Week 13: Evaluating Cloud Security - An Information Security Framework Flashcards

1
Q

The framework defines a number of checklists of ___ that span the range of activities that together support information security for cloud computing

The goal is to provide an __, which can be used to evaluate the security of a private, community, public, or hybrid cloud

A

evaluation criteria

organized set of tools

2
Q

Evaluating the security of a ___ may best be done by managing the evaluation of the two or more cloud instances using one set of checklists per instance

A

hybrid cloud

3
Q

The ___ and ___ of a cloud share responsibility for ensuring that security measures are in place and standards/procedures are followed

A

owner

operator

4
Q

The ___ takes a similar approach in detailing security requirements for cloud implementations

A

Cloud Security Alliance Controls Matrix

5
Q

A good starting point when you need to measure the presence and effectiveness of cloud security includes having a list of ___

A

required or recommended security controls

6
Q

It is not enough that a security control is present
That control also needs to be effective
One can describe this as the ___

A

degree of trust (or assurance) that can be expected from these controls

7
Q

Measuring the presence and/or effectiveness of security controls is largely what ___ are intended to do

A

security evaluations

8
Q

designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider

A

Cloud Controls Matrix (CCM)

9
Q

focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency

A

Consensus Assessments Initiative Questionnaire

10
Q

presents security guidance for a number of areas in cloud computing: architecture, governance, traditional security, virtualization

A

Security Guidance for Critical Areas of Focus in Cloud Computing

11
Q

discusses the major identity management functions as they relate to cloud computing

A

Guidance for Identity & Access Management

12
Q

leading the security guidance efforts in Europe, and has produced several publications

A

European Network and Information Security Agency (ENISA)

13
Q

A set of assurance criteria addressing the risk of adopting cloud computing

A

Cloud Computing: Information Assurance Framework

14
Q

A security policy defines the organization’s overall ___

A

security goals

15
Q

Standards

A

Standards state mandatory actions that support the policy

16
Q

Guidelines

A

provide guidance for implementation of standards

17
Q

___ for a cloud is a foundation of operational security

A

Personnel security

18
Q

Checklist 1: Policy, Standards, & Guidelines

A

Has a security policy been clearly documented, approved, and represented to all concerned parties as representing the management’s intent?

Has the security policy had legal, privacy, and other governance review?

Has the security policy been augmented by security standards and/or guidelines?

Has the policy been augmented by a privacy policy?

Are the security and privacy policies, as well as standards and guidelines, consistent with industry standards (such as 27001, COBIT, etc.)?

19
Q

Checklist 2: Transparency

A

Does the CSP provide customers with a copy of the governing policies, standards, and guidelines?
- Are customers notified of changes to these documents?

Does the CSP provide customers visibility into internal and external audits?

Does the CSP provide customers visibility into third party compliance audits?

Does the CSP provide customers visibility into penetration tests?

Does the CSP provide customers visibility into CSP asset management and repurposing of equipment?

20
Q

Checklist 3: Personnel Security

A

Are there policies and procedures for:

- Hiring employees with access to or control over cloud components?
- Pre-employment checks for personnel with privileged access?

Are personnel security policies consistent across locations?

Is there a security education program, and if so, how extensive is it?

Is personnel security frequently reviewed to determine if employees with access should continue to have access?

Are personnel required to have and maintain security certifications?

Does physical access to the CSP’s facility require background checks?

21
Q

Checklist 4: Third Party Providers

A

Are any services or functions provided by a third party?

If any part of a cloud is subcontracted or otherwise outsourced, does the providing party comply with the same policy and standards that the CSP enforces?

If used, are third party providers audited for compliance with the CSP's policies and standards?

Does the CSP security policy (or equivalent) and governance extend to all third party providers?

22
Q

Business considerations include ___, business ___, and resource ___

A

legal
continuity
provisioning

23
Q

Resource provisioning has to do with assuring that the cloud service will be sufficiently resourced as ___

A

customer demand increases

24
Q

Checklist 5: Legal

A

In which jurisdiction is the CSP incorporated?

In which jurisdiction will data be stored?

Does the CSP use third party providers who are not located in the same jurisdiction?

Does the CSP use a customer’s data for secondary purposes?

Does the CSP have a documented procedure for responding to legal requests (such as a subpoena) for customer data?

Is the CSP insured against losses, including remuneration for customer losses due to CSP outages or data exposure?

25
Q

Checklist 6: Business Continuity

A

Does the CSP have a formal process or contingency plan that documents and guides business continuity?

What are the service recovery point objective (RPO) and recovery time objective (RTO)?

Is information security integral to recovery and restoration?

How does the CSP communicate a disruption of services to customers?

Is there a secondary site for disaster recovery?

26
Q

Checklist 7: Resource Provisioning

A

What controls and procedures are in place to manage resource exhaustion?
- Processing oversubscription
- Memory or storage exhaustion
- Network congestion

Does the CSP limit subscriptions to the service in order to protect SLAs?

Does the CSP provide customers with utilization and capacity planning information?

27
Q

The ___ and ___ of an operational cloud depends on the integrity of components that comprise it

A

integrity

security

28
Q

___ is a primary vector for vulnerabilities and exploits

A

Software

29
Q

The ___ between different classes of traffic will drive other security requirements

A

degree of isolation

30
Q

___ are generally responsible for the platform software stack

A

CSPs

31
Q

Checklist 8: Software Assurance

A

What controls are in place to maintain integrity of operating systems, applications, firmware updates, configuration files, and other software?

What industry standards, guidelines, or best practices are followed?

What controls or guidelines are used to obtain or download software and configuration files?

What guidelines or procedures are used to maintain software integrity?

Is penetration or vulnerability testing used on each release?

How are identified vulnerabilities remediated?

32
Q

Checklist 9: Network Security

A

What controls are in place to manage externally and internally sourced attacks, including distributed denial of service (DDoS)?

How is isolation between VMs managed?

How does the provider manage isolation between customer accessed systems and cloud management systems?

Does the CSP perform periodic penetration testing and/or vulnerability testing against the cloud?

Is vulnerability information made available to customers?

Does the CSP allow customers to perform vulnerability testing against their own VMs?

33
Q

Checklist 10: Host and VM Security

A

Are VM images patched before they are provisioned?
- How and how frequently are VM images patched after being provisioned?

Can a customer provide his/her own VM image?

Do VM images include operating IDS or intrusion prevention systems (IPS) that the CSP/tenant has access to?

Do VM images include any form of network, performance, or security instrumentation that the CSP/tenant has access to?

How is isolation ensured between server co-located VMs for different customers?

How is communication implemented between VMs for the same customer?

35
Q

Checklist 11: PaaS and SaaS Security

A

How does the CSP isolate multitenant applications?

How does the CSP isolate a user’s or tenant’s data?

How does the CSP identify new security vulnerabilities in applications and within the cloud infrastructure?

Does the CSP provide security as a service features for PaaS?
- Authentication, single sign on, authorization, and transport security

What administrative controls does the CSP provide to a tenant/user?

Do these support defining/enforcing access controls?

Does the CSP provide separate test and production environments for PaaS customers?

36
Q

Checklist 12: Identity and Access Management

A

How does the CSP manage accounts with administrator or higher privilege?

Does the CSP enforce privilege separation (for instance, RBAC)?

Does the CSP grant tenants or users administrator privileges, and if so, what are the limits to this?

Does the CSP verify user identity at registration? If so, are there different checks depending on resources to which access is granted?

How are credentials and accounts deprovisioned?

Is multifactor authentication used?

37
Q

Checklist 13: Key Management & Cryptography

A

How does the CSP protect keys, and what security controls are in place to this aim?
- Who has access to such keys?

What procedures are in place to manage and recover from the compromise of keys?

Is key revocation performed in a cloud-wide atomic operation?

For what operations (and where) is encryption used?
- Does security policy clearly define what must be encrypted?

Are all encryption mechanisms based on third party tested and evaluated products?

38
Q

Many concerns around public clouds have to do with the fact that ___ is in a third party’s control

A

physical security of IT

With a public cloud, a physical breach will affect multiple customers

39
Q

The goal of incident management and response is to ___

A

minimize or contain the impact of events

40
Q

Checklist 14: Data Center Physical Security

A

What are the requirements for being granted physical access to the CSP’s facility?
- Do non-employees require escort in the facility?

Is the facility divided into zones with distinct access permissions?

Is strong authentication required for physical access?

Is all access monitored and documented?

 - Are all entry locations alarmed and monitored?
 - Is video monitoring used for all common areas of the facility?

How long is video retained?

Is power and networking secured within the facility?

Are environmental systems (lighting, AC, fire detection) implemented to industry standards?

41
Q

Checklist 15: Data Center Asset Management

A

Does the CSP maintain a current and complete inventory of all hardware, network, software, and virtual components that comprise the cloud?

Does the CSP automate inventory tracking and management?

Does the CSP maintain a record of all assets that a customer has used or on which a customer has stored data?

Does the CSP support asset categories of different sensitivity levels?

 - If so, how are these isolated or separated from each other?
 - Does the CSP maintain segregation or physical separation of assets at different sensitivity levels?

42
Q

Checklist 16: Operational Practices

A

Are operating procedures clearly documented and followed?

Is there a formal change control process?
- Does change control include a means to guide decisions as to what changes require a reassessment of risk?

Are there separate environments for development, testing, and production?

What security controls are used to mitigate malicious code?

What are the backup procedures?
- Where are backups stored, and for how long are they kept?

Will the CSP securely delete all copies of customer data after termination of the customer’s contract?

43
Q

Checklist 17: Incident Management

A

What information is captured in audit, system, and network logs?

 - How long is it retained, and who has access to it?
 - What controls are used to protect these logs?

Does the CSP have formal processes to detect, identify, and respond to incidents?
- Are these processes periodically tested to verify that they are effective?

Does the CSP allow customers to implement a host-based IDS in VMs?

Does a CSP accept customer events and incident information into their security monitoring and incident management process?

Does the CSP offer transparency into incident events?

 - If so, what kind of information is shared with customers and users?
 - Does the CSP report statistics on incidents to customers?

44
Q

The checklists alone have utility to judge the security of a cloud

However, what prospective public cloud customers and owners of a private cloud want to know is

A

How secure is the implementation?
Is the CSP meeting best practices for security?
How well does the CSP meet security requirements?
How does this service compare with other similar services?

45
Q

There is a good deal of variation in how controls can be ___ and how they can be ___

A

implemented
measured

This makes it very difficult to identify metrics for each question

46
Q

With respect to security checklists, existing approaches for measuring security meet this challenge by

A

detailing fine-grained security controls for specific realms (NIST 800-53)

specifying which of these controls apply to systems operating at different levels of assurance or sensitivity