Eric D.

MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

I hope this helps out the discord! There are a lot of good notes here but this will not have everything but
more than any study I have seen. Good luck to all and please make changes to this and improve its look.

Objective of the cloud – Shift from CapEx to OpEx.

Risk – Threat coupled with a vulnerability or R * T. Sometimes Asset is part of this as R*T*A.

Data life cycle – Create, Store, Use, Share, Archive, Destroy. Read maps to all phases. Process for create
and use. Store for store and archive.

 Must consider Functions, Actors, and Location

Data is classified based on its value or sensitivity level. This is performed in the create phase of the data
lifecycle.

Application broken down by – Data, Functions, and processes

Standards:

27001 – ISMS policy

27002 – Controls and how ISO/IEC 27001 is accomplished.

27017 – Cloud Security

27018 – Privacy

27034 – Software/Application security

27042 - Guide for digital evidence analysis

27050 – Forensics

15408 – The basis for evaluation of security properties of IT products. Common Criteria

17789 – Cloud Computing Reference Architecture. User, Service, Access, and Resource layers.

28000 - SCRM

31000 – Risk management

800-123 - General server security

800-37 – Risk Management Framework

800-39 - Managing Information Security Risk.

800-40 - Patch Management

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

800-92 – Log capture and management

800-145 – Definition of cloud computing

800-146 - Describes cloud computing benefits and open issues, presents an overview of major classes of
cloud technology, and provides guidelines and recommendations.

800-161 - SCRM

ISO27001 – Standard ISO27002 – Framework ISO 27002:2013 – Provide guidelines ISO27017:2015 –

Guidelines for information and use of cloud services by providing additional implementation guidance
for relevant control specified in ISO/IEC 27002. Provides control and implementation guidance for both
CSP and Customer.

COBIT - Framework created by the ISACA for IT governance and management.

SABSA - A means of looking at security capabilities from a business perspective.

NERC/CIP – Used by electric utilities/critical infrastructure.

CWG- Cloud working group. End user advocate.

TCI (Trusted Cloud Initiative) – Made by CSA and helps CSPs with identity and compliance management.
The TCI Reference Architecture is both a methodology and a set of tools that enable security architects,
enterprise architects and risk management professionals to leverage a common set of solutions.

PDCA is (plan–do–check–act) and is also known as the Deming cycle. It is an iterative four-step
management method used in business for the control and continuous improvement of processes.

ENISA – Focused on cloud security. The European NIST basically.

Gartner defines IAM (Identity and access management) as “the security discipline that enables the right
individuals to access the right resources at the right times for the right reasons.”

Software as a Service (SaaS) - The applications are accessible from various client devices through a thin
client interface such as a Web browser (e.g., Web-based email). The consumer does not manage or
control the underlying cloud infrastructure including network, servers, operating systems, storage, or
even individual application capabilities, with the possible exception of limited user specific application
configuration settings. Application responsibility would be shared between the cloud customer and
cloud provider within Software as a Service.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Platform as a Service (PaaS) - The consumer does not manage or control the underlying cloud
infrastructure including network, servers, operating systems, or storage, but has control over the
deployed applications and possibly application hosting environment configurations.

Infrastructure as a Service (IaaS) - The consumer does not manage or control the underlying cloud
infrastructure but has control over operating systems, storage, deployed applications, and possibly
limited control of select networking components (e.g., host firewalls).

Use of insecure APIs can be reduced with proper vetting. All APIs must be vetted.

Safe Harbor: US Department of Commerce and EU Privacy Shield replaced Safe Harbor.

…..but There is another final method that American companies can use if they want to have EU citizen
PII and if they don’t want to subscribe to Privacy Shield. They can create internal policies called binding
corporate rules and standard contractual clauses that explicitly state full compliance with the GDPR. To
prove that it will be offering the “adequate level of protection” required, a company may use one of
several methods, such as executing Standard Contractual Clauses (SCC), signing up to the EUUS Privacy
Shield, obtaining certification of Binding Corporate Rules (BCRs).

The two layers of the OSI Model abstracted from the cloud model are Session and Presentation.

AICPA relates to SOC and is tied to SOX Act as well.

SOC - Service Organizational Control

SOC Type 1 – Point in time description and suitability of design of controls. PIT is 1 POT is 2 (Think
alphabetical order)

SOC Type 2 is over a period of time and suitability of design and operating effectiveness of the controls.
PIT is Type 1 POT is Type 2 (Think alphabetical order)

SOC 1 – Financial - These reports are restricted to the management of the service organization, user
entities, and auditors.
SOC 2 – Security, Availability, Processing Integrity, Confidentiality, and Privacy (Think of CSA and PP). It
would be most interesting to an IT pro.

SOC 3 – General Use and Public

SOC 3 - Kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider.

Auditing – Define audit objectives, then audit scope, conduct audit, and refine audit/lessons learned.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

SSAE16 replaced SAS70

Mapping – Data classification process that ensures that sensitive data in one environment is treated as
sensitive data in another. This is different than Labels. Labels attach a data classification to a resource.

GLBA - IS program is critical component. Tied to financial orgs and privacy of customer info.

SOX – Publicly traded companies GLBA – Financial Companies

FedRAMP - Dictates that American federal agencies must retain their data within the boundaries of the
United States, including data within cloud datacenters.

GAPP – Generally Accepted Privacy Principles. Assist Chartered Accountants and Certified Public
Accountants in creating an effective privacy program for managing and preventing privacy risks.

 Was previously known as the AICPA/CICA Privacy Framework

GAAP – Generally Accepted Accounting Principles.

 A common set of accounting principles, standards, and procedures issued by the Financial
Accounting Standards Board (FASB).

HITECH Act - Legislation that was created to stimulate the adoption of EHR and the supporting
technology in the United States.

EAR - U.S. Commerce Department controls on technology exports. (Export Administration Regulations)

ITAR - U.S. State Department controls on technology exports. (International Traffic in Arms Regulations)

EAR covers the restriction of commercial and dual-use items and technologies. You can find ITAR-
covered items on the USML, while EAR items are listed on CCL.

Common Criteria or CC is international set of guidelines and specs for evaluating IS products to ensure
they meet security standards for gov entities. Verified by vendor neutral 3rd party.

There are three steps to successfully submit a product for evaluation according to the

Common Criteria:

1. The vendor must detail the security features of a product using what is called a security target.

2. The product, along with the Security Target, goes to a certified laboratory for testing according to
evaluate how well it meets the specifications defined in the protection profile.

3. A successful evaluation leads to an official certification of the product.

CC has EALs or earned assurance levels from 1 (functionally tested) to 7 (formally verified and tested).
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

CSA Star Ratings – Level 1 is self-assessment using CAIQ or CCM.

Level 2 is Attestation which is release of assessment carried by 3rd party against 27001 or CCM.

Level 3 is Ongoing Monitoring Certification with release of results secure property monitoring based on
CTP.

CAIQ - A self-assessment performed by cloud providers, detailing their evaluation of the practice areas
and control groups they use in providing their services.

Shadow IT: Defined as money spent on technology to acquire services without the IT department’s
dollar or knowledge (Expense of no use).

Enterprise risk management – Process and structures used in managing enterprise risk.

Risk Profile: Determined by the organization’s willingness to take the risk and the threats to which it is
exposed.

• Risk: Likelihood an impact will be realized.

• Risk Appetite: How much risk an organization can accept or finds acceptable. Risk App Acceptable

• Data Subject: Individual with personal data.

• Data Controller: Determines the purpose and manner that the personal data will process. Often the CC

• Data Processor: Processes data on behalf of data controller. Often the CSP

• Data Custodian: Responsible for safe custody, transport, data storage, and implementation.

• Data Owners: Owns the data (have legal rights).

Total Risk – Risk before any control is implemented.

Residual Risk - Leftover risk after applying control.

Secondary Risk – When one risk triggers another.

KPIs - Examined before you meet your goals. Backward looking.

KRIs - KRIs examine what might cause you to not meet your performance. Forward looking.

BIA – Business impact analysis determines critical paths, processes, and assets of on organization.

Trade secret - Intellectual property protection for a confidential recipe, design, etc.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Copyright - Intellectual property protection for the tangible expression of a creative idea.

With SaaS providing a fully functioning application that is managed and maintained by the cloud
provider, cloud customers incur the least amount of support responsibilities themselves of any service
category.

Data analytics modes – Datamining, Agile business intelligence, Real-time analytics.

Data owner or the cloud customer is ultimately responsible for the data and compliance.

Cloud carrier – Intermediary providing connectivity and transport of cloud services between provider
and consumer. Often an ISP.

Management Plane – Can manage the VMs or virtualized services.

Gap analysis – Benchmarks and identifies relevant gaps against frameworks or standards.

SSO - Multiple applications over a single set of credentials in an enterprise.

DNSSEC – Ensures FQDNs are validated.

Zone Signing - Process of a client using digital signatures to validate a DNS resolution request back to an
authoritative source.

Reservations - Ensure that a minimum level of resources will always be available to a cloud customer for
them to start and operate their services. In the event of a DoS attack against one customer, they can
guarantee that the other customers will still be able to operate.

Shares – Prioritize hosts in cloud environment using a weighting system. For resource contention.

Cloud orchestration – Receiving, fulfilling, managing, monitoring, and metering customer services across
all data centers, AV zones, and regions.

Cloud provisioning – Deployment and integration of cloud computing services within an enterprise IT
infrastructure. This is a broad term that incorporates the policies, procedures and an enterprise's
objective in sourcing cloud services and solutions from a cloud service provider.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Maintenance mode - Remove all active production instances, ensure logging continues, and prevent new
logins.

Management Plane Breach – Most significant risk in a managed cloud environment.

Rate Limiting – Way to control the number of API requests made in a certain time frame.

Object storage – Contains metadata that allows easy access from the web.

4 core components of cloud computing – CPU, Disk, Memory, Network

SDN – is a form of direct management, not indirect.

 Network devices operate at the infrastructure layer, business apps at the application layer,
network services and SDN software at the control layer.
 APIs bridge between App and Control layer and Control data plane is bridge between
control and infrastructure. Think of the A in APIs so APIs bridge App to Control. Think of
“control infrastructure” as well.
 APIs act as a bridge between the application and control layers using the NBI.
 Architectural components:
 SDN Application (SDN App) - programs that communicate their network requirements and
desired network behavior to the SDN Controller via a northbound interface (NBI).
 SDN Controller - in charge of translating the requirements from the SDN Application layer
down to the SDN Datapaths.
 SDN Datapath - A logical network device.
 SDN Northbound Interfaces (NBI) - The interfaces between SDN Applications and SDN
Controllers.
 SDN Control to Data-Plane Interface (CDPI) Southbound - The interface defined between an
SDN Controller and an SDN Datapath.

Data dispersion is much like traditional RAID technologies; spreading the data across different storage
areas and potentially different cloud providers spread across geographic boundaries. This comes with
inherent risk. If data is spread across multiple cloud providers, there is a possibility that an outage at one
provider will make the dataset unavailable to users, regardless of location. This would be a threat to
availability.

SSMS – Secret sharing made short is encrypting data, splitting data in pieces, splitting the key in pieces,
and then signing and distributing them to various storage locations.

AONT-RS - Integrates the AONT and erasure coding. This method first encrypts and transforms the
information and the encryption key into blocks in a way that the information cannot be recovered
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

without using all the blocks, and then it uses the IDA to split the blocks into shares that are distributed
to different cloud storage services (similar to SMSS).

Application virtualization - Concept of isolating an application from the underlying operating system for
testing purposes.

Sandbox - Isolated space where untested code and experimentation can safely occur separate from the
production environment. Physical Sandbox – Isolation of devices and cabling. May be called air gapped.
Logical Sandbox – Isolated memory space where untrusted or untested code can be run in isolation.

DAM – Prevents malicious code from executing (as on an SQL server).

API Gateways provide rate limiting, access control, logging, metrics, and filtering.

WAF – Filters HTTP traffic and can prevent DOS attacks.

Digital forensics – Preserve and collect evidence from most volatile to least volatile.

Chain of evidence is a series of events that, when viewed in sequence, account for the actions of a
person during a certain time period, or the location of a piece of evidence during a specified time period.

Commodity (low risk low cost impt)

Operational (low risk,mid-high cost/impt or mid-high risk, low cost/impt)

Tactical (mid risk/mid cost impt)

Strategic (high for all)

1.Strategic procurement is a systematic, long term and holistic approach to acquiring current & future
needs of an organization. Partners may be the fewest in number but they are the most critical to the
success of the buying organization.

2. Tactical procurement on the other hand is a short term, transactional activity, commonly practiced in
small to medium size manufacturing organizations. Focuses on processes and procedures that can save
time and money while also meeting customer demands and providing value.

3.Operational Procurement deals with meeting the daily purchasing needs of organization.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Orchestration: The goal of cloud orchestration is to automate the configuration, coordination, and
management of software and its interaction.

Distributed resource scheduling – Used within all clustered systems as the method for providing high
availability, scaling, management, workload distribution, and the balancing of jobs and processes.

Recovery service level (RSL) measures the percentage of operations that would be recovered during a
BCDR situation. The recovery point objective (RPO) sets and defines the amount of data an organization
must have available or accessible to reach the determined level of operations necessary during a BCDR
situation. The recovery time objective (RTO) measures the amount of time necessary to recover
operations to meet the BCDR plan.

 MTD = Maximum Allowable Downtime — Cannot be down longer than this. (or company fails,
perhaps), aka MTD = Maximum Tolerable Downtime

 RTO = Recovery Time Objective — We want to be back up this soon. (significantly faster than
MTD)

 MTTR = Mean Time To Recovery — On average, recovery takes this long.

MTD – Maximum time that can be continued without a resource.

Data archiving - tied to BC/DR.

API:

REST API - Most prevalent in web applications and relies on HTTP and supports various formats such as
JSON, and XML, which is the most widely used, allows caching for performance.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

REST does not require an enduring session where a server has to store data.

REST – Uses URIs for web requests. It relies on stateless, client-server, and cacheable comms.

Rest supports caching but SOAP does not.

REST HTTP methods correspond to CRUD methods: [C]reate (POST) [R]ead (GET) [U]pdate (PUT)
[D]elete (DELETE)

SOAP API - Exchanges information between web services. Encapsulates information in what is known as
a SOAP envelope. SOAP only allows for XML formatted data and does not allow for caching. Lower
performance and scalability compared to REST.

SOAP allows programs to operate independently of the client operating system.

SOAP envelope and then HTTP, FTP, or SMTP.

Since everything must be "put in an envelope and addressed properly" it adds overhead.

Provides WS-* features, should only be used when REST is not available, and SOAP uses message-level
encryption.

SOAP uses Asynchronous processing, Format contracts and Stateful operations.

HTTP is over TCP and IP. SOAP is over HTTP.

Software Testing:

Validation: Ensures software meets requirements. “Are we building the right software?” Validate
Requirements

Verification: Ensures software functions correctly. “Are we building the software right?” Verify
Software

A generator transfer switch should bring backup power online before the UPS duration is exceeded.

UPS – Last long enough for graceful shutdown.

Cloud provider is usually data processor and the cloud customer is the data controller.

Cloud washing - Deceptive practice where cloud is used for a non-cloud service.

In the cloud motif, the data processor is usually the cloud provider.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Metadata – Provides data its meaning and describes attributes. “Data about data”

Labels- Provide a logical grouping of data and provides a tag to describe the data.

Content Analysis examines the data itself.

Masking – Obscures content but not format. Typically for the purpose of “testing” using replaced data.

Data masking: Or Obfuscation is a process of hiding, replacing, or omitting sensitive information e.g. PII,
PHI, PCI. It is also used in the test environment to scrub the production or real data and for training
purposes.

Few common methods are:

o Algorithmic substitution: Values are replaced based on an algorithm. Allows the real data to be
regenerated.

o Shuffle: Shuffles different values from the dataset.

o Masking: 1234 xxxx xxxx 4321

Data Anonymization: It is a technique for information sanitization with an intent to protect privacy.

o Direct Identifier: Such as Name, e-mail, phone number and other PII (protected by masking).

o Indirect Identifier: Such as demographic information, dates, events. (protected by anonymization).

Tokenization: Substituting sensitive information with non-sensitive information. Tokenization is the

practice of utilizing a random or opaque value to replace what would otherwise be sensitive data.
Can be used to map back to original data. Typically needs 2 databases. Tokenization generates a token
that is used to substitute sensitive data, which itself is stored in a secured location such as a database.
When accessed by a nonauthorized entity, only the token string is shown, not the actual data.

Purge - A method of sanitization that applies physical or logical techniques that render Target Data
recovery infeasible using state of the art laboratories.

Cybersecurity activities – Identify, protect, detect, respond, and recover.

SNAPshots cannot take patches.

IAM efforts are typically regulation driven.

Encryption is always safe for data disposal in the cloud.

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

X.509 is a standard defining the format of public key certificates. X.509 certificates are used in many
Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the
web. Contains a public key and an identity (a hostname, or an organization, or an individual).

TLS is more performance intensive than IPSEC. More devices support TLS than IPsec.

IPsec does not always tunnel traffic. GRE is a technology leveraged by IPsec that performs tunneling. IKE
is another aspect of IPsec that provides encryption.

X500 – LDAP (Lightweight directory access protocol)

Object storage is typically flat and uses HTTP and file storage is hierarchical. “Flat object”

Volume can be associated with block or raw storage. Block associated with a SAN, RAID, and iSCSI.

Challenges of block storage include: Requires greater administration and may require OS or application
to store, sort, and retrieve data.

Use case for block storage include: Data of multiple types and kinds, such as enterprise backup services.

IaaS – Object and Volume storage.

PaaS – Structured and Unstructured data. Structured would be database like and searchable.
Unstructured would be text, multimedia, email, web pages, etc.

SaaS – Data entered via web interface. Content and file storage is within the application. CDN Storage.

CDN – Stored in object storage then distributed geographically. multimedia streaming services. Rather
than dragging data from a datacenter to users at variable distances across a continent, the streaming
service provider can place copies of the most requested media near metropolitan areas where those
requests are likely to be made,

Biggest IaaS concern is lack of proper segmentation of resource between tenants. Includes isolation of
VMs.

Cloud Broker – Provides service intermediation, aggregation, and arbitrage. Manages the use,
performance and delivery of cloud services. Negotiates relationships between cloud providers and
cloud consumers.

Logical Design: Part of the Design phase in SDLC

o It lacks technology detail and standards.

o It communicates with abstract concepts (network, routers, system.)

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Physical Design: To show the hardware used to deliver the system.

o Created from logical design.

o Expands element from logical design.

Shibboleth – Usually associated with academic institutions.

CSRF – Think cookies

XXS – Invalid input from untrusted data

Injection attack is where a malicious actor will send commands or other arbitrary data through input and
data fields with the intent of having the application or system execute the code as part of its normal
processing and queries.

Digital Signatures – Use sender’s private key plus a hash to guarantee integrity and origin. PKI

TLS and IPSec can be used to prevent eavesdropping.

TLS record protocol – Ensure connection is private and reliable. Think private/recording for memory. It is
also leveraged to verify integrity and origin of the application data.

TLS handshake protocol – Negotiates encryption algorithm and keys before data sent or received. Think
of negotiating with a handshake for your memory.

 Cipher suite negotiation

 Authentication of the server
 Client Session key information exchange

Tunnel mode – Most secure mode for IPSec. It secures the IP payload and the IP Header. The transport
mode encrypts only the payload or data.

The AH part of IPSec is integrity and authentication and ESP is confidentiality.

Rapid elasticity vs rapid scalability – RE allows cloud customers to allocate resources as needed for
immediate usage and RS is ability of cloud to quickly meet demand. Resource pooling – Allows access to
resources as needed.

Best way to protect an RDP session is with a smart card.

CASB – Cloud access security broker handles identity and access management (IDAM).
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

FIPS 140-2 Tested by an independent lap. Has 4 levels. Level 4 zeroizes data if compromised any way.

Level 1 - There are no physical security requirements at Level 1. An example of a Security Level 1
cryptographic module is a personal computer (PC) encryption board.

Level 2 - Requires role-based authentication where a cryptographic module is used for actual
authentication processes. Shows evidence of tampering, has tamper-evident coatings/seals that must be
broken to attain physical access to the cryptographic keys and critical security parameters (CSPs) in
module, or resistant locks on covers or doors. The module must also have mechanisms that show
evidence of any attempts to tamper with it.

Level 3 - Requires physical protection methods to ensure a high degree of confidence that any
attempts to tamper are evident and detectable. It requires the cryptographic module to not only
authenticate the user to the system but also to verify authorization. Physical security mechanisms
required at Level 3 are intended to have a high probability of detecting and responding to attempts at
physical access. Tamper-detection/response circuitry that zeroes all plaintext CSPs when the
covers/doors are removed.

Level 4 – Highest level. Penetration of the cryptographic module enclosure from any direction
has a very high probability of being detected, resulting in the immediate deletion of all plaintext CSPs.

All of the tests under the CMVP are handled by third-party laboratories that are accredited as
Cryptographic Module Testing laboratories by the National Voluntary Laboratory Accreditation Program
(NVLAP). Vendors interested in validation testing may select any of the twenty-two accredited labs.

Data Centers Design Standards

• Building Industry Consulting Service International INC (BICSI):

o Cabling and Design installation

• The International Data Center Authority (IDCA):

o Data center location, facility structure, and infra-structure and application. Not tiered. The
Infinity Paradigm covers data center location, facility, structure, and infrastructure and
applications.

• National Fire Protection Association (NFPA):

o Requirement for temperature or emergencies.

• The Uptime Institute created the standard Tier Classification System to evaluate various data center
facilities in terms of potential site infrastructure performance, or uptime.

Tier 1 - Has a single path for power and cooling and few, if any, redundant and backup components. It
has an expected uptime of 99.671% (28.8 hours of downtime annually).

Tier 2 - Redundant components but only one path/source or partial redundancy in data center
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Tier 3 – A Tier III data center is concurrently maintainable with redundant components as a key
differentiator, with redundant distribution paths to serve the critical environment.99.982% Guaranteed
availability.

Tier 4 – Fault tolerant and zero single points of failure. Several independent and physically isolated
systems that act as redundant capacity components and distribution paths. 99.995 % uptime.

CSA or cloud service agreement describes relationship between the provider and the customer.

CCM is designed to provide guidance for cloud vendors and to assist cloud customers with assessing the
overall security risk of a CSP. Can be used to perform security control audits. A fundamental richness of
the CCM is its ability to provide mapping and cross relationships with the main industry-accepted
security standards, regulations, and controls frameworks (such as ISO 27001/27002, ISACA COBIT,and
PCI DSS).

SLA - A cloud SLA (cloud service-level agreement) is an agreement between a cloud service provider and
a customer that ensures a minimum level of service is maintained.

OLA – SLA negotiated between internal business units.

UC – Underpinning contracts – External contracts between organizations and vendors or suppliers.

Release and deployment management needs to be tied to change management, config management,
and problem management. With Release Management think of software and releasing versions.

Change management involves the creation of an RFC ticket and obtaining approval.

Verification and validation should occur at each stage of the SDLC. User input is considered in define
phase. Software construction is related to the design phase.

Puppet and Chef can help during the secure operations phase.

Application Virtualization – Encapsulation of application software execution, not emulation.

NIDS – Should be deployed on the segment being monitored.

Vendor scorecard – Provides ranking of vendors based on risk.

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

DLP – Uses media-present checks for IP data.

Network based or gateway DLP the engine is deployed near the org gateway to monitor
outgoing protocols like HTTP, HTTPS, and SMTP. For data in use it is on the user’s workstation or
endpoint.

Biggest challenge for protecting data at rest with DLP is resource pooling.

DNSSEC – Set of DNS extensions that provide authentication, integrity, and authenticated DOE for DNS
data.

Risk Management Process – (FARM) – Framing, Assessing, Responding, and Monitoring

Restatement of Law - Uses relevant factors of applicable law. Articulate the principles or rules for a
specific area of law. Judges use these restatements to assist them in determining which laws should
apply when conflicts occur.

Doctrine of Proper Law – Addresses jurisdictional disputes. Think proper jurisdiction.

Applicable Law - This determines the legal standing of a case or issue.

Plain View Doctrine - Exception to the Fourth Amendment's warrant requirement that allows an officer
to seize evidence and contraband that are found in plain view during a lawful observation.

Common Law - The existing set of rulings and decisions made by courts, informed by cultural motives
and legislation. These create precedents, which each party will cite in court as a means to sway the court
to their own side of a case.

Tort Law - Refers to the body of rights, obligations, and remedies that set out reliefs for persons who
have been harmed as a result of wrongful acts by others. Tort actions are not dependent on an
agreement between the parties to a lawsuit.

Prudent Person Rule - Based on a judge's discretion, can demonstrate a party acted responsibly as a
prudent person would.

*OS and Application files: Responsibility of Patching is with subscriber instead of CSP.

*Data Fluidity: Data is fluid in Cloud computing (on-Prem to off-Prem).

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Threat modeling – To determine any weaknesses in the app and the potential ingress, egress, and actors
before the weakness is introduced in production.

OWASP Dependency-Check – Tool that identifies project dependencies and checks whether there are
known or disclosed vulnerabilities.

STRIDE – Spoofing, Tampering, Repudiation, Info disclosure, Denial of service, and elevation of privilege.

Dread

 Damage – how bad would an attack be?

 Reproducibility – how easy is it to reproduce the attack?
 Exploitability – how much work is it to launch the attack?
 Affected users – how many people will be impacted?
 Discoverability – how easy is it to discover the threat?

API Gateway – Filters API traffic. Proxy or application stack focused.

SIEM can help prevent escalation of privilege.

DLP aids in BC/DR efforts. Can also help in the legal task of data collection.

Data Center traffic - More specifically, northbound interfaces go towards the core of the data center or
towards the Internet-facing egress of the network. Southbound goes towards the
end-users/servers/VMs. East-West Traffic denotes a direction of traffic flow within a data center.

DNSSEC: Protection against DNS poisoning

Threats to DNS infrastructure:

• Foot Printing: Process where attacker obtains DNS Zone data.

• DOS Attack

• Data Modification

• Redirection

• Spoofing

IPsec: Uses mutual authentication at the time of session establishment. Provides Confidentiality,
Authenticity, Integrity, and Non-repudiation. Remember CAIN

Challenges with IPsec

o Configuration Management: Components in cloud may not be IPsec compatible.

o Performance: There is a slight degrade in performance. More degradation with TLS though.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Certificate pinning is a method of associating X.509 certificate and its public key to a specific CA or root.
Typically, certificates are validated by checking a verifiable chain of trust back to a trusted root
certificate. Certificate pinning bypasses this validation process and allows the user to trust “this
certificate only” or “trust only certificates signed by this certificate.”

Authoritative Source - The “root” source of an identity, such as the directory server that manages
employee identities.

TPM – Full disk encryption capability. Integrity and authentication to boot process. Has unique RSA key
burned into it.

Trusted Platform Module: Cloud-based software applications can use a Trusted Platform.

(TPM) to authenticate hardware devices. A TPM is a chip placed on the main board of the device, such
as a laptop. It may also be used to create and store keys as well as performs tasks as a crypto processor.

HSM – Manages, generates, and stores crypto keys. Can be added to a system or network. Can’t be
added if not shipped with one. Review of HSMs are done by an independent lab.

HSM is a removable or external device that can generate, store, and manage RSA keys used in
asymmetric encryption. HSMs are used with high-volume e-commerce sites to increase the performance
of SSL sessions.

Hardware Security Module: A hardware security module (HSM) is a physical computing device that
provides crypto processing and safeguards and manages digital keys for strong authentication.

The key difference between HSM and TPM is that an HSM manages keys for several devices, whereas a
TPM is specific to a single device.

DAM (Database activity monitoring) – Can help prevent SQL based attacks.

XML GTW – Can be a reverse proxy and perform content inspection.

Data Center needs to be between 64 and 81 degrees. Thermostat on return air may result in high energy
costs.

Data center needs to be between 40 and 60 percent humidity. Too low increases static, too high
increases corrosion and bio creep.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Release management vs change management – Release Management involves planning, coordinating,

executing, and validating changes and rollouts to the production environment.

Change management - Higher-level component than release management and also involves stakeholder
and management approval, rather than specifically focusing the actual release itself.

Deployment management is similar to release management, but it's where changes are actually
implemented on systems.

Cloud service operations manager - Responsible for preparing systems for the cloud, administering and
monitoring services, providing audit data as requested or required, and managing inventory and assets.

Core components to an encryption system architecture – Software, Data, Keys

Privacy shield is voluntary for non-EU entities. It replaces the Safe Harbor Act. Tied to the Department
of Commerce. Federal Trade Commission is enforcement body.

WORM - Write once read many (WORM) describes a data storage device in which information, once
written, cannot be modified. Is considered long term.

UPS – Needs to last long enough for graceful shutdown.

Generator should last 12 hours.

Portability – Enables the migration of cloud services from one cloud provider to another or between a
public cloud and a private cloud.

Profile Protection: Identifies security requirements for a class of security devices.

• Security requirements & protection.

• What customer needs (security desire).

• Products can comply with more than one PP.

Security Targets: Claims of security from the vendor that are built into a TOE (Target of Evaluation).

• The document that identifies the security properties of the TOE.

• The ST may have one or more PP's.

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Data masking – Similar, inauthentic dataset used for training and software testing.

SOAP relies on encryption for security………..NOT TLS or SSL.

Identification establishes user accountability for actions on a system.

Authentication – Authorization – Access are the 3 steps in order. Alphabetical order for first 2

Authentication – Identifies individual and ensures who he/she is … establishes adequate certainty of ID.

Authorization – What access does the individual have.

SSO – Think within an enterprise. Allows a user to access multiple apps with a single set of credentials.

Federated SSO – Think outside the enterprise. For facilitating inter org and inter security domain access
leveraging federated identity management.

Federation – An association of organizations that come together to exchange info about users and
resources for collaboration and transactions.

Federated Identity/SAML- The identity provider holds all the identities and generates a token for known
users. The relying party is the service provider or parties and consumes these tokens.

SAML – XML based framework. Allows business to make assertions on identity, attributes, and
entitlements. Parts of SAML are attributes, bindings, protocols, profiles. Used to exchange information
used in the authentication and authorization process. In a federated system, it sends a SAML assertion
to the service provider containing all the information that the service provider requires to determine
the identity, level of access warranted, or any other information or attributes about the entity.

OpenID – An authentication protocol but not authorization. Let’s developers authenticate their users
across websites and apps. Is designed to provide developers with an easy and flexible mechanism to
support authentication across organizations and utilize external identity providers, alleviating the need
to maintain their own password stores and systems. Developers can leverage OpenID as an open and
free authentication mechanism and tie it into their code and applications, without being dependent on
a proprietary or inflexible system. Relies on REST and JSON.

OAuth - Allows API authorization between apps. “Enables 3rd party application to obtain limited access
to an HTTP service” - behalf of resource owner, or by allowing 3rd parties to obtain access on own
behalf. Allows 3rd party app to retrieve user data without user needing to share login credentials. It is
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

most often used for delegating access control/authorizations between services.

OAuth 2.0 - Authorization framework enables a third party application to obtain limited access to an
HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the
resource owner and the HTTP service, or by allowing the third-party application to obtain access on its
own behalf.

WS-Federation – Defines mechanism to allow different security realms to federate such as authorized
access to resources. Relies on SOAP.

Proxy federation could use a 3rd party to optimize compliance with security governance. A federation
server proxy collects credentials or home realm details from Internet client computers by using the
logon, logout, and identity provider discovery. 3rd party for identification federation=proxy

Cross-certification – Each group approves each other. Also called web of trust.

Proxy - A forward proxy is the intermediary that the client puts forward between itself and any server.
The reverse proxy is at the other end – something the server puts forward between itself and any client.
In short, a reverse proxy is an intermediary on the side of the server you are connecting to. And the
forward proxy is the intermediary on your side of the internet.

CSP is responsible for the hypervisor.

WAF – Layer 7 FW that can understand HTTP traffic. Useful against DoS attacks

DAM – Layer 7 monitoring that understands SQL. Can stop malicious commands from being executed.
Database activity monitoring (DAM) – Can be Host-based or Network-based.

XML GTW – Transforms ways services and data is exposed as APIs to developers. Can provide AV and
DLP security controls. Popularly implemented in service-oriented architectures to control XML-based
web services traffic, and increasingly in cloud-oriented computing to help enterprises integrate on
premises applications with off-premises cloud-hosted applications.

API GTW – Filters API traffic. Can be installed as a proxy or part of app stack.

XML firewall - Most commonly deployed in line between the firewall and application server to validate
XML code before it reaches the application. An XML firewall is intended to validate XML before it
reaches the application.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

TLS – provides privacy/security, and integrity. Is successor to SSL. Asymmetrically sends symmetric key.

Record protocol of TLS performs the authentication and encryption of data packets, and in some cases
compression as well. Handles the secure communication and transit of data.

Handshake negotiates and establishes the connection.

SSL - Establishes encrypted link between web server and browser.

Symmetric encryption uses a single key that needs to be shared among the people who need to receive
the message while asymmetric encryption uses a pair of public key and a private key to encrypt and
decrypt messages when communicating.

Symmetric encryption involves a shared secret.

Cross-site scripting - Involves the sending of untrusted data to a user's browser to be executed with their
own credentials and access.

Tokenization – Used to satisfy PCI-DSS requirements. Uses token or string of characters to substitute
sensitive data that is stored.

Masking - Keeps the form but alters the content. Can be used for testing inauthentic data sets.

MTD – Focused on point in time after the outage.

CSA CCM – Provides a good list of cloud controls required by multiple compliance bodies.

Shadow IT is money spent on tech to acquire services without IT knowledge or dollars.

APIs are REST or SOAP.

API programming optimizing XML request is done by SOAP.

Gateways are application layer.

Storage controllers – Distribute workloads to each server, manage the transfer, and provide access to all
files regardless of physical location.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Comparing OSI and Cloud Model the session and presentation layers are abstracted.

SaaS stores CDN content PaaS is structured and unstructured IaaS is volume and object

Key capability or characteristic of PaaS – Ability to reduce Lock-In.

RTO – Think of amount of time and RPO as amount of data.

Certification - Accreditation - and then operation.

Certification is used for verifying that personnel have adequate creds to practice certain disciplines.

Accreditation is the formal declaration by a neutral third party that the certification program is
administered in a way that meets the relevant norms or standards of certification program (e.g., ISO/IEC
17024).

Certification bodies are getting accredited, while companies are getting certified. (The certification body
needs to be compliant with the standard ISO 17021 if they want to get accredited for certifying
management systems.)

UPS – Should last long enough for a graceful shutdown.

Hot aisle containment - Backs of servers where exhaust air is facing the backs of the other
servers/devices and closed.

REST – Software architecture style of guidelines and best practices for scalable web services - Supports
many formats and uses HTTP - Faster

SOAP – Protocol specification for exchanging structured info in the implementation or web services - It
only supports XML – Slower

Forklifting – Process of migrating entire app the way it runs in a traditional environment with minimal
code changes. NOT ALL APPS ARE CLOUD READY.

When dealing with EU Nations then the answer should be private cloud over the other deployments.

Tiers of zones: Data center, then availability zones, and then regions.

Information Storage and Management: Data entered in system via web UI are stored in SaaS
(DATABASE).

Content and File storage: File-based content is stored within application.

Ephemeral storage: Ephemeral means short-lived. For instance, storage; and it exists till the time
instance is up.

Content Delivery Network (CDN): Content is stored and distributed to multiple geographical locations to
improve internet speed.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Raw storage: Raw Device Mapping (RDM) is an option in the VMware server that enables storage logical
unit number (LUN) to be connected to VM from SAN.

Long-Term storage: Some CSP provides tailored services to store archived data that enterprises can
access by using API (Write Once Read Many).

Problem Management: Objective is to minimize the impact of problems on the organization.

o A problem is the unknown cause of one or more incidents, often identified as a result of multiple
similar results. Unknown cause of one or more incidents. A known error is the root cause of a problem.

o A workaround is a temporary way of overcoming technical difficulties.

Overwriting is not feasible in the cloud because logical location is impossible to determine.

Physical destruction is preferred method but not available for cloud.

ALE=SLE x ARO

Methods of data discovery – Label, Content, and User based.

Type 1 Hypervisor – More secure and “bare metal” - With a Type 1 hypervisor, the management
software and hardware are tightly tied together and provided by the same vendor on a closed platform.
This allows for optimal security, performance, and support.

Type 2 Hypervisor – Less secure and depends on OS.

Event - Defined as a change in state that has significance for management of IT and an incident is
defined as an unplanned interruption to an IT service or reduction in policy.

Incident management – Restore service as quickly as possible. Minimize adverse impact. Ensure
availability and quality are maintained.

Incident classification - Priority = Urgency x Impact.

Incident management process – Incident, then report, then classify, then investigate and collect data,
then resolution with approval and then implement changes.

Utility is functionality of product.

Warranty is assurance the product will meet requirements.

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

ONF to ANF – One to many relationship. ONF used to create multiple ANFs.

ONF – Framework of containers for all components of app security……leveraged by the organization.

There is a one-to-many ratio of ONF to ANF; each organization has one ONF and many ANFs (one for
each application in the organization). Therefore, the ANF is a subset of the ONF.

Application Security Management Process (ASMP): ISO / IEC 27034-1 defines ASMP to manage and
maintain each ANF. Specifying app requirements, Assessing risks, Creating and Maintaining ANF,
Provisioning and operating, Auditing the security (SAC PA).

• Specifying the application requirements and environment.

• Assessing application security risks.

• Creating and maintaining the AMF.

• Provisioning and operating the application.

• Auditing the security of the application.

WS-Security specifications, as well as the WS-Federation system, are built upon XML, WDSL, and SOAP.
SAML is a very similar protocol that is used as an alternative to WS.XML. WDSL, and SOAP are all integral
to the WS-Security specifications.

Converged networking model – Optimized for cloud deployments and underlying storage. Maximizes
benefits of a cloud workload.

With governance - the contract defines the roles and responsibilities for risk management between a
cloud provider and a cloud customer.

Dynamic software testing – uses Path coverage and not code or user coverage. Is also done in a
runtime state.

DAST – Considered black box. Looks at execution paths and in a running state. Web vulnerability testing
and fuzzing are considered DAST tests.

RASP – Focuses on apps that that have self-protection capabilities in runtime environments. Works
without human intervention in response to attacks.

SAST – Generally considered white box test. Inspects the code and can help against XSS, SQL injection,
and buffer overflows. Performed in an offline manner; SAST does not execute the application. It usually
delivers more results and more accuracy than DAST.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Fuzzing - Automated software testing technique that involves providing invalid, unexpected, or random
data as inputs to a computer program.

Vulnerability scans depend on vulnerability signatures.

Mobile number is considered PII in EU but not US.

Broken authentication and session management – Avoid using custom authentication schemes.

Synthetic performance monitoring can be better than real user monitoring because it is more
comprehensive but it is not real time. Synthetic agents can simulate user activity in a much faster
manner than real-user monitoring and perform these actions without rest. Synthetic performance
monitoring approximates user activity and thus, is not as accurate as RUM.

Chicken coop datacenter – Long side facing the prevailing wind to allow for natural cooling.

BISCI – Covers cabling design and installation.

IDCA – Covers data location. Not tiered. Infinity Paradigm.

Uptime institute – Tier 1 is Basic Data Center Structure Tier 2 is Redundant Site Infrastructure Tier 3 is
Concurrently maintainable Tier 4 is Fault-tolerant.

Raised floors need to be 24 inches.

Hot aisle has backs of racks facing each other and Cold aisle has back of racks facing away from each
other and cold air flowing between the intake side.

4 9s or 99.99% – 52.56 minutes of downtime per year

5 9s or 99.999 – 5.26 minutes of downtime per year. Think 5 9s is 5 mins

RSL - Refers to the percentage of production level restoration needed to meet BCDR objectives.

HA is loosely coupled and Fault tolerant is tightly coupled.

• Data in Motion (DIM): All the connections from host to cloud should be encrypted in transit (TLS 1.2).

• Data at Rest (DAR): Data stored in database, or any repository should be encrypted (AES 256).

3 types of data discovery – Label, metadata, content

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

• Static Application Security Testing (SAST):

o White box testing. Done without executing the application.

o Determines coding errors. Early development life cycle.

o Useful for XSS, SQL Injection, Backdoors.

• Dynamic Application Security Testing (DAST):

o Black box testing. Done at the runtime.

o Useful to test exposed HTTP and HTML Interfaces.

• Runtime Application Self Protection (RASP):

o Considered to focus on application that possesses self-protection capabilities. Prevents attacks

by self-protecting without human intervention.

Access controls are physical or logical.

GDPR – General Data Protection Regulation. European Union. Based on 7 principals

PIPEDA - Personal Information Protection and Electronic Documents Act. Canada. Contains various
provisions to facilitate the use of electronic documents. The act was also intended to reassure the
European Union that the Canadian privacy law was adequate to protect the personal information of
European citizens.

COPPA - Children's Online Privacy Protection Act. US. FTC in 1998. Requirements on operators of
websites or online services directed to children under 13 years of age.

APEC – Asia Pacific Economic Cooperation

Part 1: Preamble

Part 2: Scope

Part 3: Information Privacy Principles

Part 4: Implementation

OECD - Standards organization made up of representatives from many countries, and it publishes policy
suggestions. Its standards are not legally binding and do not have the effect of a treaty or other law
(such as GDPR). The OECD published the first set of internationally accepted privacy principles and
recently published a set of revised guidelines governing the protection of privacy and transborder flows
of personal data.

Puppet: Configuration management system, which allows to define the state of IT Infrastructure and
enforces correct state. PC-Puppet/Configuration
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Chef: Automates the build, deploy, and manage infrastructure. Stores recipe as well as other
configuration data. CA-Chef/Automates

Portability - The most important cloud concept when considering BCDR planning.

iSCSI – Protocol that uses TCP to transport SCSI commands. For TCP/IP network infrastructure as a SAN.
Makes block devices available via the network. LAN tech.

iSCSI - Subject to oversubscription. Should use a dedicated LAN for traffic. It is transmitted
unencrypted so use only on trusted networks. It does support IPSec/IKE.

iSCSI Supports Kerberos authentication. SRP and CHAP as well.

iSCSI is unencrypted - Encryption must be added separately through IPsec (tunneling) and IKE (security).

NAS – Presents devices at a file level.

SOC Type 2 audits include five principles: security, privacy, processing integrity, availability, and
confidentiality. SAC PA

A host intrusion detection system (HIDS) monitors network traffic as well as critical system files and
configurations.

After the accreditation of a system by the designated approving authority (DAA), an authorization to
operate (ATO) is granted for 3 years.

Security requirements should be incorporated into the software development lifecycle (SDLC) from the
earliest requirement gathering stage and should be incorporated prior to the requirement analysis
phase.

SDLC Define (requirements documented), Design (user stories), Develop (code written), Test (pen tests
and vuln assessments), Secure ops, Disposal.

Measured service - Most attractive aspect of cloud computing for use with BCDR. Measured service is
also a characteristic of cloud computing would be most attractive to management when looking to save
money.

Virtualization makes it very difficult to perform repeat audits over time to track changes and compliance.

Object storage - Typically used to house virtual machine images that are used throughout the
environment.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Volume and object storage – Used when the cloud customer is responsible for deploying all services,
systems, and components needed for their applications. (IaaS)

Inter-cloud provider - Manages memberships in federations and the use and integration of federated
services.

Systems staff (not cloud customer or developer) would be responsible for implementing IPsec to secure
communications for an application.

Operating system of the host controls the formatting and security settings of a volume storage system
within a cloud environment.

Homomorphic - Experimental technology that is intended to create the possibility of processing

encrypted data without having to decrypt it first. Can be considered end to end.

End to End encryption - System of communication where only the communicating users can read the
messages.

Challenges of data discovery in cloud

• Identifying where your data is?

• Accessing the data. Not all data stored in cloud could be accessed by everyone.

• Data preservation needs to be decided between customers and CSP in the contract.

Private Cloud: Cloud infrastructure exclusively for a single organization. May be owned and managed by
the organization or Third party. Exists on or off-premise a.k.a organization’s internal cloud.

Benefits

1. Increased control over data, applications and systems.

2. Ownership and retention of governance controls.

3. Assurance over data location, removal of multiple jurisdictions, legal, and compliance requirements.

▪ Hybrid Cloud: Two or more distinct cloud infrastructure (Public, Private or Community).

Retain control of IT environments.

Hybrid = Public + Private. It can provide cloud bursting.

(Non-mission critical) (Mission critical)

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Colocation: Multiple VMs residing on a single server and sharing the same resources increases the attack
surface and risk of VM to VM and VM to Hypervisor compromise.

Physical server is offline → safe from attack of…… VM is offline → can still be attacked, malware
infections due to the unavailability of patching.

Infrastructure as a Service

Consumer CSP

OS Storage

Software Network

Host Firewall Processing

Software as a Service

Consumer CSP

Data Infrastructure

Network, storage

OS,Servers, Application

DLP architecture

• Data in Motion: Network-based or gateway DLP. Used for HTTP, HTTPS, FTP, SMTP etc.

• Data at Rest: Looks for data loss on storage.

• Data in Use: DLP is installed on user’s workstation and endpoint devices. Challenges are complexity,
time, and resources to implement.

Cloud based DLP considerations.

• Data in the cloud tends to move and replicate.

• Admin access for enterprise data in the cloud could be tricky.

• DLP technology can affect overall performance.

Encryption Implementation:

• Data in Motion: IPSec, VPN, TLS

• Data at Rest: Retention of data, AES -256

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

• Data in Use: Data being shared, processed or viewed. Focus on IRM and DRM solution.

Data encryption in IaaS

In IaaS, encryption encompasses both volume and object storage solutions.

• Basic storage level encryption: Encryption engine is located at the management level and CSP holds
keys. Protects from the hardware theft or loss. Does not protect from CSP admin accessing the data.

• Volume storage encryption: Encrypted data reside on volume storage. Protects against:

o Physical loss or theft.

o External admins accessing the data.

o Snapshot of storage level backups being taken and removed from the system.

Methods to implement volume storage encryption.

• Instance based: Encryption engine is located in the instance. Keys are managed externally.

• Proxy based: Encryption engine running on proxy instance. Proxy instance handles all cryptographic
actions.

• Object storage encryption: Majority of object storage services offer server-side encryption (less
effective).

Object storage can use the following types of encryption:

 File-level encryption. This is typically in the form of IRM/DRM. The encryption engine is
commonly implemented at the client side (in the form of an agent) and preserves the format of
the original file.
 Application-level encryption. The encryption engine resides in the application that is using the
object storage. This type of encryption can be used with: Database encryption, Object storage
encryption, and proxy encryption.

Client-side encryption: When object storage is used as the back-end for an application (including mobile
applications), encrypt the data using an encryption engine embedded in the application or client.

Database Encryption

• File-level encryption: Encrypting volume or folder of Database with the encryption engine and keys
residing on the instance.

• Transparent encryption: Database Management System (DATABASEMS) can encrypt entire database
or specific tables. Encryption engine resides within database and is transparent to applications.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

• Application-level encryption: Encryption engine resides at application that is utilizing the database.

Key storage in cloud

• Internally managed: Keys stored on virtual machine or application component used for storage level,
internal DATABASE, or back-up application encryption.

• Externally managed: Keys are maintained separately from the encryption engine and data.

• Managed by Third party: Trusted Third party provides key escrow services. It's important to evaluate
the security of third-party storage.

 Key distribution. Keys should never be distributed in the clear. Often, passing keys out of band
is a preferable, yet cumbersome and expensive, solution.

Information Rights Management (IRM)

• Adds an extra layer of access control (ACL).

• As IRM has ACL, controls are independent of file location.

• IRM can be used to protect various documents.

• It can be used as a baseline for default information protection.

IRM Qualities

Persistent Protection: Everything is protected at rest and in transit.

Dynamic Policy control: Allows content owners to define and change user permission or even
expire the content.

Automatic Expiration: Automatically revokes access.

Continuous audit trail: Ensuring delivery of the message content.

Security Information and Event Management (SIEM)

Security Information Management + Security Event Management = SIEM

(Storage, analysis, and reporting) (Real-time monitoring, correlation, and notification)

• Data Aggregation

• Correlation

• Alerting
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

• Dashboards

• Compliance

• Retention

• Forensic Analysis

The primary difference of a CSRF attack requires an authenticated session, whereas an XSS attack
doesn't. XSS is believed to be more dangerous because it doesn't require any user interaction. XSS
requires a vulnerability to happen, whereas CSRF relies on tricking the user to click a link or access a
page.... CSRF is restricted to the actions the victim can perform. On the other hand, XSS works on the
execution of malicious script broadening the scope of actions the attacker can perform. XSS can only
send an HTTP request but cannot view the response, whereas XSS (not CSRF) can send and receive HTTP
requests and responses to extract the required data.

Identity provider – Resides at the user’s home organization and performs authentication and then
passes it to a relying party to grant access. Think of them as the ones providing the identity.

Relying party - Entity that takes the authentication tokens from an identity provider and grants access to
resources in federation. The relying party is usually the service provider and consumes these tokens.

Limits – Cannot be placed on a hypervisor but can be put on a customer, VM, or service.

Management Plane: Allows admin to manage any or all the hosts remotely.

Key Functionality: Create, start and stop VM instance, and provision them with virtual resources like
CPU, memory, etc.

It’s used by privileged users who install and remove hardware, software, firmware. The primary
interface is API. *APIs allow automation of controls tasks.

Virtualization Risks

• Guest Breakout: Guest OS can access hypervisor or the Guest OS.

• Snapshot and Image Security: It contains sensitive information which needs to be protected.

• Sprawl: Loose control of the amount of content on your image store.

VM sprawl is defined as a large amount of virtual machines on your network without the proper IT
management or control. For example, you may have multiple departments that own servers begin
creating virtual machines without proper procedures or control of the release of these virtual machines.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Configuration management tracks and maintains detailed information about all IT components within an
organization. Availability management is focused on making sure system resources, processes,
personnel, and toolsets are properly allocated and secured to meet SLA requirements. Continuity
management (or business continuity management) is focused on planning for the successful restoration
of systems or services after an unexpected outage, incident, or disaster. Problem management is
focused on identifying and mitigating known problems and deficiencies before they occur.

BCP: Allows a business Plan to decide what it needs, to ensure that its key products and services
continue to be delivered in case of Disaster. Disruption of top business is minimized.

BCM – Defined as a holistic management approach that identifies potential threats to an org and the
business impacts. Ensuring that mission critical systems are able to be restored to service following a
disaster.

DR: Allows business to plan what needs to be done immediately after a disaster to recover from the
event.

*Cloud has resilient infrastructure, broad network connectivity and can be quickly deployed.

*Its pay per use, which means BCDR can be a lot cheaper.

BCDR Steps: Define, Analyze, Assess Risk, Design, Implement, Test. DAAD IT

RSL (Recovery Service Level): Percentage measurement (0-100%) of how much computing power is
necessary based on the percentage of production system needed during a disaster.

Resiliency - The ability to restore normal operations after a disruptive event. Redundancy is the
foundation of resiliency.

Urban Design for data centers – Municipal codes can restrict building design.

Walk-through test – Also called a sim test is more involved than a table-top. Simulates a disaster but
only includes operations and support personnel.

Functional Drill – Also called a parallel test, it involves moving personnel to recovery site. All employees
are involved here.

Full interruption – Most involved and include moving key services and transactions to backup and
recovery sites. Close to real life scenario.

3 Ps – Power, Pipe, and Ping - The ping means that computers are accessed remotely; the power is the
electricity, and the pipe is the connection to the Internet.

Forklifting – Moving everything to the cloud. Large migration.

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

Data security and GRC are always customer responsibility.

IDAM:

• IDAM-2: Software platforms and apps are inventoried.

• IDAM-3: Org communication and Dataflow are mapped.

• IDAM-5: Resources are prioritized based on classification, clarity, and business value.

IDRA:

• IDRA-1: Asset vulnerabilities are identified and documented.

• IDRA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine the risk.

Federation Standard

SAML 2.0 is most commonly used. SAML 2.0 is XML based framework for communicating user
authentication, entitlement, and attribute information.

SAML is also standard for exchanging authentication and authorization data between security domains.

Entitlement maps identities to authorizations and any required attributes (e.g. user x is allowed access
to resource y when z attributes have designated values). We commonly refer to a map of these
entitlements as an entitlement matrix.

WS-Federation: Defines mechanisms to allow different security realms to federate, such that
authorized access to resource at one realm can be provided to security principles, whose identities are
managed in other domains. WS-Federation can be used directly by SOAP applications and web services.
WS-Fed is a protocol that can be used to negotiate the issuance of a token. You can use this protocol for
your applications (such as a Windows Identity Foundation-based app) and for identity providers (such as
Active Directory Federation Services or Azure AppFabric Access Control Service).

Open ID Connect: Interoperable authentication protocol based on OAuth 2.0.

OAuth: Used for authorization OAuth 2.0. Not Designed for SSO.

Shibboleth Standard: User authenticates with their organization’s credentials and the organization
(Identity Provider) passes information to service providers. Usually used by Universities.

Using Storage Clusters: Use of 2 or more storage servers working together to increase performance,
capacity, or reliability.

Clustered Storage Architecture:

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

• Tightly Coupled: Both nodes work together to increase performance. Has a set max capacity. A tightly
coupled cluster should see improved performance as more drives and nodes are added to the
environment. Delivers a high-performance interconnect between servers. Allows for load-balanced
performance. Allows for maximum scalability as the cluster grows (array controllers, I/O ports, and
capacity can be added into the cluster as required to service the load). Fast, but loses flexibility*

• Loosely Coupled: Loosely coupled clusters have the downside that maximum performance and
capacity is limited to the performance of the node that houses the data. The performance does not scale
up as nodes are added like a tightly coupled cluster does. As a result loosely coupled clusters tend to be
applied where performance is important but inexpensive capacity is more important. This allows
performance to scale with capacity. Scalability is limited by the performance of the interconnect.

Loose Coupling for cloud resources is by far the most desired paradigm for RESTful API development.
RESTful APIs should be able to transform, remix, scale, extend and morph from use case to use case
across multiple resources.

Goals of Cluster Storage:

• Meet SLA

• Separate customer data in multitenant hosting

• Protect CIA of data

High Availability (HA) in Cloud:

• Redundant Architecture

• Multiple vendors for the same service

Object Storage for IaaS needs synchronization across all the data.

Air gapped push buttons – KVMs and physically break a connection before a new one is made.

Using cloud storage is considered “processing” by most frameworks and laws.

There are three different types of SAML Assertions – authentication, attribute, and authorization
decision.

 Authentication assertions prove identification of the user and provide the time the user logged
in and what method of authentication they used (I.e., Kerberos, 2 factor, etc.)
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

 The attribution assertion passes the SAML attributes to the service provider – SAML attributes
are specific pieces of data that provide information about the user.

 Assertions can contain authentication statements, attribute statements, and authorization

decision statements.

 An authorization decision assertion says if the user is authorized to use the service or if the
identify provider denied their request due to a password failure or lack of rights to the service.

Kerberos is a network authentication protocol that uses secret-key (symmetric) cryptography.

Reads and writes being slow on the cloud – disk related.

Level 2 STAR Assessment – 3rd party review against SOC2 SOC 2 Attestation

Level 2 STAR Certification - 3rd party review against ISO ISO Cert

Level 2 C-Star – Chinese Standards

Cloud Certification Schemes List (CCSL) provides an overview of different existing certification schemes.

Risk Treatment

 Accept the risk = Cost of opportunity is higher over risk.

 Transfer the risk = Financial burden transfer, still risk own by customer.

 Avoid the risk = Business Decision.

 Mitigate risk = Implement countermeasure to reduce to an acceptable level.

Remote Key Management Service – A remote key management service is maintained and controlled by
the customer at their own location. This offers the highest degree of security for the consumer.

Client-Side Key Management Service – Most common with SaaS implementations, client-side KMS is
provided by the cloud provider but is hosted and controlled by the consumer. This allows for seamless
integration with the cloud environment. But also allows complete control to still reside with the
consumer. Client-Side Key Management is PROVIDED by the provider for you to use, and mainly used
with SaaS solutions, versus providing the Remote Key management yourself, which is a higher degree of
security. But it is important to note both reside on your own premises.
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

For containers - Use physical or virtual machines to provide container isolation and group containers of
the same security contexts on the same physical and/or virtual hosts. Ensure that only approved,
known, and secure container images or code can be deployed. Appropriately secure the container
orchestration/management and scheduler software stack(s). Implement appropriate role-based access
controls and strong authentication for all container and repository management.

With Cloud Storage clustering, which of these is true?

A) Tightly coupled clusters have the downside that maximum performance and capacity is limited
to the performance of the node that houses the data.
B) Loosely coupled clusters should see improved performance as more drives and nodes are added
to the environment.
C) Tightly Coupled clusters have multiple nodes working together to increase performance and
have a set max capacity.
D) Loosely coupled clusters tend to be applied where performance is important but inexpensive
capacity is more important and performance scales up as nodes are added.

• Tightly Coupled: Both nodes work together to increase performance. Has a set max capacity. A tightly
coupled cluster should see improved performance as more drives and nodes are added to the
environment.

• Loosely Coupled: Loosely coupled clusters have the downside that maximum performance and
capacity is limited to the performance of the node that houses the data. The performance does not scale
up as nodes are added like a tightly coupled cluster does. As a result loosely coupled clusters tend to be
applied where performance is important but inexpensive capacity is more important.

Virtual Switches Secure Configuration:

Physical NIC redundancy to redundant physical switches

Port channeling

Network isolation (management plane vs. virtual switches vs. VM traffic)

Internal and external network isolation

Use security applications that are virtual network aware (IPS, etc.)

Virtual Machine Introspection (VMI)

Allows for agentless retrieval of the guest OS stage, such as the list of running processes, active network
connections, and opening files. An agentless means of ensuring a VM's security baseline does not
Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

change over time. It examines such things as physical location, network settings, and installed OS to
ensure that the baseline has not been inadvertently or maliciously altered.

 Used for malware analysis, memory forensics, and process monitoring and for externally

monitoring the runtime state of a virtual machine. The introspection can be initiated in a

separate virtual machine, within the hypervisor, or within another part of the virtualization

architecture. The runtime state can include processor registers, memory, disk, network, and

other hardware-level events.

Common Protections for Data in Motion/Transit

 VPN (IPsec) to provide confidentiality.

 TLS/SSL/HTTPS to prevent eavesdropping or tampering.
 VLANs help provide confidentiality and integrity.
 DLP provides control between demarcation network zones by using activity monitoring and
egress filtering.

Common Protections for Data in Use

 Digital signatures and encryption to protect APIs.

 IRM can be used as a means for data classification and control.
 DRM is an extension of normal data protection which is encapsulated within the concept of IRM.
In DRM, advanced security controls such as extra ACLs and permission requirements are placed
onto the data.

Agile Characteristics:

Often involves daily meetings called Scrums

Favors customer collaboration and prototyping instead of an elaborate contract mechanism.

Works in short, iterative work periods (between a week and month in duration).

Prototyping is favored over testing Relies on cooperative development instead of expertise.

Does not depend on planning.

Earned assurance levels:

EAL1 Functionally tested

EAL2 Structurally tested

Eric D. MSc, CISSP, CCSP, PMP, CISM, CISA, CRISC, CCISO, AWS, CCSK, CDPSE, CNDA, CEH, ITILv4

EAL3 Methodically tested and checked

EAL4 Methodically designed, tested, and reviewed

EAL5 Semiformally designed and tested

EAL6 Semiformally verified design and tested

EAL7 Formally verified design and tested

PCI DSS is a comprehensive and intensive security standard that lists both technical and nontechnical
requirements based on the number of credit card transactions for the applicable entities.

Merchant 1 is highest (6 million plus transactions a year) 4 is lowest (20k to 1 million).

12 requirements list more than 200 controls.