
“Summarized Key Aspects of the CSA Guidance material”

DOMAIN 1
Cloud Computing Concepts and Architectures
Cloud user is the person or organization requesting and using the resources, and the cloud provider is the person or organization
that delivers them / “client” and “consumer” also refer to the cloud user
NIST uses the term cloud actor and adds roles for cloud brokers, carriers, and auditors.

Cloud Computing vs Traditional Virtualization:


Virtualization -› abstracts resources but lacks the orchestration to pool them and deliver them on demand – it relies on manual processes
Clouds -› are multitenant, use orchestration, automation and self-service

Definitional Model
§ CSA uses NIST 800-145
§ NIST uses the “SPI” tier naming: S/SaaS, P/PaaS, I/IaaS

Deployment models
§ Deployment models are defined based on the cloud user: who uses the cloud.
Reference and Architecture Model
§ Most cloud applications (SaaS or other) use a combination of IaaS and PaaS - sometimes across different cloud providers.

Logical Model
§ The key difference between cloud and traditional computing is: Metastructure

Cloud Security & Compliance

*Roles can be further complicated when using cloud brokers or other intermediaries and partners.

Shared Responsibility Model


§ Cloud users should always build a responsibilities matrix to document who is implementing which controls and how
§ Use the Consensus Assessments Initiative Questionnaire (CAIQ).
§ Use the Cloud Controls Matrix (CCM)
Cloud Security Models
§ Conceptual models =› CSA logical model
§ Controls models =› CSA CCM
§ Reference architectures =› IaaS security reference architecture
§ Design patterns =› Reusable solutions: ex IaaS log management

Cloud Security Project

1. Identify requirements
2. Design the architecture
3. Identify the gaps based on the capabilities of the underlying cloud platform
§ NB - Cloud users need to know the CSP’s capabilities and architecture before they start translating security requirements into
controls
DOMAIN 2
Governance and Enterprise Risk Management

§ Information Security is a tool of Information Risk Management, which is a tool of Enterprise Risk Management, which is a
tool of Governance
Governance
§ Organizations can never outsource responsibility for governance
§ Responsibilities and mechanisms for governance are defined in the Contract
§ If an area of concern is Not in the contract =› this is a Governance Gap: 1-Close the gaps or 2-Accept the associated risks
Tools of Cloud Governance
§ -Contracts: Primary tool to extend governance into business partners and providers
§ -Supplier (CSP) Assessments: combine contractual and manual research with third-party attestations
§ -Compliance Reporting: Documentation on a provider’s internal and external compliance assessments / Reports from audits
§ -Assessments and Audits: should be based on existing standards like the SSAE 16. Define: Scope/ What / Which Controls are
assessed
Enterprise Risk Management
§ -Enterprise Risk Management (ERM): is the overall management of risks for an organization
§ -You can never outsource your overall responsibility and accountability for risk management to an external provider
§ -Risk management in cloud: is based on the shared responsibilities model / relies on contracts and documentation
§ -Self-hosted private cloud: internal SLAs and procedures replace external contracts in this case
§ -Risk tolerance: is the amount of risk that leadership will accept
§ - Build out a matrix of cloud services along with which types of assets are allowed in those services
§ - Know which assets are within your risk tolerance strategy
§ -Moving to the cloud doesn’t change your risk tolerance, it just changes how risk is managed.
Service Models & ERM
§ -SaaS -› Most critical example of the need for a negotiated contract - likely to happen with a small SaaS provider
§ -PaaS -› The likelihood of a fully negotiated contract is likely lower than with either of the other service models
§ -IaaS -› Vast majority of existing governance and risk management activities that organizations have are directly transferable.
Deployment Models & ERM
§ -Public -› Cloud customers have a reduced ability to govern operations in a public cloud - Inflexible contracts are a natural
property of multitenancy + Hosted private cloud allows full customization (but at increased costs)
§ -Private -› Will be shared responsibilities with obligations that are defined in the contract - have more control over
contractual terms
§ -Hybrid -› Minimum set of controls of the Cloud Service Provider’s contract & organization’s internal governance
agreements
Cloud Risk Management Trade-Offs
- Less physical control over assets (infrastructure or the provider’s internal processes)
- Greater reliance on contracts, audits, and assessments
- Increased requirement for proactive management of adherence to contracts
- Cloud user is still accountable, but you can outsource management of some risks
Cloud Risk Management
-Risk Management -› Manage, Transfer, Accept, or Avoid risks
-Always start with supplier assessment:
DOMAIN 3
Legal Issues, Contracts and Electronic Discovery
§ Legal Frameworks≈ to safeguard the privacy of personal data and the security of information and computer systems
§ Laws≈ define numerous obligations, such as confidentiality and security obligations / may conflict with each other in
countries
§ Data controller≈ (typically the entity that has the primary relationship with an individual) - is prohibited from collecting
and processing personal data unless certain criteria are met.
§ Data controller≈ remains responsible for the collection and processing of that data
§ Data subject≈ needs to consent to the collection and proposed uses of his or her data
§ Data processor≈ a third party to process data on its behalf
§ Cloud providers and Cloud users operating in multiple regions≈ required to meet compliance requirements from different
contexts
§ Compliance requirements≈ depends on location of cloud provider, cloud user, data subject, servers, legal jurisdiction of
the contract, treaties between those various locations.
Cross-border Data Transfers
§ Countries prohibit or restrict the transfer of information≈ permitted only if the other country offers an “adequate level of protection”
§ Alternative ≈ data importer and exporter may need to sign a contract ensuring the maintenance of privacy rights for data
subjects
§ Local Data Protection Commissioner≈ provides permission before transferring data in or out of the country.
§ New data localization laws≈ Russia and China, which require personal data of individuals residing in their countries be
stored locally
General Data Protection Regulation (GDPR)
§ GDPR is directly binding on any corporation that processes the data of EU citizens, and will be adjudicated by the data
supervisory authorities or the courts of the member states that have the closest relationship with the individuals or the entities
on both sides of the dispute.
§ GDPR applies:
- If a controller or processor is established in the EU/EEA, regardless of whether the processing takes place in the EU/EEA or
not
- If the personal data is that of data subjects who are in the EU/EEA, regardless of where the controller or processor is
- If the behavior of a data subject is monitored, when the behavior takes place within the EU/EEA.
§ Lawfulness: data subject has freely given specific, informed and unambiguous indication of his consent to processing of
personal data
§ Accountability Obligations: Companies are expected to develop products/services with “privacy by design” and “privacy by
default”
§ Data Subjects’ Rights≈ to have their data corrected or erased; to be compensated for damages suffered as a result of unlawful
processing; the right to be forgotten; and the right to data portability.
§ Cross-border Data Transfer Restrictions≈ The transfer of personal data outside the EU/EEA to a country that does not offer a
similar range of protection of personal data and privacy rights is prohibited.
§ Breaches of Security≈ The GDPR requires companies to report within 72 hours of the company becoming aware of the
incident
§ Discrepancies among Member States: each member state may adopt its own rules
§ Sanctions: Violations of the GDPR expose a company to sanctions of up to the greater of 4% of its global turnover/gross income, or up to
20 Million Euros
Network Information Security Directive (NIS Directive)
§ NIS Directive of Aug 2016≈ requires each EU/EEA member state to implement the Directive into its national legislation by
May 2018.
§ U.S. Federal Laws≈ Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act of 1996
(HIPAA), and Children’s Online Privacy Protection Act of 1998 (COPPA)
§ U.S. State Laws≈ have laws relating to data privacy and/or data security.
Contracts and Provider Selection
§ When data or operations are transferred to a cloud, the responsibility for protecting and securing the data typically remains
with the collector or custodian of that data
§ Internal Due Diligence≈ moving data to a cloud without the prior permission of the customer (data owner) would cause a
breach in the data use agreement with that customer.
§ External Due Diligence≈ In most cases, the cloud customer will want to evaluate at least the applicable service level,
end-user legal agreements; privacy policies; security disclosures; and proof of compliance with applicable legal requirements
(e.g., registration requirements) to ensure the conditions stated by the cloud provider are suitable for the customer’s
organization.
Electronic Discovery
§ U.S. rules around “discovery”—the process by which an opposing party obtains private documents for use in litigation
§ Cloud service providers and their clients must carefully plan how they will be able to identify all documents that pertain to a
case
§ The obligations of the cloud service provider as cloud data handler with regard to the production of information in response
to legal process is an issue left to each jurisdiction to resolve.
§ Litigation Hold – Preservation≈ a party is generally obligated to undertake reasonable steps to prevent the destruction or
modification of data in its possession, custody or control that it knows, or reasonably should know, is relevant either to
pending or reasonably anticipated litigation or a government investigation.
§ Document review or privilege review≈ process to determine what must/must not be turned over as part of the discovery
process
Collection
§ Access and Bandwidth≈ client’s access to its data in the cloud will be determined by its SLA. Both need to establish a
protocol (and cost) for extraordinary access in the case of litigation. Or clients are responsible for the extra time and cost!
§ FRCP 26(b)(2)(B) excuses a litigant who is able to show that the requested information is not reasonably accessible
§ Court may nonetheless order discovery if the requesting party is able to show why this information is needed
§ Forensics≈ Bit-by-bit imaging of a cloud data source is generally difficult or impossible, mainly because of multitenancy
§ Clients may need to notify opposing counsel or the courts of these limitations -› may use FRCP 26(b)(2)(B)
§ Reasonable Integrity≈ A client subject to a discovery request should undertake reasonable steps to validate that its collection
from its cloud provider is complete and accurate
§ Limits to Accessibility≈ there are cases where a cloud customer may not be able to access all their data stored in a cloud &
cloud customer and cloud provider may have to analyze the request when responding to a discovery request
§ Direct Access≈ cloud providers may not be able to provide direct access, because the hardware and facilities are outside its
possession, custody or control
§ Native Production≈ requesting party, producing party, provider - that the relevant information be exported using standard
protocols within the cloud environment
§ Authentication≈ refers to forensic authentication of data admitted into evidence (not user authentication) - it has not been
altered since it was created
§ Cooperation Between Provider and Client in E-Discovery≈ CSP consider designing their cloud offerings to include discovery
services
§ Response to a Subpoena or Search Warrant≈ SLA should require the cloud service provider to notify the customer that a
subpoena was received and give the company time to fight the request for access. CSP should carefully analyze the request
before disclosing information
DOMAIN 4
Compliance and Audit Management
§ Indirect providers≈ the cloud provider of your cloud provider
§ Compliance Inheritance≈ where a provider may have parts of their service certified as compliant which removes this from the
audit scope of the customer, but the customer is still responsible for the compliance of everything they build on top of the
provider
§ Audits≈ mechanism to support, assure, and demonstrate compliance -› key tool for proving (or disproving) compliance
§ Compliance≈ validates awareness of and adherence to corporate internal and external obligations
§ Compliance process≈ assesses the state of that awareness and adherence -› risks + costs of non-compliance+ remediation…
Compliance
§ Compliance management≈ is a tool of governance
§ InfoSec is deeply coupled with compliance≈ because regulations require a certain level of security
Cloud & Compliance
§ Compliance in the cloud is a shared responsibility model≈ but the customer is always ultimately responsible for their own
compliance.
§ Responsibilities≈ are defined through contracts, audits/assessments, and specifics of the compliance requirements.
§ Public cloud≈ Cloud customers must rely on third-party attestations/reports
§ Cloud providers can be certified for≈ PCI DSS, SOC1, SOC2, HIPAA, best practices/frameworks like CSA CCM, and
global/regional regulations like the EU GDPR.
§ Pass-through audits≈ are a form of compliance inheritance for all or some of the cloud provider’s infrastructure
§ Compliance inheritance≈ the cloud provider’s infrastructure is out of scope for a customer’s compliance audit, but everything
the customer configures and builds on top of the certified services is still within scope.
§ Scope≈ means the provider’s infrastructure/services are not within scope of a customer’s audit/assessment. The customer is
still ultimately responsible for maintaining the compliance of what they build and manage

§ Legal≈ It is customer’s responsibility to manage and understand where to deploy data and services and maintain their legal
compliance across jurisdictions.
§ Audits and assessments≈ mechanisms to document compliance with internal/external requirements and include a compliance
determination, list of identified issues, risks, and remediation recommendations.
§ Attestation≈ is a legal statement from a third party, which can be used as their statement of audit findings
§ Audit management≈ management of all activities: requirements, scope, scheduling, and responsibilities
§ NDA≈ customers will need to enter into a basic legal agreement with CSP before gaining access to attestations for risk
assessments
§ SSAE 16 standards≈ attest that documented controls work as designed/required
§ Customer vulnerability assessment≈ customer technical assessments and audits - may require permission from CSP to
distinguish between a legitimate assessment and an attack.
§ Artifacts≈ are the logs, documentation, and other materials needed for audits and compliance
DOMAIN 5
Information Governance
§ Information is data with value.
§ Information/Data governance≈ Ensuring the use of data and information complies with organizational policies, standards and
strategy including regulatory, contractual, and business objectives
§ Multitenancy impacts≈ data is stored on shared infrastructure with other or in private cloud with different business units
§ Shared security responsibility - Ownership? ≈ business owner generally is but can depend on contracts/laws
§ Shared security responsibility - Custodianship? ≈ refers to who is managing the data ≈ If a customer gives you their personal
information and you don’t have the rights to own it, you are merely the custodian.
§ Data sovereignty≈ providers may not be transparent about the physical location of the data; controls may be needed to restrict data
to particular locations.
§ Destruction and removal of data≈ Can you ensure the destruction and removal of data in the cloud in accordance with policy?
§ Cloud computing affects most data governance domains≈ Information Classification - Information Management Policies -
Location and Jurisdiction Policies – Authorizations – Ownership – Custodianship – Privacy - Contractual controls - Security
controls
Data Security Lifecycle
§ This is a summary of the lifecycle; a complete version is available at http://www.securosis.com/blog/data-securitylifecycle-2.0
§ Lifecycle 6 phases≈ create, store, use, share, archive, destroy ≈ data can bounce between phases and may not pass through all
stages

Locations and Entitlements


§ Locations≈ Data is accessed and stored in multiple locations, each with its own lifecycle - series of smaller lifecycles running
in different operating environments
§ Entitlements: When we know where data lives and how it moves -› we need to know who is accessing it and how
Functions, Actors, and Controls
§ Functions≈ 3 things we can do with a given datum: read, process, store
§ Actor≈ (person, application, or system/process, as opposed to the access device) performs each function in a location
§ Controls≈ A control restricts a list of possible actions down to allowed actions
§ [ which functions map to which phases of the lifecycle:]

Mapping the lifecycle to functions and controls.


DOMAIN 6
Management Plane and Business Continuity
Management Plane
§ Management plane includes≈ interfaces for building/managing cloud itself & interfaces for cloud users to manage their own
allocated
§ The cloud provider is responsible≈ for ensuring the management plane is secure and necessary security features are exposed to the cloud
user
§ The cloud user is responsible≈ for configuring their use of management plane, as well as for securing and managing their
credentials.
Business Continuity and Disaster Recovery
§ 3 main aspects of BC/DR in the cloud
- Ensuring continuity and recovery within a given cloud provider
- Preparing for and managing cloud provider outages
- Considering options for portability
Architect for Failure
§ “Lift and Shift” ≈ wholesale migration of existing applications without architectural changes can reduce resiliency
§ IaaS -› ability to manage is higher
§ SaaS -› ability to manage is much lower
§ PaaS -› depends / some platforms have resiliency options that you can configure / other platforms are completely in the hands of the
provider.
Accessing the Management Plane
§ Through APIs and web consoles.
§ Application Programming Interfaces≈ are the glue that holds the cloud’s components together and enables their orchestration
§ Web consoles provide visual interfaces≈ are managed by the provider+ can be organization-specific tied to customer context
§ Cloud providers ≈ will offer Software Development Kits (SDKs) + Command Line Interfaces (CLIs) to integrate with their
APIs
§ APIs are typically REST (standard for web-based services) and run over HTTP/S
§ Authentication mechanisms ≈ use HTTP request signing and OAuth (most common)
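
HTTP request signing as named in the bullet above, shown as an added example that is not part of the original summary, the CSA guidance, or any provider’s SDK. The canonical string layout, the 300-second freshness window, the key ID and the secret are all assumptions constructed for illustration; real providers each define their own signing format.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Assumed freshness window: bounds how long a captured request stays replayable.
MAX_SKEW_SECONDS = 300


def canonical_request(method, path, query, body, timestamp):
    """Build the exact bytes both sides sign.

    Query parameters are sorted so the signature does not depend on the
    order in which the client happened to serialize them.
    """
    sorted_query = urlencode(sorted(query.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    parts = [method.upper(), path, sorted_query, str(int(timestamp)), body_hash]
    return "\n".join(parts).encode("utf-8")


def sign_request(secret, method, path, query, body, timestamp):
    """Client side: HMAC-SHA256 over the canonical request using the API secret."""
    message = canonical_request(method, path, query, body, timestamp)
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_request(key_store, key_id, signature, method, path, query, body,
                   timestamp, now=None):
    """Management-plane side: return 'ok' or the reason for rejection."""
    now = time.time() if now is None else now
    secret = key_store.get(key_id)
    if secret is None:
        return "unknown-key"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return "stale-timestamp"
    expected = sign_request(secret, method, path, query, body, timestamp)
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, signature):
        return "bad-signature"
    return "ok"


def demo():
    """Run one valid call and three rejected ones against constructed data."""
    key_store = {"key-demo-01": b"constructed-secret-for-demo"}  # constructed
    t0 = 1_700_000_000
    body = b'{"action": "stop", "instance": "vm-123"}'
    query = {"region": "r1", "dry_run": "false"}
    args = ("POST", "/v1/instances", query)
    sig = sign_request(key_store["key-demo-01"], *args, body, t0)
    tampered = body.replace(b"stop", b"terminate")
    return {
        "valid": verify_request(key_store, "key-demo-01", sig, *args, body, t0, now=t0 + 5),
        "tampered_body": verify_request(key_store, "key-demo-01", sig, *args, tampered, t0, now=t0 + 5),
        "replayed_late": verify_request(key_store, "key-demo-01", sig, *args, body, t0, now=t0 + 3600),
        "unknown_key": verify_request(key_store, "key-other", sig, *args, body, t0, now=t0 + 5),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because the secret never travels with the request, a party that captures a signed call can at most replay it unchanged inside the freshness window.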
Securing the Management Plane
§ Account owner≈ with super-admin privileges/manage entire configuration ≈ should be enterprise-owned (not personal)/avoid
using
§ Admin accounts≈ for individual admin use › compromise of one of these accounts could allow access to everything and
anything
§ Service administrators≈ “day to day” administrators › don’t necessarily expose the entire deployment if they are compromised

§ Least privilege≈ Both providers and consumers should allow the least privilege
§ Privileged user accounts≈ should use multi-factor authentication (MFA)
§ All cloud accounts≈ (even individual user accounts) should use MFA – optional

Management Plane for CSP


§ Major facets to building and managing a secure management plane (applies for private cloud also)
1. Perimeter security≈ Protect from attacks against the management plane’s network/application attacks
2. Customer authentication≈ use existing standards for customers to authenticate (like OAuth or HTTP request signing)
3. Internal authentication and credential passing≈ non-customer-facing portions of the management plane/ mandate
MFA
4. Authorization and entitlements≈ Granular entitlements
5. Logging, monitoring, and alerting≈ Cloud customers should be able to access their logs via API and integrate them
to their systems

Business Continuity and Disaster Recovery


§ Cloud customer is ultimately responsible for how they use and manage the cloud service.
§ BC/DR must take a risk-based approach:
- Ask the provider for outage statistics over time › this can help inform your risk decisions.
- Capabilities vary between providers › should be included in the vendor selection process.
Business Continuity Within the Cloud Provider
§ Best to re-architect deployments when you migrate them to the cloud.
§ BC/DR must account for the entire logical stack:
- Metastructure: should be backed up in a restorable format
- Software-Defined Infrastructure: use an infrastructure template to create cloud deployment. (can use API calls)
- Infrastructure: features to support higher availability / beware of cost models
- Infostructure: Data synchronization is often a challenge across locations / size of data sets / costs
- Applistructure: includes all of the above + full range of everything in an application
§ Graceful failure: in case of a service outage≈ downtime notification pages and responses/ static stand-by via DNS redirection
§ “Chaos Engineering”: uses tools to selectively degrade portions of the cloud to continuously test business continuity.
Business Continuity for Loss of the Cloud Provider
§ Sometimes you can migrate to a different portion of their service, but in other cases an internal migration simply isn’t an
option, or you may be totally locked in ›› accepting this risk is often a legitimate option
§ Different CSP≈ Moving data, metastructure, security controls, logging…, can be difficult and incompatible between
platforms.
§ SaaS≈ critical outage due to total reliance on the provider ›› use scheduled data extraction and archiving into compatible
SaaS/requires testing
Business Continuity for Private Cloud and Providers
§ RTOs and RPOs will be stringent≈ completely on the provider’s side
§ If customers are providing services to others ≈ be aware of contractual requirements and data residency when building your BC
plans.
DOMAIN 7
Infrastructure Security
§ Infrastructure security encompasses the lowest layers of security, from physical facilities through the consumer’s
configuration and implementation of infrastructure components
§ 2 macro layers to infrastructure
§ Pooled resources≈ raw, physical and logical compute, networks, and storage
§ Virtual/abstracted infrastructure ≈ virtual network/storage ← our focus
Cloud Network Virtualization
§ Physical segregation of networks composing your cloud ≈ for both operational and security reasons
§ At least three different networks underlying IaaS which are isolated into dedicated hardware

Two major categories of network virtualization:


- Virtual Local Area Networks (VLANs): for use in single-tenant networks (enterprise data centers) to separate different
business units -› not for cloud-scale virtualization or security, and not a replacement for physical segregation
- Software Defined Networking (SDN): decouple the network control plane from the data plane≈ support multiple customers
using the same IP address blocks (SDN use packet encapsulation)
Security Changes with Cloud Networking
§ Cloud customer to manage network security≈ need to rely on an in-line virtual appliance, or a software agent installed in
instances
Virtual Appliances:
§ Should support auto-scaling, elasticity, velocity of change
§ Can become bottlenecks, consume resources and increase costs
SDN Security Benefits
§ Isolation is easier≈ isolated networks with no logical way to directly communicate/ multiple networks without address
conflicts
§ Security groups≈ SDN firewalls ≈ are typically policy sets that define ingress and egress rules apply to any asset with
tag/IP/subnet
§ can be used at orchestration layer
§ are managed outside a system yet apply to each system
§ possible to encrypt packets as they are encapsulated
§ Default deny≈ is often the starting point ≈ you are required to open connections from there
§ Host firewalls≈ difficult to manage at scale + can be compromised if the system they are on is compromised
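
An added example (not from the original summary or any provider’s API) of how security groups with a default-deny starting point are evaluated: rules are held outside the workloads, attached by group name, and matched on the source’s tag or IP block. It models ingress only; the group names, tags, and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    protocol: str
    ports: tuple              # inclusive (low, high)
    source_tag: str = None    # match any asset carrying this tag
    source_cidr: str = None   # or any address inside this block


@dataclass(frozen=True)
class Asset:
    asset_id: str
    ip: str
    tags: frozenset = frozenset()
    groups: tuple = ()        # security groups attached at the orchestration layer


def source_matches(rule, src):
    """A rule selects its source by tag or by CIDR block."""
    if rule.source_tag is not None and rule.source_tag in src.tags:
        return True
    if rule.source_cidr is not None:
        return ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.source_cidr)
    return False


def ingress_allowed(groups, src, dst, protocol, port):
    """Return (allowed, deciding_group).

    Rules only ever open connections; if no rule in any group attached to
    the destination matches, the result is the default deny.
    """
    for name in dst.groups:
        for rule in groups.get(name, ()):
            low, high = rule.ports
            if rule.protocol == protocol and low <= port <= high and source_matches(rule, src):
                return True, name
    return False, "default-deny"


# Constructed three-tier policy: each tier accepts traffic only from the tier in front.
GROUPS = {
    "web-sg": [IngressRule("tcp", (443, 443), source_cidr="0.0.0.0/0")],
    "app-sg": [IngressRule("tcp", (8080, 8080), source_tag="tier:web")],
    "db-sg": [IngressRule("tcp", (5432, 5432), source_tag="tier:app")],
}

# Constructed assets.
INTERNET = Asset("external-client", "203.0.113.7")
WEB = Asset("web-1", "10.0.1.10", frozenset({"tier:web"}), ("web-sg",))
APP = Asset("app-1", "10.0.2.10", frozenset({"tier:app"}), ("app-sg",))
DB = Asset("db-1", "10.0.3.10", frozenset({"tier:db"}), ("db-sg",))
# Auto-scaled worker: carries the app tag but has no group attached yet.
WORKER = Asset("app-2", "10.0.2.11", frozenset({"tier:app"}))


if __name__ == "__main__":
    checks = [
        (INTERNET, WEB, 443), (INTERNET, DB, 5432), (WEB, DB, 5432),
        (APP, DB, 5432), (APP, DB, 22), (WORKER, DB, 5432), (WEB, WORKER, 8080),
    ]
    for src, dst, port in checks:
        allowed, why = ingress_allowed(GROUPS, src, dst, "tcp", port)
        print(f"{src.asset_id} -> {dst.asset_id}:{port} {'ALLOW' if allowed else 'DENY'} ({why})")
```

The `WORKER` case shows both halves of the model: its tag already satisfies the database rule without any IP being listed, while nothing can reach it until a group is attached.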
Microsegmentation
§ Microsegmentation ≈ hypersegregation ≈ means more, smaller, more isolated networks / can increase operational expenses
§ Against Blast Radius≈ running applications on their own virtual networks limits how far a foothold can expand across the
data center
Software Defined Perimeter
§ CSPs≈ are responsible for implementing perimeter security
§ SDP includes 3 components: SDP client (connecting asset) + SDP controller (authenticating and authorizing) + SDP gateway
(enforcing policies)≈ SDP: https://cloudsecurityalliance.org/group/software-definedperimeter/#_overview
§ Scrubbed information≈ ensure information is not able to be read by another customer when the VM/drive is
released/provisioned
Hybrid Cloud
§ Security level≈ hybrid connection may reduce security of the cloud network if the private network isn’t at an equivalent security
level
§ Separation≈ enforced via routing, access controls, and even firewalls or additional network security tools
§ Management≈ may increase routing complexity+ reduce ability to run multiple cloud networks with overlapping IP ranges+
complicate security on both sides
§ “Bastion” or “Transit” virtual networks≈ emerging architecture for hybrid cloud connectivity
§ -step 1≈ dedicated virtual network for the hybrid connection + peers any networks through bastion network
§ -step 2≈ connect to the data center through the bastion network + deploy different security tools in bastion network

Cloud Compute and Workload


§ Workload ≈ is a unit of processing, can be in a VM, a container, other abstraction (run on processor/consume memory)
§ Compute abstraction types:
1. Virtual machines≈ called instances in cloud+ created (or cloned) off a base image+ hypervisor abstracts OS&hardware
2. Containers≈ are code execution environments that run within an operating system+ share resources from OS+ multiple
containers can run on same VM or on hardware+ only access to processes/capabilities defined in container configuration
3. Platform-based workloads≈ workloads running on shared platform (not VM/containers) ›› CSP fully responsible for
security
4. Serverless computing≈ cloud user doesn’t manage any underlying hardware or VMs/ only accesses exposed functions +
CSP responsible for security (underlying layers, foundational security functions and controls)
Immutable Workloads
§ Full Immutable VM=based on an image+ no patch/changes on running workload +change through underlying image+ VM
replaced
§ Not completely immutable≈ fully automated process: push new images OS + push code updates into running VMs
§ Immutable benefits≈ no patch management + remote logins disabled+ standardized image+ testing during image creation
§ Immutable requirements=consistent image creation process + Security testing must be integrated into the image creation and
deployment process + disable logins and restrict services
deployment pipeline for creating images for immutable VM/Containers

Impact of Cloud on Workload Security


§ Software agents become useless for serverless
§ “Traditional” agents may impede performance more heavily in cloud ≈ use Lightweight agents/cloud aware agents
§ Agents need to support auto-scaling + have the ability to discover the management and the control plane
§ The agent management plane needs to support the speed of auto-scaling and support elasticity
§ Agents may increase attack surface≈ the ingestion of configuration changes and signatures can be used as an attack vector + may require
opening up additional firewall ports
§ File integrity monitoring≈ good security control for immutable workloads
§ Long-running VMs≈ can be isolated on the network (requires management tool in the same subnet)/ less resilient
Workload Security Monitoring and Logging
§ IP addresses ≈ useless in cloud ›› use unique identifiers in logs to identify assets / support for ephemeral systems
§ Logs≈ need to be offloaded + support higher velocity of change in cloud + consider Logging architectures/SIEM costs
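
Why an IP address alone does not identify an asset in logs, as an added example that is not part of the original summary. The allocation records, instance IDs, and log events are constructed; the code attributes each event to a workload by its unique identifier when the log carries one, and otherwise by a time-aware lookup of which instance held the address.

```python
from collections import defaultdict
from datetime import datetime


def t(stamp):
    return datetime.fromisoformat(stamp)


# Constructed address allocations: (instance_id, ip, start, end). end=None means still running.
ALLOCATIONS = [
    ("i-0a11", "10.0.1.15", t("2024-05-01T10:00:00"), t("2024-05-01T10:20:00")),
    ("i-0b22", "10.0.1.15", t("2024-05-01T10:25:00"), None),   # same IP, new instance
    ("i-0c33", "10.0.1.16", t("2024-05-01T10:00:00"), None),
]

# Constructed log events. Only the last one was written with a unique identifier.
EVENTS = [
    {"time": t("2024-05-01T10:05:00"), "src_ip": "10.0.1.15", "msg": "ssh login failure"},
    {"time": t("2024-05-01T10:18:00"), "src_ip": "10.0.1.15", "msg": "unexpected outbound connection"},
    {"time": t("2024-05-01T10:22:00"), "src_ip": "10.0.1.15", "msg": "dns query"},
    {"time": t("2024-05-01T10:40:00"), "src_ip": "10.0.1.15", "msg": "health check ok"},
    {"time": t("2024-05-01T10:41:00"), "src_ip": "10.0.1.99", "instance_id": "i-0d44",
     "msg": "package install"},
]


def resolve_instance(ip, when, allocations):
    """Return the instance that held `ip` at `when`, or None if none or ambiguous."""
    owners = [
        instance_id
        for instance_id, addr, start, end in allocations
        if addr == ip and start <= when and (end is None or when < end)
    ]
    return owners[0] if len(owners) == 1 else None


def attribute_events(events, allocations):
    """Group messages by asset, preferring the identifier recorded in the log itself."""
    by_asset = defaultdict(list)
    for event in events:
        asset = event.get("instance_id") or resolve_instance(
            event["src_ip"], event["time"], allocations
        )
        by_asset[asset or "unattributed"].append(event["msg"])
    return dict(by_asset)


def group_by_ip(events):
    """The naive view: treat the source IP as the asset identity."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["src_ip"]].append(event["msg"])
    return dict(by_ip)


if __name__ == "__main__":
    print("by IP:   ", group_by_ip(EVENTS))
    print("by asset:", attribute_events(EVENTS, ALLOCATIONS))
```

Grouping by IP merges the terminated instance’s login failures with the replacement instance’s health checks, and the event logged while the address was unallocated can only be attributed if the log itself recorded an identifier.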
Vulnerability Assessment
§ Requires notification of assessments≈ CSP to distinguish an assessment from a real attack
§ Default deny≈ limit assessment/requires ports open≈ use an agent on the instance
§ Assessments can be run during the image creation process for immutable workloads
DOMAIN 8
Virtualization and Containers
§ Virtualization≈ is technology used to convert fixed infrastructure into these pooled resources
(Compute/Network/Storage/Containers) + provides abstraction ≈ Without virtualization, there is no cloud
§ New security controls≈ Security of the virtualization itself + Security controls for the virtual assets
§ Shared responsibility model:
§ ›CSP: always responsible for securing physical infrastructure and the virtualization platform itself
§ ›Customer: implementing the available virtualized security controls
Virtualization Categories-Compute
§ Compute virtualization abstracts the running of code (including OS) from the underlying hardware.
§ Containers and certain kinds of serverless infrastructure also abstract compute›› create code execution environments Not full
OS
§ CSP Responsibilities≈ enforce isolation (between VMs/Containers) + securing virtualization infrastructure from attack
§ Customer Responsibilities =implement the security of whatever it deploys within the virtualized environment:
- identity management to the virtual resources/ who is allowed to manage
- Monitoring and logging of VM/Containers/virtual environments…
- Image asset management: of virtual machine, container, or other code
- Use of dedicated hosting
- standard security for the workload…
- Host-level monitoring/logging
Virtualization Categories –Network
§ Monitoring and Filtering: if two virtual machines are located on same physical machine› tools inline on network never see
the traffic
§ Alternatives≈ You can bridge all network traffic back out to the network + route to virtual appliance on same virtual
network/host
§ CSP may not support access for direct network monitoring (could be a security risk for the provider)

Management Infrastructure
§ Cloud Provider Responsibilities≈ segregation and isolation of network+ building a secure network+ disable packet sniffing+
Tagging or SDN-level metadata should not be exposed outside management plane+ enable built-in firewall capabilities+
detecting and preventing attacks on all levels.
§ Cloud User Responsibilities≈ configuring their deployment/ virtual firewalls + Immutable networks/ known-good configs+
rights management in management plane
§ Cloud Overlay Networks ≈ are WAN virtualization technology for creating networks that span multiple “base” networks.
Virtualization Categories –Storage
§ Storage Area Network (SAN) and Network-Attached Storage (NAS) are both common forms of storage virtualization
§ Most virtualized storage is durable
§ Encrypting those drives≈ reduce data exposure resulting from drives swapping (does not protect at virtualization layer)
Virtualization Categories –Containers
§ Software container systems include 3 components:
- Container≈ execution environment
- controller≈ orchestration and scheduling
- repository for the container images or code to execute
§ Container Security ≈ Containers don’t provide full security isolation (VMs do) / but they do provide task segregation.
- Secure the underlying physical infrastructure (compute, network, storage)
- Secure the management plane
- Secure the image repository
- Building security into the tasks/code running inside the container
- Container management=use RBAC+ strong authentication+ secure configs
DOMAIN 9
Incident Response
Incident Response Lifecycle
§ IR as defined in the NIST 800-61rev2 has 4 major activities:
1. Preparation: “Establishing an incident response capability so that the organization is ready to respond to incidents.”
§ Process to handle the incidents.
§ Handler communications and facilities.
§ Incident analysis hardware and software.
§ Internal documentation (port lists, asset lists, network diagrams, current baselines of network traffic).
§ Identifying training.
§ Evaluating infrastructure by proactive scanning and network monitoring, vulnerability assessments, and performing risk
assessments.
§ Subscribing to third-party threat intelligence services.

2. Detection and Analysis:


§ Alerts [endpoint protection, network security monitoring, host monitoring, account creation, privilege escalation, other
indicators of compromise, SIEM, security analytics (baseline and anomaly detection), and user behavior analytics].
§ Validate alerts (reducing false positives) and escalation.
§ Estimate the scope of the incident.
§ Assign an Incident Manager who will coordinate further actions.
§ Designate a person who will communicate the incident containment and recovery status to senior management.
§ Build a timeline of the attack.
§ Determine the extent of the potential data loss.
§ Notification and coordination activities
3. Containment, eradication and recovery:
§ Containment: Taking systems offline. Considerations for data loss versus service availability. Ensuring systems don’t
destroy themselves upon detection.
§ Eradication and recovery: Clean up compromised devices and restore systems to normal operation. Confirm systems are
functioning properly. Deploy controls to prevent similar incidents.
§ Documenting the incident and gathering evidence (chain of custody).

4. Post-mortem:
§ What could have been done better? Could the attack have been detected sooner? What additional data would have been
helpful to isolate the attack faster? Does the IR process need to change? If so, how?
DOMAIN 10
Application Security
§ SSDLC≈ describes a series of security activities during all phases of application development, deployment, and
operations
§ CSA uses 3 “meta-phases” to help describe the standard set of activities seen across SSDLC frameworks.
1-Secure Design and Development:
§ From training and developing organization-wide standards to actually writing and testing code.
§ 5 main phases in the SSDLC affected by cloud computing:
1. Training: Development, operations, and security should all receive additional training on cloud security
fundamentals
2. Define: cloud user determines approved architectures, security standards, requirements for the provider
3. Design: in PaaS focus for security is on architecture
4. Develop: developers need a development environment with access to the management plane ≈ it should not be a production
environment or hold production data
5. Test: security testing should be integrated into the deployment process and pipeline ≈ spans this phase and the Secure
Deployment phase≈ security unit tests/ functional tests/ SAST/ DAST/ automated testing

2-Secure Deployment:
§ The security and testing activities when moving code from an isolated development environment into production.
§ Application security tests:
§ Code Review: is manual activity≈ API calls for management+ least privilege entitlements+ authentication and encryption
§ Unit testing, regression testing, and functional tests: standard tests ≈ need to be updated to include API calls
§ Static Application Security Testing (SAST): checks on API calls to CSP + embedded credentials
§ Dynamic Application Security Testing (DAST): tests running applications+ web vulnerability and fuzzing
§ Vulnerability assessment≈ can be integrated into CI/CD pipelines + requires compliance with the provider’s terms of
service + can be done in 2 ways: 1-assessments against images or containers 2- test entire infrastructures (infrastructure
as code)
§ Host based vulnerability assessment≈ run locally in VMs + do not require permission from CSP
§ Penetration Testing≈ CSA recommends: Use a testing firm+ Include developers/admins + if multitenancy, test isolation
§ Deployment Pipeline≈ CI/CD pipelines enhance security through: immutable infrastructure/ automating security testing/
extensive logging (logs can track every code, infrastructure, and configuration change)
§ Secure the pipeline itself ≈ use dedicated cloud environment with limited access
§ Infrastructure as Code: infrastructure environments are defined using templates that are translated into API calls, and can be
immutable
3-Secure Operations:
§ Securing and maintaining production applications, including external defenses such as Web Application Firewalls (WAF)
and ongoing vulnerability assessments.
§ Management plane ≈ in production environments it should be locked down/use least privileges/ use different accounts per
application
§ Immutable and production≈ always monitor deviations from approved baselines
§ Keep ongoing application testing and assessment≈ prior check with CSP to avoid violating terms of service
§ Change management≈ need to include any infrastructure/ cloud management plane/ applications
Application Design and Architectures
§ Segregation by default: could be a separate virtual network or account/sub-account
§ Immutable infrastructure: to add: disable remote logins + add file integrity monitoring+ integrate into incident recovery plans
§ Increased use of micro-services: secure› communications between all micro-services/ service discovery/ scheduling/ routing
§ PaaS and “serverless” architectures: CSP needs to take responsibility for the security of the platform/serverless setup
§ direct network attack paths≈ attackers can’t scan ports≈ limited to attempting API calls or HTTPS traffic only
§ Software-defined security: ways to automate many security operations≈ automating cloud IR/ entitlements changes/
remediations.
§ Event-driven security: CSP may support event-driven security≈ predefine events that trigger security actions/ code
execution
DevOps
§ DevOps≈ refers to integration of development and operations › automating application deployment and infrastructure
operations.
§ It uses Continuous Integration (CI) and/or Continuous Delivery (CD)≈
- automated deployment pipelines
- programmatic automation tools for management
§ Standardization: anything that goes into production is created by the CI/CD ≈ Dev/Test/Prod are same
§ Automated testing: integrated into the CI/CD pipeline, with manual testing added as needed
§ Immutable: CI/CD pipelines can produce master images
§ Improved auditing and change management: CI/CD pipelines can track everything, with the entire history kept in a version
control repository
§ SecDevOps/DevSecOps: refers to the integration of security activities into DevOps
§ Rugged DevOps ≈ refers to integration of security testing into the application development process
DOMAIN 11
Data Security and Encryption
Data Security Controls
§ Controlling what data goes into the cloud
§ Protecting and managing the data in the cloud:
§ Access controls
§ Encryption
§ Architecture
§ Monitoring/alerting
§ Additional controls (data loss prevention, enterprise rights management, CSP specifics)
Enforcing information lifecycle management security:
- data location/residency
- compliance (audit artifacts: logs, configurations)
- Backups and business continuity
Cloud Data Storage Types
§ Object storage: similar to a file system / “Objects” are typically files / access is through APIs
§ Volume storage: virtual hard drives for instances/VMs
§ Database: relational or non-relational: NoSQL, file system based databases (e.g. HDFS)
§ Application/platform: like content delivery network (CDN)
Data dispersion (also called data fragmentation or bit splitting)≈ a process that takes chunks of data, breaks them up, and stores
multiple copies on different physical storage for HA.
Managing Data Migrations to the Cloud
§ define your policies≈ for which data types are allowed and where in cloud
§ set baseline security requirements (ex: encryption and access control requirements)
§ identify your key data repositories
§ Monitor for large migrations/activity≈ use Database Activity Monitoring and File Activity Monitoring DAM/FAM or tools:
• CASB: Cloud Access and Security Brokers/ Cloud Security Gateways=discover internal use of cloud services
• URL filtering: or web gateway: may help you understand which cloud services your users are using
• DLP: Data Loss Prevention monitors web traffic≈ detects data migrations to cloud services/can’t see encrypted

Securing Cloud Data Transfers


§ Understand CSP data transfer mechanisms≈ send data to a provider’s object storage over an API => more reliable and secure
§ In-transit encryption≈ 1- client-side encryption (encrypt before sending) 2- Network encryption (TLS/SFTP/etc.) CSP
APIs use TLS by default. 3- Proxy-based encryption (encryption proxy in a trusted area between CSP/customer)
§ Receiving data≈ partners or the public to send you data: sanitize before processing/ Always isolate and scan before data
integration
Securing Data in the Cloud
§ Access Controls: vary based on cloud service model and provider-specific features
§ Management plane: start with default deny access control policies
§ Public and internal sharing controls: data shared externally or with the public needs a second layer of controls for this access
§ Application level controls: design and implement your own controls to manage access
§ Create entitlement matrix≈ documents which users, groups, and roles should access which resources and functions
§ Fine-Grained Access Controls and Entitlement Mappings

Storage (At-Rest) Encryption and Tokenization:


§ Key management is just as essential as encryption
§ Encryption≈ protects data by applying a mathematical algorithm that “scrambles” the data/recovered by the unscrambling
(decryption) process
§ Encryption system: data, the encryption engine (algorithm), and key management (handles the keys)
§ Tokenization ≈ takes the data and replaces it with a random value≈ stores original + randomized in a secure database for
recovery
IaaS Encryption
Volume storage encryption:
- Instance-managed encryption: encryption engine runs within the instance/key is stored in the volume
- Externally managed encryption: encryption engine runs in the instance/keys are managed externally
Object and file storage:
- Client-side encryption: encryption engine embedded in the application or client.
- Server-side encryption: Data is encrypted on the server (cloud) /CSP has access to key and runs encryption engine.
- Proxy encryption: connect the volume to a special instance or appliance + connect your instance to the encryption instance
[Figure: Externally managed volume encryption]

PaaS Encryption
§ Application layer encryption: Data is encrypted in the PaaS application or the client accessing the platform
§ Database encryption: Data is encrypted in the database using built-in encryption like Transparent Database Encryption (TDE)
§ Other: These are provider-managed layers
SaaS Encryption
§ Provider-managed encryption: Data is encrypted in the SaaS application and generally managed by the provider.
§ Proxy encryption: Data passes through an encryption proxy before being sent to the SaaS application.
§ Key Management: main considerations≈ performance, accessibility, latency, and security
- HSM/appliance: use hardware security module (HSM) or appliance-based key manager ≈ are on premises
- Virtual appliance/software: use virtual appliance or software-based key manager in the cloud
- Cloud provider service: offered by the cloud provider › check security model and SLAs before
- Hybrid: can combine HSM as the root of trust for keys + delivering application-specific keys to a virtual appliance in
cloud
- Customer-Managed Keys: cloud customer manages the encryption key + CSP manages the encryption engine. ex: in
SaaS platform
- Some CSP may require you to use service within the provider to manage the key/ keys and data can be exposed by local
laws.
Monitoring, Auditing, and Alerting
§ Identify and alert about any public access or entitlement changes on sensitive data (Use tagging)
§ Monitor both API and storage access, since data may be exposed through either
§ Store logs in a secure location
Data Loss Prevention
§ DLP is a way to monitor and protect data that users access via monitoring local systems, web, email, and other traffic (used in
SaaS)
§ DLP is not used within datacenters and can be offered by the CSP as a cloud provider feature or by some CASBs as basic DLP
features
Enterprise Rights Management
§ Digital Rights Management (DRM)/Enterprise Rights Management (ERM) are based on encryption
§ Full DRM: traditional full digital rights management / may break cloud provider features
§ Provider-based control: CSP offer controls similar to full DRM by using native capabilities
Data Masking and Test Data Generation
§ Dynamic masking≈ rewrites data on the fly, using a proxy mechanism, to mask all or part of data delivered to a user
(sensitive data)
§ Test data generation: creation of a database with non-sensitive test data based on a “real” database.(use scrambling to create a
data set)
Lifecycle Management Security
§ Managing data location/residency≈ disable unneeded locations / Use encryption to enforce access at the container or object
level.
§ Ensuring compliance: document and test those controls (“artifacts of compliance”)
§ Backups and business continuity
DOMAIN 12
Identity, Entitlement, and Access Management
§ Federation is the primary tool used to manage multiple IAM by trust relationships and enforcing standards-based
technologies
§ IAM definition by Gartner as “the security discipline that enables the right individuals to access the right resources at the
right times for the right reasons.”
Definitions:
§ Entity: the person or “thing” that will have an identity. (individual, a system, a device, or application code.)
§ Identity: unique expression of an entity within a given namespace. (an entity can have multiple digital identities) ex: social/work
§ Identifier: means by which an identity can be asserted. ex: cryptological token/ a person’s passport.
§ Attributes: facets of an identity. ex: static (organizational unit)/dynamic (IP address)
§ Persona: the expression of an identity with attributes that indicates context. ex: identity is individual/persona is developer
§ Role: identities can have multiple roles which indicate context. similar to a persona, or subset of a persona.
§ Authentication: the process of confirming an identity. Also known as Authn
§ Multifactor Authentication (MFA): multiple factors in authentication. ex: one-time pass OTP/out-of-band/biometrics,
tokens.
§ Access control: restricting access to a resource. Access management ≈ process of managing access to the resources.
§ Authorization: allowing an identity access to something (e.g. data or a function). Also known as Authz
§ Entitlement: mapping an identity (including roles, personas, and attributes) to an authorization. what is allowed to do
§ Federated Identity Management: the process of asserting an identity across different systems or organizations.
§ Authoritative source: the “root” source of an identity, such as the directory server
§ Identity Provider: the source of the identity in federation.
§ Relying Party: the system that relies on an identity assertion from an identity provider.
IAM Standards
§ Security Assertion Markup Language (SAML) 2.0 ≈ supports both authentication and authorization. Uses XML for assertions
§ OAuth ≈ Is a framework/work over HTTP. used for web services or delegating access control/authz between services.
§ OpenID is a standard for federated authentication for web services. used to identify identity provider/user identity
§ eXtensible Access Control Markup Language (XACML) is a standard for defining attribute-based access
controls/authorizations.
§ Policies are defined at a Policy Decision Point (PDP) and then passed to a Policy Enforcement Point (PEP)
§ System for Cross-domain Identity Management (SCIM) is a standard for exchanging identity information between domains

Managing Users and Identities for Cloud


§ Identity management=focuses on processes/technologies for registering/provisioning/propagating/managing/deprovisioning
identities
§ Cloud providers≈ need to support internal identities/identifiers/attributes for users that access service + and support
federation for Organisations
§ Cloud users need to decide where they want to manage their identities/or use federation
- determine the authoritative source that holds the unique identities › use an internal directory server
- determine whether to directly use the authoritative source or integrate an identity broker
§ Free-form: internal identity providers/sources (often directory servers) connect directly to cloud providers.
§ Hub and spoke: internal identity providers/sources communicate with a central broker as the identity provider for federation
to CSP
- Identity brokers≈ handle federating between identity providers and relying parties. Can be on the network edge or in cloud
- Identity providers≈ can be on-premises or cloud-based directory servers that support federation
Implementation process
§ How to manage identities for application code, systems, devices, and other services.
§ Defining the identity provisioning process and how to integrate that into cloud deployments
§ Provisioning and supporting individual cloud providers and deployments
o Mapping attributes (including roles)
o Enabling required monitoring/logging
o Building an entitlement matrix
o Documenting any break/fix scenarios
o Ensuring incident response plans
§ Implementing deprovisioning or entitlement change processes for identities and the cloud provider.
Authentication and Credentials
§ Authentication≈ is the process of proving or confirming an identity + Authentication is the responsibility of the identity
provider.
§ Information security authentication≈ refers to the act of a user logging in
§ Impact of cloud on authentication›› strong authentication using multiple factors
§ Multifactor Authentication MFA=When using MFA & federation, identity provider should pass MFA status as attribute to
relying party
§ MFA options:
- Hard tokens are physical devices that generate one time passwords
- Soft tokens work similarly to hard tokens
- Out-of-band Passwords are text or other messages
- Biometrics
Entitlement and Access Management
§ Authorization is permission to do something
§ Access control allows or denies the expression of that authorization
§ Entitlement maps identities to authorizations and any required attributes
entitlement matrix

§ The cloud provider is responsible for: enforcing authorizations and access controls +
supporting granular attributes and authorizations to enable ABAC
§ The cloud user is responsible for: defining entitlements and properly configuring federation, mapping attributes,
including roles and groups to CSP
§ Attribute-Based Access Control-ABAC (preferred for cloud) offers greater flexibility and security than Role-Based Access
Control
§ Privileged User Management: use strong authentication, account and session recording, sign-in through a separate controlled
system
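The entitlement matrix, default-deny and ABAC points above, shown as an added example (not part of the CSA Guidance or of these notes): a small policy decision function evaluates a federated assertion, including the MFA status the identity provider passes as an attribute, against a constructed matrix. All role, resource and attribute names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Entitlement:
    """One row of the entitlement matrix."""
    role: str
    resource: str
    action: str
    required: dict = field(default_factory=dict)  # attribute name -> required value


# Constructed sample matrix; roles, resources and attribute names are hypothetical.
MATRIX = [
    Entitlement("developer", "dev-vm", "start"),
    Entitlement("developer", "dev-vm", "stop"),
    Entitlement("sec-admin", "prod-logs", "read", {"mfa": True}),
    Entitlement("cloud-admin", "prod-vm", "terminate",
                {"mfa": True, "network": "admin-jump-host"}),
]


def decide(assertion, resource, action, matrix=MATRIX):
    """Policy decision: return (allowed, reason). The default is deny."""
    roles = set(assertion.get("roles", []))
    attrs = assertion.get("attributes", {})
    reason = "no entitlement for this role/resource/action"
    for row in matrix:
        if row.role not in roles or (row.resource, row.action) != (resource, action):
            continue
        # An attribute the identity provider did not pass counts as unmet.
        unmet = sorted(k for k, v in row.required.items() if attrs.get(k) != v)
        if not unmet:
            return True, f"entitled as {row.role}"
        reason = "attribute requirement not met: " + ", ".join(unmet)
    return False, reason


def enforce(assertion, resource, action):
    """Policy enforcement: act only on an explicit allow from decide()."""
    allowed, reason = decide(assertion, resource, action)
    return {"subject": assertion.get("subject"), "resource": resource,
            "action": action, "allowed": allowed, "reason": reason}


# Constructed federated assertions, as a relying party might receive them.
ADMIN_WITH_MFA = {"subject": "alice", "roles": ["cloud-admin"],
                  "attributes": {"mfa": True, "network": "admin-jump-host"}}
# Same role, but the identity provider did not pass the MFA status.
ADMIN_NO_MFA_STATUS = {"subject": "alice", "roles": ["cloud-admin"],
                       "attributes": {"network": "admin-jump-host"}}
DEVELOPER = {"subject": "bob", "roles": ["developer"],
             "attributes": {"mfa": False}}

if __name__ == "__main__":
    for who, res, act in [
        (ADMIN_WITH_MFA, "prod-vm", "terminate"),
        (ADMIN_NO_MFA_STATUS, "prod-vm", "terminate"),
        (DEVELOPER, "dev-vm", "start"),
        (DEVELOPER, "prod-vm", "terminate"),
    ]:
        print(enforce(who, res, act))
```

A role-only check would allow both `cloud-admin` assertions; the attribute requirement is what denies the one that arrives without MFA status.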
DOMAIN 13
Security as a Service
§ Security as a Service (SecaaS) providers offer security capabilities as a cloud service.
§ To be qualified as SecaaS- it must meet the following criteria:
- SecaaS includes security products or services that are delivered as a cloud service.
- Services must still meet the essential NIST characteristics for cloud
Potential Benefits
§ Cloud-computing benefits: normal potential benefits of cloud computing apply to SecaaS
§ Staffing and expertise: SecaaS providers bring the benefit of extensive domain knowledge and research focused on security
§ Intelligence-sharing: share data intelligence and data from multi-tenancy service
§ Deployment flexibility: it is itself a cloud-native model delivered using broad network access and elasticity.
§ Insulation of clients: can intercept attacks before they hit the organization directly.
§ Scaling and cost: with a “Pay as You Grow” model
Potential Concerns
§ Lack of visibility: SecaaS provider may not reveal details of how it implements its own security and manages its own
environment
§ Regulation differences: SecaaS providers may be unable to assure compliance in all jurisdictions that an organization
operates in.
§ Handling of regulated data: customers need assurance that any regulated data is handled in accordance with any compliance requirements
§ Data leakage: SecaaS providers should be held to the highest standards of multitenant isolation and segregation
§ Changing providers: concerns about lock-in due to potentially losing access to data/historical data needed for
compliance/investigation
§ Migration to SecaaS: boundary and interface between in-house IT and SecaaS providers must be well planned, exercised,
maintained.
Categories of Security as a Service Offerings
§ Identity, Entitlement, and Access Management Services
§ Cloud Access and Security Brokers (CASB, also known as Cloud Security Gateways)
§ Web Security (Web Security Gateways)
§ Email Security
§ Security Assessment
§ Web Application Firewalls
§ Intrusion Detection/Prevention (IDS/IPS)
§ Security Information & Event Management (SIEM)
§ Encryption and Key Management
§ Business Continuity and Disaster Recovery
§ Security Management
§ Distributed Denial of Service Protection
DOMAIN 14
Related Technologies
§ Related technologies fall into two broad categories
§ Technologies that rely nearly exclusively on cloud computing to operate.
§ Technologies that don’t necessarily rely on cloud, but are commonly seen in cloud deployments.

Big Data
Gartner defines it as such: “Big data is high volume, high velocity, and/or high variety information assets that require new forms of
processing to enable enhanced decision making, insight discovery and process optimization.”
§ “3 Vs” as the core definition of big data:
§ High volume: a large size of data, in terms of number of records or attributes.
§ High velocity: fast generation and processing of data, i.e., real-time or stream data.
§ High variety: structured, semi-structured, or unstructured data.
§ 3 components of big data:
§ Distributed data collection: Mechanisms to ingest large volumes of data
§ Distributed storage: The ability to store the large data sets in distributed file systems (Hadoop/NoSQL…)
§ Distributed processing: Tools capable of distributing processing jobs (Spark)

Internet of Things (IoT)


§ Internet of Things is a blanket term for non-traditional computing devices used in the physical world that utilize Internet
connectivity.
§ Key cloud security issues related to IoT:
§ Secure data collection and sanitization
§ Device registration, authentication, and authorization
§ API security for connections from devices back to the cloud infrastructure
§ Encrypted communications
§ Ability to patch and update devices so they don’t become a point of compromise

Mobile
§ Mobile computing: mobile applications connect to cloud computing for their back-end processing
§ Security issues for mobile computing
§ Device registration, authentication, and authorization are common sources of issues
§ Application APIs are also a potential source of compromise.
§ For additional recommendations, see the CSA Mobile Working Group.

Serverless Computing
§ Serverless computing: the entire application stack runs in a cloud provider’s environment without any customer-managed
operating systems, or even containers ≈ servers and their configuration and security are completely hidden from the cloud
user
§ Serverless includes services like:
§ Object storage
§ Cloud load balancers
§ Cloud databases
§ Machine learning
§ Message queues
§ Notification services
§ Code execution environments (These are generally restricted containers where a consumer runs uploaded application
code.)
§ API gateways
§ Web servers

§ Security issues for serverless


§ Serverless places a much higher security burden on the cloud provider
§ Using serverless, the cloud user will not have access to commonly-used monitoring and logging
§ Challenge: confirming that all services used comply with the various regulations
§ There will be high levels of access to the cloud provider’s management plane
§ Any vulnerability assessment or other security testing must comply with the provider’s terms of service
§ Incident response may also be complicated and will definitely require changes in process/tooling
