CCSK - V4 and ENISA (Quizlet) Flashcards
What is the standard cloud computing model used here?
NIST (National Institute of Standards and Technology, a US federal agency); the ISO definition is similar.
What are the five essential characteristics that NIST uses to define cloud computing?
1) broad network access 2) rapid elasticity 3) measured service 4) on-demand self service 5) resource pooling
What are the four cloud deployment models defined by NIST?
1) Public 2) Private 3) Hybrid 4) Community
What is a cloud broker?
Entity that manages the use, performance, and delivery of cloud services (and negotiates relationship with customer)
What is the Jericho Cloud Cube Model?
Four dimensions to differentiate cloud (or IT) formations:
1) External/Internal (physical location)
2) Proprietary/Open (technology)
3) Perimeterized/De-perimeterized (within firewall)
4) Outsourced/Insourced
What is the CSA Cloud Reference Model?
The service models fit in an architectural framework (where APIs are an important access mechanism)
What is Multi-tenancy (in the ISO definition)?
The characteristic of multiple independent consumers sharing resources, which implies a need for certain controls.
What are SLAs for?
Important control to allocate responsibility between consumer and provider. Shared responsibility model.
How do characteristics introduce risk?
Broad network access introduces the client device and the network as new sources of risk. Rapid Elasticity brings availability risks. Measured service can bring licensing risk. Resource pooling brings isolation related risks. On-demand self service introduces risks around who can control what.
What are Security concerns for hypervisor architecture?
VM hosts and guests need to be hardened; Hypervisor software and provenance is highest risk area.
What do you need to know about AV?
Don’t run AV scan inside VM; use hypervisor aware products.
What are blind spots?
Inter VM communication may not be visible in the physical network (i.e. through virtual switch or side channel) leading to blind spots.
What are VM isolation (compartmentalization) techniques?
LANs, IDS/IPS, Firewalls, zoning (combinations may be required for complian
How can VM persistent storage leak risk (safe destruction) be countered?
Storage level encryption
What is VM image risk?
Too many different images (sprawl) and images that are not up to date (staleness)
What is Commingling?
Sensitive data may be in non compliant zones.
Why is asset management more complicated?
Asset management for audit/monitoring is complicated by the extra need to track hosts as well as guests and images.
What is OVF?
Open Virtualization Format (helps ensure interoperability)
What is an instant-on gap?
Securely configured VM when off but vulnerable by the time it is started.
How do in-motion VM characteristics create complexity for audits?
The unique ability to move virtual machines from one physical server to another creates complexity for audits and security monitoring. In many cases, virtual machines can be relocated to another physical server (regardless of geographic location) without creating an alert or trackable audit trail.
What are the four D’s of perimeter security?
Deter, Detect, Delay and Deny
How are service levels established?
Documentation should make clear how service levels are maintained in the face of technical, natural, and malicious threats.
How is the risk of a real person and a real machine doing the work at a real location in the cloud managed?
BCM (Business Continuity Management) aims to reduce risk in this area.
Is automation of logging and reporting required (especially over multi-site datacenters)?
Yes
What are the six phases of the Data Security Lifecycle and their key elements?
The six phases of the data lifecycle with their top controls are create (classify), store (encryption), use (logical controls), share (DLP, encryption), archive (asset management), destroy (crypto shredding).
What are data at rest security options?
1) Data dispersion/fragmentation (spread over multiple disks)
2) Replication (multiple copies)
3) Encryption
At which locations can data-in-motion encryption be applied?
1) Application (server and/or client side encryption) 2) Link (for example: HTTPS, VPN) 3) Proxy based encryption (related to DLP)
What are all data in motion security options?
Data can be protected by access controls, encryption, database and file monitoring, URL or content based filtering (Data Loss or Leakage Prevention)
Why are data abstraction levels important?
Distinguish raw storage, volume storage, object storage, database, CDN (each of these abstractions has its own Features, Risks, Threats, and Control opportunity)
What is Portability?
The ease with which applications and data can be moved to a different provider (or into the cloud in the first place)
What is Interoperability?
Elements of the cloud ecosystem working together
What is an example of how open standards can ease interoperability (and portability)?
SAML
How can lock-in risk be mitigated?
Portability
What is WS-Security for?
WS-Security is for securing web services.
What is SAML for?
SAML is for making identities portable and inter-operable.
What is the portability solution for IaaS?
OVF (open virtualization format) - open standard virtual machine images
What is the portability solution for PaaS?
Open API
What should be included in every service offering?
IR functionality should be engineered into any service offering. Up to date contact lists. Responsibilities shift across service models. Virtualization can make IR and forensics easier, including offline analysis. IR readiness is something to check on an (internal) audit.
What is the main data source for analysis of an incident?
Logging.
How can incidents and/or their impact be reduced?
Customer specific application logs
What is the IR (Incident Response) lifecycle?
Preparation, detection & analysis, containment, eradication & recovery
How often should IR testing be performed?
At least annually
What is ENISA?
European Network and Information Security Agency
What are the top 8 risks according to ENISA?
1) LOSS OF GOVERNANCE (cloud provider does not commit to necessary task)
2) LOCK-IN (vendor lock-in)
3) ISOLATION FAILURE (one tenant influences another)
4) COMPLIANCE RISKS (audit impossible, or no evidence)
5) MANAGEMENT INTERFACE COMPROMISE
6) DATA PROTECTION (protection cannot be demonstrated)
7) INSECURE OR INCOMPLETE DATA DELETION
8) MALICIOUS INSIDER (cloud provider or auditor)
What are the key legal issues common across all scenarios?
Data protection, confidentiality, intellectual property, professional negligence, outsourcing services and changes in control
What is the underlying vulnerability in Loss of Governance?
The provider does not commit to controls that only it can implement.
What is user provisioning vulnerability?
Loss of control over user rights
What is the risk of a cloud provider being acquired?
New owner may not want to serve existing customers.
In Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring?
Consumer
What is isolation failure?
This is where multi-tenancy and resource sharing are defining characteristics of the cloud. Thus it is entirely likely for competing companies to be using the same cloud services, in effect, running their workloads shoulder-to-shoulder. Keeping memory, storage, and network access isolated is essential.
What is a data controller?
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.
What is a data processor?
A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
What is Economic Denial of Service?
An attacker uses a public channel to use up the customer’s metered resources - for example, where the customer pays per HTTP request, a DDoS attack can have this effect.
What are the main reasons for encryption?
1) Compliance
2) Threats (including system admins)
3) Provable deletion
Who should be in control of encryption key management?
The consumer (different entities/users should have different keys).
What are alternatives to encryption?
1) Tokenization (token instead of sensitive info)
2) Masking/anonymization (concealment of sensitive info)
3) Cloud based access/database controls
Proprietary encryption techniques should be avoided.
What is the first step in cloud security?
A good threat and risk modeling process
What are examples of cloud specific threats/risks?
1) External providers (e.g. auditors that need to look at log files)
2) Broad network accessibility (e.g. malicious actors or DDOS)
3) IaaS available (e.g. size breaks hardware)
4) API and other supply chain dependencies
What is IdEA?
Identity, entitlement, and access management
What threats does IdEA (identity, entitlement, and access management) protect against?
spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege (STRIDE)
Does cloud security require attention across the entire software development life cycle (SDLC) from design to operation?
Yes
What helps with multiple attributes as input for access decisions?
Entitlement matrix
What is an example of a threat model?
STRIDE
Does remote vulnerability testing (i.e. penetration testing) ever need to be coordinated with the provider?
Yes
What is Federated Identity Management for?
Federated identity management is about splitting the role of the identity provider from that of the relying parties to allow control over user access
How does Federated Identity Management help?
1) Supports consumer compliance
2) Reduces provider cost
*SSO (Single Sign on) is a use case
What are common Federated Identity Management technologies?
1) OpenID
2) OAuth-AD sync
3) ADFS-SAML
What is a big security issue related to Federated Identity Management?
Directories of identity providers are likely to contain PII (Personally Identifiable Information) or SPI (Sensitive Personal Information)
Who provides authorization with respect to Federated Identity Management?
The relying party
Identities have attributes that can be part of authentication and authorization decisions: name, age, location, device, etc - where do these come from?
All these may be provisioned from different sources.
What is PEP?
Policy Enforcement Point - Point which intercepts user’s access request to a resource, makes a decision request to the PDP (Policy Decision Point) to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision. PEP is likely to be application specific or on a network device.
Who is authoritative for identity with respect to Federated Identity Management?
Identity provider is authoritative for identity.
What are relevant Federated Identity Management standards?
SAML and WS-Federation, XACML, OpenID, OAuth
What is security as a service (SECaaS)?
SECaaS includes monitoring and control servers for security functions, such as intrusion detection, externally placed web and spam filtering, authentication, and more. Same pros and cons as cloud computing in general.
When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?
Quality of reports and/or reporting
What do you protect with encryption?
Data
What do you protect against with encryption?
Threats. With encryption you typically do not handle availability risks, you handle confidentiality and some integrity risks.
What is the residual risk after encryption?
Protection of the encryption key and availability of the key management.
What are Information risks classified into?
Confidentiality risks, integrity risks and availability risks.
What are associated risks to IT but not specific to it?
Legal risks, third-party risks, compliance risks
What are risk mitigation approaches?
Avoid, transfer, mitigate, accept. Risk management includes making sure all relevant risks are identified and treated.
What is the risk management process about?
Identifying risks (e.g. through a threat model), qualifying and prioritizing them, and recording the evidence of their mitigation, if any.
What is an ISMS?
Information security management system
Why is continuous attention to transparency on supply chain essential?
Every organization is part of a cloud supply chain which introduces third party risk
What are traditional methods of risk management and audit?
Scanning, penetration testing, and machine level logs. A cloud provider may restrict that, so new ways to do risk management must be found.
What do industry standard risk management practices include?
ISO 27000 series, NIST and the CSA cloud controls matrix.
What are the three dimensions of legal issues?
1) Functional - what does the service do for the consumer
2) Jurisdictional - location implies jurisdiction, implies rules on data handling
3) Contractual - contractual relates to termination clauses, escalation, etc.
What is Discovery?
Discovery is the process of finding information that has to be surrendered in a legal proceeding (litigation “hold”).
What are the five key legal issues according to ENISA?
1) Data protection
2) Confidentiality
3) Intellectual property
4) Professional negligence
5) Outsourcing services & changes in control
What is the European Data Protection Directive (DPD)?
1) Identifiable person
2) Controller
3) Processor
*Directive is implemented differently across states
What is a Data Processor?
Anyone who processes personal information on behalf of a data controller - the word ‘processes’ is very broadly defined, e.g. includes just storing
What is a Data Controller?
A cloud consumer who holds their customers’ personal data.
What is the most important tool to control providers?
Contracts are the most important tool to control providers
What is an essential part of any service?
The ability to access meta-data and log-files is an essential part of any service.
How should compliance requirements be treated?
As first class system requirements, on equal footing with any business requirement, and where necessary translated to obligations on subcontractors.
When was the ENISA document written?
2009
What is segregation of duties primarily for?
Contain personnel risks
Why do blind spots occur in a virtual environment?
Communication over hardware backplane instead of network
What is best practice for a datacenter audit?
The datacenter operator provides independent audit results
What is a characteristic of object data storage?
Can be accessed by API or web
What risk does an open and published web API prevent?
Data exchange between providers being interrupted.
What is recommended to improve application security in the cloud?
Use threat modeling adapted to the cloud
What is recommended to improve SDLC for application security in the cloud?
Include cloud specific threats into an adapted threat model
What is SAML?
Security Assertion Markup Language - an identity federation protocol which enables enterprises to use their preferred identity provider with cloud services
PEP is likely to be in which layer?
Access management layer
What are the principles of Corporate Governance?
Auditing supply chains
Board and management structure and process
Corporate responsibility and compliance
Financial transparency and information disclosure
Ownership structure and exercise of control rights
What are valid risk responses?
Avoidance—exiting the activities giving rise to risk
Reduction—taking action to reduce the likelihood or impact related to the risk
Share or insure—transferring or sharing a portion of the risk to finance it
Accept—no action is taken due to a cost/benefit decision
Is a company that stores its customers’ data at a cloud provider the Data Controller?
Yes
Who is responsible for data when it has been transferred to a third party?
The data custodian
What is the best description for Corporate Governance?
Balance control between important stakeholders within the organization
According to ENISA, is the cloud consumer most often a Data Controller?
Yes
According to ENISA, is the inability of a customer to apply required security controls a “loss of governance”?
Yes
What is volume storage?
This includes volumes attached to IaaS instances, typically as a virtual hard drive. Volumes often use data dispersion to support resiliency and security.