Alrighty, we are wrapping up Domain Two. Remember these posts are to get you heading in the right direction. Please be sure to research the different domains and really dive into the weeds when studying for the CCSP. Stay tuned for Domain Three: Cloud Platform and Infrastructure Security!
Domain Two: Cloud Data Security (Four)
- Focus on Data Control
- Quality of Data stored
- Hash it to check for modification
- A hash of a file AKA – Message Digest
Learn about that, Hash, Yo! – https://www.howtogeek.com/67241/htg-explains-what-are-md5-sha-1-hashes-and-how-do-i-check-them/
- Digital Signatures: Provide Non-Repudiation in its purest form. They can also be used to detect malicious and accidental modification of data.
Reasons to Hash a file:
- Unreliable or insecure connection
- Detect malicious or unintentional alteration
- The receiver of the data could verify the integrity by comparing the original file hash vs. the file received
Digital Signatures – Use the Sender’s Private Key + hash = integrity
- Places a lot of overhead on the PKI infrastructure
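Added example (not from these notes or any CCSP material): a small Go program that walks through the two checks described above, the plain hash comparison a receiver does to detect modification, and the sign-with-private-key / verify-with-public-key flow that adds non-repudiation. It uses SHA-256 and Ed25519 from Go's standard library; the file content and key pair are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the hex SHA-256 message digest of data (the "hash of a file").
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Unmodified is the receiver-side check: recompute the digest of what arrived
// and compare it with the digest published alongside the original file.
func Unmodified(received []byte, publishedDigest string) bool {
	return Digest(received) == publishedDigest
}

// Sign hashes the message and signs the digest with the sender's private key.
// Ed25519 hashes internally as well; pre-hashing here just mirrors the
// "private key + hash" wording in the notes.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return ed25519.Sign(priv, sum[:])
}

// Verify checks the signature with the sender's public key. A valid result
// proves integrity and, since only the sender holds the private key, origin.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	sum := sha256.Sum256(msg)
	return ed25519.Verify(pub, sum[:], sig)
}

func main() {
	original := []byte("quarterly cloud access review\n") // constructed sample file
	tampered := []byte("quarterly cloud access review!\n")
	published := Digest(original)
	fmt.Println("hash ok on original:", Unmodified(original, published)) // true
	fmt.Println("hash ok on tampered:", Unmodified(tampered, published)) // false
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)                    // demo key pair
	sig := Sign(priv, original)
	fmt.Println("signature ok on original:", Verify(pub, original, sig)) // true
	fmt.Println("signature ok on tampered:", Verify(pub, tampered, sig)) // false
}
```

Note that a bare hash only proves the bytes match what was published; if an attacker can replace both the file and its published hash, only the signature (or a hash delivered over a trusted channel) catches it.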
Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
Note: The CCSP was initially developed by CSA and later adopted by (ISC)².
- Provides controls framework of Cloud Security and Principles Organized by Domain
- Designed to be a fundamental security principles guide for Cloud Vendors and assist potential customers.
- Provides a Map of Industry accepted \ recognized standards: ISO 27001 | 27001 | COBIT | PCI-DSS
Domains of the CCM:
- Audit Assurance and Compliance
- Application and Interface Security
- Business Continuity Management and Operational Resilience
- Change Control \ Configuration Management
- Datacenter Security & Information Life Cycle Management
- Encryption and Key Management
- Governance \ Risk Management
- Human Resources
- Identity and Access Management
- Interoperability and Portability
- Infrastructure \ Virtualization Security
- Mobile Device Management and Security
- Incident Management | E-Discovery | Cloud Forensics
- Threat and Vulnerability Management
- Supply Chain Management, Transparency, and Accountability
Policy Controls for Privacy and Data Protection
- Separation of Duties
- Training – Quarterly, Semi-Annually, Annually
- Authentication and Authorization Procedures
- Vulnerability Assessments
- Backup & Recovery: What are your RTOs and RPOs?
- Logging | Data Retention | Secure Disposal
Essential Questions to ask yourself:
What Tools do you have in place to manage your Cloud Deployment?
- How are objects created, managed, and accessed?
- Where are Standard Operating Procedures stored? How are they managed?
- Justification for why a specific CSP was chosen.
- How does data move in the Cloud?
- Auditing, SLAs evaluations, and requirements.