CCSP思维导图思维导图模板_ProcessOn思维导图、流程图

NIST SP 800-145

云计算定义Cloud computing definitions

The business or individual consuming cloudservices

Often using cloud to complement/augment existing on-premises compute. 补充/增加

云服务客户cloud service customer

font color=\"#e74f4c\

云服务供应商 CSPcloud service provider

Help organizations to obtain and deploy cloudservices.

云服务合作伙伴cloud service partner

an entity that font color=\"#e74f4c\

negotiates relationships between cloud providers(CSPs) and cloud consumers.

Service Intermediationenhances a given service by improving specific capabilitiesand providing value-added services to cloud consumers.

Service Aggregationcombines and integrates multiple services into one or morenew services.

Service Arbitragemeans a broker has the flexibility to choose services frommultiple agencies.

Functions of a Cloud Broker

云服务代理cloud service broker

监管机构regulator

Third party that can conduct an font color=\"#e74f4c\

CSACloud Service Auditor

Cloud administrator

Cloud application architect

Designs and develops solutions.

Cloud architect

Responsible for daily operational tasks.

Cloud operator

Cloud data architect

Cloud service manager

Manages storage volume/repository assignment and configuration.

Cloud storage administrator

Oversees business and billing administration.

cloud service business manager

Cloud service operations manager

maintains the security environment forcompanies

may provide an outsourced securityoperations center (SoC) and incidentresponse

安全托管服务提供商 MSSPmanaged security service provider

云计算角色和职责Cloud computing roles and responsibilities

Customers can scale their compute and storage needs with little orno intervention or prior communication from the provider.

按需自助服务on-demand self-service

Services are consistently accessible over the network regardless ofthe users physical location

广泛的网络访问broad network access

Which means many different customers share use of the samecomputing resources.

Physical servers that support our workloads might be the samephysical servers supporting other customers' workloads.

Why?Because in the big picture customers won't becollectively using all of that capacity simultaneously.

Oversubscription

多租户multi-tenancy

Allows the customer to grow or shrink the IT footprint as necessary tomeet needs without excess capacity.

The ability of a system to automatically grow and shrinkbased on app demand.

Elasticity

The ability of a system to handle growth of users or work.Ability to grow as demand increases.

Scalability

快速弹性和可伸缩性rapid elasticity and scalability

Enables cloud provider to apportion resources as needed acrossmultiple customers so resources are not underutilized or overtaxed.

Enables cloud provider to make capital investments that greatlyexceed what any single customer could provide on their own.

Allows the cloud provider to meet various demands fromcustomers while remaining financially viable.

Can result in some degree oflocation dependence beyond customer control.

DISADVANTAGE

资源池化resource pooling

means that almost everything you do in the cloud is metered(measured and tracked) for management and billing purposes.

number of minutes of virtual server compute timeAmount of disk space you consumeNumber of function calls you makeAmount of network egress and ingress

common metrics

可度量服务 aka metered servicemeasured service

云计算关键特性Key cloud computing characteristics

Infrastructure-as-a-Service (laas)is the basisfor compute capacity in the cloud.

Customer installs middleware and applications.

Customer only pays for what they use. Chargesstop when instance is stopped or deleted.

compute

Cloud networking is all virtualized to allowcustomers to design and customize to their needs.

Enables customers to segment networks andrestrict access however they would like.

Physical network components are virtualized intoa software-defined network (SDN)

Management plane: the business applications that manage theunderlying control plane are exposed with northbound interfaces

Control plane:Control of network functionality and programmabilityismade directly to devices at this layer.

Data plane:The network switches and routers located at this plane areassociated with the underlying network infrastructure.

3个平面

Northbound interface

OpenFlow protocol interfaces with devices through southbound interfaces.

SDN

网络networking

Ephemeral is relevant for laas instances andexists only as long as the instance (VM)is up

Raw storage maps a logical unit number (LUN)on a storage area network(SAN) to a VM.

Long term storage typically use either Volume orobject storage infrastructure.

Long-term storage offered by some CSPs istailored to the needs of data archiving.

三种存储类型

font color=\"#000000\

ensures that all copies of the data have been duplicated among allrelevant copies before finalizing the transaction to increase availability.

Strict consistency

Data changes are 'eventually' transferred to all datacopies via asynchronous propagation over the network

Eventual consistency

存储一致性Storage Consistency

Content/file storage: File-based content stored within the application

Information storage and management: Data entered into the system via the web interfaceand stored within the Saas application.

存储storage

Multiple options available and multiple flavors ofrelational (SQL) and non-relational (NoSQL)

Managed database services (Paas) options shiftinfrastructure maintenance to the CSP.

laas (VM) hosted databases are an option wherePaas is not possible or practical.

数据库databases

Cloud orchestration creates automatedworkflows for managing cloud environments.

Builds on the foundation of font color=\"#e74f4c\

编排orchestration

Type1 \"Bare metal\"

Type2 \"Hosted\"

虚拟化virtualization

构建块技术Building block technologies

virtual machines (VM)virtual desktop infrastructure (VDI)software-defined networks (SDN)virtual storage area networks (SAN)

Storing data in the cloud font color=\"#e74f4c\

The cloud service provider (CSP) provides the leastamount of maintenance and security in the laas model.

Security issues with cloud-based assets

虚拟资产virtual assets

1.1 了解云计算概念Understand cloud computing concepts

ISO 17789 Cloud Reference Architecture

Use cloud servicesPerform service trialsMonitor servicesAdminister service securityProvide billing and usage reportsHandle problem reportsAdminister tenanciesPerform business administrationSelect and purchase serviceRequest audit reports

customer

Prepare systems and provide cloud servicesMonitor and administer servicesManage assets and inventoriesProvide audit dataManage customer relationshipsHandle customer requestsPerform peering with other cloud service providersEnsure complianceProvide network connectivity

cloud service provider

cloud service partner

云计算活动Cloud computing activities

CSP allows the customer to focus on their business use cases.

应用能力类型application capability types

平台能力类型platform capability types

基础设施能力类型 infrastructure capability types

云服务能力Cloud service capabilities

主要好处

基础设施即服务 (IaaS)Infrastructure as a Service (IaaS)

Customer is responsible for deployment and management of apps

Core infrastructure updated by providerGlobal collaboration for app developmentRunning multiple languages seamlessly

key benefits

平台即服务 (PaaS)Platform as a Service (PaaS)

Customer just configures features.

Customer has some responsibility inaccess management and'data recovery

共享责任模型

Limited administration responsibilityLimited skills requiredService always up-to-dateGlobal access

Key Benefits

软件即服务 (SaaS)Software as a Service (SaaS)

Serverless

a cloud computing execution model wherethe cloud provider dynamically managesthe allocation and provisioning of servers.

hosted as pay-as-you-go model based on use.

Serverless ArchitectureEXample:Function-as-service

Provisioning of multiple business services iscombined with different IT services toprovide a single business solution.

ServicesIntegration

云服务类别Cloud service categories

Everything runs on your cloud provider's hardware.

现收现付制（Pay As You Go）

公共云public

A cloud environment in your own datacenter

A cloud environment dedicated to a single customer

Enables greater control of upgrade cycles in legacy apps and some compliance scenarios

私有云private

Enables the organization to control the pace of public cloud adoption

混合云hybrid

Similar to private clouds in that they are not open the general public

But they are shared by several related organizations in a common community

社区云community

Combines resources from two or more public cloud providers

多云multi-cloud

云部署模型Cloud deployment models

Ability of one cloud service to interact with other cloud services byexchanging information according to a prescribed method and obtainpredictable results.

Most CSPs have a cloud marketplace with certified apps and services

Policy

Where the results of the use of the exchangedinformation matches the expected outcome

Behavioral

Transport

Syntactic

Semantic data

5个特征

互操作性interoperability

1. SyntacticTransferring data from a source system to a target systemusing formats that can be decoded bn the target systemwith features like XML or Open Virtualization Format (OVF)

2. SemanticTransferring data from a source system to a target systemso that the data model is understood within the context ofthe subject area by the target

3个特征

Cloud data portability is the ability to easily move data from one cloud service to another without the need to re-enter the data.

cloud applieation portability is the ability to migrate an application from one CSP to another or between a customer's environment and a cloud service.Portability prevents 'vendor lock-in'

可移植性portability

Process for cloud service customers to retrieve their data andapplication artifacts AND

for the CSP to delete all cloud service customer data and contractuallyspecified cloud service derived data after an agreed period.

Customer access to data also appears in requlations (e.g.GDPR)

可逆性reversibility

Systems and resource availability defines the success or failure of a cloud-based service.

Check service-level SLAs and how multi-service SLAs are calculated.

可用性availability

Protection of customer dataspan style=\"font-size: inherit;\

安全性security

Privacy vs Confidentiality

Data breaches have brought data privacy to the forefront as a crucial factor in cloud computing.

Prominent sources of privacy concerns

隐私privacy

AzureGeography

A set of datacenters deployed within alatency-defined perimeter and connectedthrough a dedicated regional low-latencynetwork.

Azure Regions

A relationship between 2 Azure Regionswithin the same geographic region fordisaster recovery purposes.

Region Pairs

Comprised of one or more datacenters

Tolerant to datacenter failuresvia redundancy and isolation

Availability Zones

弹性resiliency

Ability of a service to remain responsive to requests to that service withan acceptable level of response latency or processing time.

Public cloud delivers the perception of unlimited scale for than for lessthan the cost a customer would incur in their own datacenter.

性能performance

CSPs often have policy automation in which restrictions can be definedand automatically enforced throughout the service lifecycle.

治理governance

维护和版本控制maintenance and versioning

Stipulate performance expectations such asmaximum downtimes and often include penalties ifthe vendor doesn't meet expectations.

服务等级和服务等级协议 (SLA)service levels and service-level agreements (SLA)

Auditability is only possible with proper loggingproviding accountability and traceability

Accountability. Ability to determine who caused the event.This isknown sometimes called \"identity attribution\". (Requires non-repudiation)

Traceability. Ability to track down all events related to theinvestigated event.

Related activities

可审计性auditability

监管regulatory

外包outsourcing

云共享考虑因素Cloud shared considerations

The study of data to extract meaningful insights for business

Cybersecurity Data Science (CSDS)

数据科学data science

机器学习machine learning

Focuses on accomplishing \"smart\"taskscombining machine learning and deeplearning to emulate human intelligence

人工智能 (AI)artificial intelligence (AI)

a subfield of machine learning concerned withalgorithms inspired by the structure and functionof the brain called artificial neural networks.

深度学习Deep Learning

Blockchain was originally the technology thatpowered Bitcoin but has broader uses.

Does not use intermediaries such as banks and financial institutions.

Data is \"chained together\"with a block of data holding both thehash for that block and the hash of the preceding block.

区块链blockchain

A class of devices font color=\"#e74f4c\

Every device that you put on your network to manage has a default username and adefault password.

Simply change defaults to shut down this attack vector!

Default settings

Wareables

Enable facility managers to be able to configure automation and monitoring ofdevice function.

Facility automation.

Sensors

物联网 (IoT)Internet of Things (IoT)

Reduces overhead of server virtualization by enablingcontainerized apps to run on a shared OS kernel.

Share many concerns of server virtualization: font color=\"#e74f4c\

容器containers

A rapidly-emerging technology that harnesses the laws of quantummechanics to solve problems too complex for classical computers.

Replaces the binary one and zero bits of digital computing withmultidimensional quantum bits known as qubits.

量子计算quantum computing

the practice of harnessing the principles of quantum mechanics to improve securityand to detect whether a third party is eavesdropping on communications.

Quantum cryptography

is the most common example of quantum cryptography.

by transferring data font color=\"#e74f4c\

Quantum Key Distribution

Post-quantum cryptography refers to cryptographic algorithms (usually public-keyalgorithms)that are thought to be secure against an attack by a quantum computer.

Post-quantum cryptography focuses on preparing for the era of quantum computingby updating existing mathematical-based algorithms and standards.

The development of new kinds of cryptographicapproaches that can be implemented usingtoday's conventional computers...but will be impervious (resistant)to attacks from tomorrow's quantum computers.

Post-quantum algorithms arc somctimes called quantum-resistant\"cryptographic algorithms

Post-Quantum Cryptography

Common in various font color=\"#e74f4c\

All the processing of data storage is closer to thesensors rather than in the cloud data center.

边缘计算edge computing

Complements cloud computing by processingdata from loT devices.

Often places gateway devices in the field to collectand correlate data centrally at the edge.

Important to speed processing time and reduce dependence oncloud/Internet connectivity mission critical situations (healthcare)

雾计算fog computing

Confidential computing solves for this by isolating sensitivedata in a protected CPU enclave during processing.

This CPU enclave is called a font color=\"#e74f4c\

Embedded attestation mechanisms ensure that the keysare accessible only to authorized application code

机密计算confidential computing

Integratessecurity as a shared responsibilitythroughout the entire IT lifecycle.

Builds a security foundation into Devops initiatives.

Often includes automating some of the securitygates in the Devops process.

DevSecOps

laC is a key Devops practice and is used inconjunction with Continuous Integration andcontinuous Delivery (CI/CD). \"the CI/CD pipeline\"

IaCInfrastructure as Code

相关技术的影响Impact of related technologies

1.2 描述云计算参考架构Describe cloud reference architecture

A chip that resides on the motherboard of the device.

TPM

HSM

FIPS 140-2 validated modules providetamper resistance and key integrity

Generation

Encryption keys should be distributed securely to preventtheft/compromise during transit

BEST PRACTICE:Encrypt keys with a separate encryptionkey while distributing to other parties

Distribution

Encryption keys must be protected at rest and shouldnever be stored in plaintext

This Includes keys in volatilc and persistent memory

Storage

Clients (users trusted devices) will use keys for resource accessas access controls allow.

Acceptable use policy sets guardrails for data usage

Use

Revocation

Key destruction is the removal of an encryption key from itsoperational location.

Key deletion goes further and removes any info that could beused to reconstruct that key.

Destruction

KEY MANAGEMENT STRATEGYFOR ENCRYPTION KEY LIFECYCLE

Encryption keys must be secured at the same level of control or higheras the data they protect.

Level of Protection

Key Recovery

Key Escrow

CSPs offer a cloud service for centralized secure storage andaccess for application secrets called a vault.

Service will typically offer programmatic access via APl to supportDevOps and continuous integration/continuous deployment(CI/CD)

Access control at vault instance-level and to secrets stored within

Secrets and keys can generally be protected either bysoftware or by FIPS 140-2 Level 2 validated HSMs.

Key Management System (KMS)

密码学和密钥管理Cryptography and key management

Authentication and access managementFocused on the manner in which users can access required resources

用户访问user access

Privileged user managementManaging privileged access accountsEnforce Least Privilege and Need to knowSeparation of duties can provide effective risk mitigation

特权访问privilege access

Centralized directory ServicesActive Directory and LDAPKerberos and NTLM authentication

服务访问service access

Provisioning and Deprovisioning

Something you know(pin or password)Something you have(trusted device)Something you are(biometric)

PREVENTS:PhishingCredential stuffingSpear phishingBrute force and reverse brute force attacksKeyloggersMan-in-the-middle (MITM)attacks

MFAMulti-factor Authentication

Need-to-know and the principle of least privilege are twostandard IT security principles implemented in secure networks.

They limit access to data and systems so that users and othersubjects have access only to what they require.

They help prevent security incidentsThey help limit the scope of incidents when they occur.

LIMITING ACCESS & DAMAGE

Collusion is an agreement among multiple persons toperform some unauthorized or illegal actions.

Separation of dutiesa basic security principle that ensures that no single personcan control all the elements of a critical function or system.

PREVENTING FRAUD AND COLLUSION

a service account is a type of administrator account used to run anapplication. example:account to run an anti-virus application.

Service Account aka \"Service Principal\"

When a group of people font color=\"#e74f4c\

shared Account

ACCOUNT TYPES

身份和访问控制Identity and access control

覆盖overwriting

加密擦除cryptographic erase

Erasing

preparing media for reuse and ensuring data cannot be recovered using traditionalrecovery tools.

Clearing (overwriting)

a more intense form of clearing that preparesmedia for reuse in less secure environments.

Purging

Less secure data destructionMedia is reusable with any of these methodsData may be recoverable with forensic tools

PRO:Data cannot be recovered from any remnants.CON:High CPU and performance overhead

Crypto-shredding 'cryptographic erasure'

More secure data destruction

creates a strong magnetic field that erasesdata on some media and destroy electronics.

Degaussing

You can shred a metal hard drive into powder.

Shredding

Pulverizing

Destroying Media Data

数据和媒介清理Data and media sanitization

Network security groups provide anadditional layer of security for cloud resources

Act as a font color=\"#e74f4c\

Carriesa list of security rules(IP and port ranges)thatallow or deny network traffic to resource instances.

Provides a virtual firewall for a collection of cloudresources with the same security posture

网络安全组network security groups

Restricting services that are permitted to access or be accessiblefrom other zones using rules to control inbound/outbound traffic.

Rules are enforced by the IP address ranges of each subnet.

Segmentation

Representational State Transfer (REST)is the modern approach towriting web service APIs.

APIs published by an organizations should include font color=\"#e74f4c\

APl inspection and integration

Packet capture in the cloud generally requires toolsdesigned for this purpose in the environment.

Traffic is often sent direct to resources and promiscuousmode on a VM NIC not possible or effective.

流量检查traffic inspection

Uses the Global Positioning System (GPS)or RFID to definegeographical boundaries.

EXAMPLES:Restrict access to systems and services based on wherethe access attempt is being generated from.Prevent devices from being removed from the company'spremises.

地理围栏geofencing

Addresses the limitations of the legacy network perimeter-based security model.

Treats user identity as the control plane

Assumes compromise breach in verifying every request.

ZERO TRUST PRINCIPLES

-Network Security Group (NSG)-Network Firewalls-Inbound and outbound traffic filtering-Inbound and outbound traffic inspection-Centralized security policy management and enforcement

ZERO TRUST NETWORK ARCHITECTURE

零信任网络zero trust network

网络安全Network security

hypervisor 安全hypervisor security

Container hosts are cloud-based virtual machines(VM).This is where the containers run

Major CSPs also offer a monitoring solution that willidentify at least some potential security concerns

容器安全container security

the practice of creating a virtual computing environment as a need arises.

临时计算ephemeral computing

Use API gateways as security buffers (to avoid DDoS attacks)

无服务器技术serverless technology

虚拟化安全Virtualization security

Preventable by following secure development practices andadhering to recommendations in the secure data lifecycle

Data BreachThe result of a cyberattack

When sensitive data is unknowingly exposed to the public

Often through a system or service misconfiguration or oversharing.

Data LossSometimes called 'data leaks'

Disgruntled employees can wreak havoc on a system.

Internal acts of disruption include theft and sabotage.

Malicious Insiders

When attacks are designed to steal orwedge themselves into the middle of aconversation in order to gain control.

Traffic Hijacking

Consumers sometimes misuse their cloud services forillegal or immoral activities.

Abuse of cloud services

Process/effort to collect and analyze informationbefore making a decision or conducting a transaction.

Process/effort to collect and analyzeinformation before making a decision orconducting a transaction.

Due Diligence

Doing what a reasonable person would do ina given situation.It is sometimes called the\"prudent person rule\".

Due care

DUE DILIGENCE VS DUE CARE

Failure to perform due diligence can result in adue care violation.

Insufficient due diligence

The underlying infrastructure of the public cloud was not originallydesigned for the types of multitenancy in the public cloud

Modern virtualization software bridges most of the gaps

Shared Technology Vulnerabilities

常见威胁Common threats

打补丁patching

基线baselining

Configuration Management

helps reduce outages or weakened security from unauthorized changes to the baseline configuration.

Change Management

It is a function included in change management.

Patches correct security and functionality problems in software and firmware.

An applicability assessment is performed to determinewhether a particular patch or update applies to a system.

Patch Managementaka 'update Management'

安全卫生Security hygiene

1.3 了解与云计算相关的安全概念Understand security concepts relevant to cloud computing

Can be created by usersa user creates a file

Can be created by systemsa system logs access

Create

Store

Data should be protected by adequate security controls based on its classification.

refers to anytime data is in use or in transit over a network

Share

archival is sometimes needed to comply with laws or regulations requiring the retention of data.

Archive

Destory

DATA STATES

Storage Service Encryption

helps you encrypt Windows and Linux laas VMs disks using BitLocker (Windows)anddm-crypt feature of Linux to encrypt OS and data disks.

Full Disk Encryption

Helps font color=\"#e74f4c\

Transparent data encryption (TDE)

PROTECTING DATA AT REST

Holds the legal rights and complete control over a single piece of data.

Usually a member of senior management.Can delegate someday-to-day duties.CANNOT delegate total responsibility!

Data Owner

Usually someone in the font color=\"#e74f4c\

Data custodian

重要的数据角色

Data Processor

The person or entity that controls processing of the data.

Data Controller

GDPR中的数据角色

Refers to any individual font color=\"#e74f4c\

Data Subject

Use that knowledge to ensure the data they are responsible for isused as intended.

Data Steward

其他角色

云安全数据生命周期Cloud secure data lifecycle

the overall organizational plan for \"how-to\" continue business.

BCP (Business Continuity Plan)

the plan for recovering from a disaster impacting ITand returning the IT infrastructure to operation.

DRP(Disaster Recovery Plan)

BCP focuses on the whole businessDRP focuses more on the technical aspects of recovery

BCP will cover communications and process more broadlyBCP is an umbrella policy and DRP is part of it

BCP vs DRP

Region Pairs addresses font color=\"#e74f4c\

Availability Zones address datacenter failures within a cloud regionA CSP region (e.q.East Us)includes multiple datacenters

Availability sets address font color=\"#e74f4c\

云中灾难恢复

基于云的业务连续性 (BC) 和灾难恢复 (DR) 计划Cloud-based business continuity (BC) and disaster recovery (DR) plan

A cost-benefit analysis lists the benefits of the decision alongside their corresponding costs.

CBA can be strictly quantitative: adding the financial benefits and subtracting the associated costs todetermine whether a decision will be profitable.

成本效益分析cost-benefit analysis

投资回报率 (ROI)return on investment (ROI)

业务影响分析 (BIA)Business impact analysis (BIA)

Define a system or its component and font color=\"#e74f4c\

EXAMPLE:application forms must protect against injection attacks.

Functional security requirements

EXAMPLE:security certifications are non-functional.

Non-functional security requirements

Functional vs Non-Functional security requirements

供应商锁定vendor lock-in

功能安全要求Functional security requirements

VM attacksVirtual networkHypervisor attacksVM-based rootkitsVirtual switch attacksColocationDoS attack

Data SegregationData Access and PoliciesWeb Application Security

不同云类别的安全注意事项和责任Security considerations and responsibilities for different cloud categories

VM Escape

When font color=\"#e74f4c\

VM Sprawl

VIRTUALIZATION-FOCUSED ATTACKS

freely available on the internet and exploit known vulnerabilities in variousoperating systems enabling attackers to elevate privilege.

Rootkit (escalation of privilege)

undocumented command sequences that allow individuals with knowledgeof the back door to bypass normal access restrictions.often used in development and debugging.

Back Door

APPLICATION ATTACKS

is a resource consumption attack intended to prevent legitimate activityon a victimized system.

Denial of-Service

a Dos attack utilizing multiple compromised computer systems assources of attack traffic.

Distributed Denial of-Service

COUNTERMEASURES

volume-based attacks targetingfont color=\"#e74f4c\

Network

exploit weaknesses in the application layer (Layer 7) by opening connections andinitiating process and transaction requests that consume finite resources like diskspace and available memory.

Application

Targets the weaknesses of font color=\"#e74f4c\

Often target weaknesses using the network and application techniques describedabove.

Operational Technology (OT)

TYPES OF DDOS ATTACKS

NETWORK ATTACKS

Attacks

SANS 安全原则SANS security principles

架构完善的框架Well-Architected Framework

云安全联盟 (CSA) 企业架构Cloud Security Alliance (CSA) Enterprise Architecture

AWS Well-Architected FrameworkAzure Well-Architected FrameworkGoogle Cloud Architecture Framework

Cloud Service Providers

Enterprise Architecture Reference Guide (Cloud Security Alliance)Cloud Computing Reference Architecture (NIST)

Industry Groups

Focus on architecture more than security

ARCHITECTURE

Microsoft Cybersecurity Reference ArchitectureAWS Security Reference ArchitectureGoogle Cloud Security Foundations Guide

Enterprise Cloud Security Architecture (SANS)Security Technical Reference Architecture (CISA)Cloud Computing Security Reference Architecture (NIST)

Industry Groups

SECURITY

云设计模式Cloud design patterns

Devops relies heavily on deployment automation forContinuous integration/continuous delivery (Cl/CD)

Automated software scanningAutomated vulnerability scanningWeb application firewallSoftware dependency managementAccess and activity loggingApplication performance management

Technical

Administrative

DevOps 安全DevOps security

1.4 了解安全云计算的设计原则Understand design principles of secure cloud computing

Provides guidelines for information security controls applicable to theprovision and use of cloud services

Who is responsible for what between the cloud service provider and the cloud customerThe removal/return of assets when a contract is terminatedProtection and separation of the customer's virtual environmentVirtual machine configurationAdministrative operations and procedures associated with the cloud environmentCustomer monitoring of activity within the cloudVirtual and cloud network environment alignment

国际标准组织/国际电子技术委员会 (ISO/IEC) 27017International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27017

a secure network must be maintained in which transactions can be conductedcardholder information must be protected wherever it is storedsystems should be protected against the activities of malicious hackerscardholder data should be protected physically as well as electronicallynetworks must be constantly font color=\"#e74f4c\

BASED ON 6 MAJOR OBJECTIVES

支付卡行业数据安全标准 (PCI DSS)Payment Card Industry Data Security Standard (PCI DSS)

根据标准进行验证Verification against criteria

Enable an objective evaluation to validate that a particularproduct or system satisfies a defined set of security requirements

Ensures customers that security products they purchase havebeen thoroughly tested by independent third-party testers and meets customer requirements.

The certification of the product only certifies product capabilities.

Designed to provide assurances for security claims by vendors

通用标准 (CC) (ISO/IEC15408)Common Criteria (CC)

Established to aid in the protection of digitally stored font color=\"#e74f4c\

Level 1: Lowest level of security.Level 2: Specifies the security requirements for cryptographic modules that protect sensitive information.Level 3: Requires physical protections to ensure a high degree of confidence that any attempts to tamper are evident and detectable

FIPS Security Levels

联邦信息处理标准 (FIPS) 140-2Federal Information Processing Standard (FIPS) 140-2

系统/子系统产品认证System/subsystem product certifications

1.5 评估云服务供应商Evaluate cloud service providers

Destroy

云数据生命周期阶段Cloud data life cycle phases

A core principle of business continuity says that importantdata should always be stored in more than one location

Data dispersion is easier in the cloud because the CSP ownsthe underlying complexity that delivers site-level resiliency.

Local -replicas within a single datacenter

Zone -replicas to multiple datacenters within a region

Global region level resiliency (replicas to backup region

数据分散Data dispersion

A data flow diagram (DFD) is useful to gain visibility andensure that adequate security controls are implemented

Decreased development time and faster deployment of newsystem features. and with reduced security risk!

Some compliance frameworks font color=\"#e74f4c\

BENEFITS

BOTTOM LINE:Creating the DFD can be both a risk assessmentactivity and a crucial compliance activity.

数据流Data flows

2.1 描述云数据概念Describe cloud data concepts

长期long-term

临时ephemeral

原始存储raw storage

IAAS

Structured.Relational databases (RDBMS)Unstructured.Big data

PAAS

SAAS

存储类型Storage types

User accessing data storage without properauthorization presents security concerns

Customer must implement proper access controlCSP must provide adequate logical separation

Unauthorized Access

Primarily a cost and operational concern

Shadow IT a common issue

Unauthorized Provisioning

Loss of Connectivity

Universal threats from the perspective of the CIA Triad

Data transfer between countries can run afoul oflegal requirements.

Privacy legislation bars data transfer to countrieswithout adequate privacy protections

Jurisdictional issues

In the event a network connection is severedbetween the user and the CSP.CSPs are better prepared to defend against DDoS attacks.

Denial of service

Data corruption/destruction

Theft or media loss

Ransomware not only encrypts data stored onlocal drives but also seeks common cloudstorage locations like Saas apps.

Back up your computerStore backups separatelyFile auto-versioning

Update and patch computersUse caution with web linksUse caution with email attachmentsVerify email sendersPreventative software programsUser awareness training

PREVENTION

Malware and ransomware

Ensuring that hardware that has reached theend of its life is properly disposed of in such away that data cannot be recovered.

CSP responsible for hardware disposal

Improper disposal

First are the consequences of noncompliancelike fines or suspension of business operations.

Second is the reason for the compliancerequirements-font color=\"#e74f4c\

Regulatory Compliance

OTHER THREATS

对存储类型的威胁Threats to storage types

2.2 设计和实现云数据存储架构Design and implement cloud data storage architectures

Relies on the use of a single shared secretkey.font color=\"#e74f4c\

Symmetric

Asymmetric

A model of how different certification authorities trust each other and howtheir clients will trust certificates from other certification authorities.

Trust model

Addresses the possibility that a cryptographic key may be lost.

The concern is usually with symmetric keys or with the private key inasymmetric cryptography.

Organizations establish key escrows to enable recovery of lost keys.

Key escrow

FIPS 140-2 validated modules provide tamper resistance and key integrity

Encryption keys should be distributed securely to prevent theft/compromise during transit

Plan for securely transferring symmetric keys and distributing keys to the key escrow agent

BEST PRACTICE:Encrypt keys with a separate encryption key while distributing to other parties

Encryption keys must be protected at rest and should never be stored in plaintextThis Includes keys in volatile and persistent memory

Also consider handling in the process of storing copies for retrieval if a keyis ever lost (known as key escrow)

A process for font color=\"#e74f4c\

Key destruction is the removal of an encryption key from its operational location.

Key deletion goes further and removes any info that could be used to reconstruct that key.

ENCRYPTION KEY LIFECYCLE

CSP-managed or self-managed

Organizations that use multiple cloud providers or need to retainphysical control over key management may need to implement abring-your-own-key (BYOK)strategy.

Key storage

KEY MANAGEMENT IN THE CLOUD

Storage-level encryption

Volume-level encryption

Object-level encryption

Will vary by app and CSP platform

File-level encryption

Implemented in an application typically using object storage

Data entered by user typically encrypted before storage

Application-level encryption

Database-level encryption

OTHER CLOUD ENCRYPTION SCENARIOS

加密和密钥管理Encryption and key management

A one-way function that scrambles plain text to produce a unique messagedigest.

Conversion of a string of characters into a shorter fixed-length value

Encryption is a two-way function;what is encrypted can be decrypted withthe proper key.

VS Encryption

They must allow input of any length.Provide fixed-length output.Make it relatively easy to compute the hash function for any input.Provide one-way functionality.Must be collision free.

HASH FUNCTION REOUIREMENTS

散列Hashing

屏蔽masking

Anonymization.The process of removing all relevant dataso that it is impossible to identify original subject or person.

Good only if you don't need the data

Anonymization is sometimes called de-identification

匿名化anonymization

de-identification procedure usingpseudonyms (aliases)to represent other data.

Can result in less stringent requirements than wouldotherwise apply under the GDPR.

use if you need data and want to reduce exposure

伪名化Pseudonymization

数据混淆Data obfuscation

where meaningful font color=\"#e74f4c\

令牌化Tokenization

Reversal requires access to another data source

a system designed to font color=\"#e74f4c\

is a way to protect sensitive information and prevent its inadvertent disclosure.

数据丢失防护（DLP）Data loss prevention (DLP)

are most often used for encryption operations and can be used to uniquely identify a user or system.

Keys

often a secondary authentication mechanism used to verify that a communication has not been hijacked or intercepted.

Secrets

are used to verify the identity of a communication party and also be used for asymmetric encryption by providing a trusted public key.

often used to encrypt a shared session key or other symmetric key for secure transmission.

Certificates

Key Management Services (KMS）

CSPs offer a cloud service for centralized secure storage and access for application secrets called a vault.

Service will typically offer programmatic access via APl to support DevOps and continuous integration/continuous deployment(CI/CD)

Access control at vault instance-level and to secrets stored within.

Secrets and keys can generally be protected either by software or by FIPS 140-2 Level 2 validated HSMs.

This positively identifies the sender of the email.

Ownership of a digital signature secret key is bound to a specific user

Authentication

The sender cannot later deny sending the message.

This is sometimes required with online transactions

Non-repudiation

provides assurances that the message has not been modified or corrupted.

Recipients know that the message was not altered in transit

Integrity

Digital Signatures

management of cryptographic keys in a cryptosystem.

Key management

Certification Authorities create digital certificates and own the policies

Certificate authority (CA)

Used to represent a user's digital identity

User

A trust anchor in a PKI environment is the root certificate from which the whole chain of trust is derived.this is the root CA.

Root

A Domain-Validated (DV)certificate is an X.509 certificate that proves the ownership of a domain name.

Domain validation

Extended validation certificates provide a higher level of trust in identifying the entity that is using the certificate.

Commonly used in the financial services sector.

Extended validation

chain of trust

TYPES OF CERTIFICATES

A single compromised CA does not result in compromise of the root.

Subordinate CA

Contains information about any certificates that have been revoked by asubordinate CA due to compromises to the certificate or PKI hierarchy.

Certificate revocation list(CRL)

Revoking (invalidating) a certificate before expiration

Two potential options for tracking revocation:ask for the font color=\"#e74f4c\

CERTIFICATE REVOCATION

Offers a faster way to check a certificate's status compared to downloading a CRL.

Online Certificate Status Protocol (OCSP)

Records identifying information for a person or device that owns a private key as well as information on the corresponding public key.

It is the message that's sent to the CA in order to get a digital certificate created.

Certificate signing request(CSR)

the Fully Qualified Domain Name (FQDN)of the entity (e.g.web server)

CN(common name)

PUBLIC KEY INFRASTRUCTURE (PKI)

2.3 设计和应用数据安全技术和策略Design and apply data security technologies and strategies

Datacontained in rows and columns such as an Excel spreadsheet or relational database.

Often includes a description of its format known as a data model or font color=\"#e74f4c\

Discovery methods include:

结构化数据Structured data

Data that cannot be contained in a row-column database and does not have an associated data model.

Discovery occurs through font color=\"#e74f4c\

Lexical analysis attempts to find data meaning and context to discover sensitive info that may not conform to a specific pattern.

Hashing attempts to identify known data by calculating a hash of files and comparing it to a known set of sensitive file hashes.Only good for data that does not change frequently!

Content analysis(discovery)methods include:

非结构化数据Unstructured data

A combination of structured and unstructured data.

This mix of data types will require a combination of discovery methods and tooling capable ofdiscovery in these comingled data types

半结构化数据Semi-structured data

The location of data will impact both its discoverability and the choice of tools used to perform discovery.

Tools must be able to access data to perform the scanning and analysis needed in the discovery process.

Not all cloud solutions may offer a local agent for on-premises.

Network-based DLP may not analyze all traffic between on-premises endpoints and cloud

Both unstructured and structured in same repository will increase tool cost and complexity and may present classification challenges

A list of traits and characteristics about specific data elements or sets.

Often automatically created at the same time as the data

Metadata-Based Discovery

Based on examining labels created by the data owners during the Create phase.or in bulk with a scanning tool

Can be used with databases (structured data)but is more commonly used with file data.

Label-Based Discovery

数据位置Data location

2.4 实现数据发现Implement data discovery

Personally Identifiable Information (PIl)

health-related information that can be related to a specific person

Regulated by HIPAA/HITRUST

Protected Health Information (PHI)

allowable storage of information related to credit and debit cards and transactions.

Defined and regulated by PCI DSS

Cardholder Data

COMMON SENSITIVE DATA TYPES

Data classification

Ensures that legal and compliance issues are addressed.

Data retention

EXAMPLES:Some financial data needs to be retained for 7 yearsSome medical data may need to be retained up to 20-30 years.

Regulatory compliance

DATA POLICIES

A process for categorization of data and defining theappropriate controls.Categories include:

DATA CLASSIFICATION

数据分类策略Data classification policies

Informs organization of the locations where data is present within applications and storage.

Brings understanding that enables implementation of security controls and classification polices.usually precedes classification and labeling

数据映射Data mapping

Labeling requirements that apply consistent markings to sensitive data should accompany classification.

Often applied in bulk using classification tools

数据标记Data labeling

CLOUD SECURE DATA LIFECYCLEThe Cloud Security Alliance model

2.5 计划和实现数据分类Plan and implement data classification

Often implemented to control access to data designed to be shared but not freely distributed.

Can be used to font color=\"#e74f4c\

Provide file expiration so that documents can no longer be viewed after a specified time

IRM

数据权限data rights

访问provisioning

访问模型access models

access control/ability to enforce restrictions must follow the data.

Protection must Follow the document or data wherever it travels

Persistence

IRM solution must provide a way to update the restrictionseven after a document has been shared.

Dynamic policy control

IRM tools can enforce time-limited access to data as a form of access control.

Expiration

IRM solution must ensure that protected documents generate an audit trail when users interact with protected documents.

Continuous audit trail

IRM solutions must offer support for users across these different system types.

Interoperability

目标Objectives

颁发和撤销证书issuing and revocation of certificates

IRM tools comprise a variety of components necessary to provide policy enforcement and other attributes of the enforcement capability.

Centralized service for font color=\"#e74f4c\

Secrets storage: IRM solutions require local storage for font color=\"#e74f4c\

Local storage requires protection primarily for data integrity to prevent tampering with the material used to enforce IRM

适当的工具Appropriate tools

2.6 设计和实现信息权限管理 (IRM)Design and implement Information Rights Management (IRM)

Retention is driven by security policies and regulatory requirements

Audits or lawsuit may require production of some data

数据保留策略Data retention policies

1、Data is encrypted with a strong encryption engine.

2 The keys used to encrypt the data are then encrypted using a different encryption engine.

PRO: Data cannot be recovered from any remnantsCON: High CPU and performance overhead

crypto-shredding 'cryptographic erasure'

数据删除程序和机制Data deletion procedures and mechanisms

Refers to placing data in long-term storage for a variety of purposes

The optimal approach in the cloud differs in several respects from the on-premises cquivalent

Data EncryptionData MonitoringeDiscovery and RetrievalBackup and DR OptionsData FormatMedia Type

Key elements of data archiving in the cloud

Access controls and encryption are important to protect data integrity (by preventing unauthorized access)

Data Encryption

Data stored in the cloud tends to be replicated as part of storage resiliency or BC/DR.

To maintain font color=\"#e74f4c\

Monitoring to ensure all security controls are being applied properly throughout the data lifecycle.

Data Monitoring

Archive data may be font color=\"#e74f4c\

The archiving platform should provide the ability to perform eDiscovery on the data to determine which data should be retrieved.

eDiscovery and Retrieval

All requirements for data backup and restore should be specified and clearly documented

Business continuity and disaster recovery (BCDR)plans are updated and aligned with whatever procedures are implemented

Both resiliency to disaster (ensuring archive data availability) and knowledge/control of data replication arc important

Backup and DR Options

This is an important consideration because it may be kept for an extended period.

Format needs to befont color=\"#e74f4c\

Data Format and Media Type

数据归档程序和机制Data archiving procedures and mechanisms

Protecting any documents that can be used in evidence in legal proceedings from being altered or destroyed

Data protection suites in cloud platforms often have a feature to ensure immutability

依法保留Legal hold

身份identity

互联网协议 (IP) 地址Internet Protocol (IP) address

地理位置geolocation

事件源的定义和事件属性的要求Definition of event sources and requirement of event attributes

Logs are worthless if you do nothing with the log data.They are made valuable only by review.

Log centralization and aggregationData integrityNormalizationAutomated or continuous monitoringAlertingInvestigative monitoring

SIEM(Security Information Event Monitoring)tools can help tosolve some of these problems by offering these key features:

Log centralization and aggregation

Data integrity

SIEMs can normalize incoming data to ensure that the data from a variety of sources is presented consistently.

Normalization

Automated or continuous monitoring

SIEMs can automatically generate alerts such as emails or tickets when action is required based on analysis of incoming log data

Alerting

Investigative monitoring

Provides evidence integrity through convincing proof evidence was not tampered with in a way that damages its reliability.

Each person who handled the evidenceDate and time of movement/transferPurpose evidence movement/transfer

Foundational principle of evidence handling in legal proccedings!

What if evidence is left unattended or handled by unauthorized parties?

Functions and importance

CHAIN OF CUSTODY

Non-repudiation is the guarantee that no one can deny a transaction.

Systems enforce nonrepudiation through the font color=\"#e74f4c\

Digital signatures prove that a digital message or document was notmodified-intentionally or unintentionally-from the time it was signed.

Based on asymmetric cryptography (a public/private key pair)

It's the digital equivalent of d handwritten signature or stamped seal.

Multiple accounts make non-repudiation more difficultShared accounts make non-repudiation virtually impossible!

Methods to provide non-repudiation

NON-REPUDIATION

监管链和不可抵赖性Chain of custody and non-repudiation

is maintained for individual subjects using auditing.

logs record user activities and users can be held accountable for their logged actions.

directly promotes good user behavior and compliance with the organization's security policy.

Accountability

help ensure that management programs are effective and being followed.

commonly associated with account management practices to prevent violations with least privilege or need-to-know principles.

patch managementvulnerability managementchange managementconfiguration management

can also be performed to oversee many programs and processes

Security audits and reviews

Ensures events are font color=\"#e74f4c\

laas Event sources

A Paas environment does not offer or expose the same level of customer access to infrastructure and system logs as laas

Paas Event Sources

Saas Event Sources

Definition of Event Sources

Source address

User identity

WHO

Type of event

Severity of event

Security-relevant event flag(if log contains non-security events)

Description

WHAT

Application address

Service

Geolocation

Window/for/page (URL and HTTP method)

Code location (script or module name)

WHERE

Log date and time (international format)

Event date and time

Interaction identifier

WHEN

EVENT SOURCES EVENT ATTRIBUTES

D2 云数据安全Cloud Data Security

There are infrastructure components that are common to all cloud service delivery models

For font color=\"#e74f4c\

Controls for font color=\"#e74f4c\

PHYSICAL ENVIRONMENT CONSIDERATIONS

Ensuring that communication lines are not physically compromised by locating telecommunications equipmentinside a controlled area of the CSP's building or campus.

EXAMPLE

物理环境Physical environment

IaaS

PaaS

Thecustomer remains responsible for font color=\"#e74f4c\

SaaS

网络与通信Network and communications

a minimum resource that is guaranteed to a customer

Reservation

maximum utilization of compute resource by a customer (e.g.VM)

limits are allowed to change dynamically based on current conditions and consumption

Limits

a weighting given to a particular VM used to calculate percentage-based access to pooled resources when there is contention.

In cases of shortage host scoring determines who gets capacity

Shares

计算Compute

The security of the hypervisor is always the responsibility of the CSP.

The virtual network and virtual machine may be the responsibility of either the CSP or the customer.

Risks associated with virtualization

Install all updates to the hypervisor as they are released by the vendor.Restrict administrative access to the management interfaces of the hypervisor.Capabilities to monitor the security of activity occurring between guest operating systems(VMs).

Security recommendations for the hypervisor

Install all updates to the guest OS promptly.Back up the virtual drives used by the guest os on a regular basis

Security recommendations for the guest OS

The virtual network between the hypervisor and the VM is also a potential attack surface.

Responsibility for security in this layer is often shared between the CSP and the customer.

VIRTUALIZATION NETWORK SECURITY

Where an font color=\"#e74f4c\

or malicious user breaks the isolation between VMs running on a hypervisor by gaining access outside their VM.

Protection:

VM Escape

虚拟化Virtualization

physical protection of data centers and the storage infrastructure they contain.

security patches and maintenance of underlying data storage technologies and other data services they provide

CSP Responsibilities

properly configuring and using the storage tools.

logical security and privacy of data they store in the CSP's environment.

assessing the adequacy of these controls and properly configuring and using the controls available.

ensuring adequate protection for the data at rest and in motion based on the capabilities offered by the CSP.

CUSTOMER Responsibilities

Inability to securely wipe physical storage and possibility of another tenant being allocated the same previously allocated storage space

Customer retains responsibility for secure deletion

only storing data in an encrypted format

retaining control of the keys needed to decrypt the data

Compensating controls for the lack of physical controlof the storage medium include:

CUSTOMER CHALLENGES

存储Storage

Provides virtual management options equivalent to the physical administration options a legacy data center would provide.

Data plane performs operations on resources created through the control plane

Control Plane and Data Plane

the main web interface for the CSP platform.

Cloud Portal

the ability to stop/start a resource at a scheduled time

Scheduling

Orchestration

Maintenance

Key interfaces of the management plane

管理平面Management plane

3.1 理解云基础架构和平台组件Comprehend cloud infrastructure and platform components

create tenant partitioning or isolationlimit and secure remote accessmonitor the cloud infrastructureallow for the patching and updating of systems

The logical design of the cloud infrastructure should:

Logical isolation in CSP multitenancy makes cloud computing more affordable but create some security and privacy concerns.

CSP and tenant share responsibility for implementing and enforcing controls that address the unique multitenant risks of the public cloud.

租户分区tenant partitioning

One method of access control is to federate a customer's existing IAM system with their CSP tenant

Another method to facilitate IAM between cloud and on-premisesresources is identity as a service (IDaas)

Hybrid identity (single login for on-premises and cloud)can simplify identity and access management (IAM)

Remote Desktop Protocol(RDP):the native remote access protocol for Windows operating systems.

Secure Terminal/Console-Based Access:a system for secure local access.A KVM (keyboard video mouse)system with access controls

Virtual clients:software tools that allow remote connection to a VM for use as if it is your local machine.e.q Virtual Desktop Infrastructure (VDI)for contractors

Local and Remote Access controls

访问控制access control

逻辑设计Logical design

One of the first considerations in datacenter design is location

位置location

Building your own datacenter from scratch and buying an existing facility each have their advantages and disadvantages

Requires significant investment to build a robust data centerOffers the most control over datacenter designRequires knowledge and skill to match quality of BUY option

Build

Buy

购买或建造buy or build

A strong fence line of sufficient height and constructionLighting of facility perimeter and entrancesVideo monitoring and alertingElectronic monitoring for tampering

PHYSICAL SECURITY

Uptime simply measures the amount of time a system is running

involves no redundancy and the most amount of downtime in the event of unplanned maintenance or an interruption.

must have an font color=\"#e74f4c\

expected to provides 99.671%availability

TIER I:Basic Site Infrastructure

adds redundant components for important cooling and power systems

facilities must also have the ability to store additional fuel to support the generator

expected to provide 99.741% availability

TIER II:Redundant Site Infrastructure

adds even more redundant components

has a major advantage in that it never needs to be shut down for maintenance

enough redundant components that any component can be taken offline for maintenance and data center continues to run

expected to provides 99.982%availability

TIER IIl:Concurrently Maintainable SiteInfrastructure

can withstand either planned or unplanned activity without affecting availability

this is achieved by eliminating all single points of failure

expected to provide 99.995%availability

TIER IV:Fault-Tolerant Site Infrastructure

DATACENTER TIER STANDARD

物理设计Physical design

供暖Heating

An HVAC failure can font color=\"#e74f4c\

Customer reviews of the CSP should include the adequacy and redundancy of HVAC systems.

A routine review of the most current SOC 2 report is a critical part of a cloud customer's due diligence in CSP evaluation.

Connectivity to data center locations from more than one internet service provider (ISP) is multi-vendor pathway connectivity

Using multiple vendors is a proactive way for CSPs to mitigate the risk of losing network connectivity.

Cloud customers should consider multiple paths for communicating with their cloud vendor.

多供应商通路连接multi-vendor pathway connectivity

环境设计Environmental design

A few examples of resilient design:

Service-level resiliency requires identifying single points of failure throughout the servicc chain

设计弹性Design resilient

3.2 设计安全的数据中心Design a secure data center

Identifying risks is the first step in managing them and begins with identification of the organization's valuable assets

once assets are identified: Security practitioners and risk managers can then begin toidentify potential causes of disruption to the assets

Several exist that provide processes and procedures for designing and implementing a risk management framework.

RISK FRAMEWORKS

识别identification

What will the impact be if that goes wrong?Single loss cxpectancy (SLE) - $

How likely is it to happen?Annualized Rate of Occurrence (ARO) - decimal

Analysis seeks to answer two questions:

The possible yearly cost of all instances of a specific realized threat against a specific asset.

FORMULA ALE =SLE x ARO

Annualized Loss Expectaney（ALE)

SLE = Asset value (AV) x EF

Exposure factor (EF) - %

分析analysis

Analysis of a CSP or cloud solution and the associated risks involves many departments and focus areas:

Business unitsVendor managementPrivacyInformation security

ISO/IEC 27001

security standard developed for cloud service providers and users to make asafer cloud-based environment and reduce the risk of security problems.

ISO/IEC 27017

the first international standard about the privacy in cloud computing services

ISO/IEC 27018

Customer-managed or CSP-managed?

Authentication Risk

Data Security

Evaluation of vendor security policies and processes.

Most CSPs font color=\"#e74f4c\

SOC 2 reportISO 27001 certificationSpecialized reports for regulated data

Supply Chain Risk Management (SCRM)

Analysis of CSP Risks

One risk that has been discussed is the organization losing ownership and full control over system hardware assets.

Careful selection of CSPs and the development of SLAs and other contractual agreements are critical to limiting risk

Organizations can font color=\"#e74f4c\

Customers must verify the resilience and continuity controls in place at the CSP

Geographic dispersion of the CSP data centers

Downtime

Compliance

Cloud systems are not immune to standard security issues like cyberattacks.

General technology risk

Different font color=\"#e74f4c\

External

A font color=\"#e74f4c\

Another internal threat is font color=\"#e74f4c\

Internal

RISK TYPES

common cloud Risks

风险评估Risk assessment

Organizations could be at risk if the CSP's public-facing infrastructure comes under attack

Unintentional loss/oversharing is a 'data leak'

data breaches

Remediate risk through change and confiquration management

Misconfiguration and inadequate change control

The public cloud offers benefits over legacy on-premises environments but can also bring additional complexities.

Phishing is the most common approach

Account hijacking

Insider threat

Insecure interfaces and APls

Most CSPs offer reference architectures to ensure customers secure and isolate their dev/test/prod environments and data

Weak control plane

Applistructure.Applications deployed in the cloud and the underlying application services used to build them.

Metastructure and applistructure failures

Refers to when organizations experience a significant reduction in visibility over their information technology stack.

Limited cloud usage visibility

Abuse and nefarious use of cloud services

Cloud-Specific RisksThe CSA Egregious 11

Selecting a qualified CSP is an essential first step.

Security should be considered at every step starting with design!

The next step is designing and architecting with security in mind.

风险缓解策略Risk mitigation strategies

3.3 分析与云基础架构和平台相关的风险Analyze risks associated with cloud infrastructure and platforms

内部部署on-premises

ability to restrict physical access at multiple pointsensuring a clean and stable power supplyadequate utilities like water and sewerthe availability of an adequate workforce

Customers should focus on selecting CSP datacenter locations to meet disaster recovery and data residency

SITE SELECTION FACILITY DESIGN

物理和环境保护Physical and environmental protection

at restin transitin use

Encrypt and protect data:

Dos/DDosBoundary (ingress and egress)Key Management

Protect systems and services:

System and Communication Protection

Automation of configurationResponsibilities for protecting cloud systems and servicesMonitoring and maintenance

Security practices

Properly securing information systems can be a difficult task due to the sheer number of elements that make up a system.

Breaking systems down into components and then applying security controls can make the overall task more manageable.

Policy and Procedures

A basic security principle that ensures that no single person can control all the elements of a critical function or system.

Separating user and admin functions can also prevent users from altering processes or misconfiguring systems.

Separation of System and User Functionality

Separating security-specific functionsfrom other roles is another example of separation of duties.

Security Function Isolation

A disruptive attack at scale that is more difficult for smaller organizations to combat effectively.

Denial-of-Service Protection

Boundary Protection

Eneryption tools like TLS or a VPN can be used to provide confidentiality.

Hashing can be implemented to detect unintentional data modifications.

Additional security measures like digital signatures or hash-based message authentication code(HMAC)can be used to detect intentional tampering.

HMAC can simultaneously verify both data integrity and message authenticity

Cryptographic Key Establishment and Management

Authentication (AuthN) is the process of proving that you are who you say you are.

Authorization (AuthZ) is the act of granting an authenticated party permission to do something

Accountability is typically enforced with adequate logging and monitoring of system activity

Saas apps used as users travel make identifying anomalous / malicious behavior more difficultBad password practices(reuse across services)Use of personal devices in BYOD scenarios

Modern IDaas tools provide solutions for these challenges

Cloud challenges in enforcing accountability

ACCOUNTABILITY

includes two or more authentication factors

more secure than using a single authentication factor

passwords are the weakest form of authentication

password policies help increase their security by enforcing complexity and history requirements

Smartcards include microprocessors and cryptographic certificates

Oath tokens create one-time passwords (OTP)

Biometric methods identify users based on individual characteristics such as fingerprints and facial recognition

Multifactor Authentication

MFA FACTORS AND ATTRIBUTES

is a font color=\"#e74f4c\

Authentication applications

where the server is pushing down the authentication information to your mobile device.

uses the mobile device app to be able to receive the pushed message and display the authentication information.

Push notifications

AUTHENTICATION METHODS

Federation is a collection of domains that have established trust.

Often includes a number of organizations that have established trust for shared access to a set of resources.

ExampleYou can federate your on-premises environment with Azure Active Directory (Azure AD) and use this federation for authentication and authorization.

This sign-in method ensures that all user authentication occurs on-premises.

Allows administrators to implement more rigorous levels of access control

FEDERATED SERVICES

Cloud services will offer different controls over what information is logged..

but at a font color=\"#e74f4c\

A log aggregator can ingest logs from all on-premises and cloud resources for review.

日志收集log collection

Refers to the ability to discover relationships between two or more events across logs.

关联correlation

Packet capture tools are also called protocol analyzers

Some CSP protocol analyzers can save the data that they collect to a Wireshark-compatible packet capture file (PCAP).

数据包捕获packet capture

审计机制Audit mechanisms

3.4 计划和实现安全控制Plan and implementation of security controls

BCP focuses on the whole business

DRP focuses more on the technical aspects of recovery

BCP will cover communications and process more broadly

BCP is an umbrella policy and DRP is part of it

Minimizing the effects of a disaster by:Improving responsiveness by the employees in different situations.Easing confusion by providing written procedures and participation in drillsHelping make logical decisions during a crisis

GOALS OF DRP AND BCP

the plan to move from the disaster recovery site back to your business environment or back to normal operations.

BRP(Business Resumption Plan)

a time determination for how long a piece of IT infrastructure will continue to work before it fails.

MTBF(Mean Time Between Failures)

a time determination for how long it will take to get a piece of hardware/software repaired and back on-line.

MTTR(Mean Time to Repair)

The amount of time we can be without the asset that is unavailable BEFORE we must declare a disaster and initiate our disaster recovery plan.

MTD(Max tolerable downtime)

BCP DEFINITIONS

The overall organizational plan for\"how-to\"continue business after an event has occurred.

A proactive risk mitigation strategy that contains likely scenarios that could affect the organization and guidance on how the organization should respond

Sometimes called a continuity of operations plan (COOP)

BCP(Business Continuity Plan)Business-focused

the plan for recovering from an IT disaster and having the IT infrastructure back in operation.

DRP(Disaster Recovery Plan)Tech-focuscd

业务连续性 (BC) / 灾难恢复 (DR) 策略Business continuity (BC) / disaster recovery (DR) strategy

The business impact assessment (BIA)is used to determine which processes are critical and which are not.

Measures the impact of specific systems and processes.

Any that are deemed critical to the organization's functioning must be prioritized in an emergency situation.

A BIA typically contains a cost-benefit analysis (CBA) and a calculation of the return on investment(ROI).

BUSINESS IMPACT ANALYSIS

A cloud data center that is affected by a natural disaster will likely activate multiple BCPs and DRPs.

CSP will activate both plans to deal with the interruption to their service

One key element of the BCP is communicating incident status to relevant parties.

BCP/DRP FROM A CSP PERSPECTIVE

The customer is responsible for determining how to recover in the case of a disaster in the cloud.

CSPs can further protect customers by not allowing two availability zones within a single physical datacenter within a cloud region.

BCP/DRP FROM A CUSTOMER PERSPECTIVE

The plan that details how relevant stakeholders will be informed inevent of an incident. (like a security breach)

Would include plan to maintain confidentiality such as encryption to ensure that the event does not become public knowledge.

Confidentiality amongst internal stakeholders is desirable so external stakeholders can be informed in accordance with the plan.

COMMUNICATION PLAN

STAKEHOLDER MANAGEMENT

is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.

恢复时间目标 (RTO)Recovery Time Objective (RTO)

is the age of data that must be recovered from backup storage for normal operations to resume if a system or network goes down

恢复点目标 (RPO)Recovery Point Objective (RPO)

measures the compute resources needed to keep production environments running during a disaster.

is a percentage measure (0-100%)of how much computing power you will need during a disaster

based upon font color=\"#e74f4c\

恢复服务级别recovery service level

业务需求Business requirements

Based on priorities from the business impact analysis(BIA)

Design

Implement the plan to protect critical business functions

ldentifying key personnel is crucial implementation step

Implement the Plan

Testing ensures both the BCP/DRP function as expected

AND that people know their roles and responsibilities

Testing both BCP and DRP plans is essential

Test the Plan

BCP/DRP should be revised as necessary based on test results

BCP/DRP plans evolve and need refinement over time

Report and Revise

Members of the disaster recovery team gather in a large conference room and role-play a disaster scenario.

The team members refer to the document and discuss the appropriate responses to that particular type of disaster.

Tabletop testing

Dry run

Involves actuallyshutting down operations at the primary site and shifting them to the recovery site.

Full test

DISASTER RECOVERY TESTS

Customers can take advantage of the cloud's high availability features like:multiple availability zonesautomatic failover to backup region(s)direct connection to a CSP

The cost of building resiliency should be less than the cost of business interruption

The cost of high availability in the cloud is generally less than a company trying to achieve high availability on their own

IMPLEMENTATION

3.5 计划业务连续性 (BC) 和灾难恢复 (DR)Plan business continuity (BC) and disaster recovery (DR)

D3 云平台和基础架构安全Cloud Platform and Infrastructure Security

Declares security should be present throughout every step of the process.

Pairs well with DevSecOps

Security by design

The idea is that security is the responsibility of everyone from the most junior member of the team to senior management.

Describes the primary principle of DevSecOps

Shared security responsibility

Requires org-wide security awareness and commitment

Security as a business objective

云开发基础Cloud development basics

Cloud software development often relies on loosely coupled services.

Verify through end-to-end load and stress testing

Performance

One of the key features of the cloud is the ability to scale allowing applications and services to grow and shrink as demand fluctuates.

Requires developers to think about how to retain state across instances and handle faults with individual servers

Scale out is better than scale up in the cloud

Interoperability across platforms increases service provider choice and can reduce costs

Designing software that can move between on premises and cloud environments or between cloud providers makes it portable

Portability in a hybrid scenario requires avoiding use of certain environment and provider-specific APIs and tools.

Portability

Designing APIs to work well with cloud architectures while remaining secure are both common challenges for developers and architects.

Access controlData encryptionThrottlingRate limiting

API security considerations

API Security

常见陷阱Common pitfalls

开放web应用安全项目 (OWASP) 10 大风险Open Web Application Security Project (OWASP) Top-10

SANS 前 25 个最危险的软件错误SANS Top-25

Common cloud vulnerabilities to avoid with SSDLC include

Data breachesData integrityInsecure application programming interfaces (APIs)Denial-of-Service

VULNERABILITIES

Cloud Security Alliance(CSA)SANS InstituteOpen Web Application Security Project (OWASP)

ORGANIZATIONS

常见云漏洞Common cloud vulnerabilities

4.1 倡导应用程序安全性的培训和意识Advocate training and awareness for application security

SSDLC is fully successful only if the integration of security into an organization's existing SDLC is required for all development efforts.

Business requirements capture what the organization needs its information systems to do.

Planning

Requirements Definition

Solution is designed based on requirements gathered

Wherc the actual coding (work)happens

Coding

Testing

SECURE SOFTWARE DEVELOPMENT LIFECYCLE (SDLC)

设计design

编码code

测试test

维护maintain

CCSP 4 个阶段

places an emphasis on the needs of the customer and quickly developing new functionality thatmeets those needs in an iterative fashion.

Aglie

describes a sequential development process that results in the development of a finished product.

Waterfall

SOFTWARE DEVEPLOMENT MODELS

7-stage process that allows return to previous stage for corrections

SYSTEM REQUIREMENTSSOFTWARE REQUIREMENTSPRELIMINARY DESIGNDETAILED DESIGNCODE AND DEBUGTESTINGOPS & MAINTENANCE

WATERFALL MODEL

model for software developmentbased on the following four principles

Individuals and interactions over processes and toolsWorking software over comprehensive documentationCustomer collaboration over contract negotiationResponding to change over following a plan

Leverages an iterative (repeating)process called a sprint

AGILE MODEL

瀑布式与敏捷waterfall vs. agile

阶段和方法Phases and methodologies

4.2 描述安全软件开发生命周期 (SDLC) 流程Describe the Secure Software Development Life Cycle (SDLC) process

The Cloud Security Alliance details the top cloud-specific security threats in their list titled \"The CSA Egregious 11\"

Developers can leverage identity-as-a-service (IDaas)rather than building their own for stronger authentication & authorization controls

Using existing identity providers /IDaas for your app reduces risk

Continuous Integration Continuous Deployment (CI/CD)

云特定风险Cloud-specific risks

Allows security practitioners to identify potential threats and security vulnerabilities

is often used as an input to risk management

Focused on Assets.Uses asset valuation results to identify threats to the valuable assets.

Focused on Attackers.Identify potential attackers and identify threats based on the attacker's goals

Focused on Software Considers potential threats against the software the org develops.

3 approaches to threat modeling

SpoofingTamperingRepudiationInformation disclosureDenial of serviceElevation of privilege

Damage potentialReproducibilityExploitabilityAffected usersDiscoverability

Architectureanalysis of the system's architecturefont color=\"#e74f4c\

Stage l:Definition of ObjectivesStage Il:Definition of Technical ScopeStage Ill:App Decomposition AnalysisStage IV:Threat AnalysisStage V:Weakness Vulnerability AnalysisStage VI:Attack Modeling SimulationStage VIl:Risk Analysis Management

攻击模拟和威胁分析过程 (PASTA)Process for Attack Simulation and Threat Analysis (PASTA)focuses on developing countermeasures based on asset value

威胁建模Threat modeling

Awareness of common flaws like injection attacks prevent coding mistakes

Training and awareness

Documented process

Focusing on meeting acceptance criteria can be one way of simplifying the task of ensuring that security requirements are met

Having well-defined test cases for security requirements can help avoid vulnerabilities such as OWASP Top 10 application security risks.

Test-driven development

避免开发过程中的常见漏洞Avoid common vulnerabilities during development

The practice of designing systems and software to avoid security risks

Essentially a proactive risk mitigation practice

Standards and organizations exist that work to mature these practices

The oWASP Top 10 is an awareness document that represents a broad consensus about the most critical security risks to web applications.

Broken Access ControlCryptographic FailuresInjectionInsecure DesignSecurity MisconfigurationVulnerable and Outdated ComponentsIdentification and Authentication FailuresSoftware and Data Integrity FailuresSecurity Logging and Monitoring FailuresServer-Side Request Forgery

CLOUD-NATIVE APPLICATION SECURITY TOP 10

开放web应用安全项目 (OWASP) 应用安全检验标准 (ASVS)Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS)

Out-of-bounds Write buffer overflowImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting)Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')Improper Input Validation Prevents injectionOut-of-bounds Read buffer overflowImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection')Use After Free buffer overflowImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Cross-Site Request Forgery(CSRF)Unrestricted Upload of File with Dangerous TypeNULL Pointer DereferenceDeserialization of Untrusted Data font color=\"#e74f4c\

CWE/SANS:TOP 25 Most Dangerous Software Errors

Injection attacksBuffer overflow attacksDirectory path traversalDenial of Service (Dos)/Distributed DoS (DDoS)Race conditionAuthentication (AuthN)and Authorization (AuthZ)

used to compromise web front-end and backend databases

SQL injection attacks Use unexpected input to a web application to gain unauthorized access to an underlying database.

INJECTIONS (INJECTION ATTACKS]Improper input handling

exists when a developer does not validate user input to ensure that it is of an appropriate size (allows Input that is too large can \"overflow\"memory buffer).

BUFFER OVERFLOWS

One of the simplest ways to perform directory traversal is by using a command injection attack that carries out the action.

Most vulnerability scanners will check for weaknesses with directory traversal/command injection and inform you of their presence.

DIRECTORY TRAVERSAL

is a resource consumption attack intended to prevent legitimate activity on a victimized system.

a DoS attack utilizing multiple compromised computer systems as sources of attack traffic.

RESOURCE CONSUMPTION

A condition where the system's behavior is dependent on the sequence or timing of other uncontrollable events.

a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request.

Problem occurs when the state of the resource changes between the time of the check and the time it is actually used

Time-of-Check-to-Time-of-Use(TOCTOU)

It becomes a bug when one or more of the possible behaviors is undesirable.

RACE CONDITIONS

ATTACK TYPES and CONCEPTSATTACK TYPES and CONCEPTS

First published \"Fundamental Practices for Secure Software Development\"

Designed to help software industry adopt and use these best practices effectively

卓越代码软件保障论坛 (SAFECode)Software Assurance Forum for Excellence in Code (SAFECode)

This is where source code and related artifacts (such as libraries)are stored

Do not commit sensitive information

Protect access to your code repositories

Sign your work

Keep your development tools (IDE)up-to-date

Code Repositories

安全编码Secure coding

helps reduce outages or weakened security from unauthorized changes.

Versioning uses a labeling or numbering system to track changes in updated versions of software.

Baselining is an important component of configuration management.

a baseline is a snapshot of a system or application at a given point in time

should also create artifacts that may be used to help understand system configuration

system and component-level versioning

SCMSoftware Configuration Management

An emerging strategy and standard in tracking software versions is software bill of materials (SBOM)

The SBOM font color=\"#e74f4c\

software bill of materials (SBOM)

软件配置管理和版本控制Software configuration management and versioning

4.3 应用安全软件开发生命周期 (SDLC)Apply the Secure Software Development Life Cycle (SDLC)

Development

where developers integrate all of their work into a single application.

Regression testing to ensure functionality is as expected.

where we ensure quality assurance before we roll it out to production.

QA happens here

Staging

Production

ENVIRONMENT

determines if software meets functionality requirements defined earlier in the SSDLC

regression testing that validates whether bugs were reintroduced between versions

Focuses on specific features and functionality

Functional testing

focuses on the quality of the software

looks at software qualities like stability and performance

Examines the way the system operates font color=\"#e74f4c\

Non-functional testing

功能和非功能测试Functional and non-functional testing

Define a system or its component and specifies what it must do.

EXAMPLE:application forms must protect against injection attacks

Specify the system's font color=\"#e74f4c\

Apply to the whole system (system level)

EXAMPLE:security certifications arc non-functional.

FUNCTIONAL SECURITY REQUIREMENTS

conducted font color=\"#e74f4c\

tester has no knowledge of any of these elements at the outset of a test.

'zero knowledge testing

黑盒blackbox

conducted with font color=\"#e74f4c\

Static application testing is one example

\"Full knowledge testing

白盒whitebox

StaticApplication Security Testing

analysis of computer software performed without actually executing programs

tests \"inside out\" requires source code

静态static

a program which communicates with a web application (executes the application)

tester has no knowledge of the technologies or frameworks that the application is built on

tests \"outside in\" no source code required

动态dynamic

is used to track the components of a software package or application

is of special concern for apps built with open-source software components

because open-source components often involve reusable code libraries

软件组成分析（SCA）Software Composition Analysis (SCA)

analyzes code for vulnerabilities while it's being used

focuses on real time reporting to optimize testing and analysis process

Often built into CI/CD automated release testing

交互式应用程序安全测试 (IAST)interactive application security testing (IAST)

安全测试方法Security testing methodologies

PROCESS:is frequently a combination of font color=\"#e74f4c\

GOAL:is to ensure software meets standards or requirements.

质量保证 (QA)Quality assurance (QA)

A way to use a feature that was font color=\"#e74f4c\

Focuses on using features in ways that weren't intended by the developer.

Can help orgs to consider security features and controls needed for an application

Testing generally focuses on documented abuse cases

Abuse case Test

滥用案例测试Abuse case testing

4.4 应用云软件保障和验证Apply cloud software assurance and validation

APIs (SOAP or REST) is a set of exposed interfaces that allow programmatic interaction between services. no user/human involved

SOAP is a standard communication protocol system that uses XML technologies

REST is an architectural model that uses HTTPS for web communications to offer API endpoints

保护应用编程接口 (API)Securing application programming interfaces (API)

A secure supply chain includes font color=\"#e74f4c\

供应商评估vendor assessment

Traditional vendor evaluation options may include

Supply Chain Evaluation

Third-party Audit.Review an independent auditor's unbiased review of an entity's security infrastructure.

Review font color=\"#e74f4c\

Vendor evaluation in the cloud

供应链管理Supply-chain management

许可licensing

A third party may have limited access to your systems but will often have direct access to some portion of your data.

Typical issues addressed in software vendor assessment include:

第三方软件管理Third-party software management

One in which the vendor makes the license freely available and allows access to the source code though it might ask for an optional donation.

open Source

Are more expensive but tend to provide more/better protectionand more functionality and support (at a cost).

Proprietary

OSS vs PROPRIETARY

Some argue that open-source software is more secure because the source code is available to review.

Sandbox testingVulnerability scansThird-party verifications

Adequate validation testing is required and may be achieved through：

经过验证的开源软件Validated open-source software

4.5 使用经过验证的安全软件Use verified secure software

protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

typically protects web applications from font color=\"#e74f4c\

web应用防火墙 (WAF)web application firewall (WAF)

combines network data and database audit info in real time to analyze database activity forfont color=\"#e74f4c\

数据库活动监控 (DAM)Database Activity Monitoring (DAM)

used to protect services that rely on XML based interfaces including some web apps

Usually implemented as a proxy

可扩展标记语言 (XML) 防火墙Extensible Markup Language (XML) firewalls

provides authentication and key validation services that control APl access

应用编程接口 (API) 网关application programming interface (API) gateway

One reason that we need a good firewall is to filter incoming traffic to protect our cloud-hosted infrastructure and applications from hackers or malware.

Cost

Network segmentation should be supported with appropriate traffic filtering/restriction with the firewall type that is most appropriate for the use case.

The firewall can filter traffic between virtual networks and the Internet.

Need for Segmentation

Open Systems Interconnection (OSI)Layers

Firewall Considerations in a cloud Environment

补充安全组件Supplemental security components

子主题

Helps protect font color=\"#e74f4c\

Transparent data encryption(TDE)

Data in motion is most often encrypted using TLS(HTTPS)

Hybrid (site-to-site)and cross-cloud connectivity is often encrypted by VPN

PROTECTING DATA IN MOTION

密码学Cryptography

Cfont color=\"#e74f4c\

Enables patch and test and ensures a system is secure before putting it into a production environment.

Also facilitates investigating dangerous malware.

Sandboxes provide an environment for evaluating the security of code without impacting other systems.

沙盒Sandboxing

微服务microservices

Reduces overhead of server virtualization by enabling containerized apps to run on a shared OS kernel.

Can be used in some cases to isolate existing applications developed to run in a VM with a dedicated operating system.

Container hosts are cloud-based virtual machines (VM).This is where the containers run

Most CSPs offer hosted Kubernetes service. handles critical tasks like health monitoring and maintenance for you.Platform-as-a-Service

Major CSPs also offer a monitoring solution that will identify at least some potential security concerns

Managed Kubernetes

CONTAINER ORCHESTRATION

cloud orchestration allows a customer to manage their cloud resources centrally in an efficient and cost-effective manner.

This is especially important in a multi-cloud environment.

Management of the complexity of corporate cloud needs will only increase as more computing workloads move to the cloud.

Allows the font color=\"#e74f4c\

Implements automation in a way that manages cost and enforces corporate policy in and across clouds.

Major CSPs offer orchestration tools that work on their platform and third partics offer multi-cloud orchestration solutions

CLOUD ORCHESTRATION

应用程序虚拟化和编排Application virtualization and orchestration

4.6 了解云应用架构的细节Comprehend the specifics of cloud application architecture

You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization.

This sign-in method ensures that all user authentication occurs on-premises.

Allows administrators to implement more rigorous levels of access control.

Example

联合身份Federated identity

Other IDaas options include OKTA and DUO

身份提供商 (IdP)Identity providers (IdP)

Single sign-on means a user doesn't have to sign into every application they use.

The user logs in once and that credential is used for multiple apps.

Single sign-on based authentication systems are often called \"modern authentication\".

This is a common user experience issue in enterprise desktop scenarios

单点登录 (SSO)Single sign-on (SSO)

Something you know(pin or password)Something you have(trusted device)Something you are (biometric)

PhishingSpear phishingKeyloggersCredential stuffingBrute force and reverse brute force attacksMan-in-the-middle (MITM)attacks

PREVENTS

多因子验证 (MFA)Multi-factor authentication (MFA)

Enforces the company's data security policies between on-premises and the cloud.

Combines the ability to control use of services with data loss prevention and threat management features

云访问安全代理 (CASB)Cloud access security broker (CASB)

CSPs offer a cloud service for centralized secure storage and access for application secrets

Your Cl/CD pipelines should leverage centralized storage of secrets rather than hard-coded values or storage on disk

密钥/凭据管理Secrets management

4.7 设计适当的身份和访问管理 (IAM) 解决方案Design appropriate identity and access management (IAM) solutions

D4 云应用安全Cloud Application Security

a physical computing device that safeguards and font color=\"#e74f4c\

Key Escrow uses an HSM to store and manage private Keys

Cloud Service Providers all offer a cloud-based HSM solution for customer-managed key scenarios

硬件安全模块 (HSM) hardware security module (HSM)

A chip that resides on the motherboard of the device.

Virtual TPMs are part of the hypervisor and Provided to VMs running on a virtualization platform.

可信赖平台模块 (TPM)Trusted Platform Module (TPM)

It verifies that the keys match before the secure boot process takes place

TPM is often used as the basis for a hardware root of trust

Hardware Root of Trust

硬件特定的安全配置要求Hardware specific security configuration requirements

and has capacity to reprogram the data plane at any time

use cases include SD-LAN and SD-WAN

separating the control plane from the data plane opens up a number of security challenges

SDN vulnerabilities can include man-in-the-middle attack (MITM)and a service denial (Dos). secure with TLS

Separate VPCs can be isolated using public and private networks.

Virtual Private Cloud (VPC)

The environment needs to be segmented public subnets that can access the Internet directly (through a firewall)and protected private networks.

Virtual networks can be connected to other networks with a VPN gateway or network peering.

Public and Private Subnets

CLOUD SECURITY CONTROLS-NETWORK

Management tooling considerations on cloud infrastructure:

Configuration management and change management:Tools and the infrastructure that supports them should be placed under configurationmanagement to ensure that they stay in font color=\"#e74f4c\

管理工具的安装和配置Installation and configuration of management tools

网络network

内存memory

中央处理器 (CPU)central processing unit (CPU)

Hypervisor 类型 1 和 2Hypervisor type 1 and 2

a VM shares physical hardware with potentially hundreds of other VMs

Configuration:Ensure that the hypervisor has been configured correctly to provide the minimum necessary functionalityDisallowing inter-VM network communications if not required and encrypting VM snapshots

There are two main forms of control you should be aware of:

Enables granular network segmentation in a ZTNA（Zero-Trust Network Access，零信任网络接入）

Security Groups:a security group is similar to an access control list (ACL)for network access.

They have distinctrules for inbound and outbound traffic.

Particular concerns for virtual network security controls include:

虚拟硬件特定的安全配置要求Virtual hardware specific security configuration requirements

Virtualization toolsets installed on the VM

Toolsets exist that can font color=\"#e74f4c\

安装客户操作系统 (OS) 虚拟化工具集Installation of guest operating system (OS) virtualization toolsets

5.1 为云环境构建和实现物理和逻辑基础架构Build and implement physical and logical infrastructure for cloud environment

the native remote access protocol for Windows operating systems.

远程桌面协议 (RDP)Remote Desktop Protocol (RDP）

安全外壳 (SSH)Secure Shell (SSH)

RDP and SSH both support encryption and MFA

a system for secure local access.

安全终端访问secure terminal access

基于控制台的访问机制console-based access mechanisms

A KVM (keyboard video mouse)system with access controls

a bastion host at the boundary of lower and higher security zones.

跳板机jumpboxes

software tools that allow remote connection to a VM for use as if it is your local machine.

e.g.Virtual Desktop Infrastructure (VDI)for contractors

虚拟客户端virtual client

Access to any of these can be gated with a privileged access management PAM)solution on the IAM platform used by the CSP

Local and Remote Access Methods

Full tunnel means font color=\"#e74f4c\

Split tunnel uses VPN for font color=\"#e74f4c\

Split tunnel vs full tunnel

In a remote access scenario a connection is initiated from a users PC or laptop for a connection of shorter duration. IPSec transport mode

Remote access vs site-to-site

VIRTUAL PRIVATE NETWORK (VPN)

Session Encryption:Data transmitted in remote access sessions must be encrypted using strong protocols such as TLS 1.3 and session keys.

Enhanced logging and reviews:All font color=\"#e74f4c\

Use of identity and access management tool:Many CSPs offer Identity-as-a-Service (IDaas)that enables strong authentication and access controls schemes

Single sign-On (sso):IDaas solutions enable users to log into other services using their company accounts.Many IDaaS solutions function as an SSO provider.

Separate privileged and nonprivileged accounts:A general best practice for administrative users is the use of a dedicated admin account for sensitive functions and a standard account for day-to-day use.

Temporary elevation of privilegeApproval gatesAn audit trail when privilege is activatedAn access review process(to avoid permissions sprawl)

Solution features

本地和远程访问的访问控制Local and Remote Access controls

no entity is trusted by default!

Assumes compromise/breach in verifying every request.

Zero Trust Security

Network Security Group (NSG)Network FirewallsInbound and outbound traffic filteringInbound and outbound traffic inspectionCentralized security policy management and enforcement

Network security groups provide an additional layer of security for cloud resources

Carries a list of security rules (IP and port ranges) that allow or deny network traffic to resource instances.

Provides a virtual firewall for a collection of cloud resources with the same security posture.

NETWORK SECURITY

Restricting services that are permitted to access or be accessible from other zones using rules to control inbound/outbound traffic.

Our VPC contains private subnets.Each of these subnets has its own CIDR IP address range and cannot connect directly to the internet.

They could be configured go through the NAT gateway if outbound internet connectivity is desired.

Client VMs and database servers will often be hosted in a private subnet.

Private Subnets

where traffic moves laterally between servers within a data center.

north-south traffic moves outside of the data center.

East-West Traffic

a collection of devices that communicate with one another as if they made up a single physical LAN.

Creates a distinct broadcast domain

VLANVirtual Local Area Network

a subnet is placed between two routers or firewalls.

bastion host(s)are located within that subnet.

Screened Subnetaka 'DMZ\"

SECURE NETWORK DESIGN

Many public clouds offer a virtual private cloud (VPC) which is essentially a sandboxed area within the larger public cloud dedicated to a specific customer.

虚拟局域网 (VLAN)virtual local area networks (VLAN)

Network peering is another method for connecting virtual networks in the cloud.

Peering is the more common option between cloud networksSite-to-site VPN common for on-premises to cloud connectivity

VPC Connectivity

Data in motion is most often encrypted using TLS or HTTPSThis is typically how a session is encrypted before a user enters the credit card details.

TLs uscs an x509 certificate with a public/private key pair

传输层安全 (TLS)Transport Layer Security (TLS)

The IP address associated with a system event can be used when identifying a user or system

Some hypervisors offer a feature to limit which network cards are eligible to perform DHCP offerThis prevents roque DHCP servers from issuing IPs to clients and servers

动态主机配置协议 (DHCP)Dynamic Host Configuration Protocol (DHCP)

A set of specifications primarily aimed at reinforcing the integrity of DNS

Achieves this by providing for cryptographic authentication of DNS data using digital signatures

Provides proof of origin and makes cache poisoning and spoofing attacks more difficult

域名系统安全扩展 (DNSSEC)Domain Name System Security Extensions (DNSSEC)

虚拟专用网络 (VPN)virtual private network (VPN)

Chain of Custody

Digital Signatures prove that a digital message or document was not modified-intentionally or unintentionally-from the time it was signed.based on asymmetric cryptography (a public/private key pair) the digital equivalent of a handwritten signature or stamped seal.

message authentication code(MAC).the two parties that are communicating can verify non-repudiation using a session keyElectronic financial transfers (EFTs)Frequently use MACs to preserve data integrity.

Hashing can be implemented to detect unintentional data modifications. integrity

Additional security measures like digital signatures or hash-based message authentication code (HMAC)can be used todetect intentional tampering.

安全网络配置Secure network configuration

防火墙firewalls

入侵检测系统 (IDS)intrusion detection systems (IDS)

Host-based (HIDS and HIPS）Network (NIDS and NIPS)Hardware vs Software

入侵防御系统 (IPS)intrusion prevention systems (IPS)

蜜罐honeypots

漏洞评估vulnerability assessments

A host used to allow administrators to access a private network from a lower security zone

Will have a network interface in both the lower and higher security zones

Will be secured at the same level as the higher security zone it's connected to.

A dedicated host for secure admin access

'Jumpbox'or jump server'two common names for bastion hosts

堡垒主机bastion host

网络安全控制Network security controls

Windows

Linux

VMware

Hardening is the configuration of a machine into a secure state through application of a configuration baseline.

Baselines can be applied to a single font color=\"#e74f4c\

The Center for Internet Security (CIS)offers hardened VM images in CSP marketplaces

OS Hardening

a high-level description of a feature or activity that needs to be addressed and is not specificto a technology or implementation.

control

Benchmark

is the implementation of the benchmark on the individual service.

Baseline

control ls expressed as Benchmark and implemented through a Baseline

Benchmarks describe configuration baselines and best practices for securely configuring a system.

BENCHMARKS/SECURE CONFIGURATION GUIDES

ensures that systems are kept up-to-date with current patches.

process will font color=\"#e74f4c\

system audits verify the deployment of approved patches to system

patch both native OS and 3rd party apps apply out-of-band updates promptly.

Cloud service providers(CSP)generally provide a patch management feature tailored to their laas offering.

补丁管理Patch managementaka \"update management\"

laC is a key Devops practice and is used in conjunction with continuous integration and continuous delivery (CI/CD).

lac is very common (the standard)in the cloud

cloud-Native controls

Third-party tools adds more font color=\"#e74f4c\

Third-Party Solutions

lac must know the current state;it must know whether the infrastructure already exists to know whether to create it or not.

Impcrative deployment methodologies are unawarc of current state

Declarative

Deployment of an laC template can be applied multiple times without changing the results.

ldempotent

two distinct characteristics of IaC

基础设施即代码 (IaC) 策略Infrastructure as Code (IaC) strategy

Reservations are guarantees for a certain minimum level of resources available to a specified virtual machine.

A limit is a maximum allocation.

A share is a weighting given to a particular VM

Share value is used to calculate percentage-based access pooled resources when there is contention.

Cluster management agent

Distributed Resource Scheduling (DRS) is the coordination element in a cluster of VMware ESXi hosts

DRS mediates access to the physical resources.

分布式资源调度distributed resource scheduling

Dynamic Optimization is Microsoft's DRS equivalent delivered through their cluster management software.

动态优化dynamic optimization

存储集群storage clusters

维护模式maintenance mode

高可用性（HA）high availability (HA)

集群主机的可用性Availability of clustered hosts

Customer can use font color=\"#e74f4c\

Guest OS availability

Backup and recovery

Resiliency is achieved by architecting systems to handle failures from the outset rather than needing to be recovered.

Resiliency

客户操作系统 (OS) 的可用性Availability of guest operating system (OS)

CSP should implement monitoring to ensure that they are able to meet customer demands and promised capacity.

Consumer should monitor to ensure CSP is meeting their obligations

Most monitoring tasks will be in support of the availability objective.

Alerts should be generated based on established thresholds and appropriate response plans initiated.

\"CORE 4\

计算compute

响应时间response time

性能和容量监控Performance and capacity monitoring

Physical hardware is necessary to provide all the services that enable the virtualization that enables cloud computing.

磁盘disk

风扇速度fan speed

温度temperature

硬件监控Hardware monitoring

Saas.CSP retains full control over backup and restore and will often have SLA restore commitments.

Customer typically has shared responsibility for their data

Paas.font color=\"#e74f4c\

laas.Consumer owns backup/recovery of VMs.

Responsibility by category

Sensitive data may be stored in backups.

Access controls and need-to-know principles to limit exposure

Physical separation:backups should be stored on different hardware or availability zones.

Zone redundant or geo-redundant cloud storage

Integrity of all backups should be verified routinely to ensure that they are usable.

considerations

主机和客户操作系统 (OS) 备份和恢复功能的配置Configuration of host and guest operating system (OS) backup and restore functions

Provides virtual management options analogous to physical admin options of a legacy datacenter

调度scheduling

Orchestration is the automated configuration and management of resources in bulk

Patch management and VM reboots are commonly orchestrated tasks

The management console is the web-based consumer interface for managing resources

CSP must ensure management portal calls to the management plane only allow customer access to their own resources.

维护maintenance

5.2 运行和维护云环境的物理和逻辑基础架构 Operate and maintain physical and logical infrastructure for cloud environment

refers to the process of evaluating a change request within an organization and deciding if it should go ahead.

requests are sent to the Change Advisory Board (CAB) to ensure that it is beneficial to the company.

requires changes to be font color=\"#e74f4c\

Guidance on the process

Change Management policy that details how changes will be processed in an organization

The process in action

Change Control process of evaluating a change request to decide if it should be implemented

change management/change control

In an environment that leverages font color=\"#e74f4c\

Automating change management

Helps reduce outages or weakened security from unauthorized changes.

变更管理Change management

Baseline is composed of individual settings called configuration items (CI)

配置管理Configuration management

Continuity is concerned with the availability aspect of the CIA triad

Both deal with business continuity and disaster recovery (BCDR) terms that fall under the larger category of continuity management.

NIST Risk Management Framework and ISO 27000

Healthcare data in the United States is governed by this standard.

Health Insurance Portability and Accountability Act (HIPAA)

This specifies the requirements needed for an organization to font color=\"#e74f4c\

ISO 22301:2019 Security and resilience-BC management systems

There are a variety of standards related to continuity management.

连续性管理Continuity management

The goal of information security management is to ensure a consistent organizational approach to managing security risks

It is the approach an organization takes to font color=\"#e74f4c\

A global standard for information security management that helps organizations protect their data from threats.

Asecurity standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems.

ISO/IEC 27017 D1.5

The first international standard about the privacy in cloud computing services

Is a\"Code of practice for protection of personally identifiable information(Pll) in public clouds acting as Pll processors\".

ISO/IEC27018 D6.2

ISO/IEC 27701

RMF's audience is the entire federal government and CSF is aimed at font color=\"#e74f4c\

NIST RMF & CSF

Provides a catalog of security and privacy controls for all U.S.federal information systems except those related to national security.

NIST SP 800-53

Service Organization Controls (SOC 2) framework has seen wide adoption among CSPs as well as the use of a third party to perform audits.

This also provides increased assurance for business partners and customers who cannot audit the CSP directly

AICPA SOC 2

Standards that provide guidance for implementing and managing security controls in a cloud environment include:

信息安全管理Information security management

One critical element of continual service improvement includes areas of monitoring and measurement

These often take the form of security metrics.

Metrics need to be font color=\"#e74f4c\

Business leaders will be less interested in technical topics.

The metrics should be used to aggregate information and present it in an easily font color=\"#e74f4c\

连续的服务改进管理Continual service improvement management

Events are font color=\"#e74f4c\

Not all incidents will require the security tcam but exam focus is security

All incidents should be investigated and remediated to restore the organization's normal operations and to minimize adverse impact

A popular security incident management methodology is the NIST SP 800-61 rev2 \"Computer Security Incident Handling Guide'

Preparation

Determining whether or not an organization has been breached. Is it really an incident?

Identification

Limiting damage (scope) of the incident.

Containment

Eradication

Root cause is addressed and time to return to normal operations is estimated and executed.

Recovery

Lessons Learned

6 phases of incident response

事故管理Incident management

problem management utilizes root-cause analysis to identify the underlying problem(s)that lead to an incident.

It also aims to minimize the likelihood of future recurrence

An unsolved problem will be documented and tracked in a known issues or known errors database.

问题管理Problem management

The primary change is the frequency of releases due to the increased speed of development activities in continuous integration/continuous delivery(CI/CD).

Release scheduling may require coordination with customers and CSP.

Changes that impact data exposure may require Security team

Some of the font color=\"#e74f4c\

The increased automation and pace of release in Agile and CI/CDtypical to the cloud necessitates automated security testing and policy controls.

发布管理Release management

Even organizations with continuous deployment may require some deployment management processes to deal with deployments that cannot be automated

Processes for new software and infrastructure should be documented

Containerization(managed Kubernetes)is common in mature organizations supporting more frequent deployment in public cloud environments

Fully automated deployment requires greater coordination with and integration of information security throughout the development process

部署管理Deployment management

SLAs are like a contract focused on measurable outcomes of the service being provided

Should include clear metrics that define 'availability'for a service

Cloud infrastructure decisions should be made with the SLA in mind

Defining the levels of service is usually up to the cloud service provider(CSP) in public cloud environments.

服务等级管理Service level management

A service may be \"up\

Many of the same concerns that an organization would consider in business continuity and disaster recovery apply in availability management

BCDR plans aim to quickly restore service availability in adverse events

Customer must configure services to meet their requirements

可用性管理Availability management

One of the core concerns of availability is the amount of service capacity available compared with the amount being subscribed to.

Responsibility for capacity management belongs to font color=\"#e74f4c\

The cloud provides the \"perception of unlimited capacity\

容量管理Capacity management

Specifies requirements for \

ISO/IEC 20000-1

or \"electronic discovery\

Usually associated with collection of electronic informdtion for legal purposes or security breach

eDiscovery

ISO/IEC 27037:2012

Guide for incident investigation

ISO/IEC 27041:2015

Guide for digital evidence analysis.

ISO/IEC 27042:2015

Guide for incident investigation principles and processes

ISO/IEC 27043:2015

A four-part standard within the ISO/IEC 27000 family of information security standards

ISO/IEC 27050

Free guidance in Domain 3:Legal Issues:Contracts and Electronic Discovery

CSA Security Guidance

FORENSIC INVESTIGATION STANDARDS

Logs are essential

Document everything

Volatile data(data not on a durable storage)requires special handling and priority. Collect data from volatile sources first

Consider volatility

Evidence collection Process

Utilize original physical media

at multiple steps by font color=\"#e74f4c\

Verify data integrity

Follow documented procedures

with font color=\"#e74f4c\

Communication with relevant parties and communication plans covered in section 5.5

Establish and maintain communications

Evidence collection Best Practices

取证数据收集方法Forensic data collection methodologies

protecting any documents that can be used in evidence from being altered or destroyed.

sometimes called litigation hold

Legal Hold

chain of Custody

describes what is relevant when collecting data

collection from shared resources may expose other customers data

Scope of data collection is more challenging in the cloud

SCOPE of evidence

证据管理Evidence management

The cloud comes with additional challenges when it comes to forensic investigation

Do you know where the data is hosted?And laws of countries it's hosted in?

Many cloud services store copies of data in multiple locations

Data location:

Rights and responsibilities:

Are your forensic tools suitable for a multi-tenant environment?What is your organizations liability if you unintentionally capture another customer's data on a shared resource?

e.g remnants of a previous customer's data on physical storage

Tools:

Laws and regulations impact a consumer's ability to perform forensic data collection in the cloud

Cloud data should be stored and have data sovereignty in region stored.

Many countrics have laws requiring businesses to store data within their borders.

Regulatory and Jurisdiction

The US introduced the Clarifying Lawful Overseas Use of Data (CLOUD)Act in 2018 dueto the problems that FBI faced in forcing Microsoft to hand over data stored in Ireland.

Aids in evidence collection in investigation of serious crimes

Verifying audit and forensic data collection rights with your CSP to ensure you understand your rights and their legal obligations before you sign contracts is critical.

Forensic investigators should know their legal rights in every jurisdiction (region or country)where the organization hosts data in the cloud.

Some countries will not allow eDiscovery From outside their borders

cloud considerations (cont）

Time stamps and offsets can be more challenging due to location.

Maintaining a proper chain of custody is more challenging in the cloud

chain of custody

Breach notification laws

ON PREMISES VS CLOUD

Evidence should possess these five attributes to be useful.

The information should be genuine and clearly correlated to the incident or crime.

Authentic:

The truthfulness and integrity of the evidence should not be questionable.

Accurate:

All evidence should be presented in its entirety even if it might negatively impact the case being made.

Complete:

It is illegal in most jurisdictions to hide evidence that disproves a case.

The evidence should be understandable and clearly support an assertion being made.

Convincing:

Hearsay (indirect knowledge of an action)or evidence that has been tampered with may be thrown out by a court

Admissible:

EVIDENCE UTILITY

Requirements for evidence to be admissible in a court of law:

Evidence must be relevant to a fact at issue in the case. Makes a fact more or less probable

The fact must be material to the case.

The evidence must be competent (reliable).

Must be obtained by legal means

EVIDENCE ADMISSIBILITY

You must begin to collect evidence and as much information about the incident as possible.

Evidence can be used in a subsequent legal action or in finding attacker identity.

Evidence can also assist you in determining the extent of damage.

ACQUISITION OF EVIDENCE

Using a cloud service font color=\"#e74f4c\

Control

Evidence collected while investigating a security incident may unintentionally include data from another customer.

Multitenancy and shared resources

Sharding font color=\"#e74f4c\

Data volatility and dispersion

DATA COLLECTION CHALLENGES IN THE CLOUD

If it disappears in font color=\"#e74f4c\

FOR THE EXAM:Remember that volatile (perishable) information should be collected first.

ORDER OF VOLATILITY

Proper evidence handling and decision making should be a part of the incident response procedures and trainingfor team members performing response activities.

Collection

Examination

Analysis

Reporting

four general phases：

EVIDENCE COLLECTION AND HANDLING

Protections for evidence storage include:

EVIDENCE PRESERVATION

Areas and considerations in evidence acquisition

Disk aka hard drive.Was the storage media itself damaged?

Random-access memory (RAM).Volatile memory used to run applications.

Swap/Pagefile.used for running applications when RAM is exhausted.

OS (operating system).Was there corruption of data associated with the OS or the applications?

The font color=\"#e74f4c\

a coding expert to compare both lots of source code in a technique called regression testing. rootkits and backdoors are concerns

Snapshot.if the evidence is from a font color=\"#e74f4c\

Cache. special high-speed storage that can be either a reserved section of main memory or an independent high-speed storage device.

Network.OS includes command-line tools (like netstat)that provide information that could disappear if you reboot the computer.

ACQUISITION

It can be used as a checksum to ensure integrity later.

File can be hashed before and after collection to ensure match on the original hash value to prove data integrity.

Hashes

Data provenance effectively provides a historical record of data and its origin and forensic activities performed on it.

Similar tofont color=\"#e74f4c\

Provenance

INTEGRITY

Data needs to be preserved in its original state so that it can be produced as evidence in court.

original data must remain unaltered and pristine

an image or font color=\"#e74f4c\

Putting a copy of the most vital evidence in a WORM drive will prevent any tampering with the evidence (you cannot delete data from a WORM drive.)

You could also write-protect/put a legal hold on some types of cloud storage.

\"forensic copy\"of evidence

PRESERVATION

5.4 支持数字取证Support digital forensics

Both company security policics (transparency) AND regulatory compliance (law)shape communication

The plan that details how relevant stakeholders will be informed in event of an incident. (like a security breach)

Would include plan to maintain confidentiality such as encryption to ensure that the event does not become public knowledge.

Communication Plan

Stakeholder Management

Vendors:The first step in establishing communication with vendors is an inventory of critical third parties on which the organization depends.

This inventory will drive vendor risk management activities in two ways:

1)Some vendors may be critical to the company's font color=\"#e74f4c\

2)Others may provide critical inputs to a company's revenue generation

Vendor communications may be governed by contract and SLA

供应商Vendors

Consumers should define (or at least monitor) communication SLA

客户Customers

Partners:Often have a level of access to a company's systems similar to that of the company's own employees but are not under company control.

Communication neede will evolve through partner font color=\"#e74f4c\

合作伙伴Partners

Regulators:Most regulators have developed cloud-specific guidance for compliant use of cloud services.

监管机构Regulators

Procedures for order and timing of contact should be created

Some cyber insurance providers require that they are the first point of contact in the event of a security incident

其他利益相关者Other stakeholders

Who is responsiblefor communication?

SHARED RESPONSIBILITY FOR SECURITY

5.5 管理与相关方的沟通Manage communication with relevant parties

A support unit designed to centralize a variety of security tasks and personnel at the tactical (mid-term)and operational (day-to-day) levels.

Both the CSP and consumer should have a SOC function

Threat PreventionThreat DetectionIncident ManagementContinuous Monitoring ReportingAlert PrioritizationCompliance Management

Key functions of the SOC include:

安全运营中心 (SOC)Security operations center (SOC)

a form of auditing that focuses on active review of the log file data.

used to hold subjects accountable for their actions also used to monitor system performance.

tools such as IDSs or SIEMs automate monitoring and provide real-time analysis of events.

MONITORING

The RMF specifies the creation of a continuous monitoring strategy for getting near real-time risk information.

These devices should be continuously monitored to ensure they are Functional

Monitoring for functionality should include monitoring font color=\"#e74f4c\

MONITORING SECURITY CONTROLS

A piece of purpose-built network hardware.

May offer more configurable support for LAN and WAN connections.

Often has superior throughput versus software because it is hardware designed for the speeds and connections common to an enterprise network.

Hardware

Software based firewalls that you mightinstall on your own hardware

Provide flexibility to place firewalls anywhere you'd like in your organization.

Host-based (software)are more vulnerable to being disabled by attackers

Software

HARDWARE Vs SOFTWARE

Typically caters specifically to application communications.

Often that is HTTPS or Web traffic.

An example is called a web application firewall (WAF)

Anapplication font color=\"#e74f4c\

Host-based

Available from both the CSP directly and third-party partners (commercial firewall vendors)

Virtual

APPLICATION vs HOST-BASED vs VIRTUAL

Watch network traffic and restrict or block packets based on source and destination addresses or other static values.

Not 'aware' of traffic patterns or data flows.

stateless

Can watch traffic streams from end to end.

Are aware of communication paths and can implement various IP security functions such as tunnels and encryption.

Better at identifying unauthorized and forged communications.

Stateful

FIREWALL AND STATE

Protect web applications by filtering and monitoring HTTPS traffic between a web application and the Internet.

Some come pre-confiqured with OWASP rulesets

WAF

a deep-packet inspection firewall that moves beyond port/protocol inspection and blocking.

NGFW

MODERN FIREWALLS

generally responds passively by logging and sending notifications

is placed in line with the traffic and includes the ability to block malicious traffic before it reaches the target

can monitor activity on a single system only.

A drawback is that attackers can discover and disable them

HIPS

NIPS

FLAVORS OF INTRUSION DETECTION SYSTEMS

a system that often has pseudo flaws and fake data to lure intruders

A group of honeypots is called a honeynet

Lure bad people into doing bad things.Lets you watch them.

Only font color=\"#e74f4c\

Goal is to distract from real assets and isolate in a padded cell until you can track them down.

Focuses on accomplishing \"smart\"tasks combining machine learning and deep learning to emulate human intelligence

Artificial Intelligence

Machine Learning

a subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.

Deep Learning

人工智能 (AI)artificial intelligence (AI)

安全控制的智能监控Intelligent monitoring of security controls

This is based on the interaction of a user that focuses on their identity and the data that they would normally access on a normal day

It tracks the devices that the user normally uses and the servers that they normally visit.

User Entity Behavior Analysis (UEBA)

Artificial intelligence and machine learning to identify attacks.

Sentiment Analysis

安全信息和事件管理 (SIEM)security information and event management (SIEM)

Tooling that allows an organization to define incident analysis and response procedures in a digital workflow format.

Integrates your security processes and tooling in a central location (SOC).

These make it faster than humans in identifying and responding to true incidents.

Reduces MTTD and accelerates response

Uses playbooks that define an incident and the action taken.Capabilities vary by situation & vendor

system that collects data from many other sources within the network.

provides real-time font color=\"#e74f4c\

SIEM

centralized alert and response automation with threat-specific playbooks.

response may be fully automated or single-click.

SOAR

SIEM AND SOAR

SIEM(Security Information Event Monitoring)tools can help to solve some of these problems by offering these key features:

日志管理log management

The SIEM should be on a font color=\"#e74f4c\

SIEMs can normalize incoming data to ensure that the data from a variety of sources is presented consistently.

SIEM features

SIEM has font color=\"#e74f4c\

Log Collectors

Can correlate and aggregate events so that duplicates are filtered and a better understanding network events is achieved to help identify potential attacks.

Log Aggregation

Packet Capture

The SIEM system collects a massive amount of data from various sources.

Data Inputs

LOG COLLECTION AND ANALYSIS WITH A SIEM

should be protected by centrally storing them and using permissions to restrict access.

archived logs should be set to read-only to prevent modifications.

Log files play a core role in providing evidence for investigations.You'll want to be familiar with the many different types of log files a typical SIEM might ingest.

Network:This log file can identify the IP and MAC addresses of devices that are attached to your network.Usually sent to a central syslog server

NIDS/NIPS can be important in identifying threats and anomalies from these.

log files from a proxy server can reveal who's visiting malicious sites

The collective insight may be useful in stopping DDos attack

information collected about font color=\"#e74f4c\

400 series HTTP response codes are client-side errors

500 series HTTP response codes are server-side errors

These logs must be fed to a SIEM IDS/IPS or other system to analysis this data

These files exist on client and server systems.Sending these to a SlEM can help establish a central audit trail and visibility into the scope of an attack.

can identify attackers trying to log in to your computer systems.

captures information on file access and can determine who has downloaded certain data.

DNS query logging often disabled by default due to volume.

VolP and Call Managers:These systems provide information on the calls being made and the devices that they originate from.

may also capture font color=\"#e74f4c\

Session Initiation Protocol (SIP)Traffic:SIP is used for internet-based calls and the log files generally show:

the 200 OK is followed by an acknowledgement

Large number of calls not connecting may indicate attack

LOG FILES

Event Reporting (Review Reports)

A SIEM typically includes dashboard and collects reports that can be reviewed regularly to ensure that the policieshave been enforced and that the environment is compliant

Also highlight whether the SIEM system is effective and working properly.Are incidents raised true positives?

False positives may arise because the wrong input filters are being used or the wrong hosts monitored.

SIEM dashboards will typically provide a views into status of log ingestion and security concerns identified through correlation.

SYSLOG/SIEM

日志捕获和分析Log capture and analysis

Refers to the organization's preparation necessary to font color=\"#e74f4c\

These details should be documented in a security incident response plan that is regularly reviewed and updated.

The activity to detect a security incident in a production environment and to analyze all events to confirm the authenticity of the security incident.

Detectionand analysis

Limits the damage (scope)of the incident

Eradication is the process of eliminating the root cause of the security incident with a high degree of confidence.

Recovery should happen after the adversary has been evicted from the environment and known vulnerabilities have been remediated.

Recovery font color=\"#e74f4c\

The post-mortem analysis is performed after the recovery of a security incident.

Actions performed during the process are reviewed to determine if any changes need to be made inthe preparation or detection and analysis phases.

The lessons learned drive continuous improvement ensuring effective and efficient incident response.

Post-incidentactivity

INCIDENT RESPONSE LIFECYCLE

Use of vulnerability scanners and pen testers may be limited by your CSP's terms of service.

CSPs typically have penctration testing and scanning \"rulcs of engagement\"

RIGHT TO AUDIT IN THE CLOUD

includes routine vulnerability scans and periodic vulnerability assessments.

Vulnerability Management

Vulnerability scanners

extend beyond just technical scans and can include reviews and audits to detect vulnerabilities

Vulnerability Assessments

VULNERABILITY MANAGEMENT

A credentialed scan is a much more powerful version of the vulnerability scanner.It has higher privileges than a non-credentialed scan.

Credentialed Scan:

A non-credentialed scan has lower privileges than a credentialed scan.It will identify vulnerabilities that an attacker would easily find.

Non-Credentialed Scan:

These are passive and merely report vulnerabilities.They do not cause damage to your system.

Non-Intrusive Scans:

Can cause damage as they try to exploit the vulnerability and should be used in a sandbox and not on your live production system.

Intrusive Scans:

Configuration compliance scanners and desired state configuration in PowerShell ensure that no deviations are made to the security configuration of a system.

Configuration Review:

The combination of techniques can reveal which vulnerabilities are most easily exploitable in a live environment.

These scans look at computers and devices on your network and help identify weaknesses in their security.

Network Scans:

Application Scans:

Crawl through a website as if they are a search engine looking for vulnerabilities.

Perform an font color=\"#e74f4c\

Web Application Scans:

VULNERABILITY SCANS

CVSS is the overall score assigned to a vulnerability. It indicates severity and is used by many vulnerability scanning tools.

CVSS

CVE is simply font color=\"#e74f4c\

CVE

The CVSS score is not reported in the CVE listing you must use the National Vulnerability Database (NVD)to find assigned CVSS scores.

The CVE list Feeds into the NVD

Common Vulnerabilities and Exposures (CVE)andCommon Vulnerability Scoring System (CVSS)

software flawsmissing patchesopen portsservices that should not be runningweak passwords

A vulnerability scanner can font color=\"#e74f4c\

A credentialed vulnerability scan is the most effective as it provides more information than any other vulnerability scan.

VULNERABILITY SCAN OUTPUT

True Positive:This is where the results of the system scan agree with the manual inspection.

漏洞评估Vulnerability assessments

5.6 管理安全运营Manage security operations

D5 云安全运营Cloud Security Operations

It is important to be aware of the various laws and regulations that govern cloud computing.

It is important to identify such risks and make recommendations to mitigate them just like any other risk.

GDPR forbids the transfer of data to countries that lack adequate privacy protections

EXAMPLEConflict with GDPR and CLOUD Act

Encryption Export Controls.Dept of Commerce details limitations on export of encryption products outside the US.

Privacy (US).The basis for privacy rights is in the Fourth Amendment to the U.S.Constitution.

Privacy (EU).General Data Protection Regulation (font color=\"#e74f4c\

Export and Privacy

particularly the jurisdictions that companies need to deal with (local versus international)to protect and enforce their IP protections.

Copyright and intellectual property law

Safeguards and security controls required for privacy compliance

particularly technologies that may be sensitive or illegal under various international agreements

International import/export laws

国际法律冲突Conflicting international legislation

Laws are the legal rules.That are created by font color=\"#e74f4c\

Regulations are the rules that are created by governmental agencies.

Laws and regulations must be followed or can result in civil or criminal penalties for the organization.

Standards dictate a reasonable level of performance.

They can be created by an organization for its own purposes (internal) or come from industry bodies or trade groups (external).

Frameworks are a set of guidelines helping organizations improve their security posture.

civil law Examples include font color=\"#e74f4c\

Vendor contracts fall into this category.

Regulations likc HIPAA fall into this catcgory

Article I establishes the legislative branch.Article Il establishes the executive branch.Article Ill establishes the judicial branch.Article IV defines the relationship between the federal government and state governmentsArticle V creates a process for font color=\"#e74f4c\

SEVEN ARTICLES OF THEUS CONSTITUTION

Case law.Interpretations made by courts over time establish a body of law that other courts may refer to when making their own decisions.

Common law is a set of judicial precedents passed down as case law through many generations.

And stand as examples cited in future court cases.

A violation is known as a \"breach of contract\"and courts may take action to enforce the terms of a contract.

TYPES OF LAW

Liable means \"responsible or answerable in law;legally obligated\".

Criminal liability occurs when a person violates a criminal law.

civil liability occurs when one person claims that another person has failed to carry out a legal duty that they were responsible for.

Comes in two forms:

LEGAL LIABILITY

Negligence is a commonly occurring tort that occurs when one party causes harm to another party by their action or lack of action.

There must be a duty of care.The person accused of negligence must have an established responsibility to the accuser.

There must be a breach of that duty of care.The accused person must have either taken action or failed to take an action that violated the duty of care.

There must be font color=\"#e74f4c\

There must be causation.A reasonable person must be able to conclude that the injury caused to the accuser must be a result of the breach of duty by the accused.

TORTS AND NEGLIGENCE

Differing legal requirements

Precedent refers to the judgments in past cases and is subject to change over time with less advance notice than updates to legislation.

Different legal systems and frameworks in different countries

The EU's GDPR and the U.S.Clarifying Lawful Overseas Use of Data (CLOUD) Act directly conflict on the topic of data transfer.

Conflicting laws

Responsibility for compliance with laws and regulations

Researching and planning response in case of conflicting laws

Ensuring necessary audit and incident response data is logged and retained

Any additionall due diligence and due care

The bottom line on legal risks specific to cloud computing

云计算特有的法律风险评估Evaluation of legal risks specific to cloud computing

An international organization font color=\"#e74f4c\

Its principles are font color=\"#e74f4c\

Organisation for Economic Co-operation and Development (OECD)

Comprised of 21 member economies in the Pacific Rim.

Promotes the smooth cross-border Flow of information between APEC member nations.

Asia-Pacific Economic Cooperation Privacy Framework (APEC)

European Union's GDPR is perhaps the most far-reaching and comprehensive set of laws ever written to protect data privacy.

Mandates font color=\"#e74f4c\

Includes mandatory notification timelines in the event of data breach.

General Data Protection Regulation (GDPR)

Health Insurance Portability and Accountability Act (HIPAA)1996 U.S.law regulates the privacy and control of health information data.

Sarbanes-Oxley Act(Sox)Law was enacted in 2002 and sets requirements for U.S.public companies to protect financial data when stored and used.

Additional legal frameworks standards

法律框架和准则Legal framework and guidelines

are required by law. font color=\"#e74f4c\

Statutory requirements

may also be required by law but refer to rules issued by a regulatory body that is appointed by a government entity. font color=\"#e74f4c\

Regulatory requirements

are required by a legal contract between private parties.

These agreements often specify a set security controls or a compliance framework that must be implemented by a vendor font color=\"#e74f4c\

Contractual requirements

LAWS AND REGULATIONS

An organization investigating an incident may lack the ability to compel the CSP to turn over vital information needed to investigate.

The information may be housed in a country where jurisdictional issues make the data more difficult to access.

Maintaining a chain of custody is more difficult since there are more entities involved in the process.

Architecture considerationsData residency and system architecture are other important considerations for eDiscovery in the cloud and can be handled proactively.

Due care considerations Ensuring the org is prepared For DFIRCloud security practitioners must inform their organizations of any risks and required due care and due diligence related to cloud computing

CSPs may not preserve essential data for the required period of time to support historical investigations.

They may not even log all the data relevant to support an investigation.

This shifts the burden of recording and preserving Potential evidence onto the consumer

Consumers must identify and implement their own data collection.

NISTIR = NIST Interagency or Internal Reports

Addresses common issues and solutions needed to address DFIR in cloud environments.

DFIR = Digital Forensics and Incident Response

NISTNISTIR 8006

E-DISCOVERY FRAMEWORKS

国际标准组织/国际电子技术委员会 (ISO/IEC) 27050International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27050

Free guidance in Domain 3:Legal Issues:Contraets and Electronic Discovery

Offers guidance on font color=\"#e74f4c\

云安全联盟 (CSA) 指引Cloud Security Alliance (CSA) Guidance

Iso/IEC and CSA provide guidance on best practices for collecting digital evidence and conducting forensics investigations in the cloud.

FORENSICS REOUIREMENTS

ISO/IEC 27043:2015

Forensic Investigation Standards

取证要求Forensics requirements

6.1 明确云环境中的法律要求和独特风险Articulate legal requirements and unique risks within the cloud environment

Any information that can font color=\"#e74f4c\

Defined by NIST SP 800-122

受保护的健康信息 (PHI)protected health information (PHI)

Health-related information that can be related to a specific person

Must be protected by strong controls and access audited

Requlated by HIPAA HITRUST

个人可识别信息 (PII)personally identifiable information (PII)

Allowable storage of information related to credit and debit cards and transactions.

Defined and requlated by PCI DSS and is CONTRACTUAL

Payment Data.

A Security team must understand.

The data controller is always responsible for ensuring that the requirements for protection and compliance are met.even if that data is processed in a CSP's cloud service.

Responsibility cannot be transferred but risk can be mitigated

合同规定的和受监管的私人数据之间的区别Difference between contractual and regulated private data

organizations may process data belonging to Australian citizens offshore.

transferring entity (the data owner)must ensure that the receiver of the data holds and processes it in accordance withthe principles of Australian privacy law.

Data owner (controller)is responsible for data privacy

commonly achieved through contracts that require recipients to maintain or exceed the data owner's privacy standards

The entity transferring the data out of Australia remains responsible for any data breaches by or on behalf of the recipient entities

Australian Privacy Act

Personal Information Protection and Electronic Documents Act(PIPEDA)

a national-level law that font color=\"#e74f4c\

PIPEDA covers information about an individual that is identifiable to that specific individual.

includes a data breach notification requirement.

PIPEDA may also be superseded by province-specific laws that are deemed substantially similar to PIPEDA.

Canada Privacy Law

The right to be informedThe right of accessThe right to rectificationThe right to erasure (the right to be forgotten)The right to restrict processingThe right to data portabilityThe right to objectRights in relation to automated decision making and profiling

Includes the following on data subject privacy rights:

Deals with the handling of data while maintaining privacy and rights of an individual.

GDPR applies to ANY company with customers in the EU

Includes a 72-hour notification deadline in the case of data breach

GDPRGENERAL DATAPROTECTION REGULATION

This act consists of three main sections:

Gramm-Leach-Bliley Act (GLBA)of 1999focuses on services of font color=\"#e74f4c\

Orgs commit to seven principles of the agreement:

Privacy Shieldan international agreement between the United States (U.S.) and the European Union.allows the transfer of personal data from the European Economic Area (EEA)to the U.S.by U.S.-based companies.

The Fourth Amendment:

Details the people's \

It outlines that private data is protected from unauthorizedaccess or interception (by private partics or the government).

The Stored Communication Act (SCA)of 1986created privacy protection for electronic communications like email or other digital communications stored on the Internet.extends the Fourth Amendment of the U.S.Constitution to the electronic realm

Clarifying Lawful Overseas Use of Data (CLOUD)Actaids in evidence collection in investigation of serious crimescreated in 2018 due to the problems that FBI faced in forcing Microsoft to hand over data stored in Irelandrequires U.s.-based companies to respond to legal requests for data no matter where the data is physically located.

与私人数据相关的国家特定立法Country-specific legislation related to private data

data subjectdata collectorcloud service providersubcontractors processing datacompany headquarters of the entities involved

Different laws and regulations may apply depending on the location of

prevent the utilization of a cloud services provideradd to costs and time to marketdrive changes to technical architectures required to deliver services

Legal concerns can:

Many privacy laws impose fines or other action for noncompliance.

数据隐私的司法管辖区差异Jurisdictional differences in data privacy

ISO 27018 was published in July 2014 as a component of the ISO 27001 standard.

Adherence to these privacy requirements enables customer trust in the CSP.

Can provide a HIGH level of assurance.

Consent:Personal data obtained by a CSP may not be used for marketing purposes unless expressly permitted by the subject.

A customer should be permitted to use a service without requiring this consent.

Control:Customers shall have explicit control of their own data and how that data is used by the CSP.

Transparency:CSPs must inform customers of where their data resides AND any subcontractors that may process personal data.

国际标准组织/国际电子技术委员会 (ISO/IEC) 27018International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018

Created by AICPA

Generally Accepted Privacy Principles (GAPP)is a framework of privacy principles

GAPP are widely incorporated into the SOC 2 framework as an optional criterion

Organizations that pursue a SOC 2 audit can include these privacy controls if appropriate

An audit of these controls font color=\"#e74f4c\

Choice and consentThe organization font color=\"#e74f4c\

CollectionPersonal information is collected only for the purposes identified in the notice provided to the individual.

AccessThe organization provides individuals with access to their personal information for review or update.

Disclosure to third partiesPersonal information is disclosed to third parties only for the identified purposes and with implicit or explicit consent of the individual.

Security for privacyPersonal information is protected against both physical and logical unauthorized access.

Monitoring and enforcementThe organization monitors compliance with its privacy policies and procedures.It also hasprocedures in place to address privacy-related complaints and disputes

Categories of the 10 main privacy principles

普遍接受的隐私原则 (GAPP)Generally Accepted Privacy Principles (GAPP)

一般数据保护条例 (GDPR)General Data Protection Regulation (GDPR)

标准隐私要求Standard privacy requirements

Several privacy laws font color=\"#e74f4c\

Conducting a PIA typically begins when a system or process is being evaluated

When is a PIA necessary?

隐私影响评估 (PIA)Privacy Impact Assessments (PIA)

6.2 了解隐私问题Understand privacy issues

a methodical examination of an environment to font color=\"#e74f4c\

serves as a primary type of detective control.

frequency is based on risk.

degree of risk also affects how often an audit is performed.

Secure IT environments rely heavily on auditing and many regulations require it.

What is Auditing?

Security audits and effectiveness reviews are font color=\"#e74f4c\

AUDITING & DUE CARE

Audit reports often contain sensitive information

Only people with sufficient privilege should have access

FOR EXAMPLE:senior security administrators = full detailsenior management = high-level summary

CONTROLLING ACCESS TO AUDIT REPORTS

Acts as a \"trusted advisor\

Compliance may mean company policies or regulatory

Internal Auditor

Can provide more continuous monitoring of control effectiveness and policy compliance

Enables the org to catch and fix any issues beforc they show up on a formal audit report

Internal Audit

Some legal and requlatory frameworks require the usc of an font color=\"#e74f4c\

An internal auditor is an independent entity who can provide facts without fear of reprisal

内部和外部审计控制Internal and external audit controls

The requirement to conduct audits can have a large procedural and financial impact on a company.

With font color=\"#e74f4c\

Regulated industries

Sample size and relevance

Multi-region data dispersion in the cloud and dynamic VM failure in hypervisors can complicate the audit process

审计要求的影响Impact of audit requirements

Audits of controls over the hypervisor will usually be the purview of the CSP

VMs deployed on top of that hardware are usually under owned by the customer

确定虚拟化和云的保障挑战Identify assurance challenges of virtualization and cloud

SSAE 18 is a set of standards defined by the AICPA (American Institute of CPAs)

Designed to enhance the quality and usefulness of System and Organization Control (SOC)reports.

Includes audit standards and suggested report formats to guide and assist auditors

SOC 1deals mainly with financial controls and are used primarily by CPAs auditing financial statements

Soc 2 Type 1report that assesses the design of security processes at a specific point in time

SOC 2 Type 2(often written as \"Type ll\")assesses how effective those controls are over time by observing operations for at least six monthsOften require an NDA due to sensitive contents

关于认证业务标准的声明 (SSAE)Statement on Standards for Attestation Engagements (SSAE)

The International Auditing and Assurance Standards Board issues the ISAE

This board and it's ISAE standards are similar to the AICPA and it's SSAE standards

The ISAE 3402 standard is roughly equivalent to the SOC 2 reports in the SSAE

国际鉴证业务准则 (ISAE)International Standard on Assurance Engagements (ISAE)

The Security Trust Assurance and Risk (STAR) certification program comes from CSA

Designed to demonstrate compliance to a desired level of assurance

Level 1:Self-assessmentis a complimentary offering that documents the security controls provided by the CSP

Level 2:Third-party auditrequires the CSP to engage an independent auditor to evaluate the CSP's controls againstthe CSA standard

STAR consists of two levels of certification which provide increasing levels of assurance

CSACloud Security Alliance

服务组织控制 (SOC)Service Organization Control (SOC)

审计报告的类型Types of audit reports

Audit scope statements provide the reader with details on what was included in the audit and what was not

An audit scope statement generally includes:

Setting parameters for an audit is known as audit seope restrietions

Determining the scope of an audit is usually a joint activity performed by the organization being audited and their auditor.

Audits are expensive endeavors that can engage highly trained (and highly paid)content experts.

Auditing of systems can font color=\"#e74f4c\

Cost of implementing controls and auditing some systems is too high relative to the revenue the service generates.

Why limit the scope of an audit?

审计范围声明的限制Restrictions of audit scope statements

A gap analysis identifies where an organization does not meet requirements and provides important information to help remediate gaps

The main purpose is to compare the organization's current practices against a specified framework and identify the gaps between the two.

May be performed by either internal or external parties

Choice of which usually driven by the cost and need for objectivity

When is a gap analysis useful?

'ISO 27002'and 'NIST CSF'are frameworks commonly used For gap analysis

控制分析control analysis

基线baselines

差距分析Gap analysis

Document and define audit program objectives.collaborative internal planning of audit scope and objectives.Gap analysis or readiness assessment.assessing theorganization's ability to successfully undergo a full audit.Define audit objectives and deliverables.it is important toidentify the expected outputs from the audit.Identifying auditors and qualifications.compliance andaudit frameworks usually specify the type of auditor required.

Audit planning activities include:

Audit Phases

审计计划Audit planning

An information security management system(ISMS) is a systematic approach to information security

An ISMS focuses font color=\"#e74f4c\

ISO 27001 addresses need and approaches to implementing an ISMS

Quantify riskDevelop and execute risk mitigation strategiesProvide formal reporting on status of mitigation efforts

ISMS Functions

Improve data securityIncreased organizational resilience to cyberattacksCentral info security mgmtFormal risk management

ISMS Benefits

内部信息安全管理系统Internal information security management system

a system of information security controls provides guidance for mitigating the risks identified as part of ISMS risk management processes.

There are several control frameworks to choose from.

Scoping controls refers to reviewing controls in the framework to identify which controls apply to the organization and which do not.

Tailoring is a process of matching applicable controls with the organization's specific circumstances to which they apply.

NIST SP 800-53NIST Cybersecurity Framework(CSF)Secure Controls FrameworkCSA Cloud Controls Matrix(CCM)

Other control frameworks include:

内部信息安全控制系统Internal information security controls system

Policies are a key part of any data security strategy and facilitate a number of capabilities for an organization:

Provide users and organizations with a way to understand and enforce requirements in a systematic way.

Make employees and management aware of their roles and responsibilities.

Standardize secure practices throughout the organization.

Financial lossesData loss or leakageReputational damageStatutory and regulatory compliance issuesAbuse or misuse of computing systems and resources

Policies are a font color=\"#e74f4c\

Employees should generally sign policies to acknowledge acceptance

组织organizational

A set of standardized definitions for employees that describe how they are to make use of systems or data.

Typically font color=\"#e74f4c\

Functional policies generally codify requirements identificd in the ISMS and align to your chosen control framework

Examples of funetional policies

功能functional

Ease of deploying cloud resources without governance results in \"shadow IT\"-resources deployed without IT approval!

This can create font color=\"#e74f4c\

Also creates font color=\"#e74f4c\

A CASB can help identify and stop shadow IT!

Policies should define requirements users must adhere to and specify which cloud services are approved for various uses.

云计算cloud computing

策略Policies

One key challenge in the audit process is the inclusion of any relevant stakeholders

Organization's management who will likely be paying for the audit Security practitioners responsible for facilitating the audit

Employees who will be called upon to font color=\"#e74f4c\

Cloud computing environments can include more stakeholders than on-premises and even multiple CSPs

相关利益相关者的识别和参与Identification and involvement of relevant stakeholders

North American Electric Reliability Corporation Critical Infrastructure Protection regulates organizations involved in power generation and distribution.

北美电力可靠性公司/关键基础设施保护 (NERC / CIP)North American Electric Reliability Corporation / Critical Infrastructure Protection (NERC / CIP）

健康保险便捷与责任法案 (HIPAA)Health Insurance Portability and Accountability Act (HIPAA)

Both font color=\"#e74f4c\

经济与临床医疗保健信息科技 (HITECH) 法案Health Information Technology for Economic and Clinical Health (HITECH) Act

Specifies protections for payment card transaction data.

支付卡行业 (PCI)Payment Card Industry (PCI)

受到严格监管行业的特殊合规要求Specialized compliance requirements for highly-regulated industries

One impact of this distributed model is the additional geographic locations auditors must consider when performing an audit.

A common technique in cloud audits is font color=\"#e74f4c\

Sampling 20 servers of 100 servers across many regional datacenters can save time & expense and maintain accuracy

不同的地理位置diverse geographical locations

跨越法律管辖区crossing over legal jurisdictions

分布式信息技术 (IT) 模型的影响Impact of distributed information technology (IT) model

Primary areas of focus in SCRM include evaluating:

Reviewing provider controls

控制controls

There are resources that can help organizations build out or enhance their SCRM program:

方法methodologies

策略policies

Risk profile describes the risk present in the organization based on all the identified risks and any associated mitigations in place.

风险概况risk profile

Risk appetite describes the amount of risk an organization is willing to accept without mitigating.

Smaller orgs and startups will be more apt to simply accept risks to avoid cost of treatment.

风险偏好risk appetite

评估提供商风险管理计划Assess providers risk management programs

Anyone who processes personal data on behalf of the data controller.The CusTODIAN

The person or entity that controls processing of the data. The OWNER

Owns the data and risks associated with any data breaches

ensures the organization complies with data regulations.

Data Protection officer (DPO)

is the individual or entity that is the subject of the personal data.

Data CONTROLLER in GDPR

Usually a member of senior management.CAN delegate some day-to-day duties.CANNOT delegate total responsibility.

Data Owner

Data PROCESSOR in GDPR

Usually someone in the IT departmentDOES implement controls for data ownerDOES NOT decide what controls are needed

Data Custodian

数据所有者/控制者与数据保管者/处理者之间的区别Difference between data owner/controller vs. data custodian/processor

Most recent privacy laws include mandatory breach notification.

WHO should be notified and HOW QUICKLY

违规通知breach notification

Section 804:Companies must keep audit-related records for a minimum of five years.

SOX compliance is often an issue with both data breaches and ransomware incidents at publicly traded companies.

The loss of data related to compliance due to external actors does not protect a company from legal obligations.

Sarbanes-Oxley (SOX)

States that a data controller \"must be able to demonstrate that personal data are processed in a manner transparent to the data subject.\"

The obligations for transparency begin at the data collection stage and apply \"throughout the lifecycle of processing.\"

Stipulates that communication to data subjects must befont color=\"#e74f4c\

Meeting the requirement for transparency also requires processes for providing data subjects with access to their data.

监管透明度要求Regulatory transparency requirements

Where the organization changes business practices to completely eliminate the potential that a risk will materialize.

Can negatively impact business opportunities

规避avoid

The process of applying security controls to reduce the probability and/or magnitude of a risk.

减轻mitigate

Shifts some of the impact of a risk from the organization experiencing the risk to another entity.

e.g cyber insurance

转移transfer

共享share

Deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk.

use when cost of mitigation > cost of impact

接受acceptance

Risk Appetite.Sometimes called \"risk tolerance\"] is the amount of risk that a company is willing to accept.

safeguards are proactive (reduce likelihood of occurrence)

countermeasures are reactive (reduce impact after occurrence

Security Controls

风险处理Risk treatment

ISO 31000 contains several standards related to building and running a risk management program.

ISO 31000:2018 guidance standard

ENISA produces useful resources related to cloud-specific risks that organizations should be aware of and plan for when designing cloud computing systems.

This guide identifies various categories of risks and recommendations for organizations to consider when evaluating cloud computing.

ENISA's cloud computing risk assessment

NIST Special Publication 800-37 is the NIST Risk Management Framework

NIST Special Publication 800-146\"Cloud Computing Synopsis and Recommendations\"provides definitions of various cloud computing terms

Although font color=\"#e74f4c\

不同的风险框架Different risk frameworks

Patching levels:How many devices are fully patched and up-to-date?Unpatched devices often contain exploitable vulnerabilities.

Time to deploy patches:How may devices receive required patches in the defined timeframes?A useful measure of how effective a patch management program is at reducing the risk of known vulnerabilities.

Intrusion attempts:How many times have unknown actors tried to breach cloud systems?Increased intrusion attempts can be an indicator of increased risk likelihood.

Cybersecurity metrics provide vital information for decision makers in the organization.

Cybersecurity metrics within expected parameters indicate the risk mitigations are effective.

Metrics that deviate from expected parameters are no longer effective and should be reviewed

风险管理指标Metrics for risk management

服务service

Designing a supply chain risk management (SCRM)program to assess CSP or vendor risks is a due diligence practice.

Actually performing the assessment is an example of due care.

供应商vendor

基础架构infrastructure

业务business

Enables an objective evaluation to validate that a particular product or system satisfies a defined set of security requirements

Assures customers that security products they purchase have been thoroughly tested by independent third-party testers

Evaluation is done through testing laboratories where the product or platform is evaluated against a standard set of criteria.

The result is an font color=\"#e74f4c\

common Criteria(ISO/IEC 15408-1)

Contains evaluations of cloud services against the CSA's cloud controls matrix(CCM)

Organizations can opt for self-assessed or third-party-assessed cloud services.This will affect the level of assurance (low or high)

CSA STAR font color=\"#e74f4c\

ENISA has published a standard for certifying the cybersecurity practices present in cloud environments

The goal is producing security evaluation results that allow comparison of the security posture across different cloud providers.

风险环境评估Assessment of risk environment

6.4 了解云对企业风险管理的影响Understand implications of cloud to enterprise risk management

A contract with vendors and suppliers not to disclose the company's confidential information

A 'mutual NDA'binds both partics in the agreement

NDA

THIRD-PARTY RISK MANAGEMENT

Stipulate performance expectations such as maximum downtimes and often include penalties if the vendor doesn't meet expectations.

Generally used with external vendors (like CSP)and is legally binding

Often includes financial penalties for non-performance and may allow customer to terminate a contract

SLAs should be written to ensure that the organization's service level requirements (SLRs)are met.

Uptime guaranteesSLA violation penaltiesSLA violation penalty exclusions and limitationsSuspension of service clausesProvider liabilityData protection and managementDisaster recovery and recovery point objectivesSecurity and privacy notifications and timeframes

Common elements documented in SLAs include:

服务等级协议（SLA）service-level agreement (SLA)

This is defined as any contract that two or more parties enter into as a service agreement

MSA should address compliance and process requirements the customer is passing along to CSP

MSA should include breach notification -CSP duty to inform the customer of a breach within a specific time period after detection.

主服务协议（MSA）master service agreement (MSA)

Legal document usually created after an MSA has been executed and governs a specific unit of work.

工作陈述（SOW）statement of work (SOW)

A breach at any link in the supply chain can result in business impact.

Supply chain

Many orgs are reducing the number of vendors they work with and requiring stricter onboarding procedures.

Vendors may be required to submit to an external audit and agree to strictcommunication and reporting requirements in event of potential breach.

Risk of 'island hopping attack\"

Vendor management

Potential for Increased risk of insider attack

System integration

THIRD-PARTY RISKS

业务要求Business requirements

The practices ofSCRM and vendor management overlap significantly

Cloud computing involves outsourcing ongoing organizational processes and infrastructure to a service provider

Security practitioners should participate in thefont color=\"#e74f4c\

供应商评估vendor assessments

This assessment will require knowledge of not only the CSP's offerings but thearchitecture and strategy the customer organization intends to use.

Using font color=\"#e74f4c\

供应商锁定风险vendor lock-in risks

This is often a process that is not conducted by the security team as it deals with operational risk.

financial statementsthe CSP's performance history and reputationor even formal reports like a SOC 1

Assessing the viability of vendors may involve reviews of public information like:

供应商生存能力vendor viability

Escrow is a legal term used when font color=\"#e74f4c\

A software development company may wish to protect the intellectual property of their source code.

ESCROW SCENARIO:

托管escrow

供应商管理Vendor management

Organizations must employ adequate governance structures to monitor contract terms and performance and be aware ofoutages and any violations of stated agreements.

A contract clause is a specific article of related information that specifies the agreement between the contracting parties.

Right to auditMetricsDefinitionsTerminationLitigationAssuranceComplianceAccess to cloud/data

Some common contract clauses that should be considered for any CSP or other data service provider include the following:

Contract Clauses

The customer can request the right to audit the service provider to ensure compliance with the security requirements agreed in the contract.

审计权right to audit

Tell you \"how compliance with the agreement will be measured\"

指标metrics

A contract is a legal agreement between multiple parties.

It is essential that all parties share a common understanding of the terms and expectations.

定义definitions

Termination refers to ending the contractual agreement.

This clause will typically define conditions under which either party may terminate the contract

May also specify consequences if the contract is terminated carly.

终止termination

This is an area where legal counsel must be consulted.

Agreeing to terms for litigation can severely restrict the organization's ability to pursue damages if something goes wrong.

诉讼litigation

Defining assurance requirements sets expectations for both the provider and customer.

Many contracts specify that a provider must furnish a SOC 2 or equivalent to the customer on an annual basis

保证assurance

Any customer compliance requirements that flow to the provider must be documented and agreed upon in the contract.

Data controllers that use cloud providers as data processors must ensure that adequate security safeguards are available for that data

合规compliance

Clauses dealing with customer access can be used to avoid risks associated with vendor lock-in.

访问云/数据access to cloud/data

cyber risk insurance is designed to help an organization reduce the financial impact of risk by transferring it to an insurance carrier.

It may even cover legal or regulatory fines associated with the incident.

Cyber insurance carriers are in the business of risk management and are unlikely tooffer coverage to an organization lacking controls to mitigate risk.

Cyber insurance requires organizations to pay a premium for the insurance plan.Most plans have a limit of coverage that caps how much the insurance carrier pays.

There may also be font color=\"#e74f4c\

Costs associated with the forensic investigation to determine the extent of an incident.

This oftcn includes costs for third-party investigators.

Investigation

Direct business losses

These may include costs associated with replacing hardware or provisioningtemporary cloud environments during contingency operations.

They may also include services like forensic data recovery or negotiations with attackers to assist in recovery.

Recovery costs

Costs are associated with required privacy and breach notifications required by relevant laws.

Legal notifications

Policies can be written to cover losses and payouts due to class action or other lawsuits against a company after a cyber incident.

Lawsuits

The insurance to pay out ransomware demands is growing in popularity.

This may include direct payments to ensure data privacy or accessibility by the company.

Extortion

Incidents often require employees to work extended hours or travel to contingency sites.

Food and related expenses

Cyber risk insurance usually covers costs associated with the following:

网络风险保险cyber risk insurance

合同管理Contract management

Managing risk in the supply chain focuses on both font color=\"#e74f4c\

The supply chain should always be considered in any business continuity or disaster recovery planning.

Proactive measures including contract language and assurance processes can be used to quantify the risks associated with using suppliers like CSPs...as well as the effectiveness of these suppliers'risk management programs.

The ISO 27000 family of standards includes a specific ISO standard dedicated to supply chain cybersecurity risk management.

ISO 27036:2021 provides a set of practices and guidance for managing cybersecurity risks in supplier relationships.

This standard is particularly useful for organizations that use ISO 27001 for building an ISMS or ISO 31000 for risk management

Part 1:Overview and conceptsPart 2:RequirementsPart 3:Guidelines for information and communication technology supply chain securityPart 4:Guidelines for security of cloud services