Chapter 2 - Design requirements Flashcards
Business requirements analysis
What are the 4 key factors we need to know before we know how to handle risk?
Inventory of all assets
Valuation of assets
Determination of criticality
Understanding the risk appetite
What is valuation of assets?
Giving each asset a concrete value and calculating what it would cost if the asset is lost or needs to be repeated or replaced.
What does determination of criticality contain?
A senior manager determines which assets are essential to operate the business. Without those, the business cannot survive.
Single points of failure are bottlenecks. They should be addressed ASAP.
What are the 4 ways to address risk?
Avoidance: leaving a business opportunity because the risk is too high. This risk exceeds the organization’s risk appetite
Acceptance: Falls within risk appetite. Organization keeps operating without any additional efforts
Transference: Organization pays someone else to accept the risk at a lower cost than the normal impact would be. This is the case with insurance. Mostly low-probability but high-impact risks.
Mitigation: Organization takes steps to decrease likelihood of occurrence or impact (or both). Can be in the form of controls, and security practitioners are often involved.
What is residual risk?
Risk that is left over after risk mitigation. The security program aims at reducing residual risk until it falls within the risk appetite.
What are the IaaS boundaries?
In IaaS the cloud customer has the most responsibility. The customer is responsible for everything from the OS upwards.
For audits, logs generated by software and the OS could be collected, as an example.
What are PaaS boundaries?
Cloud provider owns infrastructure and OS. Cloud customer owns everything on top of the OS.
What are SaaS boundaries?
Cloud customer only processes data to and in the system. Customer still remains liable but has little control over how data is protected.
How can we reduce likelihood of breaches as a result of risk associated with giving up control over at least physical assets?
Ensure cloud provider performs background checks, continual monitoring of personnel with access to the datacenter, physical security measures, encryption of data processed and stored, contractual liability to provider etc.
What are the 7 layers of defense in depth?
Data, application, host, internal network, perimeter, physical, and policies/procedures and awareness
Hardening in the cloud
Treat all cloud-related devices as if they are in the DMZ.
CSP should ensure
- guest accounts are removed
- unused ports are closed
- no default passwords remain
- strong password policies are in effect
- admin accounts are significantly secured and logged
- unnecessary services disabled
- Systems are patched, maintained and updated according to standards and guidelines
Encryption in design requirements
Should be used in
Cloud datacenter
- long term storage
- near-term stored files such as snapshots
- prevent unauthorized access to specific datasets
Communication between CSP and Users
- creating secure session
- ensure integrity and confidentiality of data in transit
Layered defense from CSP POV
- personnel controls
- technological controls eg encryption
- physical encryption
- governance mechanisms and enforcement (policies etc)
Layered defense from CC POV
- Training programs
- contractual enforcements
- encryption and isolation on BYOD assets
- Strong access control