SlideShare a Scribd company logo
1 of 73
Download to read offline
CCSP
Certified
Cloud Security
Professional
Hello!
I am Hatem ELSAHHAR
CISSP, CEH, Security+, Blue Coat Certified Cloud
Service Troubleshooting, Blue Coat Certified
Proxy Professional, Zscaler Certified Cloud
Administrator, Blue Coat SSL Visibility
You can find more about me at:
https://www.linkedin.com/in/elsahhar
2
Recognized as the first and only candidate in Egypt to achieve
the CCSP certificate*
* As of December 2017
“
How to secure the cloud?
3
4
That easy !!
“
Cloud security refers to a broad set of
policies, technologies, and controls
deployed to protect data, applications,
and the associated infrastructure of
cloud computing.
5
We will discuss
6 domains
6
Architectural
Concepts and
Design
Requirements
Cloud Data
Security
Cloud Platform
and
Infrastructure
Security
Cloud
Application
Security
Operations Legal &
Compliance
7
1.
Architectural
Concepts and
Design
Requirements
8
Module Contents
◎Cloud computing concepts
◎Cloud reference architecture
◎Security concepts of cloud computing
◎Design principles of secure cloud computing
9
Cloud Computing Concepts
◎Definitions
◎Roles
◎Cloud Computing Characteristics
10
Definitions
◎Categories (IaaS, PaaS, and SaaS)
◎Cloud application
◎Portability
◎Deployment models (Public, Private, Hybrid, and
community)
◎Reversibility
11
Roles
◎Auditor
◎Service Broker
◎Customer
◎Partner
◎Provider
◎User
12
Cloud Computing Characteristics
◎On-demand self-service
◎Broad network access
◎Resource pooling
◎Rapid elasticity
◎Measured service
13
Cloud Reference Architecture
◎Cloud Computing Activities
○ ISO/IEC 17789:2014: Information technology - Cloud computing -
Reference architecture
◎Cloud Computing Roles (Customer, Provider, and
Partner)
◎Cloud Service Capabilities
◎Cloud Service Categories (IaaS, PaaS, and SaaS)
◎Cloud Deployment Models (Public, Private, Hybrid,
and Community)
14
Security Concepts of Cloud Computing
◎Cryptography
◎Access control
◎Data and media sanitation
◎Network security
◎Virtualization security
◎Common threats
15
Cryptography
◎Data in use
◎Data in transit
◎Data at Rest
◎Key Management
16
Access Control
◎Account Provisioning
◎Directory services
◎Administrative & privileged access
◎Authorization
17
Data and Media Sanitization
◎Vendor Lock-in for data
◎Data Sanitization (overwriting - cryptographic erase)
18
Network Security
◎Multitenancy & loss of control of the underlying
hardware infrastructure
◎Network segmentation – virtual network controls
19
Virtualization Security
◎Type 1 Hypervisors
◎Type 2 Hypervisors
20
Common Threats
◎Data breaches
◎Insufficient identity, credential, and access management
◎Insecure interfaces and APIs
◎System vulnerabilities
◎Account hijacking
◎Malicious insiders
◎Advanced persistent threats
◎Data loss
◎Insufficient due diligence
◎Abuse and nefarious use of cloud services
◎Denial of service
◎Shared technology issues
21
Design Principles of Secure Cloud Computing
◎Cloud data lifecycle
Create > Store > Use > Share > Archive > Destroy
◎Cloud-Based Business Continuity/Disaster Recovery
◎Cost–Benefit Analysis
Data Center Costs vs. Operational Expense Costs
◎Resource Pooling and Cyclical Demands
i.e. Online store availability during a Black Friday
◎Focus Change (to business instead of operations)
◎Ownership and Control
◎Cost Structure (CapEx vs OpEx)
22
Cloud Computing Overview
23
2.
Cloud Data
Security
24
Module Contents
◎Cloud data lifecycle
◎Cloud data storage architecture
◎Data security strategies
◎Data discovery & classification
◎Restrictions on handling PII
◎Data Rights Management
◎Data retention, deletion,
and archiving
◎ Data archiving concepts
& requirements
25
Cloud Data Lifecycle
26
Cloud Data Storage Architecture
27
Data Security Strategies
◎Encryption
◎Key management
◎Masking
◎Obfuscation
◎Anonymization
◎Tokenization
28
Data Discovery & Classification
◎Data discovery is a business intelligence operation
and a user-driven process where data is visually
represented and analyzed to look for patterns or
specific attributes. (i.e. Big Data & real-time analytics)
◎Classification is the process of analyzing data for
certain attributes, and then using that to determine
the appropriate policies and controls to apply to
ensure its security. (Creator, type of data, storage
location, ..)
29
Restrictions on Handling PII
◎PII: Personally Identifiable Information
(i.e. Social ID number, mobile number, full name, ..)
◎Pay extra attention when dealing with it
◎Check the jurisdictional data
protections
30
Data Rights Management
◎Data rights management is an extension of normal
data protection, where additional controls and ACLs
are placed onto data sets that require additional
permissions or conditions to access and use beyond
just simple and traditional security controls.
◎Consider:
○ Auditing the usage
○ Expiration of the rights
○ Granular policy control
○ Support of applications and formats
31
Data Retention, Deletion, and Archiving
◎Data retention involves the keeping and maintaining of
data for a period of time as well as the methods used to
accomplish these tasks.
◎Data deletion: When data is no longer needed in a
system, it must be removed in a secure way that
guarantees it is no longer accessible or recoverable in the
future.
◎Data archiving typically involves removing data from
production systems and placing it onto other systems
that are usually cheaper storage options, scaled and
configured for long-term storage.
32
Data Archiving Concepts & Requirements
33
3.
Cloud Platform and
Infrastructure
Security
34
Module Contents
◎Cloud infrastructure components
◎Analyze risks of cloud infrastructure
◎Design & plan security controls
◎Plan disaster recovery and business continuity
management
35
Cloud Infrastructure Components
36
Physical Hardware
◎Typically tens or hundreds of thousands of servers,
spread across multiple physical locations.
◎This will requires enormous power and cooling
resources.
◎All systems MUST be redundant and allow
maintenance to be performed causing NO downtime.
37
Networking
◎Customer transparency: Although you will have a
large network of switches, routers, and network
security devices, remember that your customers do
not really see them and they will just expect them to
always work and never have issues.
◎Software-Defined Networking (SDN): The decisions
concerning where traffic is filtered or sent and the
actual forwarding of traffic are completely separate
from each other.
38
Computing (Memory & CPU)
◎Key concepts
○ Reservations: minimum resources that are guaranteed to a
customer.
○ Limits: As opposed to reservations, limits are put in place to
enforce maximum utilization of resources by a customer.
○ Shares: Prioritizing hosts within a cloud environment through a
weighting system when resources are fully consumed.
39
Storage
◎Volume storage: where storage is allocated to a
virtual machine and configured as a typical hard
drive and file system on that server.
◎Object storage: where data is stored on a system
separate from the application and access occurs via
APIs, network requests, or a web interface.
40
Hypervisors
41
Management Plan
◎Cloud provider can manage all the hosts within the
environment from a centralized location, without the
need to go to each individual server to perform
certain tasks.
◎Typically performed by a series of remote calls and
function executions or a set of APIs.
42
Analyze Risks of Cloud Infrastructure
Same level of risk as other hosting models, plus:
◎Risks related to lock-in
◎Virtualization risks (i.e. hypervisor compromise)
◎High availability
◎Data security and privacy
◎Legal and regulatory controls
43
Design & Plan Security Controls
◎Physical and environmental protection
◎System and communication protection
◎Virtual systems protection
◎Managing Identification, Authentication, and
Authorization
44
Plan Disaster Recovery and Business
Continuity Management
45
4.
Cloud Application
Security
46
Module Contents
◎Training and awareness
◎Cloud software assurance and validation
◎Software Development Life-Cycle (SDLC)
◎Secure Software Development Life-Cycle (SSDLC)
◎Cloud application architecture
◎Identity and Access Management
(IAM) solutions
47
Training and Awareness
◎Usage of APIs
◎Portability issues
◎Common vulnerabilities (OWASP top 10)
48
Usage of APIs
◎Two main types of APIs:
○ Representational State Transfer (REST)
Uses HTTP protocol and supports a variety of data formats such as
JSON and XML
○ Simple Object Access Protocol (SOAP)
It is a protocol and standard for exchanging information between web
services in a structured format allowing only the use of XML-formatted
data
49
Portability Issues
◎Forklifting applications - considerations
◎Utilizing common development tools
◎Platform security
◎Integration issues (Lock-ins)
50
OWASP Top 10
51
Cloud Software Assurance and Validation
◎Cloud-Based functional testing
◎Dynamic Application Security Testing (DAST)
◎Static Application Security Testing (SAST)
◎Vulnerability scanning
52
Software Development Life-Cycle (SDLC)
53
Secure Software Development Life-Cycle
(SSDLC)
54
Cloud Application Architecture
In addition to securing the application itself, we will
apply layered defense using other technologies, such
as:
◎Firewalls
◎Web Application Firewalls (WAF)
◎XML Appliances
◎Cryptography
◎Sandboxing
◎Application virtualization
55
Identity and Access Management (IAM)
◎Federated Identity (IdP & SP)
○ Deployments:
◉ SAML
◉ OAuth
◉ OpenID
◎SSO
◎Multifactor authentication:
○ Something you know
○ Something you have
○ Something you are
56
5.
Operations
57
Module Contents
◎Planning process for the Data Center design
◎Build the physical infrastructure
◎Run the physical infrastructure
◎Manage the physical Infrastructure
◎Build the logical infrastructure
◎Run the logical infrastructure
◎Manage the logical infrastructure
58
Planning Process for Data Center Design
◎Logical design
○ Virtualization
○ Access Control
○ APIs
◎Physical design
○ Location
59
Build The Physical Infrastructure
◎Secure configuration of hardware-specific
requirements
◎BIOS settings
◎Servers
◎Storage communication (SAN, NAS, iSCSI)
60
Run The Physical Infrastructure
◎Access control for local access (KVMs)
◎Securing network configurations
○ VLANs
○ TLS
○ IPsec
○ DNSSEC
○ OS Hardening – using baselines
◎Maintenance mode
◎High availability
61
Manage The Physical Infrastructure
◎Patch management
◎Performance monitoring
◎Hardware monitoring
◎Backup and restore
◎Implementing network security
◎Orchestration
62
Build The Logical Infrastructure
◎Secure Configuration of Virtual Hardware
(Specific Requirements)
63
Run The Logical Infrastructure
◎Secure Network Configuration
○ VLANs
○ TLS
○ DHCP
○ DNS
○ IPsec
◎OS Hardening - Application of Baselines
64
Manage The Logical Infrastructure
◎Access Control for Remote Access
○ TLS
○ Citrix
◎OS Baseline Compliance Monitoring and Remediation
◎Patch management
◎Performance monitoring
◎Backup & restore
65
6.
Legal &
Compliance
66
Module Contents
◎Legal requirements and risks within the cloud
◎Privacy issues and jurisdictional variation
◎Audit planning and reporting
◎Outsourcing and vendor management
67
Legal Requirements & Risks Within The Cloud
◎International legislation conflict (each country has its
own laws which defiantly will conflict with other
countries interests in case of conflicts)
◎E-Discovery in data centers vs the cloud
◎Scope of each role should be clearly stated in the
contracts
68
Privacy Issues and Jurisdictional Variation
◎PII security is the responsibility of the application
owner
◎Important American Act names:
○ The Gramm-Leach- Bliley Act (GLBA)
○ Health Insurance Portability and Accountability Act (HIPAA)
○ Safe Harbor
○ Sarbanes–Oxley Act (SOX)
◎Important European Act names:
○ Directive 95/46 EC
○ General Data Protection Regulation (GDPR)
69
Audit Planning and Reporting
◎Audit Plan
◎Famous Audit Reports
◎The International Auditing and Assurance
Standards Board (ISAE 3402)
70
Outsourcing and Vendor Management
◎State the business requirements clearly
◎Define the SLAs
◎Have controls to adequately monitor the processes
and deliverables
71
Thank You
72
Credits
Special thanks to all the people who made and released
these awesome resources for free:
◎ Presentation template by SlidesCarnival
◎ Photographs by Unsplash & Death to the Stock Photo
(license)
73

More Related Content

What's hot

ISC2 CC Course (Certified in Cybersecurity) - Part 2.pdf
ISC2 CC Course (Certified in Cybersecurity) - Part 2.pdfISC2 CC Course (Certified in Cybersecurity) - Part 2.pdf
ISC2 CC Course (Certified in Cybersecurity) - Part 2.pdfHaris Chughtai
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architectureVladimir Jirasek
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.pptHasnolAhmad2
 
8. operations security
8. operations security8. operations security
8. operations security7wounders
 
5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use CasesNetskope
 
Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015Lance Peterman
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfParishSummer
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My OrganisationVigilant Software
 
Secure Access – Anywhere by Prisma, PaloAlto
Secure Access – Anywhere by Prisma, PaloAltoSecure Access – Anywhere by Prisma, PaloAlto
Secure Access – Anywhere by Prisma, PaloAltoPrime Infoserv
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays worldSibghatullah Khattak
 
Privileged Access Management - 2016
Privileged Access Management - 2016Privileged Access Management - 2016
Privileged Access Management - 2016Lance Peterman
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture DesignPriyanka Aash
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
 

What's hot (20)

ISC2 CC Course (Certified in Cybersecurity) - Part 2.pdf
ISC2 CC Course (Certified in Cybersecurity) - Part 2.pdfISC2 CC Course (Certified in Cybersecurity) - Part 2.pdf
ISC2 CC Course (Certified in Cybersecurity) - Part 2.pdf
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
DLP
DLPDLP
DLP
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architecture
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdf
 
8. operations security
8. operations security8. operations security
8. operations security
 
5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases
 
Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
 
Secure Access – Anywhere by Prisma, PaloAlto
Secure Access – Anywhere by Prisma, PaloAltoSecure Access – Anywhere by Prisma, PaloAlto
Secure Access – Anywhere by Prisma, PaloAlto
 
ISMS implementation challenges-KASYS
ISMS implementation challenges-KASYSISMS implementation challenges-KASYS
ISMS implementation challenges-KASYS
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
 
Iso 27001
Iso 27001Iso 27001
Iso 27001
 
Privileged Access Management - 2016
Privileged Access Management - 2016Privileged Access Management - 2016
Privileged Access Management - 2016
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture Design
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 

Similar to (ISC)2 CCSP - Certified Cloud Security Professional

Cloud is not an option, but is security?
Cloud is not an option, but is security?Cloud is not an option, but is security?
Cloud is not an option, but is security?Jody Keyser
 
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityShared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityAndy Powell
 
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityShared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityJisc
 
nullcon 2011 - Security and Forensic Discovery in Cloud Environments
nullcon 2011 - Security and Forensic Discovery in Cloud Environmentsnullcon 2011 - Security and Forensic Discovery in Cloud Environments
nullcon 2011 - Security and Forensic Discovery in Cloud Environmentsn|u - The Open Security Community
 
Security and privacy approach of cloud computing
Security and privacy approach of cloud computingSecurity and privacy approach of cloud computing
Security and privacy approach of cloud computingJahangeer Qadiree
 
Migrating to Cloud? 5 motivations and 10 key security architecture considerat...
Migrating to Cloud? 5 motivations and 10 key security architecture considerat...Migrating to Cloud? 5 motivations and 10 key security architecture considerat...
Migrating to Cloud? 5 motivations and 10 key security architecture considerat...Yew Weisin
 
Cloud computing security & forensics (manu)
Cloud computing security & forensics (manu)Cloud computing security & forensics (manu)
Cloud computing security & forensics (manu)ClubHack
 
Security policy enforcement in cloud infrastructure
Security policy enforcement in cloud infrastructureSecurity policy enforcement in cloud infrastructure
Security policy enforcement in cloud infrastructurecsandit
 
SECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURE
SECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURESECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURE
SECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTUREcscpconf
 
Hardening the cloud : Assuring agile security in high-growth environments
Hardening the cloud : Assuring agile security in high-growth environmentsHardening the cloud : Assuring agile security in high-growth environments
Hardening the cloud : Assuring agile security in high-growth environmentsPriyanka Aash
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computingPrince Chandu
 
Strategies for assessing cloud security
Strategies for assessing cloud securityStrategies for assessing cloud security
Strategies for assessing cloud securityArun Gopinath
 
Ast 0064255 strategies-for_assessing_cloud_security
Ast 0064255 strategies-for_assessing_cloud_securityAst 0064255 strategies-for_assessing_cloud_security
Ast 0064255 strategies-for_assessing_cloud_securityAccenture
 

Similar to (ISC)2 CCSP - Certified Cloud Security Professional (20)

Cloud is not an option, but is security?
Cloud is not an option, but is security?Cloud is not an option, but is security?
Cloud is not an option, but is security?
 
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityShared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud security
 
Cloud security
Cloud securityCloud security
Cloud security
 
C017421624
C017421624C017421624
C017421624
 
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityShared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud security
 
nullcon 2011 - Security and Forensic Discovery in Cloud Environments
nullcon 2011 - Security and Forensic Discovery in Cloud Environmentsnullcon 2011 - Security and Forensic Discovery in Cloud Environments
nullcon 2011 - Security and Forensic Discovery in Cloud Environments
 
Kp3419221926
Kp3419221926Kp3419221926
Kp3419221926
 
Security and privacy approach of cloud computing
Security and privacy approach of cloud computingSecurity and privacy approach of cloud computing
Security and privacy approach of cloud computing
 
Migrating to Cloud? 5 motivations and 10 key security architecture considerat...
Migrating to Cloud? 5 motivations and 10 key security architecture considerat...Migrating to Cloud? 5 motivations and 10 key security architecture considerat...
Migrating to Cloud? 5 motivations and 10 key security architecture considerat...
 
Cloud computing security & forensics (manu)
Cloud computing security & forensics (manu)Cloud computing security & forensics (manu)
Cloud computing security & forensics (manu)
 
Security policy enforcement in cloud infrastructure
Security policy enforcement in cloud infrastructureSecurity policy enforcement in cloud infrastructure
Security policy enforcement in cloud infrastructure
 
SECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURE
SECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURESECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURE
SECURITY POLICY ENFORCEMENT IN CLOUD INFRASTRUCTURE
 
Understanding the Cloud
Understanding the CloudUnderstanding the Cloud
Understanding the Cloud
 
Hardening the cloud : Assuring agile security in high-growth environments
Hardening the cloud : Assuring agile security in high-growth environmentsHardening the cloud : Assuring agile security in high-growth environments
Hardening the cloud : Assuring agile security in high-growth environments
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
 
Cloud Deployments Models
Cloud Deployments ModelsCloud Deployments Models
Cloud Deployments Models
 
Strategies for assessing cloud security
Strategies for assessing cloud securityStrategies for assessing cloud security
Strategies for assessing cloud security
 
Strategies for assessing cloud security
Strategies for assessing cloud securityStrategies for assessing cloud security
Strategies for assessing cloud security
 
Ast 0064255 strategies-for_assessing_cloud_security
Ast 0064255 strategies-for_assessing_cloud_securityAst 0064255 strategies-for_assessing_cloud_security
Ast 0064255 strategies-for_assessing_cloud_security
 
F017414853
F017414853F017414853
F017414853
 

Recently uploaded

Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 

Recently uploaded (20)

Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 

(ISC)2 CCSP - Certified Cloud Security Professional

  • 2. Hello! I am Hatem ELSAHHAR CISSP, CEH, Security+, Blue Coat Certified Cloud Service Troubleshooting, Blue Coat Certified Proxy Professional, Zscaler Certified Cloud Administrator, Blue Coat SSL Visibility You can find more about me at: https://www.linkedin.com/in/elsahhar 2 Recognized as the first and only candidate in Egypt to achieve the CCSP certificate* * As of December 2017
  • 3. “ How to secure the cloud? 3
  • 5. “ Cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. 5
  • 6. We will discuss 6 domains 6
  • 7. Architectural Concepts and Design Requirements Cloud Data Security Cloud Platform and Infrastructure Security Cloud Application Security Operations Legal & Compliance 7
  • 9. Module Contents ◎Cloud computing concepts ◎Cloud reference architecture ◎Security concepts of cloud computing ◎Design principles of secure cloud computing 9
  • 11. Definitions ◎Categories (IaaS, PaaS, and SaaS) ◎Cloud application ◎Portability ◎Deployment models (Public, Private, Hybrid, and community) ◎Reversibility 11
  • 13. Cloud Computing Characteristics ◎On-demand self-service ◎Broad network access ◎Resource pooling ◎Rapid elasticity ◎Measured service 13
  • 14. Cloud Reference Architecture ◎Cloud Computing Activities ○ ISO/IEC 17789:2014: Information technology - Cloud computing - Reference architecture ◎Cloud Computing Roles (Customer, Provider, and Partner) ◎Cloud Service Capabilities ◎Cloud Service Categories (IaaS, PaaS, and SaaS) ◎Cloud Deployment Models (Public, Private, Hybrid, and Community) 14
  • 15. Security Concepts of Cloud Computing ◎Cryptography ◎Access control ◎Data and media sanitation ◎Network security ◎Virtualization security ◎Common threats 15
  • 16. Cryptography ◎Data in use ◎Data in transit ◎Data at Rest ◎Key Management 16
  • 17. Access Control ◎Account Provisioning ◎Directory services ◎Administrative & privileged access ◎Authorization 17
  • 18. Data and Media Sanitization ◎Vendor Lock-in for data ◎Data Sanitization (overwriting - cryptographic erase) 18
  • 19. Network Security ◎Multitenancy & loss of control of the underlying hardware infrastructure ◎Network segmentation – virtual network controls 19
  • 20. Virtualization Security ◎Type 1 Hypervisors ◎Type 2 Hypervisors 20
  • 21. Common Threats ◎Data breaches ◎Insufficient identity, credential, and access management ◎Insecure interfaces and APIs ◎System vulnerabilities ◎Account hijacking ◎Malicious insiders ◎Advanced persistent threats ◎Data loss ◎Insufficient due diligence ◎Abuse and nefarious use of cloud services ◎Denial of service ◎Shared technology issues 21
  • 22. Design Principles of Secure Cloud Computing ◎Cloud data lifecycle Create > Store > Use > Share > Archive > Destroy ◎Cloud-Based Business Continuity/Disaster Recovery ◎Cost–Benefit Analysis Data Center Costs vs. Operational Expense Costs ◎Resource Pooling and Cyclical Demands i.e. Online store availability during a Black Friday ◎Focus Change (to business instead of operations) ◎Ownership and Control ◎Cost Structure (CapEx vs OpEx) 22
  • 25. Module Contents ◎Cloud data lifecycle ◎Cloud data storage architecture ◎Data security strategies ◎Data discovery & classification ◎Restrictions on handling PII ◎Data Rights Management ◎Data retention, deletion, and archiving ◎ Data archiving concepts & requirements 25
  • 27. Cloud Data Storage Architecture 27
  • 28. Data Security Strategies ◎Encryption ◎Key management ◎Masking ◎Obfuscation ◎Anonymization ◎Tokenization 28
  • 29. Data Discovery & Classification ◎Data discovery is a business intelligence operation and a user-driven process where data is visually represented and analyzed to look for patterns or specific attributes. (i.e. Big Data & real-time analytics) ◎Classification is the process of analyzing data for certain attributes, and then using that to determine the appropriate policies and controls to apply to ensure its security. (Creator, type of data, storage location, ..) 29
  • 30. Restrictions on Handling PII ◎PII: Personally Identifiable Information (i.e. Social ID number, mobile number, full name, ..) ◎Pay extra attention when dealing with it ◎Check the jurisdictional data protections 30
  • 31. Data Rights Management ◎Data rights management is an extension of normal data protection, where additional controls and ACLs are placed onto data sets that require additional permissions or conditions to access and use beyond just simple and traditional security controls. ◎Consider: ○ Auditing the usage ○ Expiration of the rights ○ Granular policy control ○ Support of applications and formats 31
  • 32. Data Retention, Deletion, and Archiving ◎Data retention involves the keeping and maintaining of data for a period of time as well as the methods used to accomplish these tasks. ◎Data deletion: When data is no longer needed in a system, it must be removed in a secure way that guarantees it is no longer accessible or recoverable in the future. ◎Data archiving typically involves removing data from production systems and placing it onto other systems that are usually cheaper storage options, scaled and configured for long-term storage. 32
  • 33. Data Archiving Concepts & Requirements 33
  • 35. Module Contents ◎Cloud infrastructure components ◎Analyze risks of cloud infrastructure ◎Design & plan security controls ◎Plan disaster recovery and business continuity management 35
  • 37. Physical Hardware ◎Typically tens or hundreds of thousands of servers, spread across multiple physical locations. ◎This will requires enormous power and cooling resources. ◎All systems MUST be redundant and allow maintenance to be performed causing NO downtime. 37
  • 38. Networking ◎Customer transparency: Although you will have a large network of switches, routers, and network security devices, remember that your customers do not really see them and they will just expect them to always work and never have issues. ◎Software-Defined Networking (SDN): The decisions concerning where traffic is filtered or sent and the actual forwarding of traffic are completely separate from each other. 38
  • 39. Computing (Memory & CPU) ◎Key concepts ○ Reservations: minimum resources that are guaranteed to a customer. ○ Limits: As opposed to reservations, limits are put in place to enforce maximum utilization of resources by a customer. ○ Shares: Prioritizing hosts within a cloud environment through a weighting system when resources are fully consumed. 39
  • 40. Storage ◎Volume storage: where storage is allocated to a virtual machine and configured as a typical hard drive and file system on that server. ◎Object storage: where data is stored on a system separate from the application and access occurs via APIs, network requests, or a web interface. 40
  • 42. Management Plan ◎Cloud provider can manage all the hosts within the environment from a centralized location, without the need to go to each individual server to perform certain tasks. ◎Typically performed by a series of remote calls and function executions or a set of APIs. 42
  • 43. Analyze Risks of Cloud Infrastructure Same level of risk as other hosting models, plus: ◎Risks related to lock-in ◎Virtualization risks (i.e. hypervisor compromise) ◎High availability ◎Data security and privacy ◎Legal and regulatory controls 43
  • 44. Design & Plan Security Controls ◎Physical and environmental protection ◎System and communication protection ◎Virtual systems protection ◎Managing Identification, Authentication, and Authorization 44
  • 45. Plan Disaster Recovery and Business Continuity Management 45
  • 47. Module Contents ◎Training and awareness ◎Cloud software assurance and validation ◎Software Development Life-Cycle (SDLC) ◎Secure Software Development Life-Cycle (SSDLC) ◎Cloud application architecture ◎Identity and Access Management (IAM) solutions 47
  • 48. Training and Awareness ◎Usage of APIs ◎Portability issues ◎Common vulnerabilities (OWASP top 10) 48
  • 49. Usage of APIs ◎Two main types of APIs: ○ Representational State Transfer (REST) Uses HTTP protocol and supports a variety of data formats such as JSON and XML ○ Simple Object Access Protocol (SOAP) It is a protocol and standard for exchanging information between web services in a structured format allowing only the use of XML-formatted data 49
  • 50. Portability Issues ◎Forklifting applications - considerations ◎Utilizing common development tools ◎Platform security ◎Integration issues (Lock-ins) 50
  • 52. Cloud Software Assurance and Validation ◎Cloud-Based functional testing ◎Dynamic Application Security Testing (DAST) ◎Static Application Security Testing (SAST) ◎Vulnerability scanning 52
  • 54. Secure Software Development Life-Cycle (SSDLC) 54
  • 55. Cloud Application Architecture In addition to securing the application itself, we will apply layered defense using other technologies, such as: ◎Firewalls ◎Web Application Firewalls (WAF) ◎XML Appliances ◎Cryptography ◎Sandboxing ◎Application virtualization 55
  • 56. Identity and Access Management (IAM) ◎Federated Identity (IdP & SP) ○ Deployments: ◉ SAML ◉ OAuth ◉ OpenID ◎SSO ◎Multifactor authentication: ○ Something you know ○ Something you have ○ Something you are 56
  • 58. Module Contents ◎Planning process for the Data Center design ◎Build the physical infrastructure ◎Run the physical infrastructure ◎Manage the physical Infrastructure ◎Build the logical infrastructure ◎Run the logical infrastructure ◎Manage the logical infrastructure 58
  • 59. Planning Process for Data Center Design ◎Logical design ○ Virtualization ○ Access Control ○ APIs ◎Physical design ○ Location 59
  • 60. Build The Physical Infrastructure ◎Secure configuration of hardware-specific requirements ◎BIOS settings ◎Servers ◎Storage communication (SAN, NAS, iSCSI) 60
  • 61. Run The Physical Infrastructure ◎Access control for local access (KVMs) ◎Securing network configurations ○ VLANs ○ TLS ○ IPsec ○ DNSSEC ○ OS Hardening – using baselines ◎Maintenance mode ◎High availability 61
  • 62. Manage The Physical Infrastructure ◎Patch management ◎Performance monitoring ◎Hardware monitoring ◎Backup and restore ◎Implementing network security ◎Orchestration 62
  • 63. Build The Logical Infrastructure ◎Secure Configuration of Virtual Hardware (Specific Requirements) 63
  • 64. Run The Logical Infrastructure ◎Secure Network Configuration ○ VLANs ○ TLS ○ DHCP ○ DNS ○ IPsec ◎OS Hardening - Application of Baselines 64
  • 65. Manage The Logical Infrastructure ◎Access Control for Remote Access ○ TLS ○ Citrix ◎OS Baseline Compliance Monitoring and Remediation ◎Patch management ◎Performance monitoring ◎Backup & restore 65
  • 67. Module Contents ◎Legal requirements and risks within the cloud ◎Privacy issues and jurisdictional variation ◎Audit planning and reporting ◎Outsourcing and vendor management 67
  • 68. Legal Requirements & Risks Within The Cloud ◎International legislation conflict (each country has its own laws which defiantly will conflict with other countries interests in case of conflicts) ◎E-Discovery in data centers vs the cloud ◎Scope of each role should be clearly stated in the contracts 68
  • 69. Privacy Issues and Jurisdictional Variation ◎PII security is the responsibility of the application owner ◎Important American Act names: ○ The Gramm-Leach- Bliley Act (GLBA) ○ Health Insurance Portability and Accountability Act (HIPAA) ○ Safe Harbor ○ Sarbanes–Oxley Act (SOX) ◎Important European Act names: ○ Directive 95/46 EC ○ General Data Protection Regulation (GDPR) 69
  • 70. Audit Planning and Reporting ◎Audit Plan ◎Famous Audit Reports ◎The International Auditing and Assurance Standards Board (ISAE 3402) 70
  • 71. Outsourcing and Vendor Management ◎State the business requirements clearly ◎Define the SLAs ◎Have controls to adequately monitor the processes and deliverables 71
  • 73. Credits Special thanks to all the people who made and released these awesome resources for free: ◎ Presentation template by SlidesCarnival ◎ Photographs by Unsplash & Death to the Stock Photo (license) 73

Editor's Notes

  1. Cloud Service Capabilities Customer can provision and have substantial configuration control over processing, storage, and network resources Customer can deploy code and applications using programming languages and libraries that are maintained and controlled by the cloud provider. Customer uses a fully established application provided by the cloud provider, with minimal user configuration options allowed.
  2. Encryption In use: use the DRM instead In transit: TLS/SSL, VPN, IPsec, and HTTPS In rest: file-level and storage-level encryption Key management Where are the keys? (Internal storage, External storage, or 3rd Party) Masking 5422-1234-6574-8875 > 5422-****-****-8875 Obfuscation 5422-1234-6574-8875 > 5422-1234 Anonymization 5422-1234-6574-8875 > sqok-ashf-hast-vaty (irreversible) Tokenization 5422-1234-6574-8875 > asud-dgau-ftde-aetf (using an index, can be reverted)
  3. Implementing network security Firewalls IPSs/IDSs Honeypots Vulnerability assessments Log capture and analysis SIEM solutions
  4. Audit Plan Define objectives Define scope Conduct the audit Lessons learned and analysis Famous Audit Reports Statement on Auditing Standards (SAS-70 Type I & II) Statements on Standards for Attestation Engagements (SSAE 16) Replaced the SAS on 2011 Satisfies SOX requirements Also known as Service Organization Control (SOC) report SOC 1, SOC2, and SOC3 The International Auditing and Assurance Standards Board (ISAE 3402) Type I Type II