13. Security as a Service - DONE Flashcards
Whether you are procuring cloud-based security services from a dedicated SecaaS vendor or leveraging security services from an Infrastructure as a Service (IaaS) provider, you are considered to be procuring SecaaS services. Whichever way you procure these services, they must meet the following criteria:
*They must be a security product or service delivered as a cloud service.
*They must meet the essential characteristics of cloud computing.
EXAM TIP: Remember that you’re procuring security software that meets the essential characteristics of the cloud, and you’ll be fine.
The following lists provide a summary of the benefits and disadvantages that are specifically associated with SecaaS.
SecaaS offers several potential benefits:
*Cloud-computing benefits
*Staffing and experience
*Intelligence sharing
*Cloud-computing benefits:
The normal potential benefits of cloud computing apply to SecaaS, including reduced capital expenses, more agility, redundancy, high availability, and resiliency. As always, you must do your due diligence to ensure that you are selecting an appropriate provider to meet your requirements.
*Staffing and experience:
This is a big one, and it may be the biggest reason to adopt SecaaS. Companies around the world are struggling to find qualified cybersecurity professionals. By adopting SecaaS, you can immediately tap into a pool of experts in the area you are procuring. This can enable your staff to focus on your organizational “big picture” of cybersecurity.
*Intelligence sharing:
Honestly, this is nothing new. Antivirus customers have been benefitting from intelligence sharing for decades. When the provider gets a malware sample from another customer, they make a signature file that can identify and quarantine the virus, and this will be used by all other customers.
Two further SecaaS benefits:
*Insulation of clients
*Scaling and cost
*Insulation of clients
Why would you choose to allow malware into your corporate network so you can inspect it locally? You’re congesting the perimeter network for what reason again? With SecaaS, you can create a “clean pipe” coming into your network by having a remote system scan and clear out malicious traffic before it hits your corporate network.
*Scaling and cost
What happens if your 500-person company buys another company with 250 employees? Suddenly, you have to support a 50 per cent larger user base. This often requires the integration of different technologies and new hardware to meet this demand on resources. With SecaaS, you’d simply procure an additional 250 licenses. This is an example of the “pay-as-you-grow” cost benefits of using SecaaS.
On the other hand, using a SecaaS vendor may result in these issues:
*Lack of visibility
*Regulation differences
*Handling of regulated data
*Lack of visibility
We know the nature of outsourcing means that our visibility into what the provider does is hindered. SecaaS is no different. You may have a high-level view of what the provider does, but you won’t have detailed knowledge of their operations. The biggest impact is in the telemetry (such as log data) that you receive from the provider. You need to ensure that available sources meet your requirements.
*Regulation differences
Where is your provider located, and can they address regulatory issues that your organization faces based on the jurisdictions in which you operate?
*Handling of regulated data
Is your provider able to be a partner? With HIPAA, for example, the SecaaS provider must be able to be a business associate if their systems will be exposed to health records. And what about PCI? Along with these standards, the Guidance calls out a scenario about employee monitoring. What is legally allowed in one jurisdiction may be prohibited in another.
Further issues that may arise when using a SecaaS vendor:
*Data leakage
*Changing providers
*Migration to SecaaS
*Data leakage
Security-related information (such as logs) often contains sensitive data. This data must be highly protected in a multitenant environment. This requires that the provider implement very strong isolation and segregation. Of course, this type of data may also be required in the event of legal cases. You need to ensure that your data will not be accidentally exposed when another client faces an e-discovery request. Another example of data leakage would be leaking internal IP addresses.
*Changing providers
When you procure a SecaaS solution, you are essentially procuring a proprietary application. Changing from one provider to another will likely be a difficult effort, because there may be limited tools available to migrate data from one provider to another. A major item, in real life and for your CCSK exam, is that you must retain historical logs and other data that may be necessary for legal and compliance requirements. Not being able to export this data in a format that you can use without access to the provider’s tools may lead to vendor lock-in.
*Migration to SecaaS
Adoption of cloud services must always be well planned and executed. SecaaS is no different.
The major offering in this category of SecaaS services is that of identity brokers. This technology can be used to implement federated identity.
What other offerings does the CSA Guidance list in this category?
The CSA Guidance also presents other offerings in this category, such as Policy Enforcement Points (PEP as a Service), Policy Decision Points (PDP as a Service), Policy Access Points (PAP as a Service), services that provide entities with identities, and services that provide attributes (such as multifactor authentication).
Two other offerings are referenced in this category. The first is strong authentication services, which use apps and infrastructure to simplify the integration of various strong authentication options, including mobile device apps and tokens for MFA.
The second hosts directory servers in the cloud to serve as an organization’s identity provider. You can also do this yourself in IaaS by implementing directory services in your own instances, for example.
What is the main difference between traditional filtering tools and a CASB?
CASB can be used in inline blocking mode that intercepts communications that are directed toward a cloud service, or it can use APIs to monitor activities and enforce policies. Whereas traditional web-filtering tools allow for whitelisting and blacklisting of websites, you want to be able to allow or restrict based on the content, not just on the websites being accessed. This is the main differentiator between the two solutions.
CASB can enforce this content-type blocking via integration with data loss prevention (DLP) services.
CASB can be deployed as an on-premises control or in a cloud environment; a cloud deployment allows for greater options when it comes to protecting both multiple locations and remote users.
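To make the differentiator concrete, here is an added example (not code from the CCSK guide, the CSA Guidance, or any CASB vendor) of an inline decision: a traditional web filter can only answer "is this host allowed?", while the CASB path also inspects the upload body with a small DLP-style check (a Luhn-validated card-number pattern) and blocks content that the destination is not approved to receive. The host names, the policy table and the sample request bodies are assumptions constructed for the example.

```python
"""Added example: URL allowlisting versus content-aware (DLP-backed) CASB blocking.
The sanctioned hosts, the policy flags and the request bodies are made up for illustration."""
import re
from urllib.parse import urlparse

# Assumed policy: sanctioned SaaS hosts and whether each may receive card data (PAN).
SANCTIONED_HOSTS = {
    "files.example-sanctioned-saas.com": {"allow_pan": False},
    "payments.example-internal.com": {"allow_pan": True},
}

# 13-19 digits, optionally separated by spaces or dashes, as a candidate card number.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit strings in the text that look like a card number and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def web_filter_decision(url: str) -> str:
    """Traditional web filter: host allowlist only, no look at the payload."""
    host = urlparse(url).hostname or ""
    return "allow" if host in SANCTIONED_HOSTS else "block"


def casb_decision(url: str, body: str) -> tuple[str, str]:
    """Inline CASB: destination check plus DLP inspection of what is being uploaded."""
    host = urlparse(url).hostname or ""
    policy = SANCTIONED_HOSTS.get(host)
    if policy is None:
        return "block", "unsanctioned destination"
    pans = find_pans(body)
    if pans and not policy["allow_pan"]:
        return "block", f"DLP: {len(pans)} card number(s) bound for a host not approved for PAN"
    return "allow", "policy satisfied"


if __name__ == "__main__":
    url = "https://files.example-sanctioned-saas.com/upload"
    body = "attached: card 4111 1111 1111 1111 exp 12/29"  # constructed test data
    print("web filter:", web_filter_decision(url))
    print("casb      :", casb_decision(url, body))
```

The same sanctioned URL is allowed by the plain filter and blocked by the CASB path, which is exactly the "content, not just the website" point above.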
CASB vendors often support some form of rating system for cloud vendors. They will perform a general risk assessment of providers and may advise you on things such as data center locations, ownership of data used in the provider systems (owned by customer or provider once uploaded), and other items.
In some instances, CASB vendors use the Cloud Controls Matrix as the basis for this risk assessment.
Although a vendor may offer both CASB and identity broker solutions, the majority of vendors offer these solutions separately.
What is a web security gateway?
This technology provides web filtering, which has been around for quite some time. Web filters can determine what categories of web sites are blocked (for example, hacking sites are restricted from access from endpoints). These solutions can also determine what times of the day sites can be accessed and provide other web protection functions.
The power of having a cloud-based solution is the ability to implement your policies on a global basis. For example, imagine your organization has an office in New York City, and a salesperson is working in Singapore for a series of meetings. Rather than forcing this user to connect to the office via VPN so you can inspect their web usage, their workstation would use a local point of presence in Singapore to enforce your policies.
EXAM TIP: Remember that a major benefit of SecaaS is the ability to enforce your policy using someone else’s infrastructure.
Application authorization management can provide an extra level of granular and contextual security enforcement for web applications.
Implementing SecaaS that provides e-mail security is a no-brainer.
Any e-mail security solution should be able to provide control over inbound and outbound e-mail, protect the organization from risks such as phishing and malicious attachments, enforce corporate policies such as acceptable use and spam prevention, and provide business continuity options. Some e-mail security SecaaS solutions may offer functionality such as e-mail encryption and digital signatures to support confidentiality, integrity, and nonrepudiation.
Security assessment solutions have been around for a good number of years. Companies can use these to support NIST, ISO, PCI, and other compliance activities. The only difference between those mature products and the SecaaS solutions is that one is performed locally and the other is in the cloud.
The CSA Guidance specifically lists three forms of security assessment systems, and you should remember these for your exam:
*Traditional security/vulnerability assessments of cloud-based instances and on-premises servers and workstations
*Application security assessments, including static application security testing (SAST), dynamic application security testing (DAST), and management of runtime application self-protection (RASP).
*Cloud platform assessment tools that connect to a cloud environment via exposed APIs to assess the metastructure configuration and server instances
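The third form is the one with no on-premises equivalent, so here is an added example (not from the CCSK guide or the CSA Guidance) of what a cloud platform assessment check does with the data it pulls back: it walks the metastructure configuration and flags admin ports open to the Internet, public or unencrypted storage, and instances that still accept the v1 metadata service. A real tool fetches this inventory through the provider's API; the JSON below is a constructed sample in a provider-neutral shape, and its field names (`security_groups`, `buckets`, `imds_v2_required`, and so on) are assumptions made for the example.

```python
"""Added example: assessing cloud metastructure configuration for common misconfigurations.
The inventory is constructed; a real tool would fetch it via the provider's API."""
import json

SAMPLE_INVENTORY = json.loads("""
{
  "security_groups": [
    {"id": "sg-web", "ingress": [
        {"port": 443, "cidr": "0.0.0.0/0"},
        {"port": 22,  "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db",  "ingress": [
        {"port": 5432, "cidr": "10.0.0.0/8"}]}
  ],
  "buckets": [
    {"name": "public-assets", "public": true,  "encrypted": true},
    {"name": "backups",       "public": true,  "encrypted": false}
  ],
  "instances": [
    {"id": "i-1", "security_group": "sg-web", "imds_v2_required": false},
    {"id": "i-2", "security_group": "sg-db",  "imds_v2_required": true}
  ]
}
""")

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def assess(inventory: dict) -> list[dict]:
    """Return findings, highest severity first, for the classic metastructure mistakes."""
    findings = []
    for sg in inventory.get("security_groups", []):
        for rule in sg.get("ingress", []):
            # A web port open to the world is expected; an admin port is not.
            if rule["port"] in ADMIN_PORTS and rule["cidr"] in WORLD:
                findings.append({"severity": "high", "resource": sg["id"],
                                 "issue": f"{ADMIN_PORTS[rule['port']]} (tcp/{rule['port']}) open to the world"})
    for bucket in inventory.get("buckets", []):
        if bucket.get("public"):
            findings.append({"severity": "medium", "resource": bucket["name"],
                             "issue": "bucket is publicly readable"})
        if not bucket.get("encrypted", False):
            findings.append({"severity": "medium", "resource": bucket["name"],
                             "issue": "bucket not encrypted at rest"})
    for inst in inventory.get("instances", []):
        # IMDSv1 lets an SSRF bug on the instance read credentials without a session token.
        if not inst.get("imds_v2_required", False):
            findings.append({"severity": "low", "resource": inst["id"],
                             "issue": "instance metadata service does not require v2 session tokens"})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def summarize(findings: list[dict]) -> dict:
    """Count findings per severity, for a one-line report header."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY)
    print(summarize(results))
    for f in results:
        print(f"[{f['severity']:6}] {f['resource']}: {f['issue']}")
```

Note that the check treats tcp/443 from anywhere as acceptable and only escalates on admin ports; a real assessment tool would carry a much larger rule set, but every rule has this same shape: read a configuration object returned by the API, compare it with policy, emit a finding.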
What is a web application firewall?
The web application firewall (WAF) in SecaaS is a cloud-based firewall that operates at layer 7; it therefore understands HTTP and can block malicious traffic as a result. This SecaaS category is another “no-brainer” as far as I’m concerned. As with e-mail, how much Internet traffic hitting your network today is either junk or malicious?
Many cloud WAFs can stop a distributed denial of service (DDoS) attack against your network. Can your network handle a 1.35 Tbps DDoS attack? This is what GitHub was hit with back in 2018. Their services were impacted for about 20 minutes in total (about 10 minutes to identify the attack and 10 minutes for their cloud WAF vendor to fully address the malicious traffic, at which point the attacker gave up).
What are intrusion detection systems (IDSs) and intrusion prevention systems (IPSs)?
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are controls that can detect (IDS) and/or prevent (IPS) malicious activity in your network or on your hosts. These systems can work based on anomaly detection and/or signatures. SecaaS doesn’t change anything about what these controls do.
What the SecaaS version of IDS/IPS changes is how data is collected and analyzed. Rather than a company having to analyze data supplied by the agents in-house, this analysis is performed by a provider using their platform. This is an opportunity to discuss another benefit of SecaaS, mentioned earlier: your organization can outsource the analysis of potentially malicious network traffic in your environment to an organization that can potentially bring much deeper expertise and new technology to assist clients, such as using machine learning and artificial intelligence to greatly enhance what is realistically possible for the average organization.
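The "signature and/or anomaly" distinction is easier to see on data, so here is an added example (not from the CCSK guide) that runs both kinds of detection over a handful of constructed web-server access-log lines: a signature pass matches known-bad request paths (after URL-decoding them, so simple percent-encoding does not evade the match), and an anomaly pass flags any source that exceeds a request-rate threshold inside a sliding window. The log lines, IP addresses, signatures and thresholds are all made up for the example; a SecaaS IDS would receive the same kind of records from an agent or log forwarder and apply far richer analytics.

```python
"""Added example: signature-based and rate-anomaly detection over constructed access-log lines."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional
from urllib.parse import unquote

# Constructed sample: two normal requests, two attack probes from one host,
# and a burst of 20 login attempts in 20 seconds from another.
SAMPLE_LOG = "\n".join(
    [
        '10.1.1.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
        '10.1.1.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 330',
        '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
        '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 90',
    ]
    + [
        f'198.51.100.7 - - [10/Oct/2023:13:57:{s:02d} +0000] "POST /login HTTP/1.1" 401 0'
        for s in range(20)
    ]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signatures run against the URL-decoded path (assumed patterns, for illustration).
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./")),
    ("sql injection probe", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
]


def parse_line(line: str) -> Optional[dict]:
    """Turn one combined-log-format line into an event dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    return {
        "src": src,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": unquote(path),
        "status": int(status),
    }


def signature_alerts(events: list[dict]) -> list[tuple[str, str, str]]:
    """(signature name, source, decoded path) for every request matching a signature."""
    alerts = []
    for ev in events:
        for name, rx in SIGNATURES:
            if rx.search(ev["path"]):
                alerts.append((name, ev["src"], ev["path"]))
    return alerts


def rate_alerts(events: list[dict], window_s: int = 60, threshold: int = 10) -> list[str]:
    """Sources that make more than `threshold` requests inside any `window_s`-second window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev["time"])
    flagged = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the window spans at most window_s seconds.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(src)
                break
    return flagged


def run_ids(log_text: str) -> dict:
    """Parse the log and return both detection outputs."""
    events = [ev for ev in (parse_line(ln) for ln in log_text.splitlines()) if ev]
    return {"signature": signature_alerts(events), "rate": rate_alerts(events)}


if __name__ == "__main__":
    for kind, hits in run_ids(SAMPLE_LOG).items():
        print(kind, hits)
```

Signatures catch what you already know about (the traversal and the injection probe); the rate check catches the login burst, which matches no signature at all. The SecaaS version moves exactly this parsing and analysis, at far greater scale, onto the provider's platform.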
What is Security Information and Event Management (SIEM)?
I don’t think it’s a secret when I say that SIEM is a challenge to implement properly. We know that SIEM is able to take logs and perform all kinds of advanced analytics against them. As with IDS/IPS, the SecaaS version of SIEM doesn’t change the functionality; it eases the implementation of SIEM, turning a potential multimonth project into an outsourced solution that may be possible to implement in the same day.
I also don’t think it’s a secret to say that SIEM experts are very expensive, and there is a very limited pool of talent available. Again, when you use SecaaS, you benefit from tapping into a pool of product experts. This in turn enables your security teams to focus on the big picture of your security posture.
Encryption and Key Management
SecaaS providers in this space can encrypt data on your behalf and/or manage encryption keys on your organization’s behalf.
EXAM TIP: It’s important to remember that whether you are procuring a dedicated “encryption as a service” provider or using customer-managed keys from an IaaS provider, you are procuring a SecaaS.
This category includes encryption proxies for SaaS. Again, recall that, unlike IaaS and PaaS, encryption often breaks SaaS when the SaaS provider can’t access the keys to decrypt the data. This is because the SaaS provider likely needs to work with the data that you upload to their platform.
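Why encryption "breaks" SaaS is worth seeing rather than reading, so here is an added example (not from the CCSK guide or any encryption-proxy vendor). A tiny stand-in for the SaaS side stores whatever value it is given and searches by plain string comparison, the way an application would; the proxy encrypts a field with a customer-held key before the value ever reaches it. With randomized encryption the SaaS can no longer match even an exact search, because each encryption of the same e-mail address is different; with deterministic (SIV-style) encryption exact match works again, at the cost of revealing which records share a value, and substring search is gone either way. The cipher is a deliberately minimal HMAC-SHA256 keystream construction so the example runs on the standard library alone (a real proxy would use AES-GCM or an equivalent authenticated mode), and the key, field name and records are assumptions made for the example.

```python
"""Added example: an encryption proxy in front of a SaaS store, and what it does to search.
Toy HMAC-keystream cipher for illustration only; use AES-GCM in practice."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: str, deterministic: bool = False) -> str:
    """Return hex(nonce || ciphertext). Randomized mode draws a fresh nonce; deterministic
    (SIV-style) mode derives the nonce from the plaintext, so equal inputs give equal outputs."""
    pt = plaintext.encode()
    if deterministic:
        nonce = hmac.new(key, b"siv" + pt, hashlib.sha256).digest()[:16]
    else:
        nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return (nonce + ct).hex()


def decrypt(key: bytes, token: str) -> str:
    """Invert encrypt(); the nonce travels with the ciphertext."""
    raw = bytes.fromhex(token)
    nonce, ct = raw[:16], raw[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class SaasStore:
    """Constructed stand-in for the SaaS application: it only ever sees stored values."""

    def __init__(self):
        self.rows = []

    def insert(self, email: str) -> None:
        self.rows.append(email)

    def find_exact(self, value: str) -> int:
        return sum(1 for r in self.rows if r == value)

    def find_contains(self, fragment: str) -> int:
        return sum(1 for r in self.rows if fragment in r)


def demo(deterministic: bool) -> dict:
    """Push records through the proxy, then search the way the SaaS normally would."""
    key = b"\x01" * 32  # assumed customer-held key; never shared with the SaaS provider

    def proxy(value: str) -> str:
        return encrypt(key, value, deterministic)

    store = SaasStore()
    store.insert(proxy("alice@example.com"))
    store.insert(proxy("alice@example.com"))
    store.insert(proxy("bob@example.com"))
    return {
        # An exact search must itself go through the proxy to be expressed in ciphertext.
        "exact_matches": store.find_exact(proxy("alice@example.com")),
        # The SaaS cannot search inside ciphertext for a plaintext fragment at all.
        "substring_matches": store.find_contains("example.com"),
        # The customer side can still read its own data back.
        "roundtrip_ok": decrypt(key, store.rows[0]) == "alice@example.com",
    }


if __name__ == "__main__":
    print("randomized   :", demo(deterministic=False))
    print("deterministic:", demo(deterministic=True))
```

Randomized encryption returns zero exact matches for two identical addresses; deterministic encryption returns two, which is why proxy vendors offer "searchable" modes that trade some confidentiality (equality leaks) for functionality. Anything that needs the plaintext on the provider side, such as substring search, sorting, or the provider's own analytics, stays broken, which is the point the paragraph above makes.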