CCSP Mind Map
2023-07-24 15:25:21
D1 Cloud Concepts, Architecture and Design
1.1 Understand cloud computing concepts
Cloud computing definitions
NIST SP 800-145
Cloud computing is a model for enabling universal, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Cloud computing roles and responsibilities
Cloud service customer
The business or individual consuming cloud services
Often using cloud to complement/augment existing on-premises compute.
Cloud service provider (CSP)
Company that provides cloud-based platform, infrastructure, and applications to other organizations as a service.
Cloud service partner
Helps organizations to obtain and deploy cloud services.
May provide consulting services, software to run in the cloud, or both.
Cloud service broker
An entity that manages the use, performance and delivery of cloud services
Negotiates relationships between cloud providers (CSPs) and cloud consumers.
Serves as an intermediary (advisor, negotiator) between customer and CSP
Functions of a Cloud Broker
Service Intermediation
Enhances a given service by improving specific capabilities and providing value-added services to cloud consumers.
Service Aggregation
Combines and integrates multiple services into one or more new services.
Service Arbitrage
Means a broker has the flexibility to choose services from multiple agencies.
Regulator
CSA
Cloud Service Auditor
Third party that can conduct an independent assessment of cloud services, information system operations, performance, and security of the cloud implementation.
Cloud administrator
Implementation, monitoring, and maintenance of the cloud.
Cloud application architect
Adapting, porting, and deploying application.
Cloud architect
Designs and develops solutions.
Cloud operator
Responsible for daily operational tasks.
Cloud data architect
Manages data storage and data flow within, to and from the cloud.
Cloud service manager
Responsible for business agreement, pricing for the cloud customer.
Cloud storage administrator
Manages storage volume/repository assignment and configuration.
cloud service business manager
Oversees business and billing administration.
Cloud service operations manager
Prepares systems operations and support for the cloud, administers services.
Managed security service provider (MSSP)
Maintains the security environment for companies
May manage firewalls, IDPS, and SIEM systems, and other security services and infrastructure.
May provide an outsourced security operations center (SOC) and incident response
Key cloud computing characteristics
On-demand self-service
Customers can scale their compute and storage needs with little or no intervention or prior communication from the provider.
Technologists can access cloud resources almost immediately when they need to do their jobs, providing agility in service delivery.
Broad network access
Services are consistently accessible over the network regardless of the user's physical location
Multi-tenancy
Many different customers share use of the same computing resources.
Physical servers that support our workloads might be the same physical servers supporting other customers' workloads.
The underlying cloud infrastructure (compute, storage, networking) is shared.
Oversubscription
Cloud providers will oversubscribe their total capacity, meaning they'll sell more capacity than they have.
Why? Because in the big picture customers won't be collectively using all of that capacity simultaneously.
Rapid elasticity and scalability
Allows the customer to grow or shrink the IT footprint as necessary to meet needs without excess capacity.
Elasticity
The ability of a system to automatically grow and shrink based on app demand.
Scalability
The ability of a system to handle growth of users or work.
Ability to grow as demand increases.
Resource pooling
Enables cloud provider to apportion resources as needed across multiple customers so resources are not underutilized or overtaxed.
Enables cloud provider to make capital investments that greatly exceed what any single customer could provide on their own.
Allows the cloud provider to meet various demands from customers while remaining financially viable.
DISADVANTAGE
Can result in some degree of location dependence beyond customer control.
However, major CSPs (AWS, Azure, GCP) often provide options enabling customers to choose location.
Measured service (aka metered service)
Means that almost everything you do in the cloud is metered (measured and tracked) for management and billing purposes.
Common metrics
- Number of minutes of virtual server compute time
- Amount of disk space you consume
- Number of function calls you make
- Amount of network egress and ingress
Building block technologies
Compute
Infrastructure-as-a-Service (IaaS) is the basis for compute capacity in the cloud.
CSP provides the server, storage, and networking hardware and its virtualization.
Customer installs middleware and applications.
Customer only pays for what they use. Charges stop when instance is stopped or deleted.
Networking
Cloud networking is all virtualized to allow customers to design and customize to their needs.
Enables customers to segment networks and restrict access however they would like.
Physical network components are virtualized into a software-defined network (SDN)
SDN
A network architecture approach that enables the network to be intelligently and centrally controlled, or 'programmed', using software
3 planes
Management plane: the business applications that manage the underlying control plane are exposed with northbound interfaces
Control plane: Control of network functionality and programmability is made directly to devices at this layer.
Data plane: The network switches and routers located at this plane are associated with the underlying network infrastructure.
Northbound interface
Ensures only trusted, authorized applications access critical network resources.
OpenFlow protocol interfaces with devices through southbound interfaces.
Storage
Three storage types
Ephemeral is relevant for IaaS instances and exists only as long as the instance (VM) is up
Raw storage maps a logical unit number (LUN) on a storage area network (SAN) to a VM.
Long-term storage offered by some CSPs is tailored to the needs of data archiving.
This may include features like search, immutability, and data lifecycle management.
Long-term storage typically uses either volume or object storage infrastructure.
Databases, usually multitenant relational (SQL) databases as a service.
Big data as a service, nonrelational (NoSQL) data such as document, graph, column, or key-value
Storage Consistency
Strict consistency
Ensures that all copies of the data have been duplicated among all relevant copies before finalizing the transaction to increase availability.
Eventual consistency
Consistency of data is relaxed, which reduces the number of replicas that must be accessed during read and write operations before the transaction is finalized.
Data changes are 'eventually' transferred to all data copies via asynchronous propagation over the network
Content/file storage: File-based content stored within the application
Content delivery network (CDN) where content is stored in object storage, then replicated to multiple geographically distributed nodes to improve internet consumption speed.
Information storage and management: Data entered into the system via the web interface and stored within the SaaS application.
Often utilizes databases, which in turn are installed on object or volume storage.
Databases
Multiple options available and multiple flavors of relational (SQL) and non-relational (NoSQL)
Managed database services (PaaS) options shift infrastructure maintenance to the CSP.
IaaS (VM) hosted databases are an option where PaaS is not possible or practical.
Orchestration
Cloud orchestration creates automated workflows for managing cloud environments.
Builds on the foundation of Infrastructure as Code (IaC), reducing manual admin tasks.
May be a script, function, runbook, or developed in an external workflow engine.
Virtualization
Type 1 "Bare metal"
- Reduced attack surface (compared to a Type 2 hypervisor)
- This makes it more secure if implemented properly
- Commonly used for QA, load testing, and production scenarios
- Typically, more expensive than a Type 2 hypervisor
Type 2 "Hosted"
- Increased attack surface (due to the host operating system)
- This makes it less secure vs Type 1, even if implemented properly
- Commonly used for individual development and lab scenarios
- Typically, less expensive than a Type 1 hypervisor
Virtual assets
- virtual machines (VM)
- virtual desktop infrastructure (VDI)
- software-defined networks (SDN)
- virtual storage area networks (SAN)
Hypervisors are the primary component that manages virtual assets, but also provide attackers with an additional target.
Both hypervisors and VMs need to be patched
Security issues with cloud-based assets
Storing data in the cloud increases the risk, so steps may be necessary to protect the data, depending on its value.
When leasing cloud-based services, you should know who is responsible for maintenance and security.
The cloud service provider (CSP) provides the least amount of maintenance and security in the IaaS model.
1.2 Describe cloud reference architecture
Cloud computing activities
ISO 17789 Cloud Reference Architecture
customer
- Use cloud services
- Perform service trials
- Monitor services
- Administer service security
- Provide billing and usage reports
- Handle problem reports
- Administer tenancies
- Perform business administration
- Select and purchase service
- Request audit reports
cloud service provider
- Prepare systems and provide cloud services
- Monitor and administer services
- Manage assets and inventories
- Provide audit data
- Manage customer relationships
- Handle customer requests
- Perform peering with other cloud service providers
- Ensure compliance
- Provide network connectivity
cloud service partner
- Design, create, and maintain service components
- Test services
- Perform audits
- Set up legal agreements
- Acquire and assess customers
- Assess the marketplace
Cloud service capabilities
Application capability types
Overall reduction in costs, application and software licensing, reduced support costs, backend systems and capabilities.
CSP allows the customer to focus on their business use cases.
Platform capability types
Language and framework support, support for multiple environments, allowing choice and reducing "lock-in", improving ability to auto-scale.
Infrastructure capability types
Scale, converged network and shared capacity pool, self-service and on-demand capacity, high reliability and resilience.
This is a capital expense (CAPEX) on-premises, but an operational expense (OPEX) in the cloud.
Cloud service categories
Infrastructure as a Service (IaaS)
CSP provides building blocks, like networking, storage and compute
CSP manages staff, HW, and datacenter
Key benefits
- Usage is metered
- Eases scale (scale-up, out, and down)
- Reduced energy and cooling costs
Platform as a Service (PaaS)
Customer is responsible for deployment and management of apps
CSP manages provisioning, configuration, hardware, and OS
Key benefits
- Core infrastructure updated by provider
- Global collaboration for app development
- Running multiple languages seamlessly
Software as a Service (SaaS)
Customer just configures features.
Customer has some responsibility in access management and data recovery
CSP is responsible for management, operation, and service availability.
Key benefits
- Limited administration responsibility
- Limited skills required
- Service always up-to-date
- Global access
Shared responsibility model
Serverless Architecture
Example: Function-as-a-Service
A cloud computing execution model where the cloud provider dynamically manages the allocation and provisioning of servers.
Serverless
Hosted as pay-as-you-go model based on use.
Resources are stateless, servers ephemeral and often capable of being triggered
Services Integration
Provisioning of multiple business services is combined with different IT services to provide a single business solution.
Cloud deployment models
Public
Everything runs on your cloud provider's hardware.
Advantages include scalability, agility, PAYG, no maintenance, and low skills
PAYG: Pay As You Go
Private
A cloud environment in your own datacenter
A cloud environment dedicated to a single customer
Advantages include legacy support, control, and compliance
Enables greater control of upgrade cycles in legacy apps and some compliance scenarios
Hybrid
Combines public and private clouds, allowing you to run your apps in the right location
Advantages include flexibility in legacy, compliance, and scalability scenarios
Enables the organization to control the pace of public cloud adoption
Community
Similar to private clouds in that they are not open to the general public
But they are shared by several related organizations in a common community
Multi-cloud
Combines resources from two or more public cloud providers
Allows orgs to take advantage of service and price differences, but at the cost of added complexity
Cloud shared considerations
Interoperability
Ability of one cloud service to interact with other cloud services by exchanging information according to a prescribed method and obtain predictable results.
3rd parties, other CSPs
Most CSPs have a cloud marketplace with certified apps and services
5 characteristics
Policy
Ability of two or more systems to interoperate while complying with governmental laws, regulations, and organizational mandates
Behavioral
Where the results of the use of the exchanged information match the expected outcome
Transport
The commonality of the communication between cloud consumer and provider and other providers (e.g., HTTP/S and various message queuing standards)
Syntactic
Ability of two or more systems to understand the other systems' structure of exchanged information through encoding syntaxes (e.g., JSON and XML)
Semantic data
Ability of systems exchanging information to understand the meaning of the data model within the context (e.g., virtual machines, containers, storage, and networking concepts)
Portability
Ability to move applications and associated data between cloud providers (CSPs), between legacy and cloud environments, or between public and private cloud environments (i.e. hybrid cloud).
Cloud data portability is the ability to easily move data from one cloud service to another without the need to re-enter the data.
3 characteristics
1. Syntactic
Transferring data from a source system to a target system using formats that can be decoded by the target system with features like XML or Open Virtualization Format (OVF)
2. Semantic
Transferring data from a source system to a target system so that the data model is understood within the context of the subject area by the target
3. Policy
Transferring data from a source system to a target system so that governmental laws, regulations, and organizational mandates are followed
Cloud application portability is the ability to migrate an application from one CSP to another or between a customer's environment and a cloud service.
Portability prevents 'vendor lock-in'
Reversibility
Process for cloud service customers to retrieve their data and application artifacts AND for the CSP to delete all cloud service customer data and contractually specified cloud service derived data after an agreed period.
Customer access to data also appears in regulations (e.g., GDPR)
Availability
Systems and resource availability defines the success or failure of a cloud-based service.
Check service-level SLAs and how multi-service SLAs are calculated.
Security
- Protection of customer data
- Protection of cloud applications
- Protection of cloud infrastructure
Privacy
Data privacy in cloud computing allows collecting, storing, transferring and sharing the data over the cloud network without putting the privacy of personal data at risk.
Prominent sources of privacy concerns
Many times, the customer does not have knowledge about how their personal information is stored and processed in the cloud.
Privacy vs Confidentiality
Data breaches have brought data privacy to the forefront as a crucial factor in cloud computing.
Resiliency
Ability of a cloud services data center and its associated components, including servers, storage, and so on, to continue operating in the event of a disruption.
Look for a cloud provider with global presence, regional redundancy and zone redundancy within region.
Azure Geography
A discrete market, typically containing two or more regions, that preserves data residency and compliance boundaries
Azure Regions
A set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network.
Region Pairs
A relationship between 2 Azure Regions within the same geographic region for disaster recovery purposes.
Availability Zones
Unique physical locations within a region with independent power, network, and cooling
Comprised of one or more datacenters
Tolerant to datacenter failures via redundancy and isolation
Performance
Ability of a service to remain responsive to requests to that service with an acceptable level of response latency or processing time.
Public cloud delivers the perception of unlimited scale for less than the cost a customer would incur in their own datacenter.
Governance
Enforcement of security policies and regulatory requirements, often through policy controls and regular audits.
CSPs often have policy automation in which restrictions can be defined and automatically enforced throughout the service lifecycle.
Maintenance and versioning
Service levels and service-level agreements (SLA)
Stipulate performance expectations such as maximum downtimes and often include penalties if the vendor doesn't meet expectations.
Auditability
Ability to provide clear documentation of the actions in a data event (e.g., data breach, unauthorized access).
Auditability is only possible with proper logging providing accountability and traceability
Related activities
Accountability. Ability to determine who caused the event. This is sometimes called "identity attribution". (Requires non-repudiation)
Traceability. Ability to track down all events related to the investigated event.
Regulatory
Outsourcing
Obtaining goods or services, such as cloud services, from an external supplier.
Introduces considerations including reversibility, interoperability, and vendor lock-in.
Impact of related technologies
Data science
The study of data to extract meaningful insights for business
Combines principles and practices from multiple fields (mathematics, artificial intelligence, computer engineering) to analyze large amounts of data.
Helps data scientists to ask and answer questions about past, current, and future events through evaluation of data.
Cybersecurity Data Science (CSDS)
The practice of applying data science to prevent, detect, and remediate cybersecurity threats.
Data is collected from selected cyber security sources and then analyzed to provide timely, data-driven patterns at scale.
Machine learning
A subset of AI, computer algorithms that improve automatically through experience and the use of data.
Artificial intelligence (AI)
Focuses on accomplishing "smart" tasks combining machine learning and deep learning to emulate human intelligence
Deep Learning
A subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.
Blockchain
Blockchain was originally the technology that powered Bitcoin but has broader uses.
A distributed, public ledger that can be used to store financial, medical, or other transactions. Anyone is free to join and participate
Does not use intermediaries such as banks and financial institutions.
Data is "chained together" with a block of data holding both the hash for that block and the hash of the preceding block.
To create a new block on the chain, the computer that wishes to add the block solves a cryptographic puzzle and sends the solution to the other computers participating in that blockchain.
Internet of Things (IoT)
A class of devices connected to the internet in order to provide automation, remote control, or AI processing in a home or business setting
Default settings
Every device that you put on your network to manage has a default username and a default password.
Often, the defaults are open and available for anybody to use. (Wi-Fi and IoT)
Botnets and offensive security tools will find and exploit devices with weak default settings still in place.
Simply change defaults to shut down this attack vector!
Wearables
You might be wearing an IoT device, such as a fitness tracker or smartwatch.
Facility automation.
In a large facility, IoT devices are able to manage the heating and AC, lights, and motion/fire/water detection.
Enable facility managers to be able to configure automation and monitoring of device function.
Sensors
Vehicles have very specialized sensors embedded, assisting with vehicle function
Containers
A lightweight, granular, and portable way to package applications for multiple platforms.
Reduces overhead of server virtualization by enabling containerized apps to run on a shared OS kernel.
Share many concerns of server virtualization: isolation at host, process, network, and storage levels
Quantum computing
A rapidly-emerging technology that harnesses the laws of quantum mechanics to solve problems too complex for classical computers.
Replaces the binary one and zero bits of digital computing with multidimensional quantum bits known as qubits.
No widespread use cases as of 2023, so little impact outside the world of scientific research and testing.
A quantum computer could render all modern cryptography completely ineffective and require the redesign of new, stronger quantum encryption algorithms.
Quantum cryptography
The practice of harnessing the principles of quantum mechanics to improve security and to detect whether a third party is eavesdropping on communications.
Leverages fundamental laws of physics such as the observer effect, which states that it is impossible to identify the location of a particle without changing that particle.
Quantum Key Distribution
Is the most common example of quantum cryptography.
By transferring data using photons of light instead of bits, a confidential key transferred between two parties cannot be copied or intercepted secretly.
Post-Quantum Cryptography
Post-quantum cryptography refers to cryptographic algorithms (usually public-key algorithms) that are thought to be secure against an attack by a quantum computer.
Post-quantum cryptography focuses on preparing for the era of quantum computing by updating existing mathematical-based algorithms and standards.
The development of new kinds of cryptographic approaches that can be implemented using today's conventional computers...
...but will be impervious (resistant) to attacks from tomorrow's quantum computers.
Post-quantum algorithms are sometimes called "quantum-resistant" cryptographic algorithms
edge computing
Some compute operations require processing activities to occur locally, far from the cloud.
Common in various Internet of Things scenarios, like agricultural, science/space, military.
All the processing of data storage is closer to the sensors rather than in the cloud data center.
With large network-connected device counts in varied locations, data encryption, spoofing protection, and authentication are key
fog computing
Complements cloud computing by processing data from IoT devices.
Often places gateway devices in the field to collect and correlate data centrally at the edge.
Generally, brings cloud computing nearer to the sensor to process data closer to the device.
Important to speed processing time and reduce dependence on cloud/Internet connectivity in mission-critical situations (healthcare)
confidential computing
PROBLEM: Sensitive data must be encrypted in memory before an app can process it, leaving the data vulnerable
Confidential computing solves for this by isolating sensitive data in a protected CPU enclave during processing.
This CPU enclave is called a trusted execution environment (TEE), secured with embedded encryption keys.
Embedded attestation mechanisms ensure that the keys are accessible only to authorized application code
DevSecOps
A portmanteau of development, security, and operations.
Integrates security as a shared responsibility throughout the entire IT lifecycle.
Builds a security foundation into DevOps initiatives.
Often includes automating some of the security gates in the DevOps process.
IaC
Infrastructure as Code
is the management of cloud infrastructure (networks, VMs, load balancers, and connection topology) described in code
just as the same source code generates the same binary, code in the IaC model results in the same environment every time it is applied.
IaC is a key DevOps practice and is used in conjunction with Continuous Integration and Continuous Delivery (CI/CD), "the CI/CD pipeline".
1.3 Understand security concepts relevant to cloud computing
Cryptography and key management
TPM
A chip that resides on the motherboard of the device.
Multi-purpose, like storage and management of keys used for full disk encryption (FDE) solutions.
Provides the operating system with access to keys, but prevents drive removal and data access
HSM
a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions.
Like a TPM, but are often removable or external devices
KEY MANAGEMENT STRATEGY FOR ENCRYPTION KEY LIFECYCLE
Generation
Encryption keys should be generated within a trusted, secure cryptographic module
FIPS 140-2 validated modules provide tamper resistance and key integrity
Distribution
Encryption keys should be distributed securely to prevent theft/compromise during transit
BEST PRACTICE: Encrypt keys with a separate encryption key while distributing to other parties
Storage
Encryption keys must be protected at rest and should never be stored in plaintext
This includes keys in volatile and persistent memory
Use
Clients (users, trusted devices) will use keys for resource access as access controls allow.
Acceptable use policy sets guardrails for data usage
Revocation
A process for revoking access at separation, policy breach, device or key compromise.
EXAMPLE: In PKI, you would revoke the certificate on the issuing Certificate Authority (CA)
Destruction
Key destruction is the removal of an encryption key from its operational location.
Key deletion goes further and removes any info that could be used to reconstruct that key.
EXAMPLE: (MS Intune, AirWatch)
MDM systems remove certificates from a device during device wipe or retirement.
Level of Protection
Encryption keys must be secured at the same level of control or higher as the data they protect.
Sensitivity of the data dictates this level of protection, as defined in the organization's data security policies.
Key Recovery
Circumstances where you need to recover a key for a particular user, without that user's cooperation, such as in termination or key loss.
Key Escrow
Copies of keys held by a trusted third party in a secure environment, which can aid in many of the other areas of key management.
Key Management System (KMS)
CSPs offer a cloud service for centralized secure storage and access for application secrets called a vault.
A secret is anything that you want to control access to, such as API keys, passwords, certificates, tokens, or cryptographic keys.
Service will typically offer programmatic access via API to support DevOps and continuous integration/continuous deployment (CI/CD)
Access control at vault instance-level and to secrets stored within
Secrets and keys can generally be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
Identity and access control
user access
Authentication and access management
- Focused on the manner in which users can access required resources
privilege access
Privileged user management
- Managing privileged access accounts
- Enforce Least Privilege and Need to know
- Separation of duties can provide effective risk mitigation
PRIVILEGED ACCESS MANAGEMENT
- a solution that helps protect the privileged accounts within a tenant, preventing attacks
- Native to some cloud identity providers today, and may include a just-in-time elevation feature
service access
Centralized directory Services
- Active Directory and LDAP
- Kerberos and NTLM authentication
Provisioning and Deprovisioning
- Standardize, streamline, and develop an efficient account creation process
- Timely deprovisioning eliminates access sprawl
MFA
Multi-factor Authentication
- Something you know (PIN or password)
- Something you have (trusted device)
- Something you are (biometric)
PREVENTS:
- Phishing
- Credential stuffing
- Spear phishing
- Brute force and reverse brute force attacks
- Keyloggers
- Man-in-the-middle (MITM) attacks
LIMITING ACCESS & DAMAGE
Need-to-know and the principle of least privilege are two standard IT security principles implemented in secure networks.
They limit access to data and systems so that users and other subjects have access only to what they require.
They help prevent security incidents
They help limit the scope of incidents when they occur.
PREVENTING FRAUD AND COLLUSION
Collusion is an agreement among multiple persons to perform some unauthorized or illegal actions.
Separation of duties
a basic security principle that ensures that no single person can control all the elements of a critical function or system.
Job rotation
employees are rotated into different jobs, or tasks are assigned to different employees.
ACCOUNT TYPES
Service Account
aka "Service Principal"
when software is installed on a computer or server, it may require privileged access to run.
a lower-level administrative account, and the service account fits the bill.
a service account is a type of administrator account used to run an application. Example: account to run an anti-virus application.
Shared Account
When a group of people performs the same duties, such as members of customer service, they can use a shared account.
when user-level monitoring, auditing, or non-repudiation are required, you must eliminate the use of shared accounts.
Data and media sanitization
overwriting
cryptographic erase
Less secure data destruction
Media is reusable with any of these methods
Data may be recoverable with forensic tools
Erasing
performing a delete operation against a file, files, or media.
Clearing (overwriting)
preparing media for reuse and ensuring data cannot be recovered using traditional recovery tools.
May use random data or zeros, one or multiple passes
Purging
a more intense form of clearing that prepares media for reuse in less secure environments.
More secure data destruction
Crypto-shredding ("cryptographic erasure")
- Data is encrypted with a strong encryption engine.
- The keys used to encrypt the data are then encrypted using a different encryption engine.
- Then, keys from the second round of encryption are destroyed.
PRO: Data cannot be recovered from any remnants.
CON: High CPU and performance overhead
Destroying Media Data
Degaussing
creates a strong magnetic field that erases data on some media and destroys electronics.
Shredding
You can shred a metal hard drive into powder.
Pulverizing
Use a hammer and smash drive into pieces, or drill through all the platters.
Network security
network security groups
Network security groups provide an additional layer of security for cloud resources
Act as a virtual firewall for virtual networks and resource instances (e.g. VMs, databases, subnets).
Carries a list of security rules (IP and port ranges) that allow or deny network traffic to resource instances.
Provides a virtual firewall for a collection of cloud resources with the same security posture
Segmentation
Restricting services that are permitted to access or be accessible from other zones using rules to control inbound/outbound traffic.
Rules are enforced by the IP address ranges of each subnet.
Within a virtual network, segmentation can be used to achieve isolation. Port filtering through a network security group
API inspection and integration
Representational State Transfer (REST) is the modern approach to writing web service APIs.
Enables multi-language support, can handle multiple types of calls, return different data formats.
APIs published by an organization should include encryption, authentication, rate limiting, throttling, and quotas.
traffic inspection
Packet capture in the cloud generally requires tools designed for this purpose in the environment.
Traffic is often sent directly to resources, and promiscuous mode on a VM NIC is not possible or effective.
geofencing
Uses the Global Positioning System (GPS) or RFID to define geographical boundaries.
Once the device is taken past the defined boundaries, the security team will be alerted.
EXAMPLES:
Restrict access to systems and services based on where the access attempt is being generated from.
Prevent devices from being removed from the company's premises.
zero trust network
Addresses the limitations of the legacy network perimeter-based security model.
Treats user identity as the control plane
Assumes compromise (breach) and verifies every request.
ZERO TRUST PRINCIPLES
Verify explicitly. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Use least privilege access. Limit user access with just-in-time and just-enough-access (JIT and JEA), risk-based adaptive policies, and data protection
Assume breach. Segment access to minimize scope of impact. Verify end-to-end encryption, use analytics to get visibility, drive threat detection, and improve defenses.
ZERO TRUST NETWORK ARCHITECTURE
- Network Security Group (NSG)
- Network Firewalls
- Inbound and outbound traffic filtering
- Inbound and outbound traffic inspection
- Centralized security policy management and enforcement
Virtualization security
hypervisor security
container security
Container hosts are cloud-based virtual machines (VMs). This is where the containers run
Most CSPs offer a hosted Kubernetes service that handles critical tasks like health monitoring and maintenance for you (Platform-as-a-Service).
You pay only for the agent nodes within your clusters, not for the management cluster.
Major CSPs also offer a monitoring solution that will identify at least some potential security concerns
ephemeral computing
the practice of creating a virtual computing environment as a need arises.
environment is destroyed once needs are met, and resources are no longer needed
serverless technology
Use API gateways as security buffers (to avoid DDoS attacks)
Configure secure authentication (OAuth, SAML, OpenID Connect, MFA)
Separate dev and prod environments, implement least privilege
Common threats
Data Breach
The result of a cyberattack
When sensitive data is stolen, including personally identifiable information (PII) and protected health information (PHI).
Often due to poor application or database security design or configuration, whereby data is exposed without proper authorization.
Preventable by following secure development practices and adhering to recommendations in the secure data lifecycle
Data Loss
Sometimes called 'data leaks'
When sensitive data is unknowingly exposed to the public
Often through a system or service misconfiguration or oversharing.
Malicious Insiders
Disgruntled employees can wreak havoc on a system.
Internal acts of disruption include theft and sabotage.
Traffic Hijacking
When attacks are designed to steal or wedge themselves into the middle of a conversation in order to gain control.
Abuse of cloud services
Consumers sometimes misuse their cloud services for illegal or immoral activities.
Insufficient due diligence
Process/effort to collect and analyze information before making a decision or conducting a transaction.
Failure to perform due diligence can result in a due care violation.
DUE DILIGENCE VS DUE CARE
Due Diligence
Process/effort to collect and analyze information before making a decision or conducting a transaction.
Due care
Doing what a reasonable person would do in a given situation. It is sometimes called the "prudent person rule".
Together, these will reduce senior management's culpability & (downstream) liability when a loss occurs.
Shared Technology Vulnerabilities
The underlying infrastructure of the public cloud was not originally designed for the types of multitenancy in the public cloud
Modern virtualization software bridges most of the gaps
- Cloud infrastructure can still be vulnerable to insider threats
- Unintentional misconfigurations are also a concern
- To a lesser degree, disruptive attacks of scale (DoS, DDoS) and "noisy neighbors"
Security hygiene
patching
baselining
Configuration Management
ensures that systems are configured similarly, configurations are known and documented.
Baselining ensures that systems are deployed with a common baseline or starting point, and imaging is a common baselining method.
Change Management
helps reduce outages or weakened security from unauthorized changes to the baseline configuration.
Versioning uses a labeling or numbering system to track changes in updated versions of baseline (image, application, system, etc.).
Patch Management
aka 'update Management'
The process of identifying, acquiring, installing, and verifying patches for products and systems.
It is a function included in change management.
Patches correct security and functionality problems in software and firmware.
An applicability assessment is performed to determine whether a particular patch or update applies to a system.
1.4 Understand design principles of secure cloud computing
Cloud secure data lifecycle
Create
Can be created by users
a user creates a file
Can be created by systems
a system logs access
Store
To ensure it's handled properly, it's important to ensure data is classified as soon as possible.
Ideally, data is encrypted at rest
Use
Data should be protected by adequate security controls based on its classification.
Share
refers to anytime data is in use or in transit over a network
Archive
archival is sometimes needed to comply with laws or regulations requiring the retention of data.
Destroy
When data is no longer needed, it should be destroyed in such a way that it is not readable nor recoverable
DATA STATES
PROTECTING DATA AT REST
Storage Service Encryption
CSP storage providers usually protect data at rest by automatically encrypting before persisting it to managed disks, object, file, or queue storage.
Full Disk Encryption
helps you encrypt Windows and Linux IaaS VM disks using BitLocker (Windows) and the dm-crypt feature of Linux to encrypt OS and data disks.
Transparent data encryption (TDE)
Helps protect SQL Database and data warehouses against threat of malicious activity with real-time encryption and decryption of database, backups, and transaction log files at rest without requiring app changes.
Some database platforms also provide row-level encryption, column-level encryption, or data masking
Important data roles
Data Owner
Holds the legal rights and complete control over a single piece of data.
Usually a member of senior management. Can delegate some day-to-day duties. CANNOT delegate total responsibility!
Data custodian
Responsible for safe custody, transport, and storage of data, and implementation of business rules, technical controls (CIA, audit trails, etc.).
Usually someone in the IT department. Does not decide what controls are needed, but does implement controls for data owner
Data roles in GDPR
Data Processor
A natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller.
Data Controller
The person or entity that controls processing of the data.
Other roles
Data Subject
Refers to any individual person who can be identified, directly or indirectly, via an identifier
Identifiers may include name, an ID number, location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity.
Data Steward
Ensure the data's context and meaning are understood, and business rules governing the data's usage.
Use that knowledge to ensure the data they are responsible for is used as intended.
Cloud-based business continuity (BC) and disaster recovery (DR) plan
BCP (Business Continuity Plan)
the overall organizational plan for "how-to" continue business.
DRP (Disaster Recovery Plan)
the plan for recovering from a disaster impacting IT and returning the IT infrastructure to operation.
BCP vs DRP
BCP focuses on the whole business
DRP focuses more on the technical aspects of recovery
BCP will cover communications and process more broadly
BCP is an umbrella policy and DRP is part of it
Disaster recovery in the cloud
Region pairs address site-level failure
Region pairs are 300+ miles apart, selected by CSP
Availability Zones address datacenter failures within a cloud region
A CSP region (e.g. East US) includes multiple datacenters
Availability sets address rack-level failures within a regional datacenter
Consists of two or more 'fault domains' for power, network, etc.
Business impact analysis (BIA)
cost-benefit analysis
A cost-benefit analysis lists the benefits of the decision alongside their corresponding costs.
CBA can be strictly quantitative: adding the financial benefits and subtracting the associated costs to determine whether a decision will be profitable.
return on investment (ROI)
Functional security requirements
Functional vs Non-Functional security requirements
Functional security requirements
Define a system or its component and specify what it must do.
Captured in use cases, defined at a component level.
EXAMPLE: application forms must protect against injection attacks.
Non-functional security requirements
Specify the system's quality, characteristics, or attributes.
Apply to the whole system (system level)
EXAMPLE: security certifications are non-functional.
portability
interoperability
vendor lock-in
Security considerations and responsibilities for different cloud categories
Infrastructure as a Service (IaaS)
- VM attacks
- Virtual network
- Hypervisor attacks
- VM-based rootkits
- Virtual switch attacks
- Colocation
- DoS attack
Shared responsibility model
Platform as a Service (PaaS)
- System and Resource Isolation
- User-Level Permissions
- Access Management
- Protection Against Malware, Backdoors, and Trojans
Software as a Service (SaaS)
- Data Segregation
- Data Access and Policies
- Web Application Security
Attacks
VIRTUALIZATION-FOCUSED ATTACKS
VM Escape
where an attacker gains access to a VM, then attacks either the host machine that holds all VMs, the hypervisor, or any of the other VMs.
Protection: ensure patches on hypervisor and VMs are always up to date, guest privileges are low. Server-level redundancy and HIPS/HIDS protection are also effective.
VM Sprawl
When unmanaged VMs have been deployed on your network. Because IT doesn't know it is there, it may not be patched and protected, and thus more vulnerable to attack
Avoidance: enforcement of security policies for adding VMs to the network, as well as periodic scanning to identify new virtualization hosts.
APPLICATION ATTACKS
Rootkit (escalation of privilege)
freely available on the internet and exploit known vulnerabilities in various operating systems enabling attackers to elevate privilege.
keep security patches up-to-date, anti-malware software, EDR/XDR
Back Door
undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions.
often used in development and debugging.
countermeasures:
Firewalls, anti-malware, network monitoring, code review
NETWORK ATTACKS
Denial-of-Service
is a resource consumption attack intended to prevent legitimate activity on a victimized system.
Distributed Denial-of-Service
a DoS attack utilizing multiple compromised computer systems as sources of attack traffic.
COUNTERMEASURES
firewalls, routers, intrusion detection (IDS), SIEM, disable broadcast packets entering/leaving, disable echo replies, patching
TYPES OF DDOS ATTACKS
Network
volume-based attacks targeting flaws in network protocols, often using botnets, using techniques such as UDP, ICMP flooding, or SYN flooding (TCP-based).
Application
exploit weaknesses in the application layer (Layer 7) by opening connections and initiating process and transaction requests that consume finite resources like disk space and available memory.
Operational Technology (OT)
Targets the weaknesses of software and hardware devices that control systems in factories, power plants, and other industries, such as IoT devices.
Often target weaknesses using the network and application techniques described above.
COUNTERMEASURES
IDS, IPS, rate-limiting, firewall ingress/egress filters
Cloud design patterns
SANS security principles
Well-Architected Framework
Cloud Security Alliance (CSA) Enterprise Architecture
ARCHITECTURE
Cloud Service Providers
- AWS Well-Architected Framework
- Azure Well-Architected Framework
- Google Cloud Architecture Framework
Industry Groups
- Enterprise Architecture Reference Guide (Cloud Security Alliance)
- Cloud Computing Reference Architecture (NIST)
Focus on architecture more than security
SECURITY
Cloud Service Providers
- Microsoft Cybersecurity Reference Architecture
- AWS Security Reference Architecture
- Google Cloud Security Foundations Guide
Industry Groups
- Enterprise Cloud Security Architecture (SANS)
- Security Technical Reference Architecture (CISA)
- Cloud Computing Security Reference Architecture (NIST)
DevOps security
DevOps relies heavily on deployment automation for
Continuous integration/continuous delivery (CI/CD)
Technical
- Automated software scanning
- Automated vulnerability scanning
- Web application firewall
- Software dependency management
- Access and activity logging
- Application performance management
Administrative
- Developer application security training
- Documented policies and procedures
- Code review, approval gates
1.5 Evaluate cloud service providers
Verification against criteria
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27017
Provides guidelines for information security controls applicable to the
provision and use of cloud services
Provides cloud-based guidance on several ISO/IEC 27002 controls, along
with seven cloud controls that address:
- Who is responsible for what between the cloud service provider and the cloud customer
- The removal/return of assets when a contract is terminated
- Protection and separation of the customer's virtual environment
- Virtual machine configuration
- Administrative operations and procedures associated with the cloud environment
- Customer monitoring of activity within the cloud
- Virtual and cloud network environment alignment
Payment Card Industry Data Security Standard (PCI DSS)
a widely accepted set of policies and procedures intended to
optimize the security of credit, debit and cash card transactions
created jointly in 2004 by four major credit-card companies: Visa,
MasterCard, Discover and American Express
BASED ON 6 MAJOR OBJECTIVES
- a secure network must be maintained in which transactions can be conducted
- cardholder information must be protected wherever it is stored
- systems should be protected against the activities of malicious hackers
- cardholder data should be protected physically as well as electronically
- networks must be constantly monitored and regularly tested
- a formal information security policy must be defined, maintained, and followed
System/subsystem product certifications
Common Criteria (CC) (ISO/IEC 15408)
Enable an objective evaluation to validate that a particular
product or system satisfies a defined set of security requirements
Assures customers that security products they purchase have
been thoroughly tested by independent third-party testers and meet customer requirements.
The certification of the product only certifies product capabilities.
Designed to provide assurances for security claims by vendors
If misconfigured or mismanaged, software is no more
secure than anything else the customer might use.
Federal Information Processing Standard (FIPS) 140-2
Established to aid in the protection of digitally stored unclassified,
yet sensitive, information
Developed by NIST, for use in computer systems by non-military
American government agencies and government contractors
FIPS Security Levels
Level 1: Lowest level of security.
Level 2: Specifies the security requirements for cryptographic modules that protect sensitive information.
Level 3: Requires physical protections to ensure a high degree of confidence that any attempts to tamper are evident and detectable
D2 Cloud Data Security
2.1 Describe cloud data concepts
Cloud data life cycle phases
Create
Store
Use
Share
Archive
Destroy
Data dispersion
A core principle of business continuity says that important
data should always be stored in more than one location
Data dispersion is easier in the cloud because the CSP owns
the underlying complexity that delivers site-level resiliency.
Cloud storage for IaaS includes different levels of storage
redundancy, including:
Local - replicas within a single datacenter
Zone - replicas to multiple datacenters within a region
Global - region-level resiliency (replicas to backup region)
Data flows
A data flow diagram (DFD) is useful to gain visibility and
ensure that adequate security controls are implemented
BENEFITS
Decreased development time and faster deployment of new
system features, and with reduced security risk!
Visibility into data movement, critical for regulatory compliance,
where data security is often mandated in law.
Some compliance frameworks require DFDs to capture specific
information, such as the geographic location of data flows or
ownership of systems where data is flowing.
BOTTOM LINE: Creating the DFD can be both a risk assessment
activity and a crucial compliance activity.
2.2 Design and implement cloud data storage architectures
Storage types
long-term
ephemeral
raw storage
IAAS
- Raw Storage. Physical media, allows a VM to access a storage LUN
- Volume storage. Attached as IaaS Instance (EC)
- Object storage. S3 storage bucket, Azure storage
PAAS
- Structured. Relational databases (RDBMS)
- Unstructured. Big data
SAAS
- Information Storage and Mgmt. Data entered via the web interface
- Content/File Storage. File-based content
- Ephemeral Storage. Used for any temporary data such as cache, buffers, session data, swap volume, etc.
- Content Delivery Network (CDN). Geo-distributed content (for better UX)
Threats to storage types
Universal threats from the perspective of the CIA Triad
Unauthorized Access
User accessing data storage without proper
authorization presents security concerns
Customer must implement proper access control
CSP must provide adequate logical separation
Unauthorized Provisioning
Primarily a cost and operational concern
Ease of use can lead to unofficial use,
unapproved deployment, and unexpected costs
Shadow IT a common issue
Loss of Connectivity
Loss of connectivity for any reason, whether
network connectivity, access controls,
authentication services, etc.
OTHER THREATS
Jurisdictional issues
Data transfer between countries can run afoul of
legal requirements.
Privacy legislation bars data transfer to countries
without adequate privacy protections
Denial of service
In the event a network connection is severed
between the user and the CSP.
CSPs are better prepared to defend against DDoS attacks.
Data corruption/destruction
Human error in data entry, malicious insiders,
hardware and software failures, natural disasters
rendering data or storage media unusable.
Defenses: least privilege, RBAC, offsite data backups
Theft or media loss
In the cloud, CSPs retain responsibility for
preventing the loss of physical media through
appropriate physical security controls
Malware and ransomware
Ransomware not only encrypts data stored on
local drives but also seeks common cloud
storage locations like SaaS apps.
COUNTERMEASURES
- Back up your computer
- Store backups separately
- File auto-versioning
PREVENTION
- Update and patch computers
- Use caution with web links
- Use caution with email attachments
- Verify email senders
- Preventative software programs
- User awareness training
Improper disposal
Ensuring that hardware that has reached the
end of its life is properly disposed of in such a
way that data cannot be recovered.
CSP responsible for hardware disposal
Regulatory Compliance
Certain cloud service offerings may not meet
all the organization's compliance requirements,
which leads to two security concerns:
First are the consequences of noncompliance
like fines or suspension of business operations.
Second is the reason for the compliance
requirements - data protection
Requirements may include use of specific
encryption standards, handling and retention
2.3 Design and apply data security technologies and strategies
Encryption and key management
Symmetric
Relies on the use of a single shared secret
key. Lacks support for scalability, easy key
distribution, and nonrepudiation
Asymmetric
Public-private key pairs for communication
between parties. Supports scalability, easy
key distribution, and nonrepudiation
Trust model
A model of how different certification authorities trust each other and how
their clients will trust certificates from other certification authorities.
The four main types of trust models that are used with public key
infrastructure (PKI) are bridge, hierarchical, hybrid, and mesh.
Key escrow
Addresses the possibility that a cryptographic key may be lost.
The concern is usually with symmetric keys or with the private key in
asymmetric cryptography.
If that occurs, then there is no way to get the key back, and the user
cannot decrypt messages.
Organizations establish key escrows to enable recovery of lost keys.
ENCRYPTION KEY LIFECYCLE
Generation
Encryption keys should be generated within a trusted, secure cryptographic module
Should use strong, random keys using cryptographically sound inputs like random numbers
FIPS 140-2 validated modules provide tamper resistance and key integrity
Distribution
Encryption keys should be distributed securely to prevent theft/compromise during transit
Plan for securely transferring symmetric keys and distributing keys to the key escrow agent
BEST PRACTICE:
Encrypt keys with a separate encryption key while distributing to other parties
Storage
Encryption keys must be protected at rest and should never be stored in plaintext
This includes keys in volatile and persistent memory
Storing keys in a secure manner, whether encrypted in a key vault or on a physical device
Also consider handling in the process of storing copies for retrieval if a key
is ever lost (known as key escrow)
Use
Using keys securely, primarily focused on access controls and accountability
Revocation
A process for revoking access at separation, policy breach, device or key compromise.
EXAMPLE:
In PKI, you would revoke the certificate on the issuing Certification Authority (CA)
A process for archiving keys no longer needed for routine use, in case needed for existing data.
Destruction
Key destruction is the removal of an encryption key from its operational location.
Key deletion goes further and removes any info that could be used to reconstruct that key.
EXAMPLE: (MS Intune, AirWatch)
MDM systems remove certificates from a device during device wipe or retirement.
KEY MANAGEMENT IN THE CLOUD
CSP-managed or self-managed
Key storage
Many CSPs offer FIPS compliant virtualized HSMs to securely
generate, store, and control access to cryptographic keys.
Organizations that use multiple cloud providers or need to retain
physical control over key management may need to implement a
bring-your-own-key (BYOK) strategy.
OTHER CLOUD ENCRYPTION SCENARIOS
Storage-level encryption
Provides encryption of data as it is written to storage, utilizing
keys that are controlled by the CSP.
Volume-level encryption
Provides encryption of data written to volumes connected to specific
VM instances, utilizing keys controlled by the customer.
Examples: BitLocker (Windows), dm-crypt (Linux)
Object-level encryption
Encryption of objects as they are written to storage, in which case the
CSP likely controls the keys and could potentially access the data.
File-level encryption
Implemented in client apps, such as word processing apps like Microsoft
Word or collaboration apps like SharePoint
Will vary by app and CSP platform
Application-level encryption
Implemented in an application typically using object storage
Data entered by user typically encrypted before storage
Database-level encryption
Transparent data encryption (database files, logs, backups),
column-level or row-level encryption, or data masking
Will vary by RDBMS platform (MSSQL, MySQL, PostgreSQL)
Hashing
A one-way function that scrambles plain text to produce a unique message
digest.
Conversion of a string of characters into a shorter fixed-length value
VS Encryption
Encryption is a two-way function; what is encrypted can be decrypted with
the proper key.
HASH FUNCTION REQUIREMENTS
- They must allow input of any length.
- Provide fixed-length output.
- Make it relatively easy to compute the hash function for any input.
- Provide one-way functionality.
- Must be collision free.
Data obfuscation
masking
when only partial data is left in a data field.
for example, a credit card may be shown as
************1234
Commonly implemented within the database tier, but
also possible in code of frontend applications
anonymization
Anonymization. The process of removing all relevant data
so that it is impossible to identify original subject or person.
If done effectively, then GDPR is no longer relevant for the
anonymized data.
Good only if you don't need the data
Anonymization is sometimes called de-identification
Pseudonymization
de-identification procedure using
pseudonyms (aliases) to represent other data.
Can result in less stringent requirements than would
otherwise apply under the GDPR.
use if you need data and want to reduce exposure
Tokenization
where meaningful data is replaced with a token that is generated randomly, and the
original data is held in a vault.
Stateless, stronger than encryption, keys not local
Tokenization goes further than pseudonymization, replacing your pseudonym with an unrecognizable token
Pseudonymization
de-identification procedure in which personally identifiable information (PII) fields
within a data record are replaced by one or more artificial identifiers, or pseudonyms.
Reversal requires access to another data source
Data loss prevention (DLP)
a system designed to identify, inventory and control the use of data that an organization deems sensitive.
spans several categories of controls including detective, preventative, and corrective.
Policies can be typically applied to email, SharePoint,
cloud storage, removable devices, and databases
is a way to protect sensitive information and prevent its inadvertent disclosure.
can identify, monitor, and automatically protect sensitive information in documents
monitors for and alerts on potential breaches, policy violations like oversharing
Protection travels with the document, file, or other data, preventing local override of DLP protections
Keys, secrets and certificates management
Keys
are most often used for encryption operations and can be used to uniquely identify a user or system.
Keys should be stored in a tool that implements encryption and requires a strong passphrase or MFA to access.
In the cloud, a key vault
Secrets
often a secondary authentication mechanism used to verify that a communication has not been hijacked or intercepted.
Certificates
are used to verify the identity of a communication party and can also be used for asymmetric encryption by providing a trusted public key.
often used to encrypt a shared session key or other symmetric key for secure transmission.
KEY MANAGEMENT IN THE CLOUD
Key Management Services (KMS)
CSPs offer a cloud service for centralized secure storage and access for application secrets called a vault.
A secret is anything that you want to control access to, such as API keys, passwords, certificates, tokens, or cryptographic keys.
Service will typically offer programmatic access via API to support DevOps and continuous integration/continuous deployment (CI/CD)
Access control at vault instance-level and to secrets stored within.
Secrets and keys can generally be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
Digital Signatures
Digital signatures are similar in concept to handwritten signatures on printed documents that identify individuals, but they provide more security benefits.
is an encrypted hash of a message, encrypted with the sender's private key
in a signed email scenario, it provides three key benefits:
Authentication
This positively identifies the sender of the email.
Ownership of a digital signature secret key is bound to a specific user
Non-repudiation
The sender cannot later deny sending the message.
This is sometimes required with online transactions
Integrity
provides assurances that the message has not been modified or corrupted.
Recipients know that the message was not altered in transit
PUBLIC KEY INFRASTRUCTURE (PKI)
Key management
management of cryptographic keys in a cryptosystem.
Operational considerations include dealing with the generation, exchange,
storage, use, crypto-shredding (destruction) and replacement of keys.
Design considerations include cryptographic protocol design, key servers,
user procedures, and other relevant protocols.
Certificate authority (CA)
Certification Authorities create digital certificates and own the policies
PKI hierarchy can include a single CA that serves as root and issuing, but
this is not recommended.
In a single-layer PKI hierarchy, if the server is breached no certificate, including the root, can be trusted
TYPES OF CERTIFICATES
User
Used to represent a user's digital identity
In most cases, a user certificate is mapped back to a user account.
Root
A trust anchor in a PKI environment is the root certificate from which the whole chain of trust is derived.
this is the root CA.
Domain validation
A Domain-Validated (DV) certificate is an X.509 certificate that proves the ownership of a domain name.
Extended validation
Extended validation certificates provide a higher level of trust in identifying the entity that is using the certificate.
Commonly used in the financial services sector.
chain of trust
Subordinate CA
Regularly issue certificates, making it difficult for them to stay offline as often as root CAs.
Do have the ability to revoke certificates, making it easier to recover from any security breach that does happen
If the issuing CA is breached, its certificate can be revoked and a new one issued.
A single compromised CA does not result in compromise of the root.
Certificate revocation list (CRL)
Contains information about any certificates that have been revoked by a
subordinate CA due to compromises to the certificate or PKI hierarchy.
CAs are required to publish CRLs, but it's up to certificate consumers if they
check these lists and how they respond if a certificate has been revoked.
CERTIFICATE REVOCATION
Revoking (invalidating) a certificate before expiration
Certificate is effectively cancelled, and certificate serial number added to the certificate revocation list (CRL).
BUT, parties checking the certificate to verify identity or authenticity must check with issuing authority on validity
Two potential options for tracking revocation: ask for the CRL or, if available, OCSP endpoint/service.
If the other client/server does not check the CRL or OCSP for certificate validity, they may accept an invalid certificate as valid!
Online Certificate Status Protocol (OCSP)
Offers a faster way to check a certificate's status compared to downloading a CRL.
With OCSP, the consumer of a certificate can submit a request to the OCSP endpoint to obtain the status of a specific certificate.
Certificate signing request (CSR)
Records identifying information for a person or device that owns a private key as well as information on the corresponding public key.
It is the message that's sent to the CA in order to get a digital certificate created.
CN (common name)
the Fully Qualified Domain Name (FQDN) of the entity (e.g. web server)
2.4 Implement data discovery
Structured data
Data contained in rows and columns such as an Excel spreadsheet or relational database.
Often includes a description of its format known as a data model or schema, which is an abstract view of the data's format in a system.
Data structured as elements, rows, or tuples is given context through the schema.
Discovery methods include:
Metadata, or data that describes data, is a critical part of discovery in structured data.
Semantics, or the meaning of data, is described in the schema or data model and explains relationships expressed in data.
Unstructured data
Data that cannot be contained in a row-column database and does not have an associated data model.
Discovery occurs through content analysis, which attempts to parse all data in a storage location and identify sensitive information.
Content analysis (discovery) methods include:
Pattern matching, which compares data to known formats like credit card numbers.
DLP tools often have pre-defined 'sensitive data types'
Lexical analysis attempts to find data meaning and context to discover sensitive info that may not conform to a specific pattern.
Hashing attempts to identify known data by calculating a hash of files and comparing it to a known set of sensitive file hashes.
Only good for data that does not change frequently!
Semi-structured data
A combination of structured and unstructured data.
Typically, content is unstructured, but may contain metadata to help organize the data.
Fluid, but organizable by properties or metadata
This mix of data types will require a combination of discovery methods and tooling capable of
discovery in these commingled data types
Data location
The location of data will impact both its discoverability and the choice of tools used to perform discovery.
Tools must be able to access data to perform the scanning and analysis needed in the discovery process.
Not all cloud solutions may offer a local agent for on-premises.
Network-based DLP may not analyze all traffic between on-premises endpoints and cloud
An optimal DLP approach will discover data in on-premises and in cloud repositories, as well as in transit!
Tools must be able to scan unstructured data within structured data sources, such as relational databases.
EXAMPLE: Problem description inside a helpdesk ticket stored in a SQL database
Both unstructured and structured in same repository will increase tool cost and complexity and may present classification challenges
Metadata-Based Discovery
A list of traits and characteristics about specific data elements or sets.
Often automatically created at the same time as the data
Label-Based Discovery
Based on examining labels created by the data owners during the Create phase.
or in bulk with a scanning tool
Can be used with databases (structured data) but is more commonly used with file data.
2.5 Plan and implement data classification
Data classification policies
COMMON SENSITIVE DATA TYPES
Personally Identifiable Information (PII)
any information that can identify an individual (name, SSN, birthdate/place, biometric records, etc.)
Protected Health Information (PHI)
health-related information that can be related to a specific person
Regulated by HIPAA/HITRUST
Cardholder Data
allowable storage of information related to credit and debit cards and transactions.
Defined and regulated by PCI DSS
DATA POLICIES
Data classification
Labeling/tagging of data based on type, like personally identifiable info (PII), protected health info (PHI), etc.
Data retention
Ensures that legal and compliance issues are addressed.
Regulatory compliance
For legal and compliance reasons, you may need to keep certain data for different periods of time.
EXAMPLES:
Some financial data needs to be retained for 7 years
Some medical data may need to be retained up to 20-30 years.
DATA CLASSIFICATION
A process for categorization of data and defining the
appropriate controls. Categories include:
- Data type (format, structure)
- Jurisdiction and other legal constraints
- Ownership, Context
- Contractual or business constraints
- Trust levels and source of origin
- Value, sensitivity, and criticality
- Retention and preservation
Data mapping
Informs organization of the locations where data is present within applications and storage.
Brings understanding that enables implementation of security controls and classification policies.
usually precedes classification and labeling
Data labeling
Labeling requirements that apply consistent markings to sensitive data should accompany classification.
Often applied through classification policies, providing a target for data protection.
Often applied in bulk using classification tools
CLOUD SECURE DATA LIFECYCLE
The Cloud Security Alliance model
Create
Store
Use
Share
Archive
Destroy
2.6 Design and implement Information Rights Management (IRM)
IRM
IRM programs enforce data rights, provisioning access, and implementing access control models
Often implemented to control access to data designed to be shared but not freely distributed.
Can be used to block specific actions, like print, copy/paste, download, and sharing
Provide file expiration so that documents can no longer be viewed after a specified time
Always includes a cloud service, but may include a local agent
Many popular SaaS file sharing platforms implement these concepts as sharing options,
which allow the document owner to specify which users can view, edit, download, share
Objectives
data rights
provisioning
access models
Persistence
access control/ability to enforce restrictions must follow the data.
Protection must follow the document or data wherever it travels
Dynamic policy control
IRM solution must provide a way to update the restrictions even after a document has been shared.
Expiration
IRM tools can enforce time-limited access to data as a form of access control.
Ability to expire/revoke access, require user check-in
Continuous audit trail
IRM solution must ensure that protected documents generate an audit trail when users interact with protected documents.
Required for accountability, non-repudiation
Interoperability
IRM solutions must offer support for users across these different system types.
Support for different OS, device types, and apps is important
Appropriate tools
issuing and revocation of certificates
IRM tools comprise a variety of components necessary to provide policy enforcement and other attributes of the enforcement capability.
Centralized service for identity proofing and certificate issuance, store of revoked certificates, and for unauthorized identity information access.
Secrets storage: IRM solutions require local storage for encryption keys, tokens or digital certificates used to validate users and access authorizations.
Local storage requires protection primarily for data integrity to prevent tampering with the material used to enforce IRM
Must prevent local modification of access controls and credentials.
Otherwise, a user might modify the permissions granted to extend their access beyond what the data owner originally specified
2.7 Plan and implement data retention, deletion and archiving policies
Data retention policies
Retention is driven by security policies and regulatory requirements
Audits or lawsuits may require production of some data
EXAMPLE: Sarbanes Oxley requires that tax returns are kept for 7 years, and payroll and bank statements are forever!
Data deletion procedures and mechanisms
crypto-shredding
'cryptographic erasure'
1. Data is encrypted with a strong encryption engine.
2. The keys used to encrypt the data are then encrypted using a different encryption engine.
3. Then, keys from the second round of encryption are destroyed.
PRO: Data cannot be recovered from any remnants
CON: High CPU and performance overhead
Data archiving procedures and mechanisms
Refers to placing data in long-term storage for a variety of purposes
The optimal approach in the cloud differs in several respects from the on-premises equivalent
Key elements of data archiving in the cloud
- Data Encryption
- Data Monitoring
- eDiscovery and Retrieval
- Backup and DR Options
- Data Format
- Media Type
Data Encryption
Encryption policy should consider which media is used, and data search and restoration needs, and regulatory obligations.
Access controls and encryption are important to protect data integrity (by preventing unauthorized access)
Data Monitoring
Data stored in the cloud tends to be replicated as part of storage resiliency or BC/DR.
To maintain data governance, it is required that all data access and movements be tracked and logged.
Monitoring to ensure all security controls are being applied properly throughout the data lifecycle.
Accountability, traceability, auditability should be maintained
eDiscovery and Retrieval
Archive data may be subject to retrieval according to certain parameters such as dates, subjects, and authors.
The archiving platform should provide the ability to perform eDiscovery on the data to determine which data should be retrieved.
Backup and DR Options
All requirements for data backup and restore should be specified and clearly documented
Business continuity and disaster recovery (BCDR) plans are updated and aligned with whatever procedures are implemented
Both resiliency to disaster (ensuring archive data availability) and knowledge/control of data replication are important
Data Format and Media Type
This is an important consideration because it may be kept for an extended period.
Format needs to be secure, accessible, and affordable
Media type should support the other data archiving requirements,but physical media concerns fall to the CSP
Legal hold
Protecting any documents that can be used in evidence in legal proceedings from being altered or destroyed
Data protection suites in cloud platforms often have a feature to ensure immutability
In data protection software, legal hold generally implements permanent retention until a human authorizes release
2.8 Design and implement auditability, traceability and accountability of data events
Definition of event sources and requirement of event attributes
identity
Internet Protocol (IP) address
geolocation
Logging, storage and analysis of data events
Logs are worthless if you do nothing with the log data. They are made valuable only by review.
That is, they are valuable only if the organization makes use of them to identify activity that is unauthorized or compromising.
SIEM (Security Information Event Monitoring) tools can help to
solve some of these problems by offering these key features:
- Log centralization and aggregation
- Data integrity
- Normalization
- Automated or continuous monitoring
- Alerting
- Investigative monitoring
Log centralization and aggregation
Rather than leaving log data scattered around the environment on various hosts, the SIEM platform can gather logs from a variety of sources, including:
operating systems, applications, network appliances, user devices, providing a single location to support investigations.
Data integrity
The SIEM should be on a separate host with its own access control, preventing any single user from tampering.
Normalization
SIEMs can normalize incoming data to ensure that the data from a variety of sources is presented consistently.
Automated or continuous monitoring
Sometimes referred to as correlation, SIEMs use algorithms to evaluate data and identify potential attacks or compromises.
Alerting
SIEMs can automatically generate alerts such as emails or tickets when action is required based on analysis of incoming log data
Investigative monitoring
When manual investigation is required, the SIEM should provide support capabilities such as querying log files, generating reports.
Broad SIEM visibility across the environment means better context in log searches, security investigations
Chain of custody and non-repudiation
CHAIN OF CUSTODY
Tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle
Functions and importance
Provides evidence integrity through convincing proof evidence was not tampered with in a way that damages its reliability.
Documents key elements of evidence movement and handling, including:
- Each person who handled the evidence
- Date and time of movement/transfer
- Purpose of evidence movement/transfer
What if evidence is left unattended or handled by unauthorized parties?
Then, criminal defendants can claim the data was altered in a way that incriminates
them, and thus the evidence is no longer reliable.
Foundational principle of evidence handling in legal proceedings!
NON-REPUDIATION
Non-repudiation is the guarantee that no one can deny a transaction.
Methods to provide non-repudiation
Systems enforce nonrepudiation through the inclusion of sufficient
evidence in log files, including unique user identification and timestamps.
Digital signatures prove that a digital message or document was not
modified, intentionally or unintentionally, from the time it was signed.
Based on asymmetric cryptography (a public/private key pair)
It's the digital equivalent of a handwritten signature or stamped seal.
Multiple accounts make non-repudiation more difficult
Shared accounts make non-repudiation virtually impossible!
Accountability
is maintained for individual subjects using auditing.
logs record user activities and users can be held accountable for their logged actions.
directly promotes good user behavior and compliance with the organization's security policy.
Security audits and reviews
help ensure that management programs are effective and being followed.
commonly associated with account management practices to prevent violations with least privilege or need-to-know principles.
can also be performed to oversee many programs and processes
- patch management
- vulnerability management
- change management
- configuration management
EVENT SOURCES EVENT ATTRIBUTES
OWASP provides a comprehensive set of definitions and guidelines for identifying, labeling, and collecting data events
Ensures events are useful and pertinent to applications and security, whether in a cloud or traditional data center
Definition of Event Sources
IaaS Event Sources
Within an IaaS environment, the cloud customer has the most access and visibility into system and infrastructure logs of any cloud service model.
Because the cloud customer has nearly full control over their compute environment, including system and network capabilities, virtually all logs
and data events should be exposed and available for capture.
PaaS Event Sources
A PaaS environment does not offer or expose the same level of customer access to infrastructure and system logs as IaaS
However, the same level of detail of logs and events is available at the application level.
SaaS Event Sources
Because in a SaaS environment the cloud service provider is responsible for the entire infrastructure and application, the
amount of log data available to the cloud customer is less.
Customer responsibility is limited to access control, shared responsibility for data recovery, and feature configuration
The WHO, WHAT, WHERE, and WHEN of logging from OWASP
Sufficient user ID attribution should be accessible, or it may be impossible to determine who performed a specific action at a specific time.
This is called identity attribution.
WHO
Source address
User identity
WHAT
Type of event
Severity of event
Security-relevant event flag
(if log contains non-security events)
Description
WHERE
Application identifier (name, version, etc.)
Application address
Service
Geolocation
Window/form/page (URL and HTTP method)
Code location (script or module name)
WHEN
Log date and time (international format)
Event date and time
Interaction identifier
D3 Cloud Platform and Infrastructure Security
3.1 Comprehend cloud infrastructure and platform components
Physical environment
There are infrastructure components that are common to all cloud service delivery models
Most components are all physically located with the CSP, but many are accessible via the network
The CSP takes on customer datacenter facilities, infrastructure management responsibilities
In the shared responsibility model, some elements of operation are shared by the CSP and the customer.
PHYSICAL ENVIRONMENT CONSIDERATIONS
For physical security, standard measures such as locks, security personnel, lights, fences, visitor check-in procedures.
Logical access controls: identity and access management (IAM), single sign-on (SSO) provider, multifactor authentication (MFA) and logging.
Controls for data confidentiality and integrity like any cloud customer, but with much broader controls.
EXAMPLE
Ensuring that communication lines are not physically compromised by locating telecommunications equipment
inside a controlled area of the CSP's building or campus.
Network and communications
IaaS
Customer is responsible for configuring the VMs, virtual network, and guest OS security as if the
systems were on-premises
CSP responsible for physical host, physical storage, and physical network
PaaS
CSP is responsible for the physical components, the internal network, and the tools provided.
Cheaper for customer, but less control
SaaS
The customer remains responsible for configuring access to the cloud service for their users, as well
as shared responsibility for data recovery
CSP owns physical infrastructure, as well as network and communication
Compute
Reservation
a minimum resource that is guaranteed to a customer
Limits
maximum utilization of compute resource by a customer (e.g. VM)
limits are allowed to change dynamically based on current conditions and consumption
Shares
a weighting given to a particular VM used to calculate percentage-based access to pooled resources when there is contention.
In cases of shortage host scoring determines who gets capacity
Virtualization
The security of the hypervisor is always the responsibility of the CSP.
The virtual network and virtual machine may be the responsibility of either the CSP or the customer.
Risks associated with virtualization
- Flawed hypervisor can facilitate inter-VM attacks
- Network traffic between VMs is not necessarily visible
- Resource availability for VMs can be impacted
- VMs and their disk images are simply files, can be portable and movable
Security recommendations for the hypervisor
- Install all updates to the hypervisor as they are released by the vendor.
- Restrict administrative access to the management interfaces of the hypervisor.
- Capabilities to monitor the security of activity occurring between guest operating systems (VMs).
Security recommendations for the guest OS
- Install all updates to the guest OS promptly.
- Back up the virtual drives used by the guest OS on a regular basis.
Customer responsibility, though CSP may provide tools
VIRTUALIZATION NETWORK SECURITY
The virtual network between the hypervisor and the VM is also a potential attack surface.
Responsibility for security in this layer is often shared between the CSP and the customer.
These components include virtual network, virtual switches, virtual firewalls, virtual IP addresses, etc.
VIRTUALIZATION-FOCUSED ATTACKS
VM Escape
Where an attacker gains access to a VM, then attacks either the host machine that holds all VMs, the hypervisor, or any of the other VMs.
Or a malicious user breaks the isolation between VMs running on a hypervisor by gaining access outside their VM.
Protection:
- Ensure patches on hypervisor and VMs are always up to date.
- Ensure guest privileges are low, server-level redundancy and HIPS/HIDS protection.
Storage
CSP Responsibilities
physical protection of data centers and the storage infrastructure they contain.
security patches and maintenance of underlying data storage technologies and other data services they provide
CUSTOMER Responsibilities
properly configuring and using the storage tools.
logical security and privacy of data they store in the CSP's environment.
assessing the adequacy of these controls and properly configuring and using the controls available.
ensuring adequate protection for the data at rest and in motion based on the capabilities offered by the CSP.
Configuring secure access, whether private or public.
In the cloud, the customer loses control of the physical medium where data is stored but retains responsibility for data security and privacy.
CUSTOMER CHALLENGES
Inability to securely wipe physical storage and possibility of another tenant being allocated the same previously allocated storage space
Customer retains responsibility for secure deletion
Compensating controls for the lack of physical control
of the storage medium include:
only storing data in an encrypted format
retaining control of the keys needed to decrypt the data
Together, these permit crypto-shredding when data is no longer needed, rendering any recoverable fragments useless.
Management plane
Provides the tools (web interface and APIs) necessary to configure, monitor, and control your cloud environment.
Provides virtual management options equivalent to the physical administration options a legacy data center would provide.
e.g. powering VMs on/off, provisioning VM resources, migrating a VM
You interact with the management plane through tools including the CSP's cloud portal, PowerShell or other command line, or client SDKs
Control Plane and Data Plane
Control plane is what you are calling when you create top-level cloud resources
with ARM Bicep (Azure), CloudFormation (AWS) or Terraform (Infrastructure-as-Code)
Data plane performs operations on resources created through the control plane
Key interfaces of the management plane
Cloud Portal
the main web interface for the CSP platform.
Azure portal, AWS Management console, Google Cloud console
Scheduling
the ability to stop/start a resource at a scheduled time
Instance Scheduler or Lambda (AWS), Azure Automation or Functions
Orchestration
automating processes to manage resources, services, and workloads, and Infrastructure-as-Code (IaC) deployments.
CloudFormation (AWS), Azure DevOps, Cloud Build (GCP)
Maintenance
update, upgrade, security patching, etc.
Secure the management plane interfaces with multi-factor auth (MFA), role-based access control (RBAC), and role management.
3.2 Design a secure data center
Logical design
In the now legacy co-location (colo) scenario, customers were separated at the server rack or cage-level.
In logical data center design in the cloud, customers utilize software and services provided by the CSP.
The logical design of the cloud infrastructure should:
- create tenant partitioning or isolation
- limit and secure remote access
- monitor the cloud infrastructure
- allow for the patching and updating of systems
tenant partitioning
Logical isolation in CSP multitenancy makes cloud computing more affordable but creates some security and privacy concerns.
If isolation between tenants is breached, customer data is at risk
In the public cloud, tenant partitioning is largely logical.
Customers are sharing capacity across the CSP datacenter, including physical components.
CSP and tenant share responsibility for implementing and enforcing controls that address the unique multitenant risks of the public cloud.
access control
A single point of access makes access control simpler and facilitates
monitoring, but any single point can become a failure point as well.
Hybrid identity (single login for on-premises and cloud)
can simplify identity and access management (IAM)
One method of access control is to federate a customer's existing IAM system with their CSP tenant
Another method to facilitate IAM between cloud and on-premises
resources is identity as a service (IDaaS)
Local and Remote Access controls
Remote Desktop Protocol (RDP): the native remote access protocol for Windows operating systems.
Secure Shell (SSH): the native remote access protocol for Linux operating
systems, and common for remote management of network devices.
Secure Terminal/Console-Based Access: a system for secure local access.
A KVM (keyboard video mouse) system with access controls
Jumpboxes: a bastion host at the boundary of lower and higher security zones.
CSPs offer services for this: Azure Bastion, AWS Transit Gateway
Virtual clients: software tools that allow remote connection to a VM for use as if it is your local machine.
e.g. Virtual Desktop Infrastructure (VDI) for contractors
Physical design
location
One of the first considerations in datacenter design is location
- Availability of affordable, stable, resilient electricity
- Natural disaster exposure (flood, hurricane, tornado, etc.)
- Availability of high-speed, redundant Internet connectivity
- Availability of other utilities
- Physical site security (vehicular approaches,visibility)
- Location relative to existing customer datacenters (BCDR)
- Geographic location relative to customers
buy or build
Building your own datacenter from scratch and buying an existing facility each have their advantages and disadvantages
Build
- Requires significant investment to build a robust data center
- Offers the most control over datacenter design
- Requires knowledge and skill to match quality of BUY option
Buy
- Generally, lower cost of entry (especially in shared scenario)
- Less flexibility in service design (limited to what provider offers)
- Shared datacenters come with additional security challenges
PHYSICAL SECURITY
Know the challenges of physical security, which belong to the CSP
- A strong fence line of sufficient height and construction
- Lighting of facility perimeter and entrances
- Video monitoring and alerting
- Electronic monitoring for tampering
- Visitor access procedures with controlled entry points
- Interior access controls (badges, key codes, secured doors)
- Fire detection and prevention systems
- Protection of sensitive assets, systems, wiring closets, etc.
DATACENTER TIER STANDARD
Uptime simply measures the amount of time a system is running
Availability encompasses availability of the infrastructure, applications, and services
Generally expressed as a number of 9's, such as five nines or 99.999% availability
The Uptime Institute publishes specifications for physical and environmental redundancy,
expressed as tiers, that organizations can implement to achieve high availability (HA).
TIER I: Basic Site Infrastructure
involves no redundancy and the most amount of downtime in the event of unplanned maintenance or an interruption.
must have an uninterruptible power supply that can handle brief power outages, as well as sags and spikes
must also have dedicated cooling equipment that can run 24/7, and a generator to handle extended power outages
expected to provide 99.671% availability
TIER II: Redundant Site Infrastructure
provides partial redundancy, meaning an unplanned interruption will not necessarily cause an outage
adds redundant components for important cooling and power systems
facilities must also have the ability to store additional fuel to support the generator
expected to provide 99.741% availability
TIER III: Concurrently Maintainable Site Infrastructure
adds even more redundant components
has a major advantage in that it never needs to be shut down for maintenance
enough redundant components that any component can be taken offline for maintenance and data center continues to run
expected to provide 99.982% availability
TIER IV: Fault-Tolerant Site Infrastructure
can withstand either planned or unplanned activity without affecting availability
this is achieved by eliminating all single points of failure
and requires fully redundant infrastructure, including dual commercial power feeds, dual backup generators
expected to provide 99.995% availability
Environmental design
Heating
Heating, Ventilation, and Air Conditioning (HVAC)
An HVAC failure can reduce availability of computing resources, just like a power failure.
Customer reviews of the CSP should include the adequacy and redundancy of HVAC systems.
A number of documents can help assess HVAC concerns, such as a SOC 2 Type II report.
Because of the confidential info in a SOC 2 Type II, some CSPs will require a nondisclosure agreement (NDA) prior to sharing.
A routine review of the most current SOC 2 report is a critical part of a cloud customer's due diligence in CSP evaluation.
multi-vendor pathway connectivity
Connectivity to data center locations from more than one internet service provider (ISP) is multi-vendor pathway connectivity
Using multiple vendors is a proactive way for CSPs to mitigate the risk of losing network connectivity.
Best practice for CSPs or data centers is dual-entry, dual-provider for high availability:
Two providers, entering the building from separate locations
Cloud customers should consider multiple paths for communicating with their cloud vendor.
Design resilient
Resilient designs are engineered to respond positively to changes or disturbances, such as natural disasters or man-made disturbances
A few examples of resilient design:
- HA firewalls, active-passive or active-active
- Multi-vendor pathway connectivity
- Web server farm (behind redundant load balancers)
- Database cluster (Windows Linux cluster feature)
Service-level resiliency requires identifying single points of failure throughout the service chain
3.3 Analyze risks associated with cloud infrastructure and platforms
Risk assessment
The risk management process is fundamental to information security, since the entire practice involves mitigating and managing risks to data and information systems.
identification
Identifying risks is the first step in managing them and begins with identification of the organization's valuable assets
Once assets are identified, security practitioners and risk managers can then begin to
identify potential causes of disruption to the assets
RISK FRAMEWORKS
Several exist that provide processes and procedures for designing and implementing a risk management framework.
ISO/IEC 31000:2018, Risk Management Guidelines
NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems
analysis
Analysis seeks to answer two questions:
What will the impact be if that goes wrong?
Single loss expectancy (SLE) - $
How likely is it to happen?
Annualized Rate of Occurrence (ARO) - decimal
Annualized Loss Expectancy (ALE)
The possible yearly cost of all instances of a specific realized threat against a specific asset.
FORMULA: ALE = SLE x ARO
Exposure factor (EF) - %
SLE = Asset value (AV) x EF
Analysis of CSP Risks
Analysis of a CSP or cloud solution and the associated risks involves many departments and focus areas:
- Business units
- Vendor management
- Privacy
- Information security
CSP operations should also be considered, but most major CSPs are audited for ISO/IEC 27001, 27017, 27018
ISO/IEC 27001
a framework for policies and procedures that include legal, physical, and technical
controls involved in an organization's information risk management processes.
ISO/IEC 27017
security standard developed for cloud service providers and users to make a
safer cloud-based environment and reduce the risk of security problems.
ISO/IEC 27018
the first international standard about the privacy in cloud computing services
Authentication Risk
Customer-managed or CSP-managed?
Data Security
How a vendor encrypts data at rest, strength of the cryptography, and access controls that prevent unauthorized access by cloud
service personnel or other tenants.
Supply Chain Risk Management (SCRM)
Evaluation of vendor security policies and processes.
Most CSPs do not allow direct auditing of their operations, due to
the number of customers they support.
Instead, they provide standardized reports and assurance
material regarding their security practices, such as
- SOC 2 report
- ISO 27001 certification
- Specialized reports for regulated data
HIPAA, FedRAMP
ISO/IEC 27017, 27018
Common cloud risks
One risk that has been discussed is the organization losing ownership and full control over system hardware assets.
Careful selection of CSPs and the development of SLAs and other contractual agreements are critical to limiting risk
Organizations can balance cost savings with risk by building a system on top of IaaS or PaaS, rather than utilizing a SaaS solution.
IaaS means more control, more responsibilities, and risks
Geographic dispersion of the CSP data centers
If the cloud service is properly architected, a disruption at one datacenter should not cause a complete outage.
Customers must verify the resilience and continuity controls in place at the CSP
Downtime
Resilience for network disruptions can be built in multiple ways, such as multivendor connectivity, zones and regions.
Compliance
Privacy data in some jurisdictions cannot be transferred to other countries, so data dispersion is inappropriate.
General technology risk
Cloud systems are not immune to standard security issues like cyberattacks.
CSP defenses should be documented and tested, and customers aware of their configuration responsibilities
RISK TYPES
External
Different threat actors, ranging from competitors and script kiddies to criminal syndicates and state actors.
Capabilities depend on tools, experience, and funding.
Other external environmental threats, such as fire and floods, and man-made threats, such as the accidental deletion of data or users.
Internal
A malicious insider, a threat actor who may be a dissatisfied employee (someone overlooked for a promotion).
Another internal threat is human error, which is when data is accidentally deleted.
Cloud vulnerabilities, threats and attacks
Organizations could be at risk if the CSP's public-facing infrastructure comes under attack
Cloud-Specific Risks
The CSA Egregious 11
Data breaches
Unintentional loss/oversharing is a 'data leak'
Loss of sensitive data (PII, PHI, intellectual property) due to security breach.
Misconfiguration and inadequate change control
Software can offer the most secure configuration options, but if it is not properly set up, then the resulting system will have security issues.
Remediate risk through change and configuration management
Lack of cloud security, architecture, and strategy
As organizations migrate to the cloud, some overlook security, or fail to consider their obligations in the shared responsibility model.
Insufficient identity, credential access, and key management
The public cloud offers benefits over legacy on-premises environments but can also bring additional complexities.
Well-architected identity and access management (IAM), encryption, secret and key management are different than on-prem and essential
Account hijacking
Credential theft, abuse, and/or elevation to carry out an attack.
Phishing is the most common approach
Insider threat
Disgruntled employees, employee mistakes, and unintentional over-sharing.
Job rotation, privileged access management, auditing, security training
Insecure interfaces and APIs
Customers failing to secure access to systems gated by APIs, web consoles, etc.
Controls include MFA, RBAC, and key-based API access
Weak control plane
Weaknesses in the elements of a cloud system that enable cloud environment configuration and management (web console, CLI, and APIs)
Most CSPs offer reference architectures to ensure customers secure and isolate their dev/test/prod environments and data
Metastructure and applistructure failures
Vulnerabilities in the operational capabilities that CSPs make available, like APIs for accessing various cloud services.
If the CSP has inadequately secured these interfaces, any resulting solutions built on top of those services will inherit these weaknesses.
Metastructure. The protocols and mechanisms that provide the interface between the cloud layers, enabling management and configuration.
Applistructure. Applications deployed in the cloud and the underlying application services used to build them.
e.g. PaaS features like message queues, functions, and message services
Limited cloud usage visibility
Refers to when organizations experience a significant reduction in visibility over their information technology stack.
This is because in some models, the CSP owns the stack!
Abuse and nefarious use of cloud services
While the low cost and high scale of compute in the cloud is an advantage to enterprises, it is an opportunity for attackers to execute disruptive attacks at scale
Makes executing DDoS and phishing attacks easier, so CSPs must implement mitigating security controls for these risks
Risk mitigation strategies
Selecting a qualified CSP is an essential first step.
The next step is designing and architecting with security in mind.
Security should be considered at every step starting with design!
The next risk mitigation tool is encryption, and data should be encrypted at rest and in-transit.
Storage and database encryption at rest, TLS and VPN in-transit
Finally, ongoing monitoring and management to maintain posture
Major CSPs provide the ability to manage and monitor configuration security, and to monitor changes to cloud services, and track usage
3.4 Plan and implementation of security controls
Physical and environmental protection
on-premises
The primary consideration is the site location, as it will have an impact on both physical and environmental protections.
Cloud data centers share requirements with traditional colocation providers or individual data centers, including:
- ability to restrict physical access at multiple points
- ensuring a clean and stable power supply
- adequate utilities like water and sewer
- the availability of an adequate workforce
These are customer responsibilities in on-premises (private) cloud, and CSP responsibility in the public cloud
SITE SELECTION FACILITY DESIGN
Visibility, composition of the surrounding area, area accessibility, and the effects of natural disasters.
Customers should focus on selecting CSP datacenter locations to meet disaster recovery and data residency
System, storage and communication protection
System and Communication Protection
Encrypt and protect data:
- at rest
- in transit
- in use
Protect systems and services:
- DoS/DDoS
- Boundary (ingress and egress)
- Key Management
Security practices
- Automation of configuration
- Responsibilities for protecting cloud systems and services
- Monitoring and maintenance
Properly securing information systems can be a difficult task due to the sheer number of elements that make up a system.
Breaking systems down into components and then applying security controls can make the overall task more manageable.
One source for controls is NIST Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations", which contains a family of controls specific to systems and communications
Policy and Procedures
Establish requirements for system protection, and define the purpose, scope, roles, and responsibilities needed to achieve it.
Separation of System and User Functionality
A basic security principle that ensures that no single person can control all the elements of a critical function or system.
Separating user and admin functions can also prevent users from altering processes or misconfiguring systems.
Security Function Isolation
Separating security-specific functions from other roles is another example of separation of duties.
Denial-of-Service Protection
A disruptive attack at scale that is more difficult for smaller organizations to combat effectively.
Most CSPs offer DoS/DDoS mitigation as a service, and there are also dedicated providers like Akamai and Cloudflare.
e.g. Azure DDoS, AWS Shield, Google Cloud Armor
Boundary Protection
Deals with both ingress and egress protections,including:
- Preventing malicious traffic from entering the network
- Preventing malicious traffic from leaving your network
- Protecting against data loss (exfiltration)
- Configuring rules/policies in routers, gateways, or firewalls
Cryptographic Key Establishment and Management
Cryptography provides a number of security functions including confidentiality, integrity, and nonrepudiation.
Encryption tools like TLS or a VPN can be used to provide confidentiality.
Hashing can be implemented to detect unintentional data modifications.
Additional security measures like digital signatures or hash-based message authentication code (HMAC) can be used to detect intentional tampering.
HMAC can simultaneously verify both data integrity and message authenticity
Identification, authentication and authorization in cloud environments
Authentication (AuthN) is the process of proving that you are who you say you are.
Authorization (AuthZ) is the act of granting an authenticated party permission to do something
Permissions,rights,and privileges are granted to users based on their proven identity.
If a user has been assigned rights to a resource, they are granted authorization.
ACCOUNTABILITY
Accountability is typically enforced with adequate logging and monitoring of system activity
Cloud challenges in enforcing accountability
- SaaS apps used as users travel make identifying anomalous / malicious behavior more difficult
- Bad password practices (reuse across services)
- Use of personal devices in BYOD scenarios
Modern IDaaS tools provide solutions for these challenges
MFA FACTORS AND ATTRIBUTES
- Something you know (PIN or password)
- Something you have (trusted device)
- Something you are (biometric)
Multifactor Authentication
includes two or more authentication factors
more secure than using a single authentication factor
passwords are the weakest form of authentication
password policies help increase their security by enforcing complexity and history requirements
Smartcards include microprocessors and cryptographic certificates
OATH tokens create one-time passwords (OTP)
Biometric methods identify users based on individual characteristics such as fingerprints and facial recognition
AUTHENTICATION METHODS
Authentication applications
is a software-based authenticator that implements two-step verification services using the Time-based One-time Password Algorithm and HMAC-based One-time Password algorithm, for authenticating users of software applications.
Push notifications
where the server is pushing down the authentication information to your mobile device.
uses the mobile device app to be able to receive the pushed message and display the authentication information.
FEDERATED SERVICES
Federation is a collection of domains that have established trust.
The level of trust may vary,but typically includes authentication and almost always includes authorization.
Often includes a number of organizations that have established trust for shared access to a set of resources.
Example
You can federate your on-premises environment with Azure Active Directory (Azure AD) and use this federation for authentication and authorization.
This sign-in method ensures that all user authentication occurs on-premises.
Allows administrators to implement more rigorous levels of access control
Audit mechanisms
log collection
Cloud services offer different controls over what information is logged, but at a minimum this should include security-relevant events, such as use of or changes to privileged accounts
A log aggregator can ingest logs from all on-premises and cloud resources for review.
correlation
Refers to the ability to discover relationships between two or more events across logs.
This capability is commonly associated with a SIEM, which correlates events in logs from many sources
packet capture
Packet capture tools are also called protocol analyzers
The cloud environment may not provide any facility for capturing packets, particularly in SaaS scenarios
Wireshark: a free, open-source protocol analyzer, with CLI and GUI versions, available for Windows and Linux.
Some CSPs support Wireshark, others have specialized services to perform packet capture on virtual networks.
e.g. Network Watcher (Azure); AWS supports Wireshark
Some CSP protocol analyzers can save the data that they collect to a Wireshark-compatible packet capture file (PCAP).
3.5 Plan business continuity (BC) and disaster recovery (DR)
BCP vs DRP
BCP focuses on the whole business
DRP focuses more on the technical aspects of recovery
BCP will cover communications and process more broadly
BCP is an umbrella policy and DRP is part of it
GOALS OF DRP AND BCP
Minimizing the effects of a disaster by:
- Improving responsiveness by the employees in different situations.
- Easing confusion by providing written procedures and participation in drills
- Helping make logical decisions during a crisis
BCP DEFINITIONS
BRP (Business Resumption Plan)
the plan to move from the disaster recovery site back to your business environment or back to normal operations.
MTBF (Mean Time Between Failures)
a time determination for how long a piece of IT infrastructure will continue to work before it fails.
MTTR (Mean Time to Repair)
a time determination for how long it will take to get a piece of hardware/software repaired and back on-line.
MTD (Max tolerable downtime)
The amount of time we can be without the asset that is unavailable BEFORE we must declare a disaster and initiate our disaster recovery plan.
Business continuity (BC) / disaster recovery (DR) strategy
BCP (Business Continuity Plan)
Business-focused
The overall organizational plan for "how-to" continue business after an event has occurred.
A proactive risk mitigation strategy that contains likely scenarios that could affect the organization and guidance on how the organization should respond
Sometimes called a continuity of operations plan (COOP)
DRP (Disaster Recovery Plan)
Tech-focused
the plan for recovering from an IT disaster and having the IT infrastructure back in operation.
BUSINESS IMPACT ANALYSIS
The business impact assessment (BIA) is used to determine which processes are critical and which are not.
Measures the impact of specific systems and processes.
Any that are deemed critical to the organization's functioning must be prioritized in an emergency situation.
A BIA typically contains a cost-benefit analysis (CBA) and a calculation of the return on investment (ROI).
BCP/DRP FROM A CSP PERSPECTIVE
A cloud data center that is affected by a natural disaster will likely activate multiple BCPs and DRPs.
CSP will activate both plans to deal with the interruption to their service
One key element of the BCP is communicating incident status to relevant parties.
BCP/DRP FROM A CUSTOMER PERSPECTIVE
The customer is responsible for determining how to recover in the case of a disaster in the cloud.
Customer may choose to implement backups, or utilize multiple availability zones, load balancers, or other techniques.
CSPs can further protect customers by not allowing two availability zones within a single physical datacenter within a cloud region.
COMMUNICATION PLAN
The plan that details how relevant stakeholders will be informed in the event of an incident (like a security breach).
Would include plan to maintain confidentiality such as encryption to ensure that the event does not become public knowledge.
Contact list should be maintained that includes stakeholders from the government, police, customers, suppliers, and internal staff.
Compliance regulations, like GDPR, include notification requirements, relevant parties and timelines
Confidentiality amongst internal stakeholders is desirable so external stakeholders can be informed in accordance with the plan.
STAKEHOLDER MANAGEMENT
When we have an incident, there are multiple groups of relevant stakeholders that we need to inform and manage, and may include:
- Internal stakeholders
- Cyber insurance provider
- Business partners
- Customers
- Law enforcement
A stakeholder is a party with an interest in an enterprise; corporate stakeholders include investors, employees, customers, and suppliers.
Business requirements
Recovery Time Objective (RTO)
is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.
Recovery Point Objective (RPO)
is the age of data that must be recovered from backup storage for normal operations to resume if a system or network goes down
recovery service level
measures the compute resources needed to keep production environments running during a disaster.
is a percentage measure (0-100%) of how much computing power you will need during a disaster
based upon a percentage of computing used by production environments versus others, such as development, test, and QA
EXAMPLE:
In a 10-web-server environment that uses 8 for dev, test, and QA, only 2 would need to be migrated for production.
Creation, implementation and testing of plan
Design
Based on priorities from the business impact analysis (BIA)
Implement the Plan
Implement the plan to protect critical business functions
Identifying key personnel is a crucial implementation step
Test the Plan
Testing ensures both the BCP/DRP function as expected
AND that people know their roles and responsibilities
Testing both BCP and DRP plans is essential
Report and Revise
BCP/DRP should be revised as necessary based on test results
BCP/DRP plans evolve and need refinement over time
DISASTER RECOVERY TESTS
Tabletop testing
Members of the disaster recovery team gather in a large conference room and role-play a disaster scenario.
Usually, the exact scenario is known only to the test moderator who presents the details to the team at the meeting.
The team members refer to the document and discuss the appropriate responses to that particular type of disaster.
Role play only, minimal impact on productivity
Dry run
In this test, some of the response measures are tested (on non-critical functions).
Full test
Involves actually shutting down operations at the primary site and shifting them to the recovery site.
When the entire organization takes part in an unscheduled, unannounced practice scenario of full BC/DR activities.
IMPLEMENTATION
Customers can take advantage of the cloud's high availability features like:
- multiple availability zones
- automatic failover to backup region(s)
- direct connection to a CSP
The cost of building resiliency should be less than the cost of business interruption
The cost of high availability in the cloud is generally less than a company trying to achieve high availability on their own
D4 Cloud Application Security
4.1 Advocate training and awareness for application security
Cloud development basics
Security by design
Declares security should be present throughout every step of the process.
Various models exist to help,like the Building Security In Maturity Model (BSIMM).
Pairs well with DevSecOps
Shared security responsibility
The idea is that security is the responsibility of everyone from the most junior member of the team to senior management.
Describes the primary principle of DevSecOps
Security as a business objective
Risk mitigation through security controls should be a key business objective, similar to customer satisfaction or revenue.
Requires org-wide security awareness and commitment
Common pitfalls
Performance
Cloud software development often relies on loosely coupled services.
Makes designing for and meeting performance goals more complex, as multiple components may interact in unexpected ways
Verify through end-to-end load and stress testing
Scalability
One of the key features of the cloud is the ability to scale allowing applications and services to grow and shrink as demand fluctuates.
Requires developers to think about how to retain state across instances and handle faults with individual servers
Scale out is better than scale up in the cloud
Interoperability
is the ability to work across platforms, services, or systems and can be very important, especially in multi-vendor and multi-cloud scenarios.
Interoperability across platforms increases service provider choice and can reduce costs
Portability
Designing software that can move between on premises and cloud environments or between cloud providers makes it portable
Portability in a hybrid scenario requires avoiding use of certain environment and provider-specific APIs and tools.
The additional effort can make it harder to leverage some cloud advantages,and may require compromises
API Security
Application programming interfaces (APIs) are relied on throughout cloud application design, development, and operation.
Designing APIs to work well with cloud architectures and keeping them secure are both common challenges for developers and architects.
API security considerations
- Access control
- Data encryption
- Throttling
- Rate limiting
Common cloud vulnerabilities
Open Web Application Security Project (OWASP) Top-10
SANS Top-25
VULNERABILITIES
Common cloud vulnerabilities to avoid with SSDLC include
- Data breaches
- Data integrity
- Insecure application programming interfaces (APIs)
- Denial-of-Service
ORGANIZATIONS
There are several that provide information on security threats:
- Cloud Security Alliance (CSA)
- SANS Institute
- Open Web Application Security Project (OWASP)
4.2 Describe the Secure Software Development Life Cycle (SDLC) process
Business requirements
Mature software development shops utilize an SDLC because it saves money and supports repeatable, quality software development.
SSDLC is fully successful only if the integration of security into an organization's existing SDLC is required for all development efforts.
Business requirements capture what the organization needs its information systems to do.
Functional requirements detail what the solution must do, such as supporting up to a maximum number of concurrent users, which in turn support business requirements, like all workers being able to access a system to perform their assigned duties.
In addition to these functional requirements, the organization must also consider security, privacy, and compliance objectives
SECURE SOFTWARE DEVELOPMENT LIFECYCLE (SDLC)
Planning
Considers potential development work, focusing on determining need, feasibility, and cost.
Requirements Definition
Once an effort has been deemed feasible, user and business functionality requirements are captured.
Involves user, customer and stakeholder input to determine desired functionality, current system or app functionality, and desired improvements.
Design
Design functionality, architecture, integration points and techniques, data flows, and business processes.
Solution is designed based on requirements gathered
Coding
Where the actual coding (work) happens
Testing
Maintenance
Phases and methodologies
CCSP 4 phases
design
code
test
Testing to ensure software is functional, scalable, and secure
maintain
Ongoing maintenance updates, patching and checks to ensure software remains functional and secure
SOFTWARE DEVELOPMENT MODELS
Agile
places an emphasis on the needs of the customer and quickly developing new functionality that meets those needs in an iterative fashion.
Allows quick response to changing requirements, rapid iteration
Waterfall
describes a sequential development process that results in the development of a finished product.
Requires clear requirements, stable environment, low change
waterfall vs. agile
WATERFALL MODEL
7-stage process that allows return to previous stage for corrections
- SYSTEM REQUIREMENTS
- SOFTWARE REQUIREMENTS
- PRELIMINARY DESIGN
- DETAILED DESIGN
- CODE AND DEBUG
- TESTING
- OPS & MAINTENANCE
AGILE MODEL
model for software development based on the following four principles
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
Leverages an iterative (repeating) process called a sprint
4.3 Apply the Secure Software Development Life Cycle (SDLC)
Cloud-specific risks
The Cloud Security Alliance details the top cloud-specific security threats in their list titled "The CSA Egregious 11"
- Data Breaches
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insufficient identity, credential, access and key management
- Account hijacking
- Insider threat
- Insecure interfaces and APIs
- Weak control plane
- "Metastructure" and "applistructure" failures
- Limited cloud usage visibility
- Abuse and nefarious use of cloud services
SDLC
DevSecOps, CI/CD
Secrets management, data masking
CI/CD, infrastructure-as-code, release management
Developers can leverage identity-as-a-service (IDaaS) rather than building their own for stronger authentication & authorization controls
Using existing identity providers / IDaaS for your app reduces risk
Separation of duties, checks and balances in the release management process, such as approval gates
Implement access controls, such as RBAC and access keys
Continuous Integration Continuous Deployment (CI/CD)
Threat modeling
Allows security practitioners to identify potential threats and security vulnerabilities
is often used as an input to risk management
Can be proactive or reactive, but in either case, goal is to eliminate or reduce threats
3 approaches to threat modeling
Focused on Assets. Uses asset valuation results to identify threats to the valuable assets.
Focused on Attackers. Identify potential attackers and identify threats based on the attacker's goals
Focused on Software. Considers potential threats against the software the org develops.
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE)
developed by Microsoft
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
Damage, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD)
based on answer to 5 questions
- Damage potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability
Architecture, Threats, Attack Surfaces, and Mitigations (ATASM)
A series of process steps for performing threat modeling
Architecture
analysis of the system's architecture
Threats
list all possible threats, threat actors, and their goals
Attack Surfaces
identify components exposed to attack
Mitigations
analyze existing mitigations in place
Process for Attack Simulation and Threat Analysis (PASTA)
focuses on developing countermeasures based on asset value
- Stage I: Definition of Objectives
- Stage II: Definition of Technical Scope
- Stage III: App Decomposition & Analysis
- Stage IV: Threat Analysis
- Stage V: Weakness & Vulnerability Analysis
- Stage VI: Attack Modeling & Simulation
- Stage VII: Risk Analysis & Management
Avoid common vulnerabilities during development
Like all risk mitigations, a layered approach combining multiple types of controls is a best practice, including:
Training and awareness
Training for developers is critical, because they make decisions about how to design and implement system components.
Awareness of common flaws like injection attacks prevents coding mistakes
Documented process
Secure SDLC should be well documented and communicated to all team members designing, developing, and operating systems.
Similar to security policies, must be understood and followed by developers
Test-driven development
Focusing on meeting acceptance criteria can be one way of simplifying the task of ensuring that security requirements are met
Having well-defined test cases for security requirements can help avoid vulnerabilities such as OWASP Top 10 application security risks.
Secure coding
The practice of designing systems and software to avoid security risks
Essentially a proactive risk mitigation practice
Standards and organizations exist that work to mature these practices
Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS)
The OWASP Top 10 is an awareness document that represents a broad consensus about the most critical security risks to web applications.
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
CLOUD-NATIVE APPLICATION SECURITY TOP 10
- Insecure cloud, container or orchestration configuration
- Injection flaws (app layer, cloud events, cloud services)
- Improper authentication & authorization
- CI/CD pipeline & software supply chain flaws
- Insecure secrets storage
- Over-permissive or insecure network policies
- Using components with known vulnerabilities
- Improper assets management
- Inadequate 'compute' resource quota limits
- Ineffective logging & monitoring (e.g. runtime activity)
CWE/SANS: TOP 25 Most Dangerous Software Errors
- Out-of-bounds Write (buffer overflow)
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- Improper Input Validation (prevents injection)
- Out-of-bounds Read (buffer overflow)
- Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- Use After Free (buffer overflow)
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Cross-Site Request Forgery (CSRF)
- Unrestricted Upload of File with Dangerous Type
- NULL Pointer Dereference
- Deserialization of Untrusted Data (input validation fixes 11, 12, 13)
- Integer Overflow or Wraparound
- Improper Authentication
- Use of Hard-coded Credentials
- Missing Authorization
- Improper Neutralization of Special Elements used in a Command ('Command Injection')
- Missing Authentication for Critical Function
- Improper Restriction of Operations within the Bounds of a Memory Buffer (buffer overflow)
- Incorrect Default Permissions
- Server-Side Request Forgery (SSRF) (on OWASP list)
- Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- Uncontrolled Resource Consumption (DoS)
- Improper Restriction of XML External Entity Reference
- Improper Control of Generation of Code ('Code Injection')
ATTACK TYPES and CONCEPTS
- Injection attacks
- Buffer overflow attacks
- Directory path traversal
- Denial of Service (DoS)/Distributed DoS (DDoS)
- Race condition
- Authentication (AuthN) and Authorization (AuthZ)
INJECTIONS (INJECTION ATTACKS)
Improper input handling
used to compromise web front-end and backend databases
SQL injection attacks use unexpected input to a web application to gain unauthorized access to an underlying database.
Countermeasures: Input validation, use prepared statements, and limit account privileges.
BUFFER OVERFLOWS
exists when a developer does not validate user input to ensure that it is of an appropriate size (input that is too large can "overflow" a memory buffer).
DIRECTORY TRAVERSAL
If an attacker is able to gain access to restricted directories through HTTP, it is known as a directory traversal attack.
One of the simplest ways to perform directory traversal is by using a command injection attack that carries out the action.
Most vulnerability scanners will check for weaknesses with directory traversal/command injection and inform you of their presence.
To secure your system, you should run a scanner and keep the web server software patched.
RESOURCE CONSUMPTION
Denial-of-Service
is a resource consumption attack intended to prevent legitimate activity on a victimized system.
Distributed Denial-of-Service
a DoS attack utilizing multiple compromised computer systems as sources of attack traffic.
COUNTERMEASURES: firewalls, routers, intrusion prevention (IDPS), SIEM, disable broadcast packets entering/leaving, disable echo replies, patching
RACE CONDITIONS
A condition where the system's behavior is dependent on the sequence or timing of other uncontrollable events.
Time-of-Check-to-Time-of-Use (TOCTOU)
a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request.
Problem occurs when the state of the resource changes between the time of the check and the time it is actually used
file locking, transactions in file system or OS kernel
It becomes a bug when one or more of the possible behaviors is undesirable.
Software Assurance Forum for Excellence in Code (SAFECode)
First published "Fundamental Practices for Secure Software Development"
Informed by existing models, including OWASP, CVE, CWE and the Microsoft SDL
Designed to help software industry adopt and use these best practices effectively
Includes guidance on software design, secure coding practices, testing, validation, third-party risks, and handling vulnerabilities
Code Repositories
This is where source code and related artifacts (such as libraries) are stored
Do not commit sensitive information
Protect access to your code repositories
Sign your work
Keep your development tools (IDE) up-to-date
Software configuration management and versioning
Configuration Management
ensures that systems are configured similarly, configurations are known and documented.
Baselining ensures that systems are deployed with a common baseline or starting point,and imaging is a common baselining method.
Change Management
helps reduce outages or weakened security from unauthorized changes.
Versioning uses a labeling or numbering system to track changes in updated versions of software.
Approaches vary,but often include a major version,minor version,and patch version strategy (23.05.02)
SCM
Software Configuration Management
Software Configuration Management
Baselining is an important component of configuration management.
a baseline is a snapshot of a system or application at a given point in time
should also create artifacts that may be used to help understand system configuration
system and component-level versioning
software bill of materials (SBOM)
An emerging strategy and standard in tracking software versions is software bill of materials (SBOM)
The SBOM lists all of the components in an application or service,including open source or proprietary code libraries.
4.4 Apply cloud software assurance and validation
ENVIRONMENT
Secure environments for development, testing, and staging before moving the application into production are necessary.
Environments map to phases of application development, debugging, testing, and release.
Development
Where the application is initially coded, often through multiple iterations (versions).
Testing
where developers integrate all of their work into a single application.
Regression testing to ensure functionality is as expected.
Staging
where we ensure quality assurance before we roll it out to production.
QA happens here
Production
where the application goes live, and end-users have the support of the IT team.
Functional and non-functional testing
Functional testing
determines if software meets functionality requirements defined earlier in the SSDLC
takes multiple forms, including:
integration testing that validates whether components work together,
regression testing that validates whether bugs were reintroduced between versions
user acceptance testing, which tests how users interact with and operate the software
Focuses on specific features and functionality
Non-functional testing
focuses on the quality of the software
looks at software qualities like stability and performance
methods include load, stress, recovery, and volume tests
Examines the way the system operates as a whole, not the specific functions
FUNCTIONAL SECURITY REQUIREMENTS
Functional security requirements
Define a system or its component and specify what it must do.
Captured in use cases, defined at a component level.
EXAMPLE: application forms must protect against injection attacks
Non-functional security requirements
Specify the system's quality, characteristics, or attributes.
Apply to the whole system (system level)
EXAMPLE: security certifications are non-functional.
Security testing methodologies
blackbox
conducted as an external attacker would access the code, systems, or environment,
tester has no knowledge of any of these elements at the outset of a test.
"Zero knowledge testing"
whitebox
conducted with full access to and knowledge of systems, code, and environment
Static application testing is one example
"Full knowledge testing"
static
Static Application Security Testing
analysis of computer software performed without actually executing programs
tester has access to the underlying framework, design, and implementation
tests "inside out", requires source code
dynamic
a program which communicates with a web application (executes the application)
tester has no knowledge of the technologies or frameworks that the application is built on
tests "outside in", no source code required
Software Composition Analysis (SCA)
is used to track the components of a software package or application
is of special concern for apps built with open-source software components
because open-source components often involve reusable code libraries
Automated, combines application security and patch management
SCA tools identify flaws/vulnerabilities in these included components, ensure latest versions are in use, etc.
interactive application security testing (IAST)
analyzes code for vulnerabilities while it's being used
focuses on real-time reporting to optimize testing and analysis process
Often built into CI/CD automated release testing
Unlike static and dynamic testing, IAST analyzes the internal functions of the application while it is running
Quality assurance (QA)
QA is responsible for ensuring that the code delivered to the customer through the cloud environment is quality code, defect-free, and secure.
PROCESS: is frequently a combination of automated and manual validation testing techniques.
Typically involves reviews, testing, reporting, and other activities to complete the QA process.
GOAL: is to ensure software meets standards or requirements.
ROLE: The role of QA is significantly expanded in a DevOps or DevSecOps team, where QA is embedded throughout the development process
TESTS: QA should be involved in many testing activities, such as load, performance and stress testing, as well as vulnerability management.
Abuse case testing
A way to use a feature that was not expected by the implementer, allowing an attacker to influence the feature or outcome of use of the feature based on the attacker action (or input)
Describes unintended and malicious use scenarios of the application, describing how an attacker could do this.
Abuse case Test
Focuses on using features in ways that weren't intended by the developer.
May exploit weaknesses or coding flaws from perspective of multiple personas: malicious user, abusive user, and unknowing user
Can help orgs to consider security features and controls needed for an application
Testing generally focuses on documented abuse cases
4.5 Use verified secure software
Securing application programming interfaces (API)
APIs (SOAP or REST) are a set of exposed interfaces that allow programmatic interaction between services, with no user/human involved
SOAP is a standard communication protocol system that uses XML technologies
REST is an architectural model that uses HTTPS for web communications to offer API endpoints
Security features from CSP include API gateway, authentication, IP filtering, throttling, quotas, data validation
Also ensure that storage, distribution, and transmission of access keys is performed in a secure fashion.
Supply-chain management
Today, most services are delivered through a chain of multiple entities
A secure supply chain includes vendors who are secure, reliable, trustworthy, reputable
vendor assessment
Supply Chain Evaluation
Traditional vendor evaluation options may include
- On-Site Assessment. Visit organization, interview personnel, and observe their operating habits.
- Document Exchange and Review. Investigate dataset and doc exchange, review processes.
- Process/Policy Review. Request copies of their security policies, processes, or procedures.
- Third-party Audit. Having an independent auditor provide an unbiased review of an entity's security infrastructure.
Vendor evaluation in the cloud
Companies with hundreds or thousands of customers (like AWS, Azure, GCP) cannot support direct vendor assessment.
Instead, review audit and certification reports from the CSP
Third-party Audit. Review an independent auditor's unbiased review of an entity's security infrastructure.
Review SOC-2 Type II report, and ISO/IEC 27001, 27017, 27018 reports to verify efficacy of the CSP's physical and logical controls for securing facilities, infrastructure, and data.
Third-party software management
licensing
A third party may have limited access to your systems but will often have direct access to some portion of your data.
Typical issues addressed in software vendor assessment include:
- Where in the cloud is the software running? Is this on a well-known CSP, or does the provider use their own cloud service?
- Is the data encrypted at rest and in transit, and what encryption technology is used?
- How is access management handled?
- What event logging can you receive?
- What auditing options exist?
OSS vs PROPRIETARY
Open Source
One in which the vendor makes the license freely available and allows access to the source code, though it might ask for an optional donation.
There is no vendor support with open source, so you might pay a third party to support in a production environment.
Proprietary
Are more expensive but tend to provide more/better protection and more functionality and support (at a cost).
Many vendors in this space, including Cisco, Check Point, Palo Alto, Barracuda, but 'no source code access'
Validated open-source software
All software, including open-source software (OSS), must be validated in a business environment.
Some argue that open-source software is more secure because the source code is available to review.
Adequate validation testing is required and may be achieved through:
- Sandbox testing
- Vulnerability scans
- Third-party verifications
While more visibility into a problem can result in better security outcomes, the transparency of OSS is NOT a guarantee of security.
4.6 Comprehend the specifics of cloud application architecture
Supplemental security components
web application firewall (WAF)
protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
typically protects web applications from common attacks like XSS, CSRF, and SQL injection.
Database Activity Monitoring (DAM)
combines network data and database audit info in real time to analyze database activity for unwanted, anomalous, or unexpected behavior.
monitors application activity, privileged access, and detects attacks through behavioral analysis
Extensible Markup Language (XML) firewalls
used to protect services that rely on XML-based interfaces, including some web apps
provides request validation and filtering, rate limiting, and traffic flow management
Usually implemented as a proxy
application programming interface (API) gateway
monitors traffic to your application services, exposed as API endpoints
provides authentication and key validation services that control API access
Firewall Considerations in a Cloud Environment
One reason that we need a good firewall is to filter incoming traffic to protect our cloud-hosted infrastructure and applications from hackers or malware.
Cost
Cost is one of the reasons for WAF popularity. It meets a common need, is easy to configure, and is less expensive than more function-rich NGFW and SWG options.
Need for Segmentation
Network segmentation should be supported with appropriate traffic filtering/restriction with the firewall type that is most appropriate for the use case.
The firewall can filter traffic between virtual networks and the Internet.
Open Systems Interconnection (OSI) Layers
A network firewall works on Layer 3, stateful packet inspection at layers 3/4.
Many cloud firewalls, like Web Application Firewalls, work at Layer 7 of the OSI
Cryptography
PROTECTING DATA AT REST
Storage Service Encryption
CSP storage providers usually protect data at rest by automatically encrypting before persisting it to managed disks, Blob Storage, file, or queue storage.
Full Disk Encryption
Transparent data encryption (TDE)
Helps protect SQL Database and data warehouses against threat of malicious activity with real-time encryption and decryption of database, backups, and transaction log files at rest without requiring app changes.
PROTECTING DATA IN MOTION
Data in motion is most often encrypted using TLS (HTTPS)
Hybrid (site-to-site) and cross-cloud connectivity is often encrypted by VPN
Sandboxing
Places the systems or code into an isolated, secured environment where testing can be performed.
Cloud sandboxing architectures often create independent, ephemeral environments for testing.
Enables patch and test and ensures a system is secure before putting it into a production environment.
Also facilitates investigating dangerous malware.
Sandboxes provide an environment for evaluating the security of code without impacting other systems.
Application virtualization and orchestration
microservices
containers
A lightweight, granular, and portable way to package applications for multiple platforms.
Reduces overhead of server virtualization by enabling containerized apps to run on a shared OS kernel.
Can be used in some cases to isolate existing applications developed to run in a VM with a dedicated operating system.
Core components in a container platform (Docker, Kubernetes):
- Orchestration/scheduling controller
- Network, storage
- Container host
- Container images
- Container registry
The isolation is logical, isolating processes, compute, storage, network, secrets, and management plane
CONTAINER ORCHESTRATION
Kubernetes: a container orchestration platform for scheduling and automating the deployment, management, and scaling of containerized applications.
Managed Kubernetes
Container hosts are cloud-based virtual machines (VM). This is where the containers run
Most CSPs offer a hosted Kubernetes service, which handles critical tasks like health monitoring and maintenance for you. Platform-as-a-Service
You pay only for the agent nodes within your clusters, not for the management cluster.
Major CSPs also offer a monitoring solution that will identify at least some potential security concerns
CLOUD ORCHESTRATION
Cloud orchestration allows a customer to manage their cloud resources centrally in an efficient and cost-effective manner.
This is especially important in a multi-cloud environment.
Management of the complexity of corporate cloud needs will only increase as more computing workloads move to the cloud.
Allows the automation of workflows, management of accounts in addition to the deployment of cloud and containerized applications.
Implements automation in a way that manages cost and enforces corporate policy in and across clouds.
Major CSPs offer orchestration tools that work on their platform and third parties offer multi-cloud orchestration solutions
4.7 Design appropriate identity and access management (IAM) solutions
Federated identity
Federation is a collection of domains that have established trust.
The level of trust may vary, but typically includes authentication and almost always includes authorization.
Often includes a number of organizations that have established trust for shared access to a set of resources.
Example
You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization.
This sign-in method ensures that all user authentication occurs on-premises.
Allows administrators to implement more rigorous levels of access control.
Certificate authentication, key fob, card token
Identity providers (IdP)
Creates, maintains, and manages identity information while providing authentication services to applications.
For example, Azure Active Directory is the identity provider for Office 365
Other IDaaS options include Okta and Duo
Social identity providers that support OAuth, like Google, Facebook, and Apple, are common in federation scenarios
Single sign-on (SSO)
Single sign-on means a user doesn't have to sign into every application they use.
The user logs in once and that credential is used for multiple apps.
Single sign-on based authentication systems are often called "modern authentication".
This is a common user experience issue in enterprise desktop scenarios
Multi-factor authentication (MFA)
- Something you know (PIN or password)
- Something you have (trusted device)
- Something you are (biometric)
PREVENTS
- Phishing
- Spear phishing
- Keyloggers
- Credential stuffing
- Brute force and reverse brute force attacks
- Man-in-the-middle (MITM) attacks
Cloud access security broker (CASB)
Enforces the company's data security policies between on-premises and the cloud.
Can detect (and optionally, prevent) data access with unauthorized apps and data storage in unauthorized locations.
Combines the ability to control use of services with data loss prevention and threat management features
Secrets management
CSPs offer a cloud service for centralized secure storage and access for application secrets
A secret is anything that you want to control access to, such as API keys, passwords, certificates, tokens, or cryptographic keys.
Service will typically offer programmatic access via API to support DevOps and continuous integration/continuous deployment (CI/CD)
Access control at vault instance-level and to secrets stored within
Your CI/CD pipelines should leverage centralized storage of secrets rather than hard-coded values or storage on disk
D5 Cloud Security Operations
5.1 Build and implement physical and logical infrastructure for cloud environment
Hardware specific security configuration requirements
hardware security module (HSM)
a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions.
Key Escrow uses an HSM to store and manage private keys
Cloud Service Providers all offer a cloud-based HSM solution for customer-managed key scenarios
EXAMPLES: Dedicated HSM (Azure), CloudHSM (AWS), Google KMS (GCP)
Trusted Platform Module (TPM)
A chip that resides on the motherboard of the device.
Multi-purpose, like storage and management of keys used for full disk encryption (FDE) solutions.
Provides the operating system with access to keys, but prevents drive removal and data access
Virtual TPMs are part of the hypervisor and provided to VMs running on a virtualization platform.
Unlike an HSM, it is generally a physical component of the system hardware and cannot be added or removed at a later date
Hardware Root of Trust
When certificates are used in FDE, they use a hardware root of trust for key storage.
It verifies that the keys match before the secure boot process takes place
TPM is often used as the basis for a hardware root of trust
SDN
a network architecture approach that enables the network to be intelligently and centrally controlled, or 'programmed,' using software
and has capacity to reprogram the data plane at any time
use cases include SD-LAN and SD-WAN
separating the control plane from the data plane opens up a number of security challenges
SDN vulnerabilities can include man-in-the-middle attack (MITM) and a service denial (DoS). Secure with TLS
CLOUD SECURITY CONTROLS - NETWORK
Segmentation of virtual networks, both public and private subnets, are important elements of cloud network security.
Virtual Private Cloud (VPC)
A virtual network that consists of cloud resources, where the VMs for one company are isolated from the resources of another company.
Separate VPCs can be isolated using public and private networks.
Public and Private Subnets
The environment needs to be segmented into public subnets that can access the Internet directly (through a firewall) and protected private networks.
Virtual networks can be connected to other networks with a VPN gateway or network peering.
For VDI/client scenarios, a NAT gateway for Internet access makes sense.
Installation and configuration of management tools
Management tooling considerations on cloud infrastructure:
Redundancy: Any critically important tool can be a single point of failure (SPOF), so adequate planning for redundancy should be performed.
Scheduled downtime and maintenance: Downtime may not be acceptable, so these tools may be patched or taken offline for maintenance on a rotating schedule with migration of live VMs to prevent loss of service.
Isolated network and robust access controls: Access to virtualization management tools should be tightly controlled, with adequate enforcement, e.g. need-to-know, least privilege, encryption, and VPN access
Configuration management and change management: Tools and the infrastructure that supports them should be placed under configuration management to ensure that they stay in a known, hardened state.
Logging and monitoring: Audit trail is important, but logging activities can create additional overhead, which may not be appropriate for all systems.
Virtual hardware specific security configuration requirements
network
storage
memory
central processing unit (CPU)
Hypervisor type 1 and 2
a VM shares physical hardware with potentially hundreds of other VMs
The biggest issue related to virtual hardware security is enforcement, by the hypervisor, of strict segregation between the guest operating systems running on a single host
There are two main forms of control you should be aware of:
Configuration: Ensure that the hypervisor has been configured correctly to provide the minimum necessary functionality
Disallowing inter-VM network communications if not required and encrypting VM snapshots
Patching: The customer should patch VMs (IaaS) while CSP patches the hypervisor.
In PaaS, the CSP owns VM patching
Particular concerns for virtual network security controls include:
Virtual Private Cloud (VPC): gives the customer a greater level of control, including managing private non-routable IP addresses and control over inter-VM communication.
Enables granular network segmentation in a ZTNA (Zero-Trust Network Access)
Security Groups: a security group is similar to an access control list (ACL) for network access.
They have distinct rules for inbound and outbound traffic.
Installation of guest operating system (OS) virtualization toolsets
Virtualization toolsets installed on the VM
Toolsets exist that can provide extended functionality for various guest operating systems (Linux, Windows, etc.).
For example, Hyper-V integration services enhance VM performance and provide several useful features.
e.g. Guest file copy, time sync, guest shutdown
5.2 Operate and maintain physical and logical infrastructure for cloud environment
Local and Remote Access controls
Local and Remote Access Methods
Remote Desktop Protocol (RDP)
the native remote access protocol for Windows operating systems.
Secure Shell (SSH)
the native remote access protocol for Linux operating systems, and common for remote management of network devices.
RDP and SSH both support encryption and MFA
secure terminal access
a system for secure local access.
console-based access mechanisms
a system for secure local access.
A KVM (keyboard video mouse) system with access controls
jumpboxes
a bastion host at the boundary of lower and higher security zones.
CSPs offer services for this: Azure Bastion, AWS Transit Gateway
virtual client
software tools that allow remote connection to a VM for use as if it is your local machine.
e.g. Virtual Desktop Infrastructure (VDI) for contractors
Access to any of these can be gated with a privileged access management (PAM) solution on the IAM platform used by the CSP
VIRTUAL PRIVATE NETWORK (VPN)
Extends a private network across a public network, enabling users and devices to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
Split tunnel vs full tunnel
Full tunnel means using VPN for all traffic, both to the Internet and corporate network.
Split tunnel uses VPN for traffic destined for the corporate network only, and Internet traffic goes direct through its normal route.
Remote access vs site-to-site
In site-to-site, IPSec site-to-site VPN uses an always-on mode where both packet header and payload are encrypted. IPSec tunnel mode
In a remote access scenario a connection is initiated from a user's PC or laptop for a connection of shorter duration. IPSec transport mode
Local and Remote Access controls
Session Encryption: Data transmitted in remote access sessions must be encrypted using strong protocols such as TLS 1.3 and session keys.
Strong Authentication: May be combined with cryptographic controls such as a shared secret key for SSH and/or MFA
Strong MFA factors, device state, and other conditions of access
Enhanced logging and reviews: All admin accounts should be subject to additional logging and review of activity, and frequent access reviews.
Privileged access solutions in IDaaS often include access reviews
Use of identity and access management tool: Many CSPs offer Identity-as-a-Service (IDaaS) that enables strong authentication and access control schemes
Single sign-on (SSO): IDaaS solutions enable users to log into other services using their company accounts. Many IDaaS solutions function as an SSO provider.
Separate privileged and nonprivileged accounts: A general best practice for administrative users is the use of a dedicated admin account for sensitive functions and a standard account for day-to-day use.
Increasingly, IDaaS solutions offer a Privileged Identity Management (PIM) or Privileged Access Management (PAM) for just-in-time privilege elevation.
Solution features
- Temporary elevation of privilege
- Approval gates
- An audit trail when privilege is activated
- An access review process (to avoid permissions sprawl)
Secure network configuration
Zero Trust Security
no entity is trusted by default!
Addresses the limitations of the legacy network perimeter-based security model.
Treats user identity as the control plane
Assumes compromise/breach in verifying every request.
ZERO TRUST NETWORK ARCHITECTURE
- Network Security Group (NSG)
- Network Firewalls
- Inbound and outbound traffic filtering
- Inbound and outbound traffic inspection
- Centralized security policy management and enforcement
NETWORK SECURITY
Network security groups provide an additional layer of security for cloud resources
Act as a virtual firewall for virtual networks and resource instances (e.g. VMs, databases, subnets).
Carries a list of security rules (IP and port ranges) that allow or deny network traffic to resource instances.
Provides a virtual firewall for a collection of cloud resources with the same security posture.
Segmentation
Restricting services that are permitted to access or be accessible from other zones using rules to control inbound/outbound traffic.
Rules are enforced by the IP address ranges of each subnet.
Within a virtual network, segmentation can be used to achieve isolation. Port filtering through a network security group
Private Subnets
Our VPC contains private subnets. Each of these subnets has its own CIDR IP address range and cannot connect directly to the internet.
They could be configured to go through the NAT gateway if outbound internet connectivity is desired.
Client VMs and database servers will often be hosted in a private subnet.
SECURE NETWORK DESIGN
East-West Traffic
where traffic moves laterally between servers within a data center.
North-south traffic moves outside of the data center.
VLAN
Virtual Local Area Network
a collection of devices that communicate with one another as if they made up a single physical LAN.
Creates a distinct broadcast domain
Screened Subnet
aka "DMZ"
a subnet is placed between two routers or firewalls.
bastion host(s) are located within that subnet.
virtual local area networks (VLAN)
Many public clouds offer a virtual private cloud (VPC) which is essentially a sandboxed area within the larger public cloud dedicated to a specific customer.
VPCs take the form of a dedicated VLAN for a specific user organization, which means other cloud tenants are blocked from accessing resources in the VPC.
VPC Connectivity
To create a secure connection to your VPC, you can connect a VPN using L2TP/IPsec using a VPN gateway (aka transit gateway).
Network peering is another method for connecting virtual networks in the cloud.
Peering is the more common option between cloud networks
Site-to-site VPN common for on-premises to cloud connectivity
传输层安全 (TLS)
Transport Layer Security (TLS)
Transport Layer Security (TLS)
Data in motion is most often encrypted using TLS or HTTPS
This is typically how a session is encrypted before a user enters the credit card details.
This is typically how a session is encrypted before a user enters the credit card details.
TLs uscs an x509 certificate with a public/private key pair
动态主机配置协议 (DHCP)
Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP)
The IP address associated with a system event can be used when identifying a user or system
With proper DHCP logs, a SIEM can leverage this data to track an IP address to a specific endpoint
Some hypervisors offer a feature to limit which network cards are eligible to perform DHCP offer
This prevents rogue DHCP servers from issuing IPs to clients and servers
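The IP-to-endpoint correlation described above, as an added example that is not part of the original mind map: it rebuilds lease intervals from DHCP log lines, answers "which endpoint held this IP at the time of the event", and lists leases acknowledged by a server outside an allow-list. The log line format, host names, addresses and the allow-list are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample DHCP server log. The line format is an assumption made
# for this example; adapt LINE_RE to whatever your DHCP server writes.
SAMPLE_LOG = """\
2023-07-24T09:00:00Z DHCPACK server=10.0.0.2 ip=10.0.5.23 mac=aa:bb:cc:00:00:01 host=fin-lt-01 lease=3600
2023-07-24T09:20:00Z DHCPRELEASE server=10.0.0.2 ip=10.0.5.23 mac=aa:bb:cc:00:00:01 host=fin-lt-01 lease=0
2023-07-24T09:30:00Z DHCPACK server=10.0.0.2 ip=10.0.5.23 mac=aa:bb:cc:00:00:02 host=dev-ws-07 lease=3600
2023-07-24T09:45:00Z DHCPACK server=10.0.5.99 ip=10.0.5.40 mac=aa:bb:cc:00:00:03 host=hr-lt-11 lease=3600
"""

# Assumed allow-list of legitimate DHCP servers for this network.
AUTHORIZED_SERVERS = {"10.0.0.2"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>DHCPACK|DHCPRELEASE) server=(?P<server>\S+) "
    r"ip=(?P<ip>\S+) mac=(?P<mac>\S+) host=(?P<host>\S+) lease=(?P<secs>\d+)$"
)


def parse_ts(text):
    """Parse the UTC timestamp format used in the sample log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_leases(log_text):
    """Turn ACK/RELEASE events into lease intervals [start, end) per IP."""
    leases = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not lease events
        when = parse_ts(m["ts"])
        if m["kind"] == "DHCPACK":
            # A new ACK for an IP closes any lease on that IP still open.
            for lease in leases:
                if lease["ip"] == m["ip"] and lease["end"] > when:
                    lease["end"] = when
            leases.append({
                "ip": m["ip"], "mac": m["mac"], "host": m["host"],
                "server": m["server"], "start": when,
                "end": when + timedelta(seconds=int(m["secs"])),
            })
        else:
            # RELEASE ends the matching lease early.
            for lease in leases:
                if (lease["ip"] == m["ip"] and lease["mac"] == m["mac"]
                        and lease["start"] <= when < lease["end"]):
                    lease["end"] = when
    return leases


def who_had_ip(leases, ip, when):
    """Return the lease covering (ip, when), or None if nobody held it."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= when < lease["end"]:
            return lease
    return None


def acks_from_unauthorized_servers(leases, authorized):
    """Leases handed out by a server that is not on the allow-list."""
    return [lease for lease in leases if lease["server"] not in authorized]


if __name__ == "__main__":
    leases = build_leases(SAMPLE_LOG)
    for stamp in ("2023-07-24T09:10:00Z", "2023-07-24T09:25:00Z", "2023-07-24T09:40:00Z"):
        hit = who_had_ip(leases, "10.0.5.23", parse_ts(stamp))
        print(stamp, "10.0.5.23 ->", hit["host"] if hit else "no active lease")
    for lease in acks_from_unauthorized_servers(leases, AUTHORIZED_SERVERS):
        print("unauthorized DHCP server", lease["server"], "leased", lease["ip"], "to", lease["host"])
```

The same IP resolves to different endpoints at different times, which is why the event timestamp has to be part of the lookup.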
Domain Name System Security Extensions (DNSSEC)
A set of specifications primarily aimed at reinforcing the integrity of DNS
Achieves this by providing for cryptographic authentication of DNS data using digital signatures
Provides proof of origin and makes cache poisoning and spoofing attacks more difficult
virtual private network (VPN)
Chain of Custody
Non-repudiation
Non-repudiation is the guarantee that no one can deny a transaction.
Digital signatures prove that a digital message or document was not modified, intentionally or unintentionally, from the time it was signed.
based on asymmetric cryptography (a public/private key pair); the digital equivalent of a handwritten signature or stamped seal.
Message authentication code (MAC): the two parties that are communicating can verify non-repudiation using a session key
Electronic financial transfers (EFTs) frequently use MACs to preserve data integrity.
Hash-based message authentication code (HMAC) is a special type of MAC with a cryptographic hash function AND a secret cryptographic key
HTTPS, SFTP, FTPS, and other transfer protocols use HMAC
Cryptographic Key Establishment and Management
Cryptography provides a number of security functions including confidentiality, integrity, and nonrepudiation.
Encryption tools like TLS or a VPN can be used to provide confidentiality.
Hashing can be implemented to detect unintentional data modifications (integrity).
Additional security measures like digital signatures or hash-based message authentication code (HMAC) can be used to detect intentional tampering.
HMAC can simultaneously verify both data integrity and message authenticity
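The difference between a plain hash and an HMAC noted above, as an added example that is not part of the original mind map: both catch an accidental bit flip, but only the keyed HMAC catches a message that was rewritten in transit by someone who can recompute an unkeyed hash. The message text and function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def sha256_hex(message: bytes) -> str:
    """Unkeyed integrity value: anyone can compute it."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(key: bytes, message: bytes) -> str:
    """Keyed integrity value: requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_digest(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(sha256_hex(message), digest)


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(hmac_tag(key, message), tag)


def corrupt_one_bit(message: bytes) -> bytes:
    """Models unintentional modification, e.g. a transmission error."""
    damaged = bytearray(message)
    damaged[0] ^= 0x01
    return bytes(damaged)


def rewrite_in_transit(replacement: bytes):
    """Models intentional modification by a party WITHOUT the key: the
    message is replaced and the unkeyed hash is simply recomputed."""
    return replacement, sha256_hex(replacement)


def run_demo():
    key = secrets.token_bytes(32)                # shared by sender and receiver only
    message = b"transfer 100.00 to account 1111"  # constructed sample message
    digest = sha256_hex(message)
    tag = hmac_tag(key, message)

    damaged = corrupt_one_bit(message)
    forged_message, forged_digest = rewrite_in_transit(b"transfer 100.00 to account 9999")
    # Without the key, the best a tamperer can do is a tag under some other key.
    forged_tag = hmac_tag(secrets.token_bytes(32), forged_message)

    return {
        "hash_detects_accident": not verify_digest(damaged, digest),
        "hmac_detects_accident": not verify_tag(key, damaged, tag),
        "hash_accepts_rewritten_message": verify_digest(forged_message, forged_digest),
        "hmac_rejects_old_tag": not verify_tag(key, forged_message, tag),
        "hmac_rejects_tag_from_wrong_key": not verify_tag(key, forged_message, forged_tag),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```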
Network security controls
firewalls
- Stateless and stateful
- Application, host, and virtual
- Web application (WAF)
- Next generation (NGFW)
intrusion detection systems (IDS)
intrusion prevention systems (IPS)
- Host-based (HIDS and HIPS)
- Network (NIDS and NIPS)
- Hardware vs Software
honeypots
vulnerability assessments
network security groups
bastion host
A host used to allow administrators to access a private network from a lower security zone
Will have a network interface in both the lower and higher security zones
Will be secured at the same level as the higher security zone it's connected to.
A dedicated host for secure admin access
'Jumpbox' or 'jump server': two common names for bastion hosts
Operating system (OS) hardening through the application of baselines, monitoring and remediation
Windows
Linux
VMware
OS Hardening
Hardening is the configuration of a machine into a secure state through application of a configuration baseline.
Baselines can be applied to a single VM image, or to a VM template that is then used to deploy all VMs.
A hardened VM image may be customer-defined, CSP-defined, or from a third party, often available through a cloud marketplace.
The Center for Internet Security (CIS) offers hardened VM images in CSP marketplaces
BASELINES, BENCHMARKS, AND CONTROLS
Control
a high-level description of a feature or activity that needs to be addressed and is not specific to a technology or implementation.
Benchmark
contains security recommendations for a specific technology, such as an IaaS VM.
Baseline
is the implementation of the benchmark on the individual service.
A control is expressed as a benchmark and implemented through a baseline
BENCHMARKS/SECURE CONFIGURATION GUIDES
Benchmarks describe configuration baselines and best practices for securely configuring a system.
Platform-/Vendor-Specific Guides: released with new products so that they can be set up as securely as possible, making them less vulnerable to attack.
Web Servers: the two main web servers used by commercial companies are Microsoft's Internet Information Server (IIS) and the Linux-based Apache. Because they are public-facing, they are prime targets for hackers. To help reduce the risk, both Microsoft and Apache provide security guides to help security teams reduce the attack surface, making them more secure.
These guides advise that updates are in place, unneeded services are disabled, and the operating system is hardened to minimize risk of security breach.
Operating Systems: Most vendors, such as Microsoft, have guides that detail the best practices for installing their operating systems.
Patch management
aka "update management"
ensures that systems are kept up-to-date with current patches.
process will evaluate, test, approve, and deploy patches.
system audits verify the deployment of approved patches to system
patch both native OS and 3rd party apps; apply out-of-band updates promptly.
Cloud service providers (CSP) generally provide a patch management feature tailored to their IaaS offering.
Infrastructure as Code (IaC) strategy
is the management of infrastructure (networks, VMs, load balancers, and connection topology) described in code
just as the same source code generates the same binary, code in the IaC model results in the same environment every time it is applied.
IaC is a key DevOps practice and is used in conjunction with continuous integration and continuous delivery (CI/CD).
IaC is very common (the standard) in the cloud
Cloud-native controls
Platforms like Microsoft Azure and Amazon Web Services (AWS) have their own tools, such as Azure Resource Manager (ARM) and AWS CloudFormation.
These tools make managing Microsoft and AWS cloud resources easier, supporting Infrastructure-as-Code.
Separate tools for separate platforms, platform-specific
Third-Party Solutions
Third-party tools add more flexibility, functionality, and multi-platform support.
For example, some organizations move to Terraform for Infrastructure-as-Code because it supports the major CSPs using a single language.
two distinct characteristics of IaC
Declarative
IaC must know the current state; it must know whether the infrastructure already exists to know whether to create it or not.
Imperative deployment methodologies are unaware of current state
Idempotent
Deployment of an IaC template can be applied multiple times without changing the results.
If the IaC template says "deploy 4 VMs" and 3 exist, 1 more is deployed
Availability of clustered hosts
Cluster advantages include high availability via redundancy, optimized performance via distributed workloads, and the ability to scale resources
Cluster management agent
Often part of hypervisor or load balancer software, is responsible for mediating access to shared resources in a cluster.
Reservations are guarantees for a certain minimum level of resources available to a specified virtual machine.
A limit is a maximum allocation.
A share is a weighting given to a particular VM
Share value is used to calculate percentage-based access to pooled resources when there is contention.
distributed resource scheduling
Distributed Resource Scheduling (DRS) is the coordination element in a cluster of VMware ESXi hosts
DRS mediates access to the physical resources.
dynamic optimization
Dynamic Optimization is Microsoft's DRS equivalent delivered through their cluster management software.
storage clusters
Storage clusters pool storage, providing reliability, increased performance, or possibly additional capacity.
maintenance mode
high availability (HA)
Availability of guest operating system (OS)
Guest OS availability
Once a VM is created in IaaS, the CSP no longer has direct control over the OS.
Customer can use baselines, backups, and cloud storage features to provide resiliency of the guest OS.
e.g. vendor-supplied OS baseline templates, cloud storage redundancy (zone or geo-redundancy) features
Backup and recovery
In virtualized cloud infrastructure, this might involve the use of snapshots.
Resiliency
Resiliency is achieved by architecting systems to handle failures from the outset rather than needing to be recovered.
For example, virtualization host clusters with live migration provide resiliency
Performance and capacity monitoring
CSP should implement monitoring to ensure that they are able to meet customer demands and promised capacity.
Consumer should monitor to ensure CSP is meeting their obligations
Most monitoring tasks will be in support of the availability objective.
Alerts should be generated based on established thresholds and appropriate response plans initiated.
"CORE 4": Monitoring should include utilization, performance, and availability of 1) CPU, 2) memory, 3) storage and 4) network.
network
compute
storage
response time
Hardware monitoring
Physical hardware is necessary to provide all the services that enable the virtualization that enables cloud computing.
Hardware monitoring should monitor: CPU, RAM, fans, disk drives, and network components
Environmental: Computing components are not designed for use in very hot, humid, or wet environments.
HVAC, temperature, and humidity monitoring are important
disk
central processing unit (CPU)
fan speed
temperature
Configuration of host and guest operating system (OS) backup and restore functions
Responsibility by category
SaaS. CSP retains full control over backup and restore and will often have SLA restore commitments.
Customer typically has shared responsibility for their data
PaaS. Shared responsibility: CSP owns infrastructure backups, consumer owns backups of their data.
IaaS. Consumer owns backup/recovery of VMs.
Consumer backups may include full backups, snapshots, or definition files used for infrastructure as code deployments
Considerations
Sensitive data may be stored in backups.
Access controls and need-to-know principles to limit exposure
Physical separation: backups should be stored on different hardware or availability zones.
Zone redundant or geo-redundant cloud storage
Integrity of all backups should be verified routinely to ensure that they are usable.
Management plane
Provides virtual management options analogous to physical admin options of a legacy datacenter
e.g. powering VMs on and off, provisioning virtual infrastructure for VMs like RAM and storage
scheduling
orchestration
Orchestration is the automated configuration and management of resources in bulk
Patch management and VM reboots are commonly orchestrated tasks
The management console is the web-based consumer interface for managing resources
CSP must ensure management portal calls to the management plane only allow customer access to their own resources.
maintenance
5.3 Implement operational controls and standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)
Change management
refers to the process of evaluating a change request within an organization and deciding if it should go ahead.
requests are sent to the Change Advisory Board (CAB) to ensure that they are beneficial to the company.
requires changes to be requested, approved, tested, and documented.
change management/change control
Change Management: policy that details how changes will be processed in an organization
Guidance on the process
Change Control: process of evaluating a change request to decide if it should be implemented
The process in action
Automating change management
In an environment that leverages CI/CD and infrastructure-as-code, change reviews may be partially automated when new code is ready for deployment.
This reduces operational overhead and human error, reduces security risk, and enables more frequent releases while maintaining a strong security posture.
Helps reduce outages or weakened security from unauthorized changes.
Versioning uses a labeling or numbering system to track changes in updated versions of software.
Configuration management
Ensures that systems are configured similarly, configurations are known and documented.
Baselining ensures that systems are deployed with a common baseline or starting point, and imaging is a common baselining method.
Baseline is composed of individual settings called configuration items (CI)
Continuity management
Continuity is concerned with the availability aspect of the CIA triad
There are a variety of standards related to continuity management.
NIST Risk Management Framework and ISO 27000
Both deal with business continuity and disaster recovery (BCDR) terms that fall under the larger category of continuity management.
Health Insurance Portability and Accountability Act (HIPAA)
Healthcare data in the United States is governed by this standard.
Mandates adequate data backups, disaster recovery planning, and emergency access to healthcare data in the event of a system interruption.
ISO 22301:2019 Security and resilience - BC management systems
This specifies the requirements needed for an organization to plan, implement and operate, and continually improve the continuity capability.
Information security management
The goal of information security management is to ensure a consistent organizational approach to managing security risks
It is the approach an organization takes to preserving confidentiality, integrity, and availability (the CIA triad) for systems and data.
Standards that provide guidance for implementing and managing security controls in a cloud environment include:
ISO/IEC 27001
A global standard for information security management that helps organizations protect their data from threats.
ISO/IEC 27017 D1.5
A security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems.
ISO/IEC 27018 D6.2
The first international standard about privacy in cloud computing services
Is a "Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors".
ISO/IEC 27701
Extends the ISMS guidance in 27001 to manage risks related to privacy, by implementing and managing a privacy information management system (PIMS)
NIST RMF & CSF
RMF's audience is the entire federal government and CSF is aimed at private (commercial) business, though both address cybersecurity risk management.
NIST SP 800-53
Provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security.
AICPA SOC 2
Service Organization Controls (SOC 2) framework has seen wide adoption among CSPs as well as the use of a third party to perform audits.
This also provides increased assurance for business partners and customers who cannot audit the CSP directly
Continual service improvement management
One critical element of continual service improvement includes areas of monitoring and measurement
These often take the form of security metrics.
Metrics need to be tailored to the audience they will be presented to, which often means "executive friendly".
Business leaders will be less interested in technical topics.
The metrics should be used to aggregate information and present it in an easily understood, actionable format.
Incident management
Events are any observable item, including routine actions such as a user successfully logging into a system.
Incidents, by contrast, are events that are unplanned and have an adverse impact on the organization
Not all incidents will require the security team but exam focus is security
All incidents should be investigated and remediated to restore the organization's normal operations and to minimize adverse impact
A popular security incident management methodology is the NIST SP 800-61 rev2 "Computer Security Incident Handling Guide"
6 phases of incident response
Preparation
Where incident response plans are written, and configurations documented.
Identification
Determining whether or not an organization has been breached. Is it really an incident?
Containment
Limiting damage (scope) of the incident.
Eradication
Once affected systems are identified, coordinated isolation or shutdown, rebuild, and notifications.
Recovery
Root cause is addressed and time to return to normal operations is estimated and executed.
Lessons Learned
Helps prevent recurrence, improve IR process.
Problem management
In the ITIL framework, problems are the causes of incidents or adverse events that impact the CIA triad.
Problems are, in essence, the root cause of incidents
Problem management utilizes root-cause analysis to identify the underlying problem(s) that lead to an incident.
It also aims to minimize the likelihood of future recurrence
An unsolved problem will be documented and tracked in a known issues or known errors database.
Release management
Today, traditional release management practices have largely been replaced with release practices in Agile development methodologies
The primary change is the frequency of releases due to the increased speed of development activities in continuous integration/continuous delivery (CI/CD).
Release scheduling may require coordination with customers and CSP.
Release manager is responsible for a number of checks including ensuring change requests and approvals are complete, before approving final release gate.
Changes that impact data exposure may require Security team
Some of the release process is often automated, but manual processes may be involved, such as updating documentation and writing release notes.
The increased automation and pace of release in Agile and CI/CD typical to the cloud necessitates automated security testing and policy controls.
Deployment management
In more mature organizations, the CD in CI/CD stands for continuous deployment, which further/fully automates the release process.
Once a developer has written their code and checked it in, automated testing is triggered, and if all tests pass, code is integrated and deployed automatically
Less manual effort means lower cost, fewer mistakes, faster releases.
Even organizations with continuous deployment may require some deployment management processes to deal with deployments that cannot be automated
Processes for new software and infrastructure should be documented
Containerization (managed Kubernetes) is common in mature organizations supporting more frequent deployment in public cloud environments
Fully automated deployment requires greater coordination with and integration of information security throughout the development process
Service level management
Service level management focuses on the organization's requirements for a service, as defined in a service level agreement (SLA).
SLAs are like a contract focused on measurable outcomes of the service being provided
Should include clear metrics that define 'availability' for a service
SLAs require routine monitoring for enforcement, and this typically relies on metrics designed to indicate whether the service level is being met
Cloud infrastructure decisions should be made with the SLA in mind
Defining the levels of service is usually up to the cloud service provider (CSP) in public cloud environments.
Customer should monitor their CSP's compliance with the SLAs promised with various services, including ensuring credits for SLA failures are received.
Availability management
A service may be "up", that is to say the service is reachable, but not available, meaning it cannot be used.
Availability and uptime are often used synonymously, but there is an important distinction: Availability means the specific service is up AND usable.
AuthN and AuthZ must work,and requests must be fulfilled
Many of the same concerns that an organization would consider in business continuity and disaster recovery apply in availability management
BCDR plans aim to quickly restore service availability in adverse events
Other concerns and requirements, such as data residency or the use of encryption, can complicate availability.
Customer must configure services to meet their requirements
Cloud consumers have a role to play in availability management as well; how much depends on the cloud service category (IaaS, PaaS, or SaaS)
Capacity management
One of the core concerns of availability is the amount of service capacity available compared with the amount being subscribed to.
For example, if a service has 100 active users but only 50 licenses available, that means the service is over capacity and 50 users will be denied service.
Capacity issues can be physical (infrastructure) or logical (e.g., licenses)
Measured service is one of the core elements of cloud computing, so metrics that illustrate demand for the service are relatively easy to identify
Responsibility for capacity management belongs to CSP at the platform level, but belongs to customer for deployed apps and services
Customer must choose appropriate service tiers, design app to scale
The cloud provides the "perception of unlimited capacity", but in reality, is oversubscribed by design, and CSP must monitor how much is too much.
ISO/IEC 20000-1
Specifies requirements for "establishing, implementing, maintaining and continually improving a service management system (SMS)"
Supports management of the service lifecycle, including planning, design, transition, delivery and service improvement
5.4 Support digital forensics
eDiscovery
or "electronic discovery", is the identification, collection, preservation, analysis, and review of electronic information.
Usually associated with collection of electronic information for legal purposes or security breach
FORENSIC INVESTIGATION STANDARDS
ISO/IEC 27037:2012
Guide for collecting, identifying, and preserving electronic evidence
ISO/IEC 27041:2015
Guide for incident investigation
ISO/IEC 27042:2015
Guide for digital evidence analysis.
ISO/IEC 27043:2015
Guide for incident investigation principles and processes
ISO/IEC 27050
A four-part standard within the ISO/IEC 27000 family of information security standards
Offers a framework, governance, and best practices for forensics, eDiscovery, and evidence management
CSA Security Guidance
Free guidance in Domain 3: Legal Issues: Contracts and Electronic Discovery
Offers guidance on legal concerns related to security, privacy, and contractual obligations
Forensic data collection methodologies
Evidence collection Process
Logs are essential
All activities should be logged including time, person performing the activity, tools used, system or data inspected, and results.
Document everything
including physical or logical system states, apps running, and any physical configurations of hardware as appropriate.
Consider volatility
Volatile data (data not on a durable storage) requires special handling and priority. Collect data from volatile sources first
Evidence collection Best Practices
Utilize original physical media
utilize original physical media whenever possible, as copies may have unintended loss of integrity.
Verify data integrity
at multiple steps by using hashing, especially when performing operations such as copying files.
Follow documented procedures
dedicated evidence custodian, logging all activities, leave systems powered on to preserve volatile data.
Establish and maintain communications
with relevant parties such as the CSP, internal legal counsel, and law enforcement for guidance and requirements.
Communication with relevant parties and communication plans covered in section 5.5
Evidence management
Legal Hold
protecting any documents that can be used in evidence from being altered or destroyed.
sometimes called litigation hold
Chain of Custody
tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle
documents each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.
Confirms appropriate collection, storage, and handling
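An added example, not part of the original mind map, combining the "Verify data integrity" practice and the chain-of-custody record described above: every custody entry stores the handler, time, purpose and a fresh SHA-256 of the evidence file, and verification compares each hash with the one taken at acquisition. It goes beyond the notes by also hash-chaining the log entries so that later edits to the log itself are detectable. The class, handler names and file contents are constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


class CustodyLog:
    """Hypothetical in-memory chain-of-custody record for one evidence item."""

    def __init__(self, evidence_id):
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, action, handler, purpose, path):
        previous = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "evidence_id": self.evidence_id,
            "action": action,            # e.g. "acquired", "transferred"
            "handler": handler,          # who handled the evidence
            "purpose": purpose,          # why it was collected or transferred
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(path),  # integrity check at this step
            "prev_hash": previous,        # links this entry to the one before
        }
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()
        ).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (entry index, problem) pairs; an empty list means intact."""
        problems = []
        previous = "0" * 64
        baseline = self.entries[0]["sha256"] if self.entries else None
        for index, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()
            ).hexdigest()
            if entry["prev_hash"] != previous or recomputed != entry["entry_hash"]:
                problems.append((index, "log entry altered or out of order"))
            if entry["sha256"] != baseline:
                problems.append((index, "evidence hash differs from acquisition"))
            previous = entry["entry_hash"]
        return problems


def run_demo():
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "image.bin")
        with open(original, "wb") as handle:
            handle.write(b"constructed evidence image bytes")
        log = CustodyLog("CASE-EXAMPLE-001")  # constructed identifier
        log.record("acquired", "analyst-a", "initial collection", original)

        working = os.path.join(workdir, "working-copy.bin")
        shutil.copy(original, working)        # work from copies
        log.record("transferred", "analyst-b", "analysis on working copy", working)
        after_clean_copy = log.verify()

        with open(working, "ab") as handle:   # the copy changes after hand-off
            handle.write(b"\x00")
        log.record("transferred", "analyst-c", "second review", working)
        after_modified_copy = log.verify()

        log.entries[1]["handler"] = "someone-else"  # the log itself is edited
        after_log_edit = log.verify()
    return after_clean_copy, after_modified_copy, after_log_edit


if __name__ == "__main__":
    for label, result in zip(("clean copy", "modified copy", "edited log"), run_demo()):
        print(label, "->", result or "no problems")
```

An in-memory chain only shows tampering if the latest entry hash is also kept somewhere the handlers cannot change, such as a signed report or a separate log store.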
SCOPE of evidence
describes what is relevant when collecting data
in a multitenant cloud environment, this may be particularly important
collection from shared resources may expose other customers' data
Scope of data collection is more challenging in the cloud
ON PREMISES VS CLOUD
The cloud comes with additional challenges when it comes to forensic investigation
Data location:
Do you know where the data is hosted? And laws of countries it's hosted in?
Many cloud services store copies of data in multiple locations
Rights and responsibilities:
What rights for forensic data collection are listed in your CSP contract?
If it requires CSP cooperation, what is their response SLA?
Tools:
Are your forensic tools suitable for a multi-tenant environment?
What is your organization's liability if you unintentionally capture another customer's data on a shared resource?
e.g. remnants of a previous customer's data on physical storage
Laws and regulations impact a consumer's ability to perform forensic data collection in the cloud
Regulatory and Jurisdiction
Cloud data should be stored and have data sovereignty in region stored.
Many countries have laws requiring businesses to store data within their borders.
The US introduced the Clarifying Lawful Overseas Use of Data (CLOUD) Act in 2018 due to the problems that FBI faced in forcing Microsoft to hand over data stored in Ireland.
Aids in evidence collection in investigation of serious crimes
In 2019, the US and the UK signed a data-sharing agreement to give law enforcement agencies in each country faster access to evidence held by cloud service providers.
Verifying audit and forensic data collection rights with your CSP to ensure you understand your rights and their legal obligations before you sign contracts is critical.
Cloud considerations (cont)
Forensic investigators should know their legal rights in every jurisdiction (region or country) where the organization hosts data in the cloud.
Some countries will not allow eDiscovery from outside their borders
Chain of custody
In traditional forensic procedures, it is "easy" to maintain an accurate history of time, location, and handling.
In the cloud, physical location is somewhat obscure. However, investigators can acquire a VM image from any workstation connected to the internet.
Time stamps and offsets can be more challenging due to location.
Maintaining a proper chain of custody is more challenging in the cloud
Breach notification laws
Varies by country and regulations. For example, GDPR requires notification within 72 hours.
Applies to all with EU customers, even if it's a 3rd party breach!
EVIDENCE UTILITY
Evidence should possess these five attributes to be useful.
Authentic:
The information should be genuine and clearly correlated to the incident or crime.
Accurate:
The truthfulness and integrity of the evidence should not be questionable.
Complete:
All evidence should be presented in its entirety even if it might negatively impact the case being made.
It is illegal in most jurisdictions to hide evidence that disproves a case.
Convincing:
The evidence should be understandable and clearly support an assertion being made.
e.g., chain of events presented from audit logs should be clear
Admissible:
Evidence must meet the rules of the body judging it, such as a court.
Hearsay (indirect knowledge of an action) or evidence that has been tampered with may be thrown out by a court
EVIDENCE ADMISSIBILITY
Requirements for evidence to be admissible in a court of law:
Evidence must be relevant to a fact at issue in the case. Makes a fact more or less probable
The fact must be material to the case.
The evidence must be competent (reliable).
Must be obtained by legal means
To prevail in court, evidence must be sufficient, which means "convincing without question, leaving no doubt"
Collect, acquire, and preserve digital evidence
ACQUISITION OF EVIDENCE
You must begin to collect evidence and as much information about the incident as possible.
Evidence can be used in a subsequent legal action or in finding attacker identity.
Evidence can also assist you in determining the extent of damage.
DATA COLLECTION CHALLENGES IN THE CLOUD
Control
Using a cloud service involves loss of some control, and different service models offer varying levels of access.
Multitenancy and shared resources
Evidence collected while investigating a security incident may unintentionally include data from another customer.
Most likely if CSP or delegate were performing forensic recovery from shared physical resource, such as a storage array.
Data volatility and dispersion
Cloud environments support high availability techniques for data, like data sharding.
Sharding breaks data into smaller pieces, storing multiple copies of each piece across different data centers.
ORDER OF VOLATILITY
If it disappears in system reboot, power loss, passage of time, it is volatile
Volatility, in approximate order:
- CPU, cache, and register contents
- Routing tables, ARP cache, process tables, kernel statistics
- Live network connections and data flows
- Memory (RAM)
- Temporary file system and swap/pagefile
- Data on hard disk
- Remotely logged data
- Data stored on archival media and backups
FOR THE EXAM: Remember that volatile (perishable) information should be collected first.
EVIDENCE COLLECTION AND HANDLING
four general phases:
Collection
Proper evidence handling and decision making should be a part of the incident response procedures and training for team members performing response activities.
Examination
Analysis
Reporting
EVIDENCE PRESERVATION
Collect originals, work from copies!
Protections for evidence storage include:
- locked cabinets or safes
- dedicated/isolated storage facilities
- environment maintenance (temp, humidity)
- access restrictions and document/track activity
- blocking interference (shield from wireless): Faraday cage
ACQUISITION
Areas and considerations in evidence acquisition
Disk, aka hard drive. Was the storage media itself damaged?
Random-access memory (RAM). Volatile memory used to run applications.
Swap/Pagefile. Used for running applications when RAM is exhausted.
OS (operating system). Was there corruption of data associated with the OS or the applications?
Device. When the police are taking evidence from laptops, desktops, and mobile devices, they take a complete system image.
The original image is kept intact, installed on another computer, hashed, then analyzed to find evidence of any criminal activity.
Firmware. Embedded code could be reverse engineered by an attacker, so original source code must be compared to code in use.
A coding expert compares both lots of source code in a technique called regression testing. Rootkits and backdoors are concerns.
Snapshot. If the evidence is from a virtual machine, a snapshot of the virtual machine can be exported for investigation.
Cache. Special high-speed storage that can be either a reserved section of main memory or an independent high-speed storage device.
Memory cache AND disk cache, both are volatile
Network. The OS includes command-line tools (like netstat) that provide information that could disappear if you reboot the computer.
Like RAM, connections are volatile and lost on reboot
Artifacts. Any piece of evidence, including log files, registry hives, DNA, fingerprints, or fibers of clothing normally invisible to the naked eye.
INTEGRITY
Hashes
When either the forensic copy or the system image is being analyzed, the data and applications are hashed at collection.
It can be used as a checksum to ensure integrity later.
File can be hashed before and after collection to ensure match on the original hash value to prove data integrity.
Provenance
Data provenance effectively provides a historical record of data and its origin and forensic activities performed on it.
Similar to data lineage, but also includes the inputs, entities, systems and processes that influenced the data.
Data lineage is the process of tracking flow of data over time, showing where the data originated, how it has changed, and its ultimate destination.
PRESERVATION
Data needs to be preserved in its original state so that it can be produced as evidence in court.
Original data must remain unaltered and pristine
"Forensic copy" of evidence
An image or exact, sector by sector, copy of a hard disk or other storage device, taken using specialized software, preserving an exact copy of the original disk.
Deleted files, slack space, system files and executables (and documents renamed to mimic system files and executables) are all part of a forensic image.
Putting a copy of the most vital evidence in a WORM drive will prevent any tampering with the evidence (you cannot delete data from a WORM drive).
You could also write-protect/put a legal hold on some types of cloud storage.
5.5 Manage communication with relevant parties
Both company security policies (transparency) AND regulatory compliance (law) shape communication
Communication Plan
The plan that details how relevant stakeholders will be informed in the event of an incident (like a security breach).
Would include a plan to maintain confidentiality, such as encryption, to ensure that the event does not become public knowledge.
A contact list should be maintained that includes stakeholders from the government, police, customers, suppliers, and internal staff.
Compliance regulations, like GDPR, include notification requirements, relevant parties, and timelines
Confidentiality amongst internal stakeholders is desirable so external stakeholders can be informed in accordance with the plan.
Stakeholder Management
A stakeholder is a party with an interest in an enterprise; corporate stakeholders include investors, employees, customers, and suppliers.
Regulated industries, such as banking and healthcare, will have requirements driven by the regulations governing their industries.
Vendors
Vendors: The first step in establishing communication with vendors is an inventory of critical third parties on which the organization depends.
This inventory will drive vendor risk management activities in two ways:
1) Some vendors may be critical to the company's ongoing function, like the CSP
2) Others may provide critical inputs to a company's revenue generation
Vendor communications may be governed by contract and SLA
Customers
Customers: As cloud consumers, most companies will be the recipients of communications from their chosen CSPs.
Consumers should define (or at least monitor) communication SLA
Partners
Partners: Often have a level of access to a company's systems similar to that of the company's own employees but are not under company control.
Communication needs will evolve through partner onboarding, maintenance, and offboarding
Regulators
Regulators: Most regulators have developed cloud-specific guidance for compliant use of cloud services.
GDPR, HIPAA, and PCI DSS have communication requirements
Other stakeholders
Other stakeholders: The company may need to communicate with the public, investors, and the company's cyber insurance company in a crisis.
Procedures for order and timing of contact should be created
Some cyber insurance providers require that they are the first point of contact in the event of a security incident
Who is responsible for communication?
If customer data is impacted, the company is always responsible for timely communication
This is true regardless of the cloud service model in use, even if the CSP is at fault
SHARED RESPONSIBILITY FOR SECURITY
5.6 Manage security operations
Security operations center (SOC)
A support unit designed to centralize a variety of security tasks and personnel at the tactical (mid-term) and operational (day-to-day) levels.
Both the CSP and consumer should have a SOC function
Key functions of the SOC include:
- Threat Prevention
- Threat Detection
- Incident Management
- Continuous Monitoring Reporting
- Alert Prioritization
- Compliance Management
Intelligent monitoring of security controls
MONITORING
A form of auditing that focuses on active review of the log file data.
Used to hold subjects accountable for their actions; also used to monitor system performance.
Tools such as IDSs or SIEMs automate monitoring and provide real-time analysis of events.
MONITORING SECURITY CONTROLS
Monitoring security controls used to be an activity closely related to formal audits that occur relatively infrequently, often annually or less.
A newer concept, known as continuous monitoring, is described in NIST SP 800-37: Risk Management Framework (RMF)
The RMF specifies the creation of a continuous monitoring strategy for getting near real-time risk information.
Network firewalls, web app firewalls (WAF), and IDS/IPS provide a critical source of information for NOC or SOC teams.
These devices should be continuously monitored to ensure they are functional
Monitoring for functionality should include monitoring log generation, centralized log aggregation, and analysis.
HARDWARE vs SOFTWARE
Hardware
A piece of purpose-built network hardware.
May offer more configurable support for LAN and WAN connections.
Often has superior throughput versus software because it is hardware designed for the speeds and connections common to an enterprise network.
In the cloud, it's virtual - a network virtual appliance (NVA)
Software
Software-based firewalls that you might install on your own hardware
Provide flexibility to place firewalls anywhere you'd like in your organization.
On servers and workstations, you can run a host-based firewall.
Host-based (software) firewalls are more vulnerable to being disabled by attackers
APPLICATION vs HOST-BASED vs VIRTUAL
Application
Typically caters specifically to application communications.
Often that is HTTPS or Web traffic.
An example is called a web application firewall (WAF)
Host-based
An application installed on a host OS such as Windows or Linux, both client and server operating systems.
Virtual
In the cloud, firewalls are implemented as virtual network appliances (VNA).
Available from both the CSP directly and third-party partners (commercial firewall vendors)
Firewalls
FIREWALL AND STATE
Stateless
Watch network traffic and restrict or block packets based on source and destination addresses or other static values.
Not 'aware' of traffic patterns or data flows.
Typically faster, and perform better under heavier traffic loads.
Stateful
Can watch traffic streams from end to end.
Are aware of communication paths and can implement various IP security functions such as tunnels and encryption.
Better at identifying unauthorized and forged communications.
MODERN FIREWALLS
WAF
Protect web applications by filtering and monitoring HTTPS traffic between a web application and the Internet.
Typically protects web applications from common attacks like XSS, CSRF, and SQL injection.
Some come pre-configured with OWASP rulesets
NGFW
A deep-packet inspection firewall that moves beyond port/protocol inspection and blocking.
Adds application-level inspection, intrusion prevention, and brings intelligence from outside the firewall.
Intrusion detection systems (IDS)
Generally responds passively by logging and sending notifications
Intrusion prevention systems (IPS)
Is placed in line with the traffic and includes the ability to block malicious traffic before it reaches the target
FLAVORS OF INTRUSION DETECTION SYSTEMS
HIPS
Can monitor activity on a single system only.
A drawback is that attackers can discover and disable them
NIPS
Can monitor activity on a network, and a NIPS isn't as visible to attackers.
Honeypots
A system that often has pseudo flaws and fake data to lure intruders
As long as attackers are in the honeypot, they are not in the live network.
A group of honeypots is called a honeynet
Lure bad people into doing bad things. Lets you watch them.
Only ENTICE, not ENTRAP. You are not allowed to let them download items with "Enticement".
For example, allowing download of a fake payroll file would be entrapment.
Goal is to distract from real assets and isolate in a padded cell until you can track them down.
Network security groups
Artificial intelligence (AI)
Monitoring tools, like a SIEM, use AI and ML to automate investigation and response
Artificial Intelligence
Focuses on accomplishing "smart" tasks combining machine learning and deep learning to emulate human intelligence
Machine Learning
A subset of AI, computer algorithms that improve automatically through experience and the use of data.
Deep Learning
A subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.
Log capture and analysis
Security information and event management (SIEM)
User Entity Behavior Analysis (UEBA)
This is based on the interaction of a user that focuses on their identity and the data that they would normally access on a normal day
It tracks the devices that the user normally uses and the servers that they normally visit.
Sentiment Analysis
Artificial intelligence and machine learning to identify attacks.
Cybersecurity sentiment analysis can monitor articles on social media, look at the text and analyze the sentiment behind the articles.
Over time, can identify a user's attitudes to different aspects of cybersecurity.
Tooling that allows an organization to define incident analysis and response procedures in a digital workflow format.
Integrates your security processes and tooling in a central location (SOC).
Response automation, using machine learning and artificial intelligence
These make it faster than humans in identifying and responding to true incidents.
Reduces MTTD and accelerates response
Uses playbooks that define an incident and the action taken. Capabilities vary by situation & vendor
Over time, should produce faster alerting and response for the SOC team.
SIEM AND SOAR
SIEM
System that collects data from many other sources within the network.
Provides real-time monitoring, analysis, correlation & notification of potential attacks.
SOAR
Centralized alert and response automation with threat-specific playbooks.
Response may be fully automated or single-click.
Log management
Logs are worthless if you do nothing with the log data. They are made valuable only by review.
That is, they are valuable only if the organization makes use of them to identify activity that is unauthorized or compromising.
SIEM (Security Information Event Monitoring) tools can help to solve some of these problems by offering these key features:
- Log centralization and aggregation
- Data integrity
- Normalization
- Automated or continuous monitoring
- Alerting
- Investigative monitoring
SIEM features
Log centralization and aggregation
Rather than leaving log data scattered around the environment on various hosts, the SIEM platform can gather logs from a variety of sources, including:
operating systems, applications, network appliances, user devices, providing a single location to support investigations.
Data integrity
The SIEM should be on a separate host with its own access control, preventing any single user from tampering.
Normalization
SIEMs can normalize incoming data to ensure that the data from a variety of sources is presented consistently.
Automated or continuous monitoring
Sometimes referred to as correlation, SIEMs use algorithms to evaluate data and identify potential attacks or compromises.
Alerting
SIEMs can automatically generate alerts such as emails or tickets when action is required based on analysis of incoming log data
Investigative monitoring
When manual investigation is required, the SIEM should provide support capabilities such as querying log files and generating reports.
LOG COLLECTION AND ANALYSIS WITH A SIEM
Log Collectors
SIEM has built-in log collector tooling that can collect information from both the syslog server and multiple other servers. An agent is placed on the device that can collect log information, parse and restructure data, and pass to SIEM for aggregation.
Ingestion may be via an agent, syslog, or API
Log Aggregation
Can correlate and aggregate events so that duplicates are filtered and a better understanding of network events is achieved to help identify potential attacks.
Packet Capture
Can capture packets and analyze them to identify threats as soon as they reach your network, providing immediate alert to security team if desired.
Data Inputs
The SIEM system collects a massive amount of data from various sources.
May include network devices, IDM, MDM, CASB, XDR, and more
LOG FILES
Common log files include security logs, system logs, application logs, firewall logs, proxy logs.
Should be protected by centrally storing them and using permissions to restrict access.
Archived logs should be set to read-only to prevent modifications.
Log files play a core role in providing evidence for investigations. You'll want to be familiar with the many different types of log files a typical SIEM might ingest.
Network: This log file can identify the IP and MAC addresses of devices that are attached to your network. Usually sent to a central syslog server
NIDS/NIPS can be important in identifying threats and anomalies from these.
Log files from a proxy server can reveal who's visiting malicious sites
The collective insight may be useful in stopping a DDoS attack
Web: Web servers log many types of information about the web requests, so evidence of potential threats and attacks will be visible here.
Information collected about each web session: IP address request, date and time, HTTP method (such as GET/POST), browser used, and HTTP status code.
400 series HTTP response codes are client-side errors
500 series HTTP response codes are server-side errors
These logs must be fed to a SIEM, IDS/IPS or other system to analyze this data
These files exist on client and server systems. Sending these to a SIEM can help establish a central audit trail and visibility into the scope of an attack.
System: Contains information about hardware changes, updates to devices, time synchronization, group policy application, etc.
Application: Contains information about software applications, when launched, success or failure, and warnings about potential problems or errors.
Security: Contains information about a successful login, as well as unauthorized attempts to access the system and resources.
Can identify attackers trying to log in to your computer systems.
Captures information on file access and can determine who has downloaded certain data.
DNS: Contains virtually all DNS server-level activity, such as zone transfer, DNS server errors, DNS caching, and DNSSEC.
DNS query logging is often disabled by default due to volume.
Authentication: Information about login events, logging success or failure.
Multiple sources of authentication log files exist in a domain environment, including RADIUS, Active Directory, and cloud providers (Azure Active Directory).
Log files related to voice applications can be valuable in identifying anomalous activity, unauthorized users, and even potential attacks
VoIP and Call Managers: These systems provide information on the calls being made and the devices that they originate from.
May also capture call quality by logging the Mean Optical Score (MOS), jitter, and loss of signal. Significant loss in quality may indicate attack
Each call is logged (inbound and outbound calls), the person making the call, and the person receiving the call, including long-distance calls
Session Initiation Protocol (SIP) Traffic: SIP is used for internet-based calls and the log files generally show:
the 100 events, known as the INVITE, the initiation of a connection, that relates to ringing.
the 200 OK is followed by an acknowledgement
Large number of calls not connecting may indicate attack
SYSLOG/SIEM
Event Reporting (Review Reports)
A SIEM typically includes a dashboard and collects reports that can be reviewed regularly to ensure that the policies have been enforced and that the environment is compliant
Also highlight whether the SIEM system is effective and working properly. Are incidents raised true positives?
False positives may arise because the wrong input filters are being used or the wrong hosts monitored.
SIEM dashboards will typically provide a view into status of log ingestion and security concerns identified through correlation.
Incident management
INCIDENT RESPONSE LIFECYCLE
The incident response lifecycle in the CBK is from NIST SP 800-61 rev2, the "Computer Security Incident Handling Guide"
Preparation
Refers to the organization's preparation necessary to ensure they can respond to a security incident, including tools, processes, competencies, and readiness.
These details should be documented in a security incident response plan that is regularly reviewed and updated.
Plan review multiple times per year in a walkthrough, aka 'tabletop exercise'
Detection and analysis
The activity to detect a security incident in a production environment and to analyze all events to confirm the authenticity of the security incident.
Containment, eradication, recovery
In containment, the required and appropriate actions are taken to contain the security incident based on the analysis done in the previous phase.
Limits the damage (scope) of the incident
Eradication is the process of eliminating the root cause of the security incident with a high degree of confidence.
During the incident, our focus is on protecting and restoring business-critical processes
Recovery should happen after the adversary has been evicted from the environment and known vulnerabilities have been remediated.
Recovery returns the environment to its normal, fully functional, original state prior to the incident.
Post-incident activity
The post-mortem analysis is performed after the recovery of a security incident.
Actions performed during the process are reviewed to determine if any changes need to be made in the preparation or detection and analysis phases.
The lessons learned drive continuous improvement, ensuring effective and efficient incident response.
Vulnerability assessments
RIGHT TO AUDIT IN THE CLOUD
Use of vulnerability scanners and pen testers may be limited by your CSP's terms of service.
CSPs typically have penetration testing and scanning "rules of engagement"
VULNERABILITY MANAGEMENT
Vulnerability Management
Includes routine vulnerability scans and periodic vulnerability assessments.
Vulnerability scanners
Can detect known security vulnerabilities and weaknesses, absence of patches or weak passwords.
Vulnerability Assessments
Extend beyond just technical scans and can include reviews and audits to detect vulnerabilities
VULNERABILITY SCANS
A vulnerability scan assesses possible security vulnerabilities in computers, networks, and equipment that can be exploited.
Credentialed Scan:
A credentialed scan is a much more powerful version of the vulnerability scanner. It has higher privileges than a non-credentialed scan.
Spot vulnerabilities that require privilege, like non-expiring PWs
Non-Credentialed Scan:
A non-credentialed scan has lower privileges than a credentialed scan. It will identify vulnerabilities that an attacker would easily find.
Scans can find missing patches, some protocol vulnerabilities
Non-Intrusive Scans:
These are passive and merely report vulnerabilities. They do not cause damage to your system.
Intrusive Scans:
Can cause damage as they try to exploit the vulnerability and should be used in a sandbox and not on your live production system.
Configuration Review:
Configuration compliance scanners and desired state configuration in PowerShell ensure that no deviations are made to the security configuration of a system.
The combination of techniques can reveal which vulnerabilities are most easily exploitable in a live environment.
Network Scans:
These scans look at computers and devices on your network and help identify weaknesses in their security.
Application Scans:
Before applications are released, coding experts perform regression testing that will check code for deficiencies.
Web Application Scans:
Crawl through a website as if they are a search engine looking for vulnerabilities.
Perform an automated check for site/app vulnerabilities, such as cross-site scripting and SQL injection.
There are many sophisticated web application scanners available, due in part to mass adoption of cloud computing.
Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS)
CVSS
CVSS is the overall score assigned to a vulnerability. It indicates severity and is used by many vulnerability scanning tools.
CVE
CVE is simply a list of all publicly disclosed vulnerabilities that includes the CVE ID, a description, dates, and comments.
The CVSS score is not reported in the CVE listing; you must use the National Vulnerability Database (NVD) to find assigned CVSS scores.
The CVE list feeds into the NVD
The National Vulnerability Database (NVD) is a database, maintained by NIST, that is synchronized with the MITRE CVE list.
VULNERABILITY SCAN OUTPUT
A vulnerability scanner can identify and report various vulnerabilities before they are exploited, such as:
- software flaws
- missing patches
- open ports
- services that should not be running
- weak passwords
Will help companies avoid known attacks such as SQL injection, buffer overflows, denial of service, and other types of malicious attacks.
A credentialed vulnerability scan is the most effective as it provides more information than any other vulnerability scan.
VULNERABILITY SCANS
False Positive: Where the scan believes that there is a vulnerability but, when physically checked, it is not there.
False Negative: When there is a vulnerability, but the scanner does not detect it.
True Positive: This is where the results of the system scan agree with the manual inspection.
Log Reviews: Following a vulnerability scan, it is important to review the log files/reports that list any potential vulnerabilities.
D6 Legal, Risk and Compliance
6.1 Articulate legal requirements and unique risks within the cloud environment
Conflicting international legislation
It is important to be aware of the various laws and regulations that govern cloud computing.
Laws can introduce risks to a business, such as fines, penalties, or even a loss of the ability to do business in a certain place.
It is important to identify such risks and make recommendations to mitigate them just like any other risk.
EXAMPLE
Conflict with GDPR and CLOUD Act
GDPR forbids the transfer of data to countries that lack adequate privacy protections
The Clarifying Lawful Overseas Use of Data (CLOUD) Act requires CSPs to hand over data to aid in investigation of serious crimes, even if stored in another country.
As with many aspects of security, legal compliance requires collaboration.
Legal counsel should be part of the evaluation of any cloud-specific risks, legal requests, and the company's response to these.
Export and Privacy
Computer Export Controls. US companies can't export to Cuba, Iran, North Korea, Sudan, and Syria.
Encryption Export Controls. Dept of Commerce details limitations on export of encryption products outside the US.
Privacy (US). The basis for privacy rights is in the Fourth Amendment to the U.S. Constitution.
Privacy (EU). General Data Protection Regulation (GDPR) is not a US law, but very likely to be mentioned!
Copyright and intellectual property law
particularly the jurisdictions that companies need to deal with (local versus international) to protect and enforce their IP protections.
Safeguards and security controls required for privacy compliance
particularly details of data residency or the ability to move data between countries, as well as varying requirements of due care in different jurisdictions
Data breaches and their aftermath, particularly breach notification
International import/export laws
particularly technologies that may be sensitive or illegal under various international agreements
LAWS, REGULATIONS, STANDARDS, FRAMEWORKS
Laws are the legal rules that are created by government entities, such as legislatures/congress.
Regulations are the rules that are created by governmental agencies.
Laws and regulations must be followed or can result in civil or criminal penalties for the organization.
Standards dictate a reasonable level of performance.
They can be created by an organization for its own purposes (internal) or come from industry bodies or trade groups (external).
Frameworks are a set of guidelines helping organizations improve their security posture.
TYPES OF LAW
Criminal law contains prohibitions against acts such as murder, assault, robbery, and arson.
Civil law: Examples include contract disputes, real estate transactions, employment matters, and estate/probate procedures.
Vendor contracts fall into this category.
Administrative law: Policies, procedures, and regulations that govern the daily operations of government and government agencies
Regulations like HIPAA fall into this category
The U.S. Constitution is the highest possible source of law in the United States, and no laws from other sources may conflict with the provisions in the Constitution
SEVEN ARTICLES OF THE US CONSTITUTION
- Article I establishes the legislative branch.
- Article II establishes the executive branch.
- Article III establishes the judicial branch.
- Article IV defines the relationship between the federal government and state governments
- Article V creates a process for amending the Constitution itself.
- Article VI contains the supremacy clause, establishing that the Constitution is the supreme law of the land.
- Article VII sets forth the process for the initial establishment of the federal government.
Case law. Interpretations made by courts over time establish a body of law that other courts may refer to when making their own decisions.
In many cases, the case law decisions made by courts are binding on both that court and any subordinate courts.
Common law is a set of judicial precedents passed down as case law through many generations.
These stand as examples cited in future court cases.
Contract law: Violations of a contract generally do not involve law enforcement agencies, so they are treated as private disputes between parties and handled in civil court.
A violation is known as a "breach of contract" and courts may take action to enforce the terms of a contract.
LEGAL LIABILITY
Liable means "responsible or answerable in law; legally obligated".
Comes in two forms:
Criminal liability occurs when a person violates a criminal law.
Civil liability occurs when one person claims that another person has failed to carry out a legal duty that they were responsible for.
Civil cases are brought to court by one party, called the claimant, who is accusing another party of a violation, called the respondent.
Claimant may be an individual, a corporation, or the government.
TORTS AND NEGLIGENCE
Torts are another form of civil violation that do not involve a contract but instead involve harm to one party caused by the actions of another party.
Negligence is a commonly occurring tort that occurs when one party causes harm to another party by their action or lack of action.
There must be a duty of care. The person accused of negligence must have an established responsibility to the accuser.
There must be a breach of that duty of care. The accused person must have either taken action or failed to take an action that violated the duty of care.
There must be damages involved. The accuser must have suffered some type of harm, be it financial, physical, emotional, or reputational.
There must be causation. A reasonable person must be able to conclude that the injury caused to the accuser must be a result of the breach of duty by the accused.
Evaluation of legal risks specific to cloud computing
Differing legal requirements
For example, state and provincial laws in the United States and Canada have different requirements for data breach notifications, such as timeframes.
Different legal systems and frameworks in different countries
In some countries, clear written legislation exists. In others, legal precedent is more important
Precedent refers to the judgments in past cases and is subject to change over time with less advance notice than updates to legislation.
Conflicting laws
The EU's GDPR and the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act directly conflict on the topic of data transfer.
The bottom line on legal risks specific to cloud computing
Responsibility for compliance with laws and regulations
Researching and planning response in case of conflicting laws
Ensuring necessary audit and incident response data is logged and retained
Any additional due diligence and due care
Legal framework and guidelines
Organisation for Economic Co-operation and Development (OECD)
An international organization comprised of 38 member states from around the world, publishes guidelines on data privacy.
Its principles are aligned with European privacy law, including consent, transparency, accuracy, security, and accountability.
Asia-Pacific Economic Cooperation Privacy Framework (APEC)
Comprised of 21 member economies in the Pacific Rim.
Incorporates many standard privacy practices into their guidance, such as preventing harm, notice, consent, security, and accountability.
Promotes the smooth cross-border flow of information between APEC member nations.
General Data Protection Regulation (GDPR)
European Union's GDPR is perhaps the most far-reaching and comprehensive set of laws ever written to protect data privacy.
Mandates privacy for individuals, defines companies' duties to protect personal data, and prescribes punishments for companies violating these laws.
Includes mandatory notification timelines in the event of data breach.
GDPR formally defines many data roles related to privacy and security (subject, controller, processor).
Additional legal frameworks and standards
Health Insurance Portability and Accountability Act (HIPAA)
1996 U.S. law that regulates the privacy and control of health information data.
Payment Card Industry Data Security Standard (PCI DSS)
An industry standard for companies that accept, process, or receive payment card transactions.
Privacy Shield
Exists to solve the lack of a U.S. equivalent to GDPR, which impacts rights and obligations around data transfer.
Sarbanes-Oxley Act (SOX)
Law was enacted in 2002 and sets requirements for U.S. public companies to protect financial data when stored and used.
LAWS AND REGULATIONS
As a cloud security practitioner, you should know the difference between statutory, regulatory, and contractual requirements.
Statutory requirements
are required by law. HIPAA, GDPR, FERPA
Regulatory requirements
may also be required by law but refer to rules issued by a regulatory body that is appointed by a government entity. FISMA, FedRAMP
Contractual requirements
are required by a legal contract between private parties.
These agreements often specify a set of security controls or a compliance framework that must be implemented by a vendor, e.g. SOC, GAPP, CSA CCM
eDiscovery
An organization investigating an incident may lack the ability to compel the CSP to turn over vital information needed to investigate.
The information may be housed in a country where jurisdictional issues make the data more difficult to access.
Maintaining a chain of custody is more difficult since there are more entities involved in the process.
Three important considerations include 1) vendor selection, 2) architecture, 3) due care obligations
Vendor selection considerations
When considering a cloud vendor, eDiscovery should be considered as a security requirement during the selection and contract negotiation phases.
Architecture considerations
Data residency and system architecture are other important considerations for eDiscovery in the cloud and can be handled proactively.
Due care considerations: ensuring the org is prepared for DFIR
Cloud security practitioners must inform their organizations of any risks and required due care and due diligence related to cloud computing.
E-DISCOVERY FRAMEWORKS
CSPs may not preserve essential data for the required period of time to support historical investigations.
They may not even log all the data relevant to support an investigation.
This shifts the burden of recording and preserving potential evidence onto the consumer.
Consumers must identify and implement their own data collection.
NIST
NISTIR 8006
NISTIR 8006, "Cloud Computing Forensic Science Challenges"
NISTIR = NIST Interagency or Internal Reports
Addresses common issues and solutions needed to address DFIR in cloud environments.
DFIR = Digital Forensics and Incident Response
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27050
A four-part standard within the ISO/IEC 27000 family of information security standards
Offers a framework, governance, and best practices for forensics, eDiscovery, and evidence management
Cloud Security Alliance (CSA) Guidance
Free guidance in Domain 3: Legal Issues: Contracts and Electronic Discovery
Offers guidance on legal concerns related to security, privacy, and contractual obligations
Forensics requirements
FORENSICS REQUIREMENTS
In the cloud, it's difficult or impossible to perform physical search and seizure of cloud resources such as storage or hard drives.
ISO/IEC and CSA provide guidance on best practices for collecting digital evidence and conducting forensics investigations in the cloud.
Forensic Investigation Standards
ISO/IEC 27037:2012
Guide for collecting, identifying, and preserving electronic evidence
ISO/IEC 27041:2015
Guide for incident investigation
ISO/IEC 27042:2015
Guide for digital evidence analysis.
ISO/IEC 27043:2015
Guide for incident investigation principles and processes
6.2 Understand privacy issues
Difference between contractual and regulated private data
protected health information (PHI)
Any information that can identify an individual (name, SSN, birthdate/place, biometric records, etc.)
Defined by NIST SP 800-122
personally identifiable information (PII)
Health-related information that can be related to a specific person
Must be protected by strong controls and access audited
Regulated by HIPAA HITRUST
Payment Data
Allowable storage of information related to credit and debit cards and transactions.
Defined and regulated by PCI DSS and is CONTRACTUAL
A security team must understand:
- what types of data an organization is processing
- where it is being processed
- any associated requirements, such as contractual obligations
In any cloud computing environment, the legal responsibility for data privacy and protection rests with the cloud consumer.
The data controller is always responsible for ensuring that the requirements for protection and compliance are met,
even if that data is processed in a CSP's cloud service.
Responsibility cannot be transferred but risk can be mitigated
Components of a contract may include how data is processed, security controls, deletion of data, physical location, audit, and use of subcontractors.
Country-specific legislation related to private data
protected health information (PHI)
personally identifiable information (PII)
Australian Privacy Act
organizations may process data belonging to Australian citizens offshore.
transferring entity (the data owner) must ensure that the receiver of the data holds and processes it in accordance with the principles of Australian privacy law.
Data owner (controller) is responsible for data privacy
commonly achieved through contracts that require recipients to maintain or exceed the data owner's privacy standards
The entity transferring the data out of Australia remains responsible for any data breaches by or on behalf of the recipient entities
Canada Privacy Law
Personal Information Protection and Electronic Documents Act (PIPEDA)
a national-level law that restricts how commercial businesses may collect, use, and disclose personal information.
PIPEDA covers information about an individual that is identifiable to that specific individual.
DNA, age, medical, education, employment, identifying numbers, religion, race/ethnic origin, financial information
includes a data breach notification requirement.
PIPEDA may also be superseded by province-specific laws that are deemed substantially similar to PIPEDA.
GDPR
GENERAL DATA PROTECTION REGULATION
Includes the following on data subject privacy rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (the right to be forgotten)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Other private data types in GDPR: race or ethnic origin, political affiliations or opinions, religious or philosophical beliefs, and sexual orientation.
Deals with the handling of data while maintaining privacy and rights of an individual.
It is international as it was created by the EU, which has 27 different countries as members.
GDPR applies to ANY company with customers in the EU
Includes a 72-hour notification deadline in the case of data breach
National, Territory, and State Laws
Gramm-Leach-Bliley Act (GLBA) of 1999
focuses on services of banks, lenders, and insurance; severely limits the services they can provide and the information they can share with each other
This act consists of three main sections:
The Financial Privacy Rule, which regulates the collection and disclosure of private financial information
The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information
The Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses)
Privacy Shield
an international agreement between the United States (U.S.) and the European Union.
allows the transfer of personal data from the European Economic Area (EEA) to the U.S. by U.S.-based companies.
Orgs commit to seven principles of the agreement:
- Notice
- Choice
- Security
- Access
- Accountability for onward transfer
- Data integrity and purpose limitation
- Recourse, enforcement, and liability
The Stored Communication Act (SCA) of 1986
created privacy protection for electronic communications like email or other digital communications stored on the Internet.
extends the Fourth Amendment of the U.S. Constitution to the electronic realm
The Fourth Amendment:
Details the people's "right to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures"
It outlines that private data is protected from unauthorized access or interception (by private parties or the government).
Health Insurance Portability and Accountability Act (HIPAA) of 1996
privacy and security regulations requiring strict security measures for hospitals, physicians, insurance companies
HIPAA-covered entities are those organizations that collect or generate protected health information (PHI)
under HIPAA there are separate rules for privacy, security, and breach notification, and flow of these rules down to third parties
Under HIPAA, PHI may be stored by cloud service providers provided that the data is adequately protected
Clarifying Lawful Overseas Use of Data (CLOUD) Act
aids in evidence collection in investigation of serious crimes
created in 2018 due to the problems that FBI faced in forcing Microsoft to hand over data stored in Ireland
requires U.S.-based companies to respond to legal requests for data no matter where the data is physically located.
Jurisdictional differences in data privacy
Different laws and regulations may apply depending on the location of:
- data subject
- data collector
- cloud service provider
- subcontractors processing data
- company headquarters of the entities involved
Legal concerns can:
- prevent the utilization of a cloud services provider
- add to costs and time to market
- drive changes to technical architectures required to deliver services
Never replace compliance with convenience when evaluating services, as this increases risks
Many privacy laws impose fines or other action for noncompliance.
Standard privacy requirements
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018
ISO 27018 was published in July 2014 as a component of the ISO 27001 standard.
Adherence to these privacy requirements enables customer trust in the CSP.
Major CSPs such as Microsoft, Google, and Amazon all maintain ISO 27000 compliance
Can provide a HIGH level of assurance.
Consent: Personal data obtained by a CSP may not be used for marketing purposes unless expressly permitted by the subject.
A customer should be permitted to use a service without requiring this consent.
Control: Customers shall have explicit control of their own data and how that data is used by the CSP.
Transparency: CSPs must inform customers of where their data resides AND any subcontractors that may process personal data.
Communication: Auditing should be in place, and any incidents should be communicated to customers.
Audit: Companies (CSP, in this case) must subject themselves to an independent audit on an annual basis.
Generally Accepted Privacy Principles (GAPP)
Generally Accepted Privacy Principles (GAPP) is a framework of privacy principles
Created by AICPA
GAPP are widely incorporated into the SOC 2 framework as an optional criterion
Organizations that pursue a SOC 2 audit can include these privacy controls if appropriate
Similar to ISO 27018, which is an optional extension of the controls defined in ISO 27002
An audit of these controls results in a report that can be shared with customers or potential customers, who can use it to assess a service provider's ability to protect sensitive data.
Categories of the 10 main privacy principles
Management
The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
Notice
The organization provides notice of its privacy policies and procedures
The organization identifies the purposes for which personal information is collected, used, and retained.
Choice and consent
The organization describes the choices available to the individual, and secures implicit or explicit consent regarding the collection, use, and disclosure of the personal data.
Collection
Personal information is collected only for the purposes identified in the notice provided to the individual.
Use, retention, and disposal: WHY org can retain, WHEN to dispose
The personal information is limited to the purposes identified in the notice the individual consented to.
Access
The organization provides individuals with access to their personal information for review or update.
Disclosure to third parties
Personal information is disclosed to third parties only for the identified purposes and with implicit or explicit consent of the individual.
Security for privacy
Personal information is protected against both physical and logical unauthorized access.
Quality
The organization maintains accurate, complete, and relevant personal information that is necessary for the purposes identified.
Monitoring and enforcement
The organization monitors compliance with its privacy policies and procedures. It also has procedures in place to address privacy-related complaints and disputes
General Data Protection Regulation (GDPR)
Privacy Impact Assessments (PIA)
A privacy impact assessment (PIA) is designed to identify the privacy data being collected, processed, or stored by a system, and assess the effects of a data breach
When is a PIA necessary?
Several privacy laws explicitly require PIAs as a planning tool for identifying and implementing required privacy controls, including GDPR and HIPAA.
Conducting a PIA typically begins when a system or process is being evaluated
However, evolving privacy regulation often necessitates assessment of existing systems.
To conduct a PIA, you must define assessment scope, data collection methods, and plan for data retention
The International Association of Privacy Professionals (IAPP) has published guides and resources related to privacy efforts, including PIA.
6.3 Understand audit process, methodologies, and required adaptations for a cloud environment
What is Auditing?
a methodical examination of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes.
serves as a primary type of detective control.
frequency is based on risk.
degree of risk also affects how often an audit is performed.
Secure IT environments rely heavily on auditing and many regulations require it.
AUDITING & DUE CARE
Security audits and effectiveness reviews are key elements in displaying due care. Without them, senior management will likely be held accountable and liable for any asset losses that occur.
Act with common sense, prudent management, responsible action
Security audits and reviews
help ensure that management programs are effective and being followed.
commonly associated with account management practices to prevent violations with least privilege or need-to-know principles.
can also be performed to oversee many programs and processes
- patch management
- vulnerability management
- change management
- configuration management
CONTROLLING ACCESS TO AUDIT REPORTS
Audit reports often contain sensitive information
Often include purpose and scope of the audit, and results discovered or revealed
Can include sensitive information such as problems, standards, causes, and recommendations.
Only people with sufficient privilege should have access
FOR EXAMPLE:
senior security administrators = full detail
senior management = high-level summary
Internal and external audit controls
Internal Auditor
Acts as a "trusted advisor" to the organization on risk, educating stakeholders, assessing compliance
Compliance may mean company policies or regulatory
Internal Audit
Can provide more continuous monitoring of control effectiveness and policy compliance
Enables the org to catch and fix any issues before they show up on a formal audit report
Some legal and regulatory frameworks require the use of an independent auditor, others demand a third-party auditor
An internal auditor is an independent entity who can provide facts without fear of reprisal
Impact of audit requirements
The requirement to conduct audits can have a large procedural and financial impact on a company.
Regulated industries
Some entities operate in heavily regulated industries subject to numerous auditing requirements, such as banks or critical infrastructure providers.
With multi-national companies, audit complexity may be higher due to conflicting requirements
Sample size and relevance
In large environments, representative samples of some infrastructure (e.g. 20 of 100 servers) may be checked but must be representative of the multi-region estate.
Multi-region data dispersion in the cloud and dynamic VM failure in hypervisors can complicate the audit process
Identify assurance challenges of virtualization and cloud
The cloud is made possible by virtualization technologies that enable dynamic environments needed for a global provider platform.
Depending on the cloud architecture employed, a cloud security professional must perform multiple layers of auditing.
To be effective, the auditor must understand the virtualization architecture of the cloud provider
Audits of controls over the hypervisor will usually be the purview of the CSP
VMs deployed on top of that hardware are usually owned by the customer
Types of audit reports
Statement on Standards for Attestation Engagements (SSAE)
SSAE 18 is a set of standards defined by the AICPA (American Institute of CPAs)
Designed to enhance the quality and usefulness of System and Organization Control (SOC) reports.
Includes audit standards and suggested report formats to guide and assist auditors
SOC 1
deals mainly with financial controls and are used primarily by CPAs auditing financial statements
SOC 2 Type 1
report that assesses the design of security processes at a specific point in time
SOC 2 Type 2
(often written as "Type II") assesses how effective those controls are over time by observing operations for at least six months
Often require an NDA due to sensitive contents
SOC 3
contain only the auditor's general opinions and non-sensitive data, is publicly shareable
SSAE is US-based, but SOC 2 has become a de facto global standard
International Standard on Assurance Engagements (ISAE)
The International Auditing and Assurance Standards Board issues the ISAE
This board and its ISAE standards are similar to the AICPA and its SSAE standards
The ISAE 3402 standard is roughly equivalent to the SOC 2 reports in the SSAE
CSA
Cloud Security Alliance
The Security Trust Assurance and Risk (STAR) certification program comes from CSA
Can be used by cloud service providers, cloud customers, or auditors and consultants
Designed to demonstrate compliance to a desired level of assurance
STAR consists of two levels of certification which provide increasing levels of assurance
Level 1: Self-assessment
is a complimentary offering that documents the security controls provided by the CSP
Level 2: Third-party audit
requires the CSP to engage an independent auditor to evaluate the CSP's controls against the CSA standard
Stronger, as it's a third-party audit conducted by a trained, qualified auditor
Service Organization Control (SOC)
Restrictions of audit scope statements
Audit scope statements provide the reader with details on what was included in the audit and what was not
An audit scope statement generally includes:
- Statement of purpose and objectives
- Scope of audit and explicit exclusions
- Type of audit
- Security assessment requirements
- Assessment criteria and rating scales
- Criteria for acceptance
- Expected deliverables
- Classification (secret, top secret, public, etc.)
Setting parameters for an audit is known as audit scope restrictions
Determining the scope of an audit is usually a joint activity performed by the organization being audited and their auditor.
Why limit the scope of an audit?
Audits are expensive endeavors that can engage highly trained (and highly paid) content experts.
Auditing of systems can affect system performance and, in some cases, require the downtime of production systems.
A new system not yet in production, without all the planned controls in place, is not ready to audit.
Cost of implementing controls and auditing some systems is too high relative to the revenue the service generates.
Statement on Standards for Attestation Engagements (SSAE)
International Standard on Assurance Engagements (ISAE)
Gap analysis
A gap analysis identifies where an organization does not meet requirements and provides important information to help remediate gaps
The main purpose is to compare the organization's current practices against a specified framework and identify the gaps between the two.
May be performed by either internal or external parties
Choice of which usually driven by the cost and need for objectivity
When is a gap analysis useful?
As a precursor to a formal audit process, so the organization can close gaps before a third-party (external) audit
When assessing the impact of changes to regulatory or compliance frameworks, which introduce new or modified requirements.
'ISO 27002' and 'NIST CSF' are frameworks commonly used for gap analysis
control analysis
baselines
Audit planning
The audit process can generally be broken down into four phases, starting with audit planning.
Audit planning activities include:
Document and define audit program objectives: collaborative internal planning of audit scope and objectives.
Gap analysis or readiness assessment: assessing the organization's ability to successfully undergo a full audit.
Define audit objectives and deliverables: it is important to identify the expected outputs from the audit.
Identifying auditors and qualifications: compliance and audit frameworks usually specify the type of auditor required.
Audit Phases
Audit fieldwork: involves the actual work the auditors perform to gather, test, and evaluate the organization.
Audit reporting: report writing begins as auditors conduct their fieldwork, capturing notes and any findings.
Audit follow-up: various activities may be conducted after the audit, including addressing any identified weaknesses
Internal information security management system
An information security management system (ISMS) is a systematic approach to information security
An ISMS focuses on processes, technology, and people designed to help protect and manage an organization's information.
ISO 27001 addresses need and approaches to implementing an ISMS
ISMS Functions
- Quantify risk
- Develop and execute risk mitigation strategies
- Provide formal reporting on status of mitigation efforts
ISMS Benefits
- Improve data security
- Increased organizational resilience to cyberattacks
- Central info security mgmt
- Formal risk management
Internal information security controls system
A system of information security controls provides guidance for mitigating the risks identified as part of ISMS risk management processes.
There are several control frameworks to choose from.
Scoping controls refers to reviewing controls in the framework to identify which controls apply to the organization and which do not.
Tailoring is a process of matching applicable controls with the organization's specific circumstances to which they apply.
Organizations implementing an ISO 27001 ISMS will find the ISO 27002 controls very easy to use, since they are designed to fit together.
Other control frameworks include:
- NIST SP 800-53
- NIST Cybersecurity Framework (CSF)
- Secure Controls Framework
- CSA Cloud Controls Matrix (CCM)
Policies
Policies are a key part of any data security strategy and facilitate a number of capabilities for an organization:
Provide users and organizations with a way to understand and enforce requirements in a systematic way.
Make employees and management aware of their roles and responsibilities.
Standardize secure practices throughout the organization.
organizational
Companies use policies to outline rules and guidelines, usually complemented by documentation such as procedures, job aids
Organizations typically define policies related to proper use of company resources, like expense reimbursements and travel
Policies are a proactive risk mitigation tool designed to reduce the likelihood of risks, such as:
- Financial losses
- Data loss or leakage
- Reputational damage
- Statutory and regulatory compliance issues
- Abuse or misuse of computing systems and resources
Employees should generally sign policies to acknowledge acceptance
functional
A set of standardized definitions for employees that describe how they are to make use of systems or data.
Typically guide specific activities crucial to the organization, such as appropriate handling of data, vulnerability management, and so on.
Functional policies generally codify requirements identified in the ISMS and align to your chosen control framework
Examples of functional policies
- Acceptable use: What is and is not acceptable to do on company hardware and networks.
- Email use: What is and is not acceptable to do on company email accounts.
- Passwords and access management: Password complexity, expiration, reuse, requirements for MFA, and requirements for use of access management tools such as a password manager.
- Incident response: How incidents are handled, and requirements for defining an incident response plan.
- Data classification: Identifies types of data and how each should be handled.
- Network services: How issues such as remote access and network security are handled.
- Vulnerability scanning: Routines and limitations on internal scanning and penetration testing.
- Patch management: How equipment is patched and on what schedule.
cloud computing
Ease of deploying cloud resources without governance results in "shadow IT" - resources deployed without IT approval!
This can create security risks, like data loss or leakage through unauthorized use of cloud storage services.
Also creates financial risks, as spending is more difficult to measure and control.
Cloud services should be included in organization policies, and requirements for use clearly documented.
A CASB can help identify and stop shadow IT!
Policies should define requirements users must adhere to and specify which cloud services are approved for various uses.
Identification and involvement of relevant stakeholders
One key challenge in the audit process is the inclusion of any relevant stakeholders
Organization's management who will likely be paying for the audit
Security practitioners responsible for facilitating the audit
Employees who will be called upon to provide evidence to auditors in the form of documentation, artifacts, or sitting for interviews.
Cloud computing environments can include more stakeholders than on-premises and even multiple CSPs
Specialized compliance requirements for highly-regulated industries
North American Electric Reliability Corporation / Critical Infrastructure Protection (NERC / CIP)
North American Electric Reliability Corporation Critical Infrastructure Protection regulates organizations involved in power generation and distribution.
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health (HITECH) Act
Both deal with PHI and implement specific requirements for security and privacy protections, as well as breach notification requirements.
Payment Card Industry (PCI)
Specifies protections for payment card transaction data.
Impact of distributed information technology (IT) model
Cloud computing enables distributed IT service delivery, with systems that can automatically replicate data globally
One impact of this distributed model is the additional geographic locations auditors must consider when performing an audit.
A common technique in cloud audits is sampling, which is the act of picking a subset of the system's physical infrastructure to inspect.
Sampling 20 servers of 100 servers across many regional datacenters can save time & expense and maintain accuracy
diverse geographical locations
crossing over legal jurisdictions
6.4 Understand implications of cloud to enterprise risk management
Assess providers risk management programs
controls
Reviewing provider controls
Prior to establishing a relationship with a cloud provider, a cloud customer needs to analyze the risks associated with adopting that provider's services
Rather than performing a direct audit, the customer must rely on their supply chain risk management (SCRM) processes.
Primary areas of focus in SCRM include evaluating:
- whether a supplier has a risk management program in place, and if so
- whether the risks identified by that program are being adequately mitigated.
Unlike traditional risk management activities, SCRM in a CSP scenario often requires customers to take an indirect approach - reviewing audit reports.
Major CSPs all make available SOC 2, ISO 27001, FedRAMP, or CSA STAR audit reports in lieu of direct audit.
When reviewing an audit report, there are several key elements of the report to focus on, such as scoping information or description of the audit target.
Some compliance frameworks allow audits to be very narrowly scoped, such as SOC 2.
methodologies
There are resources that can help organizations build out or enhance their SCRM program:
NIST has a resource library that includes working groups, publications, and other resources
ISO 27000:2022 specifies a security management system for security and resilience, with a particular focus on supply chain management.
policies
risk profile
Risk profile describes the risk present in the organization based on all the identified risks and any associated mitigations in place.
risk appetite
Risk appetite describes the amount of risk an organization is willing to accept without mitigating.
Regulated industries will be more apt to mitigation, transference, and avoidance.
Smaller orgs and startups will be more apt to simply accept risks to avoid cost of treatment.
Difference between data owner/controller vs. data custodian/processor
Data Processor
Anyone who processes personal data on behalf of the data controller. The CUSTODIAN
Is responsible for the safe and private custody, transport, and storage
Data Controller
The person or entity that controls processing of the data. The OWNER
Owns the data and risks associated with any data breaches
Data Protection Officer (DPO)
ensures the organization complies with data regulations.
under GDPR, the DPO is a mandatory appointment
Data Subject
is the individual or entity that is the subject of the personal data.
Data Owner
Data CONTROLLER in GDPR
Usually a member of senior management.
CAN delegate some day-to-day duties.
CANNOT delegate total responsibility.
Data Custodian
Data PROCESSOR in GDPR
Usually someone in the IT department
DOES implement controls for data owner
DOES NOT decide what controls are needed
Regulatory transparency requirements
breach notification
Most recent privacy laws include mandatory breach notification.
There are some variations among the laws, mainly around issues of timing of the notification and who must be notified
Regulations that require breach notification include, but are not limited to, GDPR, HIPAA (as amended by the HITECH Act), GLBA, and PIPEDA.
Incident response plans and procedures should include relevant information about the time period for reporting, as well as the required contacts in the event of a data breach.
WHO should be notified and HOW QUICKLY
Sarbanes-Oxley (SOX)
If a company is publicly traded in the United States, they are subject to transparency requirements under the Sarbanes-Oxley Act (SOX) of 2002. Specifically, as data owners, these companies should consider the following:
Section 802: It is a crime to destroy, change, or hide documents to prevent their use in official legal processes.
Section 804: Companies must keep audit-related records for a minimum of five years.
SOX compliance is often an issue with both data breaches and ransomware incidents at publicly traded companies.
The loss of data related to compliance due to external actors does not protect a company from legal obligations.
General Data Protection Regulation (GDPR)
For companies doing business in the European Union or with citizens of the EU, transparency requirements under the GDPR are laid out in Article 12.
States that a data controller "must be able to demonstrate that personal data are processed in a manner transparent to the data subject."
The obligations for transparency begin at the data collection stage and apply "throughout the lifecycle of processing."
Stipulates that communication to data subjects must be "concise, transparent, intelligible and easily accessible, and use clear and plain language."
Meeting the requirement for transparency also requires processes for providing data subjects with access to their data.
Risk treatment
avoid
Where the organization changes business practices to completely eliminate the potential that a risk will materialize.
Can negatively impact business opportunities
mitigate
The process of applying security controls to reduce the probability and/or magnitude of a risk.
transfer
Shifts some of the impact of a risk from the organization experiencing the risk to another entity.
e.g. cyber insurance
share
acceptance
Deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk.
use when cost of mitigation > cost of impact
Risk Appetite (sometimes called "risk tolerance") is the amount of risk that a company is willing to accept.
Security Controls
safeguards are proactive (reduce likelihood of occurrence)
countermeasures are reactive (reduce impact after occurrence)
Different risk frameworks
ISO 31000:2018 guidance standard
ISO 31000 contains several standards related to building and running a risk management program.
ISO 31000:2018, "Risk management - Guidelines," provides the foundation of an organization's risk management function.
IEC 31010:2019, "Risk management - Risk assessment techniques" provides guidance on conducting a risk assessment.
ISO GUIDE 73:2009, "Risk management - Vocabulary" provides a standard set of terminology used through the other documents and is useful for defining elements of the risk management program.
ENISA's cloud computing risk assessment
ENISA produces useful resources related to cloud-specific risks that organizations should be aware of and plan for when designing cloud computing systems.
This guide identifies various categories of risks and recommendations for organizations to consider when evaluating cloud computing.
These include research recommendations to advance the field of cloud computing, legal risks, and security risks.
NIST 800-37, "Risk Management Framework"
NIST Special Publication 800-37 is the NIST Risk Management Framework
NIST Special Publication 800-146 "Cloud Computing Synopsis and Recommendations" provides definitions of various cloud computing terms
NIST 800-146, "Cloud Computing Synopsis and Recommendations"
Although not a dedicated risk management standard, the various risks and benefits associated with different deployment and service models are discussed.
Metrics for risk management
Patching levels: How many devices are fully patched and up-to-date?
Unpatched devices often contain exploitable vulnerabilities.
Time to deploy patches: How many devices receive required patches in the defined timeframes?
A useful measure of how effective a patch management program is at reducing the risk of known vulnerabilities.
Intrusion attempts: How many times have unknown actors tried to breach cloud systems?
Increased intrusion attempts can be an indicator of increased risk likelihood.
Mean time to detect (MTTD), mean time to contain (MTTC), and mean time to resolve (MTTR):
How long does it take for security teams to become aware of a potential security incident, contain the damage, and resolve the incident?
Inadequate tools or resources for reactive risk mitigation can increase the impact of risks occurring
Cybersecurity metrics provide vital information for decision makers in the organization.
Cybersecurity metrics within expected parameters indicate the risk mitigations are effective.
Metrics that deviate from expected parameters indicate the risk mitigations are no longer effective and should be reviewed
Assessment of risk environment
service
vendor
Designing a supply chain risk management (SCRM) program to assess CSP or vendor risks is a due diligence practice.
Actually performing the assessment is an example of due care.
Remember, the customer organization is responsible.
Any organization that uses cloud services without adequately mitigating the risks is likely to be found negligent in a breach
infrastructure
business
Common Criteria (ISO/IEC 15408-1)
Enables an objective evaluation to validate that a particular product or system satisfies a defined set of security requirements
Assures customers that security products they purchase have been thoroughly tested by independent third-party testers
The certification of the product only certifies product capabilities.
Designed to provide assurances for security claims by vendors
Evaluation is done through testing laboratories where the product or platform is evaluated against a standard set of criteria.
The result is an Evaluation Assurance Level (EAL), which defines how robust the security capabilities are in the evaluated product
Most CSPs do not have common criteria evaluations over their entire environments, but many cloud-based products do
If misconfigured or mismanaged, software is no more secure than anything else the customer might use.
CSA STAR Security, Trust, Assurance, and Risk
When evaluating the risks in a specific CSP or other cloud service, the CSA STAR can be a useful, lightweight method for ascertaining risks.
Contains evaluations of cloud services against the CSA's cloud controls matrix (CCM)
Organizations can opt for self-assessed or third-party-assessed cloud services. This will affect the level of assurance (low or high)
Subtopic
ENISA has published a standard for certifying the cybersecurity practices present in cloud environments
The framework, known as EUCS, defines a set of evaluation criteria for various cloud service and deployment models.
The goal is producing security evaluation results that allow comparison of the security posture across different cloud providers.
6.5 Understand outsourcing and cloud contract design
THIRD-PARTY RISK MANAGEMENT
NDA
A contract with vendors and suppliers not to disclose the company's confidential information
A 'mutual NDA' binds both parties in the agreement
Business requirements
service-level agreement (SLA)
Stipulate performance expectations such as maximum downtimes and often include penalties if the vendor doesn't meet expectations.
Generally used with external vendors (like CSP) and is legally binding
Often includes financial penalties for non-performance and may allow customer to terminate a contract
SLAs should be written to ensure that the organization's service level requirements (SLRs) are met.
SLAs are best suited for defining recurring, discrete, measurable items the parties agree upon.
Common elements documented in SLAs include:
- Uptime guarantees
- SLA violation penalties
- SLA violation penalty exclusions and limitations
- Suspension of service clauses
- Provider liability
- Data protection and management
- Disaster recovery and recovery point objectives
- Security and privacy notifications and timeframes
master service agreement (MSA)
In legal terms, a cloud customer and a CSP enter into a master service agreement (MSA)
This is defined as any contract that two or more parties enter into as a service agreement
MSA should address compliance and process requirements the customer is passing along to CSP
Legal counsel is most often responsible for contracts, but security should be involved to share requirements
MSA should include breach notification - CSP duty to inform the customer of a breach within a specific time period after detection.
statement of work (SOW)
Legal document usually created after an MSA has been executed and governs a specific unit of work.
MSA may document services and prices, a SOW covers requirements, expectations, and deliverables for a project.
MSA focus is "overall, ongoing"; SOW is "limited & specific"
THIRD-PARTY RISKS
Supply chain
Supply chain security has become a significant concern for organizations. Includes suppliers, manufacturers, distributors, and customers.
A breach at any link in the supply chain can result in business impact.
Vendor management
Many orgs are reducing the number of vendors they work with and requiring stricter onboarding procedures.
Vendors may be required to submit to an external audit and agree to strict communication and reporting requirements in event of potential breach.
Risk of "island hopping attack"
System integration
System integration partners working on systems often have privileged remote or physical access, necessitating security measures and process controls.
Potential for increased risk of insider attack
Vendor management
The practices of SCRM and vendor management overlap significantly
However, in many cases vendor management will include more activities related to operational risks.
Cloud computing involves outsourcing ongoing organizational processes and infrastructure to a service provider
Therefore, the cloud requires more continuous management activities to monitor and manage the vendor relationship
vendor assessments
Security practitioners should participate in the initial selection process for a CSP, which involves assessing security risks present in CSP and related services.
For many customers, this process will entail reviewing security reports like a SOC 2 on an annual basis after the CSP has undergone their yearly audit.
vendor lock-in risks
This assessment will require knowledge of not only the CSP's offerings but the architecture and strategy the customer organization intends to use.
Using any unique CSP offerings, such as artificial intelligence/machine learning (AI/ML) platforms, can result in a service that is dependent on that specific CSP.
vendor viability
This is often a process that is not conducted by the security team as it deals with operational risk.
Assessing the viability of vendors may involve reviews of public information like:
- financial statements
- the CSP's performance history and reputation
- or even formal reports like a SOC 1
escrow
Escrow is a legal term used when a trusted third party holds something on behalf of two or more other parties, such as source code or encryption keys.
ESCROW SCENARIO:
A software development company may wish to protect the intellectual property of their source code.
However, if they go out of business, their customers are left with an unmaintainable system.
In this scenario, an escrow provider could hold a copy of the source code and release it to customers in the event the provider is no longer in business.
Contract management
Organizations must employ adequate governance structures to monitor contract terms and performance and be aware of outages and any violations of stated agreements.
Contract Clauses
A contract clause is a specific article of related information that specifies the agreement between the contracting parties.
Some common contract clauses that should be considered for any CSP or other data service provider include the following:
- Right to audit
- Metrics
- Definitions
- Termination
- Litigation
- Assurance
- Compliance
- Access to cloud/data
right to audit
The customer can request the right to audit the service provider to ensure compliance with the security requirements agreed in the contract.
Contracts are often written to allow the CSP's standard audits (e.g., SOC 2, ISO 27001 certification) to be used in place of a customer-performed audit.
metrics
If there are specific indicators that the service provider must provide to the customer, they can be documented in a contract.
Tell you "how compliance with the agreement will be measured"
definitions
A contract is a legal agreement between multiple parties.
It is essential that all parties share a common understanding of the terms and expectations.
Defining key terms like security, privacy, and key practices like breach notifications can avoid misunderstandings.
termination
Termination refers to ending the contractual agreement.
This clause will typically define conditions under which either party may terminate the contract
May also specify consequences if the contract is terminated early.
litigation
This is an area where legal counsel must be consulted.
Agreeing to terms for litigation can severely restrict the organization's ability to pursue damages if something goes wrong.
assurance
Defining assurance requirements sets expectations for both the provider and customer.
Many contracts specify that a provider must furnish a SOC 2 or equivalent to the customer on an annual basis
compliance
Any customer compliance requirements that flow to the provider must be documented and agreed upon in the contract.
Data controllers that use cloud providers as data processors must ensure that adequate security safeguards are available for that data
access to cloud/data
Clauses dealing with customer access can be used to avoid risks associated with vendor lock-in.
cyber risk insurance
Cyber risk insurance is designed to help an organization reduce the financial impact of risk by transferring it to an insurance carrier.
In the event of a security incident, the insurance carrier can help offset associated costs, such as digital forensics and investigation, data recovery, system restoration.
It may even cover legal or regulatory fines associated with the incident.
Cyber insurance carriers are in the business of risk management and are unlikely to offer coverage to an organization lacking controls to mitigate risk.
Cyber insurance requires organizations to pay a premium for the insurance plan.
Most plans have a limit of coverage that caps how much the insurance carrier pays.
There may also be sub-limits, which cap the amount that will be paid for specific types of incidents such as ransomware or phishing.
An insurance broker can be a useful resource when investigating insurance options for your organization's circumstances, including
- the amount of coverage needed
- different types of coverage such as business interruption or cyber extortion
- security controls that the insurance carrier requires, such as MFA
Cyber risk insurance usually covers costs associated with the following:
Investigation
Costs associated with the forensic investigation to determine the extent of an incident.
This often includes costs for third-party investigators.
Direct business losses
Direct monetary losses associated with downtime or data recovery, overtime for employees, and, oftentimes, reputational damages to the organization.
Recovery costs
These may include costs associated with replacing hardware or provisioning temporary cloud environments during contingency operations.
They may also include services like forensic data recovery or negotiations with attackers to assist in recovery.
Legal notifications
Costs are associated with required privacy and breach notifications required by relevant laws.
Lawsuits
Policies can be written to cover losses and payouts due to class action or other lawsuits against a company after a cyber incident.
Extortion
The insurance to pay out ransomware demands is growing in popularity.
This may include direct payments to ensure data privacy or accessibility by the company.
Food and related expenses
Incidents often require employees to work extended hours or travel to contingency sites.
Costs associated with the incident response, including catering and lodging, may be covered, even though they are not usually thought of as IT costs!
Supply-chain management
Managing risk in the supply chain focuses on both operational risks, to ensure that suppliers are capable of providing the needed services, and security risks
The supply chain should always be considered in any business continuity or disaster recovery planning.
Proactive measures including contract language and assurance processes can be used to quantify the risks associated with using suppliers like CSPs... as well as the effectiveness of these suppliers' risk management programs.
ISO/IEC 27036-1:2021 Cybersecurity - Supplier relationships
The ISO 27000 family of standards includes a specific ISO standard dedicated to supply chain cybersecurity risk management.
ISO 27036:2021 provides a set of practices and guidance for managing cybersecurity risks in supplier relationships.
This standard is particularly useful for organizations that use ISO 27001 for building an ISMS or ISO 31000 for risk management
ISO/IEC 27036 comprises four parts, including:
Part 1: Overview and concepts
Part 2: Requirements
Part 3: Guidelines for information and communication technology supply chain security
Part 4: Guidelines for security of cloud services
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27036
"Part 1: Overview and concepts," which provides an overview and foundation for a supply chain management capability.
"Part 2: Requirements," which provides a set of best practices and techniques for designing and implementing the supply chain management function.
"Part 3: Guidelines for information and communication technology supply chain security," which is of particular concern for security practitioners, as it lays out practices and techniques specific to managing security risks in the supply chain.
"Part 4: Guidelines for security of cloud services," which is the most relevant to cloud security practitioners. This standard deals with practices and requirements for managing supply chain security risk specific to cloud computing and CSP
Additional resources focusing on supply chain worth review include:
NISTIR 8276, "Key Practices in Cyber Supply Chain Risk Management: Observations from Industry";
NIST SP 800-161, "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations";
ENISA publication "Supply Chain Integrity: An overview of the ICT supply chain risks and challenges, and vision for the way forward.", published in 2015