AWS Certified Solutions Architect - Associate
Many organizations are moving to the cloud and they need to do so with their eyes wide open. Some organizations and IT administrators may fear the cloud, but we all use cloud services in some way. Our organizations want to take advantage of the financial and operational benefits of cloud computing without exposing our organizations to undue risk. This presentation covers the topic of cloud security in a down-to-earth and practical way and covers how you can become knowledgeable about cloud security and obtain certification.
This presentation will review the current industry standard guidelines for cloud security
Discuss risks of cloud services used insecurely
Review the important security controls when operating in a cloud environment
We will also review a few of the popular cloud security certifications, namely:
Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge (CCSK)
(ISC)2 Certified Cloud Security Professional (CCSP)
Breaking Down Cloud Security
Proactively build security into your cloud architecture or reactively assess the security of your cloud
Presentation Abstract:
Many organizations are moving to the cloud and they need to do so with their eyes wide open. Some organizations and IT administrators may fear the cloud, but we all use cloud services in some way. Our organizations want to take advantage of the financial and operational benefits of cloud computing, but not expose our organizations to undue risk. This presentation covers the topic of cloud security in a down-to-earth and practical way and provides realistic security measures you can put in practice right away.
This presentation will review the current industry standard guidelines for cloud security
We will also review several popular Cloud Service Provider (CSP) security models and security controls.
No cloud security presentation would be complete without a brief introduction to software container security concepts.
This presentation will review several examples of cloud security controls that provide virtual firewalling, server/service security, and encryption.
We will also review a few of the popular cloud security certifications, namely:
Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge (CCSK)
(ISC)2 Certified Cloud Security Professional (CCSP)
Learner Objectives:
After this session, the attendee will understand the common models for cloud security and the typical security domains and protection measures. The attendee will understand common security controls in public cloud providers and point-solutions to help secure access, data, and services. The attendee will be inspired to pursue one of the popular cloud security certifications to further build their cloud security capabilities.
Tech Bio:
Scott Hogg, CCIE #5133, CISSP #4610, is the CTO for Global Technology Resources, Inc. (GTRI). Scott helps organizations leverage cloud services securely and possesses the CCSK and CCSP cloud security certifications. Scott also actively works on SDN security and network programmability and has formed the Denver Network Programmability User Group (NPUG) chapter. Scott is a founding member of the Rocky Mountain IPv6 Task Force (RMv6TF), and a member of the Infoblox IPv6 Center of Excellence (COE). Scott has authored the Cisco Press book on IPv6 Security and writes for NetworkWorld.com.
CSP Security Breaches
Google Drive, Dropbox, Box and iCloud Reach the Top 5 Cloud Storage Security Breaches List
https://psg.hitachi-solutions.com/credeon/blog/google-drive-dropbox-box-and-icloud-reach-the-top-5-cloud-storage-security-breaches-list
Dropbox
http://www.cnet.com/news/hackers-hold-7-million-dropbox-passwords-ransom/
http://www.networkworld.com/article/3114724/the-dropbox-data-breach-is-a-warning-to-update-passwords.html
iCloud
http://www.buzzfeed.com/rachelzarrell/jennifer-lawrence-ariana-grande-picture-leak#.am7DvxzM0
http://www.bankinfosecurity.com/crypto-keys-stolen-from-amazon-cloud-a-8581/op-1
Code Spaces
Offered developers source code repositories and project management services using Git or Subversion
http://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html
http://www.information-age.com/technology/cloud-and-virtualisation/123458406/catastrophe-cloud-what-aws-hacks-mean-cloud-providers
Researchers steal secret RSA encryption keys in Amazon’s cloud
http://www.networkworld.com/article/2989757/cloud-security/researchers-steal-secret-rsa-encryption-keys-in-amazon-s-cloud.html
https://eprint.iacr.org/2015/898.pdf
Mexican voter info on AWS
https://www.databreaches.net/personal-info-of-93-4-million-mexicans-exposed-on-amazon/
Datadog breach
http://www.geekwire.com/2016/datadog-amazon-web-services-customers-hit-security-breach/
Rhino Security Labs
https://rhinosecuritylabs.com/2016/02/aws-security-vulnerabilities-and-the-attackers-perspective/
9 data security tips for cloud migration
http://www.computerworld.com/article/3106908/cloud-security/9-data-security-tips-for-cloud-migration.html
Anthem 2015 breach – cloud service was used for exfiltration of data
Mid 2015 IRS breach – vulnerable APIs – exposing 300,000 records
https://en.wikipedia.org/wiki/Cloud_Security_Alliance
https://cloudsecurityalliance.org/
Cloud Security Alliance (CSA) is a non-profit group that aims to educate and promote the use of best practices for providing security assurance within Cloud Computing.
They freely publish their Security Guidance for Critical Areas of Focus in Cloud Computing v3.0.
Cloud Security Alliance’s Trusted Cloud Initiative (TCI) – Reference Architecture
https://research.cloudsecurityalliance.org/tci/
https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
Got big data? The Cloud Security Alliance offers up 100 best practices
http://www.computerworld.com/article/3113127/security/got-big-data-the-cloud-security-alliance-offers-up-100-best-practices.html
Abuse and Nefarious Use of Cloud Computing
Insecure Interfaces and APIs (Application Programming Interfaces)
Malicious Insiders
Shared Technology Issues
Data Loss or Leakage
Account or Service Hijacking
Unknown Risk Profile
https://en.wikipedia.org/wiki/Cloud_computing#Security_and_privacy
https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
International Journal of Advanced Research in Engineering and Applied Sciences
SECURITY ANALYSIS OF CLOUD COMPUTING, By Anju Chhibber*, Dr. Sunil Batra**
http://garph.co.uk/IJAREAS/Mar2013/6.pdf
-- only lists 6 of the 7???
Gartner: Seven cloud-computing security risks
http://www.infoworld.com/article/2652198/security/gartner--seven-cloud-computing-security-risks.html
June 2008 report titled "Assessing the Security Risks of Cloud Computing."
Privileged user access
Regulatory compliance
Data location
Data segregation
Recovery
Investigative support
Long-term viability
https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
The top 12 cloud security threats
http://www.networkworld.com/article/3042610/security/the-dirty-dozen-12-cloud-security-threats.html
https://cloudsecurityalliance.org/group/top-threats/
Page 242 – CCSP class guide
Is your organization mandated to meet specific compliance requirements?
Look on their web site first
https://en.wikipedia.org/wiki/SAS70
Replaced by
https://en.wikipedia.org/wiki/SSAE_16
http://ssae16.com/SSAE16_overview.html
http://www.datacenterknowledge.com/archives/2011/09/27/why-data-centers-need-ssae-16/
http://www.aicpa.org/research/standards/auditattest/downloadabledocuments/at-00801.pdf
http://www.ifac.org/system/files/downloads/b014-2010-iaasb-handbook-isae-3402.pdf
ISO/IEC 15408-1:2009 – Common Criteria (CC)
http://www.iso.org/iso/catalogue_detail.htm?csnumber=50341
ISO/IEC 17788:2014 – Cloud Overview and vocabulary
Information technology -- Cloud computing -- Overview and vocabulary
http://www.iso.org/iso/catalogue_detail?csnumber=60544
ISO/IEC 17789:2014 – Cloud Reference Architecture
Information technology -- Cloud computing -- Reference architecture
http://www.iso.org/iso/catalogue_detail?csnumber=60545
ISO/IEC 27000:2014
Information technology – Security techniques – Information security management systems – Overview and vocabulary.
ISO/IEC 27001:2013 – ISMS – Information security management systems – Requirements
Information technology — Security techniques — Information security management systems — Requirements
http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en
ISO/IEC 27018:2014 – PII Data
Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498
PII data in cloud
ISO/IEC 27034-1:2011 – Application Security – Overview and concepts
Information technology -- Security techniques -- Application security -- Part 1: Overview and concepts
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44378
ISO/IEC 27037:2012 – Guidelines for identification, collection, acquisition and preservation of digital evidence
Information technology -- Security techniques -- Guidelines for identification, collection, acquisition and preservation of digital evidence
http://www.iso.org/iso/catalogue_detail?csnumber=44381
ISO/IEC 27041:2015 - Guidance on assuring suitability and adequacy of incident investigative method
Information technology -- Security techniques -- Guidance on assuring suitability and adequacy of incident investigative method
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44405
ISO/IEC 27042:2015 - Guidelines for the analysis and interpretation of digital evidence
Information technology -- Security techniques -- Guidelines for the analysis and interpretation of digital evidence
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44406
ISO/IEC 27043:2015 - Incident investigation principles and processes
Information technology -- Security techniques -- Incident investigation principles and processes
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44407
ISO/IEC DIS 27050-1 - Electronic discovery -- Part 1: Overview and concepts
Information technology -- Security techniques -- Electronic discovery -- Part 1: Overview and concepts
http://www.iso.org/iso/catalogue_detail.htm?csnumber=63081
http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Reference_Architecture_2013.05.15_v1.0.pdf
https://www.fedramp.gov/
AWS, Microsoft cloud win US government security approval
http://www.networkworld.com/article/3088124/aws-microsoft-cloud-win-us-government-security-approval.html
AWS GovCloud, Microsoft's Azure GovCloud, and CSRA's ARC-P IaaS have received provisional authority to offer services under the high baseline of the government's Federal Risk and Authorization Management Program (FedRAMP), a set of security standards for cloud services.
AWS and Azure clouds gain security OK from feds
http://www.computerworld.com/article/3088130/security/aws-and-azure-clouds-gain-security-ok-from-feds.html
FedRAMP: A challenging path to operational excellence for cloud providers
http://www.networkworld.com/article/3082212/compliance/fedramp-a-challenging-path-to-operational-excellence-for-cloud-providers.html
https://en.wikipedia.org/wiki/FedRAMP
http://www.FedRAMP.gov
http://cloud.cio.gov/fedramp
FedRAMP is a collaboration of the GSA, NIST, DHS, DOD, NSA, OMB, and the Federal CIO Council
https://www.fedramp.gov/marketplace/compliant-systems/
http://www.gsa.gov/portal/category/102375
FedRAMP Provisional ATO issued by the Joint Authorization Board (JAB)
Third-party, independent Assessor (3PAO)
https://www.fedramp.gov/participate/3paos/
https://www.coalfire.com/
AWS Compliance
http://aws.amazon.com/compliance/
http://aws.amazon.com/compliance/fedramp-faqs/
Federal Cloud Computing Strategy published in 2011, U.S. Chief Information Officer (CIO) Vivek Kundra
http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Reference_Architecture_2013.05.15_v1.0.pdf
NIST SP 500-291: Cloud Computing Standards Roadmap
NIST SP 500-292: NIST Cloud Computing Reference Architecture
NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume 1, High-Priority requirements to Further USG Agency Cloud Computing Adoption
NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume II, Useful Information for Cloud Adopters (Draft)
NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume III, Technical Considerations for USG Cloud Computing Deployment Decisions (Draft)
NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
NIST SP 800-145: The NIST Definition of Cloud Computing
NIST SP 800-146: Cloud Computing Synopsis and Recommendations (Draft)
Cloud-adapted Risk Management Framework (CRMF)
Consensus Assessments Initiative Questionnaire v3.0.1
Now color coded to match the CCM
https://cloudsecurityalliance.org/media/news/consensus-assessments-initiative-questionnaire-caiq-v-3-review/
https://cloudsecurityalliance.org/star/
LEVEL ONE: CSA STAR Self-Assessment
LEVEL TWO: CSA STAR Attestation
LEVEL TWO: CSA STAR Certification
LEVEL TWO: CSA C-STAR Assessment
LEVEL THREE: CSA STAR Continuous Monitoring
STARWatch
SaaS Software that helps automate the assessment/compliance process
https://cloudsecurityalliance.org/star/#_watch
CSA STARWatch is a Software as a Service (SaaS) application to help organizations manage compliance with CSA STAR (Security, Trust and Assurance Registry) requirements. STARWatch delivers the content of the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ) in a database format, enabling users to manage compliance of cloud services with the CSA best practices.
CSA Security Guidance for Critical Areas of Focus in Cloud Computing V3
https://cloudsecurityalliance.org/education/ccsk/
https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
CSA has a vendor independent certification that focuses on the subject of cloud security.
GTRI has several people who have achieved this cert.
GTRI can rely on these individuals when we talk to our customers about how to secure a cloud deployment.
Preparing to take the CCSK exam – Study materials
https://cloudsecurityalliance.org/education/training/
https://ccsk.cloudsecurityalliance.org/
https://cloudsecurityalliance.org/education/ccsk/
https://cloudsecurityalliance.org/wp-content/uploads/2013/02/CCSK-V3-FAQ.pdf
https://cloudsecurityalliance.org/wp-content/uploads/2013/02/CCSK-Prep-Guide-V3.pdf
Udemy
https://www.udemy.com/understand-the-ccsk-cloud-security-certification/
CCSK v4 was planned for early 2016
https://cloudsecurityalliance.org/education/ccsk/#_about
https://www.isc2.org/ccsp-for-ccsks/default.aspx
CCSK counts for 1 year of experience requirement for the CCSP
CCSKs get discount on instructor-led classroom or live-on-line training
CCSKs get special pricing for self-study tools for CCSK and OnDemand Training ($395)
https://www.isc2.org/ccsp/default.aspx
Head in The Clouds & Feet on The Ground: The CCSP Certification
https://itspmagazine.com/from-the-newsroom/head-in-the-clouds-feet-on-the-ground-the-ccsp-certification
Converge Your Teams for Greater SDN/NFV Benefits
https://communities.cisco.com/people/shogg@gtri.com/blog/2016/06/14/converge-your-teams-for-greater-sdnnfv-benefits