
Certificate of Cloud Security Knowledge
CCSK Foundation Student Handbook

Version 4.1

Released November, 2019

© 2019 Securosis, LLC and Cloud Security Alliance. All Rights Reserved.
CERTIFICATE OF CLOUD SECURITY KNOWLEDGE
FOUNDATION & PLUS
CREATED BY SECUROSIS, LLC FOR THE CLOUD SECURITY ALLIANCE

Course Objective

To provide students with a base of knowledge on cloud computing security theory and practice and assist students in taking the CCSK exam.
2

Copyright 2019 Cloud Security Alliance and Securosis, LLC
Course Overview

The CCSK Foundation Course will prepare you for the CCSK exam and provide additional material and context.

To pass the exam, you will still need to study the CSA Guidance, the Cloud Controls Matrix (CCM), and the ENISA Risk Report.

The content is found in the CSA Guidance, and will be updated as the guidance evolves.

The CCSK Plus course will prepare you for the CCSK exam and provides expanded material and exercises to grow your practical knowledge of cloud computing security through hands-on exercises.

To pass the exam you will still need to study the CSA Guidance, the Consensus Assessments Initiative Questionnaire (CAIQ), the Cloud Controls Matrix (CCM) and the ENISA risk report.

Course Structure

The CCSK Foundation Training is divided into 6 modules which map to domains outlined in the CSA Security Guidance.

DOWNLOAD THE LATEST VERSION OF THE CSA SECURITY GUIDANCE.

Course Structure
MODULE 1 // Introduction To Cloud Computing

Maps to the following domains in the Security Guidance:
Domain 1 // Cloud Computing Concepts and Architectures

Covers the following subject areas:
• NIST
• Essential characteristics
• Service models
• Deployment models

Course Structure
MODULE 2 // Infrastructure Security For Cloud

Maps to the following domains in the Security Guidance:
Domain 6 // Management Plane and Business Continuity
Domain 7 // Infrastructure Security
Domain 8 // Virtualization and Containers

Also maps to CAIQ and CCM, and ENISA

Covers the following subject areas:
• Securing base infrastructure
• Management plane security
• Securing virtual hosts and networks
• IaaS, PaaS, SaaS security

Course Structure
MODULE 3 // Managing Cloud Security & Risk

Maps to the following domains in the Security Guidance:
Domain 2 // Governance and Enterprise Risk Management
Domain 3 // Legal Issues, Contracts and Electronic Discovery
Domain 4 // Compliance and Audit Management
Domain 5 // Information Governance

Covers the following subject areas:
• Risk and governance
• Legal and compliance
• Audit
• Data governance

Course Structure
MODULE 4 // Data Security For Cloud

Maps to the following domains in the Security Guidance:
Domain 6 // Management Plane and Business Continuity
Domain 11 // Data Security

Covers the following subject areas:
• Cloud data architectures
• Data security and encryption
• CASB and data loss prevention
• BC/DR

Course Structure
MODULE 5 // Securing Cloud Applications, Users & Related Technologies

Maps to the following domains in the Security Guidance:
Domain 10 // Application Security
Domain 12 // Identity, Entitlement and Access Management
Domain 14 // Related Technologies

Covers the following subject areas:
• Application security
• Identity and access management
• Related technologies

10
Course Structure
MODULE 6 // Cloud Security Operations

Maps to the following domains in the Security Guidance:
Domain 9 // Incident Response
Domain 13 // Security as a Service

Covers the following subject areas:
• What to look for in a cloud provider
• Security as a Service
• Incident Response

11

Note
• If you are taking the CCSK Plus class and have not subscribed to Amazon EC2 and followed the pre-class setup instructions, you need to now.
• It can take up to a day for your EC2 credentials to fully activate, but it typically happens within minutes.

12
Learning Outcomes

1. Be prepared to successfully pass the CCSK written exam.
2. Understand cloud models and architectures, and how to apply the Shared Responsibilities model to building a cloud security program.
3. Know the impacts of cloud computing on governance, legal, risk, and regulatory compliance.
4. Learn to adapt existing security principles and practices for cloud deployments, including the impact of cloud on all traditional security domains.
5. Be able to practically apply the Cloud Security Alliance Security Guidance, Cloud Controls Matrix, and other research to a cloud security program.

13

INTRODUCTION AND CLOUD ARCHITECTURES
MODULE 1

14

Module Structure

Content in this module comes from the following domains in CSA’s Security Guidance and covers the following subject areas:

Domain 1 // Cloud Computing Concepts and Architectures
• NIST
• Essential characteristics
• Service Models
• Deployment models

DOWNLOAD THE LATEST VERSION OF THE CSA SECURITY GUIDANCE.

15

Module Structure
Unit 1 // Module Intro
Unit 2 // Introductions to Architecture
Unit 3 // Cloud Essential Characteristics
Unit 4 // Cloud Service Models
Unit 5 // Cloud Deployment Models
Unit 6 // Shared Responsibilities

16
Learning Objectives

Understand the components of cloud infrastructure

Assess the security implications of virtual networks and workloads

Learn the security advantages and disadvantages of working with cloud infrastructure

Evaluate how to secure the cloud management plane

Learn how to manage business continuity for cloud computing
17

The Amazon EC2 Story

Amazon wanted to more efficiently use their resources.
• And better enable developers without having to go through hardware procurement.
Cloud meant they didn’t have to have dedicated capacity for each kind of system.
• Just pull what’s needed out of the pool.
• Still needed enough overall capacity for peak (e.g. holidays), so a lot of hardware wasn’t being used day to day.
Rent out the spare capacity (EC2).
• Note that public AWS was a separate project, NOT renting core capacity, but all Amazon now runs on it.

18
Resource Pools

[Diagram: resource pools of storage, networks, and compute]

19

Building Resource Pools

[Diagram: abstraction and automation build the resource pools]

20
“Static” Virtualization vs. Cloud Computing

Traditional virtualization
• Abstraction of compute, network, and storage from physical infrastructure.
• A human administrator manually (mostly) allocates resources.
• Not self-service. Administrator required.
• Not elastic due to lack of automation.

Cloud computing
• Abstraction of compute, network, storage (and more) from physical infrastructure.
• The cloud automates and orchestrates management of the resource pools.
• Self-service. Users provision the resources from their own allocated pool based on policies.
21

What is Cloud Computing?

• Cloud separates application and information resources from the underlying infrastructure, and the mechanisms used to deliver them.
• Cloud describes the use of a collection of services, applications, information, and infrastructure comprised of pools of compute, network, information, and storage resources.
• These pools can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down.
• Cloud provides for an on-demand utility-like model of allocation and consumption.

22
Definitions

NIST: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

ISO/IEC 17788: Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand.
23

Potential Benefits of Cloud Computing
• No capital expenditures (using public cloud)
• More agility
• Unbounded scale
• Improved resource utilization
• Customer-controlled migration
• Resilience
• Pay for use

24
Review

1. Cloud computing is a new operational model that combines the benefits of abstraction (virtualization) and automation (orchestration) for new ways of delivering and consuming technology.
2. Abstraction separates resources from their underlying physical infrastructure. It allows us to create resource pools out of those underlying assets.
3. Automation (orchestration) allows us to rapidly provision and deprovision those resources from the resource pool.
4. This is different than traditional virtualization which includes the abstraction piece, but doesn't necessarily use that to build resource pools, and lacks the advanced orchestration of cloud.
5. Cloud can potentially provide a wide range of benefits, but the key ones are economic, agility, and resiliency.

25

NIST Model of Cloud Computing

26
Broad Network Access

• Access through standard clients
  • Computers (desktops, laptops)
  • Mobile devices
  • Traditional or cloud-based software services (applications, processes, etc.)

[Diagram: the five NIST essential characteristics: broad network access, rapid elasticity, measured service, on-demand self-service, resource pooling]
27

Rapid Elasticity

• Services can be rapidly and elastically provisioned - in some cases, automatically - to quickly scale out; and rapidly released to quickly scale in.
28
Measured Service

• Automatically control and optimize resource usage
• Leveraging a metering capability at some level of abstraction
• Utility computing - you pay for what you use.
29

On-Demand Self-Service

• A consumer can unilaterally provision computing capabilities, such as server time and network storage as needed automatically, without requiring human interaction with a service provider.
30
Resource Pooling

• Resources are pooled to serve multiple consumers using a multi-tenant model
• Different physical and virtual resources
• Location independence
  • Exact location of resources not in customer’s control
31

Resource Pooling & Multitenancy

Multi-tenancy is an emergent property of resource pooling. Once you have a pool and allow more than one consumer to access it, you have multitenancy. For multitenancy of a shared resource pool to work it needs a few characteristics and enforcement capabilities, all of which affect security.

[Diagram: multi-tenancy surrounded by policy-driven enforcement, segmentation, isolation, governance, service levels, and chargeback/billing models]

32
Policy-Driven Enforcement

Policy-driven enforcement - the cloud provider and cloud consumers define how their environment should look and run using policies. These can be implemented in a user interface or directly via policies encoded using a formal policy language (code).

33

Segmentation

Customers run in their own “segment” of the cloud. Segmentation is how the provider divides the cloud up among different tenants.

34
Isolation

Consumers in one segment should never see anything running in another segment. This is the core control that allows multiple tenants to safely share a resource pool without seeing or impacting each others’ deployments.

35

Governance

Governance is the overall management model of the cloud, from contracts and service levels to policies. Many of the other characteristics are enforcement mechanisms of governance.

36
Service Levels

Since a resource pool is a shared environment, the cloud provider needs mechanisms to divvy up the resources among tenants and assure them that they will have the resources that are promised. Service levels define who gets what resources.

37

Chargeback/Billing Models

Since the cloud controller needs to know exactly who is using what resources from the pool at all times, it is only natural this is metered and can be used for billing purposes.

38
Review

1. The NIST model of cloud computing cleanly describes the essential characteristics required for something to be considered "a cloud".
2. The most important of those is resource pooling, which is what allows multiple consumers to share the same underlying physical resources.
3. But broad network access, elasticity, measured service, and self service are all also important and essential cloud features.
4. Thus multitenancy is an emergent property of resource pooling, not an essential characteristic itself.
5. For multitenancy to work it needs strong segregation (breaking up the environment) and isolation (the security boundary between segments).

39

Cloud Service Models (SPI)

SOFTWARE AS A SERVICE (SaaS)
PLATFORM AS A SERVICE (PaaS)
INFRASTRUCTURE AS A SERVICE (IaaS)

40
Infrastructure As A Service (IaaS)
• Provisions processing, storage,
networks, and other
fundamental computing
resources
• Consumer deploys and runs
arbitrary software
• Can include operating systems
and applications

41

Simplified IaaS
Architecture

42
Platform As A Service (PaaS)
• Application development
frameworks, middleware
capabilities, and functions
such as databases, messaging,
and queuing.
• Deploy consumer-created or
acquired applications onto
cloud infrastructure
• Created using programming
languages and tools supported
by the cloud provider

43

Simplified PaaS
Architecture

44
Software As A Service (SaaS)
• The consumer uses the
provider’s applications.
• Doesn’t necessarily have to
run on IaaS or PaaS, but must
still have the Essential
Characteristics.
• The consumer does not
manage or control the
underlying cloud infrastructure
including network, servers,
operating systems, storage, or
even individual application
capabilities.

45

Simplified SaaS
Example
Architecture

46
Review

1. Service models describe what is offered to a cloud consumer: infrastructure, a platform, or a complete application (software).
2. Infrastructure as a Service provides resource pools of virtualized infrastructure, such as compute, network, or storage pools.
3. Platform as a Service further abstracts capabilities and provides resource pools of pre-configured services where the cloud consumer doesn't manage the underlying infrastructure. PaaS includes services such as databases, container platforms, message queues, and a wide range of other options.
4. Software as a Service fully abstracts everything except the application itself. Cloud consumers use the application but have no insight or management of the underlying resources.
5. In real-world deployments cloud consumers often mix and match the service models to meet project requirements.

47

Cloud Deployment Models // Public Cloud

The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. This tends to be what most organizations view as the “cloud.” Basically a big set of computers in the sky that can be spun up or decommissioned instantly to support almost any kind of applications.

48
Cloud Deployment Models // Private Cloud

The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party and may exist on-premises or off-premises. Any infrastructure you are responsible for managing can be termed a “private cloud.” Thus your existing data center, given some of the essential characteristics of cloud infrastructure (broad network access, rapid elasticity, etc.) is sort of a private cloud. Of course, there is a lot of work to be done to turn a traditional existing data center into a private cloud facility, but it’s definitely a direction many organizations are moving towards.

49

Cloud Deployment Models // Community

50
Cloud Deployment Models // Hybrid

The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds). Why have one, when you can have two for twice the price? Okay, that may be a little facetious, but hybrid models are real and provide both a shorter term migration plan (so you can support your existing data centers/private cloud, while moving some or all of your infrastructure to another cloud platform).

51
Cloud Deployment Models & Responsibilities

52
Hybrid Cloud

[Diagram: a public cloud and a private cloud or legacy infrastructure, joined by a direct/virtual network pipe built on standards or proprietary technology, supporting legacy access/control and cloud bursting]

53

Logical Model

INFRASTRUCTURE
The core components of a computing system: compute, network, and storage. The foundation that everything else is built on. The moving parts.

54
Logical Model

METASTRUCTURE
The protocols and mechanisms
that provide the interface
between the infrastructure layer
and the other layers. The glue
that ties the technologies and
enables management and
configuration.

55

Logical Model

APPLISTRUCTURE
The applications deployed in the
cloud and the underlying
application services used to
build them. For example,
platform as a service features
like message queues, artificial
intelligence analysis, or
notification services.

56
Logical Model

INFOSTRUCTURE
The data and information.
Content in a database, i.e.
storage, etc.

57

Review

1. Deployment models describe how the cloud (regardless of service model) is offered to consumers. The easiest way to think about it is "who gets to use the cloud?"
2. Public clouds are open to anyone who signs up for the service, which means different cloud consumers do not know or trust each other and the cloud provider is responsible for keeping them isolated.
3. Private and community clouds are reserved only for trusted users; those from the same organization or a group of trusted organizations. Someone else can still own and operate the cloud, but only the trusted users are allowed.
4. Hybrid cloud connects on premise resources to a public cloud deployment.
5. The logical model is a different way to describe how we distribute our resources and application components. It is useful in showing how data, infrastructure, application and management components are organized across environments.

58
Shared Responsibilities Model

CONSUMER
• Network, Host/Server Security
• IAM and Metastructure Configuration
• Data and Application Security

Management Plane/Metastructure

PROVIDER
• Physical Infrastructure
• Virtualization/Abstraction
• Application and PaaS Services

59

Security Impact of the Service Model

The lower down the stack the cloud service provider stops, the more security
capabilities and management consumers are responsible for implementing and
managing themselves.

60
Cloud Security

SECURITY CONSIDERATIONS BREAK DOWN TO:
• How does the underlying technology affect security controls?
• Who will consume assets, resources, information?
• Who is responsible for governance, security, and compliance?

[Diagram: Identify Requirements → Select Provider, Service, and Deployment Models → Define Architecture → Assess Security Controls → Identify Control Gaps → Design and Implement Controls → Manage Changes]
61

Conclusion

1. Cloud describes the use of pools of compute, network, information, and storage resources.
2. Characteristics of cloud services include: broad network access, rapid elasticity, measured service, on-demand self service, and resource pooling.
3. Cloud services tend to be delivered as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS), though the distinctions are blurring.
4. Cloud services can be deployed as public, private, hybrid or community clouds depending on the security and sharing requirements of the application.

62
Infrastructure Security for Cloud Computing
Module 2

63

Module Structure
MODULE 2 // Infrastructure Security For Cloud

Maps to the following domains in the Security Guidance:
DOMAIN 6 // Management Plane and Business Continuity
DOMAIN 7 // Infrastructure Security
DOMAIN 8 // Virtualization and Containers

Also maps to CAIQ and CCM, and ENISA

Covers the following subject areas:
• Securing base infrastructure
• Management plane security
• Securing virtual hosts and networks
• IaaS, PaaS, SaaS security

64
Module Structure
Unit 1 // Module Introduction
Unit 2 // Introduction to Infrastructure Security for Cloud Computing
Unit 3 // Software Defined Network
Unit 4 // Cloud Network Security
Unit 5 // Securing Compute Workloads
Unit 6 // Management Plane Security
Unit 7 // BCDR
65

Objectives

Understand the components of cloud infrastructure.

Assess the security implications of virtual networks and workloads.

Learn the security advantages and disadvantages of working with cloud infrastructure.

Evaluate how to secure the cloud management plane.

Learn how to manage business continuity for cloud computing.
66
Intro to Infrastructure Security for Cloud Computing
Module 2 // Unit 2

67

Macro Layers

[Diagram, top to bottom: MANAGEMENT PLANE; VIRTUALIZED INFRASTRUCTURE; BASE INFRASTRUCTURE]

68
Cloud Infrastructure Security Overview

[Diagram: cloud security spanning the infrastructure components, the management plane, hypervisors, and the network]

69

Example // How IaaS Works

70
Public vs. Private

In public cloud, you only control what you consume, plus a little management.

71

Simplified Infrastructure Components

CONTROLLER: API Server, Message Queue, Database
COMPUTE: Hypervisors
NETWORK: SDN Manager, DHCP, Security Groups
STORAGE: Volume Management, Raw Storage
IMAGE SERVICE
IDENTITY SERVICE

72
Simplified Infrastructure Components

! ALL OF THESE CORE COMPONENTS NEED TO BE SECURELY CONFIGURED, PATCHED, HARDENED, AND MAINTAINED.

[Same component diagram as the previous slide: controller (API server, message queue, database), compute (hypervisors), network (SDN manager, DHCP, security groups), storage (volume management, raw storage), image service, identity service]

73

Securing Cloud Infrastructure

• Harden Hosts
• Secure Networks
• Harden Management Plane
• Harden Infrastructure Services
• Secure Architecture

74
Review

1. Infrastructure security includes all the underlying physical resources and the software, like operating systems, that runs on them.
2. With private cloud you are responsible for securing all the hardware and software that makes up the cloud platform. With public cloud you are only responsible for what you deploy in the cloud.
3. Cloud platforms, especially private cloud, are often built using common components including operating systems, message queues, and databases. All these need to be properly secured.
4. Securing cloud infrastructure starts with proper design, then hardening of the base systems and various services. Lastly, providers must lock down the management plane.

75

Software Defined Network

Module 2 // Unit 3

76

Underlying IaaS Networks

77

Building Underlying Networks for Cloud

Use Separate Physical Networks.
• Don’t rely on VLANs.
• SDN may be a good option but depends on the version and the hardware you use… physical separation is still preferred, as much for performance as security.

Isolate the Cloud Networks From the LAN.
• There should be only 2 outside connections:
  • The network manager to route Internet traffic.
  • The management and web and API server.

78
Virtual Networks

VIRTUAL NETWORKS AND SECURITY
• Virtual networks are subject to the same security concerns of a physical network.
• Virtual networks always run on a physical network.

VIRTUAL NETWORKS MAY PROVIDE A SIMPLER STACK TO BUILD THE PRIVATE CLOUD.
• Greater control is afforded through SDN.

VIRTUAL NETWORKS MAY include inherent security capabilities.

79

Major Virtual Network Types

VLAN:
• Leverage existing technology available in essentially all networks
• Designed for network segregation, not isolation, in single-tenant environments
• Not effective as a security barrier
• Have performance and address space limitations at cloud scale

SDN:
• Software Defined Networks decouple the network control plane from the underlying hardware
• Abstracts virtual networking from traditional LAN limitations
• Extremely flexible (e.g. overlapping IP address ranges on same physical hardware)
• Multiple implementations, both standard and proprietary
• Can create effective security barriers

80
Software-Defined Networking

• Provides a decoupled control plane that is (potentially) easier to secure.
• OpenFlow is an example of an SDN.
• Remote access is controlled by the Administrator.
• Different flavors support different capabilities, but generally they can couple tightly with the cloud platform and possibly security tools.
• Nearly all implementations are API-enabled.
• While they may look like a regular network to the cloud consumer, they function VERY differently.
• Rely heavily on packet encapsulation.

81

SDN Security Benefits

EASIER ISOLATION

TOPOLOGY NOT LIMITED TO PHYSICAL STRUCTURE
• E.g., you can put multiple overlapping virtual networks, even with the same address ranges, on the same physical network

SDN FIREWALLS / SECURITY GROUPS
• Default Deny
• Orchestrated
• Granularity of host firewall with manageability of a network appliance

SECURITY POLICIES AND CONTROLS ON TAGS AND OTHER CONTEXT

SDN Firewalls / Security Groups
POLICY-BASED
• Not necessarily tied to IP addresses
• Can include context/tagging and other intelligence
NO ADDITIONAL HARDWARE OR SOFTWARE TO DEPLOY
TYPICALLY DEFAULT-DENY
• Even assets in the same security group can’t communicate
APPLY ON A PER-ASSET LEVEL (INSTANCE OR PaaS OBJECT)
• But managed outside that asset. For example, if a virtual machine is compromised that can’t be used to disable the firewall
INTEGRATED INTO CORE SDN LOGIC
• Traffic/packets simply dropped if they don’t match the policy’s rules
• Tightly coupled with the cloud orchestration so fully capable of keeping up with high velocity changes
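To make the per-asset, default-deny, tag-based behaviour on this slide concrete, here is an added Python model of a security group evaluator. It is not code from the CSA Guidance or from any cloud provider; the asset, rule and group types, the tag key "tier", the group names and the three-tier flows are all constructed for illustration.

```python
"""Toy security group evaluator (constructed example, not any provider's API).

Demonstrates three properties from the slide:
  * policy is keyed on asset tags/context, not on IP addresses (assets here
    have no IP at all)
  * default deny: traffic with no matching rule is dropped, including traffic
    between two members of the same security group
  * policy lives in the orchestration layer (the `policy` dict), not in the
    workload, so a compromised asset has nothing it can edit to open itself up
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    asset_id: str            # instance or PaaS object id
    tags: Dict[str, str]     # context the policy matches on
    groups: Tuple[str, ...]  # security groups attached to the asset


@dataclass
class Rule:
    """Ingress allow rule. source_tag is a (key, value) pair the SOURCE asset
    must carry; None means any source."""
    protocol: str
    port: int
    source_tag: Optional[Tuple[str, str]] = None


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)


@dataclass
class Flow:
    src: Asset
    dst: Asset
    protocol: str
    port: int


def is_allowed(flow: Flow, policy: Dict[str, SecurityGroup]) -> bool:
    """Default deny: True only if a rule on a group attached to the destination
    explicitly allows this protocol/port from this source's tags."""
    for name in flow.dst.groups:
        group = policy.get(name)
        if group is None:
            continue
        for rule in group.ingress:
            if (rule.protocol, rule.port) != (flow.protocol, flow.port):
                continue
            if rule.source_tag is None:
                return True
            key, value = rule.source_tag
            if flow.src.tags.get(key) == value:
                return True
    return False  # no rule matched: packet is simply dropped


def build_demo() -> Tuple[Dict[str, SecurityGroup], Dict[str, Asset]]:
    """Constructed three-tier layout: web accepts 443 from anywhere, app accepts
    8080 only from tier=web, db accepts 5432 only from tier=app."""
    policy = {
        "web-sg": SecurityGroup("web-sg", [Rule("tcp", 443)]),
        "app-sg": SecurityGroup("app-sg", [Rule("tcp", 8080, ("tier", "web"))]),
        "db-sg": SecurityGroup("db-sg", [Rule("tcp", 5432, ("tier", "app"))]),
    }
    assets = {
        "web1": Asset("web1", {"tier": "web"}, ("web-sg",)),
        "app1": Asset("app1", {"tier": "app"}, ("app-sg",)),
        "app2": Asset("app2", {"tier": "app"}, ("app-sg",)),
        "db1": Asset("db1", {"tier": "db"}, ("db-sg",)),
    }
    return policy, assets


def evaluate_flows(policy: Dict[str, SecurityGroup], assets: Dict[str, Asset],
                   flows: List[Tuple[str, str, str, int]]) -> Dict[str, bool]:
    """Evaluate (src, dst, protocol, port) tuples; result keyed 'src->dst:port'."""
    results = {}
    for src, dst, proto, port in flows:
        flow = Flow(assets[src], assets[dst], proto, port)
        results[f"{src}->{dst}:{port}"] = is_allowed(flow, policy)
    return results


if __name__ == "__main__":
    policy, assets = build_demo()
    demo = [("web1", "app1", "tcp", 8080), ("web1", "db1", "tcp", 5432),
            ("app1", "app2", "tcp", 8080), ("app1", "db1", "tcp", 5432),
            ("app1", "db1", "tcp", 22)]
    for key, allowed in evaluate_flows(policy, assets, demo).items():
        print(key, "ALLOW" if allowed else "DROP")
```

Note that app1 and app2 share a group yet cannot talk to each other on 8080, which is the same-group default-deny point the slide makes.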
Review
1 Cloud platforms typically rely on three physical networks (at a minimum). One for management, one for storage, and one for traffic between resources.
2 The two most common virtual networking technologies used in cloud are VLANs and Software Defined Networks. For security, SDNs are preferred since they provide better isolation and security.
3 SDNs decouple the control plane from the underlying physical network and provide tremendous flexibility. They are capable, for example, of deploying the same IP address range across isolated networks on the same physical hardware.
4 Security Groups are the common name for the firewalling built into SDNs. They can provide the manageability of a network firewall with the granularity of a host firewall.
Cloud Network Security

Module 2 // Unit 4


Controlling Blast Radius with Virtual Networks & Cloud Account / Subaccount / Subscription Isolation

Losing Network Visibility

3rd-Party Security Tools Advantages & Disadvantages

Bastion/Transit Networks / Accounts for Hybrid

(Diagram labels: Isolated account/network (three of them); Preferred Networks; Transit virtual network; Dedicated Network or VPN.)

Software Defined Perimeter

Provider & Consumer Responsibilities
CONSUMER
• Proper virtual network design
• Implementing virtual security controls (e.g., security groups)
• Securing their portion of the management plane/metastructure (e.g., proper IAM)
PROVIDER
• Security of the virtualization technology
• Exposing security controls (e.g., security groups)
• Disabling attack surface (e.g., packet sniffing)
• Securing the virtual management infrastructure

Review
1 Prefer SDN when available.
2 Use SDN capabilities for multiple virtual networks and multiple cloud accounts/segments to increase network isolation.
3 Separate accounts and virtual networks dramatically limit blast radius compared to traditional data centers.
4 Implement default deny with cloud firewalls.
5 Apply cloud firewalls on a per-workload basis as opposed to a per-network basis.
6 Always restrict traffic between workloads in the same virtual subnet using a cloud firewall (security group) policy whenever possible.

Securing Compute
Workloads

Module 2 // Unit 5


Workloads are More than Virtual Machines…

Security Controls Will Vary, But In General:
• Configure the environment/features securely
• Application security fundamentals still apply, but may need to be implemented at a different layer (e.g., within the code/workload)
• Monitoring/logging will change significantly

Controls
• May not be able to run agents (e.g., AV)
• “Traditional” agents may not work properly in cloud or will impede performance
• Agents must be cloud aware
  • E.g., not rely on static IP addresses and capable of communicating across virtual network boundaries
• Agents should be lightweight and support auto-scaling and auto-registration
• Agents should not increase attack surface
  • E.g., require ports to be open for management
Monitoring
• Network addresses are not sufficient to identify a workload in the cloud
• Logs should be offloaded quickly due to more-ephemeral nature of cloud workloads
• Logging architectures should be redesigned to account for cloud topology and variable costs of different storage tiers
• Cascading log collection is generally preferred. Collect locally in object storage and use filtering tools to migrate security-sensitive logs to central collection and management
Assessment
• Providers often limit vulnerability assessment
• Default deny networks may further limit network assessment effectiveness
• Host assessments (agents) are often preferable
• Assess images rather than instances when using immutable
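The Monitoring column above describes cascading log collection and warns that a network address does not identify a cloud workload. The following is an added Python example, not code from the CSA Guidance or any vendor, of the filtering step between local and central collection; the event names, record fields, instance and image ids and the sample log lines are all constructed for this illustration.

```python
"""Cascading log collection filter (constructed example).

Each workload writes JSON log records locally; this filter picks out the
security-sensitive ones for forwarding to central collection, and groups
records by workload identity instead of by IP address.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Event names are assumed for this example; map them to your own log schema.
SENSITIVE_EVENTS = {
    "auth_failure", "sudo", "iam_change", "agent_stopped",
    "firewall_change", "new_listening_port",
}

# Constructed sample: two instances that held the same private IP at different
# times (the first was replaced by an auto-scale event). The last line is
# deliberately malformed to show that bad input is counted, not forwarded.
SAMPLE_LOGS = [
    '{"ts":"2019-11-01T10:00:00Z","instance_id":"i-0a1","image_id":"img-web-42",'
    '"ip":"10.0.1.5","event":"http_request","status":200}',
    '{"ts":"2019-11-01T10:00:05Z","instance_id":"i-0a1","image_id":"img-web-42",'
    '"ip":"10.0.1.5","event":"auth_failure","user":"admin"}',
    '{"ts":"2019-11-01T10:00:07Z","instance_id":"i-0a1","image_id":"img-web-42",'
    '"ip":"10.0.1.5","event":"http_request","status":404}',
    '{"ts":"2019-11-01T10:30:00Z","instance_id":"i-0b2","image_id":"img-web-43",'
    '"ip":"10.0.1.5","event":"agent_stopped"}',
    '{"ts":"2019-11-01T10:31:00Z","instance_id":"i-0b2","image_id":"img-web-43",'
    '"ip":"10.0.1.5","event":"auth_success","user":"root"}',
    '{"ts":"2019-11-01T10:32:00Z","instance_id":"i-0b2","image_id":"img-web-43",'
    '"ip":"10.0.1.5","event":"http_request","status":200}',
    'this line is not json',
]


def is_security_sensitive(rec: dict) -> bool:
    """Decide whether a record leaves the local tier for central collection."""
    if rec.get("event") in SENSITIVE_EVENTS:
        return True
    # A successful interactive root login is worth forwarding even though it
    # "succeeded": on an immutable workload with remote access disabled it
    # should never happen at all.
    if rec.get("event") == "auth_success" and rec.get("user") == "root":
        return True
    return False


def partition(lines: List[str]) -> Tuple[List[dict], List[dict], int]:
    """Split raw lines into (forward_to_central, keep_local, malformed_count)."""
    forward: List[dict] = []
    local: List[dict] = []
    malformed = 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        (forward if is_security_sensitive(rec) else local).append(rec)
    return forward, local, malformed


def group_by(records: List[dict], key: str) -> Dict[str, List[dict]]:
    """Group records by a field. Keying on instance_id keeps the two workloads
    apart; keying on ip merges them because the address was recycled."""
    groups: Dict[str, List[dict]] = defaultdict(list)
    for rec in records:
        groups[str(rec.get(key, "unknown"))].append(rec)
    return dict(groups)


if __name__ == "__main__":
    fwd, loc, bad = partition(SAMPLE_LOGS)
    print(f"forward={len(fwd)} local={len(loc)} malformed={bad}")
    print("by instance:", {k: len(v) for k, v in group_by(fwd + loc, "instance_id").items()})
    print("by ip:      ", {k: len(v) for k, v in group_by(fwd + loc, "ip").items()})
```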

Immutable Workloads Enable Security

IMMUTABLE
• Based on images and automatically deployed (e.g. by an auto scale group)
• Login disabled since changes won't propagate to other instances
• You replace with new versions instead of patching/updating old versions
• Very easy to harden for security (e.g. disable SSH)
AUTOMATED CONFIGURATION MANAGEMENT
• The virtual machine is automatically configured using a template/policy based tool (e.g. Chef / Puppet / Ansible / Salt)
• It changes, but manual changes disabled since the automation would overwrite
STANDARD/LONG RUNNING
• Managed just like traditional servers
RELATIVE SECURITY (the slide places these three approaches on a relative security scale)

Creating Immutable Images with
Deployment Pipelines

Provider & Consumer Responsibilities

CONSUMER
• Security settings
• Monitoring and logging
• Image asset management
• Use dedicated hosting if needed and available
• All in-workload security controls (e.g., patching virtual machines)
PROVIDER
• Workload isolation
• Underlying infrastructure security
• Securing the virtualization technology
• Providing consumers adequate security controls
• Protecting volatile memory

Compute Security Recommendations
Leverage immutable workloads whenever possible.
• Disable remote access.
• Integrate security testing into image creation.
• Alarm with file integrity monitoring.
• Patch by updating images, not patching running instances.
• Choose security agents that are cloud-aware and minimize performance impact, if needed.
Maintain security controls for long-running workloads but use tools that are cloud aware.
Store logs external to workloads.
Understand and comply with cloud provider limitations on vulnerability assessments and penetration testing.
Review
1 Disable remote access.
2 Integrate security testing into image creation.
3 Alarm with file integrity monitoring.
4 Patch by updating images, not patching running instances.
5 Apply cloud firewalls on a per-workload basis as opposed to a per-network basis.
6 Choose security agents that are cloud-aware and minimize performance impact, if needed.
7 Maintain security controls for long-running workloads but use tools that are cloud aware.
8 Store logs external to workloads.
9 Understand and comply with cloud provider limitations on vulnerability assessments and penetration testing.
Management Plane Security

Module 2 // Unit 6


The Management Plane

KEY FUNCTIONS
• Provisioning resources
• Starting/stopping/terminating
• Configuring resources
SECURITY CONSIDERATIONS
• Authentication
• Access Control
• Logging/Monitoring
WEB API (Usually REST)
THE MANAGEMENT PLANE IS THE LITERAL KEY TO YOUR PRIVATE CLOUD. PROTECT IT WISELY.
Management Plane Access & Credentials
DIFFERENT PROVIDERS / PLATFORMS USE DIFFERENT AUTHENTICATION OPTIONS
• We cover some of these in more depth in the Identity Management section
WEB CONSOLE LOGINS ARE TYPICALLY LIKE LOGGING INTO ANY OTHER WEB SERVICE
• Username and password
• Maybe MFA
APIs USE MULTIPLE TECHNIQUES THAT MAY OR MAY NOT HAVE CREDENTIALS DIFFERENT FROM THE WEB CONSOLE
• HTTP request signing (crypto using keys)
• Tokens
• OAuth/SAML
ALL CONNECTIONS SHOULD ALWAYS USE TLS
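The slide lists HTTP request signing as one API credential technique. The following is an added Python illustration of how such a scheme works on both sides (client signs, API endpoint verifies); it is a constructed scheme for teaching, not the CSA's material and not any provider's actual signing protocol, and the header names, key id, secret and request body are all made up here.

```python
"""Constructed HTTP request-signing scheme (illustration only).

Client and server share a per-key-id secret. The client signs a canonical
form of the request with HMAC-SHA256; the server recomputes the MAC with the
secret it holds for that key id and also rejects stale timestamps so a
captured request cannot simply be replayed later. Signing proves who sent
the request and that it was not altered; it does not encrypt it, which is why
the slide still requires TLS on every connection.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional

SKEW_SECONDS = 300  # accept requests whose timestamp is within +/- 5 minutes

# Constructed demo credential store keyed by key id (never use a real secret here).
DEMO_KEYS: Dict[str, bytes] = {"key-demo-1": b"constructed-secret-do-not-reuse"}


def canonical_string(method: str, path: str, body: bytes, key_id: str, ts: int) -> str:
    """Deterministic representation of the request that both sides sign."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(ts), key_id])


def sign_request(secret: bytes, key_id: str, method: str, path: str,
                 body: bytes, ts: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the headers carrying key id, timestamp and MAC."""
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(secret, canonical_string(method, path, body, key_id, ts).encode(),
                   hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(keys: Dict[str, bytes], method: str, path: str, body: bytes,
                   headers: Dict[str, str], now: Optional[int] = None) -> Optional[str]:
    """Server side: return None when the request is authentic and fresh,
    otherwise a short reason for rejecting it."""
    key_id = headers.get("X-Key-Id", "")
    secret = keys.get(key_id)
    if secret is None:
        return "unknown key id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return "missing or malformed timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - ts) > SKEW_SECONDS:
        return "timestamp outside acceptance window"
    expected = hmac.new(secret, canonical_string(method, path, body, key_id, ts).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the verifier does not leak the MAC byte by byte.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return "signature mismatch"
    return None


if __name__ == "__main__":
    body = b'{"action":"terminate","instance":"i-0a1"}'
    hdrs = sign_request(DEMO_KEYS["key-demo-1"], "key-demo-1", "POST", "/v1/instances", body)
    print("valid:   ", verify_request(DEMO_KEYS, "POST", "/v1/instances", body, hdrs))
    print("tampered:", verify_request(DEMO_KEYS, "POST", "/v1/instances", b'{"x":1}', hdrs))
```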

Management Plane Security

Root/Master Account Security
ENABLE HARDWARE MULTI-FACTOR
AUTHENTICATION (MFA)
• Store in a locked, central location
USE ISOLATED CREDENTIALS (A DESIGNATED
EMAIL OR USER ACCOUNT NOT USED FOR
ANYTHING ELSE)
• Use a name with a random seed if possible to reduce
phishing
IF AVAILABLE, USE ACCOUNT SECURITY
QUESTIONS
• Record and store securely
NEVER USE ACCOUNT EXCEPT FOR EMERGENCIES

Cloud Management IAM

• Role-Based Access Control (RBAC)


• Variable granularity across
providers/platforms
• Variable granularity within product lines
• Look for ability to integrate w/SSO or
directory services
• Investigate third-party tools

Privileged Users

(Diagram: a hierarchy of privileged accounts with four tiers, labelled ROOT/MASTER ACCOUNT, SUPER-ADMIN, SERVICE ADMIN and SERVICE.)

Monitoring and Auditing

CLOUD SIDE
• Logs all API and internal activity
• Best option when available
• Pull logs to secure, central location
PORTAL / PROXY
• Route users through a portal, they don’t have direct credentials
• Misses internal activity or compromised creds
• May be the only option
• CASB tools often used for SaaS (we discuss later)
Host / Network Logs
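Pulling cloud-side logs to a central location (this slide) is what lets you check the root/master account rule, the MFA rule and least privilege from the earlier slides in this unit. Here is an added Python audit over such records; it is not CSA or provider code, and the record fields, principal types, action names, the "emergency_ticket" marker and the sample events are all assumed for this illustration.

```python
"""Audit of cloud-side management plane activity (constructed example).

Applies three rules from this unit to API/console activity records pulled
from the provider's logging service:
  * the root/master account is used only in emergencies
  * privileged principals always use MFA
  * non-human service identities do not make IAM changes (least privilege)
"""
from typing import Dict, List

# Assumed action names and principal types; map to your provider's schema.
IAM_ACTIONS = {"CreateUser", "AttachPolicy", "CreateAccessKey", "UpdateRole"}
PRIVILEGED_TYPES = {"root", "super-admin", "service-admin"}

# Constructed sample events. An "emergency_ticket" field is the assumed way the
# organization marks the rare, documented root use the slide permits.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2019-11-01T09:00:00Z", "principal": "root", "type": "root",
     "source": "console", "action": "ConsoleLogin", "mfa": True},
    {"ts": "2019-11-01T09:05:00Z", "principal": "alice", "type": "super-admin",
     "source": "console", "action": "ConsoleLogin", "mfa": False},
    {"ts": "2019-11-01T09:06:00Z", "principal": "alice", "type": "super-admin",
     "source": "api", "action": "CreateUser", "mfa": True},
    {"ts": "2019-11-01T09:10:00Z", "principal": "svc-build", "type": "service",
     "source": "api", "action": "AttachPolicy", "mfa": False},
    {"ts": "2019-11-01T09:12:00Z", "principal": "bob", "type": "service-admin",
     "source": "api", "action": "StartInstances", "mfa": True},
    {"ts": "2019-11-01T09:15:00Z", "principal": "root", "type": "root",
     "source": "console", "action": "ConsoleLogin", "mfa": True,
     "emergency_ticket": "IR-0042"},
]


def _finding(event: Dict, reason: str) -> Dict:
    return {"ts": event["ts"], "principal": event["principal"],
            "action": event["action"], "reason": reason}


def audit(events: List[Dict]) -> List[Dict]:
    """Return one finding per rule violation, in event order."""
    findings: List[Dict] = []
    for e in events:
        if e["type"] == "root" and not e.get("emergency_ticket"):
            findings.append(_finding(e, "root account used outside an emergency"))
        if e["type"] in PRIVILEGED_TYPES and not e.get("mfa", False):
            findings.append(_finding(e, "privileged activity without MFA"))
        if e["type"] == "service" and e["action"] in IAM_ACTIONS:
            findings.append(_finding(e, "service identity performed an IAM change"))
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per principal, a convenient view for follow-up."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["principal"]] = counts.get(f["principal"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['principal']:<10} {f['action']:<14} {f['reason']}")
    print(summarize(audit(SAMPLE_EVENTS)))
```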

Review
1 The management plane is how you manage your cloud deployments. It's the biggest difference from traditional infrastructure security, and the most critical piece to protect.
2 Nearly all clouds support both web console and API management plane access. When running your own cloud it's critical to make sure these are effectively locked down.
3 Management planes support different kinds of credentials, all of which must be managed securely.
4 Always start by securing the root or master account since losing control of that means losing complete control over your cloud deployment.
5 Enforce least privilege when setting up your other privileged users and administrators.
6 Always use multifactor authentication for all cloud accounts, especially privileged users.
Business Continuity /
Disaster Recovery

Module 2 // Unit 7

Rule #1

ARCHITECT FOR FAILURE!


Design for your platform(s) and don’t expect existing
architectures to lift and shift without compromise

Key Aspects
• Preparing for and Managing Cloud Provider Outages
• Continuity within the Provider / Platform
• Portability

Cover the Entire Stack
METASTRUCTURE
• The cloud configuration
• IAM, monitoring, and other in-cloud management controls and compliance artifacts
• Software Defined Infrastructure is a key tool
INFRASTRUCTURE
• Core configuration
• Leverage platform/provider resiliency capabilities rather than building from scratch inside VMs
INFOSTRUCTURE
• Leverage “resilient” provider storage (e.g. most object storage is highly resilient)
• Keep backups/snapshots within the provider for rapid restore
• Always use lowest cost storage and transfer mechanisms within and between providers
APPLISTRUCTURE
• Understand PaaS limitations and lock-in, including the historical availability of services
• Downtime is nearly always an option – have realistic standards
• Adopt Chaos Engineering
BC/DR in the Cloud
ARCHITECT FOR FAILURE.
TAKE A RISK-BASED APPROACH TO EVERYTHING.
• Even when you assume the worst, it doesn’t mean you can afford or need to keep full availability if the worst happens.
DESIGN FOR HIGH AVAILABILITY WITHIN YOUR CLOUD PROVIDER.
• In IaaS and PaaS, this is often easier and more cost effective than the equivalent in traditional infrastructure.
• Take advantage of provider-specific features.
• Understand provider history, capabilities, and limitations.
• Cross-location should always be considered, but beware of costs depending on availability requirements.
• Also ensure things like images and asset IDs are converted to work in the different locations.
• Business continuity for metastructure is as important as that for assets.

BC/DR in the Cloud

PREPARE FOR GRACEFUL FAILURE IN CASE OF A CLOUD PROVIDER OUTAGE.
• This can include plans for interoperability and portability with other cloud providers or a different region with your current provider.
• For super-high-availability applications, start with cross-location BC before attempting cross-provider BC.
• Cloud providers, including private cloud, must provide the highest levels of availability and mechanisms for customers/users to manage aspects of their own availability.

Review
1 The first rule of cloud is to architect for failure. Since any individual virtual resource may be less resilient, cloud providers and platforms have built in tools to improve systemic resilience. Failing to use these will make you more likely to experience an outage.
2 The three major areas to focus on are resiliency in your application, resiliency within your cloud provider, then resiliency if your provider goes down. Portability can play a role here but don't get so hung up on it that you become paralyzed and can't use all of the capabilities of your platform or provider.
3 Your BC/DR should cover the entire stack of the logical model, from the metastructure/management plane and infrastructure to your data and application architecture.

Managing Cloud
Computing Security & Risk

Module 3


Module Content
Content in this module comes from the following domains in CSA’s Security Guidance and covers the following subject areas:
Domain 2 // Governance and Enterprise Risk Management
Domain 3 // Legal Issues, Contracts and Electronic Discovery
Domain 4 // Compliance and Audit Management
Domain 5 // Information Governance

• Risk and governance
• Legal and compliance
• Audit
• Data governance
Module Structure
Unit 1 // Module Intro
Unit 2 // Governance
Unit 3 // Risk
Unit 4 // Compliance
Unit 5 // Legal Considerations for Cloud
Unit 6 // Audit
Unit 7 // CSA Tools

Objectives
• The implications of cloud on governance, with a focus on contracts and controls.
• How cloud affects enterprise risk management.
• Some top-level legal areas cloud tends to affect (but not legal advice).
• Managing compliance and audits for cloud deployments.
• Tools from the Cloud Security Alliance to help assess and manage risk.
BEFORE WE BEGIN…
This module and the Guidance focus on how cloud computing
affects governance, risk, and compliance (GRC). They are not
designed to educate you on GRC fundamentals.

Governance

MODULE 3 // UNIT 2

A Simplified Hierarchy

• GOVERNANCE
  • ENTERPRISE RISK MANAGEMENT
    • INFORMATION RISK MANAGEMENT
      • INFORMATION SECURITY
Tools of Cloud Governance

• CONTRACTS
• SUPPLIER ASSESSMENTS
• COMPLIANCE REPORTING

The Contract

From Governance To Risk

(Diagram labels: GOVERNANCE, RISK TOLERANCE, SUPPLIER ASSESSMENT, CONTRACTS, SHARED RESPONSIBILITIES MODEL, RISK MANAGEMENT.)

Review
1 Governance defines how an organization is managed.
2 Contracts can extend governance and internal controls to the cloud provider.
3 The contract helps define the roles of the shared responsibilities model.
4 Supplier assessments and compliance reports help validate that the cloud provider is meeting the expectations of the cloud consumer.

Managing Cloud Security Risk

MODULE 3 // UNIT 3

Risk Management

Enterprise Risk Management
• Rooted in providing value to stakeholders.
• How to measure, manage, and mitigate uncertainty.
Information Risk Management
• Aligning risk management to the tolerance of the data owner.
• Primary means of decision support for IT/security on the CIA of information assets.

Risk Assessment

(Diagram: a risk assessment balances three factors: resources available, risk tolerance, and value of assets.)

Service Model Effects

INFRASTRUCTURE AS A SERVICE (IAAS)
• Closest to traditional data center
• Most existing risk controls/activities will transfer
• Key differences are metastructure and abstraction/orchestration
PLATFORM AS A SERVICE (PAAS)
• Less likely to have fully negotiated contract
• May be difficult to measure contract compliance (SLAs)
• Big variation in maturity in the market
• Much comes down to the details of the PaaS and how you integrate
SOFTWARE AS A SERVICE (SAAS)
• Nearly fully reliant on the contract to define governance/risk since you rely on the provider for nearly everything
• Often limited to what you see in the UI

Deployment Model Effects

Public Cloud Environment
• Reduced ability to govern ops
• Reduced ability to negotiate contracts
• Shared responsibilities model
Private Cloud Environment
• Governance/risk issues may be similar to public if third-party managed/hosted
• Provider may not negotiate contracts once terms set; e.g., won’t patch in timely manner
• Internal SLAs still used in private
Community/Hybrid Environment
• Now have to calculate across 2 sets of contracts
• Or are dealing with group-negotiated contract and potential of differing priorities
Tradeoff Considerations
Less
• Physical control over assets.
• Need to manage risks the provider accepts.

More
• Reliance on SLA and contract.
• Requirement to manage the relationship and stay up to date.
• Assessment instead of testing.
Cloud Risk Management Tools

Governance & Risk Recommendations
Identify the shared responsibilities of security and risk management based on the chosen cloud deployment and service model.
Develop a cloud governance framework/model as per relevant industry best practices, global standards, and regulations like CSA CCM, COBIT 5, NIST RMF, ISO/IEC 27017, HIPAA, PCI-DSS, EU GDPR, etc.
Understand how a contract impacts your governance framework/model.
• Obtain and review contracts (and any referenced documents) before entering into an agreement.
• Don’t assume that you can effectively negotiate contracts with a cloud provider—but this also shouldn’t necessarily stop you from using that provider.
• If a contract can’t be effectively negotiated and you perceive an unacceptable risk, consider alternate mechanisms to manage that risk (e.g., monitoring or encryption).
Governance & Risk Recommendations
Develop a process for cloud provider assessments. This should include:
• Contract review.
• Self-reported compliance review.
• Documentation and policies.
• Available audits and assessments.
• Service reviews adapting to the customer’s requirements.
• Strong change-management policies to monitor changes in the organization’s use of the cloud services.
Cloud provider re-assessments should occur on a scheduled basis and be automated if possible.
Governance & Risk Recommendations
Cloud providers should offer easy access to documentation and reports needed by cloud prospects for assessments.
• For example, the CSA STAR registry.
Align risk requirements to the specific assets involved and the risk tolerance for those assets.
Create a specific risk management and risk acceptance/mitigation methodology to assess the risks of every solution in the space.
Use controls to manage residual risks.
• If residual risks remain, choose to accept or avoid the risks.
Use tooling to track approved providers based on asset type (e.g., linked to data classification), cloud usage, and management.

Review
1 Enterprise risk management includes all risk management for the entire organization.
2 Information risk management focuses on the risk to information and must still align with the risk tolerance of the data owner.
3 The effort in a risk assessment should align with the value of the data. Just because something is moving to the cloud doesn't mean you now need to treat it as being higher-value.
4 In terms of risk, like security, IaaS is most closely aligned to traditional infrastructure, while with SaaS there is a greater reliance on the cloud provider.
5 Private cloud risks may be similar to those of public cloud if the private cloud is hosted and/or managed by a third party.
Compliance

MODULE 3 // UNIT 4


Compliance
Obligations arise from multiple sources
• Legislation
• Broad based regulation
• Industry specific regulation
• Contracts
Compliance and Audits
• Compliance validates awareness of and adherence to corporate obligations
• Audits are a key tool for proving (or disproving) compliance.

How Cloud Changes Compliance
• The cloud customer is always responsible for compliance but may now
also rely on the provider.
• Cloud customers will rely more on third-party assessments.
• The cloud metastructure may span jurisdictions, while the data/assets
don’t; this must be integrated into compliance activities.
• Not all cloud providers are equal with regards to compliance, and not
all services from a single provider are always within the same audit /
attestation / certification scope.

Compliance Inheritance

Recommendations
Compliance, audit, and assurance should be continuous.
• They should not be seen as merely point-in-time activities, and many standards and regulations are moving more towards this model. This is especially true in cloud computing, where both the provider & customer tend to be in more constant flux and are rarely ever in a static state.
Cloud providers should clearly communicate their audit results, certifications and attestations, with particular attention to:
• The scope of assessments.
• Which specific features/services are covered in which locations and jurisdictions.
• How customers can deploy compliant applications and services on the cloud.
• Any additional customer responsibilities and limitations.
Cloud providers must maintain their certifications/attestations over time and proactively communicate any changes in status.
Cloud providers should engage in continuous compliance initiatives to avoid creating any gaps, and thus exposures, for their customers.
Provide customers commonly needed evidence and artifacts of compliance, such as logs of administrative activity the customer cannot otherwise collect on their own.
Recommendations
Cloud customers should:
• Understand their full compliance obligations before deploying, migrating to or developing in the cloud.
• Evaluate a provider’s 3rd-party attestations and certifications and align those to compliance needs.
• Understand the scope of assessments and certifications, including both the controls and the features/services covered.
• Ensure they understand what artifacts of compliance the provider offers.
• Effectively collect and manage provider offered artifacts.
• Create and collect their own artifacts when the provider’s artifacts are not sufficient.
Keep a register of cloud providers used, relevant requirements and current status. The CSA Cloud Controls Matrix can support this activity.
Review
1 Compliance is a tool to ensure organizations are meeting corporate obligations.
2 Audits are how we validate compliance, and they can be performed internally or externally using third parties.
3 Cloud changes compliance because it now becomes a shared responsibility between the cloud consumer and the provider.
4 Compliance inheritance is the principle that if a cloud provider's service is compliant with a regulation/standard, then cloud consumers can build compliant services/applications using that service. But it does not guarantee compliance since the cloud consumer can still build a non-compliant application on top of a compliant service.

Legal Considerations for Cloud
And a review of representative global regulations

MODULE 3 // UNIT 5

Representative Laws & Implementing
Regulations
• Is the applicable law where
your business resides,
where the data resides,
or where the customer
resides?
• Privacy regulations tend to
be the most impactful on
cloud security operations
• Don’t worry, these are here
as background and you
don’t need to memorize
these regulations.

Asia Pacific (APAC) // Australia

• Privacy Act of 1988


• 13 Australian Privacy
Principles (APPs)
• Applies to private,
not-for-profits with 3+
million AUD, private
healthcare providers
• Australian Consumer
Law (ACL)

Asia Pacific (APAC) // Australia

• Entities must provide


notification when
breaches occur
• ACL protects against
false/misleading contracts
and failed breach
notifications
• Privacy Act applies to
Australian customers even
if CSP is based elsewhere

China

• 2017 Cyber Security


Law governs network
operators
• Data localization
requires certain data
is stored in the
country
• Privacy landscape still
in transition

Japan
• Act on the Protection of
Personal Information (APPI)
requires private sector to
protect personal
information
• Prior consent required for
data transferred to 3rd
party outside the country
• Consent is not required if
certain standards are met
as outlined by the Personal
Information Protection
Commission

Russia

• Russian data
protection laws
require consent
for most data
processing
• Companies are
required to store
personal data of
Russian citizens
within Russia

EMEA //
European Union & European Economic Area

• 2018 General Data


Protection Regulation
(GDPR)
• Member states can
supplement the GDPR
• 2002 Directive on
Privacy and Electronic
Communications (new
E-Privacy Regulation
to replace it)

EMEA //
European Union & European Economic Area

• Network Information
Security Directive
(NIS Directive)
• Protects critical
infrastructure and
essential services

General Data Protection Regulation (GDPR)
Applicability
• Applies to data controllers/processors in the EU/EEA, or activities within and outside the EU/EEA
• Applies to controllers/processors outside the EU/EEA if monitoring or processing data owned by an individual in the EU/EEA
Accountability Obligations
• Entities must keep records of data processing activities
• Must develop and operate according to “privacy by design” and “privacy by default” principles

General Data Protection Regulation (GDPR)
Data Subjects’ Rights
• Subjects have a right to know what info an entity has about them
• Right to object to how personal data is used
• Right to data erasure/corrections
• Right to be forgotten
Cross-Border Data Transfer Restrictions
• Personal data cannot transfer across borders unless a country has similar data and privacy rights.
• Entities outside of the EU/EEA must show an adequate level of protection

General Data Protection Regulation (GDPR)
Breaches of Security
• Entities must report a security breach to the Supervisory Authority or Authorities and data subjects when the breach meets certain thresholds.
Sanctions
• Violators are subject to sanctions, up to 4% of global gross income, or up to EUR 20 million.

Network Information Security Directive (NIS)

• Requires that EU/EEA member states’ laws govern network and information security requirements for digital and essential services: i.e., e-commerce, search engines, cloud computing.
• Providers outside the EU offering services inside the EU are accountable.
• Providers must notify agencies if an incident substantially impacts the provision of a service.

EMEA //
Countries Outside EU/EEA

• Countries with
similar protection
laws to GDPR or
1995 EU Data
Protection Directive:
Dubai, Israel,
Morocco, Senegal,
South Africa, Qatar.

Central & South America

• Argentina, Chile, Colombia, Mexico, Peru and Uruguay have laws inspired mainly by the European directive 95/46/EC
• Many laws refer to the APEC Privacy Framework

Canada

• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Applies to entities subject to federal jurisdiction and all provincial jurisdictions

United States

• No single national law for data protection and regulation.

U.S. Federal Laws

• Among others, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Children’s Online Privacy Protection Act of 1998 (COPPA) all regulate privacy and information security.
• Companies must adopt reasonable security measures around personal data.
• Organizations are responsible for subcontractors’ actions.

U.S. State Laws

• State laws around data security apply to any entity that collects/processes data of an individual living in that state, regardless of where data is stored.
• Most state laws that address information security require a written contract between the entity and the service provider mandating use of reasonable security measures.

United States

Breaches of Security
• Private or gov’t entities must notify individuals of security breaches.

Privacy Laws
• California Consumer Privacy Act (CCPA) protects data for individuals, families and devices. In effect Jan. 2020 – significant implications.

Federal & State Agencies
• Federal Trade Commission (FTC) & state attorneys general also enforce accountability in entities around privacy and security practices. These decrees give guidance around protection of personal information.

Industry Standards

• Created by private organizations, industry standards are not laws.
• Many industry standards related to the cloud are produced by the organizations shown on the slide.

Contracts

Before Entering Negotiations
• Due diligence of your own entity
• Due diligence of other party
• Does the service allow your company to meet its objectives & still be in compliance?

Contract Terms
• Pricing
• Allocation of Risk/Responsibility
• Termination
• Representation and Warranties
• Data/IP Ownership
• Data Location
• SLA
• Privacy/Privacy Level Agreement (PLA)

Contracts

During Performance
• Monitoring
• Preparing for termination and transition
• Unintended contract
• Closing

Review

Due to the nature of the cloud, it has become easy to transfer data across the globe. However, the ease of movement of the data makes it susceptible to being caught under numerous legal systems. It is therefore important to appreciate the wide variety - as well as the amazing similarities - between the laws that govern cloud services.

In the past 10 years, the number of countries having privacy or security laws has more than doubled, and the number of laws that govern the privacy or security of company data and personal data has skyrocketed.

GLOBAL TRENDS:
Protection of privacy and allowing individuals to have some control over the collection and use of their personal data.
There is a concern for the security of personal data and company data. A significant number of laws require the adoption of formal security policies.
Countries and states are recognizing that security breaches occur for a variety of reasons - state actors, hackers, disgruntled employees, negligence or inadvertent error. These breaches should be notified to the affected parties. Numerous new laws require prompt disclosures to individuals and government agencies.
There is a concern that data laws may not be equivalent from state to state, and countries are establishing barriers to prevent the transfer of data to those that do not offer “adequate protection”.
Finally, like for any other relationship, things are better recorded in writing. Contracts are important. Cloud contracts can be tricky because it’s easy to sign when they are just posted on a website for the customer to click on “I agree”. Make sure you read them carefully to understand the terms.

Audit

MODULE 3 // UNIT 6

Audit

• Different types of audit / assessment / attestation have different focuses and vary across providers.
• Attestations are legal statements and providers may be required by the auditor to have an NDA with the customer before releasing.
• Customers will likely be limited in their ability to assess (and vulnerability assess) providers. These could be a security risk to the provider.
• Cloud providers should have a rigorous portfolio of compliance attestations to support their customers.

Previous Audit Results (3rd-Party Attestations)

Be aware of when the audit was performed, the scope of the audit, and the audit results.

Artifacts of Compliance

• Audit Logs
• Activity Reporting
• System Configuration Details
• Policy & Procedure Documentation

Need secure repositories and standards that may cross customer/provider boundary!

Artifacts of Compliance

• In cloud, assessing risk is collecting all audit evidence and can be challenging
• Understand requirements for logging and what kinds of data to collect
• Change management logs are common artifacts you need.
• Map what you need to your cloud provider
• Store artifacts in a central repository

Key places to focus on:
• Management plane
• Configuration pieces
• Adding more logging in applications
• System logs need to be pushed to a different location, ex: object storage on cloud provider
• Collect admin activity to have logs of changes
• Build architecture to store centrally

Artifacts of Compliance

Core of audit considerations:
• Make sure you know what you need to collect to meet compliance obligations
• Evaluate what you can get from your cloud provider and how to get it
• Store in a central location
• Build in extra logging to compensate for places where you lose visibility

Assessment Frequency

Due to the evolving nature of a cloud service, more frequent assessment is required.

Consider STAR/CAIQ/CCM and other CSA tools and programs.
Review

1. Different types of audits and assessments have different focuses, and even when the same name is used can have different focus and scope across cloud providers.
2. Cloud providers often limit the kinds of assessments their customers can use since some of these, like vulnerability assessments, can't be distinguished from real attacks without being constrained.
3. Ensure you know the scope, results, and timing (dates) of previous audits. Not all audits on a provider's website are necessarily up to date or cover the service under consideration.
4. Cloud consumers are responsible for maintaining their own artifacts of compliance for their own audits, such as log files.

CSA Tools

MODULE 3 // UNIT 7

Cloud Controls Matrix

The CSA CCM is a controls framework for organizations to operate securely when cloud services are utilized.

• Intended for cloud providers, SaaS providers, other end-user services in the cloud
• Designed by SMEs across industries
• Provides security principles to providers to define and apply best practices
• Assists customers to assess cloud providers
• Standardized guidance on control objectives in cloud-based IT systems
• Based on CSA Security Guidance, research artifacts, Mobile WG
• Addresses intra- and inter-org challenges by delineating control ownership

Cloud Controls Matrix

The CSA CCM is a controls framework for organizations to operate securely when cloud services are utilized.

• Normalizes security expectations, cloud taxonomy, and security measures implemented in cloud supply chain
• Guides security efforts in vetting cloud providers, building proposal requests and operational risk assessment
• Aids in internal and external assessment and audits, and can submit to CSA STAR registry

SAMPLE CCM

Consensus Assessment Initiative Questionnaire

The CSA CAIQ assesses the security postures of a cloud service provider

• Originated in the CSA Consensus Assessment Initiative WG
• CAIQ is a simplified distillation of issues and control specs associated with cloud security
• Simple tools to standardize approach of validation of a cloud provider’s security postures
• Companion to CSA Security Guidance and CCM
• Helps cloud SPs assess security postures, provides single location for details about their information security program
• Streamlines compliance assessments and improves communication between cloud SPs, business partners, and customers
Consensus Assessment Initiative Questionnaire

The CSA CAIQ assesses the security postures of a cloud service provider

• Allows customers and auditors to ask the right questions of cloud provider about their security posture.
• Consumers can use completed CAIQs to assess provider control and risk models
• Helps organizations build assessment processes prior to and during engagement with cloud provider.

Security, Trust, Assurance, & Risk Registry

Promotes security governance, assurance, and compliance in the cloud

• Based on CSA OCF, CCM, and CAIQ WGs
• Third-party resources that encompass key principles of transparency, auditing, and standards harmonization
• Initially launched in 2010, STAR addresses lack of transparency in a burgeoning market
• Supports cloud customers in evaluation and selection process and helps cloud SPs to easily communicate security posture to their customers.
• Offers self-assessment, third-party certification, and continuous auditing
• Increases security by requesting adherence to best practices by implementing the CCM
Security, Trust, Assurance, & Risk Registry

Promotes security governance, assurance, and compliance in the cloud

• Details security postures of security providers, offers assurance by indicating level of compliance of CSA best practices
• Offers layered approach to cloud assurance:
  • Self-assessment
  • Third-party certification and attestation
  • Continuous auditing
• Customer can access security documentation for cloud providers from a single trusted repository

STARWatch

The CSA STARWatch is a SaaS application to help cloud providers manage compliance with CSA STAR requirements

• STARWatch grew out of CSA’s desires to manage CAIQ responses more effectively
• Facilitates adoption and implementation of CCM and CAIQ and streamlines provider and consumer compliance efforts
• Allows users to create, edit, import, and export CAIQs
• Intended for users of cloud services, cloud SPs, IT auditors, security solution providers and consultants
• Provides multi-user access to CCM and CAIQ in database format
• Incorporates a maturity model to measure the evolution of security posture of the org

STARWatch

The CSA STARWatch is a SaaS application to help cloud providers manage compliance with CSA STAR requirements

• Assistance in mapping security requirements to those of CSA
• Relevant mapping to relevant standards and regulations

Review

1. The Cloud Controls Matrix is a list of cloud security controls mapped by domain and aligned to various regulatory frameworks.
2. The CCM is an excellent tool for evaluating your cloud security controls and is useful to both cloud providers and consumers.
3. The Consensus Assessment Initiative Questionnaire is a standard set of security questions for cloud providers. It allows cloud consumers to directly compare providers and allows providers to reduce the need to respond to non-standard RFPs.
4. The Cloud Security Alliance Guidance (which this training is based on) tells you how to implement your controls, while the CCM tells you which controls to implement.
5. The STAR registry and the STARWatch tool serve as central repositories and methods for cloud provider security documentation, including the CAIQ.
Data Security for Cloud Computing

Module 4

Module Content

Content in this module comes from the following domains in CSA’s Security Guidance:

DOMAIN 5 // Information Governance
DOMAIN 6 // Management Plane and Business Continuity
DOMAIN 11 // Data Security

Covers the following subject areas:
• Cloud data architectures
• Data security and encryption
• CASB and Data Loss Prevention
• Data governance

Module Structure

Unit 1 // Module Intro
Unit 2 // Cloud Data Storage and Data Moving to the Cloud
Unit 3 // Access Controls and Entitlements
Unit 4 // Encryption for IaaS
Unit 5 // Encryption for PaaS and SaaS
Unit 6 // Encryption Key Management
Unit 7 // Other Data Security Options
Unit 8 // Data Security Lifecycle
Objectives

• Understand the different cloud storage models
• Define security issues for data in the cloud
• Assess the role and effectiveness of access controls
• Learn different cloud encryption models
• Understand additional data security options
• Introduce data security lifecycle

Cloud Data Storage & Data Moving to the Cloud

Module 4 // Unit 2

Cloud Data Storage Is Different

• All data is eventually stored on a physical device, but cloud platforms use multiple types of data storage virtualization to abstract and build storage pools.
• These are not necessarily off-the-shelf technologies that map to traditional data storage virtualization, like SAN/NAS, that are well known.
• This storage may be expressed/exposed like traditional storage but under the hood is quite different.
• Just like SDN
• Security focuses on access controls, encryption, and proper configuration.

Major Cloud Data Storage Types

Data Dispersion (Bit-Splitting)

A FILE is split into three fragments; each fragment is stored on two drives:
• SERVER 1, DRIVE 1: Fragment 2, Fragment 3
• SERVER 2, DRIVE 3: Fragment 1, Fragment 2
• SERVER 2, DRIVE 1: Fragment 3, Fragment 1
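The slide's layout in code, as an added example that is not part of the course material: a file is cut into three fragments, every fragment is written to two of three drives, and the file reassembles from any two drives. Server/drive names, the placement table and the file contents are constructed.

```python
"""Data dispersion (bit-splitting) laid out as on the slide: three fragments,
each written to two of three drives, so any single drive can be lost and the
file still reassembles. File contents, server/drive names and the placement
table are constructed for this example."""
import hashlib

# Placement from the slide: drive -> fragment numbers it holds.
PLACEMENT = {
    "server1/drive1": (2, 3),
    "server2/drive3": (1, 2),
    "server2/drive1": (3, 1),
}
FRAGMENTS = (1, 2, 3)


def fingerprint(data: bytes) -> str:
    """Integrity reference kept with the file's metadata, not on the drives."""
    return hashlib.sha256(data).hexdigest()


def split(data: bytes, n: int = 3) -> dict[int, bytes]:
    """Cut data into n consecutive fragments numbered 1..n (the last may be shorter)."""
    size = -(-len(data) // n)  # ceiling division
    return {i + 1: data[i * size:(i + 1) * size] for i in range(n)}


def disperse(data: bytes) -> dict[str, dict[int, bytes]]:
    """Write each fragment to every drive the placement table assigns it to.
    Dispersion buys resilience, not confidentiality: each drive still holds
    readable pieces of the file, so encrypt before splitting if that matters."""
    frags = split(data, len(FRAGMENTS))
    return {drive: {i: frags[i] for i in held} for drive, held in PLACEMENT.items()}


def reassemble(drives, available, expected_fingerprint):
    """Rebuild the file from the drives that are currently reachable.
    Returns None when a fragment is missing or the integrity check fails."""
    recovered: dict[int, bytes] = {}
    for drive in available:
        recovered.update(drives.get(drive, {}))  # unknown/unreachable drive adds nothing
    if set(recovered) != set(FRAGMENTS):
        return None
    data = b"".join(recovered[i] for i in FRAGMENTS)
    if fingerprint(data) != expected_fingerprint:
        return None
    return data


def surviving_pairs(drives, expected_fingerprint):
    """Two-drive subsets that still recover the file; with the slide's placement, all three."""
    names = list(drives)
    pairs = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]]
    return [p for p in pairs if reassemble(drives, p, expected_fingerprint) is not None]
```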

Manage Data Migrating To The Cloud

Cloud Access Security Brokers (CASB)

Also known as Cloud Security Gateways

Functions: DISCOVER, MONITOR, PROTECT

Deployment modes:
• Inline (Local)
• Inline (Cloud)
• Via API

Protecting Data As It Moves

• Application encryption
• Link/network encryption
• Proxy-based encryption

Review

• Cloud data storage types include object, volume, database and application.
• Cloud providers store data in a multitenant and resilient way
• Migration control tools: CASB, DLP, URL filtering and DAM
• Data in motion can be encrypted client side, on the network, and/or proxy based

Access Controls and Entitlements

Module 4 // Unit 3

Access Controls

• Always your first data security control
• Granularity and implementation vary massively between platforms, services, and technologies
• The finer-grained the access controls the better for security, but the harder for manageability
• As with many things they may look the same on the surface but will likely be very different in practice
• It’s critical to create platform-specific entitlement matrices

Where access controls apply:
• Management plane
• Public & internal sharing controls
• Application-level controls

Building An Entitlement Matrix

Roles (columns): SUPER-ADMIN, SERVICE-ADMIN, STORAGE-ADMIN, SECURITY-AUDIT, SECURITY-ADMIN, DEV

ENTITLEMENT        GRANTED TO
VOLUME DESCRIBE    X X X X X
OBJECT DESCRIBE    X X X X X
VOLUME MODIFY      X X X X
READ LOGS          X X X

Review

1. Access controls are the most fundamental security control, even in cloud computing.
2. There is massive variability of available access controls between cloud providers, and cloud storage may offer new categories of controls, such as sharing, beyond those in more-traditional storage.
3. An entitlement matrix is the documentation of authorizations. It defines who should be allowed to not only access data, but what they should be allowed to do with it.
Encryption for IaaS

Module 4 // Unit 4

Cloud Data Encryption Layers

APPLICATION

DATABASE

FILE/API

VOLUME STORAGE

Cloud Encryption System Matrix

Who owns the components? Where are they? How are they connected?

Cloud Encryption System Matrix
• Where is the key?
• Where is the encryption engine?
• Where is the data?

Volume Storage Encryption

Instance-Managed

Object Storage

CLIENT-SIDE

SERVER-SIDE

PROXY

Review

1. There are multiple layers where you can encrypt, each with benefits and complications. Encrypting higher in the application stack is often best for discrete data, while lower-level encryption, like volume, is better for bulk data.
2. Encryption systems are composed of the data, the encryption engine, and the key management. Where you place these determines the architecture and affects the security of the system.
3. Whenever possible, you want to separate the encryption key from the data and the encryption engine.
4. For object storage encryption, you can encrypt the data on the client side, the server side (using multiple techniques), or even through storage proxies (which we frequently see used for site backups).
Encryption for PaaS & SaaS

Module 4 // Unit 5

ENCRYPTING PaaS

APPLICATION
• Encrypt within your app code
• Encrypt before sending to the platform
• When you control the code, you can always encrypt there, which is also more portable.
• Volatile memory and swap files may be issues; understand your platform specifics.
• If you are the provider, use per-customer keys as much as possible.

DATABASE
• Transparent Database Encryption (TDE)
• Field-Level

OTHER
• Integrated into the provider's platform
• May include customer-managed key options
Example // Application Encryption Architecture
• Where is the key?
• Where is the data?
• Where is the encryption engine?

SaaS Encryption

Provider Managed
• Provider-managed may offer customer managed keys (we will discuss in a moment)

Customer Managed
• Proxy encryption requires an external tool or service
• You re-route SaaS traffic to the proxy before it is sent to your SaaS provider
• This encryption typically breaks SaaS applications, often dramatically reducing capabilities

PROXY ENCRYPTION FOR SaaS

Encryption Proxy breaks TLS, interprets HTML, and selectively encrypts/decrypts

Normal path: encrypted data not decrypted

Review

1. Platform as a Service (PaaS) encryption will depend almost completely on the kind of platform and options supported by your provider. For workloads though, you can nearly always program your own encryption at the application layer.
2. When encrypting in your application, you can handle the encryption in your own code or hand it off to an external encryption server or service.
3. For Software as a Service you only have two options – rely on your provider's supported encryption or use a third-party encryption proxy that sits as a man in the middle.
4. SaaS encryption proxies may introduce new security concerns due to requiring you to break any network encryption to the cloud provider. They may also break application functionality. However, there are still valid use cases, albeit limited.
Encryption Key Management

Module 4 // Unit 6

Cloud Key Management Options

HSM / APPLIANCE

VIRTUAL APPLIANCE / SOFTWARE

CLOUD PROVIDER SERVICE

HYBRID

Provider Key Management & BYOK

• Some providers build encryption into their platform. By default they typically manage keys for you.
• E.g., the checkbox to encrypt an S3 bucket, or the default encryption on Box/Dropbox.
• Some providers now allow you to manage your own keys. “Bring your own key” (we also call these customer managed keys).
• To varying degrees of security. Some are fully under your control, others the provider can technically get to, but they provide separation of duties.

Cloud Key Management Options

• The customer owns the keys, but the provider may manage them
• This isn’t necessarily insecure; it all depends on the provider’s security controls
• Providers should be very transparent about these
• Keys always exposed at some level, but typically data encryption keys, not master keys
• Often good option for SaaS and PaaS

Options shown: HSM; Customer Key Manager; 3rd Party / Customer Managed; Provider Managed

Review

1. Proper key management is essential to effective encryption.
2. HSMs and physical appliances may be offered by your cloud provider, or you can look at deploying software or virtual appliances in the cloud, connecting to existing hardware over a hybrid connection, or even leverage new options like a key management service from your cloud provider or a third party.
3. Providers offer a range of key management options, from the provider completely managing the keys, to allowing you to manage your own keys in their environment or even provide keys as needed.
4. Bring Your Own Key will work differently on different providers and services, with varying levels of relative security.
5. Once you know the risk you are trying to prevent, you can evaluate the technical options in your provider and platform of choice. Remember, not all data needs the same level of security, so you don't always need to default to the most secure option.

Other Data Security Options

Module 4 // Unit 7
Data Security Architecture

• This example shows using a private network for data processing without ever exposing servers to the internet
• Good architectural decisions can optimize security
• Performance advantages:
  • No servers running
  • No instances
  • No virtual machines
  • You only pay for batch jobs, archival storage & object storage
• There’s no network attack path
More Than Encryption

Auditing/Monitoring/Alerting
• Collect at the provider / metastructure and the data storage level when possible

Provider Specific Controls
• Various providers and platforms have their own data security controls that may not fit our categories

Data Loss Prevention
• Typically a SaaS (and maybe PaaS) priority, don’t see much in IaaS
• CASB often best bet, and may integrate with dedicated DLP tools
• Cloud providers sometimes offer basic DLP in the platform (mostly file collaboration products)

ERM/Digital Rights Management
• Full DRM not often seen and not a cloud-specific issue. Will break most SaaS
• Providers may offer DRM-like capabilities (e.g., user + device + content restrictions)

Data Masking // Dynamic & Test Data Generation

PRODUCTION
ID  LAST   FIRST  CREDIT CARD PAN
1   Smith  John   1234-5678-9101-1234
2   Doe    Jane   2345-8654-8646-4567

(Masking Tool)

DEV / TEST
ID  LAST   FIRST  CREDIT CARD PAN
1   Jones  John   1234-6824-9854-1234
2   Smith  Jane   2345-8346-1623-4567

Test Data Generation Shown
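Test data generation as the slide's table shows it, as an added example that is not part of the course material: PANs keep their first and last four digits, surnames are substituted, and the masking is keyed with a secret so it is repeatable across tables but not reversible without the key. The records, surname pool and secret are constructed.

```python
"""Test data generation from production records, matching the slide's table:
the PAN keeps its first 4 and last 4 digits while the 8 middle digits are
replaced, and surnames are swapped. Masking is keyed with a secret so it is
deterministic (joins across tables survive) but not reversible without the
key. Records, surname pool and secret are constructed for this example."""
import hashlib
import hmac
import re

# Constructed production rows (fake PANs, as on the slide).
PRODUCTION = [
    {"id": 1, "last": "Smith", "first": "John", "pan": "1234-5678-9101-1234"},
    {"id": 2, "last": "Doe", "first": "Jane", "pan": "2345-8654-8646-4567"},
]
SURNAMES = ["Jones", "Smith", "Garcia", "Nguyen", "Okafor", "Rossi"]  # constructed pool
MASK_SECRET = b"constructed-masking-secret"  # in practice, from a secret store
PAN_RE = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{4}$")


def _digits(secret: bytes, label: str, n: int) -> str:
    """n decimal digits derived from HMAC-SHA256(secret, label)."""
    mac = hmac.new(secret, label.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac, 'big'):078d}"[-n:]


def mask_pan(pan: str, secret: bytes = MASK_SECRET) -> str:
    """Keep the BIN (first 4) and last 4; replace the middle 8 digits.
    Re-derives if the replacement happens to equal the original middle,
    so the masked PAN is guaranteed to differ from production."""
    if not PAN_RE.match(pan):
        raise ValueError(f"unexpected PAN format: {pan!r}")
    original_middle = pan[5:9] + pan[10:14]
    attempt = 0
    while True:
        middle = _digits(secret, f"pan:{attempt}:{pan}", 8)
        if middle != original_middle:
            return f"{pan[:4]}-{middle[:4]}-{middle[4:]}-{pan[-4:]}"
        attempt += 1


def mask_surname(last: str, secret: bytes = MASK_SECRET) -> str:
    """Deterministic substitution from the pool (same input, same output)."""
    return SURNAMES[int(_digits(secret, "last:" + last, 9)) % len(SURNAMES)]


def generate_test_rows(rows, secret: bytes = MASK_SECRET):
    """Production -> dev/test rows; id and first name are kept, as on the slide."""
    return [{**r, "last": mask_surname(r["last"], secret), "pan": mask_pan(r["pan"], secret)}
            for r in rows]


def leaked_ids(test_rows, prod_rows):
    """Release gate: ids whose production PAN survives unchanged in the test set."""
    prod_pans = {r["pan"] for r in prod_rows}
    return [r["id"] for r in test_rows if r["pan"] in prod_pans]
```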

Review

1. Integrating PaaS and other new cloud architectural options into applications and data storage may allow cloud consumers to shift more security burden onto cloud providers and reduce the stack's attack surface.
2. Good activity monitoring and alerting are important to cloud data security, and providers may also support a variety of additional security controls.
3. Data Loss Prevention tends to be more useful for SaaS and may be integrated into CASB tools.
4. Traditional DRM/ERM isn't necessarily useful for cloud, but some SaaS/PaaS services may have "DRM-like" capabilities such as sharing or view controls that provide similar protections.
5. Data masking is critical for test data generation and to ensure production data is not exposed in development environments.
The Data Security Lifecycle

Module 4 // Unit 8

Data Security Lifecycle

How to Use the Lifecycle

• The Data Security Lifecycle is a tool to help you model your security controls.
• Don’t get too granular or it will be too complex to model. Focus on the big picture.
• Use the lifecycle to determine where data flows.
• Then use it to map how data *can* be used, and how it *should* be used.
• When you can do something that shouldn’t be allowed, that’s where you need to insert a security control.
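An added example (not the deck's code) tying the entitlement matrix slide in Unit 3 to this one: the matrix is the "should" view, an export of effective platform permissions is the "can" view, and comparing them lists exactly where a control must be inserted. The roles and entitlements are the slide's; which role holds which mark and the effective permissions are constructed.

```python
"""The entitlement matrix (who *should* be able to do what) compared against
the permissions a platform actually grants (what roles *can* do), as the
lifecycle slide describes: every 'can but shouldn't' is where a control is
needed, and 'should but can't' is an operational gap. Roles and entitlements
are the slide's; the mark assignment and effective permissions are constructed."""

ROLES = ["super-admin", "service-admin", "storage-admin",
         "security-audit", "security-admin", "dev"]

# The 'should' view. Constructed assignment of the slide's marks
# (the slide grants 5, 5, 4 and 3 of the six roles respectively).
ENTITLEMENT_MATRIX = {
    "volume:describe": {"super-admin", "service-admin", "storage-admin",
                        "security-audit", "security-admin"},
    "object:describe": {"super-admin", "service-admin", "storage-admin",
                        "security-audit", "dev"},
    "volume:modify": {"super-admin", "service-admin", "storage-admin", "security-admin"},
    "read-logs": {"super-admin", "security-audit", "security-admin"},
}

# The 'can' view, e.g. exported from the platform's IAM policies (constructed).
EFFECTIVE_PERMISSIONS = {
    "super-admin": {"volume:describe", "object:describe", "volume:modify", "read-logs"},
    "service-admin": {"volume:describe", "object:describe", "volume:modify"},
    "storage-admin": {"volume:describe", "object:describe", "volume:modify", "read-logs"},
    "security-audit": {"volume:describe", "object:describe", "read-logs"},
    "security-admin": {"volume:describe", "volume:modify"},
    "dev": {"object:describe", "volume:modify"},
}


def by_role(matrix):
    """Pivot entitlement -> roles into role -> entitlements."""
    pivot = {role: set() for role in ROLES}
    for entitlement, roles in matrix.items():
        for role in roles:
            pivot.setdefault(role, set()).add(entitlement)
    return pivot


def compare(should_matrix, can_by_role):
    """Return {'excess': {role: {...}}, 'missing': {role: {...}}}.
    A role present on the platform but absent from the matrix (a stale or
    ad-hoc role) has every one of its permissions counted as excess."""
    should = by_role(should_matrix)
    excess, missing = {}, {}
    for role in set(should) | set(can_by_role):
        can = set(can_by_role.get(role, set()))
        ok = should.get(role, set())
        if can - ok:
            excess[role] = can - ok
        if ok - can:
            missing[role] = ok - can
    return {"excess": excess, "missing": missing}


def required_controls(report):
    """One explicit deny per 'can but shouldn't' pair, sorted for a stable review list."""
    return sorted(f"deny {ent} to {role}"
                  for role, ents in report["excess"].items() for ent in ents)
```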

Locations & Access

• The simple data security lifecycle does not address location or how
data is accessed
• External use reliant on different controls
• Internal and external access usually have different security policies
• You have *multiple* data security lifecycles

Locations & Access

Mapping The Lifecycle To Functions

Functions Possible in Each Data Lifecycle Phase

Mapping Controls

Recommendations

• Understand the specific capabilities of the cloud platform you are using.
• Don’t dismiss cloud provider data security. In many cases it is more secure than building your own and comes at a lower cost.
• Create an entitlement matrix for determining access controls. Enforcement will vary based on cloud provider capabilities.
• Consider CASB to monitor data flowing into SaaS. It may still be helpful for some PaaS and IaaS but rely more on existing policies and data repository security for those types of large migrations.
• Use the appropriate encryption option based on the threat model for your data, business, and technical requirements.

Recommendations

• Consider use of provider-managed encryption and storage options. Where possible, use a customer-managed key.
• Leverage architecture to improve data security. Don’t rely completely on access controls and encryption.
• Ensure both API and data-level monitoring are in place, and that logs meet compliance and lifecycle policy requirements
• Standards exist to help establish good security and the proper use of encryption and key management techniques and processes. Specifically, NIST SP-800-57, ANSI X9.69 and X9.73.

Review

1. The Data Security Lifecycle is a tool to help us visualize how our data is used and exposed and can be helpful in determining where to place security controls.
2. The lifecycle itself consists of 6 phases from creation to destruction, but practically speaking data will bounce between all the phases as it is used. However, each phase has a distinct set of potential associated security issues and controls.
3. Data will move between various locations, and be accessed using a variety of devices, users, and services. Mapping these can be useful in designing security controls.
4. Depending on the location, phase, etc., the data will have a set of potential actors, functions, and locations. Our application risk assessment will tell us what we want to allow (e.g. through an entitlement matrix).
5. Mapping these against each other will tell us what additional security controls, such as access controls, we need.
Securing Cloud Applications & Users

Module 5

Module Content

Content in this module comes from the following domains in CSA’s Security Guidance:

Domain 10 // Application Security
Domain 12 // Identity Entitlement and Access Management
Domain 14 // Related Technologies

Covers the following subject areas:
• SSDLC
• Immutable
• DevOps
• IAM
Module Structure

Unit 1 // Module Intro
Unit 2 // SSDLC
Unit 3 // Testing and Assessment
Unit 4 // DevOps and Immutable
Unit 5 // Secure Operations and Architecture
Unit 6 // IAM Definitions
Unit 7 // IAM Standards
Unit 8 // IAM in Practice

243

243

Objectives
• Discover how application security differs in cloud computing.
• Review secure software development basics and how those change in the cloud.
• Leverage cloud capabilities for more secure cloud applications.
How Cloud Changes AppSec

Opportunities
• Higher baseline security
• Responsiveness / agility
• Isolated environments
• Independent VMs for microservices
• Elasticity
• DevOps
• Unified interface

Challenges
• Limited visibility
• Increased application scope
• Changing threat models
• Reduced transparency
Application Security Phases

Secure Architecture & Design
• Training
• SDLC
• Pre-deploy testing

Secure Deployment
• Code review
• SAST/DAST/Testing
• Vuln. assessment
• Deployment

Secure Operation
• Change management
• WAF/App defenses
• Ongoing assessment
• Activity monitoring
SSDLC Frameworks & Guidance
SSDLC Frameworks & Guidance


Microsoft’s Security Development Lifecycle

SSDLC Frameworks & Guidance

NIST 800-64

SSDLC Frameworks & Guidance

ISO/IEC 27034
SSDLC Frameworks & Guidance

• Other organizations, including OWASP and a variety of application security vendors, also publish their own lifecycle and security activities guidance.
Cloud Impact On SSDLC

• More reliance on cloud provider under shared responsibilities model
• Large changes to visibility and control
• Highly variable differences between providers and platforms
• Management plane/metastructure now within scope of application security
• New architectural options, especially with PaaS
• DevOps // Not cloud-specific, but highly correlated
Secure Design & Development
Threat Modeling Example

THREAT | DESCRIPTION | EXAMPLE
Spoofing | Assume identity of client, server or request/response | Phishing attack to fool user into sending credentials to fake site
Tampering | Alter contents of request or response to change parameters or values | Message or data integrity compromised
Repudiation | Dispute legitimate transaction | Illegitimately claiming a transaction was not completed
Information Disclosure | Unauthorized release of data | Unencrypted message sniffed off the network
Denial of Service | Service not available to authorized users | System flooded by requests until web server fails
Elevation of Privilege | Bypass authorization system | Attacker changes group membership
Example Mapping Threat Model To Countermeasures

THREAT | SECURITY SERVICE
Spoofing | Authentication
Tampering | Digital signature, Hash
Repudiation | Audit logging
Information Disclosure | Encryption
Denial of Service | Availability
Elevation of Privilege | Authorization
Review
1 The secure software development lifecycle (SSDLC) is a structured process for ensuring security needs are met throughout application development processes.
2 There are multiple frameworks, such as those from Microsoft and OWASP.
3 Cloud will impact each phase of the lifecycle, from training all the way into operations. Changes in visibility and more reliance on the shared responsibilities model are constant threads.
4 When modeling application threats for cloud deployments, some risk will be greater and some less. Threat modeling is a great way to evaluate these differences.
SSDLC Testing & Assessment

Module 5 // Unit 3
Note: Testing is not isolated to secure development or secure deployment; these phases overlap and there aren’t walls between them.

We merely break them out as a way to structure the discussion.
Secure Development & Testing

• Cloud doesn’t change the kind of testing, but does change some of what is tested
• E.g., need to account for cloud API calls, environment, PaaS integration

Code review
• Manual
• Usually implemented at gate/checkpoint for only specific functionality
• E.g., cloud auth and encryption

SAST
• Static Application Security Testing
• Add checks for cloud credentials and API calls
Secure Development & Testing

• In IaaS, you have substantial restrictions to test the cloud infrastructure, but you are free to test the app, database, etc. In PaaS you are free to test your app code and all the rest is restricted. In SaaS you would need to rely on 3rd-party testing done on behalf of the providers
• In IaaS you are generally free to test without permission at the app level, but not in PaaS/SaaS

Unit / regression / functional
• Standards of dev testing
• Should be used to test for security capabilities / functions
Secure Deployment & Testing

• Use tools and companies with cloud-specific features and experience; tools and background don’t translate from traditional to cloud as well in these areas
• You can expect mostly free rein to fuzz in IaaS, but not the same level with PaaS and SaaS
• Often requires close coordination with the cloud provider (depending on scope)
Secure Deployment & Testing

• Include developers and cloud admins within scope of penetration tests since they are often the weak link
• For multitenant apps, allow pen testers authorized access to try and break isolation
• Must define what level in the stack the scan targets
• External scans may require cloud provider permission
Vulnerability Assessment In The Cloud

• Test Images In The Pipeline
• Use A Host-based Agent
• Traditional Network Assessment (With Permission)
Review
1 Secure software development involves a range of security testing. All of these are impacted by cloud computing.
2 With static analysis you should place a greater emphasis on looking for stored cloud credentials, as well as the proper configuration of API usage.
3 Dynamic analysis and vulnerability assessment may require permission from your cloud provider.
4 New vulnerability analysis options, such as scanning in a deployment pipeline or using host-based agents, are often better used for cloud.
5 Assessing the configuration of the cloud environment should now be within scope for an application security assessment.
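The static-analysis emphasis in point 2 can be turned into a concrete pipeline check. The following is an added example, not code from the CCSK handbook or the CSA: a small Python scanner with a constructed rule set (the AWS access key ID shape is the documented one, the other patterns are generic heuristics) run over a constructed source snippet; the `boto3` keyword argument names are the SDK's real ones, while the key and secret values are made up.

```python
"""SAST-style check for stored cloud credentials and inline credential use.
Added example (not from the CCSK handbook or CSA); the rule set and the
sample source below are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned source
    rule: str      # name of the rule that fired
    snippet: str   # the offending line, stripped


# Rules are (name, compiled regex). The "AKIA" + 16 uppercase alphanumerics
# shape is the documented AWS access key ID format; the others are generic
# heuristics, so expect to tune them for your own code base.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded_secret", re.compile(
        r"(?i)\b\w*(?:secret|password|passwd|token|api[_-]?key)\w*"
        r"\s*[=:]\s*['\"][^'\"]{8,}['\"]")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # Credentials passed straight into an SDK client instead of being
    # supplied by the platform (instance role, workload identity, etc.).
    ("inline_sdk_credentials", re.compile(
        r"\b(?:aws_access_key_id|aws_secret_access_key)\s*=")),
]


def scan_source(text: str) -> list:
    """Return one Finding per (line, rule) match, in source order."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(number, name, line.strip()))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, for a pipeline report."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def pipeline_gate(text: str) -> bool:
    """True when the source may proceed to deployment (no findings)."""
    return not scan_source(text)


# Constructed sample: the key ID and secret are made-up values, not real
# credentials; the boto3 keyword arguments are the SDK's real parameter names.
SAMPLE_SOURCE = """\
import os
import boto3

AWS_ACCESS_KEY_ID = "AKIACONSTRUCTED00001"
AWS_SECRET = "constructed/secret/value/0123456789"
DB_PASSWORD = os.environ["DB_PASSWORD"]
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET)
sts = boto3.client("sts")
KEY = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.snippet}")
    print("gate:", "pass" if pipeline_gate(SAMPLE_SOURCE) else "FAIL")
```

Lines 6 and 9 of the sample pass because the password comes from the environment and the STS client relies on platform-supplied credentials; the other four lines are what the review point asks SAST to catch.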
DevOps

Module 5 // Unit 4
DevOps

No single definition, but typically refers to changing culture and process around continuous integration / delivery and automation.

Security Benefits:
• Greater standardization
• Automated testing
• Improved auditing
• Leverage automation techniques to improve security operations
DevOps & Continuous Integration

Server/Container Configuration
Immutable & Infrastructure As Code

• Infrastructure stack, virtual machines (instances), and containers all defined in templates in version control
• Environments and servers/containers rebuilt based on updated configurations
• Changes never made manually in production since the next approved change would overwrite
• Entire environment fully consistent, easy to rebuild / roll-back
• Can remove ability to log into production environment
  E.g., disable SSH on instances
• Massive security benefits: consistency, control, auditability

Pipeline shown in the diagram: Server / Container / Infrastructure Definition Modified → Continuous Integration server detects change, runs tests → If tests passed, new container/server image created → Running instances rebuilt or replaced with new versions
Review
1 There are many definitions of DevOps, but a key defining characteristic is the use of continuous integration and/or continuous delivery (CI/CD).
2 Continuous integration pipelines support consistency and integrated security testing.
3 DevOps also supports immutable deployments, where instead of updating things or making manual changes we replace them from a known good definition.
4 This supports security through consistency and allowing us to even remove the need to log into production assets.
5 There is a lot more to DevOps, but integrated security testing, consistency due to use of CI/CD, and immutable are some of the key security benefits.

Secure Operations & Architecture

Module 5 // Unit 5
Secure Operations
• Lock down the management plane very tightly for production
• Actively monitor for changes at both cloud and app stack levels
• Don’t neglect ongoing testing
• Cloud configuration is now within scope of change management
• WAF: Must auto scale, be embedded in the workload, or be cloud-hosted (filter traffic before it hits your application)
• RASP (Realtime Application Security Protection) is an emerging option
• One RASP variant resembles a WAF inside the application
How Cloud Impacts Application Design & Architecture

• Segregation By Default
• Immutable Infrastructure
• Increased Use Of Microservices
• PaaS And Serverless
PaaS/Serverless & Security

• Provider takes on more security responsibilities
• Communicating via API on provider’s platform reduces network attack paths
• Enables software defined security (security automated with APIs and code)
• May enable event-driven security (events in the cloud trigger execution of security code)
Application Security Recommendations

• Understand the security capabilities of your cloud providers. Not merely their baseline, but the various platforms and services.
• Build security into the initial design process. Cloud deployments are more often greenfield, creating new opportunities to engage security early.
• Even if you don’t have a formal SDLC, consider moving to continuous deployment and automating security into the deployment pipeline.
• Threat modeling, SAST, and DAST (with fuzzing) should all be integrated. Testing should be configured to work in the cloud environment, but also to test for concerns specific to cloud platforms, such as stored API credentials.
Application Security Recommendations

• Understand the new architectural options and requirements in the cloud. Update your security policies and standards to support them, and don’t merely attempt to enforce existing standards on an entirely different computing model.
• Integrate security testing into the deployment process.
• Use software-defined security to automate security controls.
• Use event-driven security, when available, to automate detection and remediation of security issues.
• Use different cloud environments to better segregate management plane access and provide developers the freedom they need to configure development environments, while also locking down production environments.
Review
1 Secure operations is all about keeping your application secure once it is deployed into production.
2 When using cloud, the management plane is now a concern and the cloud configuration is now within scope for change management.
3 WAF will need to be adjusted to account for the different deployment options, like autoscaling, used in cloud.
4 New cloud architectural options, such as serverless and microservices, may offer security benefits and are increasingly common.
5 Serverless puts more responsibility onto the cloud provider, leveraging the shared responsibilities model to reduce the customer's attack surface and scope of security operations.
Identity & Access Management Definitions

Module 5 // Unit 6
Intro To CSA Identity Terms

ENTITY • Discrete types that will have identity; these are Users, Devices, Code, Organizations and Agents
IDENTITY • The unique expression of an entity within a given namespace.
IDENTIFIER • The means by which an identity can be asserted, usually using crypto tokens for digital identities
ATTRIBUTES • Facets of an identity (e.g., org. unit or IP address)
PERSONA • Expression of an identity with attributes that indicates context. E.g., a developer logged into a given project
Intro To CSA Identity Terms (Cont’d)

AUTHORITATIVE SOURCE • The "root" source for an identity, such as a directory server
AUTHENTICATION (AuthN) • The process of confirming an identity.
MULTIFACTOR AUTHENTICATION • Use of multiple factors in authentication (e.g., username + password + token)
AUTHORIZATION (AuthZ) • Allowing an identity access.
ENTITLEMENT • Mapping an identity to an authorization
Intro To CSA Identity Terms (Cont’d)

ACCESS CONTROL • Restricting access to a resource; Access management is the corresponding process
FEDERATED IDENTITY MANAGEMENT • The process of asserting an identity across different systems
IDENTITY PROVIDER • The trusted source of the identity in federation
RELYING PARTY • The system that relies on an identity assertion from an identity provider
ROLE • Has multiple meanings. Typically used to indicate a persona or subset. E.g., “developer” vs. “admin”
Review
1 It is important to understand the foundational terminology for identity and access management (IAM).
2 At the heart is an entity, which is a person, device, or other "thing" that will be given access.
3 An identity is the expression of that entity within a namespace, such as an email address or username for a given system.
4 Entities prove their identity by providing identifiers during authentication.
5 After being authenticated, users may be granted access to objects or actions. This is called an authorization, and an entitlement is a specific approval.
6 Federated identity is critical for cloud computing because it allows us to manage identities across different systems.

IAM Standards

Module 5 // Unit 7
How IAM Is Different For Cloud

• Management plane/metastructure integration
• IAM now always spans organizational boundaries
• Greater use of Federation to manage
IAM Standards For Cloud

Most Common: SAML, OAuth, OpenID
Less Common: XACML, SCIM
OPENID EXAMPLE

Review
1 IAM for cloud computing relies on federated identity due to the requirement to manage authentication and authorization between the cloud consumer and the cloud provider.
2 The most widely supported and used federation standard for connecting enterprises with their cloud providers is SAML.
3 OAuth and OpenID are web-centric federation standards often used by both consumers and organizations.
4 Federation involves multi-step cryptographically supported processes to connect an Identity Provider (the source for the identity) and the Relying Party (most often the cloud provider, where authorizations occur).
5 Typically the identity provider handles authentication, then the relying party handles authorization (enforcing what someone can actually do).
IAM Practice

Module 5 // Unit 8
Managing Users & Identities For Cloud

• Cloud providers need to support internal identities and federation
• Cloud consumers need to determine where to manage identities and how to integrate with providers
• Generally, consumers should own the identity and federate to the provider (as much as possible)
Additional Identity Decisions
• Provisioning and supporting various cloud providers/platforms
• Defining the identity provisioning process and how to integrate with cloud.
• Often a good time to review and update your process
• How to manage identities for systems/code/devices/services
• Mapping attributes
• Enabling monitoring/logging
• Building entitlement matrices
• Documenting break/fix for federation outages
• IR for account takeovers and other IAM incidents
• Deprovisioning
Authentication: MFA Is Mandatory

Moving From RBAC To ABAC

RBAC
• Role Based Access Controls
• Very familiar
• Decisions based on assigned role in that context

ABAC
• Attribute Based Access Controls
• Decision based on more attributes than just role
• Far more granular and flexible
• Best model for cloud
Sample Cloud Entitlement Matrix

Identity Management Recommendations
• Organizations should develop a comprehensive and formalized plan and processes for managing identities and authorizations with cloud services.
• When connecting to external cloud providers, use federation, if possible, to extend existing identity management. Try to minimize silos of identities in cloud providers that are not tied to internal identities.
• Consider the use of identity brokers where appropriate.
• Cloud consumers are responsible for maintaining the identity provider and defining identities and attributes.
• These should be based on an authoritative source.
• Distributed organizations should consider using cloud-hosted directory servers when on-premises options either aren’t available or do not meet requirements.
Identity Management Recommendations
• Cloud consumers should prefer MFA for all external cloud accounts and send MFA status as an attribute when using federated authentication.
• Privileged identities should always use MFA.
• Develop an entitlement matrix for each cloud provider and project, with an emphasis on access to the metastructure and/or management plane.
• Translate entitlement matrices into technical policies when supported by the cloud provider or platform.
• Prefer ABAC over RBAC for cloud computing.
• Cloud providers should offer both hosted identities and federation using open standards.
• There are no magic protocols: pick your use cases and constraints first and find the right protocol second.
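To show what "translate entitlement matrices into technical policies" and "prefer ABAC over RBAC" look like together, here is an added Python example (not code from the CCSK handbook or the CSA, and not any provider's policy language): a constructed entitlement matrix whose rows constrain role, environment, project and the MFA status attribute sent by the identity provider, evaluated default-deny. The rule names, action strings, attribute names and identities are all assumptions made for the example.

```python
"""Evaluating a cloud entitlement matrix as attribute-based (ABAC) policy.
Added example (not from the CCSK handbook or CSA); the matrix, attribute
names, action strings and identities below are all constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One row of the entitlement matrix, expressed as attribute constraints."""
    name: str
    actions: frozenset                                  # "svc:Action" or "svc:*"
    subject_must: dict = field(default_factory=dict)    # attr -> allowed values
    resource_must: dict = field(default_factory=dict)   # attr -> allowed values
    require_mfa: bool = False      # MFA status arrives as an IdP-sent attribute
    same_project: bool = False     # subject.project must equal resource.project


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str      # the granting rule, or "default-deny"


# Constructed entitlement matrix. Under RBAC only the role would be
# consulted; here environment, project and MFA status also decide.
ENTITLEMENT_MATRIX = [
    Rule("dev-manage-own-nonprod",
         frozenset({"ec2:StartInstances", "ec2:StopInstances",
                    "ec2:TerminateInstances"}),
         subject_must={"role": {"developer", "admin"}},
         resource_must={"env": {"dev", "test"}},
         require_mfa=True, same_project=True),
    Rule("admin-change-prod",
         frozenset({"ec2:StartInstances", "ec2:StopInstances",
                    "ec2:TerminateInstances"}),
         subject_must={"role": {"admin"}},
         resource_must={"env": {"prod"}},
         require_mfa=True),
    # Management plane access: privileged identities always need MFA.
    Rule("management-plane-admin",
         frozenset({"iam:*"}),
         subject_must={"role": {"admin"}},
         require_mfa=True),
    Rule("describe-any",
         frozenset({"ec2:DescribeInstances"}),
         subject_must={"role": {"developer", "admin", "auditor"}}),
]


def _action_covered(action: str, actions: frozenset) -> bool:
    """Exact match, or a 'service:*' wildcard covering the whole service."""
    if action in actions:
        return True
    return any(a.endswith(":*") and action.startswith(a[:-1]) for a in actions)


def _attrs_satisfy(attrs: dict, constraints: dict) -> bool:
    """Every constrained attribute must be present and in its allowed set."""
    return all(attrs.get(k) in allowed for k, allowed in constraints.items())


def evaluate(subject: dict, action: str, resource: dict,
             matrix=ENTITLEMENT_MATRIX) -> Decision:
    """Default deny: the first rule whose every constraint holds grants access."""
    for rule in matrix:
        if not _action_covered(action, rule.actions):
            continue
        if not _attrs_satisfy(subject, rule.subject_must):
            continue
        if not _attrs_satisfy(resource, rule.resource_must):
            continue
        if rule.require_mfa and not subject.get("mfa", False):
            continue
        if rule.same_project and subject.get("project") != resource.get("project"):
            continue
        return Decision(True, rule.name)
    return Decision(False, "default-deny")


# Constructed identities as a federated IdP might assert them; the MFA
# status travels as an attribute, as the recommendations above suggest.
ALICE_DEV = {"user": "alice", "role": "developer", "project": "billing", "mfa": True}
BOB_ADMIN_NO_MFA = {"user": "bob", "role": "admin", "project": "platform", "mfa": False}
BOB_ADMIN_MFA = {**BOB_ADMIN_NO_MFA, "mfa": True}
BILLING_DEV = {"env": "dev", "project": "billing"}
PAYROLL_DEV = {"env": "dev", "project": "payroll"}
BILLING_PROD = {"env": "prod", "project": "billing"}

if __name__ == "__main__":
    for who, action, what in [
        (ALICE_DEV, "ec2:TerminateInstances", BILLING_DEV),
        (ALICE_DEV, "ec2:TerminateInstances", PAYROLL_DEV),
        (BOB_ADMIN_NO_MFA, "ec2:TerminateInstances", BILLING_PROD),
        (BOB_ADMIN_MFA, "iam:CreateUser", {}),
    ]:
        d = evaluate(who, action, what)
        print(who["user"], action, what, "->", "ALLOW" if d.allowed else "DENY", d.rule)
```

The same admin role is granted or denied the same action depending on environment and MFA status, which a pure role lookup cannot express.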
Review
1 Due to the complexity of managing multiple directory servers and cloud providers, a hub and spoke model using a federated identity broker is often preferred.
2 Because of the broad network access supported by cloud providers, multi-factor authentication is critical to help reduce the chances of account takeovers.
3 Many cloud providers are now supporting attribute-based access controls, which support greater granularity in entitlements than traditional role-based access controls.
4 Building an entitlement matrix can help document authorizations for your cloud providers’ different services and help with assessments and audits.

Secure Software Development Life Cycle (SSDLC)
Module 5 // Unit 2
Cloud Security Operations

Module 6
Module Contents
Module 6 // Cloud Security Operations
Maps to the following domains in the Security Guidance:
Domain 9 // Incident Response
Domain 13 // Security as a Service
Domain 14 // Related Technologies

Covers the following subject areas:
• What to look for in a cloud provider
• Security as a Service
• Incident Response
• IoT
• Serverless
• Mobile
• Big Data
Module Structure
Unit 1 // Module Intro
Unit 2 // Selecting A Cloud Provider
Unit 3 // Incident Response
Unit 4 // SECaaS Fundamentals
Unit 5 // SECaaS Categories & Recommendations
Unit 6 // Related Technologies
Unit 7 // CCSK Exam Prep
Objectives
• How to select cloud providers
• The advantages & disadvantages of Security as a Service
• The different major Security as a Service categories
• How to respond to security incidents in the cloud
• The security issues of technologies related to cloud computing: Big Data, mobile, serverless, IoT
• Security as a Service (SECaaS) recommendations
Selecting A Cloud Provider

Module 6 // Unit 2
Enabling The Security Strategy

Mr./Ms. Cloud Provider:

How do you enable my security strategy?

Or In Other Words…

What do you do?

What do I have to do?

And…

Do you enable me to do what I need to do?
THINGS TO LOOK FOR IN A CLOUD PROVIDER
PART 1
COMPARTMENTALIZATION OF JOB ROLES
WELL-DEFINED SECURITY POLICIES
REVIEWABLE AUDITS
THE ABILITY TO INSPECT / AUDIT PROVIDER
WELL-DEFINED CONTRACTUAL LANGUAGE (SECURITY / PRIVACY)
WELL-DEFINED BC/DR POLICY / PROCESS

THINGS TO LOOK FOR IN A CLOUD PROVIDER
PART 2
CONFIGURATION MANAGEMENT PROCESS
PATCH MANAGEMENT PROCESS
ROBUST, WELL-DOCUMENTED API
SECURITY IN THE DEVELOPMENT PROCESS
SECURITY IN THE OPERATIONS PROCESS
PRIORITIZATION OF SECURITY
Things To Look For In A Cloud Provider

Reviewable Audits:
• More is often better
• Scope and Time
• Service Coverage
• Audit Firm History
IaaS (And Most PaaS) Provider Critical Security Capabilities
(These are not directly stated in the Guidance)
• API/admin activity logging
• Elasticity and autoscaling
• APIs for all security features
• Granular entitlements
• Good SAML support
• Multiple accounts per customer (or equivalent)
• Software Defined Networking
• Region/location control
• Infrastructure templating/automation
SaaS Provider Critical Security Capabilities
(These are not directly stated in the Guidance)
• Robust external security and compliance assessments available for customers to review
• Granular IAM entitlements within the SaaS application
• SAML support
• Logging of administrator activity
• External log feeds or API access to logs
• Strong internal controls to limit admin access to customer data
• These should be externally validated and clearly documented
CSA Tools To Help

AND MORE! https://cloudsecurityalliance.org/research/
Review
1 The critical security capabilities for cloud providers are a list of features required in a cloud platform to fully enable customers to build a comprehensive cloud security program.
2 When evaluating cloud providers, consumers should also look at all available documentation, and pay particular attention to internal security controls that ensure a strong baseline level of security over time.
3 Individual security features are not as indicative as strong programmatic controls.
4 Cloud providers should also offer a wide array of reviewable third-party audits and assessments to validate their security program and control.
5 The Cloud Security Alliance provides the CAIQ, CCM, STAR, and STARWatch to help both cloud providers and consumers in communicating security posture.
Incident Response

Module 6 // Unit 3
Incidents Change
• Likelihood of some kinds of incidents goes up, others go down – it’s a different environment
• The metastructure is the biggest difference
• Consider attacks targeted at the Cloud Provider and how that affects your systems
• You and the provider will likely have different priorities
• Your processes will certainly change
• Don’t wait until the first incident to figure this all out
IR Lifecycle

PREPARATION → DETECTION & ANALYSIS → CONTAINMENT, ERADICATION, RECOVERY → POST-MORTEM
IR Lifecycle: Preparation

• Understand where data is and moves.
• Understand and clarify SLAs and contracts.
  • These become your primary communication and enforcement tool.
  • Look for things like:
    • Points of contact, communications channels.
    • Incident definition and notification criteria.
    • Testing, scoping, and roles and responsibilities.
• Build a cloud jump kit.
• Architect for faster detection, investigation, and remediation.
  • Immutable, infrastructure as code, isolation, instrumentation.
• Test the plan.
• Know who to call!
IR Lifecycle: Detection & Analysis

• Detection depends on data availability.
• Know your data sources: what the provider gives you, and what you collect yourself.
• Pay particular attention to in-cloud monitoring and alerting capabilities.
• Analysis impacted by lack of transparency to provider’s infrastructure.
• Data source issues:
  • What should be logged and what is logged?
  • Are logs consistent and complete?
  • Do logs reflect the dynamic nature of the cloud?
  • Do logs meet legal requirements, tamper resistance, and format requirements?
• Forensics likely limited to your virtual instances. Snapshots are useful.
IR Lifecycle: Containment, Eradication, Recovery

• The cloud provider’s primary responsibility is to the entire customer base.
• Containment may mean containing you. You will be sacrificed to maintain the stability of the service.
• You are responsible for your own containment, eradication, and recovery.
• Start with the management plane/metastructure.
• Software defined infrastructure allows you to rebuild in a new area without having to immediately eradicate the active attack.
IR Lifecycle: Post-Mortem

• Mostly equivalent to how you handle for traditional infrastructure
• Pay particular attention to data sources, the metastructure/management plane response, and communications with the cloud provider.
Incident Response Recommendations
• SLAs and setting expectations around what the customer does versus what the provider does are the most important aspect of incident response for cloud-based resources.
• Clear communication of roles/responsibilities and practicing the response and hand-offs are critical.
• Cloud customers must set up proper communication paths with the provider that can be utilized in the event of an incident. Existing open standards can facilitate incident communication.
• Cloud customers must understand the content and format of data that the cloud provider will supply for analysis purposes and evaluate whether the available forensics data satisfies legal chain of custody requirements.
• Cloud customers should also embrace continuous and serverless monitoring of cloud-based resources to detect potential issues earlier than in traditional data centers.
• Data sources should be stored or copied into locations that maintain availability during incidents.
• If needed and possible, they should also be handled to maintain a proper chain of custody.
Incident Response Recommendations

• Cloud-based applications should leverage automation and orchestration to streamline and accelerate the response, including containment and recovery.
• For each cloud service provider used, the approach to detecting and handling incidents involving the resources hosted at that provider must be planned and described in the enterprise incident response plan.
• The SLA with each cloud service provider must guarantee support for the incident handling required for the effective execution of the enterprise incident response plan. This must cover each stage of the incident handling process: detection, analysis, containment, eradication, and recovery.
• Testing will be conducted at least annually or whenever there are significant changes to the application architecture. Customers should seek to integrate their testing procedures with that of their provider (and other partners) to the greatest extent possible.
Review
1 The fundamental nature of cloud changes the likelihood and nature of incidents. It is important to adjust your incident response process to account for these.
2 Cloud consumers and cloud providers will have different priorities in an incident. These may conflict when a provider needs to contain a consumer.
3 Focus on preparation, especially communications with cloud providers, adjusting IR plans, and building tool or "jump" kits to more-rapidly respond.
4 When available, infrastructure as code can allow isolation of a compromised environment while rebuilding a functional environment in parallel to reduce downtime.
5 But don't forget, this will carry over any active vulnerabilities and configuration errors in the templates.
321

SECaaS Fundamentals

Module 6 // Unit 4

322

Defining SECaaS

Security as a Service is defined as a security product or service, with cloud-based management. These services can secure systems and data in the cloud, in traditional on-premise networks, or hybridized environments.

323

SECaaS Characteristics

• Security products or services delivered as a cloud service
• Meets the NIST essential characteristics

324

SECaaS Potential Benefits

• Cloud Computing Benefits
• Staffing And Expertise
• Intelligence Sharing
• Deployment Flexibility
• Insulation Of Clients (Maybe)
• Scaling And Costs

325

SECaaS Potential Concerns

• Regulation Differences
• Handling Of Regulated Data
• Lack Of Visibility
• Changing Providers
• Migrating to SECaaS
• Data Leakage

326

ALWAYS KEEP IN MIND…

An organization cannot
outsource accountability…
Ever.
327

Review
1 SECaaS looks from the other side to secure systems and data in the cloud as well as hybrid and traditional enterprise networks via cloud-based services. These systems may be in the cloud or more traditionally hosted within the customer’s premises.
2 Security as a Service includes security products delivered as a cloud service, that also meet the NIST essential characteristics.
3 They offer the same benefits as the rest of cloud computing and may also offer benefits such as deeper expertise among their staff, as well as intelligence sharing across all the customers they protect.
4 Drawbacks can include regulatory differences, reduced visibility, and the potential for your data leaking through the provider.
5 The cloud consumer can never outsource their security accountability.

328

SECaaS Categories

Module 6 // Unit 5

329

SECaaS // IAM Services

Identity, Entitlement And Access Management Services
• Federated Identity Brokers
• Strong Authentication
• Cloud-Based Directories
• Other emerging options

330

SECaaS // CASB

Cloud Access Security Brokers

• Discussed in the Data Security module
• Can be cloud-hosted
• Used to manage SaaS applications
• Poor name - the "access" was meant to refer to federated identity brokers, but that market is separate

331

SECaaS // Gateways

Web Security Gateways

• Web security delivered via the cloud by proxying web traffic to the cloud provider.
• Policy rules for web access and allowed time frames are also enforced.
• Protective, detective, and reactive technical control

332

SECaaS // Email

Email Security
• Filters inbound and outbound email to block spam, phishing, and malware.
• Protects users from email floods and provides business continuity.
• May include encryption.

333

SECaaS // Assessment

Security Assessment
• Using cloud-based tools for assessment on either cloud services or on-premise resources.
• Main Types:
  • Traditional VA
  • Application Security
  • Cloud Platform Assessment

334

Web Application Firewalls

[Diagram: Public traffic from the internet resolves via the DNS record (SSL) to the CLOUD WAF, which forwards traffic (SSL) to the APP SERVER's "hidden" IP; the app server accepts public traffic from the WAF only. Private traffic reaches the app server through a VPN proxy, and the management panel is restricted to the proxy IP.]

335
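The diagram's two rules (the origin accepts public traffic from the WAF only, and the management panel is reachable from the VPN proxy IP only) are what keep the "hidden" IP hidden. The following is an added example, not code from the course or from any WAF vendor: a hypothetical Python model of that origin allow-list, used to classify constructed connection attempts, flag the ones that bypassed the WAF, and render the equivalent host firewall rules. The address ranges are RFC 5737 documentation prefixes standing in for a WAF's egress ranges and a VPN proxy, and the port numbers are assumed.

```python
import ipaddress

# Constructed policy for the hidden origin behind a cloud WAF. The ranges are
# documentation prefixes, not any real WAF vendor's egress addresses.
ORIGIN_POLICY = {
    443: ["203.0.113.0/24", "198.51.100.0/25"],  # public app port: WAF egress only
    8443: ["192.0.2.10/32"],                      # management panel: VPN proxy only
}


def is_allowed(port, src_ip, policy=ORIGIN_POLICY):
    """True only if the port is exposed and the client sits in an allowed range."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in policy.get(port, []))


def evaluate(attempts, policy=ORIGIN_POLICY):
    """Classify (port, source IP) attempts. A denied hit on an exposed port means
    the origin was reached without going through the WAF or the VPN proxy."""
    results = []
    for port, src_ip in attempts:
        if is_allowed(port, src_ip, policy):
            results.append((port, src_ip, "allow", "trusted path"))
        elif port in policy:
            results.append((port, src_ip, "deny", "bypass attempt: origin reached directly"))
        else:
            results.append((port, src_ip, "deny", "port not exposed"))
    return results


def bypass_attempts(attempts, policy=ORIGIN_POLICY):
    """The events worth alerting on: someone has found the hidden IP."""
    return [(port, ip) for port, ip, decision, reason in evaluate(attempts, policy)
            if reason.startswith("bypass")]


def render_iptables(policy=ORIGIN_POLICY):
    """Emit equivalent host firewall rules: per-port allow-list, then drop the rest.
    Assumes the host's INPUT chain; a cloud security group expresses the same intent."""
    rules = []
    for port, cidrs in sorted(policy.items()):
        for cidr in cidrs:
            rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


# Constructed connection attempts as they might appear in the origin's logs.
SAMPLE_ATTEMPTS = [
    (443, "203.0.113.45"),   # via the WAF
    (443, "192.0.2.77"),     # direct to the hidden IP, skipping the WAF
    (8443, "192.0.2.10"),    # operator via the VPN proxy
    (8443, "203.0.113.45"),  # WAF range must not reach the management panel
    (22, "192.0.2.10"),      # SSH is not part of the exposed surface
]


if __name__ == "__main__":
    for entry in evaluate(SAMPLE_ATTEMPTS):
        print(entry)
    print("\n".join(render_iptables()))
```

Any "bypass attempt" result is worth feeding to monitoring: it means the origin address has leaked (through DNS history, a certificate, or an outbound connection) and the WAF is no longer the only path in.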

SECaaS // Encryption

Encryption & Key Management

• Cloud-based key management can protect cloud data and also on-premise data.
• Consistency with existing key management schemes is important.

336

SECaaS // SIEM

Security Information And Event Management (SIEM)
• Aggregate log and event data from virtual and real networks, applications, and systems.
• Correlate and provide alerts based on a mutually agreed rule set.
• Ensure the hand-off between provider and internal ops group is clean.

337
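The three SIEM bullets above (aggregate from several sources, correlate against an agreed rule set, hand a clean alert to the ops group) can be shown end to end on a handful of events. This is an added example, not code from the course or from any SIEM product: a hypothetical Python correlator that parses constructed lines from two sources, a cloud provider audit log and an application auth log, and raises one alert when a login succeeds after a threshold of failures for the same address and user inside a time window. The line format, the rule, the addresses and the user names are all invented for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events from two sources. Formats and addresses are invented.
SAMPLE_EVENTS = [
    "2019-11-04T10:00:01Z source=cloud-audit action=ConsoleLogin result=FAILURE ip=198.51.100.7 user=alice",
    "2019-11-04T10:00:30Z source=app-auth action=Login result=FAILURE ip=198.51.100.7 user=alice",
    "2019-11-04T10:01:10Z source=cloud-audit action=ConsoleLogin result=FAILURE ip=198.51.100.7 user=alice",
    "2019-11-04T10:02:00Z source=app-auth action=Login result=SUCCESS ip=198.51.100.7 user=alice",
    "2019-11-04T10:03:00Z source=cloud-audit action=ConsoleLogin result=FAILURE ip=203.0.113.9 user=bob",
    "2019-11-04T10:03:20Z source=cloud-audit action=ConsoleLogin result=FAILURE ip=203.0.113.9 user=bob",
    "2019-11-04T10:04:00Z source=cloud-audit action=ConsoleLogin result=SUCCESS ip=203.0.113.9 user=bob",
    "2019-11-04T10:20:00Z source=app-auth action=Login result=FAILURE ip=198.51.100.7 user=alice",
    "2019-11-04T10:21:00Z source=app-auth action=Login result=FAILURE ip=198.51.100.7 user=alice",
    "2019-11-04T10:22:00Z source=app-auth action=Login result=FAILURE ip=198.51.100.7 user=alice",
    "2019-11-04T10:30:00Z source=app-auth action=Login result=SUCCESS ip=198.51.100.7 user=alice",
]

# The "mutually agreed rule set": thresholds the provider and the internal ops
# group have signed off on, kept as data so they can be reviewed and versioned.
RULES = [
    {"name": "failed-logins-then-success", "failures": 3, "window_minutes": 5},
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) source=(?P<source>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse_event(line):
    """Normalise one raw line into a dict; None for lines the parser does not know."""
    match = EVENT_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def correlate(lines, rules=RULES):
    """Aggregate events from all sources, then apply each rule to the combined stream."""
    events = sorted(filter(None, (parse_event(line) for line in lines)),
                    key=lambda e: e["ts"])
    alerts = []
    for rule in rules:
        window = timedelta(minutes=rule["window_minutes"])
        for success in (e for e in events if e["result"] == "SUCCESS"):
            # Failures for the same (ip, user) from *any* source inside the window.
            prior = [
                f for f in events
                if f["result"] == "FAILURE"
                and (f["ip"], f["user"]) == (success["ip"], success["user"])
                and success["ts"] - window <= f["ts"] <= success["ts"]
            ]
            if len(prior) >= rule["failures"]:
                # Everything the ops group needs for a clean hand-off in one record.
                alerts.append({
                    "rule": rule["name"],
                    "ip": success["ip"],
                    "user": success["user"],
                    "failures": len(prior),
                    "sources": sorted({f["source"] for f in prior} | {success["source"]}),
                    "at": success["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the first sequence fires: bob's two failures are under the threshold, and alice's later three failures fall outside the five-minute window of the 10:30 success, which is exactly the kind of boundary the agreed rule set has to spell out so that the provider and the internal team read the same alert the same way.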

SECaaS // BC/DR

Business Continuity / Disaster Recovery

• Involves using a cloud service to back up internal controls.
• Requires synchronization and clear demarcation of accountability.

338

SECaaS // Misc.

Additional Categories
• DDoS Protection
• Security Management
• Managed Network or Endpoint
Security (e.g. IDS)

339

SECaaS Recommendations
• Before engaging a SECaaS provider, be sure to understand any security-specific requirements for data-handling (and availability), investigative, and compliance support.
• Pay particular attention to handling of regulated data, like PII.
• Understand your data retention needs and select a provider that can support data feeds that don’t create a lock-in situation.
• Ensure that the SECaaS service is compatible with your current and future plans, such as its supported cloud (and on-premises) platforms, the workstation and mobile operating systems it accommodates, and so on.

340

Review
1 Security as a Service offerings include a wide range of categories that span most, if not all, major security domains.
2 The key is that the service meets the NIST essential characteristics, and this also includes hybrid offerings (e.g. the management is in the cloud with some on-premise components).
3 Common categories include everything from security assessment, to cloud-based defensive tools like WAF, email, and web filtering, to SIEM and logging.
4 When selecting a provider, ensure you understand your data handling and compliance requirements and evaluate services that are compatible with your existing technology requirements, such as architectures and operating systems.
341

Related Technologies

Module 6 // Unit 6

342

Related Technologies

Key technologies interrelated with cloud computing:
• Big Data
• Internet of Things
• Mobile
• Serverless

343

Big Data // Distributed data collection, storage, and processing

• High Volume
• High Velocity
• High Variety

• Distributed Data
• Distributed Storage
• Distributed Processing

344

Big Data Cloud Security

Securing All The Storage
• Including Intermediary Storage Like Containers Or Storage Volumes For VMs Performing Processing

Encryption Key Management
• No Change To The Fundamentals, But BYOK Most Likely Required If PaaS Involved.

Secure The Platform
• Big Data Platforms Still Have Relatively Low Inherent Security.
• Look To PaaS And Isolated Virtual Networks

Know Your Platform
• Capabilities Vary Greatly Between Both Providers And Platforms
• If You Use Machine Learning/AI, Understand The Security And Privacy Model.
345

Internet Of Things Security Priorities

• APIs and Device Authentication / Authorization
• Device Patching And Updating
• Data Collection
• Encrypted Communications

346

Mobile & Cloud

Most mobile apps connect back to cloud.

Device Registration, Authentication, & Authorization
• Stored credentials are a risk.
• Including federation tokens with long refreshes.

Application APIs can expose the cloud deployment
• If not secured properly.

347

Serverless
• Includes PaaS and Function as a Service
• New frameworks being released at a rapid pace
• IAM and logging are key security issues for serverless apps
• Often provides more security benefits than downside due to pushing more security responsibility onto the cloud provider (in the shared responsibilities model)

348

Review
1 Related technologies are key technologies often seen with, and used by, cloud deployments. They include Big Data, the Internet of Things, mobile computing, and serverless computing.
2 Big Data platforms tend to have low inherent security, so using the cloud for isolation is important. It's also critical to understand where and how data is stored and, often, to protect it with distributed encryption.
3 The Internet of Things often uses cloud computing for back end processing, application logic, and data storage. Security concerns tend to focus on device and user authentication and authorization, secure communications, and data storage.
4 Mobile issues are often very similar to those of IoT when it comes to cloud as the cloud becomes the back-end for many mobile apps.
5 Serverless is a cloud-native technology and used in most modern deployments to some degree. IAM and logging tend to be a security focus since they are so different compared to on-premise or even virtualized workloads.
349

CCSK Exam Prep

Module 6 // Unit 8

350

Preparing For The CCSK Exam

Study The Guidance And ENISA Documents
• CSA Guidance: https://cloudsecurityalliance.org/download/security-guidance-v4/
• ENISA: https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment/at_download/fullReport
• CAIQ: https://cloudsecurityalliance.org/group/consensus-assessments/#_overview
• CCM: https://cloudsecurityalliance.org/group/cloud-controls-matrix/#_overview

Review The CCSK Prep Kit At:
• https://cloudsecurityalliance.org/education/ccsk/#_prepare

351

Preparing For The CCSK Exam

You Will Be Issued A Token After Completion Of This Class Via Email
• You will use the token and the email we have from your registration to start the exam.

You will have two attempts to pass the exam.

The exam is timed (90 minutes), but open book.

352

Hints

• Read the Guidance 3-4 times and have it with you.
• As with any test, the wording is weird, but if you are familiar with the material and know where to check in the Guidance, you should be fine.
• Don’t wait too long after taking this class… your tokens may take a week or two to arrive, which is a good time to take the test.
• If you have technical issues, email: [email protected]

353

CCSK Prep Kit

• Complete Preparation Package
• Common Body of Knowledge (CBK)
• 16 Sample Questions
• Links for all other resources
• Testing Details
• https://cloudsecurityalliance.org/education/ccsk/#_prepare

354

CSA Guidance

Security Guidance
• 87% of test
• Majority of the class
• Domain mappings at beginning of module 1
• Vendor agnostic
• Concepts reinforced by labs
• https://cloudsecurityalliance.org/download/security-guidance-v4/

355

ENISA Risk Report

European Version of NIST
• 6% max of test
• Benefits, Risks & Recommendations for Cloud InfoSec
• https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment/at_download/fullReport

356

Consensus Assessment Initiative Questionnaire

CAIQ
• 7% of test
• 295 Questions
• Direct alignment to CCM
• STARwatch input
• STAR Registry
• https://cloudsecurityalliance.org/group/consensus-assessments/#_overview

357

Cloud Controls Matrix

CCM
• 16 domains
• 133 controls
• Cross Mappings
• Architectural Relevance
• SPI applicability
• https://cloudsecurityalliance.org/group/cloud-controls-matrix/#_overview

358

HOORAY!

YOU’RE ALL DONE!

Thank you for participating in this course. If you have questions, comments or concerns, please email [email protected]
359
