CCSP Domain 1: Cloud Concepts, Architecture, and Design Flashcards

1
Q

NIST five (5) characteristics of cloud computing

   Broad network access
   Resource pooling
   Rapid Elasticity
   On-demand self-service
   Measured service
A

Broad network access: services are accessed through the network (Internet) and usually available across a broad range of vectors.

Resource pooling: services use common hardware / multi-tenancy – i.e. a mix of applications and systems that coexist within the same set of physical and virtual resources.

Rapid Elasticity: services are “burst-able” – they can be rapidly scaled to match demand because of resource pooling (i.e. you can use all the hardware instead of just the hardware in your rack space).

On-demand self-service: services can be requested, provisioned, utilized, and de-provisioned by the customer via the provider. Services are usually “pay-as-you-go.”

Measured service: pay-as-you-go / in most instances, resources are metered and logged for billing and utilization reporting.

Note that ISO adds ‘Multitenancy’ to this list: many customers using the same infrastructure.

2
Q

Four (4) building blocks of a cloud service

A

Regardless of service category (IaaS / PaaS / SaaS) or deployment model (private, public, community, or hybrid) the core components are:

1) Processor / CPU
2) Memory / RAM
3) Networking
4) Storage

3
Q

ISO/IEC 17789:2014 roles performed by the
Cloud Service Customer

Cloud service user
Cloud service administrator
Cloud service business manager
Cloud service integrator

A

Cloud service user: uses the cloud service

Cloud service administrator: tests cloud services, monitors services, administers services, provides service usage reports, and addresses problem reports

Cloud service business manager: oversees business relationship, tracks billing for services, purchases new services, and requests audits when needed

Cloud service integrator: connects and integrates customer side systems / services to the cloud

4
Q

ISO/IEC 17789:2014 roles performed by the
Cloud Service Provider

  Cloud service operations manager
  Cloud service deployment manager
  Cloud service manager
  Cloud service business manager
  Customer support and care representative
  Inter-cloud provider
  Cloud service security and risk manager
  Network provider
A

Cloud service operations manager: prepares systems for the cloud, administers services, monitors services, provides audit data when requested, and manages inventory of assets

Cloud service deployment manager: gathers metrics on cloud services, manages deployment process, and defines the environment and process

Cloud service manager: provisions and manages the cloud services

Cloud service business manager: manages the customer relationship and processes financial transactions

Customer support and care representative: manages cloud customer requests / provides tier one support

Inter-cloud provider: peers to other cloud providers and manages federations and federated services

Cloud service security and risk manager: manages security and security risks

Network provider: provides network connectivity / provides and manages network services

5
Q

ISO/IEC 17789:2014 roles performed by the
Cloud Service Partner

Cloud service developer
Cloud auditor
Cloud service broker

A

Cloud service developer: develops cloud components and performs testing / validation of services

Cloud auditor: performs audits, prepares for external auditors, reports on system performance

Cloud service broker: acquires new customers, surveys the marketplace, and secures contracts

6
Q

IaaS, overview of service category

Infrastructure as a Service

A

Cloud provider maintains and controls the underlying architecture, ensuring rapid provisioning, high availability, and rapid scaling.

Customer controls users, data, services deployed within the cloud – operating systems, storage, deployed applications – and has limited control over network components.

7
Q

PaaS, overview of service category

Platform as a Service

A

Cloud provider is responsible for the operating system (including provisioning and patching of systems) and the hosting environment, including libraries, services, and tools.

Customer is responsible for users, data, and deploying their applications within the provided platform infrastructure.

8
Q

SaaS, overview of service category

Software as a Service

A

Cloud provider supplies a full cloud platform and software application to the customer with all activities outside of users and data falling to the cloud provider.

Customer provisions user access and permissions to data for their requirements; customer has limited application configuration options.

9
Q

Public Cloud, General characteristics of

A

Available for use by the general public.

Located on the premises of the cloud provider. May be owned by a private company, organization, academic institution, or a combination of owners.

10
Q

Hybrid Cloud, General characteristics of

A

Composed of two or more different cloud models: public, private, or community.

Typically, this option is leveraged for load balancing, high availability, or disaster recovery – e.g. public SaaS data backed up to private storage, etc.

11
Q

Private Cloud, General characteristics of

A

Owned and controlled by a single entity.

Primarily used by that entity for their own purposes, but may be opened to collaborating organizations.

Can be located on or off premises.

12
Q

Community Cloud, General characteristics of

A

Owned by a group of organizations with a shared purpose for use within the group – a consortium model. (Very similar to Private Cloud.)

13
Q

Impact of related technologies: AI

Artificial Intelligence

A

AI allows machines to learn from experiences, to adjust to new data inputs and sources, and, ultimately, to perform human-like analysis and adaptation.

Three (3) main types of AI: analytical, human-inspired, and humanized.

Analytical: cognitive-based and data-set bound; it focuses on the ability of systems to analyze data from past experiences and to extrapolate ways to make better future decisions.

Human-Inspired: expands on the analytical approach by incorporating emotional intelligence – adds consideration of emotional responses to the decision making process.

Humanized: strives to incorporate all elements of human intelligence – e.g. a system that can pass the Turing test.

14
Q

Impacts of related technologies: Machine Learning

A

Machine learning uses scientific and statistical data models and algorithms to allow machines to adapt to situations and perform functions that they have not been explicitly programmed to perform. This often involves training on “seed data” such as in intrusion detection systems (IDS), e-mail filtering, and virus scanning.

15
Q

Impacts of related technologies: blockchain

A

The blockchain is a list of records linked together by cryptography to form a ledger of transactions that are distributed across multiple systems.

Blockchain may be applied to interactions between the distributed resources within cloud services to audit and persist transactions.

16
Q

Impacts of related technologies: MDM

Mobile Device Management

A

MDM allows for configuration and zoning (such as setting up sandbox environments) on “mobile” assets such as workstations / laptops, smart phones, and tablets; MDM is essential for businesses that support BYOD (bring your own device) or that wish to enforce security benchmarks without limiting the modes of access to cloud services.

17
Q

Impacts of related technologies: IoT

Internet of Things

A

Integration of IoT data by cloud providers is on the rise as the industry explores how IoT can be leveraged to improve services – e.g. use of IoT on a production line to create continuous time-and-motion analysis of the production process.

18
Q

Impacts of related technologies: Containers

A

A container is a wrapper that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside of a single unit.

For the Cloud Security Professional, abstractions (like Containers) must be verified before being trusted – i.e. containers and the configurations used by the firm must be risk assessed and approved to ensure they are fit for use.

19
Q

Impacts of related technologies: Quantum Computing

A

Quantum Computing is an emergent technology that applies quantum phenomena to achieve significant increases in computational capacity; for the Cloud Security Professional, the primary concern is that Quantum Computing eliminates a fundamental cloud control, encryption, due to its ability to forcibly decrypt data protected by existing encryption processes.

20
Q

Cryptography, Relevance to cloud

A

Encryption is a critical mitigation for the risk of disclosure of data; it is frequently required by high-trust regulations (like HIPAA); it is essential to mitigation of the risks associated with multitenancy (a near-ubiquitous ‘feature’ of cloud services); and it is relied upon as the primary method of data destruction (cryptographic erasure is used as a proxy for degaussing or physical destruction of media).

Cryptography design must consider: encryption for data in transit (e.g. TLS, VPN, and the like), encryption for data at rest (e.g. full disk encryption via AES-256), encryption for data in use (e.g. homomorphic encryption), and key management (remote and client-side).

21
Q

Access Control, Relevance to cloud

Account Provisioning
Directory Services
Administrative & Privileged Access
Authorization

A

Access Control / IAM (identity & access management) combines authentication, authorization, and accounting of utilization of both authentication and authorization by users.

Four (4) main areas:

1) Account Provisioning: the process of issuing credentials (both authentication and authorization) to properly vetted users – i.e. ensuring that you are only giving access to users who should have access; this process should be consistent across the user population and auditable.
2) Directory Services: the collection of information needed by applications to ensure they are making proper authentication and authorization decisions – e.g. LDAP / Lightweight Directory Access Protocol.
3) Administrative & Privileged Access: enhanced policy and controls for users that can control and configure critical functions such as access roles, application configurations, underlying operating systems, and the like. Additional network and authentication controls should be considered for Administrative & Privileged users.
4) Authorization: the process by which the appropriate (i.e. least privilege) roles and rights are issued to users of a system – i.e. ensuring that a user can do what they need to do on the system but not more than they need to do (i.e. separation of roles and responsibilities).

22
Q

Data and media sanitation, Relevance to cloud

Data portability
Data removal / sanitization

A

Data portability / Avoiding vendor lock-in: portability is the ability to move data from one cloud provider to another (e.g. from AWS to Azure); the easier it is to port your data to another cloud provider the less the risk of “lock-in” with providers exerting pricing power to increase cost to the consumer.

Data removal / Data Sanitization: de-provisioning a cloud provider includes removing your data from that cloud service; given the unique constraints of cloud services we are limited to overwriting (e.g. zeroing out data, etc.) and cryptographic erasure (e.g. destruction of encryption keys with overwriting assumed over time).

23
Q

Network security, Relevance to cloud

Physical layer considerations
Logical considerations

A

Physical layer to the environment: needs to be reviewed with the cloud provider to understand and ensure proper security controls are in place.

Logical environment: the methods and division of responsibilities between cloud provider and cloud customer must be understood with regard to creating and maintaining segregation between tenants and the scaling process for resource consumption.

24
Q

Virtualization security, Relevance to cloud

Hypervisors, Type 1 vs. Type 2
Container Security

A

Virtualization is critical to cloud services and the hypervisor is critical to virtualization as the hypervisor creates and runs virtual machines.

Hypervisor, Type 1: is tied to the underlying hardware and hosts virtual machines (VM) on top of it – i.e. it operates as the only layer between the hardware (bare metal) and the host (virtual server).

VMware ESXi is an example of a Type 1 Hypervisor.

As Type 1 Hypervisors are proprietary, with vendors in full control of upgrades and patches, they are more difficult to compromise as the opportunities for malicious code injection are limited.

Hypervisor, Type 2: is software based – it resides on the host system and runs within an operating system as software.

VMware Workstation is an example of a Type 2 Hypervisor.

Given the dependency between a Type 2 Hypervisor and the OS of the host system, it is more vulnerable to attack than a Type 1 Hypervisor (though, as a class of goods, hypervisors are highly secure products).

Cloud Security Professionals should focus on configuration and patch management of Type 2 Hypervisors to ensure that they are fit for use within your firm.

Container Security: a container is a wrapper that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside of a single unit.

Cloud Security Professionals should focus on ensuring the integrity of vendor images (i.e. that they’ve not been tampered with or altered – verify the checksum), patch management of containers, and securing access to containers and the methods used to update and deploy containers.

25
Q

Data breaches
[ Threat profile, Solution profile]

Common Threats, The Treacherous Twelve

A

Applies to IaaS, PaaS, and SaaS.

Threat profile: the unauthorized exposure of sensitive and private data to a party that is not entitled to have it.

Solution profile: information classification (to sort sensitive from other classes of data), encryption, tokenization of sensitive data, authorization (limit access to sensitive data), and network security (limit locations that can access sensitive data or create conditions like VPN required) may be used to mitigate the threat.

26
Q

Insufficient identity, credential, and access management
[ Threat profile, Solution profile]

Common Threats, The Treacherous Twelve

A

Applies to IaaS, PaaS, and SaaS.

Threat profile: poor account provisioning, overly permissive authorization roles, poor authentication practices, or poor accounting / monitoring give attackers the opportunity to access the system.

Solution profile: do not embed passwords or certificates in source code or configuration objects, use quality passwords (e.g. per NIST SP 800-63), apply two-factor authentication to privileged accounts, and harden and monitor authentication and authorization services.

27
Q

Insecure interfaces and APIs
[ Threat profile, Solution profile]

Application Program Interfaces
Common Threats, The Treacherous Twelve

A

Applies to IaaS, PaaS, and SaaS.

Threat profile: APIs are critical to auto-scaling and IAM / identity and access management within cloud services; as such, they represent an important source of potential vulnerabilities and attack surfaces for the adversary – i.e. if you can access or control APIs you can do a lot.

Solution profile: apply strong encryption and authorization controls to APIs and their connectivity.

28
Q

System vulnerabilities
[ Threat profile, Solution profile]

Common Threats, The Treacherous Twelve

A

Applies to IaaS, PaaS, and SaaS.

Threat profile: exposures in the operating systems or application environment that may be exploited to cause harm.

Solution profile: patch management – regular scanning, patching, and monitoring of systems.

29
Q

Account hijacking
[ Threat profile, Solution profile]

Common Threats, The Treacherous Twelve

A

Applies to IaaS, PaaS, and SaaS.

Threat profile: any of a range of exploits (from replay of your credentials to session hijacking) that allows the adversary to monitor your activities or grants them the use of your authorizations.

Solution profile: quality account provisioning process, access management, and the use of multi-factor authentication all serve to mitigate Account Hijacking.

30
Q

Malicious insiders
[ Threat profile, Solution profile]

Common Threats, The Treacherous Twelve

A

Applies to IaaS, PaaS, and SaaS.

Threat profile: abuse of legitimately derived access for unauthorized purposes or system exploit. (Note that within cloud, malicious insiders may exist within the organizations of the cloud customer or the cloud provider.)

Solution profile: access management (e.g. separation of duties / least privilege / four eyes), monitoring, and business continuity planning may be used for mitigation.

31
Q

Advanced persistent threats
[ Threat profile, Solution profile]

Common Threats, The Treacherous Twelve

A

Applies to IaaS, PaaS, and SaaS.

Threat profile: any of a range of attacks involving well-funded and well-educated adversaries (such as nation-state actors) seeking significant access over a long period of time.

Solution profile: defense in depth, with an emphasis on monitoring and hunting within the environment.

32
Q

Data loss
[ Threat profile, Solution profile]

Common Threats, The Treacherous Twelve

A

Applies to IaaS, PaaS, and SaaS.

Threat profile: data becomes lost, unavailable, or is destroyed when it should not have been.

Solution profile: encryption and business continuity (back-up) planning.

33
Q

Insufficient due diligence
[ Threat profile, Solution profile]

Common Threats, The Treacherous Twelve

A

Applies to IaaS, PaaS, and SaaS.

Threat profile: lack of prior preparation leads to piss-poor performance – i.e. risks can be created, especially when moving from a traditional data center to the cloud, by insufficiently understanding the deltas between traditional and cloud environments.

Solution profile: avoid rushed transitions between environments, do the planning work required, apply audits to the environments to identify non-conformities, and brief the firm on risks being taken when the aforementioned are not applied.

34
Q

Abuse and nefarious use of cloud services
[ Threat profile, Solution profile]

Common Threats, The Treacherous Twelve

A

Applies to IaaS and PaaS.

Threat profile: largely a cloud provider threat with near-term consequences for a cloud customer, this attack involves gaining access to the cloud service and repurposing resources for the attacker’s gain – e.g. running a bitcoin mining process within a cloud customer’s environment, using the cloud service to launch a DoS attack, etc.

Solution profile: monitor for resource utilization changes and apply defense in depth practices.

35
Q

DoS
[ Threat profile, Solution profile]

Denial of Service
Common Threats, The Treacherous Twelve

A

Applies to IaaS, PaaS, and SaaS.

Threat profile: any of a range of methods designed to degrade, disrupt, or deny access to an application or system often by flooding the resource with automatically generated requests.

Solution profile: auto-scaling by the cloud provider and MPLS / multi-protocol label switching and similar network security methods.

36
Q

Shared technologies issues
[ Threat profile, Solution profile]

Common Threats, The Treacherous Twelve

A

Applies to IaaS, PaaS, and SaaS.

Threat profile: scaling resources also scales vulnerabilities, which can lead to cascading failures or compromises.

Solution profile: monitor critical components (such as the hypervisor and containers), apply orchestration for rapid redeployment / changes, practice defense in depth.

37
Q

Cloud Secure Data Lifecycle

  Create
  Store
  Use
  Share
  Archive
  Destroy
A

Create: data is either created from scratch, generated, inputted, or modified into a new form and value.

Store: data is placed into a storage system. This includes but is not limited to databases, files, and spreadsheets. This is typically done as part of the previous operation or immediately thereafter.

Use: data is read by the application or users. Note that any modification of data is considered to occur in Create.

Share: data is used in an application where it is viewable to users, customers, administrators, and so on. Note that any modification of data is considered to occur in Create.

Destroy: data is permanently removed and sanitized and is no longer accessible or useable.

38
Q

Cloud-based Business Continuity

A

Business continuity encompasses the full range of possible service disruptions and how a company can minimize, mitigate, and respond to them and keep business operations running, available, and secure.

i.e. BC is a daily, operational discipline.

39
Q

Cloud-based Disaster Recovery

A

Disaster recovery is a disaster triggered contingency plan to minimize the effect of the disaster by restoring operations in a prescribed order – e.g. critical operations, then important operations, and so on until the business is back to fully operational.

i.e. DR is an event-triggered discipline for extraordinary / unusual circumstances.

DR involves:

1) Recovery point objective (RPO): the amount of data that can be lost for a recovery to be considered successful – e.g. it may be acceptable (and will certainly cost less) to lose weeks’ worth of data in a recovery.
2) Recovery time objective (RTO): the time from disaster trigger to recovery – e.g. critical assets may need to be restored in 24 hours or less, important assets within 1-2 weeks or less, etc.
3) Recovery service level (RSL): the percentage of the total pre-disaster functionality needed to meet management objectives – e.g. production at 80% uptime may be sufficient for the first 1-2 weeks of recovery, etc.

40
Q

ISO/IEC 27001 and 27001:2013

A

A quality of process standard that is relevant to, but not specifically designed for, cloud environments.

Covers fourteen (14) domains:

1) information security policies
2) organization of information security
3) human resource security
4) asset management
5) access control
6) cryptography
7) physical and environmental security
8) operations security
9) communications security
10) system acquisition, development, and maintenance
11) supplier relationships
12) information security incident management
13) information security aspects of business continuity management
14) compliance

41
Q

NIST SP 800-53

A

A security controls standard that is applicable to, but not focused on or designed for, cloud environments.

Revision 4 contains a matrix that maps NIST SP 800-53 requirements to ISO/IEC 27001 requirements.

The areas most relevant to a Cloud Security Professional are: insider threats and malicious activity, software application security (including web-based applications and APIs), social networking, mobile devices, cloud computing, persistent threats, and privacy.

42
Q

PCI DSS

Payment Card Industry Data Security Standard

A

A standard developed by the major credit card brands, focused, as the name implies, on security practices for card data and handling.

At high-level, the twelve (12) compliance requirements are:

1) Install and maintain a firewall configuration
2) Do not use vendor-supplied defaults for system passwords and other security parameters
3) Protect stored cardholder data
4) Encrypt transmission of cardholder data across open, public networks
5) Use and regularly update antivirus software on all systems commonly affected by malware
6) Develop and maintain secure systems and applications
7) Restrict access to cardholder data by business need-to-know
8) Assign a unique ID to each person with computer access
9) Restrict physical access to cardholder data
10) Track and monitor all access to network resources and cardholder data
11) Regularly test security systems and processes
12) Maintain a policy that addresses information security

43
Q

SOC 1

A

Service Organization Control (SOC) is a series of standards that evaluate and audit the use and control of financial information.

SOC 1: focuses on the kinds of information that would be relevant and pertinent to a financial audit of an organization and its financial statements; it includes information about the management structure of the organization, the targeted client and customer base, the regulations the organization is subjected to, and the auditors that verify compliance.

SOC 1 is “restricted use” for internal review by the organization that commissions the report.

44
Q

Common Criteria

  SFR : security functional requirement
  SAR : security assurance requirement
  PP    : protection profile
  TOE : target of evaluation 
  ST    : security target
  EAL  : evaluation assurance level
A

An ISO/IEC assurance standard (ISO/IEC 15408) that creates a process for testing and validating security claims for services:

1) provider creates SFR / security functional requirement
2) provider creates SAR / security assurance requirement
3) SFRs and SARs are bundled into PP / protection profile
4) TOE / target of evaluation is created
5) provider creates ST / security target
6) testing (based on the aforementioned) is done to arrive at an EAL / evaluation assurance level – i.e. proof that the service does what it says it does under the conditions provided in the PP, TOE, and ST.

EAL levels:

EAL 1: functionally tested
EAL 2: structurally tested
EAL 3: methodically tested and checked
EAL 4: methodically designed, tested, and checked
EAL 5: semi-formally designed and tested
EAL 6: semi-formally verified design and tested
EAL 7: formally verified design and tested

45
Q

FIPS 140-2

Federal Information Processing Standard

A

FIPS 140-2 (Federal Information Processing Standard 140-2) pertains to the accreditation of cryptographic modules.

FIPS 140-2 defines four (4) levels of security:

Level 1: Lowest level of security. Use of one of the approved crypto modules within specification of the module. No physical security requirements.

Level 2: requires role-based authentication where a crypto module is used for the authentication process; the module must have an anti-tamper mechanism.

Level 3: requires the crypto module to authenticate the user to the system and verify user authorization on the system; physical security must be applied to deter, monitor, and detect any tampering of the module.

Level 4: any attempts to tamper will be detected and prevented, and any data that is in clear text will be zeroized should a tamper be successful; very useful in systems that lack physical security protections.

46
Q

SOC 2

A

SOC 2: includes consideration of the “security principle” as measured by seven categories: organization and management, communications, risk management and design implementation of controls, monitoring of controls, logical and physical access controls, system operations, change management.

SOC 2 is “restricted use.”

^ SOC reports come in Type 1 (review of security controls’ “design and intent”) and Type 2 (review of the “design and application” of security controls).

Type 2 is strongly preferred with Type 1 often being entirely dismissed as evidence of security practices.

47
Q

SOC 3

A

SOC 3: à la SOC 2, but designed for “general use.”

^ These reports are shorter and do not include the same details as a SOC 2 report.

SOC 2 (see the previous card), with its seven categories of security principle, is the report that carries the detail – i.e. this is the droid you are looking for.

48
Q

System Isolation, Security concerns for PaaS

A

System Isolation: the cloud customer will typically have very little, and highly constrained, system level access; this minimizes security considerations and shifts liability to the cloud provider making the service contract an important element of the security posture for PaaS.

49
Q

User Permissions, Security concerns for PaaS

A

User Permissions: as noted elsewhere, access controls are a critical design consideration for the Cloud Security Professional; of special import in a PaaS instance is ensuring that the roles remain least privilege as utilization scales (i.e. limiting authorization creep as more users and use cases become incorporated within the service).

50
Q

User Access, Security concerns for PaaS

A

User Access: with the elasticity and auto-scaling features of a cloud environment, proper automation of provisioning of user access management is crucial and authentication and authorization are critical control dimensions for all cloud services.

51
Q

Malware, Trojans, and Backdoors,

Security concerns for PaaS

A

Malware, Trojans, and Backdoors: the creation of unauthorized methods of access (such as developer backdoors) is of additional concern within cloud services due to auto-scaling; use of education, SDLC / software development lifecycle gateways, and pen-testing should deter, detect, and correct this class of vulnerabilities.

52
Q

Multitenancy, Security concerns for IaaS

A

Multitenancy: in both public and private instances, multitenancy increases the risk of data disclosure or misallocation of access; encryption is therefore an essential control along with authorization design and monitoring.

53
Q

Hypervisor Security & Attacks, Security concerns for IaaS

A

Hypervisor Security and Attacks: if the hypervisor is compromised, all hosted VMs are susceptible and vulnerable as well; successful exploit would make all hosts under that hypervisor vulnerable and would likely span multiple systems and multiple customers.

54
Q

Network Security, Security concerns for IaaS

A

Network Security: many traditional network security options are not viable or are more difficult to operate within a cloud service – e.g. IDS/IPS, packet capture, application firewalls, physically separate network switches and firewalls – necessitating a reliance on cloud provider solutions, an understanding of the degraded capabilities, and a reliance on software / logical controls such as CASB.

55
Q

Virtual Machine Attacks, Security concerns for IaaS

A

Virtual Machine Attacks: see also hypervisors; VMs can be attacked with the same methods used against traditional servers, but with greater consequences given the nature of VM infrastructure and operations.

56
Q

Virtual Switch Attacks, Security concerns for IaaS

A

Virtual Switch Attacks: virtual switches can be attacked with the same methods as physical Layer 2 switches; but, because they are software, they can also be attacked at Layer 7 (the application layer) by VMs, Type 2 hypervisors, etc.

57
Q

DoS / Denial-of-Service Attacks,

Security concerns for IaaS

A

DoS / Denial-of-Service Attacks: within cloud services this threat is two-sided: the service can be attacked, or it can become the platform from which DoS attacks are launched.

58
Q

Cloud Service Provider, Cloud Computing Roles

A

Cloud service provider: one that offers cloud services to the customer

59
Q

Cloud Service Customer, Cloud Computing Roles

A

Cloud service customer: one that contracts the services of a cloud service provider either directly or through intermediaries like a broker or partner.

60
Q

Cloud Service User, Cloud Computing Roles

A

Cloud service user: the person that utilizes the cloud service provider product via the contract held by the cloud service customer.

61
Q

Cloud Service Auditor, Cloud Computing Roles

A

Cloud service auditor: one that is specifically responsible for conducting audits of cloud systems and cloud applications.

62
Q

Cloud Service Broker, Cloud Computing Roles

A

Cloud service broker: a partner that serves as an intermediary between the contracting parties (the provider and the customer).

63
Q

Cloud Service Partner, Cloud Computing Roles

A

Cloud service partner: a sub-contractor to the cloud service provider or the cloud service customer – e.g. an auditor, broker, customer can all act as partners.

64
Q

Strict consistency

A

Strict consistency ensures that all elements of the data have been duplicated among all relevant copies before finalizing the transaction to increase availability.

This is one of two storage consistency types: Storage consistency is a fundamental concept in cloud computing and describes the time it takes for all data copies to be the same.

65
Q

Eventual consistency

A

Eventual consistency reduces the number of replicas that must be accessed during read and write operations before the transaction is finalized. When using eventual consistency, data changes are eventually transferred to all data copies through asynchronous propagation via the network.

This is one of two storage consistency types: Storage consistency is a fundamental concept in cloud computing and describes the time it takes for all data copies to be the same.

66
Q

SDN: Management Plane

Software Defined Network

A

The management plane is used to provision, configure, and de-provision all cloud resources for the Cloud Service Provider's external and internal customers.

67
Q

SDN: Control Plane

Software Defined Network

A

The control plane connects provisioned resources to each other as specified by each individual tenant thereby achieving segregated networks.

68
Q

SDN: data/forwarding plane

Software Defined Network

A

The data or forwarding plane is used to transfer individual tenant data to and from that specific tenant’s provisioned virtual compute and storage resources.

69
Q

CSP data center

Cloud Service Provider

A

CSP data centers: individual physical data centers that house physical computers, storage, data center networking, environmental management equipment, and electrical power.

70
Q

CSP availability zone

Cloud Service Provider

A

CSP availability zones: an availability zone (AZ) consists of two or more geographically local data centers. The AZ data centers will normally have independent sources of power and data connectivity.

71
Q

CSP region

Cloud Service Provider

A

CSP regions: a region typically consists of two or more availability zones. To ensure operational geographical redundancy, cloud-based solutions should deploy redundant infrastructures in two or more regions with mutual data backup capability.

72
Q

Cloud Orchestration

A

The CSP operational process responsible for receiving, fulfilling, managing, monitoring, and metering customer services across all data centers, availability zones, and regions is referred to as cloud orchestration.

73
Q

Cloud OS

Cloud Operating System

A

The CSP software component responsible for orchestration is called the cloud operating system.

74
Q

ISO/IEC 17789 : Cloud Computing Reference Architecture (CCRA)

User view
Functional view
Implementation view
Deployment view

A

ISO/IEC describes cloud computing systems from four distinct viewpoints:

User view: The system context, the parties, the roles, the sub-roles, and the cloud computing activities.

Functional view: The functions necessary to support the cloud computing activities.

Implementation view: The functions necessary for the implementation of a cloud service within service parts and/or infrastructure parts.

Deployment view: How the functions of a cloud service are technically implemented within already existing infrastructure elements or within new elements to be introduced in this infrastructure.

75
Q

ISO/IEC 17789 CCRA

Functional view decomposed:

  User layer
  Access layer
  Service layer
  Resource layer
  Multi-layer

A

The functional view is decomposed into four (4) layers:

User layer: Functional components that support the cloud computing activities of cloud service customers and cloud service partners.

Access layer: Includes functional components that facilitate function distribution and interconnection.

Service layer: Includes functional components that provide the cloud services themselves plus related administration and business capabilities, and the orchestration capabilities necessary to realize them.

Resource layer: Includes the functional components that represent the resources needed to implement the cloud computing system.

In addition to the above, the multilayer functions include functional components that provide capabilities that are used across multiple functional layers.

These include: development support, integration, security systems, operational support systems, business support systems.

76
Q

ISO / IEC 17789: Use cloud service activity

A

ISO/IEC 17789 provides a feature and role ontology for discovery, analysis, and monitoring of cloud service utilization.

77
Q

ISO / IEC 17789 : Cloud service administrator

  Perform service trial
  Monitor service
  Administer service security
  Provide billing and usage reports
  Handle problem reports
  Administer tenancies
A

The Cloud service administrator is a member of the cloud customer team and has the following duties:

Perform service trial: Use the services of a cloud service provider to ensure that the cloud service is fit for the cloud service customer’s business needs.

Monitor service: Monitor the delivered service quality with respect to service levels as defined in the service-level agreement (SLA) between cloud service customer and cloud service provider.

Administer service security: Ensure appropriate security for cloud service customer data, data backup, and recovery, administering security policies, defining encryption and integrity technologies, and defining the handling of any personally identifiable information (PII).

Provide billing and usage reports: Prepare reports of the customer organization’s cloud services usage and associated reports of the billing/invoice data relating to that usage.

Handle problem reports: Perform customer-side handling of any reported problems associated with the usage of cloud services.

Administer tenancies: Administer the tenancies of the cloud service customer with the cloud service provider.

78
Q

ISO / IEC 17789 : Cloud service business manager

Perform business administration
Select and purchase service
Request audit report

A

The Cloud service business manager is a member of the cloud service customer team and has the following duties:

Perform business administration: Manage the business aspects of the use of cloud services, including accounting and financial management.

Select and purchase service: Examine the cloud service offerings to determine if the service meets cloud service customer business and technical requirements.

Request audit report: Request the report of an audit of the cloud service, typically conforming to a particular audit standard or scheme.

79
Q

ISO / IEC 17789 : Cloud service integrator

Connect ICT systems to cloud services
Information & Communications Technology

A

The Cloud service integrator is a member of the cloud service customer team and performs the following duties:

Connect ICT (information and communication technology) systems to cloud services: Integrate existing ICT systems and cloud services, connect existing ICT component(s) and applications with the target cloud service(s), and connect the customer monitoring and management systems with the cloud service provider’s monitoring and control of cloud services.

80
Q

ISO / IEC 17789 : Cloud service operations manager

Prepare systems
Monitor and administer services
Manage assets and inventory
Provide audit data

A

The Cloud service operations manager is a member of the cloud service provider team and has the following duties:

Prepare systems: Prepare the systems of the provider’s environment for new cloud service deployments.

Monitor and administer services: Monitor and administer services and their associated infrastructure, which includes user and system privileges.

Manage assets and inventory: Track all compute, storage, network, and software assets and the relationships between them, and also “on-board” new assets and dispose of old assets.

Provide audit data: Collect and provide data relevant to an audit request, such as that relating to security controls or to service performance.

81
Q

ISO / IEC 17789 : Cloud service deployment manager

Define environment and process
Define and gather metrics
Define deployment steps

A

The cloud service deployment manager is a member of the cloud service provider team and performs the following duties:

Define environment and process: Define the required technical environment and operational processes used when a service is running.

Define and gather metrics: Define service-level metrics and management.

Define deployment steps: Define the steps for the deployment of services.

82
Q

ISO / IEC 17789: Cloud service manager

Provide services
Deploy and provision services
Perform service-level management

A

The cloud service manager is a member of the cloud service provider team and performs the following duties:

Provide services: Perform all steps required to deliver a cloud service to its cloud service customers.

Deploy and provision services: Get a service implementation running and make it available at a network end point accessible to the cloud service users, and make it able to handle service requests from users.

Perform service-level management: Manage compliance with SLA targets.

83
Q

ISO / IEC 17789 : Cloud service manager

Manage business plan
Manage customer relationship
Manage financial processing

A

The cloud service manager is a member of the cloud service provider team and performs the following duties:

Manage business plan: Define a service offering, create a business plan that covers the offering of one or more cloud services to customers, track the sales and service usage against the plan, and prepare and adjust a business plan to provide cloud services.

Manage customer relationship: Manage the relationship with the customer.

Manage financial processing: Handle billing updates, generate billing information, and handle the receipt of payments from the cloud service customer.

84
Q

ISO / IEC 17789 : Customer support and care representative

Handle customer requests

A

The customer support and care representative is a member of the cloud service provider team and performs the following duty:

Handle customer requests: Handle support requests, reports, and incidents from cloud service customers.

85
Q

ISO / IEC 17789 : Intercloud provider

Manage peer cloud services
Perform peering, federation, intermediation,
aggregation and arbitrage

A

The intercloud provider is a member of the cloud service provider team and performs the following duties:

Manage peer cloud services: Manage the usage of cloud services of a peer cloud service provider.

Perform peering, federation, intermediation, aggregation and arbitrage: Use peer cloud service provider’s cloud services, which includes service federation, intermediation, aggregation, and arbitrage.

86
Q

ISO / IEC 17789 :
Cloud service security and risk manager

Manage security and risks
Design and implement service continuity
Ensure compliance

A

The cloud service security and risk manager is a member of the cloud service provider team and performs the following duties:

Manage security and risks: Manage security and risks associated with the development, delivery, use, and support of cloud services.

Design and implement service continuity: Consider potential modes of failure of a cloud service and the supporting infrastructure and put in place recovery processes that will enable the cloud service to be available within the terms of the SLA.

Ensure compliance: Implement regulatory and standards compliance.

87
Q

ISO / IEC 17789 : Network Provider

Provide network connectivity
Deliver network services
Provide network management services

A

The network provider is a member of the cloud service provider team and performs the following duties:

Provide network connectivity: Set up requested network connections and related capabilities, including (amongst others) connections between the cloud service customer and the cloud service provider’s system and between one cloud service provider’s system and another cloud service provider’s system.

Deliver network services: Provide network-related services such as firewalls or load balancing.

Provide network management services: Manage the network infrastructure used to carry cloud services.

88
Q

ISO / IEC 17789 : Cloud service developer

Design, create, and maintain service components
Compose services
Test services

A

The cloud service developer is a member of the cloud service partner team and performs the following duties:

The CSN (cloud service partner) serves the customer, the provider, or both.

Design, create, and maintain service components: Design and create software components that are part of the implementation of a service, process problem reports, provide fixes, and provide enhancements to service implementations.

Compose services: Compose new cloud services by combining or modifying existing services.

Test services: Test the components and services created by the cloud service developer.

89
Q

ISO / IEC 17789 : Cloud auditor

Perform audit
Report audit results

A

The cloud auditor is a member of the cloud service provider team and performs the following duties:

The CSN (cloud service partner) serves the customer, the provider, or both.

Perform audit: Request or obtain audit evidence, conduct any required tests on the system being audited, and obtain evidence programmatically.

Report audit results: Provide a documented report of the results of performing an audit.

90
Q

ISO / IEC 17789 : Cloud service broker

Acquire and assess customer
Assess marketplace
Set up legal agreement

A

The cloud service broker is a type of cloud service partner and performs the following duties for the customer / provider:

The CSN (cloud service partner) serves the customer, the provider, or both.

Acquire and assess customer: Market and sell cloud services to the point where a cloud service customer agrees to a contract to use one or more services.

Assess marketplace: Assess the current cloud computing marketplace to identify and recommend cloud service(s) that allow the customer to meet desired goals.

Set up legal agreement: Establish the service agreement between the cloud service customer and the chosen cloud service provider(s).

91
Q

KMS : Remote v. Client-side

Key Management Systems

A

Remote KMS: maintained, managed, and controlled by the customer at their own location.

Client-side KMS: maintained by the cloud provider and managed / controlled (within the bounds of the cloud provider's service offering) by the customer.