Auditing Cloud - Cyber Security Coalition

Page 1: Auditing Cloud - Cyber Security Coalition

1 © 2021 CSA Belux – LSEC & ISACA All rights reserved.

Auditing Cloud

Ulrich Seldeslachts, CSA Belux

February 3rd 2021

A collaboration between

Page 2

Challenges Posed by Cloud Migration

Technical Challenges
• Technology stacks: microservices, serverless computing, software-defined
• Deployment frameworks: hybrid and multi-cloud, DevOps, CI/CD, automation
• Encryption, colocation, scale, scope etc. in high focus

Governance and Compliance Challenges
• Indirect control: new governance mind-set, need for a reliable data source
• Educating the audit committee effectively
• Compliance challenges: multiple applicable laws and regulations, e.g. PCI DSS, HIPAA, GDPR and CCPA

Business Challenges
• Increased risks with multiple users across a large domain
• Organizational silos: different levels of cloud readiness between organizational units
• Knowledge gap: education in cloud computing terminology, constitution and delivery methods; lack of internal knowledge for effective cloud evaluation
• Increasing costs of audit management and non-compliance with cloud migration

Page 3

Develop an Auditor Mindset

Page 4

CCAK: A Unique, Vendor-Neutral Solution
• The first-ever credential of its kind.
• Presented by industry leaders CSA and ISACA with feedback and validation from industry experts and SMEs around the globe.
• A certificate that fills a need for vendor-neutral technical training and credentials in cloud auditing.
• CCAK prepares IT professionals to:
  o Ensure the right controls for confidentiality, integrity and availability.
  o Mitigate risks and costs of audit management and penalties for non-compliance.
  o Lead their organization through successful cloud migration while retaining customer trust.

Page 5

A Meaningful Partnership

CSA: founded in 2009, offering training and credentials to 90,000+ individual and 400 corporate members around the globe. The new CCAK certificate complements existing CSA offerings such as:
• FedRAMP 3PAO Assessor, PCI DSS Qualified Security Assessor and ISO 27001 Lead Auditor credentials
• Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ)
• Security, Trust, Assurance & Risk (STAR) program

ISACA: founded in 1969, offering training and credentials to its global member base of 145,000 members in 188 countries and 223 chapters worldwide. The new CCAK certificate complements existing ISACA offerings such as:
• Certified Information Systems Auditor® (CISA®)
• Virtual and in-person training and publications on cloud topics
• Other ANSI-accredited training and credentials in risk, security, cybersecurity, privacy and governance

Page 6

Who Should Get the CCAK Certificate

CCAK is ideal for anyone who is setting up systems, performing audits or is the target of an audit. Specifically:

• IT Auditors

• Internal IT and security practitioners

• Internal auditors

• Risk management and internal control practitioners (both at CSPs and CSCs)

• Third party service providers, including external auditors, security consultants and CSPs

Page 7

Inside the Curriculum

Page 8

The CCAK Curriculum and Structure

Cloud Governance

Cloud Compliance

Cloud Auditing

Cloud Assurance

CSA Tools:

CCM, CAIQ and STAR Program

The curriculum covers topics such as:
• Building and executing a cloud audit plan and applying auditing as an assurance tool
• Impact of cloud automation, native development and integration models on auditing and compliance
• Key concepts and tools of cloud governance and risk management
• Designing and building a cloud compliance program
• Compliance requirements, control objectives and frameworks, certification, attestation and authorizations

Page 9

The CCAK Curriculum and Structure (continued)

Page 10

The CCAK Curriculum and Structure (continued)

Page 11

CCAK Training and Preparation Materials

The CCAK exam consists of 75 multiple choice questions and offers a variety of study options to suit your unique learning style:

• CCAK Digital Study Guide/Body of Knowledge

• Online Course: Self-paced study course with 16+ CPEs

• Virtual Instructor Led Course: 2-Day training

• Item Bank/Study Games: Sample Questions

Page 12

CCAK Launch Timing
• CCAK Body of Knowledge: Q1 2021
• Online Self-Paced Course: Q1 2021
• Virtual Instructor-Led Training: Q1 2021
• Exam Launch: end of Q1 2021

Page 13

Thank You!

Contact:

www.cloudsecurityalliance.org/education/ccak/

www.isaca.org/ccak

A collaboration between

Page 14

OPERATING A PRIVATE CLOUD WITH OPENSTACK AND/OR KUBERNETES

Steffen Thielemans

January 2021

Page 15

PRIVATE, PUBLIC & HYBRID CLOUD

What is private cloud?
► Cloud infrastructure deployed on dedicated machines, often on-premise.

Why on-premise private cloud?
► Security, privacy, latency, complete infrastructure control, cost (if well dimensioned and with in-house knowledge)
► Keep sensitive data within the premises

Why public cloud?
► Low/no up-front investment costs, virtually endless scalability
► >99.9% SLA uptime, multiple availability zones
► → The trade-off: shared (multi-tenant) cloud infrastructure

Hybrid cloud
► A combination of on-premise private cloud and public cloud

Page 16

What is OpenStack?
► Open-source Infrastructure as a Service (IaaS) cloud platform
► Basic building blocks: compute, storage, networking, authentication
► Various optional components: orchestration, provisioning, metering, etc.

Why use OpenStack?
► Avoid vendor lock-in from the major public cloud provider platforms
► Complete control over on-premise cloud infrastructure
► Keep sensitive data within the premises
► Also offered by smaller public cloud/VPS providers

Page 17

ORGANIZATIONS USING OPENSTACK

And many more …

Page 18

A SET OF (MOSTLY OPTIONAL) COMPONENTS WITH VARIOUS FUNCTIONS

Page 19

DEPLOYMENT

► OpenStack Victoria (10/2020) runs on top of a Linux host operating system:
  ► RHEL / CentOS 8
  ► Ubuntu 20.04 focal fossa
  ► Debian 10 buster
► Various OpenStack deployment methods and tools are available
► Tricky to set up and maintain the various components over multiple machines…
► OpenStack Kolla project
  • Containerized versions of the OpenStack components
  • Well tested and mostly independent of the host OS configuration
► Ansible
  • Automated software provisioning and deployments
► Kolla-Ansible deployment scripts

Page 20

THE NEXT GENERATION OF CLOUD COMPUTING

► Shift from monolithic applications to microservices
► Shift from virtual machines to containers
► Docker containerization
► Kubernetes orchestration

Page 21

VIRTUAL MACHINES VERSUS CONTAINERS

Containers
► Shared operating system kernel
► Isolation via namespaces & cgroups
► No more guest OS
► Reduced overhead
► Faster startup
→ Improved elastic scaling

Virtual machines
► Hardware-level virtualization
► Guest OSs completely isolated

Page 22

VIRTUAL MACHINES VERSUS CONTAINERS: WHICH ONE IS RIGHT FOR ME?

There is no distinct answer… It depends (among others) on:
► Design of the application
  ► Large monolithic → virtual machines
  ► Microservices → containers
► Application longevity
  ► Stateful & persistent apps → virtual machines (*)
  ► Stateless & short-lived apps → containers
► Scalability → containers
► Isolation requirements → virtual machines
► Application compatibility (e.g. Windows-only application)

www.redhat.com/en/topics/containers/containers-vs-vms

Page 23

What is Kubernetes?
► The market-leading and de facto standard container orchestration platform
► Open source, initially developed by and for Google

What does Kubernetes provide?
► Container orchestration
► Storage orchestration (= stateful apps)
► Container networking, service discovery and load balancing
► Automated horizontal and vertical autoscaling
► Automated rollouts, rollbacks, health checks
► Periodic jobs
► Kubernetes facilitates tight integration with DevOps and CI/CD cycles
  ► e.g. GitLab CI/CD integration

Page 24

Kubernetes on the public & your private cloud

► Amazon Elastic Kubernetes Service (EKS)
► Microsoft Azure Kubernetes Service (AKS)
► Google Kubernetes Engine (GKE)
► All these platforms provide a managed Kubernetes service:
  ► The Kubernetes control plane is taken care of
  ► Kubernetes worker nodes must be deployed on top of virtual machines (e.g. AWS EC2)
    • Isolation between different tenants on the shared physical machines
► On-premise Kubernetes deployment
  ► Linux machine(s) (3 or more control-plane nodes recommended for high availability)
  ► Container runtime (e.g. Docker)
  ► Networked/distributed storage
  ► kubeadm deployment tool
► Comparison between Amazon EKS, Microsoft AKS, Google GKE & standalone:
  ► www.stackrox.com/post/2020/10/eks-vs-gke-vs-aks (Oct. 2020)
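The isolation points made on the preceding slides (shared kernel, isolation via namespaces and cgroups, tenants kept apart by running worker nodes in VMs) come down to a handful of settings in a workload's specification. What follows is an added example for this page, not code from the slides or from any of the projects they name: a Pod declared as a Terraform resource through the hashicorp/kubernetes provider (Terraform is the subject of the third talk on this page). Assumptions not found on the slides: provider version 2.x, a kubeconfig at ~/.kube/config produced by kubeadm or a managed service, and the nginxinc/nginx-unprivileged image, which serves on port 8080 as a non-root user and only needs /tmp writable; the pod, volume and user IDs are placeholders.

```hcl
# Added example, not from the slides: a Pod, declared with the hashicorp/kubernetes
# provider (v2.x), that keeps its own kernel namespaces and gets cgroup limits.
# Assumed: kubeconfig at ~/.kube/config; image serves as non-root on port 8080.
terraform {
  required_providers {
    kubernetes = { source = "hashicorp/kubernetes", version = "~> 2.0" }
  }
}

provider "kubernetes" {
  config_path = "~/.kube/config" # assumed: written by kubeadm or a managed service
}

resource "kubernetes_pod" "hardened" {
  metadata {
    name      = "hardened-demo" # placeholder
    namespace = "default"
  }

  spec {
    # Namespaces: stay out of the host's PID, network and IPC namespaces. Sharing
    # them is what turns a compromise of one container into access to the node.
    host_pid     = false
    host_network = false
    host_ipc     = false

    # No API token mounted unless the workload really talks to the API server.
    automount_service_account_token = false

    security_context {
      run_as_non_root = true
      run_as_user     = 10001 # placeholder uid; the image tolerates any non-root uid
    }

    container {
      name  = "web"
      image = "nginxinc/nginx-unprivileged:1.20" # assumed image, listens on 8080

      security_context {
        privileged                 = false
        allow_privilege_escalation = false # no gains via setuid or file capabilities
        read_only_root_filesystem  = true
        capabilities {
          drop = ["ALL"]
        }
      }

      # cgroups: a runaway container cannot starve its neighbours on the shared kernel.
      resources {
        limits   = { cpu = "250m", memory = "128Mi" }
        requests = { cpu = "100m", memory = "64Mi" }
      }

      # The image needs scratch space; give it a tmpfs rather than a writable root.
      volume_mount {
        name       = "tmp"
        mount_path = "/tmp"
      }
    }

    volume {
      name = "tmp"
      empty_dir {
        medium = "Memory"
      }
    }
  }
}
```

The three host_* flags and the dropped capabilities are the namespace side of the slide's "isolation via namespaces & cgroups"; the resources block is the cgroup side. None of it makes a container equivalent to a virtual machine, since the kernel is still shared, which is exactly why the comparison slide sends workloads with hard isolation requirements to VMs and why the managed services put each tenant's worker nodes in their own VMs. When auditing a cluster, look for the opposite values in the manifests actually deployed: privileged = true, any host namespace enabled, or no resource limits at all.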

Page 25

TERRAFORM
Deployment, Automation and Management tool with Infrastructure-as-Code

Luca Gattobigio – VUB OpenCloudEdge team

Page 26

INDEX
• Introduction
• Infrastructure-as-Code and HashiCorp Configuration Language
• Terraform architecture
• Examples
• Future work

Page 27

INTRODUCTION: What is Terraform?
• Open-source Infrastructure-as-Code software tool
• Efficient deployment, management and automation
• Compatible with 500+ providers (public/private clouds, network appliances, Platform as a Service, Software as a Service)
• Constantly updated and supported by HashiCorp and the community
• Part of HashiCorp's "cloud-oriented" suite of tools

Page 28

INTRODUCTION: Why Terraform?
• One tool to manage any resource, regardless of where it lives
• Excellent for handling multi-cloud / hybrid cloud scenarios, but not only those
• Deploy, manage and update with Infrastructure as Code

Page 29

Infrastructure-as-Code (IaC)

[Figure: an infrastructure example shown next to the configuration file that describes it; not included in the transcript]

Page 30

HashiCorp Configuration Language (HCL)

Advantages of this language
• Makes Terraform "cloud-agnostic"
• Easy to learn
• Same language for most of the HashiCorp tools
• Tools to convert other languages into HCL (JSON, Java, TypeScript)

Page 31

TERRAFORM ARCHITECTURE: Core and providers

[Diagram: users write a configuration file; Terraform Core reads it and drives the providers (AWS provider, OpenStack provider, K8s provider, ...), each of which talks to its own target (AWS cloud, OpenStack cloud, K8s cluster, ...)]

Page 32

TERRAFORM CORE: Main commands
• INIT: initialize Terraform and install the providers the configuration declares
• PLAN: preview what Terraform will execute to realize what is described in the configuration files
• APPLY: perform the operations as planned
• DESTROY: deallocate and destroy all the resources

Page 33

TERRAFORM CLI AND CLOUD APPLICATION: Two different approaches to launch Terraform commands
• Terraform Command Line Interface (CLI)
• Terraform Cloud

Page 34

EXAMPLES: Deploy a simple infrastructure on OpenStack and AWS

[Diagram: OpenStack/AWS cloud containing a private network, a subnet, a VM and a block storage volume]

1. Create a private network
2. Define a subnet
3. Run a VM
4. Connect it to the subnet
5. Create a block storage volume
6. Attach it to the VM

Page 35

EXAMPLES: Code for the same infrastructure on different clouds

[OpenStack configuration file and AWS configuration file shown side by side; not included in the transcript]
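The two configuration files on this slide were images and did not survive in the transcript. The block below is an added example written for this page, not the speaker's file: the six steps of the previous slide, once for OpenStack and once for AWS, in a single root module. Everything that is not on the slides is an assumption: the provider versions, the clouds.yaml entry name, the region, image, flavor, key pair and AMI placeholders, and two settings a security reviewer would insist on that the slide does not mention, an encrypted block volume and IMDSv2 on the AWS instance.

```hcl
# Added example (not the slide's configuration file): the six steps of the example
# slide for OpenStack and for AWS in one root module. Assumed: credentials come from
# the environment (clouds.yaml for OpenStack, AWS_* variables for AWS); image,
# flavor, key pair, AMI and region values are placeholders.
terraform {
  required_providers {
    openstack = { source = "terraform-provider-openstack/openstack", version = "~> 1.35" }
    aws       = { source = "hashicorp/aws", version = "~> 3.0" }
  }
}
provider "openstack" {
  cloud = "demo-cloud" # assumed entry in clouds.yaml
}
provider "aws" {
  region = "eu-west-1" # assumed
}

# ---------------- OpenStack ----------------
# 1. Private network
resource "openstack_networking_network_v2" "net" {
  name           = "demo-net"
  admin_state_up = true
}

# 2. Subnet
resource "openstack_networking_subnet_v2" "subnet" {
  network_id = openstack_networking_network_v2.net.id
  cidr       = "10.10.0.0/24"
  ip_version = 4
}

# 3 + 4. VM connected to the subnet. Nova refuses to boot on a network without a
# subnet, and the uuid reference alone does not order them, hence depends_on.
resource "openstack_compute_instance_v2" "vm" {
  name            = "demo-vm"
  image_name      = "ubuntu-20.04" # assumed Glance image name
  flavor_name     = "m1.small"     # assumed flavor
  key_pair        = "demo-key"     # assumed existing key pair
  security_groups = ["default"]
  depends_on      = [openstack_networking_subnet_v2.subnet]

  network {
    uuid = openstack_networking_network_v2.net.id
  }
}

# 5. Block storage
resource "openstack_blockstorage_volume_v3" "data" {
  name = "demo-data"
  size = 10 # GiB
}

# 6. Attach it to the VM
resource "openstack_compute_volume_attach_v2" "data" {
  instance_id = openstack_compute_instance_v2.vm.id
  volume_id   = openstack_blockstorage_volume_v3.data.id
}

# ---------------- AWS ----------------
# 1. Private network (VPC)
resource "aws_vpc" "net" {
  cidr_block = "10.20.0.0/16"
}

# 2. Subnet
resource "aws_subnet" "subnet" {
  vpc_id            = aws_vpc.net.id
  cidr_block        = "10.20.1.0/24"
  availability_zone = "eu-west-1a" # assumed
}

# 3 + 4. VM in the subnet. metadata_options is not on the slide: requiring IMDSv2
# stops an SSRF in the guest from reading instance credentials with a plain GET.
resource "aws_instance" "vm" {
  ami           = "ami-0123456789abcdef0" # placeholder; AMI IDs are region-specific
  instance_type = "t3.micro"
  subnet_id     = aws_subnet.subnet.id
  key_name      = "demo-key" # assumed existing key pair

  metadata_options {
    http_tokens = "required"
  }
}

# 5. Block storage, encrypted at rest (EBS volumes are unencrypted unless the
# account-level default is enabled).
resource "aws_ebs_volume" "data" {
  availability_zone = aws_subnet.subnet.availability_zone
  size              = 10 # GiB
  encrypted         = true
}

# 6. Attach it to the VM
resource "aws_volume_attachment" "data" {
  device_name = "/dev/sdf"
  volume_id   = aws_ebs_volume.data.id
  instance_id = aws_instance.vm.id
}
```

The commands from the previous slides apply unchanged: terraform init installs the two providers, terraform plan lists every create, update and destroy before anything happens, terraform apply executes them and terraform destroy removes all of it. The plan output is the audit artefact of the whole exercise: a resource marked for replacement ("-/+") on the volume or the instance means data loss, and a security group or volume attribute changing to a weaker value is visible there before it reaches the cloud. One operational caveat: the state file records every attribute Terraform manages, including sensitive ones, so keep it in a remote backend with access control and locking rather than in the repository next to the configuration.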

Page 36

NEXT STEPS
• Terraform for our infrastructure and future growth (hybrid cloud/multi-cloud)
• Consul, Vault, Nomad (to be integrated with Terraform)
• Use cases

Page 37

THANK YOU