Course Detail
Management and Compliance in Cloud Computing
Cloud Computing Security, 2nd Edition, by John R. Vacca, 2020

Objectives

1. Describe compliance in the cloud
2. Explain regulatory environments related to cloud computing
3. Formulate policy and conduct analysis for the prevention of intrusions


Takeaways

- Characteristics of the cloud: On-demand self-service, broad network access, resource pooling, rapid elasticity, vertical scaling.
- Service models: IaaS (data centers, servers, networking, storage), PaaS (IaaS + OS + database management & dev tools), SaaS (IaaS + PaaS + cloud-hosted application).
- Deployment models: Public cloud, private cloud, hybrid cloud.
- Cloud technologies: Virtualization, data outsourcing, remote computation.
- Hybrid cloud computing environments are device-agnostic and securely connect to the cloud.
- Cloud computing concepts have been around since the 1950s, with services becoming available in the early 2000s.
- Responsibility sharing varies across deployment models and service models, with customers and providers responsible for different components.
- Scalability ranking: Public and hybrid clouds have high scalability, while private and community clouds may have lower scalability.
- Security, performance, reliability, and cost considerations differ based on the deployment model.
- NIST architecture for cloud computing includes various stakeholders and layers, such as cloud consumers, auditors, providers, and brokers.
- CIA triad: Confidentiality, integrity, and availability are essential aspects of cloud data protection.
- Vulnerabilities in hardware, operating systems, and applications pose security risks in the cloud.
- Web applications face risks such as vulnerable components, data exposure, weak access control, injection attacks, misconfigurations, etc.
- Encryption is commonly used to protect the confidentiality of cloud data in storage and during network transit.
- Digital signatures provide authenticity and non-repudiation of messages in cloud environments.
- Hashing is used for generating irreversible representations of data for security purposes.
- Data confidentiality, access control, storage, and data center locations are critical issues in cloud computing.
- Access control enforcement methods include key management schemes, re-encryption proxies, and Java archives.
- Privacy concerns can arise from data indexing and users' lack of awareness of data usage by service providers.
- Ideal multicloud environments prioritize reliability, semantic security, trapdoor security, and robustness.
- Cloud accountability focuses on detecting and tracking resource access and usage.
- Threats in the cloud include infrastructure and host-related threats, physical access breaches, employee negligence, data breaches, cryptography weaknesses, resource exhaustion, and insufficient monitoring.
- Cloud service failure or termination, failure of third-party suppliers, lock-in, compliance problems, infrastructure modifications, data processing, administrative and ownership changes, denial of service to co-tenants, subpoena and e-discovery, cloud data provenance, metadata management, and jurisdiction are potential risks in cloud computing.
- Service provider threats include replay attacks, data interception, browser security vulnerabilities, injection vulnerabilities, customer negligence, management interface exposure, loss of governance, social engineering attacks, DDoS attacks, encryption key exposure or loss, malware, and malicious insiders.
- Trust in the cloud is influenced by factors such as data processing, location, access, number of users, trust metrics, identity management/authentication, data security, and service-level agreements (SLAs).
- Underlying technologies in cloud computing include hypervisors, containers, and bare metal.
- Classification of information based on value, sensitivity, and criticality helps determine appropriate protection and controls.
- Risk management involves three tiers: organization level, mission and business process level, and information system level.
- The risk management process includes risk assessment, implementation of a risk mitigation strategy, deployment of risk control techniques, and continuous monitoring.
- The system development lifecycle (SDLC) encompasses project initiation, planning, system design, build, acceptance testing, implementation, operations and maintenance, and disposal.
- Risk management frameworks involve categorizing information, selecting security controls, implementing and describing controls, assessing security controls, authorizing system operation, and monitoring controls.
- Cloud consumers need to identify cloud-specific privacy controls, request SLAs from providers, assess their implementation, and continuously monitor them.
- Characteristics of a cloud ecosystem include broad network access, decreased visibility and control for cloud consumers, dynamic system boundaries, multi-tenancy, data residency, measured service, and scalability.
- Cloud consumers should describe the service or application, identify functional capabilities, security and privacy requirements, and necessary controls.
- Standardized reference architectures like NIST, ISO, IEC, and ITU-T are available for cloud adoption.
- Cloud consumers' concerns include risk management, analysis, assessments, vulnerability assessments, incident reporting and response, business continuity, and disaster recovery plans.
- The cloud consumer is responsible for security and privacy, while the cloud provider is responsible for implementing controls.
- Policies, standards, procedures, and guidelines play a role in defining security practices.
- Regulations such as SOC 1/SSAE 16/ISAE 3402, ISO 27001, ISO 9001, PCI DSS, HIPAA, CSA STAR, ITAR, FIPS 140-2, and NIST may apply to cloud computing.
- Cloud service providers use virtualization technologies to optimize the utilization of physical infrastructure and provide automated scaling capabilities.
- Hypervisors are installed on physical server farms to create a virtualization management layer and control physical resources.
- Hypervisors can host multiple VMs from different customers, and the cloud server admin has no direct control over the hypervisor selection for VM execution.
- Cloud service providers are not responsible for security patching of old VMs; it is the customer's responsibility.
- Encryption is essential for administrative access and commands, and strong cryptographic protocols should be used.
- Web-based management tools should be set up with encrypted HTTPS connections, and RSA key pairs should have a length of at least 2048 bits.
- Identity management involves customer application administrators, VM administrators, and hypervisor or virtualization host administrators.
- General cloud server security practices include minimizing administrative accounts, implementing antivirus software, keeping up with patch updates, setting minimal permissions for network or storage access, minimizing running services, installing only necessary software, isolating administrative protocols from end-user access, using secure communication methods (VPN, SSH), implementing backup and recovery measures, ensuring time synchronization, and maintaining continuous monitoring.
- The system model includes the cloud server, cloud users, and a third-party auditor (TPA).
- Byzantine failures can be caused by hardware or software failures, external adversaries, natural disasters, and unauthorized users.
- Cloud auditing involves gathering evidence, conducting interviews, analyzing data, compiling results, preparing a final report, and taking action.
- Audit professionals and organizations involved in cloud auditing include CSA and ISCAC.
- Types of audits include SOC 1, SOC 2, SOC 3, SOC Readiness, ISO 27001, PCI compliance, HIPAA attestations, vulnerability assessments, and penetration testing.
- US compliance regulations include CIPA/FERPA for education, FISMA for government, SOX for corporations, HIPAA for healthcare, GLBA for banks, and PCI DSS for retail (payment).
- CCPA applies to any company that collects personal information of Californians, regardless of data collection method or industry. CCPA grants rights to know, opt out, and delete personal information, and violations may incur civil penalties.
- GDPR applies to organizations with an establishment in the EU that process personal data. It defines controllers and processors, regulates personal data processing, and imposes requirements on data controllers and processors.
- FISMA is a federal act that governs information security management in the US government. FedRAMP is a program developed to standardize assessments and authorizations of cloud services for government customers.
- FedRAMP certification involves an independent assessor (3PAO) and two authorization models: JAB p-ATO and agency ATO.
- DISA is responsible for accrediting cloud solutions related to the US military or Department of Defense (DoD).
- GLBA requires protection of non-public personal information (NPI) and prohibits sharing with non-affiliated third parties.
- FTC regulates privacy agreements, and certification evaluates the effectiveness of information security techniques against security requirements.
- Accreditation is the organizational-level decision to accept risks posed by an information system and allow it to become operational.
- Risks and challenges for cloud service providers include lack of standardization, loss of IP control, future certifications, increased costs and effort, and redesign.
- Top security concerns in the cloud include identity management, data storage location, system operations, data transmission, and flow controls.
- Cloud data security encompasses equipment and personnel security, access controls, building security, and perimeter security.
- Cloud customers are relieved of hardware management, replacement, and support contracts.
- Internal checklist for cloud migration includes defining cloud privacy, identifying what to move, analyzing outsourcing risks, identifying security controls, and defining responsibilities.
- External considerations for cloud users include assessing CSP's privacy requirements, checking for certifications, understanding security controls, and applicable jurisdictional laws.
- Clients should allocate data protection laws, choose EU-regulated CSPs, determine CSP's autonomy, bind CSP as a data processor, and avoid complex sub-contractors.
- Contract checklist involves dictating service provisions, considering changes with critical services, providing prior notice, ensuring client notification rights, and termination terms.
- Sub-processor considerations include CSP informing clients, contractual obligations for sub-contractors, and resolving resource issues caused by sub-contractors.
- Cloud lock-in, interoperability, SLAs, and termination of contracts are important factors to consider.
- SOC reports provide information on internal controls and are used to assess and address risks associated with outsourced services.
- Top security concerns in cloud models include identity management, data storage location, system operations, vulnerability and configuration analysis, network and infrastructure security, host and endpoint security, data protection and encryption, logging and monitoring, and threat detection.
- Application security, perceived threats, real risks, and challenges in data processing are additional considerations.
- Standard research includes ODCA and CSA.
- Cloud access monitoring can be achieved through secure APIs, CASB, anomaly detection, machine learning, and threat intelligence.
- Securing APIs involves using unique tokens, encryption and signature, thorough testing for vulnerabilities, and implementing quota and throttling.
- Disaster recovery considerations include file and data replication, server-side and client-side encryption, and segregation of duties.
