Logical Model

• Infrastructure layer Infrastructure security

• Metastructure layer Virtual environment security

• Infostructure layer Data security

• Applistructure layer Application and operating system security

 Infrastructure: The core components of a computing system: compute, network, and storage.
The foundation that everything else is built on. We deal with Infrastructure level security here.
 Metastructure: The protocols and mechanisms that provide the interface between the
infrastructure layer and the other layers. The glue that ties the technologies and enables
management and configuration. This deals with Virtual tools and interface requires to manage
and orchestrate cloud infra. Virtulization and Management Security Handled at this layer. This is
management plane for Cloud Infrastruture.
 Applistructure: The applications deployed in the cloud and the underlying application services
used to build them. For example, Platform as a Service features like message queues, artificial
intelligence analysis, or notification services.
 Infostructure: The data and information. Content in a database, file storage, etc. The security at
this layzer focuses on protecting data.

Key difference between cloud and Tradition Security Model

 The key difference between cloud and traditional computing is the metastructure. Cloud
metastructure includes the management plane components, which are network-enabled and
remotely accessible.

 Another key difference is that, in cloud, you tend to double up on each layer. Infrastructure, for
example, includes both the infrastructure used to create the cloud as well as the virtual
infrastructure used and managed by the cloud user. In private cloud, the same organization
might need to manage both; in public cloud the provider manages the physical infrastructure
while the consumer manages their portion of the virtual infrastructure.
The CSA has tools that you can use to assess security controls in a cloud environment in the Cloud
Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ). CSA even offers a
freely available repository of provider-completed CAIQ responses, called the Security Trust Assurance
and Risk (STAR) registry.

STAR Registry
The highlight of the STAR registry is its collection of filled-out CAIQ responses from vendors. This
repository is freely available, and you can use it to perform a “stealth” inspection of a provider’s security
controls before even engaging the provider. The CAIQ entries are considered “self assessments.” Each
self assessment is referred to as a “Level 1” STAR entry.

STAR Level 1: Self Assessment There is no oversight or third-party inspection regarding what is listed
here and what is actually the truth. That said, I like to think that no vendor would be careless enough to
list “mistruths” in their STAR entry, because this would eventually be discovered and the vendor would
likely suffer tremendous reputational damage. Still, just be aware that it’s called “Self Assessment” for a
reason. If you want a third party to sign off on statements, you need to look for the Level 2 STAR entry.

• STAR Level 2: Third-Party Certification There are actually two ways providers can be listed as having
achieved STAR Level 2: STAR Certification or STAR Attestation. The STAR Certification requires that ISO
27001 requirements are followed in a cloud environment being consumed. The STAR Attestation
requires that Service Organization Control 2 (SOC 2) criteria are followed. Both require an independent
third party having assessed the provider’s environment.

• STAR Level 3: Continuous Auditing This level is a placeholder for future continuous audit. At this time,
it is unavailable to any providers because the standard is still being developed.
EXAM TIP Remember that the STAR Registry contains CAIQ entries that are filled out by vendors and
uploaded to the Cloud Security Alliance without any third-party review or assessment.

Architecture must be guided by business requirements. In the case of the Enterprise Architecture, these
requirements come from a controls matrix guided by regulations such as Sarbanes-Oxley and Gramm-
Leach-Bliley, standards frameworks such as ISO-27002, the Payment Card Industry Data Security
Standards, and the IT Audit Frameworks, such as COBIT, all in the context of cloud delivery models such
as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Services (IaaS).

From these requirements, a set of security capabilities have been defined and organized according to
best practice architecture frameworks. The Sherwood Business Security Architecture (SABSA) defines
security capabilities from a business perspective. The Information Technology Infrastructure Library
(ITIL) defines the capabilities needed to manage the IT services of the company, and thus, the security
capabilities necessary to manage those services securely. The Jericho Forum defines technical security
capabilities that arise from the reality of the traditional in-the-datacenter technology environments
shifting to one where solutions span the internet across multiple datacenters, some owned by the
business and some purely used as an outsourced service. Lastly, The Open Group Architecture
Framework (TOGAF) provides an enterprise architecture framework and methodology for planning,
designing, and governing information architectures, and thus provides a common framework to
integrate the work of the security architect with the enterprise architecture of an organization.
Business Operation Support Services
Partners with the business

The BOSS domain is all the corporate support functions such as Human Resources, Compliance, and
Legal that are critical to a security program. It is also the place where the operations of the company and
its systems are monitored for any signs of abuse or fraud.

DESCRIPTION

BOSS was designed based on best practices and reference frameworks with proven success of aligning
the business and transforming the information security practice across organizations into a business
enabler.

Most of the security architectures focus only on technical capabilities, missing the opportunity to create
a dynamic synergy with the business, transforming reactive practices into proactive areas, that
eventually can enable business command centers that provide relevant information about the health
around information assets and business processes.

A common concern when organizations decide to integrate services with cloud providers is the level of
security the provider will offer, as well as the amount of exposure when data is hosted on a multi-tenant
model. This domain outlines aspects that must be considered besides the technological solutions, such
as legal guidance, compliance and auditing activities, human resources, and monitoring capabilities with
a focus on fraud prevention.

EXAMPLE

The security monitoring tool alerts an analyst that a customer withdrawal transaction was initiated from
a workstation in the IT department instead of the customer contact center. A special investigation is
held with the help of HR and Legal to determine that a disgruntled system administrator has been
stealing from the company.

SERVICES PROVIDED

Compliance: The main focus for Compliance capabilities is to track internal, external, third parties (such
as customers), audit activities, and related findings.

Data Governance: outlines and looks for compliance on how data is massaged, transformed, and stored
throughout the IT infrastructure, including internal and external services

Operational Risk Management: Operational Risk Management provides a holistic perspective for risk
evaluation from the business perspective.

Human Resources Security: Often, security incidents and breaches happen to organizations because
there are no formal controls, awareness, and guidelines for the most important asset that organizations
will have — people.
This section was created to make sure that formal procedures, codes of conduct, personnel screening,
and other best practices are in place for the organization, especially for third parties that will support
the cloud services that an organization may have.

Security Monitoring Services: The security and availability monitoring services were positioned in the
Business Operations and Support Services Domain to ensure that the business is the focus, not the
events or hardware.

Legal Services: As security incidents occur, the need for legal counsel is critical for organizations. There
are several capabilities included that may help legal counsels lead compliance activities, deal with
lawsuits, and track preventive awareness across the organization.

Internal Investigation: The role for Internal Investigations is for performing forensic activities and
internal and/or external fraud activities.

Information Technology Operation & Support

Managing IT Processes

ITOS is the IT Department. It is the help desk that takes the call when a problem is found. It is the teams
that coordinate changes and roll them out in the middle of the night. It is the planning and process that
keep the systems going even in the event of a disaster.

DESCRIPTION

ITOS outlines all the necessary services an IT organization will have in order to support its business
needs. This domain provides alignment of industry standards and best practices (PM BOK, CMMi,
ISO/IEC 27002, COBIT, and ITIL v3), providing a reference from two main perspectives that enable the
organization to support its business needs.

EXAMPLE

An employee receives a suspicious email, which she thinks may contain a malware program. She notifies
the help desk. The help desk opens a security incident, and a response team works to block the sender,
identify other affected users, and restore any damage that may have been done.

SERVICES PROVIDED

IT Operation: IT Operation defines the organizational structure, skill requirements of an IT organization,

and standard operational management procedures and practices to allow the organization to manage an
IT operation and associated infrastructure.

Service Delivery: Service Delivery deals with technologies essential in maintaining uninterrupted
technical services. Services in this category typically include those that are more appropriate to the
technical staff, such as availability management, service level management, service continuity, and
capacity management.
Service Support: Service Support is focused on the users and is primarily concerned with ensuring they
have access to the appropriate services to support the business functions.

Incident Management: Architectural patterns for incident management include services for trouble
ticketing, and incident classification. Incident Management interacts with other areas of the architecture
either directly (as with the service desk), indirectly (through manipulation of common data), or
asynchronously (as part of a business process for incident management).

Problem Management: Problem Management deals with the incident after it has started to cycle
through the remediation process. Problem Management architecture interacts with the service desk.

Knowledge Management: The Knowledge Management Process accumulates root cause solutions, or
information regarding how incidents were resolved.

Change Management: Change Management is a major pattern that acts as an intermediary between
request, release, and configuration/provisioning. It allows for management of scope, impact analysis, as
well as scheduling of change. Change Management provides one of the primary inputs into
configuration management from a data maintenance perspective to keep application data up-to-date.

Release Management: The Release Management architecture is the set of conceptual patterns that
support the movement of pre-production technical resources into production. Pre-production includes
all the activities that are necessary to prove that a particular resource is appropriate for the technical,

Technology Solution Domains: Presentation, Application,

Information, and Infrastructure Services

Presentation Services
Interaction with the user

Presentation is the website you see when you go to the online bank. It is the voice on the phone when
you call the airline reservation system.

DESCRIPTION

The Presentation Services domain is where the end-user interacts with an IT solution. The security
requirements for the Presentation Domain will vary on the type of user and the type of service being
provided.

SERVICES PROVIDED

Presentation Modality: The Presentation Modality Services focus on the security concerns that differ
based on the type of user and type of service. The two major types are consumer service platforms like
Social Media, Collaboration, Search, Email, e-Readers, and Enterprise Service Platforms like Business-to-
Consumer (B2C), Business-to-Employee (B2E), Business-to-Business (B2B), and more.
Presentation Platform: The Presentation Platform Services focus on the different types of end-points
that end-users utilize to interact with a solution such as desktops, mobile devices (smart phones,
tablets), portable devices (laptops) or special purposes devices such as medical devices or smart
appliances. The presentation platform also includes the different interaction technologies such as
Speech Recognition or Handwriting Recognition that could be used to interact with a solution.

Application Services
Development and implementation of business logic

Think of application services as the processes that developers use to write code, as well as the code itself.

DESCRIPTION

Application services are the rules and processes behind the user interface that manipulate the data and
perform transactions for the user.

SERVICES PROVIDED

Development Process: The Development Process must address security concerns while the solution is
being built, using tools like source code scanners that can locate common security flaws in the code and
web application vulnerability scanners that can test if a web application can be manipulated with
common techniques used by hackers.

Security Knowledge Lifecycle: In order to build secure applications, a development team must keep up-
to-date with the latest threats and appropriate countermeasures to use in development processes. A
security framework is often used to provide reusable components when a development team is building
multiple applications.

Programming Interfaces: Programming Interfaces allow one application to talk to another or allow
pieces of an application to talk to each other.

Integration Middleware: Integration Middleware are tools like service buses and message queues that
allow applications to exchange information without talking directly to each other.

Connectivity & Delivery: Connectivity & Delivery services are the underlying mechanisms that
Integration Middleware uses to move the messages between applications.

Abstraction: When multiple applications do the same thing, they often use the concept of abstraction so
that they have a common language others will understand.

Information Services
Managing Data

Information Services refers to the storage of data, usually in databases, but sometimes just in files.
DESCRIPTION

One of the most common pain points across organizations is the amount of data generated across the
company sometimes including redundant data (different perspectives for the same threat or gap). All
this data needs to be transformed into useful information that business asset owners can use to
prioritize, strategize, and manage the risk portfolio they own. This section manages the extraction,
transformation, cleansing, and loading of information into a common data model either for analytical or
operational goals.

All data containers are allocated on this domain, where eventually they can be extracted, transformed,
and loaded into the following:

• Operational data store: All day-to-day and transactional information will be allocated here, using
a 360 degrees perspective around information assets (i.e. application and infrastructure
vulnerabilities, patching gaps, penetration test results, audit findings, and controls per asset).

• Data Warehouse: All historical transactions will be used to develop a data warehouse or data
mart that can measure the success obtained with the risk management program. Also, this
model can be used to identify behavior patterns, trends, tendencies, and systemic gaps across
the organization.

SERVICES PROVIDED

User Directory Services: All authentication and authorization repositories will be allocated in this
section, with the goal to simplify the technology footprint for user directories.

Security Monitoring Data Management: All data related to Security Monitoring will be allocated here,
considering the following main groups:

• External monitoring: brand protection, honey-pots, web crawling prevention, and cyber
intelligence.

• Internal monitoring: SIEM related data, trends, behavior patterns, and forensic information.

• Executive reporting: balance scorecard, executive dashboard, and ODS (risk registry).

Threat and vulnerability management data — application compliance, patching, configuration health-
checking, infrastructure, application, and vulnerabilities.

Service Delivery Data Management: SDDM focuses on structure or unstructured data related to the
management of IT services across the company.

Service Support Data Management: All data related to providing services to the business across the
company will reside here. This includes information related to the service desk, incident management,
configuration management, problem management, and knowledge management.

Data Governance Data Management: As applications and IT services are rolled and managed across the
organization, this section will store evidence, and proper compliance data throughout the software
development lifecycle.
Risk Management Data Management: All information related to the information security technical
capabilities will be stored here, including data governance, application security, and data loss prevention
among other sources of information that help improve the risk profile gathered per information asset.

ITOS Data Management: This section will have data related to the strategy and typica operations for an
IT organization, such as the quality management, PMO, enterprise architecture compliance, business
and IT alignment, and how all these services are transformed into agreements as we support the
business needs.

BOSS Data Management: All sources of data related to the Business Operations Support Services
domain will be allocated here.

Reporting Services: All tools used to generate operational reports, decision making, balance scorecards,
dashboards, and other capabilities that will transform the different data sources and data models into
useful information for the business and proper support (operational and strategic) for the risk
management strategy will reside here.

Infrastructure Services
Facilities, Hardware, Network and Virtual Environments

Infrastructure Services can be visualized as the rows of computers, network cables, power supplies,
cooling vents, and fire suppression pipes you will see inside any standard data center.

DESCRIPTION

Infrastructure Services (IaaS) provide the basic core capabilities that support higher-level capabilities in
other areas of the architecture. This is the service layer that supporting cloud applications that are
visible to the majority of cloud users. This level is comprised of the virtual machines, applications, and
databases. Often, IaaS services will be deployed centrally and will run standard machine images, with all
necessary services preconfigured to support ease of integration and reliable connectivity and access.

Internal Infrastructure Services

The Internal Infrastructure services are mainly concerned with the physical assets used by the cloud
service provider to support the virtualized services actually seen by cloud users.

Facility Security: Concerned with the security controls applied at the cloud computing facility that
assure a safe and secure operational environment for the physical components of a cloud infrastructure.

Servers: Concerned with the software images that are installed on the physical servers and the controls
applied to assure secure builds of those software images and how those images are managed.

Storage Services: Concerned with the provisioning, migration, and sanitization of physical storage in the
infrastructure..

Network Services: Concerned with managing the security risks posed by the network environment.
Controls at this level include proper network segmentation (for example, assets used by organization A
are not visible to organization B) and provision of basic network services, such as an accurate and
traceable time standard.

Availability Services: Concerned with assuring the availability of infrastructure components to match
the service level objectives.

Patch Management: Concerned with assuring that required software fixes are applied in a controlled
and timely fashion within the infrastructure. This includes both inventorying the services (operating
systems, applications, embedded software, etc.) actually present in the infrastructure to identify the
applicability of a particular fix, and monitoring the infrastructure to assure that required fixes are
actually present and installed.

Equipment Maintenance: Concerned with assuring that physical infrastructure devices are appropriately
maintained to assure their continuous operations.

Virtual Infrastructure Services

The Virtual Infrastructure inherits some of the same services as are present in the physical
Infrastructure. For example, software images must be securely built and managed for the virtual servers
that are hosted on the virtualization platform provided on the physical server. However, there are also
unique requirements for the virtualized infrastructure itself.

Desktop “Client” Virtualization: Concerned with how virtual instances of the traditional desktop are
created, presented, and managed.

Storage Virtualization: Concerned with how virtualized storage is created, allocated, and managed. This
includes both “block-based” storage such as a SAN (Storage Area Network) and “file-based”
virtualization such as NAS (Network Attached Storage) whether provided by a file server or appliance.

Server Virtualization: Concerned with creating, accessing, and managing a virtual server. Controls at this
level assure that a server is configured correctly and includes the proper software image and hypervisor.

Network Virtualization: Concerned with providing appropriate virtual network services. Controls at this
level assure that the virtual network implements proper isolation (see “segmentation” above), required
connectivity, and proper access controls.

Security and Risk Management

Protecting data and managing risk

Security and Risk Management is the passwords, firewalls, and encryption that protect computer
systems and data. It is the processes that define policies and audit systems against those policies. It uses
ethical hackers and tools to test for weak spots in the systems. These services are what most people
think of when they think of cyber security.

DESCRIPTION
The Security and Risk Management domain provides the core components of an organization’s
Information Security Program to safeguard assets and detect, assess, and monitor risks inherent in
operating activities. Capabilities include Identity and Access Management, GRC (Governance, Risk
Management, and Compliance), Policies and Standards, Threat and Vulnerability Management, and
Infrastructure and Data Protection.

SERVICES PROVIDED

Governance Risk and Compliance: GRC encompasses, integrates, and aligns activities such as corporate
governance, enterprise risk management, and corporate compliance with applicable laws and
regulations. Components include compliance management (which assures compliance with all internal
information security policies and standards), vendor management (to ensure that service providers and
outsourcers adhere to intended and contractual information security policies applying concepts of
ownership and custody), audit management (to highlight areas for improvement), IT risk management
(to ensure that risk of all types are identified, understood, communicated, and either accepted,
remediated, transferred, or avoided), policy management (to maintain an organizational structure and
process that supports the creation, implementation, exception handling and management of policy that
represent business requirements), and technical awareness and training (to increase the ability to select
and implement effective technical security mechanisms, products, process and tools).

Information Security Management: The main objective of Information Security Management is to

implement the appropriate measurements in order to minimize or eliminate the impact that security-
related threats and vulnerabilities might have on an organization.

Privilege Management Infrastructure: Privilege Management Infrastructure ensures users have access
and privileges required to execute their duties and responsibilities with Identity and Access
Management (IAM) functions such as identity management, authentication services, authorization
services, and privilege usage management.

Threat and Vulnerability Management: This discipline deals with core security, such as vulnerability
management, threat management, compliance testing, and penetration testing. Vulnerability
management is a complex endeavor in which enterprises track their assets, monitor and scan for known
vulnerabilities, and take action by patching the software, changing configurations, or deploying other
controls in an attempt to reduce the attack surface at the resource layer. Threat modeling and security
testing are also part of activities in order to identify the vulnerabilities effectively.

Infrastructure Protection Services: Infrastructure Protection Services secure Server, End-Point, Network
and Application layers. This discipline uses a traditional defense in-depth approach to make sure
containers and pipes of data are healthy. The controls of Infrastructure Protection Services are usually
considered as preventive technical controls such as IDS/IPS, Firewall, Anti-Malware, White/Black Listing
and more. They are relatively cost-effective in defending against the majority of traditional or non-
advanced attacks.

Data Protection: In the information age, data is an asset. However, most data remains valuable only if it
is protected. Data protection needs to cover all data lifecycle stages, data types, and data states. Data
stages include create, store, access, roam, share, and retire. The controls of Data Protection are data
lifecycle management, data leakage prevention, intellectual property protection with digital rights
management, and cryptographic services such as key management and PKI/symmetric encryption.
Policies and Standards: Security policies are part of a logical abstraction of Enterprise Security
Architecture. Security Policies are statements that capture requirements specifying what type of security
and how much should be applied to protect the business. Policies typically state what should be done,
while avoiding reference to particular technical solutions. Security Standards are an abstraction at the
component level and are needed to ensure that the many different components can be integrated into
systems.
Chapter-2

 Governance includes the policy, process, and internal controls that comprise how an
organization is run. Everything from the structures and policies to the leadership and other
mechanisms for management.

 Enterprise risk management includes managing overall risk for the organization, aligned to the
organization’s governance and risk tolerance. Enterprise risk management includes all areas of
risk, not merely those concerned with technology.

 Information risk management covers managing the risk to information, including information
technology. Organizations face all sorts of risks, from financial to physical, and information is
only one of multiple assets an organization needs to manage.

 Information security is the tools and practices to manage risk to information. Information
security isn’t the be-all and end-all of managing information risks; policies, contracts,
insurance, and other mechanisms also play a role (including physical security for non-digital
information). However, a—if not the—primary role of information security is to provide the
processes and controls to protect electronic information and the systems we use to access it.

In a simplified hierarchy, information security is a tool of information risk management, which I

a tool of enterprise risk management, which is a tool of governance. The four are all closely
related but require individual focus, processes, and tools.
Governance
 Cloud computing affects governance, since it either introduces a third party into the process (in
the case of public cloud or hosted private cloud) or potentially alters internal governance
structures in the case of self-hosted private cloud. The primary issue to remember when
governing cloud computing is that an organization can never outsource responsibility for
governance,
 Cloud computing changes the responsibilities and mechanisms for implementing and managing
governance.
 Responsibilities and mechanisms for governance are defined in the contract, as with any
business relationship.
 If the area of concern isn’t in the contract, there are no mechanisms available to enforce, and
there is a governance gap.
 Governance gaps don’t necessarily exclude using the provider, but they do require the customer
to adjust their own processes to close the gaps or accept the associated risks.

Tools of Cloud Governance

 Contract
 Contracts define the relationship between providers and customers, and they are the
primary tool for customers to extend governance to their suppliers
 The contract is your only guarantee of any level of service or commitment
 If the provider breaks the terms of the contract or doesn’t fulfill the terms of a service level
agreement, you’re looking at a legal dispute.

 Supplier Assessments

 Assessment is part of the due diligence a customer must perform in advance of using a cloud
provider.
 They combine contractual and manual research with third-party attestations
(legal statements often used to communicate the results of an assessment or
audit) and technical research
 The assessment should leverage all available information, ranging from contract reviews to
provider-supplied audit reports and reviews of technical documentation of the system.
 Assessments include financial viability, history, feature offerings, third-party attestations,
feedback from peers, and so on.

 Compliance Reporting

 These are documents related to internal (i.e. self) and external compliance assessments
done by Cloud Provider.
 These Audits are performed by provider himself or by trusted third party.
 Two simple words summarize this governance tool —standards and scope. When evaluating
and revieing these compliance reports, both Standard used and scope for which you are
hiring services should have been included.
  The Cloud Security Alliance ( Security Trust Assurance & Risk) STAR Registry is an assurance
program and documentation registry for cloud provider assessments based on the CSA
Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire.

 System and Organization Controls (SOC, pronounced “sock”). The SOC (formerly known as
Service Organization Control) by the American Institute of Certified Public Accountants
(AICPA) is used by the vast majority of service providers to report on controls at a service
organization. The SOC report is generated by an independent CPA and is available from the
provider via a nondisclosure agreement (NDA).

 Although multiple report types are available (SOC 1, SOC 2, SOC 3), these reports are based
on the AICPA Statements on Standards for Attestation Engagements 18 (SSAE 18)
(previously SSAE 16) standard. Here’s a breakdown of the three SOC levels:

 SOC 1: This SOC report is used for Internal Control over Financial Reporting (ICFR) and is
used for entities that audit financial statements.
 SOC 2: This SOC report is titled “Report on Controls at a Service Organization Relevant to
Security, Availability, Processing Integrity, Confidentiality, or Privacy.”
 SOC 3 This publicly available high-level SOC report contains a statement from an
independent CPA that a SOC engagement was performed, plus the high-level result of the
assessment (for example, it could indicate that the vendor statement of security controls in
place is accurate).
 AICPA thought it would be a great idea to have different types of report levels as well:
o Type 1 A point-in-time look at the design of the controls
o Type 2 An inspection of the operating effectiveness of the controls
 The bottom line here is that as a security professional, you want to get access to a provider’s
SOC 2, Type 2, report. It will offer great detail into the security controls in place, tests
performed, and test results.

Enterprise Risk Management

 Enterprise Risk Management (ERM) is the overall management of risk for an organization.
 Enterprise Risk Management is depending on both contracts and documentation
 the contract defines the roles and responsibilities for risk management between a cloud
provider and a cloud customer.
 A review of the provider’s documentation, assessments, and audits will provide much more
information to help with an effective risk decision.
 You can never outsource your overall responsibility and accountability for risk management to
an external provider
 Risk tolerance is the amount of risk that the leadership and stakeholders of an organization are
willing to accept.
 Standards
o ISO 31000:2009
o ISO 31010:2009
o NIST 800:37

Software as a Service
  SaaS is essentially renting access to a turnkey application that is supplied by the provider.
 This Service Model requires maximum need of a proper negotiated contract as ownership pf
governance from infra to application layer lies with cloud provider.
 It is also critical as cloud provider might also be outsourcing PAAS and IAAS to other cloud
providers
 Major responsibility is with SAAS provider, however accountability is still with Customer
 Contract created here will protect the ability to govern or validate risk as it relates to data
stored, processed, and transmitted with and in the application.

Platform as a Service
 Here the Governance and Risk Management responsibility is with Both Customer and Provider.
 Ownership of provider is to provider secure shared platform with acceptable risk.
 Customer ownership is to ensure the application deployed and platform are secure by
implementing tools and solutions to bring the risk to acceptable level.
 In this scenario, information risk management and information security are focused primarily on
the platform being procured and, of course, the application itself.
 Given that PaaS is breaking up the IT stack in novel ways, it is important that you review in detail
how the contract provisions map to required controls and control opportunities.
 The likelihood of a fully negotiated contract is lower with PaaS than with either of the other
service models. That’s because the core driver for most PaaS providers is to deliver a single
capability with very high efficiency.

Infrastructure as a Service

 IaaS service model is the closest to a traditional data center. And that why governance and
risk management activities that organizations have already built and utilize are
directly transferable.
 Customer having the most responsibility to configure controls, be they supplied by the provider
(such as logging) or implemented by the customer (such as host-based firewalls in an instance).
 The issue with governance and risk management lies in the orchestration and management
layers supplied by the provider.
 As most IaaS is built on virtualization technology, the provider’s selection and configuration of
the hypervisor and its subsequent ability to isolate workloads properly is completely out of your
control.
 The only thing you can do about addressing potential isolation failure is to understand how the
provider mitigates against this possibility and make an informed decision in advance of using
that provider.
 As you will likely have no access to audit these controls yourself, this becomes a document
review exercise, assuming the provider is transparent with their processes.
Public Cloud
 In Public Cloud, provider is responsible for the management and governance of their
infrastructure, employees, and everything else. Cloud customers have a reduced
ability to govern the assets and operations.

 The Contracts are fixed and inflexible. The customers also often have reduced ability
to negotiate contracts, which impacts how they extend their governance model into
the cloud.

 you will have to assess the controls implemented by the provider, perform a gap
assessment, and fill in the gaps yourself. Or you will have to accept the risk.

 Inflexible contracts are a natural property of multitenancy: Providers can’t

necessarily adjust contracts and operations for each customer as everything runs on
one set of resources, using one set of processes.

Private Cloud

 Governance in a private cloud boils down to one very simple question: which party
owns and manages the private cloud?

 You could call a provider and have them spin up and manage a private cloud for you,
or you could have your people install the private cloud automation and orchestration
software to turn your data center into a “private cloud.” In the event that your
company owns and operates the private cloud, nothing changes.

 If, on the other hand, you have outsourced the build and management of your private
cloud, you have a hosted private cloud, and you have to treat the relationship as you
would any other third-party or outsources relationship. Here you are dealing with a
one-to-one type of relationship.

 Terms of the relationship and contract with outsourced provider needs to be finalized
in advance. These are fully customized. Only the services, standard, process and
governance details defined in the contract will be provided. If you request something
and the provider is not obligated to supply that service, you will likely face the
dreaded “change order” charges as you would with any other supplier today.

 If you are asked a question about governance in a private cloud, pay attention to who
owns and manages the infrastructure. An outsourced private cloud can incur much
more change than insourced.

Hybrid Cloud
 Governance of Hybrid Cloud = Governance Program of Cloud Provider + Internal
Governance Program of Datacenter/private cloud

Community Cloud :
 Governance of Hybrid Cloud = Governance relationship between organization part of
community + Governance relationship with the Cloud provider
 For community clouds specifically, governance extends to the relationships with
those organizations that are part of the community that shares the cloud, not just the
provider and the customer.
 This includes community membership relations and financial relationships, as well as
how to respond when a member leaves the community.
Chapter-4- Compliance and Audit

Following points and Issues should be considered by Provider, Auditor and Cloud customer
when engaging for Cloud services

 Using a specific cloud provider will have Regulatory Implication and Jurisdictional Issues which
needs to be understood when selecting a cloud provider

 Compliance is Shared responsibility of Customer and provider + provider’s provider. Assignment

of compliance responsibilities between the provider and customer, including indirect providers
(i.e., the cloud provider of your cloud provider).

 This includes the concept of compliance inheritance where a provider may have parts of their
service certified as compliant which removes this from the audit scope of the customer, but the
customer is still responsible for the compliance of everything they build on top of the provider.
Consider PCI, for example. The IaaS provider you use to host a credit card processing system
may be Payment Card Industry (PCI) Level 1 certified, but your application must meet all other
PCI requirements as well.

 To meet the compliance customer will require documents from Provider. But this needs to
evaluated based on Provider’s capabilities for demonstrating compliance, including document
generation, evidence production, and process compliance, in a timely manner.

 Scope relevance Are the features and services of a cloud provider within the scope of your
previously performed audits and assessments?

 Providers Clear understanding of which services are part of which audit and assessments

 Compliance management How does the provider manage compliance and audits—not just now,
but over time as well?

 Provider & Auditors experience Does the provider have experience working with regulatory
bodies? Does the Regulators and auditors have understanding of Cloud environments?

Compliance

 Compliance generally means conformance and adherence to regulations, laws, policies,

standards, best practices, and contracts.

 A compliance framework is the set of policies, procedures, processes, and technologies

implemented by an organization to identify and adhere to applicable requirements based on
laws, regulations, and standards.
  Compliance also involves an assessment of the costs of noncompliance and can act to prioritize
and fund compliance initiatives.

 Governance defines corporate obligations (from laws and regulations, to protecting the interests
of stakeholders and shareholders, corporate ethics, and social responsibilities) that determine
how a company operates.

 Governance helps the company form and manage its risk tolerance.

 This Feeds to Risk Management which implements the required controls to address both
regulations and risk tolerance.

 Compliance then uses audits to ensure that appropriate controls are indeed in place.

How cloud change compliance

 As with security, compliance in the cloud is a shared responsibility model. Both the
cloud provider
and customer have responsibilities, but the customer is always ultimately
responsible for their own compliance. These responsibilities are defined through
contracts, audits/assessments, and specifics of the compliance requirements.

 Cloud provider performs the audit and attestation from certified auditors. In most
cases cloud customer doesn’t typically get to define the scope or perform the audit
themselves. They will instead need to rely on these reports and attestations to
determine if the service meets their compliance obligations.

 Many cloud providers are certified for various regulations and industry requirements,
such as PCI
DSS, SOC1, SOC2, HIPAA, best practices/frameworks like CSA CCM, and
global/regional regulations like the EU GDPR. These are sometimes referred to as
pass-through audits. A pass-through audit is a form of compliance inheritance.
Compliance Inheritance basically means, that a provider is compliant with the areas
for which they are responsible via vendor-supplied audit results or certifications, and
then you ensure that your systems running in the cloud environment are also
compliant.

 Key points of Pass through and compliance inheritance

 They certify that the provider is compliant.

 It is still the responsibility of the customer to build compliant applications and
services on the cloud. This means the provider’s infrastructure/services are not
within scope of a customer’s audit/assessment. But everything the customer
builds themselves is still within scope.
 The customer is still ultimately responsible for maintaining the compliance of
what they build
and manage. For example, if an IaaS provider is PCI DSS-certified, the customer
can build their own PCI-compliant service on that platform and the provider’s
infrastructure and operations should be outside the customer’s assessment
 scope. However, the customer can just as easily run afoul of PCI and fail their
assessment if they don’t design their own application running in the cloud
properly.
 Not all features and services within a given cloud provider are necessarily
compliant and certified/audited with respect to all regulations and standards. It is
incumbent on the cloud provider to communicate certifications and attestations
clearly, and for customers to understand the scopes and limitations. It is also
customers responsibility to demand these compliance report from provider to
understand the scope and limitation.

Audit Management

 Audits and assessments are mechanisms to document compliance with internal or

external requirements (or identify deficiencies).

 Audit Report needs to include a compliance details, as well as a list of identified

issues, risks, and remediation recommendations

 All audits have variable scope and statement of applicability, which defines what is
evaluated (e.g., all systems with financial data) and to which controls (e.g., an
industry standard, custom scope, or both).

 An attestation is a legal statement from a third party, which can be used as their
statement of audit findings.

How Cloud Change Audit Management

 Audits are done isn primarily following ways

o Self audit and assessment done by the cloud provider using tools and
solutions
o Attestation is a alegal statement or declaration from third party that
something existis and which can be used as their statement of audit findings.
o Certification – This is official document from organization confirmation status
or level of achievement
o Arctifacts are logs, Activity reports, configuration details and changes collects
which can be used to full fill audit finding and compliance

 Customers working with cloud providers will have to rely more on third-party
attestations and certifications rather than audits they perform themselves

 For customers to have access to these attestation, they have to under a

nondisclosure agreement (NDA), which means customers will need to enter into a
basic legal agreement before gaining access to attestations for risk assessments or
other evaluative purposes.

 Cloud providers should understand that customers still need assurance that the
provider meets their contractual and regulatory obligations, and should thus provide
rigorous third-party attestations to prove they meet their obligations, especially when
the provider does not allow direct customer assessments. These should be based on
industry standards, with clearly defined scopes and the list of specific controls
 evaluated. Publishing certifications and attestations (to the degree legally allowed)
will greatly assist cloud customers in evaluating providers. The Cloud Security
Alliance STAR Registry offers a central repository for providers to publicly
release these documents.

 Providers should be clear about which services and features are covered in the
certifications and attestation and , and it is the responsibility of the customer to pay
attention and understand the implications on their use of the provider.

 Certain types of customer technical assessments and audits (such as a vulnerability

assessment)
may be limited in the provider’s terms of service, and may require permission. This is
often to help the provider distinguish between a legitimate assessment and an
attack.

 Attestations and certifications are point-in-time activities. An attestation is a

statement of an “over a period of time” assessment and may not be valid at any
future point. Providers must keep any published results current or they risk exposing
their customers to risks of non-compliance. Depending on contracts, this could even
lead to legal exposures to the provider. Customers are also responsible for ensuring
they rely on current results and track when their providers’ statuses change over
time.

 Both providers and customers have responsibilities for producing and managing their
respective artifacts. Customers are ultimately responsible for the artifacts to support
their own audits, and thus need to know what the provider offers, and create their
own artifacts to cover any gaps. For example, by building more robust logging into an
application since server logs on PaaS may not be available.
Chapter-1

EXAM TIP You’ll be seeing quite a few references to standards by NIST and other
organizations in this book. Don’t jump away from this book and start studying these
documents. The CCSK exam is about cloud security according to the CSA; it’s not about NIST
standards. The exam is open-book, so if you’re facing a question about a Special Publication
number (the number, not the content within), you can quickly look it up in the CSA Guidance
document. As for the content of the CSA Guidance document itself, this book covers
everything you need to know (and then some!) for your exam.

EXAM TIP Understand these layers of the logical model! These layers are key to
understanding cloud security responsibility shifts and passing your CCSK exam.

EXAM TIP Remember that the management plane is part of the metastructure.

EXAM TIP Here’s a reminder about the essential characteristics, and it’s a big one for your
exam. The five characteristics are from NIST (SP800-145).
ISO/IEC 17788 calls out multitenancy as an additional essential characteristic. NIST includes
multitenancy as part of resource pooling, and CSA states that clouds are multitenant by
nature. Just remember that all three organizations see the cloud as a multitenant
environment, but only ISO/IEC lists multitenancy separately.

EXAM TIP It’s important to remember that an IaaS system can be summarized as consisting
of facilities (physical data center), hardware (proprietary or standard), abstraction
(virtualization), and orchestration
(APIs).

EXAM TIP Don’t get lost in applistructure thoughts when you’re considering the cloud
bursting example! How your web application handles things like state transfer and other
application-level issues is out of scope for this discussion. For the exam, just recall the
example of having a load balancer that will send incoming traffic to a web server that can be
in your data center or a cloud-hosted system, depending on current load.

EXAM TIP The CCSK exam will likely test you on the shared responsibility between providers
and customers. Take note of the following high-level recommendations for providers and
customers: First, providers should properly design and implement controls. They should
clearly document internal security controls and customer security features so the cloud user
can make an informed decision. Second, customers should build a responsibilities matrix to
document who is implementing which controls and how. This should be done on a per-
workload basis. Selected controls should align with any necessary compliance standards.

EXAM TIP Don’t waste your time memorizing all of the controls checked by the CSA tools!
Download the most recent version of the CCM and the CAIQ, understand the format of each
document and its purpose, and have it open when you take your CCSK exam. Remember,
the exam is open-book.

EXAM TIP Remember that the CCM is an excellent starting point to build a cloud assessment
program based on your existing compliance requirements, but it will need to be tailored to
meet your needs.

EXAM TIP You should be aware of a couple of things about the whole STAR program. The
CAIQ entries are considered “self assessments.” Each self assessment is referred to as a
“Level 1” STAR entry.

EXAM TIP Remember that the STAR Registry contains CAIQ entries that are filled out by
vendors and uploaded to the Cloud Security Alliance without any third-party review or
assessment.

Chapter-2

EXAM TIP For the exam, remember that contracts define the relationship between providers
and customers, and they are the primary tool for customers to extend governance to their
suppliers.

EXAM TIP If you are asked a question about governance in a private cloud, pay attention to
who owns and manages the infrastructure. An outsourced private cloud can incur much
more change than insourced.

Chapter-3

EXAM TIP You don’t need to do a deep dive into the various EU standards, the differences
between them, and release dates for the CCSK exam. They’re highlighted in this introduction
because GDPR is a huge deal these days.

EXAM TIP Of the three models, you should get your head around the role of the
controller/custodian and remember that jurisdiction is very important to determine
applicable laws.

EXAM TIP The 2018 update to this law is not covered as part of the CSA Guidance and
therefore not likely to be part of the CCSK exam. However, from a real-life perspective, if
you operate outside of the Chinese market but want to do business in China, it is highly
advisable that you discuss both localization and governmental access to data stored in
China with your legal counsel.

EXAM TIP Remember that the NIS Directive applies to companies outside of the EU/EEA
whose services are available in the European Union and that an EU-based representative
must be established to ensure NIS Directive compliance.
EXAM TIP Remember that many states have laws and regulations that require organizations
to ensure that service providers provide adequate privacy protections and security
measures for personal data.

EXAM TIP Remember that the FTC has taken the charge from a federal perspective on
consumer privacy rights. State attorneys general deal with consumer privacy rights at a
state level.

EXAM TIP The concept of periodic monitoring, testing, and evaluation of your requirements
and the vendor relationship is applicable for basically every subject in the CSA Guidance.
You need to be aware of any changes— technical and legal!

Chapter-4

EXAM TIP Remember that audits are a key tool to prove or disprove compliance.

EXAM TIP Earning a CCSK is a great way for auditors to demonstrate their knowledge of
cloud services. Remember that customers should work with auditors who have knowledge of
the differences between traditional IT and the cloud.

EXAM TIP You won’t see any general questions in the CCSK exam on either compliance or
auditing basics, but do expect to see questions on cloud specific changes to compliance and
audits

Chapter-5

EXAM TIP The main goal of the data security lifecycle as far as the CCSK exam goes is not to
know every possible control to limit every possible action by any possible actor on every
possible data set (or the validity of doing so!). The goal for the exam is to understand that
you have basic functions that map
to phases of the data lifecycle. Based on the location of the data or the access device (that’s
the key for the exam!), you may have different data security lifecycles.

Chapter-6

EXAM TIP Seriously, implement least privileges. If you are asked about appropriate
permissions, the answer will always be related to the principle of least privilege.

Chapter-7

EXAM TIP For the exam, remember that using an immutable approach enables you to
perform the bulk of security tests on the images before they go into production.

EXAM TIP Here’s the good news for your CCSK exam—you won’t be asked about how this is
done at the applistructure layer. You will be asked only about the metastructure (or virtual
infrastructure) implementation.

Chapter-8
EXAM TIP For the exam, remember that compute virtualization abstracts the running of code
(including operating systems) from the underlying hardware.

EXAM TIP Remember that volatile memory contains all kinds of potentially sensitive
information (think unencrypted data, credentials, and so on) and must be protected from
unapproved access. Volatile memory must also have strong isolation implemented and
maintained by the provider.

EXAM TIP For image repository, I’m using the naming used in the CSA Guidance, but you
should know about two related concepts—image registries and image repositories. An image
registry is used to host and distribute images. An image repository is technically different,
because it is defined as a collection of related images. Long story short, this means that an
image registry can contain multiple repositories. You’ll often see these terms used
interchangeably. Your CCSK exam will use the term “image repository.”

Chapter-9

EXAM TIP For the exam, remember that the CCM states the control and the responsible
party, whereas the CAIQ provides questions you can ask in plain language.

Chapter-10

EXAM TIP You will likely be tested on your understanding that credentials and encryption in
an application are the primary differences between applications that run in a cloud versus
those that run a traditional
data center.

EXAM TIP Remember that immutable deployments and IaC can greatly improve security. You
will likely be tested on this.

EXAM TIP If you’re asked about the difference between software-defined security and event-
driven security, remember that software-defined security is a concept, whereas event-driven
security puts that concept into action.

Chapter-11

EXAM TIP Anything that you will be tested on as part of your CCSK exam regarding CASB has
been covered in this section, but there is much more to know about this technology, which is
covered in the backgrounder.

EXAM TIP Remember for your exam that encryption will often dramatically increase the
string of a text, while tokenization and data masking techniques can keep the same length
and format of data while rendering it unusable to anyone who may access it.

EXAM TIP These additional services and how they can be leveraged are provider-specific, so
you won’t be tested on them as part of your CCSK exam. The following technologies are in
the guidance, however, so you do need to understand them prior to attempting the exam.

Chapter-12

EXAM TIP Remember IAM terms for your exam.

EXAM TIP The identity service offered by the provider may be referred to as the “internal”
identity system on the exam.
Chapter-13

EXAM TIP Remember that you’re procuring security software that meets the essential
characteristics of the cloud, and you’ll be fine.

EXAM TIP Remember that a major benefit of SecaaS is the ability to enforce your policy
using someone else’s infrastructure.

EXAM TIP It’s important to remember that whether you are procuring a dedicated
“encryption as a service” provider or using customer-managed keys from an IaaS provider,
you are procuring a SecaaS.

EXAM TIP Remember that encryption breaks SaaS. This may help you answer multiple
questions in your CCSK exam.

Chapter-14

EXAM TIP Remember the three components listed here: data gets collected, stored, and
processed.

EXAM TIP For your CCSK exam, remember that all components and workloads required of
any technology must have secure AAA in place. This remains true when underlying cloud
services are consumed to deliver big data analytics for your organization. An example of a
cloud-based big data system could consist of processing nodes running in instances that
collect data in volume storage.

Chapter-15

EXAM TIP Keep in mind that malicious insiders aren’t limited to administrators. A similar risk
is posed by auditors, because they may have intimate knowledge of the inside architecture,
processes, and weaknesses of a provider.

EXAM TIP If you’re presented with any questions on OVF on the CCSK exam, remember that
portability is the most important element of OVF.

EXAM TIP You’ll be seeing quite a few references to standards by NIST and other
organizations in this book. Don’t jump away from this book and start studying these
documents. The CCSK exam is about cloud security according to the CSA; it’s not about NIST
standards. The exam is open-book,
so if you’re facing a question about a Special Publication number (the number, not the
content within), you can quickly look it up in the CSA Guidance document. As for the content
of the CSA Guidance document
itself, this book covers everything you need to know (and then some!) for your exam.