auditing cloud - cyber security coalition
TRANSCRIPT
© 2021 CSA Belux – LSEC & ISACA All rights reserved.
Auditing Cloud
Ulrich Seldeslachts, CSA Belux
February 3rd 2021
A collaboration between
Challenges Posed by Cloud Migration
Technical Challenges
• Technology stacks: microservices, serverless computing, software-defined
• Deployment frameworks: hybrid and multi-cloud, DevOps, CI/CD, automation
• Encryption, colocation, scale, scope etc. in high focus.
Governance and Compliance Challenges
• Indirect control: new governance mind-set, need for reliable data source
• Educating the audit committee effectively.
• Compliance challenges: multiple applicable laws and regulations, e.g. PCI DSS, HIPAA, GDPR, and CCPA.
Business Challenges
• Increased risks with multiple users across a large domain.
• Organizational silos: different levels of cloud readiness between org. units
• Knowledge gap: education in cloud computing terminology, constitution and delivery methods. Lack of internal knowledge for effective cloud evaluation
• Increasing costs of audit management and noncompliance with cloud migration.
Develop an Auditor Mindset
CCAK―A Unique, Vendor Neutral Solution
• The first-ever credential of its kind.
• Presented by industry leaders CSA and ISACA with feedback and validation from industry experts and SMEs around the globe.
• A certificate that fills a need for vendor neutral, technical training and credentials in cloud auditing.
• CCAK prepares IT professionals to:
o Ensure the right controls for confidentiality, integrity and availability.
o Mitigate risks and costs of audit management and penalties for non-compliance.
o Lead their organization through successful cloud migration while retaining customer trust.
A Meaningful Partnership
CSA: Founded in 2009, offering training and credentials to 90,000+ individual and 400 corporate members around the globe. The NEW CCAK certificate complements existing CSA offerings such as:
• FedRAMP 3PAO Assessor, PCI DSS Qualified Security Assessor, ISO 27001 Lead Auditor credentials.
• Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire
• Security, Trust, Assurance & Risk (STAR) program
ISACA: Founded in 1969, offering training and credentials to its global member base of 145,000 members in 188 countries, and 223 chapters worldwide. The NEW CCAK certificate complements existing ISACA offerings such as:
• Certified Information Systems Auditor® (CISA®)
• Virtual and in-person training and publications on cloud topics
• Other ANSI accredited training and credentials in risk, security, cybersecurity, privacy and governance
Who Should Get the CCAK Certificate
CCAK is ideal for anyone who is setting up systems, performing audits or is the target of an audit. Specifically:
• IT Auditors
• Internal IT and security practitioners
• Internal auditors
• Risk management and internal control practitioners (both at CSPs and CSCs)
• Third party service providers, including external auditors, security consultants and CSPs
Inside the Curriculum
The CCAK Curriculum and Structure
• Cloud Governance
• Cloud Compliance
• Cloud Auditing
• Cloud Assurance
• CSA Tools: CCM, CAIQ and STAR Program
The Curriculum covers topics such as:
• Building and executing a cloud audit plan and applying auditing as an assurance tool
• Impact of cloud automation, native development and integration models on auditing and compliance.
• Key concepts and tools of cloud governance and risk management
• Designing and Building a Cloud Compliance Program
• Compliance requirements, control objectives and frameworks, certification, attestation and authorizations
CCAK Training and Preparation Materials
The CCAK exam consists of 75 multiple choice questions. A variety of study options is available to suit your learning style:
• CCAK Digital Study Guide/Body of Knowledge
• Online Course: Self-paced study course with 16+ CPEs
• Virtual Instructor Led Course: 2-Day training
• Item Bank/Study Games: Sample Questions
CCAK Launch Timing
• CCAK Body of Knowledge: Q1 2021
• Online Self-Paced Course: Q1 2021
• Virtual Instructor-Led Training: Q1 2021
• Exam Launch: End of Q1 2021
Thank You!
Contact:
www.cloudsecurityalliance.org/education/ccak/
www.isaca.org/ccak
OPERATING A PRIVATE CLOUD WITH OPENSTACK AND/OR KUBERNETES
Steffen Thielemans
January 2021
PRIVATE, PUBLIC & HYBRID CLOUD
What is private cloud?
► Cloud infrastructure deployed on dedicated machines, often on-premise.
Why on-premise private cloud?
► Security, privacy, latency, complete infrastructure control, cost (if well dimensioned & in-house knowledge)
► Keep sensitive data within the premises
Why public cloud?
► Low/no up-front investment costs, virtually endless scalability
► >99.9% SLA uptime, multiple availability zones
► → Shared (multi-tenant) cloud infrastructure
Hybrid cloud
► A combination of on-premise private cloud and public cloud
What is OpenStack?
► Open Source Infrastructure as a Service (IaaS) cloud platform
►Basic building blocks: Compute, Storage, Networking, Authentication
►Various optional components: orchestration, provisioning, metering, etc.
Why use OpenStack?
► Avoid vendor lock-in from the major public cloud provider platforms
► Complete control over on-premise cloud infrastructure
► Keep sensitive data within the premises
► Also provided by smaller public cloud/VPS providers
ORGANIZATIONS USING OPENSTACK
And many more …
A SET OF (MOSTLY OPTIONAL) COMPONENTS WITH VARIOUS FUNCTIONS
DEPLOYMENT
► OpenStack Victoria (10/2020) operates on top of a Linux host operating system
► RHEL / CentOS 8
► Ubuntu 20.04 focal fossa
► Debian 10 buster
► Various OpenStack deployment methods and tools available
► Tricky to set up & maintain various components over multiple machines…
► OpenStack Kolla project
• Containerized versions of OpenStack components
• Well tested & mostly independent of host OS configuration
► Ansible
• Automated software provisioning & deployments
► Kolla-Ansible deployment scripts
THE NEXT GENERATION OF CLOUD COMPUTING
►Shift from monolithic applications to microservices
►Shift from virtual machines to containers
►Docker Containerization
►Kubernetes Orchestration
VIRTUAL MACHINES VERSUS CONTAINERS
Containers:
► Shared operating system kernel (the kernel is therefore also the shared attack surface: a kernel exploit from one container compromises every container on the host)
► Isolation via namespaces & cgroups
► No more guest OS
► Reduced overhead
► Faster startup
→ Improved elastic scaling
Virtual machines:
► Hardware level virtualization
► Guest OSs completely isolated
WHICH ONE IS RIGHT FOR ME?
There is no distinct answer… It depends (among others) on:
► Design of the application
► Large monolithic → virtual machines
► Microservices → containers
► Application longevity
► Stateful & persistent apps → virtual machines (*)
► Stateless & short-lived apps → containers
► Scalability → containers
► Isolation requirements → virtual machines
► Application compatibility (e.g. Windows-only application)
www.redhat.com/en/topics/containers/containers-vs-vms
What is Kubernetes?
► The market-leading and de facto standard container orchestration platform
► Open source, initially developed by and for Google
What does Kubernetes provide?
► Container orchestration
► Storage orchestration (= stateful apps)
► Container networking, service discovery and load balancing
► Automated horizontal and vertical autoscaling
► Automated rollouts, rollbacks, health checks
► Periodic jobs
► Kubernetes facilitates tight integration with DevOps and CI/CD cycles
► e.g. GitLab CI/CD integration
KUBERNETES ON THE PUBLIC & YOUR PRIVATE CLOUD
► Amazon Elastic Kubernetes Service (EKS)
► Microsoft Azure Kubernetes Service (AKS)
► Google Kubernetes Engine (GKE)
► All these platforms provide a managed Kubernetes service:
► Kubernetes control plane is taken care of
► Kubernetes worker nodes must be deployed on top of virtual machines (e.g. AWS EC2)
• Isolation between different tenants on the shared physical machines
► On-premise Kubernetes deployment
► Linux machine(s) (3 or more control-plane nodes recommended for high availability)
► Container runtime (e.g. Docker)
► Networked/distributed storage
► kubeadm deployment tool
► Comparison between Amazon EKS, Microsoft AKS, Google GKE & standalone
► www.stackrox.com/post/2020/10/eks-vs-gke-vs-aks (Oct. 2020)
TERRAFORM
Deployment, Automation and Management tool with Infrastructure-as-Code
Luca Gattobigio – VUB OpenCloudEdge team
INDEX
• Introduction
• Infrastructure-as-Code and HashiCorp Configuration Language
• Terraform architecture
• Examples
• Future work
INTRODUCTION
What is Terraform?
• Open source Infrastructure-as-Code software tool
• Efficient deployment, management and automation
• Compatible with 500+ providers (public/private clouds, network appliances, Platform as a Service, Software as a Service)
• Constantly updated and supported by HashiCorp and the community
• Part of HashiCorp's "Cloud-oriented" suite of tools
INTRODUCTION
Why Terraform?
• One tool to manage any resource, regardless of where
• Excellent to handle multi-cloud / hybrid cloud scenarios, but not only
• Deploy, manage and update with Infrastructure as Code
Infrastructure-as-Code (IaC)
[Figure: infrastructure example alongside the corresponding configuration file example]
HashiCorp Configuration Language (HCL)
Advantages of this new language
• Makes Terraform "cloud-agnostic"
• Easy to learn
• Same language for most of the HashiCorp tools
• Tools to convert other languages into HCL (JSON, Java, TypeScript)
TERRAFORM ARCHITECTURE
Core and providers
[Diagram: users write a configuration file that is read by Terraform Core; Core talks to providers (AWS Provider, OpenStack Provider, K8s Provider, ...), and each provider manages its own target (AWS Cloud, OpenStack Cloud, K8s Cluster, ...)]
TERRAFORM CORE
Main commands
• INIT: Initialize Terraform and look for providers
• PLAN: Overview of what to execute to realize what is described in the configuration files
• APPLY: Perform the operations as planned
• DESTROY: Deallocate and destroy all the resources
TERRAFORM CLI AND CLOUD APPLICATION
Two different approaches to launch Terraform commands
• Terraform Command Line Interface (CLI)
• Terraform Cloud
EXAMPLES
Deploy a simple infrastructure on OpenStack and AWS
[Diagram: an OpenStack/AWS cloud containing a private network, a subnet, a VM and a block storage volume]
1. Create a private network
2. Define a subnet
3. Run a VM
4. Connect it to the subnet
5. Create a block storage
6. Attach it to the VM
EXAMPLES: Code for same infrastructure and different clouds
[Figure: OpenStack configuration file]
[Figure: AWS configuration file]
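The two configuration files shown on the slides did not survive as text, so the following is an added example written for this page, not the presenter's code. It realizes the six steps above (network, subnet, VM connected to the subnet, block storage attached to the VM) once against the OpenStack provider and once against the AWS provider, which is also what the "Core and providers" architecture slide describes: the same init/plan/apply/destroy workflow, a different provider per target. The cloud name "mycloud", the image, flavor and key pair names, the region, the CIDRs and the AMI id are assumptions; the AMI is a placeholder that must be replaced with a real one for the region. No credentials appear in the files: the OpenStack provider reads them from clouds.yaml or OS_* variables, the AWS provider from the profile or environment.

```hcl
# Same six-step infrastructure twice; run in each directory:
#   terraform init && terraform plan && terraform apply   (terraform destroy to tear down)

# ---------- openstack/main.tf ----------
terraform {
  required_providers {
    openstack = { source = "terraform-provider-openstack/openstack", version = "~> 1.35" }
  }
}
provider "openstack" {
  cloud = "mycloud" # assumed clouds.yaml entry; credentials never live in the .tf file
}
# 1. private network
resource "openstack_networking_network_v2" "private" {
  name = "demo-private"
}
# 2. subnet
resource "openstack_networking_subnet_v2" "private" {
  name       = "demo-subnet"
  network_id = openstack_networking_network_v2.private.id
  cidr       = "10.10.0.0/24"
  ip_version = 4
}
# 3 + 4. VM connected to the network; depends_on makes it wait for the subnet
resource "openstack_compute_instance_v2" "vm" {
  name            = "demo-vm"
  image_name      = "ubuntu-20.04" # assumed Glance image name
  flavor_name     = "m1.small"     # assumed flavor
  key_pair        = "demo-key"     # assumed pre-created key pair
  security_groups = ["default"]
  network {
    uuid = openstack_networking_network_v2.private.id
  }
  depends_on = [openstack_networking_subnet_v2.private]
}
# 5. block storage (Cinder volume, size in GiB)
resource "openstack_blockstorage_volume_v3" "data" {
  name = "demo-data"
  size = 10
}
# 6. attach it to the VM
resource "openstack_compute_volume_attach_v2" "data" {
  instance_id = openstack_compute_instance_v2.vm.id
  volume_id   = openstack_blockstorage_volume_v3.data.id
}

# ---------- aws/main.tf ----------
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 3.0" }
  }
}
provider "aws" {
  region = "eu-west-1" # credentials from the AWS profile/environment, never the .tf file
}
# 1. private network (VPC)
resource "aws_vpc" "private" {
  cidr_block = "10.10.0.0/16"
}
# 2. subnet
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.private.id
  cidr_block        = "10.10.0.0/24"
  availability_zone = "eu-west-1a"
}
# 3 + 4. VM in the subnet; IMDSv2 only, so an SSRF cannot read instance credentials
resource "aws_instance" "vm" {
  ami           = "ami-0123456789abcdef0" # placeholder, look up a real AMI for the region
  instance_type = "t3.micro"
  subnet_id     = aws_subnet.private.id
  key_name      = "demo-key" # assumed pre-created key pair
  metadata_options {
    http_tokens = "required"
  }
}
# 5. block storage, encrypted at rest, in the VM's availability zone
resource "aws_ebs_volume" "data" {
  availability_zone = aws_subnet.private.availability_zone
  size              = 10
  encrypted         = true
}
# 6. attach it to the VM
resource "aws_volume_attachment" "data" {
  device_name = "/dev/sdf"
  volume_id   = aws_ebs_volume.data.id
  instance_id = aws_instance.vm.id
}
```

The resource graph is identical on both clouds; only the provider and resource types differ, which is the point of the slide. Two details are worth keeping when adapting this: the EBS volume is created encrypted and the instance requires IMDSv2 tokens, and the Terraform state file that apply produces records every attribute of these resources, so it needs the same access control as the credentials used to create them.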
NEXT STEPS
• Terraform for our infrastructure and future growth (Hybrid cloud/Multi-cloud)
• Consul, Vault, Nomad (to be integrated with Terraform)
• Use cases
THANK YOU