• A breach of the Cloud Service Provider’s infrastructure can lead to a “Hyperjacking” event whereby many customers’ data is exposed
• Examples of CSP Data Breaches:
– Google failure March 2011 deletion of 150k Gmail info
– Code Spaces goes out of business in June 2014 after AWS hack
– Google Drive breach in July 2014 hyperlink vulnerability
– Apple iCloud exposure of celebrity photos, August 2014
– Dropbox security breach in October 2014, compromising 7M user passwords held for Bitcoin (BTC) ransom
– Worcester Polytechnic Institute (WPI) claims cross-VM RSA key recovery in AWS, October 2015
– Datadog password breach for their AWS customers in July 2016
• Cloud Service Providers (CSPs) can obtain certifications attesting their compliance with security standards.
– SOC 1/SSAE 16/ISAE 3402, SOC2, SOC3 American Institute of Certified Public Accountants (AICPA) audit reports may be requested from the provider.
– International Organization for Standardization (ISO) 27001
– Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR)
– U.S. Health Insurance Portability and Accountability Act (HIPAA)
– Payment Card Industry (PCI) Data Security Standard (DSS) Level 1 service provider
– Motion Picture Association of America (MPAA)
• Consider the CSP’s position when they receive separate security questionnaires and assessments from each customer
• American Institute of Certified Public Accountants (AICPA)
– Wants to make sure organizations are using reliable and secure services that their business relies upon
– Compliance with the Sarbanes-Oxley (SOX) requirement (section 404)
• Statement on Auditing Standards No. 70 (SAS 70)
• Statement on Standards for Attestation Engagements (SSAE) 16
– American standard that replaces SAS 70
– Similar to the International standard ISAE 3402
– Service Organization Controls (SOC) 1, 2, & 3
– http://ssae16.com/SSAE16_overview.html
• U.S. Federal organizations have specialized requirements for secure cloud services.
• Civilian and DOD organizations may have to meet NIST 800-37 and DoD Information Assurance Certification and Accreditation Process (DIACAP) and Federal Information Security Management Act (FISMA) compliance.
• Cloud providers may also be required to meet US International Traffic in Arms Regulations (ITAR) compliance.
• Federal customers also need to have FIPS 140-2 security systems running in the cloud.
• Federal Risk and Authorization Management Program (FedRAMP) certified cloud providers are required.
• The OMB requires federal agencies to use FedRAMP (Federal Risk and Authorization Management Program) accredited cloud services for FIPS 199 Low and Moderate system categories (Based on FISMA and NIST 800-53 Rev3 standards)
– http://www.FedRAMP.gov
• FedRAMP established the Joint Authorization Board (JAB) to approve cloud services and monitor the process
• The JAB defines the standards by which Third Party Assessment Organizations (3PAOs) will assess the cloud providers
• Third Party Assessment Organizations (3PAOs) include: Coalfire, Kratos SecureInfo, Veris Group, among others
– https://www.fedramp.gov/marketplace/accredited-3paos/
• FedRAMP Provisional Authority To Operate (ATO) issued by the JAB (after review of security assessment package) to the federal agency consuming the cloud services
• List of FedRAMP Compliant Systems
– https://www.fedramp.gov/marketplace/compliant-systems/
• Cloud Security Alliance (CSA) is a US Federal 501(c)6 not-for-profit org, formed in late 2008, now has over 48,000 members
• Mission = “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing”
• Created “Security Guidance for Critical Areas of Focus in Cloud Computing” document
– Current version 4.0
– https://github.com/cloudsecurityalliance/CSA-Guidance
• CSA stated that the top three cloud computing threats are Insecure Interfaces and APIs, Data Loss & Leakage, and Hardware Failure.
– These three accounted for 29%, 25% and 10% of all cloud security outages respectively.
• CSA’s Top 7 Security Threats (March 2010)
– https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
1. Abuse and Nefarious Use of Cloud Computing
2. Insecure Interfaces and APIs (Application Programming Interfaces)
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile
• In February 2013, the CSA published their “The Notorious Nine” cloud computing top threats
– https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
1. Data Breaches
2. Data Loss
3. Account or Service Traffic Hijacking
4. Insecure Interfaces and APIs
5. Denial of Service (DoS)
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Vulnerabilities
• Service availability is a critical component of any cloud service
• CSPs operate within data centers that they may own and manage or colocate their systems in
• The Uptime Institute provides a “Tier Certification System” for assessing critical data center infrastructure to promote increased availability
• Data Center Site Infrastructure Tier Standard: Topology
– Tier I: Basic Site Infrastructure
– Tier II: Redundant Site Infrastructure Capacity Components
– Tier III: Concurrently Maintainable Site Infrastructure
– Tier IV: Fault Tolerant Site Infrastructure
• Check the tier rating of your current data center or cloud provider
– https://uptimeinstitute.com/TierCertification/
– https://uptimeinstitute.com/TierCertification/certMaps.php
• AWS is the market leader of IaaS public cloud services
• AWS has a scalable and highly available global infrastructure that spans multiple regions, with multiple Availability Zones (AZs) within each region (AWS Service Health Dashboard)
– http://status.aws.amazon.com/
• AWS possesses all the major security certifications and attestations
– https://aws.amazon.com/compliance/
• AWS GovCloud (US) is an isolated region that meets FedRAMP, FIPS, ITAR, FISMA, and NIST requirements
– http://aws.amazon.com/govcloud-us/
– https://aws.amazon.com/compliance/fedramp/
• You are only as secure as your EC2 Amazon Machine Images (AMIs) (manage systems with templates, not individual systems)
• It is possible to build your own secure images, save them, and reuse them for other applications and services
• You can build your image off a default AMI or import your own hardened AMI (based on your STIGs)
• Don’t store your security keys within your stored or shared (community) images
• AWS Marketplace also offers hardened images
– Buddha Labs offers hardened images (DISA STIG)
– Center for Internet Security (CIS) Benchmarks
– Anitian, DeepCyber, SteelCloud, among others
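A check to run on an image’s mounted root volume before it is saved or shared, added here as an example and not code from the original slides: it walks the filesystem and flags files that carry AWS access keys, secret keys or private-key blocks. The directory layout, file names and the AWS-documentation example credentials in the sample are constructed.

```python
import os
import re
import tempfile

# Patterns for material that must never ship inside an AMI.
# AKIA/ASIA are the documented prefixes of AWS access key IDs.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"aws_secret_access_key\s*=\s*\S{40}", re.IGNORECASE)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
# File names that deserve a look even when no pattern matches (assumed list).
SUSPECT_NAMES = {"credentials", "id_rsa", "id_ecdsa", "id_ed25519", ".bash_history"}

def scan_image_root(root):
    """Walk a mounted image filesystem; return {relative path: sorted reasons}."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = set()
            if name in SUSPECT_NAMES or name.endswith(".pem"):
                reasons.add("suspect filename")
            try:
                with open(path, "rb") as fh:  # first MiB is enough for config and key files
                    text = fh.read(1 << 20).decode("utf-8", "replace")
            except OSError:
                text = ""
            if ACCESS_KEY_RE.search(text):
                reasons.add("AWS access key ID")
            if SECRET_KEY_RE.search(text):
                reasons.add("AWS secret access key")
            if PRIVATE_KEY_RE.search(text):
                reasons.add("private key block")
            if reasons:
                findings[rel] = sorted(reasons)
    return findings

def build_sample_image():
    """Constructed stand-in for a mounted AMI root volume (sample data, not a real image)."""
    root = tempfile.mkdtemp(prefix="ami-root-")
    files = {
        # AWS's published example key pair; placeholder values, not live credentials.
        "home/ec2-user/.aws/credentials":
            "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "root/.ssh/id_rsa":
            "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n",
        "etc/motd": "Hardened base image, built from STIG template.\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, reasons in scan_image_root(build_sample_image()).items():
        print(rel, "->", ", ".join(reasons))
```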
• Virtual Private Cloud (VPC) security practices control access to the virtual networks in your AWS cloud
• VPC Flow Logs can capture IP traffic on VPC interfaces
• Carefully document your use of the Internet Gateway (IGW), Virtual Private Gateway (VGW), and Customer Gateway (CGW)
• Network Access Control Lists (NACLs) (stateless, directional)
• Security Groups (SGs) are like firewalls (fully stateful, whitelist behavior, applied to the EC2 instance)
– Put different systems into separate security groups (load balancers, web servers, databases)
• Web Application Firewall (WAF), rules deployed into CloudFront
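Added example, not code from the original slides: a parser for default-format VPC Flow Log records with two detections a security group review would want, a single external source whose flows were rejected on many destination ports, and accepted SSH/RDP flows from outside the VPC. The sample records, the ENI id, and the assumption that the VPC is addressed from RFC 1918 space are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
# Assumption: the VPC uses RFC 1918 addressing, so anything else is "external".
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def parse_flow_log(text):
    """Parse default-format records into dicts; NODATA/SKIPDATA records carry no flow."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def find_port_sweeps(records, min_ports=5):
    """External sources whose TCP flows were REJECTed on >= min_ports distinct ports."""
    rejected = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == 6 and not is_internal(r["srcaddr"]):
            rejected[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(ports) for src, ports in rejected.items() if len(ports) >= min_ports}

def accepted_admin_access(records, admin_ports=(22, 3389)):
    """ACCEPTed TCP flows from external sources to SSH/RDP: compare with the SG allowlist."""
    hits = {(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == 6
            and r["dstport"] in admin_ports and not is_internal(r["srcaddr"])}
    return sorted(hits)

# Constructed sample: one external host probing six ports (all rejected by the SG/NACL),
# one accepted external SSH session and its return flow, one internal SSH session, NODATA.
SAMPLE_LOG = "\n".join(
    [f"2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 5{p:04d} {p} 6 1 44 1460000000 1460000060 REJECT OK"
     for p in (22, 23, 80, 443, 3389, 8080)]
    + ["2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 40212 22 6 20 4249 1460000000 1460000060 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.9 22 40212 6 18 3120 1460000000 1460000060 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3d 10.0.2.8 10.0.1.25 53411 22 6 12 2100 1460000000 1460000060 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3d - - - - - - - 1460000000 1460000060 - NODATA"])
SAMPLE_RECORDS = parse_flow_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("port sweeps:", find_port_sweeps(SAMPLE_RECORDS))
    print("external admin access:", accepted_admin_access(SAMPLE_RECORDS))
```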
• Use auto-scaling policies to absorb a DDoS attack by rescaling the instance size with “Enhanced Networking” or scaling the pool of EC2 instances with ELB
• ELB can only forward sane TCP connections – SYN floods and other DDoS packets (UDP, ICMP) are dropped
• AWS CloudFront (CDN) with AWS WAF can block attacks from AWS edge locations
• AWS Route 53 can absorb DNS flooding attacks through shuffle sharding and anycast striping
• AWS offers several systems to help you manage your security
• Amazon Inspector performs an automated security assessment, compares your operations to best practices, gives you prioritized remediation steps
– https://aws.amazon.com/inspector/
• AWS Config Rules helps you monitor your resource inventory, perform change management, and monitor changes recorded by AWS Config
– https://aws.amazon.com/config/
• AWS Trusted Advisor reviews your security settings with you and provides areas for improvement (cost, HA, performance, etc.)
– Available for Business and Enterprise Support plans
– https://aws.amazon.com/premiumsupport/trustedadvisor/
• AWS security operations requires constant vigilance
• AWS CloudWatch Logs gives you visibility to your services, metrics, logs, alarms, etc. (standard 5 min. polling, detailed 1 min polling) ~10 min latency
– https://aws.amazon.com/cloudwatch/
• AWS CloudWatch Events provide near real-time changes (Events, Rules, Targets)
• AWS CloudTrail provides a detailed logging and auditing service, records API events, API call history, change tracking for compliance or forensics (encrypt the data)
– https://aws.amazon.com/cloudtrail/
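Added example, not code from the original slides: triage logic over CloudTrail records that surfaces the events a forensic review usually starts with, root credential use, trail tampering, console logins without MFA, and security group ingress opened to any address. The field names are CloudTrail’s; the records, the user names, the group id and the source addresses are constructed.

```python
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# API calls that change what CloudTrail records (assumed watch-list).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def world_open_ranges(event):
    """CIDRs in an AuthorizeSecurityGroupIngress request that admit any source address."""
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    cidrs = []
    for perm in perms:
        for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
            cidrs += [r.get(field) for r in perm.get(key, {}).get("items", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]

def triage(trail):
    """Return (eventTime, eventName, reason) for records an analyst should look at first."""
    findings = []
    for ev in trail["Records"]:
        name, when = ev["eventName"], ev["eventTime"]
        if ev.get("userIdentity", {}).get("type") == "Root":
            findings.append((when, name, "root credentials used"))
        if name in TRAIL_TAMPERING:
            findings.append((when, name, "audit trail modified"))
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append((when, name, "console login without MFA"))
        if name == "AuthorizeSecurityGroupIngress" and world_open_ranges(ev):
            findings.append((when, name, "ingress opened to 0.0.0.0/0 or ::/0"))
    return findings

# Constructed sample trail: four records, the last one routine and expected to pass.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2016-03-07T10:01:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.9",
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2016-03-07T10:02:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "sourceIPAddress": "203.0.113.9", "requestParameters": {"groupId": "sg-0123456789abcdef0",
  "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
  "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2016-03-07T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.9",
  "requestParameters": {"name": "management-events"}},
 {"eventTime": "2016-03-07T10:04:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "10.0.1.25"}
]}""")

if __name__ == "__main__":
    for when, name, reason in triage(SAMPLE_TRAIL):
        print(when, name, reason)
```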
• You can easily report abuse and vulnerabilities
– http://aws.amazon.com/contact-us/report-abuse/
– http://aws.amazon.com/security/vulnerability-reporting/
• You can’t just fire up a vulnerability scanner and start scanning your Elastic IPs
• You must obtain AWS permission to perform a port scan or vulnerability scan
• AWS has a security ecosystem whereby you can acquire additional security components to complement your public cloud (BYOL, pricing based on the EC2 instance these run on)
– Cisco, Palo Alto Networks, Check Point, Fortinet, Splunk, Alert
• Microsoft Azure has a full set of compliance certifications, including FedRAMP certified
– https://www.microsoft.com/en-us/TrustCenter/Compliance/default.aspx
• Follows their own documented Security Development Lifecycle (SDL) and Operational Security Assurance (OSA) processes
• Microsoft Azure Trust Center
– https://www.microsoft.com/en-us/TrustCenter/Security/default.aspx
• Microsoft Azure Security Center provides security visibility through a dashboard to customers, integrated with Microsoft Global Threat Intelligence
– https://azure.microsoft.com/en-us/services/security-center/
• Google Cloud Platform is a suite of IaaS CSP services that leverages their own infrastructure used for Search and YouTube, etc.
• Like other IaaS platforms this is a shared security responsibility model – the customer bears a lot of responsibility to secure their access, applications, and storage, but Google provides the tools/capability
– https://cloud.google.com/security/
• As a SaaS provider, most of the responsibility for security falls on Salesforce.com
• Salesforce.com has mature security practices throughout their company – they know the risks if there is a breach
• Key Considerations – Your Responsibilities:
– User authentication, SAML, OAuth, roles, permissions
– Data security, sharing, 3rd party tools tied into Salesforce.com data
– Programmatic security, SOAP API, Metadata API
• Methods of securing cloud storage include:
– Multi-factor authentication, SSO, federated identity management
– Audit trails, reporting and logs on file storage and access
– Role-based access controls and access policies
– Data classification marking and monitoring, DLP integration
– Encryption (customer retains the keys), data integrity, content security policies (or encrypt the files prior to storage)
– Data Dispersion
• Use a cloud storage vendor that is certified and operates secure locations, redundant systems, constant monitoring, media destruction
• Splunk is a software application for searching, monitoring and analyzing machine-generated data via a web interface – data visualization platform for IT operations, security use case
• Splunk can be used with AWS to gain additional visibility, Splunk is also integrated into Google’s cloud platform
• Splunk uses a Bring-Your-Own-License (BYOL) model on AWS Marketplace, or you can build your own
– Splunk Enterprise (HVM)
– Splunk Cloud
– Splunk Light
– Hunk (HVM) = Splunk on Hadoop
• Trend Micro Deep Security Integration with AWS
– Defend against network attacks
– Proactive intrusion prevention (IDS/IPS)
– Virtually patch software
– Keep malware off Windows and Linux workloads
– Identify and remove malware and block traffic to known bad domains
– Uncover suspicious changes
– Get alerts for unplanned or malicious changes
– Suspicious events are highlighted in the dashboard
– Speed PCI-DSS compliance
• Usage-based pricing based on AWS EC2 instance type
• Orderable on AWS Marketplace
• http://www.trendmicro.com/aws/
• CASBs provide visibility to cloud services and reveal “Shadow IT”, cloud misuse, data classification violations and data loss
• CASBs can operate in several ways:
– In-line at the security perimeter – physical or virtual appliance
– As a web-browser proxy (HTTPS inspection), cloud-based service
– As a DNS-based proxy, cloud-based service
– Software agent on user device (integration with Enterprise Mobility Management (EMM)) and IDaaS
• CASBs can enforce policies with identity, authorization/credentials, encryption, location, device profiling, logging/alerting, etc.
• Numerous CASB vendors – continued vendor consolidation will occur
• Companies want security solutions that leverage the capabilities of the cloud (reduce technical debt of security management)
• Organizations have a mobile workforce using mobile platforms to perform their work. Not all IT users are within the enterprise’s walls accessing applications in the local data center.
• Some security vendors offer subscription-based security solutions that get a threat intelligence data-feed.
– Content Filtering and Advanced Malware Protection
– Periodic Vulnerability Scanning, Web Security Assessments
– Identity and Access Management as a Service (IDaaS), Privileged Access Management (PAM)
– DDOS Mitigation in the Cloud
– SIEM in the cloud, Managed Security Service Provider (MSSP), Security
• CSA’s CCM is a gigantic spreadsheet that lists over 130 prominent control specifications across 15 control domains and relates each to pertinent cloud security standards and best practices
• Mappings for FedRAMP Low/Moderate, ISO/IEC 27001, NIST 800-53, among others
• This is a valuable resource to help remind you of all the controls to consider when operating in a cloud environment
• The CCSP Common Body of Knowledge (CBK) consists of the following six domains:
– 1 Architectural Concepts & Design Requirements
– 2 Cloud Data Security
– 3 Cloud Platform & Infrastructure Security
– 4 Cloud Application Security
– 5 Operations
– 6 Legal & Compliance
• ISO/IEC 17788 and NIST 800-145, 800-146, 500-299
• https://www.isc2.org/ccsp/default.aspx
Certified Cloud Security Professional (CCSP) – (ISC)2
2. Cloud Data Security – Concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability in cloud environments.
– Understand Cloud Data Lifecycle
– Design and Implement Cloud Data Storage Architectures
– Design and Apply Data Security Strategies
– Understand and Implement Data Discovery and Classification Technologies
– Design and Implement Relevant Jurisdictional Data Protections for Personally Identifiable Information (PII)
– Design and Implement Data Rights Management
– Plan and Implement Data Retention, Deletion, and Archiving Policies
– Design and Implement Auditability, Traceability and Accountability of Data Events
3. Cloud Platform & Infrastructure Security – Knowledge of the cloud infrastructure components, both the physical and virtual, existing threats, and mitigating and developing plans to deal with those threats.
– Comprehend Cloud Infrastructure Components
– Analyze Risks Associated to Cloud Infrastructure
– Design and Plan Security Controls
– Plan Disaster Recovery and Business Continuity Management
4. Cloud Application Security – Processes involved with cloud software assurance and validation; and the use of verified secure software.
– Recognize the need for Training and Awareness in Application Security
– Understand Cloud Software Assurance and Validation
– Use Verified Secure Software
– Comprehend the Software Development Life-Cycle (SDLC) Process
– Apply the Secure Software Development Life-Cycle
– Comprehend the Specifics of Cloud Application Architecture
– Design Appropriate Identity and Access Management (IAM) Solutions
5. Operations – Identifying critical information and the execution of selected measures that eliminate or reduce adversary exploitation of it; requirements of cloud architecture to running and managing that infrastructure; definition of controls over hardware, media, and the operators with access privileges as well as the auditing and monitoring are the mechanisms, tools and facilities.
– Support the Planning Process for the Data Center Design
– Implement and Build Physical Infrastructure for Cloud Environment
– Run Physical Infrastructure for Cloud Environment
– Manage Physical Infrastructure for Cloud Environment
– Build Logical Infrastructure for Cloud Environment
– Run Logical Infrastructure for Cloud Environment
– Manage Logical Infrastructure for Cloud Environment
– Ensure Compliance with Regulations and Controls (e.g., ITIL, ISO/IEC 20000-1)
– Conduct Risk Assessment to Logical and Physical Infrastructure
– Understand the Collection, Acquisition and Preservation of Digital Evidence
– Manage Communication with Relevant Parties
6. Legal & Compliance – Addresses ethical behavior and compliance with regulatory frameworks.
– Includes investigative measures and techniques, gathering evidence (e.g., Legal Controls, eDiscovery, and Forensics); privacy issues and audit process and methodologies; implications of cloud environments in relation to enterprise risk management.
– Understand Legal Requirements and Unique Risks within the Cloud Environment
– Understand Privacy Issues, Including Jurisdictional Variation
– Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment
– Understand Implications of Cloud to Enterprise Risk Management
– Understand Outsourcing and Cloud Contract Design
– Execute Vendor Management
• Live In-Person CBK Training Class, 5 days, $1995
• Live On-Line CBK Training Class, 5 days, $1395
• On-Demand On-Line CBK Training - $495 ($395 for CISSPs)
• The Official (ISC)2 Guide to the CCSP CBK, by Adam Gordon
– ISBN: 978-1-119-20749-8, 560 pages, November 2015
– http://www.wiley.com/WileyCDA/WileyTitle/productCd-1119207495.html
– $80, Members get 50% off with code ISC50
• Free Flash Cards On-Line
• Pearson Vue Exam
– 4 hours, 125 questions (700+/1000) - $549
• SANS SEC524 2-day in-person or on-line/self-study class, $2130
– Laptop Required, MP3 audio files of the complete course lecture
• Day 1
– Introduction to Cloud Computing
– Security Challenges in the Cloud
– Infrastructure Security in the Cloud
– Policy and Governance for Cloud Computing
– Compliance and Legal Considerations
– Disaster Recovery and Business Continuity Planning in the Cloud
• Day 2
– Risk, Audit, and Assessment for the Cloud
– Data Security in the Cloud
– Identity and Access Management (IAM)
– Intrusion Detection and Incident Response
• Final thoughts on cloud security
• Wrap-up
• Next steps
Cloud Security Summary
Resources abound to make cloud services more secure: “Learning to securely develop and use cloud services”, Network World article by Scott Hogg, March 7, 2016
http://www.networkworld.com/article/3041326/cloud-security/cloud-security-training-and-certification.html
• GTRI is an experienced cloud infrastructure solution provider helping customers securely consume cloud services
• GTRI offers a “Cloud Security Assessment” service
– Proactively: During the design and deployment phases
– Reactively: During the operational phase
• GTRI can help you manage your cloud services spending
– Analyze your cloud services and current consumption
– Help you manage the billing, visibility, cost optimization
• GTRI can help you proactively manage your physical and virtualized IT assets, reduce risks, and realize more business benefits of using cloud infrastructure