CCSP Domain 1: Cloud Concepts, Architecture, and Design Flashcards
NIST five (5) characteristics of cloud computing
Broad network access
Resource pooling
Rapid Elasticity
On-demand self-service
Measured service
Broad network access: services are accessed through the network (Internet) and usually available across a broad range of vectors.
Resource pooling: services use common hardware / multi-tenancy – i.e. a mix of applications and systems that coexist within the same set of physical and virtual resources.
Rapid Elasticity: services are “burst-able” – they can be rapidly scaled to match demand because of resource pooling (i.e. you can use all the hardware instead of just the hardware in your rack space).
On-demand self-service: services can be requested, provisioned, utilized, and de-provisioned by the customer via the provider. Services are usually “pay-as-you-go.”
Measured service: pay-as-you-go / in most instances, resources are metered and logged for billing and utilization reporting.
Note that ISO adds ‘Multitenancy’ to this list: many customers using the same infrastructure.
Four (4) building blocks of a cloud service
Regardless of service category (IaaS / PaaS / SaaS) or deployment model (private, public, community, or hybrid) the core components are:
1) Processor / CPU
2) Memory / RAM
3) Networking
4) Storage
ISO/IEC 17789:2014 roles performed by the
Cloud Service Customer
Cloud service user
Cloud service administrator
Cloud service business manager
Cloud service integrator
Cloud service user: uses the cloud service
Cloud service administrator: tests cloud services, monitors services, administers services, provides service usage reports, and addresses problem reports
Cloud service business manager: oversees business relationship, tracks billing for services, purchases new services, and requests audits when needed
Cloud service integrator: connects and integrates customer side systems / services to the cloud
ISO/IEC 17789:2014 roles performed by the
Cloud Service Provider
Cloud service operations manager
Cloud service deployment manager
Cloud service manager
Cloud service business manager
Customer support and care representative
Inter-cloud provider
Cloud service security and risk manager
Network provider
Cloud service operations manager: prepares systems for the cloud, administers services, monitors services, provides audit data when requested, and manages inventory of assets
Cloud service deployment manager: gathers metrics on cloud services, manages deployment process, and defines the environment and process
Cloud service manager: provisions and manages the cloud services
Cloud service business manager: manages the customer relationship and processes financial transactions
Customer support and care representative: manages cloud customer requests / provides tier one support
Inter-cloud provider: peers to other cloud providers and manages federations and federated services
Cloud service security and risk manager: manages security and security risks
Network provider: provides network connectivity / provides and manages network services
ISO/IEC 17789:2014 roles performed by the
Cloud Service Partner
Cloud service developer
Cloud auditor
Cloud service broker
Cloud service developer: develops cloud components and performs testing / validation of services
Cloud auditor: performs audits, prepares for external auditors, reports on system performance
Cloud service broker: acquires new customers, surveys the marketplace, and secures contracts
IaaS, overview of service category
Infrastructure as a Service
Cloud provider maintains and controls the underlying architecture, ensuring rapid provisioning, high availability, and rapid scaling.
Customer controls users, data, services deployed within the cloud – operating systems, storage, deployed applications – and has limited control over network components.
PaaS, overview of service category
Platform as a Service
Cloud provider is responsible for the operating system (including provision and patching of systems) and hosting environment, including libraries, services, and tools.
Customer is responsible for users, data, and deploying their applications within the provided platform infrastructure.
SaaS, overview of service category
Software as a Service
Cloud provider supplies a full cloud platform and software application to the customer with all activities outside of users and data falling to the cloud provider.
Customer provisions user access and permissions to data for their requirements; customer has limited application configuration options.
Public Cloud, General characteristics of
Available for use by the general public.
Located on the premises of the cloud provider. May be owned by a private company, organization, academic institution, or a combination of owners.
Hybrid Cloud, General characteristics of
Composed of two or more different cloud models: public, private, or community.
Typically, this option is leveraged for load balancing, high availability, or disaster recovery – e.g. public SaaS data backed up to private storage, etc.
Private Cloud, General characteristics of
Owned and controlled by a single entity.
Primarily used by that entity for their own purposes, but may be opened to collaborating organizations.
Can be located on or off premises.
Community Cloud, General characteristics of
Owned by a group of organizations with a shared purpose for use within the group – a consortium model. (Very similar to Private Cloud.)
Impact of related technologies: AI
Artificial Intelligence
AI allows machines to learn from experiences, to adjust to new data inputs and sources, and, ultimately, to perform human-like analysis and adaptation.
Three (3) main types of AI: analytical, human-inspired, and humanized.
Analytical: cognitive-based, data-set bound, it focuses on the ability of systems to analyze data from past experiences and to extrapolate ways to make better future decisions.
Human-Inspired: expands on the analytical approach by incorporating emotional intelligence – adds consideration of emotional responses to the decision making process.
Humanized: strives to incorporate all elements of human intelligence – e.g. a system that can pass the Turing test.
Impacts of related technologies: Machine Learning
Machine learning uses scientific and statistical data models and algorithms to allow machines to adapt to situations and perform functions that they have not been explicitly programmed to perform. This often involves training on “seed data” such as in intrusion detection systems (IDS), e-mail filtering, and virus scanning.
Impacts of related technologies: blockchain
The blockchain is a list of records linked together by cryptography to form a ledger of transactions that are distributed across multiple systems.
Blockchain may be applied to interactions between the distributed resources within cloud services to audit and persist transactions.
Impacts of related technologies: MDM
Mobile Device Management
MDM allows for configuration and zoning (such as setting up sandbox environments) on “mobile” assets such as workstations / laptops, smart phones, and tablets; MDM is essential for businesses that support BYOD (bring your own device) or that wish to enforce security benchmarks without limiting the modes of access to cloud services.
Impacts of related technologies: IoT
Internet of Things
Integration of IoT data by cloud providers is on the rise as the industry explores how IoT can be leveraged to improve services – e.g. use of IoT on a production line to create continuous time-and-motion analysis of the production process.
Impacts of related technologies: Containers
A container is a wrapper that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside of a single unit.
For the Cloud Security Professional, abstractions (like Containers) must be verified before being trusted – i.e. containers and the configurations used by the firm must be risk assessed and approved to ensure they are fit for use.
Impacts of related technologies: Quantum Computing
Quantum Computing is an emergent technology that applies quantum phenomena to achieve significant increases in computational capacity; for the Cloud Security Professional, the primary concern is that Quantum Computing eliminates a fundamental cloud control, encryption, due to its ability to force-decrypt existing encryption processes.
Cryptography, Relevance to cloud
Encryption is a critical mitigation for the risk of disclosure of data; it is frequently required by high-trust regulations (like HIPAA); it is essential to mitigating the risks associated with multitenancy (a near ubiquitous ‘feature’ of cloud services); and it is relied upon as the primary method of data destruction (as cryptographic erasure is used as a proxy for degaussing or physical destruction of media).
Cryptography design must consider: encryption for data in transit (e.g. TLS, VPN, and the like), encryption for data at rest (e.g. full disk encryption via AES-256), encryption for data in use (e.g. homomorphic encryption), and key management (remote and client-side).
Access Control, Relevance to cloud
Account Provisioning
Directory Services
Administrative & Privileged Access
Authorization
Access Control / IAM (identity & access management) combines authentication, authorization, and accounting (logging and auditing of how users exercise that authentication and authorization).
Four (4) main areas:
1) Account Provisioning: the process of issuing credentials (both authentication and authorization) to properly vetted users – i.e. ensuring that you are only giving access to users who should have access; this process should be consistent across the user population and auditable.
2) Directory Services: the collection of information needed by applications to ensure they are making proper authentication and authorization decisions – e.g. LDAP / Lightweight Directory Access Protocol.
3) Administrative & Privileged Access: enhanced policy and controls for users that can control and configure critical functions such as access roles, application configurations, underlying operating systems, and the like. Additional network and authentication controls should be considered for Administrative & Privileged users.
4) Authorization: the process by which the appropriate (i.e. least privilege) roles and rights are issued to users of a system – i.e. ensuring that a user can do what they need to do on the system but not more than they need to do (i.e. separation of roles and responsibilities).
Data and media sanitation, Relevance to cloud
Data portability
Data removal / sanitization
Data portability / Avoiding vendor lock-in: portability is the ability to move data from one cloud provider to another (e.g. from AWS to Azure); the easier it is to port your data to another cloud provider the less the risk of “lock-in” with providers exerting pricing power to increase cost to the consumer.
Data removal / Data Sanitization: de-provisioning a cloud provider includes removing your data from that cloud service; given the unique constraints of cloud services we are limited to overwriting (e.g. zeroing out data, etc.) and cryptographic erasure (e.g. destruction of encryption keys with overwriting assumed over time).
Network security, Relevance to cloud
Physical layer considerations
Logical considerations
Physical layer to the environment: needs to be reviewed with the cloud provider to understand and ensure proper security controls are in place.
Logical environment: the methods and division of responsibilities between cloud provider and cloud customer must be understood with regard to creating and maintaining segregation between tenants and the scaling process for resource consumption.
Virtualization security, Relevance to cloud
Hypervisors, Type 1 vs. Type 2
Container Security
Virtualization is critical to cloud services and the hypervisor is critical to virtualization as the hypervisor creates and runs virtual machines.
Hypervisor, Type 1: is tied to the underlying hardware and hosts virtual machines (VM) on top of it – i.e. it operates as the only layer between the hardware (bare metal) and the host (virtual server).
VMware ESXi is an example of a Type 1 Hypervisor.
As Type 1 Hypervisors are proprietary, with vendors in full control of upgrades and patches, they are more difficult to compromise because the opportunities for malicious code injection are limited.
Hypervisor, Type 2: is software based – it resides on the host system and runs within an operating system as software.
VMware Workstation is an example of a Type 2 Hypervisor.
Given the dependency between a Type 2 Hypervisor and the OS of the host system, it is more vulnerable to attack than a Type 1 Hypervisor (though, as a class of goods, hypervisors are highly secure products).
Cloud Security Professionals should focus on configuration and patch management of Type 2 Hypervisors to ensure that they are fit for use within your firm.
Container Security: a container is a wrapper that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside of a single unit.
Cloud Security Professionals should focus on ensuring the integrity of vendor images (i.e. that they have not been tampered with or altered; verify the checksum), patch management of containers, and securing access to containers and the methods used to update and deploy them.
Data breaches
[ Threat profile, Solution profile]
Common Threats, The Treacherous Twelve
Applies to IaaS, PaaS, and SaaS.
Threat profile: the unauthorized exposure of sensitive and private data to a party that is not entitled to have it.
Solution profile: information classification (to sort sensitive from other classes of data), encryption, tokenization of sensitive data, authorization (limit access to sensitive data), and network security (limit locations that can access sensitive data or create conditions like VPN required) may be used to mitigate the threat.
Insufficient identity, credential, and access management
[ Threat profile, Solution profile]
Common Threats, The Treacherous Twelve
Applies to IaaS, PaaS, and SaaS.
Threat profile: poor account provisioning, overly permissive authorization roles, weak authentication practices, or inadequate accounting / monitoring give attackers the opportunity to access the system.
Solution profile: do not embed passwords or certificates in source code or configuration objects, use quality passwords (e.g. NIST 800-63), apply two-factor authentication to privileged accounts, and harden and monitor authentication and authorization services.
Insecure interfaces and APIs
[ Threat profile, Solution profile]
Application Programming Interfaces
Common Threats, The Treacherous Twelve
Applies to IaaS, PaaS, and SaaS.
Threat profile: APIs are critical to auto-scaling and IAM / identity and access management within cloud services; as such, they represent an important source of potential vulnerabilities and attack surfaces for the adversary – i.e. if you can access or control APIs you can do a lot.
Solution profile: apply strong encryption and authorization (access control) to APIs and their connectivity.
System vulnerabilities
[ Threat profile, Solution profile]
Common Threats, The Treacherous Twelve
Applies to IaaS, PaaS, and SaaS.
Threat profile: exposures in the operating systems or application environment that may be exploited to cause harm.
Solution profile: patch management – regular scanning, patching, and monitoring of systems.
Account hijacking
[ Threat profile, Solution profile]
Common Threats, The Treacherous Twelve
Applies to IaaS, PaaS, and SaaS.
Threat profile: any of a range of exploits (from replay of your credentials to session hijacking) that allows the adversary to monitor your activities or grants them the use of your authorizations.
Solution profile: quality account provisioning process, access management, and the use of multi-factor authentication all serve to mitigate Account Hijacking.
Malicious insiders
[ Threat profile, Solution profile]
Common Threats, The Treacherous Twelve
Applies to IaaS, PaaS, and SaaS.
Threat profile: abuse of legitimately derived access for unauthorized purposes or system exploit. (Note that within cloud, malicious insiders may exist within the organizations of the cloud customer or the cloud provider.)
Solution profile: access management (e.g. separation of duties / least privilege / four eyes), monitoring, and business continuity planning may be used for mitigation.
Advanced persistent threats
[ Threat profile, Solution profile]
Common Threats, The Treacherous Twelve
Applies to IaaS, PaaS, and SaaS.
Threat profile: any of a range of attacks involving well funded and well educated adversaries (such as Nation-State actors) seeking significant access over a long period of time.
Solution profile: defense in depth, with an emphasis on monitoring and hunting within the environment.
Data loss
[ Threat profile, Solution profile]
Common Threats, The Treacherous Twelve
Applies to IaaS, PaaS, and SaaS.
Threat profile: data becomes lost, unavailable, or is destroyed when it should not have been.
Solution profile: encryption and business continuity (back-up) planning.
Insufficient due diligence
[ Threat profile, Solution profile]
Common Threats, The Treacherous Twelve
Applies to IaaS, PaaS, and SaaS.
Threat profile: lack of prior preparation leads to piss-poor performance – i.e. risks can be created, especially when moving from a traditional data center to the cloud, by insufficiently understanding the deltas between traditional and cloud environments.
Solution profile: avoid rushed transitions between environments, do the planning work required, apply audits to the environments to identify non-conformities, and brief the firm on risks being taken when the aforementioned are not applied.
Abuse and nefarious use of cloud services
[ Threat profile, Solution profile]
Common Threats, The Treacherous Twelve
Applies to IaaS and PaaS.
Threat profile: largely a cloud provider threat with near-term consequences for a cloud customer, this attack involves gaining access to the cloud service and repurposing resources for the attacker’s gain – e.g. running a bitcoin mining process within a cloud customer’s environment, using the cloud service to launch a DoS attack, etc.
Solution profile: monitor for resource utilization changes and apply defense in depth practices.
DoS
[ Threat profile, Solution profile]
Denial of Service
Common Threats, The Treacherous Twelve
Applies to IaaS, PaaS, and SaaS.
Threat profile: any of a range of methods designed to degrade, disrupt, or deny access to an application or system often by flooding the resource with automatically generated requests.
Solution profile: auto-scaling by the cloud provider, MPLS / multi-protocol label switching, and similar network security methods.
Shared technologies issues
[ Threat profile, Solution profile]
Common Threats, The Treacherous Twelve
Applies to IaaS, PaaS, and SaaS.
Threat profile: scaling resources also scales vulnerabilities, which can lead to cascading failures or compromises.
Solution profile: monitor critical components (such as the hypervisor and containers), apply orchestration for rapid redeployment / changes, practice defense in depth.