Cloud Security

Cloud Security - Skills Development Resource

Introduction to Cloud
Introductions and Cloud Architecture  
Cloud Essential Characteristics
Cloud Service Models   
Cloud Deployment Models  
Shared Responsibilities

Infrastructure Security for Cloud

Introduction to Infrastructure Security for Cloud Computing
Software Defined Network 
Cloud Network Security   
Securing Compute Workloads
Management Plane Security
Business Continuity and Disaster Recovery

Managing Cloud Security and Risk

Managing Cloud Security Risk 
Legal Considerations for Cloud  
CSA Tools

The Cloud Controls Matrix (CCM) is a CSA tool which maps cloud security control specifications to architectural relevance.

The Consensus Assessment Initiative Questionnaire (CAIQ) is a CSA document that can be sent to customers in place of customer RFP requests for security controls.

Cloud providers can publish their CAIQ and other security/compliance documentation at the Security, Trust and Assurance Registry (STAR) to help cloud prospects and customers assess the provider's current security posture.

The CSA tool that allows a quick search of a provider's assessment for controls that map to regulations of interest, and the responses to these controls, is STARWatch.

The CSA Cloud Controls Matrix v3.0.1 does not map specifications to the FedRAMP high impact level.

The CSA Cloud Controls Matrix v3.0.1 contains 133 control specifications.

The CCM is now on version 4.

Data Security for Cloud

Cloud Data Storage and Data Moving to the Cloud

CASB and DLP (data loss prevention) are security tools used to help detect sensitive data migrating to the cloud.

A database is an object.

Data dispersion is for resilience.

Cloud Access Security Brokers (CASB) ??(local) are the most cloud-native option but are often not supported by smaller SaaS providers.

The preferred model for protecting data migrating to the cloud is encrypting network connections, proxy-based encryption and encrypted files.

Securing Data in the Cloud

Access control is the most fundamental and significant security control. Controls vary between providers, so use an entitlement matrix to document authorisation.

Cloud complicates access controls as there are more options, such as sharing privileges or access to the data's metadata. A "volume describe" permission, for example, allows users to view metadata.

Encryption for IaaS 

There are layers which an admin can mix and match using a cloud encryption system matrix: volume storage encryption, instance-managed encryption and object storage encryption.

Layers are application, database, file/API and volume storage. Encrypt up or down the stack: application (discrete data) is the most fine-grained, volume (bulk data) the broadest, and encryption gets more complex towards the top of the stack. The components are the keys, the encryption engine and the data. Who owns them, where they are and how they are connected are important, so ask where the key, the encryption engine and the data each sit. Externally managed encryption is the preferred method for volume storage in IaaS: the keys are separated from the encryption engine.

encryption system = key management + encryption engine + data

Instance-managed encryption is not the one to use, as the key is in the same place as the encryption engine. Client-side encryption is the option which encrypts data before you transfer it to object storage.

Encryption for PaaS and SaaS    

More complex than IaaS. There are lots of services for application, database and other uses, and all of these can be encrypted: transparent database encryption (TDE) for databases; for the others (message queues etc.) encrypt within the application code, i.e. encrypt before sending to the platform.

The application server is where the logic exists. App server <----> encryption engine; data stored in the database.

SaaS can be provider managed or customer managed.

Proxy encryption for SaaS is like a man-in-the-middle encryption/decryption.

Options for PaaS encryption are application, database and provider. Managed encryption is not shared with other tenants. Proxy encryption means breaking secure connections to the cloud provider.

Encryption Key Management

Cloud key, provider key management

Layers are HSM/appliance (hardware), virtual appliance/software, hybrid and cloud provider service. The provider encrypts (and carries the risk) while the user controls the key (layers of key management): BYOK.

Hybrid allows you to use an existing key management build without replicating everything in the cloud.

Cloud key management options:

  • Provider managed (low level sec)
  • Customer managed (3rd party/customer managed)
  • Customer key manager
  • HSM (top sec)

Other Data Security Options

This is about data security architecture, controls and data masking.

Good architecture reduces network attack surface.

Data security controls: auditing, monitoring and alerting (provider specific), data loss prevention (DLP) for SaaS, and digital rights management.

Data masking uses a tool to alter (scramble) data so that it can be used as test data, since it still resembles production data; use it for test data in a test or dev environment. Logs of some events in the cloud environment may not be available depending on the provider.
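An added example (not from the course material) of what a masking tool does before production-like data is handed to a test environment: card numbers are format-preserved with only the last four digits kept, e-mail local parts become keyed pseudonyms so joins still work, and a final check confirms no sensitive column still carries its production value. The records and the masking key are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample of production-like records; all values are made up for this example.
PRODUCTION_ROWS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "card": "4111 1111 1111 1111", "balance": "1250.00"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org",
     "card": "5500 0000 0000 0004", "balance": "87.50"},
]

# Assumed masking secret. It stays with the masking tool, not in the test environment,
# so the pseudonyms cannot be re-derived or reversed there.
MASK_KEY = b"constructed-masking-key"


def mask_email(email: str) -> str:
    """Replace the local part with a keyed, deterministic pseudonym and keep the domain,
    so tests still see realistic addresses and joins on the email column still line up."""
    local, domain = email.split("@", 1)
    token = hmac.new(MASK_KEY, local.lower().encode(), hashlib.sha256).hexdigest()[:10]
    return f"user_{token}@{domain}"


def mask_card(card: str) -> str:
    """Format-preserving mask: keep only the last four digits, as on a receipt."""
    digits = re.sub(r"\D", "", card)
    return "**** **** **** " + digits[-4:]


def mask_row(row: dict) -> dict:
    """Mask the sensitive columns; non-sensitive columns (id, balance) stay as test data."""
    masked = dict(row)
    masked["name"] = f"Test User {row['id']}"
    masked["email"] = mask_email(row["email"])
    masked["card"] = mask_card(row["card"])
    return masked


def leaks_production_values(masked: dict, original: dict) -> bool:
    """True if any sensitive column still equals its production value (run before shipping to dev)."""
    return any(masked[col] == original[col] for col in ("name", "email", "card"))


def mask_dataset(rows: list) -> list:
    return [mask_row(r) for r in rows]


if __name__ == "__main__":
    for row in mask_dataset(PRODUCTION_ROWS):
        print(row)
```
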

Data Security Lifecycle

A lightweight tool to understand data flow and potential/desired data usage: the movement of data in and out of locations, the life of the data, its location and its phases.

Phases: created, stored, used, shared, archived, destroyed. Functions: read, write and delete. Identify who the actors are and the locations, then controls are put in place. This leads to an entitlement matrix and a mapping control table showing where data flows in each phase and how it may be accessed.

Security controls are used to reduce what is possible to what should be allowed within the context of the lifecycle.
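An added example (not from the course material) that models the entitlement matrix from the access-control notes and the lifecycle notes above together: actors, locations, phases and the read/write/delete functions, with a "possible" set and an "allowed" set, so that the difference between them is exactly where a control is needed. The dataset, actors and locations are constructed for this example.

```python
# Lifecycle phases and the functions that can act on data, as listed in the notes above.
PHASES = ("create", "store", "use", "share", "archive", "destroy")
FUNCTIONS = ("read", "write", "delete")

# Constructed sample: a customer-records dataset held in a cloud object store and an
# on-prem archive. POSSIBLE is what each actor can technically do in each location.
POSSIBLE = {
    ("app_service", "cloud_object_store"): {"read", "write", "delete"},
    ("analyst", "cloud_object_store"): {"read", "write", "delete"},
    ("analyst", "onprem_archive"): {"read", "delete"},
    ("backup_job", "onprem_archive"): {"read", "write", "delete"},
}

# Entitlement matrix: what *should* be allowed, per actor, location and lifecycle phase.
ENTITLEMENTS = {
    ("app_service", "cloud_object_store", "create"): {"write"},
    ("app_service", "cloud_object_store", "use"): {"read", "write"},
    ("analyst", "cloud_object_store", "use"): {"read"},
    ("analyst", "cloud_object_store", "share"): {"read"},
    ("backup_job", "onprem_archive", "archive"): {"write"},
    ("backup_job", "onprem_archive", "destroy"): {"delete"},
}


def decide(actor: str, location: str, phase: str, function: str) -> str:
    """Evaluate one access: impossible actions need no control, entitled ones are
    allowed, and everything else is what a control has to block."""
    if phase not in PHASES or function not in FUNCTIONS:
        raise ValueError("unknown phase or function")
    if function not in POSSIBLE.get((actor, location), set()):
        return "not possible"
    if function in ENTITLEMENTS.get((actor, location, phase), set()):
        return "allowed"
    return "deny: control required"


def control_mapping() -> dict:
    """Mapping control table: per phase, the (actor, location, function) accesses the
    matrix permits, i.e. where data flows and how it may be accessed in that phase."""
    table = {phase: [] for phase in PHASES}
    for (actor, loc, phase), funcs in sorted(ENTITLEMENTS.items()):
        table[phase].extend((actor, loc, f) for f in sorted(funcs))
    return table


def gaps() -> list:
    """Possible-but-never-entitled actions: the reduction from 'what is possible' to
    'what should be allowed' that controls (IAM policy, retention lock, ...) must enforce."""
    found = []
    for (actor, loc), funcs in POSSIBLE.items():
        entitled = [fs for (a, l, _p), fs in ENTITLEMENTS.items() if (a, l) == (actor, loc)]
        found.extend((actor, loc, f) for f in sorted(funcs - set().union(*entitled)))
    return sorted(found)
```
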

Securing Cloud Applications, Users and Related Technologies

Secure Software Development Lifecycle (SSDLC)
Testing and Assessment
DevOps and Immutable
Secure Operations, Architecture, & Related Technologies
Identity and Access Management (IAM) Definitions
Identity and Access Management (IAM) Standards   
Identity and Access Management (IAM) in Practice

Cloud Security Operations

Selecting a Cloud Provider   
Incident Response
SECaaS Fundamentals  
SECaaS Categories 
Domain 14 Considerations

Full course content