Category: Engineering and Technology. Tag: CCSP. Publisher: Sybex. Language: English. As the only official study guide reviewed and endorsed by (ISC)², this guide helps you prepare faster and smarter with the Sybex study tools, which include pre-test assessments that show you what you know and the areas you need to review further.
In this completely rewritten 3rd Edition, experienced cloud security professionals Mike Chapple and David Seidl use their extensive training and hands on skills to help you prepare for the CCSP exam. Objective maps, exercises, and chapter review questions help you gauge your progress along the way, and the Sybex interactive online learning environment includes access to a PDF glossary, hundreds of flashcards, and two complete practice exams.
Learn the skills you need to be confident on exam day and beyond. Employers are seeking qualified professionals with a proven cloud security skill set, and the CCSP credential brings your résumé to the top of the pile.
SOC 2
A. A set of regulatory requirements for cloud service providers
B. A set of software development lifecycle requirements for cloud service providers
C. An inventory of cloud service security controls that are arranged into separate security domains

When a conflict between parties occurs, which of the following is the primary means of determining the jurisdiction in which the dispute will be heard?
A. Tort law
B. Contract
C. Common law
D. Criminal law

Which one of the following is the most important security consideration when selecting a new computer facility?
A. Local law enforcement response times
B. Aircraft flight paths
D. Utility infrastructure

Which of the following is always safe to use in the disposal of electronic records within a cloud environment?
A. Physical destruction
B. Overwriting
C. Encryption
D. Degaussing

Which of the following does not represent an attack on a network?
A. SYN flood
B. Denial of service
C. Nmap scan
D.

Which of the following takes advantage of the information developed in the business impact analysis (BIA)?
A. Calculating ROI
B. Risk analysis
C. Calculating TCO
D. Securing asset acquisitions

Which of the following terms best describes a managed service model where software applications are hosted by a vendor or cloud service provider and made available to customers over network res…

Which of the following is a federal law enacted in the United States to control the way financial institutions deal with private information of individuals?
Consumer Protection Act

A. Between the WAP gateway and the wireless endpoint device
B. Between the web server and the WAP gateway
C. From the web server to the wireless endpoint device
D. Between the wireless device and the base station

What is an audit standard for service organizations?
A. SOC 1
B. SSAE 18
C. GAAP
D.

What is a company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells to its own customers?
A. Cloud programmer
B. Cloud broker
C. Cloud proxy
D.

Which of the following is comparable to grid computing in that it relies on sharing computing resources rather than having local servers or personal devices to handle applications?
A. Server hosting
B. Legacy computing
C. Cloud computing
D. Intranet

What is a set of technologies designed to analyze application source code and binaries for coding and design conditions that are indicative of security vulnerabilities?
Secure coding
D.

Answers
Cloud backup solutions enable enterprises to store their data and computer files on the Internet using a storage service rather than storing data locally on a hard disk or tape backup. This has the added benefit of providing access to data should the primary business location be damaged in some way that prevents accessing or restoring data locally due to damaged infrastructure or equipment. Local or offline backups and removable hard drives are other options, but they do not by default supply the customer with ubiquitous access.
Masking is a technique used to partially conceal sensitive data. In an IaaS model, the customer must still maintain licenses for the operating systems (OSs) and applications used in the cloud environment.
In PaaS models, the licensing for OSs is managed by the cloud provider, but the customer is still responsible for application licenses; in SaaS models, the customer does not need to manage a license library. Information rights management (IRM), often also referred to as digital rights management (DRM), focuses on access controls and encryption as a means of preventing unauthorized copying and limiting distribution of content to authorized personnel (usually the purchasers).
Masking entails hiding specific fields or data in particular user views in order to limit data exposure in the production environment. Bit splitting is a method of fragmenting data and storing the fragments in separate locations, often across geographical boundaries, so that no single location holds enough to reconstruct the data; degaussing is a method of permanently erasing data from magnetic media. The only correct answer for this is public, private, hybrid, and community. Joint, Internet, and external are not cloud deployment models. An encryption key is just that: a key used to encrypt and decrypt information.
It is a mathematical value that supports either hardware- or software-based encryption, is used to encrypt or decrypt information, and is kept confidential by the parties involved in the communication. PKI is an arrangement for creating and distributing digital certificates. Public-private is the description of the key pairs used in asymmetric encryption (this answer is too specific for the question; option B is preferable).
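To make the masking distinction concrete, here is an added Go example (not code from the study guide or its authors). It produces a masked support view of a constructed customer record, applies keyed pseudonymization as the contrasting technique, and runs the leak check a masking job should perform before exporting data to a lower environment. The record, field names and the pseudonymization key are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Customer is a constructed production record: PAN and Email are sensitive, City is not.
type Customer struct {
	ID    int
	Email string
	PAN   string // payment card number, digits only in this sample
	City  string
}

// MaskPAN is static masking: the length and last four digits survive (enough for support
// staff to confirm a card with the customer) and everything else becomes 'X'.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("X", len(pan))
	}
	return strings.Repeat("X", len(pan)-4) + pan[len(pan)-4:]
}

// MaskEmail keeps the first character of the local part and the whole domain, so the
// value still looks like an address in the masked view.
func MaskEmail(addr string) string {
	local, domain, ok := strings.Cut(addr, "@")
	if !ok || local == "" {
		return "***"
	}
	return local[:1] + strings.Repeat("*", len(local)-1) + "@" + domain
}

// Pseudonym is a different technique from masking: keyed, deterministic obfuscation.
// The value cannot be read back, but equal inputs map to equal outputs, so joins and
// duplicate detection still work across the obfuscated data set.
func Pseudonym(key []byte, value string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(value))
	return hex.EncodeToString(m.Sum(nil))[:16]
}

// MaskForSupportView returns the record a support analyst may see.
func MaskForSupportView(c Customer) Customer {
	return Customer{ID: c.ID, Email: MaskEmail(c.Email), PAN: MaskPAN(c.PAN), City: c.City}
}

// LeaksOriginal is the export-time check: no masked field may still contain the live value.
func LeaksOriginal(orig, masked Customer) bool {
	return strings.Contains(masked.PAN, orig.PAN) || strings.Contains(masked.Email, orig.Email)
}

func main() {
	key := []byte("constructed-pseudonymisation-key") // in practice held in a KMS, never in the test environment
	c := Customer{ID: 7, Email: "alice.smith@example.com", PAN: "4111111111111111", City: "Lisbon"}
	v := MaskForSupportView(c)
	fmt.Printf("masked view: %+v (leaks original: %v)\n", v, LeaksOriginal(c, v))
	fmt.Println("pseudonym:", Pseudonym(key, c.Email), "consistent:", Pseudonym(key, c.Email) == Pseudonym(key, "alice.smith@example.com"))
}
```

The masked view is what you hand to a support or test environment; the pseudonym is what you use when analysts still need to correlate records, which is why its key must never travel with the data.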
The letters in the acronym STRIDE represent spoofing of identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privilege.
The other options are simply mixed-up or incorrect versions of the same. Nonrepudiation means that a party to a transaction cannot deny having taken part in that transaction. Crypto-shredding means destroying the key that was used to encrypt the data; provided that no other copy of the key exists, the ciphertext is then unrecoverable, so the data is effectively destroyed without touching the storage media. The identity provider maintains the identities and generates tokens for known users.
The relying party (RP) is the service provider, which consumes tokens. All other answers are incorrect. While randomization and obfuscation are also means of concealing information, they are done quite differently from masking. PaaS uses databases and big data storage types.
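The identity provider and relying party roles described above, as an added Go example that is not part of the study guide: the IdP authenticates the user and issues a signed, audience-scoped token, and the RP validates signature, issuer, audience and expiry before trusting the subject, without ever seeing the user's password. The shared HMAC key, user store, hostnames and the compact "claims.tag" token layout are all constructed assumptions for the example; production federation uses SAML or OpenID Connect, usually with asymmetric signatures so relying parties need only the IdP's public key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the assertion the identity provider (IdP) makes about an authenticated user.
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"` // the one relying party this token is meant for
	Expires  int64  `json:"exp"` // Unix seconds
}

// sign produces a base64url HMAC-SHA256 tag over the encoded claims.
func sign(key []byte, payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// IdentityProvider maintains identities and generates tokens for known users.
type IdentityProvider struct {
	Name  string
	users map[string]string // username -> password; constructed sample, a real store holds salted hashes
	key   []byte            // signing key shared out of band with relying parties
}

// Issue authenticates the user and returns "<claims>.<tag>" scoped to a single audience.
func (idp *IdentityProvider) Issue(user, password, audience string, now time.Time) (string, error) {
	if pw, ok := idp.users[user]; !ok || pw != password {
		return "", errors.New("authentication failed")
	}
	body, err := json.Marshal(Claims{Issuer: idp.Name, Subject: user, Audience: audience, Expires: now.Add(5 * time.Minute).Unix()})
	if err != nil {
		return "", err
	}
	payload := base64.RawURLEncoding.EncodeToString(body)
	return payload + "." + sign(idp.key, payload), nil
}

// RelyingParty is the service provider: it consumes tokens and never sees the user's password.
type RelyingParty struct {
	Name          string
	TrustedIssuer string
	key           []byte
}

// Accept returns the authenticated subject if signature, issuer, audience and expiry all check out.
func (rp *RelyingParty) Accept(token string, now time.Time) (string, error) {
	payload, tag, ok := strings.Cut(token, ".")
	if !ok {
		return "", errors.New("malformed token")
	}
	// Verify the tag first, in constant time, before trusting anything inside the payload.
	if !hmac.Equal([]byte(tag), []byte(sign(rp.key, payload))) {
		return "", errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil {
		return "", err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	switch {
	case c.Issuer != rp.TrustedIssuer:
		return "", errors.New("untrusted issuer")
	case c.Audience != rp.Name:
		return "", errors.New("token was issued for a different relying party")
	case now.Unix() >= c.Expires:
		return "", errors.New("token expired")
	}
	return c.Subject, nil
}

func main() {
	key := []byte("constructed-shared-secret")
	idp := &IdentityProvider{Name: "idp.example", users: map[string]string{"alice": "correct horse"}, key: key}
	payroll := &RelyingParty{Name: "payroll.example", TrustedIssuer: "idp.example", key: key}
	wiki := &RelyingParty{Name: "wiki.example", TrustedIssuer: "idp.example", key: key}
	now := time.Now()
	tok, _ := idp.Issue("alice", "correct horse", "payroll.example", now)
	fmt.Println(payroll.Accept(tok, now))                // alice <nil>
	fmt.Println(wiki.Accept(tok, now))                   // "" token was issued for a different relying party
	fmt.Println(payroll.Accept(tok, now.Add(time.Hour))) // "" token expired
}
```

The audience check is the one most often skipped in home-grown federation: without it, a token minted for the wiki is replayable against payroll, because both trust the same issuer.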
Application virtualization abstracts application software from the underlying operating system on which it is executed. SaaS is a cloud service model. A partition is a logical division of storage, usually of a drive. Distributed is a modifier usually suggesting multiple machines used for a common purpose. A hardware security module (HSM) is a tamper-resistant device that can safely generate, store, and manage encryption keys, performing cryptographic operations internally so that the keys never leave it. HSMs can be used with servers, workstations, and so on. There is no such term as a trusted operating system module, and public and private keys are used with asymmetric encryption.
This is the very definition of public cloud computing. In transparent (database) encryption, the data encryption key for a database is stored, protected by a master key, in the boot record of the database itself, so the database engine encrypts and decrypts pages without changes to the application. A qualitative assessment is a set of methods or rules for assessing risk based on nonmathematical categories or levels.
One that uses numeric values rather than categories is called a quantitative assessment. There is no such thing as a hybrid assessment, and a SOC 2 is an audit report regarding control effectiveness. The CCM cross-references many industry standards, laws, and guidelines.
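Crypto-shredding, HSM-style key custody and the master-key/data-key hierarchy used by transparent encryption all rest on the same envelope-encryption pattern. The following added Go example (not code from the study guide) implements it with AES-256-GCM from the standard library: a KeyStore stands in for an HSM or KMS that holds key-encryption keys (KEKs), each record gets its own data-encryption key (DEK) wrapped under a KEK, and destroying the KEK renders every wrapped DEK, and therefore every record, unrecoverable without touching the stored ciphertext. The KeyStore type, tenant ID and sample record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what is stored with the data: the ciphertext plus the per-record DEK,
// itself encrypted ("wrapped") under a named KEK.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyStore stands in for an HSM or cloud KMS: KEKs live only here, are used internally to
// wrap and unwrap DEKs, and can be destroyed. Callers never receive KEK bytes.
type KeyStore struct {
	keks map[string][]byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source; nothing sensible to do but stop
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal and fails if nonce, ciphertext or tag were modified.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// CreateKEK generates a 256-bit key-encryption key under the given ID.
func (ks *KeyStore) CreateKEK(id string) { ks.keks[id] = randomBytes(32) }

// Encrypt uses a fresh DEK for the record, encrypts the record with it, then wraps the DEK under the KEK.
func (ks *KeyStore) Encrypt(kekID string, plaintext []byte) (Envelope, error) {
	kek, ok := ks.keks[kekID]
	if !ok {
		return Envelope{}, errors.New("unknown KEK")
	}
	dek := randomBytes(32)
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the named KEK, then decrypts the record.
func (ks *KeyStore) Decrypt(env Envelope) ([]byte, error) {
	kek, ok := ks.keks[env.KEKID]
	if !ok {
		return nil, errors.New("KEK unavailable: data has been crypto-shredded")
	}
	dek, err := gcmOpen(kek, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext)
}

// Destroy is crypto-shredding: zeroise and forget the KEK. Every record whose DEK was
// wrapped under it becomes unrecoverable, even though the stored ciphertext is never touched.
func (ks *KeyStore) Destroy(id string) {
	for i := range ks.keks[id] {
		ks.keks[id][i] = 0 // best-effort zeroisation of the in-memory copy
	}
	delete(ks.keks, id)
}
```

Usage follows the tenant lifecycle: create a KEK per tenant (or per retention class), `Encrypt` each record under it, and at end of life call `Destroy` once; the ciphertext can then be left in backups and replicas you cannot physically reach, which is exactly the situation the disposal question above describes. The practical caveat is that crypto-shredding is only as good as the KEK's custody: any exported copy of the KEK, or a backup of the key store, undoes it.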
Contracts between parties can establish the jurisdiction for resolving disputes; this takes primacy in determining jurisdiction. If the contract does not specify a jurisdiction, other means will be used.
Tort law refers to civil liability suits. Common law refers to law developed through judicial precedent rather than statute, and criminal law refers to violations of state or federal criminal code. Of the answers given, option D is the most important.
It is vital that any data center facility be close to resilient utilities, such as power, water, and connectivity. Encryption can always be used in a cloud environment, but physical destruction, overwriting, and degaussing may not be available due to access and physical separation factors (the customer typically cannot reach, or even identify, the provider's physical media). All of the other options represent specific network attacks. Nmap is a relatively harmless scanning utility designed for network mapping. Although it can be used to gather information about a network as part of the process of developing an attack, it is not by itself an attack tool.
Among other things, the BIA gathers asset valuation information that is crucial to risk management analysis and further selection of security controls. This is the definition of the software as a service (SaaS) model. Public and private are cloud deployment models, and infrastructure as a service (IaaS) does not provide applications of any type. The purpose of SSL (and its successor, TLS) is to encrypt the communication channel between two endpoints. In this example, they are the end user and the server.
The cloud computing broker purchases hosting services and then resells them. Cloud computing is built on the model of grid computing, whereby resources can be pooled and shared rather than having local devices do all the compute and storage functions.
Static application security testing (SAST) is used to review source code and binaries to detect problems before the code is loaded into memory and run. Suggested Reading In order to properly prepare for the exam, you should definitely review resources in addition to this book. Topics covered in this chapter include Building Block Technologies, Impact of Related Technologies, and Service Level Management. This chapter is the foundation for all the other chapters in this study guide.
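SAST reasons about code without running it. As an added Go example (not part of the study guide), the scanner below parses Go source with the standard library's go/parser, walks the syntax tree, and flags two injection patterns: SQL text assembled at runtime and passed to Query/QueryRow/Exec, and a shell started with -c and a runtime-built command. The rule set and the vulnerable-beside-fixed sample source are constructed for the example; a real SAST tool adds type information and data-flow tracking to cut false positives.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Finding is one suspected weakness: which rule fired and on which source line.
type Finding struct {
	Rule string
	Line int
}

// strLit returns the value of a string literal expression, or ok=false for anything else.
func strLit(e ast.Expr) (string, bool) {
	lit, ok := e.(*ast.BasicLit)
	if !ok || lit.Kind != token.STRING {
		return "", false
	}
	s, err := strconv.Unquote(lit.Value)
	return s, err == nil
}

// isDynamicString reports whether an expression assembles text at runtime (concatenation
// with + or a fmt.Sprintf call); that feeding a query or a shell is the injection pattern.
func isDynamicString(e ast.Expr) bool {
	switch x := e.(type) {
	case *ast.BinaryExpr:
		return x.Op == token.ADD
	case *ast.CallExpr:
		if sel, ok := x.Fun.(*ast.SelectorExpr); ok {
			if pkg, ok := sel.X.(*ast.Ident); ok {
				return pkg.Name == "fmt" && sel.Sel.Name == "Sprintf"
			}
		}
	}
	return false
}

// Scan parses Go source (never compiling or running it) and walks every call expression.
func Scan(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		line := fset.Position(call.Pos()).Line
		switch sel.Sel.Name {
		case "Query", "QueryRow", "Exec":
			if isDynamicString(call.Args[0]) {
				findings = append(findings, Finding{"SQL text built at runtime (injection risk); use placeholders", line})
			}
		case "Command":
			pkg, isPkg := sel.X.(*ast.Ident)
			prog, _ := strLit(call.Args[0])
			if isPkg && pkg.Name == "exec" && len(call.Args) >= 3 && (prog == "sh" || prog == "bash" || prog == "/bin/sh") {
				if flag, _ := strLit(call.Args[1]); flag == "-c" && isDynamicString(call.Args[2]) {
					findings = append(findings, Finding{"shell -c with runtime-built command (command injection risk); pass argv", line})
				}
			}
		}
		return true
	})
	return findings, nil
}

// sample is constructed code to scan, with each vulnerable call followed by its safe form.
const sample = `package main
import ("database/sql"; "fmt"; "os/exec")
func lookup(db *sql.DB, user, host string) {
	db.Query("SELECT * FROM users WHERE name = '" + user + "'")
	db.Query("SELECT * FROM users WHERE name = ?", user)
	db.Exec(fmt.Sprintf("DELETE FROM sessions WHERE user = '%s'", user))
	exec.Command("sh", "-c", "ping -c 1 "+host).Run()
	exec.Command("ping", "-c", "1", host).Run()
}
`

func main() {
	findings, err := Scan("sample.go", sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: %s\n", f.Line, f.Rule)
	}
}
```

Running it reports lines 4, 6 and 7 of the sample and stays silent on the parameterised query and the argv-style command on lines 5 and 8, which is the distinction a reviewer wants a static tool to make.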
You may find it useful to review this material before reading other chapters. The CCSP is not a certification of basic computer skills or training; it is a professional certification for practitioners with some background in the field. (ISC)² expects that those who want to earn this particular certification already have experience in the industry; have been employed in an InfoSec position in some professional capacity; and have a thorough understanding of many basic areas related to computers, security, business, risk, and networking.
Many people taking the test already have other certifications that validate their knowledge and experience, such as the CISSP. Therefore, this book does not contain many of the basics that, while testable, you are already expected to know. However, the CCSP Common Body of Knowledge (CBK) contains terminology and concepts that may be expressed in specific ways, including perspectives and usages that may be unique to the CCSP and different from what you are used to dealing with in your current operations.
This chapter is therefore intended as a guide, laying down the foundation for understanding the rest of the material and the CBK as a whole. You can expect to see mention of each of these characteristics throughout this book, the CBK, and the exam. Broad network access, for instance, is generally accomplished with the use of such technologies as advanced routing techniques, load balancers, and multisite hosting, among others.
On-demand self-service means the services happen in real time, at the customer's request, rather than through a lengthy provisioning cycle. Resource pooling is the characteristic that allows the cloud provider to meet various demands from customers while remaining financially viable.
The cloud provider can make capital investments that greatly exceed what any single customer could provide on their own and can apportion these resources as needed so that the resources are neither underutilized (which would mean a wasteful investment) nor overtaxed (which would mean a decrease in level of service).
This is often referred to as a multitenant environment: multiple customers share the same underlying hardware, software, and networking assets. Rapid elasticity allows the customer to grow or shrink the IT footprint (number of users, number of machines, size of storage, and so on) as necessary to meet operational needs without excess capacity. In the cloud, this can be done in moments, as opposed to the traditional environment, where acquisition and deployment of resources, or disposal of old resources, can take weeks or months.
Finally, measured or metered service simply means that the customer is charged for only what they use and nothing more. This is much like how a water or power company might charge you each month for the services used (with perhaps a minimum monthly charge for maintaining the connection). Rest assured, we will be going into more detail regarding all of these concepts in the chapters to come. Consider the holiday shopping season, for example: the sheer volume of customers and transactions greatly exceeds all normal operations throughout the rest of the year.
When this happens, retailers who offer online shopping can see great benefit from hosting their sales capability in the cloud. The cloud provider can apportion the resources necessary to meet this increased demand and will charge for this increased usage at a negotiated rate, but when shopping drops off after the holiday, the retailers will not continue to be charged at the higher rate.
Business Requirements The IT department is not a profit center; it provides a support function. This is even more true of the security department. Security activities tend to hinder business efficiency because, generally, the more secure something is, be it a device or a process, the less efficient it will be.
This is why the business needs of the organization drive security decisions, and not the other way around. Likewise, the astute security professional needs to understand as much as possible about the operation of the organization. Operational knowledge helps security personnel perform their tasks better no matter what level or role they happen to be assigned to. The intrusion detection analyst has to understand what the organization is doing, how business activities occur, and where geographically the business is operating in order to judge the nature and intensity of potential external attacks and to adjust baselines accordingly.
The security architect has to understand the various needs of the organizational departments to enhance their operation without compromising their security profile. Many organizations are currently considering moving their network operations to a cloud-based model. This is not a decision made lightly, and the transition must be supported by the business requirements. There are also different cloud service and deployment models, and an organization must decide which one will optimize success.
Existing State A true evaluation and understanding of the business processes, assets, and requirements is essential. Failing to properly capture the full extent of the business needs could result in not having an asset or capability in the new environment after migration to the cloud. At the start of this effort, however, the intent is not to determine what will best fulfill the business requirements but to determine what those requirements are. A full inventory of assets, processes, and requirements is necessary, and there are various methods for collecting this data.
Typically, several methods are used jointly to reduce the possibility of missing something. This is the point where a business impact analysis (BIA) takes place. The BIA is an assessment of the priorities given to each asset and process within the organization. A proper analysis should consider the effect (impact) that any harm to or loss of each asset might have on the organization overall. During the BIA, special care should be paid to identifying critical paths and single points of failure.
You also need to determine the costs of compliance, that is, the legislative and contractual requirements mandated for your organization. Assets can include hardware, software, intellectual property, personnel, processes, and so on. Examples of tangible assets are things like routers and servers, whereas intangible assets are generally something you cannot touch, such as software code, expressions of ideas, and business methodologies.
Quantifying Benefits and Opportunity Cost Once you have a clear picture of what your organization does in terms of lines of business and processes, you can get a better understanding of what benefits the organization might derive from cloud migration, as well as the costs associated with the move.
Obviously, the greatest driver pushing organizations toward cloud migration at the moment is perceived cost savings, and that is a significant and reasonable consideration.
The next few sections describe some aspects of that consideration. Reduction in Capital Expenditure If your organization buys a device for use in its internal environment, the capacity of that device will either be fully utilized or, more likely, not.
If the device is fully utilized, even a small uptick in demand will overload its capacity. If it is not fully utilized, the organization has paid for something from which it is getting less than full value: the unused capacity goes to waste. In effect, the organization has overpaid for the device unless it runs the device dangerously close to overload, because you cannot buy just part of a device.
In the cloud, by contrast, the organization pays only for what it uses (regardless of the number of devices, or fractions of devices, needed to handle the load) and no more. This is the metered service aspect described earlier. There is also an accounting difference: a purchased device is a capital expenditure, whereas a paid service such as cloud is an operational expenditure, and the entire payment (perhaps monthly or quarterly) is tax deductible as an expense.
As a result, the organization does not overpay for these assets. Moreover, cloud providers have excess capacity available to be apportioned to cloud customers, so your organization is always in a position to experience increased demand (even dramatic, rapid, and significant demand) and not be overwhelmed; this is the rapid elasticity aspect described earlier. One way an organization can use hosted cloud services is to augment internal, private data center capabilities with managed services during times of increased demand.
We refer to this as cloud bursting. See Figure 1.
[Figure 1: Cloud bursting. Axes: Resource Usage (vertical) against Time, Calendar Year (horizontal); labels: Peak Seasonal Activity, Cloud Bursting.]
Therefore, with deployment to a cloud environment, the organization realizes cost savings immediately (not paying for unused resources) and avoids a costly risk (the possibility of loss of service due to increased demand).
Reduction in Personnel Costs For most organizations (other than those that deliver IT services), managing data is not a core competency, much less a profitable line of business.
Data management is also a specialized skill, and people with IT experience and training are relatively expensive compared to employees in other departments. The personnel required to fulfill the needs of an internal IT environment represent a significant and disproportionately large investment for the organization. In moving to the cloud, the organization can divest itself of a large percentage, if not a majority, of these personnel (though staff are still needed to govern, configure, and secure what the organization runs in the cloud). Reduction in Operational Costs Maintaining and administering an internal environment takes a great deal of effort and expense.
When an organization moves to the cloud, this cost becomes part of the price of the service, as calculated by the cloud provider. Costs are therefore lumped in with the flat-rate cost of the contract and will not increase in response to enhanced operations (scheduled updates, emergency response activities, and so on). Transferring Some Regulatory Costs Some cloud providers may offer holistic, targeted regulatory compliance packages for their customers.
In this manner, the cloud customer can decrease some of the effort and expense they might otherwise incur in coming up with a control framework for adhering to the relevant regulations. We will go into more detail about service-level agreements, or service contracts, in later chapters. Legally and financially, in the eyes of the court, your organization is always responsible for any unplanned release of PII, regardless of what the provider has agreed to do on your behalf.
PII is a major component of regulatory compliance, whether the regulation comes in the form of statutes or contractual obligation. Protection of PII will be a large part of our security concern in the cloud. Having a cloud-based service for backup and recovery is sensible and cost-efficient even if the organization does not conduct its regular operations in the cloud.
Intended Impact All of these benefits can be enumerated according to dollar value: each potential cost-saving measure can be quantified. Senior management, with input from subject matter experts, needs to balance the potential financial benefits against the risks of operating in the cloud. ROI (return on investment) is a profitability ratio, generally calculated by dividing the net benefit of an investment (gains minus costs) by its cost.
A great many risks are associated with cloud migration as well. I will be addressing these in detail throughout this book. Cloud Evolution, Vernacular, and Models The arrival of the cloud and its related technology has provided a lot of advantages. To take advantage of them, it is necessary to understand new terminology and how it relates to the terminology of traditional models.
This new technology and its terminology are an integral part of understanding cloud computing service models and cloud computing deployment models. New Technology, New Options Fifteen, or even ten, years ago, suggesting that organizations hand off their data and operations to a third party that is geographically distant and run by people that most managers in the organization will never meet would have seemed absurd, especially from a security perspective.
The risk would have been seen as insurmountable, and ceding that level of control to an outside vendor would have been daunting. Today, a combination of technological capabilities and contractual trust makes cloud computing not only appealing but almost a foregone conclusion in terms of financial viability.
The cloud provider uses virtualization to flexibly allocate only the needed share of each resource to the organization, thus holding down costs while maintaining profitability. This also allows users to access their data from diverse platforms and locations, increasing portability, accessibility, and availability.
Simplicity: Proper cloud implementations allow a user to use the service seamlessly without frequently interacting with the cloud service provider. Scalability: In general, increasing or reducing services can be accomplished more easily, quickly, and cost-effectively than in a non-cloud environment. A cloud user could be an employee of a company that is a cloud customer or just a private individual. Company A is a cloud customer. Cloud Computing Service Models Cloud services are often offered in terms of three general models, based on what the vendor offers, what the customer needs, and the responsibilities of each according to the service contract.
(ISC)² expects you to understand these three models for testing purposes. These models are infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS), as shown in Figure 1. In IaaS, the cloud provider has a data center with racks, machines, cables, and utilities and administers all these things. However, all logical resources, such as software, are the responsibility of the customer. It is usually the least expensive cloud option in terms of what the customer pays the provider.
However, the customer will retain certain capabilities and requirements, such as IT staffing, that may make it difficult to ascertain the true total overall cost. In PaaS, the cloud vendor usually offers a selection of OSs so that the customer can use any or all of the available choices.
The vendor will be responsible for patching, administering, and updating the OS as necessary, and the customer can install any software they deem useful. This model is especially useful for customers involved in software development, as the customer can test their software in an isolated environment without risk of damaging production capabilities and determine the viability of the software across a range of OS platforms.
In SaaS, the cloud vendor becomes responsible for administering, patching, and updating the application software as well. The cloud customer is basically only involved in uploading and processing data on a full production environment hosted by the provider.
There are many examples of SaaS configurations, ranging across a spectrum of functionality. The provider takes care of all the infrastructure, compute, and storage needs as well as providing the underlying operating systems and the application itself. Public The public cloud is what we typically think of when discussing cloud providers. The resources (hardware, software, facilities, and staff) are owned and operated by a vendor and sold, leased, or rented to anyone (offered to the public, hence the name).
Public clouds are multitenant environments; multiple customers will share the underlying resources that are owned and operated by the provider. Private A private cloud is typified by resources dedicated to a single customer; no other customers will share the underlying resources (hardware and perhaps software).
Therefore, private clouds are not multitenant environments. Private clouds can take various forms. A private cloud might be owned and maintained by the entity that is the sole customer, either in its own facilities or with its own equipment housed in a third party's data center (a co-located, or co-lo, environment). Another private cloud option is for the customer to contract with a cloud provider such that the provider offers exclusive use of specific resources for that customer inside what would otherwise be a public cloud.
Basically, the provider carves out a physical and logical section of the overall data center so that the customer will not share any of the resources in that section with any other customers. Obviously, the customer must pay a premium for this type of service (more than what public cloud customers, in a multitenant environment, would pay).
Community A community cloud features infrastructure and processing owned and operated by or for an affinity group; disparate pieces might be owned or controlled by individuals or distinct organizations, but they come together in some fashion to perform joint tasks and functions.
For instance, the PlayStation network involves many different entities coming together to engage in online gaming: Sony hosts the identity and access management (IAM) tasks for the network, a particular game company might host a set of servers that run information rights management (IRM) functions and processing for a specific game, and individual users conduct some of their own processing and storage locally on their own PlayStations.
In this type of community cloud, ownership of the underlying technologies (hardware, software, and so on) is spread throughout the various members of the community. A community cloud can also be provisioned by a third party on behalf of the various members of the community. For example, a provider might offer a cloud reserved for US federal agencies.
Any number of federal agencies might subscribe to this cloud service (say, the Department of Agriculture, Health and Human Services, the Department of the Interior, and so on), and they will all use underlying infrastructure that is dedicated strictly for their use.
Any customer that is not a US federal agency will not be allowed to use this service, as non-governmental entities are not part of this particular community. Hybrid A hybrid cloud, of course, contains elements of the other models. Third parties may also provide a variety of services to cloud customers and providers, including single sign-on, certificate management, and cryptographic key escrow. These third parties can be government agencies, certification bodies, or parties to a contract.
Cloud Computing Definitions Because cloud definitions are at the heart of understanding the following chapters and applying security fundamentals for the Certified Cloud Security Professional (CCSP), I have included some of those definitions here.
As a form of cloud storage, cloud backup data is stored in an accessible form on multiple distributed resources that make up a cloud.
This is a business decision, not a security decision, and it is best made by managers or business analysts. In security matters, the CCSP should apprise management of the particular risks and benefits of each alternative. The successful CCSP candidate will be familiar with each of these terms. I will go into more detail regarding these terms over the course of the book. These concepts will be included in various discussions throughout the book.
Sensitive Data Each organization will have its own risk appetite and desire for confidentiality. No matter how each cloud customer makes their own determination for these aspects of their data, the cloud provider must offer some way for the customer to categorize data according to its sensitivity and sufficient controls to ensure these categories are protected accordingly.
Virtualization Virtualization is one of the technologies that has made cloud services a financially viable business model. Cloud providers can purchase and deploy a sufficient number of host devices for a given number of customers and users without wasting capacity or letting resources go idle. In a virtualized environment, a cloud user can access a virtual computer. To the user, there is no appreciable difference between the virtual machine (VM) and a traditional computer. Indeed, there may be several, or even dozens, of VMs operating concurrently on a single host in the cloud.
In this way, the cloud provider can offer services to any number of customers and users and is not required to purchase a new hardware device for each new user.
This economy of scale allows the cloud provider to offer the same basic IT services that users expect from traditional networks at much lower cost and at an enhanced level of service.
There are many virtualization product vendors, including VMware and Microsoft. There are also a variety of implementation strategies and two fundamental virtualization types: Type 1, in which the hypervisor runs directly on the hardware (bare metal), and Type 2, in which the hypervisor runs as an application on a host operating system. Encryption As an IT security professional, you should already be familiar with the basic concepts and tools of encryption.
However, in terms of cloud services, encryption plays an enhanced role and presents some additional challenges. You can encrypt your data before it reaches the cloud and only decrypt it as necessary, so that the provider holds only ciphertext. Another concern related to cloud operation is that it necessitates remote access. As with any remote access, there will always be a risk (however great or slight) of interception of data, eavesdropping, and man-in-the-middle attacks.
Encryption also helps to mitigate this threat to some degree; if data in motion is encrypted, it is that much more difficult to read even if it is intercepted. Note that encryption alone does not defeat a man-in-the-middle attack: the endpoint must also authenticate the party it is talking to (for example, by validating the server's certificate), or the attacker can simply terminate the encrypted channel itself.
Auditing and Compliance
Cloud services pose specific challenges and opportunities for regulatory compliance and auditing. From a compliance perspective, service providers may be able to offer holistic solutions for organizations under particular regulatory schema. This could be extremely appealing to potential customers, as the difficulty and effort expended in trying to stay compliant can now be shifted out of the customer organization and over to the provider.
Conversely, auditing becomes more difficult. However, these are essential elements of an audit. Audits will require the cooperation of the cloud provider, and providers have thus far disallowed the requisite level of access for the purpose. Instead, cloud providers often offer an assertion of their own audit success: Service Organization Control [SOC] Type 3 reports, which are discussed in Chapter 6 and Chapter

Cloud Service Provider Contracts
The business arrangement between the cloud provider and the cloud customer will usually take the form of a contract, which will include a service-level agreement (SLA).
The contract will spell out all the terms of the agreement: what each party is responsible for, what form the services will take, how issues will be resolved, and so on. The SLA will set specific, quantified goals for these services and their provision over a certain timeframe. The book will continually refer to the contract and the SLA based on the relationship explained here.

Related and Emerging Technologies
It is worth mentioning some emerging and related technologies.
A wide variety of IT and cloud products and services claim to have machine learning or AI capabilities.

Blockchain: Blockchain is an open means of conveying value using encryption techniques and algorithms.

Internet of Things (IoT): It sometimes seems like every possible product now contains Internet connectivity: household appliances, cameras, toys, vehicles, and so on. This is collectively referred to as the Internet of Things (IoT). The distributed nature of these devices and their connection to and placement in networks lends them some cloud characteristics. Perhaps the most salient security aspect of IoT is that devices without proper security can be subverted and used in attacks.

Containers: This term refers to the logical segmentation of memory space in a device, creating two or more abstract areas that cannot interface directly. This is commonly seen in bring your own device (BYOD) environments where employees use their personal devices for work.

Quantum computing: Instead of using the presence of electrons for calculations (where the electrons exist in one of two states: either present or not present), quantum computing may use subatomic characteristics (electron spin, charm, and so on) to offer computation on an exponentially larger scale. Such systems are beginning to emerge beyond the theoretical stage, although none are yet commercially available at the time of this writing.

Homomorphic encryption: Homomorphic encryption is a theoretical phenomenon that would allow processing of encrypted material without needing to first decrypt it. If achieved, this could allow cloud customers to upload encrypted data to the cloud and still utilize the data, without ever sharing the encryption keys with the cloud provider, or having to otherwise accommodate decryption as part of the process.
This would make the use of cloud environments much more appealing to customers with highly valuable or sensitive data.

Summary
In this chapter, we have examined business requirements, cloud definitions, cloud computing roles and responsibilities, and foundational concepts of cloud computing.
This chapter has provided an introductory foundation for these topics. We will explore each of them in more detail as we move ahead.

Exam Essentials
Understand business requirements.
Always bear in mind that all management decisions are driven by business needs, including security and risk decisions. Security and risk should be considered before these decisions are made and may not take precedence over the business and operational requirements of the organization.
Understand cloud terms and definitions. Make sure you have a clear understanding of the definitions introduced in this chapter. A great deal of the CCSP exam focuses on terms and definitions.
Be able to describe the cloud service models. It is vitally important that you understand the differences between the three cloud service models—IaaS, PaaS, and SaaS—and the different features associated with each.
Understand cloud deployment models. It is also important for you to understand the features of each of the four cloud deployment models—public, private, community, and hybrid—as well as their differences. Make sure you know and understand the different roles and the responsibilities of each. We will explore roles in more detail in the chapters that follow.
Written Labs
You can find the answers to the written labs in Appendix A.
When you are done, spend some time exploring the site. Review the document on your own.
Write down three things you can think of that might be legitimate business drivers for an organization considering cloud migration.
List the three cloud computing service models and the advantages and disadvantages of each.

1. Which of the following is not a common cloud service model?
A. Software as a service (SaaS)
B. Programming as a service (PaaS)
C. Infrastructure as a service (IaaS)
D. Platform as a service (PaaS)

2. All of these technologies have made cloud service viable except:
A. Virtualization
B. Widely available broadband
C. Encrypted connectivity
D. Smart hubs

3. Cloud vendors are held to contractual obligations with specified metrics by:
A. Service-level agreements (SLAs)
B. Regulations
C. Law
D. Discipline

4.
A. Customer service responses
B. Surveys
C. Business requirements
D. Public opinion

5. If a cloud customer cannot get access to the cloud provider, this affects what portion of the CIA triad?
A. Integrity
B. Authentication
C. Confidentiality
D. Availability

6. Cloud access security brokers (CASBs) might offer all the following services except:
A. Single sign-on
B. Identity and access management (IAM)

7. Encryption can be used in various aspects of cloud computing, including all of these except:
A. Storage
B. Remote access
C. Secure sessions
D. Magnetic swipe cards

8. All of these are reasons an organization may want to consider cloud migration except:
A. Reduced personnel costs
B. Elimination of risks
C. Reduced operational expenses
D. Increased efficiency

9. The generally accepted definition of cloud computing includes all of the following characteristics except:
A. On-demand self-service
B. Negating the need for backups
C. Resource pooling
D. Measured or metered service

A gamer is part of the PlayStation Network community cloud.
A. Sony
B. The community as a whole
C. The company that made the game that the gamer is playing at the time
D. The gamer

The risk that a cloud provider might go out of business and the cloud customer might not be able to recover data is known as:
A. Vendor closure
B. Vendor lock-out
C. Vendor lock-in
D. Vending route

All of these are features of cloud computing except:
A. Broad network access
B. Reversed charging configuration
C. Rapid scaling
D. On-demand self-service

When a cloud customer uploads personally identifiable information (PII) to a cloud provider, who is ultimately responsible for the security of that PII?
A. Cloud provider
B. Regulators
C. Cloud customer
D. The individuals who are the subjects of the PII

We use which of the following to determine the critical paths, processes, and assets of an organization?
A. Business requirements
B. Business impact analysis (BIA)
C. Confidentiality, integrity, availability (CIA) triad

If an organization owns all of the hardware and infrastructure of a cloud data center that is used only by members of that organization, which cloud model would this be?
A. Private
B. Public
C. Hybrid
D. Motive

The cloud deployment model that features ownership by a cloud provider, with services offered to anyone who wants to subscribe, is known as:
Latent

The cloud deployment model that features joint ownership of assets among an affinity group is known as:
Community

If a cloud customer wants a secure, isolated environment in order to conduct software development and testing, which cloud service model would probably be best?
A. IaaS
B. PaaS
C. SaaS

If a cloud customer wants a fully operational environment with very little maintenance or administration necessary, which cloud service model would probably be best?
Hybrid

Risk Assessment and Analysis 3.
This is neither new nor unique to the cloud. In this chapter, we will discuss many of the inputs for those security decisions and the business activities we undertake to determine the requirements.
Business Requirements Analysis
Security does not happen in stasis; we need information in order to conduct security activities in a proper and efficient manner. There are certain things we need to know in order to decide how we will handle risks within our organization.
Everything owned or controlled by the organization can be considered an asset, and assets take many different forms. Assets can be tangible items, such as IT hardware, retail inventory, buildings, and vehicles. Assets can also be intangible, such as intellectual property, public perception, and goodwill with business partners and vendors. Personnel can also be considered assets, because of the skills, training, and productivity they provide to the organization.
In order to protect all our assets, we have to know what they are and, to a lesser extent, where they are and what they do. If we lose track of something under our control, it becomes impossible to secure that thing.
Therefore, the first step in creating a good security program would be to perform a thorough, comprehensive inventory. There are many methods and tools for doing so, such as surveys, interviews, audits, and so forth. In performing an IT inventory, we can also incorporate automation into the process, enhancing our capabilities and efficiency.
Valuation of Assets
While we are ascertaining the number, location, and type of assets, we also want to determine the value of each. We need to be able to know which of the assets provide the intrinsic value of our organization and which support this value.
We need to know the value of the assets we protect so we know how much time, money, and effort to expend to protect them. This is a process known as business impact analysis (BIA). There are various ways to assign cost: we can use the insured value, the replacement cost, or some other method of making that valuation.
Usually, we allow the data owners—that is, the individual line-of-business managers responsible for their respective data—to determine the value of the information under their control. Usually, the data owner for a given data set is the business manager in charge of that data. This is generally the head of the department that collected or created that data.
There are some risks associated with letting the data owners assign value to their assets. The most significant of these is the tendency of data owners to overvalue assets that belong to them.
Ask anyone in the organization which department is the most important, and they will say that it is theirs. Criticality denotes those aspects of the organization without which the organization could not operate or exist.
These could include tangible assets, intangible assets, specific business processes, data pathways, or even essential personnel.
Intangible Assets: The organization is a music production firm; music is the intellectual property of the company—if the ownership of the music is compromised (for instance, the copyright is challenged and the company loses ownership, or the encryption protecting the music files is removed and the music can be copied without protection), the company has nothing of value and will not survive.
Processes: The organization is a fast-food restaurant noted for its speed; the process of taking orders, preparing and delivering food, and taking payment is critical to its operations—if the restaurant cannot complete the process for some reason (for instance, the registers fail so that the restaurant cannot accept payment), the restaurant cannot function.
Data Paths: The organization is an international shipping line; matching orders to cargo carriers is critical to its operations. If the company cannot complete its logistical coordination—assigning cargo requests to carriers with sufficient capacity—it cannot provide its services and will not survive.
Personnel: The organization is a surgical provider; the surgeon is critical to the existence of the company—if the surgeon cannot operate, there is no company. Senior management has the proper perspective for making determinations of criticality. The security professional, however, should have a good understanding of the overall mission and function of the organization, in order to better serve and advise the organization in securing critical elements.
Single points of failure (SPOFs), especially in critical paths, pose a significant risk to the organization and ought to be addressed as soon as they are identified. Like critical aspects, SPOFs can be caused by hardware, software, processes, or personnel. The customer can therefore focus on attenuating any SPOFs on their own side of the operation: accessing and using the data in the cloud.

Quantitative and Qualitative Risk Assessments
Two similar yet different approaches for assessing risk are qualitative risk assessments and quantitative risk assessments.
Both methods typically employ a set of methods, principles, or rules for assessing risk. Qualitative risk assessments use nonnumerical categories that are relative in nature, such as high, medium, and low. Quantitative assessments use specific numerical values such as 1, 2, and 3.

Risk Appetite
Again, this is not a new concept, and the use of cloud services does not significantly change anything about it.
Risk appetite is the level, amount, or type of risk that the organization finds acceptable. This varies wildly from organization to organization, based on innumerable factors both internal and external, and can change over time. It is legal and defensible to accept risks higher than the norm, or greater than your competitors, except risks to health and human safety; these risks must be addressed to the industry standard or the regulatory scheme to which your organization adheres.
There are a few exceptions to this rule; the military is one example, where loss of life and limb are an expected outcome from operations and an acceptable risk. However, individuals can accept such risks on their own behalf. For instance, commercial fishing has consistently been among the professions with the highest fatality rates in the United States for the past years (in terms of number of hours worked per death), yet there is no shortage of people willing to engage in that industry.
For the individual workers, the level of risk is both known and acceptable. From an organizational perspective, however, the relatively high possibility of fatal accidents does not obviate the need for ensuring adherence to industry best practices (perhaps life vests, tether lines, and so forth) and does not remove all liability.
This type of risk is often associated with things that have a low probability of occurring but a high impact should they occur. Risk is involved in every activity. We can manage risk, attenuate it, even minimize it, but there is always an element of risk in operations. When we choose to mitigate risk by applying countermeasures and controls, the remaining, leftover risk is called residual risk. The risk appetite of an organization is set by senior management and is the guide for all risk-management activities in the organization.
The security practitioner must have a thorough understanding of the risk appetite of the organization in order to perform their functions properly and efficiently.

Security Considerations for Different Cloud Categories
We could armor our defenses at the interface between the internal environment and external factors, building up a demilitarized zone (DMZ).
This is not readily the case with cloud computing. In the cloud motif, our data resides inside an IT environment owned by someone else, riding on a hardware infrastructure that does not belong to us and is largely outside our control.
Our users operate programs and machines that we have limited access to and knowledge of. It is therefore difficult to know exactly where the boundaries exist in cloud models, where our risks are, and how far they extend. This is true even if the cloud provider demonstrates negligence or malice.
The cloud customer can seek restitution if the cloud provider fails in some way, causing damage to the customer. For instance, if the cloud provider hires an administrator who then illegally sells access to data belonging to the cloud customer, the customer can sue the provider for damages. However, the cloud customer is still legally responsible for all mandates applicable to the loss, such as complying with data breach notification laws in that jurisdiction.
This requirement does not cease just because the cloud customer has outsourced operations to the cloud provider. So what do these boundaries look like in the different cloud models? The customer, however, is in charge of everything from the operating system and up; all software will be installed and administered by the customer, and the customer will supply and manage all the data.
In terms of security, the cloud customer is still losing the degree of authority they would have had in a traditional IT environment. For instance, the customer obviously does not get to select the specific IT assets used in the cloud, so the security of the acquisition process (during which we normally vet vendors and suppliers) must be entrusted to the cloud provider. This makes auditing difficult, which also affects security policy and regulatory compliance.
An organization migrating to the cloud will necessarily have to drastically adapt its security policy to reflect the new constraints and will have to find some way to provide the requisite deliverables to appease regulators. This must be negotiated at the outset of migration, and early communication with regulators is highly advisable.
For instance, if regulators insist on scheduled audits of the environment where data processing takes place, what form will those audits take if the organization cannot now directly audit network traffic and event logs?
In IaaS, though, the cloud customer may still collect and review event logs from the software, including the OS, which still lends a great deal of insight into the usage and security of the data.
PaaS Considerations
With platform as a service (PaaS), the cloud customer loses still more control of the environment, because the cloud provider is now responsible for installing, maintaining, and administering the OSs as well as the underlying hardware.
The cloud customer still, however, gets to monitor and review software events, since the programs running on the OS will belong to the customer.

SaaS Considerations
With software as a service (SaaS), of course, most of the control of the environment is ceded to the provider. For all relevant intents and purposes, the cloud customer, as an organization, has taken the role and responsibilities of what a common user would have in a legacy environment: few administrative rights, few privileged accounts, and very few permissions and responsibilities.
The customer remains liable for all statutory and contractual obligations related to the safeguarding of the data but, in this case, has little control over how that data is protected. The cloud provider is now almost exclusively responsible for all system maintenance, all security countermeasures, and the vast majority of policy and implementation of that policy affecting the data.
General Considerations
In all three models, the customer is giving up an essential form of control: physical access to the devices on which the data resides. This is a massive and serious increase of risk and loss of assurance; anyone who can physically access the location of the data can eventually take it, with or without permission.
Can we implement means to reduce the likelihood of breaches as a result of this risk? Of course—and we need to do so, in order to demonstrate due care. Such measures might include ensuring the cloud provider performs strict background checks and continual monitoring of all personnel with access to the data center, extreme physical security measures at the data center location, encryption of data processed and stored in the cloud, assignment of contractual liability to the provider (bearing in mind that legal liability remains with the customer, however), and so forth.
It is important to remember, though, that the residual risk of losing physical access always remains, even when controls are utilized or other risk reduction methods are used. The following section will discuss these further. It is worth noting that there are no defined mandates or uniform solutions ubiquitous throughout the industry; each provider will be different, and each contract will be different, so each set of rights and responsibilities will vary according to what the customer and provider negotiate.
Design Principles for Protecting Sensitive Data
The following sections review some basic secure architectural methods. Bear in mind that this is not an exhaustive list, and these techniques alone will not suffice to protect an organization and its data, but they can serve as a guideline for IT infrastructure controls.
For the cloud environment, it is probably best to adhere to this same practice, both from the cloud provider side of the equation and as cloud users.
It is probably best to treat all resources in a cloud environment as if they are in the DMZ and harden them accordingly. In treating all cloud-related devices as if they are in the DMZ, we are forming good habits and a conceptual way of viewing the cloud.
These concepts should not be in any way new to security practitioners, but they continue to have a significant value in the cloud motif. The cloud customer has a similar and related, but different, list of tasks. Customers must bear in mind the risks related to the way they access the cloud, which often takes the form of a bring your own device (BYOD) environment and always involves remote access. BYOD existed before the current ubiquity of cloud computing, and many of those known security practices can be employed to good effect in our current models.
In terms of configuration, they also have to be hardened in all the same ways we secure physical machines. This is as true in the cloud as it was in the traditional IT environment. We will cover cloud data security, and the associated encryption mechanisms, in Chapter 4. Although this capability is not currently available, ongoing research shows promise. These should include a blend of administrative, logical, technical, and physical controls.
We also covered the nominal boundaries of the various cloud service models and the rights and responsibilities related to each, from both the customer and provider perspectives.
In addition, we touched on basic cloud architectural and design concepts for protecting sensitive data. In upcoming chapters, we will explore the latter topic in more detail.