
Professional Cloud Security Manager
Self-Study Guide
Release 3.1.0
Copyright and Disclaimer
Professional Cloud Security Manager | r3.1.0

Copyright
Copyright © 2016, ITpreneurs Nederland B.V. All rights reserved.

Published under license by ITpreneurs Nederland B.V.


This is a commercial confidential publication. All rights reserved. This document may not, in
whole or in part, be copied, reproduced, translated, photocopied, or reduced to any medium
without prior and express written consent from the publisher.
For permission requests, write to the publisher, addressed “Attention: Course Permissions,”
at [email protected].
This course includes copyrightable work provided to ITpreneurs under license and is protected
by copyright. No part of this publication may be reproduced, distributed, or transmitted in any
form or by any means, including photocopying, recording, or other electronic or mechanical
methods, without the prior written permission of the publisher, except in the case of brief
quotations embodied in critical reviews and certain other noncommercial uses permitted by
copyright law or further disseminated without the express and written permission of the legal
holder of that particular copyright. The Publisher reserves the right to revoke that permission
at any time. Permission is not given for any commercial use or sale of this material.

Trade Marks
Cloud Credential Council® is a registered trademark.

Disclaimer
Information provided about the course, modules, topics and any services for courses, including
simulations or handouts, is an expression of intent only and is not to be taken as a firm
offer or undertaking. The Publisher reserves the right to discontinue, vary or maintain such
course, modules, topics, or services at any time without notice and to impose limitations on
enrolment in any course.
The course materials provided may have hypertext links to a number of other web sites as
a reference to users. This service does not mean that the publisher endorses those sites or
material on them in any way. The publisher is not responsible for the use of a hypertext link
for which a commercial charge applies. Individual users are responsible for any charges that
their use may incur.
The information in this course is written using a blend of British and American English. Although
every effort has been made regarding the usage of correct spelling, punctuation, vocabulary,
and grammar with regard to the Standard English, ITpreneurs accepts no responsibility for
any loss or inconvenience caused due to the regional differences in the usage of the English
language.

Sample material – Not for Resale


Acknowledgements
We would like to sincerely thank the experts who have contributed to the development of the
ITpreneurs Professional Cloud Security Manager.

Lead Author
Kumail Morawala
Kumail Morawala, a Senior Architect at Combustec, is an experienced
Information Technology Professional and an Enterprise Architect with years
of experience in helping businesses transform their IT infrastructure in
order to gain competitive advantage. His experience in working in Europe,
Middle East and Asia has given him the competitive edge to understand
the demanding needs of the localized markets and apply that to the Global
stage. He is well versed and experienced in designing solutions for Cloud
Computing, Virtualization and Big Data.
He truly believes that the next generation of companies will differentiate themselves only on
their customer experience, and hence that technologies like Cloud Computing and Big Data help
enterprises achieve this edge. He is currently working with many organizations to transform
them and achieve success.
Morawala holds trainer and professional level certifications in the fields of Cloud Computing,
Big Data, Virtualization, etc. Currently he is involved in helping a Government agency to
transform its E-Services and develop a cloud-based data exchange platform to enrich decision
making with the enormous data at hand.
He played an important role as a Reviewer for ITpreneurs in the development of this course.

Reviewers
Vladimir Jirasek
Vladimir Jirasek is a successful and highly qualified security professional with over 16 years
of IT industry practice and over 14 years in Information Security and IT Security, Risk and
Compliance disciplines. He specializes in security architectures, cloud security, and optimizing
security investments.
Vladimir has both led and managed global teams in Security, Risk and Compliance for
multinational corporations such as WorldPay, Nokia, Tesco, and DTAG. Utilizing this experience
he has successfully constructed and implemented diverse Security, Risk and Compliance
architectures, policies and strategies, by using accepted International Standards (such as ISF
SoGP, ISO 2700x, CobiT, CAMM, RiskIT and PCI DSS).
Highly regarded by his peers and senior executives (such as CIOs and CTOs), Vladimir has a
wealth of experience in Security, Risk and Compliance strategy, and in effectively aligning it
with changing business strategies.



In his own time, Vladimir is a major force and influencer in the newly established UK chapter
of the Cloud Security Alliance (cloudsecurityalliance.org.uk), where he holds the role of
director of research.
He also regularly presents at security conferences as a leader in the field of Information
security. In addition, his contributions are published in various security and risk related
publications.

David van Geilswyk


With around 30 years of experience David van Geilswyk specializes in:
●● Security Management
●● Security Architecture
●● IT Governance
●● Risk Management
●● Disaster Recovery Planning
●● IT Architecture and Infrastructure
●● IT Project Management

He is a certified professional for:
●● Certified Information Systems Security Professional (CISSP)
●● Certified Information Systems Auditor (CISA)
●● Certified Information Security Manager (CISM)
●● Project Management Professional (PMP)
●● COBIT Foundation Certificate (IT Governance and Control Framework)
●● Vision Solutions Certified High Availability Implementation Consultant
●● IBM Certified Solutions Expert
●● IBM Certified Systems Expert

Other reviewers who contributed to the review of the course are:


Cuneyt Karul - Chief Security Architect at BlueCat

Randy Cochran - President and CEO at Data Center Enhancements Inc.



Module 1
Course Introduction

Overview
The Professional Cloud Security Manager course aims to explore the concepts related to security,
risk, and compliance within a cloud computing environment. It also provides an overview of
different security-related topics such as identifying, categorizing, and protecting the assets
within an enterprise cloud computing environment. This course will enable you to apply the
fundamental security concepts to an enterprise cloud computing environment.
The risks and impact of cloud computing must be understood in terms of various security challenges
and their effect on business and technical governance and policy. The terminology used to describe
these security threats and issues, in particular those related to cloud computing, is described
in this course.

Course Learning Objectives


At the end of this course, you will be able to:
●● Explain what it takes to secure the different cloud computing services and deployment models.
●● Explain design security regarding the cloud infrastructure, configurations, and applications running within a cloud computing environment.
●● Explain, apply, and analyze how to manage access to cloud computing resources using accounts, users, and groups.
●● Explain, apply, and analyze the ways of securing data, operating systems, and applications and overall infrastructure within the cloud.



Activities
The course includes several activities meant for enhancing retention.
Figure: activity types used in the course (Paper, Draft/Build, Throw, Instruction, MCQs/MMCQs, Write-Up).

Exercises
The course includes several exercises meant for enhancing retention.

Case Study
The course also includes a case study based on a fictitious organization called “SYSTEC”. This case
study will help you to recap and apply the concepts learned in the course. The case study will focus
on the security and risk considerations that should be taken into account while implementing cloud
computing in a small or medium organization.

Certification
At the end of the course, you can take the certification exam. On passing the exam, you will earn the
Professional Cloud Security Manager (PCS) certification from the Cloud Credential Council (CCC).
Being PCS-certified showcases your security experience in a cloud environment and your relevant skills
and knowledge, and demonstrates that you are capable of managing the various stakeholders’
expectations within the enterprise.



Module 2
Cloud Computing: Security, Risks, and Governance

Module Learning Objectives

At the end of this module, you will be able to:
●● Explain the basic concepts of cloud computing.
●● Describe and explain the underpinning security concepts of information security and CIA.
●● Describe the key areas of security management.
●● Explain the risks and the impacts of cloud computing in terms of both business and technical security challenges and their effect on business and technical governance and policy.
●● Explain and implement risk treatments and mitigations in the cloud.
Module Topics
The following topics are covered in the module:
●● Cloud Computing Basics
●● Information Security Management
●● IT Governance
●● Cloud Computing Security

Cloud Computing Basics

Primer: What is the Cloud?
Cloud computing represents a major change in IT sourcing and service delivery. It is changing
how businesses purchase, deploy, and support IT services. Many companies are now responding
to the new opportunities. Cloud computing is based on the convergence of Internet technologies,
virtualization, and IT standardization.
Figure: cloud service delivery types (Software-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service) and service deployment options (Private Cloud, Community Cloud, Public Cloud, Hybrid Cloud).


Characteristics of Cloud Computing
The following figure shows the five essential operational characteristics of cloud computing.
Figure: Five Essential Operational Characteristics of Cloud Computing (On-Demand Self-Service, Rapid Elasticity, Broad Network Access, Resource Pooling, Measured Service).

On-Demand Self-Service
A consumer can unilaterally provision computing capabilities, such as server time and network storage,
as needed automatically without requiring human interaction with each service provider.
Rapid Elasticity
Capabilities can be rapidly and elastically provisioned. In some cases, they can be provisioned
automatically to quickly scale out, and then rapidly released to scale in.
Broad Network Access
Capabilities are available over the network and accessed through standard mechanisms that promote
use by heterogeneous thin or thick client platforms.
Resource Pooling
The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant
model, with different physical and virtual resources dynamically assigned and reassigned according
to consumer demand. There is a sense of location independence in that the customer generally has
no control or knowledge over the exact location of the provided resources but may be able to specify
location at a higher level of abstraction (for example, country or state).
Measured Service
Cloud systems automatically control and optimize resource use by leveraging a metering capability
at some level of abstraction, appropriate to the type of service. Resource usage can be monitored,
controlled, and reported, providing transparency for both the provider and consumer of the utilized
service.
In the simplest of terms, cloud computing is an Internet-based shared computing paradigm, somewhat
like an electricity grid. The cloud services are based around shared mechanisms, such as:
●● Internet-based computing
●● Shared resources
●● Shared software
●● Shared platforms and infrastructure
●● Available on-demand



Cloud Service Models
Figure: the three cloud service models as layers (Software: Applications; Platform: Software Components; Infrastructure: Servers and Computing Resources).
●● Software as a Service (SaaS): Applications, which provide business functionality for users.
●● Platform as a Service (PaaS): Applications, which provide specialized software components and programming tools.
●● Infrastructure as a Service (IaaS): Group of technologies and applications which provide computing infrastructure resources as a service.

Examples of SaaS services: E-mail, collaboration, productivity, CRM, marketing, finance, and
personnel enterprise applications.
Examples of PaaS services: Software development, software testing, and systems integration.
Examples of IaaS services: Storage, database, computer, network, service management, and data
center management.
Cloud Deployment Models
●● Private Cloud: Exclusive use by a single organization comprising multiple consumers, for example, business units.
●● Community Cloud: Exclusive use by a specific community of consumers from organizations that have shared concerns.
●● Public Cloud: Open use by the general public. It may be owned, managed, and operated by a business, academic or government organization, or combination of these.
●● Hybrid Cloud: A composition of two or more distinct cloud infrastructures, such as private and public, that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.

Source: NIST definition of cloud computing


In addition to the cloud service models, there are a number of other ways to deliver or roll out these
cloud services. In some deployment models, the financial commitment lies with the organizations
that use these clouds.

Cloud Reference Model
The following figure shows a generic cloud reference model.
Figure: generic cloud reference model, stacking Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS); components shown include Presentation Modality, Presentation Platform, APIs, Applications, Data, Metadata, Integration and Middleware, Core Connectivity and Delivery, Abstraction, Hardware, and Facilities.

Understanding the relationships and dependencies between cloud computing models is critical for
understanding the security risks in cloud computing. In cloud computing, the cloud service provider
bears a responsibility for security. The figure depicts the idea that just as capabilities are inherited,
information security issues and risks are also inherited.
Some salient points depicted through the cloud reference model are:
●● IaaS is the foundation of all cloud services.
●● PaaS builds upon IaaS.
●● SaaS, in turn, builds upon PaaS.

It is important to note that commercial cloud providers may not neatly fit into the layered service models.
Nevertheless, the reference model is important for relating real-world services to an architectural
framework and understanding the resources and services requiring security analysis.
Some common cloud computing reference models are:
●● NIST Cloud Computing Reference Architecture
○○ http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505
●● IBM Cloud Computing Reference Architecture
○○ https://www.ibm.com/developerworks/community/wikis/home/wiki/Wf3cce8ff09b3_49d2_8ee7_4e49c1ef5d22/page/IBM%20Cloud%20Computing%20Reference%20Architecture%204.0?lang=en
●● ISO/IEC 17789:2014 Information technology -- Cloud computing -- Reference architecture
○○ http://www.iso.org/iso/catalogue_detail?csnumber=60545
●● The Open Group Cloud Ecosystem Reference Model
○○ http://www.opengroup.org/cloud/cloud/cloud_ecosystem_rm/model.htm
●● Microsoft Private Cloud Reference Model
○○ https://social.technet.microsoft.com/wiki/contents/articles/4399.private-cloud-reference-model.aspx

Exercise: Cloud Computing Basics

Read the given scenario and outline a business use case to present the benefits of cloud computing
using the IaaS service model.
Stelford is a leading steel manufacturing organization operating globally. The organization has
manufacturing plants in three countries and the Sales and Operations teams and regional offices in
more than 30 countries.
Stelford uses an ERP application that works in a distributed architecture, where the manufacturing
plants and regional offices have a local deployment of the application. Every night the data from all
the different sites is collected at the central site and synced back to the other local sites. The
syncing of the data takes approximately 24 hours.
The Executive team wants to have just-in-time ordering for a better customer experience, but the
time gap in syncing of data is a hindrance for the Sales and Operations teams to receive the real-time
stock position and for the manufacturing plants to estimate the requirements.
As an IT Manager, you propose to migrate to the cloud to achieve high availability and scalability. In
addition, as the ERP application is built and maintained internally, you want to have administration
control of the development environment. Considering the problem description and business
requirements, outline a business use case to present the benefits of cloud computing using the
IaaS service model.
Outcome:
This exercise will help to recall the cloud characteristics, service, and deployment models.

Sample Answer
Company Background
Stelford is a leading steel manufacturing company with factories spread across three countries and
Sales and Operations teams and regional offices in more than 30 countries.
Problem Description
The ERP application works in a distributed architecture and the manufacturing sites and regional sales
offices have local deployments. The syncing of data between the central site and local sites takes
approximately 24 hours. This is a hindrance for the Sales and Operations teams to receive the updated
stock position in real-time mode and place just-in-time orders for the customer.



Business Requirements
●● Fast and efficient synchronization between the sites and regional offices at different locations
●● Availability of complete, integrated, and updated data from all sites and regional offices in
real-time mode
●● Centralized control of the ERP application
●● In-house control of the development environment

Benefits from Cloud Computing (using IaaS service model)
●● Access to the centralized ERP application and data
●● Specific development environment for the current ERP
●● Complete administration access for the entire environment
●● Scaling of the infrastructure to be controlled by the Stelford IT team
●● Extensive resiliency

Information Security Management

Information Security: Definition
Information security (also known as cyber security or INFOSEC) is security as applied to computing
devices and computer networks.
Figure: principles of information security surrounding INFORMATION (Confidentiality, Integrity, Availability, Non-repudiation, Authentication).
Source: InfoSec Institute - Guiding Principles in Information Security and NIST 800-33

Information security covers all the processes and mechanisms by which information and services are
protected from unintended or unauthorized access, change, or destruction. Information security also
includes protection from unplanned events and natural disasters.
The Confidentiality, Integrity, and Availability (CIA) triad is a venerable and well-known model for
security policy development, used to identify problem areas and necessary solutions for information
security.



The CIA Principle
The CIA triad is a simple but widely-applicable security model. It stands for Confidentiality,
Integrity, and Availability - the three key principles, which should be guaranteed in any kind of
security system.
The following figure shows the CIA triad.
Figure: the CIA triad. Confidentiality: ability to hide information from unauthorized users. Integrity: ability to ensure accurate and complete representation of original information. Availability: ability to make information accessible to the authorized viewers when it is needed. Non-repudiation and Authentication are shown alongside the triad.

These principles are applicable across the whole subject of security analysis, from access to a user’s
Internet history to security of encrypted data across the Internet. If any one of the three is breached,
it can have serious consequences for the parties concerned.
Confidentiality
Confidentiality is the ability to hide information from those who are unauthorized to view it. It is perhaps
the most obvious aspect of the CIA triad when it comes to security. However, correspondingly, it is
also the one that is attacked most often. Cryptography and encryption methods are used to maintain
confidentiality, especially for the data transferred from one computer to another.
Integrity
Integrity is the ability to ensure that data is an accurate and complete representation of the original
secure information. A type of security attack is to intercept some important data and make changes to
it before sending it on to the intended receiver.
Availability
Availability is the ability to ensure that the information concerned is readily accessible to the authorized
viewers when it is needed. Distributed Denial of Service (DDoS) is one example of an attack that makes
an online service unavailable by overwhelming it with traffic from multiple sources. Some types of security
attacks may attempt to deny access to the appropriate user in order to gain some secondary effect. For
example, by breaking a website for a particular search engine, a rival may try to become more popular.
The CIA triad, being a simple model, is augmented by other concepts such as non-repudiation and
authentication. The concept of non-repudiation assures that the sender of information is provided
with proof of delivery and the recipient is provided with proof of the sender’s identity. The concept of
authentication aims to verify the identity of an individual, a computer, a piece of software, or similar.

Security Management
Security management is a set of policies and procedures for systematically securing and managing
organizations’ data, information, systems, and services.



The primary goal of security management is to ensure the confidentiality, availability, and integrity of
an organization’s information, systems, and services.
Security management involves various key areas including risk assessment, security assessment, and
calculation of return on security investment.
Figure: key areas of security management (Risk Assessment, Security Assessment, Return on Security Investment).

Source: ISO/IEC 27001:2005

Assets, Threats, Vulnerability, and Risk


Key terms for asset identification:
●● Assets: What we are trying to protect.
●● Threat: What we are trying to protect against.
●● Vulnerability: A weakness or gap in our protection efforts.
●● Risk: The intersection of assets, threats, and vulnerabilities.

Further explanation of assets, threats, vulnerabilities, and risks is given below.


●● Assets: Any information, system, software, or hardware that is owned by the organization.
●● Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain,
damage, or destroy an asset.
●● Vulnerability: Weaknesses or gaps in a security program that can be exploited by threats to
gain unauthorized access to an asset or make it unavailable to its rightful users.
●● Risk: The potential for loss, damage, or destruction of an asset as a result of a threat exploiting
a vulnerability.

Examples of Assets:
●● People: People may include employees and customers.
●● Property: Property assets consist of both tangible and intangible items that can be assigned
a value. Intangible assets include reputation and proprietary information.
●● Information: Information may include databases, software code, critical company records,
and many other tangible items.



Example of threats: Angry employees, dishonest employees, criminals, hackers, malware, virus,
and rogue software.
Example of vulnerability: Software bugs, broken processes, ineffective controls, hardware
malfunctions, business change, legacy systems, and human error.
Example of risks: Business disruption, financial loss, loss of privacy, damage to reputation, and legal
penalties.
Risk Assessment
It is important to understand the difference between the terms - threats, vulnerability, and risks - in
order to understand the true risk to assets.
The following figure depicts the four important tasks carried out during risk assessment. In order to
perform a comprehensive risk assessment, it is very important to identify all the assets, threats and
vulnerabilities. Based on these three, the risk is calculated.
Figure: the four risk assessment questions. Assets: What am I trying to protect? Threats: What do I need to protect against? Vulnerabilities: Is it a weakness in a service or system? Risk: How much time, effort, and money can I spend to obtain adequate protection?

Source: Information Systems Audit and Control Association (ISACA) – IT Governance

While conducting a risk assessment, the formula used to determine risk is as given:

R = A x T x V
(Risk = Asset x Threat x Vulnerability)
Risk assessment is a comprehensive process that comprises various models, tools, and methodologies:
●● Examine assets – Asset management helps to identify the assets and how they are maintained, changed, and depreciated.
●● Identify threats and vulnerabilities – Threat modeling is a common tool to identify threats and vulnerabilities.
●● Identify, categorize, and prioritize risks – A risk acceptance plan and a risk assessment result matrix are the tools to assess, categorize, and prioritize risks.
●● Plan security/risk remediation tasks – A risk treatment and risk remediation plan are the tools to identify, plan, and implement risk remediation tasks.
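As an added worked example (not part of the course material), the following Python register applies the R = A x T x V formula from this section to a constructed list of risk items drawn from the business risk areas of the result matrix, bands each score as Low, Medium or High, attaches a bear / transfer / mitigate decision, and orders the items for prioritization. The 1-5 rating scales, the band thresholds, the treatment mapping and the sample register are all assumptions, since the course gives the formula but no numeric scale.

```python
"""Worked risk register for R = A x T x V (Risk = Asset x Threat x Vulnerability).

Added example, not from the course. The 1-5 scales, Low/Medium/High thresholds,
treatment mapping and sample register below are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed ordinal scales (1-5); the product therefore ranges from 1 to 125.
ASSET_VALUE = {"negligible": 1, "low": 2, "moderate": 3, "high": 4, "critical": 5}
THREAT_LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
VULN_SEVERITY = {"none": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed band thresholds on the 1..125 product.
LOW_MAX = 20      # 1..20   -> Low
MEDIUM_MAX = 60   # 21..60  -> Medium, 61..125 -> High

# Assumed default mapping from band to the bear / transfer / mitigate decision;
# the course notes that the real decision varies case by case.
DEFAULT_TREATMENT = {"Low": "bear", "Medium": "transfer", "High": "mitigate"}


@dataclass(frozen=True)
class RiskItem:
    """One register row: a business risk area and item, plus the three rated inputs."""
    area: str
    item: str
    asset: str
    threat: str
    vulnerability: str


@dataclass(frozen=True)
class AssessedRisk:
    item: RiskItem
    score: int
    category: str
    treatment: str


def _rate(scale: dict, label: str, name: str) -> int:
    # Reject unknown ratings instead of silently miscalculating the register.
    try:
        return scale[label]
    except KeyError:
        raise ValueError(f"unknown {name} rating {label!r}; expected one of {sorted(scale)}") from None


def risk_score(asset: str, threat: str, vulnerability: str) -> int:
    """R = A x T x V on the assumed scales."""
    return (_rate(ASSET_VALUE, asset, "asset")
            * _rate(THREAT_LIKELIHOOD, threat, "threat")
            * _rate(VULN_SEVERITY, vulnerability, "vulnerability"))


def categorize(score: int) -> str:
    """Band a score as the result matrix does (assumed thresholds)."""
    if score <= LOW_MAX:
        return "Low"
    if score <= MEDIUM_MAX:
        return "Medium"
    return "High"


def assess(register, treatment_policy=DEFAULT_TREATMENT):
    """Identify, categorize and prioritize: score each row, band it, attach a
    treatment decision and return the rows ordered highest risk first."""
    assessed = []
    for row in register:
        score = risk_score(row.asset, row.threat, row.vulnerability)
        category = categorize(score)
        assessed.append(AssessedRisk(row, score, category, treatment_policy[category]))
    return sorted(assessed, key=lambda r: r.score, reverse=True)


def area_matrix(register):
    """One band per business risk area, as the result matrix colours each area:
    the worst item in an area sets that area's band."""
    rank = {"Low": 0, "Medium": 1, "High": 2}
    worst = {}
    for r in assess(register):
        if r.item.area not in worst or rank[r.category] > rank[worst[r.item.area]]:
            worst[r.item.area] = r.category
    return worst


# Constructed sample register; areas and items are taken from the result matrix.
SAMPLE_REGISTER = [
    RiskItem("Infrastructure Security", "Vulnerability Management", "critical", "likely", "major"),
    RiskItem("Infrastructure Security", "Encryption", "high", "rare", "minor"),
    RiskItem("Identity and Access Management", "Access Management", "critical", "possible", "major"),
    RiskItem("Data Management", "Data Storage", "high", "possible", "moderate"),
    RiskItem("Business Resiliency and Availability", "Business Continuity", "high", "unlikely", "moderate"),
    RiskItem("Vendor Management", "Vendor Lock-in", "moderate", "possible", "minor"),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f"{r.score:4d}  {r.category:6s}  {r.treatment:9s}  {r.item.area} / {r.item.item}")
    print(area_matrix(SAMPLE_REGISTER))
```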



Risk Assessment Result Matrix
The following figure represents a sample risk assessment result matrix, which identifies low, medium,
and high risks across nine business risk areas.
Figure: sample risk assessment result matrix (legend: Low Risk, Medium Risk, High Risk), covering the following business risk areas and items:
●● Governance, Risk Management, and Compliance: Governance, Risk Management, Compliance
●● Delivery Strategy and Architecture: Strategy, Architecture
●● Infrastructure Security: System Security, Vulnerability Management, Network Security, Application Security, Encryption
●● Identity and Access Management: Identity Management, Access Management
●● Data Management: Data Acquisition, Data Usage, Data Storage, Data Transfer, Data Disposal
●● Business Resiliency and Availability: Technology Resilience, Business Continuity, Supply Chain Continuity, Incident Management
●● IT Operations: Asset Management, Project Management, Change Management, Operations, Resource Provisioning, Physical and Environmental
●● Vendor Management: Vendor Selection, Contracting, Monitoring, Vendor Lock-in
●● Business Operations: Human Resources, Legal, Finance, Tax

The decision to bear, transfer, or mitigate risk will depend on the severity of the risk and vary on a
case-to-case basis.

Executive Risk Treatment and Remediation Plan: Example

Figure: example plan laid out as strategic, process, and tactical workstreams (legend: milestone, high priority workstream, input to other workstream):
●● Governance - Policy: Develop IT Governance Model; Implement Enterprise Governance; Monitor and Update Plan
●● Risk Management - Risk Assessment: Define Assessment Framework; Conduct Risk Assessments; Evaluation of Approach
●● Compliance - Common IT Controls Framework: Define Control Framework; Policy Adoption; Compliance Framework Refresh
●● Vendor Management - Monitoring: Design/Update Contracting Policy; Establish Third-Party Risk Management Process; Monitor Program
●● Business Resiliency - Business Continuity: Conduct Enterprise BIA; Establish Enterprise RTO/RPO; Define Testing Policy and Procedures; Conduct Testing
●● Application Security (SDLC): Develop SDLC Process; Define Testing Process; Define Monitoring Process
●● Data Protection Management - Data Transfer: Design Classification Procedures; Establish Data Security Lifecycle; Establish Data Protection Standards; Update Data Loss Prevention Process
●● Network Security - Security Incident Management Plan: Current State Analysis; Design Incident Management Plan; Establish the Plan; Monitor and Update Plan


Sample material – Not for Resale


This figure represents an example of a risk treatment and remediation plan. It highlights the differences
between strategic, process, and tactical elements of focus. The controls on each layer can be
implemented accordingly as per the business preference.

Security Assessment
The goal of a security assessment, also known as a security audit or security review, is to ensure that
necessary security controls are integrated into the design and implementation of a project.
A properly completed security assessment should provide documentation outlining any security gaps
between a project design and approved corporate security policies.
Management can address security gaps in the following three ways:
●● It can decide to cancel the project.
●● It can allocate the necessary resources to correct the security gaps.
●● It can accept the risks, based on an informed risk/reward analysis.

Security Management Lifecycle
The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program that involves the management of organizational risk.
Security management lifecycle consists of six steps that are paramount to the effective management of risk resulting from the operation and use of information systems.
The following figure shows the security management lifecycle.

Figure: Security Life-Cycle, six steps:
1. CATEGORIZE Information System: Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
2. SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
3. IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
4. ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
5. AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
6. MONITOR Security State: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Source: NIST SP 800-37 Applying the Risk Management Framework
Source: NIST SP 800-30 Risk Management Guide for Information Technology Systems



Using these corresponding requirements in an integrated way can provide a methodical, repeatable, and risk-based approach for selecting, specifying, and implementing security controls to adequately protect within the cloud.

Return on (Security) Investment
1. Have you ever faced a situation where you have been told that your security measures are too expensive?
2. Have you ever faced a situation where you find it very difficult to explain to management the consequences of an incident in terms of profit or loss?
Return on Security Investment Formula:
ROSI = Monetary Risk Mitigation – Cost of Control
For each threat, we can then calculate:
Annualized Loss Expectancy = Annual Rate of Occurrence * Single Loss Expectancy

A security investment is judged to be profitable, if the risk mitigation effect is greater than the expected costs.

Source: Christian Locher, Methodologies for evaluating information security investments, 2005

Some common metrics for security investment are:



●● Single Loss Expectancy (SLE): SLE is the expected amount of money that will be lost
when a risk occurs. It can be considered as the total cost of an incident assuming its single
occurrence.
●● Annual Loss Expectancy (ALE): ALE is the annual monetary loss that can be expected from
a specific risk on a specific asset. It is calculated as follows: ALE = ARO * SLE
●● Annual Rate of Occurrence (ARO): ARO is a measure of the probability that a risk occurs in
a year.

Return on Security Investment: Example


The Acme Corp. is considering investing in an anti-virus solution. Each year, Acme suffers 5 virus attacks (ARO=5). The CSO estimates that each attack costs approximately 15.000€ in loss of data and productivity (SLE=15.000). The anti-virus solution is expected to block 80% of the attacks (Mitigation ratio=80%) and costs 25.000€ per year (License fees 15.000€ + 10.000€ for training, installation, maintenance etc.).
The Return on security investment for this solution is then calculated as follows:
ROSI = ((5 * 15000) * 0.8 - 25000) / 25000 = 140%
Source: https://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security-investment/at_download/
fullReport
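The ALE and ROSI formulas above, worked through in code as an added example that is not part of the course material. The Acme figures are the ones from the text; the second "managed service" control, its figures, and the break-even helper are constructed here for comparison, and ROSI is computed as the ratio used in the worked example.

```python
"""Return on Security Investment (ROSI) with the course's formulas.

ALE  = ARO * SLE
Monetary risk mitigation = ALE * mitigation ratio
ROSI = (monetary risk mitigation - cost of control) / cost of control

Constructed example: the anti-virus figures come from the Acme worked example,
the 'managed service' control is made up to show a control that does not pay
for itself.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    aro: float               # Annual Rate of Occurrence of the threat
    sle: float               # Single Loss Expectancy per occurrence
    mitigation_ratio: float  # share of occurrences the control blocks, 0..1
    annual_cost: float       # licence + training, installation, maintenance


def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO * SLE: expected yearly loss from one threat with no control."""
    return aro * sle


def monetary_risk_mitigation(aro: float, sle: float, mitigation_ratio: float) -> float:
    """Part of the ALE the control is expected to prevent."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must lie between 0 and 1")
    return annualized_loss_expectancy(aro, sle) * mitigation_ratio


def rosi(control: Control) -> float:
    """ROSI as a ratio: 1.4 means 140% as in the Acme example."""
    if control.annual_cost <= 0:
        raise ValueError("cost of control must be positive")
    mitigation = monetary_risk_mitigation(control.aro, control.sle, control.mitigation_ratio)
    return (mitigation - control.annual_cost) / control.annual_cost


def is_profitable(control: Control) -> bool:
    """Profitable iff the risk mitigation effect exceeds the cost, i.e. ROSI > 0."""
    return rosi(control) > 0


def breakeven_mitigation_ratio(control: Control) -> float:
    """Smallest mitigation ratio at which the control pays for itself.

    Useful when the CSO's mitigation estimate is the least certain input:
    if the break-even ratio is close to the estimate, the case is fragile.
    """
    ale = annualized_loss_expectancy(control.aro, control.sle)
    return control.annual_cost / ale if ale else float("inf")


def rank_by_rosi(controls: list) -> list:
    """Names of the controls, best ROSI first."""
    return [c.name for c in sorted(controls, key=rosi, reverse=True)]


# Figures from the Acme worked example: ARO=5, SLE=15.000, 80% blocked, 25.000/year.
ACME_ANTIVIRUS = Control("anti-virus", aro=5, sle=15_000, mitigation_ratio=0.8, annual_cost=25_000)
# Constructed comparison: blocks slightly more attacks but costs far more.
MANAGED_SERVICE = Control("managed service", aro=5, sle=15_000, mitigation_ratio=0.9, annual_cost=90_000)

if __name__ == "__main__":
    for control in (ACME_ANTIVIRUS, MANAGED_SERVICE):
        print(f"{control.name}: ROSI={rosi(control):.0%}, "
              f"break-even mitigation={breakeven_mitigation_ratio(control):.0%}, "
              f"profitable={is_profitable(control)}")
```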



Information Security Management System
Information Security Management System (ISMS) is a set of policies concerned with information
security management or IT-related risks. It includes managing people, processes, and IT systems by
applying a security/risk management process.
An ISMS can help your organization manage the security of assets such as financial information,
intellectual property, employee details, or information entrusted to you by third parties.
The best known standard providing the requirements for an ISMS is the ISO/IEC 27001.
Source: ISO/IEC 27001:2005

As with all management processes, an ISMS must remain effective and efficient in the long term,
adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005,
therefore, incorporated the ‘Plan-Do-Check-Act’ (PDCA) or Deming cycle approach. The activities
carried out in the four phases are:
Plan: This phase is about designing the ISMS, assessing information security risks, and selecting
appropriate controls.
Do: This phase involves implementing and operating the controls.
Check: The objective of this phase is to review and evaluate the performance (efficiency and
effectiveness) of the ISMS.
Act: In this phase, changes are made, where necessary, to bring the ISMS back to peak performance.
Source: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

COBIT 5, a framework for the governance and management of enterprise IT, uses a very similar
approach as PDCA (Plan - APO, Build - BAI, Run - DSS, Monitor - MEA).
●● Align, Plan, and Organize (APO)
●● Build, Acquire, and Implement (BAI)
●● Deliver, Service, and Support (DSS)
●● Monitor, Evaluate, and Assess (MEA)

Another competing standard for ISMS is Information Security Forum's Standard of Good Practice
(SOGP). It is more best practice-based as it comes from ISF's industry experiences.
Some other best-known ISMSs are Common Criteria (CC) international standard and IT Security
Evaluation Criteria (ITSEC).
●● Some nations use their own ISMS, such as:
○○ Department of Defense Information Technology Security Certification and Accreditation
Process (DITSCAP) of USA
○○ Department of Defense Information Assurance Certification and Accreditation Process
(DIACAP) of USA and Trusted Computer System Evaluation Criteria (TCSEC) of USA
○○ IT Baseline Protection Manual (ITBPM) of Germany
○○ ISMS of Japan
○○ ISMS of Korea and Information Security Check Service (ISCS) of Korea



Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward
creating a governance framework for information and IT more generally. COBIT has a companion
framework “Risk IT”, which is dedicated to information security. ITIL has RESILIA best practice portfolio
to address security and improve cyber resilience.

IT Governance

Governance: Definition
Enterprise Governance: The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise’s resources are used responsibly.
IT Governance: IT governance is an integral part of Enterprise Governance and focuses on IT structures and processes to ensure that the organization’s IT supports and extends the organization’s strategies and objectives.

Figure: governance cycle: Provide Strategic Direction; Resource Management; Risk Management; Achieving Governance Objectives.

Source: http://www.isaca.org/Pages/Glossary.aspx

IT governance is a subset discipline of corporate governance, focused on IT and its performance and risk management. The interest in IT governance is due to:
●● The on-going need within organizations to focus value creation efforts on an organization’s
strategic objectives.
●● The need to better manage the performance of those responsible for creating this value in the best interest of all stakeholders.



Governance Structure
The structure of a governance consists of three main components: policies, standards, and procedures and guidelines.

Figure: Policies set the tone of an organization’s risk tolerance. Standards define mandatory performance criteria and acceptable levels of control. Procedures explain how to carry out policy in step by step directions.

Policies
Policies are high-level statements regarding principles and requirements that set the tone and
temperament of management’s risk tolerance and direction for logical, physical, and managerial
practices. A policy is a governing principle that provides the basis for standards and carries the highest
authority in the organization. Policies are generally not technology, process, or vendor specific and
therefore should not change frequently.
Standards
Standards provide detailed, mandatory performance criteria to ensure conformity with company policies.
Standards define an acceptable level of control and associated measurable compliance criteria. Any
deviation from a standard must be approved by management and be documented. Standards may be
technology, process, and vendor-specific and, typically, require frequent maintenance.
Procedures and Guidelines
Procedures are detailed step-by-step activities and tasks that the personnel are required to follow
when performing certain aspects of their job responsibilities. Standards may include corporate, local,
and business unit specific procedures. Procedures are also structured into ‘Guidelines’ and typically
require frequent maintenance.



IT Governance Practices and Standards

Over the years, a number of IT practices and standards have emerged. The following table depicts the common practices and standards for IT Governance.

Common Practices:
●● AICPA Privacy Framework
●● ISO/IEC 38500
●● ISO 17799
●● ISO 27001
●● ISO 13335
●● COBIT
Industry Standards:
●● Payment Card Industry (PCI) DSS
●● FISMA
●● HIPAA

Governance Regulatory Example


A common example of enterprise governance of information technology is ISO/IEC 38500 - an
international standard published jointly by the International Organization for Standardization (ISO)
and the International Electrotechnical Commission (IEC). ISO/IEC 38500 provides a framework
for effective IT governance to assist the organizations’ policy maker to understand and fulfill their
legal, regulatory, and ethical obligations in respect of their organizations’ use of IT. ISO/IEC 38500 is
applicable to organizations of all sizes, including public and private companies, government entities,
and not-for-profit organizations.

Cloud Computing Security

Cloud Computing: Shared Security Responsibility

It is critical to recognize that security is a cross-cutting aspect of cloud computing, which spans across all layers of the various deployment/service models, ranging from physical security to application security.
The figure depicts the security aspects for different deployment/service models.

Figure: security layers by service model. Software as a Service: Presentation Platform and Modality; Applications; APIs; Data, Metadata, Content. Platform as a Service: APIs; Integration and Middleware. Infrastructure as a Service: APIs; Core Connectivity and Delivery; Access; Hardware; Facilities; Storage.

Source: Cloud reference architecture



In traditional IT systems, an organization has control over the whole stack of computing resources and entire lifecycle of the systems. However, in the cloud the security is not solely under the purview of the cloud providers but also depends on the cloud subscribers and other relevant services, for example, layered services. Cloud providers and cloud subscribers collaboratively design, build, deploy, and operate cloud-based systems. The split of control means both parties share the responsibilities in providing adequate protections to the cloud-based systems.

Security Risk Elements by Service Models


Each service model has specific security elements and considerations, but it takes a ‘Shared Security Responsibility’ approach to be successful. The following figure is a visual example of the different security elements within the various service models.
Figure: security elements by service model.
●● Infrastructure Security Elements: Physical Security; Data Transfer Security; Network Security
●● Platform Security Elements: Session Security; Data Storage Security; Presentation Security
●● Software Security Elements
●● Also shown in the figure: Audit and Report; Awareness Training; Access Control; Configuration MGMT; Media Protection; System and Program MGMT; Risk MGMT; Physical Security; Incident Response; Contingency Planning; Comm. Protection; Privacy Program


Risks to Consider in the Cloud


Despite the existence of different deployment and service models, there are few generic considerations related to the deployment of cloud services. The following key risk questions should be considered before deployment of cloud services.

Governance, Risk, and Compliance:
●● How will we monitor usage of the cloud and avoid taking on unacceptable risks or getting into compliance hot water?
●● How do we provide proper assurance to our auditors and regulators?
Business Transformation:
●● Will cloud fundamentally change the business?
●● Do new license models need to be created to be compatible with a cloud computing model?
Security and Privacy Risks:
●● How is our data controlled throughout its lifecycle while in a shared environment?
●● How can we protect against unauthorized usage or sharing?
Industry Risks:
●● Will industry specific regulatory changes impact how we use cloud computing?
●● How do we manage rapid SaaS application changes?
Operational Risks:
●● Do processes and procedures need to change?
●● What are the new roles and responsibilities and who take them up?




Some prominent risk aspects that should be considered in the cloud are as follows:
●● Environmental security: The concentration of computing resources and users in a cloud
computing environment also represents a concentration of security threats. Because of their
size and significance, cloud environments are often targeted by virtual machines and bot
malware, brute force attacks, and other attacks. Ask your cloud provider about access controls,
vulnerability assessment practices, and patch and configuration management controls to see
that they are adequately protecting your data.
●● Data privacy and security: Hosting confidential data with cloud providers involves the transfer
of a considerable amount of an organization’s control over data security to the provider. It is
important that cloud provider understands the consumer’s data privacy and security needs.
Also, the cloud provider should be aware of particular data security and privacy rules and
regulations that apply to the consumer entity, such as HIPAA, the Payment Card Industry
Data Security Standard (PCI DSS), the Federal Information Security Management Act of 2002
(FISMA), or the privacy considerations of Gramm-Leach-Bliley Act.
●● Data availability and business continuity: A major risk to business continuity in the cloud
computing environment is loss of Internet connectivity. If a vulnerability is identified, you may
have to terminate all access to the cloud provider until the vulnerability is rectified. Additionally,
the seizure of a data-hosting server by law enforcement agencies may result in the interruption
of unrelated services stored on the same machine.
●● Record retention requirements: If your business is subject to record retention requirements,
make sure your cloud provider understands what they are so that they can meet them.
●● Disaster recovery: Hosting your computing resources and data at a cloud provider makes
the cloud provider’s disaster recovery capabilities vitally important to your company’s disaster
recovery plans. Know your cloud provider’s disaster recovery capabilities and ask your provider
if they have been tested.
●● Loss of governance: For using cloud infrastructures, the client necessarily cedes control to
the cloud provider on a number of issues that may affect security. At the same time, Service
Level Agreements may not offer a commitment to provide such services on the part of the
cloud provider, thus leaving a gap in security defenses. This also includes compliance risks
because investment in achieving a required certification (e.g., industry standard or regulatory
requirements) may be put at risk by migration to the cloud.
●● Malicious insider: Although less likely, the damage which may be caused by malicious insiders
is often far greater. Cloud architectures necessitate certain roles which are extremely high-
risk. Examples include CP system administrators and managed security service providers.
●● Isolation failure: Multi-tenancy and shared resources are defining characteristics of cloud
computing. This risk category covers the failure of mechanisms separating storage, memory,
routing and reputation between different tenants (for example, the so-called guest-hopping
attacks). However it should be considered that attacks on resource isolation mechanisms (for
example, against hypervisors) are still less numerous and much more difficult for an attacker
to put in practice compared to attacks on traditional OSs.



CIA Within the Cloud

The CIA protection goals that form the basis for the security requirements must be fulfilled by IT systems in general.
Within cloud computing systems, the CIA protection methodologies have split responsibilities or a shared security responsibility depending on the type of service model being deployed.

Figure: Confidentiality and Integrity: Cloud Provider and Cloud Subscriber; Availability: Cloud Provider.

The implementation of CIA within the cloud is explained as given:


●● Confidentiality: Confidentiality within a cloud environment may be shared between the
provider and subscriber or may be a dual or inherited security process.
●● Integrity: Integrity within the cloud may also be a shared element that needs to be considered
as a part of cloud service deployment.


●● Availability: Availability is usually a cloud provider responsibility across all service and
deployment models.

Multi-Tenancy
Multi-tenancy refers to a principle within software architecture where a single instance of the software
runs on a server, serving multiple client-organizations (tenants).
It contrasts with multi-instance architectures where separate software instances (or hardware systems)
operate on behalf of different client organizations.
With a multi-tenant architecture, a software application is designed to virtually partition its data and
configuration, and each client organization works with a customized virtual application.
Difference with Virtualization
In a multi-tenancy environment, multiple customers share the same application, running on the same
operating system, on the same hardware, with the same data-storage mechanism.
The distinction between the customers is achieved during application design, thus customers do not
share or see each other's data.
Compare this with virtualization where components are abstracted enabling each customer application
to appear to run on a separate virtual machine.
Multi-tenancy in the Cloud
Multi-tenancy in the cloud means sharing of resources and services to run software instances
serving multiple consumers and client organizations (tenants). It means physical resources (such as
computing, networking, and storage) and services are shared. The administrative functionality and
support may also be shared. One of the big drivers for providers is to reduce cost by sharing and
reusing resources among tenants.



Security Risks Within Multi-Tenancy Design
Some of the security risks within multi-tenancy design are:
●● Inadequate logical security controls: Physical resources (CPU, networking, storage and
databases, and application stack) are shared between multiple tenants.
●● Malicious or ignorant tenants: If the provider has weaker logical controls between tenants,
a malicious or an ignorant tenant may reduce the security posture of other tenants.
●● Shared services can become single point of failure: If the provider has not architected the
common services well, they can easily become single point of failure, due to misuse or abuse
by a tenant.
●● Uncoordinated change controls and misconfigurations: When multiple tenants are sharing
the underlying infrastructure, all changes need to be well coordinated and tested.
●● Comingled tenant data: To reduce cost, providers may be storing the data from multiple
tenants in the same database table-spaces and backup tapes.
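A constructed example (not code from the course) of the ‘inadequate logical security controls’ and ‘comingled tenant data’ risks above: two tenants’ rows share one table, and a lookup keyed on record id alone is shown next to one that carries the caller’s tenant through every query. Tenant names, rows, and function names are made up for the illustration.

```python
"""Tenant scoping in a multi-tenant data store (constructed example).

One SQLite table holds rows for several tenants, the 'comingled tenant data'
case. The vulnerable accessor looks rows up by record id only, so a tenant
that knows or guesses an id reads another tenant's row: an isolation failure
at the application layer. The hardened accessor makes the tenant part of every
predicate and treats a cross-tenant id exactly like a non-existent one.
"""
import sqlite3
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Tenant:
    tenant_id: str


@dataclass(frozen=True)
class Record:
    record_id: int
    tenant_id: str
    payload: str


def build_store() -> sqlite3.Connection:
    """In-memory store with constructed sample rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        " record_id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " payload TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO records (record_id, tenant_id, payload) VALUES (?, ?, ?)",
        [
            (1, "acme", "acme payroll export"),
            (2, "acme", "acme customer list"),
            (3, "globex", "globex merger memo"),
        ],
    )
    return conn


def get_record_vulnerable(conn: sqlite3.Connection, record_id: int) -> Optional[Record]:
    """Weak logical control: no tenant in the predicate, any tenant's row comes back."""
    row = conn.execute(
        "SELECT record_id, tenant_id, payload FROM records WHERE record_id = ?",
        (record_id,),
    ).fetchone()
    return Record(*row) if row else None


def get_record(conn: sqlite3.Connection, tenant: Tenant, record_id: int) -> Optional[Record]:
    """Tenant-scoped lookup: a cross-tenant id is indistinguishable from 'not found'."""
    row = conn.execute(
        "SELECT record_id, tenant_id, payload FROM records"
        " WHERE record_id = ? AND tenant_id = ?",
        (record_id, tenant.tenant_id),
    ).fetchone()
    if row is None:
        return None
    record = Record(*row)
    # Defence in depth: re-check ownership in code, not only in SQL.
    if record.tenant_id != tenant.tenant_id:
        raise PermissionError("tenant mismatch on row returned by scoped query")
    return record


def list_records(conn: sqlite3.Connection, tenant: Tenant) -> List[Record]:
    """Enumeration is scoped too; a per-tenant listing never touches other rows."""
    rows = conn.execute(
        "SELECT record_id, tenant_id, payload FROM records"
        " WHERE tenant_id = ? ORDER BY record_id",
        (tenant.tenant_id,),
    ).fetchall()
    return [Record(*r) for r in rows]


def demo() -> dict:
    """Tenant 'globex' asks for record 1, which belongs to 'acme'."""
    conn = build_store()
    globex = Tenant("globex")
    leaked = get_record_vulnerable(conn, 1)
    scoped = get_record(conn, globex, 1)
    return {
        "leaked_tenant": leaked.tenant_id if leaked else None,
        "scoped": scoped,
        "globex_visible_ids": [r.record_id for r in list_records(conn, globex)],
    }


if __name__ == "__main__":
    print(demo())
```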

Specific risks by service model include:


●● SaaS: Multiple clients (tenants) may be sharing the same application stack (database, app
and web servers, and networking).
●● PaaS: Platform stack is shared among the tenants. Vulnerability in the platform stack can
allow bleeding among tenants, shared data backups, and archives.
●● IaaS: Cross network traffic listening. Co-residents with lower security posture, where they
are less concerned about keeping their hosts hardened and patched.

Cloud Risk Considerations
The table includes the high-level considerations for cloud computing from different aspects:
●● Governance and Compliance: Monitoring usage of cloud; Monitoring compliance with regulatory requirements; Compliance with multijurisdictional data privacy laws
●● Privacy and Data Protection: Delineating ownership of data across organizational lines; Managing access to appropriate levels of data; Implementing data storage and retention policies at the cloud vendor
●● Security Incident Response: Managing incident investigations in a virtualized environment; Limiting incident spill over to multiple cloud tenants; Handling complicated troubleshooting due to continuous environment changes
●● Access Control: Access controls for cloud management interfaces; Access controls for segregation of duties; Due diligence prior to assignment of access privileges
●● Vulnerability Management: Managing virtualization induced vulnerabilities; Ensuring timely security patches; Adequate vulnerability testing of cloud components
●● Vendor Management: Obtaining assurance on cloud vendor’s solution; Monitoring vendor’s performance; Building in the cloud portability and interoperability




Cloud Risk Considerations (Contd.)

●● Geography: Given various countries and regulatory authorities, controls for supporting appropriate cross border data views/use must be maintained.
●● Ownership, Rights, and Obligations: Clear establishment of rights and obligations associated with data assets must be established. Often rights and obligations are dependent on the physical location of the data owner, custodian, and user. Designing and implementing effective controls to support appropriate rights and obligations may be complex.
●● Multi-Tenancy: In a multi-tenant cloud environment, users may access shared resources, possibly gaining unauthorized access or may attack other tenants. This may have less risk in a private cloud, but more risk in a vendor-hosted cloud.
●● Data Seizures: In a cloud provider environment, server seizures for one customer may include other customers, simply because they were on the same physical server. Seizing the hardware may lead to data loss or data disclosure of other customers in multi-tenant storage models.
●● Data Loss: On ephemeral or transient systems, a cloud-vendor-provider-instance-failure may lead to permanent loss of system information, including system configuration and data stored locally.
●● Ephemeral and Transient Systems: ‘Disposable’ server concept challenges the role of change control.


Cloud Computing Security Reference Architecture


The Cloud Computing Security Reference Architecture formal model is derived from the NIST Reference Architecture (NIST RA).

Figure: NIST Cloud Computing Reference Architecture, with Cross Cutting Concerns: Security, Privacy, etc.

Source: NIST SP 500-292: NIST Cloud Computing Reference Architecture



Consumer: Cloud Computing Security Reference Architecture

The following figure shows the consumer cloud computing security reference architecture by model and access elements. Cloud consumers need Service Level Agreements (SLAs) to specify the technical requirements fulfilled by a cloud provider.

Figure: cloud consumer by service model.
●● SaaS Consumer: Human Resources; ERP; Social Networks; Billing; Financials; Sales; CRM; Content Management; Collaboration; E-mail and Office Productivity; Document Management
●● PaaS Consumer: Business Intelligence; Database; Application Deployment; Development and Testing
●● IaaS Consumer: Services Management; Storage; CDN; Platform Hosting; Compute; Backup and Recovery


A few important points to be considered are:


●● SaaS applications in the cloud are made accessible through a network to the SaaS consumers.
●● PaaS can employ the tools and execution resources provided by cloud providers to develop,
test, deploy, and manage the applications.
●● IaaS subscribers have access to virtual computers, network-accessible storage, network
infrastructure components, and other fundamental computing resources on which they can
deploy and run arbitrary software.

Cloud Provider: Cloud Computing Security Reference Architecture


A cloud provider is an organization responsible for making a service available to subscribers. It
provides the following services:
●● Software as a Service: The cloud provider deploys, configures, maintains, and updates the
operation of the software applications on a cloud infrastructure. The SaaS provider assumes
most of the responsibilities in managing and controlling the applications and the infrastructure,
while the cloud consumers have limited administrative control of the applications.
●● Platform as a Service: The cloud provider manages the computing infrastructure for the
platform and runs the cloud software, which provides the components of the platform, such as
runtime software execution stack, databases, and other middleware components.
○○ The PaaS cloud provider typically also supports the development, deployment, and
management process of the PaaS cloud consumer by providing tools such as Integrated
Development Environments (IDEs), development version of cloud software, Software
Development Kits (SDKs), deployment, and management tools.

Sample material – Not for Resale


●● Infrastructure as a Service: The cloud provider acquires the physical computing resources
underlying the service, including the servers, networks, storage, and hosting infrastructure.
The cloud provider runs the cloud software necessary to make computing resources available
to the IaaS cloud consumer through a set of service interfaces and computing resource
abstractions, such as virtual machines and virtual network interfaces.
○○ The IaaS cloud consumer, in turn, uses these computing resources, such as a virtual
computer, for its fundamental computing needs. Compared to SaaS and PaaS cloud consumers,
an IaaS cloud consumer has access to more fundamental forms of computing resources and
thus has more control over more of the software components in the application stack,
including the OS and the network.

Exercise: Cloud Computing Security


Explain the risks and the impacts of cloud computing in terms of both business and technical security
challenges and their effect on business and technical governance and policy.
Outcome:
This exercise will enable you to look at a business and identify the risks of cloud computing.

Sample Answer
Business risks and impacts:
●● Lock-in and data portability: Lock-in refers to the inability of a cloud consumer to move
their data away from a cloud service provider. In addition, data portability issues can hinder
a change of service provider.
●● Data security and privacy: Data integrity, confidentiality, and privacy are major challenges
of cloud computing.
●● Data storage location: The location of data storage may hinder compliance with government
and other regulatory requirements. Cloud computing introduces the risk that data belonging to
one organization may be stored in several locations and coexist with another organization’s data.
●● Loss of governance: Loss of governance to cloud service providers is perceived as a potential
security risk by organizational leaders. Businesses are exposed to many types of risks when
they entrust their data to a third party. The impact of the loss of control may include the
inability to comply with security requirements, a loss of confidentiality, availability, and
integrity of data, and a decline in the performance and quality of service.

Technical risks and impacts:


●● Availability of service: Availability of service can be a major challenge in cloud computing.
The cloud computing service can be impacted for various reasons, such as the use of cheap
commodity hardware and network degradation.
●● Resource exhaustion: Cloud computing services are on-demand, and resources are allocated
by the cloud service provider based on statistical projection of tenant demand. The provider
therefore accepts a calculated risk that actual demand exceeds the projection; high-performance
computing applications and transactional database systems in particular may lead to performance
unpredictability and/or resource exhaustion.
●● Distributed Denial of Service: Cloud computing systems are an easy target for attackers,
whether as the target of a DDoS attack, as a channel for the transmission of viruses, or as the
victim of a hack.
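To make the "calculated risk" behind resource exhaustion concrete, the following simulation is added here as an illustration; it is not part of the course material and does not describe any real provider's capacity model. It models a provider that sizes a shared host from the statistical mean of tenant demand rather than the sum of tenant peaks, and measures how often aggregate demand exceeds capacity for two constructed tenant mixes with the same mean demand but different burstiness. The tenant profiles, vCPU figures, burst probabilities and the `Tenant`, `slot_demand`, `exhaustion_probability` and `overcommit_ratio` names are all assumptions made for the example.

```python
# Constructed simulation of provider overcommit as a "calculated risk" (example added
# for illustration; not from the course material). Tenant profiles and numbers are made up.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Tenant:
    """Demand profile of one tenant on a shared host, in vCPUs."""
    name: str
    mean_vcpu: float    # what the provider's statistical projection plans for
    peak_vcpu: float    # what the tenant can actually pull during a burst
    burst_prob: float   # fraction of time slots in which the tenant is at peak


def slot_demand(tenants, rng):
    """Total demand in one time slot: each tenant is at peak with its burst probability."""
    return sum(t.peak_vcpu if rng.random() < t.burst_prob else t.mean_vcpu for t in tenants)


def exhaustion_probability(tenants, capacity, slots=10_000, seed=1):
    """Fraction of simulated slots in which aggregate demand exceeds host capacity."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    exhausted = sum(1 for _ in range(slots) if slot_demand(tenants, rng) > capacity)
    return exhausted / slots


def overcommit_ratio(tenants, capacity):
    """Sum of tenant peaks over provisioned capacity; 1.0 means no overcommit."""
    return sum(t.peak_vcpu for t in tenants) / capacity


# Constructed tenant mixes. Both have the same mean demand (16 vCPU in total), so a
# provider planning from averages would size the same host for either of them.
STEADY = [Tenant(f"saas-web-{i}", mean_vcpu=2, peak_vcpu=4, burst_prob=0.05) for i in range(8)]
BURSTY = [Tenant(f"hpc-or-oltp-{i}", mean_vcpu=2, peak_vcpu=16, burst_prob=0.20) for i in range(8)]
HOST_CAPACITY = 24  # vCPUs provisioned: 50% headroom over the 16 vCPU mean


if __name__ == "__main__":
    for label, mix in (("steady", STEADY), ("bursty", BURSTY)):
        print(f"{label}: overcommit {overcommit_ratio(mix, HOST_CAPACITY):.2f}x, "
              f"P(exhaustion) = {exhaustion_probability(mix, HOST_CAPACITY):.3f}")
    # Sizing for the sum of peaks removes the risk, at the cost of idle capacity.
    no_overcommit = sum(t.peak_vcpu for t in BURSTY)
    print(f"bursty at {no_overcommit} vCPU: P(exhaustion) = "
          f"{exhaustion_probability(BURSTY, no_overcommit):.3f}")
```

The projection from mean demand produces the same 24 vCPU host for both mixes, yet the steady SaaS-style tenants almost never exhaust it while the bursty HPC/transactional mix exceeds it in the large majority of slots. The provider's exposure is driven by workload variance, not by average load, which is why those workload types are singled out above; provisioning for the sum of peaks eliminates the exhaustion but leaves most of the capacity idle, and that trade-off is the calculated risk.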



Module Summary
The module includes the following topics.

Cloud Computing Basics


●● Cloud Computing Primer: What is the Cloud?
●● Characteristics of Cloud Computing
●● Cloud Service Models
●● Cloud Deployment Models
●● Cloud Reference Models

Information Security Management


●● Information Security: Definition
●● The CIA Principle
●● Security Management
●● Assets, Threats, Vulnerability, and Risk
●● Risk Assessment
●● Risk Assessment Result Matrix
●● Executive Risk Treatment and Remediation Plan: Example
●● Security Assessment
●● Security Management Lifecycle
●● Return on (Security) Investment
●● Return on Security Investment: Example
●● Information Security Management System

IT Governance
●● Governance: Definition
●● Governance Structure
●● IT Governance Practices and Standards

Cloud Computing Security


●● Cloud Computing: Shared Security Responsibility
●● Security Risk Elements by Service Models
●● Risks to Consider in the Cloud
●● CIA Within the Cloud
●● Multi-Tenancy
●● Security Risks Within Multi-Tenancy Design
●● Cloud Risk Considerations
●● Cloud Computing Security Reference Architecture
●● Consumer: Cloud Computing Security Reference Architecture
●● Cloud Provider: Cloud Computing Security Reference Architecture
