EXAM Tips ( Document WIP )
Revision Before the Exam
Take a lot of Practice questions/Exams
Use the process of Elimination to get rid of wrong Answers
Domain 1 : Cloud Concepts, Architecture and Design
The CIA triad is the foundation of information security
Integrity, Confidentiality, Availability
Confidentiality entails limiting access to data to authorized users and systems
Privacy focuses on the confidentiality of personal data
Integrity : Checksums help you validate the integrity of data
Availability is a Major consideration for cloud systems
Threat : Anything capable of intentionally or accidentally compromising asset security
Vulnerability : weakness or gap existing within a system
Risk Management : Deals with identifying threats and vulnerabilities
Risk : It is the intersection of threat and vulnerability that defines the likelihood of a vulnerability being exploited
Risk = Threat X Vulnerability
Access Control : Identification, Authentication and Authorization
MFA ( Multi Factor Authentication ) or 2FA
The idea here is to require more than one form of authentication to reduce the risk of granting access to someone impersonating someone else
- something you know e.g. password
- something you have e.g. smart cards
- something you are e.g. fingerprints
Encryption can either be symmetric-key or Asymmetric-key
Symmetric-key Encryption : (also referred to as secret-key encryption) uses the same key (called the secret key) for both encryption and decryption. Symmetric-key encryption is simple, fast and relatively cheap, but the shared key needs a secure transfer to the other party.
Asymmetric-key Encryption : More commonly known as public-key encryption, operates by using two keys - one public and one private. It is slower, but no secure transfer of the key is needed.
Business Continuity Plan : The goal is to allow the ability to access important systems and data until the crisis is resolved
BCP : Focus is on making business operational
DR : Focus is on activities like recovery from off-site backups
Recovery Point Objective (RPO) : The maximum amount of data loss that's tolerable to your organization
Recovery Time Objective (RTO) : The amount of time within which business process must be restored in order to avoid significant consequences associated with the disaster
Business Continuity : Broadly focuses on the procedures and systems you have in place to keep a business up and running during and after a disaster
Every incident starts as an event. Every event is NOT necessarily an incident
Incident Response LifeCycle : Preparation, Detection, Containment, Eradication, Recovery, Post-Mortem
Chain of Custody : To maintain chain of Custody, you must preserve evidence from the time it is collected to the time it is presented in court
Tabletop Exercise : Security incident preparedness activity that takes participants through the process of dealing with a simulated incident scenario, providing hands-on practice and highlighting flaws in incident response planning.
SIEM : A tool that can help aggregate different log sources and provide more intelligent data for your analysis
Eradication : Remove the threat from your systems. Eradication involves eliminating any components of the incident that remain
Defense-in-Depth : Applying multiple distinct layers of security technologies and strategies for greater overall protection
Reversibility : Capability for a cloud service customer to retrieve their cloud service customer data and for the cloud service provider to delete this data after a specified period or upon request
Cloud Computing Roles :
Cloud auditor : A cloud service partner who is responsible for conducting an audit of the use of cloud services. An audit may be for general security hygiene but is often for legal or compliance purposes
Cloud Service Broker : A cloud service partner who negotiates relationships between CSP and CSC
Cloud Service partner : A person or group that supports the provision, use or other activities of the cloud service provider, the cloud service customer or both
Cloud Computing Characteristics
on-demand self-service
Broad Network Access
Resource Pooling
Rapid Elasticity
Measured service
Private Cloud : Private Cloud is for single organization
Community Cloud : Community clouds are private clouds that are extended to a limited set of related organizations
Cloud Migration : Moving to the cloud is not only a technology decision, but also a business decision
Interoperability : The ability for two or more systems to seamlessly work together by sharing information. Interoperability ensures that cloud services can understand standard data formats, APIs, configurations and identification and authorization Mechanisms.
Portability : The service provider, underlying platform, operating system, API structure and format of data do not present obstacles to seamlessly moving services from one solution to another.
Vendor lock-in occurs when any of these factors prevents a customer from moving from one cloud provider to another. Portability ensures that an organization is able to easily move between cloud providers
Governance : Governance relates to the policies, procedures, roles and responsibilities in place to ensure security, privacy, resiliency and performance
Regulatory Compliance : Satisfying compliance is a shared responsibility
AI
Domain 2 : Cloud Data Security
Domain 3 : Cloud Platform and Infrastructure Security
Domain 4 : Cloud Application Security
Domain 5 : Cloud Security Operations
Domain 6 : Legal, Risk and Compliance
Custom/Written Notes
Shadow IT: The use of IT related hardware or software by a department or individual without the knowledge of the IT or security group within the organization
Data Owner - Ultimately responsible for data classification
Contracts are so important - Portability, Interoperability, SLA, Shared Responsibility
Storage Type:
a) Volume, Blob(api) - IaaS
b) structure / unstructure - PaaS
c) CDN/RIDB - SaaS
ISO 27001 - Provides the ISMS specification
ISO 27002 - Offers guidance and recommendations
Highly Regulated Compliance Industries
- Healthcare
- Financial Services
- Government Organizations
Example : FedRAMP/NIST requires CSPs to implement FIPS 140-2 validated encryption Modules
Data Owner / Data Controller
Data Custodian / Data Processor
No Matter who processes the data, the data owner is always responsible for specifying how the data is used, processed and secured.
In GDPR terminology - Data Controller & Data Processor
Risk appetite and risk tolerance both refer to the same thing.
Risk Framework ISO 31000
NIST RMF Risk Management Framework NIST 800-37
Supply Chain Risk Management ISO/IEC 27036 & NIST 800-161
CMMC - Cybersecurity Maturity Model Certification
CUI - Controlled Unclassified Information
CSUSAD - create, store, use, share, archive, destroy
DLP required in SHARE and USE Stage
DRM enables persistent security beyond its boundary, at the data level
DLP/DRM - Most efficient security in the share/use stages
DRM applies to the distribution side to protect intellectual property, and is more efficient than DLP
During Creation Phase we classify the Data
During the Creation phase we modify the data
Governance : set of operations
CASB : Cloud Access Security Broker is an on-premises or cloud Based security policy enforcement point between cloud service consumer and cloud service provider
VMI ( Virtual Machine Introspection ) - technique to monitor the runtime of a VM. Can be used for forensic investigation
Virtualization - Provides the abstraction needed for resource pools
Transparent Encryption - most effective way to encrypt the row & column WITHOUT IMPACTING the functionality
Structured Database : That is specific to row and column, want to strike a balance between functionality and user privacy
Instance based encryption - Entire Volume , File Level Encryption - Object storage
Application Level Encryption
- Data is encrypted before reaching out to the database
- Concern : Challenging to perform indexing, searches and meta-data collection
- Application-level encryption protects against various risks, including hacked administrative accounts
Cloud Service Partner
- Cloud auditor - evaluates security controls privacy impact, performance as per ISO 17789
- Auditor is sub-role of cloud service partner
Cloud Service Operational Manager - Performs all operational processes and procedures of the cloud service provider, ensuring it meets operational targets
Cloud Service Business Manager - Cloud Provider
Cloud Broker - CSC <----> CSP. Sets up the legal agreement and service agreement
ISO/IEC 17789 CCRA ( Cloud Computing Reference Architecture )
Multi-layer functions
- user layer
- Access layer
- Service layer
- Resource layer
Resiliency - Continuous Operations
NIST 800-37 provides guidelines for applying the Risk Management Framework to federal information systems, including conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security
Next Generation Firewall ( Read Data ) , user privacy concern
Breach Notification : Customers should contractually require data breach notification from their providers in unambiguous language
Containment Mechanism - can be mitigated due to "velocity of attack"
Micro-segmentation (e.g. via SDN) - the most effective containment mechanism
Basic Storage Level - Encryption is initiated by cloud provider
The cloud customer initiates the following
- File level Encryption
- Application Level Encryption
- Transparent Encryption - Encryption solution in the database
Transparent Encryption - Refers to a method of encrypting data at rest, where the data encryption and decryption process is transparent to the user and the application
Volume Storage Encryption - Effective encryption solution for instance images and unauthorized porting of VM images
Application Encryption - Concern
Challenging to perform indexing, searches and meta-data collection
Application level encryption is EXTERNAL to the Database
Application - Application level encryption
Database - Transparent Encryption
File - File Encryption
Disk - Volume Encryption
SOC1 - Internal Control of financial
SOC2 - Detailed Evaluation
SOC3 - Generic Report for public
SOC2 - Detailed Evaluation based on 5 Trust principles
- Security
- Privacy
- Availability
- Confidentiality
- process Integrity
NACLs are stateless and do not track the state of a connection, while Security Groups are stateful and allow traffic based on the response to previous traffic. Default rule: NACLs have a default rule that denies all traffic, while Security Groups have a default rule that allows all traffic.
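To make the stateless/stateful distinction above concrete, here is an added Go simulation (not part of these notes): a NACL-style filter checks every packet in every direction against explicit rules, while a Security-Group-style filter remembers permitted flows and accepts their reply traffic automatically. The addresses, ports and rule shape are constructed; real NACLs also carry rule numbers and explicit deny rules, which are not modelled.

```go
package main

// Direction of a packet relative to the protected instance.
type Direction int

const (
	Inbound  Direction = iota // remote host -> instance
	Outbound                  // instance -> remote host
)

// Packet is a constructed, simplified TCP 5-tuple (protocol omitted).
type Packet struct {
	Dir              Direction
	SrcIP, DstIP     string
	SrcPort, DstPort int
}

// flow identifies a connection independently of packet direction by its
// remote (non-instance) and local (instance) endpoints.
type flow struct {
	RemoteIP, LocalIP     string
	RemotePort, LocalPort int
}

func (p Packet) conn() flow {
	if p.Dir == Inbound {
		return flow{p.SrcIP, p.DstIP, p.SrcPort, p.DstPort}
	}
	return flow{p.DstIP, p.SrcIP, p.DstPort, p.SrcPort}
}

// Rule permits one direction for a remote address ("*" = any, a constructed stand-in
// for a CIDR) and a destination-port range (the local port inbound, the remote port outbound).
type Rule struct {
	Dir            Direction
	RemoteIP       string
	PortLo, PortHi int
}

func (r Rule) matches(p Packet) bool {
	return r.Dir == p.Dir && (r.RemoteIP == "*" || r.RemoteIP == p.conn().RemoteIP) &&
		p.DstPort >= r.PortLo && p.DstPort <= r.PortHi
}
func matchAny(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if r.matches(p) {
			return true
		}
	}
	return false
}

// StatelessFilter models a NACL: every packet in every direction must match an
// explicit rule and nothing is remembered between packets (default deny).
type StatelessFilter struct{ Rules []Rule }

func (f StatelessFilter) Allow(p Packet) bool { return matchAny(f.Rules, p) }

// StatefulFilter models a Security Group: a packet matching a rule opens a tracked
// flow, and later packets of that flow pass in either direction without a rule of their own.
type StatefulFilter struct {
	Rules []Rule
	flows map[flow]bool
}

func (f *StatefulFilter) Allow(p Packet) bool {
	if f.flows == nil {
		f.flows = map[flow]bool{}
	}
	k := p.conn()
	if !f.flows[k] && !matchAny(f.Rules, p) {
		return false // neither an established flow nor a permitted new one
	}
	f.flows[k] = true // remember the flow so that the reply is accepted
	return true
}
```

With only an inbound rule for port 443, the reply to a client's request passes the stateful filter but is dropped by the stateless one until an outbound rule covering the client's ephemeral port range is added.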
Cloud Provider HVAC System - SOC 2 report can help a cloud security consultant validate adequate control
ISO 22301 - International Standard for Business Continuity Management ( BCM )
Data exfiltration definition is the theft or unauthorized removal or movement of any data from a device. Data exfiltration typically involves a cyber criminal stealing data from personal or corporate devices, such as computers and mobile phones, through various cyberattack methods.
SaaS - CSP Manages updates, encryption engine, secure storage, auto backup and logging
Multi-tenant is Biggest Concern for "E-DISCOVERY"
Data Privacy - Must Encrypt all personal data at rest according to GDPR
Under GDPR - Primary Obligation while sharing the customer Information. It must solicit informed consent through a notice on its website
GDPR Penalties - GDPR sets a maximum fine of 20 million or 4% of annual global turnover, whichever is greater, for infringements
In case of a security breach - GDPR requires notification to the customers within 72 hours
GLBA - Privacy and Security Practice in USA
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
PIPEDA - Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of their commercial activity
COPPA USA - Children under age 13, online privacy protection
The Children's Online Privacy Protection Act of 1998 (COPPA) is a federal law that imposes specific requirements on operators of websites and online services to protect the privacy of children under 13
CCPA - privacy regulations for California consumers
CCPA - Allows any California consumer to demand to see all the information a company has saved on them.
Health Care - privacy Protection with reference to "COVERED ENTITY" - HIPAA
Privacy Framework - Primary objective ( Address Governance )
Privacy Framework provides a common language to communicate privacy requirements with entities within the data processing eco-system
For new Business reviewing SOC reports of service provider - SOC2 Type 2 ( recommended )
Type 1 - Point in time design of control
Type 2 - period of time evaluate
Thin line difference between type 1 and Type 2 - SOC Report
Type 1 - Control Design
Type 2 - Control Effectiveness
SOC3 report can publish (public) on the website for users to gain trust
NESA - Middle East
NIST - USA standard
SOC1 - Audit report will be useful to check how well the company keeps up their books for accounts
Trusted Criteria of the SOC2 Report
Privacy, confidentiality, security, availability, processing integrity
SOC2 type2 - description of tests performed, controls are suitably designed controls operated effectively
SOC1 - Financial/ custodial services, payroll processing, meeting SOX Compliance requirement financial statements
SOC2 - Information technology personnel will be interested
RPO - Acceptable data loss. Related to backup policies & procedures for electronic data and hard copy
RTO - Time to restore the service
MTD - Convey to the customer, No business impact ( Maximum tolerable downtime )
MTDL - Maximum tolerable data loss (equivalent to RPO)
WRT - Work Recovery Time. The maximum tolerable amount of time it takes to verify systems and data protection related to verification & checking
BIA (Business Impact Analysis ) - Recovery Priority
Monetary Priority, Business Priority , function Priority
BIA Classify all organizational functions & technology on "Recovery Priority"
BIA - Key process that is used to establish continuity requirement and prioritize business services importance to meeting an organization mission
Results can help to determine the type and frequency of backup, the need for redundancy or mirroring of data, and the type of alternate site needed to meet system recovery objectives
Key foundational process established to provide resilience requirements to the primary process
RISK Assessment - Key foundational process established to provide security requirements to the planning process.
MTD - Maximum tolerable downtime
The amount of time the official is willing to accept for a mission/business process outage or disruption; it includes all impact considerations.
Ultimate Goal of RTO - RTO must ensure that the MTD is not exceeded
BCP - helps an organization continue to operate even if disaster occurs
Testing of the plan is last step of BCP
The BIA is part of the BCP and BIA identifies CRITICAL systems & services
Last step of BIA - developing recovery priorities
SSO Single Sign-On - Authentication system that allows a user to log in with a single ID and password to access independent software systems
Federation - Two or More Trust Domains to allow users of these trust domains to access application & services using the same digital identity
SAML - Security Assertion Markup Language
- It is an Internet SSO standard
- XML-based framework for creating and exchanging authentication and authorization data
SAML Authority is configured on the identity provider side
IDP generates the SAML Assertion
SAML Assertion - Attestation & XML ( auth & authz info )
Building blocks of SAML (carried over the SOAP protocol)
- assertion
- SAML protocol
- Binding
SAML has three roles
- Identity provider
- Service provider
- Principal - ( user )
SAML Assertion Generated by IDP
SAML Assertion consumed by SP ( Service provider )
On the basis of the SAML Assertion, the SP does the access control for the principal (User)
IDP signs the Assertion with its private key ( digital signature ); the SP maintains the public key of the IDP
Timestamps prevent replay attacks
SAML - profiles, Bindings, Protocol, Assertion
SAML - One IDP may provide SAML assertion to many SPs
Assertion shall be cryptographically signed by the issuer (IDP) - The relying party shall validate the digital signature
Role in SAML
- Identity provider, Service provider, Principal
IDP requests username & password before delivering the identity assertion to the SP
OAuth 2.0 - Authorization
OpenID Connect - Authentication
Both are consumer-based services, peer-to-peer
SAML - Authentication/Authorization & Scalable solution.
SAML Responses are carried by the SOAP API
Recommended to use TLS with NONCE
Prevents a "man-in-the-middle" attack that might grab an assertion to be illicitly "replayed" at a later date
TLS with NONCE - A nonce is always sent by the client to the server and vice versa. The nonce consists of a random number and a Unix timestamp
SAML - is scalable & secure solution that allows federated systems with different identity management system to interact through simplified sign-on authentication and authorization exchanges
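The IdP-signs / SP-validates flow described in the SAML notes above, as an added Go example that is not part of these notes: the IdP holds the private key and signs the assertion, the SP holds only the IdP's public key and rejects tampered, expired or already-consumed assertions (the assertion ID plus NotOnOrAfter play the role the nonce and timestamp play above). The Assertion fields, Ed25519 and the JSON encoding are assumptions chosen for brevity; real SAML uses XML with XML-DSig.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Assertion is a constructed stand-in for the SAML fields that matter for validation
// (real assertions are XML; JSON is used here for brevity).
type Assertion struct {
	ID, Issuer, Subject string
	NotOnOrAfter        time.Time // the timestamp that bounds replay
}

// SignedAssertion carries the serialized assertion and the IdP's signature over it.
type SignedAssertion struct{ Payload, Signature []byte }

// IdentityProvider is the only party holding the private key, so only it can sign.
type IdentityProvider struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // handed to every SP that trusts this IdP
}

func NewIdentityProvider(name string) (*IdentityProvider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Name: name, priv: priv, Pub: pub}, nil
}

// Issue signs an assertion for subject that is valid for ttl from now.
func (idp *IdentityProvider) Issue(id, subject string, now time.Time, ttl time.Duration) (SignedAssertion, error) {
	payload, err := json.Marshal(Assertion{id, idp.Name, subject, now.Add(ttl)})
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{payload, ed25519.Sign(idp.priv, payload)}, nil
}

var ErrBadSignature = errors.New("assertion signature invalid")
var ErrExpired = errors.New("assertion expired")
var ErrReplay = errors.New("assertion ID already consumed")

// ServiceProvider holds only the IdP's public key plus the assertion IDs it has accepted.
type ServiceProvider struct {
	IdPKey ed25519.PublicKey
	seen   map[string]bool
}

// Consume checks signature, validity window and replay, in that order, and returns the
// authenticated subject on which the SP bases its access-control decision.
func (sp *ServiceProvider) Consume(sa SignedAssertion, now time.Time) (string, error) {
	if !ed25519.Verify(sp.IdPKey, sa.Payload, sa.Signature) {
		return "", ErrBadSignature // tampered payload, or signed by a key the SP does not trust
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", err
	}
	if !now.Before(a.NotOnOrAfter) {
		return "", ErrExpired
	}
	if sp.seen == nil {
		sp.seen = map[string]bool{}
	}
	if sp.seen[a.ID] {
		return "", ErrReplay // the same assertion presented a second time
	}
	sp.seen[a.ID] = true
	return a.Subject, nil
}
```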
Change Management
Maintain system integrity throughout the organization in a dynamic environment through change control management. CM is most effective in preventing the introduction of a code modification that may reduce.
CM proactively addresses the diversified risks in the process. CM is an adequate way to incorporate risk management practices into an organization.
Configuration Management
Assists in recording baselines for software releases. The primary purpose of configuration management is maintaining the integrity of the product or system being managed throughout its lifecycle within the org. Configuration management ensures - Integrity - Baseline
SDN
Because SDN has enabled the separation of network functions from dedicated hardware, the nature of the network has been transformed. It abstracts the hardware
SDN Primary Issues/Concerns - Organizations need to consider that vendor interoperability between transport, controller and application domains has NOT been established
Application Layer - SDN applications are programs that explicitly, directly and programmatically communicate their network requirements
Patch Management - The most effective practice we can use to verify patch authenticity is to verify its code signature
Code Signing - Code Signing is the process of digitally signing executables and scripts to confirm the software author or guarantee that the code has NOT been altered
Most effective practice to consider prior to deploying updates to a production server - make certain that a full system backup has been taken
Cloud Bursting - Avoid adding permanent resources to maintain existing processing capacity; instead use cloud bursting to automatically grow resources without investing in infrastructure
SaaS - has the least ownership and control over the system during forensics
IaaS - has highest ownership and control over system
Cloud service Business manager - responsible for meeting the business goal in cost efficient manner
Cloud service integrator - onprem - cloud
cloud service administrator - ensures the smooth operation of the customer services and that those cloud services are running well.
Cloud Service Broker - Responsible for negotiating relationship between cloud service customers and cloud service providers, along with assess market place and setup legal agreement
Inter-cloud provider (CASB) - Responsible for the intermediation, aggregation, arbitrage, peering or federation of peer cloud service providers
DLP - Classification of Data
DLP efficiently prevents the exposure of sensitive data in a cloud environment. DLP works on classification of data
Datacenter uptime institute
TIER-1 : Basic or dedicated infrastructure, 99.671% uptime, potential downtime 28.8 hrs
TIER-2 : Redundant infrastructure, 99.741% uptime, potential downtime 1.36 hrs
TIER-3 : Fully fault tolerant or concurrently maintainable, 99.982% uptime, potential downtime 1.36 hrs
TIER-4 : Fully fault tolerant, 99.995% uptime, potential downtime 0.44 hrs, for very critical applications
Vendor Lock-in : is a situation where you depend on a single cloud provider for a specific service
Cloud Migration :
Adequate Processes to assess risks and provision adequate security controls to mitigate them
Most important foundational security controls required in multi-tenant network
logical segregation and isolation of network traffic
Before planning a transition to the cloud, create information policies and practices that extend to the cloud
Determine your governance requirements and contractual and security controls
CASB Four Pillars
- Visibility
- Compliance
- Data Security
- Threat protection
IaC - Enables easier resource tracking
Data privacy - can be achieved by data encryption at rest and in transit
Intrusion Detection System (IDS) - security measure that can help detect insider threats
PCI DSS - must ensure compliance - Network segregation
Hybrid Cloud Model - key challenge - network latency
PII data protection - Data encryption at rest and in transit
Primary Consideration for maintaining data integrity in cloud - data replication
Data Loss Prevention (DLP ) can prevent data breaches due to human Errors
Data Classification is a key consideration for security financial data in the cloud
Mobile Device management ( MDM ) is the most critical security control to manage BYOD in a cloud environment
Use end-to-end encryption for users who frequently share sensitive files externally
Uniform Access Control - Critical application security in a Multi-cloud approach.
Cloud based health care systems essential for maintaining compliance "data encryption" at rest and in transit
Cloud based Chat application Proper user access controls
Secure coding practices - vital application security measure for protecting customer data in the CRM
SLAs - Critical security consideration when working with Vendors
PaaS - Secure application code is essential security consideration in this context
Secure Coding Practice - is a critical security consideration for mobile application development