Cloud services are the next generation of information technology that enterprises must master. In order to mitigate the risk associated with the cloud, businesses, providers and users must invest the time and resources to properly understand how to secure their assets.
The Cloud Security Alliance (CSA) is a non-profit organization formed to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing.
The CSA is comprised of many subject-matter experts from a wide variety disciplines, united in common objectives:
• Promote a common level of understanding between the consumers and providers of cloud computing regarding the necessary security requirements and attestation of assurance.
• Promote independent research into best practices for cloud computing security.
• Launch awareness campaigns and educational programs on the appropriate uses of cloud computing and cloud security solutions.
• Create consensus lists of issues and guidance for cloud security assurance.
The Cloud Security Alliance has developed a widely adopted catalogue of security best practices, the Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1. In addition, the European Network and Information Security Agency (ENISA) white paper “Cloud Computing: Benefits, Risks and Recommendations for Information Security” is an important contribution to the cloud security body of knowledge. Both documents can be found at www.cloudsecurityalliance.org.
The Certificate of Cloud Security Knowledge (CCSK)
Trainings and professional certifications are critical needs of the cloud industry in order to assure that cloud computing is implemented responsibly with the appropriate security controls. The CCSK provides evidence that an individual has successfully completed an examination covering the key concepts of the CSA guidance and ENISA white paper. More information is available at www.cloudsecurityalliance.org/certifyme.
In conjunction with the CCSK launch, the CSA has released a short document advising test takers how to read the source documents to optimize their study time. In the fourth quarter of 2010, the CSA released third-party training affiliations and partnerships to provide a variety of educational programs related to their certification.
The CCSK draws on three main sources for its content: 70 percent of the questions are based on the CSA guidance, 20 percent of the questions are based on the ENISA report and 10 percent of the questions are applied knowledge questions related to the best practices in both documents. The best way to prepare for the CCSK examination is to thoroughly read and understand these two documents.
CCSK Key Examination Concepts
Here is a summary of the key concepts that are covered by the CCSK.
CSA Guidance
Domain One: National Institute of Standards and Technology (NIST) Definition of Cloud Computing
• Multi-tenancy
• Cloud reference model
• Jericho cloud cube model
• Cloud security reference model
• Cloud service brokers
Domain Two: Governance and Enterprise Risk Management
• Contractual security requirements
• Enterprise and information risk management
• Third-party management recommendations
Some of the topics discussed include legal precedence for agreement breaches, ability of user organizations to adequately assess risk of a cloud provider, the responsibility to protect sensitive data when both user and provider may be at fault and how international boundaries may affect these issues.
Domain Three: Legal and Electronic Discovery
• Cloud vs. outsourcing
• Three dimensions of legal issues
• Contract enforceability
• eDiscovery considerations
• Jurisdictions and data locations
Protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements and international laws are some of the topics covered in this domain.
Domain Four: Compliance and Audit
• Compliance impact on cloud contracts
• SAS 70 Type II
• ISO 27001/27002
• Compliance analysis requirements
• Auditor requirements
Topics addressing evaluating how cloud computing affects compliance with internal security policies, as well as various compliance requirements (regulatory, legislative and otherwise) are discussed here. This domain also includes some direction on proving compliance during an audit.
Domain Five: Information Lifecycle Management
• Six phases of the data security lifecycle and their key elements
• Data remanence
• Data commingling
• Data backup
• Data discovery
• Data aggregation
Items surrounding the identification and control of data in the cloud as well as compensating controls, which can be used to address the loss of physical control when moving data to the cloud, are discussed in this domain. Other topics, such as who is responsible for data confidentiality, integrity and availability, are also discussed.
Domain Six: Portability and Interoperability
• Key portability objectives of S-P-I (software as a service (S), platform as a service (P), infrastructure as a service (I)
• Lock-In risk mitigation techniques by cloud delivery model
This domain covers the concerns surrounding interoperability among providers. It also discusses the ability to move data and/or services from one provider to another, or how to bring it entirely back in-house.
Domain Seven: Traditional Security, Business Continuity and Disaster Recovery
• Insider abuse
• Business continuity management/disaster recovery due diligence
• Provider employee considerations
This section discusses how cloud computing affects the operational processes and procedures currently used to implement security, business continuity and disaster recovery. The focus is to discuss and examine possible risks of cloud computing in hopes of increasing dialogue and debate on the overwhelming demand for better enterprise risk management models. Further, the section helps people identify where cloud computing may assist in diminishing certain security risks.
Domain Eight:Data Center Operations
• Provider selection
• Resource sharing
• Patch management
• Technical support
This section focuses on helping users identify common data center characteristics that could be detrimental to ongoing services, as well as characteristics that are fundamental to long-term stability.
Domain Nine:Incident Response, Notification and Remediation
- Remediation
- Recommended provider tools and capabilities
- Response tradeoffs
- Questionable provider offerings
This domain addresses items that should be in place at both provider and user levels to enable proper incident handling and forensics. It will help readers understand the complexities the cloud brings to their current incident handling program.
Domain Ten:Application Security
• Software development lifecycle (SDLC) impact and implications
• Differences in S-P-I models
This section includes items such as whether it’s appropriate to migrate or design an application to run in the cloud, and if so, what type of cloud platform is most appropriate. Some specific security concerns related to the cloud are also discussed.
Domain Eleven:Encryption and Key Management
• Key management best practices
• Key management standards
• Encryption practices in S-P-I models
This section addresses why key management best practices are needed and how to identify issues that arise in use (both for protecting access to resources and for protecting data).
Domain Twelve: Identity and Access Management
• Identity federation
• Authorization
• Access control
• Provisioning
This domain focuses on issues encountered when extending an organization’s identity into the cloud. It also provides insight into assessing an organization’s readiness to conduct cloud-based Identity and Access Management (IAM).
Domain Thirteen: Virtualization
• Virtual Machine (VM) security features
• VM attack surfaces
• Compartmentalization of VMs
This section addresses items such as risks associated with multi-tenancy, VM isolation, VM co-residence, hypervisor vulnerabilities, etc. The domain focuses on the security issues surrounding system/hardware virtualization, rather than a more general survey of all forms of virtualization.
ENISA White Paper
This section will test for general familiarity with the ENISA standard including:
• Security benefits of cloud
• Risks R.1 – R.35 and underlying vulnerabilities
• Information assurance framework
• Division of liabilities
• Key legal issues
Applied Knowledge
This section tests fundamental industry knowledge including:
• Classifying popular cloud providers into S-P-I model
• Redundancy
• Securing popular cloud services
• Vulnerability assessment considerations
• Practical encryption use cases
This information will help you prepare for the CCSK examination. However, if you do not immediately pass the test, you will have the opportunity to take it again. The CSA recommends that you do not immediately retake the examination, but instead take several days to go back through the source material because many of the questions will likely stand out on a second reading.
About the Author:
Dennis Hurst is Applications & Security Specialist for HP Software and a founding member of the Cloud Security Alliance.