Scott Hogg - Gtri cloud security knowledge and certs

© 2016 Global Technology Resources, Inc. All Rights Reserved. Contents may contain confidential information and are not to be copied.
Cloud Security Knowledge and
Certifications
Presented by Scott Hogg, CTO GTRI
CCIE #5133, CISSP #4610, CCSP, CCSK, AWS CSA-Associate
Colorado CSA Fall Summit – 11/10/2016

© 2016 Global Technology Resources, Inc. All Rights Reserved. Contents may
contain confidential information and are not to be copied.
• Securing Cloud Services
– Cloud Security Standards and Guidelines
• Cloud Security Certifications
– Cloud Security Alliance (CSA) Certificate of Cloud
Security Knowledge (CCSK)
– (ISC)2 Certified Cloud Security Professional (CCSP)
Today’s Agenda

• Cloud Service Security Concerns/Threats
• Cloud Service Provider Security Certifications
Cloud Security Concepts

• A breach of the Cloud Service Provider’s infrastructure can lead to a
“Hyperjacking” even whereby many customer’s data is exposed
• Examples of CSP Data Breaches:
– Google failure March 2011 deletion of 150k Gmail info
– Code Spaces goes out of business in June 2014 after AWS hack
– Google Drive breach in July 2014 hyperlink vulnerability
– Apple iCloud exposure of celebrity photos, August 2014
– Dropbox security breach in October 2014, compromising 7M user
passwords held for Bitcoin (BTC) ransom
– Worcester Polytechnic Institute (WPI) claims cross-VM RSA key
recovery in AWS, October 2015
– Datadog password breach for their AWS customers in July 2016
Concern About CSP Security

• Cloud Security Alliance (CSA) provides advice for
securing cloud computing environments
• CSA is a US Federal 501(c)6 not-for-profit org, formed in
late 2008, now has over 48,000 members
• Mission = “promote the use of best practices for
providing security assurance within Cloud Computing,
and to provide education on the uses of Cloud
Computing to help secure all other forms of computing”
• https://cloudsecurityalliance.org/
Cloud Security Alliance (CSA)

• CSA stated that the top three cloud computing threats are Insecure
Interfaces and API's, Data Loss & Leakage, and Hardware Failure.
• CSA’s Top 7 Security Threats (March 2010)
– https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
• In February 2013, the CSA published their “The Notorious Nine” cloud
computing top threats
– https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notor
ious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
CSA – The Notorious Nine
1. Data Breaches
2. Data Loss
3. Account or Service Traffic
Hijacking
4. Insecure Interfaces and APIs
5. Denial of Service (DoS)
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Vulnerabilities

• CSA published their newest Top 12 cloud computing
threats at 2016 RSA conference
• Threat No. 1: Data breaches
• Threat No. 2: Compromised credentials and broken
authentication
• Threat No. 3: Hacked interfaces and APIs
• Threat No. 4: Exploited system vulnerabilities
• Threat No. 5: Account hijacking
• Threat No. 6: Malicious insiders
CSA Treacherous 12 (or the Dirty Dozen)

• Threat No. 7: The APT parasite
• Threat No. 8: Permanent data loss
• Threat No. 9: Inadequate diligence
• Threat No. 10: Cloud service abuses
• Threat No. 11: DoS attacks
• Threat No. 12: Shared technology, shared dangers
CSA Treacherous 12 (or the Dirty Dozen)

• Customer bears more responsibility with IaaS than SaaS
Cloud Security Responsibility – A Sliding Scale
IaaS PaaS SaaS
Security GRC
Data Security
App Security
Platform Security
Infrastructure Security
Physical Security

• Cloud Service Providers (CSPs) can obtain certifications
attesting their compliance with security standards.
– SOC 1/SSAE 16/ISAE 3402, SOC2, SOC3 American Institute of
Certified Public Accountants (AICPA) audit reports may be
requested from the provider.
– International Organization for Standardization (ISO) 27001
– Cloud Security Alliance (CSA) Security, Trust & Assurance Registry
(STAR)
– U.S. Health Insurance Portability and Accountability Act (HIPAA)
– Payment Card Industry (PCI) Data Security Standard (DSS) Level 1
service provider
– Motion Picture Association of America (MPAA)
Cloud Compliance Assurance

• American Institute of Certified Public Accountants (AICPA)
– Wants to make sure organizations are using reliable and secure
services that their business relies upon
– Compliance with Sarbanes Oxley's (SOX) requirement (section
404)
• Statement on Auditing Standards No. 70 (SAS 70)
• Statement on Standards for Attestation Engagements (SSAE)
16
– American standard that replaces SAS 70
– Similar to the International standard ISAE 3402
– Service Organization Controls (SOC) 1, 2, & 3
– http://ssae16.com/SSAE16_overview.html
AICPA SSAE16 SOC 1/2/3

• Service availability is a critical component of any cloud service
• CSPs operate within data centers that they may own and manage or
collocate their systems
• The Uptime Institute provides a “Tier Certification System” for assessing
critical data center infrastructure to promote increased availability
• Data Center Site Infrastructure Tier Standard: Topology
– Tier I: Basic Site Infrastructure
– Tier II: Redundant Site Infrastructure Capacity Components
– Tier III: Concurrently Maintainable Site Infrastructure
– Tier IV: Fault Tolerant Site Infrastructure
• Check the tier rating of your current data center or cloud provider
– https://uptimeinstitute.com/TierCertification/
– https://uptimeinstitute.com/TierCertification/certMaps.php
The Uptime Institute Tier Standard: Topology

• ISO/IEC 27001:2013
– Information Security Management System (ISMS)
• ISO/IEC 17788:2014
– Information technology -- Cloud computing --
Overview and vocabulary
• ISO/IEC 17789:2014
– Information technology -- Cloud computing --
Reference architecture
ISO/IEC Cloud Security Standards

• U.S. Federal organizations have specialized requirements for
secure cloud services.
• Civilian and DOD organizations may have to meet NIST 800-
37 and DoD Information Assurance Certification and
Accreditation Process (DIACAP) and Federal Information
Security Management Act (FISMA) compliance.
• Cloud providers may also be required to meet US
International Traffic in Arms Regulations (ITAR) compliance.
• Federal customers also need to have FIPS 140-2 security
systems running in the cloud.
• Federal Risk and Authorization Management Program
(FedRAMP) certified cloud providers are required.
U.S. Federal Cloud Security Requirements

• The OMB requires federal agencies to use FedRAMP (Federal Risk and Authorization
Management Program) accredited cloud services for FIPS 199 Low and Moderate
system categories (Based on FISMA and NIST 800-53 Rev3 standards)
– http://www.FedRAMP.gov
• FedRAMP established the Joint Authorization Board (JAB) to approve cloud services
and monitor the process
• The JAB defines the standards by which Third Party Assessment Organizations
(3PAOs) will assess the cloud providers
• Third Party Accreditation Organizations (3PAOs) include: Coalfire, Kratos SecureInfo,
Veris Group, among others
– https://www.fedramp.gov/marketplace/accredited-3paos/
• FedRAMP Provisional Authority To Operate (ATO) issued by the JAB (after review of
security assessment package) to the federal agency consuming the cloud services
• List of FedRAMP Compliant Systems
– https://www.fedramp.gov/marketplace/compliant-systems/
FedRAMP

• NIST Cloud Computing Public Security Working Group
• NIST SP 500-292
– NIST Cloud Computing Reference Architecture
• NIST SP 500-293
– US Government Cloud Computing Technology Roadmap Volume 1, 2 & 3
• NIST SP 500-299
– NIST Cloud Computing Security Reference Architecture
• NIST SP 800-144
– Guidelines on Security and Privacy in Public Cloud Computing
• NIST SP 800-145
– The NIST Definition of Cloud Computing
• NIST SP 800-146
– Cloud Computing Synopsis and Recommendations
NIST Guidelines on Cloud Security

• CSA’s CCM is a gigantic spreadsheet that lists over 130
prominent control specifications across 15 control domains
and relates each to pertinent cloud security standards and
best practices
• Mappings for FedRAMP Low/Moderate, ISO/IEC 27001, NIST
800-53, among others
• This is a valuable resource to help remind you of all the
controls to consider when operating in a cloud environment
• Cloud Controls Matrix (CCM) v3.0.1 (6-6-16 Update)
– https://cloudsecurityalliance.org/group/cloud-controls-matrix/
– https://cloudsecurityalliance.org/download/cloud-controls-matrix-
v3-0-1/
CSA Cloud Controls Matrix (CCM)

CSA Cloud Controls Matrix (CCM)

• Customers want to evaluate their CSPs against their
requirements and select the best provider
• Consider the CSPs position when they receive numerous
individual separate security questionnaires and assessments
from customers
• The CAIQ provides a standard template that answers most
customer queries for information
– 300-line spreadsheet that can help streamline CSP evaluation
– https://cloudsecurityalliance.org/download/consensus-
assessments-initiative-questionnaire-v3-0-1/
Consensus Assessments Initiative Questionnaire

Consensus Assessments Initiative Questionnaire

• The CSA created the STAR certification for CSPs
• The STAR certification rates the CSP based on their adherence
and adoption to cloud security best practices and controls
• CSA STAR is based on the CSA’s Cloud Controls Matrix (CCM)
and the Consensus Assessments Initiative Questionnaire
(CAIQ)
• CSA STAR program provides a complimentary registry for CSPs
– https://cloudsecurityalliance.org/star/#_registry
• There are 3 levels of assurance
CSA Security Trust & Assurance Registry (STAR)

• https://cloudsecurityalliance.org/star/
CSA Security Trust & Assurance Registry (STAR)

• CSA CCSK
• (ISC)2 CCSP
Cloud Security Certifications

• The CSA created a certification for individuals
• The CCSK validates that an individual has the
understanding and skills to help protect an organization
who is consuming cloud services
• The CCSK shows you the best practices and things to
consider when protecting cloud-based assets
• The CCSK domains provide a holistic cloud security
controls framework
– https://cloudsecurityalliance.org/education/ccsk/
Certificate of Cloud Security Knowledge

• CCSK Guidance V3 has 14 domains
CCSK Body of Knowledge Domains
1. Cloud Architecture
2. Governance and Enterprise
Risk
3. Legal and Electronic Discovery
4. Compliance and Audit
5. Information Lifecycle
Management
6. Portability and Interoperability
7. Traditional Security, BCM, D/R
8. Data Center Operations
9. Incident Response
10. Application Security
11. Encryption and Key
Management
12. Identity and Access
Management
13. Virtualization
14. Security-as-a-Service

• CCSK Training Classes are available (HP Education
Services)
– CCSK Foundation (2 days), CCSK Plus (3 days)
• CSA guidance version 3.0, Security Guidance for Critical
Areas of Focus in Cloud Computing, V3 (92% of test)
• European Network and Information Security Agency
(ENISA) whitepaper (8% of test)
– Cloud Computing: Benefits, Risks and Recommendations
for Information Security
• NIST documents (800-144, 800-145, 800-146, 500-292)
Preparing for the CCSK

• Read the v3 FAQ and the v3 Prep guide
– https://downloads.cloudsecurityalliance.org/ccsk/CCS
K_FAQ_v3.pdf
– https://cloudsecurityalliance.org/wp-
content/uploads/2013/02/CCSK-Prep-Guide-V3.pdf
• CCSK online open-book exam costs $345
– 60 questions, 90 minutes, >80% to pass, 2 attempts
• https://ccsk.cloudsecurityalliance.org/
Taking the CCSK Exam

• CCSK can be used for CPEs for other certs
• CSA drafted CSA Guidance version 4.0 (GitHub)
– https://github.com/cloudsecurityalliance/CSA-
Guidance
• CCSK version 4 (coming soon)
• CCSK Developer certification (in the works)
• CCSK Assurance certification (in the works)
What’s Next for the CCSK?

• CSA and ISC2 collaborated on developing a new
cloud certification that builds upon the CCSK
Certified Cloud Security Professional (CCSP) – (ISC)2

• The CCSP Common Body of Knowledge (CBK) consists of
the following six domains:
– 1 Architectural Concepts & Design Requirements
– 2 Cloud Data Security
– 3 Cloud Platform & Infrastructure Security
– 4 Cloud Application Security
– 5 Operations
– 6 Legal & Compliance
• ISO/IEC 17788 and NIST 800-145, 800-146, 500-299
• https://www.isc2.org/ccsp/default.aspx

• Live In-Person CBK Training Class, 5 days, $1995
• Live On-Line CBK Training Class, 5 days, $1395
• On-Demand On-Line CBK Training - $495 ($395 for CISSPs)
• The Official (ISC)2 Guide to the CCSP CBK, by Adam Gordon
– ISBN: 978-1-119-20749-8, 560 pages, November 2015
– http://www.wiley.com/WileyCDA/WileyTitle/productCd-
1119207495.html
– $80, Members get 50% off with code ISC50
• Free Flash Cards On-Line
• Pearson VUE Computer-Based Exam
– 4 hours, 125 questions (>700/1000) - $549

Cloud Security Summary

• Security has more to do with people and processes than
technology. Good security comes down to discipline.
• If you have good InfoSec hygiene in your on-premises IT
infrastructure, you can have good cloud security operations.
• Cloud services can be less secure, equally secure, or more
secure than your traditional on-premises data center.
• It is easier to be secure from the beginning rather than try to
add security in after systems are in production.
• Good design, implementation using best practices, proper
maintenance, and vigilance will make your cloud system
secure.
• We encourage you to achieve cloud security certification to
validate your understanding of the topic area.
Cloud Security – The Bottom Line

© 2016 Global Technology Resources, Inc. All Rights Reserved. Contents may contain confidential information and are not to be copied.
Thank You For Your Time!
Scott Hogg, CTO GTRI
303-949-4865 | SHogg@gtri.com | @ScottHogg

Scott Hogg - Gtri cloud security knowledge and certs

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Scott Hogg - Gtri cloud security knowledge and certs

Similar to Scott Hogg - Gtri cloud security knowledge and certs (20)

More from Trish McGinity, CCSK

More from Trish McGinity, CCSK (16)

Recently uploaded

Recently uploaded (20)

Scott Hogg - Gtri cloud security knowledge and certs

Editor's Notes