CCSK v4 Exam Simulator 5
1. Private Cloud operated solely for a single organization can be located at-
● Only On-premise
● Only Off-premise
● Both On-premise and Off-premise
● Trusted third party
2. Which of the following essential characteristics of a cloud allows customers to closely match resource consumption with demand?
● Resource Pooling
● On-demand self-service
● Broad network access
● Rapid elasticity
● Measured service
3. How can you prevent cloud providers from inappropriately accessing customer data?
4. Which of the following is the most important aspect of incident response for cloud-based resources?
5. ENISA: Lock-in is under which category of risk?
6. ENISA: The lack of use of standards technologies and solutions by the cloud provider may lead to-
● Isolation failure
● Resource exhaustion
● Loss of governance
● Lock-in
● Data leakage
7. Role-Based Access Control (RBAC) model for IAM offers greater flexibility and security than the Attribute-Based Access Control (ABAC) model.
8. Which of the following regarding customer managed keys is true?
● Cloud customer and provider jointly manage the encryption engine and cloud customer manages their own encryption key.
9. Which of the following are the most commonly seen networks that are isolated onto dedicated hardware since there is no functional or traffic overlap?
10. Which of the following encryption methods is utilized when object storage is used as the back-end for an application?
This domain provides the conceptual framework for the rest of the Cloud Security Alliance’s guidance. It describes and defines cloud computing, sets our baseline terminology, and details the overall logical and architectural frameworks used in the rest of the document. There are many
different ways of viewing cloud computing: It's a technology, a collection of technologies, an operational model, a business model, just to name a few. It is, at its essence, transformative and disruptive. It's also growing very, very quickly, and shows no signs of slowing down. While the reference models we included in the first version of this Guidance are still relatively accurate, they are most certainly no longer complete. And even this update can't possibly account for
every possible evolution in the coming years. Cloud computing offers tremendous potential benefits in agility, resiliency, and economy. Organizations can move faster (since they don't have to purchase and provision hardware, and everything is software defined), reduce downtime (thanks to inherent elasticity and other cloud characteristics), and save money (due to reduced capital expenses and better demand and capacity matching). We also see
security benefits since cloud providers have significant economic incentives to protect customers. However, these benefits only appear if you understand and adopt cloud-native models and adjust your architectures and controls to align with the features and capabilities of cloud platforms. In fact, taking an existing application or asset and simply moving it to a cloud provider without any changes will often reduce agility, resiliency, and even security, all
while increasing costs. The goal of this domain is to build the foundation that the rest of the document and its recommendations are based on. The intent is to provide a common language and understanding of cloud computing for security professionals, begin highlighting the differences between cloud and traditional computing, and help guide security professionals towards adopting cloud-native approaches that result in better security (and those other benefits), instead of
creating more risks. This domain includes 4 sections:
The Cloud Security Alliance isn't setting out to create an entirely new taxonomy or reference model. Our objective is to distill and harmonize existing models—most notably the work in NIST Special Publication 800-145, ISO/IEC 17788 and ISO/IEC 17789—and focus on what's most relevant to security professionals.
1.1 Overview
1.1.1 Defining Cloud Computing
Cloud computing is a new operational model and set of technologies for managing shared pools of computing resources. It is a disruptive technology that has the potential to enhance collaboration, agility, scaling, and availability, as well as providing the opportunities for cost reduction through optimized and efficient computing. The cloud model envisages a world where components can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down to provide an on-demand utility-like model of allocation and consumption. NIST defines cloud computing as:
The ISO/IEC definition is very similar:
A (slightly) simpler way of describing cloud is that it takes a set of resources, such as processors and memory, and puts them into a big pool (in this case, using virtualization). Consumers ask for what they need out of the pool, such as 8 CPUs and 16 GB of memory, and the cloud assigns those resources to the client, who then connects to and uses them over the network. When the client is done, they can release the resources back into the pool for someone else to use. A cloud can consist of nearly any computing resources, ranging from our "compute" examples of processors and memory to networks, storage, and higher level resources like databases and applications. For example, subscribing to a customer relations management application for 500 employees on a service shared by hundreds of other organizations is just as much cloud computing as launching 100 remote servers on a compute cloud.
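The pool described above, as an added example that is not part of the CSA text: a toy orchestrator hands out CPU and memory from pooled hosts, refuses requests the pool cannot place, and lets only the owning tenant see or release an allocation. The class, host and tenant names are assumptions, as is the rule that one request must fit on a single host.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Allocation:
    alloc_id: int
    tenant: str
    host: str
    cpus: int
    mem_gb: int


class ResourcePool:
    """Toy orchestrator: abstracts several hosts into one pool of CPU/memory."""

    def __init__(self, hosts):
        # hosts: {name: (cpus, mem_gb)}; track what is still free per host.
        self._free = {name: list(cap) for name, cap in hosts.items()}
        self._allocs = {}
        self._ids = count(1)

    def free_capacity(self):
        """Total (cpus, mem_gb) still available across the whole pool."""
        return tuple(sum(f[i] for f in self._free.values()) for i in (0, 1))

    def allocate(self, tenant, cpus, mem_gb):
        """Return an Allocation, or None when no host can satisfy the request."""
        if cpus <= 0 or mem_gb <= 0:
            raise ValueError("request must be positive")
        # First fit. Assumption: CPU and memory must come from the same host.
        for host, free in self._free.items():
            if free[0] >= cpus and free[1] >= mem_gb:
                free[0] -= cpus
                free[1] -= mem_gb
                alloc = Allocation(next(self._ids), tenant, host, cpus, mem_gb)
                self._allocs[alloc.alloc_id] = alloc
                return alloc
        return None

    def list_allocations(self, tenant):
        """A tenant only ever sees its own allocations."""
        return [a for a in self._allocs.values() if a.tenant == tenant]

    def release(self, tenant, alloc_id):
        alloc = self._allocs.get(alloc_id)
        # Same answer for "does not exist" and "belongs to someone else", so a
        # tenant cannot probe for other tenants' allocation ids.
        if alloc is None or alloc.tenant != tenant:
            return False
        del self._allocs[alloc_id]
        self._free[alloc.host][0] += alloc.cpus
        self._free[alloc.host][1] += alloc.mem_gb
        return True


def demo():
    # Constructed sample pool: two hosts, two tenants.
    pool = ResourcePool({"host-a": (16, 32), "host-b": (8, 16)})
    a = pool.allocate("tenant-1", 8, 16)   # the request from the text
    b = pool.allocate("tenant-2", 8, 16)
    result = {
        "free_after_alloc": pool.free_capacity(),
        "oversized_refused": pool.allocate("tenant-1", 12, 8) is None,
        "cross_tenant_release": pool.release("tenant-2", a.alloc_id),
        "tenant2_view": [x.alloc_id for x in pool.list_allocations("tenant-2")],
    }
    pool.release("tenant-1", a.alloc_id)   # back into the pool for others
    result["free_after_release"] = pool.free_capacity()
    return result


if __name__ == "__main__":
    print(demo())
```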
The key techniques to create a cloud are abstraction and orchestration. We abstract the resources from the underlying physical infrastructure to create our pools, and use orchestration (and automation) to coordinate carving out and delivering a set of resources from the pools to the consumers. As you will see, these two techniques create all the essential characteristics we use to define something as a "cloud". This is the difference between cloud computing and traditional virtualization; virtualization abstracts resources, but it typically lacks the orchestration to pool them together and deliver them to customers on demand, instead relying on manual processes. Clouds are multitenant by nature. Multiple different consumer constituencies share the same pool of resources but are segregated and isolated from each other. Segregation allows the cloud provider to divvy up resources to the different groups, and isolation ensures they can't see or modify each other's assets. Multitenancy doesn't only apply across different organizations; it's also used to divvy up resources between different units in a single business or organization.
1.1.2 Definitional Model
The Cloud Security Alliance (CSA) uses the NIST model for cloud computing as our standard for defining cloud computing. The CSA also endorses the ISO/IEC model which is more in-depth, and additionally serves as a reference model. Throughout this domain we will reference both. NIST’s publication is generally well accepted, and the Guidance aligns with the NIST Working Definition of Cloud Computing (NIST 800-145) to bring coherence and consensus around a common language to focus on use cases rather than semantic nuances.
NIST defines cloud computing by describing five essential characteristics, three cloud service models, and four cloud deployment models. They are summarized in visual form in Figure 1 and explained in detail below.
1.1.2.1 Essential Characteristics
These are the characteristics that make a cloud a cloud. If something has these characteristics, we consider it cloud computing. If it lacks any of them, it is likely not a cloud.
ISO/IEC 17788 lists six key characteristics, the first five of which are identical to the NIST characteristics. The only addition is multitenancy, which is distinct from resource pooling.
1.1.2.2 Service Models
NIST defines three service models which describe the different foundational categories of cloud services:
We sometimes call these the "SPI" tiers. ISO/IEC uses a more complex definition with a cloud capabilities type that maps closely to the SPI tiers (application, infrastructure, and platform capability types). It then expands into cloud service categories that are more granular, such as Compute as a Service, Data Storage as a Service, and then even includes IaaS/PaaS/SaaS. These categories are somewhat permeable: some cloud services span these tiers, others don't neatly fall into a single service model. Practically speaking, there's no reason to try and assign everything into these three broad categories, or even the more granular categories in the ISO/IEC model. This is merely a useful descriptive tool, not a rigid framework. Both approaches are equally valid, but since the NIST model is more concise and currently used more broadly, it is the definition predominantly used in CSA research.
1.1.2.3 Deployment Models
Both NIST and ISO/IEC use the same four cloud deployment models. These are how the technologies are deployed and consumed, and they apply across the entire range of service models:
Deployment models are defined based on the cloud consumer—that is, who uses the cloud. As the diagram below shows, the organization that owns and manages the cloud will vary even within a single deployment model.
1.1.3 Reference and Architecture Models
These days there is a wide range of constantly evolving technological techniques for building cloud services, making any single reference or architectural model obsolete from the start. The objective of this section is to provide both some fundamentals to help security professionals make informed decisions as well as a baseline to understand more complex and emerging models. For an in-depth reference architectural model, we again recommend ISO/IEC 17789 and NIST 500-292, which complement the NIST definition model. One way of looking at cloud computing is as a stack where Software as a Service is built on Platform as a Service, which is built on Infrastructure as a Service. This is not representative of all (or even most) real-world deployments, but serves as a useful reference to start the discussion.
1.1.3.1 Infrastructure as a Service
Physical facilities and infrastructure hardware form the foundation of IaaS. With cloud computing we abstract and pool these resources, but at the most basic level we always need physical hardware, networks, and storage to build on. These resources are pooled using abstraction and orchestration. Abstraction, often via virtualization, frees the resources from their physical constraints to enable pooling. Then a set of core connectivity and delivery tools (orchestration) ties these abstracted resources together, creates the pools, and provides the automation to deliver them to customers. All this is facilitated using Application Programming Interfaces (APIs). APIs are typically the underlying communications method for components within a cloud, some of which (or an entirely different set) are exposed to the cloud consumer to manage their resources and configurations.
Most cloud APIs these days use REST (Representational State Transfer), which runs over the HTTP protocol, making it extremely well suited for Internet services. In most cases, those APIs are both remotely accessible and wrapped into a web-based user interface. This combination is the cloud management plane, since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuring virtual networks. From a security perspective, it is both the biggest difference from protecting physical infrastructure (since you can't rely on physical access as a control) as well as the top priority when designing a cloud security program. If an attacker gets into your management plane, they potentially have full remote access to your entire cloud deployment. Thus IaaS consists of a facility, hardware, an abstraction layer, an orchestration (core connectivity and delivery) layer to tie together the abstracted resources, and APIs to remotely manage the resources and deliver them to consumers. Here is a simplified architectural example of a compute IaaS platform:
A series of physical servers each run two components: a hypervisor (for virtualization) and the management/orchestration software to tie in the servers and connect them to the compute controller. A customer asks for an instance (virtual server) of a particular size and the cloud controller determines which server has the capacity and allocates an instance of the requested size. The controller then creates a virtual hard drive by requesting storage from the storage controller, which allocates storage from the storage pool, and connects it to the appropriate host server and instance over the network (a dedicated network for storage traffic). Networking, including virtual network interfaces and addresses, is also allocated and connected to the necessary virtual network. The controller then sends a copy of the server image into the virtual machine, boots it, and configures it; this creates an instance running in a virtual machine, with virtual networking and storage all properly configured. Once this entire process is complete, the metadata and connectivity information is brokered by the cloud controller and available to the consumer, who can now connect to the instance and log in.
1.1.3.2 Platform as a Service
Of all the service models, PaaS is the hardest to definitively characterize due to both the wide range of PaaS offerings and the many ways of building PaaS services. PaaS adds an additional layer of integration with application development frameworks, middleware capabilities, and functions such as databases, messaging, and queuing. These services allow developers to build applications on the platform with programming languages and tools that are supported by the stack. One option, frequently seen in the real world and illustrated in our model, is to build a platform on top of IaaS. A layer of integration and middleware is built on IaaS, then pooled together, orchestrated, and exposed to customers using APIs as PaaS.
For example, a Database as a Service could be built by deploying modified database management system software on instances running in IaaS. The customer manages the database via API (and a web console) and accesses it either through the normal database network protocols, or, again, via API. In PaaS the cloud consumer only sees the platform, not the underlying infrastructure. In our example, the database expands (or contracts) as needed based on utilization, without the customer having to manage individual servers, networking, patches, etc. Another example is an application deployment platform. That's a place where developers can load and run application code without managing the underlying resources. Services exist for running nearly any kind of application in any language on PaaS, freeing the developers from configuring and building servers, keeping them up to date, or worrying about complexities like clustering and load balancing. This simplified architecture diagram shows an application platform (PaaS) running on top of our IaaS architecture:
PaaS doesn't necessarily need to be built on top of IaaS; there is no reason it cannot be a custom-designed stand-alone architecture. The defining characteristic is that consumers access and manage the platform, not the underlying infrastructure (including cloud infrastructure).
1.1.3.3 Software as a Service
SaaS services are full, multitenant applications, with all the architectural complexities of any large software platform. Many SaaS providers build on top of IaaS and PaaS due to the increased agility, resilience, and (potential) economic benefits. Most modern cloud applications (SaaS or otherwise) use a combination of IaaS and PaaS, sometimes across different cloud providers. Many also tend to offer public APIs for some (or all) functionality. They often need these to support a variety of clients, especially web browsers and mobile applications.
Thus all SaaS tends to have an application/logic layer and data storage, with an API on top. Then there are one or more presentation layers, often including web browsers, mobile applications, and public API access. The simplified architecture diagram below is taken from a real SaaS platform, but generalized to remove references to the specific products in use:
These reference and architectural models should not be construed as being canonical. They are included to provide security professionals a deeper understanding of how cloud computing works and is constructed, but there are far too many different approaches in the real world to include them all.
1.1.4 Logical Model
At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality. This is useful to illustrate the differences between the different computing models themselves:
Different security focuses map to the different logical layers. Application security maps to applistructure, data security to infostructure, and infrastructure security to infrastructure. The key difference between cloud and traditional computing is the metastructure. Cloud metastructure includes the management plane components, which are network enabled and remotely accessible. Another key difference is that, in cloud, you tend to double up on each layer. Infrastructure, for example, includes both the infrastructure used to create the cloud as well as the virtual infrastructure used and managed by the cloud consumer. In private cloud, the same organization might need to manage both; in public cloud the provider manages the physical infrastructure while the consumer manages their portion of the virtual infrastructure. As we will discuss later this has profound implications on who is responsible for, and manages, security. These layers tend to map to different teams, disciplines, and technologies commonly found in IT organizations. While the most obvious and immediate security management differences are in metastructure, cloud differs extensively from traditional computing within each layer. The scale of the differences will depend not only on the cloud platform, but on how exactly the cloud consumer utilizes the platform. For example, a cloud-native application that makes heavy utilization of a cloud provider's PaaS products will experience more applistructure differences than the migration of an existing application, with minimal changes, to Infrastructure as a Service.
1.2 Cloud Security Scope, Responsibilities, and Models
1.2.1 Cloud Security and Compliance Scope and Responsibilities
It might sound simplistic, but cloud security and compliance includes everything a security team is responsible for today, just in the cloud.
All the traditional security domains remain, but the nature of risks, roles and responsibilities, and implementation of controls change, often dramatically. Though the overall scope of security and compliance doesn't change, the pieces any given cloud actor is responsible for most certainly do. Think of it this way: cloud computing is a shared technology model where different organizations are frequently responsible for implementing and managing different parts of the stack. As a result security responsibilities are also distributed across the stack, and thus across the organizations involved. This is commonly referred to as the shared responsibility model. Think of it as a responsibility matrix that depends on the particular cloud provider and feature/product, the service model, and the deployment model. At a high level, security responsibility maps to the degree of control any given actor has over the architecture stack:
These roles are further complicated when using cloud brokers or other intermediaries and partners. The most important security consideration is knowing exactly who is responsible for what in any given cloud project. It's less important if any particular cloud provider offers a specific security control, as long as you know precisely what they do offer and how it works. You can fill the gaps with your own controls, or choose a different provider if you can't close the controls gap. Your ability to do this is very high for IaaS, and less so for SaaS. This is the essence of the security relationship between a cloud provider and consumer. What does the provider do? What does the consumer need to do? Does the cloud provider enable the consumer to do what they need to? What is guaranteed in the contract and service level agreements, and what is implied by the documentation and specifics of the technology? This shared responsibility model directly correlates to two recommendations:
The Cloud Security Alliance provides two tools to help meet these requirements:
Both documents will need tuning for specific organizational and project requirements, but provide a comprehensive starting template and can be especially useful for ensuring compliance requirements are met.
1.2.2 Cloud Security Models
Cloud security models are tools to help guide security decisions. The term "model" can be used a little nebulously, so for our purposes we break out the following types:
The lines between these models often blur and overlap, depending on the goals of the developer of the model. Even lumping these all together under the heading "model" is probably inaccurate, but since we see the terms used so interchangeably across different sources, it makes sense to group them. The CSA has reviewed and recommends the following models:
Throughout this Guidance we also refer to other domain-specific models.
1.2.2.1 A Simple Cloud Security Process Model
While the implementation details, necessary controls, specific processes, and various reference architectures and design models vary greatly depending on the specific cloud project, there is a relatively straightforward, high-level process for managing cloud security:
Since different cloud projects, even on a single provider, will likely leverage entirely different sets of configurations and technologies, each project should be evaluated on its own merits. For example, the security controls for an application deployed on pure IaaS in one provider may look very different than a similar project that instead uses more PaaS from that same provider. The key is to identify requirements, design the architecture, and then identify the gaps based on the capabilities of the underlying cloud platform. That's why you need to know the cloud provider and architecture before you start translating security requirements into controls.
1.3 Areas of Critical Focus
The thirteen other domains which comprise the remainder of the CSA guidance highlight areas of concern for cloud computing and are tuned to address both the strategic and tactical security "pain points" within a cloud environment, and can be applied to any combination of cloud service and deployment model. The domains are divided into two broad categories: governance and operations. The governance domains are broad and address strategic and policy issues within a cloud computing environment, while the operational domains focus on more tactical security concerns and implementation within the architecture.
1.3.1 Governing in the Cloud
1.3.2 Operating in the Cloud
1.4 Recommendations
1.5 Credits
Which of the following essential characteristics of a cloud allows customers to closely match resource consumption with demand?
Rapid elasticity. Rapid elasticity allows consumers to expand or contract the resources they use from the pool (provisioning and de-provisioning), often completely automatically.
Which of the following are characteristics of cloud storage?
8 key characteristics of cloud computing:
● On-demand self-service
● Resource pooling
● Scalability and rapid elasticity
● Pay-per-use pricing
● Measured service
● Resiliency and availability
● Security
● Broad network access
What are the 4 main tenets of cloud computing?
Usable, Collaborative, Reproducible, and Extensible.
Which of the following elements is the responsibility of the cloud provider with respect to security?
Simply put, the cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud. Essentially, your cloud provider is responsible for making sure your infrastructure built within its platform is inherently secure and reliable.