CCSP Domain 1 Cloud Concepts, Architecture and Design Important Area Part 1

New Year!

I did my Certified Cloud Security Professional (CCSP) 4 years back, and now it's time to give back to society. In this article, I have shared some key points that you need to understand from a Domain 1 exam standpoint.

  1. Understand Cloud Computing Concepts

    1.  Cloud Computing Definitions

      1. “Cloud computing is a model for enabling universal, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” (Source: NIST definition)

    2. Cloud Computing Roles (e.g., cloud service customer, cloud service provider, cloud service partner, cloud service broker)

      1. Cloud service customer = Who consume service
      2. Cloud service provider = Who provides service
      3. Cloud service partner = Helps organizations obtain and deploy cloud services; helps analyze business models and the user experience; advises a customer to ensure that a cloud platform is used to its full potential; works closely with providers to aggregate and integrate several cloud services for a customer
        1. Cloud service developer = Develops cloud components
        2. Cloud auditor = Performs audits
        3. Cloud broker = An entity that governs the use, performance, and delivery of cloud services, and mediates connections between cloud providers and cloud consumers
          1. There are three primary areas a cloud service broker can address in accelerating the adoption of the cloud:
            1. Service intermediation: identity management, performance reporting, and enhanced security
            2. Service aggregation: the broker combines multiple cloud services to meet consumer needs not specifically addressed by a single cloud provider (CP)
            3. Service arbitrage: the broker has the flexibility to choose services from multiple providers
      4. Cloud administrator = Implementation, monitoring, and maintenance of the cloud
      5. Cloud application architect = Adapts, ports, and deploys applications
      6. Cloud architect = Designs, develops, and manages solutions
      7. Cloud data architect = Ensures the various storage types used in a cloud environment can meet the SLA
      8. Cloud service manager = Responsible for the business agreement and pricing for the cloud customer
      9. Cloud operator = Responsible for daily operational tasks
      10. Cloud storage administrator = Mapping, bandwidth, and management of the storage volumes assigned
      11. Cloud service business manager = Oversees business and billing administration
      12. Cloud service operations manager = Prepares systems for the cloud, administers services
    3. Key Cloud Computing Characteristics (e.g., on-demand self-service, broad network access, multi-tenancy, rapid elasticity and scalability, resource pooling, measured service)

      1. There are specific characteristics that are typical of cloud computing.
        1. On-demand self-service
          1. A consumer can provision computing capabilities, such as server time and network storage, automatically as required without requiring human interaction with each service provider.
          2. Cons = Lack of governance; the key control points of traditional audit and assessment processes are missing.
        2. Broad network access
          1. Capabilities are accessible over the network and accessed through various thin or thick client platforms (e.g., mobile phones, laptops, and PDAs). Good from a BCP point of view.
          2. Cons = Data location independence complicates the verification of legal compliance.
        3. Resource pooling
          1. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
          2. Cons = Data security concerns; a degree of location independence, in that the customer generally has no control over where resources are located.
        4. Rapid elasticity
          1. Capabilities can be rapidly and elastically provisioned (scale out, scale in). From the BCP point of view, this can be a great advantage for the cloud customer: requests can be handled at any time for any users, and resource allocation can be adjusted as a customer requires more.
          2. Cons = The possibility for a cloud user to scale their resource pool out and in introduces a degree of dynamicity that makes audit and assessment more difficult.
        5. Measured service
          1. Cloud systems automatically control and optimize resource use by leveraging a metering capability (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for the provider and consumer.
    4. Building Block Technologies (e.g., virtualization, storage, networking, databases, orchestration)

      1. The building blocks of cloud computing
        1. RAM, CPU, storage, and network
        2. IaaS provides the primary building blocks of any cloud service
          1. Processing, storage, and network infrastructure upon which all cloud applications are built.
          2. In the IaaS case, the service provider supplies the server, storage, and networking hardware and its virtualization.
          3. The customer installs and runs the OSs, middleware, and applications required.
        3. Virtualization
          1. Type 1 (bare-metal hypervisor) = more secure (e.g., VMware ESXi)
          2. Type 2 (hosted on an OS) = less secure (e.g., VMware Workstation)
  2. Describe Cloud Reference Architecture

    1. Cloud Computing Activities

      1. Interoperability
        1. The ability to move or reuse components of an application so that they work together
      2. Portability
        1. Easily and seamlessly move between different cloud providers.
        2. For disaster recovery reasons, locality diversity, or high availability, for example.
        3. The best protection against vendor lock-in and vendor lock-out
      3. Availability
        1. CSPs are required to provide upward of 99.9999 percent availability as per the SLA.
      4. Security
        1. Security needs to be addressed through the contract.
        2. Nondisclosure agreements (NDAs) should be completed before engaging in active discussions.
      5. Privacy
        1. Leading providers of cloud services make provisions to ensure that data location and legislative requirements are met
      6. Resiliency
        1. Resiliency is the ability of services to recover quickly and continue operating even when there has been an equipment failure.
        2. CSPs have a significantly higher number of devices and more redundancy in place
      7. Performance
        1. Provisioning, elasticity, and other associated components should always focus on performance
      8. Governance
        1. Define actions, assign responsibilities, and verify performance
        2. Access relevant reporting, metrics, and up-to-date statistics related to usage
      9. SLAs
        1. In the SLA, the minimum levels of service, availability, security, controls, processes, communications, support, and many other crucial business elements are stated and agreed upon by both parties.
      10. Auditability
        1. Increased confidence and the ability to have evidence to support audits
      11. Regulatory Compliance
        1. Regulatory compliance is an organization’s requirement to adhere to relevant laws
    2. Cloud Service Categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

      1. IaaS
        1. Consumer can provision processing, storage, networks, and other basic computing resources, and has control over the OS, storage, and applications
        2. Key benefits
          1. Usage is metered
          2. Scale up and down
          3. Reduced energy and cooling cost
      2. PaaS
        1. Consumer does not manage or control the network, servers, OSs, or storage but has control over the deployed application
        2. Key benefits
          1. OSs can be updated by the provider
          2. Global development collaboration
          3. Running multiple languages seamlessly
      3. SaaS
        1. Consumer does not manage the network, servers, operating systems, storage, or application but has control over limited application configuration
        2. Key benefits
          1. Limited administration, requiring limited skills
          2. Automatic updates, so patching is not a concern for the customer
          3. Global access
    3. Cloud Deployment Models (e.g., public, private, hybrid, community)

      1. Public
        1. Easy and inexpensive
        2. Easy to provision
        3. The customer of a public cloud service has less control and oversight of physical and logical security
      2. Private
        1. Build a private cloud = end-to-end cost is involved
        2. Buy a private cloud = pay for consumption (e.g., an Amazon private cloud)
        3. Security management and day-to-day operation of hosts are relegated to internal IT or to a third party with contractual SLAs.
      3. Hybrid
        1. Combination of any two deployment models
        2. Used for BCP and cloud bursting
        3. An effective contract plays a key role between the private and public cloud
        4. Data portability needs to be reviewed
        5. Retain ownership of critical and sensitive data
      4. Community
        1. Infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.)
        2. The best example of a community cloud is IBCC
    4. Impact of Related Technologies (e.g., machine learning, artificial intelligence, blockchain, Internet of Things (IoT), containers, quantum computing)
      1. See the linked resource for the above topic
  3. Understand Security Concepts Relevant to Cloud Computing

    1. Cryptography and Key Management

      1. Cryptography is an essential technology for securing cloud operations
      2. Securing the Cloud
      3. Multitenancy is the biggest concern customers face in the cloud, and the solution is encryption
      4. To protect sensitive data within a cloud system, it is necessary to use cryptographic techniques and cryptographic keys.
      5. Encryption and segregation of duties should always go hand in hand
      6. Key management should be separated from the provider hosting the data
      7. Key management approaches
        1. Remote key management = Centralized
          1. The customer maintains the KMS on-premises, but it is controlled by the cloud provider
          2. Ideally used in the IaaS case
          3. Latency issues can interrupt the encryption procedure
          4. The cloud provider uploads encrypted content to cloud storage and later pulls that encrypted content for computation, which requires access to the on-premises KMS
        2. Client-side key management = Decentralized
          1. The KMS is maintained on the customer’s premises, where the customer generates, holds, and retains the keys.
          2. Ideally used in the SaaS case
          3. The cloud provider does not hold keys, has minimal knowledge of users, cannot decrypt customer data, and facilitates the storage of encrypted data
    2. Access Control

      1. IAM = Within cloud environments, services should include strong authentication mechanisms for validating users’ identities and credentials
      2. Phases
        1. Provisioning and deprovisioning
          1. User provisioning aims to standardize, streamline, and create an efficient account creation process
          2. Deprovisioning = mitigates scope creep
        2. Centralized directory services
          1. Active Directory and LDAP
        3. Privileged user management
          1. Managing privileged access accounts
          2. Enforce least privilege and need to know
          3. Segregation of duties can form an extremely effective mitigation and risk reduction
        4. Authentication and access management
          1. Access management is focused on the manner and way in which users can access required resources, based on their required credentials
    3. Data and Media Sanitization (e.g., overwriting, cryptographic erase)

      1. Crypto erase is an effective technique to destroy data in the cloud
      2. Data overwriting is not an effective technique
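As an added example (not code from the original post), the client-side key management approach described under Cryptography and Key Management, carried through to the crypto erase mentioned here: the customer generates a per-object key on its own premises, encrypts with AES-256-GCM before anything reaches the provider, and destroys the key to shred the data. CustomerKMS, Seal, Open and Shred are hypothetical names and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CustomerKMS (hypothetical name) stands in for a key store kept on the
// customer's own premises; the cloud provider only ever receives ciphertext.
type CustomerKMS map[string][]byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal: fresh 256-bit key per object, AES-GCM locally, nonce||ciphertext out.
func (k CustomerKMS) Seal(objectID string, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 32+12) // key plus the standard 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	k[objectID] = key
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob fetched back from the provider; it fails once the key is gone.
func (k CustomerKMS) Open(objectID string, blob []byte) ([]byte, error) {
	key, ok := k[objectID]
	if !ok {
		return nil, errors.New("no key: object shredded or never sealed")
	}
	aead, err := newGCM(key)
	if err != nil || len(blob) < 12 {
		return nil, errors.New("bad key or blob")
	}
	return aead.Open(nil, blob[:12], blob[12:], nil)
}

// Shred is the crypto-erase step: zero and forget the key; every ciphertext replica the provider keeps is now unreadable.
func (k CustomerKMS) Shred(objectID string) {
	for i := range k[objectID] {
		k[objectID][i] = 0
	}
	delete(k, objectID)
}

func main() {
	kms := CustomerKMS{}
	blob, _ := kms.Seal("invoice-42", []byte("constructed sample record"))
	kms.Shred("invoice-42")
	_, err := kms.Open("invoice-42", blob)
	fmt.Println("after shred:", err)
}
```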
    4. Network Security (e.g., network security groups)

      1. Network security groups act as a virtual firewall for your instances
      2. A network security group (NSG) carries a list of security rules that allow or deny network traffic to resources connected to the instance
      3. A network security group (NSG) provides a virtual firewall for a collection of cloud resources with the same security posture, e.g., a group of instances that all perform the same tasks and thus all need to use the same range of ports.
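An added illustration (not from the original post and not any provider's API) of how an NSG is evaluated: one priority-ordered rule list shared by a group of instances, first match wins, and anything unmatched falls to the implicit deny. Rule, NSG, Evaluate and OverlyPermissive are hypothetical names; the two rule sets are constructed, one with a weak SSH-from-anywhere rule and one with SSH restricted to a management subnet.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Rule mirrors one NSG entry; lower Priority is evaluated first and the first match decides. Names are hypothetical.
type Rule struct {
	Name           string
	Priority       int
	Source         netip.Prefix // who may send
	PortLo, PortHi int          // destination port range, inclusive
	Allow          bool         // false = explicit deny
}

// NSG is one rule list shared by every instance with the same posture.
type NSG []Rule

// Evaluate answers "may src reach port?" the way an NSG does: walk rules in
// priority order (sorted in place); no match means the implicit default deny.
func (g NSG) Evaluate(src netip.Addr, port int) (string, bool) {
	sort.Slice(g, func(i, j int) bool { return g[i].Priority < g[j].Priority })
	for _, r := range g {
		if r.Source.Contains(src) && port >= r.PortLo && port <= r.PortHi {
			return r.Name, r.Allow
		}
	}
	return "DefaultDenyInbound", false
}

// OverlyPermissive flags allow rules that open admin ports (22, 3389) to any
// source: the most common finding in an NSG review.
func (g NSG) OverlyPermissive() []string {
	var bad []string
	for _, r := range g {
		anySource := r.Source.Bits() == 0
		adminPort := (r.PortLo <= 22 && 22 <= r.PortHi) || (r.PortLo <= 3389 && 3389 <= r.PortHi)
		if r.Allow && anySource && adminPort {
			bad = append(bad, r.Name)
		}
	}
	return bad
}

// WebTierNSG is a constructed sample shared by three web instances; its second rule is the weak one.
var WebTierNSG = NSG{
	{"AllowHTTPS", 100, netip.MustParsePrefix("0.0.0.0/0"), 443, 443, true},
	{"AllowSSHAnywhere", 200, netip.MustParsePrefix("0.0.0.0/0"), 22, 22, true},
}

// HardenedNSG is the corrected set: SSH only from the management subnet.
var HardenedNSG = NSG{
	{"AllowHTTPS", 100, netip.MustParsePrefix("0.0.0.0/0"), 443, 443, true},
	{"AllowSSHFromMgmt", 200, netip.MustParsePrefix("10.0.100.0/24"), 22, 22, true},
}

func main() {
	for _, ip := range []string{"203.0.113.7", "10.0.100.5"} {
		rule, ok := HardenedNSG.Evaluate(netip.MustParseAddr(ip), 22)
		fmt.Printf("%s -> :22 allowed=%v (%s)\n", ip, ok, rule)
	}
	fmt.Println("findings:", WebTierNSG.OverlyPermissive())
}
```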
    5. Virtualization Security (e.g., hypervisor security, container security)

      1. Virtualization security
        1. Type 1 = significantly reduces the attack surface (e.g., ESXi)
        2. Type 2 = OS-based, so it is more of a target for attackers (e.g., VMware Workstation)
      2. Container security
        1. A container is a virtual execution environment that features isolated userspace but uses a shared kernel.
        2. Software container systems include three key components:
          1. the container
          2. the orchestration and scheduling controller
          3. the code to execute.
        3. Container security: see the linked resource for more details
    6. Common Threats

      1. Data Breaches
      2. Data Loss
      3. Account or Service Traffic Hijacking
      4. Insecure Interfaces and APIs
      5. Denial of Service
      6. Malicious Insiders
      7. Abuse of Cloud Services
      8. Insufficient Due Diligence
      9. Shared Technology Vulnerabilities
  4. Understand the Design Principles of Secure Cloud Computing

    1. Cloud Secure Data Lifecycle
      1. Create = Classification occurs
      2. Store = Encryption at rest
      3. Use = Usage of DRM with DLP
      4. Share = Usage of SSL and TLS
      5. Archive = Retain as per policy
      6. Destroy = Crypto-shredding occurs
    2. Cloud-based Disaster Recovery (DR) and Business Continuity (BC) planning
      1. See the linked resource for review
    3. Cost-Benefit Analysis: cost is the key driver for cloud adoption, but other factors matter too
      1. Resource pooling
      2. Shift from CapEx to OpEx
      3. Factor in time and efficiencies
      4. Include depreciation
      5. Reduction in maintenance and configuration time
      6. Shift in focus
      7. Utility costs
      8. Software and licensing costs
      9. Pay per usage
      10. (Source: CCSP CBK)
    4. Functional Security Requirements (e.g., portability, interoperability, vendor lock-in)
      1. Vendor Lock-In
        1. Where a customer may be unable to leave, migrate, or transfer to an alternate provider because of technical or nontechnical restrictions
        2. Solution
          1. Favorable contract
          2. Portable data format
      2. Vendor Lock-Out
        1. Where the vendor exits the market
    5. Security Considerations for Different Cloud Categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
      1. IaaS Security
        1. VM attacks
          1. If a VM is compromised, other VMs on the same physical server can be attacked from it
        2. Virtual network
          1. The virtual network contains the virtual switch software
        3. Hypervisor attacks
          1. Flaw in the hypervisor
          2. VM escape
        4. VM-based rootkits
          1. The rootkit acts by inserting a malicious hypervisor on the fly or modifying the installed hypervisor to gain control over the host workload
        5. Virtual switch attacks
          1. Modification of the virtual switch’s configuration
        6. Colocation
          1. Increases the attack surface and the risk of VM-to-VM or VM-to-hypervisor compromise
          2. When a physical server is off, it is safe from attacks.
        7. DoS attack
          1. DoS attacks in a virtual environment form a critical threat to VMs along with all other dependent and associated services.
      2. PaaS Security
        1. System and Resource Isolation
          1. Limits the chance and likelihood of configuration or system changes affecting multiple tenants
        2. User-Level Permissions
          1. Effective implementation of different and common permissions can yield significant benefits when implemented across multiple applications within the cloud environment.
        3. User Access Management
          1. Key components
            1. Intelligence
            2. Administration
            3. Authentication
            4. Authorization
        4. Protection Against Malware, Backdoors, and Trojans
          1. Code reviews and other software development lifecycle checks are necessary to ensure that the likelihood of malware, backdoors, Trojans, and other potentially harmful vectors is reduced significantly.
      3. SaaS Security
        1. Data Segregation
        2. Data Access and Policies
        3. Web Application Security
  5. Evaluate Cloud Service Providers

    1. Verification Against Criteria (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27017, Payment Card Industry Data Security Standard (PCI DSS))
      1. PCI DSS
        1. The PCI DSS 12 requirements are as follows: (Must Read)
          1. Install and maintain a firewall configuration to protect cardholder data.
          2. Do not use vendor-supplied defaults for system passwords and other security parameters.
          3. Protect stored cardholder data.
          4. Encrypt transmission of cardholder data across open, public networks.
          5. Use and regularly update antivirus software.
          6. Develop and maintain secure systems and applications.
          7. Restrict access to cardholder data by business need-to-know.
          8. Assign a unique ID to each person with computer access.
          9. Restrict physical access to cardholder data.
          10. Track and monitor all access to network resources and cardholder data.
          11. Regularly test security systems and processes.
          12. Maintain a policy that addresses information security.
      2. ISO/IEC 27017 (Must Know)
        1. ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services.
        2. ISO/IEC 27017 provides cloud-based guidance on 37 ISO/IEC 27002 controls, along with seven new cloud controls that address:
          1. Who is responsible for what between the cloud service provider and the cloud customer
          2. The removal/return of assets when a contract is terminated
          3. Protection and separation of the customer’s virtual environment
          4. Virtual machine configuration
          5. Administrative operations and procedures associated with the cloud environment
          6. Customer monitoring of activity within the cloud
          7. Virtual and cloud network environment alignment
    2. System/subsystem Product Certifications (e.g., Common Criteria (CC), Federal Information Processing Standard (FIPS) 140-2)
      1. To identify a trusted cloud provider, validate its certifications
        1. Common Criteria
          1. also called ISO 15408
          2. Common Criteria Key Concepts
            1. Target of Evaluation (TOE) – The device or system to be reviewed for CC certification.
            2. Protection Profile (PP) – Template used to define a standard set of security requirements
            3. Security Target (ST) – Explicitly stated set of requirements specific to the capabilities of the product under evaluation.
            4. Evaluation Assurance Levels (EAL) – Used to define how the product is tested and how thoroughly. These levels are scaled from 1 to 7, with 7 being the highest level and 1 the lowest.
        2. FIPS
          1. FIPS 140-2 validated certification was established to aid in the protection of digitally stored unclassified, yet sensitive, information.
          2. Federal Information Processing Standards (FIPS) are publicly announced standards developed by the National Institute of Standards and Technology for use in computer systems by non-military American government agencies and government contractors
          3. FIPS security levels
            1. Level 1 = Lowest level of security.
            2. Level 2 = Specifies the security requirements for cryptographic modules that protect sensitive information. (Important to remember)
            3. Level 3 = Requires physical protection methods to ensure a high degree of confidence that any attempts to tamper are evident and detectable
            4. Level 4 = Provides the highest level of security and tamper detection

6 thoughts on “CCSP Domain 1 Cloud Concepts, Architecture and Design Important Area Part 1”

  1. Very nicely summarized to be easily understood. Great thanks!
    Looking forward to the other domains being posted. 🙂

  2. Spell check under Vendor lock-in Solution. Point no. 2 should read “Portable Data format” instead of Portal data.
