Cloud Note

Uploaded by Sam Chan

Cloud Characteristics:
- Broad Network Access
- Rapid Elasticity
- Measured Service
- On-Demand Self Service
- Resource Pooling
Australia:
- Privacy Act of 1988 (Privacy Act)
  - 13 Australian Privacy Principles (APPs): apply to all private sector and not-for-profit organisations
  - Australia amended its 1988 Privacy Act to require companies to notify affected Australian residents and the Australian Information Commissioner in the event of a breach of security
- Australian Consumer Law (ACL)
  - The ACL protects consumers from false or misleading contracts and poor conduct from providers, such as failed breach notifications. The Privacy Act can apply to Australian customers even if the cloud service provider is based elsewhere, and even if a contract states that other laws apply.

China:
- 2017 Cyber Security Law
  - During the second quarter of 2017, China issued Draft Regulations on Cross-Border Data Transfers to supplement the Cyber Security Law. These regulations would go beyond the wording of the Cyber Security Law and expand its scope.

Japan:
- Act on the Protection of Personal Information (APPI)
  - Requires the private sector to protect personal information and data securely.
  - Limits the ability to transfer personal data to third parties: prior consent of the data subject is generally required. Consent to the transfer is not required if the destination country has an established framework for the protection of personal information that meets the standard specified by the Personal Information Protection Commission.
- The Law on the Protection of Personal Information Held by Administrative Organs
- Medical Practitioners' Act; the Act on Public Health Nurses, Midwives and Nurses; and the Pharmacist Act

Russia:
- Since September 2015, companies have been required to store personal data of Russian citizens within Russia.

EU:
- GDPR
  - The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU/EEA, regardless of whether the processing takes place in the EU/EEA or not.
  - For example, the GDPR requires companies to keep records of their data processing activities. Certain categories of processing require a prior "Privacy Impact Assessment." (Quoted from Security Guidance v4.0, © 2021 Cloud Security Alliance, p. 42.)

US:

Because all Digital Rights Management (DRM)/Enterprise Rights Management (ERM) is based on encryption, existing tools may break cloud capabilities, especially in SaaS.

Domain 14 – Big data, IoT, Serverless

Big data: high volume, high velocity, high variety
3 components: distributed data collection; distributed storage; distributed processing
- Data collection: intermediary storage must be properly secured
- Key management
- IAM
IoT key security issues:
- Secure data collection and sanitization
- Device registration, authentication and authorization; API security; encrypted communication; patching
Mobile:
- Device registration, authentication and authorization; API security
Serverless computing:
- Object storage
- Cloud load balancers
- Cloud databases
- Machine learning
- Message queues
- Notification services
- Code execution environment
- API gateways
- Web servers
- No direct access to logs and monitoring; integration with the provider's logging is needed
Cloud provider: must clearly state which PaaS services have been assessed against which compliance regime or standard
Cloud user: must only use serverless services that match their compliance requirements and obligations

Domain 7 – Infrastructure security

Micro-segmentation → operational expenses up
SDP (Software Defined Perimeter) components:
1. SDP client for the connecting asset
2. SDP controller for authentication and authorization, and for configuring connections to SDP gateways
3. SDP gateway for terminating SDP traffic
When used, virtual appliances should support auto-scaling to match the elasticity of the resources they protect. Depending on the product, this could cause issues if the vendor does not support elastic licensing compatible with auto-scaling.

IP addresses will change far more quickly than on a traditional network, which security tools must account for. Ideally
they should identify assets on the network by a unique ID, not an IP address or network name.
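The point about keying on a unique asset ID rather than an IP, as an added example (not from the notes or the CSA Guidance): two constructed inventory snapshots of the same fleet are diffed both ways, and alerts are stamped with the asset ID at collection time. Field names and the asset_id format are assumptions.

```python
"""Tracking cloud assets by unique ID instead of IP address.

Added example, not from the study notes or the CSA Guidance. The two
inventory snapshots are constructed sample data; the field names and the
asset_id format are assumptions, not any provider's real API.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Asset:
    asset_id: str  # provider-assigned, stable for the asset's lifetime
    ip: str        # reassigned on stop/start, scaling and redeploys
    name: str

# Constructed: the same fleet one hour apart. web-1 was stopped and restarted
# (new IP); web-2 was replaced by auto-scaling and the replacement instance
# happened to receive web-2's old address.
SNAPSHOT_T0 = [Asset("i-0a1", "10.0.1.10", "web-1"),
               Asset("i-0a2", "10.0.1.11", "web-2")]
SNAPSHOT_T1 = [Asset("i-0a1", "10.0.1.57", "web-1"),
               Asset("i-0a3", "10.0.1.11", "web-2")]

def diff_by_ip(old: List[Asset], new: List[Asset]) -> Tuple[set, set]:
    """Legacy view: an asset *is* its IP. Returns (appeared, disappeared).
    Here it flags web-1's new address as an unknown host and completely
    misses that 10.0.1.11 is now a different machine."""
    old_ips, new_ips = {a.ip for a in old}, {a.ip for a in new}
    return new_ips - old_ips, old_ips - new_ips

def diff_by_id(old: List[Asset], new: List[Asset]) -> Tuple[set, set, Dict[str, tuple]]:
    """Cloud view: key on the unique ID; the IP is just a mutable attribute.
    Returns (new_ids, removed_ids, {id: (old_ip, new_ip)} for moved assets)."""
    o = {a.asset_id: a for a in old}
    n = {a.asset_id: a for a in new}
    moved = {i: (o[i].ip, n[i].ip) for i in o.keys() & n.keys() if o[i].ip != n[i].ip}
    return set(n) - set(o), set(o) - set(n), moved

def enrich_alert(alert: dict, current: List[Asset]) -> dict:
    """Stamp the unique ID onto an alert at collection time, while the
    IP-to-asset mapping is still valid, so later churn cannot break attribution."""
    by_ip = {a.ip: a.asset_id for a in current}
    return {**alert, "asset_id": by_ip.get(alert["ip"], "UNKNOWN")}

if __name__ == "__main__":
    print("by IP:", diff_by_ip(SNAPSHOT_T0, SNAPSHOT_T1))
    print("by ID:", diff_by_id(SNAPSHOT_T0, SNAPSHOT_T1))
    print(enrich_alert({"ip": "10.0.1.11", "rule": "ssh-brute-force"}, SNAPSHOT_T1))
```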

Software container systems always include three key components:
• The execution environment (the container).
• An orchestration and scheduling controller (which can be a collection of multiple tools).
• A repository for the container images or code to execute.
Together, these are the place to run things, the things to run, and the management system to tie them together.

A deep understanding of container security relies on a deep understanding of operating system internals, such as namespaces, network port mapping, memory, and storage access.

Domain 9 – Incident Response

4 phases (NIST SP 800-61):
1. Preparation: "Establishing an incident response capability so that the organization is ready to respond to incidents."
2. Detection and Analysis: Detection and analysis in a cloud environment may look nearly the same (for IaaS) or quite different (for SaaS). In all cases, the monitoring scope must cover the cloud's management plane, not merely the deployed assets.
3. Containment, Eradication, and Recovery
4. Post-mortem
External threat intelligence may also be useful, as it is with on-premises incident response, in order to help identify indicators of compromise and to get adversary information. Be aware that there are potential challenges when the information that is provided by a CSP faces chain of custody questions. There are no reliable precedents established at this point. Forensics and investigative support will also need to adapt, beyond understanding changes to data sources. Always factor in what the CSP can provide and whether it meets chain of custody requirements. Not every incident will result in legal action, but it's important to work with your legal team to understand the lines and where you could end up having chain of custody issues.

Some examples of tasks you can automate include:
• Snapshotting the storage of the virtual machine.
• Capturing any metadata at the time of alert, so that the analysis can happen based on what the infrastructure looked like at that time.
• If your provider supports it, "pausing" the virtual machine, which will save the volatile memory state.
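The three automatable tasks above, as an added example (not code from the notes or from any provider SDK): a handler that captures metadata first, pauses only if the provider supports it, then snapshots, and hashes every artifact into a manifest that can be re-verified for the chain-of-custody questions raised earlier. FakeProvider is a constructed stand-in for the real cloud API.

```python
"""Automated evidence preservation when an alert fires.

Added example, not code from the study notes or from any provider SDK.
FakeProvider is a constructed in-memory stand-in for a cloud API; real
describe/pause/snapshot calls would replace its methods. It shows the
order of operations and a hashed manifest for chain-of-custody checks.
"""
import hashlib
import json
from datetime import datetime, timezone

class FakeProvider:
    """Constructed provider: records call order, returns fake artifacts."""
    def __init__(self, supports_pause: bool):
        self.supports_pause = supports_pause
        self.calls = []
    def describe_instance(self, iid):
        self.calls.append("describe")
        return {"id": iid, "ip": "10.0.1.57", "security_groups": ["sg-web"]}
    def pause(self, iid):
        self.calls.append("pause")
        return {"id": iid, "state": "paused"}
    def snapshot_volumes(self, iid):
        self.calls.append("snapshot")
        return [{"volume": "vol-1", "snapshot": "snap-1"}]

def _digest(obj) -> str:
    """SHA-256 over canonical JSON so the record can be re-verified later."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def preserve_evidence(alert: dict, provider, collector: str) -> dict:
    iid = alert["instance_id"]
    artifacts = {}
    # 1. Metadata first: it must describe the infrastructure as it looked at
    #    alert time, before any response action changes it.
    artifacts["metadata"] = provider.describe_instance(iid)
    # 2. Pause before snapshotting, where supported: preserves volatile memory
    #    and keeps the disk from changing underneath the snapshot.
    if provider.supports_pause:
        artifacts["pause"] = provider.pause(iid)
    # 3. Snapshot the attached storage.
    artifacts["snapshots"] = provider.snapshot_volumes(iid)
    return {"alert_id": alert["id"], "collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "artifacts": artifacts,
            "hashes": {k: _digest(v) for k, v in artifacts.items()}}

def verify_manifest(manifest: dict) -> bool:
    """Chain-of-custody check: every artifact still matches its recorded hash."""
    return all(_digest(v) == manifest["hashes"][k]
               for k, v in manifest["artifacts"].items())
```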

Domain 10
Cloud computing opportunities:
- Higher baseline security (significant economic incentives to maintain higher baseline security)
- Responsiveness
- Isolated environments
- Independent virtual machines
- Elasticity
- DevOps
- Unified interface
Cloud computing challenges:
- Limited detailed visibility
- Increased application scope (management plane, metastructure)
- Changing threat models
- Reduced transparency
SSDLC:
- Training: secure coding practice, writing security tests, provider technical training
- Define: code standards, security functional requirements
- Design: threat modelling, secure design
- Develop: code review, unit testing, static analysis, dynamic analysis
- Test: vulnerability assessment, dynamic analysis, functional tests, QA
Training: Three different roles will require two new categories of training. Development, operations, and security should
all receive additional training on cloud security fundamentals (which are not provider specific), as well as appropriate
technical security training on any specific cloud providers and platforms used on their projects. There is typically greater
developer and operations involvement in directly architecting and managing the cloud infrastructure, so baseline
security training that’s specific to the tools they will use is essential.

10.1.7.1 Security Implications and Advantages


• Standardization: With DevOps, anything that goes into production is created by the CI/CD pipeline on approved code
and configuration templates. Dev/Test/Prod are all based on the exact same source files, which eliminates any deviation
from known-good standards.
• Automated testing: As discussed, a wide variety of security testing can be integrated into the CI/CD pipeline, with manual testing added as needed to supplement.
• Immutable: CI/CD pipelines can produce master images for virtual machines, containers, and infrastructure stacks very
quickly and reliably. This enables automated deployments and immutable infrastructure.
• Improved auditing and change management: CI/CD pipelines can track everything, down to individual character
changes in source files that are tied to the person submitting the change, with the entire history of the application stack
(including infrastructure) stored in a version control repository. This offers considerable audit and change-tracking
benefits.
• SecDevOps/DevSecOps and Rugged DevOps: These two terms are emerging to describe the integration of security
activities into DevOps. SecDevOps/DevSecOps sometimes refers to the use of DevOps automation techniques to improve
security operations. Rugged DevOps refers to integration of security testing into the application development process to
produce harder, more secure, and more resilient applications.
FERPA is a US federal law that applies to academic providers. HIPAA is a US federal law that applies to medical providers.

Regulations and standards by jurisdiction:
- BSI: German privacy law
- GDPR: European privacy law
- PCI DSS: card payment standard
- NIST SP 800-53: applicable to US federal government agencies
- COBIT and ISO: international standards
- FERPA and HIPAA: only applicable to US entities in specific sectors (HIPAA: medical providers)
- COPPA: Children's Online Privacy Protection Act of 1998 (US)
- Gramm-Leach-Bliley Act (GLBA): US
- NERC CIP: US law for electrical power providers
- ITAR: only applicable to US entities in specific sectors
- PIPEDA: Canadian privacy law
- NZISM: only applicable to entities in New Zealand
- 2017 Cyber Security Law: China
- Act on the Protection of Personal Information (APPI): Japan

IaaS Encryption – volume storage encryption:
- Instance-managed encryption
- Externally managed encryption
IaaS Encryption – object and file storage:
- Client-side encryption
- Server-side encryption
- Proxy encryption

7 layers (APSTNDP):
- Application
- Presentation
- Session
- Transport
- Network
- Data Link
- Physical

- Infrastructure: The core components of a computing system: compute, network, and storage. The foundation that everything else is built on. The moving parts.
- Metastructure: The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration.
- Infostructure: The data and information. Content in a database, file storage, etc.
- Applistructure: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services.

Access Control: management plane; public and internal sharing controls; application-level controls

The absolute top security priority is segregation and isolation of network traffic to prevent tenants from viewing another tenant's traffic.

SDN can offer a single management plane for physical network appliances (not virtual appliances).

It is completely up to the provider as to how they build a storage pool. They can use any of the other technologies listed in the answers, or they can use something completely different and proprietary.

Cloud overlay networks are a special kind of WAN virtualization technology for creating networks that span multiple "base" networks.

Detection and Analysis Phase

This phase is all about the telemetry (logging, monitoring, metrics, alerts, and other messages) you get from systems and other IT components.

For the exam, remember that the CCM states the control and the responsible party, whereas the CAIQ provides questions
you can ask in plain language.

This chapter addressed incident response recommendations as per the CSA Guidance. The main items to remember for
your exam include the following:
• Establishing SLAs and setting expectations around the roles and responsibilities of the customer and the provider are
the most important aspects of IR in a cloud environment. These SLAs must cover all phases of IR.

• Practice makes perfect. You have a great opportunity to create an IR practice environment—use it! Know how to handle
aspects of IR that belong to you and how hand-offs to the provider are performed.

• You must establish clear communication channels (from customer to provider and vice versa). Remember that the provider may need to contact your organization if they notice something. Don't allow these messages to be sent to an e-mail address that isn't being monitored.

• Customers must understand the content and the format of the data that a provider may supply for analysis. Data that is
supplied in a format that you can’t use is useless.

• Understand how any data supplied by the provider meets chain-of-custody requirements.

• Use the automation capabilities of the cloud environment to your advantage. Implementing continuous and serverless
monitoring may help you detect potential issues much more quickly than what is possible in a traditional data center.

• Understand the tools that are made available to you by the provider. Engage the provider with your plans—they may
be able to improve your IR plan.

• What works in one cloud environment may not work in another. Make sure that the approaches you use to detect and
handle incidents are planned for each provider as part of your enterprise IR plan.
• Without logging, there is no detection. Without detection, there is no ability to respond. Make sure your logging has as
much visibility into your environment as possible.

• Test, test, test. Testing must be performed at least annually or when significant changes are made. Again, consult your
provider and make sure they become part of your tests to the greatest extent possible.

Which area of incident response is most impacted by automation of activities?

The correct answer is containment, eradication, and recovery. Although tools supplied by the cloud provider can greatly
enhance detection as well, the tools available to you in a cloud environment have the most impact on containment,
eradication, and recovery efforts.

An investigation should be performed using the master account so there is complete visibility of all activity taking place in
the management plane. Snapshots of servers being investigated can be performed, but this should be done only after it is
confirmed that the attacker is no longer in the management plane. Logging everyone off may have limited benefits, but,
again, confirmation that the attacker no longer has management plane access is the first step in incident response of the
metastructure. Terminating all server instances is not an appropriate answer at all.

Remember, though, that the CSA Guidance specifically states that tests should be performed annually or when significant changes are made. Remember both when you take your exam.

PaaS (and serverless application architectures) will likely need custom application-level logging because there will likely be gaps between what the provider offers and what is required for incident response support.

When leveraging immutable workloads, security can be increased by removing the ability to log in remotely. Any changes
must be made centrally in immutable environments. File integrity monitoring can also be implemented to enhance
security, as any change made to an immutable instance is likely evidence of a security incident.
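The file integrity monitoring idea above, as an added example (not from the notes): a baseline of file hashes is taken at deployment, and on an immutable instance any modified, added or removed file is treated as a candidate incident. The file tree is constructed in a temporary directory.

```python
"""File integrity monitoring for an immutable instance.

Added example, not from the study notes. On an immutable instance nothing
should change after deployment, so every entry check_integrity() reports
is a candidate incident. The file tree that demo() builds is constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> Dict[str, str]:
    """Hash every regular file under root, keyed by POSIX-style relative path.
    Run once at image build time and store the result off the instance."""
    rootp = Path(root)
    return {p.relative_to(rootp).as_posix(): _sha256(p)
            for p in sorted(rootp.rglob("*")) if p.is_file()}

def check_integrity(root: str, baseline: Dict[str, str]) -> Dict[str, list]:
    """Compare the live tree with the baseline; any non-empty list is an alert."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo() -> Dict[str, list]:
    """Constructed scenario: deploy, baseline, then simulate post-deploy drift."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "bin").mkdir()
        (Path(root) / "bin" / "app").write_bytes(b"\x7fELF original build")
        (Path(root) / "app.conf").write_text("listen=443\n")
        baseline = build_baseline(root)
        # Drift: binary replaced, unexpected file dropped, config deleted. On an
        # immutable host none of this happens without a redeploy from the pipeline.
        (Path(root) / "bin" / "app").write_bytes(b"\x7fELF replaced binary")
        (Path(root) / "bin" / ".cache").write_text("unexpected file\n")
        (Path(root) / "app.conf").unlink()
        return check_integrity(root, baseline)
```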

If you’re asked about the difference between software-defined security and event-driven security, remember that
software-defined security is a concept, whereas event-driven security puts that concept into action.

Event-driven security is a game-changer. Using serverless technology, you can easily kick off a script that will
automatically respond to a potential incident.

Instance-managed encryption: The encryption engine runs inside the instance itself. An example of this is the Linux
Unified Key Setup. The issue with instance-managed encryption is that the key itself is stored in the instance and
protected with a passphrase. In other words, you could have AES-256 encryption secured with a passphrase of 1234.
Encryption options by service model:
IaaS encryption:
- Volume storage: instance-managed; externally managed
- Object storage: client-side; server-side; proxy
PaaS encryption:
- Database: built-in encryption (e.g. TDE)
- Application: application-layer encryption
SaaS encryption:
- Provider-managed encryption
- Proxy encryption – pass through an encryption proxy before data is sent to the SaaS

Key management:
HSM, Virtual appliance, Cloud provider service, hybrid

Entity – someone that has an identity
Identity – unique expression of an entity within a given environment
Identifier – a cryptographic token in a digital environment that identifies an identity. In real life, an identifier could be a passport.
Attribute – a facet (aspect) of an identity; anything about the identity and the connection itself.
Persona – your identity and attributes in a specific situation. You are you, but your persona will change based on context. For example, at work you may be an IT administrator; that's your work persona. At home, your persona may be the parent of two children.
