Cloud Computing Security Knowledge (CCSK)

Course Syllabus

1: Architecture

• NIST Definitions
• Essential Characteristics
• Service Models
• Deployment Models
• Multi-Tenancy
• CSA Cloud Reference Model
• Jericho Cloud Cube Model
• Cloud Security Reference Model
• Cloud Service Brokers
• Service Level Agreements

2: Governance and Enterprise Risk Management

• Contractual Security Requirements
• Enterprise and Information Risk Management
• Third Party Management Recommendations
• Supply chain examination
• Use of Cost Savings for Cloud

3: Legal Issues: Contracts and Electronic Discovery

• Consideration of cloud-related issues in three dimensions
• eDiscovery considerations
• Jurisdictions and data locations
• Liability for activities of subcontractors
• Due diligence responsibility
• Federal Rules of Civil Procedure and electronically stored information
• Metadata
• Litigation hold

4: Compliance and Audit Management

• Definition of Compliance
• Right to audit
• Compliance impact on cloud contracts
• Audit scope and compliance scope
• Compliance analysis requirements
• Auditor requirements

5: Information Management and Data Security

• Six phases of the Data Security Lifecycle and their key elements
• Volume storage
• Object storage
• Logical vs physical locations of data
• Three valid options for protecting data
• Data Loss Prevention
• Detection Data Migration to the Cloud
• Encryption in IaaS, PaaS & SaaS
• Database Activity Monitoring and File Activity Monitoring
• Data Backup
• Data Dispersion
• Data Fragmentation

6: Interoperability and Portability

• Definitions of Portability and Interoperability
• Virtualization impacts on Portability and Interoperability
• SAML and WS-Security
• Size of Data Sets
• Lock-In considerations by IaaS, PaaS & SaaS delivery models
• Mitigating hardware compatibility issues

7: Traditional Security, Business Continuity, and Disaster Recovery

• Four D’s of perimeter security
• Cloud backup and disaster recovery services
• Customer due diligence related to BCM/DR
• Business Continuity Management/Disaster Recovery due diligence
• Restoration Plan
• Physical location of cloud provider

8: Data Center Operations

• Relation to Cloud Controls Matrix
• Queries run by data center operators
• Technical aspects of a Provider’s data center operations for customers
• Logging and report generation in multi-site clouds

9: Incident Response

• Factor allowing for more efficient and effective containment and recovery in a cloud
• Main data source for detection and analysis of an incident
• Investigating and containing an incident in an Infrastructure as a Service environment
• Reducing the occurrence of application level incidents
• How often should incident response testing occur
• Offline analysis of potential incidents

10: Application Security

• Identity, entitlement, and access management (IdEA)
• SDLC impact and implications
• Differences in S-P-I models
• Consideration when performing a remote vulnerability test of a cloud-based application
• Categories of security monitoring for applications
• Entitlement matrix

11: Encryption and Key Management

• Adequate encryption protection of data in the cloud
• Key management best practices, location of keys, keys per user
• Relationship to tokenization, masking, anonymization and cloud database controls

12: Identity, Entitlement, and Access Management

• Relationship between identities and attributes
• Identity Federation
• Relationship between Policy Decision Point (PDP) and Policy Enforcement Point (PEP)
• SAML and WS-Federation
• Provisioning and authoritative sources

13: Virtualization

• Security concerns for hypervisor architecture
• VM guest hardening, blind spots, VM Sprawl, data comingling, instant-on gaps
• In-Motion VM characteristics that can create a serious complexity for audits
• How can virtual machine communications bypass network security controls
• VM attack surfaces
• Compartmentalization of VMs

14: Security as a Service

• 10 categories
• Barriers to developing full confidence in security as a service (SECaaS)
• Deployment of Security as a Service in a regulated industry prior SLA
• Logging and reporting implications
• How can web security as a service be deployed
• What measures do Security as a Service providers take to earn the trust of their customers
• ENISA Cloud Computing: Benefits, Risks and Recommendations for Information Security
• Isolation failure
• Economic Denial of Service
• Licensing Risks
• VM hopping
• Five key legal issues common across all scenarios
• Top security risks in ENISA research
• OVF
• Underlying vulnerability in Loss of Governance
• User provisioning vulnerability
• Risk concerns of a cloud provider being acquired
• Security benefits of cloud
• Risks
• Data controller vs data processor definitions in Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring