
=======================================================================================

// CCSP //
=======================================================================================

// module 1 : Architectural concepts and Design Requirements //

1.1 - Traditional Managed Service Providers


Smaller organisations don't have the funds for full-time IT

1.2 - Cloud services


scalability
Mobility
Elasticity
Cost saving
Risk transfer / reduction
Reduced infrastructure
less overhead

1.3 - cloud Computing NIST SP 800-145

1.4 - Characteristics of cloud computing


Broad network access - bandwidth should be virtually unlimited
On-demand service
Resource pooling
Measured service
Rapid elasticity - ability to scale resources both up and down as needed

1.5 - 5 cloud actors


cloud service consumer
cloud service provider
cloud carrier - provides connectivity and transport of cloud services between
the CSP and the cloud service consumer
cloud service broker - middleman; provides the best deal and customized services
cloud service auditor - third-party organisation that verifies attainment of the
SLA

1.6 - cloud actors and functions (image 1)

1.7 - security risks


Shifting capital expenditure to operational expenditure
distributed - laws vary from jurisdiction to jurisdiction
Multitenant - shared physical resources make incident response, forensics and
destruction difficult
Responsibility can't be transferred - the customer is still liable to protect their
resources
privacy - the degree of privacy must be specified in the SLA (service level
agreement)
CSA - has higher requirements than the enterprise

1.8 - cloud deployment model


public - IBM, AWS, Google, Microsoft
all hardware, software, and other supporting infrastructure is
owned and managed by the cloud provider.
you share the same hardware, storage and network devices with other
organisations.
used to provide web-based email, online office applications,
storage, and testing and development environments
Advantages -
lower cost
no maintenance
unlimited scalability
high reliability
Challenges -
data security and privacy
service availability

private - computing resources used exclusively by one business or organisation


physically located at the organisation's datacenter or it can be
hosted by a third-party service provider.
government, financial or mid-to-large organisations.
advantages -
more flexibility
improved security
high scalability
Challenges -
high cost
required skill set

hybrid - combination of public and private


advantages -
control
flexibility
cost effectiveness
Challenges -
portability
interoperability

community - HIPAA compliant for health care


challenges -
complex IT governance
required skill set

1.9 - cloud service models -


SaaS - software as a service
PaaS - platform as a service
IaaS - infrastructure as a service

SaaS - email is the best example of SaaS


you access Gmail from a web server / nothing to worry about with
hardware
service level agreement with Google for Gmail
offers -
access their application and data from anywhere, anytime
reduced total cost of ownership
pay per use
elasticity
updates and patch management are
the responsibility of the provider
standardization

SaaS involves 3 main issues


data segregation - where and how data is stored
data access and policies
web application security
PaaS - support for multiple languages and frameworks allowing dev
multiple hosting environments
flexibility
automatic scalability
software development

4 main issues
system / resource isolation
user-level permissions
user access management
protection against malware

IaaS - consumer is able to deploy and run software, including applications


and OS
consumer doesn't control the infrastructure but does control the OS,
storage, deployed apps and configuration settings
offers -
usage metered and priced on the basis of units consumed
upward and downward scalability as needed
reduced TCO
reduced energy and cooling cost

IaaS issues -
VM attacks
virtual switches / network
VM-based rootkits / malicious hypervisor
single point of access (a single NIC provides access to
numerous VMs)

1.13 - Pizza as a service to explain services (image 2)

1.14 - cloud computing standards road maps


NIST SP 500-291
Interoperability
standards driven
components should be able to be replaced by new or different
components from another provider and continue to work
Availability
resources can be accessed as needed and as authorized
Security
CIA
SLA
Privacy
GLBA, HIPAA, PCI DSS

Performance
network
compute
storage
data
SLA
availability
performance
security / privacy of data
RTO/RPO
location of data
access to the data
portability of the data
support
change management
dispute mediation process
Regulatory
compliance
liability
Portability
Security
Resilience
ability to continue operating in the event of a disruption
disruption caused by power outage, equipment failure,
natural disaster
multiple layers of redundancy and fault tolerance must be
in place
Auditability
third-party assurance
allows stakeholders to review, assess and report on user and
system activity
Governance
defining the actions and assigning the responsibility
take into account risk management

1.16 - general security requirements


Cloud Security Concepts
Network Security and Perimeter
Physical and environmental security for facility and network
devices
controls must enforce the CIA
temperature between 64 to 72 degrees F
humidity between 45-55 percent
monitoring
Technical Network Security Controls
link
protocol
application layer services
Network Perimeter
considered the demarcation point, though those lines
are less clear or even non-existent (firewall)
Data state and media sanitization
Data at rest
encryption, redundancy
Data in motion (in transit)
separation/isolation, transport security, VLAN
SSL/TLS
IPsec
Data in use
protection of APIs, digital signatures and encryption,
restricted access
homomorphic encryption
Removing data remnants
Disposal of data
clearing - overwriting - renders
purging - degaussing - renders
destruction - physical destruction
crypto-shredding
cryptography
access control
Identity and access management
identity proofing (passport / licence)
account provisioning (image 3)
subject identification
user ID
account number
RFID
IP or MAC address
subject authentication
something you know
something you have
something you are
subject authorization
set the rights and privileges that a subject
is granted based upon their identity
user - group - role
auditing / accountability
account deprovisioning (SCIM - Simple Cloud
Identity Management)
privileged user management
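The crypto-shredding item under data disposal above is easiest to see in code. What follows is an added example written for these notes, not code from the CCSP material or from any vendor product: a hypothetical in-memory KeyStore stands in for a KMS/HSM, the key ID and sample plaintext are constructed, and AES-256-GCM from Go's standard library protects the data at rest. Once the key is zeroed and dropped, every record encrypted under it is unrecoverable, which is what lets a tenant's data be "destroyed" on shared media that the customer can never physically wipe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore is a hypothetical stand-in for a KMS/HSM-backed key holder.
// Key IDs and the sample data below are constructed for this example.
type KeyStore struct {
	keys map[string][]byte // key ID -> 256-bit AES data-encryption key
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Generate creates a fresh random AES-256 key under the given ID.
func (ks *KeyStore) Generate(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[id] = k
	return nil
}

// Shred is the crypto-shredding step: zero the key material and drop it.
// Every ciphertext that depended on this key is now unrecoverable, with
// no need to overwrite or degauss the storage media that holds it.
func (ks *KeyStore) Shred(id string) {
	if k, ok := ks.keys[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, id)
	}
}

// Record is what lands on the volume or object store: ciphertext, its
// nonce, and the ID of the key that protects it (never the key itself).
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

func (ks *KeyStore) gcm(keyID string) (cipher.AEAD, error) {
	k, ok := ks.keys[keyID]
	if !ok {
		return nil, errors.New("key " + keyID + " unavailable: data is cryptographically shredded")
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt protects data at rest with AES-256-GCM. The key ID is bound in
// as associated data so a record cannot be re-pointed at another key.
func (ks *KeyStore) Encrypt(keyID string, plaintext []byte) (Record, error) {
	aead, err := ks.gcm(keyID)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(keyID))
	return Record{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt fails closed: once the key is shredded there is nothing to open with.
func (ks *KeyStore) Decrypt(r Record) ([]byte, error) {
	aead, err := ks.gcm(r.KeyID)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.KeyID))
}

func main() {
	ks := NewKeyStore()
	if err := ks.Generate("tenant-a-dek"); err != nil {
		panic(err)
	}
	rec, err := ks.Encrypt("tenant-a-dek", []byte("constructed sample: customer ledger"))
	if err != nil {
		panic(err)
	}
	pt, _ := ks.Decrypt(rec)
	fmt.Printf("before shred: %q\n", pt)
	ks.Shred("tenant-a-dek")
	_, err = ks.Decrypt(rec)
	fmt.Println("after shred:", err)
}
```

In a real deployment the key lives in a KMS/HSM and shredding is a key-deletion call; the point the code makes is that the storage layer only ever holds ciphertext plus a key ID, so deleting the key is the destruction event, and every read afterwards fails closed.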

virtualization security
allows logical isolation on multi-tenant servers
Hypervisor
bare metal - cloud
software - runs on the host OS to provide virtual services
common threats
data breaches
data loss
account and service hijacking
insecure interfaces / APIs
DoS or DDoS
malicious insiders
abuse of cloud services
insufficient due diligence / due care
shared technology vulnerabilities
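The subject authorization item in the access-management notes above (rights granted based on identity, via user - group - role) is shown below as an added example written for these notes, not taken from the CCSP material: a hypothetical Policy maps users to groups, groups to roles and roles to action:resource permissions. Authorize walks that chain, denies by default, and returns a Decision recording which group/role granted access so the outcome can be audited. All user, group and role names are constructed.

```go
package main

import "fmt"

// Policy is a hypothetical user -> group -> role -> permission mapping.
// Every name in SamplePolicy is constructed for this example.
type Policy struct {
	UserGroups map[string][]string // user -> groups
	GroupRoles map[string][]string // group -> roles
	RolePerms  map[string][]string // role -> "action:resource" permissions
}

// Decision is the accountability record: what was asked, the outcome, and why.
type Decision struct {
	User, Action, Resource string
	Allowed                bool
	Via                    string // "group/role" that granted access; empty when denied
}

func SamplePolicy() Policy {
	return Policy{
		UserGroups: map[string][]string{
			"alice": {"finance"},
			"bob":   {"finance", "platform-admins"},
		},
		GroupRoles: map[string][]string{
			"finance":         {"ledger-reader"},
			"platform-admins": {"ledger-admin"},
		},
		RolePerms: map[string][]string{
			"ledger-reader": {"read:ledger"},
			"ledger-admin":  {"read:ledger", "write:ledger", "delete:ledger"},
		},
	}
}

// Authorize walks user -> groups -> roles -> permissions and denies by
// default: an unknown user, group or role yields no matching permission.
func (p Policy) Authorize(user, action, resource string) Decision {
	d := Decision{User: user, Action: action, Resource: resource}
	want := action + ":" + resource
	for _, g := range p.UserGroups[user] {
		for _, r := range p.GroupRoles[g] {
			for _, perm := range p.RolePerms[r] {
				if perm == want {
					d.Allowed, d.Via = true, g+"/"+r
					return d
				}
			}
		}
	}
	return d
}

func main() {
	p := SamplePolicy()
	for _, q := range [][3]string{
		{"alice", "read", "ledger"}, {"alice", "write", "ledger"},
		{"bob", "delete", "ledger"}, {"mallory", "read", "ledger"},
	} {
		fmt.Printf("%+v\n", p.Authorize(q[0], q[1], q[2]))
	}
}
```

Because the lookups are plain map reads, a user who was deprovisioned (removed from UserGroups) is denied on the next request without any further cleanup, which is the property account deprovisioning relies on.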

========================================********=======================================

// module 2 : Cloud data Security //

2.1 - data security life cycle


1. create
2. store
3. use
4. share
5. archive
6. destroy
Actors: who might compromise data
non-malicious insiders
malicious outsiders
external intruders
Location: where is data stored / processed / transmitted
jurisdiction
threat landscape
audit
what actors have access to data
Access:
who has access to data
what controls are in place
what devices can be used to access data

2.2 - storage architecture


IaaS -
volume storage - includes volumes / data stores attached to IaaS;
usually a virtual hard drive, provides redundancy
object storage - Dropbox; not suitable for applications like
databases
location is the primary concern in relation to regulation:
where the physical data is stored
PaaS - structured - highly organised RDBMS
unstructured - text, multimedia, email

SaaS - backend database


storage stored within the application
content is stored in object storage and then distributed
to geographically distributed nodes to improve performance

2.3 - data discovery technique


metadata - meaning of the data; describes its attributes
labels - provide logical grouping of data elements
content - analysis examines the data itself
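To make the three discovery techniques concrete, here is an added example written for these notes (not from the CCSP material): a constructed set of stored objects carrying owner-supplied labels and raw content, discovered first by label and then by content analysis. The content scan looks for runs of 13 to 19 digits and confirms each with the Luhn check, so a meeting note nobody labelled is still found, while a numeric request ID in a log file is not flagged. Object names, labels and the public test card numbers are all constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Object is a hypothetical stored item: a name, owner-supplied labels
// (metadata) and its raw content.
type Object struct {
	Name    string
	Labels  map[string]string
	Content string
}

// SampleObjects are constructed for this example; the card numbers are the
// well-known public test numbers, not real account data.
func SampleObjects() []Object {
	return []Object{
		{Name: "exports/billing.csv", Labels: map[string]string{"classification": "pci"},
			Content: "customer,pan\nacme,4111 1111 1111 1111"},
		{Name: "shared/meeting-notes.txt", Labels: map[string]string{},
			Content: "Customer called about card 5500-0000-0000-0004 being declined"},
		{Name: "logs/app.log", Labels: map[string]string{"classification": "public"},
			Content: "request id 1234567890123456 took 12ms"},
		{Name: "docs/readme.md", Labels: map[string]string{}, Content: "Install instructions"},
	}
}

// ByLabel is label-driven discovery: trust the metadata the owner attached.
func ByLabel(objs []Object, key, value string) []string {
	var hits []string
	for _, o := range objs {
		if o.Labels[key] == value {
			hits = append(hits, o.Name)
		}
	}
	return hits
}

// candidate matches 13 to 19 digits, optionally separated by spaces or dashes.
var candidate = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)

// LuhnValid applies the Luhn check-digit test to a digit string.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// FindPANs is content analysis: scan the bytes, then confirm each candidate
// with Luhn so that arbitrary numeric IDs do not raise false positives.
func FindPANs(text string) []string {
	var pans []string
	for _, m := range candidate.FindAllString(text, -1) {
		n := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if LuhnValid(n) {
			pans = append(pans, n)
		}
	}
	return pans
}

// ByContent returns the names of objects whose content holds a valid PAN,
// regardless of how (or whether) they were labelled.
func ByContent(objs []Object) []string {
	var hits []string
	for _, o := range objs {
		if len(FindPANs(o.Content)) > 0 {
			hits = append(hits, o.Name)
		}
	}
	return hits
}

func main() {
	objs := SampleObjects()
	fmt.Println("labelled pci:  ", ByLabel(objs, "classification", "pci"))
	fmt.Println("contains a PAN:", ByContent(objs))
}
```

Label discovery returns only the billing export; content discovery also surfaces the unlabelled meeting note, which is the gap a DLP or classification tool has to close, and it leaves the log file alone because its 16-digit request ID fails Luhn.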

2.5 - threats to data storage


unauthorized usage
solution -
data classification
strong authentication
encryption
data loss prevention
anti-malware
monitoring
unauthorized access
information rights management
liability due to non-compliance
trusted platform module chips
DoS and DDoS
redundancy
data retention and archival
corruption, modification, destruction of data

2.6 - CSA cloud controls matrix


Cloud Security Alliance cloud controls matrix
domains of the CCM
audit assurance and compliance
application and interface security
BCM and operational resilience
change control and configuration management
datacenter security
data security and information lifecycle management
encryption and key management
governance and risk management
HR
identity and access management
interoperability and portability
infrastructure and virtualization security
mobile security
security incident management, e-discovery, cloud forensics

threat and vulnerability management


supply chain management, transparency and accountability

Policy controls for privacy and data protection


separation of duties
training
authentication and authorisation procedures
vulnerability assessment
logging
data retention controls
secure disposal

========================================********=======================================

// module 3 : Cloud platform and infrastructure Security //

3.2 - Physical environment of the cloud infrastructure


expensive hardware
massive density of power
downtime affects all dependent businesses
redundancy on all levels is essential
power, cooling and connectivity limitations
temperature
humidity and moisture
airflow
voltage
power
smoke
video surveillance

3.3 - Network functionality


address allocation - ensuring that cloud resources are assigned IPs
statically or dynamically
access control
sufficient bandwidth allocation
filtering
routing

software defined networking


SDN architecture
directly programmable
agile
centrally managed
programmatically configured
open standard

3.5 Hypervisor
type 1
known as bare metal, embedded or native
works directly with the hardware and can monitor the overlying
guest OS
smaller and faster; primarily manages the sharing and management of
hardware
MS Hyper-V, VMware ESX

type 2
installed on top of the guest operating system
depending upon the host OS
more vulnerable
VMware Workstation, VirtualBox

Securing the hypervisor
updates to the hypervisor (centralized patch management)
restrict admin access to the management interface of the
hypervisor
protect all management communication channels using a dedicated
management network
synchronize the virtualized infrastructure to a trusted
authoritative server
disconnect unused physical hardware
disable all hypervisor services such as clipboard and file sharing
between guest OS and host OS unless they are needed
carefully monitor the hypervisor

3.7 - virtualization concerns


Inter-VM attacks
VM sprawl
hyperjacking -
installing a rogue hypervisor that can take complete control of a
host through the use of a VM-based rootkit that attacks the original hypervisor,
inserting a modified rogue hypervisor in its place

VM theft or modification
virtual patching
VLAN, firewall, IDS / IPS

Recommendations -
SLA
secure each virtualized OS, VMware vShield
encrypt VM images when not in use
segregate VMs
VA tools and services cover the virtualization technology
