CCSP思维导图
2023-07-24 15:25:21 1 举报
AI智能生成
当前最新
作者其他创作
大纲/内容
NIST SP 800-145
云计算定义Cloud computing definitions
The business or individual consuming cloudservices
Often using cloud to complement/augment existing on-premises compute. 补充/增加
云服务客户cloud service customer
font color=\"#e74f4c\
云服务供应商 CSPcloud service provider
Help organizations to obtain and deploy cloudservices.
云服务合作伙伴cloud service partner
an entity that font color=\"#e74f4c\
negotiates relationships between cloud providers(CSPs) and cloud consumers.
Service Intermediationenhances a given service by improving specific capabilitiesand providing value-added services to cloud consumers.
Service Aggregationcombines and integrates multiple services into one or morenew services.
Service Arbitragemeans a broker has the flexibility to choose services frommultiple agencies.
Functions of a Cloud Broker
云服务代理cloud service broker
监管机构regulator
Third party that can conduct an font color=\"#e74f4c\
CSACloud Service Auditor
Cloud administrator
Cloud application architect
Designs and develops solutions.
Cloud architect
Responsible for daily operational tasks.
Cloud operator
Cloud data architect
Cloud service manager
Manages storage volume/repository assignment and configuration.
Cloud storage administrator
Oversees business and billing administration.
cloud service business manager
Cloud service operations manager
maintains the security environment forcompanies
may provide an outsourced securityoperations center (SoC) and incidentresponse
安全托管服务提供商 MSSPmanaged security service provider
云计算角色和职责Cloud computing roles and responsibilities
Customers can scale their compute and storage needs with little orno intervention or prior communication from the provider.
按需自助服务on-demand self-service
Services are consistently accessible over the network regardless ofthe users physical location
广泛的网络访问broad network access
Which means many different customers share use of the samecomputing resources.
Physical servers that support our workloads might be the samephysical servers supporting other customers' workloads.
Why?Because in the big picture customers won't becollectively using all of that capacity simultaneously.
Oversubscription
多租户multi-tenancy
Allows the customer to grow or shrink the IT footprint as necessary tomeet needs without excess capacity.
The ability of a system to automatically grow and shrinkbased on app demand.
Elasticity
The ability of a system to handle growth of users or work.Ability to grow as demand increases.
Scalability
快速弹性和可伸缩性rapid elasticity and scalability
Enables cloud provider to apportion resources as needed acrossmultiple customers so resources are not underutilized or overtaxed.
Enables cloud provider to make capital investments that greatlyexceed what any single customer could provide on their own.
Allows the cloud provider to meet various demands fromcustomers while remaining financially viable.
Can result in some degree oflocation dependence beyond customer control.
DISADVANTAGE
资源池化resource pooling
means that almost everything you do in the cloud is metered(measured and tracked) for management and billing purposes.
number of minutes of virtual server compute timeAmount of disk space you consumeNumber of function calls you makeAmount of network egress and ingress
common metrics
可度量服务 aka metered servicemeasured service
云计算关键特性Key cloud computing characteristics
Infrastructure-as-a-Service (laas)is the basisfor compute capacity in the cloud.
Customer installs middleware and applications.
Customer only pays for what they use. Chargesstop when instance is stopped or deleted.
compute
Cloud networking is all virtualized to allowcustomers to design and customize to their needs.
Enables customers to segment networks andrestrict access however they would like.
Physical network components are virtualized intoa software-defined network (SDN)
Management plane: the business applications that manage theunderlying control plane are exposed with northbound interfaces
Control plane:Control of network functionality and programmabilityismade directly to devices at this layer.
Data plane:The network switches and routers located at this plane areassociated with the underlying network infrastructure.
3个平面
Northbound interface
OpenFlow protocol interfaces with devices through southbound interfaces.
SDN
网络networking
Ephemeral is relevant for laas instances andexists only as long as the instance (VM)is up
Raw storage maps a logical unit number (LUN)on a storage area network(SAN) to a VM.
Long term storage typically use either Volume orobject storage infrastructure.
Long-term storage offered by some CSPs istailored to the needs of data archiving.
三种存储类型
font color=\"#000000\
ensures that all copies of the data have been duplicated among allrelevant copies before finalizing the transaction to increase availability.
Strict consistency
Data changes are 'eventually' transferred to all datacopies via asynchronous propagation over the network
Eventual consistency
存储一致性Storage Consistency
Content/file storage: File-based content stored within the application
Information storage and management: Data entered into the system via the web interfaceand stored within the Saas application.
存储storage
Multiple options available and multiple flavors ofrelational (SQL) and non-relational (NoSQL)
Managed database services (Paas) options shiftinfrastructure maintenance to the CSP.
laas (VM) hosted databases are an option wherePaas is not possible or practical.
数据库databases
Cloud orchestration creates automatedworkflows for managing cloud environments.
Builds on the foundation of font color=\"#e74f4c\
编排orchestration
Type1 \"Bare metal\"
Type2 \"Hosted\"
虚拟化virtualization
构建块技术Building block technologies
virtual machines (VM)virtual desktop infrastructure (VDI)software-defined networks (SDN)virtual storage area networks (SAN)
Storing data in the cloud font color=\"#e74f4c\
The cloud service provider (CSP) provides the leastamount of maintenance and security in the laas model.
Security issues with cloud-based assets
虚拟资产virtual assets
1.1 了解云计算概念Understand cloud computing concepts
ISO 17789 Cloud Reference Architecture
Use cloud servicesPerform service trialsMonitor servicesAdminister service securityProvide billing and usage reportsHandle problem reportsAdminister tenanciesPerform business administrationSelect and purchase serviceRequest audit reports
customer
Prepare systems and provide cloud servicesMonitor and administer servicesManage assets and inventoriesProvide audit dataManage customer relationshipsHandle customer requestsPerform peering with other cloud service providersEnsure complianceProvide network connectivity
cloud service provider
cloud service partner
云计算活动Cloud computing activities
CSP allows the customer to focus on their business use cases.
应用能力类型application capability types
平台能力类型platform capability types
基础设施能力类型 infrastructure capability types
云服务能力Cloud service capabilities
主要好处
基础设施即服务 (IaaS)Infrastructure as a Service (IaaS)
Customer is responsible for deployment and management of apps
Core infrastructure updated by providerGlobal collaboration for app developmentRunning multiple languages seamlessly
key benefits
平台即服务 (PaaS)Platform as a Service (PaaS)
Customer just configures features.
Customer has some responsibility inaccess management and'data recovery
共享责任模型
Limited administration responsibilityLimited skills requiredService always up-to-dateGlobal access
Key Benefits
软件即服务 (SaaS)Software as a Service (SaaS)
Serverless
a cloud computing execution model wherethe cloud provider dynamically managesthe allocation and provisioning of servers.
hosted as pay-as-you-go model based on use.
Serverless ArchitectureEXample:Function-as-service
Provisioning of multiple business services iscombined with different IT services toprovide a single business solution.
ServicesIntegration
云服务类别Cloud service categories
Everything runs on your cloud provider's hardware.
现收现付制(Pay As You Go)
公共云public
A cloud environment in your own datacenter
A cloud environment dedicated to a single customer
Enables greater control of upgrade cycles in legacy apps and some compliance scenarios
私有云private
Enables the organization to control the pace of public cloud adoption
混合云hybrid
Similar to private clouds in that they are not open the general public
But they are shared by several related organizations in a common community
社区云community
Combines resources from two or more public cloud providers
多云multi-cloud
云部署模型Cloud deployment models
Ability of one cloud service to interact with other cloud services byexchanging information according to a prescribed method and obtainpredictable results.
Most CSPs have a cloud marketplace with certified apps and services
Policy
Where the results of the use of the exchangedinformation matches the expected outcome
Behavioral
Transport
Syntactic
Semantic data
5个特征
互操作性interoperability
1. SyntacticTransferring data from a source system to a target systemusing formats that can be decoded bn the target systemwith features like XML or Open Virtualization Format (OVF)
2. SemanticTransferring data from a source system to a target systemso that the data model is understood within the context ofthe subject area by the target
3个特征
Cloud data portability is the ability to easily move data from one cloud service to another without the need to re-enter the data.
cloud applieation portability is the ability to migrate an application from one CSP to another or between a customer's environment and a cloud service.Portability prevents 'vendor lock-in'
可移植性portability
Process for cloud service customers to retrieve their data andapplication artifacts AND
for the CSP to delete all cloud service customer data and contractuallyspecified cloud service derived data after an agreed period.
Customer access to data also appears in requlations (e.g.GDPR)
可逆性reversibility
Systems and resource availability defines the success or failure of a cloud-based service.
Check service-level SLAs and how multi-service SLAs are calculated.
可用性availability
Protection of customer dataspan style=\"font-size: inherit;\
安全性security
Privacy vs Confidentiality
Data breaches have brought data privacy to the forefront as a crucial factor in cloud computing.
Prominent sources of privacy concerns
隐私privacy
AzureGeography
A set of datacenters deployed within alatency-defined perimeter and connectedthrough a dedicated regional low-latencynetwork.
Azure Regions
A relationship between 2 Azure Regionswithin the same geographic region fordisaster recovery purposes.
Region Pairs
Comprised of one or more datacenters
Tolerant to datacenter failuresvia redundancy and isolation
Availability Zones
弹性resiliency
Ability of a service to remain responsive to requests to that service withan acceptable level of response latency or processing time.
Public cloud delivers the perception of unlimited scale for than for lessthan the cost a customer would incur in their own datacenter.
性能performance
CSPs often have policy automation in which restrictions can be definedand automatically enforced throughout the service lifecycle.
治理governance
维护和版本控制maintenance and versioning
Stipulate performance expectations such asmaximum downtimes and often include penalties ifthe vendor doesn't meet expectations.
服务等级和服务等级协议 (SLA)service levels and service-level agreements (SLA)
Auditability is only possible with proper loggingproviding accountability and traceability
Accountability. Ability to determine who caused the event.This isknown sometimes called \"identity attribution\". (Requires non-repudiation)
Traceability. Ability to track down all events related to theinvestigated event.
Related activities
可审计性auditability
监管regulatory
外包outsourcing
云共享考虑因素Cloud shared considerations
The study of data to extract meaningful insights for business
Cybersecurity Data Science (CSDS)
数据科学data science
机器学习machine learning
Focuses on accomplishing \"smart\"taskscombining machine learning and deeplearning to emulate human intelligence
人工智能 (AI)artificial intelligence (AI)
a subfield of machine learning concerned withalgorithms inspired by the structure and functionof the brain called artificial neural networks.
深度学习Deep Learning
Blockchain was originally the technology thatpowered Bitcoin but has broader uses.
Does not use intermediaries such as banks and financial institutions.
Data is \"chained together\"with a block of data holding both thehash for that block and the hash of the preceding block.
区块链blockchain
A class of devices font color=\"#e74f4c\
Every device that you put on your network to manage has a default username and adefault password.
Simply change defaults to shut down this attack vector!
Default settings
Wareables
Enable facility managers to be able to configure automation and monitoring ofdevice function.
Facility automation.
Sensors
物联网 (IoT)Internet of Things (IoT)
Reduces overhead of server virtualization by enablingcontainerized apps to run on a shared OS kernel.
Share many concerns of server virtualization: font color=\"#e74f4c\
容器containers
A rapidly-emerging technology that harnesses the laws of quantummechanics to solve problems too complex for classical computers.
Replaces the binary one and zero bits of digital computing withmultidimensional quantum bits known as qubits.
量子计算quantum computing
the practice of harnessing the principles of quantum mechanics to improve securityand to detect whether a third party is eavesdropping on communications.
Quantum cryptography
is the most common example of quantum cryptography.
by transferring data font color=\"#e74f4c\
Quantum Key Distribution
Post-quantum cryptography refers to cryptographic algorithms (usually public-keyalgorithms)that are thought to be secure against an attack by a quantum computer.
Post-quantum cryptography focuses on preparing for the era of quantum computingby updating existing mathematical-based algorithms and standards.
The development of new kinds of cryptographicapproaches that can be implemented usingtoday's conventional computers...but will be impervious (resistant)to attacks from tomorrow's quantum computers.
Post-quantum algorithms arc somctimes called quantum-resistant\"cryptographic algorithms
Post-Quantum Cryptography
Common in various font color=\"#e74f4c\
All the processing of data storage is closer to thesensors rather than in the cloud data center.
边缘计算edge computing
Complements cloud computing by processingdata from loT devices.
Often places gateway devices in the field to collectand correlate data centrally at the edge.
Important to speed processing time and reduce dependence oncloud/Internet connectivity mission critical situations (healthcare)
雾计算fog computing
Confidential computing solves for this by isolating sensitivedata in a protected CPU enclave during processing.
This CPU enclave is called a font color=\"#e74f4c\
Embedded attestation mechanisms ensure that the keysare accessible only to authorized application code
机密计算confidential computing
Integratessecurity as a shared responsibilitythroughout the entire IT lifecycle.
Builds a security foundation into Devops initiatives.
Often includes automating some of the securitygates in the Devops process.
DevSecOps
laC is a key Devops practice and is used inconjunction with Continuous Integration andcontinuous Delivery (CI/CD). \"the CI/CD pipeline\"
IaCInfrastructure as Code
相关技术的影响Impact of related technologies
1.2 描述云计算参考架构Describe cloud reference architecture
A chip that resides on the motherboard of the device.
TPM
HSM
FIPS 140-2 validated modules providetamper resistance and key integrity
Generation
Encryption keys should be distributed securely to preventtheft/compromise during transit
BEST PRACTICE:Encrypt keys with a separate encryptionkey while distributing to other parties
Distribution
Encryption keys must be protected at rest and shouldnever be stored in plaintext
This Includes keys in volatilc and persistent memory
Storage
Clients (users trusted devices) will use keys for resource accessas access controls allow.
Acceptable use policy sets guardrails for data usage
Use
Revocation
Key destruction is the removal of an encryption key from itsoperational location.
Key deletion goes further and removes any info that could beused to reconstruct that key.
Destruction
KEY MANAGEMENT STRATEGYFOR ENCRYPTION KEY LIFECYCLE
Encryption keys must be secured at the same level of control or higheras the data they protect.
Level of Protection
Key Recovery
Key Escrow
CSPs offer a cloud service for centralized secure storage andaccess for application secrets called a vault.
Service will typically offer programmatic access via APl to supportDevOps and continuous integration/continuous deployment(CI/CD)
Access control at vault instance-level and to secrets stored within
Secrets and keys can generally be protected either bysoftware or by FIPS 140-2 Level 2 validated HSMs.
Key Management System (KMS)
密码学和密钥管理Cryptography and key management
Authentication and access managementFocused on the manner in which users can access required resources
用户访问user access
Privileged user managementManaging privileged access accountsEnforce Least Privilege and Need to knowSeparation of duties can provide effective risk mitigation
特权访问privilege access
Centralized directory ServicesActive Directory and LDAPKerberos and NTLM authentication
服务访问service access
Provisioning and Deprovisioning
Something you know(pin or password)Something you have(trusted device)Something you are(biometric)
PREVENTS:PhishingCredential stuffingSpear phishingBrute force and reverse brute force attacksKeyloggersMan-in-the-middle (MITM)attacks
MFAMulti-factor Authentication
Need-to-know and the principle of least privilege are twostandard IT security principles implemented in secure networks.
They limit access to data and systems so that users and othersubjects have access only to what they require.
They help prevent security incidentsThey help limit the scope of incidents when they occur.
LIMITING ACCESS & DAMAGE
Collusion is an agreement among multiple persons toperform some unauthorized or illegal actions.
Separation of dutiesa basic security principle that ensures that no single personcan control all the elements of a critical function or system.
PREVENTING FRAUD AND COLLUSION
a service account is a type of administrator account used to run anapplication. example:account to run an anti-virus application.
Service Account aka \"Service Principal\"
When a group of people font color=\"#e74f4c\
shared Account
ACCOUNT TYPES
身份和访问控制Identity and access control
覆盖overwriting
加密擦除cryptographic erase
Erasing
preparing media for reuse and ensuring data cannot be recovered using traditionalrecovery tools.
Clearing (overwriting)
a more intense form of clearing that preparesmedia for reuse in less secure environments.
Purging
Less secure data destructionMedia is reusable with any of these methodsData may be recoverable with forensic tools
PRO:Data cannot be recovered from any remnants.CON:High CPU and performance overhead
Crypto-shredding 'cryptographic erasure'
More secure data destruction
creates a strong magnetic field that erasesdata on some media and destroy electronics.
Degaussing
You can shred a metal hard drive into powder.
Shredding
Pulverizing
Destroying Media Data
数据和媒介清理Data and media sanitization
Network security groups provide anadditional layer of security for cloud resources
Act as a font color=\"#e74f4c\
Carriesa list of security rules(IP and port ranges)thatallow or deny network traffic to resource instances.
Provides a virtual firewall for a collection of cloudresources with the same security posture
网络安全组network security groups
Restricting services that are permitted to access or be accessiblefrom other zones using rules to control inbound/outbound traffic.
Rules are enforced by the IP address ranges of each subnet.
Segmentation
Representational State Transfer (REST)is the modern approach towriting web service APIs.
APIs published by an organizations should include font color=\"#e74f4c\
APl inspection and integration
Packet capture in the cloud generally requires toolsdesigned for this purpose in the environment.
Traffic is often sent direct to resources and promiscuousmode on a VM NIC not possible or effective.
流量检查traffic inspection
Uses the Global Positioning System (GPS)or RFID to definegeographical boundaries.
EXAMPLES:Restrict access to systems and services based on wherethe access attempt is being generated from.Prevent devices from being removed from the company'spremises.
地理围栏geofencing
Addresses the limitations of the legacy network perimeter-based security model.
Treats user identity as the control plane
Assumes compromise breach in verifying every request.
ZERO TRUST PRINCIPLES
-Network Security Group (NSG)-Network Firewalls-Inbound and outbound traffic filtering-Inbound and outbound traffic inspection-Centralized security policy management and enforcement
ZERO TRUST NETWORK ARCHITECTURE
零信任网络zero trust network
网络安全Network security
hypervisor 安全hypervisor security
Container hosts are cloud-based virtual machines(VM).This is where the containers run
Major CSPs also offer a monitoring solution that willidentify at least some potential security concerns
容器安全container security
the practice of creating a virtual computing environment as a need arises.
临时计算ephemeral computing
Use API gateways as security buffers (to avoid DDoS attacks)
无服务器技术serverless technology
虚拟化安全Virtualization security
Preventable by following secure development practices andadhering to recommendations in the secure data lifecycle
Data BreachThe result of a cyberattack
When sensitive data is unknowingly exposed to the public
Often through a system or service misconfiguration or oversharing.
Data LossSometimes called 'data leaks'
Disgruntled employees can wreak havoc on a system.
Internal acts of disruption include theft and sabotage.
Malicious Insiders
When attacks are designed to steal orwedge themselves into the middle of aconversation in order to gain control.
Traffic Hijacking
Consumers sometimes misuse their cloud services forillegal or immoral activities.
Abuse of cloud services
Process/effort to collect and analyze informationbefore making a decision or conducting a transaction.
Process/effort to collect and analyzeinformation before making a decision orconducting a transaction.
Due Diligence
Doing what a reasonable person would do ina given situation.It is sometimes called the\"prudent person rule\".
Due care
DUE DILIGENCE VS DUE CARE
Failure to perform due diligence can result in adue care violation.
Insufficient due diligence
The underlying infrastructure of the public cloud was not originallydesigned for the types of multitenancy in the public cloud
Modern virtualization software bridges most of the gaps
Shared Technology Vulnerabilities
常见威胁Common threats
打补丁patching
基线baselining
Configuration Management
helps reduce outages or weakened security from unauthorized changes to the baseline configuration.
Change Management
It is a function included in change management.
Patches correct security and functionality problems in software and firmware.
An applicability assessment is performed to determinewhether a particular patch or update applies to a system.
Patch Managementaka 'update Management'
安全卫生Security hygiene
1.3 了解与云计算相关的安全概念Understand security concepts relevant to cloud computing
Can be created by usersa user creates a file
Can be created by systemsa system logs access
Create
Store
Data should be protected by adequate security controls based on its classification.
refers to anytime data is in use or in transit over a network
Share
archival is sometimes needed to comply with laws or regulations requiring the retention of data.
Archive
Destory
DATA STATES
Storage Service Encryption
helps you encrypt Windows and Linux laas VMs disks using BitLocker (Windows)anddm-crypt feature of Linux to encrypt OS and data disks.
Full Disk Encryption
Helps font color=\"#e74f4c\
Transparent data encryption (TDE)
PROTECTING DATA AT REST
Holds the legal rights and complete control over a single piece of data.
Usually a member of senior management.Can delegate someday-to-day duties.CANNOT delegate total responsibility!
Data Owner
Usually someone in the font color=\"#e74f4c\
Data custodian
重要的数据角色
Data Processor
The person or entity that controls processing of the data.
Data Controller
GDPR中的数据角色
Refers to any individual font color=\"#e74f4c\
Data Subject
Use that knowledge to ensure the data they are responsible for isused as intended.
Data Steward
其他角色
云安全数据生命周期Cloud secure data lifecycle
the overall organizational plan for \"how-to\" continue business.
BCP (Business Continuity Plan)
the plan for recovering from a disaster impacting ITand returning the IT infrastructure to operation.
DRP(Disaster Recovery Plan)
BCP focuses on the whole businessDRP focuses more on the technical aspects of recovery
BCP will cover communications and process more broadlyBCP is an umbrella policy and DRP is part of it
BCP vs DRP
Region Pairs addresses font color=\"#e74f4c\
Availability Zones address datacenter failures within a cloud regionA CSP region (e.q.East Us)includes multiple datacenters
Availability sets address font color=\"#e74f4c\
云中灾难恢复
基于云的业务连续性 (BC) 和灾难恢复 (DR) 计划Cloud-based business continuity (BC) and disaster recovery (DR) plan
A cost-benefit analysis lists the benefits of the decision alongside their corresponding costs.
CBA can be strictly quantitative: adding the financial benefits and subtracting the associated costs todetermine whether a decision will be profitable.
成本效益分析cost-benefit analysis
投资回报率 (ROI)return on investment (ROI)
业务影响分析 (BIA)Business impact analysis (BIA)
Define a system or its component and font color=\"#e74f4c\
EXAMPLE:application forms must protect against injection attacks.
Functional security requirements
EXAMPLE:security certifications are non-functional.
Non-functional security requirements
Functional vs Non-Functional security requirements
供应商锁定vendor lock-in
功能安全要求Functional security requirements
VM attacksVirtual networkHypervisor attacksVM-based rootkitsVirtual switch attacksColocationDoS attack
Data SegregationData Access and PoliciesWeb Application Security
不同云类别的安全注意事项和责任Security considerations and responsibilities for different cloud categories
VM Escape
When font color=\"#e74f4c\
VM Sprawl
VIRTUALIZATION-FOCUSED ATTACKS
freely available on the internet and exploit known vulnerabilities in variousoperating systems enabling attackers to elevate privilege.
Rootkit (escalation of privilege)
undocumented command sequences that allow individuals with knowledgeof the back door to bypass normal access restrictions.often used in development and debugging.
Back Door
APPLICATION ATTACKS
is a resource consumption attack intended to prevent legitimate activityon a victimized system.
Denial of-Service
a Dos attack utilizing multiple compromised computer systems assources of attack traffic.
Distributed Denial of-Service
COUNTERMEASURES
volume-based attacks targetingfont color=\"#e74f4c\
Network
exploit weaknesses in the application layer (Layer 7) by opening connections andinitiating process and transaction requests that consume finite resources like diskspace and available memory.
Application
Targets the weaknesses of font color=\"#e74f4c\
Often target weaknesses using the network and application techniques describedabove.
Operational Technology (OT)
TYPES OF DDOS ATTACKS
NETWORK ATTACKS
Attacks
SANS 安全原则SANS security principles
架构完善的框架Well-Architected Framework
云安全联盟 (CSA) 企业架构Cloud Security Alliance (CSA) Enterprise Architecture
AWS Well-Architected FrameworkAzure Well-Architected FrameworkGoogle Cloud Architecture Framework
Cloud Service Providers
Enterprise Architecture Reference Guide (Cloud Security Alliance)Cloud Computing Reference Architecture (NIST)
Industry Groups
Focus on architecture more than security
ARCHITECTURE
Microsoft Cybersecurity Reference ArchitectureAWS Security Reference ArchitectureGoogle Cloud Security Foundations Guide
Enterprise Cloud Security Architecture (SANS)Security Technical Reference Architecture (CISA)Cloud Computing Security Reference Architecture (NIST)
Industry Groups
SECURITY
云设计模式Cloud design patterns
Devops relies heavily on deployment automation forContinuous integration/continuous delivery (Cl/CD)
Automated software scanningAutomated vulnerability scanningWeb application firewallSoftware dependency managementAccess and activity loggingApplication performance management
Technical
Administrative
DevOps 安全DevOps security
1.4 了解安全云计算的设计原则Understand design principles of secure cloud computing
Provides guidelines for information security controls applicable to theprovision and use of cloud services
Who is responsible for what between the cloud service provider and the cloud customerThe removal/return of assets when a contract is terminatedProtection and separation of the customer's virtual environmentVirtual machine configurationAdministrative operations and procedures associated with the cloud environmentCustomer monitoring of activity within the cloudVirtual and cloud network environment alignment
国际标准组织/国际电子技术委员会 (ISO/IEC) 27017International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27017
a secure network must be maintained in which transactions can be conductedcardholder information must be protected wherever it is storedsystems should be protected against the activities of malicious hackerscardholder data should be protected physically as well as electronicallynetworks must be constantly font color=\"#e74f4c\
BASED ON 6 MAJOR OBJECTIVES
支付卡行业数据安全标准 (PCI DSS)Payment Card Industry Data Security Standard (PCI DSS)
根据标准进行验证Verification against criteria
Enable an objective evaluation to validate that a particularproduct or system satisfies a defined set of security requirements
Ensures customers that security products they purchase havebeen thoroughly tested by independent third-party testers and meets customer requirements.
The certification of the product only certifies product capabilities.
Designed to provide assurances for security claims by vendors
通用标准 (CC) (ISO/IEC15408)Common Criteria (CC)
Established to aid in the protection of digitally stored font color=\"#e74f4c\
Level 1: Lowest level of security.Level 2: Specifies the security requirements for cryptographic modules that protect sensitive information.Level 3: Requires physical protections to ensure a high degree of confidence that any attempts to tamper are evident and detectable
FIPS Security Levels
联邦信息处理标准 (FIPS) 140-2Federal Information Processing Standard (FIPS) 140-2
系统/子系统产品认证System/subsystem product certifications
1.5 评估云服务供应商Evaluate cloud service providers
Destroy
云数据生命周期阶段Cloud data life cycle phases
A core principle of business continuity says that importantdata should always be stored in more than one location
Data dispersion is easier in the cloud because the CSP ownsthe underlying complexity that delivers site-level resiliency.
Local -replicas within a single datacenter
Zone -replicas to multiple datacenters within a region
Global region level resiliency (replicas to backup region
数据分散Data dispersion
A data flow diagram (DFD) is useful to gain visibility andensure that adequate security controls are implemented
Decreased development time and faster deployment of newsystem features. and with reduced security risk!
Some compliance frameworks font color=\"#e74f4c\
BENEFITS
BOTTOM LINE:Creating the DFD can be both a risk assessmentactivity and a crucial compliance activity.
数据流Data flows
2.1 描述云数据概念Describe cloud data concepts
长期long-term
临时ephemeral
原始存储raw storage
IAAS
Structured.Relational databases (RDBMS)Unstructured.Big data
PAAS
SAAS
存储类型Storage types
User accessing data storage without properauthorization presents security concerns
Customer must implement proper access controlCSP must provide adequate logical separation
Unauthorized Access
Primarily a cost and operational concern
Shadow IT a common issue
Unauthorized Provisioning
Loss of Connectivity
Universal threats from the perspective of the CIA Triad
Data transfer between countries can run afoul oflegal requirements.
Privacy legislation bars data transfer to countrieswithout adequate privacy protections
Jurisdictional issues
In the event a network connection is severedbetween the user and the CSP.CSPs are better prepared to defend against DDoS attacks.
Denial of service
Data corruption/destruction
Theft or media loss
Ransomware not only encrypts data stored onlocal drives but also seeks common cloudstorage locations like Saas apps.
Back up your computerStore backups separatelyFile auto-versioning
Update and patch computersUse caution with web linksUse caution with email attachmentsVerify email sendersPreventative software programsUser awareness training
PREVENTION
Malware and ransomware
Ensuring that hardware that has reached theend of its life is properly disposed of in such away that data cannot be recovered.
CSP responsible for hardware disposal
Improper disposal
First are the consequences of noncompliancelike fines or suspension of business operations.
Second is the reason for the compliancerequirements-font color=\"#e74f4c\
Regulatory Compliance
OTHER THREATS
对存储类型的威胁Threats to storage types
2.2 设计和实现云数据存储架构Design and implement cloud data storage architectures
Relies on the use of a single shared secretkey.font color=\"#e74f4c\
Symmetric
Asymmetric
A model of how different certification authorities trust each other and howtheir clients will trust certificates from other certification authorities.
Trust model
Addresses the possibility that a cryptographic key may be lost.
The concern is usually with symmetric keys or with the private key inasymmetric cryptography.
Organizations establish key escrows to enable recovery of lost keys.
Key escrow
FIPS 140-2 validated modules provide tamper resistance and key integrity
Encryption keys should be distributed securely to prevent theft/compromise during transit
Plan for securely transferring symmetric keys and distributing keys to the key escrow agent
BEST PRACTICE:Encrypt keys with a separate encryption key while distributing to other parties
Encryption keys must be protected at rest and should never be stored in plaintextThis Includes keys in volatile and persistent memory
Also consider handling in the process of storing copies for retrieval if a keyis ever lost (known as key escrow)
A process for font color=\"#e74f4c\
Key destruction is the removal of an encryption key from its operational location.
Key deletion goes further and removes any info that could be used to reconstruct that key.
ENCRYPTION KEY LIFECYCLE
CSP-managed or self-managed
Organizations that use multiple cloud providers or need to retainphysical control over key management may need to implement abring-your-own-key (BYOK)strategy.
Key storage
KEY MANAGEMENT IN THE CLOUD
Storage-level encryption
Volume-level encryption
Object-level encryption
Will vary by app and CSP platform
File-level encryption
Implemented in an application typically using object storage
Data entered by user typically encrypted before storage
Application-level encryption
Database-level encryption
OTHER CLOUD ENCRYPTION SCENARIOS
加密和密钥管理Encryption and key management
A one-way function that scrambles plain text to produce a unique messagedigest.
Conversion of a string of characters into a shorter fixed-length value
Encryption is a two-way function;what is encrypted can be decrypted withthe proper key.
VS Encryption
They must allow input of any length.Provide fixed-length output.Make it relatively easy to compute the hash function for any input.Provide one-way functionality.Must be collision free.
HASH FUNCTION REOUIREMENTS
散列Hashing
屏蔽masking
Anonymization.The process of removing all relevant dataso that it is impossible to identify original subject or person.
Good only if you don't need the data
Anonymization is sometimes called de-identification
匿名化anonymization
de-identification procedure usingpseudonyms (aliases)to represent other data.
Can result in less stringent requirements than wouldotherwise apply under the GDPR.
use if you need data and want to reduce exposure
伪名化Pseudonymization
数据混淆Data obfuscation
where meaningful font color=\"#e74f4c\
令牌化Tokenization
Reversal requires access to another data source
a system designed to font color=\"#e74f4c\
is a way to protect sensitive information and prevent its inadvertent disclosure.
数据丢失防护(DLP)Data loss prevention (DLP)
are most often used for encryption operations and can be used to uniquely identify a user or system.
Keys
often a secondary authentication mechanism used to verify that a communication has not been hijacked or intercepted.
Secrets
are used to verify the identity of a communication party and also be used for asymmetric encryption by providing a trusted public key.
often used to encrypt a shared session key or other symmetric key for secure transmission.
Certificates
Key Management Services (KMS)
CSPs offer a cloud service for centralized secure storage and access for application secrets called a vault.
Service will typically offer programmatic access via APl to support DevOps and continuous integration/continuous deployment(CI/CD)
Access control at vault instance-level and to secrets stored within.
Secrets and keys can generally be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
This positively identifies the sender of the email.
Ownership of a digital signature secret key is bound to a specific user
Authentication
The sender cannot later deny sending the message.
This is sometimes required with online transactions
Non-repudiation
provides assurances that the message has not been modified or corrupted.
Recipients know that the message was not altered in transit
Integrity
Digital Signatures
management of cryptographic keys in a cryptosystem.
Key management
Certification Authorities create digital certificates and own the policies
Certificate authority (CA)
Used to represent a user's digital identity
User
A trust anchor in a PKI environment is the root certificate from which the whole chain of trust is derived.this is the root CA.
Root
A Domain-Validated (DV)certificate is an X.509 certificate that proves the ownership of a domain name.
Domain validation
Extended validation certificates provide a higher level of trust in identifying the entity that is using the certificate.
Commonly used in the financial services sector.
Extended validation
chain of trust
TYPES OF CERTIFICATES
A single compromised CA does not result in compromise of the root.
Subordinate CA
Contains information about any certificates that have been revoked by asubordinate CA due to compromises to the certificate or PKI hierarchy.
Certificate revocation list(CRL)
Revoking (invalidating) a certificate before expiration
Two potential options for tracking revocation:ask for the font color=\"#e74f4c\
CERTIFICATE REVOCATION
Offers a faster way to check a certificate's status compared to downloading a CRL.
Online Certificate Status Protocol (OCSP)
Records identifying information for a person or device that owns a private key as well as information on the corresponding public key.
It is the message that's sent to the CA in order to get a digital certificate created.
Certificate signing request(CSR)
the Fully Qualified Domain Name (FQDN)of the entity (e.g.web server)
CN(common name)
PUBLIC KEY INFRASTRUCTURE (PKI)
2.3 设计和应用数据安全技术和策略Design and apply data security technologies and strategies
Datacontained in rows and columns such as an Excel spreadsheet or relational database.
Often includes a description of its format known as a data model or font color=\"#e74f4c\
Discovery methods include:
结构化数据Structured data
Data that cannot be contained in a row-column database and does not have an associated data model.
Discovery occurs through font color=\"#e74f4c\
Lexical analysis attempts to find data meaning and context to discover sensitive info that may not conform to a specific pattern.
Hashing attempts to identify known data by calculating a hash of files and comparing it to a known set of sensitive file hashes.Only good for data that does not change frequently!
Content analysis(discovery)methods include:
非结构化数据Unstructured data
A combination of structured and unstructured data.
This mix of data types will require a combination of discovery methods and tooling capable ofdiscovery in these comingled data types
半结构化数据Semi-structured data
The location of data will impact both its discoverability and the choice of tools used to perform discovery.
Tools must be able to access data to perform the scanning and analysis needed in the discovery process.
Not all cloud solutions may offer a local agent for on-premises.
Network-based DLP may not analyze all traffic between on-premises endpoints and cloud
Both unstructured and structured in same repository will increase tool cost and complexity and may present classification challenges
A list of traits and characteristics about specific data elements or sets.
Often automatically created at the same time as the data
Metadata-Based Discovery
Based on examining labels created by the data owners during the Create phase.or in bulk with a scanning tool
Can be used with databases (structured data)but is more commonly used with file data.
Label-Based Discovery
数据位置Data location
2.4 实现数据发现Implement data discovery
Personally Identifiable Information (PIl)
health-related information that can be related to a specific person
Regulated by HIPAA/HITRUST
Protected Health Information (PHI)
allowable storage of information related to credit and debit cards and transactions.
Defined and regulated by PCI DSS
Cardholder Data
COMMON SENSITIVE DATA TYPES
Data classification
Ensures that legal and compliance issues are addressed.
Data retention
EXAMPLES:Some financial data needs to be retained for 7 yearsSome medical data may need to be retained up to 20-30 years.
Regulatory compliance
DATA POLICIES
A process for categorization of data and defining theappropriate controls.Categories include:
DATA CLASSIFICATION
数据分类策略Data classification policies
Informs organization of the locations where data is present within applications and storage.
Brings understanding that enables implementation of security controls and classification polices.usually precedes classification and labeling
数据映射Data mapping
Labeling requirements that apply consistent markings to sensitive data should accompany classification.
Often applied in bulk using classification tools
数据标记Data labeling
CLOUD SECURE DATA LIFECYCLEThe Cloud Security Alliance model
2.5 计划和实现数据分类Plan and implement data classification
Often implemented to control access to data designed to be shared but not freely distributed.
Can be used to font color=\"#e74f4c\
Provide file expiration so that documents can no longer be viewed after a specified time
IRM
数据权限data rights
访问provisioning
访问模型access models
access control/ability to enforce restrictions must follow the data.
Protection must Follow the document or data wherever it travels
Persistence
IRM solution must provide a way to update the restrictionseven after a document has been shared.
Dynamic policy control
IRM tools can enforce time-limited access to data as a form of access control.
Expiration
IRM solution must ensure that protected documents generate an audit trail when users interact with protected documents.
Continuous audit trail
IRM solutions must offer support for users across these different system types.
Interoperability
目标Objectives
颁发和撤销证书issuing and revocation of certificates
IRM tools comprise a variety of components necessary to provide policy enforcement and other attributes of the enforcement capability.
Centralized service for font color=\"#e74f4c\
Secrets storage: IRM solutions require local storage for font color=\"#e74f4c\
Local storage requires protection primarily for data integrity to prevent tampering with the material used to enforce IRM
适当的工具Appropriate tools
2.6 设计和实现信息权限管理 (IRM)Design and implement Information Rights Management (IRM)
Retention is driven by security policies and regulatory requirements
Audits or lawsuit may require production of some data
数据保留策略Data retention policies
1、Data is encrypted with a strong encryption engine.
2 The keys used to encrypt the data are then encrypted using a different encryption engine.
PRO: Data cannot be recovered from any remnantsCON: High CPU and performance overhead
crypto-shredding 'cryptographic erasure'
数据删除程序和机制Data deletion procedures and mechanisms
Refers to placing data in long-term storage for a variety of purposes
The optimal approach in the cloud differs in several respects from the on-premises cquivalent
Data EncryptionData MonitoringeDiscovery and RetrievalBackup and DR OptionsData FormatMedia Type
Key elements of data archiving in the cloud
Access controls and encryption are important to protect data integrity (by preventing unauthorized access)
Data Encryption
Data stored in the cloud tends to be replicated as part of storage resiliency or BC/DR.
To maintain font color=\"#e74f4c\
Monitoring to ensure all security controls are being applied properly throughout the data lifecycle.
Data Monitoring
Archive data may be font color=\"#e74f4c\
The archiving platform should provide the ability to perform eDiscovery on the data to determine which data should be retrieved.
eDiscovery and Retrieval
All requirements for data backup and restore should be specified and clearly documented
Business continuity and disaster recovery (BCDR)plans are updated and aligned with whatever procedures are implemented
Both resiliency to disaster (ensuring archive data availability) and knowledge/control of data replication arc important
Backup and DR Options
This is an important consideration because it may be kept for an extended period.
Format needs to befont color=\"#e74f4c\
Data Format and Media Type
数据归档程序和机制Data archiving procedures and mechanisms
Protecting any documents that can be used in evidence in legal proceedings from being altered or destroyed
Data protection suites in cloud platforms often have a feature to ensure immutability
依法保留Legal hold
身份identity
互联网协议 (IP) 地址Internet Protocol (IP) address
地理位置geolocation
事件源的定义和事件属性的要求Definition of event sources and requirement of event attributes
Logs are worthless if you do nothing with the log data.They are made valuable only by review.
Log centralization and aggregationData integrityNormalizationAutomated or continuous monitoringAlertingInvestigative monitoring
SIEM(Security Information Event Monitoring)tools can help tosolve some of these problems by offering these key features:
Log centralization and aggregation
Data integrity
SIEMs can normalize incoming data to ensure that the data from a variety of sources is presented consistently.
Normalization
Automated or continuous monitoring
SIEMs can automatically generate alerts such as emails or tickets when action is required based on analysis of incoming log data
Alerting
Investigative monitoring
Provides evidence integrity through convincing proof evidence was not tampered with in a way that damages its reliability.
Each person who handled the evidenceDate and time of movement/transferPurpose evidence movement/transfer
Foundational principle of evidence handling in legal proccedings!
What if evidence is left unattended or handled by unauthorized parties?
Functions and importance
CHAIN OF CUSTODY
Non-repudiation is the guarantee that no one can deny a transaction.
Systems enforce nonrepudiation through the font color=\"#e74f4c\
Digital signatures prove that a digital message or document was notmodified-intentionally or unintentionally-from the time it was signed.
Based on asymmetric cryptography (a public/private key pair)
It's the digital equivalent of d handwritten signature or stamped seal.
Multiple accounts make non-repudiation more difficultShared accounts make non-repudiation virtually impossible!
Methods to provide non-repudiation
NON-REPUDIATION
监管链和不可抵赖性Chain of custody and non-repudiation
is maintained for individual subjects using auditing.
logs record user activities and users can be held accountable for their logged actions.
directly promotes good user behavior and compliance with the organization's security policy.
Accountability
help ensure that management programs are effective and being followed.
commonly associated with account management practices to prevent violations with least privilege or need-to-know principles.
patch managementvulnerability managementchange managementconfiguration management
can also be performed to oversee many programs and processes
Security audits and reviews
Ensures events are font color=\"#e74f4c\
laas Event sources
A Paas environment does not offer or expose the same level of customer access to infrastructure and system logs as laas
Paas Event Sources
Saas Event Sources
Definition of Event Sources
Source address
User identity
WHO
Type of event
Severity of event
Security-relevant event flag(if log contains non-security events)
Description
WHAT
Application address
Service
Geolocation
Window/for/page (URL and HTTP method)
Code location (script or module name)
WHERE
Log date and time (international format)
Event date and time
Interaction identifier
WHEN
EVENT SOURCES EVENT ATTRIBUTES
D2 云数据安全Cloud Data Security
There are infrastructure components that are common to all cloud service delivery models
For font color=\"#e74f4c\
Controls for font color=\"#e74f4c\
PHYSICAL ENVIRONMENT CONSIDERATIONS
Ensuring that communication lines are not physically compromised by locating telecommunications equipmentinside a controlled area of the CSP's building or campus.
EXAMPLE
物理环境Physical environment
IaaS
PaaS
Thecustomer remains responsible for font color=\"#e74f4c\
SaaS
网络与通信Network and communications
a minimum resource that is guaranteed to a customer
Reservation
maximum utilization of compute resource by a customer (e.g.VM)
limits are allowed to change dynamically based on current conditions and consumption
Limits
a weighting given to a particular VM used to calculate percentage-based access to pooled resources when there is contention.
In cases of shortage host scoring determines who gets capacity
Shares
计算Compute
The security of the hypervisor is always the responsibility of the CSP.
The virtual network and virtual machine may be the responsibility of either the CSP or the customer.
Risks associated with virtualization
Install all updates to the hypervisor as they are released by the vendor.Restrict administrative access to the management interfaces of the hypervisor.Capabilities to monitor the security of activity occurring between guest operating systems(VMs).
Security recommendations for the hypervisor
Install all updates to the guest OS promptly.Back up the virtual drives used by the guest os on a regular basis
Security recommendations for the guest OS
The virtual network between the hypervisor and the VM is also a potential attack surface.
Responsibility for security in this layer is often shared between the CSP and the customer.
VIRTUALIZATION NETWORK SECURITY
Where an font color=\"#e74f4c\
or malicious user breaks the isolation between VMs running on a hypervisor by gaining access outside their VM.
Protection:
VM Escape
虚拟化Virtualization
physical protection of data centers and the storage infrastructure they contain.
security patches and maintenance of underlying data storage technologies and other data services they provide
CSP Responsibilities
properly configuring and using the storage tools.
logical security and privacy of data they store in the CSP's environment.
assessing the adequacy of these controls and properly configuring and using the controls available.
ensuring adequate protection for the data at rest and in motion based on the capabilities offered by the CSP.
CUSTOMER Responsibilities
Inability to securely wipe physical storage and possibility of another tenant being allocated the same previously allocated storage space
Customer retains responsibility for secure deletion
only storing data in an encrypted format
retaining control of the keys needed to decrypt the data
Compensating controls for the lack of physical controlof the storage medium include:
CUSTOMER CHALLENGES
存储Storage
Provides virtual management options equivalent to the physical administration options a legacy data center would provide.
Data plane performs operations on resources created through the control plane
Control Plane and Data Plane
the main web interface for the CSP platform.
Cloud Portal
the ability to stop/start a resource at a scheduled time
Scheduling
Orchestration
Maintenance
Key interfaces of the management plane
管理平面Management plane
3.1 理解云基础架构和平台组件Comprehend cloud infrastructure and platform components
create tenant partitioning or isolationlimit and secure remote accessmonitor the cloud infrastructureallow for the patching and updating of systems
The logical design of the cloud infrastructure should:
Logical isolation in CSP multitenancy makes cloud computing more affordable but create some security and privacy concerns.
CSP and tenant share responsibility for implementing and enforcing controls that address the unique multitenant risks of the public cloud.
租户分区tenant partitioning
One method of access control is to federate a customer's existing IAM system with their CSP tenant
Another method to facilitate IAM between cloud and on-premisesresources is identity as a service (IDaas)
Hybrid identity (single login for on-premises and cloud)can simplify identity and access management (IAM)
Remote Desktop Protocol(RDP):the native remote access protocol for Windows operating systems.
Secure Terminal/Console-Based Access:a system for secure local access.A KVM (keyboard video mouse)system with access controls
Virtual clients:software tools that allow remote connection to a VM for use as if it is your local machine.e.q Virtual Desktop Infrastructure (VDI)for contractors
Local and Remote Access controls
访问控制access control
逻辑设计Logical design
One of the first considerations in datacenter design is location
位置location
Building your own datacenter from scratch and buying an existing facility each have their advantages and disadvantages
Requires significant investment to build a robust data centerOffers the most control over datacenter designRequires knowledge and skill to match quality of BUY option
Build
Buy
购买或建造buy or build
A strong fence line of sufficient height and constructionLighting of facility perimeter and entrancesVideo monitoring and alertingElectronic monitoring for tampering
PHYSICAL SECURITY
Uptime simply measures the amount of time a system is running
involves no redundancy and the most amount of downtime in the event of unplanned maintenance or an interruption.
must have an font color=\"#e74f4c\
expected to provides 99.671%availability
TIER I:Basic Site Infrastructure
adds redundant components for important cooling and power systems
facilities must also have the ability to store additional fuel to support the generator
expected to provide 99.741% availability
TIER II:Redundant Site Infrastructure
adds even more redundant components
has a major advantage in that it never needs to be shut down for maintenance
enough redundant components that any component can be taken offline for maintenance and data center continues to run
expected to provides 99.982%availability
TIER IIl:Concurrently Maintainable SiteInfrastructure
can withstand either planned or unplanned activity without affecting availability
this is achieved by eliminating all single points of failure
expected to provide 99.995%availability
TIER IV:Fault-Tolerant Site Infrastructure
DATACENTER TIER STANDARD
物理设计Physical design
供暖Heating
An HVAC failure can font color=\"#e74f4c\
Customer reviews of the CSP should include the adequacy and redundancy of HVAC systems.
A routine review of the most current SOC 2 report is a critical part of a cloud customer's due diligence in CSP evaluation.
Connectivity to data center locations from more than one internet service provider (ISP) is multi-vendor pathway connectivity
Using multiple vendors is a proactive way for CSPs to mitigate the risk of losing network connectivity.
Cloud customers should consider multiple paths for communicating with their cloud vendor.
多供应商通路连接multi-vendor pathway connectivity
环境设计Environmental design
A few examples of resilient design:
Service-level resiliency requires identifying single points of failure throughout the servicc chain
设计弹性Design resilient
3.2 设计安全的数据中心Design a secure data center
Identifying risks is the first step in managing them and begins with identification of the organization's valuable assets
once assets are identified: Security practitioners and risk managers can then begin toidentify potential causes of disruption to the assets
Several exist that provide processes and procedures for designing and implementing a risk management framework.
RISK FRAMEWORKS
识别identification
What will the impact be if that goes wrong?Single loss cxpectancy (SLE) - $
How likely is it to happen?Annualized Rate of Occurrence (ARO) - decimal
Analysis seeks to answer two questions:
The possible yearly cost of all instances of a specific realized threat against a specific asset.
FORMULA ALE =SLE x ARO
Annualized Loss Expectaney(ALE)
SLE = Asset value (AV) x EF
Exposure factor (EF) - %
分析analysis
Analysis of a CSP or cloud solution and the associated risks involves many departments and focus areas:
Business unitsVendor managementPrivacyInformation security
ISO/IEC 27001
security standard developed for cloud service providers and users to make asafer cloud-based environment and reduce the risk of security problems.
ISO/IEC 27017
the first international standard about the privacy in cloud computing services
ISO/IEC 27018
Customer-managed or CSP-managed?
Authentication Risk
Data Security
Evaluation of vendor security policies and processes.
Most CSPs font color=\"#e74f4c\
SOC 2 reportISO 27001 certificationSpecialized reports for regulated data
Supply Chain Risk Management (SCRM)
Analysis of CSP Risks
One risk that has been discussed is the organization losing ownership and full control over system hardware assets.
Careful selection of CSPs and the development of SLAs and other contractual agreements are critical to limiting risk
Organizations can font color=\"#e74f4c\
Customers must verify the resilience and continuity controls in place at the CSP
Geographic dispersion of the CSP data centers
Downtime
Compliance
Cloud systems are not immune to standard security issues like cyberattacks.
General technology risk
Different font color=\"#e74f4c\
External
A font color=\"#e74f4c\
Another internal threat is font color=\"#e74f4c\
Internal
RISK TYPES
common cloud Risks
风险评估Risk assessment
Organizations could be at risk if the CSP's public-facing infrastructure comes under attack
Unintentional loss/oversharing is a 'data leak'
data breaches
Remediate risk through change and confiquration management
Misconfiguration and inadequate change control
The public cloud offers benefits over legacy on-premises environments but can also bring additional complexities.
Phishing is the most common approach
Account hijacking
Insider threat
Insecure interfaces and APls
Most CSPs offer reference architectures to ensure customers secure and isolate their dev/test/prod environments and data
Weak control plane
Applistructure.Applications deployed in the cloud and the underlying application services used to build them.
Metastructure and applistructure failures
Refers to when organizations experience a significant reduction in visibility over their information technology stack.
Limited cloud usage visibility
Abuse and nefarious use of cloud services
Cloud-Specific RisksThe CSA Egregious 11
Selecting a qualified CSP is an essential first step.
Security should be considered at every step starting with design!
The next step is designing and architecting with security in mind.
风险缓解策略Risk mitigation strategies
3.3 分析与云基础架构和平台相关的风险Analyze risks associated with cloud infrastructure and platforms
内部部署on-premises
ability to restrict physical access at multiple pointsensuring a clean and stable power supplyadequate utilities like water and sewerthe availability of an adequate workforce
Customers should focus on selecting CSP datacenter locations to meet disaster recovery and data residency
SITE SELECTION FACILITY DESIGN
物理和环境保护Physical and environmental protection
at restin transitin use
Encrypt and protect data:
Dos/DDosBoundary (ingress and egress)Key Management
Protect systems and services:
System and Communication Protection
Automation of configurationResponsibilities for protecting cloud systems and servicesMonitoring and maintenance
Security practices
Properly securing information systems can be a difficult task due to the sheer number of elements that make up a system.
Breaking systems down into components and then applying security controls can make the overall task more manageable.
Policy and Procedures
A basic security principle that ensures that no single person can control all the elements of a critical function or system.
Separating user and admin functions can also prevent users from altering processes or misconfiguring systems.
Separation of System and User Functionality
Separating security-specific functionsfrom other roles is another example of separation of duties.
Security Function Isolation
A disruptive attack at scale that is more difficult for smaller organizations to combat effectively.
Denial-of-Service Protection
Boundary Protection
Eneryption tools like TLS or a VPN can be used to provide confidentiality.
Hashing can be implemented to detect unintentional data modifications.
Additional security measures like digital signatures or hash-based message authentication code(HMAC)can be used to detect intentional tampering.
HMAC can simultaneously verify both data integrity and message authenticity
Cryptographic Key Establishment and Management
Authentication (AuthN) is the process of proving that you are who you say you are.
Authorization (AuthZ) is the act of granting an authenticated party permission to do something
Accountability is typically enforced with adequate logging and monitoring of system activity
Saas apps used as users travel make identifying anomalous / malicious behavior more difficultBad password practices(reuse across services)Use of personal devices in BYOD scenarios
Modern IDaas tools provide solutions for these challenges
Cloud challenges in enforcing accountability
ACCOUNTABILITY
includes two or more authentication factors
more secure than using a single authentication factor
passwords are the weakest form of authentication
password policies help increase their security by enforcing complexity and history requirements
Smartcards include microprocessors and cryptographic certificates
Oath tokens create one-time passwords (OTP)
Biometric methods identify users based on individual characteristics such as fingerprints and facial recognition
Multifactor Authentication
MFA FACTORS AND ATTRIBUTES
is a font color=\"#e74f4c\
Authentication applications
where the server is pushing down the authentication information to your mobile device.
uses the mobile device app to be able to receive the pushed message and display the authentication information.
Push notifications
AUTHENTICATION METHODS
Federation is a collection of domains that have established trust.
Often includes a number of organizations that have established trust for shared access to a set of resources.
ExampleYou can federate your on-premises environment with Azure Active Directory (Azure AD) and use this federation for authentication and authorization.
This sign-in method ensures that all user authentication occurs on-premises.
Allows administrators to implement more rigorous levels of access control
FEDERATED SERVICES
Cloud services will offer different controls over what information is logged..
but at a font color=\"#e74f4c\
A log aggregator can ingest logs from all on-premises and cloud resources for review.
日志收集log collection
Refers to the ability to discover relationships between two or more events across logs.
关联correlation
Packet capture tools are also called protocol analyzers
Some CSP protocol analyzers can save the data that they collect to a Wireshark-compatible packet capture file (PCAP).
数据包捕获packet capture
审计机制Audit mechanisms
3.4 计划和实现安全控制Plan and implementation of security controls
BCP focuses on the whole business
DRP focuses more on the technical aspects of recovery
BCP will cover communications and process more broadly
BCP is an umbrella policy and DRP is part of it
Minimizing the effects of a disaster by:Improving responsiveness by the employees in different situations.Easing confusion by providing written procedures and participation in drillsHelping make logical decisions during a crisis
GOALS OF DRP AND BCP
the plan to move from the disaster recovery site back to your business environment or back to normal operations.
BRP(Business Resumption Plan)
a time determination for how long a piece of IT infrastructure will continue to work before it fails.
MTBF(Mean Time Between Failures)
a time determination for how long it will take to get a piece of hardware/software repaired and back on-line.
MTTR(Mean Time to Repair)
The amount of time we can be without the asset that is unavailable BEFORE we must declare a disaster and initiate our disaster recovery plan.
MTD(Max tolerable downtime)
BCP DEFINITIONS
The overall organizational plan for\"how-to\"continue business after an event has occurred.
A proactive risk mitigation strategy that contains likely scenarios that could affect the organization and guidance on how the organization should respond
Sometimes called a continuity of operations plan (COOP)
BCP(Business Continuity Plan)Business-focused
the plan for recovering from an IT disaster and having the IT infrastructure back in operation.
DRP(Disaster Recovery Plan)Tech-focuscd
业务连续性 (BC) / 灾难恢复 (DR) 策略Business continuity (BC) / disaster recovery (DR) strategy
The business impact assessment (BIA)is used to determine which processes are critical and which are not.
Measures the impact of specific systems and processes.
Any that are deemed critical to the organization's functioning must be prioritized in an emergency situation.
A BIA typically contains a cost-benefit analysis (CBA) and a calculation of the return on investment(ROI).
BUSINESS IMPACT ANALYSIS
A cloud data center that is affected by a natural disaster will likely activate multiple BCPs and DRPs.
CSP will activate both plans to deal with the interruption to their service
One key element of the BCP is communicating incident status to relevant parties.
BCP/DRP FROM A CSP PERSPECTIVE
The customer is responsible for determining how to recover in the case of a disaster in the cloud.
CSPs can further protect customers by not allowing two availability zones within a single physical datacenter within a cloud region.
BCP/DRP FROM A CUSTOMER PERSPECTIVE
The plan that details how relevant stakeholders will be informed inevent of an incident. (like a security breach)
Would include plan to maintain confidentiality such as encryption to ensure that the event does not become public knowledge.
Confidentiality amongst internal stakeholders is desirable so external stakeholders can be informed in accordance with the plan.
COMMUNICATION PLAN
STAKEHOLDER MANAGEMENT
is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.
恢复时间目标 (RTO)Recovery Time Objective (RTO)
is the age of data that must be recovered from backup storage for normal operations to resume if a system or network goes down
恢复点目标 (RPO)Recovery Point Objective (RPO)
measures the compute resources needed to keep production environments running during a disaster.
is a percentage measure (0-100%)of how much computing power you will need during a disaster
based upon font color=\"#e74f4c\
恢复服务级别recovery service level
业务需求Business requirements
Based on priorities from the business impact analysis(BIA)
Design
Implement the plan to protect critical business functions
ldentifying key personnel is crucial implementation step
Implement the Plan
Testing ensures both the BCP/DRP function as expected
AND that people know their roles and responsibilities
Testing both BCP and DRP plans is essential
Test the Plan
BCP/DRP should be revised as necessary based on test results
BCP/DRP plans evolve and need refinement over time
Report and Revise
Members of the disaster recovery team gather in a large conference room and role-play a disaster scenario.
The team members refer to the document and discuss the appropriate responses to that particular type of disaster.
Tabletop testing
Dry run
Involves actuallyshutting down operations at the primary site and shifting them to the recovery site.
Full test
DISASTER RECOVERY TESTS
Customers can take advantage of the cloud's high availability features like:multiple availability zonesautomatic failover to backup region(s)direct connection to a CSP
The cost of building resiliency should be less than the cost of business interruption
The cost of high availability in the cloud is generally less than a company trying to achieve high availability on their own
IMPLEMENTATION
3.5 计划业务连续性 (BC) 和灾难恢复 (DR)Plan business continuity (BC) and disaster recovery (DR)
D3 云平台和基础架构安全Cloud Platform and Infrastructure Security
Declares security should be present throughout every step of the process.
Pairs well with DevSecOps
Security by design
The idea is that security is the responsibility of everyone from the most junior member of the team to senior management.
Describes the primary principle of DevSecOps
Shared security responsibility
Requires org-wide security awareness and commitment
Security as a business objective
云开发基础Cloud development basics
Cloud software development often relies on loosely coupled services.
Verify through end-to-end load and stress testing
Performance
One of the key features of the cloud is the ability to scale allowing applications and services to grow and shrink as demand fluctuates.
Requires developers to think about how to retain state across instances and handle faults with individual servers
Scale out is better than scale up in the cloud
Interoperability across platforms increases service provider choice and can reduce costs
Designing software that can move between on premises and cloud environments or between cloud providers makes it portable
Portability in a hybrid scenario requires avoiding use of certain environment and provider-specific APIs and tools.
Portability
Designing APIs to work well with cloud architectures while remaining secure are both common challenges for developers and architects.
Access controlData encryptionThrottlingRate limiting
API security considerations
API Security
常见陷阱Common pitfalls
开放web应用安全项目 (OWASP) 10 大风险Open Web Application Security Project (OWASP) Top-10
SANS 前 25 个最危险的软件错误SANS Top-25
Common cloud vulnerabilities to avoid with SSDLC include
Data breachesData integrityInsecure application programming interfaces (APIs)Denial-of-Service
VULNERABILITIES
Cloud Security Alliance(CSA)SANS InstituteOpen Web Application Security Project (OWASP)
ORGANIZATIONS
常见云漏洞Common cloud vulnerabilities
4.1 倡导应用程序安全性的培训和意识Advocate training and awareness for application security
SSDLC is fully successful only if the integration of security into an organization's existing SDLC is required for all development efforts.
Business requirements capture what the organization needs its information systems to do.
Planning
Requirements Definition
Solution is designed based on requirements gathered
Wherc the actual coding (work)happens
Coding
Testing
SECURE SOFTWARE DEVELOPMENT LIFECYCLE (SDLC)
设计design
编码code
测试test
维护maintain
CCSP 4 个 阶段
places an emphasis on the needs of the customer and quickly developing new functionality thatmeets those needs in an iterative fashion.
Aglie
describes a sequential development process that results in the development of a finished product.
Waterfall
SOFTWARE DEVEPLOMENT MODELS
7-stage process that allows return to previous stage for corrections
SYSTEM REQUIREMENTSSOFTWARE REQUIREMENTSPRELIMINARY DESIGNDETAILED DESIGNCODE AND DEBUGTESTINGOPS & MAINTENANCE
WATERFALL MODEL
model for software developmentbased on the following four principles
Individuals and interactions over processes and toolsWorking software over comprehensive documentationCustomer collaboration over contract negotiationResponding to change over following a plan
Leverages an iterative (repeating)process called a sprint
AGILE MODEL
瀑布式与敏捷waterfall vs. agile
阶段和方法Phases and methodologies
4.2 描述安全软件开发生命周期 (SDLC) 流程Describe the Secure Software Development Life Cycle (SDLC) process
The Cloud Security Alliance details the top cloud-specific security threats in their list titled \"The CSA Egregious 11\"
Developers can leverage identity-as-a-service (IDaas)rather than building their own for stronger authentication & authorization controls
Using existing identity providers /IDaas for your app reduces risk
Continuous Integration Continuous Deployment (CI/CD)
云特定风险Cloud-specific risks
Allows security practitioners to identify potential threats and security vulnerabilities
is often used as an input to risk management
Focused on Assets.Uses asset valuation results to identify threats to the valuable assets.
Focused on Attackers.Identify potential attackers and identify threats based on the attacker's goals
Focused on Software Considers potential threats against the software the org develops.
3 approaches to threat modeling
SpoofingTamperingRepudiationInformation disclosureDenial of serviceElevation of privilege
Damage potentialReproducibilityExploitabilityAffected usersDiscoverability
Architectureanalysis of the system's architecturefont color=\"#e74f4c\
Stage l:Definition of ObjectivesStage Il:Definition of Technical ScopeStage Ill:App Decomposition AnalysisStage IV:Threat AnalysisStage V:Weakness Vulnerability AnalysisStage VI:Attack Modeling SimulationStage VIl:Risk Analysis Management
攻击模拟和威胁分析过程 (PASTA)Process for Attack Simulation and Threat Analysis (PASTA)focuses on developing countermeasures based on asset value
威胁建模Threat modeling
Awareness of common flaws like injection attacks prevent coding mistakes
Training and awareness
Documented process
Focusing on meeting acceptance criteria can be one way of simplifying the task of ensuring that security requirements are met
Having well-defined test cases for security requirements can help avoid vulnerabilities such as OWASP Top 10 application security risks.
Test-driven development
避免开发过程中的常见漏洞Avoid common vulnerabilities during development
The practice of designing systems and software to avoid security risks
Essentially a proactive risk mitigation practice
Standards and organizations exist that work to mature these practices
The oWASP Top 10 is an awareness document that represents a broad consensus about the most critical security risks to web applications.
Broken Access ControlCryptographic FailuresInjectionInsecure DesignSecurity MisconfigurationVulnerable and Outdated ComponentsIdentification and Authentication FailuresSoftware and Data Integrity FailuresSecurity Logging and Monitoring FailuresServer-Side Request Forgery
CLOUD-NATIVE APPLICATION SECURITY TOP 10
开放web应用安全项目 (OWASP) 应用安全检验标准 (ASVS)Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS)
Out-of-bounds Write buffer overflowImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting)Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')Improper Input Validation Prevents injectionOut-of-bounds Read buffer overflowImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection')Use After Free buffer overflowImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Cross-Site Request Forgery(CSRF)Unrestricted Upload of File with Dangerous TypeNULL Pointer DereferenceDeserialization of Untrusted Data font color=\"#e74f4c\
CWE/SANS:TOP 25 Most Dangerous Software Errors
Injection attacksBuffer overflow attacksDirectory path traversalDenial of Service (Dos)/Distributed DoS (DDoS)Race conditionAuthentication (AuthN)and Authorization (AuthZ)
used to compromise web front-end and backend databases
SQL injection attacks Use unexpected input to a web application to gain unauthorized access to an underlying database.
INJECTIONS (INJECTION ATTACKS]Improper input handling
exists when a developer does not validate user input to ensure that it is of an appropriate size (allows Input that is too large can \"overflow\"memory buffer).
BUFFER OVERFLOWS
One of the simplest ways to perform directory traversal is by using a command injection attack that carries out the action.
Most vulnerability scanners will check for weaknesses with directory traversal/command injection and inform you of their presence.
DIRECTORY TRAVERSAL
is a resource consumption attack intended to prevent legitimate activity on a victimized system.
a DoS attack utilizing multiple compromised computer systems as sources of attack traffic.
RESOURCE CONSUMPTION
A condition where the system's behavior is dependent on the sequence or timing of other uncontrollable events.
a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request.
Problem occurs when the state of the resource changes between the time of the check and the time it is actually used
Time-of-Check-to-Time-of-Use(TOCTOU)
It becomes a bug when one or more of the possible behaviors is undesirable.
RACE CONDITIONS
ATTACK TYPES and CONCEPTSATTACK TYPES and CONCEPTS
First published \"Fundamental Practices for Secure Software Development\"
Designed to help software industry adopt and use these best practices effectively
卓越代码软件保障论坛 (SAFECode)Software Assurance Forum for Excellence in Code (SAFECode)
This is where source code and related artifacts (such as libraries)are stored
Do not commit sensitive information
Protect access to your code repositories
Sign your work
Keep your development tools (IDE)up-to-date
Code Repositories
安全编码Secure coding
helps reduce outages or weakened security from unauthorized changes.
Versioning uses a labeling or numbering system to track changes in updated versions of software.
Baselining is an important component of configuration management.
a baseline is a snapshot of a system or application at a given point in time
should also create artifacts that may be used to help understand system configuration
system and component-level versioning
SCMSoftware Configuration Management
An emerging strategy and standard in tracking software versions is software bill of materials (SBOM)
The SBOM font color=\"#e74f4c\
software bill of materials (SBOM)
软件配置管理和版本控制Software configuration management and versioning
4.3 应用安全软件开发生命周期 (SDLC)Apply the Secure Software Development Life Cycle (SDLC)
Development
where developers integrate all of their work into a single application.
Regression testing to ensure functionality is as expected.
where we ensure quality assurance before we roll it out to production.
QA happens here
Staging
Production
ENVIRONMENT
determines if software meets functionality requirements defined earlier in the SSDLC
regression testing that validates whether bugs were reintroduced between versions
Focuses on specific features and functionality
Functional testing
focuses on the quality of the software
looks at software qualities like stability and performance
Examines the way the system operates font color=\"#e74f4c\
Non-functional testing
功能和非功能测试Functional and non-functional testing
Define a system or its component and specifies what it must do.
EXAMPLE:application forms must protect against injection attacks
Specify the system's font color=\"#e74f4c\
Apply to the whole system (system level)
EXAMPLE:security certifications arc non-functional.
FUNCTIONAL SECURITY REQUIREMENTS
conducted font color=\"#e74f4c\
tester has no knowledge of any of these elements at the outset of a test.
'zero knowledge testing
黑盒blackbox
conducted with font color=\"#e74f4c\
Static application testing is one example
\"Full knowledge testing
白盒whitebox
StaticApplication Security Testing
analysis of computer software performed without actually executing programs
tests \"inside out\" requires source code
静态static
a program which communicates with a web application (executes the application)
tester has no knowledge of the technologies or frameworks that the application is built on
tests \"outside in\" no source code required
动态dynamic
is used to track the components of a software package or application
is of special concern for apps built with open-source software components
because open-source components often involve reusable code libraries
软件组成分析(SCA)Software Composition Analysis (SCA)
analyzes code for vulnerabilities while it's being used
focuses on real time reporting to optimize testing and analysis process
Often built into CI/CD automated release testing
交互式应用程序安全测试 (IAST)interactive application security testing (IAST)
安全测试方法Security testing methodologies
PROCESS:is frequently a combination of font color=\"#e74f4c\
GOAL:is to ensure software meets standards or requirements.
质量保证 (QA)Quality assurance (QA)
A way to use a feature that was font color=\"#e74f4c\
Focuses on using features in ways that weren't intended by the developer.
Can help orgs to consider security features and controls needed for an application
Testing generally focuses on documented abuse cases
Abuse case Test
滥用案例测试Abuse case testing
4.4 应用云软件保障和验证Apply cloud software assurance and validation
APIs (SOAP or REST) is a set of exposed interfaces that allow programmatic interaction between services. no user/human involved
SOAP is a standard communication protocol system that uses XML technologies
REST is an architectural model that uses HTTPS for web communications to offer API endpoints
保护应用编程接口 (API)Securing application programming interfaces (API)
A secure supply chain includes font color=\"#e74f4c\
供应商评估vendor assessment
Traditional vendor evaluation options may include
Supply Chain Evaluation
Third-party Audit.Review an independent auditor's unbiased review of an entity's security infrastructure.
Review font color=\"#e74f4c\
Vendor evaluation in the cloud
供应链管理Supply-chain management
许可licensing
A third party may have limited access to your systems but will often have direct access to some portion of your data.
Typical issues addressed in software vendor assessment include:
第三方软件管理Third-party software management
One in which the vendor makes the license freely available and allows access to the source code though it might ask for an optional donation.
open Source
Are more expensive but tend to provide more/better protectionand more functionality and support (at a cost).
Proprietary
OSS vs PROPRIETARY
Some argue that open-source software is more secure because the source code is available to review.
Sandbox testingVulnerability scansThird-party verifications
Adequate validation testing is required and may be achieved through:
经过验证的开源软件Validated open-source software
4.5 使用经过验证的安全软件Use verified secure software
protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
typically protects web applications from font color=\"#e74f4c\
web应用防火墙 (WAF)web application firewall (WAF)
combines network data and database audit info in real time to analyze database activity forfont color=\"#e74f4c\
数据库活动监控 (DAM)Database Activity Monitoring (DAM)
used to protect services that rely on XML based interfaces including some web apps
Usually implemented as a proxy
可扩展标记语言 (XML) 防火墙Extensible Markup Language (XML) firewalls
provides authentication and key validation services that control APl access
应用编程接口 (API) 网关application programming interface (API) gateway
One reason that we need a good firewall is to filter incoming traffic to protect our cloud-hosted infrastructure and applications from hackers or malware.
Cost
Network segmentation should be supported with appropriate traffic filtering/restriction with the firewall type that is most appropriate for the use case.
The firewall can filter traffic between virtual networks and the Internet.
Need for Segmentation
Open Systems Interconnection (OSI)Layers
Firewall Considerations in a cloud Environment
补充安全组件Supplemental security components
子主题
Helps protect font color=\"#e74f4c\
Transparent data encryption(TDE)
Data in motion is most often encrypted using TLS(HTTPS)
Hybrid (site-to-site)and cross-cloud connectivity is often encrypted by VPN
PROTECTING DATA IN MOTION
密码学Cryptography
Cfont color=\"#e74f4c\
Enables patch and test and ensures a system is secure before putting it into a production environment.
Also facilitates investigating dangerous malware.
Sandboxes provide an environment for evaluating the security of code without impacting other systems.
沙盒Sandboxing
微服务microservices
Reduces overhead of server virtualization by enabling containerized apps to run on a shared OS kernel.
Can be used in some cases to isolate existing applications developed to run in a VM with a dedicated operating system.
Container hosts are cloud-based virtual machines (VM).This is where the containers run
Most CSPs offer hosted Kubernetes service. handles critical tasks like health monitoring and maintenance for you.Platform-as-a-Service
Major CSPs also offer a monitoring solution that will identify at least some potential security concerns
Managed Kubernetes
CONTAINER ORCHESTRATION
cloud orchestration allows a customer to manage their cloud resources centrally in an efficient and cost-effective manner.
This is especially important in a multi-cloud environment.
Management of the complexity of corporate cloud needs will only increase as more computing workloads move to the cloud.
Allows the font color=\"#e74f4c\
Implements automation in a way that manages cost and enforces corporate policy in and across clouds.
Major CSPs offer orchestration tools that work on their platform and third partics offer multi-cloud orchestration solutions
CLOUD ORCHESTRATION
应用程序虚拟化和编排Application virtualization and orchestration
4.6 了解云应用架构的细节Comprehend the specifics of cloud application architecture
You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization.
This sign-in method ensures that all user authentication occurs on-premises.
Allows administrators to implement more rigorous levels of access control.
Example
联合身份Federated identity
Other IDaas options include OKTA and DUO
身份提供商 (IdP)Identity providers (IdP)
Single sign-on means a user doesn't have to sign into every application they use.
The user logs in once and that credential is used for multiple apps.
Single sign-on based authentication systems are often called \"modern authentication\".
This is a common user experience issue in enterprise desktop scenarios
单点登录 (SSO)Single sign-on (SSO)
Something you know(pin or password)Something you have(trusted device)Something you are (biometric)
PhishingSpear phishingKeyloggersCredential stuffingBrute force and reverse brute force attacksMan-in-the-middle (MITM)attacks
PREVENTS
多因子验证 (MFA)Multi-factor authentication (MFA)
Enforces the company's data security policies between on-premises and the cloud.
Combines the ability to control use of services with data loss prevention and threat management features
云访问安全代理 (CASB)Cloud access security broker (CASB)
CSPs offer a cloud service for centralized secure storage and access for application secrets
Your Cl/CD pipelines should leverage centralized storage of secrets rather than hard-coded values or storage on disk
密钥/凭据管理Secrets management
4.7 设计适当的身份和访问管理 (IAM) 解决方案Design appropriate identity and access management (IAM) solutions
D4 云应用安全Cloud Application Security
a physical computing device that safeguards and font color=\"#e74f4c\
Key Escrow uses an HSM to store and manage private Keys
Cloud Service Providers all offer a cloud-based HSM solution for customer-managed key scenarios
硬件安全模块 (HSM) hardware security module (HSM)
A chip that resides on the motherboard of the device.
Virtual TPMs are part of the hypervisor and Provided to VMs running on a virtualization platform.
可信赖平台模块 (TPM)Trusted Platform Module (TPM)
It verifies that the keys match before the secure boot process takes place
TPM is often used as the basis for a hardware root of trust
Hardware Root of Trust
硬件特定的安全配置要求Hardware specific security configuration requirements
and has capacity to reprogram the data plane at any time
use cases include SD-LAN and SD-WAN
separating the control plane from the data plane opens up a number of security challenges
SDN vulnerabilities can include man-in-the-middle attack (MITM)and a service denial (Dos). secure with TLS
Separate VPCs can be isolated using public and private networks.
Virtual Private Cloud (VPC)
The environment needs to be segmented public subnets that can access the Internet directly (through a firewall)and protected private networks.
Virtual networks can be connected to other networks with a VPN gateway or network peering.
Public and Private Subnets
CLOUD SECURITY CONTROLS-NETWORK
Management tooling considerations on cloud infrastructure:
Configuration management and change management:Tools and the infrastructure that supports them should be placed under configurationmanagement to ensure that they stay in font color=\"#e74f4c\
管理工具的安装和配置Installation and configuration of management tools
网络network
内存memory
中央处理器 (CPU)central processing unit (CPU)
Hypervisor 类型 1 和 2Hypervisor type 1 and 2
a VM shares physical hardware with potentially hundreds of other VMs
Configuration:Ensure that the hypervisor has been configured correctly to provide the minimum necessary functionalityDisallowing inter-VM network communications if not required and encrypting VM snapshots
There are two main forms of control you should be aware of:
Enables granular network segmentation in a ZTNA(Zero-Trust Network Access,零信任网络接入)
Security Groups:a security group is similar to an access control list (ACL)for network access.
They have distinctrules for inbound and outbound traffic.
Particular concerns for virtual network security controls include:
虚拟硬件特定的安全配置要求Virtual hardware specific security configuration requirements
Virtualization toolsets installed on the VM
Toolsets exist that can font color=\"#e74f4c\
安装客户操作系统 (OS) 虚拟化工具集Installation of guest operating system (OS) virtualization toolsets
5.1 为云环境构建和实现物理和逻辑基础架构Build and implement physical and logical infrastructure for cloud environment
the native remote access protocol for Windows operating systems.
远程桌面协议 (RDP)Remote Desktop Protocol (RDP)
安全外壳 (SSH)Secure Shell (SSH)
RDP and SSH both support encryption and MFA
a system for secure local access.
安全终端访问secure terminal access
基于控制台的访问机制console-based access mechanisms
A KVM (keyboard video mouse)system with access controls
a bastion host at the boundary of lower and higher security zones.
跳板机jumpboxes
software tools that allow remote connection to a VM for use as if it is your local machine.
e.g.Virtual Desktop Infrastructure (VDI)for contractors
虚拟客户端virtual client
Access to any of these can be gated with a privileged access management PAM)solution on the IAM platform used by the CSP
Local and Remote Access Methods
Full tunnel means font color=\"#e74f4c\
Split tunnel uses VPN for font color=\"#e74f4c\
Split tunnel vs full tunnel
In a remote access scenario a connection is initiated from a users PC or laptop for a connection of shorter duration. IPSec transport mode
Remote access vs site-to-site
VIRTUAL PRIVATE NETWORK (VPN)
Session Encryption:Data transmitted in remote access sessions must be encrypted using strong protocols such as TLS 1.3 and session keys.
Enhanced logging and reviews:All font color=\"#e74f4c\
Use of identity and access management tool:Many CSPs offer Identity-as-a-Service (IDaas)that enables strong authentication and access controls schemes
Single sign-On (sso):IDaas solutions enable users to log into other services using their company accounts.Many IDaaS solutions function as an SSO provider.
Separate privileged and nonprivileged accounts:A general best practice for administrative users is the use of a dedicated admin account for sensitive functions and a standard account for day-to-day use.
Temporary elevation of privilegeApproval gatesAn audit trail when privilege is activatedAn access review process(to avoid permissions sprawl)
Solution features
本地和远程访问的访问控制Local and Remote Access controls
no entity is trusted by default!
Assumes compromise/breach in verifying every request.
Zero Trust Security
Network Security Group (NSG)Network FirewallsInbound and outbound traffic filteringInbound and outbound traffic inspectionCentralized security policy management and enforcement
Network security groups provide an additional layer of security for cloud resources
Carries a list of security rules (IP and port ranges) that allow or deny network traffic to resource instances.
Provides a virtual firewall for a collection of cloud resources with the same security posture.
NETWORK SECURITY
Restricting services that are permitted to access or be accessible from other zones using rules to control inbound/outbound traffic.
Our VPC contains private subnets.Each of these subnets has its own CIDR IP address range and cannot connect directly to the internet.
They could be configured go through the NAT gateway if outbound internet connectivity is desired.
Client VMs and database servers will often be hosted in a private subnet.
Private Subnets
where traffic moves laterally between servers within a data center.
north-south traffic moves outside of the data center.
East-West Traffic
a collection of devices that communicate with one another as if they made up a single physical LAN.
Creates a distinct broadcast domain
VLANVirtual Local Area Network
a subnet is placed between two routers or firewalls.
bastion host(s)are located within that subnet.
Screened Subnetaka 'DMZ\"
SECURE NETWORK DESIGN
Many public clouds offer a virtual private cloud (VPC) which is essentially a sandboxed area within the larger public cloud dedicated to a specific customer.
虚拟局域网 (VLAN)virtual local area networks (VLAN)
Network peering is another method for connecting virtual networks in the cloud.
Peering is the more common option between cloud networksSite-to-site VPN common for on-premises to cloud connectivity
VPC Connectivity
Data in motion is most often encrypted using TLS or HTTPSThis is typically how a session is encrypted before a user enters the credit card details.
TLs uscs an x509 certificate with a public/private key pair
传输层安全 (TLS)Transport Layer Security (TLS)
The IP address associated with a system event can be used when identifying a user or system
Some hypervisors offer a feature to limit which network cards are eligible to perform DHCP offerThis prevents roque DHCP servers from issuing IPs to clients and servers
动态主机配置协议 (DHCP)Dynamic Host Configuration Protocol (DHCP)
A set of specifications primarily aimed at reinforcing the integrity of DNS
Achieves this by providing for cryptographic authentication of DNS data using digital signatures
Provides proof of origin and makes cache poisoning and spoofing attacks more difficult
域名系统安全扩展 (DNSSEC)Domain Name System Security Extensions (DNSSEC)
虚拟专用网络 (VPN)virtual private network (VPN)
Chain of Custody
Digital Signatures prove that a digital message or document was not modified-intentionally or unintentionally-from the time it was signed.based on asymmetric cryptography (a public/private key pair) the digital equivalent of a handwritten signature or stamped seal.
message authentication code(MAC).the two parties that are communicating can verify non-repudiation using a session keyElectronic financial transfers (EFTs)Frequently use MACs to preserve data integrity.
Hashing can be implemented to detect unintentional data modifications. integrity
Additional security measures like digital signatures or hash-based message authentication code (HMAC)can be used todetect intentional tampering.
安全网络配置Secure network configuration
防火墙firewalls
入侵检测系统 (IDS)intrusion detection systems (IDS)
Host-based (HIDS and HIPS)Network (NIDS and NIPS)Hardware vs Software
入侵防御系统 (IPS)intrusion prevention systems (IPS)
蜜罐honeypots
漏洞评估vulnerability assessments
A host used to allow administrators to access a private network from a lower security zone
Will have a network interface in both the lower and higher security zones
Will be secured at the same level as the higher security zone it's connected to.
A dedicated host for secure admin access
'Jumpbox'or jump server'two common names for bastion hosts
堡垒主机bastion host
网络安全控制Network security controls
Windows
Linux
VMware
Hardening is the configuration of a machine into a secure state through application of a configuration baseline.
Baselines can be applied to a single font color=\"#e74f4c\
The Center for Internet Security (CIS)offers hardened VM images in CSP marketplaces
OS Hardening
a high-level description of a feature or activity that needs to be addressed and is not specificto a technology or implementation.
control
Benchmark
is the implementation of the benchmark on the individual service.
Baseline
control ls expressed as Benchmark and implemented through a Baseline
Benchmarks describe configuration baselines and best practices for securely configuring a system.
BENCHMARKS/SECURE CONFIGURATION GUIDES
ensures that systems are kept up-to-date with current patches.
process will font color=\"#e74f4c\
system audits verify the deployment of approved patches to system
patch both native OS and 3rd party apps apply out-of-band updates promptly.
Cloud service providers(CSP)generally provide a patch management feature tailored to their laas offering.
补丁管理Patch managementaka \"update management\"
laC is a key Devops practice and is used in conjunction with continuous integration and continuous delivery (CI/CD).
lac is very common (the standard)in the cloud
cloud-Native controls
Third-party tools adds more font color=\"#e74f4c\
Third-Party Solutions
lac must know the current state;it must know whether the infrastructure already exists to know whether to create it or not.
Impcrative deployment methodologies are unawarc of current state
Declarative
Deployment of an laC template can be applied multiple times without changing the results.
ldempotent
two distinct characteristics of IaC
基础设施即代码 (IaC) 策略Infrastructure as Code (IaC) strategy
Reservations are guarantees for a certain minimum level of resources available to a specified virtual machine.
A limit is a maximum allocation.
A share is a weighting given to a particular VM
Share value is used to calculate percentage-based access pooled resources when there is contention.
Cluster management agent
Distributed Resource Scheduling (DRS) is the coordination element in a cluster of VMware ESXi hosts
DRS mediates access to the physical resources.
分布式资源调度distributed resource scheduling
Dynamic Optimization is Microsoft's DRS equivalent delivered through their cluster management software.
动态优化dynamic optimization
存储集群storage clusters
维护模式maintenance mode
高可用性(HA)high availability (HA)
集群主机的可用性Availability of clustered hosts
Customer can use font color=\"#e74f4c\
Guest OS availability
Backup and recovery
Resiliency is achieved by architecting systems to handle failures from the outset rather than needing to be recovered.
Resiliency
客户操作系统 (OS) 的可用性Availability of guest operating system (OS)
CSP should implement monitoring to ensure that they are able to meet customer demands and promised capacity.
Consumer should monitor to ensure CSP is meeting their obligations
Most monitoring tasks will be in support of the availability objective.
Alerts should be generated based on established thresholds and appropriate response plans initiated.
\"CORE 4\
计算compute
响应时间response time
性能和容量监控Performance and capacity monitoring
Physical hardware is necessary to provide all the services that enable the virtualization that enables cloud computing.
磁盘disk
风扇速度fan speed
温度temperature
硬件监控Hardware monitoring
Saas.CSP retains full control over backup and restore and will often have SLA restore commitments.
Customer typically has shared responsibility for their data
Paas.font color=\"#e74f4c\
laas.Consumer owns backup/recovery of VMs.
Responsibility by category
Sensitive data may be stored in backups.
Access controls and need-to-know principles to limit exposure
Physical separation:backups should be stored on different hardware or availability zones.
Zone redundant or geo-redundant cloud storage
Integrity of all backups should be verified routinely to ensure that they are usable.
considerations
主机和客户操作系统 (OS) 备份和恢复功能的配置Configuration of host and guest operating system (OS) backup and restore functions
Provides virtual management options analogous to physical admin options of a legacy datacenter
调度scheduling
Orchestration is the automated configuration and management of resources in bulk
Patch management and VM reboots are commonly orchestrated tasks
The management console is the web-based consumer interface for managing resources
CSP must ensure management portal calls to the management plane only allow customer access to their own resources.
维护maintenance
5.2 运行和维护云环境的物理和逻辑基础架构 Operate and maintain physical and logical infrastructure for cloud environment
refers to the process of evaluating a change request within an organization and deciding if it should go ahead.
requests are sent to the Change Advisory Board (CAB) to ensure that it is beneficial to the company.
requires changes to be font color=\"#e74f4c\
Guidance on the process
Change Management policy that details how changes will be processed in an organization
The process in action
Change Control process of evaluating a change request to decide if it should be implemented
change management/change control
In an environment that leverages font color=\"#e74f4c\
Automating change management
Helps reduce outages or weakened security from unauthorized changes.
变更管理Change management
Baseline is composed of individual settings called configuration items (CI)
配置管理Configuration management
Continuity is concerned with the availability aspect of the CIA triad
Both deal with business continuity and disaster recovery (BCDR) terms that fall under the larger category of continuity management.
NIST Risk Management Framework and ISO 27000
Healthcare data in the United States is governed by this standard.
Health Insurance Portability and Accountability Act (HIPAA)
This specifies the requirements needed for an organization to font color=\"#e74f4c\
ISO 22301:2019 Security and resilience-BC management systems
There are a variety of standards related to continuity management.
连续性管理Continuity management
The goal of information security management is to ensure a consistent organizational approach to managing security risks
It is the approach an organization takes to font color=\"#e74f4c\
A global standard for information security management that helps organizations protect their data from threats.
Asecurity standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems.
ISO/IEC 27017 D1.5
The first international standard about the privacy in cloud computing services
Is a\"Code of practice for protection of personally identifiable information(Pll) in public clouds acting as Pll processors\".
ISO/IEC27018 D6.2
ISO/IEC 27701
RMF's audience is the entire federal government and CSF is aimed at font color=\"#e74f4c\
NIST RMF & CSF
Provides a catalog of security and privacy controls for all U.S.federal information systems except those related to national security.
NIST SP 800-53
Service Organization Controls (SOC 2) framework has seen wide adoption among CSPs as well as the use of a third party to perform audits.
This also provides increased assurance for business partners and customers who cannot audit the CSP directly
AICPA SOC 2
Standards that provide guidance for implementing and managing security controls in a cloud environment include:
信息安全管理Information security management
One critical element of continual service improvement includes areas of monitoring and measurement
These often take the form of security metrics.
Metrics need to be font color=\"#e74f4c\
Business leaders will be less interested in technical topics.
The metrics should be used to aggregate information and present it in an easily font color=\"#e74f4c\
连续的服务改进管理Continual service improvement management
Events are font color=\"#e74f4c\
Not all incidents will require the security tcam but exam focus is security
All incidents should be investigated and remediated to restore the organization's normal operations and to minimize adverse impact
A popular security incident management methodology is the NIST SP 800-61 rev2 \"Computer Security Incident Handling Guide'
Preparation
Determining whether or not an organization has been breached. Is it really an incident?
Identification
Limiting damage (scope) of the incident.
Containment
Eradication
Root cause is addressed and time to return to normal operations is estimated and executed.
Recovery
Lessons Learned
6 phases of incident response
事故管理Incident management
problem management utilizes root-cause analysis to identify the underlying problem(s)that lead to an incident.
It also aims to minimize the likelihood of future recurrence
An unsolved problem will be documented and tracked in a known issues or known errors database.
问题管理Problem management
The primary change is the frequency of releases due to the increased speed of development activities in continuous integration/continuous delivery(CI/CD).
Release scheduling may require coordination with customers and CSP.
Changes that impact data exposure may require Security team
Some of the font color=\"#e74f4c\
The increased automation and pace of release in Agile and CI/CDtypical to the cloud necessitates automated security testing and policy controls.
发布管理Release management
Even organizations with continuous deployment may require some deployment management processes to deal with deployments that cannot be automated
Processes for new software and infrastructure should be documented
Containerization(managed Kubernetes)is common in mature organizations supporting more frequent deployment in public cloud environments
Fully automated deployment requires greater coordination with and integration of information security throughout the development process
部署管理Deployment management
SLAs are like a contract focused on measurable outcomes of the service being provided
Should include clear metrics that define 'availability'for a service
Cloud infrastructure decisions should be made with the SLA in mind
Defining the levels of service is usually up to the cloud service provider(CSP) in public cloud environments.
服务等级管理Service level management
A service may be \"up\
Many of the same concerns that an organization would consider in business continuity and disaster recovery apply in availability management
BCDR plans aim to quickly restore service availability in adverse events
Customer must configure services to meet their requirements
可用性管理Availability management
One of the core concerns of availability is the amount of service capacity available compared with the amount being subscribed to.
Responsibility for capacity management belongs to font color=\"#e74f4c\
The cloud provides the \"perception of unlimited capacity\
容量管理Capacity management
Specifies requirements for \
ISO/IEC 20000-1
or \"electronic discovery\
Usually associated with collection of electronic informdtion for legal purposes or security breach
eDiscovery
ISO/IEC 27037:2012
Guide for incident investigation
ISO/IEC 27041:2015
Guide for digital evidence analysis.
ISO/IEC 27042:2015
Guide for incident investigation principles and processes
ISO/IEC 27043:2015
A four-part standard within the ISO/IEC 27000 family of information security standards
ISO/IEC 27050
Free guidance in Domain 3:Legal Issues:Contracts and Electronic Discovery
CSA Security Guidance
FORENSIC INVESTIGATION STANDARDS
Logs are essential
Document everything
Volatile data(data not on a durable storage)requires special handling and priority. Collect data from volatile sources first
Consider volatility
Evidence collection Process
Utilize original physical media
at multiple steps by font color=\"#e74f4c\
Verify data integrity
Follow documented procedures
with font color=\"#e74f4c\
Communication with relevant parties and communication plans covered in section 5.5
Establish and maintain communications
Evidence collection Best Practices
取证数据收集方法Forensic data collection methodologies
protecting any documents that can be used in evidence from being altered or destroyed.
sometimes called litigation hold
Legal Hold
chain of Custody
describes what is relevant when collecting data
collection from shared resources may expose other customers data
Scope of data collection is more challenging in the cloud
SCOPE of evidence
证据管理Evidence management
The cloud comes with additional challenges when it comes to forensic investigation
Do you know where the data is hosted?And laws of countries it's hosted in?
Many cloud services store copies of data in multiple locations
Data location:
Rights and responsibilities:
Are your forensic tools suitable for a multi-tenant environment?What is your organizations liability if you unintentionally capture another customer's data on a shared resource?
e.g remnants of a previous customer's data on physical storage
Tools:
Laws and regulations impact a consumer's ability to perform forensic data collection in the cloud
Cloud data should be stored and have data sovereignty in region stored.
Many countrics have laws requiring businesses to store data within their borders.
Regulatory and Jurisdiction
The US introduced the Clarifying Lawful Overseas Use of Data (CLOUD)Act in 2018 dueto the problems that FBI faced in forcing Microsoft to hand over data stored in Ireland.
Aids in evidence collection in investigation of serious crimes
Verifying audit and forensic data collection rights with your CSP to ensure you understand your rights and their legal obligations before you sign contracts is critical.
Forensic investigators should know their legal rights in every jurisdiction (region or country)where the organization hosts data in the cloud.
Some countries will not allow eDiscovery From outside their borders
cloud considerations (cont)
Time stamps and offsets can be more challenging due to location.
Maintaining a proper chain of custody is more challenging in the cloud
chain of custody
Breach notification laws
ON PREMISES VS CLOUD
Evidence should possess these five attributes to be useful.
The information should be genuine and clearly correlated to the incident or crime.
Authentic:
The truthfulness and integrity of the evidence should not be questionable.
Accurate:
All evidence should be presented in its entirety even if it might negatively impact the case being made.
Complete:
It is illegal in most jurisdictions to hide evidence that disproves a case.
The evidence should be understandable and clearly support an assertion being made.
Convincing:
Hearsay (indirect knowledge of an action)or evidence that has been tampered with may be thrown out by a court
Admissible:
EVIDENCE UTILITY
Requirements for evidence to be admissible in a court of law:
Evidence must be relevant to a fact at issue in the case. Makes a fact more or less probable
The fact must be material to the case.
The evidence must be competent (reliable).
Must be obtained by legal means
EVIDENCE ADMISSIBILITY
You must begin to collect evidence and as much information about the incident as possible.
Evidence can be used in a subsequent legal action or in finding attacker identity.
Evidence can also assist you in determining the extent of damage.
ACQUISITION OF EVIDENCE
Using a cloud service font color=\"#e74f4c\
Control
Evidence collected while investigating a security incident may unintentionally include data from another customer.
Multitenancy and shared resources
Sharding font color=\"#e74f4c\
Data volatility and dispersion
DATA COLLECTION CHALLENGES IN THE CLOUD
If it disappears in font color=\"#e74f4c\
FOR THE EXAM:Remember that volatile (perishable) information should be collected first.
ORDER OF VOLATILITY
Proper evidence handling and decision making should be a part of the incident response procedures and trainingfor team members performing response activities.
Collection
Examination
Analysis
Reporting
four general phases:
EVIDENCE COLLECTION AND HANDLING
Protections for evidence storage include:
EVIDENCE PRESERVATION
Areas and considerations in evidence acquisition
Disk aka hard drive.Was the storage media itself damaged?
Random-access memory (RAM).Volatile memory used to run applications.
Swap/Pagefile.used for running applications when RAM is exhausted.
OS (operating system).Was there corruption of data associated with the OS or the applications?
The font color=\"#e74f4c\
a coding expert to compare both lots of source code in a technique called regression testing. rootkits and backdoors are concerns
Snapshot.if the evidence is from a font color=\"#e74f4c\
Cache. special high-speed storage that can be either a reserved section of main memory or an independent high-speed storage device.
Network.OS includes command-line tools (like netstat)that provide information that could disappear if you reboot the computer.
ACQUISITION
It can be used as a checksum to ensure integrity later.
File can be hashed before and after collection to ensure match on the original hash value to prove data integrity.
Hashes
Data provenance effectively provides a historical record of data and its origin and forensic activities performed on it.
Similar tofont color=\"#e74f4c\
Provenance
INTEGRITY
Data needs to be preserved in its original state so that it can be produced as evidence in court.
original data must remain unaltered and pristine
an image or font color=\"#e74f4c\
Putting a copy of the most vital evidence in a WORM drive will prevent any tampering with the evidence (you cannot delete data from a WORM drive.)
You could also write-protect/put a legal hold on some types of cloud storage.
\"forensic copy\"of evidence
PRESERVATION
5.4 支持数字取证Support digital forensics
Both company security policics (transparency) AND regulatory compliance (law)shape communication
The plan that details how relevant stakeholders will be informed in event of an incident. (like a security breach)
Would include plan to maintain confidentiality such as encryption to ensure that the event does not become public knowledge.
Communication Plan
Stakeholder Management
Vendors:The first step in establishing communication with vendors is an inventory of critical third parties on which the organization depends.
This inventory will drive vendor risk management activities in two ways:
1)Some vendors may be critical to the company's font color=\"#e74f4c\
2)Others may provide critical inputs to a company's revenue generation
Vendor communications may be governed by contract and SLA
供应商Vendors
Consumers should define (or at least monitor) communication SLA
客户Customers
Partners:Often have a level of access to a company's systems similar to that of the company's own employees but are not under company control.
Communication neede will evolve through partner font color=\"#e74f4c\
合作伙伴Partners
Regulators:Most regulators have developed cloud-specific guidance for compliant use of cloud services.
监管机构Regulators
Procedures for order and timing of contact should be created
Some cyber insurance providers require that they are the first point of contact in the event of a security incident
其他利益相关者Other stakeholders
Who is responsiblefor communication?
SHARED RESPONSIBILITY FOR SECURITY
5.5 管理与相关方的沟通Manage communication with relevant parties
A support unit designed to centralize a variety of security tasks and personnel at the tactical (mid-term)and operational (day-to-day) levels.
Both the CSP and consumer should have a SOC function
Threat PreventionThreat DetectionIncident ManagementContinuous Monitoring ReportingAlert PrioritizationCompliance Management
Key functions of the SOC include:
安全运营中心 (SOC)Security operations center (SOC)
a form of auditing that focuses on active review of the log file data.
used to hold subjects accountable for their actions also used to monitor system performance.
tools such as IDSs or SIEMs automate monitoring and provide real-time analysis of events.
MONITORING
The RMF specifies the creation of a continuous monitoring strategy for getting near real-time risk information.
These devices should be continuously monitored to ensure they are Functional
Monitoring for functionality should include monitoring font color=\"#e74f4c\
MONITORING SECURITY CONTROLS
A piece of purpose-built network hardware.
May offer more configurable support for LAN and WAN connections.
Often has superior throughput versus software because it is hardware designed for the speeds and connections common to an enterprise network.
Hardware
Software based firewalls that you mightinstall on your own hardware
Provide flexibility to place firewalls anywhere you'd like in your organization.
Host-based (software)are more vulnerable to being disabled by attackers
Software
HARDWARE Vs SOFTWARE
Typically caters specifically to application communications.
Often that is HTTPS or Web traffic.
An example is called a web application firewall (WAF)
Anapplication font color=\"#e74f4c\
Host-based
Available from both the CSP directly and third-party partners (commercial firewall vendors)
Virtual
APPLICATION vs HOST-BASED vs VIRTUAL
Watch network traffic and restrict or block packets based on source and destination addresses or other static values.
Not 'aware' of traffic patterns or data flows.
stateless
Can watch traffic streams from end to end.
Are aware of communication paths and can implement various IP security functions such as tunnels and encryption.
Better at identifying unauthorized and forged communications.
Stateful
FIREWALL AND STATE
Protect web applications by filtering and monitoring HTTPS traffic between a web application and the Internet.
Some come pre-confiqured with OWASP rulesets
WAF
a deep-packet inspection firewall that moves beyond port/protocol inspection and blocking.
NGFW
MODERN FIREWALLS
generally responds passively by logging and sending notifications
is placed in line with the traffic and includes the ability to block malicious traffic before it reaches the target
can monitor activity on a single system only.
A drawback is that attackers can discover and disable them
HIPS
NIPS
FLAVORS OF INTRUSION DETECTION SYSTEMS
a system that often has pseudo flaws and fake data to lure intruders
A group of honeypots is called a honeynet
Lure bad people into doing bad things.Lets you watch them.
Only font color=\"#e74f4c\
Goal is to distract from real assets and isolate in a padded cell until you can track them down.
Focuses on accomplishing \"smart\"tasks combining machine learning and deep learning to emulate human intelligence
Artificial Intelligence
Machine Learning
a subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.
Deep Learning
人工智能 (AI)artificial intelligence (AI)
安全控制的智能监控Intelligent monitoring of security controls
This is based on the interaction of a user that focuses on their identity and the data that they would normally access on a normal day
It tracks the devices that the user normally uses and the servers that they normally visit.
User Entity Behavior Analysis (UEBA)
Artificial intelligence and machine learning to identify attacks.
Sentiment Analysis
安全信息和事件管理 (SIEM)security information and event management (SIEM)
Tooling that allows an organization to define incident analysis and response procedures in a digital workflow format.
Integrates your security processes and tooling in a central location (SOC).
These make it faster than humans in identifying and responding to true incidents.
Reduces MTTD and accelerates response
Uses playbooks that define an incident and the action taken.Capabilities vary by situation & vendor
system that collects data from many other sources within the network.
provides real-time font color=\"#e74f4c\
SIEM
centralized alert and response automation with threat-specific playbooks.
response may be fully automated or single-click.
SOAR
SIEM AND SOAR
SIEM(Security Information Event Monitoring)tools can help to solve some of these problems by offering these key features:
日志管理log management
The SIEM should be on a font color=\"#e74f4c\
SIEMs can normalize incoming data to ensure that the data from a variety of sources is presented consistently.
SIEM features
SIEM has font color=\"#e74f4c\
Log Collectors
Can correlate and aggregate events so that duplicates are filtered and a better understanding network events is achieved to help identify potential attacks.
Log Aggregation
Packet Capture
The SIEM system collects a massive amount of data from various sources.
Data Inputs
LOG COLLECTION AND ANALYSIS WITH A SIEM
should be protected by centrally storing them and using permissions to restrict access.
archived logs should be set to read-only to prevent modifications.
Log files play a core role in providing evidence for investigations.You'll want to be familiar with the many different types of log files a typical SIEM might ingest.
Network:This log file can identify the IP and MAC addresses of devices that are attached to your network.Usually sent to a central syslog server
NIDS/NIPS can be important in identifying threats and anomalies from these.
log files from a proxy server can reveal who's visiting malicious sites
The collective insight may be useful in stopping DDos attack
information collected about font color=\"#e74f4c\
400 series HTTP response codes are client-side errors
500 series HTTP response codes are server-side errors
These logs must be fed to a SIEM IDS/IPS or other system to analysis this data
These files exist on client and server systems.Sending these to a SlEM can help establish a central audit trail and visibility into the scope of an attack.
can identify attackers trying to log in to your computer systems.
captures information on file access and can determine who has downloaded certain data.
DNS query logging often disabled by default due to volume.
VolP and Call Managers:These systems provide information on the calls being made and the devices that they originate from.
may also capture font color=\"#e74f4c\
Session Initiation Protocol (SIP)Traffic:SIP is used for internet-based calls and the log files generally show:
the 200 OK is followed by an acknowledgement
Large number of calls not connecting may indicate attack
LOG FILES
Event Reporting (Review Reports)
A SIEM typically includes dashboard and collects reports that can be reviewed regularly to ensure that the policieshave been enforced and that the environment is compliant
Also highlight whether the SIEM system is effective and working properly.Are incidents raised true positives?
False positives may arise because the wrong input filters are being used or the wrong hosts monitored.
SIEM dashboards will typically provide a views into status of log ingestion and security concerns identified through correlation.
SYSLOG/SIEM
日志捕获和分析Log capture and analysis
Refers to the organization's preparation necessary to font color=\"#e74f4c\
These details should be documented in a security incident response plan that is regularly reviewed and updated.
The activity to detect a security incident in a production environment and to analyze all events to confirm the authenticity of the security incident.
Detectionand analysis
Limits the damage (scope)of the incident
Eradication is the process of eliminating the root cause of the security incident with a high degree of confidence.
Recovery should happen after the adversary has been evicted from the environment and known vulnerabilities have been remediated.
Recovery font color=\"#e74f4c\
The post-mortem analysis is performed after the recovery of a security incident.
Actions performed during the process are reviewed to determine if any changes need to be made inthe preparation or detection and analysis phases.
The lessons learned drive continuous improvement ensuring effective and efficient incident response.
Post-incidentactivity
INCIDENT RESPONSE LIFECYCLE
Use of vulnerability scanners and pen testers may be limited by your CSP's terms of service.
CSPs typically have penctration testing and scanning \"rulcs of engagement\"
RIGHT TO AUDIT IN THE CLOUD
includes routine vulnerability scans and periodic vulnerability assessments.
Vulnerability Management
Vulnerability scanners
extend beyond just technical scans and can include reviews and audits to detect vulnerabilities
Vulnerability Assessments
VULNERABILITY MANAGEMENT
A credentialed scan is a much more powerful version of the vulnerability scanner.It has higher privileges than a non-credentialed scan.
Credentialed Scan:
A non-credentialed scan has lower privileges than a credentialed scan.It will identify vulnerabilities that an attacker would easily find.
Non-Credentialed Scan:
These are passive and merely report vulnerabilities.They do not cause damage to your system.
Non-Intrusive Scans:
Can cause damage as they try to exploit the vulnerability and should be used in a sandbox and not on your live production system.
Intrusive Scans:
Configuration compliance scanners and desired state configuration in PowerShell ensure that no deviations are made to the security configuration of a system.
Configuration Review:
The combination of techniques can reveal which vulnerabilities are most easily exploitable in a live environment.
These scans look at computers and devices on your network and help identify weaknesses in their security.
Network Scans:
Application Scans:
Crawl through a website as if they are a search engine looking for vulnerabilities.
Perform an font color=\"#e74f4c\
Web Application Scans:
VULNERABILITY SCANS
CVSS is the overall score assigned to a vulnerability. It indicates severity and is used by many vulnerability scanning tools.
CVSS
CVE is simply font color=\"#e74f4c\
CVE
The CVSS score is not reported in the CVE listing you must use the National Vulnerability Database (NVD)to find assigned CVSS scores.
The CVE list Feeds into the NVD
Common Vulnerabilities and Exposures (CVE)andCommon Vulnerability Scoring System (CVSS)
software flawsmissing patchesopen portsservices that should not be runningweak passwords
A vulnerability scanner can font color=\"#e74f4c\
A credentialed vulnerability scan is the most effective as it provides more information than any other vulnerability scan.
VULNERABILITY SCAN OUTPUT
True Positive:This is where the results of the system scan agree with the manual inspection.
漏洞评估Vulnerability assessments
5.6 管理安全运营Manage security operations
D5 云安全运营Cloud Security Operations
It is important to be aware of the various laws and regulations that govern cloud computing.
It is important to identify such risks and make recommendations to mitigate them just like any other risk.
GDPR forbids the transfer of data to countries that lack adequate privacy protections
EXAMPLEConflict with GDPR and CLOUD Act
Encryption Export Controls.Dept of Commerce details limitations on export of encryption products outside the US.
Privacy (US).The basis for privacy rights is in the Fourth Amendment to the U.S.Constitution.
Privacy (EU).General Data Protection Regulation (font color=\"#e74f4c\
Export and Privacy
particularly the jurisdictions that companies need to deal with (local versus international)to protect and enforce their IP protections.
Copyright and intellectual property law
Safeguards and security controls required for privacy compliance
particularly technologies that may be sensitive or illegal under various international agreements
International import/export laws
国际法律冲突Conflicting international legislation
Laws are the legal rules.That are created by font color=\"#e74f4c\
Regulations are the rules that are created by governmental agencies.
Laws and regulations must be followed or can result in civil or criminal penalties for the organization.
Standards dictate a reasonable level of performance.
They can be created by an organization for its own purposes (internal) or come from industry bodies or trade groups (external).
Frameworks are a set of guidelines helping organizations improve their security posture.
civil law Examples include font color=\"#e74f4c\
Vendor contracts fall into this category.
Regulations likc HIPAA fall into this catcgory
Article I establishes the legislative branch.Article Il establishes the executive branch.Article Ill establishes the judicial branch.Article IV defines the relationship between the federal government and state governmentsArticle V creates a process for font color=\"#e74f4c\
SEVEN ARTICLES OF THEUS CONSTITUTION
Case law.Interpretations made by courts over time establish a body of law that other courts may refer to when making their own decisions.
Common law is a set of judicial precedents passed down as case law through many generations.
And stand as examples cited in future court cases.
A violation is known as a \"breach of contract\"and courts may take action to enforce the terms of a contract.
TYPES OF LAW
Liable means \"responsible or answerable in law;legally obligated\".
Criminal liability occurs when a person violates a criminal law.
civil liability occurs when one person claims that another person has failed to carry out a legal duty that they were responsible for.
Comes in two forms:
LEGAL LIABILITY
Negligence is a commonly occurring tort that occurs when one party causes harm to another party by their action or lack of action.
There must be a duty of care.The person accused of negligence must have an established responsibility to the accuser.
There must be a breach of that duty of care.The accused person must have either taken action or failed to take an action that violated the duty of care.
There must be font color=\"#e74f4c\
There must be causation.A reasonable person must be able to conclude that the injury caused to the accuser must be a result of the breach of duty by the accused.
TORTS AND NEGLIGENCE
Differing legal requirements
Precedent refers to the judgments in past cases and is subject to change over time with less advance notice than updates to legislation.
Different legal systems and frameworks in different countries
The EU's GDPR and the U.S.Clarifying Lawful Overseas Use of Data (CLOUD) Act directly conflict on the topic of data transfer.
Conflicting laws
Responsibility for compliance with laws and regulations
Researching and planning response in case of conflicting laws
Ensuring necessary audit and incident response data is logged and retained
Any additionall due diligence and due care
The bottom line on legal risks specific to cloud computing
云计算特有的法律风险评估Evaluation of legal risks specific to cloud computing
An international organization font color=\"#e74f4c\
Its principles are font color=\"#e74f4c\
Organisation for Economic Co-operation and Development (OECD)
Comprised of 21 member economies in the Pacific Rim.
Promotes the smooth cross-border Flow of information between APEC member nations.
Asia-Pacific Economic Cooperation Privacy Framework (APEC)
European Union's GDPR is perhaps the most far-reaching and comprehensive set of laws ever written to protect data privacy.
Mandates font color=\"#e74f4c\
Includes mandatory notification timelines in the event of data breach.
General Data Protection Regulation (GDPR)
Health Insurance Portability and Accountability Act (HIPAA)1996 U.S.law regulates the privacy and control of health information data.
Sarbanes-Oxley Act(Sox)Law was enacted in 2002 and sets requirements for U.S.public companies to protect financial data when stored and used.
Additional legal frameworks standards
法律框架和准则Legal framework and guidelines
are required by law. font color=\"#e74f4c\
Statutory requirements
may also be required by law but refer to rules issued by a regulatory body that is appointed by a government entity. font color=\"#e74f4c\
Regulatory requirements
are required by a legal contract between private parties.
These agreements often specify a set security controls or a compliance framework that must be implemented by a vendor font color=\"#e74f4c\
Contractual requirements
LAWS AND REGULATIONS
An organization investigating an incident may lack the ability to compel the CSP to turn over vital information needed to investigate.
The information may be housed in a country where jurisdictional issues make the data more difficult to access.
Maintaining a chain of custody is more difficult since there are more entities involved in the process.
Architecture considerationsData residency and system architecture are other important considerations for eDiscovery in the cloud and can be handled proactively.
Due care considerations Ensuring the org is prepared For DFIRCloud security practitioners must inform their organizations of any risks and required due care and due diligence related to cloud computing
CSPs may not preserve essential data for the required period of time to support historical investigations.
They may not even log all the data relevant to support an investigation.
This shifts the burden of recording and preserving Potential evidence onto the consumer
Consumers must identify and implement their own data collection.
NISTIR = NIST Interagency or Internal Reports
Addresses common issues and solutions needed to address DFIR in cloud environments.
DFIR = Digital Forensics and Incident Response
NISTNISTIR 8006
E-DISCOVERY FRAMEWORKS
国际标准组织/国际电子技术委员会 (ISO/IEC) 27050International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27050
Free guidance in Domain 3:Legal Issues:Contraets and Electronic Discovery
Offers guidance on font color=\"#e74f4c\
云安全联盟 (CSA) 指引Cloud Security Alliance (CSA) Guidance
Iso/IEC and CSA provide guidance on best practices for collecting digital evidence and conducting forensics investigations in the cloud.
FORENSICS REOUIREMENTS
ISO/IEC 27043:2015
Forensic Investigation Standards
取证要求Forensics requirements
6.1 明确云环境中的法律要求和独特风险Articulate legal requirements and unique risks within the cloud environment
Any information that can font color=\"#e74f4c\
Defined by NIST SP 800-122
受保护的健康信息 (PHI)protected health information (PHI)
Health-related information that can be related to a specific person
Must be protected by strong controls and access audited
Requlated by HIPAA HITRUST
个人可识别信息 (PII)personally identifiable information (PII)
Allowable storage of information related to credit and debit cards and transactions.
Defined and requlated by PCI DSS and is CONTRACTUAL
Payment Data.
A Security team must understand.
The data controller is always responsible for ensuring that the requirements for protection and compliance are met.even if that data is processed in a CSP's cloud service.
Responsibility cannot be transferred but risk can be mitigated
合同规定的和受监管的私人数据之间的区别Difference between contractual and regulated private data
organizations may process data belonging to Australian citizens offshore.
transferring entity (the data owner)must ensure that the receiver of the data holds and processes it in accordance withthe principles of Australian privacy law.
Data owner (controller)is responsible for data privacy
commonly achieved through contracts that require recipients to maintain or exceed the data owner's privacy standards
The entity transferring the data out of Australia remains responsible for any data breaches by or on behalf of the recipient entities
Australian Privacy Act
Personal Information Protection and Electronic Documents Act(PIPEDA)
a national-level law that font color=\"#e74f4c\
PIPEDA covers information about an individual that is identifiable to that specific individual.
includes a data breach notification requirement.
PIPEDA may also be superseded by province-specific laws that are deemed substantially similar to PIPEDA.
Canada Privacy Law
The right to be informedThe right of accessThe right to rectificationThe right to erasure (the right to be forgotten)The right to restrict processingThe right to data portabilityThe right to objectRights in relation to automated decision making and profiling
Includes the following on data subject privacy rights:
Deals with the handling of data while maintaining privacy and rights of an individual.
GDPR applies to ANY company with customers in the EU
Includes a 72-hour notification deadline in the case of data breach
GDPRGENERAL DATAPROTECTION REGULATION
This act consists of three main sections:
Gramm-Leach-Bliley Act (GLBA)of 1999focuses on services of font color=\"#e74f4c\
Orgs commit to seven principles of the agreement:
Privacy Shieldan international agreement between the United States (U.S.) and the European Union.allows the transfer of personal data from the European Economic Area (EEA)to the U.S.by U.S.-based companies.
The Fourth Amendment:
Details the people's \
It outlines that private data is protected from unauthorizedaccess or interception (by private partics or the government).
The Stored Communication Act (SCA)of 1986created privacy protection for electronic communications like email or other digital communications stored on the Internet.extends the Fourth Amendment of the U.S.Constitution to the electronic realm
Clarifying Lawful Overseas Use of Data (CLOUD)Actaids in evidence collection in investigation of serious crimescreated in 2018 due to the problems that FBI faced in forcing Microsoft to hand over data stored in Irelandrequires U.s.-based companies to respond to legal requests for data no matter where the data is physically located.
与私人数据相关的国家特定立法Country-specific legislation related to private data
data subjectdata collectorcloud service providersubcontractors processing datacompany headquarters of the entities involved
Different laws and regulations may apply depending on the location of
prevent the utilization of a cloud services provideradd to costs and time to marketdrive changes to technical architectures required to deliver services
Legal concerns can:
Many privacy laws impose fines or other action for noncompliance.
数据隐私的司法管辖区差异Jurisdictional differences in data privacy
ISO 27018 was published in July 2014 as a component of the ISO 27001 standard.
Adherence to these privacy requirements enables customer trust in the CSP.
Can provide a HIGH level of assurance.
Consent:Personal data obtained by a CSP may not be used for marketing purposes unless expressly permitted by the subject.
A customer should be permitted to use a service without requiring this consent.
Control:Customers shall have explicit control of their own data and how that data is used by the CSP.
Transparency:CSPs must inform customers of where their data resides AND any subcontractors that may process personal data.
国际标准组织/国际电子技术委员会 (ISO/IEC) 27018International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018
Created by AICPA
Generally Accepted Privacy Principles (GAPP)is a framework of privacy principles
GAPP are widely incorporated into the SOC 2 framework as an optional criterion
Organizations that pursue a SOC 2 audit can include these privacy controls if appropriate
An audit of these controls font color=\"#e74f4c\
Choice and consentThe organization font color=\"#e74f4c\
CollectionPersonal information is collected only for the purposes identified in the notice provided to the individual.
AccessThe organization provides individuals with access to their personal information for review or update.
Disclosure to third partiesPersonal information is disclosed to third parties only for the identified purposes and with implicit or explicit consent of the individual.
Security for privacyPersonal information is protected against both physical and logical unauthorized access.
Monitoring and enforcementThe organization monitors compliance with its privacy policies and procedures.It also hasprocedures in place to address privacy-related complaints and disputes
Categories of the 10 main privacy principles
普遍接受的隐私原则 (GAPP)Generally Accepted Privacy Principles (GAPP)
一般数据保护条例 (GDPR)General Data Protection Regulation (GDPR)
标准隐私要求Standard privacy requirements
Several privacy laws font color=\"#e74f4c\
Conducting a PIA typically begins when a system or process is being evaluated
When is a PIA necessary?
隐私影响评估 (PIA)Privacy Impact Assessments (PIA)
6.2 了解隐私问题Understand privacy issues
a methodical examination of an environment to font color=\"#e74f4c\
serves as a primary type of detective control.
frequency is based on risk.
degree of risk also affects how often an audit is performed.
Secure IT environments rely heavily on auditing and many regulations require it.
What is Auditing?
Security audits and effectiveness reviews are font color=\"#e74f4c\
AUDITING & DUE CARE
Audit reports often contain sensitive information
Only people with sufficient privilege should have access
FOR EXAMPLE:senior security administrators = full detailsenior management = high-level summary
CONTROLLING ACCESS TO AUDIT REPORTS
Acts as a \"trusted advisor\
Compliance may mean company policies or regulatory
Internal Auditor
Can provide more continuous monitoring of control effectiveness and policy compliance
Enables the org to catch and fix any issues beforc they show up on a formal audit report
Internal Audit
Some legal and requlatory frameworks require the usc of an font color=\"#e74f4c\
An internal auditor is an independent entity who can provide facts without fear of reprisal
内部和外部审计控制Internal and external audit controls
The requirement to conduct audits can have a large procedural and financial impact on a company.
With font color=\"#e74f4c\
Regulated industries
Sample size and relevance
Multi-region data dispersion in the cloud and dynamic VM failure in hypervisors can complicate the audit process
审计要求的影响Impact of audit requirements
Audits of controls over the hypervisor will usually be the purview of the CSP
VMs deployed on top of that hardware are usually under owned by the customer
确定虚拟化和云的保障挑战Identify assurance challenges of virtualization and cloud
SSAE 18 is a set of standards defined by the AICPA (American Institute of CPAs)
Designed to enhance the quality and usefulness of System and Organization Control (SOC)reports.
Includes audit standards and suggested report formats to guide and assist auditors
SOC 1deals mainly with financial controls and are used primarily by CPAs auditing financial statements
Soc 2 Type 1report that assesses the design of security processes at a specific point in time
SOC 2 Type 2(often written as \"Type ll\")assesses how effective those controls are over time by observing operations for at least six monthsOften require an NDA due to sensitive contents
关于认证业务标准的声明 (SSAE)Statement on Standards for Attestation Engagements (SSAE)
The International Auditing and Assurance Standards Board issues the ISAE
This board and it's ISAE standards are similar to the AICPA and it's SSAE standards
The ISAE 3402 standard is roughly equivalent to the SOC 2 reports in the SSAE
国际鉴证业务准则 (ISAE)International Standard on Assurance Engagements (ISAE)
The Security Trust Assurance and Risk (STAR) certification program comes from CSA
Designed to demonstrate compliance to a desired level of assurance
Level 1:Self-assessmentis a complimentary offering that documents the security controls provided by the CSP
Level 2:Third-party auditrequires the CSP to engage an independent auditor to evaluate the CSP's controls againstthe CSA standard
STAR consists of two levels of certification which provide increasing levels of assurance
CSACloud Security Alliance
服务组织控制 (SOC)Service Organization Control (SOC)
审计报告的类型Types of audit reports
Audit scope statements provide the reader with details on what was included in the audit and what was not
An audit scope statement generally includes:
Setting parameters for an audit is known as audit seope restrietions
Determining the scope of an audit is usually a joint activity performed by the organization being audited and their auditor.
Audits are expensive endeavors that can engage highly trained (and highly paid)content experts.
Auditing of systems can font color=\"#e74f4c\
Cost of implementing controls and auditing some systems is too high relative to the revenue the service generates.
Why limit the scope of an audit?
审计范围声明的限制Restrictions of audit scope statements
A gap analysis identifies where an organization does not meet requirements and provides important information to help remediate gaps
The main purpose is to compare the organization's current practices against a specified framework and identify the gaps between the two.
May be performed by either internal or external parties
Choice of which usually driven by the cost and need for objectivity
When is a gap analysis useful?
'ISO 27002'and 'NIST CSF'are frameworks commonly used For gap analysis
控制分析control analysis
基线baselines
差距分析Gap analysis
Document and define audit program objectives.collaborative internal planning of audit scope and objectives.Gap analysis or readiness assessment.assessing theorganization's ability to successfully undergo a full audit.Define audit objectives and deliverables.it is important toidentify the expected outputs from the audit.Identifying auditors and qualifications.compliance andaudit frameworks usually specify the type of auditor required.
Audit planning activities include:
Audit Phases
审计计划Audit planning
An information security management system(ISMS) is a systematic approach to information security
An ISMS focuses font color=\"#e74f4c\
ISO 27001 addresses need and approaches to implementing an ISMS
Quantify riskDevelop and execute risk mitigation strategiesProvide formal reporting on status of mitigation efforts
ISMS Functions
Improve data securityIncreased organizational resilience to cyberattacksCentral info security mgmtFormal risk management
ISMS Benefits
内部信息安全管理系统Internal information security management system
a system of information security controls provides guidance for mitigating the risks identified as part of ISMS risk management processes.
There are several control frameworks to choose from.
Scoping controls refers to reviewing controls in the framework to identify which controls apply to the organization and which do not.
Tailoring is a process of matching applicable controls with the organization's specific circumstances to which they apply.
NIST SP 800-53NIST Cybersecurity Framework(CSF)Secure Controls FrameworkCSA Cloud Controls Matrix(CCM)
Other control frameworks include:
内部信息安全控制系统Internal information security controls system
Policies are a key part of any data security strategy and facilitate a number of capabilities for an organization:
Provide users and organizations with a way to understand and enforce requirements in a systematic way.
Make employees and management aware of their roles and responsibilities.
Standardize secure practices throughout the organization.
Financial lossesData loss or leakageReputational damageStatutory and regulatory compliance issuesAbuse or misuse of computing systems and resources
Policies are a font color=\"#e74f4c\
Employees should generally sign policies to acknowledge acceptance
组织organizational
A set of standardized definitions for employees that describe how they are to make use of systems or data.
Typically font color=\"#e74f4c\
Functional policies generally codify requirements identificd in the ISMS and align to your chosen control framework
Examples of funetional policies
功能functional
Ease of deploying cloud resources without governance results in \"shadow IT\"-resources deployed without IT approval!
This can create font color=\"#e74f4c\
Also creates font color=\"#e74f4c\
A CASB can help identify and stop shadow IT!
Policies should define requirements users must adhere to and specify which cloud services are approved for various uses.
云计算cloud computing
策略Policies
One key challenge in the audit process is the inclusion of any relevant stakeholders
Organization's management who will likely be paying for the audit Security practitioners responsible for facilitating the audit
Employees who will be called upon to font color=\"#e74f4c\
Cloud computing environments can include more stakeholders than on-premises and even multiple CSPs
相关利益相关者的识别和参与Identification and involvement of relevant stakeholders
North American Electric Reliability Corporation Critical Infrastructure Protection regulates organizations involved in power generation and distribution.
北美电力可靠性公司/关键基础设施保护 (NERC / CIP)North American Electric Reliability Corporation / Critical Infrastructure Protection (NERC / CIP)
健康保险便捷与责任法案 (HIPAA)Health Insurance Portability and Accountability Act (HIPAA)
Both font color=\"#e74f4c\
经济与临床医疗保健信息科技 (HITECH) 法案Health Information Technology for Economic and Clinical Health (HITECH) Act
Specifies protections for payment card transaction data.
支付卡行业 (PCI)Payment Card Industry (PCI)
受到严格监管行业的特殊合规要求Specialized compliance requirements for highly-regulated industries
One impact of this distributed model is the additional geographic locations auditors must consider when performing an audit.
A common technique in cloud audits is font color=\"#e74f4c\
Sampling 20 servers of 100 servers across many regional datacenters can save time & expense and maintain accuracy
不同的地理位置diverse geographical locations
跨越法律管辖区crossing over legal jurisdictions
分布式信息技术 (IT) 模型的影响Impact of distributed information technology (IT) model
Primary areas of focus in SCRM include evaluating:
Reviewing provider controls
控制controls
There are resources that can help organizations build out or enhance their SCRM program:
方法methodologies
策略policies
Risk profile describes the risk present in the organization based on all the identified risks and any associated mitigations in place.
风险概况risk profile
Risk appetite describes the amount of risk an organization is willing to accept without mitigating.
Smaller orgs and startups will be more apt to simply accept risks to avoid cost of treatment.
风险偏好risk appetite
评估提供商风险管理计划Assess providers risk management programs
Anyone who processes personal data on behalf of the data controller.The CusTODIAN
The person or entity that controls processing of the data. The OWNER
Owns the data and risks associated with any data breaches
ensures the organization complies with data regulations.
Data Protection officer (DPO)
is the individual or entity that is the subject of the personal data.
Data CONTROLLER in GDPR
Usually a member of senior management.CAN delegate some day-to-day duties.CANNOT delegate total responsibility.
Data Owner
Data PROCESSOR in GDPR
Usually someone in the IT departmentDOES implement controls for data ownerDOES NOT decide what controls are needed
Data Custodian
数据所有者/控制者与数据保管者/处理者之间的区别Difference between data owner/controller vs. data custodian/processor
Most recent privacy laws include mandatory breach notification.
WHO should be notified and HOW QUICKLY
违规通知breach notification
Section 804:Companies must keep audit-related records for a minimum of five years.
SOX compliance is often an issue with both data breaches and ransomware incidents at publicly traded companies.
The loss of data related to compliance due to external actors does not protect a company from legal obligations.
Sarbanes-Oxley (SOX)
States that a data controller \"must be able to demonstrate that personal data are processed in a manner transparent to the data subject.\"
The obligations for transparency begin at the data collection stage and apply \"throughout the lifecycle of processing.\"
Stipulates that communication to data subjects must befont color=\"#e74f4c\
Meeting the requirement for transparency also requires processes for providing data subjects with access to their data.
监管透明度要求Regulatory transparency requirements
Where the organization changes business practices to completely eliminate the potential that a risk will materialize.
Can negatively impact business opportunities
规避avoid
The process of applying security controls to reduce the probability and/or magnitude of a risk.
减轻mitigate
Shifts some of the impact of a risk from the organization experiencing the risk to another entity.
e.g cyber insurance
转移transfer
共享share
Deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk.
use when cost of mitigation > cost of impact
接受acceptance
Risk Appetite.Sometimes called \"risk tolerance\"] is the amount of risk that a company is willing to accept.
safeguards are proactive (reduce likelihood of occurrence)
countermeasures are reactive (reduce impact after occurrence
Security Controls
风险处理Risk treatment
ISO 31000 contains several standards related to building and running a risk management program.
ISO 31000:2018 guidance standard
ENISA produces useful resources related to cloud-specific risks that organizations should be aware of and plan for when designing cloud computing systems.
This guide identifies various categories of risks and recommendations for organizations to consider when evaluating cloud computing.
ENISA's cloud computing risk assessment
NIST Special Publication 800-37 is the NIST Risk Management Framework
NIST Special Publication 800-146\"Cloud Computing Synopsis and Recommendations\"provides definitions of various cloud computing terms
Although font color=\"#e74f4c\
不同的风险框架Different risk frameworks
Patching levels:How many devices are fully patched and up-to-date?Unpatched devices often contain exploitable vulnerabilities.
Time to deploy patches:How may devices receive required patches in the defined timeframes?A useful measure of how effective a patch management program is at reducing the risk of known vulnerabilities.
Intrusion attempts:How many times have unknown actors tried to breach cloud systems?Increased intrusion attempts can be an indicator of increased risk likelihood.
Cybersecurity metrics provide vital information for decision makers in the organization.
Cybersecurity metrics within expected parameters indicate the risk mitigations are effective.
Metrics that deviate from expected parameters are no longer effective and should be reviewed
风险管理指标Metrics for risk management
服务service
Designing a supply chain risk management (SCRM)program to assess CSP or vendor risks is a due diligence practice.
Actually performing the assessment is an example of due care.
供应商vendor
基础架构infrastructure
业务business
Enables an objective evaluation to validate that a particular product or system satisfies a defined set of security requirements
Assures customers that security products they purchase have been thoroughly tested by independent third-party testers
Evaluation is done through testing laboratories where the product or platform is evaluated against a standard set of criteria.
The result is an font color=\"#e74f4c\
common Criteria(ISO/IEC 15408-1)
Contains evaluations of cloud services against the CSA's cloud controls matrix(CCM)
Organizations can opt for self-assessed or third-party-assessed cloud services.This will affect the level of assurance (low or high)
CSA STAR font color=\"#e74f4c\
ENISA has published a standard for certifying the cybersecurity practices present in cloud environments
The goal is producing security evaluation results that allow comparison of the security posture across different cloud providers.
风险环境评估Assessment of risk environment
6.4 了解云对企业风险管理的影响Understand implications of cloud to enterprise risk management
A contract with vendors and suppliers not to disclose the company's confidential information
A 'mutual NDA'binds both partics in the agreement
NDA
THIRD-PARTY RISK MANAGEMENT
Stipulate performance expectations such as maximum downtimes and often include penalties if the vendor doesn't meet expectations.
Generally used with external vendors (like CSP)and is legally binding
Often includes financial penalties for non-performance and may allow customer to terminate a contract
SLAs should be written to ensure that the organization's service level requirements (SLRs)are met.
Uptime guaranteesSLA violation penaltiesSLA violation penalty exclusions and limitationsSuspension of service clausesProvider liabilityData protection and managementDisaster recovery and recovery point objectivesSecurity and privacy notifications and timeframes
Common elements documented in SLAs include:
服务等级协议(SLA)service-level agreement (SLA)
This is defined as any contract that two or more parties enter into as a service agreement
MSA should address compliance and process requirements the customer is passing along to CSP
MSA should include breach notification -CSP duty to inform the customer of a breach within a specific time period after detection.
主服务协议(MSA)master service agreement (MSA)
Legal document usually created after an MSA has been executed and governs a specific unit of work.
工作陈述(SOW)statement of work (SOW)
A breach at any link in the supply chain can result in business impact.
Supply chain
Many orgs are reducing the number of vendors they work with and requiring stricter onboarding procedures.
Vendors may be required to submit to an external audit and agree to strictcommunication and reporting requirements in event of potential breach.
Risk of 'island hopping attack\"
Vendor management
Potential for Increased risk of insider attack
System integration
THIRD-PARTY RISKS
业务要求Business requirements
The practices ofSCRM and vendor management overlap significantly
Cloud computing involves outsourcing ongoing organizational processes and infrastructure to a service provider
Security practitioners should participate in thefont color=\"#e74f4c\
供应商评估vendor assessments
This assessment will require knowledge of not only the CSP's offerings but thearchitecture and strategy the customer organization intends to use.
Using font color=\"#e74f4c\
供应商锁定风险vendor lock-in risks
This is often a process that is not conducted by the security team as it deals with operational risk.
financial statementsthe CSP's performance history and reputationor even formal reports like a SOC 1
Assessing the viability of vendors may involve reviews of public information like:
供应商生存能力vendor viability
Escrow is a legal term used when font color=\"#e74f4c\
A software development company may wish to protect the intellectual property of their source code.
ESCROW SCENARIO:
托管escrow
供应商管理Vendor management
Organizations must employ adequate governance structures to monitor contract terms and performance and be aware ofoutages and any violations of stated agreements.
A contract clause is a specific article of related information that specifies the agreement between the contracting parties.
Right to auditMetricsDefinitionsTerminationLitigationAssuranceComplianceAccess to cloud/data
Some common contract clauses that should be considered for any CSP or other data service provider include the following:
Contract Clauses
The customer can request the right to audit the service provider to ensure compliance with the security requirements agreed in the contract.
审计权right to audit
Tell you \"how compliance with the agreement will be measured\"
指标metrics
A contract is a legal agreement between multiple parties.
It is essential that all parties share a common understanding of the terms and expectations.
定义definitions
Termination refers to ending the contractual agreement.
This clause will typically define conditions under which either party may terminate the contract
May also specify consequences if the contract is terminated carly.
终止termination
This is an area where legal counsel must be consulted.
Agreeing to terms for litigation can severely restrict the organization's ability to pursue damages if something goes wrong.
诉讼litigation
Defining assurance requirements sets expectations for both the provider and customer.
Many contracts specify that a provider must furnish a SOC 2 or equivalent to the customer on an annual basis
保证assurance
Any customer compliance requirements that flow to the provider must be documented and agreed upon in the contract.
Data controllers that use cloud providers as data processors must ensure that adequate security safeguards are available for that data
合规compliance
Clauses dealing with customer access can be used to avoid risks associated with vendor lock-in.
访问云/数据access to cloud/data
cyber risk insurance is designed to help an organization reduce the financial impact of risk by transferring it to an insurance carrier.
It may even cover legal or regulatory fines associated with the incident.
Cyber insurance carriers are in the business of risk management and are unlikely tooffer coverage to an organization lacking controls to mitigate risk.
Cyber insurance requires organizations to pay a premium for the insurance plan.Most plans have a limit of coverage that caps how much the insurance carrier pays.
There may also be font color=\"#e74f4c\
Costs associated with the forensic investigation to determine the extent of an incident.
This oftcn includes costs for third-party investigators.
Investigation
Direct business losses
These may include costs associated with replacing hardware or provisioningtemporary cloud environments during contingency operations.
They may also include services like forensic data recovery or negotiations with attackers to assist in recovery.
Recovery costs
Costs are associated with required privacy and breach notifications required by relevant laws.
Legal notifications
Policies can be written to cover losses and payouts due to class action or other lawsuits against a company after a cyber incident.
Lawsuits
The insurance to pay out ransomware demands is growing in popularity.
This may include direct payments to ensure data privacy or accessibility by the company.
Extortion
Incidents often require employees to work extended hours or travel to contingency sites.
Food and related expenses
Cyber risk insurance usually covers costs associated with the following:
网络风险保险cyber risk insurance
合同管理Contract management
Managing risk in the supply chain focuses on both font color=\"#e74f4c\
The supply chain should always be considered in any business continuity or disaster recovery planning.
Proactive measures including contract language and assurance processes can be used to quantify the risks associated with using suppliers like CSPs...as well as the effectiveness of these suppliers'risk management programs.
The ISO 27000 family of standards includes a specific ISO standard dedicated to supply chain cybersecurity risk management.
ISO 27036:2021 provides a set of practices and guidance for managing cybersecurity risks in supplier relationships.
This standard is particularly useful for organizations that use ISO 27001 for building an ISMS or ISO 31000 for risk management
Part 1:Overview and conceptsPart 2:RequirementsPart 3:Guidelines for information and communication technology supply chain securityPart 4:Guidelines for security of cloud services
ISO/IEC 27036-1:2021 Cybersecurity -Supplier relationships
国际标准组织/国际电子技术委员会 (ISO/IEC) 27036International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27036
Additional resources focusing on supply chain worth review include:
6.5 了解外包和云合同设计Understand outsourcing and cloud contract design
CCSP outline
0 条评论
回复 删除
下一页