Join Malcolm Shore for an in-depth discussion in this video, Reference sites, part of Cybersecurity with Cloud Computing.
- There are two issues in today's information and communications technology which inspire passion in practitioners: Security and Cloud. Whether you love them or hate them, they're both here to stay. And it's becoming increasingly obvious that they need to coexist. Before we get into the details of Cloud, let's position key reference sites for cloud security. The Cloud Security Alliance, or CSA, has emerged as the leading organization for cloud guidance, is a recognized source of practitioner certification with its Certificate of Cloud Security Knowledge, or CCSK, and is a source of guidance on Security as a Service.
The CCSK is an examination for broad knowledge across a number of areas in cloud security which are considered to be critical to the successful adoption of Cloud. Version 3 of the CCSK guidance covers 14 domains, or areas of study. The first domain covers the architecture of cloud systems, providing a consistent terminology for Cloud: the essential characteristics of the three primary cloud service offerings, infrastructure, platform, and software, and the deployment options for private, public, and hybrid clouds.
The next five domains are Governance and Enterprise Risk, Legal and Electronic Discovery, Compliance and Audit, Information Lifecycle Management, and Portability and Interoperability. The following seven domains cover the operational areas of Traditional Security, Data Center Operations, Incident Response, Application Security, Encryption and Key Management, Identity and Access Management, and Virtualization. The final domain is Security as a Service, and this is a special domain which discusses the particular challenge of delivering security as a cloud service.
Together, these domains form the framework for this course. Let's now look at the website of the European Network and Information Security Agency, ENISA, which in 2009 published guidance on the risks associated with cloud. And this is included in the CCSK examination. The most current version of the document can be downloaded from the ENISA site by clicking the hyperlink here. The second useful document from ENISA is the Cloud Computing Information Assurance Framework, available for download by clicking the hyperlink here.
The information in this publication is arranged into ten areas of assurance: Personnel Security, Supply Chain Assurance, Operational Security, Identity and Access Management, Asset Management, Data and Services Portability, Business Continuity Management, Physical Security, Environmental Controls, and Legal Requirements. The Assurance Framework is presented as a series of questions to be answered by the service provider to verify the existence of a baseline of common controls, such as "Are credentials provisioned and deprovisioned simultaneously throughout the cloud system?" or "Are there any risks in deprovisioning them across multiple geographically distributed locations?"
The final reference site I'll visit is the National Institute of Standards and Technology Cloud Computing Collaboration Site. This site provides access to the working groups on cloud computing that NIST has established to encourage the private sector to collaborate on defining guidelines, metrics, and standards on cloud computing. We can see across the top and in the right-hand list the link to NIST's Working Group Home, Cloud Security. Let's click on that link and go there. This is the site of the Cloud Security Collaboration Group.
Details for joining the Working Group's mailing list, and dial-in details for participating in meetings, are available on this page. We can see from item four that one of the deliverables from this group is a Cloud Security Reference Architecture, and this has been published as NIST Special Publication 500-299. The Security Reference Architecture in SP 500-299, sometimes referred to as the NCCSRA, introduces the five roles relevant to Cloud: Consumer, Broker, Service Provider, Carrier, and Auditor.
It references the three key services, infrastructure, platform, and software, on top of the resource abstraction and physical resources. It addresses service management and, from the broker perspective, service intermediation, aggregation, and arbitration. The goal of this architecture is to identify the core set of security components that can be implemented in a cloud ecosystem, and where the responsibility lies for implementing them. Importantly, security and privacy are included as key provider functions.