CCSP Cert Prep: 1 Cloud Concepts, Architecture, and Design

-- Cloud Concepts --
Computing services delivered to a customer in a remote location over a network

-- Cloud Computing Roles --


A) CSP
B) Customer
C) Cloud Service Partners //Provides Add-On Services
D) Cloud Access Security Broker //Provides IAM Services

-- Drivers for Cloud Computing --


A) On Demand Self Service
B) Scalable (Horizontal Scaling - Adding more servers to your pool; Vertical
Scaling - Increase Capacity of Existing Servers)
C) Elasticity //Rapidly Increase and Decrease Capacity
D) Broad Network Access
E) Measured Service //Pay only for use

-- Multitenant Computing --
//Shared Computing resources

A) Isolation //Do not see data of others


B) Multitenancy allows CSP to oversubscribe their resources //i.e.
Sold Capacity > Actual Capacity
C) Resource Pooling //CPU and Memory shared among users

-- Cost Benefit Analysis --


Make sure the items below are figured out before doing a CBA

A) Electricity
B) Data Center Facility
C) Training Costs
D) Consulting Services
E) Staff Time

Intangible benefits should also be considered during a CBA

A) Increased Productivity & Agility


B) Improved Scalability & Elasticity
C) Faster access to emerging technologies
D) Transition from Capital to OpEx

-- Virtualization --
//Host machine runs on physical hardware
//Host machines provide services to several virtualized guest machines
//Hypervisor
(Type 1 - Hypervisor runs on top of physical hardware [Most common one found in
datacenters]) //BareMetal
(Type 2 - Hypervisor runs on top of Host OS which runs on top of physical hardware
[Mostly in personal computers])
Ex: Virtualbox and Parallels

//VM Escape => Attacks attempt to break out of the guest environment
//VM Sprawl => Leads to unused and unmaintained servers

-- VDI --
Amazon Workspaces
(similar to Bomgar)
-- Cloud Compute Resources --
A) Virtualized servers run in cloud data centers
B) Cloud Storage
(Block Storage - a large chunk of hard disk drive that is partitioned into volumes) Ex: C, D
drives in laptops
(Object Storage - CSP worries about where to keep and manage the files)

//Object Storage is less expensive than Block Storage
//Object Storage is pay per use whereas Block Storage is pay for full drives.

//Block Storage can be used with Magnetic drives (slower) or upgrade to SSD
(expensive)
//Object Storage - High Availability, Archival

-- Cloud Networking --
VLAN (Virtual LAN)
VPC (Virtual Private Cloud)

-- Cloud DB --
1) Same as On-prem servers
2) Managed DB Service //Is Expensive
DbaaS
3) Cloud Native DB Platform //Maximizes performance but requires
redesigning applications

-- Cloud Orchestration --
//Automates Cloud Management

Infrastructure as Code
Cloud Orchestration solutions access resources through the vendor's API.

-- Cloud activities and the cloud reference architecture --


ISO 17789

-- Cloud Deployment Models --


A) Public Cloud
B) Private Cloud
C) Hybrid Cloud
D) Community Cloud //shared among consortium of organizations (like
college etc.)

-- Cloud Service Categories --


A) IaaS //AWS, MS Azure, Google Compute
B) PaaS //Ex: ITSP4.0
C) SaaS //Ex: Gmail

-- Security and privacy concerns in the cloud --


A) Confidentiality
B) Integrity
C) Availability
D) Privacy

All of the above can be made possible by having good SLAs.

Setup Cloud Governance Structures

-- Operational concerns in the cloud --


A) Availability
B) Performance //SLA document vendor obligations
C) Reversibility
D) Portability
E) Interoperability

-- Emerging technologies in Cloud --


A) ML and AI
B) Blockchain //Distributed, immutable ledger
C) IoT
D) Containers
E) Quantum Computing

-- Evaluating Cloud Service Providers --


A) ISO 27017 //Implementing Security Controls on Cloud
B) PCI DSS
C) Govt Security Standards
(ex: FedRAMP Program for Cloud Computing Programs)
(FIPS 140-2 approves cryptographic implementations for use on govt applications)
-----------------------------------------------------------------------------------
CCSP Cert Prep: 2 Cloud Data Security

-- Cloud Data Lifecycle --


Create => Store => Use => Share => Archive => Destroy //Stages of the
lifecycle do not always follow this order

-- Block Storage Types --


A) RAW Disk Storage (Permanent allocated storage which may exist independently on a
server)
B) Ephemeral Storage (Temporary allocated storage associated with specific instance
that is dropped once instance is stopped)

Ephemeral Storage is faster than RAW Storage
Ephemeral Storage should never be used for permanent data storage

-- Data Dispersion --
//Store data in multiple locations

SaaS and PaaS customers should investigate vendor business continuity plans for
data dispersion provisions.

-- Cloud storage security threats --


//apply the same security controls to data in the cloud as to data in the data center

A) Encryption //Encrypt data volumes


B) Access Control //Ex: Giving access to Sharepoint Site

-- Encryption --
A) Used for protecting data in transit
B) Used for protecting data at rest

-- Cryptography --
A) Encryption (Converts Information from plaintext to encrypted ciphertext)
B) Decryption (Converts ciphertext messages back to original message form)

-- Symmetric and asymmetric cryptography --


A) Symmetric Encryption Algorithms (Encryption and Decryption operations use the
same key) //shared secret key
Number of symmetric keys required = n(n-1)/2, where n = number of people
who wish to communicate
//Symmetric keys requirement increases as number of people increases

B) Asymmetric Encryption Algorithms (Encryption and Decryption operations use
different keys but keys are from the same pair) //public key encryption
//Public Key: Freely distributed to everyone with whom user would like to
communicate
//Private Key: Held in secret by user and not shared with anyone else

//Anything encrypted with one key of the pair can be decrypted with the other key
from the same pair.
//Asymmetric cryptography keys must be from same pair.

Bob (sends an encrypted message using Alice's public key) => Alice => decrypts the
message using Alice's private key

-- Goals of cryptography --
A) Confidentiality
B) Integrity
C) Authentication
D) Nonrepudiation //Possible only with asymmetric algorithms. Ex: Digital
Signature

-- Choosing encryption algorithms --


//Never try to build your own encryption algorithms
A) Length of Encryption Key //The longer your key, the more secure your
information, but the performance of the algorithm goes down with a larger key

-- Key Exchange --
1) Out-of-band Key Exchange
//use a different channel for exchanging the key,
like a F2F meeting or physical mail

2) In-Band Key Exchange
//securely exchange keys digitally
//Diffie-Hellman algorithm can be used as a key exchange mechanism for symmetric
encryption algorithms
//Elliptic Curve Diffie-Hellman is another variation

-- Key escrow --
//allows govt access to keys

-- Hardware security modules --


//cryptographic hardware

FIPS 140-2

Security Level 1 => Standard OS, no physical security
Security Level 2 => EAL2 software and firmware, tamper evident seals
Security Level 3 => EAL3 software and firmware, tamper resistant controls
Security Level 4 => EAL4 software and firmware, strict physical security

-- Public Key Infrastructure (PKI) -- //Used for asymmetric encryption
//relies on trusted certificate authorities (CA)
Ex: driver's license
Digital Certificates are identity cards of the digital world

-- Hash Functions -- //used with asymmetric cryptography for Digital Certificates and Digital Signatures
//one-way function that transforms a variable-length input to a unique fixed-length
output

Hash functions fail if they are reversible or if they generate the same output for two
different inputs (i.e. they must be collision resistant)

Types of Hash Functions:


A) MD5 (Message Digest 5 - No longer secure)
B) SHA (Secure Hash Algorithm - SHA2 and SHA3 are secure)
C) RIPEMD

//HMAC (Hash based Message Authentication Code)

-- Digital Signature --
//used with asymmetric cryptography for digital signing

//Use Private key for encryption and Public key for decryption
//Digitally signed messages do not provide confidentiality

-- Create a Digital Certificate --


X.509 Standard

-- Revoke a Digital Certificate --


A) Certificate Revocation List
B) Online Certificate Status Protocol (OCSP) //New and provides a
check

-- TLS & SSL --


TLS (Transport Layer Security)
//Encrypts network communication
TLS depends upon pairing of encryption and hash functions known as cipher suites
Session keys are also known as Ephemeral keys

SSL (Secure Sockets Layer)


//insecure predecessor to TLS. Has known security flaws

-- Securing Common Protocols --


HTTPS (Add TLS to web browsing)
SSH (For Linux based OS)
FTPS or SFTP or SCP (File Transfer)
//TFTP (Insecure Protocol)

-- De-Identification --
//removes obvious identifiers (Ex: names, SSN etc)

ZIP Code + DOB + Gender => Uniquely identifies 87% of people

HIPAA De-Identification Standard

Safe Harbor (Removal of 18 types of identifiers)

-- Data anonymization --
//removes the possibility of identification

-- Data Obfuscation --
//Transform PII into a form where it is no longer possible to tie it to an
individual person
Tools Available:
A) Hashing (Warning: vulnerable to rainbow table attacks)
B) Tokenization (Replaces sensitive fields with a random identifier)
C) Masking (Replace sensitive information)

-- Data Loss Prevention (DLP) --
//DLP is a technology which searches systems and networks to look for sensitive
information
A) Host based DLP (Uses software agents installed on a single system)
B) Network based DLP (Monitors network transmissions for sensitive information)

DLP Uses:
A) Pattern Matching
B) Watermarking (tags sensitive content and then watches for those tags in data
leaving the organization)

-- Information Classification -- (Identify, Label, Handle and dispose of sensitive information)
A) Data Mapping
//Locate Sensitive Information

Classification Level
Highly Sensitive, Sensitive, Internal, Public

//Securely dispose of information when no longer needed.

-- Data Discovery --
//Identifies stored data

1) Structured Data (Data highly organized. Ex: Relational DB)


2) Unstructured Data (Data disorganized. Ex: My Desktop)

Use Automated Tools, Manual Reviews

-- Information Rights Management --


A) Enforcing Data rights
B) Provisioning Access
C) Implementing Access Control Models

Digital Rights Management (DRM)


Ex: use of encryption for music files

-- Intellectual Property --
1) Copyrights
2) Trademarks
3) Patents
4) Trade Secrets

-- Data Security Policies --


A) Foundational authority for data security efforts
B) Clear expectations for data security responsibilities
C) Guidance for requesting access to information
D) Process for granting policy exceptions

-- Data Storage Policies --


A) Appropriate Storage Locations
B) Access Control Requirements
C) Encryption Requirements

-- Data Transmission Policies --


A) Appropriate data transmissions
B) Encryption requirements
C) Acceptable transmission mechanisms

-- Data LifeCycle Policies --


A) Retention
B) Archiving
C) Deletion

-- Electronic Discovery --
Electronic Discovery Process
Preservation => Collection => Production

Sources of Electronic Records:


A) Docs on File Servers
B) Endpoint Systems
C) Emails
D) Enterprise Systems

-- Security Event Logging --


A) Accountability (Who caused the event ?)
B) Traceability
C) Auditability

Tools such as the following are available:
Security Information and Event Management (SIEM)

-- Continuous Security Monitoring --


Define => Establish => Implement => Analyze/Report => Respond => Review/Update

-- Chain of Custody --
//provides a paper trail for evidence
-----------------------------------------------------------------------------------