CCSK-Combined Flashcards
What are the five essential characteristics of cloud computing as defined by NIST?
Broad Network Access, Rapid Elasticity, Measured Service, On-Demand Self-Service, Resource Pooling
The level of attention and scrutiny paid to enterprise risk assessments should be directly related to what?
The value at risk
In the majority of data protection laws, when the data is transferred to a third party custodian, who is ultimately responsible for the security of the data?
The Data Controller
What is the most important reason for knowing where the cloud service provider will host the data?
So that it can address the specific restrictions that foreign data protection laws may impose.
What are the six phases of the data security lifecycle?
Create, Store, Use, Share, Archive, Destroy
Why is the size of data sets a consideration in portability between cloud service providers?
The sheer size of data may cause an interruption of service during a transition, or a longer transition period than anticipated.
What are the four D’s of perimeter security?
Deter, Detect, Delay, Deny
In which type of environment is it impractical to allow the customer to conduct their own audit, making it important that the data center operators are required to provide auditing for the customers?
In multi-tenant environments the operator or provider cannot normally accommodate visits by every customer to conduct an audit.
What measures could be taken by the cloud service provider (CSP) that might reduce the occurrence of application level incidents?
SaaS providers that generate extensive customer-specific application logs and provide secure storage as well as analysis facilities will ease the IR burden on the customer.
How should an SDLC be modified to address application security in a Cloud Computing environment?
Organizations must adopt best practices for development, either by having a good blend of processes, tools, and technologies of their own or adopting one of the maturity models.
What is the most significant reason that customers are advised to maintain in-house key management?
To be able to prove that all data has been deleted from the public cloud environment when exiting that environment.
What two types of information will cause additional regulatory issues for all organizations if held as an aspect of an Identity?
PII - Personal Identifiable Information; SPI - Sensitive Personal Information
Why do blind spots occur in a virtualized environment, where network-based security controls may not be able to monitor certain types of traffic?
Virtual machines may communicate with each other over a hardware backplane, rather than a network.
When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?
Agreement on the metrics defining the service level required to achieve regulatory objectives
Economic Denial of Service (EDOS) refers to…
The destruction of economic resources; the worst case scenario would be bankruptcy of the customer or a serious economic impact
How does SaaS alleviate much of the consumer’s direct operational responsibility?
The provider is not only responsible for the physical and environmental security controls, but it must also address the security controls on the infrastructure, the applications, and the data.
In Europe, name the group that has enacted data protection laws and the principles they follow.
The European Economic Area (EEA) Member States follow principles set forth in the 1995 European Union (EU) Data Protection Directive and the 2002 ePrivacy Directive as amended in 2009.
What is the minimum that U.S. state laws require when using a Cloud Service Provider?
Written contract with the service provider with reasonable security measures.
What must be included between an organization and a Cloud Service Provider when the organization has contractual obligations to protect the personal information of their clients, contacts or employees, to ensure that the data are not used for secondary use and are not disclosed to third parties?
The organization must ensure contractually that it will have the continued ability to meet the promises and commitments that it made in its privacy notice(s) or other contracts.
What is a click-wrap agreement?
A non-negotiated contract
How does an organization respond to the evolving nature of the cloud environment?
Periodic monitoring, testing, and evaluation of the services.
What must a U.S. litigant provide during e-discovery?
All documents that pertain to the case whether favorable to its case or the other litigant’s case.
What is ESI?
Electronically Stored Information
What are four considerations for a cloud customer to understand in reference to regulatory compliance?
Cross-border or multi-jurisdiction; assignment of compliance responsibilities, including the CSP’s providers; CSP capability to show compliance; relationship between all parties, including customer, CSP, auditors and CSP’s providers
What role do audits perform in the cloud relationships?
Audits must be independently conducted and should be robustly designed to reflect best practice, appropriate resources, and tested protocols and standards.
At what stage should compliance be addressed between an organization and CSP?
Requirements identification stage
What is multi-tenancy?
Use of same resources or application by multiple customers that may belong to the same organization or a different organization.
What does a cloud service model need to include for multi-tenancy consumers?
Policy-driven enforcement, segmentation, isolation, governance, service levels, chargeback/billing models
What services can be shared in multi-tenancy cloud service models?
Infrastructure, data, metadata, services, applications
What three cloud services make up the Cloud Reference Model?
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)
Define IaaS
IaaS delivers computer infrastructure as a service along with raw storage and networking.
Define PaaS
PaaS delivers computing platform and solution stack as a service.
Define SaaS
SaaS delivers software and its associated data hosted centrally, typically in the cloud, and usually accessed by users via a web browser over the Internet.
List the four dimensions in the Jericho Cloud Cube Model
Internal (I) / External (E): physical location; Proprietary (P) / Open (O): state of ownership; Perimeterised (Per) / De-perimeterised (D-p): architectural mindset; Insourced / Outsourced: who provides the cloud service
List the four cloud deployment models
Public, Private (internal/external), Hybrid, Community
What is the key takeaway for security architecture?
The lower down the stack the CSP stops, the more security capabilities and management consumers are responsible for implementing and managing themselves.
What are the risks and pitfalls to consider in the Cloud Security Reference Model?
How/where cloud services are deployed; manner in which cloud services are consumed; re-perimeterization of enterprise networks; types of assets, resources and information being managed; who manages them and how; which controls are selected and how they are integrated; compliance issues
How do you determine the general security posture of a service and how it relates to an asset’s assurance and protection requirements?
Classify a cloud service against the cloud architectural model; map the security architecture and business, regulatory, and other compliance requirements as a gap-analysis exercise
What do cloud service brokers provide?
Intermediation, monitoring, transformation/portability, governance, provisioning, integration services, and relationship negotiation between CSP and consumers
What is included in a Service Level Agreement (SLA)?
Service levels, security, governance, compliance, and liability expectations of the service and provider
What are two types of Service Level Agreements (SLA)?
Negotiable, non-negotiable
Name the five basic principles followed in Corporate Governance.
Auditing supply chains; board and management structure and process; corporate responsibility and compliance; financial transparency and information disclosure; ownership structure and exercise of control rights
Define Corporate Governance
The set of processes, technologies, customs, policies, laws and institutions affecting the way an enterprise is directed, administered or controlled.
Define Information Risk Management
The process of identifying and understanding exposure to risk and the capability of managing it, aligned with the risk appetite and tolerance of the data owner.
Define Enterprise Risk Management
The methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.
List four of the specific risks identified and analyzed by management in a cloud environment.
Avoidance: exiting the activities giving rise to risk; Reduction: taking action to reduce the likelihood or impact related to the risk; Share or insure: transferring or sharing a portion of the risk to finance it; Accept: no action is taken due to a cost/benefit decision
What should be specifically targeted in the assessment of a CSP’s third party service providers?
Incident management; business continuity; disaster recovery policies, processes and procedures; review of co-location and back-up facilities
What is a CSP’s supply chain?
Their service provider relationships and dependencies
How should the cost savings obtained by cloud computing services be utilized?
Reinvest into increased scrutiny of the security capabilities of the provider, application of security controls, and ongoing detailed assessments and audits to ensure requirements are continuously met.
Define Public Cloud
The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Define Private Cloud
The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premise or off-premise.
Define Community Cloud
The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy or compliance considerations). It may be managed by the organizations or by a third party and may be located on-premise or off-premise.
Define Hybrid Cloud
The cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Define Cloud Bursting
Where an enterprise shares the load with external cloud providers to meet peak demands
In most jurisdictions in the U.S., what types of information is a party obligated to produce?
Documents and data within its possession, custody or control.
What types of data hosted by a CSP could be outside the control of a client?
Disaster recovery systems; certain metadata created and maintained by the CSP to operate its environment
What should a client account for during e-discovery?
Additional time and expense where a client may not have the ability or administrative rights to search or access all of the data hosted in the cloud.
In the U.S., what is generally considered to be the obligation of a client who knows, or reasonably should know, that data is relevant to a pending or reasonably anticipated litigation or government investigation?
To undertake reasonable steps to prevent the destruction or modification of data or information in its possession, custody or control.
Who is held liable for acts of a subcontractor?
Government agencies, such as the FTC or the state Attorney General, have consistently held organizations liable for the activities of their subcontractors.
What do the GLBA and HIPAA require between an organization and their subcontractor?
The security and privacy rules require organizations to compel their subcontractors in written contracts to use reasonable security measures and comply with data privacy provisions.
What two general categories do assets supported by the cloud fall into?
1. Data; 2. Applications/Functions/Process
What is the first step in evaluating risk for the cloud?
Determine exactly what data or function is being considered for the cloud.
What is the second step in evaluating risk for the cloud?
Determine how important the data or function is to the organization.
For each asset, what three areas are assessed if all or part of the asset is handled in the cloud?
1. Confidentiality; 2. Integrity; 3. Availability requirements
For each asset, what six areas are examined in how the organization would be harmed if all or part of the asset is handled in the cloud?
1. If the asset became widely public and widely distributed; 2. If an employee of the cloud provider accessed the asset; 3. If the process or function were manipulated by an outsider; 4. If the process or function failed to provide expected results; 5. If the information/data were unexpectedly changed; 6. If the asset were unavailable for a period of time
What is the third step in evaluating risk for the cloud?
Determine which deployment models are best suited to the organization
What is the fourth step in evaluating risk for the cloud?
Evaluate potential cloud service providers
How do you prevent scope creep?
Determine potential uses of the data or function being considered for the cloud.
Define cloud computing
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.
Define multi-tenancy in cloud service models
The need for policy-driven enforcement, segmentation, isolation, governance, service levels, and chargeback/billing models for different consumer constituencies.
Name two mechanisms to automate monitoring and testing of cloud supply chains.
CloudAudit, Cloud Trust Protocol
______ is the foundation of all cloud services as described in the Cloud Reference Model.
IaaS
The Jericho Cloud Cube Model is based upon ____ dimensions.
4
The notion of how cloud services are ______ is often used interchangeably with where they are _______, which can lead to confusion.
Deployed, provided
Amazon’s AWS EC2 _______________ offering includes vendor responsibility for security up to the hypervisor.
Infrastructure as a service
___________ as a service provides a set of APIs, which allows management and other forms of interaction with the ______________ by consumers.
Infrastructure
____ sits on top of _____ and adds an additional layer of integration with application development frameworks, middleware capabilities, and functions such as database, messaging, and queuing.
PaaS, IaaS
Public or private clouds may be described as ____________, which may not be accurate in all situations.
External or internal
The _________ and the erosion of trust boundaries already happening in the enterprise is amplified and accelerated by cloud computing.
Re-perimeterization
A LAMP stack deployed on Amazon’s AWS EC2 would be classified as a public, off-premise, third-party managed _____ solution.
IaaS
The Cloud Cube Model highlights the challenges of understanding and mapping cloud models to control frameworks and standards such as ____________
ISO/IEC 27002
Security controls in cloud computing are ______________ security controls in any IT environment.
No different than
An effective governance and enterprise risk management cloud computing program flows from well-developed information security governance processes as part of the organization’s overall corporate governance obligations to _______.
Due care
For many cloud deployments, a major element of governance will be the agreement between __________________
Provider and customer.
_______ is the set of processes, technologies, customs, policies, laws, and institutions affecting the way an enterprise is directed, administered or controlled.
Corporate governance
Good governance is based on the acceptance of the rights of __________ as the true owners of the corporation, and the role of senior management as trustees.
Shareholders
If that results in less confidence in a particular vendor, then further engagement with that vendor is_____
Less likely
Stakeholders should carefully consider the _____________________ that are appropriate and necessary for the company’s consistent performance and growth.
Monitoring mechanisms
In a cloud environment, a technologist selects a risk response strategy for specific risks identified and analyzed, which is typically _______.
Reduction
Assessment of third party service providers should specifically target the provider’s ___________.
Incident management
Reinvest the cost savings obtained by cloud computing services into __________________ capabilities of the provider, application of security controls, and ongoing detailed assessments and audits to ensure requirements are continuously met.
Increased scrutiny of the security
Each of these laws includes a security requirement and places on the __________ the burden of ensuring the protection and security of personal data wherever the data are located, and especially when transferring to a third party.
Data custodian
_____ applies to credit card data anywhere in the world, including data processed by subcontractors, and has similar requirements to other regulatory bodies.
PCI
When data is transferred to a cloud, the ultimate responsibility for protecting and securing the data typically remains with the ______________, even if in some circumstances, this responsibility may be shared with others.
Data owner
Before entering into a cloud computing arrangement, the most important issue a company should evaluate is _____________ associated with a proposed cloud computing transaction.
Compliance requirements
Depending on the nature of the services, the contract may commonly be in the form of a _____________ agreement, which is never negotiated.
Click-wrap
One of the particularities of the ________ judicial system - in great contrast to most other countries - is that a litigant must provide its adversary with ALL documents that pertain to the case.
American
In certain litigations and investigations, the ___________ could itself be relevant to resolving the dispute in the litigation or investigation.
Cloud application
_____________________ can require that large volumes of data be retained for extended periods.
Preservation
________ of a cloud data source is generally difficult or impossible.
Bit-by-bit imaging
All stakeholders expect organizations to proactively comply with regulatory guidelines and requirements across multiple _________.
Jurisdictions
______ is focused on aligning with external requirements while _______ is focused on aligning with internal requirements.
Compliance, governance
By leveraging cloud services, sub-scale organizations can achieve ___________ of compliance as much larger and highly resourced entities.
The same level
The role of __________________ needs to be carefully considered, and responsibility for including them in governance, indirectly or directly, should be explicitly assigned within the customer organization.
External providers
Audit must be ____________________ and should be robustly designed to reflect best practice, appropriate resources, and tested protocols and standards.
Independently conducted
Particularly important to outsourcing and regulations are __________ requirements and obligations.
Chained
Any information processed, transmitted, stored, or viewed that is identified as _______________ information faces a plethora of compliance regulation worldwide that may vary by country or state.
Personal Identifiable Information
____________ is a technique that is commonly used to improve data security, but without the use of encryption mechanisms.
Data Dispersion
The Data Security Lifecycle in order is
Create, Store, Use, Share, Archive, Destroy
Unlike with _________ the goal isn’t to label every piece of data in the organization, but rather to define high-level categories.
Data classification
File Activity Monitoring provides similar protection to _________________.
Database Activity Monitoring
In cloud deployments, and throughout the different service models, it’s important to protect data in transit. This includes:
Between cloud vendors
________ mandates that those components should be replaceable by new or different components from different providers and continue to work, as should the exchange of data between systems.
Interoperability
A lack of interoperability can lead to __________.
Lock-in
Using open standards for Identity such as ________________ will help to ensure portability.
SAML
Encryption keys should be escrowed _______________.
Locally
_______________ may cause an interruption of service during a transition, or a longer transition period than anticipated.
The size of data
A common scenario is “___________”, where an enterprise shares the load with external cloud providers to meet peak demands.
Cloud bursting
The Four D’s of Perimeter Security consist of _____________.
Deter, Detect, Delay and Deny
Segregation of duties originated in _________.
Accounting and financial management
The data center should be equipped with specific environmental support equipment according to published internal standards such as:
Uninterruptible power supply
The composition of the Emergency Response Team, Crisis Management Team and Incident response team should be reviewed in detail along with ________
Crisis communication procedure
The Restoration plan should incorporate and quantify the _____
Recovery Point Objective
Cloud providers should consider adopting as a security baseline the ______________ requirements of any customer, such that systems, facilities, and procedures are at a system high level.
Most stringent
Organizations building cloud data centers should incorporate management processes, practices, and software to understand and react to technology running _______.
Inside the data center
Given the controls in the Cloud Control Matrix the data center being built or purchased must conform to _____.
Physical and asset security requirements
Use _________ techniques to ensure availability, security, and asset delivery and management.
IT service management
Cloud computing does not necessitate a new conceptual framework for Incident Response; rather it requires that the organization appropriately _________
Maps its extant IR
________ offered by cloud infrastructures may dramatically complicate the IR process, especially the forensic activities carried out as part of the incident analysis.
Resource pooling
In a ____ solution, response activities will likely reside almost entirely with the CSP, whereas in ____ a greater degree of responsibility and capability for detecting and responding to security incidents may reside with the customer.
SaaS, IaaS
The most important part of preparing for an incident is ____ the plan.
Testing
_____________ examines the code as it executes in a running cloud application.
Dynamic code analysis
The type of cloud model has a huge impact on the penetration testing or in deciding if a penetration test is possible. Generally, ____ are likely to permit penetration testing.
SaaS, PaaS
Often user authentication and authorization are delegated to the customer’s user management system using a ______ standard.
Federation
____________________ refers to establishing/asserting the identity to the application.
Authentication
The user determines the access for their resources, and the service provider acts as ____________
Policy Enforcement Point
For unstructured files that must be protected when stored or shared in the cloud, using data-centric encryption you should ___
Apply protection directly to files
_____ can be avenues for data leakage.
Log files and metadata
When choosing encryption, use open, validated formats and avoid __________________ wherever possible.
Proprietary encryption formats
As the industry expands identity systems from single computers into global enterprises and then into cloud deployment models, the ability to identify all the entities involved in a transaction becomes significantly more difficult. This is a _
Scaling problem
_____ is the interconnection of disparate Directory Services.
Federation
The PDP and PEP will be part of an authorization eco-system that uses
XACML
In most cloud based systems, the Authorization layer is likely to be a _______ or the point that evaluates and issues authorization decisions, and the Access Management layer, the ____, the point that enforces the ___’s decision.
PDP, PEP, PDP
Implementers should, where possible, use federation based on open standards such as _________
SAML and OAuth
The primary concerns for enterprises and virtualization users should be ____
The proper management of configuration and operations
Virtual machines may communicate with each other over _______, rather than a network.
A hardware backplane
Installing security software designed for physical servers onto a virtualized server can result in _____
Degradation in performance
When a VM is moved from one physical server to another, enterprises need assurances that no bits are left behind on the disk that could be recovered by another user or when the disk is de-provisioned. _______are solutions to this problem.
Zeroing or encryption
Implement automated data discovery and labeling solutions to augment the data classification and control between virtual machines and environments. This is better known as:
DLP
Security in the cloud environment is often based on the concern that _____ security controls implemented means systems are not locked down as well as they are in traditional data centers.
Lack of visibility into
Security as a Service providers recognize the _____ of the relationship and often go to extreme lengths to ensure that their environment is locked down as much as possible.
Fragility
_______ presents concerns of data leakage between virtual instances.
Multi-tenancy
Companies that employ third party security service providers gain a competitive edge over their peers due to ____
Early access to information
Due to the ______________ delivered via the cloud, customers need only pay for the amount of security they require.
Elastic model of services
Isolation Failure is due to
Shared resources
An attacker uses a public channel to use up the customer’s metered resources from the cloud. This is a(n)
EDOS
Licensing conditions, such as _______ may become unworkable in a cloud environment.
Per-seat agreements, and online licensing checks
The ability of the cloud provider to dynamically reallocate resources for filtering, traffic shaping, authentication, encryption, etc., to defend against:
DDOS
The five key legal issues common across all scenarios according to ENISA are
Data protection, Confidentiality, Intellectual property, Professional negligence, Outsourcing services
We do not recommend that the customer look to be able to restrict ________ by the cloud provider.
The outsourcing of services