1. Cloud Computing Concepts and Architectures - DONE

Question 1

What are the 4 layers of functionality and applicable security requirements? (traditional and cloud environments)

Answer 1

*Infrastructure layer -Infrastructure security
*Metastructure layer -Virtual environment security
*Infostructure layer -Data security
*Applistructure layer -Application and operating system security

Question 2

What is the infrastructure layer comprised of?

What are the Security concerns surrounding the infrastructure layer?

Answer 2

In this layer, there are the servers, networking, and storage pools.

Question 3

Describe the Metastructure layer and how it works.

2.What is the single biggest difference between the cloud and traditional IT

Answer 3

In this layer, you both configure and manage a cloud deployment of any type. It is within the metastructure logical layer that you build the virtual tools required for a virtual world (the cloud)

You’ll perform configuration in themanagement planethrough a graphical user interface (GUI), a command-line interface (CLI), or an API, depending on what the provider offers to interact with its infrastructure.

Want to add a new user for SaaS? You do it here. Want to set up a zero-trust network in IaaS? This is the place to do it.

Question 4

Describe the Infostructure layer and its security concerns.

Answer 4

This is where the information and data reside. This could be file storage, databases—whatever. Security in this layer doesn’t really change; how you secure things may change, but the principles of data security remain the same.

Question 5

Describe the Applistructure layer and its security concerns.

Answer 5

Applications and all of the services used to build and support them reside here. Your applications could be running on a Microsoft or Linux server of your own, or they could be running in technologies such as containers, microservices, or serverless networks.

If you take an image of a running system and migrate it into the cloud, nothing changes from a security perspective. In this scenario, operating systems will always need patches, and application security still applies as it always has.

As you start to take advantage of the new technologies the cloud offers, your security is likely to change dramatically.

The web server is part of the applistructure. “installing a firewall agent, that would occur at the applistructure layer.

Question 6

What is the management plane?

Answer 6

It is part of the metastructure.
The element of a system that controls the management of infrastructure, platforms, applications, and resources through the use of API calls and web consoles

Question 7

What should your main focus be on when you are migrating your application in a like-for-like fashion

Answer 7

Focus your efforts on the metastructure layer.
Nothing about your assessment of the application itself changes. The controls at the operating system are the same, as are the application security controls.

Question 8

List the essential characteristics of the cloud.

Answer 8

• Resource pooling
• Rapid elasticity
• Broad Network Access
• On-Demand Self-Service
• Measured Service

Question 9

Define Resource pooling

Answer 9

Resources (Computer, Network, Storage) are pooled and consumers are granted access.

Multitenancy - A consumer’s access to the pools is tightly isolated from that of other consumers, typically based on policies atthe provider’s side. (“ISO/IEC 17788 refers to multitenancy as a sixth essential characteristic.)

Question 10

Define Broad Network Access

Answer 10

The service is available over a network (the Internet). There is no special requirement for direct physical connectivity or provider-supplied network connectivity.

e.g. manage an entire IaaS implementation via the browser on your cell phone.

Question 11

Define Rapid Elasticity

Answer 11

It enables consumers to scale resources based on demand, often automatically.

Scaling up generally refers to using more powerful servers (such as a four-CPU configuration instead of two), whereas scaling out refers to adding more servers (for example, servers to a web farm to service requests).

In addition to adding capacity when demand increases, you need to be able to scale down when demand drops. This aspect is critical, because you don’t want to scale up to respond to a temporary increase in demand.

Question 12

Define Measured Service

Answer 12

The measured service essential characteristic makes the cloud a pay-as-you-go model of computing: you’re simply charged for what you use.
Another term used in the CSA Guidance is “utility computing,” which is akin to how you consume electricity or water from a utility.

Question 13

Define On-Demand Self-Service

Answer 13

You can provision resources on your own without human intervention on the provider’s side.

If your provider tells you that your ticket for a new server instance is very important to them and they will act on it in 48 to 72 hours, you’re being cloudwashed.

Question 14

List the 3 service models of the cloud.

Answer 14

• IaaS
• PaaS
• SaaS

Question 15

What is IaaS

Answer 15

IaaS is the underlying foundation that consists of the physical facilities and infrastructure hardware.

or

an IaaS system can be summarized as consisting of facilities (physical data centre), hardware (proprietary or standard), abstraction (virtualization), and orchestration (APIs)

Question 16

What is a hypervisor?

Answer 16

The most commonly known form of virtualization is a virtual machine, which is generally synonymous with hypervisor (also called a virtual machine monitor (VMM)) technology.

Essentially, the hypervisor acts as the host and allows a single hardware server to host many virtual machines that are referred to as “guests.” The hypervisor is tasked with “tricking” the guest machines into thinking they are directly accessing the underlying hardware, but in reality, they are operating in an isolated virtual environment with their virtual hardware resources. (Put in a more polished way, the hypervisor is an abstraction layer that decouples the physical hardware from the guest operating system.)

Question 17

What are the different types of hypervisor?

Answer 17

There are two types of hypervisors of note: Type 1 hypervisors are installed directly onto the physical server (such as VMware ESXi, Xen, or KVM), and Type 2 hypervisors are installed on top of the operating system already running on a server (such as VMware Workstation, VMware Workstation Player, or Oracle VM VirtualBox). I can’t imagine any cloud service provider using anything other than a Type 1 hypervisor.

The hypervisor used by the provider can have an impact on consumers and thus should be known in advance of provider selection. Not all hypervisors are created equal from performance and capability perspectives.

Question 18

Define Orchestration (Iaas context)

Answer 18

The orchestration enables a controller to request resources from the pools of resources, and all this is automated through the use of APIs (mostly RESTful APIs).

Question 19

Define abstraction (Iaas context)

Answer 19

Abstraction is usually based on virtualization of servers, networks, and/or storage.
It is this abstraction that allows for the pools of resources to be created (for example, a group of hypervisors all working together).

Question 20

Say you want to create an Ubuntu Server instance with two CPUs, 12GB of RAM, 2TB of storage, and two network cards. Describe what happens behind the scenes at the provider side?

Answer 20

The cloud controller contacts the compute controller to request that a new server with two CPUs and 12GB of RAM be created.

The cloud controller contacts the storage controller to allocate 2TB of storage. This storage is connected to the new server instance through a storage network.

The cloud controller requests two virtual network interface cards from the network controller.

After all of this is performed, the cloud controller takes the requested Ubuntu Server image, copies it to the newly created virtual server, boots it, and configures it. Once this is done (measured in seconds or minutes), the controller makes the connection information available to the consumer.

Question 21

Define PaaS

Answer 21

By CSA definition, PaaS adds a layer of integration with application development frameworks; middleware capabilities; and functions such as databases, messaging, and queuing

In the PaaS service model, the provider builds the infrastructure (or leverages IaaS from another provider), creates a shared platform that customers will leverage, and may expose security controls they believe customers want control over.

Question 22

what is the downside to Paas security-wise?

Answer 22

The downside to PaaS, as far as security is concerned, is that controls exposed to the customer are restricted compared to those possible in IaaS.

Consider this example scenario: A major provider’s SQL PaaS offering enforces an eight-character password for the master SQL account. It’s embedded within the service and isn’t part of the provider’s integrated access management (IAM) offering. There’s no password complexity enforcement, rotation, or way to check whether the password meets policy.

Change management is another issue you can run into with the PaaS provider owning and managing the platform. The provider can, and will, change what platforms will be supported and which ones will be deprecated over time. It is on you not only to be advised of these changes but also to identify potential issues and fix them before your provider makes the change. For example, if you are running application code in a development platform, you may eventually get an e-mail from your vendor announcing the introduction of a change to the platform that will break your application if your code has a dependency on functionality that is being deprecated.

Question 23

Define SaaS

Answer 23

All SaaS applications are considered multitenant in nature and support access by web browsers and mobile applications. In many cases, SaaS applications also support access via API calls. The type of API supported (REST versus SOAP) and capabilities offered via the API are dependent on the provider in question.

The architecture of an SaaS application behind the scenes can range from a single server running both web and SQL services (read: single point of failure), or it can bean extremely complex system that consists of load balancers, redundant server farms, serverless components, and anything else imaginable. There are no rules or regulations as to what an SaaS (or any service model) provider must or must not do.

Question 24

The downside to Saas security-wise?

Answer 24

An important aspect of SaaS services is that the SaaS provider may use a separate provider for IaaS or PaaS purposes. The biggest issue here has to do with salespeople exaggerating the security of their application because it’s being run in a different provider network. As you already know, the cloud is a shared responsibility, and the SaaS vendor is just another client to the IaaS provider. If the application you are consuming has security issues at the applistructure layer (such as privilege escalation), that is 100 percent on the SaaS vendor. Along the same lines, the SaaS vendor who says their application is PCI- or HIPAA-compliant because it’s being run in a compliant infrastructure is equally guilty of ignorance or worse.

Question 25

List the deployment models of the cloud. What is relevant to the CCSK?

Answer 25

- Public Cloud - Private Cloud - Community Cloud - Hybrid Cloud The main item to remember for your CCSK exam is the level of trust of other tenants who also use the service.

Question 26

Define the Public Cloud

Answer 26

The infrastructure is owned and managed by a third party and is located off-premises—somewhere other than your location.

Question 27

Define the Community Cloud

Answer 27

A community cloud is generally built for multiple trusted organizations with similar concerns (such as a risk profile). The community cloud is much like a private cloud in that it can be built and managed by your company, or it can be outsourced. The co-tenants are also contractually bound.

Question 28

Define the private cloud How is the private cloud multitenant?

Answer 28

A private cloud is built for a single organization. You can have your team install and manage a cloud infrastructure in your data centre, or you can call a private cloud supplier, who could spin one up for you in their data centre. The important fact is that only trusted people (well, people within your organization at least) will be accessing the cloud. it is really nothing more than controller software that automates and orchestrates access to pools of resources. An example of a tenant in a private cloud would be the groups in your company. Take HR and Finance groups, for example. These are two separate tenants as far as the private cloud is concerned, because the HR group shouldn't have the same access to Finance's resources, and vice versa. The difference is that a private cloud tenant is trusted.

Question 29

What is the main difference between the Community Cloud and Private Cloud?

Answer 29

The key difference between a private and a community cloud is that the financial risk is shared across multiple contractually trusted organizations in the community cloud.

Question 30

Define the Hybrid Cloud The most important capabilities that are associated with the hybrid deployment model?

Answer 30

The connection of two different clouds (such as a public and private cloud) that are bound together by standardized or proprietary technologies that enable data and application portability. This term has been extended to include a non-cloud data center being connected, or bridged, to a cloud provider. portability and cloud bursting. Portability is the ability to shift where a workload is executed—for example, creating a P2V image of a physical server and moving that to a cloud environment. The connectivity between your data centre and the cloud environment (hybrid) makes this possible. Cloud bursting means leveraging a cloud provider to supply additional resources to meet additional load. In this scenario, you could have a load balancer that will direct incoming web traffic either to internal or to cloud-based systems depending on the current load.

Question 31

What does the shared responsibility model refer to?

Answer 31

When looking at securing or assessing a cloud environment, you should keep in mind that the CSP is always responsible for implementing and configuring some aspects of the computing environment, and you are responsible for other aspects of the environment.

Question 32

Describe the security responsibility that comes with Saas.

Answer 32

You're renting access to a turnkey application. The provider is responsible for the application itself and everything that supports it, down to the physical security. As the customer, you're limited to what is exposed to you as a configurable item. For example, the provider could enable you to create a new user and assign certain permissions to that account, or it may allow for only one type of user; it's up to them to create it, and it's up to you to determine whether it's acceptable based on your risk tolerance.

Question 33

Describe the security responsibility that comes with Paas.

Answer 33

In this example, we see a shared responsibility for the application security as well as the network security entries. Consider a scenario where you're using PaaS to run a custom application that you created. All the security surrounding the application code is on you—it's your application after all! But why is it shared? It's shared because the provider is responsible for the platform you're using to run the application on. As for the network security portion, the provider maintains the network and supplies standard security controls (such as firewalls and intrusion prevention systems), but what if you want certain IP addresses blocked? That part would be on you to integrate into your code, or you could use a web application firewall, for example.

Question 34

Describe the security responsibility that comes with Iaas.

Answer 34

You're involved in everything aside from the facilities, physical hardware, and hypervisor. For instance, the provider may offer you operating system images that have all the latest patches installed, but once you launch an image to make your instance, you're responsible for patching and securing everything to meet your security policies. You are responsible for using the network controls the provider makes available (such as a virtual firewall service like a security group). The provider creates the virtual firewall service and exposes that security control to customers so they can configure it according to their requirements. It's not the provider's responsibility to configure those for you.

Question 35

To get to the bottom of who is responsible for doing what, you should ask the following questions for every project:

Answer 35

- What does the provider do? - What does the consumer need to do? - Does the cloud provider enable customers to do what they need to do? - What is included in the documentation the provider gives to customers? - What is guaranteed in the contract and service level agreements? First, providers should properly design and implement controls. They should clearly document internal security controls and customer security features so the cloud user can make an informed decision. Second, customers should build a responsibilities matrix to document who is implementing which controls and how. This should be done on a per-workload basis. Selected controls should align with any necessary compliance standards.

Question 36

What are the Cloud Security Alliance Tools?

Answer 36

The CSA has tools that you can use to assess security controls in a cloud environment in the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ). CSA even offers a freely available repository of provider-completed CAIQ responses, called the Security Trust Assurance and Risk (STAR) registry.

Question 37

Describe the CCM (cloud controls matric)

Answer 37

The CCM tool contains more than 130 cloud security controls across 16 domains and maps them to multiple security and compliance standards. CCM version 3.0.1 is tested as part of the CCSK v4 exam. It can be used to document the security responsibilities of both the provider security controls and your own implementation of systems in a cloud environment. . It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain.

Question 38

The structure of the CCM itself is broken down into the following portions: Describe the first 4: Control Domain and Control Control ID Updated Control Specification Architectural Relevance

Answer 38

*Control Domain and Control - This lists the control domain and an individual control. For example, the first entry in the CCM is the “Application and Interface Security” domain, and “Application Security” is the individual control. * Control ID - an identification code for the control in question. Using the first entry as a reference, this is called AIS-01. * Updated Control Specification - This specifies the control objective. The wording for AIS-01 states, “Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested following leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.” * Architectural Relevance  -This states the areas that may be impacted by a control. Using AIS-01 as our example, this control is applicable to compute, storage, application, and data. It does not apply to the physical or network components of a system.

Question 39

The structure of the CCM itself is broken down into the following portions: Describe the last 4: Corporate Governance Relevance Cloud Service Delivery Model Applicability Supplier Relationship Scope Applicability (Expect an exam question on it)

Answer 39

* **Corporate Governance Relevance** Is this a governance item, or is it a technical issue? AIS-01 states it is not a governance item. * **Cloud Service Delivery Model Applicability** What service model does this apply to (SaaS, PaaS, IaaS)? AIS-01 applies to all of the service models. * **Supplier Relationship** Who is responsible for implementing this control? Is it the provider, the customer, or both? In the AIS-01 example, this is listed as a provider responsibility. * **Scope Applicability** This section maps the control to a wide variety of standards such as NIST, PCI, COBIT, ISO, and more. Using PCI 3.0 as an example (because it's easiest), we see a mapping between CCM AIS-01 and PCI DSS v3.0 control 6.5.

Question 40

What is the Consensus Assessments Initiative Questionnaire

Answer 40

Cloud providers can use the CAIQ template to document their security and compliance controls. The structure itself is very close to the CCM with one main difference: the CAIQ contains questions that are very direct and less ambiguous than the control specifications found in the CCM.

Question 41

What are the 4 questions asked in the Consensus Assessments Initiative Questionnaire?

Answer 41

The CAIQ includes the CCM specification, but it also asks the following four direct questions in a yes-or-no format: - Do you use industry standards (Building Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, and so on) to build in security for your systems/software development lifecycle (SDLC)? - Do you use an automated source code analysis tool to detect security defects in code before production? - Do you use manual source code analysis to detect security defects in code before production? - Do you verify that all of your software suppliers adhere to industry standards for systems/software development lifecycle (SDLC) security?

Question 42

What is the purpose of the STAR Registry?

Answer 42

The highlight of the STAR registry is its collection of filled-out CAIQ responses from vendors. This repository is freely available, and you can use it to perform a “stealth” inspection of a provider's security controls before even engaging the provider. The CAIQ entries are considered “self-assessments.” Each self-assessment is referred to as a “Level 1” STAR entry. the STAR Registry contains CAIQ entries that are filled out by vendors and uploaded to the Cloud Security Alliance without any third-party review or assessment.

Question 43

Describe the STAR Level 1: Self-Assessment 

Answer 43

STAR Level 1: Self Assessment There is no oversight or third-party inspection regarding what is listed here and what is the truth. That said, I like to think that no vendor would be careless enough to list “mistruths” in their STAR entry because this would eventually be discovered and the vendor would likely suffer tremendous reputational damage. Still, just be aware that it's called “Self Assessment” for a reason. If you want a third party to sign off on statements, you need to look for the Level 2 STAR entry.

Question 44

Models are tools that you can use to help guide security decisions. The CSA divides these models into four distinct items, or tools, that you can use:

Answer 44

- **Conceptual Models** These can include visualizations and descriptions that explain concepts and principles. The logical model (infostructure, applistructure, metastructure, and infrastructure) with what exists at each level is an example of a conceptual model. - **Controls Models** This categorizes and details specific cloud security controls and/or categories of controls. The CCM and ISO 27017 are examples of control models recommended by the CSA. - **Reference Architectures** Reference architectures can be anything from a very abstract, high-level concept, to a very detailed concept, down to specific controls and functions. (service model) - **Design Patterns** These are considered reusable solutions to particular problems. Take, for example, log management in an IaaS environment. You can implement the log management system once and leverage it as part of other systems that are built. Like the reference architecture, a design pattern can be abstract (a box on a diagram) or specific to particular platforms.

Question 45

What is the Cloud Security Process Model

Answer 45

**Step 1** Identify required security and compliance controls that must be in place to meet compliance requirements. These requirements will exist no matter where the system is run. **Step 2** Select the cloud service provider, the service model, and the deployment model used. This will assist you in understanding the shared responsibilities. **Step 3** Define the architecture. What components and services will the system use? How can you secure something if you don't know what it does and what other systems or components it interacts with? **Step 4** Assess security controls. Remember the responsibility of implementing security could be that of the provider, or it may be your responsibility. **Step 5** Identify control gaps. You know what's required per compliance requirements and what controls are available. Can you find any controls that are required that are not implemented or exposed to you? **Step 6** Design and implement controls to fill the gaps. If the provider doesn't offer a control that you need, you're going to have to implement a control to address the gap. **Step 7** Manage changes over time. Security (especially cloud security) is never a one-and-done approach. You have to keep up to date with all changes at the provider side and address any security gaps should they arise.

Question 46

cloud user may only be able to manage authorization and entitlements in Saas service model

Answer 46

The cloud provider is responsible for nearly all security, since the cloud user can only access and manage their use of the application, and can't alter how the application works. For example, a Saas provider is responsible for perimeter security, logging/monitoring/auditing, and application security, while the consumer may only be able to manage authorization and entitlements