CCSP (Certified Cloud Security Professional)

1. Architectural Concepts and Design Requirements
(ISC)²
4 min read

Introduction

The building blocks necessary to develop cloud-based systems.

Objectives

  • Define the various roles, characteristics, and technologies as they relate to cloud computing concepts.
  • Describe cloud computing concepts as they relate to cloud computing activities, capabilities, categories, models, and cross-cutting aspects.
  • Identify the design principles necessary for secure cloud computing.
  • Define the various design principles for the different types of cloud categories.
  • Identify criteria specific to national, international, and industry for certifying trusted cloud services.
  • Identify criteria specific to the system and subsystem product certification.

Definitions

  • Cloud computing is the use of Internet-based computing resources, typically “as a service”, to allow internal or external customers to consume where scalabale and elastic information technology (IT) enabled capabilities are provided.

  • A Managed Service Provider (MSP) tends to have:

    • Network Operations Center (NOC) service.
    • Help desk service.
    • Remote monitoring and management of all or most of the objects for the customer.
    • Proactive maintenance of the objects under management for the customer.
    • Delivery of these solutions with a predictable billing model, the customer knows what the IT management expense will be.
    • e.g. Armor

  • A Cloud Service Provider (CSP) dictates the technology and operational procedures made available. The CSP offers cloud computing through Software as a Service (SaaS), Infastructure as a Service (IaaS), or Platform as a Service (PaaS).

    • e.g. AWS, GCP, Azure

  • Anything as a Service (XaaS) is the growing diversity of services available over the internet via cloud computing instead of being provided locally or on-prem.

  • Apache CloudStack: An open source cloud computing and IaaS platform.

  • Business continuity: The capability of an organisation to continue deliver of products or services at acceptable pre-defined levels following the loss of a service.

  • Business continuity management: A management process that identifies potential threats and impacts to business operation and how to alleviate them in the interest of key stakeholders, reputation etc.

  • Business continuity plan: The strategy to continue business operations in the event of threats happening.

  • Cloud app: (Cloud application), a software application that is never installed on a local computer. It is accessed via the internet.

  • Cloud Application Management for Platforms (CAMP) is a specification designed to ease management of applications (including packaging and deployment) across cloud computing platforms.

  • Cloud backup refers to backing up data to a remote, cloud-based server in cloud storage.

  • Cloud backup solutions enable enterprises or individuals to store/backup data to a cloud storage service as opposed to a local, physical disk backup.

  • Cloud enablement is the process of creating a public cloud computing environment by making one or more the services available: CSP, client and application.

  • Cloud management is the software and technology designed for operating and monitoring the services and data residing in the cloud. Cloud management tools help ensure that cloud based resources are functioning optimally.

  • Cloud OS is a phrase frequently used in place of PaaS to denote an association to cloud computing.

  • Cloud portability refers to the ability to move applications and associated data from one CSP to another.

  • Eucalyptus is an open source cloud computing and IaaS platform for enabling AWS-compatible private and hybrid clouds.

Why use Cloud Computing?

  • Cost of ownership current IT infrastructure
    • Projected costs of maintaining IT infrastructure.
  • Shift from Capital Expenditure (CapEx) -> Operational Expenditure (OpEx).
  • Reduce IT complexity:
    • Risk reduction: test in the cloud before making major investments to solutions.
    • Scalability: On-demand access to cloud resources.
    • Elasticity: The environment transparently manages resource utilization based on dynamically changing needs.
  • Consumption-based pricing
    • Virtualizaion: Single view of the available resources, independent of their arangement in terms of physical devices
    • Cost: Pay-per-use (PAYG) model allows an organisation to pay for only the resources it needs with no physical investment requirement.
  • Business agility
    • Mobility: Accessible from around the globe.
    • Collaboration and innovation: The cloud is a way to work simultaneously on common data and information.

Cloud Computing issues and concerns:

  • Distributed Multitenant Security Environment (Business Ecosystem)
  • Risk (Business/Reputation)
  • Compliance (Legal/Regulatory)
  • Privacy

Risk

Frameworks to address risk:

  • Control Objectives for Information and Related Technology (COBIT)
  • Comittee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Integrated
  • NIST Risk Management

To manage reputational risk, an organisation should consider:

  • Strategic alignment
  • Effective board oversight
  • Integration of risk into strategy setting and business planning
  • Cultural alignment
  • Strong corporate values and a focus on compliance
  • Operational focus

Measure security through:

  • Technological components
  • Risk management process
  • Preventative, detective and corrective controls
  • Governance and oversigt processes
  • Resilience and continuity capabilities
  • Defence in depth
  • Multifactor authentication