
© 2016 Global Technology Resources, Inc. All Rights Reserved. Contents may contain confidential information and are not to be copied.

Breaking Down Cloud Security
Presented by Scott Hogg, CTO GTRI
CCIE #5133, CISSP #4610, CCSP, CCSK, AWS CSA-Associate
Denver (ISC)2 Meeting – 09/15/2016

Today’s Agenda

• Securing Cloud Services
  – Cloud Security Standards and Guidelines
  – Cloud Service Provider Security Models
  – Examples of Cloud Security Controls
    • Splunk, Dome9, Evident.io, Trend Micro, Bracket
• Security Services in the Cloud (CASB, MSSP, etc.)
• Cloud Security Certifications
  – Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge (CCSK)
  – (ISC)2 Certified Cloud Security Professional (CCSP)

Cloud Security Concepts

• Cloud Service Security Concerns
• Cloud Service Security Certifications
• Cloud Security Threats

Concern About CSP Security

• A breach of the Cloud Service Provider’s infrastructure can lead to a “Hyperjacking” event whereby many customers’ data is exposed
• Examples of CSP Data Breaches:
  – Google failure, March 2011: deletion of 150k Gmail accounts’ data
  – Code Spaces goes out of business in June 2014 after AWS hack
  – Google Drive breach in July 2014 (hyperlink vulnerability)
  – Apple iCloud exposure of celebrity photos, August 2014
  – Dropbox security breach in October 2014, compromising 7M user passwords held for Bitcoin (BTC) ransom
  – Worcester Polytechnic Institute (WPI) claims cross-VM RSA key recovery in AWS, October 2015
  – Datadog password breach for their AWS customers in July 2016

Cloud Security Responsibility – A Sliding Scale

• Customer bears more responsibility with IaaS than SaaS
• (Figure: responsibility by service model, columns IaaS / PaaS / SaaS against the layers Security GRC, Data Security, App Security, Platform Security, Infrastructure Security, Physical Security)

Cloud Compliance Assurance

• Cloud Service Providers (CSPs) can obtain certifications attesting their compliance with security standards.
  – SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3: American Institute of Certified Public Accountants (AICPA) audit reports may be requested from the provider.
  – International Organization for Standardization (ISO) 27001
  – Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR)
  – U.S. Health Insurance Portability and Accountability Act (HIPAA)
  – Payment Card Industry (PCI) Data Security Standard (DSS) Level 1 service provider
  – Motion Picture Association of America (MPAA)
• Consider the CSP’s position when they receive separate security questionnaires and assessments from each customer

AICPA SSAE16 SOC 1/2/3

• American Institute of Certified Public Accountants (AICPA)
  – Wants to make sure organizations are using reliable and secure services that their business relies upon
  – Compliance with the Sarbanes-Oxley (SOX) requirement (section 404)
• Statement on Auditing Standards No. 70 (SAS 70)
• Statement on Standards for Attestation Engagements (SSAE) 16
  – American standard that replaces SAS 70
  – Similar to the International standard ISAE 3402
  – Service Organization Controls (SOC) 1, 2, & 3
  – http://ssae16.com/SSAE16_overview.html

ISO/IEC Cloud Security Standards

• ISO/IEC 27001:2013
  – Information Security Management System (ISMS)
• ISO/IEC 17788:2014
  – Information technology -- Cloud computing -- Overview and vocabulary
• ISO/IEC 17789:2014
  – Information technology -- Cloud computing -- Reference architecture

U.S. Federal Cloud Security Requirements

• U.S. Federal organizations have specialized requirements for secure cloud services.
• Civilian and DOD organizations may have to meet NIST 800-37 and DoD Information Assurance Certification and Accreditation Process (DIACAP) and Federal Information Security Management Act (FISMA) compliance.
• Cloud providers may also be required to meet US International Traffic in Arms Regulations (ITAR) compliance.
• Federal customers also need to have FIPS 140-2 security systems running in the cloud.
• Federal Risk and Authorization Management Program (FedRAMP) certified cloud providers are required.

FedRAMP

• The OMB requires federal agencies to use FedRAMP (Federal Risk and Authorization Management Program) accredited cloud services for FIPS 199 Low and Moderate system categories (based on FISMA and NIST 800-53 Rev3 standards)
  – http://www.FedRAMP.gov
• FedRAMP established the Joint Authorization Board (JAB) to approve cloud services and monitor the process
• The JAB defines the standards by which Third Party Assessment Organizations (3PAOs) will assess the cloud providers
• Third Party Assessment Organizations (3PAOs) include: Coalfire, Kratos SecureInfo, Veris Group, among others
  – https://www.fedramp.gov/marketplace/accredited-3paos/
• FedRAMP Provisional Authority To Operate (ATO) is issued by the JAB (after review of the security assessment package) to the federal agency consuming the cloud services
• List of FedRAMP Compliant Systems
  – https://www.fedramp.gov/marketplace/compliant-systems/

NIST Guidelines on Cloud Security

• NIST Cloud Computing Public Security Working Group
• NIST SP 500-292
  – NIST Cloud Computing Reference Architecture
• NIST SP 500-293
  – US Government Cloud Computing Technology Roadmap Volume 1, 2 & 3
• NIST SP 500-299
  – NIST Cloud Computing Security Reference Architecture
• NIST SP 800-144
  – Guidelines on Security and Privacy in Public Cloud Computing
• NIST SP 800-145
  – The NIST Definition of Cloud Computing
• NIST SP 800-146
  – Cloud Computing Synopsis and Recommendations

Cloud Security Alliance (CSA)

• Cloud Security Alliance (CSA) is a US Federal 501(c)6 not-for-profit org, formed in late 2008, now has over 48,000 members
• Mission = “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing”
• Created “Security Guidance for Critical Areas of Focus in Cloud Computing” document
  – Current version 4.0
  – https://github.com/cloudsecurityalliance/CSA-Guidance
• https://cloudsecurityalliance.org/

CSA Security Trust and Assurance Registry (STAR)

• https://cloudsecurityalliance.org/star/

Cloud Computing Security Threats

• CSA stated that the top three cloud computing threats are Insecure Interfaces and APIs, Data Loss & Leakage, and Hardware Failure.
  – These three accounted for 29%, 25% and 10% of all cloud security outages respectively.
• CSA’s Top 7 Security Threats (March 2010)
  – https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
  1. Abuse and Nefarious Use of Cloud Computing
  2. Insecure Interfaces and APIs (Application Programming Interfaces)
  3. Malicious Insiders
  4. Shared Technology Issues
  5. Data Loss or Leakage
  6. Account or Service Hijacking
  7. Unknown Risk Profile

CSA – The Notorious Nine

• In February 2013, the CSA published their “The Notorious Nine” cloud computing top threats
  – https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
  1. Data Breaches
  2. Data Loss
  3. Account or Service Traffic Hijacking
  4. Insecure Interfaces and APIs
  5. Denial of Service (DoS)
  6. Malicious Insiders
  7. Abuse of Cloud Services
  8. Insufficient Due Diligence
  9. Shared Technology Vulnerabilities

CSA Treacherous 12 (or the Dirty Dozen)

• CSA published their newest Top 12 cloud computing threats at the 2016 RSA conference
• Threat No. 1: Data breaches
• Threat No. 2: Compromised credentials and broken authentication
• Threat No. 3: Hacked interfaces and APIs
• Threat No. 4: Exploited system vulnerabilities
• Threat No. 5: Account hijacking
• Threat No. 6: Malicious insiders
• Threat No. 7: The APT parasite
• Threat No. 8: Permanent data loss
• Threat No. 9: Inadequate diligence
• Threat No. 10: Cloud service abuses
• Threat No. 11: DoS attacks
• Threat No. 12: Shared technology, shared dangers

The Uptime Institute Tier Standard: Topology

• Service availability is a critical component of any cloud service
• CSPs operate within data centers that they may own and manage, or in which they colocate their systems
• The Uptime Institute provides a “Tier Certification System” for assessing critical data center infrastructure to promote increased availability
• Data Center Site Infrastructure Tier Standard: Topology
  – Tier I: Basic Site Infrastructure
  – Tier II: Redundant Site Infrastructure Capacity Components
  – Tier III: Concurrently Maintainable Site Infrastructure
  – Tier IV: Fault Tolerant Site Infrastructure
• Check the tier rating of your current data center or cloud provider
  – https://uptimeinstitute.com/TierCertification/
  – https://uptimeinstitute.com/TierCertification/certMaps.php

Cloud Security Examples

• Amazon Web Services
• Microsoft Azure
• Google Cloud Platform
• DigitalOcean
• Salesforce.com
• Cloud Storage Services

Amazon Web Services (AWS)

• AWS is the market leader of IaaS public cloud services
• AWS has a scalable and highly available global infrastructure that spans multiple regions, with multiple Availability Zones (AZs) within each region (AWS Service Health Dashboard)
  – http://status.aws.amazon.com/
• AWS possesses all the major security certifications and attestations
  – https://aws.amazon.com/compliance/
• AWS GovCloud (US) is an isolated region that meets FedRAMP, FIPS, ITAR, FISMA, and NIST requirements
  – http://aws.amazon.com/govcloud-us/
  – https://aws.amazon.com/compliance/fedramp/

Amazon Web Services (AWS)

(Figure: AWS shared security responsibility model)
Source: https://aws.amazon.com/security/sharing-the-security-responsibility/

Amazon Web Services (AWS)

• In AWS, solid Identity and Access Management (IAM) practices are a MUST
  – Use IAM policies to control users, groups, permissions, and accounts that run services on AWS resources – use Access Keys for API calls
  – No one should be using the master payer account (use IAM users/groups/roles)
  – Root privileges should not be used; developer accounts need only specific privileges; create general-use accounts for each sys-admin or service
  – http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
• Multi-Factor Authentication (MFA) is recommended for the master account
  – http://aws.amazon.com/mfa/
• Security Token Service (STS) is a web service that grants requests for temporary, limited-privilege credentials for IAM users
• Federated identity access for the management console and APIs
  – Use SAML 2.0, OpenID Connect (OIDC), AWS Microsoft AD Connector (ADFS)

Amazon Web Services (AWS)

• You are only as secure as your EC2 Amazon Machine Images (AMIs) (manage systems with templates, not individual systems)
• It is possible to build your own secure images, save them, and reuse them for other applications and services
• You can build your image off a default AMI or import your own hardened AMI (based on your STIGs)
• Don’t store your security keys within your stored or shared (community) images
• AWS Marketplace also offers hardened images
  – Buddha Labs offers hardened images (DISA STIG)
  – Center for Internet Security (CIS) Benchmarks
  – Anitian, DeepCyber, SteelCloud, among others

Amazon Web Services (AWS)

• Virtual Private Cloud (VPC) security practices control access to the virtual networks in your AWS cloud
• VPC Flow Logs can capture IP traffic on VPC interfaces
• Carefully document your use of the Internet Gateway (IGW), Virtual Private Gateway (VGW), and Customer Gateway (CGW)
• Network Access Control Lists (NACLs) (not stateful, directional)
• Security Groups (SGs) are like firewalls (fully stateful, whitelist behavior, applied to EC2 instances)
  – Put different systems into separate security groups (load balancers, web servers, databases)
• Web Application Firewall (WAF), rules deployed into CloudFront
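The slide says VPC Flow Logs capture IP traffic on VPC interfaces; what they actually record is each flow's ACCEPT or REJECT decision from the security groups and NACLs. The following is an added example (not code from the presentation or from AWS) that parses the documented default version-2 record layout and summarises the denials a reviewer should look at first. The log lines, the account id and the interface id are constructed for the example.

```python
"""Parse and summarise AWS VPC Flow Log records (default version-2 format).

Added example for this page; not code from the presentation or from AWS.
Field order is the documented default flow log format:
  version account-id interface-id srcaddr dstaddr srcport dstport
  protocol packets bytes start end action log-status
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample: one client accepted on 443 and later rejected on 8080,
# one external host rejected on four different ports, and one NODATA interval.
# Addresses are documentation ranges; the account id is a placeholder.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0123abcd 203.0.113.10 10.0.1.25 51000 443 6 12 4800 1471200000 1471200060 ACCEPT OK
2 123456789012 eni-0123abcd 198.51.100.7 10.0.1.25 40001 22 6 1 60 1471200000 1471200060 REJECT OK
2 123456789012 eni-0123abcd 198.51.100.7 10.0.1.25 40002 23 6 1 60 1471200000 1471200060 REJECT OK
2 123456789012 eni-0123abcd 198.51.100.7 10.0.1.25 40003 3389 6 1 60 1471200000 1471200060 REJECT OK
2 123456789012 eni-0123abcd 198.51.100.7 10.0.1.25 40004 445 6 1 60 1471200000 1471200060 REJECT OK
2 123456789012 eni-0123abcd 203.0.113.10 10.0.1.25 51001 8080 6 1 60 1471200000 1471200060 REJECT OK
2 123456789012 eni-0123abcd - - - - - - - 1471200060 1471200120 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA protocol number, 6 = TCP
    packets: int
    nbytes: int
    action: str        # "ACCEPT" or "REJECT" (security group / NACL decision)


def parse_flow_log(text):
    """Parse space-separated records; NODATA/SKIPDATA intervals carry '-' fields and are skipped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count in record: {line!r}")
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(
            srcaddr=row["srcaddr"], dstaddr=row["dstaddr"],
            srcport=int(row["srcport"]), dstport=int(row["dstport"]),
            protocol=int(row["protocol"]), packets=int(row["packets"]),
            nbytes=int(row["bytes"]), action=row["action"]))
    return records


def rejects_by_source(records):
    """Number of REJECT records per source address."""
    return Counter(r.srcaddr for r in records if r.action == "REJECT")


def sources_probing_many_ports(records, min_ports=3):
    """Sources whose rejected flows touched at least min_ports distinct
    destination ports. A single rejected port is usually a misconfigured
    client; many distinct ports from one source deserves a closer look."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("rejects by source:", dict(rejects_by_source(recs)))
    print("multi-port probers:", sources_probing_many_ports(recs))
```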

Amazon Web Services (AWS)

• Securely establishing connectivity to your AWS VPC
  – https://d0.awsstatic.com/whitepapers/aws-amazon-vpc-connectivity-options.pdf
• VPN connectivity to your AWS VPC
  – Establish an IPsec tunnel-mode VPN connection to your VGW
  – IKE v1, AES-256, SHA-2, DH PFS, DPD
  – Supports static routes or BGP
• Direct Connect is a dedicated private physical link
  – Within an AWS data center or via WAN provider
  – Supports 802.1Q VLAN tagging

Amazon Web Services (AWS)

• AWS offers certificate management
• TLS/SSL should be used for all services
• Encryption services are provided, but it is up to you to operate them securely and secure the keys
• Hardware Security Modules (HSMs) are available for storing your private keys
  – https://aws.amazon.com/cloudhsm/
• AWS Key Management Service (KMS)
  – https://aws.amazon.com/kms/

Amazon Web Services (AWS)

• Use AWS services to assist with backups
• Glacier can be used for long-term archives within vaults, but it is slow and expensive to retrieve
• You may desire faster restoration if something goes wrong
• Best to use “Bucket Policies” to control account- and user-level access to your S3 files
• EBS snapshots are incremental backups

Amazon Web Services (AWS)

• AWS can also assist with mitigating DDoS attacks
• AWS Best Practices for DDoS Resiliency (June 2016)
  – https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
• Use auto-scaling policies to absorb a DDoS attack by rescaling the instance size with “Enhanced Networking” or scaling the pool of EC2 instances with ELB
• ELB can only forward sane TCP connections – SYN floods and other DDoS packets (UDP, ICMP) are dropped
• AWS CloudFront (CDN) with AWS WAF can block attacks at AWS edge locations
• AWS Route 53 can absorb DNS flooding attacks through shuffle sharding and anycast striping

Amazon Web Services (AWS)

• AWS offers several systems to help you manage your security
• Amazon Inspector performs an automated security assessment, compares your operations to best practices, and gives you prioritized remediation steps
  – https://aws.amazon.com/inspector/
• AWS Config Rules helps you monitor your resource inventory, perform change management, and monitor changes recorded by AWS Config
  – https://aws.amazon.com/config/
• AWS Trusted Advisor reviews your security settings with you and provides areas for improvement (cost, HA, performance, etc.)
  – Available for Business and Enterprise Support plans
  – https://aws.amazon.com/premiumsupport/trustedadvisor/

Amazon Web Services (AWS)

• AWS security operations requires constant vigilance
• AWS CloudWatch Logs gives you visibility into your services, metrics, logs, alarms, etc. (standard 5 min. polling, detailed 1 min. polling), ~10 min. latency
  – https://aws.amazon.com/cloudwatch/
• AWS CloudWatch Events provide near real-time changes (Events, Rules, Targets)
• AWS CloudTrail provides a detailed logging and auditing service: it records API events, API call history, and change tracking for compliance or forensics (encrypt the data)
  – https://aws.amazon.com/cloudtrail/
• S3 Logs – Bucket Logging
• CloudFormation Logs
• VPC Flow Logs
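CloudTrail is where the IAM advice from the earlier slide (no root usage, MFA on the master account, change tracking) becomes checkable. The following is an added example, not code from the presentation or from AWS: it reads a CloudTrail log file in its documented {"Records": [...]} shape and flags root account activity, successful console logins without MFA, and security group changes. All records, account ids, users and addresses are constructed for the example.

```python
"""Audit a CloudTrail log file for the IAM practices the slides recommend.

Added example; not the presentation's code and not an AWS tool. Uses the
documented CloudTrail record fields (userIdentity.type, eventName,
eventSource, additionalEventData.MFAUsed, responseElements.ConsoleLogin).
"""
import json

# Constructed sample log: a root console login without MFA, an MFA login by
# alice, a non-MFA login by bob, a security group change, a root API call,
# and a failed login (which must not be reported as a successful non-MFA login).
SAMPLE_TRAIL = """
{"Records": [
 {"eventVersion": "1.05", "eventTime": "2016-09-15T13:01:02Z",
  "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "Root", "principalId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"}},
 {"eventVersion": "1.05", "eventTime": "2016-09-15T13:05:00Z",
  "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.20",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:user/alice"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventVersion": "1.05", "eventTime": "2016-09-15T13:07:30Z",
  "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.44",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:user/bob"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventVersion": "1.05", "eventTime": "2016-09-15T13:10:00Z",
  "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.20",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"groupId": "sg-0a1b2c3d"}},
 {"eventVersion": "1.05", "eventTime": "2016-09-15T13:15:00Z",
  "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "Root", "principalId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}},
 {"eventVersion": "1.05", "eventTime": "2016-09-15T13:20:00Z",
  "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
  "userIdentity": {"type": "IAMUser", "userName": "carol", "accountId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:user/carol"},
  "responseElements": {"ConsoleLogin": "Failure"},
  "additionalEventData": {"MFAUsed": "No"}}
]}
"""

# EC2 API calls that alter security group rules (the "firewalls" of the VPC slide).
SG_CHANGE_EVENTS = frozenset({
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
})


def load_records(text):
    """A CloudTrail log file is a JSON object whose 'Records' array holds the events."""
    return json.loads(text)["Records"]


def actor(record):
    """Best human-readable identity: IAM user name, else the ARN (root has no userName)."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def root_account_activity(records):
    """Every event performed as the account root: the slides say root should not be used at all."""
    return [(r["eventTime"], r["eventName"])
            for r in records if r.get("userIdentity", {}).get("type") == "Root"]


def console_logins_without_mfa(records):
    """Successful console logins where MFA was not used; failed attempts are excluded."""
    findings = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if (r.get("responseElements") or {}).get("ConsoleLogin") != "Success":
            continue
        if (r.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            findings.append((r["eventTime"], actor(r), r.get("sourceIPAddress")))
    return findings


def security_group_changes(records):
    """Who changed security group rules and when (change tracking for forensics)."""
    return [(r["eventTime"], actor(r), r["eventName"])
            for r in records
            if r.get("eventSource") == "ec2.amazonaws.com" and r.get("eventName") in SG_CHANGE_EVENTS]


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    print("root activity:", root_account_activity(recs))
    print("console logins without MFA:", console_logins_without_mfa(recs))
    print("security group changes:", security_group_changes(recs))
```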

Amazon Web Services (AWS)

• You can easily report abuse and vulnerabilities
  – http://aws.amazon.com/contact-us/report-abuse/
  – http://aws.amazon.com/security/vulnerability-reporting/
• You can’t just fire up a vulnerability scanner and start scanning your Elastic IPs
• You must obtain AWS permission to perform a port scan or vulnerability scan
• AWS’s penetration testing policy covers DDoS, MITM, IP spoofing, port scanning, and packet sniffing – request authorization through the form
  – https://aws-portal.amazon.com/gp/aws/html-formscontroller/contactus/AWSSecurityPenTestRequest

Amazon Web Services (AWS)

• AWS has a security ecosystem whereby you can acquire additional security components to complement your public cloud (BYOL, pricing based on the EC2 instance these run on)
  – Cisco, Palo Alto Networks, Check Point, Fortinet, Splunk, Alert Logic, Trend Micro, Symantec, Sophos, Barracuda, VyOS, FortyCloud, Intel Security, Gemalto, SafeNet, Imperva, Incapsula, F5, A10, Avi Networks, Brocade, Qualys, Tenable, Rapid7, Radware, Dome9, Evident.io, Threat Stack, HyTrust, & many others
• You can “Test Drive” security solutions in AWS – see if you like them
  – https://aws.amazon.com/testdrive/security/
• AWS Marketplace offers many popular cloud security additions
  – http://aws.amazon.com/partners/aws-marketplace/

Amazon Web Services (AWS)

• AWS provides many other sources of security training and best practices
• Journey Through the Cloud - Security Best Practices on AWS – Ian Massingham
  – https://www.youtube.com/watch?v=Ihe_8o00-WI
• Advanced Security Best Practices Masterclass
  – https://www.youtube.com/watch?v=zU1x5SfKEzs
• 28 different security and compliance sessions recorded at AWS re:Invent 2015
  – https://www.youtube.com/playlist?list=PLhr1KZpdzukc9aw8-gnLmyralfsBv7zcR

Amazon Web Services (AWS)

• Valuable AWS Security Whitepapers – AWS Security Center
  – http://aws.amazon.com/security/
• Introduction to AWS Security - July 2015
  – https://d0.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf
• AWS: Overview of Security Processes – June 2016
  – https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
• AWS Security Best Practices – Nov 2013
  – https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
• AWS Security by Design (SbD)
  – https://aws.amazon.com/compliance/security-by-design/
• AWS: Risk and Compliance, Jan 2016
  – https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf

Microsoft Azure Cloud Services

• Microsoft Azure has a full set of compliance certifications, including FedRAMP certification
  – https://www.microsoft.com/en-us/TrustCenter/Compliance/default.aspx
• Follows their own documented Security Development Lifecycle (SDL) and Operational Security Assurance (OSA) processes
• Offers AD authentication, 2FA, encryption, DDoS prevention, Key Vault (FIPS 140-2 Level 2 HSMs)
• Microsoft Azure Trust Center
  – https://www.microsoft.com/en-us/TrustCenter/Security/default.aspx
• Microsoft Azure Security Center provides security visibility through a dashboard to customers, integrated with Microsoft Global Threat Intelligence
  – https://azure.microsoft.com/en-us/services/security-center/

Google Cloud Platform Security

• Google Cloud Platform is a suite of IaaS CSP services that leverages the same infrastructure Google uses for Search, YouTube, etc.
• Like other IaaS platforms, this is a shared security responsibility model – the customer bears a lot of responsibility to secure their access, applications, and storage, but Google provides the tools/capability
  – https://cloud.google.com/security/
• In-depth security whitepaper
  – https://cloud.google.com/security/whitepaper

DigitalOcean Cloud Security

• DigitalOcean is a popular development cloud service for web-based applications
• This is an example of a cloud provider where you are on your own to make your web application secure
• DigitalOcean publishes its privacy policies
  – https://www.digitalocean.com/help/privacy/
  – https://www.digitalocean.com/legal/privacy/
• They publish some very basic cloud security information
  – https://www.digitalocean.com/security/

Salesforce.com Security

• As a SaaS provider, most of the responsibility for security falls on Salesforce.com
• Salesforce.com has mature security practices throughout their company – they know the risks if there is a breach
• Key Considerations – Your Responsibilities:
  – User authentication, SAML, OAuth, roles, permissions
  – Data security, sharing, 3rd-party tools tied into Salesforce.com data
  – Programmatic security, SOAP API, Metadata API
• Force.com Security Source Code Scanner
• Security Resource Page
  – https://developer.salesforce.com/page/Security
• Security Workbook – March 22, 2016
  – https://resources.docs.salesforce.com/sfdc/pdf/workbook_security.pdf
• View status of Salesforce.com
  – http://trust.salesforce.com/trust/instances

Cloud Storage Security

• Methods of securing cloud storage include:
  – Multi-factor authentication, SSO, federated identity management
  – Audit trails, reporting and logs on file storage and access
  – Role-based access controls and access policies
  – Data classification marking and monitoring, DLP integration
  – Encryption (customer retains the keys), data integrity, content security policies (or encrypt the files prior to storage)
  – Data Dispersion
• Use a cloud storage vendor that is certified and operates secure locations, redundant systems, constant monitoring, and media destruction

Data Dispersion Technologies

• Data Dispersion – uses multiple cloud storage services for redundancy and security
• Storage Slicing – breaks files into chunks for added confidentiality
  – Cleversafe (now IBM Cloud Object Storage)
    • https://www.cleversafe.com/
  – SecurityFirst SPx (Secure Parser extended)
    • https://www.securityfirstcorp.com/
  – Symform (Quantum, discontinued July 31, 2016)
    • http://www.symform.com/
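The two slides above describe dispersion (several storage services for redundancy) and slicing (chunks that give confidentiality) without saying how a chunk can be both useless on its own and sufficient in combination. The following is an added illustration, not the vendors' own algorithms: a k-of-n Shamir secret-sharing split over GF(256), so an object stored as one share per provider can be rebuilt from any k providers while any k-1 shares reveal nothing about it. The sample data, k and n are constructed for the example.

```python
"""k-of-n storage slicing with Shamir secret sharing over GF(2^8).

Added example; the products named on the slide use their own dispersal
schemes (typically an information dispersal algorithm plus encryption).
Each byte of the object becomes the constant term of a random degree k-1
polynomial; share x holds the polynomial evaluated at x. Any k shares
interpolate the constant term back; fewer than k are consistent with
every possible byte value, so a single provider learns nothing.
"""
import os


def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def _gf_pow(a, e):
    result = 1
    while e:
        if e & 1:
            result = _gf_mul(result, a)
        a = _gf_mul(a, a)
        e >>= 1
    return result


def _gf_inv(a):
    """a^254 == a^-1 in GF(2^8) (multiplicative group has order 255)."""
    return _gf_pow(a, 254)


def split_secret(data, k, n, rng=os.urandom):
    """Return n shares as (x, bytes) pairs; any k of them reconstruct data."""
    if not 1 < k <= n < 256:
        raise ValueError("need 1 < k <= n < 256")
    shares = [(x, bytearray()) for x in range(1, n + 1)]
    for byte in data:
        coeffs = [byte] + list(rng(k - 1))   # a0 = secret byte, a1..a(k-1) random
        for x, buf in shares:
            y = 0
            for c in reversed(coeffs):          # Horner evaluation at x
                y = _gf_mul(y, x) ^ c
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in shares]


def recover_secret(shares):
    """Lagrange-interpolate each byte position at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    length = len(shares[0][1])
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, bj) in enumerate(shares):
            num, den = 1, 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = _gf_mul(num, xm)        # (0 - xm) == xm in characteristic 2
                    den = _gf_mul(den, xj ^ xm)   # (xj - xm)
            acc ^= _gf_mul(bj[i], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    obj = b"customer record: constructed sample"
    providers = ["provider-A", "provider-B", "provider-C"]   # hypothetical names
    stored = dict(zip(providers, split_secret(obj, 2, 3)))  # one share per provider
    print("rebuilt from A+C:", recover_secret([stored["provider-A"], stored["provider-C"]]))
    print("a single share:", stored["provider-B"][1].hex())
```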

Examples of Cloud Security Controls

• Splunk
• Dome9
• Evident.io
• Trend Micro
• Bracket

Splunk for Cloud Security Management

• Splunk is a software application for searching, monitoring and analyzing machine-generated data via a web interface – a data visualization platform for IT operations and security use cases
• Splunk can be used with AWS to gain additional visibility; Splunk is also integrated into Google’s cloud platform
• Splunk uses a Bring-Your-Own-License (BYOL) model on AWS Marketplace, or you can build your own
  – Splunk Enterprise (HVM)
  – Splunk Cloud
  – Splunk Light
  – Hunk (HVM) = Splunk on Hadoop

Dome9

• Dome9 provides SecOps cloud security visualization for policy control of AWS EC2 and VPC security groups
• Dome9 provides change control, configuration management and audit of AWS services
• It can detect tampering and abuse and stop unauthorized/non-permitted configuration changes
• Dome9 can also provide firewall policy management, file integrity monitoring, dynamic access leases, Multi-Factor Authentication, and compliance audit reporting
  – https://dome9.com/aws-security/
• Cloud Security Wiki
  – https://dome9.com/wiki/display/cloudsecurity/Cloud+Security

Dome9 Clarity Console (Cont.)

(Figure: Dome9 Clarity Console screenshot)

Evident.io

• Evident.io provides visibility into AWS services
• Evident Security Platform (ESP)
• http://evident.io/

Trend Micro and AWS

• Trend Micro Deep Security integration with AWS
  – Defend against network attacks
  – Proactive intrusion prevention (IDS/IPS)
  – Virtually patch software
  – Keep malware off Windows and Linux workloads
  – Identify and remove malware and block traffic to known bad domains
  – Uncover suspicious changes
  – Get alerts for unplanned or malicious changes
  – Suspicious events are highlighted in the dashboard
  – Speed PCI-DSS compliance
• Usage-based pricing based on AWS EC2 instance type
• Orderable on AWS Marketplace
• http://www.trendmicro.com/aws/

Bracket

• https://www.brkt.com/

Security Services in the Cloud

• Cloud Access Security Brokers (CASB)
• Other Cloud-based Security Services

Cloud Access Security Brokers (CASB)

• CASBs provide visibility into cloud services and reveal “Shadow IT”, cloud misuse, data classification violations and data loss
• CASBs can operate in several ways:
  – In-line at the security perimeter – physical or virtual appliance
  – As a web-browser proxy (HTTPS inspection), cloud-based service
  – As a DNS-based proxy, cloud-based service
  – Software agent on user device (integration with Enterprise Mobility Management (EMM)) and IDaaS
• CASBs can enforce policies with identity, authorization/credentials, encryption, location, device profiling, logging/alerting, etc.
• Numerous CASB vendors - continued vendor consolidation will occur
  – Adallom (now Microsoft), Aperture (now Palo Alto Networks), BitGlass, CipherCloud, CloudLock (now Cisco), Elastica (now Blue Coat, Symantec), Imperva Skyfence, Netskope, ManagedMethods, Palerra, Skyhigh Networks, Saviynt, among others…
• Consolidation of cloud-based web proxy, malware detection/prevention, CASB, DLP solutions

Cloud-based Security Services

• Companies want security solutions that leverage the capabilities of the cloud (reduce technical debt of security management)
• Organizations have a mobile workforce using mobile platforms to perform their work. Not all IT users are within the enterprise’s walls accessing applications in the local data center.
• Some security vendors offer subscription-based security solutions that get a threat intelligence data feed.
  – Content Filtering and Advanced Malware Protection
  – Periodic Vulnerability Scanning, Web Security Assessments
  – Identity and Access Management as a Service (IDaaS), Privileged Access Management (PAM)
  – DDoS Mitigation in the Cloud
  – SIEM in the cloud, Managed Security Service Provider (MSSP), Security Operations Center (SOC)

Cloud Security Certifications

• CSA CCSK
• (ISC)2 CCSP
• SANS


• CCSK Guidance V3 has 14 domains

Certificate of Cloud Security Knowledge (CCSK)

1. Cloud Architecture
2. Governance and Enterprise Risk
3. Legal and Electronic Discovery
4. Compliance and Audit
5. Information Lifecycle Management
6. Portability and Interoperability
7. Traditional Security, BCM, D/R
8. Data Center Operations
9. Incident Response
10. Application Security
11. Encryption and Key Management
12. Identity and Access Management
13. Virtualization
14. Security-as-a-Service


• CSA’s CCM is a gigantic spreadsheet that lists over 130 prominent control specifications across 15 control domains and relates each to pertinent cloud security standards and best practices

• Mappings for FedRAMP Low/Moderate, ISO/IEC 27001, NIST 800-53, among others

• This is a valuable resource to help remind you of all the controls to consider when operating in a cloud environment

• Cloud Controls Matrix (CCM) v3.0.1 (6-6-16 Update)
– https://cloudsecurityalliance.org/group/cloud-controls-matrix/
– https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/

CSA Cloud Controls Matrix


CSA Cloud Controls Matrix (CCM)


• CCSK Training Classes are available (HP Education Services)
– CCSK Foundation (2 days), CCSK Plus (3 days)

• CSA guidance version 3.0, Security Guidance for Critical Areas of Focus in Cloud Computing, V3

• European Network and Information Security Agency (ENISA) whitepaper – Cloud Computing: Benefits, Risks and Recommendations for Information Security

• NIST documents (800-144, 800-145, 800-146, 500-292)

• CCSK Prep Guide (CCSK-Prep-Guide-V3.pdf)

• CCSK on-line open-book exam costs $345
– 60 questions, 90 minutes, 80%+, 2 attempts

• https://ccsk.cloudsecurityalliance.org/

Certificate of Cloud Security Knowledge (CCSK)


• The CCSP Common Body of Knowledge (CBK) consists of the following six domains:
– 1 Architectural Concepts & Design Requirements
– 2 Cloud Data Security
– 3 Cloud Platform & Infrastructure Security
– 4 Cloud Application Security
– 5 Operations
– 6 Legal & Compliance

• ISO/IEC 17788 and NIST 800-145, 800-146, 500-299

• https://www.isc2.org/ccsp/default.aspx

Certified Cloud Security Professional (CCSP) – (ISC)2


1. Architectural Concepts & Design Requirements – Cloud computing concepts & definitions based on the ISO/IEC 17788 standard; security concepts and principles relevant to secure cloud computing.
– Understand Cloud Computing Concepts
– Describe Cloud Reference Architecture
– Understand Security Concepts Relevant to Cloud Computing
– Understand Design Principles of Secure Cloud Computing
– Identify Trusted Cloud Services

2. Cloud Data Security – Concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and the controls used to enforce various levels of confidentiality, integrity, and availability in cloud environments.
– Understand Cloud Data Lifecycle
– Design and Implement Cloud Data Storage Architectures
– Design and Apply Data Security Strategies
– Understand and Implement Data Discovery and Classification Technologies
– Design and Implement Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII)
– Design and Implement Data Rights Management
– Plan and Implement Data Retention, Deletion, and Archiving Policies
– Design and Implement Auditability, Traceability and Accountability of Data Events

Certified Cloud Security Professional (CCSP) – (ISC)2


3. Cloud Platform & Infrastructure Security – Knowledge of the cloud infrastructure components, both physical and virtual, existing threats, and mitigating and developing plans to deal with those threats.
– Comprehend Cloud Infrastructure Components
– Analyze Risks Associated to Cloud Infrastructure
– Design and Plan Security Controls
– Plan Disaster Recovery and Business Continuity Management

4. Cloud Application Security – Processes involved with cloud software assurance and validation; and the use of verified secure software.
– Recognize the need for Training and Awareness in Application Security
– Understand Cloud Software Assurance and Validation
– Use Verified Secure Software
– Comprehend the Software Development Life-Cycle (SDLC) Process
– Apply the Secure Software Development Life-Cycle
– Comprehend the Specifics of Cloud Application Architecture
– Design Appropriate Identity and Access Management (IAM) Solutions

Certified Cloud Security Professional (CCSP) – (ISC)2


5. Operations – Identifying critical information and executing selected measures that eliminate or reduce adversary exploitation of it; the requirements of the cloud architecture for running and managing that infrastructure; definition of controls over hardware, media, and the operators with access privileges, as well as the auditing and monitoring mechanisms, tools and facilities.
– Support the Planning Process for the Data Center Design
– Implement and Build Physical Infrastructure for Cloud Environment
– Run Physical Infrastructure for Cloud Environment
– Manage Physical Infrastructure for Cloud Environment
– Build Logical Infrastructure for Cloud Environment
– Run Logical Infrastructure for Cloud Environment
– Manage Logical Infrastructure for Cloud Environment
– Ensure Compliance with Regulations and Controls (e.g., ITIL, ISO/IEC 20000-1)
– Conduct Risk Assessment to Logical and Physical Infrastructure
– Understand the Collection, Acquisition and Preservation of Digital Evidence
– Manage Communication with Relevant Parties

6. Legal & Compliance – Addresses ethical behavior and compliance with regulatory frameworks. Includes investigative measures and techniques, gathering evidence (e.g., Legal Controls, eDiscovery, and Forensics); privacy issues and audit process and methodologies; implications of cloud environments in relation to enterprise risk management.
– Understand Legal Requirements and Unique Risks within the Cloud Environment
– Understand Privacy Issues, Including Jurisdictional Variation
– Understand Audit Process, Methodologies, and Required Adaptions for a Cloud Environment
– Understand Implications of Cloud to Enterprise Risk Management
– Understand Outsourcing and Cloud Contract Design
– Execute Vendor Management

Certified Cloud Security Professional (CCSP) – (ISC)2


• Live In-Person CBK Training Class, 5 days, $1995
• Live On-Line CBK Training Class, 5 days, $1395
• On-Demand On-Line CBK Training - $495 ($395 for CISSPs)
• The Official (ISC)2 Guide to the CCSP CBK, by Adam Gordon
– ISBN: 978-1-119-20749-8, 560 pages, November 2015
– http://www.wiley.com/WileyCDA/WileyTitle/productCd-1119207495.html
– $80, Members get 50% off with code ISC50

• Free Flash Cards On-Line
• Pearson Vue Exam
– 4 hours, 125 questions (700+/1000) - $549

Certified Cloud Security Professional (CCSP) – (ISC)2


• SANS SEC524 2-day in-person or on-line/self-study class, $2130
– Laptop Required, MP3 audio files of the complete course lecture

• Day 1
– Introduction to Cloud Computing
– Security Challenges in the Cloud
– Infrastructure Security in the Cloud
– Policy and Governance for Cloud Computing
– Compliance and Legal Considerations
– Disaster Recovery and Business Continuity Planning in the Cloud

• Day 2
– Risk, Audit, and Assessment for the Cloud
– Data Security in the Cloud
– Identity and Access Management (IAM)
– Intrusion Detection and Incident Response

• https://www.sans.org/course/cloud-security-fundamentals

SANS SEC524: Cloud Security Fundamentals


• Final thoughts on cloud security
• Wrap-up
• Next steps

Cloud Security Summary

Resources abound to make cloud services more secure: Learning to securely develop and use cloud services
Network World article, by Scott Hogg, March 7, 2016
http://www.networkworld.com/article/3041326/cloud-security/cloud-security-training-and-certification.html


• Security has more to do with people and processes than technology
• Good security comes down to discipline
• If you have good InfoSec hygiene in your on-premises IT infrastructure, you can have good cloud security operations
• Cloud services can be less secure, equally secure, or more secure than your traditional on-premises data center
• It is easier to be secure from the beginning rather than try to add security in after systems are in production
• Good design, implementation using best practices, proper maintenance, and vigilance will make your cloud system secure

Cloud Security – The Bottom Line


• GTRI is an experienced cloud infrastructure solution provider helping customers securely consume cloud services

• GTRI offers a “Cloud Security Assessment” service
– Proactively: During the design and deployment phases
– Reactively: During the operational phase

• GTRI can help you manage your cloud services spending
– Analyze your cloud services and current consumption
– Help you manage the billing, visibility, cost optimization

• GTRI can help you proactively manage your physical and virtualized IT assets, reduce risks, and realize more business benefits of using cloud infrastructure

GTRI: Your Cloud Security Partner


Thank You For Your Time!

Scott Hogg, CTO GTRI
303-949-4865 | [email protected] | @ScottHogg