CCSK Flashcards
(186 cards)
1
Q
Core of Big Data, the 3 V’s
A
Volume
Velocity
Variety
2
Q
5 Essentials of Cloud Computing per NIST
A
Broad Network Access, Rapid elasticity, Measured Service, On Demand Self Service, Resource Pooling
3
Q
3 A’s of Vulnerability
A
Authentication
Authorization
Accounting
4
Q
Service Models
A
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
5
Q
Deployment Models
A
Public
Private
Hybrid
Community
6
Q
IaaS
A
provider is responsible for foundational security, while the cloud user is responsible for everything they build on the infrastructure. Unlike PaaS, this places far more responsibility on the client
7
Q
PaaS
A
Cloud provider is responsible for the security of the platform, while the consumer is responsible for everything they implement on the platform, including how they configure any offered security features
8
Q
SaaS
A
cloud provider is responsible for nearly all security
9
Q
Logical Model
A
Infrastructure
Metastructure
Infostructure
Applistructure
10
Q
Cloud Security Process Model
A
Identify Requirements Select Provider Define Architecture Assess Security Controls Identify Gaps Design and Implement Controls Manage Changes
11
Q
Cloud Security Models
A
Conceptual Model/Framework
Control Model/Framework
Reference Architecture
Design Patterns
12
Q
Design patterns
A
are reusable solutions to problems
13
Q
Reference architectures
A
templates for implementing cloud security, typically generalized They can be very abstract, bordering on conceptual, or quite detailed
14
Q
Controls models or frameworks
A
specific cloud security controls or
categories of controls, such as the CSA CCM
15
Q
Conceptual models or frameworks
A
visualizations and descriptions used to explain cloud security concepts and principles
16
Q
Infrastructure
A
Core components of a computing system: compute, network, and storage foundation that everything else is built on
17
Q
Metastructure
A
protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The Glue that holds it all together. Main difference between cloud and traditional computing
18
Q
Infostructure
A
data and information. Content in a database, file storage, etc.
19
Q
Applistructure
A
applications deployed in the cloud and the underlying application services used to build them
20
Q
Three main aspects of BC/DR
A
- Ensuring continuity and recovery. tools and techniques to best architect cloud deployment, keep things running.
- Preparing for and managing provider outages.
- Considering options for portability in case you need to migrate providers or platforms
21
Q
BC/DR
A
is a shared responsibility takes a risk-based approach must account for the entire logical stack
22
Q
Enterprise risk management (ERM)
A
includes managing overall risk for the organization, aligned to the organization’s governance and risk tolerance. Enterprise risk management includes all areas of risk, not merely those concerned with technology
Based on Shared Responsibility Model
23
Q
Governance
A
(Cannot be Outsourced)
includes the policy, process, and internal controls that comprise how an organization is run. Everything from the structures and policies to the leadership and other mechanisms for management
24
Q
Information risk management
A
covers managing the risk to information, including information technology
25
Information security
is the tools and practices to manage risk to information
26
Contracts:
primary tool of governance is the contract between a cloud provider and a cloud customer (this is true for public and private cloud). The contract is your only guarantee of any level of service or commitment—assuming there is no breach of contract
27
Supplier Assessments:
assessments are performed by the potential cloud customer using available information and allowed processes techniques. They combine contractual and manual research with third-party attestations and technical research
28
Attestation
legal statements often used to communicate the results of an assessment or audit
29
Compliance reporting
The documentation on a provider’s internal (i.e. self) and external compliance assessments Can be performed by provider, customer or 3rd party (preferred)
30
Cloud Security Alliance STAR Registry
an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire
31
Risk tolerance
amount of risk that the leadership and stakeholders of an organization are willing to accept. It varies based on asset and you shouldn’t make a blanket risk decision about a particular provider; rather, assessments should align with the value and requirements of the assets involved
32
Cloud Risk Management Tools
* Request or acquire documentation.
* Review their security program and documentation.
* Review any legal, regulatory, contractual, and jurisdictional requirements for both the provider and yourself.
* Evaluate the contracted service in the context of your information assets.
* Separately evaluate the overall provider, such as finances/stability, reputation, and outsourcers.
33
Residual risk
after all your assessments and the controls that you implement yourself there is still residual risk your only options are to transfer it,
accept the risk, or avoid it
34
Data Protection
Laws and regulations vary greatly depending on location of provider, user, servers, data subject, treaties
35
Cross-border Data Transfers
countries prohibit or restrict the transfer of information out of their borders. In most cases, the transfer is permitted only if the country to which the data is transferred offers an “adequate level of protection”
36
General Data Protection Regulation (GDPR)
directly binding on any corporation that processes the data of EU citizens, and will be adjudicated by the data supervisory authorities or the courts of the member states that have the closest relationship with the individuals or the entities on both sides of the dispute
37
Applicability
processing of personal data in the context of the activities of an establishment of a controller or processor
38
Processing of personal data is allowed if?
(a) the data subject has freely given specific, informed, and unambiguous indication of his/her consent to the processing of his/her personal data or
(b) the processing is authorized by a statutory provision
39
Accountability Obligations
requirements placed companies to keep records of their data processing activities
40
Data Subjects’ Rights
subjects have rights to information regarding the processing of their data: the right to object to certain uses of their personal data; to have their data corrected or erased; to be compensated for damages suffered because of unlawful processing; the right to be forgotten; and the right to data portability
41
Network Information Security Directive
framework to enable networks and information systems to resist, at a given level of confidence
42
Scope of Preservation
Data that a requesting part is entitled to. It is hosted in the cloud and contains, or is reasonably calculated to lead to, relevant, probative information for the legal issue at hand
43
Dynamic and Shared Storage
cloud environment that programmatically modifies or purges data, or one where the data is shared with people unaware of the need to preserve, preservation can be more difficult.
44
Access and Bandwidth
Clients ability to access it own data.
Determined by Service Level Agreements.
Ability to collect large volumes of data quickly and in a forensically sound manner may be limited
45
Forensics
by-bit imaging of a cloud data source is generally difficult or impossible. For obvious security reasons, providers are reluctant to allow access to their hardware, particularly in a multitenant environment where a client could gain access to other clients’ data
46
Reasonable Integrity
reasonable steps to validate that its collection from its cloud provider is complete and accurate, especially were ordinary business procedures for the request are unavailable and litigation-specific measures are being used to obtain the information
47
Limits to Accessibility:
When Cloud customer cannot access their data due to access rights, privileges and how data is stored
48
Compliance
validates awareness of and adherence to corporate obligations (e.g., corporate social responsibility, ethics, applicable laws, regulations, contracts, strategies, and policies)
49
Audits
key tool for proving (or disproving) compliance
50
pass-through audits
providers certified for various regulations and industry requirements, such as PCI DSS, SOC1, SOC2, HIPAA, best practices/frameworks like CSA CCM, and global/regional regulations like the EU GDPR
51
Artifacts
The logs, documentation, and other materials needed for audits and compliance; they are the evidence to support
compliance activities
52
Multitenancy data governance
data is stored in the public cloud, it’s stored on shared infrastructure with other, untrusted tenants
53
Shared security responsibility
Data is now more likely to be owned and managed by different teams or even organizations
54
Ownership
Owner of the data, may not always be clear and depends on laws, contracts, and policies
55
Custodianship
Refers to who is managing the data
56
Jurisdictional boundaries and data sovereignty
Locations where the data is stored
57
3 things that are impacted by cloud due to the combination of a third-party provider and jurisdictional changes
Compliance, regulations, and privacy policies
58
Destruction and removal of data
ties into the technical capabilities of the cloud platform. Can you ensure the destruction and removal of data in accordance with policy
59
Information Classification
Tied to compliance, determines how and where data can and cannot be stored. (Personnel files, Medical files etc.)
60
Information Management Policies
tie to classification and the cloud needs to be added if you have them. They should also cover the different SPI tiers, since sending data to a SaaS vendor versus building your own IaaS app is very different
61
Data Security Lifecycle
Create, Store, Use, Share, Archive, Destroy ↻
62
Create
Creation is the generation of new digital content, or the alteration/updating/modifying of existing content
63
Store
Storing is the act committing the digital data to some sort of storage repository and typically occurs nearly simultaneously with creation
64
Use
Data is viewed, processed, or otherwise used in some sort of activity, not including modification
65
Share
Information is made accessible to others, such as between users, to customers, and to partners
66
Archive
Data leaves active use and enters long-term storage
67
Destroy
Data is permanently destroyed using physical or digital means (e.g., cryptoshredding)
68
3 Function with Data
Read: ad the data, including creating, copying, file transfers, dissemination, and other exchanges
Process: transaction on the data; update it, use it
Store. Hold the data (in a file, database, etc.)
69
management plane
is the single most significant security difference between traditional infrastructure and cloud computing
• The cloud provider is responsible for ensuring the management plane is secure and necessary security features are exposed to the cloud user, such as granular entitlements to control what someone can do even if they have management plane access.
• The cloud user is responsible for properly configuring their use of the management plane, as well as for securing and managing their credentials
70
Architect for Failure
Do not rely on traditional strategies (lift and shift) when migrating to the cloud. They will be less resilient. Leverage new cross platform and isolation technologies to improve failover
71
Ways to access the Management Plane
APIs and web consoles are the way the management plane is delivered
72
Software Development Kits (SDKs) and Command Line Interfaces (CLIs)
Tools provided by the cloud provider to make integration easier
73
Identity and Access Management (IAM)
identification, authentication, and authorizations. How you determine who can do what within your cloud
74
authentication mechanisms in REST
HTTP request signing and OAuth are the most common; both leverage cryptographic techniques to validate
75
Protecting from attacks against the management plane’s components itself, such as the web and API servers. It includes both lower-level network defenses as well as higher-level defenses against application attacks
Perimeter Security
76
Customer authentication
Providing secure mechanisms for customers to authenticate to the management plane should support MFA as an option or requirement
77
Internal authentication and credential passing
mechanisms your own employees use to connect with the non-customer-facing portions of the management plane
78
Authorization and entitlements
Right and access given to customer and administrators.
79
Logging, monitoring, and alerting
Are essential for effective security and compliance Alerting of unusual events is an important security control to ensure that monitoring is actionable
80
Chaos Engineering
used to help build resilient cloud deployments. Since everything cloud is API-based, Chaos Engineering uses tools to selectively degrade portions of the cloud to continuously test business continuity
81
two macro layers to infrastructure
Fundamental resources and abstract/virtual layer
82
Cloud Network Types
service network for communications between virtual machines and the Internet
&
storage network to connect virtual storage to virtual machine
&
management network for management and API traffic
83
Software Defined Networking (SDN):
complete abstraction layer on top of networking hardware, SDNs decouple the network control plane from the data plane
84
Challenges of Virtual Appliances
Bottlenecks, resource consumption, auto-scaling, geographical location, resiliency
85
SDN Security Benefits
Isolation is easier, firewalls with more flexible parameters and more granular
86
Microsegmentation
leverages virtual network topologies to run more, smaller, and more isolated networks without incurring additional hardware costs that historically make such models prohibitive
87
3 Parts of Software Defined Perimeter (SDP)
SDP controller for authenticating and authorizing
SDP clients and configuring the connections to
SDP gateways for terminating
88
Bastion
Hybrid cloud architecture to allow connections to multiple cloud networks to data centers using a single hybrid connection
89
Containers
code execution environments that run within an operating system only has access to the processes and capabilities defined in the container configuration
90
Platform-based workloads
Stored procedure running inside a multitenant database, or a machine-learning job running on a machine-learning Platform as a Service
91
Serverless computing
any situation were the cloud user doesn’t manage any of the underlying hardware or virtual machines, and just accesses exposed functions
92
Immutable workloads Benefits
No longer patching running systems
You can, and should, disable remote logins to running workloads
faster to roll out updated versions
easier to disable services and whitelist applications/processes
security testing can be managed during image creation, reducing the need for vulnerability assessment
93
Immutable requirements
Constant image creation
Security testing built into image creation
Image config needs to be able to disable logins
Increased complexity to manage
94
Challenges to Vulnerability Assessment
Cloud owner will typically require notification of assessments and place limits on the nature of assessments
Default deny networks further limit the potential effectiveness of an automated network Assessment
Assessments can be run during the image creation process for immutable workloads
Penetration testing is less affected since it still uses the same scope as an attacker
95
Cloud Provider Compute Virtualization responsibilities
Ensure isolation
| Secure underlying infrastructure and virtualization technology
96
Cloud User Compute Virtualization responsibilities
Security settings, such as identity management, to the virtual resources
Monitoring and logging
Image asset management
Use of dedicated hosting, if available
(Everything they build on top of the providers network )
97
Cloud Overlay Networks
Special kind of WAN virtualization technology for created networks that span multiple “base” networks
98
2 main types of Storage virtualization
Storage Area Network (SAN) and Network-Attached Storage (NAS)
99
3 components of a Container
Execution environment
Orchestration and scheduling
Repository for execution
100
Incident Response Lifecycle
Preparation
Detection & Analysis
Containment, Eradication, Recovery
Post-Mortem
101
Preparation:
Establishing an incident response capability so that the organization is ready to
respond to incidents.
• Process to handle the incidents.
• Handler communications and facilities.
• Incident analysis hardware and software.
• Internal documentation (port lists, asset lists, network diagrams, current baselines of
network traffic).
• Identifying training.
• Evaluating infrastructure by proactive scanning and network monitoring, vulnerability
assessments, and performing risk assessments.
• Subscribing to third-party threat intelligence services.
102
Detection and Analysis
* Alerts, indicators of compromise, baseline and anomaly detection
* Validate alerts (reducing false positives) and escalation.
* Estimate the scope of the incident.
* Assign an Incident Manager who will coordinate further actions.
* Designate a spokes person to communicate to senior management.
* Build a timeline of the attack.
* Determine the extent of the potential data loss.
* Notification and coordination activities.
103
Containment, Eradication, Recovery
• Containment: Taking systems offline. Considerations for data loss versus service
availability. Ensuring systems don’t destroy themselves upon detection.
• Eradication and Recovery: Clean up compromised devices and restore systems to normaloperation. Confirm systems are functioning properly. Deploy controls to prevent similar incidents.
• Documenting the incident and gathering evidence (chain of custody).
104
Post Mortem
What could have been done better? Could the attack have been detected sooner? What
additional data would have been helpful to isolate the attack faster? Does the IR process
need to change? If so, how?
105
Cloud jump kit
tools needed to investigate in a remote location
106
Forensics and investigative support
Snapshotting the storage of the virtual machine.
Capturing any metadata at the time of alert
If your provider supports it, “pausing” the virtual machine, which will save the volatile memory state.
107
Service Level Agreement (SLA)
Contract describing the level of support users will get from providers incase of an incident
108
How often should IR Testing be done?
will be conducted at least annually or whenever there are significant changes to the application architecture
109
Application Sec Opportunities
```
Higher baseline security.
Responsiveness
Isolated environments
Independent virtual machines
Elasticity
DevOps
Unified Interface
```
110
Application Sec Challenges
Limited detailed visibility
Increased application scope.
Changing threat models
Reduced transparency
111
Secure Software Development Lifecycle (SSDLC):
series of security activities during all phases of application development, deployment, and operations
112
Five main phases in secure application design and development
```
Training
Define
Design
Develop
Test
```
113
Benefits of DevOps and Continuous Integration/Continuous Deployment (CI/CD)
```
Standardization:
Automated testing:
Immutable: CI/CD pipelines
Improved auditing and change management:
SecDevOps/DevSecOps and Rugged DevOps:
```
114
SSDLC Model
Secure Design and Development
Secure Deployment
Secure Operations
115
Training
* Secure Coding Practices
* Writing security tests
* Provider/Platform Technical Training
116
Define
When the cloud user determines the approved architectures or features/tools for the provider, security standards, and other requirements
117
Design
Threat modeling
| Secure design
118
Develop
Code review
Unit testing
Static Analysis
Dynamic Analysis
119
Test
* Vulnerability Assessment
* Dynamic Analysis
* Functional tests
* QA
120
Secure Deployment
security and testing activities when moving code from an isolated
development environment into production such as
Code Review
Unit, regression, and functional testing
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
121
How Cloud Impacts Application Design and Architectures
Segregation by default
Immutable infrastructure
Increased use of micro-services
PaaS and “serverless” architectures
122
Event driven security:
Management plane detects various activities—such as a file being uploaded to a designated object storage location or a configuration change to the network or identity management—which can in turn trigger code execution through a notification message, or via serverless hosted code
123
Data security Buckets
Controlling what goes in
Protecting and Managing
Enforcing information lifecycle management security
124
Data Storage types
Object: storage is like a file system
Volume storage: This is essentially a virtual hard drive
Database: Like any other database
Application/platform: Examples of these would be a content delivery network (CDN), files stored in SaaS, caching, and other novel options
125
Data dispersion aka data fragmentation of bit splitting
redundant, durable storage mechanisms takes chunks of data, breaks them up, and then stores multiple copies on different physical storage to provide high durability
126
Cloud Access and Security Brokers (CASB) aka Cloud Security Gateways
Used to discover internal use of cloud services using various mechanisms such as network monitoring, integrating with an existing network gateway or monitoring tool, or even by monitoring DNS queries
127
URL filtering
Tool to monitor network traffic, gateway may help you understand which cloud services your users are using
128
Data Loss Prevention (DLP)
tool may also help detect data migrations to cloud services
129
Cloud Data Access Controls 3 layers
Management plane
Public and internal sharing controls
Application-level controls
130
Encryption
Encryption
protects data by applying a mathematical algorithm that “scrambles” the data, which then can only be recovered by running it through an unscrambling (decryption) process with a corresponding key
131
Tokenization
takes the data and replaces it with a random value. often used when the format of the data is important
132
Instance-managed encryption
encryption engine runs within the instance, and the key is stored in the volume but protected by a passphrase
or keypair
133
Externally managed encryption
Encryption engine runs in the instance, but the keys are managed externally and issued to the instance on request
134
Key management options
HMS/Appliance
Virtual Appliance
Cloud Provider
Hybrid
135
HSM/appliance
Traditional hardware security module needs to be on-premises, and deliver the keys to the cloud over a dedicated connection
136
Virtual appliance/software
Software-based key manager in the cloud
137
Cloud provider Encryption
Key management service offered by the cloud provider understand the security model and SLAs to understand if
your key could be exposed
138
Hybrid Encryption
combination, such as using a HSM as the root of trust for keys but then delivering application-specific keys to a virtual appliance
139
Digital Rights Management (DRM)/Enterprise Rights Management (ERM)
are based on encryption and existing tools may break cloud capabilities especially in SaaS
140
Full DRM
Full digital rights management using an existing tool
141
Provider-based control:
cloud platform may be able to enforce controls very similar to full DRM by using native capabilities
142
Data Masking and Test Data Generation
These are techniques to protect data used in development and test environments, or to limit real-time
access to data in applications
143
Test data generation
creation of a database with non-sensitive test data based on a “real” database
144
Dynamic masking
rewrites data on the fly, typically using a proxy mechanism, to mask all or part of data delivered to a user
145
Managing data location/residency
Ability to disable unneeded locations and protect the data even it it changes locations
146
Identity:
the unique expression of an entity within a given namespace. An entity can have
multiple digital identities
147
Entity
the person or “thing” that will have an identity. It could be an individual, a system, a device, or application code.
148
Identifier
how an identity can be asserted. For digital identities this is often a cryptological token
149
Attributes:
facets of an identity
150
Persona:
the expression of an identity with attributes that indicates context
151
Role
identities can have multiple roles which indicate context
152
Authentication
the process of confirming an identity (Username and password)
153
Multifactor Authentication (MFA):
use of multiple factors in authentication. Common options include one-time passwords generated by a physical or virtual device/token (OTP)
154
Access control
restricting access to a resource
155
Authorization:
allowing an identity access to something
156
Entitlement:
mapping an identity (including roles, personas, and attributes) to an authorization
157
Federated Identity Management
the process of asserting an identity across different systems (Single Sign on)
158
Authoritative source
the “root” source of an identity, such as the directory server that manages employee identities
159
Identity Provider
the source of the identity in federation
160
Relying Party
the system that relies on an identity assertion from an identity provider
161
IAM Standards
```
SAML
OAuth
OpenID
XACML
SCIM
```
162
Security Assertion Markup Language (SAML)
OASIS standard for federated identity management that supports both authentication and authorization. It uses XML to make assertions between an identity provider and a relying party
163
OAuth
is an IETF standard for authorization that is very widely used for web services as it was designed for HTTP
164
OpenID
is a standard for federated authentication that is very widely supported for web
services. It is based on HTTP with URLs
165
eXtensible Access Control Markup Language (XACML)
is a standard for defining attribute-based access controls
166
System for Cross-domain Identity Management (SCIM)
is a standard for exchanging identity information between domains
167
Identity Broker Models
Hub and Spoke
| Free Form
168
Free-Form
internal identity providers/sources (often directory servers) connect directly to cloud providers
169
Hub and spoke:
internal identity providers/sources communicate with a central broker or repository that then serves as the identity provider for federation to cloud providers
170
Identity brokers
handle federating between identity providers and relying parties
171
Security as a Service (SecaaS)
security products or services that are delivered as a cloud service meet the essential NIST characteristics
172
SecaaS Benefits
```
Cloud-computing benefits
Staffing and expertise.
Intelligence-sharing.
Deployment flexibility.
Insulation of clients.
Scaling and cost
```
173
SecaaS Concerns
```
Lack of visibility.
Regulation differences
Handling of regulated data
Data leakage
Changing providers
Migration to SecaaS.
```
174
Intrusion Detection/Prevention (IDS/IPS)
monitoring behavior patterns using rule-based, heuristic, or behavioral models to detect anomalies in activity which might present risks to the enterprise
175
Security Information & Event Management (SIEM)
Collecting (via push or pull mechanisms) log and event data from virtual and real networks, applications, and systems
176
Big data
collection of technologies for working with extremely large datasets that traditional data-processing tools are unable to manage
177
Distributed data collection:
Mechanisms to ingest large volumes of data, often of a streaming nature
178
Distributed storage
ability to store the large data sets in distributed file systems
179
Distributed processing
Tools capable of distributing processing jobs for the effective analysis of data sets so massive and rapidly changing that single origin processing can’t effectively handle them
180
Internet of Things (IoT)
Blanket term for non-traditional computing devices used in the physical world that utilize Internet connectivity
181
ENISA Security Benefits
```
SECURITY AND THE BENEFITS OF SCALE
SECURITY AS A MARKET DIFFERENTIATOR
STANDARDISED INTERFACES FOR MANAGED
RAPID, SMART SCALING OF RESOURCES
AUDIT AND EVIDENCE-GATHERING
MORE TIMELY, EFFECTIVE AND EFFICIENT UPDATES AND DEFAULTS
BENEFITS OF RESOURCE CONCENTRATION
```
182
ENISA Risks
```
LOSS OF GOVERNANCE:
LOCK-IN:
ISOLATION FAILURE
COMPLIANCE RISKS
MANAGEMENT INTERFACE COMPROMISE
DATA PROTECTION
INSECURE OR INCOMPLETE DATA DELETION
MALICIOUS INSIDER
```
183
CAIQ
is a standard template for cloud providers to document their security and compliance controls.
184
Cloud Controls Matrix (CCM)
lists cloud security controls and maps them to multiple security and compliance standards
185
True or False
NIS Directive establishes a framework to enable networks and information systems to resist at a given level of confidence actions that compromise the availability authenticity integrity or confidentiality of stored transmitted or processed data or the related services that are offered by or accessible through those networks and information systems
TRUE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
186
Granular Entitlements
Enable customers to securely manage their own users and administrators. Internally, granular entitlements reduce the impact of administrators’ accounts being compromised or employee abuse
