CCC Professional Cloud Security Manager
Self-Study Guide
Release 3.1.0
Copyright and Disclaimer
Professional Cloud Security Manager | r3.1.0
Copyright
Copyright © 2016, ITpreneurs Nederland B.V. All rights reserved.
Trade Marks
Cloud Credential Council® is a registered trademark.
Disclaimer
Information provided about the course, modules, topics and any services for courses including
simulations or handouts, are an expression of intent only and are not to be taken as a firm
offer or undertaking. The Publisher reserves the right to discontinue or vary or maintain such
course, modules, topics, or services at any time without notice and to impose limitations on
enrolment in any course.
The course materials provided may have hypertext links to a number of other web sites as
a reference to users. This service does not mean that the publisher endorses those sites or
material on them in any way. The publisher is not responsible for the use of a hypertext link
for which a commercial charge applies. Individual users are responsible for any charges that
their use may incur.
The information in this course is written using a blend of British and American English. Although
every effort has been made regarding the usage of correct spelling, punctuation, vocabulary,
and grammar with regard to the Standard English, ITpreneurs accepts no responsibility for
any loss or inconvenience caused due to the regional differences in the usage of the English
language.
Lead Author
Kumail Morawala
Kumail Morawala, a Senior Architect at Combustec, is an experienced
Information Technology Professional and an Enterprise Architect with years
of experience in helping businesses transform their IT infrastructure in
order to gain competitive advantage. His experience in working in Europe,
Middle East and Asia has given him the competitive edge to understand
the demanding needs of the localized markets and apply that to the Global
stage. He is well versed and experienced in designing solutions for Cloud
Computing, Virtualization and Big Data.
He believes that the next generation of companies will differentiate themselves only on their
customer experience, and hence that technologies like Cloud Computing and Big Data help
enterprises achieve this edge. He is currently working with many organizations to transform them
and achieve success.
Morawala holds different trainer and professional level certifications in the field of Cloud
Computing, Big Data, Virtualization, etc. Currently he is involved in helping a Government agency
to transform its E-Services and develop a cloud-based data exchange platform to enrich decision
making with the enormous data at hand.
He played an important role as a Reviewer for ITpreneurs in the development
of this course.
Reviewers
Vladimir Jirasek
Vladimir Jirasek is a successful and highly qualified security professional
with over 16 years of IT industry practice and over 14 years in Information
Security and IT Security, Risk and Compliance disciplines. He specializes in security
architectures, cloud security, and optimizing security investments.
Vladimir has both led and managed global teams in Security, Risk and
Compliance for multinational corporations such as WorldPay, Nokia, Tesco,
and DTAG. Utilizing this experience he has successfully constructed and
implemented diverse Security, Risk and Compliance architectures, policies
and strategies, by using accepted International Standards (such as ISF
SoGP, ISO 2700x, CAMM, CobiT, RiskIT and PCI DSS).
A highly regarded individual by his peers and senior executives (such as
CIOs and CTOs) Vladimir has a wealth of experience in Security, Risk and
Compliance strategy, and effectively aligning it with changing business
strategies.
Overview
The Professional Cloud Security Manager course explores the concepts related to security, risk, and
compliance within a cloud computing environment. It also provides an overview of different security
related topics such as identifying, categorizing, and protecting the assets within an enterprise cloud
computing environment. This course will enable you to apply fundamental security concepts in an
enterprise cloud computing environment.
The risks and impact of cloud computing must be understood in terms of various security challenges
and their effect on business and technical governance and policy. The terminology used to describe
these security threats and issues, in particular those related to cloud computing, is described in this
course.
Exercises
The course includes several activities and exercises meant for enhancing retention.
[Figure: exercise types - Paper, Draft/Build, Throw, Instruction, MCQs/MMCQs, Write-Up]
Case Study
The course also includes a case study based on a fictitious organization called “SYSTEC”. This case
study will help you to recap and apply the concepts learned in the course. The case study will focus
on security and risk considerations that should be considered while implementing cloud computing in
a small and medium organization.
Certification
At the end of the course, you can take the certification exam. On passing the exam, you will earn the
Professional Cloud Security Manager (PCS) certification from the Cloud Credential Council (CCC).
Being PCS-certified showcases your security experience in a cloud environment and your relevant skills
and knowledge, and demonstrates that you are capable of managing the various stakeholders’
expectations within the enterprise.
Primer: Cloud Computing
What is Cloud?
Cloud computing represents a major change in IT sourcing and service delivery. It is changing
how businesses purchase, deploy, and support IT services. Many companies are now responding
to the new opportunities. Cloud computing is based on the convergence of Internet technologies,
virtualization, and IT standardization.
[Figure: service delivery type and deployment models - Infrastructure-as-a-Service; Private Cloud, Community Cloud, Public Cloud, Hybrid Cloud]
Characteristics of Cloud Computing
The following figure shows the five essential operational characteristics of cloud computing.
[Figure: Five Essential Operational Characteristics of Cloud Computing - On-Demand Self-Service, Rapid Elasticity, Broad Network Access, Resource Pooling, Measured Service]
On-Demand Self-Service
A consumer can unilaterally provision computing capabilities, such as server time and network storage,
as needed automatically without requiring human interaction with each service provider.
Rapid Elasticity
Capabilities can be rapidly and elastically provisioned. In some cases, it can be provisioned
automatically to quickly scale out, and then is rapidly released to scale in.
Broad Network Access
Capabilities are available over the network and accessed through standard mechanisms that promote
use by heterogeneous thin or thick client platforms.
Resource Pooling
The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant
model, with different physical and virtual resources dynamically assigned and reassigned according
to consumer demand. There is a sense of location independence in that the customer generally has
no control or knowledge over the exact location of the provided resources but may be able to specify
location at a higher level of abstraction (for example, country or state).
Measured Service
Cloud systems automatically control and optimize resource use by leveraging a metering capability
at some level of abstraction, appropriate to the type of service. Resource usage can be monitored,
controlled, and reported, providing transparency for both the provider and consumer of the utilized
service.
In the simplest of terms, cloud computing is an Internet-based shared computing paradigm, somewhat
like an electricity grid. The cloud services are based around shared mechanisms, such as:
●● Internet-based computing
●● Shared resources
●● Shared software
●● Shared platforms and infrastructure
●● Available on-demand
[Figure: cloud service models and their layers]
●● Software as a Service (SaaS): Applications, which provide business functionality for users
(layer: Software / Applications).
●● Platform as a Service (PaaS): Applications, which provide specialized software components and
programming tools (layer: Platform / Software Components).
●● Infrastructure as a Service (IaaS): Group of technologies and applications which provide
computing infrastructure resources as a service (layer: Infrastructure / Servers and Computing
Resources).
Examples of SaaS services: E-mail, collaboration, productivity, CRM, marketing, finance, and
personnel enterprise applications.
Examples of PaaS services: Software development, software testing, and systems integration.
Examples of IaaS services: Storage, database, computer, network, service management, and data
center management.
Cloud Deployment Models
●● Private Cloud: Exclusive use by a single organization comprising multiple consumers, for
example, business units.
●● Community Cloud: Exclusive use by a specific community of consumers from organizations
that have shared concerns.
●● Public Cloud: Open use by the general public. It may be owned, managed, and operated by a
business, academic or government organization, or a combination of these.
●● Hybrid Cloud: A composition of two or more distinct cloud infrastructures, such as private and
public, that remain unique entities but are bound together by standardized or proprietary
technology that enables data and application portability.
[Figure: cloud reference model stack - Presentation Modality, Presentation Platform, Infrastructure as a Service (IaaS), Core Connectivity and Delivery, Abstraction, Hardware, Facilities]
Understanding the relationships and dependencies between cloud computing models is critical for
understanding the security risks in cloud computing. In cloud computing, the cloud service provider
bears a responsibility for security. The figure depicts the idea that just as capabilities are inherited,
information security issues and risks are also inherited.
Some salient points depicted through the cloud reference model are:
●● IaaS is the foundation of all cloud services.
●● PaaS is building upon IaaS.
●● SaaS, in turn, is building upon PaaS.
It is important to note that commercial cloud providers may not neatly fit into the layered service models.
Nevertheless, the reference model is important for relating real-world services to an architectural
framework and understanding the resources and services requiring security analysis.
Some common cloud computing reference models are:
●● NIST Cloud Computing Reference Architecture
○○ http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505
●● IBM Cloud Computing Reference Architecture
○○ https://www.ibm.com/developerworks/community/wikis/home/wiki/Wf3cce8ff09b3_49d2_8ee7_4e49c1ef5d22/page/IBM%20Cloud%20Computing%20Reference%20Architecture%204.0?lang=en
Sample Answer
Company Background
Stelford is a leading steel manufacturing company with factories spread across three countries and
Sales and Operations teams and regional offices in more than 30 countries.
Problem Description
The ERP application works in a distributed architecture, and the manufacturing sites and regional sales
offices have local deployments. Syncing of data between the central site and the local sites takes
approximately 24 hours. This is a hindrance for the Sales and Operations teams, who cannot receive the
updated stock position in real time and place just-in-time orders for the customer.
Information Security
Information Security: Definition
Information security (also known as cyber security or INFOSEC) is security as applied to computing
devices and computer networks.
[Figure: information security principles - Confidentiality, Integrity, Availability, Non-repudiation, Authentication]
Source: InfoSec Institute - Guiding Principles in Information Security and NIST 800-33
Information security covers all the processes and mechanisms by which information and services are
protected from unintended or unauthorized access, change, or destruction. Information security also
includes protection from unplanned events and natural disasters.
The Confidentiality, Integrity, and Availability (CIA) triad is a venerable and well-known model for
security policy development, used to identify problem areas and necessary solutions for information
security.
These principles are applicable across the whole subject of security analysis, from access to a user’s
Internet history to security of encrypted data across the Internet. If any one of the three is breached,
it can have serious consequences for the parties concerned.
Confidentiality
Confidentiality is the ability to hide information from those who are unauthorized to view it. It is perhaps
the most obvious aspect of the CIA triad when it comes to security. However, correspondingly, it is
also the one that is attacked most often. Cryptography and encryption methods are used to maintain
confidentiality, especially for the data transferred from one computer to another.
Integrity
Integrity is the ability to ensure that data is an accurate and complete representation of the original
secure information. A type of security attack is to intercept some important data and make changes to
it before sending it on to the intended receiver.
Availability
Availability is the ability to ensure that the information concerned is readily accessible to the authorized
viewers when it is needed. Distributed Denial of Service (DDoS) is one example of an attack that makes
an online service unavailable by overwhelming it with traffic from multiple sources. Some types of security
attacks may attempt to deny access to the appropriate user in order to gain some secondary effect. For
example, by breaking the website of a particular search engine, a rival may try to become more popular.
The CIA triad, being a simple model, is augmented by other concepts such as non-repudiation and
authentication. The concept of non-repudiation assures that the sender of information is provided
with proof of delivery and the recipient is provided with proof of the sender’s identity. The concept of
authentication aims to verify the identity of an individual, a computer, a piece of software, or similar.
Security Management
Security management is a set of policies and procedures for systematically securing and managing
organizations’ data, information, systems, and services.
[Figure: Return on Security Investment]
Examples of Assets:
●● People: People may include employees and customers.
●● Property: Property assets consist of both tangible and intangible items that can be assigned
a value. Intangible assets include reputation and proprietary information.
●● Information: Information may include databases, software code, critical company records,
and many other tangible items.
Risk Assessment
The following figure depicts the four important tasks carried out during risk assessment. In order to
perform a comprehensive risk assessment, it is very important to identify all the assets, threats and
vulnerabilities. Based on these three, the risk is calculated.
[Figure: Risk Assessment - What am I trying to protect? What do I need to protect against? Is it a weakness in a service or system? How much time, effort, and money can I spend to obtain adequate protection?]
R = A x T x V
(Risk = Asset x Threat x Vulnerability)
Risk assessment is a comprehensive process that comprises various models, tools, and methodologies:
●● Examine assets – Asset management helps to identify the assets and how they are maintained,
changed, and depreciated.
●● Identify threats and vulnerabilities – Threat modeling is a common tool to identify threats and
vulnerabilities.
●● Identify, categorize, and prioritize risks – The risk acceptance plan and the risk assessment result
matrix are the tools to assess, categorize, and prioritize risks.
●● Plan security/risk remediation tasks – The risk treatment and risk remediation plan are the tools to
identify, plan, and implement risk remediation tasks.
The decision to bear, transfer, or mitigate risk will depend on the severity of the risk and vary on a
case-to-case basis.
[Figure: Executive Risk Treatment and Remediation Plan example - Governance Strategy, System Security Architecture, Vulnerability Management, Identity Management, Access Management, Data Acquisition, Data Usage; Compliance Framework (Define Controls, Common Control Framework, IT Compliance Framework, Policy Adoption/Refresh, Assessments of Compliance, Monitoring); Vendor Management (Design/Update Contracting Policy, Establish Third-Party Risk Management Process, Monitor Program)]
Security Assessment
The goal of a security assessment, also known as a security audit or security review, is to ensure that
necessary security controls are integrated into the design and implementation of a project.
A properly completed security assessment should provide documentation outlining any security gaps
between a project design and approved corporate security policies.
Management can address security gaps in the following three ways:
●● It can decide to cancel the project.
[Figure: Security Life-Cycle - 1 Categorize Information System (define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business); 2 Select Security Controls; 3 Implement Security Controls; 5 Authorize Information System; 6 Monitor Security State]
Source: Christian Locher, Methodologies for evaluating information security investments, 2005
●● Single Loss Expectancy (SLE): SLE is the expected amount of money that will be lost
when a risk occurs. It can be considered as the total cost of an incident assuming its single
occurrence.
●● Annual Loss Expectancy (ALE): ALE is the annual monetary loss that can be expected from
a specific risk on a specific asset. It is calculated as follows: ALE = ARO * SLE
●● Annual Rate of Occurrence (ARO): ARO is a measure of the probability that a risk occurs in
a year.
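As an added worked example (not code from the guide), the register below applies the guide's R = A x T x V ranking and the SLE and ALE formulas to a constructed three-row risk register, then compares each candidate control's annual cost against the ALE it removes to reach a bear, transfer or mitigate decision. The threat and vulnerability scores, the model of a control as reducing the ARO by a fraction, the acceptable-ALE threshold and the decision rule are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a risk register (all values below are constructed for the example)."""
    asset: str
    scenario: str
    asset_value: float      # A: business value of the asset, in currency units
    threat: float           # T: likelihood (0..1) that the threat acts on the asset (assumed scale)
    vulnerability: float    # V: likelihood (0..1) that the attempt succeeds (assumed scale)
    exposure_factor: float  # fraction (0..1) of the asset value lost in one incident
    aro: float              # Annual Rate of Occurrence of the incident

    def relative_risk(self) -> float:
        """R = A x T x V, used to rank risks against each other."""
        return self.asset_value * self.threat * self.vulnerability

    def sle(self) -> float:
        """Single Loss Expectancy: money lost in one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = ARO x SLE."""
        return self.aro * self.sle()


@dataclass
class Control:
    """A candidate mitigation, modelled (assumption) as cutting the ARO by a fraction."""
    name: str
    annual_cost: float
    aro_reduction: float    # 0..1, share of occurrences the control prevents


def ale_with_control(risk: Risk, control: Control) -> float:
    """Residual ALE once the control is in place."""
    return risk.aro * (1.0 - control.aro_reduction) * risk.sle()


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE removed by the control minus the control's yearly cost
    (the cost-benefit comparison behind return on security investment)."""
    return risk.ale() - ale_with_control(risk, control) - control.annual_cost


def treatment(risk: Risk, control: Control, acceptable_ale: float) -> str:
    """Assumed decision rule: bear a risk already within appetite, mitigate when
    the control pays for itself, otherwise transfer it (for example, insure)."""
    if risk.ale() <= acceptable_ale:
        return "bear"
    if net_benefit(risk, control) > 0:
        return "mitigate"
    return "transfer"


def rank_by_relative_risk(risks) -> list:
    """Asset names ordered from highest to lowest R = A x T x V."""
    return [r.asset for r in sorted(risks, key=Risk.relative_risk, reverse=True)]


# Constructed register: (risk, candidate control) pairs.
REGISTER = [
    (Risk("Customer database", "ransomware", 400_000, 0.7, 0.5, 0.25, 0.4),
     Control("Managed patching and EDR", 12_000, 0.75)),
    (Risk("Marketing website", "defacement", 20_000, 0.9, 0.6, 0.5, 0.2),
     Control("Web application firewall", 5_000, 0.8)),
    (Risk("Data centre", "flooding", 2_000_000, 0.1, 0.5, 0.3, 0.05),
     Control("Flood barriers", 40_000, 0.5)),
]
ACCEPTABLE_ALE = 5_000.0  # assumed risk appetite per scenario


def assess(register=REGISTER, acceptable_ale=ACCEPTABLE_ALE) -> dict:
    """Work every row through SLE, ALE, residual ALE and the treatment decision."""
    return {
        risk.asset: {
            "sle": risk.sle(),
            "ale": risk.ale(),
            "ale_with_control": ale_with_control(risk, control),
            "net_benefit": net_benefit(risk, control),
            "treatment": treatment(risk, control, acceptable_ale),
        }
        for risk, control in register
    }


if __name__ == "__main__":
    print("Ranking by R = A x T x V:", rank_by_relative_risk([r for r, _ in REGISTER]))
    for asset, result in assess().items():
        print(f"{asset}: SLE={result['sle']:,.0f} ALE={result['ale']:,.0f} "
              f"residual ALE={result['ale_with_control']:,.0f} -> {result['treatment']}")
```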
As with all management processes, an ISMS must remain effective and efficient in the long term,
adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005,
therefore, incorporated the ‘Plan-Do-Check-Act’ (PDCA) or Deming cycle approach. The activities
carried out in the four phases are:
Plan: This phase is about designing the ISMS, assessing information security risks, and selecting
appropriate controls.
Do: This phase involves implementing and operating the controls.
Check: The objective of this phase is to review and evaluate the performance (efficiency and
effectiveness) of the ISMS.
Act: In this phase, changes are made, where necessary, to bring the ISMS back to peak performance.
Source: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
COBIT 5, a framework for the governance and management of enterprise IT, uses a very similar
approach as PDCA (Plan - APO, Build - BAI, Run - DSS, Monitor - MEA).
●● Align, Plan, and Organize (APO)
●● Build, Acquire, and Implement (BAI)
●● Deliver, Service, and Support (DSS)
●● Monitor, Evaluate, and Assess (MEA)
Another competing standard for ISMS is the Information Security Forum's Standard of Good Practice
(SOGP). It is more best-practice based, as it draws on the ISF's industry experience.
Some other best-known ISMSs are Common Criteria (CC) international standard and IT Security
Evaluation Criteria (ITSEC).
●● Some nations use their own ISMS, such as:
○○ Department of Defense Information Technology Security Certification and Accreditation
Process (DITSCAP) of USA
○○ Department of Defense Information Assurance Certification and Accreditation Process
(DIACAP) of USA and Trusted Computer System Evaluation Criteria (TCSEC) of USA
○○ IT Baseline Protection Manual (ITBPM) of Germany
○○ ISMS of Japan
○○ ISMS of Korea and Information Security Check Service (ISCS) of Korea
IT Governance
Governance: Definition
Enterprise Governance: The set of responsibilities and practices exercised by the board and
executive management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risk is managed appropriately and verifying that the enterprise’s resources
are used responsibly.
IT Governance: IT governance is an integral part of Enterprise Governance and focuses on IT
structures and processes to ensure that the organization’s IT supports and extends the organization’s
strategies and objectives.
[Figure: Governance - Provide Strategic Direction, Achieving Objectives, Risk Management, Resource Management]
Source: http://www.isaca.org/Pages/Glossary.aspx
IT governance is a subset discipline of corporate governance, focused on IT and its performance and
risk management. The interest in IT governance is due to:
●● The on-going need within organizations to focus value creation efforts on an organization’s
strategic objectives.
●● The need to better manage the performance of those responsible for creating this value in the
best interest of all stakeholders.
Policies
Policies are high-level statements regarding principles and requirements that set the tone and
temperament of management’s risk tolerance and direction for logical, physical, and managerial
practices. A policy is a governing principle that provides the basis for standards and carries the highest
authority in the organization. Policies are generally not technology, process, or vendor specific and
therefore should not change frequently.
Standards
Standards provide detailed, mandatory performance criteria to ensure conformity with company policies.
Standards define an acceptable level of control and associated measurable compliance criteria. Any
deviation from a standard must be approved by management and be documented. Standards may be
technology, process, and vendor-specific and, typically, require frequent maintenance.
Procedures and Guidelines
Procedures are detailed step-by-step activities and tasks that the personnel are required to follow
when performing certain aspects of their job responsibilities. Standards may include corporate, local,
and business unit specific procedures. Procedures are also structured into ‘Guidelines’ and typically
require frequent maintenance.
IT Governance Practices and Standards
Over the years, a number of IT practices and standards have emerged. The following table depicts
the common practices and standards for IT Governance.
[Table: Common Practices and Industry Standards for IT Governance]
[Figure: cloud reference architecture - Infrastructure as a Service: APIs, Core Connectivity and Delivery, Access, Hardware, Facilities, Storage. Source: Cloud reference architecture]
[Figure: Risks to Consider in the Cloud - Platform and Software Security Elements: Audit and Report, Awareness Training, Access Control, Configuration Management, Physical Security, Session Security, Data Storage Security, Presentation Security, Media Protection, System and Program Management, Risk Management]
CIA Within the Cloud
The CIA protection goals that form the basis for the security requirements must be fulfilled by IT
systems in general.
Within cloud computing systems, the CIA protection methodologies have split responsibilities or a
shared security responsibility depending on the type of service model being deployed.
[Figure: CIA within the cloud - Cloud Provider, Confidentiality and Integrity, Cloud Subscriber (Availability)]
Multi-Tenancy
Multi-tenancy refers to a principle within software architecture where a single instance of the software
runs on a server, serving multiple client-organizations (tenants).
It contrasts with multi-instance architectures where separate software instances (or hardware systems)
operate on behalf of different client organizations.
With a multi-tenant architecture, a software application is designed to virtually partition its data and
configuration, and each client organization works with a customized virtual application.
Difference with Virtualization
In a multi-tenancy environment, multiple customers share the same application, running on the same
operating system, on the same hardware, with the same data-storage mechanism.
The distinction between the customers is achieved during application design, thus customers do not
share or see each other's data.
Compare this with virtualization where components are abstracted enabling each customer application
to appear to run on a separate virtual machine.
Multi-tenancy in the Cloud
Multi-tenancy in the cloud means sharing of resources and services to run software instances
serving multiple consumers and client organizations (tenants). It means physical resources (such as
computing, networking, and storage) and services are shared. The administrative functionality and
support may also be shared. One of the big drivers for providers is to reduce cost by sharing and
reusing resources among tenants.
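As an added illustration (not code from the guide), the small repository below shows the "virtual partition" a multi-tenant application relies on: one software instance and one shared database serve several tenants, and every query carries the caller's tenant_id so no tenant can read or alter another tenant's orders or configuration. The table layout, the tenant names and the deliberately unscoped lookup kept for contrast are constructed for the example; the in-memory SQLite database stands in for the shared data store.

```python
import sqlite3


class TenantScopeError(PermissionError):
    """Raised when a caller asks for a record outside its own tenant partition."""


class TenantRepository:
    """One application instance and one database shared by all tenants.

    Isolation is a property of the application design: every read and write is
    filtered by tenant_id, so the shared table looks private to each tenant.
    """

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")  # constructed stand-in for the shared store
        self.db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, "
                        "tenant_id TEXT NOT NULL, item TEXT NOT NULL)")
        self.db.execute("CREATE TABLE tenant_config (tenant_id TEXT PRIMARY KEY, "
                        "theme TEXT NOT NULL)")

    def add_order(self, tenant_id: str, item: str) -> int:
        """Insert a row stamped with the owning tenant; returns the new order id."""
        cur = self.db.execute("INSERT INTO orders (tenant_id, item) VALUES (?, ?)",
                              (tenant_id, item))
        return cur.lastrowid

    def list_orders(self, tenant_id: str) -> list:
        """Only rows belonging to the calling tenant are ever returned."""
        rows = self.db.execute("SELECT item FROM orders WHERE tenant_id = ? ORDER BY id",
                               (tenant_id,))
        return [item for (item,) in rows]

    def get_order(self, tenant_id: str, order_id: int) -> str:
        """Look up by id AND tenant: another tenant's id is indistinguishable from a
        non-existent one, so the response leaks nothing about other tenants."""
        row = self.db.execute("SELECT item FROM orders WHERE id = ? AND tenant_id = ?",
                              (order_id, tenant_id)).fetchone()
        if row is None:
            raise TenantScopeError(f"order {order_id} is not visible to tenant {tenant_id}")
        return row[0]

    def set_config(self, tenant_id: str, theme: str) -> None:
        """Per-tenant configuration: each tenant gets its customised view of the one app."""
        self.db.execute("INSERT OR REPLACE INTO tenant_config (tenant_id, theme) VALUES (?, ?)",
                        (tenant_id, theme))

    def get_config(self, tenant_id: str, default: str = "standard") -> str:
        row = self.db.execute("SELECT theme FROM tenant_config WHERE tenant_id = ?",
                              (tenant_id,)).fetchone()
        return row[0] if row else default

    def get_order_unscoped(self, order_id: int):
        """Contrast case: the same lookup with the tenant filter forgotten. This is the
        defect behind cross-tenant data exposure and is kept only to show the difference."""
        row = self.db.execute("SELECT item FROM orders WHERE id = ?", (order_id,)).fetchone()
        return row[0] if row else None


def demo() -> dict:
    """Two tenants share the instance; reports what each can and cannot see."""
    repo = TenantRepository()
    acme_order = repo.add_order("acme", "widget")
    globex_order = repo.add_order("globex", "gadget")
    repo.set_config("acme", "dark")
    try:
        repo.get_order("acme", globex_order)   # acme asking for globex's order
        cross_tenant_blocked = False
    except TenantScopeError:
        cross_tenant_blocked = True
    return {
        "acme_sees": repo.list_orders("acme"),
        "globex_sees": repo.list_orders("globex"),
        "acme_own_order": repo.get_order("acme", acme_order),
        "cross_tenant_blocked": cross_tenant_blocked,
        "unscoped_leaks": repo.get_order_unscoped(globex_order),
        "acme_theme": repo.get_config("acme"),
        "globex_theme": repo.get_config("globex"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```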
Risks to consider in the cloud include:
●● Geography: Given various countries and regulatory authorities, controls for supporting appropriate
cross-border data views/use must be maintained.
●● Ownership, Rights, and Obligations: Clear establishment of rights and obligations associated with
data assets is required. Often rights and obligations are dependent on the physical location of the
data owner, custodian, and user. Designing and implementing effective controls to support
appropriate rights and obligations may be complex.
●● Multi-Tenancy: In a multi-tenant cloud environment, users may access shared resources, possibly
gaining unauthorized access, or may attack other tenants. This may carry less risk in a private cloud,
but more risk in a vendor-hosted cloud.
●● Data Seizures: In a cloud provider environment, server seizures for one customer may include other
customers, simply because they were on the same physical server. Seizing the hardware may lead to
data loss or data disclosure of other customers in multi-tenant storage models.
[Figure: cloud service categories - Business Intelligence, Database, Storage, Services Management, Application Platform, Deployment, CDN, Hosting]
Sample Answer
Business risks and impacts:
●● Lock-in and data portability: Lock-in refers to the inability of a cloud consumer to move
their data away from a cloud service provider. In addition, data portability issues can make it
harder to change the service provider.
●● Data security and privacy: Data integrity, confidentiality and privacy are a major challenge
of cloud computing.
●● Data storage location: The location of data storage may hinder compliance with government
and other regulatory bodies. Cloud computing introduces the risk that data belonging to one
organization may be stored in several locations and coexist with another organization’s data.
●● Loss of governance: Loss of governance to cloud service providers is perceived as a potential
security risk by organizational leaders. Businesses are exposed to many types of risks when
they entrust their data to a third party. The impact from the loss of control may lead to the
inability to comply with security requirements, a lack of confidentiality, availability, and integrity
of data, and a decline in the performance and quality of service.