Scott Hogg - GTRI Cloud Security Knowledge and Certs

Page 1: Scott Hogg - Gtri cloud security knowledge and certs

© 2016 Global Technology Resources, Inc. All Rights Reserved. Contents may contain confidential information and are not to be copied.

Cloud Security Knowledge and Certifications

Presented by Scott Hogg, CTO GTRI
CCIE #5133, CISSP #4610, CCSP, CCSK, AWS CSA-Associate
Colorado CSA Fall Summit – 11/10/2016

Page 2: Scott Hogg - Gtri cloud security knowledge and certs


Today’s Agenda

• Securing Cloud Services
– Cloud Security Standards and Guidelines
• Cloud Security Certifications
– Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge (CCSK)
– (ISC)2 Certified Cloud Security Professional (CCSP)

Page 3: Scott Hogg - Gtri cloud security knowledge and certs


Cloud Security Concepts

• Cloud Service Security Concerns/Threats
• Cloud Service Provider Security Certifications

Page 4: Scott Hogg - Gtri cloud security knowledge and certs


Concern About CSP Security

• A breach of the Cloud Service Provider’s infrastructure can lead to a “hyperjacking” event (a compromise at the hypervisor layer) whereby many customers’ data is exposed at once
• Examples of CSP data breaches:
– Google failure, March 2011: deletion of mail data for roughly 150k Gmail accounts
– Code Spaces goes out of business in June 2014 after its AWS account is hacked
– Google Drive breach, July 2014: hyperlink vulnerability
– Apple iCloud exposure of celebrity photos, August 2014
– Dropbox security breach, October 2014: 7M user passwords claimed compromised and held for Bitcoin (BTC) ransom
– Worcester Polytechnic Institute (WPI) claims cross-VM RSA key recovery in AWS, October 2015
– Datadog password breach exposing credentials of their AWS customers, July 2016

Page 5: Scott Hogg - Gtri cloud security knowledge and certs


Page 6: Scott Hogg - Gtri cloud security knowledge and certs


Cloud Security Alliance (CSA)

• Cloud Security Alliance (CSA) provides advice for securing cloud computing environments
• CSA is a US Federal 501(c)(6) not-for-profit org, formed in late 2008, and now has over 48,000 members
• Mission = “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing”
• https://cloudsecurityalliance.org/

Page 7: Scott Hogg - Gtri cloud security knowledge and certs


CSA – The Notorious Nine

• CSA stated that the top three cloud computing threats are Insecure Interfaces and APIs, Data Loss & Leakage, and Hardware Failure.
• CSA’s Top 7 Security Threats (March 2010)
– https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
• In February 2013, the CSA published “The Notorious Nine”, its list of cloud computing top threats
– https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

1. Data Breaches
2. Data Loss
3. Account or Service Traffic Hijacking
4. Insecure Interfaces and APIs
5. Denial of Service (DoS)
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Vulnerabilities

Page 8: Scott Hogg - Gtri cloud security knowledge and certs


CSA Treacherous 12 (or the Dirty Dozen)

• CSA published their newest Top 12 cloud computing threats at the 2016 RSA conference
• Threat No. 1: Data breaches
• Threat No. 2: Compromised credentials and broken authentication
• Threat No. 3: Hacked interfaces and APIs
• Threat No. 4: Exploited system vulnerabilities
• Threat No. 5: Account hijacking
• Threat No. 6: Malicious insiders

Page 9: Scott Hogg - Gtri cloud security knowledge and certs


CSA Treacherous 12 (or the Dirty Dozen), continued

• Threat No. 7: The APT parasite
• Threat No. 8: Permanent data loss
• Threat No. 9: Inadequate diligence
• Threat No. 10: Cloud service abuses
• Threat No. 11: DoS attacks
• Threat No. 12: Shared technology, shared dangers

Page 10: Scott Hogg - Gtri cloud security knowledge and certs


Cloud Security Responsibility – A Sliding Scale

• Customer bears more responsibility with IaaS than SaaS

Figure (not reproduced in the transcript): a responsibility matrix with columns IaaS, PaaS, SaaS and rows Security GRC, Data Security, App Security, Platform Security, Infrastructure Security, Physical Security; each cell is shaded as Enterprise Responsibility, Shared Responsibility, or Provider Responsibility, with responsibility shifting toward the provider as you move from IaaS to SaaS and down the stack toward the physical layer.

Page 11: Scott Hogg - Gtri cloud security knowledge and certs


Cloud Compliance Assurance

• Cloud Service Providers (CSPs) can obtain certifications attesting their compliance with security standards:
– SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3: American Institute of Certified Public Accountants (AICPA) audit reports, which may be requested from the provider
– International Organization for Standardization (ISO) 27001
– Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR)
– U.S. Health Insurance Portability and Accountability Act (HIPAA)
– Payment Card Industry (PCI) Data Security Standard (DSS) Level 1 service provider
– Motion Picture Association of America (MPAA)

Page 12: Scott Hogg - Gtri cloud security knowledge and certs


AICPA SSAE16 SOC 1/2/3

• American Institute of Certified Public Accountants (AICPA)
– Wants to make sure organizations are using reliable and secure services that their business relies upon
– Compliance with the Sarbanes-Oxley (SOX) requirement (section 404)
• Statement on Auditing Standards No. 70 (SAS 70)
• Statement on Standards for Attestation Engagements (SSAE) 16
– American standard that replaced SAS 70
– Similar to the international standard ISAE 3402
– Service Organization Controls (SOC) 1, 2, & 3
– SOC 1 covers controls relevant to the customer’s financial reporting; SOC 2 covers security, availability, processing integrity, confidentiality and privacy; SOC 3 is only a public summary. When evaluating a CSP, ask for the SOC 2 Type II report, which tests controls over a period rather than at a point in time
– http://ssae16.com/SSAE16_overview.html

Page 13: Scott Hogg - Gtri cloud security knowledge and certs


The Uptime Institute Tier Standard: Topology

• Service availability is a critical component of any cloud service
• CSPs operate within data centers that they may own and manage, or in which they colocate their systems
• The Uptime Institute provides a “Tier Certification System” for assessing critical data center infrastructure to promote increased availability
• Data Center Site Infrastructure Tier Standard: Topology
– Tier I: Basic Site Infrastructure
– Tier II: Redundant Site Infrastructure Capacity Components
– Tier III: Concurrently Maintainable Site Infrastructure
– Tier IV: Fault Tolerant Site Infrastructure
• Check the tier rating of your current data center or cloud provider
– https://uptimeinstitute.com/TierCertification/
– https://uptimeinstitute.com/TierCertification/certMaps.php

Page 14: Scott Hogg - Gtri cloud security knowledge and certs


ISO/IEC Cloud Security Standards

• ISO/IEC 27001:2013
– Information Security Management System (ISMS)
• ISO/IEC 17788:2014
– Information technology -- Cloud computing -- Overview and vocabulary
• ISO/IEC 17789:2014
– Information technology -- Cloud computing -- Reference architecture

Page 15: Scott Hogg - Gtri cloud security knowledge and certs


U.S. Federal Cloud Security Requirements

• U.S. Federal organizations have specialized requirements for secure cloud services.
• Civilian and DoD organizations may have to meet NIST SP 800-37 (the Risk Management Framework), the DoD Information Assurance Certification and Accreditation Process (DIACAP, since superseded by the DoD RMF) and Federal Information Security Management Act (FISMA) compliance.
• Cloud providers may also be required to meet US International Traffic in Arms Regulations (ITAR) compliance.
• Federal customers also need FIPS 140-2 validated cryptographic modules in the systems they run in the cloud.
• Federal Risk and Authorization Management Program (FedRAMP) authorized cloud providers (commonly called “FedRAMP certified”) are required.

Page 16: Scott Hogg - Gtri cloud security knowledge and certs


FedRAMP

• The OMB requires federal agencies to use FedRAMP (Federal Risk and Authorization Management Program) authorized cloud services for FIPS 199 Low and Moderate system categories (based on FISMA and the NIST SP 800-53 control baselines; FedRAMP started on Rev 3 and moved to the Rev 4 baselines in 2014)
– http://www.FedRAMP.gov
• FedRAMP established the Joint Authorization Board (JAB) to approve cloud services and monitor the process
• The JAB defines the standards by which Third Party Assessment Organizations (3PAOs) assess the cloud providers
• Accredited 3PAOs include: Coalfire, Kratos SecureInfo, Veris Group, among others
– https://www.fedramp.gov/marketplace/accredited-3paos/
• A FedRAMP Provisional Authority To Operate (P-ATO) is issued by the JAB, after review of the security assessment package, for the cloud service; each federal agency consuming that service then issues its own ATO, leveraging the P-ATO rather than repeating the assessment
• List of FedRAMP Compliant Systems
– https://www.fedramp.gov/marketplace/compliant-systems/

Page 17: Scott Hogg - Gtri cloud security knowledge and certs


NIST Guidelines on Cloud Security

• NIST Cloud Computing Public Security Working Group
• NIST SP 500-292
– NIST Cloud Computing Reference Architecture
• NIST SP 500-293
– US Government Cloud Computing Technology Roadmap, Volumes 1, 2 & 3
• NIST SP 500-299
– NIST Cloud Computing Security Reference Architecture
• NIST SP 800-144
– Guidelines on Security and Privacy in Public Cloud Computing
• NIST SP 800-145
– The NIST Definition of Cloud Computing
• NIST SP 800-146
– Cloud Computing Synopsis and Recommendations

Page 18: Scott Hogg - Gtri cloud security knowledge and certs


Page 19: Scott Hogg - Gtri cloud security knowledge and certs


CSA Cloud Controls Matrix (CCM)

• CSA’s CCM is a large spreadsheet that lists 133 control specifications across 16 control domains and relates each to pertinent cloud security standards and best practices
• Mappings for FedRAMP Low/Moderate, ISO/IEC 27001, NIST 800-53, among others
• A valuable resource to remind you of all the controls to consider when operating in a cloud environment
• Cloud Controls Matrix (CCM) v3.0.1 (6-6-16 update)
– https://cloudsecurityalliance.org/group/cloud-controls-matrix/
– https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/

Page 20: Scott Hogg - Gtri cloud security knowledge and certs


CSA Cloud Controls Matrix (CCM)

Page 21: Scott Hogg - Gtri cloud security knowledge and certs


Consensus Assessments Initiative Questionnaire

• Customers want to evaluate their CSPs against their requirements and select the best provider
• Consider the CSP’s position when it receives numerous separate security questionnaires and assessments from customers
• The CAIQ provides a standard template that answers most customer queries for information
– A roughly 300-line spreadsheet of yes/no questions, each keyed to a CCM control ID, that can help streamline CSP evaluation
– https://cloudsecurityalliance.org/download/consensus-assessments-initiative-questionnaire-v3-0-1/
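Because the CAIQ questions are keyed to CCM control IDs, and the CCM in turn maps each control to NIST SP 800-53, ISO/IEC 27001 and FedRAMP, a customer can turn a CSP’s completed CAIQ into a gap report against its own required controls instead of reading 300 rows by hand. The following Python script is an added example illustrating both the CCM (Page 19) and the CAIQ (this slide); it is not CSA’s tooling and not part of the original deck. The column names and the rows in the two embedded CSV strings are constructed to mirror the shape of the real spreadsheets (domain, control ID, question ID, the Yes / No / Not Applicable answer columns, and the CCM’s framework-mapping columns) and are not copied from them; the domain titles are shortened.

```python
"""Gap analysis over CSA CCM / CAIQ-style spreadsheet exports.

Added illustration only: this is not CSA tooling and not from the deck.  The
CCM and CAIQ ship as spreadsheets; the column names and rows below are
CONSTRUCTED to mirror their shape (control domain, CCM control ID, CAIQ
question ID, the Yes / No / Not Applicable answer columns, and the CCM's
mapping columns to other frameworks) and are not copied from the real files.
"""
import csv
import io
from collections import defaultdict

# Constructed CCM-style export: one row per control, with the framework
# mappings the CCM carries (NIST SP 800-53 and ISO/IEC 27001 shown here).
# Domain names are shortened; the real CCM domain titles are longer.
CCM_CSV = """\
Control Domain,CID,Control Title,NIST SP 800-53,ISO/IEC 27001:2013
Encryption & Key Management,EKM-02,Key Generation,SC-12;SC-13,A.10.1.2
Encryption & Key Management,EKM-03,Sensitive Data Protection,SC-28;SC-8,A.10.1.1
Identity & Access Management,IAM-02,Credential Lifecycle,AC-2;IA-4,A.9.2.1
Identity & Access Management,IAM-12,User ID Credentials,IA-2;IA-5,A.9.4.2
Infrastructure & Virtualization Security,IVS-09,Segmentation,SC-7;AC-4,A.13.1.3
Security Incident Mgmt,SEF-02,Incident Management,IR-4;IR-8,A.16.1.1
"""

# Constructed CAIQ-style answers from a hypothetical CSP.  Each question ID
# hangs off a CCM control ID, which is what lets answers join back to the CCM.
CAIQ_CSV = """\
Question ID,CID,Consensus Assessment Question,Yes,No,Not Applicable,Notes
EKM-02.1,EKM-02,Do you have documented key management procedures?,X,,,
EKM-03.1,EKM-03,Do you encrypt tenant data at rest?,,X,,Roadmap 2017
IAM-12.1,IAM-12,Do you support MFA for tenant administrators?,X,,,
IAM-02.1,IAM-02,Are credentials de-provisioned on termination?,,,X,Customer managed
IVS-09.1,IVS-09,Are tenant environments logically segmented?,X,,,
SEF-02.1,SEF-02,Do you notify tenants of security incidents?,,X,,
"""

ANSWER_COLUMNS = (("Yes", "Yes"), ("No", "No"), ("N/A", "Not Applicable"))


def load_ccm(text):
    """Map CCM control ID -> domain and the framework control IDs it covers."""
    controls = {}
    for row in csv.DictReader(io.StringIO(text)):
        controls[row["CID"]] = {
            "domain": row["Control Domain"],
            "nist": [c for c in row["NIST SP 800-53"].split(";") if c],
            "iso": [c for c in row["ISO/IEC 27001:2013"].split(";") if c],
        }
    return controls


def load_caiq(text):
    """Return (question_id, cid, answer, notes) tuples; answer is Yes, No, N/A or ""."""
    answers = []
    for row in csv.DictReader(io.StringIO(text)):
        marked = [label for label, col in ANSWER_COLUMNS if row[col].strip()]
        # Zero or multiple marks on one question is a malformed response:
        # treat it as unanswered so it surfaces as a gap instead of a "Yes".
        answer = marked[0] if len(marked) == 1 else ""
        answers.append((row["Question ID"], row["CID"], answer, row["Notes"].strip()))
    return answers


def gap_report(ccm, caiq):
    """Per-domain fraction answered Yes, plus every non-Yes answer with the
    NIST SP 800-53 controls the CCM maps it to (what the gap leaves unattested)."""
    per_domain = defaultdict(lambda: {"yes": 0, "total": 0})
    gaps = []
    for qid, cid, answer, notes in caiq:
        ctrl = ccm.get(cid)
        if ctrl is None:
            # Never drop an answer silently; an unknown CID is itself a finding.
            gaps.append({"question": qid, "cid": cid, "answer": answer or "unanswered",
                         "nist": [], "notes": "unknown CCM control id"})
            continue
        tally = per_domain[ctrl["domain"]]
        tally["total"] += 1
        if answer == "Yes":
            tally["yes"] += 1
        else:
            gaps.append({"question": qid, "cid": cid, "answer": answer or "unanswered",
                         "nist": ctrl["nist"], "notes": notes})
    coverage = {d: round(t["yes"] / t["total"], 2) for d, t in per_domain.items()}
    return coverage, gaps


def affected_nist_controls(gaps):
    """Sorted, de-duplicated NIST SP 800-53 control IDs touched by the gaps."""
    return sorted({c for g in gaps for c in g["nist"]})


if __name__ == "__main__":
    ccm = load_ccm(CCM_CSV)
    coverage, gaps = gap_report(ccm, load_caiq(CAIQ_CSV))
    for domain, frac in sorted(coverage.items()):
        print(f"{domain:42s} {frac:4.0%} of questions answered Yes")
    for g in gaps:
        print(f"GAP {g['question']} [{g['answer']}] NIST {','.join(g['nist']) or '-'} {g['notes']}".rstrip())
    print("NIST 800-53 controls not attested:", ", ".join(affected_nist_controls(gaps)))
```

Two design points matter when doing this against a real CAIQ response. A “Not Applicable” answer is treated as a gap, not as a pass, because in practice it usually means the control is the customer’s responsibility under the shared responsibility model and still has to be covered somewhere. And a question with no mark, or with several, is deliberately counted as unanswered rather than guessed, since a questionnaire that silently defaults to Yes is worse than none.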

Page 22: Scott Hogg - Gtri cloud security knowledge and certs


Consensus Assessments Initiative Questionnaire

Page 23: Scott Hogg - Gtri cloud security knowledge and certs


CSA Security Trust & Assurance Registry (STAR)

• The CSA created the STAR certification for CSPs
• The STAR certification rates the CSP on its adherence to and adoption of cloud security best practices and controls
• CSA STAR is based on the CSA’s Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ)
• The CSA STAR program provides a complimentary registry for CSPs
– https://cloudsecurityalliance.org/star/#_registry
• There are 3 levels of assurance: Level 1 self-assessment (a published CAIQ), Level 2 third-party certification or attestation, and Level 3 continuous monitoring

Page 24: Scott Hogg - Gtri cloud security knowledge and certs


CSA Security Trust & Assurance Registry (STAR)

• https://cloudsecurityalliance.org/star/

Page 25: Scott Hogg - Gtri cloud security knowledge and certs


Page 26: Scott Hogg - Gtri cloud security knowledge and certs


Cloud Security Certifications

• CSA CCSK
• (ISC)2 CCSP

Page 27: Scott Hogg - Gtri cloud security knowledge and certs


Certificate of Cloud Security Knowledge

• The CSA created a certification for individuals
• The CCSK validates that an individual has the understanding and skills to help protect an organization that is consuming cloud services
• The CCSK shows you the best practices and things to consider when protecting cloud-based assets
• The CCSK domains provide a holistic cloud security controls framework
– https://cloudsecurityalliance.org/education/ccsk/

Page 28: Scott Hogg - Gtri cloud security knowledge and certs


CCSK Body of Knowledge Domains

• CCSK Guidance V3 has 14 domains

1. Cloud Architecture
2. Governance and Enterprise Risk
3. Legal and Electronic Discovery
4. Compliance and Audit
5. Information Lifecycle Management
6. Portability and Interoperability
7. Traditional Security, BCM, D/R
8. Data Center Operations
9. Incident Response
10. Application Security
11. Encryption and Key Management
12. Identity and Access Management
13. Virtualization
14. Security-as-a-Service

Page 29: Scott Hogg - Gtri cloud security knowledge and certs


Preparing for the CCSK

• CCSK training classes are available (HP Education Services)
– CCSK Foundation (2 days), CCSK Plus (3 days)
• CSA guidance version 3.0, Security Guidance for Critical Areas of Focus in Cloud Computing, V3 (92% of test)
• European Network and Information Security Agency (ENISA) whitepaper (8% of test)
– Cloud Computing: Benefits, Risks and Recommendations for Information Security
• NIST documents (800-144, 800-145, 800-146, 500-292)

Page 30: Scott Hogg - Gtri cloud security knowledge and certs


Taking the CCSK Exam

• Read the v3 FAQ and the v3 Prep guide
– https://downloads.cloudsecurityalliance.org/ccsk/CCSK_FAQ_v3.pdf
– https://cloudsecurityalliance.org/wp-content/uploads/2013/02/CCSK-Prep-Guide-V3.pdf
• CCSK online open-book exam costs $345
– 60 questions, 90 minutes, >80% to pass, 2 attempts
• https://ccsk.cloudsecurityalliance.org/

Page 31: Scott Hogg - Gtri cloud security knowledge and certs


What’s Next for the CCSK?

• CCSK can be used for CPEs for other certs
• CSA drafted CSA Guidance version 4.0 (GitHub)
– https://github.com/cloudsecurityalliance/CSA-Guidance
• CCSK version 4 (coming soon)
• CCSK Developer certification (in the works)
• CCSK Assurance certification (in the works)

Page 32: Scott Hogg - Gtri cloud security knowledge and certs


Certified Cloud Security Professional (CCSP) – (ISC)2

• CSA and (ISC)2 collaborated on developing a new cloud certification that builds upon the CCSK

Page 33: Scott Hogg - Gtri cloud security knowledge and certs


Certified Cloud Security Professional (CCSP) – (ISC)2

• The CCSP Common Body of Knowledge (CBK) consists of the following six domains:
– 1 Architectural Concepts & Design Requirements
– 2 Cloud Data Security
– 3 Cloud Platform & Infrastructure Security
– 4 Cloud Application Security
– 5 Operations
– 6 Legal & Compliance
• Source references: ISO/IEC 17788 and NIST 800-145, 800-146, 500-299
• https://www.isc2.org/ccsp/default.aspx

Page 34: Scott Hogg - Gtri cloud security knowledge and certs


Certified Cloud Security Professional (CCSP) – (ISC)2

• Live In-Person CBK Training Class, 5 days, $1995
• Live On-Line CBK Training Class, 5 days, $1395
• On-Demand On-Line CBK Training - $495 ($395 for CISSPs)
• The Official (ISC)2 Guide to the CCSP CBK, by Adam Gordon
– ISBN: 978-1-119-20749-8, 560 pages, November 2015
– http://www.wiley.com/WileyCDA/WileyTitle/productCd-1119207495.html
– $80, members get 50% off with code ISC50
• Free Flash Cards On-Line
• Pearson VUE Computer-Based Exam
– 4 hours, 125 questions (>700/1000) - $549

Page 35: Scott Hogg - Gtri cloud security knowledge and certs


Cloud Security Summary

Page 36: Scott Hogg - Gtri cloud security knowledge and certs


Cloud Security – The Bottom Line

• Security has more to do with people and processes than technology. Good security comes down to discipline.
• If you have good InfoSec hygiene in your on-premises IT infrastructure, you can have good cloud security operations.
• Cloud services can be less secure, equally secure, or more secure than your traditional on-premises data center.
• It is easier to be secure from the beginning than to try to add security after systems are in production.
• Good design, implementation using best practices, proper maintenance, and vigilance will make your cloud system secure.
• We encourage you to achieve cloud security certification to validate your understanding of the topic area.

Page 37: Scott Hogg - Gtri cloud security knowledge and certs


Thank You For Your Time!

Scott Hogg, CTO GTRI | 303-949-4865 | [email protected] | @ScottHogg