CCSP Chapter 5: Security in the Cloud Flashcards

1
Q

Shared Cloud Platform Risks and Responsibilities
* Define
* Responsibilities according to service model (graph)
* Customer concerns vs CSP concerns

A
  • Although risks and responsibilities are shared between customer and CSP, legally customer is liable for any unauthorized disclosures;
  • the customer is always the data owner.
  • the CSP can be financially responsible depending on contract, but legal responsibility will always be the customer's even if the CSP is negligent/malicious, i.e. if there is a government breach, the govt will come after the customer and not the CSP. the provider can later go to the CSP and get that money back if contract permits
  • Customer should keep in mind that the financial burden is not the only risk; Data disclosures = negative publicity, decrease in share value, increase in insurance premiums, etc
  • Responsibilities according to service model (attached image)
  • Customer concerns are about their data; CSP concerns are about their security and operation of their data center to maintain profitability; THEREFORE the customer will want as much access as possible to logging data and the CSP will want to limit access as much as possible;
2
Q

Cloud Computing Risks by Deployment Model
1. Private Cloud
2. Community Cloud

A
  1. Private Cloud - distributed computing environment with only ONE customer; can be self-hosted or hosted by CSP; customer can own HW or CSP can own it; If customer owns HW and puts it in CSP Data Center, it is called colocation center
    * this option is expensive and will hinder elasticity/scaling bc you own your own HW

risks include:
* personnel threats - data center personnel are out of customer’s control
* Natural Disasters
* External attacks - unauthorized access, DDoS, eavesdropping, etc
* Regulatory Noncompliance
* Malware

  2. Community Cloud - resources are shared and dispersed among an affinity group; infrastructure can be owned and/or operated jointly, individually, centrally, across community, or any combination;

benefits and risks include:
* Resiliency through shared ownership - bc NW ownership and operation is scattered among many users, the environment is more likely to survive the loss of a lot of nodes without affecting the others; However, this introduces risks bc each node is a point of entry; if one node has a vulnerability, then the others are susceptible
* Shared Costs - overhead and cost of infrastructure is shared; however, so is access and control
* No need for Centralized Administration for Performance and Monitoring - this removes burdens but also poses risks because there is no centralized place for monitoring;

3
Q

Brewer and Nash Model

A

aka the Chinese Wall security policy; this is relevant to the cloud bc cloud admins could have physical access to every cloud customer and those customers could be in direct competition with one another; the Brewer and Nash model increases separation of duties and defuses conflicts of interest

4
Q

Cloud Computing Risks by Deployment Model
3. Public Cloud
* Define Portability and ways to enhance portability of data

A
  3. Public Cloud - has the greatest benefit to the largest # of cloud customers; a company offers cloud services to any entity that wants to become a cloud customer; same risks as Private Cloud and community; Organization will lose control, oversight, audit capabilities (opposite of Private cloud);

Unique Risks include:
* Vendor Lock-in - the expense and trouble of moving data out of CSP’s data center can be difficult causing a vendor or provider lock-in; Vendor lock-in can also occur bc of proprietary data format used, contract, regulatory constraint, etc

To avoid vendor lock-in, customer should think of portability - level of ease or difficulty to move data out of CSP data center;
ways to enhance include:
* Ensure favorable contract terms for portability
* Avoid Proprietary data formats - don’t sign with CSP unless raw data can be recovered in a format that can be used at another CSP;
* Ensure no physical limitations in moving - ensure new CSP can handle the size of imported data
* Check for regulatory constraints

More unique risks to Public Cloud include:
* Vendor Lock-out - this occurs when CSP goes out of business, bought out by another company, or stops operations for w/e reason; concern is whether customer can still access their data

Ways to avoid vendor lock-out:
* Provider Longevity - how long has provider been in business?
* Core Competency - does the CSP provide everything your company needs? it's likely that if a CSP is well rounded then they will last longer - if they are only an addition to your company, then should avoid;
* Jurisdictional Suitability - where is it located?
* Supply Chain Dependencies - does CSP rely on other companies for its critical functions, both upstream and downstream?
* Legislative Environment - what pending statutes might affect your organization’s ability to use that provider? i.e. Great Britain left the EU in 2016, no one saw that coming and companies had to comply with regulation for both jurisdictions

More unique risks to Public Cloud include:
* Multitenant Environments - using the public cloud means entering a multitenant environment; no CSP will want to host your company as the sole customer
1. Conflict of Interest - provider personnel who administer your data should not be involved with any of your competitors who might also be the CSP’s customer
2. Escalation of Privilege - if users are able to escalate privilege, they may be able to access devices that process other customers' data
3. Information Bleed - possibility that data belonging to one customer could be read by another;
4. Legal Activity - data and devices can be subpoenaed as evidence in criminal suit; this can be conflicting if your data is on the same device as the data of another customer whose data is being seized

5
Q

Cloud Computing Risks by Deployment Model
4. Hybrid Cloud

A

Hybrid Cloud - combination of two or more of the other models (public, community, and/or private); The hybrid cloud includes the risks of the various models it combines;
