Week 12: Security Criteria - Selecting an External Cloud Provider Flashcards
Simply stating that a CSP is compliant only amounts to ___
self-certification
___ are organizational programs whose scope covers every aspect of policy through specific security controls and procedures
Information Security Management Systems (ISMS)
ISO 27001 identifies several categories of security control objectives (the eleven control areas below follow the 2005 edition's Annex A; the 2013 and 2022 revisions regroup them)
Security Policy
Organization of Information Security
Asset Management
Human Resources
Physical and Environmental Security
Communications and Operations Management
Access Control
Systems Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
Information Security Management Systems (ISMS) - Security Policy
The policy should be consistent with business objectives and meet business requirements, and it should comply with laws and regulations
Information Security Management Systems (ISMS) - Organization of Information Security
A management framework to implement security, assign security roles, and coordinate implementations across the organization
Information Security Management Systems (ISMS) - Asset Management
Establishes responsibility for, and protects, an organization's assets
Information Security Management Systems (ISMS) - Human Resources
This includes all aspects of personnel, including contractors and third party users, as well as all phases of employment
Information Security Management Systems (ISMS) - Physical and Environmental Security
This involves every aspect of ensuring a controlled and protected environment for information facilities and equipment
Information Security Management Systems (ISMS) - Communications and Operations Management
Defines responsibilities for information processing facilities and establishes procedures for their operation and control
Information Security Management Systems (ISMS) - Access Control
Controls access to information and ensures that controls meet organizational requirements
Information Security Management Systems (ISMS) - Systems Development and Maintenance
Identifies security requirements before starting the development process or any other aspect of implementation or acquisition
Verifies that applications and controls operate correctly and are appropriate
Information Security Management Systems (ISMS) - Information Security Incident Management
Reports security events, incidents, and weaknesses
Establishes formal processes and procedures for managing incidents
Information Security Management Systems (ISMS) - Business Continuity Management
Establishes and uses a business continuity management process to counteract interruptions and protect critical processes
Information Security Management Systems (ISMS) - Compliance
Ensures compliance with legal and regulatory requirements
Obtaining accreditation is both time ___ and ___
consuming
expensive
SAS 70 (Statement on Auditing Standards No. 70), Type II
This auditor's report (not, strictly, a certification) covers a CSP's infrastructure, policies, and procedures over a period of time, to assure that the CSP follows best practices in minimizing the risk of service disruption and in securing customer data. SAS 70 was retired in 2011 and replaced by SSAE 16 and the SOC 1 / SOC 2 report family, which is what a CSP is likely to offer today
ISO 27001/2
More comprehensive than SAS70
Cloud Security Alliance (CSA)
In 2010, CSA revealed an initial program for accreditation / certification oriented toward certifying competency in cloud security practices
FISMA, FedRAMP, and NIST SP 800-53
U.S. federal government programs (FISMA, FedRAMP) and the NIST SP 800-53 control catalog they draw on, used to assess the security of federal IT systems; FedRAMP is the program that applies specifically to cloud services used by federal agencies
Uptime Institute
“Provides education, publications, consulting, certifications, conferences and seminars, independent research, and thought leadership for the enterprise data center industry and for data center professionals”
transparency
the degree of visibility into security policy and operations that a CSP offers its customers
Although customers should not expect a CSP to provide details on how security is implemented, they should expect a CSP to be open and accountable about its security practices
What should be kept secret in CSP security includes
specific implementation details that an attacker could exploit
Overall, risk can be broadly classified into three categories
Technical Risks
Policy and Legal Risks
Operational Risks
Technical Risks
isolation failure, data interception, data leakage, and malicious probes
Policy and Legal Risks
loss of governance, compliance failures, jurisdictional issues, subpoenas, and licensing issues
Operational Risks
malicious insiders, errors and misconfigurations, bandwidth problems, social engineering, loss of backup data, physical security compromise, loss of encryption keys
Disaster recovery covers not only natural events such as earthquakes, fires, or tornadoes; it also includes how you recover from disasters caused by ___
human error
Security Criteria
Security Policies
Security Staff
Independence
Change Management
Upgrades and Patch Management
Scans
Forensics
Incident Management
Business Continuity
It is easier to patch ___ and then copy customer components onto a copy of that image than to patch each running instance individually
a golden image
Security engineers need to have a primary responsibility of security, but not of ___, as the two roles can conflict
operations
The team that owns this security responsibility is often called a Security Operations Center (SOC)
The kind of ___ that are deployed, along with the ___ that comprises the cloud, can be valuable information for customers
servers
foundational software
The act of backing up the cloud might ___
compromise security
Is encryption applied as backups are created?
When backups are physically moved to another location, is there a chain of custody?
Are there measures in place to ensure that the data has not been tampered with during the move?
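The last two questions above are checkable rather than merely askable. The following is an added example (not part of the flashcards, and not any provider's own tooling) showing, in Python's standard library, how a backup can be sealed with a keyed integrity tag before transport and how each hand-off can be recorded in a hash-chained custody log, so that both a modified archive and a missing or edited custody entry are detected on receipt. It assumes the archive has already been encrypted by a separate tool (the sample bytes, the two keys and the three hand-off events are all constructed for the demo).

```python
import hashlib
import hmac
import json

# Constructed sample standing in for the ciphertext a backup tool produced.
# In practice the blob sealed here is the encrypted archive, never plaintext.
SAMPLE_ENCRYPTED_BACKUP = bytes(range(256)) * 4


def seal_backup(blob: bytes, integrity_key: bytes) -> dict:
    """Manifest shipped with the blob: size, SHA-256 (for logging) and an HMAC.
    Anyone can recompute the digest; only a holder of integrity_key can
    recompute the HMAC, so an altered blob cannot be given a matching tag."""
    return {
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "hmac": hmac.new(integrity_key, blob, hashlib.sha256).hexdigest(),
    }


def verify_backup(blob: bytes, manifest: dict, integrity_key: bytes) -> bool:
    """Receiver-side check: size and keyed tag must both match (constant-time)."""
    if len(blob) != manifest["size"]:
        return False
    expected = hmac.new(integrity_key, blob, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def _entry_mac(entry: dict, custody_key: bytes) -> str:
    """MAC over a canonical JSON form of the entry, excluding its own mac field."""
    body = json.dumps({k: v for k, v in entry.items() if k != "mac"},
                      sort_keys=True).encode()
    return hmac.new(custody_key, body, hashlib.sha256).hexdigest()


def append_custody(log: list, event: str, actor: str, manifest: dict,
                   custody_key: bytes) -> list:
    """Record one hand-off. Each entry embeds the previous entry's MAC, so
    deleting, reordering or editing any entry breaks the chain at that point."""
    entry = {
        "seq": len(log),
        "event": event,
        "actor": actor,
        "backup_hmac": manifest["hmac"],          # ties the log to this archive
        "prev_mac": log[-1]["mac"] if log else "0" * 64,
    }
    entry["mac"] = _entry_mac(entry, custody_key)
    log.append(entry)
    return log


def verify_custody(log: list, manifest: dict, custody_key: bytes) -> bool:
    """Walk the chain from the first entry, recomputing every link."""
    prev = "0" * 64
    for seq, entry in enumerate(log):
        if entry["seq"] != seq or entry["prev_mac"] != prev:
            return False                          # gap or reordering
        if entry["backup_hmac"] != manifest["hmac"]:
            return False                          # log belongs to another archive
        if not hmac.compare_digest(_entry_mac(entry, custody_key), entry["mac"]):
            return False                          # entry was edited
        prev = entry["mac"]
    return bool(log)


def run_transfer_demo(integrity_key: bytes, custody_key: bytes) -> dict:
    """Seal, hand off three times, then try the failure modes the checklist asks about."""
    manifest = seal_backup(SAMPLE_ENCRYPTED_BACKUP, integrity_key)
    log = []
    for event, actor in [("created", "backup-service"),
                         ("picked-up", "courier"),
                         ("received", "dr-site")]:
        append_custody(log, event, actor, manifest, custody_key)

    tampered = bytearray(SAMPLE_ENCRYPTED_BACKUP)
    tampered[100] ^= 0x01                         # single flipped bit in transit
    missing_handoff = [log[0], log[2]]            # courier entry removed
    edited = [dict(e) for e in log]
    edited[1]["actor"] = "unknown"                # hand-off attributed to someone else

    return {
        "intact_ok": verify_backup(SAMPLE_ENCRYPTED_BACKUP, manifest, integrity_key),
        "tampered_ok": verify_backup(bytes(tampered), manifest, integrity_key),
        "custody_ok": verify_custody(log, manifest, custody_key),
        "custody_with_missing_handoff_ok": verify_custody(missing_handoff, manifest, custody_key),
        "custody_with_edited_actor_ok": verify_custody(edited, manifest, custody_key),
    }


if __name__ == "__main__":
    # Constructed demo keys; real keys come from a KMS and differ per purpose.
    print(json.dumps(run_transfer_demo(b"i" * 32, b"c" * 32), indent=2))
```

The two keys are deliberately separate: the party verifying the custody log (for example an auditor) need not be able to re-seal archives. A single shared custody key only proves the chain was not altered by an outsider; if each hand-off party must be held individually accountable, replace the custody HMAC with a per-party digital signature over the same canonical entry.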
Service Level Agreements (SLA) are a critical component of a public cloud’s ___
availability guarantees
Elasticity
Make sure you understand how the cloud provider scales its cloud and balances load
How do they accommodate customer growth?
How is load shared among nodes, and how does that affect adoption of the cloud for your particular application?
In terms of security, it is important to understand the ___ of the public cloud provider for key personnel involved in the development and management of the cloud
hiring policies and procedures