The Official (ISC)2 Guide to the CCSP CBK - Adam Gordon - E-Book

Adam Gordon

Description

Globally recognized and backed by the Cloud Security Alliance (CSA) and (ISC)², the CCSP credential is the ideal way to match marketability and credibility to your cloud security skill set. The Official (ISC)² Guide to the CCSP℠ CBK Second Edition is your ticket for expert insight through the 6 CCSP domains. You will find step-by-step guidance through real-life scenarios, illustrated examples, tables, best practices, and more. This Second Edition features clearer diagrams as well as refined explanations based on extensive expert feedback. Sample questions help you reinforce what you have learned and prepare smarter. Numerous illustrated examples and tables are included to demonstrate concepts, frameworks and real-life scenarios. The book offers step-by-step guidance through each of CCSP's domains, including best practices and techniques used by the world's most experienced practitioners. Developed by (ISC)², endorsed by the Cloud Security Alliance® (CSA) and compiled and reviewed by cloud security experts across the world, this book brings together a global, thorough perspective. The Official (ISC)² Guide to the CCSP CBK should be utilized as your fundamental study tool in preparation for the CCSP exam and provides a comprehensive reference that will serve you for years to come.


Page count: 805

Publication year: 2016




CONTENTS

Foreword

Introduction

Conventions

Note

Domain 1: Architectural Concepts and Design Requirements

Introduction

Cloud Computing Definitions

Cloud Computing Roles

Key Cloud Computing Characteristics

Cloud Transition Scenario

Building Blocks

Cloud Computing Functions

Cloud Service Categories

Cloud Deployment Models

Cloud Cross-Cutting Aspects

Network Security and Perimeter

Cryptography

IAM and Access Control

Data and Media Sanitization

Virtualization Security

Common Threats

Security Considerations for Different Cloud Categories

Open Web Application Security Project Top Ten Security Threats

Cloud Secure Data Lifecycle

Information and Data Governance Types

Business Continuity and Disaster Recovery Planning

Cost-Benefit Analysis

Certification Against Criteria

System and Subsystem Product Certification

Summary

Review Questions

Notes

Domain 2: Cloud Data Security

Introduction

The Cloud Data Lifecycle Phases

Location and Access of Data

Functions, Actors, and Controls of the Data

Cloud Services, Products, and Solutions

Data Storage

Relevant Data Security Technologies

Application of Security Strategy Technologies

Emerging Technologies

Data Discovery

Data Classification

Data Privacy Acts

Typical Meanings for Common Privacy Terms

Privacy Roles for Customers and Service Providers

Responsibility Depending on the Type of Cloud Services

Implementation of Data Discovery

Classification of Discovered Sensitive Data

Mapping and Definition of Controls

Privacy Level Agreement

PLA Versus Essential P&DP Requirements Activity

Application of Defined Controls for PII

Data Rights Management Objectives

Data-Protection Policies

Events

Supporting Continuous Operations

Chain of Custody and Nonrepudiation

Summary

Review Questions

Notes

Domain 3: Cloud Platform and Infrastructure Security

Introduction

Network and Communications in the Cloud

The Compute Parameters of a Cloud Server

Storage Issues in the Cloud

Management of Cloud Computing Risks

Countermeasure Strategies Across the Cloud

Physical and Environmental Protections

System and Communication Protections

Virtualization Systems Controls

Managing Identification, Authentication, and Authorization in the Cloud Infrastructure

Risk Audit Mechanisms

Understanding the Cloud Environment Related to BCDR

Understanding the Business Requirements Related to BCDR

Understanding the BCDR Risks

BCDR Strategies

Creating the BCDR Plan

Summary

Review Questions

Notes

Domain 4: Cloud Application Security

Introduction

Determining Data Sensitivity and Importance

Understanding the API Formats

Common Pitfalls of Cloud Security Application Deployment

Awareness of Encryption Dependencies

Understanding the Software Development Lifecycle Process for a Cloud Environment

Assessing Common Vulnerabilities

Cloud-Specific Risks

Threat Modeling

Identity and Access Management

Federated Identity Management

Multifactor Authentication

Supplemental Security Devices

Cryptography

Tokenization

Data Masking

Sandboxing

Application Virtualization

Cloud-Based Functional Data

Cloud-Secure Development Lifecycle

Application Security Testing

Summary

Review Questions

Notes

Domain 5: Operations

Introduction

Modern Data Centers and Cloud Service Offerings

Factors That Affect Data Center Design

Enterprise Operations

Secure Configuration of Hardware: Specific Requirements

Installation and Configuration of Virtualization Management Tools for the Host

Securing the Network Configuration

Identifying and Understanding Server Threats

Using Standalone Hosts

Using Clustered Hosts

Accounting for Dynamic Operation

Using Storage Clusters

Using Maintenance Mode

Providing HA on the Cloud

The Physical Infrastructure for Cloud Environments

Configuring Access Control for Remote Access

Performing Patch Management

Performance Monitoring

Backing Up and Restoring the Host Configuration

Implementing Network Security Controls: Defense in Depth

Developing a Management Plan

Building a Logical Infrastructure for Cloud Environments

Running a Logical Infrastructure for Cloud Environments

Managing the Logical Infrastructure for Cloud Environments

Implementation of Network Security Controls

Using an ITSM Solution

Considerations for Shadow IT

Operations Management

Managing Risk in Logical and Physical Infrastructures

The Risk-Management Process Overview

Understanding the Collection and Preservation of Digital Evidence

Managing Communications with Relevant Parties

Wrap-Up: Data Breach Example

Summary

Review Questions

Notes

Domain 6: Legal and Compliance

Introduction

International Legislation Conflicts

Legislative Concepts

Frameworks and Guidelines Relevant to Cloud Computing

Common Legal Requirements

Legal Controls and Cloud Service Providers

e-Discovery

Cloud Forensics and ISO/IEC 27050-1

Protecting Personal Information in the Cloud

Auditing in the Cloud

Standard Privacy Requirements (ISO/IEC 27018)

GAPP

Internal ISMS

Implementing Policies

Identifying and Involving the Relevant Stakeholders

Impact of Distributed IT Models

Understanding the Implications of the Cloud to Enterprise Risk Management

Risk Mitigation

Understanding Outsourcing and Contract Design

Business Requirements

Vendor Management

Cloud Computing Certification

Contract Management

Supply Chain Management

Summary

Review Questions

Notes

Appendix A: Answers to Review Questions

Domain 1: Architectural Concepts and Design Requirements

Domain 2: Cloud Data Security

Domain 3: Cloud Platform and Infrastructure Security

Domain 4: Cloud Application Security

Domain 5: Operations

Domain 6: Legal and Compliance Issues

Notes

Appendix B: Glossary

Appendix C: Helpful Resources and Links

EULA

List of Tables

Chapter 1

Table 1.1

Table 1.2

Table 1.3

Chapter 2

Table 2.1

Table 2.2

Table 2.3

Table 2.4

Chapter 3

Table 3.1

Chapter 4

Table 4.1

Chapter 5

Table 5.1

Table 5.2

Table 5.3

Table 5.4

Table 5.5

Table 5.6

Table 5.7

Table 5.8

Table 5.9

Chapter 6

Table 6.1

Table 6.2

List of Illustrations

Chapter 1

Figure 1.1 Cloud computing overview.

Figure 1.2 Drivers that move companies toward cloud computing.

Figure 1.3 Cloud computing issues and concerns.

Figure 1.4 CSA Enterprise Architecture.

Figure 1.5 Key stages of the data lifecycle.

Chapter 2

Figure 2.1 Many roles are involved in providing data security.

Figure 2.2 The six phases of the data lifecycle.

Figure 2.3 The actors, functions, and locations of the data.

Figure 2.4 Data functions mapping to the data lifecycle.

Figure 2.5 Process overview.

Figure 2.6 Tying it together.

Figure 2.7 IaaS storage types.

Figure 2.8 Basic approach to addressing a data threat.

Figure 2.9 Basic tokenization architecture.

Figure 2.10 Responsibility depending on type of cloud service.

Figure 2.11 Key privacy cloud service factors.

Figure 2.12 Management control for privacy and data-protection measures.

Figure 2.13 The SIEM system.

Chapter 3

Figure 3.1 The cloud infrastructure.

Figure 3.2 Data center design redundancy factors.

Figure 3.3 Sample redundant data center design.

Figure 3.4 Sample SDN architecture.

Figure 3.5 The hypervisor architecture.

Figure 3.6 The management plane.

Figure 3.7 General categories of risk related to the cloud infrastructure.

Figure 3.8 Responsibility matrix across the cloud environment.

Figure 3.9 Relationship between identity providers and relying parties.

Figure 3.10 The overall entitlement process.

Figure 3.11 The cloud serves as the endpoint for failover services and BCDR activities.

Figure 3.12 When one region or availability zone fails, the service is restored to another part of that same cloud.

Figure 3.13 When a region or availability zone fails, the service is restored to a different cloud.

Figure 3.14 Main components of a sample failover architecture.

Chapter 4

Figure 4.1 Benefits and efficiencies tend to conflict with challenges and complexities.

Figure 4.2 Common pitfalls related to cloud security.

Figure 4.3 Sample security responsibility matrix for cloud service models.

Figure 4.4 IAM.

Figure 4.5 The ONF.

Figure 4.6 The ASMP.

Chapter 5

Figure 5.1 The four-tiered architecture for data center design.

Figure 5.2 Separating the hot and cold aisles can significantly increase the air-side cooling capacity of the system.

Figure 5.3 A secure network configuration involves all these protocols and services.

Figure 5.4 A NIDS installed on a subnet where firewalls are located.

Figure 5.5 All traffic passes through the IPS.

Figure 5.6 Combined IPS and IDS.

Figure 5.7 Typical setup of a honeypot.

Figure 5.8 The impact/urgency/priority matrix.

Figure 5.9 Incident management process example.

Figure 5.10 Four components in the risk-management process.

Figure 5.11 Rating likelihood and consequences.

Figure 5.12 Process flow of digital forensics.

Figure 5.13 A communication path.

Figure 5.14 Ranking vendor/supplier relationships.

Chapter 6

Figure 6.1 Cloud computing makes following regulations and laws more complicated.

Figure 6.2 Audit planning’s four phases.

Figure 6.3 How the cloud affects the enterprise.

Figure 6.4 SLA elements weighed against customer requirements.

Figure 6.5 The risk scorecard provides a clear representation of potential risks.

Figure 6.6 The three main risk frameworks.

Figure 6.7 CSA STAR’s three layers.

Figure 6.8 Comparison matrix of CCSL and the CCSM security objectives.

Appendix A

Figure A.1 The six stages of the cloud secure data lifecycle.

Figure A.2 The PaaS security concerns

Figure A.3 Responsibility matrix across the cloud environment

Figure A.4 The Uptime Institute “Data Center Site Infrastructure Tier Standard: Topology”

Figure A.5 The four steps in the risk-management process

Figure A.6 Proper methodologies for forensic collection of data


Foreword

EVERY DAY AROUND THE WORLD, organizations are taking steps to leverage cloud infrastructure, software, and services. This is a substantial undertaking that also heightens the complexity of protecting and securing data. As powerful as cloud computing is to organizations, it’s essential to have qualified people who understand information security risks and mitigation strategies for the cloud. As the largest not-for-profit membership body of certified information security professionals worldwide, (ISC)2 recognizes the need to identify and validate information security competency in securing cloud services.

To help facilitate the knowledge you need to ensure strong information security in the cloud, I’m pleased to present the Official (ISC)2 Guide to the CCSP CBK. Drawing from a comprehensive, up-to-date global body of knowledge, the CCSP CBK ensures that you have the right information security knowledge and skills to be successful and prepares you to achieve the Certified Cloud Security Professional (CCSP) credential.

(ISC)2 is proud to collaborate with the Cloud Security Alliance (CSA) to build a unique credential that reflects the most current and comprehensive best practices for securing and optimizing cloud computing environments. To attain CCSP certification, candidates must have a minimum of five years’ experience in IT, of which three years must be in information security and one year in cloud computing. All CCSP candidates must be able to demonstrate capabilities found in each of the six Common Body of Knowledge (CBK) domains:

Architectural Concepts and Design Requirements

Cloud Data Security

Cloud Platform and Infrastructure Security

Cloud Application Security

Operations

Legal and Compliance

The CCSP credential represents advanced knowledge and competency in cloud security design, implementation, architecture, operations, controls, and immediate and long-term responses.

Cloud computing has emerged as a critical area within IT that requires further security considerations. According to the 2015 (ISC)2 Global Information Security Workforce Study, cloud computing is identified as the top area for information security, with a growing demand for education and training within the next three years. In correlation to the demand for education and training, 73 percent of more than 13,000 survey respondents believe that cloud computing will require information security professionals to develop new skills.

If you are ready to take control of the cloud, The Official (ISC)2 Guide to the CCSP CBK prepares you to securely implement and manage cloud services within your organization’s information technology (IT) strategy and governance requirements. CCSP credential holders will achieve the highest standard for cloud security expertise—managing the power of cloud computing while keeping sensitive data secure.

The recognized leader in the field of information security education and certification, (ISC)2 promotes the development of information security professionals throughout the world. As a CCSP with all the benefits of (ISC)2 membership, you would join a global network of more than 110,000 certified professionals who are working to inspire a safe and secure cyber world.

Qualified people are the key to cloud security. This is your opportunity to gain the knowledge and skills you need to protect and secure data in the cloud.

Regards,

David P. Shearer

CEO

(ISC)2

Introduction

THERE ARE TWO MAIN requirements that must be met to achieve the status of Certified Cloud Security Professional (CCSP); one must take and pass the certification exam and be able to demonstrate a minimum of five years of cumulative paid full-time information technology experience, of which three years must be in information security and one year must be in one of the six domains of the CCSP examination. A firm understanding of what the six domains of the CCSP Common Body of Knowledge (CBK) are and how they relate to the landscape of business is a vital element in successfully being able to meet both requirements and claim the CCSP credential. The mapping of the six domains of the CCSP CBK to the job responsibilities of the information security professional in today’s world can take many paths based on a variety of factors, such as industry vertical, regulatory oversight and compliance, geography, and public versus private versus military as the overarching framework for employment in the first place. In addition, considerations such as cultural practices and differences in language and meaning can play a substantive role in the interpretation of what aspects of the CBK will mean and how they will be implemented in any given workplace.

It is not the purpose of this book to attempt to address all these issues or provide a definitive prescription as to “the” path forward in all areas. Rather, it is to provide the official guide to the CCSP CBK and, in so doing, to lay out the information necessary to understand what the CBK is and how it is used to build the foundation for the CCSP and its role in business today. Being able to map the CCSP CBK to your knowledge, experience, and understanding is the way that you will be able to translate the CBK into actionable and tangible elements for both the business and its users that you represent.

The Architectural Concepts and Design Requirements domain focuses on the building blocks of cloud-based systems. The CCSP needs an understanding of cloud computing concepts such as definitions based on the ISO/IEC 17788 standard; roles like the cloud service customer, provider, and partner; characteristics such as multitenancy, measured services, and rapid elasticity and scalability; and building block technologies of the cloud such as virtualization, storage, and networking. The cloud reference architecture will need to be described and understood, focusing on areas such as cloud computing activities (as described in ISO/IEC 17789), clause 9, cloud service capabilities, categories, deployment models, and the cross-cutting aspects of cloud platform architecture and design, such as interoperability, portability, governance, service levels, and performance. In addition, the CCSP should have a clear understanding of the relevant security and design principles for cloud computing, such as cryptography, access control, virtualization security, functional security requirements like vendor lock-in and interoperability, what a secure data life cycle is for cloud-based data, and how to carry out a cost-benefit analysis of cloud-based systems. The ability to identify what a trusted cloud service is and what role certification against criteria plays in that identification—using standards such as the Common Criteria and FIPS 140-2—are further areas of focus for this domain.

The Cloud Data Security domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems (OSs), equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability. The CCSP needs to understand and implement data discovery and classification technologies pertinent to cloud platforms, as well as be able to design and implement relevant jurisdictional data protections for personally identifiable information (PII), such as data privacy acts and the ability to map and define controls within the cloud. Designing and implementing digital rights management (DRM) solutions with the appropriate tools and planning for the implementation of data retention, deletion, and archiving policies are activities that a CCSP will need to understand how to undertake.

The Cloud Platform and Infrastructure Security domain covers knowledge of the cloud infrastructure components—both the physical and virtual—existing threats, and mitigating and developing plans to deal with those threats. Risk management is the identification, measurement, and control of loss associated with adverse events. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decisions, safeguard implementation, and effectiveness review. The CCSP is expected to understand risk management, including risk analysis, threats and vulnerabilities, asset identification, and risk management tools and techniques. In addition, the candidate needs to understand how to design and plan for the use of security controls such as audit mechanisms, physical and environmental protection, and the management of identification, authentication, and authorization solutions within the cloud infrastructures she manages. Business continuity planning (BCP) facilitates the rapid recovery of business operations to reduce the overall impact of the disaster by ensuring continuity of the critical business functions. Disaster recovery planning includes procedures for emergency response, extended backup operations, and postdisaster recovery when the computer installation suffers loss of computer resources and physical facilities. The CCSP is expected to understand how to prepare a business continuity or disaster recovery plan (DRP), techniques and concepts, identification of critical data and systems, and the recovery of lost data within cloud infrastructures.

The Cloud Application Security domain focuses on issues to ensure that the need for training and awareness in application security, the processes involved with cloud software assurance and validation, and the use of verified secure software are understood. The domain refers to the controls that are included within systems and applications software and the steps used in their development (such as software development life cycle). The CCSP should fully understand the security and controls of the development process, system life cycle, application controls, change controls, program interfaces, and concepts used to ensure data and application integrity, security, and availability. In addition, the need to understand how to design appropriate identity and access management (IAM) solutions for cloud-based systems is important.

The Operations domain is used to identify critical information and the execution of selected measures that eliminate or reduce adversary exploitation of critical information. The domain examines the requirements of the cloud architecture, from planning of the data center design and implementation of the physical and logical infrastructure for the cloud environment to running and managing that infrastructure. It includes the definition of the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing and monitoring are the mechanisms, tools, and facilities that permit the understanding of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process. The need for compliance with regulations and controls through the applications of frameworks such as ITIL and ISO/IEC 20000 is also discussed. In addition, the importance of risk assessment across both the logical and the physical infrastructures and the management of communication with all relevant parties are focused on. The CCSP is expected to know the resources that must be protected, the privileges that must be restricted, the control mechanisms that are available, the potential for abuse of access, the appropriate controls, and the principles of good practice.

The Legal and Compliance domain addresses ethical behavior and compliance with regulatory frameworks. It includes the investigative measures and techniques that can be used to determine if a crime has been committed and methods used to gather evidence (including legal controls, e-discovery, and forensics). This domain also includes an understanding of privacy issues and audit processes and methodologies required for a cloud environment, such as internal and external audit controls, assurance issues associated with virtualization and the cloud, and the types of audit reporting specific to the cloud, such as the Statement on Standards for Attestation Engagements (SSAE) No. 16, and the International Standards for Assurance Engagements (ISAE) No. 3402.¹

Further, examining and understanding the implications that cloud environments have in relation to enterprise risk management and the impact of outsourcing for design and hosting of these systems are important considerations that many organizations face today.

Conventions

To help you get the most from the text, we’ve used a number of conventions throughout the book.

WARNING

Warnings draw attention to important information that is directly relevant to the surrounding text.

NOTE

Notes discuss helpful information related to the current discussion.

As for styles in the text, we show URLs within the text like so: www.wiley.com.

Note

1. Many service organizations that previously had a SAS 70 service auditor’s examination (SAS 70 audit) performed converted to the SSAE No. 16 standard in 2011 and now have an SSAE 16 report instead. This is also referred to as a Service Organization Controls (SOC) 1 report.

DOMAIN 1: Architectural Concepts and Design Requirements

THE GOAL OF THE Architectural Concepts and Design Requirements domain is to provide you with knowledge of the building blocks necessary to develop cloud-based systems.

You will be introduced to such cloud computing concepts as the customer, provider, partner, measured services, scalability, virtualization, storage, and networking. You will be able to understand the cloud reference architecture based on activities defined by industry-standard documents.

Lastly, you will gain knowledge in relevant security and design principles for cloud computing, including secure data lifecycle and cost-benefit analysis of cloud-based systems.

DOMAIN OBJECTIVES

After completing this domain, you will be able to do the following:

Define the various roles, characteristics, and technologies as they relate to cloud computing concepts

Describe cloud computing concepts as they relate to cloud computing activities, capabilities, categories, models, and cross-cutting aspects

Identify the design principles necessary for secure cloud computing

Define the various design principles for the different types of cloud categories

Describe the design principles for secure cloud computing

Identify criteria specific to national, international, and industry for certifying trusted cloud services

Identify criteria specific to the system and subsystem product certification

Introduction

 

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

“The NIST Definition of Cloud Computing”1

Cloud computing (Figure 1.1) is the use of Internet-based computing resources, typically delivered “as a service,” that allow internal or external customers to consume scalable and elastic information technology (IT)-enabled capabilities.

Figure 1.1 Cloud computing overview.

Cloud computing, or cloud, means many things to many people. There are indeed various definitions for cloud computing and what it means from many of the leading standards bodies. The previous National Institute of Standards and Technology (NIST) definition is the most commonly utilized, cited by professionals and others alike to clarify what the term cloud means.

It’s important to note the difference between a cloud service provider (CSP) and a managed service provider (MSP). The main difference lies in who exerts control over the data and the processes. With an MSP, the consumer dictates the technology and operating procedures. According to the MSP Alliance, MSPs typically have the following distinguishing characteristics:2

Some form of network operations center (NOC) service

Some form of help desk service

Remote monitoring and management of all or most of the objects for the customer

Proactive maintenance of the objects under management for the customer

Delivery of these solutions with some form of predictable billing model, where the customer knows with great accuracy what the regular IT management expense will be

With a CSP, the service provider dictates both the technology and the operational procedures being made available to the cloud consumer. This means that the CSP is offering some or all of the components of cloud computing through a software as a service (SaaS), infrastructure as a service (IaaS), or platform as a service (PaaS) model.

Drivers for Cloud Computing

There are many drivers that may move a company to consider cloud computing. These may include the costs associated with the ownership of their current IT infrastructure solutions as well as projected costs to continue to maintain these solutions year in and year out (Figure 1.2).

Figure 1.2 Drivers that move companies toward cloud computing.

Additional drivers include but are not limited to the following:

The desire to reduce IT complexity

Risk reduction:

Users can use the cloud to test ideas and concepts before making major investments in technology.

Scalability:

Users have access to a large number of resources that scale based on user demand.

Elasticity:

The environment transparently manages a user’s resource utilization based on dynamically changing needs.

Consumption-based pricing

Virtualization:

Each user has a single view of the available resources, independent of their arrangement in terms of physical devices.

Cost:

The pay-per-usage model allows an organization to pay only for the resources it needs, with essentially no capital investment in the physical resources that make up the cloud. The customer carries no direct infrastructure maintenance or upgrade costs; the provider bears them and folds them into the usage price.

Business agility

Mobility:

Users can access data and applications from around the globe.

Collaboration and innovation:

Users are starting to see the cloud as a way to work simultaneously on common data and information.

Security, Risks, and Benefits

You cannot bring up or discuss the topic of cloud computing without hearing the words security, risk, and compliance. In truth, cloud computing does pose challenges and represents a paradigm shift in the way in which technology solutions are being delivered. As with any notable change, this raises questions and creates a need for clear, shared understanding on both the customer and the provider side. The Certified Cloud Security Professional (CCSP) must play a key role in the dialogue within the organization as it pertains to cloud computing, its role, the opportunity costs, and the associated risks (Figure 1.3).

Figure 1.3 Cloud computing issues and concerns.

Risk can take many forms in an organization. The organization needs to carefully weigh all the risks associated with a business decision before engaging in an activity to minimize the risk impact associated with an activity. There are many approaches and frameworks that can be used to address risk in an organization, such as the Control Objectives for Information and Related Technology (COBIT) framework, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Integrated Framework, and the NIST Risk Management Framework. Organizations need to become risk aware in general, focusing on risks within and around the organization that may cause harm to the reputation of the business. Reputational risk can be defined as “the loss of value of a brand or the ability of an organization to persuade.”3 To manage reputational risk, an organization should consider the following items:

Strategic alignment

Effective board oversight

Integration of risk into strategy setting and business planning

Cultural alignment

Strong corporate values and a focus on compliance

Operational focus

Strong control environment

Although many people think of cloud technologies as less secure or as carrying greater risk, such a statement is meaningless unless it rests on a direct and measured comparison against a specified environment or service. For instance, it would be incorrect to simply assume or state that cloud computing is a less secure delivery model for a customer relationship management (CRM) platform than the traditional model of an on-premise installation of the CRM application and its supporting infrastructure and databases. To assess the true level of security and risk associated with each model of ownership and consumption, the two platforms would need to be compared across the same range of factors and issues, allowing for a side-by-side comparison of the key deliverables and issues associated with each model.

In truth, the cloud may be more or less secure than your organization’s environment and current security controls depending on any number of factors, which include technological components; risk management processes; preventative, detective, and corrective controls; governance and oversight processes; resilience and continuity capabilities; defense in depth; and multifactor authentication.

Therefore, the approach to security varies depending on the provider and the ability for your organization to alter and amend its overall security posture prior to, during, and after migration or utilization of cloud services.

In the same way that no two organizations or entities are the same, neither are two CSPs. A one-size-fits-all approach is never good for security, so do not settle for it when utilizing cloud-based services.

The extensive use of automation within the cloud enables real-time monitoring and reporting on security control points, allowing for the establishment of continuous security monitoring regimes, enhancing the overall security posture of the organization consuming the cloud services. The benefits realized by the organization can include greater security visibility, enhanced policy and governance enforcement, and a better framework for management of the extended business ecosystem through a transition from an infrastructure-centric to a data-centric security model.

Cloud Computing Definitions

The following list forms a common set of terms and phrases you will need to become familiar with as a CCSP. Having an understanding of these items puts you in a strong position to communicate and understand technologies, deployments, solutions, and architectures within the organization as needed. This list is not comprehensive and should be used along with the vocabulary terms in Appendix B, “Glossary,” to form as complete a picture as possible of the language of cloud computing.

Anything as a service (XaaS):

The growing diversity of services available over the Internet via cloud computing as opposed to being provided locally or on premises.

Apache CloudStack:

An open source cloud computing and IaaS platform developed to help make creating, deploying, and managing cloud services easier by providing a complete stack of features and components for cloud environments.

Business continuity:

The capability of the organization to continue delivery of products or services at acceptable predefined levels following a loss of service.

Business continuity management:

A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause. It provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

Business continuity plan:

The creation of a strategy through the recognition of threats and risks facing a company, with an eye to ensure that personnel and assets are protected and able to function in the event of a disaster.

Cloud app:

Short for cloud application, cloud app describes a software application that is never installed on a local computer. Instead, it is accessed via the Internet.

Cloud Application Management for Platforms (CAMP):

CAMP is a specification designed to ease management of applications—including packaging and deployment—across public and private cloud computing platforms.

Cloud backup:

Cloud backup, or cloud computer backup, refers to backing up data to a remote, cloud-based server. As a form of cloud storage, cloud backup data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.

Cloud backup solutions:

Cloud backup solutions enable enterprises or individuals to store their data and computer files on the Internet using a storage service provider rather than storing the data locally on a physical disk, such as a hard drive or tape backup.

Cloud computing:

A type of computing, comparable to grid computing, that relies on sharing computing resources and using a network of remote servers to store, manage, and process data instead of using a local server or a personal computer.

Cloud computing accounting software:

Cloud computing accounting software is accounting software that is hosted on remote servers. It provides accounting capabilities to businesses in a fashion similar to the SaaS business model. Data is sent into the cloud, where it is processed and returned to the user. All application functions are performed offsite, not on the user’s desktop.

Cloud database:

A database accessible to clients from the cloud and delivered to users on demand via the Internet. Also referred to as database as a service (DBaaS), cloud databases can use cloud computing to achieve optimized scaling, high availability, multitenancy, and effective resource allocation.

Cloud enablement:

The process of making available one or more of the following services and infrastructures to create a public cloud computing environment: CSP, client, and application.

Cloud management:

Software and technologies designed for operating and monitoring the applications, data, and services residing in the cloud. Cloud management tools help ensure a company’s cloud computing–based resources are working optimally and properly interacting with users and other services.

Cloud migration:

The process of transitioning all or part of a company’s data, applications, and services from onsite premises behind the firewall to the cloud, where the information can be provided over the Internet on an on-demand basis.

Cloud OS:

A phrase frequently used in place of PaaS to denote an association to cloud computing.

Cloud portability:

In cloud computing terminology, this refers to the ability to move applications and their associated data between one CSP and another—or between public and private cloud environments.

Cloud provisioning:

The deployment of a company’s cloud computing strategy, which typically first involves selecting which applications and services will reside in the public cloud and which will remain onsite behind the firewall or in the private cloud. Cloud provisioning also entails developing the processes for interfacing with the cloud’s applications and services as well as auditing and monitoring who accesses and utilizes the resources.

Cloud server hosting:

A type of hosting in which hosting services are made available to customers on demand via the Internet. Rather than being provided by a single server or virtual server, cloud server hosting services are provided by multiple connected servers that comprise a cloud.

Cloud storage:

The storage of data online in the cloud, whereby a company’s data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.

Cloud testing:

Load and performance testing conducted on the applications and services provided via cloud computing—particularly the capability to access these services—to ensure optimal performance and scalability under a variety of conditions.

Desktop as a service:

A form of virtual desktop infrastructure (VDI) in which the VDI is outsourced and handled by a third party. Also called hosted desktop services, desktop as a service is frequently delivered as a cloud service along with the apps needed for use on the virtual desktop.

Enterprise application:

Describes applications—or software—that a business uses to assist the organization in solving enterprise problems. When the word enterprise is combined with application, it usually refers to a software platform that is too large and complex for individual or small business use.

Enterprise cloud backup:

Enterprise-grade cloud backup solutions typically add essential features such as archiving and disaster recovery (DR) to cloud backup solutions.

Eucalyptus:

An open source cloud computing and IaaS platform for enabling AWS-compatible private and hybrid clouds.

Event:

A change of state that has significance for the management of an IT service or other configuration item. The term can also be used to mean an alert or notification created by an IT service, configuration item, or monitoring tool. Events often require IT operations staff to take actions and lead to incidents being logged.

Host:

A device providing a service.

Hybrid cloud storage:

A combination of public cloud storage and private cloud storage in which some critical data resides in the enterprise’s private cloud and other data is stored and accessible from a public cloud storage provider.

IaaS:

IaaS is defined as computer infrastructure, such as virtualization, being delivered as a service. IaaS is popular in the data center where software and servers are purchased as a fully outsourced service and usually billed on usage and how much of the resource is used—compared with the traditional method of buying software and servers outright.

Incident:

An unplanned interruption to an IT service or reduction in the quality of an IT service.

Managed service provider:

An IT service provider in which the customer dictates both the technology and the operational procedures.

Mean time between failure (MTBF):

The measure of the average time between failures of a specific component or part of a system.

Mean time to repair (MTTR):

The measure of the average time it should take to repair a failed component or part of a system.

Mobile cloud storage:

A form of cloud storage that applies to storing an individual’s mobile device data in the cloud and providing the individual with access to the data from anywhere.

Multitenant:

In cloud computing, multitenant describes multiple customers (tenants) sharing the same underlying infrastructure or application instance, with each tenant’s data and configuration kept logically isolated from the others. The strength of that isolation is a central security question in any public cloud.

Node:

A connection point on a network, such as a physical device or endpoint.

Online backup:

In storage technology, online backup means to back up data from your hard drive to a remote server or computer using a network connection. Online backup technology leverages the Internet and cloud computing to create an attractive offsite storage solution with few hardware requirements for any business of any size.

PaaS:

The capability to deploy onto the cloud infrastructure consumer-created or acquired applications that are created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems (OSs), or storage, but has control over the deployed applications and possibly the configuration settings for the application-hosting environment.

Personal cloud storage:

A form of cloud storage that applies to storing an individual’s data in the cloud and providing the individual with access to the data from anywhere. Personal cloud storage also often enables syncing and sharing stored data across multiple devices such as mobile phones and tablet computers.

Private cloud:

Describes a cloud computing platform that is implemented within the corporate firewall, under the control of the IT department. A private cloud is designed to offer the same features and benefits of cloud systems but removes a number of objections to the cloud computing model, including control over enterprise and customer data, worries about security, and issues connected to regulatory compliance.

Private cloud project:

Companies initiate private cloud projects to enable their IT infrastructure to become more capable of quickly adapting to continually evolving business needs and requirements. Private cloud projects can also be connected to public clouds to create hybrid clouds.

Private cloud security:

A private cloud implementation aims to avoid many of the objections regarding cloud computing security. Because a private cloud is implemented within the corporate firewall, it remains under the control of the IT department; note, however, that this control does not by itself make the platform secure. The organization retains full responsibility for hardening, patching, tenant isolation, and monitoring that a public CSP would otherwise carry.

Private cloud storage:

A form of cloud storage in which both the enterprise data and the cloud storage resources reside within the enterprise’s data center and behind the firewall.

Problem:

The unknown cause of one or more incidents, often identified as a result of multiple similar incidents.

Public cloud storage:

A form of cloud storage in which the enterprise and storage service provider are separate and the data is stored outside of the enterprise’s data center.

Recovery point objective (RPO):

The RPO helps determine how much information must be recovered and restored. Another way of looking at the RPO is to ask yourself, “How much data can the company afford to lose?”

Recovery time objective (RTO):

A time measure of how fast you need each system to be up and running in the event of a disaster or critical failure.

SaaS:

A software delivery method that provides access to software and its functions remotely as a web-based service. SaaS allows organizations to access business functionality, often at a lower up-front cost than licensed applications, because SaaS is typically priced as a recurring subscription rather than a capital purchase.

Storage cloud:

Refers to the collection of multiple distributed and connected resources responsible for storing and managing data online in the cloud.

Vertical cloud computing:

Describes the optimization of cloud computing and cloud services for a particular vertical (for example, a specific industry) or specific-use application.

Virtual host:

A software implementation of a physical host.
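The MTBF, MTTR, RPO, and RTO definitions above are easier to apply once they are worked through numerically. The following Python is an added example, not code from the guide: it computes availability and expected annual downtime from MTBF and MTTR, checks a backup schedule against an RPO, and computes the critical path of a recovery runbook against an RTO (so it goes slightly beyond the definitions by handling parallel recovery steps). The component figures, backup schedule, and runbook steps are constructed sample values.

```python
"""Continuity metrics worked through: availability from MTBF/MTTR, an RPO
check for a backup schedule, and an RTO check for a recovery runbook.

Added example, not from the CCSP guide. All numbers are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass

MINUTES_PER_YEAR = 365 * 24 * 60


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability: the fraction of time a component is up."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def annual_downtime_minutes(mtbf_hours: float, mttr_hours: float) -> float:
    """Expected unplanned downtime per year implied by the MTBF and MTTR."""
    return (1.0 - availability(mtbf_hours, mttr_hours)) * MINUTES_PER_YEAR


def worst_case_data_loss_hours(interval_hours: float, duration_hours: float) -> float:
    """Worst-case data loss for backups started every `interval_hours` that
    take `duration_hours` to complete. If a failure hits just before a backup
    finishes, the newest usable copy is the previous one, whose data is as old
    as the interval plus the run time (each backup captures state at its start)."""
    return interval_hours + duration_hours


def rpo_met(interval_hours: float, duration_hours: float, rpo_hours: float) -> bool:
    """True if the schedule's worst-case loss stays within the RPO."""
    return worst_case_data_loss_hours(interval_hours, duration_hours) <= rpo_hours


@dataclass(frozen=True)
class Step:
    name: str
    minutes: float
    depends_on: tuple[str, ...] = ()


def recovery_time_minutes(steps: list[Step]) -> float:
    """Critical-path length of a runbook: steps run in parallel unless one
    depends on another, so total recovery time is the longest dependency chain."""
    by_name = {s.name: s for s in steps}
    finish: dict[str, float] = {}
    in_progress: set[str] = set()

    def finish_time(name: str) -> float:
        if name in finish:
            return finish[name]
        if name in in_progress:
            raise ValueError(f"dependency cycle at step {name!r}")
        in_progress.add(name)
        step = by_name[name]
        start = max((finish_time(d) for d in step.depends_on), default=0.0)
        finish[name] = start + step.minutes
        in_progress.discard(name)
        return finish[name]

    return max((finish_time(s.name) for s in steps), default=0.0)


def rto_met(steps: list[Step], rto_minutes: float) -> bool:
    """True if the runbook's critical path fits inside the RTO."""
    return recovery_time_minutes(steps) <= rto_minutes


# Constructed sample runbook: restore the VM, then DB and app in parallel,
# then cut DNS over once both are back.
SAMPLE_RUNBOOK = [
    Step("restore_vm", 20),
    Step("restore_db", 45, ("restore_vm",)),
    Step("restore_app", 15, ("restore_vm",)),
    Step("dns_cutover", 5, ("restore_db", "restore_app")),
]

if __name__ == "__main__":
    # Constructed sample figures for a single database server.
    print(f"availability: {availability(2000, 4):.5f}")
    print(f"expected downtime/year: {annual_downtime_minutes(2000, 4):.0f} min")
    print("RPO 4h met by 4h backups taking 30 min:", rpo_met(4, 0.5, 4))
    print("runbook critical path:", recovery_time_minutes(SAMPLE_RUNBOOK), "min")
    print("RTO 60 min met:", rto_met(SAMPLE_RUNBOOK, 60))
```

Two points the definitions alone do not make obvious: a 4-hour backup interval does not satisfy a 4-hour RPO once the backup's own run time is counted, and an RTO is met only by the longest dependency chain in the runbook, not by the sum or the average of the steps.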

Cloud Computing Roles

The following groups form the key roles and functions associated with cloud computing. They do not constitute an exhaustive list but highlight the main roles and functions within cloud computing:

Cloud backup service provider:

A third-party entity that manages and holds operational responsibilities for cloud-based data backup services and solutions to customers from a central data center.

Cloud computing reseller:

A company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells them to its own customers.

Cloud customer:

An individual or entity that utilizes or subscribes to cloud-based services or resources.

Cloud service auditor:

A third-party organization that verifies attainment of service-level agreements (SLAs).

Cloud services brokerage (CSB):

Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple CSPs. It acts as a liaison between cloud services customers and CSPs, selecting the best provider for each customer and monitoring the services. The CSB can be utilized as a middleman to broker the best deal and customize services to the customer’s requirements. The CSB may also resell cloud services.

CSP:

A company that provides cloud-based platform, infrastructure, application, or storage services to other organizations or individuals, usually for a fee; otherwise known to clients “as a service.”

Key Cloud Computing Characteristics

Think of the following as a rulebook or a set of laws when dealing with cloud computing. If a service or solution does not meet all of the following key characteristics, it is not true cloud computing.

On-demand self-service: The ability for a consumer to provision cloud resources on demand, whenever and wherever they are required, without human interaction with the provider. From a security perspective, this has made it harder to govern the use and provisioning of cloud-based services, because resources can be created in ways that violate organizational policies.

By its nature, on-demand self-service does not require a procurement cycle or approval from finance, and as such, it can be used by almost anyone with a credit card. For enterprise customers, this is most likely the least important characteristic, because self-service for the majority of end users is not of utmost importance.

Broad network access: The cloud, by its nature, is an always on and always accessible offering for users to have widespread access to resources, data, and other assets. Think convenience—access what you want, when you need it, from any location.

In theory, all you should require is Internet access and relevant credentials and tokens, which give you access to the resources.

The mobile device and smart device revolution that is altering the way organizations fundamentally operate has introduced an interesting dynamic into the cloud conversation within many organizations. These devices should also be able to access the relevant resources that a user may require; however, compatibility issues, the inability to apply security controls effectively, and the nonstandardization of platforms and software systems have limited this somewhat.

Resource pooling:

Lies at the heart of all that is good about cloud computing. More often than not, traditional, noncloud systems may see utilization rates for their resources between 80 percent and 90 percent for a few hours a week and rates at an average of 10 percent to 20 percent for the remainder. What the cloud looks to do is group (pool) resources for use across the user landscape or multiple clients, which can then scale and adjust to the user’s or client’s needs, based on their workload or resource requirements. CSPs typically have large numbers of resources available, from hundreds to thousands of servers, network devices, applications, and so on, which can accommodate large volumes of customers and can prioritize and facilitate appropriate resourcing for each client.

Rapid elasticity: Allows the user to obtain additional resources, storage, compute power, and so on, as the user’s need or workload requires. This is more often transparent to the user, with more resources added as necessary seamlessly.

Because cloud services utilize the pay-per-use concept, you pay for what you use. This is of particular benefit to seasonal or event-type businesses utilizing cloud services.

Think of a provider selling 100,000 tickets for a major sporting event or concert. Leading up to the ticket release date, little to no compute resources are needed; however, when the tickets go on sale, they may need to accommodate 100,000 users in the space of 30–40 minutes. This is where rapid elasticity and cloud computing can really be beneficial, compared with traditional IT deployments, which would have to invest heavily using capital expenditure (CapEx) to support such demand.

Measured service: Cloud computing offers a unique and important component that traditional IT deployments have struggled to provide—resource usage can be measured, controlled, reported, and alerted upon, which results in multiple benefits and overall transparency between the provider and the client. In the same way you may have a metered electricity service or a mobile phone that you top up with credit, these services allow you to control and be aware of costs. Essentially, you pay for what you use and have the ability to get an itemized bill or breakdown of usage.

A key benefit being availed by many proactive organizations is the ability to charge departments or business units for their use of services, thus allowing IT and finance to quantify exact usage and costs per department or by business function—something that was incredibly difficult to achieve in traditional IT environments.

In theory and in practice, cloud computing should have large resource pools to enable swift scaling, rapid movement, and flexibility to meet your needs at any given time within the bounds of your service subscription.

Without all these characteristics, it is simply not possible for the user to be confident and assured that the delivery and continuity of services will be maintained in line with potential growth or sudden scaling (either upward or downward). Without pooling and measured services, you cannot implement the cloud computing economic model.
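The measured-service chargeback described above, that is, metering resource usage and allocating cost to departments, is shown here as an added example in Python; it is not code from the guide. The record layout, the cost_center tag, and the unit rates are assumptions, and the usage records are constructed sample data. It also goes one step beyond the paragraph by flagging resources that carry no cost-center tag, because unallocated spend is usually where ungoverned self-service provisioning shows up first.

```python
"""Measured service in practice: turning metered usage into a per-department
chargeback report and flagging spend that cannot be allocated.

Added example, not from the CCSP guide. The record layout, the "cost_center"
tag and the unit rates are assumptions; the usage records are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from decimal import Decimal

CENT = Decimal("0.01")

# Assumed unit rates: VM types are billed per hour, storage per GB-hour.
UNIT_RATES = {
    "vm.small": Decimal("0.05"),
    "vm.large": Decimal("0.40"),
    "storage.gb": Decimal("0.0001"),
}

# Constructed usage records, in the shape a metering export might take.
USAGE_RECORDS = [
    {"id": "vm-1001", "type": "vm.small", "quantity": 720, "tags": {"cost_center": "finance"}},
    {"id": "vm-1002", "type": "vm.large", "quantity": 100, "tags": {"cost_center": "engineering"}},
    {"id": "vm-1003", "type": "vm.large", "quantity": 50, "tags": {}},  # nobody tagged this one
    {"id": "bucket-7", "type": "storage.gb", "quantity": 720 * 500, "tags": {"cost_center": "finance"}},
]


def line_cost(record: dict, rates: dict = UNIT_RATES) -> Decimal:
    """Cost of one record, rounded to the cent. Unknown types are an error:
    silently pricing them at zero would hide spend from the report."""
    rate = rates.get(record["type"])
    if rate is None:
        raise KeyError(f"no rate for resource type {record['type']!r}")
    return (Decimal(record["quantity"]) * rate).quantize(CENT)


def chargeback(records: list, rates: dict = UNIT_RATES, tag: str = "cost_center"):
    """Return (totals_by_cost_center, unallocated), where `unallocated` lists
    (resource id, cost) for every record missing the allocation tag."""
    totals: dict[str, Decimal] = defaultdict(lambda: Decimal("0"))
    unallocated: list[tuple[str, Decimal]] = []
    for rec in records:
        cost = line_cost(rec, rates)
        owner = rec["tags"].get(tag)
        if owner is None:
            unallocated.append((rec["id"], cost))
        else:
            totals[owner] += cost
    return dict(totals), unallocated


def itemized_bill(records: list, cost_center: str, rates: dict = UNIT_RATES, tag: str = "cost_center"):
    """Per-resource breakdown for one cost center: the itemized bill."""
    return [
        (rec["id"], rec["type"], rec["quantity"], line_cost(rec, rates))
        for rec in records
        if rec["tags"].get(tag) == cost_center
    ]


def unallocated_share(records: list, rates: dict = UNIT_RATES, tag: str = "cost_center") -> Decimal:
    """Fraction of total spend that no cost center owns; a useful governance
    metric for catching provisioning that bypassed the tagging policy."""
    totals, unallocated = chargeback(records, rates, tag)
    unowned = sum((cost for _, cost in unallocated), Decimal("0"))
    total = sum(totals.values(), Decimal("0")) + unowned
    if total == 0:
        return Decimal("0")
    return (unowned / total).quantize(Decimal("0.0001"))


if __name__ == "__main__":
    totals, unallocated = chargeback(USAGE_RECORDS)
    for owner, amount in sorted(totals.items()):
        print(f"{owner:<14} {amount:>8}")
    for rid, cost in unallocated:
        print(f"UNALLOCATED    {cost:>8}  ({rid}: add a cost_center tag)")
    print("unallocated share:", unallocated_share(USAGE_RECORDS))
```

Money is kept in Decimal rather than float so that totals reconcile exactly with the provider's invoice, and a resource type without a rate raises instead of costing zero; both are the kind of quiet errors that make a chargeback report untrustworthy.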

Cloud Transition Scenario

Consider the following scenario.

Due to competitive pressures, XYZ Corp is hoping to better leverage the economic and scalable nature of cloud computing. These pressures have driven XYZ Corp toward the consideration of a hybrid cloud model that consists of enterprise private and public cloud use. Although security risk has driven many of the conversations, a risk management approach has allowed the company to separate its data assets into two segments: sensitive and nonsensitive. IT governance guidelines must now be applied across the entire cloud platform and infrastructure security environment. This also affects infrastructure operational options. XYZ Corp must now apply cloud architectural concepts and design requirements that would best align with corporate business and security goals.

As a CCSP, you have several issues to address to guide XYZ Corp through its planned transition to a cloud architecture.

What cloud deployment model(s) would need to be assessed to select the appropriate ones for the enterprise architecture?

Based on the choice(s) made, additional issues may become apparent, such as these:

Who will the audiences be?

What types of data will they be using and storing?

How will secure access to the cloud be enabled, audited, managed, and removed?

When and where will access be granted to the cloud? Under what constraints (time, location, platform, and so on)?

What cloud service model(s) would need to be chosen for the enterprise architecture?

Based on the choice(s) made, additional issues may become apparent, such as these:

Who will the audiences be?

What types of data will they be using and storing?

How will secure access to the cloud service be enabled, audited, managed, and removed?

When and where will access be granted to the cloud service? Under what constraints (time, location, platform, and so on)?

Dealing with a scenario such as this requires the CCSP to work with the stakeholders in XYZ Corp to seek answers to the questions posed. In addition, the CCSP should carefully consider the information in Table 1.1 to craft a solution.

Table 1.1 Possible Solutions

Information Item

Possible Solution

Hybrid cloud model

Outsourced hosting in partnership with on-premise IT support

Risk-management-driven data separation

Data classification scheme implemented company wide

IT governance guidelines

Coordination of all governance, risk, and compliance (GRC) activities within XYZ Corp through a chief risk officer (CRO) role

Cloud architecture alignment with business requirements

Requirements gathering and documentation exercise driven by a project management office (PMO) or a business analyst (BA) function

Building Blocks

The building blocks of cloud computing are composed of random access memory (RAM), the central processing unit (CPU), storage, and networking. IaaS has the most fundamental building blocks of any cloud service: the processing, storage, and network infrastructure upon which all cloud applications are built. In a typical IaaS scenario, the service provider delivers the server, storage, and networking hardware and its virtualization, and then it’s up to the customer to implement the OSs, middleware, and applications required.

Cloud Computing Functions

As with traditional computing and technology environments, a number of functions are essential for creating, designing, implementing, testing, auditing, and maintaining the relevant assets. The same is true for cloud computing, with the following key roles representing a sample of the fundamental components and personnel required to operate cloud environments:

Cloud administrator: This individual is typically responsible for the implementation, monitoring, and maintenance of the cloud within the organization or on behalf of an organization (acting as a third party).

Most notably, this role involves the implementation of policies, permissions, access to resources, and so on. The cloud administrator works directly with system, network, and cloud storage administrators.

Cloud application architect: This person is typically responsible for adapting, porting, or deploying an application to a target cloud environment.

The main focus of this role is to work closely and alongside development and other design and implementation resources to ensure that an application’s performance, reliability, and security are all maintained throughout the lifecycle of the application. This requires continuous assessment, verification, and testing throughout the various phases of both the software and systems development lifecycles.

Most architects represent a mix or blend of system administration experience and domain-specific expertise—giving insight to the OS, domain, and other components, while identifying potential reasons the application may be experiencing performance degradation or other negative impacts.

Cloud architect: This role determines when and how a private cloud meets the policies and needs of an organization’s strategic goals and contractual requirements from a technical perspective.

The cloud architect is also responsible for designing the private cloud, is involved in hybrid cloud deployments and instances, and has a key role in understanding and evaluating the technologies, vendors, services, and other skillsets needed to deploy the private cloud or to establish and operate the hybrid cloud components.

Cloud data architect:

This individual is similar to the cloud architect. The data architect’s role is to ensure the various storage types and mechanisms utilized within the cloud environment meet and conform to the relevant SLAs and that the storage components are functioning according to their specified requirements.

Cloud developer:

This person focuses on development for the cloud infrastructure itself. This role can vary from client tools or solutions engagements to systems components. Although developers can operate independently or as part of a team, regular interactions with cloud administrators and security practitioners are required for debugging, code reviews, and relevant security assessment remediation requirements.

Cloud operator:

This individual is responsible for daily operational tasks and duties that focus on cloud maintenance and monitoring activities.

Cloud service manager:

This person is typically responsible for policy design, business agreement, pricing model, and some elements of the SLA (not necessarily the legal components or amendments that require contractual amendments). This role works closely with cloud management and customers to reach agreement and alongside the cloud administrator to implement SLAs and policies on behalf of the customers.

Cloud storage administrator:

This role focuses on the mapping, segregations, bandwidth, and reliability of storage volumes assigned. Additionally, this role may require ensuring that conformance to relevant SLAs continues to be met, working with and alongside network and cloud administrators.

Cloud Service Categories

Cloud service categories fall into three main groups: IaaS, PaaS, and SaaS. Each is discussed in the following sections.

IaaS

According to “The NIST Definition of Cloud Computing,” in IaaS, “the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include OSs and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over OSs, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).”4

Traditionally, infrastructure has always been the focal point for ensuring which capabilities and organization requirements could be met versus those that were restricted. It also represented possibly the most significant investments in terms of CapEx and skilled resources made by the organization. The emergence of the cloud has changed this traditional view of infrastructure’s role significantly by commoditizing it and allowing it to be consumed through an on-demand, pay-as-you-go model.

IaaS Key Components and Characteristics

The following form the basis for the IaaS service model:

Scale:

The requirement for automation and tools to support the potentially significant workloads of either internal users or those across multiple cloud deployments (dependent on which cloud service offering) is a key component of IaaS. Users and customers require optimal levels of visibility, control, and assurances related to the infrastructure and its ability to satisfy their requirements.

Converged network and IT capacity pool: This follows from the scale focus, but it looks to drill into the virtualization and service management components required to cover and provide appropriate levels of service across network boundaries.

From a customer or user perspective, the pool appears seamless and endless (no visible barriers or restrictions, along with minimal requirement to initiate additional resources) for both the servers and the network. These are (or should be) driven and focused at all times in supporting and meeting relevant platform and application SLAs.

Self-service and on-demand capacity:

This requires an online resource or customer portal that allows the customers to have complete visibility and awareness of the virtual IaaS environment they currently utilize. It additionally allows customers to acquire, remove, manage, and report on resources, without the need to engage or speak with resources internally or with the provider.

High reliability and resilience: