Cloud Security - Skills Development Resource
Introduction to Cloud
Introductions and Cloud Architecture
Cloud Essential Characteristics
Cloud Service Models
Cloud Deployment Models
Infrastructure Security for Cloud
Introduction to Infrastructure Security for Cloud Computing
Software Defined Network
Cloud Network Security
Securing Compute Workloads
Management Plane Security
Business Continuity and Disaster Recovery
Managing Cloud Security and Risk
Managing Cloud Security Risk
Legal Considerations for Cloud
Cloud Controls Matrix (CCM) is a CSA tool which maps cloud security control specifications to architectural relevance.
The Consensus Assessment Initiative Questionnaire (CAIQ) is a CSA document that providers can send to customers instead of answering customer RFP requests for security controls.
Cloud providers can publish their CAIQ and other security/compliance documentation at the Security, Trust and Assurance Registry (STAR) to help cloud prospects and customers assess the provider's current security posture.
The CSA tool that allows a quick search of a provider's assessment for controls that map to regulations of interest, and the responses to those controls, is STARWatch.
CSA Cloud Controls Matrix v3.0.1 does not map specifications to the FedRAMP high impact level.
The CSA Cloud Controls Matrix v3.0.1 contains 133 control specifications: https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix/
Now on version 4: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/
Data Security for Cloud
Cloud Data Storage and Data Moving to the Cloud
CASB and DLP (data loss prevention) are security tools used to help detect sensitive data migrating to the cloud.
Database is an object.
Data dispersion is for resilience.
Cloud Access Security Broker (CASB) ??(local) is the most cloud-native mode but is often not supported by smaller SaaS providers.
The preferred model for protecting data migrating to the cloud is encrypting network connections, proxy-based encryption and encrypted files.
Securing Data in the Cloud
Access control is the most fundamental/significant security control; the controls vary between providers, so use an entitlement matrix to document authorisations.
Cloud complicates access controls as there are more options, such as sharing privileges or access to the data's metadata. Volume describe allows users to view metadata.
Encryption for IaaS
There are layers which an admin can mix and match using a cloud encryption system matrix: volume storage encryption, instance-managed encryption and object storage encryption.
Layers are application, database, file/API and volume storage. Encrypt up or down the stack: application (discrete data) is the most fine-grained, volume (bulk data) the most broad, and the higher up the stack, the more complex. Components are keys, encryption engine and data; who owns them, where they are and how they are connected are important (where is the key, where is the encryption engine, where is the data). Externally managed encryption is the preferred method for IaaS volume storage, because the keys are separated from the encryption engine.
encryption system = key management + encryption engine + data
Instance-managed encryption is not the one to use, as the key is in the same place as the encryption engine. Client-side encryption is the option which encrypts data before you transfer it to object storage.
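The IaaS notes above (keys, encryption engine and data as separate components; keys kept away from the engine; client-side encryption before transfer to object storage) as an added Go example. This is not CSA's code and not any provider's SDK: KeyManager stands in for an external key service such as a KMS or HSM, EncryptionEngine is the client-side component, and the object ID and sample record are constructed. The wrapped data key is bound to the object ID through GCM's additional authenticated data, so a wrapped key copied from one object cannot be unwrapped for another, and the key manager never releases its KEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts plaintext with AES-256-GCM, binds it to aad, and prepends the nonce.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// aeadOpen reverses aeadSeal; a wrong key, tampered bytes or mismatched aad makes it fail.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob shorter than nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// KeyManager stands in for the externally managed key service (the "keys" component):
// it keeps the key-encryption key (KEK) to itself and only wraps/unwraps per-object data keys.
type KeyManager struct{ kek []byte }

func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

// GenerateDataKey returns a fresh data key in the clear plus the same key wrapped under the KEK, bound to objectID.
func (km *KeyManager) GenerateDataKey(objectID string) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = aeadSeal(km.kek, plain, []byte(objectID))
	return plain, wrapped, err
}

// UnwrapDataKey fails if the wrapped key is presented for a different object.
func (km *KeyManager) UnwrapDataKey(objectID string, wrapped []byte) ([]byte, error) {
	return aeadOpen(km.kek, wrapped, []byte(objectID))
}

// EncryptedObject is all that reaches object storage; neither the KEK nor a plaintext data key leaves the client.
type EncryptedObject struct {
	ID         string
	WrappedKey []byte
	Ciphertext []byte
}

// EncryptionEngine is the client-side "encryption engine": a separate component that never sees the KEK.
type EncryptionEngine struct{ Keys *KeyManager }

// EncryptForUpload encrypts data before it is transferred to object storage.
func (e EncryptionEngine) EncryptForUpload(id string, data []byte) (EncryptedObject, error) {
	dk, wrapped, err := e.Keys.GenerateDataKey(id)
	if err != nil {
		return EncryptedObject{}, err
	}
	ct, err := aeadSeal(dk, data, []byte(id))
	if err != nil {
		return EncryptedObject{}, err
	}
	return EncryptedObject{ID: id, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt asks the key manager to unwrap the data key, then opens the object.
func (e EncryptionEngine) Decrypt(obj EncryptedObject) ([]byte, error) {
	dk, err := e.Keys.UnwrapDataKey(obj.ID, obj.WrappedKey)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dk, obj.Ciphertext, []byte(obj.ID))
}
```

Usage: create a KeyManager, wrap it in an EncryptionEngine, call EncryptForUpload("reports/q1.csv", data) and store the returned EncryptedObject; only the engine that can reach the same key manager can Decrypt it. Handing the KEK to the engine (or keeping it on the instance) would collapse this back into instance-managed encryption, which is exactly what the notes advise against.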
Encryption for PaaS and SaaS
More complex than IaaS. There are lots of services (application, database and other) and all of these can be encrypted. Transparent database encryption (TDE) for databases. Other services (message queues etc.): encrypt within the app code, i.e. encrypt before sending to the platform.
Application server is where the logic exists. App server <----> encryption engine; data is stored in the database.
SaaS encryption can be provider managed or customer managed.
Proxy encryption for SaaS is like a man-in-the-middle doing the encryption/decryption.
Options for PaaS encryption are application, database and provider. Managed encryption is not shared with other tenants. Proxy encryption means breaking secure connections to the cloud provider.
Encryption Key Management
Cloud key management, provider key management.
Layers are HSM/appliance (hardware), virtual appliance/software, hybrid and cloud provider service. Provider encrypts (risk) vs user controls the key (layers of key management), BYOK.
Hybrid allows you to use an existing build for key management without replicating everything in the cloud.
Cloud key management options:
- Provider managed (low level sec)
- Customer managed (3rd party/customer managed)
- Customer key manager
- HSM (top sec)
Other Data Security Options
This is about data security architecture, controls and data masking.
Good architecture reduces the network attack surface.
Data security controls: auditing, monitoring and alerting (provider specific), data loss prevention (DLP) for SaaS, and digital rights management (DRM).
Data masking is changing data with a tool so that it is masked; the result can be used as test data because it still resembles production data. In a test or dev environment, scramble it. Logs of some events in the cloud environment may not be available depending on the provider.
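Data masking for a test/dev copy as an added Go example; it is not code from the page or from the CSA guidance. The Masker type and its field rules are assumptions, and the secret and records are constructed. Pseudonyms are derived with HMAC-SHA256 under a secret that stays in production, so the same customer masks to the same value in every table (joins keep working) while the masked data alone cannot be reversed; card numbers keep their length and last four digits so format checks still pass.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a constructed production-like row of the kind copied to test.
type Record struct {
	CustomerID string
	Name       string
	Email      string
	Card       string
}

// Masker replaces identifying values with pseudonyms derived by HMAC-SHA256
// under a secret that never leaves production.
type Masker struct{ secret []byte }

func NewMasker(secret []byte) Masker { return Masker{secret: secret} }

// token returns the first n hex characters of HMAC(secret, value).
func (m Masker) token(value string, n int) string {
	mac := hmac.New(sha256.New, m.secret)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))[:n]
}

// MaskEmail keeps the shape of an address but drops both the local part and
// the real domain; .test is a reserved TLD, so masked mail can never be delivered.
func (m Masker) MaskEmail(email string) string {
	return "user-" + m.token(strings.ToLower(email), 10) + "@example.test"
}

// MaskCard keeps only the last four digits and the original digit count.
func (m Masker) MaskCard(card string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, card)
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// MaskRecord applies the per-field rules; the customer ID stays stable across tables.
func (m Masker) MaskRecord(r Record) Record {
	return Record{
		CustomerID: "cust-" + m.token(r.CustomerID, 12),
		Name:       "Customer " + strings.ToUpper(m.token(r.Name, 6)),
		Email:      m.MaskEmail(r.Email),
		Card:       m.MaskCard(r.Card),
	}
}

func main() {
	// Constructed secret and rows; the secret would come from the production
	// key store and is never copied into the test environment.
	m := NewMasker([]byte("constructed-masking-secret"))
	rows := []Record{
		{"C-1001", "Alice Smith", "alice@corp.example", "4111 1111 1111 1111"},
		{"C-1001", "Alice Smith", "alice@corp.example", "5500 0000 0000 0004"},
	}
	for _, r := range rows {
		fmt.Printf("%+v\n", m.MaskRecord(r))
	}
}
```

Because the pseudonym depends on the secret, a second environment given a different secret produces unrelated values, which is the property you want when separate test teams must not be able to correlate their copies.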
Data Security Lifecycle
A lightweight tool to understand data flow: potential/desired data usage, the in and out of data across locations, the life of the data, its locations and phases.
Phases --> create, store, use, share, archive, destroy --> functions: read, write and delete. Who are the actors and what are the locations; controls are put in place. Leads to an entitlement matrix and a mapping control table of where data flows through the phases and how it may be accessed.
Security controls are used to reduce what is possible to what should be allowed within the context of the lifecycle.
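The lifecycle notes above as an added Go example, not code from the page or from CSA. Lifecycle, Access, Permit and RequiredControls are hypothetical names, and SampleLifecycle is a constructed mapping table. The point it shows is the last sentence: the difference between the "possible" table (what the platform lets an actor do in a phase and location) and the "allowed" table (the entitlement matrix) is exactly the set of controls that must exist.

```go
package main

import (
	"fmt"
	"sort"
)

// Phase is a stage of the data security lifecycle as listed in the notes.
type Phase string

const (
	Create  Phase = "create"
	Store   Phase = "store"
	Use     Phase = "use"
	Share   Phase = "share"
	Archive Phase = "archive"
	Destroy Phase = "destroy"
)

// Function is what an actor does to the data (the notes list read, write, delete).
type Function string

const (
	Read   Function = "read"
	Write  Function = "write"
	Delete Function = "delete"
)

// Access is one row of the mapping table: which actor, in which location, during which phase.
type Access struct {
	Actor    string
	Location string
	Phase    Phase
}

// Gap is one possible-but-not-allowed function that a control must block.
type Gap struct {
	Access
	Function Function
}

func (g Gap) String() string {
	return fmt.Sprintf("%s@%s/%s:%s", g.Actor, g.Location, g.Phase, g.Function)
}

// Lifecycle holds the two tables the notes describe: what the platform makes
// possible and what the entitlement matrix says should be allowed.
type Lifecycle struct {
	Possible map[Access][]Function
	Allowed  map[Access][]Function
}

func contains(fs []Function, f Function) bool {
	for _, x := range fs {
		if x == f {
			return true
		}
	}
	return false
}

// Permit is the decision a control enforces: a function is permitted only if
// it is both technically possible and explicitly entitled.
func (l Lifecycle) Permit(a Access, f Function) bool {
	return contains(l.Possible[a], f) && contains(l.Allowed[a], f)
}

// RequiredControls lists every possible-but-not-allowed combination; each is
// a place where a control (IAM policy, bucket policy, DLP rule, ...) has to
// reduce what is possible to what should be allowed. Output is sorted so it is stable.
func (l Lifecycle) RequiredControls() []Gap {
	var gaps []Gap
	for a, fs := range l.Possible {
		for _, f := range fs {
			if !contains(l.Allowed[a], f) {
				gaps = append(gaps, Gap{Access: a, Function: f})
			}
		}
	}
	sort.Slice(gaps, func(i, j int) bool { return gaps[i].String() < gaps[j].String() })
	return gaps
}

// SampleLifecycle is a constructed mapping table: the object store lets every
// principal read, write and delete, but the entitlement matrix is narrower.
func SampleLifecycle() Lifecycle {
	all := []Function{Read, Write, Delete}
	app := Access{"app-service", "eu-west", Use}
	analyst := Access{"analyst", "eu-west", Use}
	backup := Access{"backup-job", "eu-west", Archive}
	return Lifecycle{
		Possible: map[Access][]Function{app: all, analyst: all, backup: all},
		Allowed:  map[Access][]Function{app: {Read, Write}, analyst: {Read}, backup: {Read, Write}},
	}
}
```

Running SampleLifecycle().RequiredControls() yields four gaps (analyst delete and write, app-service delete, backup-job delete in the archive phase); each one is a row to add to the mapping control table with the control that enforces it. An actor that appears in neither table is denied by Permit, which is the safe default.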
Securing Cloud Applications, Users and Related Technologies
Secure Software Development Lifecycle (SSDLC)
Testing and Assessment
DevOps and Immutable
Secure Operations, Architecture, & Related Technologies
Identity and Access Management (IAM) Definitions
Identity and Access Management (IAM) Standards
Identity and Access Management (IAM) in Practice
Cloud Security Operations
Selecting a Cloud Provider
Domain 14 Considerations
Full course content: https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/security-guidance-v4-FINAL.pdf