Operations
Operate Infrastructure
Availability of Clustered Hosts

A host cluster is a group of centrally managed servers that allows for failover and VM migration between hosts.

Resources are pooled within a cluster. Prevent resource starvation with:
- Reservation limits: Reserving a minimum amount of resources
- Shares: Used to guarantee an amount of resources during times of resource constriction

[Diagram: a cluster of three ESXi hosts on physical servers, each running virtual machines]

Clusters provide high availability (HA).
- If a host goes down, the VMs migrate to another host.

Clusters use distributed resource scheduling (DRS).
- A resource manager uses rules to balance the workload.
- Affinity rules can be used to keep VMs on the same host.
- Anti-affinity rules keep VMs on separate hosts.

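How HA failover interacts with reservations and anti-affinity rules, as an added example that is not part of the original course material and not any vendor's scheduling algorithm. The function name, the host and VM names, and the memory figures are assumptions made for illustration; the placement strategy (largest reservation first, onto the host with the most free memory) is one simple choice among many.

```python
def place_after_failure(capacity, placement, reservation, anti_affinity, failed):
    """Re-place the VMs of a failed host on the surviving hosts.

    capacity:      host -> memory in GB
    placement:     vm -> host it currently runs on
    reservation:   vm -> memory in GB reserved for that VM
    anti_affinity: list of sets of VMs that must not share a host
    Returns (new_placement, unplaced_vms).
    """
    survivors = [h for h in capacity if h != failed]
    new = {vm: h for vm, h in placement.items() if h != failed}

    # Free memory on each survivor after honouring existing reservations.
    free = {h: capacity[h] for h in survivors}
    for vm, host in new.items():
        free[host] -= reservation[vm]

    def violates_anti_affinity(vm, host):
        for group in anti_affinity:
            if vm in group:
                for other in group:
                    if other != vm and new.get(other) == host:
                        return True
        return False

    # Restart the largest reservations first so they are not crowded out.
    displaced = sorted(
        (vm for vm, host in placement.items() if host == failed),
        key=lambda vm: -reservation[vm],
    )
    unplaced = []
    for vm in displaced:
        candidates = [
            h for h in survivors
            if free[h] >= reservation[vm] and not violates_anti_affinity(vm, h)
        ]
        if not candidates:
            unplaced.append(vm)     # resource starvation or rule conflict
            continue
        target = max(candidates, key=lambda h: (free[h], h))
        new[vm] = target
        free[target] -= reservation[vm]
    return new, unplaced


# Constructed sample cluster: three hosts with 32 GB each.
CAPACITY = {"esxi1": 32, "esxi2": 32, "esxi3": 32}
RESERVATION = {"web1": 8, "web2": 8, "db1": 16, "db2": 16, "app1": 8}
PLACEMENT = {"web1": "esxi1", "web2": "esxi2", "db1": "esxi1",
             "db2": "esxi3", "app1": "esxi2"}
ANTI_AFFINITY = [{"web1", "web2"}, {"db1", "db2"}]   # keep replicas apart

if __name__ == "__main__":
    after_one, lost = place_after_failure(
        CAPACITY, PLACEMENT, RESERVATION, ANTI_AFFINITY, "esxi1")
    print("after esxi1 fails:", after_one, "unplaced:", lost)
    remaining = {h: c for h, c in CAPACITY.items() if h != "esxi1"}
    after_two, lost = place_after_failure(
        remaining, after_one, RESERVATION, ANTI_AFFINITY, "esxi2")
    print("after esxi2 fails:", after_two, "unplaced:", lost)
```

The second failure shows both limits at once: `db1` cannot restart because the last host lacks the reserved memory, and `web2` cannot restart because its anti-affinity partner already runs there.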
Cloud Security Operations
Operate Infrastructure
Availability of Guest Operating Systems

Availability is increased with the use of:
- Secure practices
- Clustering
- High-availability solutions

Availability is measured in a percentage known as nines.

Cloud Security Operations
Manage Infrastructure
Access Control for Remote Access

Key Features of a Remote Access Solution
- Accountability of remote access with an audit trail
- Session control (access approval, session duration limits, idle timeouts)
- Real-time monitoring of activities and recorded sessions
- Secure access without opening extra ports and increasing the attack surface
- Isolation between the connecting user's desktop and the host that the user is connecting to: virtual desktop infrastructure (VDI)

[Diagram: Remote Access]

Cloud Security Operations
Manage Infrastructure
Patch Management

The process of identifying, acquiring, installing, and verifying patches for products, applications, and systems.

Patches correct security and functionality problems.

A patch management plan should be developed to manage the installation of patches.
- This plan should be part of the configuration management process
- Test patches before deployment

NIST SP 800-40 "Guide to Enterprise Patch Management" is a great reference.

A patch management process should address:
- Vulnerability detection
- Vendor patch notifications (sign up)
- Patch severity assessment by the organization
- Change management
- Customer notification if required
- Verification of successful patching
- Risk management in case of unexpected outcomes after applying patches (roll back plan)

Cloud Security Operations
Manage Infrastructure
Patch Management Cont.

Patch management challenges:
- Lack of standardization of patches
- Collaboration between multiple system owners
- Many moving parts (complexity)
- Patches must be tested before deployment
- VMs in a suspended state are not patched
- Multiple time zones (applying patches at same local time)

In some cases, organizations may give blanket approval for applying patches which address imminent risks, allowing these patches to bypass the standard change management process. Change management will take place after the fact.

Cloud Security Operations
Manage Infrastructure
Performance, Capacity, and Hardware Monitoring

Monitoring performance and capacity is critical.
- Changes in performance can indicate failing hardware.
- Unmonitored capacity could allow for total consumption of resources, which can lead to resource starvation and a serious impact on performance.

Items to Monitor on Host Hardware
- Excessive dropped packets on network interfaces
- Disk capacity and IO
- Memory utilization
- CPU utilization

In a shared environment, monitoring is crucial for maintaining an acceptable level of performance.

In a virtualized environment, everything still runs on underlying hardware that must be monitored.
- Environmental temperatures
- Temperature within hardware
- Fan speeds
- Failed drives or drive errors
- Hardware components (CPU, memory, cards)
- Network devices (not just servers)

Cloud Security Operations
Manage Infrastructure
Backup and Restore Functions

Host configuration data should be included in backup plans.

Routine tests should be conducted to test the restorability of backup data.
- Individual file recovery
- Entire VM image recovery
- Increases the likelihood of a successful BCDR failover

The biggest challenge with backup and recovery is understanding the extent to which you have access to the hosts and what configurations can be changed.
- Control: In the cloud, we make changes through a management interface, but we don't see what happens in the background. We must be confident the changes we make are the only changes occurring.
- Visibility: The ability to monitor data and how it's being accessed.
- This is why testing is so critical.

Cloud Security Operations
Manage Infrastructure
Network Security Controls and Management Plane

Review of Network Security Controls
- Vulnerability assessments
- Network security groups (access lists)
- VLANs
- Access control (IAM)
- Secure protocols (SSH, TLS, SSL, IPSec)
- IDS/IPS
- Firewalls
- Honeypots
- Zoning of storage traffic (LUN IDs)
- Vendor-specific security products
  - VMware vCloud Networking and Security
  - Security or NSX products
- Keep public data and private data on separate virtual switches

Cloud Security Operations
Manage Infrastructure
Network Security Controls and Management Plane

The management plane provides access to manage:
- Hardware: Through baseline configurations
- Logical: Task scheduling, resource allocation, software updates
- Networking: Network management, routes, access lists, security groups, virtual switches, VLANs

The management plane is high-risk and must be protected with:
- Access control
- Logging
- Isolated network

Other actions that can take place in the management plane:
- Scheduling of resources through distributed resource scheduling (DRS)
- Orchestration or automation of changes and provisioning
- Maintenance such as software updates and patching

Cloud Security Operations
Operational Controls and Standards
Change Management

ISO 9001: Quality and change management

Change Management Objectives
- Respond to changing business requirements while minimizing incidents and disruption
- Ensure changes are documented in a change management system
- Ensure changes are prioritized, planned, and tested
- Reduce overall business risk

Cloud Security Operations
Operational Controls and Standards
Continuity Management

ISO 22301: Business continuity
- Specifies requirements for planning the necessary procedures for restoring a business to an operational state after an event occurs

A prioritized list of systems and services must be created and maintained.
- This list is created through a business impact analysis (BIA), which identifies the systems and services that are critical to the business.

Continuity Management Plan
- Defines events that will put the plan in motion
- Defines roles and responsibilities
- Defines continuity and recovery procedures
- Specifies which notifications are required to be sent
- Specifies requirements for the capabilities and capacity of backup systems

Business continuity plans should be tested regularly.

Cloud Security Operations
Operational Controls and Standards
Information Security Management

ISO 27001: Information security management

Organizations should have a documented information security management plan that covers:
- Security policies
- Security management
- Asset management
- Physical security
- Access control
- Information systems development, maintenance, and acquisition

[Diagram: ISO 27001]

Cloud Security Operations
Course Navigation Oper at ion al Con t r ols an d St an dar ds
Clou d Con cept s,
I n ciden t M an agem en t
Ar ch it ect u r e & Design
Section 1
I SO 27035 ? Security incident m anagem ent

Clou d Dat a Secu r it y The goal of incident m anagem ent is to:


Section 2 - Rest or e norm al operations as quickly as possible
- M in im ize adverse im pact on business operations
- Ensure service quality and availability are m ain t ain ed

Problem and Deployment Management

ISO 20000 - Problem management & release and deployment management

The goal of problem management is to minimize the impact on the organization by identifying the root cause and implementing a fix or workaround.
- Problem: The unknown cause of an incident
- Known error: A problem with an identified root cause
- Workaround: A temporary way of overcoming a problem or known error

A system should be in place to track problems and document root causes and workarounds.

Release and Deployment Management: Includes planning, scheduling, and controlling the movement of releases to test and live environments

The goal is to protect the integrity of the live environment.

Objectives of Release and Deployment Management
- Define deployment plans
- Create and test release packages
- Record and track packages in the Definitive Media Library (DML)
- Ensure functionality and requirements are met
- Manage risks
- Ensure knowledge transfer

Configuration and Service Level Management

ISO 10007 - Quality management (includes configuration management)

The configuration management process should include:
- Development and implementation of new configurations
- Prevention of unauthorized changes to system configurations
- Testing and deployment procedures for system changes
- Quality evaluations of configuration changes

ISO 20000 - Service level management
- Negotiate agreements with parties and design services to meet agreed-upon service level targets

Common Agreements
- Service-level agreement (SLA): Between the customer and the provider
- Operational-level agreement (OLA): SLA between business units within an organization
- Underpinning contract (UC): External contract between the organization and a vendor

The organization's legal department should be included in contract creation.

Availability and Capacity Management

ISO 20000 - Availability management process
- Define, analyze, plan, measure, and improve availability of IT services
- Meet the availability targets set by the organization
- Systems should be designed to meet availability requirements
- High availability (HA) and failover solutions help maintain availability

ISO 20000 - Capacity management
- Ensure infrastructure is adequately provisioned to meet SLAs in a cost-effective manner
- Monitor capacity to prevent performance impact

Digital Forensics
Forensic Data Collection Methodologies

Forensic Data Collection Process
1. Collection of evidence - Identification, labeling, recording, preservation of data integrity
2. Examination - Processing evidence, extracting data while preserving data integrity
3. Analysis - Deriving useful information from evidence
4. Reporting - Reporting on findings, including tools and procedures used, recommendations, and alternate explanations

Data Collection
1. Develop a plan that specifies which sources are to be collected and in what order.
   - Value - Relative likely value of data sources (from past experiences)
   - Volatility - Likelihood that data will be lost on a system when it is powered off or after a period of time (page file, memory, logs overwritten by new events, etc.)
   - Amount of effort required - Collecting data from an on-premises host versus a cloud vendor's hypervisor; balance between effort and the likelihood that data will be valuable
   - Chain of custody should be implemented

Forensic Data Collection Methodologies (Cont.)

Data Collection (Cont.)
2. Acquire the data.
   - Use forensic tools to gather data (write blockers)
   - Create duplicates of data to work with
   - Secure the original, non-volatile data (create a hash if possible)
3. Verify the integrity of the data.
   - Use the hashed value of the original data to verify that the working copy has not been altered

Data Examination
- Extracting relevant information from collected evidence
- May need to bypass OS-level features that obscure data, such as encryption
- Use search patterns to look for evidence
- Tools can help inventory and categorize files

Analysis
- Identifying people, items, places, data, and events in an effort to piece together a conclusion
- Using various systems like firewalls, IDS, and security management software can help identify events

Forensic Data Collection Methodologies (Cont.)

Reporting
- There may be more than one possible explanation - be prepared to support all.
- Know your audience - law enforcement will want details, whereas executives may simply want to know if anything was determined by the evidence.
- Actionable information may be identified that requires the collection of additional information.

Challenges with Collecting Evidence
- Seizing servers that may contain multiple tenants' data creates a privacy issue.
- Trustworthiness of evidence is based on the CSP.
- Investigations rely on the cooperation of the CSP.
- CSP technicians collecting data may not follow forensically sound practices.
- Data may be in unknown locations.

Forensic Data Collection Methodologies (Cont.)

Network forensics (capturing of packets) may be necessary for a cloud-based investigation.
- Packet capture can reveal locations (addresses of systems)
- Can provide unencrypted data such as text files being transferred or emails
- VoIP streams and video can be captured and replayed

Network Forensics Use Cases
- Finding proof of an attack
- Troubleshooting performance issues
- Monitoring activity for compliance with policies
- Identifying data leaks
- Creating audit trails

Evidence Management

Be sure not to collect evidence outside the scope of the event.

Chain of custody is used to track and manage evidence, from identification to disposal.
- At each stage, document who is involved, record the date and time, and sign the chain of custody.
- More information is better.
- Record when evidence is moved.
- Record when analysis takes place and what type of analysis.
- NEVER work from the original data; always work from a copy.

There are many standards governing the collection, acquisition, and preservation of digital evidence.
- ISO/IEC 27037:2012 - Guide for collecting, identifying, and preserving electronic evidence
- ISO/IEC 27042:2015 - Guide for analysis of digital evidence
- ISO/IEC 27050-1:2016 - Guide to e-Discovery
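
Steps 2 and 3 of data collection (acquire, then verify against the hash of the original) and the chain-of-custody rules above can be exercised together. The following Python is an added example, not part of the original course material; the evidence ID, actor names, file names and the JSON-lines custody log format are assumptions, and the read-only permission is only a software stand-in for a write blocker.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record(custody_log, evidence_id, action, actor, detail):
    """Append one chain-of-custody entry: who, when (UTC), and what was done."""
    entry = {
        "evidence_id": evidence_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "detail": detail,
    }
    with open(custody_log, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def acquire(original, workdir, custody_log, evidence_id, actor):
    """Hash the original, secure it, create a working copy, and log each action."""
    original_hash = sha256_file(original)
    record(custody_log, evidence_id, "hash_original", actor, {"sha256": original_hash})
    # Assumption: dropping write permission stands in for a real write blocker.
    os.chmod(original, stat.S_IRUSR)
    working_copy = os.path.join(workdir, os.path.basename(original) + ".working")
    shutil.copyfile(original, working_copy)
    record(custody_log, evidence_id, "create_working_copy", actor, {"path": working_copy})
    return original_hash, working_copy


def verify(working_copy, original_hash, custody_log, evidence_id, actor):
    """Compare the working copy against the hash taken at acquisition."""
    current = sha256_file(working_copy)
    intact = current == original_hash
    record(custody_log, evidence_id, "verify_working_copy", actor,
           {"sha256": current, "matches_original": intact})
    return intact


def demo():
    """Run the procedure on a constructed evidence file and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "disk.img")
        with open(original, "wb") as fh:
            fh.write(b"constructed sample evidence\n" * 1000)
        log = os.path.join(tmp, "custody.jsonl")
        original_hash, copy = acquire(original, tmp, log, "EV-0001", "analyst-a")
        before = verify(copy, original_hash, log, "EV-0001", "analyst-a")
        # Simulate an accidental change to the working copy during analysis.
        with open(copy, "ab") as fh:
            fh.write(b"x")
        after = verify(copy, original_hash, log, "EV-0001", "analyst-b")
        with open(log, encoding="utf-8") as fh:
            actions = [json.loads(line)["action"] for line in fh]
        os.chmod(original, stat.S_IRUSR | stat.S_IWUSR)  # allow temp-dir cleanup
        return before, after, actions


if __name__ == "__main__":
    print(demo())
```

The second verification fails because the working copy changed, while the original and its recorded hash remain untouched; the custody log shows who performed each step and when.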

Manage Communications
Managing Communications

Vendor and Partner Communications
- Identify and document all partners, ensuring the relationship is understood.
- The role the partner plays in the business goals
- Any access the partner may have
- Key contacts at the partner organization
- Emergency communication protocols
- Rank the criticality of the partner as it pertains to business needs
- There should be a clearly defined on-boarding process for partners, including granting access to systems.
- Don't forget an off-boarding process.

Customer Communications
- Organizations have internal and external customers.
- Different clients use services differently, so know your customers.
- Serving internal departments as customers
- Serving external paying customers
- Identify individual responsibilities and document them in SLAs.

Managing Communications (Cont.)

Regulators
- Early communication is key when developing a cloud environment (surprises cost time and money).
- Regulatory requirements vary greatly based on:
  - Geography (jurisdiction)
  - Business type (e.g., medical, financial)
  - Services offered (e.g., processing credit cards or personal data)
  - Data type (classification, sensitivity)
- It is imperative that an organization understand all regulatory compliance needs prior to planning a cloud environment to ensure they can all be met.

Manage Security Operations
Security Operations Centers

A security operations center (SOC) is a command center facility for IT personnel specializing in security. From the SOC, IT professionals:
- Monitor the environment for abnormal behavior and signs of compromise
- Analyze system logs
- Protect the organization from attacks
- Perform vulnerability scans
- Monitor internet traffic and other traffic flows
- Handle asset discovery and management
- Assist with incident response

Most SOCs operate 24/7 and allow for more effective communication between IT security professionals working together on a team.

Monitoring Security Controls

Once security controls are configured and deployed, they must be monitored.
- Firewalls
- IDS/IPS
- Honeypots
- SIEMs
- Vulnerability scans
- Network security groups
- System logs
- Endpoint security solutions

These systems are hardware- and software-based, and they will fail at some point.

Log Capture and Analysis

Various tools are available to collect and analyze log data from event sources, including:
- Host servers
- Guest operating systems
- Network devices

Centralized and offsite storage of log data can prevent tampering.

Security Information and Events Management (SIEM)
- Used to centrally collect and analyze logs
- Can create specific event alerts and reporting
- Provides a secondary set of system logs

Logs must be managed, or they will overwrite themselves, and data may not be available when it's needed.
- Best to offload logs to a centralized log server such as a SIEM or Syslog server.
- In the event of a breach, many attackers will wipe system logs to clear their tracks, and a SIEM or Syslog server will keep a safe copy of the system logs for analysis.
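
The value of the central copy shows when it is reconciled against what a host still holds. The following Python is an added example, not part of the original course material; the log line format, host names and sample events are constructed, and the rule that entries older than the host's oldest retained line count as normal rotation is an assumption of this example.

```python
from datetime import datetime

# Constructed sample: what the central log server received ("timestamp host message").
CENTRAL = [
    "2024-05-01T09:00:00Z web01 cron[210]: job started",
    "2024-05-01T10:00:00Z web01 sshd[311]: session opened for user deploy",
    "2024-05-01T10:05:00Z web01 sudo[322]: deploy : COMMAND=/usr/bin/systemctl restart app",
    "2024-05-01T10:07:00Z web01 sshd[340]: session opened for user admin",
    "2024-05-01T10:08:00Z web01 sshd[340]: session closed for user admin",
    "2024-05-01T10:30:00Z web01 cron[402]: job started",
    "2024-05-01T10:06:00Z db01 sshd[120]: session opened for user backup",
]

# Constructed sample: what is still present in web01's local log file.
LOCAL_WEB01 = [CENTRAL[1], CENTRAL[2], CENTRAL[5]]


def parse(line):
    """Split a 'timestamp host message' line into (datetime, host, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, msg


def reconcile(host, local_lines, central_lines):
    """Classify events the central server holds for `host` that the host lacks.

    rotated:    older than the oldest line the host still retains, which is
                what ordinary log overwrite or rotation looks like.
    suspicious: inside the host's retained window (or the host log is empty),
                so the entry was removed rather than aged out.
    Limitation: deleting only the oldest entries is indistinguishable from
    rotation with this check alone.
    """
    central = [l for l in central_lines if parse(l)[1] == host]
    local = set(local_lines)
    missing = [l for l in central if l not in local]
    if not local_lines:
        return {"rotated": [], "suspicious": missing}
    oldest_local = min(parse(l)[0] for l in local_lines)
    rotated = [l for l in missing if parse(l)[0] < oldest_local]
    suspicious = [l for l in missing if parse(l)[0] >= oldest_local]
    return {"rotated": rotated, "suspicious": suspicious}


if __name__ == "__main__":
    result = reconcile("web01", LOCAL_WEB01, CENTRAL)
    for kind, lines in result.items():
        for line in lines:
            print(f"{kind}: {line}")
```

On the sample data the 09:00 entry is reported as rotated, and the two 10:07 and 10:08 entries are reported as suspicious because they fall inside the window the host still retains.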

Incident Management

Incident Management
- Activities of an organization to identify, analyze, and correct hazards to prevent future incidents
- An incident response team (IRT) usually handles these activities

Incident Response Objectives
- Ensure standardized incident management methods are used
- Ensure visibility and communication of incidents to support staff
- Align incident management activities with business goals

Incident Management Plan
- Definitions of incidents
- Roles and responsibilities of CSP and customer
- Incident management process to follow
- Media coordination
- Legal or regulatory notification requirements

Incident Prioritization
- Impact - Effect on the business
- Urgency - Can resolution be delayed?
- Priority = Impact × Urgency

Legal, Risk & Compliance
Legal Requirements and Unique Risks
Conflicting International Legislation

Cloud computing introduces many legal challenges for the security professional.
- Conflicting legal requirements
- Lack of clarity

International Laws
- International conventions: Establish rules recognized by conflicting states or territories
- International customs: General practices accepted as law
- General principles: Laws recognized by civilized nations
- Judicial decisions: Used to determine rules of law

Copyright and piracy law: Protects the sharing of copyrighted material with others who are not the legal owners of said material.

Intellectual property (IP) rights: Give the person who created an idea the exclusive rights to that idea. Patents, trademarks, and copyrights are legal ways to protect IP.

Privacy law: Recognition of a person's right to determine what personal information will be released to the public and when that personal information must be destroyed (when it's no longer needed).

Conflicting International Legislation (Cont.)

The doctrine of the proper law: When a conflict between laws occurs, this determines the jurisdiction under which the dispute will be heard. Generally based on contractual language through the choice-of-law clause.

Criminal law: A group of rules and statutes that protect the safety and well-being of the public.

Tort law: Rules and regulations designed to seek relief for personal suffering as a result of wrongful acts.
- Compensate victims
- Shift the cost of injuries to the offender
- Discourage careless and risky behavior

Restatement (second) conflict of laws: Laws made by judges - not legislation - that come into play when there are regions or states with conflicting laws. The judges must determine which laws are most appropriate for the situation.

Legal Risks Specific to Cloud Computing

One risk is the potential loss of control over your data in the cloud due to an investigation or legal action being carried out against your organization. To protect yourself, you should:
- Ensure your contract with the CSP states that the CSP is to inform you of any such events
- Ensure the contract states that you are to be in charge of making decisions about your data and how it is handled in response to a subpoena or other legal action

Legal Frameworks and Guidelines

Organization for Economic Cooperation and Development (OECD) Privacy and Security Guidelines
- The OECD published guidelines governing the privacy and protection of personal data flowing across borders; focused on the need for global privacy protection.

Asia-Pacific Economic Cooperation (APEC) Privacy Framework
- Consists of 9 principles and 21 member countries; provides a regional standard to address privacy as an international issue and cross-border data flows.

EU Data Protection Directive: Provides regulation and protection of personal information within the European Union. Designed to protect all personal data collected about European Union citizens.
- Quality of the data: Data must be accurate and kept up to date.
- Personal data may only be processed if the person gives consent.
- Special categories: It is illegal to process data related to racial or ethnic origin, political preference, religious beliefs, trade union affiliation, or data concerning health or sexual status.
- Data subjects' right to access data:
  - Confirmation to the data subject if data about that subject is being processed.

Legal Frameworks and Guidelines (Cont.)

General Data Protection Regulation (GDPR): Designed to protect all EU citizens from privacy and data breaches. Differs from the EU Data Protection Directive in the following ways:
- Applies to all companies processing data of EU citizens, regardless of location (globally).
- Organizations in breach of the GDPR can be fined up to 4% of annual global turnover or 20 million pounds, whichever is greater.
- Conditions for consent must not be full of legal jargon - must be in intelligible and easily accessible format
- Notification of a breach must be given within 72 hours.
- Right to be forgotten (data erasure): Entitles the subject to have his/her data erased at will.
- Data portability: The subject has the right to receive a copy of all data from a processor in a machine-readable format and have the right to transmit that data to another processor (controller).
- Denying service because a person doesn't consent to data collection is not permitted.
- GDPR is the primary privacy law throughout all EU member states and supersedes local privacy laws.

ePrivacy Directive: Created by the European parliament to protect the privacy of data that is processed in the electronic communications sector.

Legal Frameworks and Guidelines (Cont.)

U.S. Federal Laws
- Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to explain how they share and protect their customers' data.
- Health Insurance Portability and Accountability Act (HIPAA): Provides data privacy and security provisions for safeguarding medical information.
  - In order for two HIPAA-compliant organizations to share HIPAA data, they must have a business associate agreement (BAA) in place.
- Children's Online Privacy Protection Act (COPPA): Created to protect the privacy of children under 13 on the internet.
- Sarbanes-Oxley Act (SOX): Holds company executives accountable for data accuracy in an effort to prevent fraud and protect shareholders and employees.

Standards
- ISO & NIST
- Payment Card Industry Data Security Standard (PCI-DSS): Designed to protect cardholder information.

Silver Platter Doctrine: Former doctrine of criminal law that stated a federal court could introduce illegally or improperly seized evidence, as long as federal officers had played no role in obtaining it.
- Ex: If an employer discovered that one of their employees was stealing and selling sensitive company data, they could collect the evidence and give it to law enforcement. That evidence could legally be used in court because law enforcement was not involved in collecting it.

e-Discovery

e-Discovery (ISO 27050): Any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case

e-Discovery Challenges
- Identifying everywhere evidence could be located
- Acquiring data from CSPs
- Extracting data from gathered evidence (depending on formats)
- Cross-border collection of evidence (requires cooperation of remote CSPs in different jurisdictions)

Conducting e-Discovery Investigations in the Cloud
- SaaS-based e-discovery: Some packages may be available for discovering, collecting, and preserving data in the cloud
- Hosted e-discovery provider: You can hire a hosted service provider to perform e-discovery for you
- Third-party e-discovery: Outsourcing to an organization that specializes in cloud-based e-discovery

Forensic Requirements

Cloud forensics: The practice of reconstructing past cloud computing events by collecting, preserving, analyzing, and interpreting cloud data evidence.

Cloud forensics can be difficult because you may not have access to required data and may need to work with a CSP to access the data.

ISO 27050 (e-Discovery): Works to globally standardize approaches to cloud forensics.

Ensure that individuals collecting forensic data are trained and certified in the tools they use, as this will lend credibility to their findings.

Auditing
Contractual vs. Regulated Private Data

Legal responsibility for data processing falls to the customer who signs up for services with a CSP.

The customer is ultimately responsible for managing the safety of any data they upload to the CSP.

Personally identifiable information (PII): Any data that can be used to identify, contact, or locate a living individual. Includes a person's social security number, driver's license number, address, phone number, date/place of birth, mother's maiden name, and biometric records.

Two main types of PII related to the cloud:
- Contractual PII: An organization processes, transmits, or stores PII as part of its business or services. Contractually, this data must be protected by the business providing the service.
- Regulated PII: PII must be protected due to the legal and statutory requirements of regulations such as HIPAA and GLBA. Regulatory protection shields individuals from risk.
- Both must protect PII, but one is for contractual reasons while the other is for regulatory reasons.
- Another difference is that with regulated PII, breach reporting is mandatory.
- NIST 800-122 is a useful resource for ensuring that the requirements for contractual and regulated PII are being met.
Contractual vs. Regulated Private Data (Cont.)

Contractual Components
- Scope of processing: Identify the types of processing performed with data and what the purpose of the processing is
- Use of subcontractors: Understand where data processing, transmission, and storage of data will take place and any subcontracting involved
- Deletion of data: Ensure that the data deletion process meets organizational policies
- Data security controls: Security controls should be implemented at the same level across the processing organization and any subcontractors involved in the process
- Location of data: To meet compliance, regulatory, and legal requirements, the location of organizations and subcontractors must be known in order to keep track of the physical location of data
- Return of data: When a contract is terminated, data must be returned in a timely manner
- Right to audit: The customer should have the right to audit the organization performing the data processing as well as any subcontractors involved in the process
Country-Specific Legislation Related to Private Data

European Union
The EU has prohibited EU data controllers from transferring personal data outside their country to non-European Economic Area (EEA) jurisdictions that do not have an adequate level of protection.
- To transmit EEA citizens' personal data outside their country, companies must abide by Directive 95/46 EC in the EU or the Safe Harbor/Privacy Shield program in the US.

Directive 95/46 EC: Specifies provisions for the protection of individuals with respect to processing personal data and the human right to privacy as referenced in the European Convention on Human Rights (ECHR)

EU General Data Protection Regulation (GDPR): Strengthens the rights of individuals to protect their personal data. GDPR introduces some new changes such as:
- The concept of consent
- Data transfers abroad
- The right to be forgotten
- Establishment of a data protection office role
- Access requests
- Increased sanctions
- Services cannot be denied to a person who declines to participate in data collection
According to GDPR, an entity outside of the EU can gather/process personal data belonging to EU citizens if the entity:
- Is located in a country with a national law that complies with EU laws
- Creates binding contractual wording that complies with EU laws
  - Each country in the EU for which data is processed must approve the wording of the contract
- Joins the Safe Harbor or Privacy Shield program in its own country

United States
There is no single federal law governing data protection. There are few restrictions on the transfer of personal data outside the US, which makes it easy to use CSPs located outside the US.

However, the Federal Trade Commission (FTC) and US regulators hold that applicable US laws and regulations apply to data after it leaves the US, and the US-regulated entities that send data abroad remain liable for:
- Data exported outside the US
- The processing of data by subcontractors outside the US
- Subcontractors abroad using the same level of protection for regulated data
Safe Harbor Program: Developed by the US and EU to address concerns that the US does not have a regulatory framework that provides adequate protection for personal data transferred from the European Economic Area (EEA).

Privacy Shield Framework: As of July 12, 2016, the EU reversed its decision on the legal adequacy of the US Safe Harbor program. The US has now implemented the Privacy Shield Framework, which the EU deems adequate for protecting personal information. The new Privacy Shield Framework replaces the Safe Harbor program and is managed by the Federal Trade Commission (FTC).

Stored Communications Act (SCA): Provides privacy protection for electronic communication and computing services from unauthorized access or interception.
- Very outdated and in need of updating

Cross-Border Data Transfers: Canadian regulations covering the processing of Canadian citizens' data outside of Canada.

Jurisdictional Differences

Many countries, including Switzerland, Argentina, Australia, and New Zealand, follow data privacy rules similar to the EU's.

CCSPs should always engage with legal professionals about local and international laws prior to engaging in cloud services.
Standard Privacy Requirements

ISO/IEC 27018: Addresses privacy in cloud computing and consists of five key principles:
- Consent: CSPs may not use personal data they receive from customers for marketing or advertising without customer consent.
- Control: Customers have full control over how CSPs use their data.
- Transparency: CSPs must inform customers where their data resides and disclose the use of any subcontractors who have access to PII.
- Communication: CSPs must keep a record of all incidents and their responses to them, as well as inform customers.
- Independent and yearly audit: To be ISO/IEC 27018 compliant, CSPs must subject themselves to annual third-party audits.

Generally Accepted Privacy Principles (GAPP): The AICPA standard that describes 74 detailed privacy principles that are very similar to the OECD and GDPR principles.

ISO 27001 Information Security Management System (ISMS): Internal audits should be part of every ISMS, and their goal should be to reduce risks related to the availability, integrity, and confidentiality of data while improving stakeholder confidence in the security posture of the organization.
- ISO 27001 is the most widely used global standard for ISMS implementation.

Privacy Issues
Audit Controls and Requirements

An organization's internal audits act as a third line of defense after security controls and risk management.

Internal audit scopes are directly linked to an organization's risk assessment findings.
- Audit the greatest risks

External audits focus on the controls over financial risk.
- Areas that support the financial health of the organization
- Don't necessarily focus on cloud risks

Traditional audit methods may not be applicable in the cloud.

Things to Consider
- How do you know the underlying hypervisor you're auditing is the same one over time?
- How tech-savvy is the CSP that's providing you data?
- We can only do our best and attest to what data is provided to us.

Assurance Challenges of Virtualization and the Cloud

It's difficult to audit the underlying hypervisors and virtualization of many CSPs, as they will not provide access to the underlying systems.

As CCSPs, we're concerned with ensuring the confidentiality, integrity, and availability of cloud services. SLAs will generally cover availability, but not necessarily confidentiality and integrity.

Auditing in the Cloud for Confidentiality and Integrity
- Understand the virtualization environment, as it will help you plan the assessment and associated testing
- Verify that systems are following security best practices
- Ensure that configurations are done according to organizational policy

We must use knowns (best practices, organizational policies, etc.) in our audits to provide an accurate picture of the cloud environment's compliance.

Types of Audit Reports

American Institute of CPAs (AICPA) Service Organizational Control (SOC) 1, 2, and 3 Reports
- SOC 1: Validating financial statements and risks
- SOC 2: Validating the effectiveness of controls in a technically detailed format
  - Type 1: Reporting the effectiveness of controls at a specific point in time
  - Type 2: Reporting the effectiveness of controls over a period of time (generally 6 months)
- SOC 3: Validating the effectiveness of controls in a generalized format

International Standard on Assurance Engagements (ISAE): The international equivalent to a SOC 1 report

Agreed-Upon Procedures (AUP): Based on the Statement on Standards for Attestation Engagement (SSAE), in an AUP an auditor is engaged to report on the findings of procedures performed by the audited party. The auditor provides no opinion, only states identified facts, and the third party forms their own conclusion based on the report.

The Cloud Security Alliance (CSA) has created the Security, Trust and Assurance Registry (STAR) program.

EuroCloud Star Audit (ESCA) program: European CSP certification program

Restrictions of Audit Scope Statements

Audit scope statement: Provides the necessary information for the organization being audited to fully understand the scope, focus, and type of assessment being performed

Audit scope restrictions: Parameters set to focus an auditor's efforts on relevancy and to:
- Limit the operational impact of audit activities
- Lower the risk to production environments posed by audit activities
  - Ex: The auditor cannot require a fully functional disaster recovery test.
  - Ex: The auditor cannot pull the fire alarm unannounced to verify functionality.

Cloud service audits are primarily based on:
- Ability to meet SLAs (uptime and performance data can be used to validate)
- Contractual requirements
- Industry best practice standards and frameworks such as:
  - The International Standard on Assurance Engagement (ISAE), which is an internal control framework

Statement on Standards for Attestation Engagement (SSAE): An auditing standard for service organizations that supersedes SAS70
Gap Analysis

Gap analysis: Used to identify gaps between an organization's environment and the frameworks or standards that the organization is attempting to comply with.

Ex: An organization is attempting to comply with PCI DSS, but they do not have network segmentation for devices that handle cardholder information.

A gap analysis helps identify where an organization falls short of compliance so they can remediate those issues to become compliant.

A gap analysis is often performed internally by someone outside the department being audited.

Audit Planning

Four Phases of Audit Planning

1. Define the audit objectives.
- Audit outputs and formats
- Frequency and focus of audit
- Number of auditors and subject matter experts (SMEs)
- Alignment with audit and risk management process

2. Define the audit scope.
- Define the core focus and boundaries
- Document services and resources used by CSPs
- Identify key components of CSP services used
- Define cloud services to be audited (IaaS, PaaS, SaaS)
- Define geographic locations to be audited

3. Conduct the audit.
- Adequate staff
- Adequate tools
- Schedule
- Take previous audits into account

4. Refine the audit process & review lessons learned.
- Ensure the scope is still relevant after review
- Factor in any provider changes since the last audit
- Identify opportunities for report improvements
- Ensure scope criteria and scope are still accurate after review
ISMS (Information Security Management System)

ISO 27001: A standard that defines information security management systems (ISMS) and is used to measure a comprehensive security program.

Internal audits should be part of every ISMS program.
- Reduce risks related to the availability, integrity, and confidentiality of data
- Improve stakeholder confidence

ISO 27001 covers security control systems within an ISMS.
- Security controls are mapped to requirements identified through a formal risk assessment

ISO 27001 covers several domains, including:
- A.5: Security policy management
- A.8: Organizational asset management
- A.10: Cryptography policy
- A.11: Physical security policy
- A.13: Network security management
- A.18: Security compliance management

An ISMS helps standardize and measure security across an organization and to the cloud.
Policies

Organizational policies affect the organization as a whole.
- Ex: The organization will follow accepted standards to protect client data.

Functional policies are key to implementing an effective data security strategy.
- Data classification policy
- Acceptable use policy
- Data backup policy
- Internet usage policy
- Segregation of duties policy

Cloud computing policies are used to implement effective cloud security.
- Password policy
- Remote access policy
- Encryption policy
- Third-party access policy
- Segregation of duties policy
- Data backup policy

Involvement of Relevant Stakeholders

It's extremely important to involve relevant stakeholders from the beginning of a cloud computing discussion.
- Help provide an overarching view of organizational processes
- Ensure the approach to cloud fits and doesn't become a one-off

Stakeholder Challenges
- Defining an enterprise architecture
  - Consider all services across the organization and how they will interoperate
- Selecting a CSP
- Getting information from persons who may no longer be required after a move to the cloud
- Identifying indirect costs
  - Training
  - New tasks
  - New responsibilities
- Extending risk management to the cloud
  - New way of thinking about things

Specialized Compliance Requirements for Highly Regulated Industries

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP): Specifies the minimum security requirements for operating North America's bulk electrical system.

Health Insurance Portability and Accountability Act (HIPAA): Specifies protection for personal health information used in the healthcare services industry.

Payment Card Industry (PCI): Regulates the handling and storage of credit card data.
- Over 200 controls in the standard
- 4 merchant tiers within the PCI DSS standard
  - Based on the number of transactions a merchant processes
  - Different merchant tiers determine the number of audits each must conduct
Section 5

Impact of the Distributed Information Technology (IT) Model

Clear communication is more challenging.
- Remote workers require a re-thinking of internal communication processes.
- Processes must be put in place to address requests in a structured way.
- Teams may span multiple geographical locations and time zones, and work schedules may need to be adjusted.
- Employees may be in several different legal jurisdictions.

Gathering information from resources is different.
- Information used to come from a team of employees; now it comes from members of that group and from a CSP.

It may be beneficial to hire a third-party consultant to assist with the transition to a distributed IT model.

Risk Management
Assessing a Provider's Risk Management Framework

Key Steps
- Review security controls that are in place
- Identify the methodologies or frameworks used by the provider
- Review the provider's policies
  - May be posted on their website

Helpful Tips
- Look for CSPs who participate in the CSA STAR program

Cloud services are very convenient to consume and can easily cause undue risk due to uncontrolled consumption of services.

Risk profile: An analysis of the types of risks an organization faces

Risk appetite: The level of risk an organization is willing to accept to meet its goals
Data Owners, Controllers, Custodians, and Processors

Data subject: The person who is the focus of personal data

Data owner: Holds the legal rights to and has complete control over data and can determine the distribution of said data

Data controller: The person or organization that determines the manner in which data is processed and for what purposes

Data custodian: Responsible for the safe custody, transport, storage, and implementation of business rules surrounding data

Data processor: Anyone other than an employee of the data controller who processes the personal data on behalf of the data controller (subcontractor)

Regulatory Transparency Requirements

Many regulations require breach notifications to be sent to individuals whose information has been compromised.
- GDPR: Within 72 hours
- HIPAA: No later than 60 days
- PCI: No requirement
- Most states within the US have laws regarding breach notifications

Many other regulations require organizations to be transparent with individuals whose personal data they maintain.
- GLBA
- SOX
- GDPR
Risk Treatment

Four Ways to Handle Risk
- Avoidance: Simply avoid the risk (e.g., deciding not to use a specific service because it introduces more than an acceptable amount of risk).
- Acceptance: Accept the risk and live with it. Implement security controls around the risk.
- Transference: Transfer the risk to another party by outsourcing or insuring against the risk.
- Mitigation: Implement a fix to get the risk down to an acceptable level.

Security controls are used to address and mitigate risks.

3 Main Types of Security Controls
- Physical: Limiting physical access using door locks, fire suppression, fences, guards, etc.
- Technical: Logical controls such as encryption, access lists, firewall rules, etc.
- Administrative: Personnel background checks, separation of duties, mandatory vacations, etc.

ISO 27002: Code of practice for information security controls
Risk Frameworks

ISO 31000 - Guidance standard not intended for certification purposes
- Does not address specific or legal requirements related to risk assessment or management
- Provides a structured and measurable risk management approach to assist with identifying cloud-related risks
- Lists 11 key principles as a set of guidelines
- Focuses on risk identification, analysis, and evaluation through risk treatment

ENISA - Cloud Computing: Benefits, Risks, and Recommendations for Information Security
- Can be used as an effective foundation for risk management
- Identifies 35 types of risks to consider and the top 8 security risks based on likelihood and impact

NIST - Cloud Computing Synopsis and Recommendations
- Special publication 800-146
- Focuses on risk components and the appropriate analysis of those risks
- NIST is used by the US government and related agencies
Metrics for Risk Management

Metrics help determine the severity of a risk. Risk programs use a scorecard to record the severity of specific risks.
- Critical
- High
- Moderate
- Low
- Minimal

Companies often attach a specific dollar amount to each level of risk in order to quantify the amount of risk.

Risk Metrics
- Number of high-risk assets
- Number of identified risks
- Number of recurring risks
- Risk severity
- Median time to discover risk
- Median time to remediate risk

Assessment of Risk Environment

What type of risk does the organization face?

Depends on several things:
- Service: What type of cloud services are being used and what are the associated risks?
- Vendor: What is the vendor's reputation? What standards do they comply with?
- Infrastructure: Does the infrastructure follow best practices and meet compliance?

ISO 27002: Code of practice for information security controls

Information security controls are how we address risk.
Outsourcing and Cloud Contracts

Business Requirements

Identify the business needs and requirements for moving to the cloud.

Define a scope of what will move to the cloud, including:
- Services included in the move
- Regulatory or legal compliance required
- Risks associated with the service and/or move to the cloud

Contract Types
- Service-Level Agreement (SLA): Sets specific goals for services and their provisions over a specific time period.
- Master Service Agreement (MSA): A contract entered into by two parties that outlines the services to be provided. Outlines items such as payment terms, warranties, intellectual property owners, and dispute resolution.
- Statement of Work (SOW): Outlines the work to be done as part of a project. Defines deliverables and timelines for a vendor providing service to a client.
Vendor Management

As a CCSP, you must understand that part of dealing with a CSP (vendor) is understanding the associated risks:
- Is the vendor mature?
- Is the vendor financially stable?
- Is the vendor outsourcing services?
- Is the vendor compliant with industry standards?
- Can the vendor meet your regulatory compliance needs?

Industry Standards to Consider
- Common Criteria (CC): An international set of guidelines and specifications (ISO/IEC 15408) developed for evaluating information security products to ensure that they do what they say they do.
- CSA STAR: Created to establish transparency and assurance for cloud-based environments. Allows customers to assess the security of CSPs by asking the CSPs for information. The CSPs then provide that information in a transparent manner. CSA STAR consists of three layers:
  - Self-assessment: Requires the release of published results of due diligence assessments against the CSA's questionnaire
  - CSA STAR Attestation: Requires the release and publication of results of a third-party audit of the cloud vendor against CSA CCM and ISO 27001:2013 requirements or an AICPA SOC 2
  - Continuous auditing: Requires the release and publication of results related to the security properties of monitoring based on the CloudTrust Protocol
Vendor Management (Cont.)

Industry Standards to Consider (Cont.)
- European Union Agency for Cybersecurity (ENISA):
  - Cloud Certification Schemes List (CCSL): Provides an overview of different cloud certification schemes (certifications) and shows the main characteristics of each scheme. It also answers questions such as:
    - What are the underlying standards?
    - Who issues the certification?
  - CCSL provides information for the following schemes:
    - Certified Cloud Service
    - CSA STAR Attestation
    - EuroCloud Star Audit Certification
    - ISO/IEC 27001
    - PCI-DSS v3
    - Service Organization Control (SOC) 1, 2, 3
  - Cloud Certification Schemes Metaframework (CCSM): An extension for the CCSL designed to provide a high-level mapping of customer security requirements to security objectives in existing cloud security schemes
    - My security requirements are "X" - which cloud security schemes align with that?
Contract Management

Managing a Contract
- Meet the ongoing needs of the business
- Monitor contract performance
- Adhere to contract terms
- Manage outages, incidents, violations, and variations

Key Contract Components
- Performance measurements (metrics)
- SLAs
- Right to audit
- Definitions
- Termination
- Litigation
- Assurance
- Compliance
- Access to data
- Cyber risk insurance

Failing to address key contract components can result in additional costs to the customer if additions or amendments to the contract are necessary.
Supply Chain Management

Each supplier added (including CSPs and their subcontractors) increases risk to the organization.

To keep track of ongoing supply chain risks, a CCSP should:
- Obtain regular updates from vendors listing dependencies and reliance on third parties
- Challenge vendors on identified single points of failure
- Continuously monitor suppliers and their changes

Standards and Frameworks for Supply Chain Management
- NIST SP800-161 - Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- ISO 28000 - Supply chain standard
- ISO 27036 - Information security for supplier relationships
Exam Preparation

Preparing for the Exam

Study the interactive diagram - understand the material so you can reason through exam questions.

Take the practice exam several times. Get used to the mental strain of a long exam.

Take advantage of the flash cards - use them during short study sessions.

Exam Details
- Duration: 3 hours
- Number of questions: 125
- Question format: Multiple choice
- Passing score: 700 out of 1000 (70%)

Registering for the Exam

1. Go to the Pearson Vue ISC2 page and sign in.
2. Select the CCSP exam.
3. Choose a testing center.
4. Choose a date and time.
5. Pay for your exam.
6. After you pass your exam (which I'm confident you will!), be sure to let us know how you did in the Linux Academy Community.
Good Luck!

All of us at Linux Academy are behind you 100%.
