Week 10: Securing the Cloud - Key Strategies and Best Practices Flashcards
With ___, we strive to implement security controls that provide proactive protection from threats
prevention
A sound security strategy must include ___ to identify threats or compromises
detection
Timeliness and effectiveness of detection is critical to enable effective response
With ___ activities we seek to address threats as they are detected, or afterward with remediation, recovery, and forensics
response
Addressing security risks can be done in various ways, but without a ___ and a ___ such efforts often prove ineffective
sound process
considered strategy
Whether building a cloud infrastructure or adopting a public cloud service, leveraging the right process and strategy for managing risk will have recurring benefits:
better security,
lower ongoing operational costs,
reputation for taking security seriously enough to plan ahead
security controls equation
On one side, you have the costs involved in the consequences of a security breach or being subject to an exploit
On the other side, you have various costs associated with implementing security countermeasures
There comes a point for any system where additional preventative actions ___
incur costs that bring fewer and fewer returns
diminishing returns
Actors on the two sides of the security controls equation
Engineers and security personnel (countermeasure costs) vs. business people (breach costs and budget)
Effectively managing security risk involves multiple activities that extend over time and can be grouped into four stages
Planning
Implementation
Evaluation
Maintenance
Security Risk Stages - Planning
This stage is a prerequisite to properly match security controls to address risks in an effective manner
Security Risk Stages - Implementation
This stage involves placing and configuring security controls
Security Risk Stages - Evaluation
This stage involves assessing the efficacy of security controls and periodically reviewing their adequacy
Security Risk Stages - Maintenance
Periodically, it will become necessary to perform configuration changes and updates, including security-relevant modifications
Example Framework for Managing Security Risks
NIST (e.g., SP 800-53) and COBIT
Security controls are countermeasures or safeguards to ___ or otherwise ___ to security risks
prevent, avoid, counteract, detect,
respond
They can be technical mechanisms, manual practices, or procedures
Recommended Security Controls for Federal Information Systems and Organizations - which publication?
NIST Special Publication 800-53
NIST Special Publication 800-53 states that, in order for Federal Agencies to comply with federal standards, they must
determine the security category of their information systems in accordance with FIPS 199
derive the information system impact level from the security category in accordance with FIPS 200
apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53
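The three steps above are a procedure, and the first two are mechanical enough to script. The following is an added example (not code from the page, NIST, or any NIST publication) that carries a hypothetical cloud-hosted payroll service through them: it aggregates per-information-type impact values into the system security category the way FIPS 199 Section 3 describes (highest value per objective across all information types), then derives the overall impact level as the FIPS 200 high-water mark, which is what selects the SP 800-53 baseline. The information types and impact values are constructed for illustration; the function and variable names are the example's own.

```python
"""FIPS 199 security categorization and FIPS 200 high-water-mark helper.

Added example; the information types below are constructed, not from a real assessment.
"""
from typing import Dict, Mapping, Optional

LEVELS = ("LOW", "MODERATE", "HIGH")  # FIPS 199 potential impact values, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _rank(level: str) -> int:
    """Position of an impact level in the LOW < MODERATE < HIGH ordering."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def system_security_category(
    info_types: Mapping[str, Mapping[str, Optional[str]]]
) -> Dict[str, str]:
    """Aggregate per-information-type impacts into the system security category.

    FIPS 199 Section 3: for each security objective the system's value is the highest
    value among all information types the system stores, processes, or transmits.
    'N/A' is permitted only for the confidentiality of public information, and FIPS 199
    fixes LOW as the minimum for any system, so an 'N/A' contributes LOW here.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = "LOW"  # FIPS 199 floor for information systems
        for name, impacts in info_types.items():
            if objective not in impacts:
                raise ValueError(f"{name}: missing impact value for {objective}")
            level = impacts[objective]
            if level is None or level == "N/A":
                if objective != "confidentiality":
                    raise ValueError(f"{name}: N/A is only permitted for confidentiality")
                continue
            if _rank(level) > _rank(highest):
                highest = level
        category[objective] = highest
    return category


def system_impact_level(category: Mapping[str, str]) -> str:
    """FIPS 200 high-water mark: the overall level is the highest of the three objectives.

    This single value (LOW, MODERATE, or HIGH) selects the SP 800-53 control baseline
    that is then tailored for the system.
    """
    return max((category[objective] for objective in OBJECTIVES), key=_rank)


def format_security_category(category: Mapping[str, str], system: str = "system") -> str:
    """Render the category in FIPS 199 notation, e.g. SC payroll = {(confidentiality, X), ...}."""
    pairs = ", ".join(f"({objective}, {category[objective]})" for objective in OBJECTIVES)
    return f"SC {system} = {{{pairs}}}"


# Constructed example input: a hypothetical cloud-hosted payroll service and the
# information types it handles. The impact values are illustrative only.
PAYROLL_INFO_TYPES = {
    "public web content": {"confidentiality": "N/A", "integrity": "LOW", "availability": "LOW"},
    "employee PII": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "payroll disbursements": {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"},
}

if __name__ == "__main__":
    sc = system_security_category(PAYROLL_INFO_TYPES)
    print(format_security_category(sc, "payroll"))
    print("system impact level (FIPS 200 high-water mark):", system_impact_level(sc))
```

Note the two places where a categorization commonly goes wrong: an 'N/A' must never be propagated to the system level (the system floor is LOW), and a single HIGH on any one objective makes the whole system HIGH even when the other two objectives are LOW, which is exactly why the high-water mark is often what drives the cost side of the security controls equation.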
NIST-defined controls are divided into 3 broad classes
Technical, Operational, and Management (this class grouping is from SP 800-53 Rev 3; Rev 4 dropped the classes and kept only the families)
Security controls are further organized into ___ that fall into these ___ (e.g., Access Control, AC)
18 families (in Rev 3 and Rev 4; Rev 5 expanded this to 20)
3 classes
Each NIST security control has a unique identifier formed from its family abbreviation and a number, for example
AC-14 (Access Control family, control 14: Permitted Actions without Identification or Authentication)
In the U.S. federal government, non-classified systems are characterized as low-, moderate-, or high-___ information systems
impact
The emphasis on security controls in this unclassified realm might not be as much on ___ as it is on ___ and ___
confidentiality
integrity
availability
FIPS 199 Impact Classification LOW
if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals; a limited adverse effect means the loss might
cause a degradation in mission capability to an extent and duration that the organization is still able to perform its primary functions, but with noticeably reduced effectiveness
result in minor damage to organizational assets
result in minor financial loss
result in minor harm to individuals
FIPS 199 Impact Classification HIGH
if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals (the middle level, MODERATE, corresponds to a serious adverse effect)
In the classified world, the implementation of information categories is achieved by adding new structures and mechanisms to label information and enforce separation at the ___
OS level
Another set of security controls that are sometimes used in the classified world have to do with the concept of ___
“originator controlled” data
“originator controlled” data
An illustrative example of this is an email that the original sender addresses to a set of trusted recipients
However, the original sender may wish to control the resending of those emails to other potential recipients
The Cloud Security Alliance Approach to cloud security
The Cloud Security Alliance developed a Cloud Controls Matrix
Cloud Controls Matrix
A framework of control specifications mapped to other standards and regulations; version 1.0 had nearly 100 distinct controls, and version 3.0.1 has 133 controls grouped into 16 domains
Version 1.0 was released in April 2010, version 3.0.1 in July 2014
The CSA Cloud Controls Matrix emphasizes business information ___ in a form that provides ___ and ___ for matching information security to cloud industry needs
security controls
structure
detail