As promised, here is the wrap-up of CCSP Domain One: Architectural Concepts and Design Requirements (Part Two). Stay tuned: Domain Two, Cloud Data Security, will follow soon. I hope you enjoy it and that it helps get your organization one step closer to cloud security.
Domain One: Architectural Concepts and Design Requirements (Part Two)
Removing Data Remnants
- Clearing \ Overwriting – overwriting the data so that it cannot be recovered by standard means (the operating system and ordinary file-recovery tools). Laboratory recovery may still be possible.
- Purging \ Degaussing – rendering the data unrecoverable even with laboratory techniques. Think multiple overwrite passes, or demagnetizing a hard drive. Caveat: degaussing only works on magnetic media, and overwriting is unreliable on SSDs because of wear levelling and over-provisioning; for flash media use the drive's built-in secure erase or cryptographic erase.
- Destruction – physical destruction of the media (shredding, pulverizing, incineration, disintegration) so it can never be reused.
- Crypto Shredding if the Data is Stored in the Cloud – encrypting the data with a strong, publicly vetted algorithm (e.g., AES-256) and then destroying every copy of the encryption key. You cannot reach the CSP's disks, so the key is the one thing you control. It only works if the data was encrypted before it was ever written to the provider and the key was never copied into backups, escrow, or logs.
Note: Before subscribing to a CSP, learn about its data retention, removal, and migration options. Avoid CSP-proprietary formats if at all possible; they make both migration and verified deletion harder.
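To make crypto shredding concrete, here is an added Go example (mine, not code from the original post or from any CSP). Data is encrypted under a data-encryption key held in a key slot, and "deletion" is overwriting and dropping that key: the ciphertext can stay in the provider's backups forever and is still unrecoverable. The KeyStore type is a hypothetical stand-in for a KMS or HSM slot, the record text is constructed sample data, and AES-256-GCM comes from Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDestroyed is returned once the data-encryption key has been shredded.
var ErrKeyDestroyed = errors.New("data-encryption key has been destroyed")

// KeyStore is a hypothetical stand-in for the KMS/HSM slot that would hold
// the data-encryption key in a real deployment.
type KeyStore struct {
	key []byte // nil once shredded
}

// NewKeyStore generates a fresh random 256-bit AES key.
func NewKeyStore() (*KeyStore, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyStore{key: k}, nil
}

// Shred overwrites the key material in memory and drops the reference.
// Everything encrypted under the key is unrecoverable from this point on.
func (ks *KeyStore) Shred() {
	for i := range ks.key {
		ks.key[i] = 0
	}
	ks.key = nil
}

func (ks *KeyStore) aead() (cipher.AEAD, error) {
	if ks.key == nil {
		return nil, ErrKeyDestroyed
	}
	block, err := aes.NewCipher(ks.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag under AES-256-GCM.
func (ks *KeyStore) Encrypt(plaintext []byte) ([]byte, error) {
	gcm, err := ks.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails once the key is gone, and also if the
// blob was tampered with, because GCM authenticates the ciphertext.
func (ks *KeyStore) Decrypt(blob []byte) ([]byte, error) {
	gcm, err := ks.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	ks, err := NewKeyStore()
	if err != nil {
		panic(err)
	}
	blob, _ := ks.Encrypt([]byte("customer record 4711")) // constructed sample data
	pt, _ := ks.Decrypt(blob)
	fmt.Printf("before shred: %q\n", pt)

	ks.Shred() // the "deletion": the blob itself may live on in the CSP's backups
	if _, err := ks.Decrypt(blob); err != nil {
		fmt.Println("after shred:", err)
	}
}
```

In a real deployment the data-encryption key is itself wrapped by a KMS key, so destroying the KMS key shreds every data key under it at once. Check how your KMS actually deletes keys before relying on this: most cloud KMS services schedule deletion with a waiting period rather than destroying the key immediately, and a key that can be restored has not been shredded.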
Identity and Access Management
Access Control – controlling a subject's ability to interact with a network entity or object.
- Subjects include people, processes, and the infrastructure used to manage the IT environment and its resources.
- The identity of a person or entity must be verified before access is granted.
- The most common model is RBAC (Role-Based Access Control): users are limited to the resources their defined scope of responsibility requires.
Note: Subjects are active, objects are passive. Stay aware of privilege creep (users accumulating rights as their roles change, without old rights being revoked).
Steps of IAM:
- Proof of identification – proving you are who you say you are.
- Each subject's identifier must be unique.
Note: Typical proofing documents: government-issued ID, passport, birth certificate, Social Security card.
- Account Creation \ Provisioning – should be consolidated in a single source, a one-stop shop for all required accounts and privileges.
Note: Enforce a standard naming convention (e.g., firstname.lastname), and the account name should not reveal the holder's role or responsibilities. Remember that an ID by itself is easily spoofed; only authentication binds it to a person.
- Discretionary provisioning – access is decided case by case by administrators.
- Self-service – done through an online portal; users manage their own passwords, and accounts are created based on role. Eliminates administrative overhead.
- Workflow-based – all required documentation is gathered and reviewed, then signed off by a granting authority.
- Automated – mandatory centralized account creation through one standard application or designated tool.
Note: Typically each CSP exposes its own API (Application Programming Interface). It is recommended to build one enterprise provisioning API or connector layer that integrates with multiple SaaS providers, rather than coding against each provider separately.
- SPML – Service Provisioning Markup Language – deprecated (an older OASIS standard that few vendors still support).
- SCIM – System for Cross-domain Identity Management (originally Simple Cloud Identity Management) – an open standard that defines a common user and group schema (RFC 7643) and a REST API (RFC 7644) for provisioning across multiple tenants and CSPs.
Note: Avoid proprietary APIs if at all possible.
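What a SCIM provisioning request and the matching deprovisioning request look like on the wire, as an added Go example (mine, not from the original post or any identity vendor). It also enforces the firstname.lastname convention and rejects IDs that reveal a role, as the note above asks. The schema URIs are the real SCIM 2.0 ones; the role-word list and the user "Jane Doe" are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// SCIM 2.0 schema URIs (RFC 7643 for the User resource, RFC 7644 for PatchOp).
const (
	SchemaUser    = "urn:ietf:params:scim:schemas:core:2.0:User"
	SchemaPatchOp = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
)

// userNameRe enforces the firstname.lastname naming convention.
var userNameRe = regexp.MustCompile(`^[a-z]+\.[a-z]+$`)

// roleWords are tokens that would reveal responsibility through the ID itself
// (a constructed list for this example; extend it for your organization).
var roleWords = map[string]bool{"admin": true, "root": true, "dba": true, "svc": true, "finance": true}

// ValidateUserName checks the naming standard and rejects role-revealing IDs.
func ValidateUserName(name string) error {
	if !userNameRe.MatchString(name) {
		return fmt.Errorf("userName %q does not match firstname.lastname", name)
	}
	for _, token := range strings.Split(name, ".") {
		if roleWords[token] {
			return fmt.Errorf("userName %q reveals role information (%q)", name, token)
		}
	}
	return nil
}

// User is the subset of the SCIM core User resource used here.
type User struct {
	Schemas  []string `json:"schemas"`
	UserName string   `json:"userName"`
	Name     struct {
		GivenName  string `json:"givenName"`
		FamilyName string `json:"familyName"`
	} `json:"name"`
	Active bool `json:"active"`
}

// ProvisionRequest builds the JSON body for POST /Users on the SCIM endpoint.
func ProvisionRequest(given, family string) ([]byte, error) {
	userName := strings.ToLower(given + "." + family)
	if err := ValidateUserName(userName); err != nil {
		return nil, err
	}
	u := User{Schemas: []string{SchemaUser}, UserName: userName, Active: true}
	u.Name.GivenName, u.Name.FamilyName = given, family
	return json.MarshalIndent(u, "", "  ")
}

// PatchOp is one operation inside a SCIM PatchOp message.
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path,omitempty"`
	Value interface{} `json:"value"`
}

// DeprovisionRequest builds the JSON body for PATCH /Users/{id}. The account
// is disabled (active=false) rather than deleted, so audit history and the
// ownership of objects the user created survive; the hard delete
// (DELETE /Users/{id}) is a separate, later step once retention rules allow.
func DeprovisionRequest() ([]byte, error) {
	msg := struct {
		Schemas    []string  `json:"schemas"`
		Operations []PatchOp `json:"Operations"`
	}{
		Schemas:    []string{SchemaPatchOp},
		Operations: []PatchOp{{Op: "replace", Path: "active", Value: false}},
	}
	return json.MarshalIndent(msg, "", "  ")
}

func main() {
	body, err := ProvisionRequest("Jane", "Doe")
	if err != nil {
		panic(err)
	}
	fmt.Printf("POST /Users\n%s\n\n", body)
	if _, err := ProvisionRequest("Jane", "Admin"); err != nil {
		fmt.Println("rejected:", err)
	}
	patch, _ := DeprovisionRequest()
	fmt.Printf("PATCH /Users/{id}\n%s\n", patch)
}
```

Because every SaaS provider that speaks SCIM accepts these same two bodies, the enterprise connector only has to learn each provider's base URL and bearer token, which is the whole point of avoiding proprietary provisioning APIs.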
- Ensure MFA is in use (e.g., password + OTP). This enforces identification and authentication using at least two different factor types; a password plus a security question is two factors of the same type and is not MFA.
Note: Three types of authentication factors:
- Type 1 – something you know (password, PIN)
- Type 2 – something you have (hardware token, authenticator app, smart card)
- Type 3 – something you are (fingerprint, iris, face)
- Authorization – you have been authenticated, but what you may do is limited by role and responsibility (least privilege).
- Auditing and Accountability – think log collection (syslog), correlation and alerting. Failed logins must be logged and reviewed, and there must be defined actions and repercussions should an event occur.
- Account Deletion \ Deprovisioning – how long should an account be maintained? What are the deletion procedures? How many accounts does the user have? How do you verify that the account has been removed and all access (including API keys, tokens and shared credentials) has been revoked?
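What the OTP in "password + OTP" actually is, as an added Go example (mine, not from the original post): RFC 4226 HOTP and RFC 6238 TOTP over HMAC-SHA1, with a verifier that tolerates one 30-second step of clock skew and compares codes in constant time. The secret used is the public RFC test vector, not a real one; real secrets are generated randomly per user at enrolment, and because they must be stored reversibly they need stronger protection than a password hash.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStep   = 30 // seconds per time step (RFC 6238 default)
	totpDigits = 6  // digits shown to the user
)

// HOTP computes an RFC 4226 HOTP-SHA1 code for one counter value.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, code%mod)
}

// TOTP is HOTP with the counter derived from the clock (RFC 6238).
func TOTP(secret []byte, at time.Time) string {
	return HOTP(secret, uint64(at.Unix()/totpStep))
}

// VerifyTOTP accepts the code for the current step and one step either side to
// tolerate clock skew. It compares in constant time and does not return early
// on a match, so timing reveals neither matching digits nor which step hit.
func VerifyTOTP(secret []byte, code string, at time.Time) bool {
	counter := at.Unix() / totpStep
	matched := 0
	for d := int64(-1); d <= 1; d++ {
		if counter+d < 0 {
			continue
		}
		matched |= subtle.ConstantTimeCompare([]byte(HOTP(secret, uint64(counter+d))), []byte(code))
	}
	return matched == 1
}

func main() {
	// The RFC 4226/6238 test secret, not a real one; real secrets are random per user.
	secret := []byte("12345678901234567890")
	fmt.Println("code for RFC test time 59:", TOTP(secret, time.Unix(59, 0)))
	now := time.Now()
	code := TOTP(secret, now)
	fmt.Println("current code:", code, "verifies:", VerifyTOTP(secret, code, now))
}
```

A verifier like this must also remember the last counter it accepted for each user and refuse anything at or below it; otherwise an attacker who shoulder-surfs a code can replay it for the rest of the step.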
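For the auditing and accountability step, an added Go example (mine, not from the original post) of the detection logic a log-alerting rule would run over syslog: it parses sshd "Failed password" lines and raises one alert per source address that exceeds a threshold of failures inside a sliding time window. The log lines are constructed samples, not a real capture, and the threshold and window are illustrative.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample sshd syslog lines (not a real capture).
const sampleLog = `Mar 10 08:00:01 bastion sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar 10 08:00:03 bastion sshd[4022]: Failed password for root from 198.51.100.23 port 51236 ssh2
Mar 10 08:00:05 bastion sshd[4023]: Failed password for invalid user oracle from 198.51.100.23 port 51238 ssh2
Mar 10 08:00:06 bastion sshd[4024]: Accepted publickey for jane.doe from 203.0.113.7 port 40022 ssh2
Mar 10 08:00:08 bastion sshd[4025]: Failed password for invalid user test from 198.51.100.23 port 51240 ssh2
Mar 10 08:00:09 bastion sshd[4026]: Failed password for jane.doe from 203.0.113.7 port 40024 ssh2
Mar 10 08:00:10 bastion sshd[4027]: Failed password for root from 198.51.100.23 port 51242 ssh2
Mar 10 09:30:00 bastion sshd[5100]: Failed password for root from 198.51.100.23 port 51300 ssh2`

// failedRe captures timestamp, attempted user and source address of a failure.
var failedRe = regexp.MustCompile(`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port`)

// Alert is what would be forwarded to the on-call channel or ticketing system.
type Alert struct {
	Source string
	Count  int      // failures inside the window when the alert fired
	Users  []string // every username tried from this source so far, sorted
	Window time.Duration
}

// DetectBruteForce returns one alert per source whose failures reach threshold
// within any window-sized span of time. Lines are assumed to be in time order.
func DetectBruteForce(logText string, threshold int, window time.Duration) []Alert {
	type state struct {
		times   []time.Time
		users   map[string]bool
		alerted bool
	}
	perSource := map[string]*state{}
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := failedRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not a failed login
		}
		ts, err := time.Parse(time.Stamp, m[1]) // syslog timestamps carry no year
		if err != nil {
			continue
		}
		user, src := m[2], m[3]
		st := perSource[src]
		if st == nil {
			st = &state{users: map[string]bool{}}
			perSource[src] = st
		}
		st.users[user] = true
		st.times = append(st.times, ts)
		// Slide the window: drop failures older than window before this one.
		for len(st.times) > 0 && ts.Sub(st.times[0]) > window {
			st.times = st.times[1:]
		}
		if len(st.times) >= threshold && !st.alerted {
			st.alerted = true
			users := make([]string, 0, len(st.users))
			for u := range st.users {
				users = append(users, u)
			}
			sort.Strings(users)
			alerts = append(alerts, Alert{Source: src, Count: len(st.times), Users: users, Window: window})
		}
	}
	return alerts
}

func main() {
	for _, a := range DetectBruteForce(sampleLog, 5, 5*time.Minute) {
		fmt.Printf("ALERT: %d failed logins from %s within %s, users tried: %v\n",
			a.Count, a.Source, a.Window, a.Users)
	}
}
```

The single failure from 203.0.113.7 (a real user mistyping a password right after a successful key login) stays below the threshold, while the spray of generic usernames from 198.51.100.23 fires once and is not re-alerted on every later attempt. Tune the threshold and window per system; a bastion exposed to the internet needs different numbers from an internal jump host.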
Virtualization
- The abstraction of physical resources via a hypervisor so that multiple systems (VMs) can be deployed on one physical host. The hypervisor creates logical separation between the VMs.
- If an attacker breaches one virtual machine, what prevents them from moving east-west and compromising the other VMs on the same host? Only the isolation the hypervisor and the virtual network enforce.
- Securing the hypervisor is a must. Hypervisor security is the responsibility of the CSP; see the SLA, or reach out to the CSA and your cloud broker to learn more about the CSP's security measures.
- Type 1 – runs directly on the hardware (bare metal). Examples: VMware ESXi, Xen, Citrix XenServer.
- Type 2 – runs on top of a host OS to provide virtualization. Examples: VMware Workstation, VMware Fusion, VirtualBox.
Common Threats within the Cloud
- Data breaches, data loss, and loss of integrity (integrity meaning the data was modified without the data owner knowing).
- Ransomware and MitM (man-in-the-middle) attacks.
- (Distributed) Denial of Service attacks.
- Bad actors – malicious insiders (employees) or outsiders attempting social engineering.
- Improper use or maintenance of cloud services (see the SLA for who is responsible for what).
- Failure of due care \ due diligence.
- Shared hardware and services among multiple tenants (isolation failures between tenants).