These slides will cover the “Certified Cloud Security Professional” course by (ISC)2.
They are supposed to give you an idea about the course contents, and make it easier for you when reviewing the subjects.
2. Hello!
I am Hatem ELSAHHAR
CISSP, CEH, Security+, Blue Coat Certified Cloud
Service Troubleshooting, Blue Coat Certified
Proxy Professional, Zscaler Certified Cloud
Administrator, Blue Coat SSL Visibility
You can find more about me at:
https://www.linkedin.com/in/elsahhar
Recognized as the first and only candidate in Egypt to achieve
the CCSP certificate*
* As of December 2017
5. “Cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.”
14. Cloud Reference Architecture
◎Cloud Computing Activities
○ ISO/IEC 17789:2014: Information technology - Cloud computing -
Reference architecture
◎Cloud Computing Roles (Customer, Provider, and
Partner)
◎Cloud Service Capabilities
◎Cloud Service Categories (IaaS, PaaS, and SaaS)
◎Cloud Deployment Models (Public, Private, Hybrid,
and Community)
15. Security Concepts of Cloud Computing
◎Cryptography
◎Access control
◎Data and media sanitization
◎Network security
◎Virtualization security
◎Common threats
21. Common Threats
◎Data breaches
◎Insufficient identity, credential, and access management
◎Insecure interfaces and APIs
◎System vulnerabilities
◎Account hijacking
◎Malicious insiders
◎Advanced persistent threats
◎Data loss
◎Insufficient due diligence
◎Abuse and nefarious use of cloud services
◎Denial of service
◎Shared technology issues
22. Design Principles of Secure Cloud Computing
◎Cloud data lifecycle
Create > Store > Use > Share > Archive > Destroy
◎Cloud-Based Business Continuity/Disaster Recovery
◎Cost–Benefit Analysis
Data Center Costs vs. Operational Expense Costs
◎Resource Pooling and Cyclical Demands
e.g. online store availability during Black Friday
◎Focus Change (to business instead of operations)
◎Ownership and Control
◎Cost Structure (CapEx vs OpEx)
29. Data Discovery & Classification
◎Data discovery is a business intelligence operation
and a user-driven process where data is visually
represented and analyzed to look for patterns or
specific attributes. (e.g. Big Data & real-time analytics)
◎Classification is the process of analyzing data for
certain attributes, and then using that to determine
the appropriate policies and controls to apply to
ensure its security. (e.g. creator, type of data, storage
location)
30. Restrictions on Handling PII
◎PII: Personally Identifiable Information
(e.g. social ID number, mobile number, full name)
◎Pay extra attention when dealing with it
◎Check the jurisdictional data
protections
31. Data Rights Management
◎Data rights management is an extension of normal
data protection, where additional controls and ACLs
are placed onto data sets that require additional
permissions or conditions to access and use beyond
just simple and traditional security controls.
◎Consider:
○ Auditing the usage
○ Expiration of the rights
○ Granular policy control
○ Support of applications and formats
32. Data Retention, Deletion, and Archiving
◎Data retention involves the keeping and maintaining of
data for a period of time as well as the methods used to
accomplish these tasks.
◎Data deletion: When data is no longer needed in a
system, it must be removed in a secure way that
guarantees it is no longer accessible or recoverable in the
future.
◎Data archiving typically involves removing data from
production systems and placing it onto other systems
that are usually cheaper storage options, scaled and
configured for long-term storage.
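The classification slide and the retention/deletion/archiving slide above describe one pipeline: attributes of a record (creator, type of data, storage location) decide its class, the class decides which controls apply, and the retention period attached to the class decides when the record moves from Store/Use into Archive and finally Destroy. The following is an added example, not code from the slides or from (ISC)2; the policy table, the class labels, the PII type names and the sample records are all constructed assumptions.

```python
"""Added example: rule-based classification driving controls and retention.
POLICY, PII_TYPES and the sample records are constructed for illustration."""

from datetime import date, timedelta

# Constructed policy table: class -> required controls and retention period.
POLICY = {
    "restricted":   {"encrypt_at_rest": True,  "drm": True,  "retention_days": 365 * 7},
    "confidential": {"encrypt_at_rest": True,  "drm": False, "retention_days": 365 * 3},
    "public":       {"encrypt_at_rest": False, "drm": False, "retention_days": 365},
}

# Constructed list of data types that count as PII for this example.
PII_TYPES = {"national_id", "phone", "full_name", "card_number"}

# Creators whose output defaults to confidential (assumption).
SENSITIVE_CREATORS = {"finance", "legal"}

# Fraction of the retention period after which data leaves production storage.
ARCHIVE_FRACTION = 0.8


def classify(record):
    """Return the class for a record. The most sensitive matching rule wins,
    so PII is restricted regardless of who created it or where it lives."""
    if record["data_type"] in PII_TYPES:
        return "restricted"
    if record["creator"] in SENSITIVE_CREATORS:
        return "confidential"
    return "public"


def controls(record):
    """Controls that must be applied to the record, looked up via its class."""
    return POLICY[classify(record)]


def lifecycle_action(record, today_iso):
    """Retention decision for one record on a given day (ISO date string):
    'keep' while in its retention window, 'archive' once it is past
    ARCHIVE_FRACTION of the window, 'destroy' once the window has elapsed."""
    retention = timedelta(days=controls(record)["retention_days"])
    age = date.fromisoformat(today_iso) - date.fromisoformat(record["created"])
    if age >= retention:
        return "destroy"
    if age >= retention * ARCHIVE_FRACTION:
        return "archive"
    return "keep"


if __name__ == "__main__":
    # Constructed sample records.
    samples = [
        {"creator": "hr", "data_type": "national_id", "location": "eu-west", "created": "2023-12-31"},
        {"creator": "marketing", "data_type": "brochure", "location": "cdn", "created": "2023-03-07"},
        {"creator": "finance", "data_type": "invoice", "location": "eu-west", "created": "2017-01-01"},
    ]
    for r in samples:
        print(classify(r), controls(r), lifecycle_action(r, "2024-01-01"))
```

The destroy step returns only a decision; the actual secure deletion (crypto-shredding or provider-side sanitization) is a separate control that the decision feeds.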
37. Physical Hardware
◎Typically tens or hundreds of thousands of servers,
spread across multiple physical locations.
◎This requires enormous power and cooling
resources.
◎All systems MUST be redundant and allow
maintenance to be performed causing NO downtime.
38. Networking
◎Customer transparency: Although you will have a
large network of switches, routers, and network
security devices, remember that your customers do
not really see them and they will just expect them to
always work and never have issues.
◎Software-Defined Networking (SDN): The decisions
concerning where traffic is filtered or sent and the
actual forwarding of traffic are completely separate
from each other.
39. Computing (Memory & CPU)
◎Key concepts
○ Reservations: minimum resources that are guaranteed to a
customer.
○ Limits: As opposed to reservations, limits are put in place to
enforce maximum utilization of resources by a customer.
○ Shares: Prioritizing hosts within a cloud environment through a
weighting system when resources are fully consumed.
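The three terms above only make sense together under contention: a reservation is a floor that is honoured first, a limit is a ceiling that is never exceeded, and shares decide how whatever capacity remains is split among tenants that still want more. The scheduler below is an added illustration written for this deck, not hypervisor code or anything from the original slides; the tenant names, the capacity figure and the share weights are constructed.

```python
"""Added example: allocating a fixed CPU pool to tenants using
reservations (floor), limits (ceiling) and shares (weight under contention).
All tenant data in the demo is constructed."""

from dataclasses import dataclass


@dataclass
class Tenant:
    name: str
    reservation: float   # minimum guaranteed to the tenant
    limit: float         # hard cap the tenant may never exceed
    shares: int          # relative weight, used only when the pool is contended
    demand: float        # what the tenant currently asks for


def wanted(t):
    """What a tenant can actually receive: its demand, capped by its limit."""
    return min(t.demand, t.limit)


def allocate(tenants, capacity):
    """Return {tenant name: allocation}.
    1. Refuse an over-committed pool (reservations exceed capacity).
    2. Give every tenant its reservation (but never more than it wants).
    3. Split the remainder in proportion to shares among tenants that still
       want more; tenants that reach their cap drop out and their unused
       portion is redistributed, so no unit is wasted while demand exists."""
    total_reserved = sum(t.reservation for t in tenants)
    if total_reserved > capacity:
        raise ValueError(f"over-committed reservations: {total_reserved} > {capacity}")

    alloc = {t.name: min(t.reservation, wanted(t)) for t in tenants}
    remaining = capacity - sum(alloc.values())

    while remaining > 1e-9:
        hungry = [t for t in tenants if alloc[t.name] < wanted(t) - 1e-9]
        if not hungry:
            break                      # everyone is satisfied; leave the rest idle
        total_shares = sum(t.shares for t in hungry)
        distributed = 0.0
        for t in hungry:
            grant = min(remaining * t.shares / total_shares, wanted(t) - alloc[t.name])
            alloc[t.name] += grant
            distributed += grant
        remaining -= distributed
    return alloc


if __name__ == "__main__":
    # Constructed tenants: C is capped by its limit, B has the most shares,
    # A keeps its reservation even though it has very few shares.
    pool = [
        Tenant("A", reservation=2, limit=6, shares=100, demand=8),
        Tenant("B", reservation=1, limit=10, shares=300, demand=10),
        Tenant("C", reservation=3, limit=3, shares=200, demand=5),
    ]
    print(allocate(pool, capacity=10))   # A=3, B=4, C=3
```

The over-commit check is the security-relevant part: a provider that sells reservations summing to more than the physical pool has promised availability it cannot deliver, which is exactly the "shared technology" and availability risk the threats slide lists.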
40. Storage
◎Volume storage: where storage is allocated to a
virtual machine and configured as a typical hard
drive and file system on that server.
◎Object storage: where data is stored on a system
separate from the application and access occurs via
APIs, network requests, or a web interface.
42. Management Plane
◎Cloud provider can manage all the hosts within the
environment from a centralized location, without the
need to go to each individual server to perform
certain tasks.
◎Typically performed by a series of remote calls and
function executions or a set of APIs.
43. Analyze Risks of Cloud Infrastructure
Same level of risk as other hosting models, plus:
◎Risks related to lock-in
◎Virtualization risks (e.g. hypervisor compromise)
◎High availability
◎Data security and privacy
◎Legal and regulatory controls
44. Design & Plan Security Controls
◎Physical and environmental protection
◎System and communication protection
◎Virtual systems protection
◎Managing Identification, Authentication, and
Authorization
49. Usage of APIs
◎Two main types of APIs:
○ Representational State Transfer (REST)
Uses HTTP protocol and supports a variety of data formats such as
JSON and XML
○ Simple Object Access Protocol (SOAP)
It is a protocol and standard for exchanging information between web
services in a structured format allowing only the use of XML-formatted
data
55. Cloud Application Architecture
In addition to securing the application itself, we will
apply layered defense using other technologies, such
as:
◎Firewalls
◎Web Application Firewalls (WAF)
◎XML Appliances
◎Cryptography
◎Sandboxing
◎Application virtualization
56. Identity and Access Management (IAM)
◎Federated Identity (IdP & SP)
○ Deployments:
◉ SAML
◉ OAuth
◉ OpenID
◎SSO
◎Multifactor authentication:
○ Something you know
○ Something you have
○ Something you are
58. Module Contents
◎Planning process for the Data Center design
◎Build the physical infrastructure
◎Run the physical infrastructure
◎Manage the physical Infrastructure
◎Build the logical infrastructure
◎Run the logical infrastructure
◎Manage the logical infrastructure
59. Planning Process for Data Center Design
◎Logical design
○ Virtualization
○ Access Control
○ APIs
◎Physical design
○ Location
60. Build The Physical Infrastructure
◎Secure configuration of hardware-specific
requirements
◎BIOS settings
◎Servers
◎Storage communication (SAN, NAS, iSCSI)
61. Run The Physical Infrastructure
◎Access control for local access (KVMs)
◎Securing network configurations
○ VLANs
○ TLS
○ IPsec
○ DNSSEC
○ OS Hardening – using baselines
◎Maintenance mode
◎High availability
62. Manage The Physical Infrastructure
◎Patch management
◎Performance monitoring
◎Hardware monitoring
◎Backup and restore
◎Implementing network security
◎Orchestration
63. Build The Logical Infrastructure
◎Secure Configuration of Virtual Hardware
(Specific Requirements)
64. Run The Logical Infrastructure
◎Secure Network Configuration
○ VLANs
○ TLS
○ DHCP
○ DNS
○ IPsec
◎OS Hardening - Application of Baselines
65. Manage The Logical Infrastructure
◎Access Control for Remote Access
○ TLS
○ Citrix
◎OS Baseline Compliance Monitoring and Remediation
◎Patch management
◎Performance monitoring
◎Backup & restore
67. Module Contents
◎Legal requirements and risks within the cloud
◎Privacy issues and jurisdictional variation
◎Audit planning and reporting
◎Outsourcing and vendor management
68. Legal Requirements & Risks Within The Cloud
◎International legislation conflict (each country has its
own laws, which will definitely conflict with other
countries' interests when a dispute arises)
◎E-Discovery in data centers vs the cloud
◎Scope of each role should be clearly stated in the
contracts
69. Privacy Issues and Jurisdictional Variation
◎PII security is the responsibility of the application
owner
◎Important American Act names:
○ The Gramm-Leach-Bliley Act (GLBA)
○ Health Insurance Portability and Accountability Act (HIPAA)
○ Safe Harbor
○ Sarbanes–Oxley Act (SOX)
◎Important European Act names:
○ Directive 95/46 EC
○ General Data Protection Regulation (GDPR)
70. Audit Planning and Reporting
◎Audit Plan
◎Famous Audit Reports
◎ISAE 3402, issued by the International Auditing and
Assurance Standards Board
71. Outsourcing and Vendor Management
◎State the business requirements clearly
◎Define the SLAs
◎Have controls to adequately monitor the processes
and deliverables
73. Credits
Special thanks to all the people who made and released
these awesome resources for free:
◎ Presentation template by SlidesCarnival
◎ Photographs by Unsplash & Death to the Stock Photo
(license)
Editor's Notes
Cloud Service Capabilities
Customer can provision and have substantial configuration control over processing, storage, and network resources
Customer can deploy code and applications using programming languages and libraries that are maintained and controlled by the cloud provider.
Customer uses a fully established application provided by the cloud provider, with minimal user configuration options allowed.
Encryption
In use: use the DRM instead
In transit: TLS/SSL, VPN, IPsec, and HTTPS
At rest: file-level and storage-level encryption
Key management
Where are the keys? (Internal storage, External storage, or 3rd Party)
Masking 5422-1234-6574-8875 > 5422-****-****-8875
Obfuscation 5422-1234-6574-8875 > 5422-1234
Anonymization 5422-1234-6574-8875 > sqok-ashf-hast-vaty (irreversible)
Tokenization 5422-1234-6574-8875 > asud-dgau-ftde-aetf (using an index, can be reverted)
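The four transforms in the notes differ in exactly one property each: masking keeps the format and hides the middle, obfuscation (as shown here) simply truncates, anonymization has no stored mapping and so cannot be reverted, and tokenization stores a random surrogate in an index (the vault) so that it can be. The code below is an added example for this deck, not part of the slides; the sample number is the constructed one from the notes, and the HMAC key and the in-memory vault are assumptions made for illustration.

```python
"""Added example: masking, obfuscation, anonymization and tokenization of a
constructed card-style number. KEY and the in-memory TokenVault are assumptions."""

import hashlib
import hmac
import secrets
import string

SAMPLE = "5422-1234-6574-8875"      # constructed sample value from the notes
KEY = b"constructed-demo-key-not-for-real-use"   # assumption: would live in a KMS


def mask(value, keep_lead=4, keep_trail=4):
    """Masking: keep the first/last digits, replace the rest with '*'.
    Format (length, hyphens) is preserved; the operation is irreversible."""
    n_digits = sum(c.isdigit() for c in value)
    out, idx = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if idx < keep_lead or idx >= n_digits - keep_trail else "*")
            idx += 1
        else:
            out.append(c)
    return "".join(out)


def obfuscate(value, groups=2):
    """Obfuscation as the notes show it: drop everything after the first N groups."""
    return "-".join(value.split("-")[:groups])


def _letters_from_bytes(raw):
    """Map 16 bytes onto the 'xxxx-xxxx-xxxx-xxxx' letter layout used in the notes."""
    chars = "".join(string.ascii_lowercase[b % 26] for b in raw[:16])
    return "-".join(chars[i:i + 4] for i in range(0, 16, 4))


def anonymize(value, key):
    """Anonymization: keyed one-way hash, no mapping stored anywhere.
    The key matters: card-style numbers have a small input space, so an
    unkeyed hash could be reversed by enumerating candidates."""
    return _letters_from_bytes(hmac.new(key, value.encode(), hashlib.sha256).digest())


class TokenVault:
    """Tokenization: random surrogate plus an index. Reversible, but only by
    a party that can query the vault, which is why the vault is the asset to protect."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        if value in self._to_token:            # same value -> same token
            return self._to_token[value]
        while True:
            token = _letters_from_bytes(secrets.token_bytes(16))
            if token not in self._to_value:    # guard against the (unlikely) collision
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        return self._to_value[token]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE)
    print("mask        ", mask(SAMPLE))            # 5422-****-****-8875
    print("obfuscate   ", obfuscate(SAMPLE))       # 5422-1234
    print("anonymize   ", anonymize(SAMPLE, KEY))  # letters, irreversible
    print("tokenize    ", tok, "->", vault.detokenize(tok))
```

Note the trade-off the notes point at: anonymization needs no index but also gives no way back, while tokenization keeps a way back and therefore moves the protection problem onto the vault and its access controls.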
Audit Plan
Define objectives
Define scope
Conduct the audit
Lessons learned and analysis
Famous Audit Reports
Statement on Auditing Standards (SAS-70 Type I & II)
Statements on Standards for Attestation Engagements (SSAE 16)
Replaced SAS 70 in 2011
Satisfies SOX requirements
Also known as Service Organization Control (SOC) report
SOC 1, SOC2, and SOC3
ISAE 3402 (International Auditing and Assurance Standards Board)
Type I
Type II