CCSK Flashcards
Core of Big Data, the 3 V’s
Volume
Velocity
Variety
5 Essentials of Cloud Computing per NIST
Broad Network Access, Rapid elasticity, Measured Service, On Demand Self Service, Resource Pooling
3 A’s of Vulnerability
Authentication
Authorization
Accounting
Service Models
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Deployment Models
Public
Private
Hybrid
Community
IaaS
provider is responsible for foundational security, while the cloud user is responsible for everything they build on the infrastructure. Unlike PaaS, this places far more responsibility on the client
PaaS
Cloud provider is responsible for the security of the platform, while the consumer is responsible for everything they implement on the platform, including how they configure any offered security features
SaaS
cloud provider is responsible for nearly all security
Logical Model
Infrastructure
Metastructure
Infostructure
Applistructure
Cloud Security Process Model
Identify Requirements Select Provider Define Architecture Assess Security Controls Identify Gaps Design and Implement Controls Manage Changes
Cloud Security Models
Conceptual Model/Framework
Control Model/Framework
Reference Architecture
Design Patterns
Design patterns
are reusable solutions to problems
Reference architectures
templates for implementing cloud security, typically generalized They can be very abstract, bordering on conceptual, or quite detailed
Controls models or frameworks
specific cloud security controls or
categories of controls, such as the CSA CCM
Conceptual models or frameworks
visualizations and descriptions used to explain cloud security concepts and principles
Infrastructure
Core components of a computing system: compute, network, and storage foundation that everything else is built on
Metastructure
protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The Glue that holds it all together. Main difference between cloud and traditional computing
Infostructure
data and information. Content in a database, file storage, etc.
Applistructure
applications deployed in the cloud and the underlying application services used to build them
Three main aspects of BC/DR
- Ensuring continuity and recovery. tools and techniques to best architect cloud deployment, keep things running.
- Preparing for and managing provider outages.
- Considering options for portability in case you need to migrate providers or platforms
BC/DR
is a shared responsibility takes a risk-based approach must account for the entire logical stack
Enterprise risk management (ERM)
includes managing overall risk for the organization, aligned to the organization’s governance and risk tolerance. Enterprise risk management includes all areas of risk, not merely those concerned with technology
Based on Shared Responsibility Model
Governance
(Cannot be Outsourced)
includes the policy, process, and internal controls that comprise how an organization is run. Everything from the structures and policies to the leadership and other mechanisms for management
Information risk management
covers managing the risk to information, including information technology
Information security
is the tools and practices to manage risk to information
Contracts:
primary tool of governance is the contract between a cloud provider and a cloud customer (this is true for public and private cloud). The contract is your only guarantee of any level of service or commitment—assuming there is no breach of contract
Supplier Assessments:
assessments are performed by the potential cloud customer using available information and allowed processes techniques. They combine contractual and manual research with third-party attestations and technical research
Attestation
legal statements often used to communicate the results of an assessment or audit
Compliance reporting
The documentation on a provider’s internal (i.e. self) and external compliance assessments Can be performed by provider, customer or 3rd party (preferred)
Cloud Security Alliance STAR Registry
an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire
Risk tolerance
amount of risk that the leadership and stakeholders of an organization are willing to accept. It varies based on asset and you shouldn’t make a blanket risk decision about a particular provider; rather, assessments should align with the value and requirements of the assets involved
Cloud Risk Management Tools
- Request or acquire documentation.
- Review their security program and documentation.
- Review any legal, regulatory, contractual, and jurisdictional requirements for both the provider and yourself.
- Evaluate the contracted service in the context of your information assets.
- Separately evaluate the overall provider, such as finances/stability, reputation, and outsourcers.
Residual risk
after all your assessments and the controls that you implement yourself there is still residual risk your only options are to transfer it,
accept the risk, or avoid it
Data Protection
Laws and regulations vary greatly depending on location of provider, user, servers, data subject, treaties
Cross-border Data Transfers
countries prohibit or restrict the transfer of information out of their borders. In most cases, the transfer is permitted only if the country to which the data is transferred offers an “adequate level of protection”
General Data Protection Regulation (GDPR)
directly binding on any corporation that processes the data of EU citizens, and will be adjudicated by the data supervisory authorities or the courts of the member states that have the closest relationship with the individuals or the entities on both sides of the dispute
Applicability
processing of personal data in the context of the activities of an establishment of a controller or processor
Processing of personal data is allowed if?
(a) the data subject has freely given specific, informed, and unambiguous indication of his/her consent to the processing of his/her personal data or
(b) the processing is authorized by a statutory provision
Accountability Obligations
requirements placed companies to keep records of their data processing activities
Data Subjects’ Rights
subjects have rights to information regarding the processing of their data: the right to object to certain uses of their personal data; to have their data corrected or erased; to be compensated for damages suffered because of unlawful processing; the right to be forgotten; and the right to data portability
Network Information Security Directive
framework to enable networks and information systems to resist, at a given level of confidence
Scope of Preservation
Data that a requesting part is entitled to. It is hosted in the cloud and contains, or is reasonably calculated to lead to, relevant, probative information for the legal issue at hand
Dynamic and Shared Storage
cloud environment that programmatically modifies or purges data, or one where the data is shared with people unaware of the need to preserve, preservation can be more difficult.
Access and Bandwidth
Clients ability to access it own data.
Determined by Service Level Agreements.
Ability to collect large volumes of data quickly and in a forensically sound manner may be limited
Forensics
by-bit imaging of a cloud data source is generally difficult or impossible. For obvious security reasons, providers are reluctant to allow access to their hardware, particularly in a multitenant environment where a client could gain access to other clients’ data
Reasonable Integrity
reasonable steps to validate that its collection from its cloud provider is complete and accurate, especially were ordinary business procedures for the request are unavailable and litigation-specific measures are being used to obtain the information
Limits to Accessibility:
When Cloud customer cannot access their data due to access rights, privileges and how data is stored
Compliance
validates awareness of and adherence to corporate obligations (e.g., corporate social responsibility, ethics, applicable laws, regulations, contracts, strategies, and policies)
Audits
key tool for proving (or disproving) compliance
pass-through audits
providers certified for various regulations and industry requirements, such as PCI DSS, SOC1, SOC2, HIPAA, best practices/frameworks like CSA CCM, and global/regional regulations like the EU GDPR
Artifacts
The logs, documentation, and other materials needed for audits and compliance; they are the evidence to support
compliance activities
Multitenancy data governance
data is stored in the public cloud, it’s stored on shared infrastructure with other, untrusted tenants
Shared security responsibility
Data is now more likely to be owned and managed by different teams or even organizations
Ownership
Owner of the data, may not always be clear and depends on laws, contracts, and policies
Custodianship
Refers to who is managing the data
Jurisdictional boundaries and data sovereignty
Locations where the data is stored
3 things that are impacted by cloud due to the combination of a third-party provider and jurisdictional changes
Compliance, regulations, and privacy policies
Destruction and removal of data
ties into the technical capabilities of the cloud platform. Can you ensure the destruction and removal of data in accordance with policy
Information Classification
Tied to compliance, determines how and where data can and cannot be stored. (Personnel files, Medical files etc.)
Information Management Policies
tie to classification and the cloud needs to be added if you have them. They should also cover the different SPI tiers, since sending data to a SaaS vendor versus building your own IaaS app is very different
Data Security Lifecycle
Create, Store, Use, Share, Archive, Destroy ↻
Create
Creation is the generation of new digital content, or the alteration/updating/modifying of existing content
Store
Storing is the act committing the digital data to some sort of storage repository and typically occurs nearly simultaneously with creation
Use
Data is viewed, processed, or otherwise used in some sort of activity, not including modification
Share
Information is made accessible to others, such as between users, to customers, and to partners
Archive
Data leaves active use and enters long-term storage
Destroy
Data is permanently destroyed using physical or digital means (e.g., cryptoshredding)
3 Function with Data
Read: ad the data, including creating, copying, file transfers, dissemination, and other exchanges
Process: transaction on the data; update it, use it
Store. Hold the data (in a file, database, etc.)
management plane
is the single most significant security difference between traditional infrastructure and cloud computing
• The cloud provider is responsible for ensuring the management plane is secure and necessary security features are exposed to the cloud user, such as granular entitlements to control what someone can do even if they have management plane access.
• The cloud user is responsible for properly configuring their use of the management plane, as well as for securing and managing their credentials
Architect for Failure
Do not rely on traditional strategies (lift and shift) when migrating to the cloud. They will be less resilient. Leverage new cross platform and isolation technologies to improve failover
Ways to access the Management Plane
APIs and web consoles are the way the management plane is delivered
Software Development Kits (SDKs) and Command Line Interfaces (CLIs)
Tools provided by the cloud provider to make integration easier
Identity and Access Management (IAM)
identification, authentication, and authorizations. How you determine who can do what within your cloud
authentication mechanisms in REST
HTTP request signing and OAuth are the most common; both leverage cryptographic techniques to validate
Protecting from attacks against the management plane’s components itself, such as the web and API servers. It includes both lower-level network defenses as well as higher-level defenses against application attacks
Perimeter Security
Customer authentication
Providing secure mechanisms for customers to authenticate to the management plane should support MFA as an option or requirement
Internal authentication and credential passing
mechanisms your own employees use to connect with the non-customer-facing portions of the management plane
Authorization and entitlements
Right and access given to customer and administrators.
Logging, monitoring, and alerting
Are essential for effective security and compliance Alerting of unusual events is an important security control to ensure that monitoring is actionable
Chaos Engineering
used to help build resilient cloud deployments. Since everything cloud is API-based, Chaos Engineering uses tools to selectively degrade portions of the cloud to continuously test business continuity
two macro layers to infrastructure
Fundamental resources and abstract/virtual layer
Cloud Network Types
service network for communications between virtual machines and the Internet
&
storage network to connect virtual storage to virtual machine
&
management network for management and API traffic
Software Defined Networking (SDN):
complete abstraction layer on top of networking hardware, SDNs decouple the network control plane from the data plane
Challenges of Virtual Appliances
Bottlenecks, resource consumption, auto-scaling, geographical location, resiliency
SDN Security Benefits
Isolation is easier, firewalls with more flexible parameters and more granular
Microsegmentation
leverages virtual network topologies to run more, smaller, and more isolated networks without incurring additional hardware costs that historically make such models prohibitive
3 Parts of Software Defined Perimeter (SDP)
SDP controller for authenticating and authorizing
SDP clients and configuring the connections to
SDP gateways for terminating
Bastion
Hybrid cloud architecture to allow connections to multiple cloud networks to data centers using a single hybrid connection
Containers
code execution environments that run within an operating system only has access to the processes and capabilities defined in the container configuration
Platform-based workloads
Stored procedure running inside a multitenant database, or a machine-learning job running on a machine-learning Platform as a Service
Serverless computing
any situation were the cloud user doesn’t manage any of the underlying hardware or virtual machines, and just accesses exposed functions
Immutable workloads Benefits
No longer patching running systems
You can, and should, disable remote logins to running workloads
faster to roll out updated versions
easier to disable services and whitelist applications/processes
security testing can be managed during image creation, reducing the need for vulnerability assessment
Immutable requirements
Constant image creation
Security testing built into image creation
Image config needs to be able to disable logins
Increased complexity to manage
Challenges to Vulnerability Assessment
Cloud owner will typically require notification of assessments and place limits on the nature of assessments
Default deny networks further limit the potential effectiveness of an automated network Assessment
Assessments can be run during the image creation process for immutable workloads
Penetration testing is less affected since it still uses the same scope as an attacker
Cloud Provider Compute Virtualization responsibilities
Ensure isolation
Secure underlying infrastructure and virtualization technology
Cloud User Compute Virtualization responsibilities
Security settings, such as identity management, to the virtual resources
Monitoring and logging
Image asset management
Use of dedicated hosting, if available
(Everything they build on top of the providers network )
Cloud Overlay Networks
Special kind of WAN virtualization technology for created networks that span multiple “base” networks
2 main types of Storage virtualization
Storage Area Network (SAN) and Network-Attached Storage (NAS)
3 components of a Container
Execution environment
Orchestration and scheduling
Repository for execution
Incident Response Lifecycle
Preparation
Detection & Analysis
Containment, Eradication, Recovery
Post-Mortem
Preparation:
Establishing an incident response capability so that the organization is ready to
respond to incidents.
• Process to handle the incidents.
• Handler communications and facilities.
• Incident analysis hardware and software.
• Internal documentation (port lists, asset lists, network diagrams, current baselines of
network traffic).
• Identifying training.
• Evaluating infrastructure by proactive scanning and network monitoring, vulnerability
assessments, and performing risk assessments.
• Subscribing to third-party threat intelligence services.
Detection and Analysis
- Alerts, indicators of compromise, baseline and anomaly detection
- Validate alerts (reducing false positives) and escalation.
- Estimate the scope of the incident.
- Assign an Incident Manager who will coordinate further actions.
- Designate a spokes person to communicate to senior management.
- Build a timeline of the attack.
- Determine the extent of the potential data loss.
- Notification and coordination activities.
Containment, Eradication, Recovery
• Containment: Taking systems offline. Considerations for data loss versus service
availability. Ensuring systems don’t destroy themselves upon detection.
• Eradication and Recovery: Clean up compromised devices and restore systems to normaloperation. Confirm systems are functioning properly. Deploy controls to prevent similar incidents.
• Documenting the incident and gathering evidence (chain of custody).
Post Mortem
What could have been done better? Could the attack have been detected sooner? What
additional data would have been helpful to isolate the attack faster? Does the IR process
need to change? If so, how?
Cloud jump kit
tools needed to investigate in a remote location
Forensics and investigative support
Snapshotting the storage of the virtual machine.
Capturing any metadata at the time of alert
If your provider supports it, “pausing” the virtual machine, which will save the volatile memory state.
Service Level Agreement (SLA)
Contract describing the level of support users will get from providers incase of an incident
How often should IR Testing be done?
will be conducted at least annually or whenever there are significant changes to the application architecture
Application Sec Opportunities
Higher baseline security. Responsiveness Isolated environments Independent virtual machines Elasticity DevOps Unified Interface
Application Sec Challenges
Limited detailed visibility
Increased application scope.
Changing threat models
Reduced transparency
Secure Software Development Lifecycle (SSDLC):
series of security activities during all phases of application development, deployment, and operations
Five main phases in secure application design and development
Training Define Design Develop Test
Benefits of DevOps and Continuous Integration/Continuous Deployment (CI/CD)
Standardization: Automated testing: Immutable: CI/CD pipelines Improved auditing and change management: SecDevOps/DevSecOps and Rugged DevOps:
SSDLC Model
Secure Design and Development
Secure Deployment
Secure Operations
Training
- Secure Coding Practices
- Writing security tests
- Provider/Platform Technical Training
Define
When the cloud user determines the approved architectures or features/tools for the provider, security standards, and other requirements
Design
Threat modeling
Secure design
Develop
Code review
Unit testing
Static Analysis
Dynamic Analysis
Test
- Vulnerability Assessment
- Dynamic Analysis
- Functional tests
- QA
Secure Deployment
security and testing activities when moving code from an isolated
development environment into production such as
Code Review
Unit, regression, and functional testing
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
How Cloud Impacts Application Design and Architectures
Segregation by default
Immutable infrastructure
Increased use of micro-services
PaaS and “serverless” architectures
Event driven security:
Management plane detects various activities—such as a file being uploaded to a designated object storage location or a configuration change to the network or identity management—which can in turn trigger code execution through a notification message, or via serverless hosted code
Data security Buckets
Controlling what goes in
Protecting and Managing
Enforcing information lifecycle management security
Data Storage types
Object: storage is like a file system
Volume storage: This is essentially a virtual hard drive
Database: Like any other database
Application/platform: Examples of these would be a content delivery network (CDN), files stored in SaaS, caching, and other novel options
Data dispersion aka data fragmentation of bit splitting
redundant, durable storage mechanisms takes chunks of data, breaks them up, and then stores multiple copies on different physical storage to provide high durability
Cloud Access and Security Brokers (CASB) aka Cloud Security Gateways
Used to discover internal use of cloud services using various mechanisms such as network monitoring, integrating with an existing network gateway or monitoring tool, or even by monitoring DNS queries
URL filtering
Tool to monitor network traffic, gateway may help you understand which cloud services your users are using
Data Loss Prevention (DLP)
tool may also help detect data migrations to cloud services
Cloud Data Access Controls 3 layers
Management plane
Public and internal sharing controls
Application-level controls
Encryption
Encryption
protects data by applying a mathematical algorithm that “scrambles” the data, which then can only be recovered by running it through an unscrambling (decryption) process with a corresponding key
Tokenization
takes the data and replaces it with a random value. often used when the format of the data is important
Instance-managed encryption
encryption engine runs within the instance, and the key is stored in the volume but protected by a passphrase
or keypair
Externally managed encryption
Encryption engine runs in the instance, but the keys are managed externally and issued to the instance on request
Key management options
HMS/Appliance
Virtual Appliance
Cloud Provider
Hybrid
HSM/appliance
Traditional hardware security module needs to be on-premises, and deliver the keys to the cloud over a dedicated connection
Virtual appliance/software
Software-based key manager in the cloud
Cloud provider Encryption
Key management service offered by the cloud provider understand the security model and SLAs to understand if
your key could be exposed
Hybrid Encryption
combination, such as using a HSM as the root of trust for keys but then delivering application-specific keys to a virtual appliance
Digital Rights Management (DRM)/Enterprise Rights Management (ERM)
are based on encryption and existing tools may break cloud capabilities especially in SaaS
Full DRM
Full digital rights management using an existing tool
Provider-based control:
cloud platform may be able to enforce controls very similar to full DRM by using native capabilities
Data Masking and Test Data Generation
These are techniques to protect data used in development and test environments, or to limit real-time
access to data in applications
Test data generation
creation of a database with non-sensitive test data based on a “real” database
Dynamic masking
rewrites data on the fly, typically using a proxy mechanism, to mask all or part of data delivered to a user
Managing data location/residency
Ability to disable unneeded locations and protect the data even it it changes locations
Identity:
the unique expression of an entity within a given namespace. An entity can have
multiple digital identities
Entity
the person or “thing” that will have an identity. It could be an individual, a system, a device, or application code.
Identifier
how an identity can be asserted. For digital identities this is often a cryptological token
Attributes:
facets of an identity
Persona:
the expression of an identity with attributes that indicates context
Role
identities can have multiple roles which indicate context
Authentication
the process of confirming an identity (Username and password)
Multifactor Authentication (MFA):
use of multiple factors in authentication. Common options include one-time passwords generated by a physical or virtual device/token (OTP)
Access control
restricting access to a resource
Authorization:
allowing an identity access to something
Entitlement:
mapping an identity (including roles, personas, and attributes) to an authorization
Federated Identity Management
the process of asserting an identity across different systems (Single Sign on)
Authoritative source
the “root” source of an identity, such as the directory server that manages employee identities
Identity Provider
the source of the identity in federation
Relying Party
the system that relies on an identity assertion from an identity provider
IAM Standards
SAML OAuth OpenID XACML SCIM
Security Assertion Markup Language (SAML)
OASIS standard for federated identity management that supports both authentication and authorization. It uses XML to make assertions between an identity provider and a relying party
OAuth
is an IETF standard for authorization that is very widely used for web services as it was designed for HTTP
OpenID
is a standard for federated authentication that is very widely supported for web
services. It is based on HTTP with URLs
eXtensible Access Control Markup Language (XACML)
is a standard for defining attribute-based access controls
System for Cross-domain Identity Management (SCIM)
is a standard for exchanging identity information between domains
Identity Broker Models
Hub and Spoke
Free Form
Free-Form
internal identity providers/sources (often directory servers) connect directly to cloud providers
Hub and spoke:
internal identity providers/sources communicate with a central broker or repository that then serves as the identity provider for federation to cloud providers
Identity brokers
handle federating between identity providers and relying parties
Security as a Service (SecaaS)
security products or services that are delivered as a cloud service meet the essential NIST characteristics
SecaaS Benefits
Cloud-computing benefits Staffing and expertise. Intelligence-sharing. Deployment flexibility. Insulation of clients. Scaling and cost
SecaaS Concerns
Lack of visibility. Regulation differences Handling of regulated data Data leakage Changing providers Migration to SecaaS.
Intrusion Detection/Prevention (IDS/IPS)
monitoring behavior patterns using rule-based, heuristic, or behavioral models to detect anomalies in activity which might present risks to the enterprise
Security Information & Event Management (SIEM)
Collecting (via push or pull mechanisms) log and event data from virtual and real networks, applications, and systems
Big data
collection of technologies for working with extremely large datasets that traditional data-processing tools are unable to manage
Distributed data collection:
Mechanisms to ingest large volumes of data, often of a streaming nature
Distributed storage
ability to store the large data sets in distributed file systems
Distributed processing
Tools capable of distributing processing jobs for the effective analysis of data sets so massive and rapidly changing that single origin processing can’t effectively handle them
Internet of Things (IoT)
Blanket term for non-traditional computing devices used in the physical world that utilize Internet connectivity
ENISA Security Benefits
SECURITY AND THE BENEFITS OF SCALE SECURITY AS A MARKET DIFFERENTIATOR STANDARDISED INTERFACES FOR MANAGED RAPID, SMART SCALING OF RESOURCES AUDIT AND EVIDENCE-GATHERING MORE TIMELY, EFFECTIVE AND EFFICIENT UPDATES AND DEFAULTS BENEFITS OF RESOURCE CONCENTRATION
ENISA Risks
LOSS OF GOVERNANCE: LOCK-IN: ISOLATION FAILURE COMPLIANCE RISKS MANAGEMENT INTERFACE COMPROMISE DATA PROTECTION INSECURE OR INCOMPLETE DATA DELETION MALICIOUS INSIDER
CAIQ
is a standard template for cloud providers to document their security and compliance controls.
Cloud Controls Matrix (CCM)
lists cloud security controls and maps them to multiple security and compliance standards
True or False
NIS Directive establishes a framework to enable networks and information systems to resist at a given level of confidence actions that compromise the availability authenticity integrity or confidentiality of stored transmitted or processed data or the related services that are offered by or accessible through those networks and information systems
TRUE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Granular Entitlements
Enable customers to securely manage their own users and administrators. Internally, granular entitlements reduce the impact of administrators’ accounts being compromised or employee abuse