
Study Guide

CCSK
Created By: Nafeel Ahmed, Teaching Assistant
Module 1: Course Overview
Lesson 1.1: Introduction
Skills Learned From This Lesson: Cloud Security, CCSK prep, Cloud Technologies
● Prerequisites of this course:
○ IT professional pursuing cloud expertise.
○ No minimum experience is required to take the exam.
■ 6 months of cloud experience recommended.
○ Awareness of various cyber-security disciplines:
■ Fundamental technologies.
■ Governance, compliance, privacy.
■ Incident response.
■ Identity and Access Management principles.
● Target Audience:
○ IT Executives, Directors, Managers.
○ Security Architects.
○ Information Security.
○ Technology Consultants.
● Learning Objectives of this course:
○ Cover all material for the domains of the CCSK written exam.
○ Understand cloud models, architectures, and the shared responsibilities to consider in a cloud security program.
○ Know the impacts of cloud computing on governance, legal, risk, and regulatory compliance.
○ Adapt traditional security practices and principles to the cloud.
Lesson 1.2: Overview
Skills Learned From This Lesson: Cloud Security, CCSK prep, Cloud Technologies
● Overview of the CCSK exam.
● The exam is administered by the Cloud Security Alliance (CSA).

Brought to you by: Develop your team with the ​fastest growing catalog​ in the
cybersecurity industry. Enterprise-grade workforce development
management, advanced training features and detailed skill gap and
competency analytics.
● CSA defines and raises awareness of secure cloud best practices.
● Chapters throughout the globe host local, regional and national summits.
● Operates the CSA Security, Trust & Assurance Registry (STAR).
● CCSK was created in 2010.
● CSA worked with ISC2 to develop CCSP in 2015.

Module 2: Cloud Computing Concepts and Architectures


Lesson 2.1: Cloud Computing Concepts and Architectures
Skills Learned From This Lesson: Cloud Computing, Cloud Architecture, CCSK
● This module includes the following learning objectives:
○ Define cloud computing.
○ Explore the cloud logical model.
○ Decompose the cloud conceptual, architectural, and reference model.
○ Cloud security and compliance scope, responsibilities, and models.
● Definition by NIST - Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
● Cloud as a pool of resources:
○ Cloud User.
○ Client.
○ Consumer.
○ Cloud Actor.
○ Cloud Provider.
○ Service.
○ Cloud Service Provider.
○ Cloud Broker.
○ Cloud Carrier.
● Video Summary:
○ Definitions of cloud computing.
○ Resource pooling in the cloud model.
Lesson 2.2: Cloud Computing Benefits
Skills Learned From This Lesson: Cloud Computing, Cloud Architecture, Cloud Benefits
● Objectives of this video:

○ Understand the role of abstraction and automation.
○ Discuss high-level benefits of cloud.
● Public cloud strengths:
○ High abstraction through virtualization.
○ Self-service provisioning and expandable resource pools.
○ Significant automation capabilities with orchestration.
● Traditional virtualization weaknesses:
○ Abstraction of certain physical infrastructure.
○ Humans manage resource allocation.
○ Self-service/automation often minimal.
● Benefits of cloud include the following:
○ Cloud Agility - you don't need to buy hardware; everything is software-defined.
○ Cloud Resiliency - less downtime, many servers, data availability 99.9% of the time.
○ Cloud Economics - it is a form of outsourcing and can be very beneficial.
○ Cloud Security - security is a shared responsibility.
Lesson 2.3: Essential Characteristics
Skills Learned From This Lesson: Cloud Computing, Cloud Architecture, CCSK
● This module includes the following learning objectives:
○ Describe the 5 essential characteristics common to NIST and ISO/IEC 17788.
○ Cover the 6th essential characteristic of ISO/IEC 17788.
● 5 essential characteristics common to NIST and ISO/IEC 17788 include:
○ Resource pooling.
○ Broad network access.
○ Rapid elasticity.
○ Measured service.
○ On-demand self-service.
● The 6th essential characteristic of ISO/IEC 17788 is multi-tenancy.
Lesson 2.4: Service Models
Skills Learned From This Lesson: Cloud Computing, SaaS, PaaS, IaaS
● Understanding the 3 major service models for cloud.
● The SPI model - the 3 service models:
○ SaaS.
○ PaaS.
○ IaaS.

● Infrastructure as a Service (IaaS) provides resource pools of virtualized infrastructure (compute, network, and storage).
● Platform as a Service (PaaS) further abstracts capabilities and provides resource pools of pre-configured services where the cloud consumer does not manage the underlying infrastructure.
● Software as a Service (SaaS) fully abstracts everything except the application itself. Cloud consumers use the application but have no insight into or management of the underlying resources.
● In the real world these service models are often mixed and matched and have blurry lines between the categories.
Lesson 2.5: Deployment Models
Skills Learned From This Lesson: NIST Layers, Cloud Architecture, NIST models
● Objectives of this video:
○ Review all 4 of the NIST deployment models.
○ Learn the layers of the NIST logical model.
● Public cloud:
○ Infrastructure managed by - Third-party provider.
○ Infrastructure owned by - Third-party provider.
○ Infrastructure located - Off-premise.
○ Accessible and consumed by - Untrusted.
● Private cloud:
○ Infrastructure managed by - Organization.
○ Infrastructure owned by - Organization.
○ Infrastructure located - On-premise.
○ Accessible and consumed by - Trusted.
● Hybrid cloud:
○ Infrastructure managed by - Both organization & third-party provider.
○ Infrastructure owned by - Both organization & third-party provider.
○ Infrastructure located - Both on-premise & off-premise.
○ Accessible and consumed by - Trusted & untrusted.
● Community cloud:
○ Infrastructure managed by - Third-party provider.
○ Infrastructure owned by - Third-party provider.
○ Infrastructure located - Off-premise.
○ Accessible and consumed by - Trusted.
● 4 layers of the logical model:
○ Infostructure.
○ Applistructure.
○ Metastructure.
○ Infrastructure.
Lesson 2.6: Cloud Security Responsibilities
Skills Learned From This Lesson: Cloud Security, Cloud Architecture, Security Model
● This module includes the following learning objectives:
○ Review security responsibilities between provider and consumer.
○ Introduce tools for assessing a provider's security controls.
○ Walk through the cloud security process model.
● Top cloud security concern: know who is responsible for what.
● Balance of security responsibilities between provider and consumer.
● The Cloud Security Alliance has tools for cloud providers to define their controls:
○ CAIQ - Consensus Assessments Initiative Questionnaire.
○ CCM - Cloud Controls Matrix.
● Use the CAIQ and CCM to assess a provider's security controls.
● A sequence of steps for building and maintaining security controls.
Lesson 2.7: Domain 1 Knowledge Recap
Skills Learned From This Lesson: Cloud Computing, Cloud Architecture, CCSK
● Differences between traditional virtualization and cloud computing; impacts of abstraction and automation on security.
● NIST model for cloud computing and shared responsibilities.
● CSA CAIQ to assess security and compliance requirements.
● Simple cloud security process model to select providers, identify control gaps, and implement compensating controls.

Module 3: Governance and Enterprise Risk Management


Lesson 3.1: Governance and Enterprise Risk Management
Skills Learned From This Lesson: Cloud Governance, Risk Management, Cloud computing
● This module includes the following learning objectives:
○ Governance basics.
○ Tools of cloud governance.

○ How cloud affects enterprise risk management.
○ Effect of service and deployment models on risk management.
○ Cloud risk trade-offs.
○ Tools from the Cloud Security Alliance to help assess and manage risk.
● Liability cannot be outsourced.
● Relationship to enterprise risk management.
● Relationship to information risk management and information security.
Lesson 3.2: Tools of Cloud Governance
Skills Learned From This Lesson: Cloud Governance, Risk Management, Audit Reporting
● This module includes the following learning objectives:
○ Contracts.
○ Compliance assessments.
○ Audit reporting.
● Tools of cloud governance:
○ Contracts:
■ Primary tool to extend governance.
■ Only guarantee of service level.
■ Define roles within the shared responsibilities model.
○ Supplier/provider assessments:
■ Combine with contractual terms.
■ Assess against existing standards.
■ 3rd-party attestations.
■ Financial viability, history, etc.
○ Compliance reporting:
■ Audits of controls.
■ Internal compliance assessments.
■ Prefer a trusted 3rd party.
■ Assess against existing standards.
■ May be restricted by NDA (Non-Disclosure Agreement).
Lesson 3.3: ERM and Impacts of Cloud Model
Skills Learned From This Lesson: Cloud Governance, Risk Management, Cloud computing
● This module includes the following learning objectives:
○ Expand on considerations for enterprise risk management.
○ Examine the impacts of service models on governance.

○ Evaluate ramifications of deployment models on governance.
● NIST SP 800-39 in a nutshell:
○ Managing Information Security Risk:
■ Organization.
■ Mission.
■ Information system view.
● Core steps in risk management:
○ Framing risk - set organizational risk tolerance.
○ Assessing risk - identify and prioritize.
○ Responding to risk - apply risk tolerance to address identified risks.
○ Monitoring risk - make sure you follow through on the plan.
● ERM - Enterprise Risk Management:
○ Overall risk management for the organization.
○ Key tenets of risk management:
■ Manage.
■ Transfer.
■ Accept.
■ Avoid.
Lesson 3.4: CCM, CAIQ and STAR
Skills Learned From This Lesson: Cloud Governance, CCM & CAIQ, STAR
● Practical look at the CCM, CAIQ and the STAR registry.
● Cloud Controls Matrix.
● CAIQ registry.
Lesson 3.5: Tradeoffs and Assessment
Skills Learned From This Lesson: Cloud Governance, Risk Management, Cloud computing
● ERM trade-offs in the cloud:
○ LESS:
■ Less physical control over the assets and management procedures.
■ Cost associated with those things the provider accepts risk for.
○ MORE:
■ Reliance on contracts, audits, and assessments.
■ Reliance on 3rd-party assessments.
■ Need to manage relationships with vendors.
● Supplier assessment process:

○ Request documentation.
○ Review the security program.
○ Review legal, regulatory, industry, and contract obligations.
○ Evaluate the service based on the context of the information assets involved.
○ Evaluate the provider (finances, reputation, insurers, outsourcers).
Lesson 3.6: Domain 2 Knowledge Recap
Skills Learned From This Lesson: Cloud Governance, Risk Management, Cloud computing
● Module Summary:
○ Governance basics.
○ Tools of cloud governance.
○ How cloud affects enterprise risk management.
○ Effect of service and deployment models on risk management.
○ Cloud risk trade-offs.
○ Tools from the Cloud Security Alliance to help assess and manage risk.

Module 4: Legal Issues, Contracts and Electronic Discovery


Lesson 4.1: Legal Issues, Contracts and Electronic Discovery
Skills Learned From This Lesson: Legal Issues, Contracts, CCSK
● This module's objectives are as follows:
○ Legal considerations for data in the cloud.
○ Contracts with cloud service providers.
○ Electronic discovery as part of litigation.
● Data privacy terminology:
○ Data Controller: entity with the primary relationship with the consumer (custodian).
○ Data Processor: the consumer, individual, person that the data pertains to (end user).
○ Data Subject: third party entrusted by the data controller to process collected data (provider).
● Common themes of privacy law are discussed and are very important.
● Which privacy laws apply depends on the following factors:
○ Location of the business.
○ Location of the provider.
○ Data subject location.
○ Citizenship.

Lesson 4.2: Regional Privacy Laws
Skills Learned From This Lesson: Legal Issues, Contracts, CCSK
● This module includes the following learning objectives:
○ Overview of data privacy laws across the globe.
● Major privacy laws around the globe:
○ Australia (APAC):
■ ACL - Australian Consumer Law.
○ China:
■ 2017 Cyber Security Law.
○ Japan (APAC):
■ APPI - Act on the Protection of Personal Information.
○ European Union (EMEA):
■ GDPR - 2018 General Data Protection Regulation.
○ United States (federal laws):
■ Gramm-Leach-Bliley Act (GLBA).
■ HIPAA (Health Insurance Portability and Accountability Act).
■ State-level laws.
Lesson 4.3: Contracts and Provider Selection
Skills Learned From This Lesson: Legal Issues, Contracts, CCSK
● This module includes the following learning objectives:
○ Highlight aspects of the customer/provider contract impacted by data privacy.
○ Revisit the due diligence process.
● Provider contracts:
○ Contract terms may obligate providers to exceed regulatory requirements.
○ Organizations must guarantee they can continue to meet the promises in their terms & conditions and privacy statements.
■ The data collector is responsible regardless of provider.
○ Customers and providers must stay abreast of changing regulations.
● Due diligence:
○ Internal - existing contracts between the business and its clients.
○ External - evaluate the cloud provider using a risk-based approach.
Lesson 4.4: Electronic Discovery
Skills Learned From This Lesson: Legal Issues, Contracts, CCSK
● This module includes the following learning objectives:

○ Basics of discovery.
○ Examine real-world cases.
● Discovery is the compulsory disclosure of relevant documents between opposing parties in litigation.
● Destroying materials to avoid disclosure (spoliation) carries serious legal consequences.
● Data must be "authentic" to be admissible.
● Your data in the cloud is subject to discovery.
● United States CLOUD Act:
○ Microsoft Corp. v. United States.
Lesson 4.5: Domain 3 Knowledge Recap
Skills Learned From This Lesson: Legal Issues, Contracts, CCSK
● What we learned in this module:
○ Legal considerations for data in the cloud.
○ Contracts with cloud service providers.
○ Electronic discovery as part of litigation.

Module 5: Compliance and Audit Management


Lesson 5.1: Compliance and Audit Management and Standards
Skills Learned From This Lesson: Compliance management, Audit Management, Standards
● This module's objectives are as follows:
○ Basics of compliance & audits.
○ Compliance & audits in the cloud.
○ Audit management process.
○ Popular standards & compliance certifications.
● Compliance - validated awareness of and adherence to corporate obligations.
● Governance - corporate obligations & values that determine how a company operates.
● Risk Management - implementation and ongoing maintenance of the controls necessary to meet risk tolerance.
● Audit - an official inspection of an individual's or organization's accounts, typically by an independent body.
Lesson 5.2: Audit Management and Standards
Skills Learned From This Lesson: Compliance management, Audit Management, Standards
● This module includes the following learning objectives:

○ How security relates to compliance and audits.
○ Audit management process.
○ Popular standards & compliance certifications.
● Popular standards:
○ NIST SP 800-53.
○ FedRAMP.
○ ISO/IEC 27002.
○ COBIT.
○ PCI DSS.
○ HIPAA/HITRUST.
○ SOC 1.
○ SOC 2.
○ SOC 3.
● Audit planning is essential for an audit to succeed.
Lesson 5.3: Domain 4 Knowledge Recap
Skills Learned From This Lesson: Compliance management, Audit Management, Standards
● Module Summary:
○ Basics of compliance & audits:
■ GRC discipline.
■ Audits are a key tool for proving compliance.
○ Compliance & audits in the cloud.
○ Audit management process.
○ Popular standards and compliance certifications.

Module 6: Information Governance


Lesson 6.1: Information Governance
Skills Learned From This Lesson: Data Security, Information Governance, CCSK
● This module's objectives are as follows:
○ Governance domains.
○ Data security lifecycle.
○ Functions, actors, and controls.
● Information classification is important:
○ Grouping data to identify applicable security controls.
○ Building block for other information governance decisions.

○ Classification levels determine what can go in the cloud, encryption requirements, etc.
● Information management policies:
○ Tie to classification levels.
○ Define what data can go to the cloud.
○ Define what controls are required for:
■ SaaS.
■ PaaS.
■ IaaS.
● Location and jurisdiction policies:
○ Jurisdiction policies vary based on the type of data:
■ PII, PHI, payment information.
○ Legal requirements must be considered.
○ Work with legal teams.
● Authorizations:
○ Who can access information?
■ Least privilege and segregation of duties.
○ Very similar in the cloud to on-premise; differences include:
■ Physical access controls.
■ Limitations in the controls the provider supports.
● Ownership & custodianship:
○ Who owns customer-provided data?
○ Who manages the data?
○ Is there a chain of custody on data management?
Lesson 6.2: Data Security Lifecycle
Skills Learned From This Lesson: Data Security, Information Governance, CCSK
● This module includes the following learning objectives:
○ Data security lifecycle.
○ Functions, actors, and controls.
● Data security lifecycle phases:
○ Create.
○ Store.
○ Use.
○ Share.

○ Archive.
○ Destroy.
Lesson 6.3: Domain 5 Knowledge Recap
Skills Learned From This Lesson: Data Security, Information Governance, CCSK
● Module summary is as follows:
○ Information governance:
■ Information classification.
■ Information management policies.
■ Location and jurisdiction policies.
■ Authorizations.
■ Ownership.
■ Custodianship.
■ Privacy.
■ Contractual controls.
■ Security controls.
○ Data security lifecycle.
○ Functions, actors, and controls.

Module 7: Management Plane and Business Continuity


Lesson 7.1: Management Plane and Business Continuity
Skills Learned From This Lesson: Management Plane, Business Continuity, CCSK
● This module's objectives are as follows:
○ Management plane.
○ Business continuity.
● This lesson includes the following learning objectives:
○ Define the management plane & its role.
○ Review methods of access.
○ Examine security considerations for provider and customer.
● Management planes play a critical role in your cloud.
● Management planes are accessed through the web console and APIs.
● Always secure the root account for your cloud.
● Use multi-factor authentication for cloud accounts that access the management plane whenever possible.

● Enforce least privilege by using RBAC structures for different accounts.
● Individuals and services interact with the management plane and use different methods of authentication.
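As an added example that is not part of the study guide or CSA material, the Python script below audits a constructed inventory of management-plane identities against the controls listed above: the root account is locked down, every human with console access has MFA, administrator rights are limited to an allowlisted set, and service identities assume roles instead of holding console passwords or long-lived keys. The Identity fields, the role names and the sample accounts are assumptions chosen for illustration, not the data model of any particular provider.

```python
"""Management-plane identity audit (added example, not from the study guide).

Checks a constructed inventory of identities against the lesson's controls:
secured root account, MFA for human console access, least privilege via
roles, and service identities that assume roles rather than using passwords
or long-lived keys. Field names, role names and sample data are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Identity:
    name: str
    kind: str                        # "root", "human" or "service" (assumed values)
    mfa_enabled: bool = False
    console_password: bool = False   # can sign in to the web console
    access_keys: int = 0             # long-lived API keys attached to the identity
    roles: tuple = ()                # RBAC roles granting management-plane rights
    uses_assumed_role: bool = False  # service obtains short-lived credentials via a role


ADMIN_ROLES = {"Administrator"}          # assumed name of the broadest role
ADMIN_ALLOWLIST = {"breakglass-admin"}   # humans permitted to hold an admin role


def audit_identity(identity):
    """Return the control findings for one identity (empty list = compliant)."""
    findings = []
    if identity.kind == "root":
        if not identity.mfa_enabled:
            findings.append("root account without MFA")
        if identity.access_keys:
            findings.append("root account has long-lived access keys; use role-based administrators instead")
        return findings
    if identity.kind == "human":
        if identity.console_password and not identity.mfa_enabled:
            findings.append("console access without MFA")
        if ADMIN_ROLES & set(identity.roles) and identity.name not in ADMIN_ALLOWLIST:
            findings.append("holds administrator role outside the allowlist")
        if identity.access_keys:
            findings.append("human identity carries long-lived access keys")
    elif identity.kind == "service":
        if identity.console_password:
            findings.append("service identity can sign in to the console")
        if identity.access_keys and not identity.uses_assumed_role:
            findings.append("service authenticates with long-lived keys instead of assuming a role")
        if ADMIN_ROLES & set(identity.roles):
            findings.append("service identity holds administrator role")
    return findings


def audit(identities):
    """Map each identity name to its findings."""
    return {i.name: audit_identity(i) for i in identities}


def noncompliant(identities):
    """Sorted names of identities with at least one finding."""
    return sorted(name for name, found in audit(identities).items() if found)


# Constructed sample inventory (not real accounts).
SAMPLE = [
    Identity("root", "root", mfa_enabled=True, access_keys=1),
    Identity("alice", "human", mfa_enabled=True, console_password=True, roles=("ReadOnly",)),
    Identity("bob", "human", console_password=True, roles=("Administrator",)),
    Identity("ci-deploy", "service", access_keys=2, roles=("Deployer",)),
    Identity("backup-job", "service", uses_assumed_role=True, roles=("BackupOperator",)),
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(f"{name}: {found or 'ok'}")
```

Run against the sample, the root account is flagged for its access key, bob for missing MFA and an unapproved admin role, and ci-deploy for authenticating with static keys; alice and backup-job pass. In a real estate the inventory would be pulled from the provider's identity API, and the allowlist and role names would come from the organization's RBAC design.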
Lesson 7.2: Business Continuity Part 1
Skills Learned From This Lesson: Management Plane, Business Continuity, CCSK
● This module includes the following learning objectives:
○ Examine business continuity considerations in the cloud.
○ Learn strategies to plan business continuity.
● BCP - Business Continuity Planning - playbook to address large-scale failures.
● DR - Disaster Recovery - tactical plan to restore technology systems that are critical to key people and processes.
● A risk-based approach is good; it involves:
○ Defining uptime needs based on business criticality (risk) at a level that justifies the cost (BIA).
○ Keeping in mind existing Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
○ Examining provider performance before over-optimizing.
Lesson 7.3: Business Continuity Part 2
Skills Learned From This Lesson: Management Plane, Business Continuity, CCSK
● Continuity within the cloud provider:
○ Back up cloud configurations.
○ Software-defined infrastructure.
○ More difficult with SaaS.
● Provider outages and portability:
○ Prepare in advance for the outage.
○ Start with cross-region DR within the provider, but if you are compelled to think cross-provider, consider:
■ Lock-in.
■ Portability.
● Cost of BC/DR is comparable to the traditional datacenter model.
● Be aware of contractual obligations.
● Take into account geographic obligations when determining the failover location.
Lesson 7.4: Domain 6 Knowledge Recap
Skills Learned From This Lesson: Management Plane, Business Continuity, CCSK

● Module summary includes the following:
○ The management plane is important - secure it:
■ Strong authentication.
■ Use RBAC to realize the privilege strategy.
○ Business continuity is different in the cloud:
■ Assume failure and take a risk-based approach to appropriately mitigate failure.
■ Use the cloud provider's capabilities to fail over across zones and regions.
■ Consider provider fail-over only in the most critical cases.

Module 8: Infrastructure Security


Lesson 8.1: Infrastructure Security
Skills Learned From This Lesson: Infrastructure Security, Cloud Security, Cloud Virtualization
● This module's objectives are as follows:
○ Cloud network virtualization.
○ Cloud networking security.
○ Cloud compute and workload security.
● Gain perspective on where in the stack we are focused.
● Common design for underlying cloud networks.
● Review of the OSI model in traditional networking.
Lesson 8.2: Software Defined Network
Skills Learned From This Lesson: SDN, Cloud Security, Cloud Virtualization
● This module includes the following learning objectives:
○ Common approaches to cloud network virtualization.
○ Deeper look at software-defined networks.
● Virtual Local Area Networks (VLANs) are a good approach to cloud network virtualization.
○ Not effective as a security barrier.
● Software Defined Networking (SDN) is a good approach to cloud network virtualization.
○ Very flexible for multi-tenant environments.
● OpenFlow protocol:
○ First released in 2011 by the Open Networking Foundation.
● Software-defined networks include the following planes:
○ Application plane.
○ Control plane.

○ Data plane.
Lesson 8.3: Virtual Appliances
Skills Learned From This Lesson: Infrastructure Security, Cloud Security, Cloud Virtualization
● This module includes the following learning objectives:
○ Appliances.
○ Challenges of appliances in the cloud.
● Appliances are anything physical or virtual that serves a specific set of purposes, including:
○ Firewalls.
○ VPN endpoints.
○ Virtual machine images.
○ Hardware devices.
● There are a lot of challenges to both physical & virtual appliances.
Lesson 8.4: SDN Security Benefits
Skills Learned From This Lesson: Infrastructure Security, Cloud Security, Cloud Virtualization
● This module includes the following learning objectives:
○ SDN security benefits.
● Isolation - isolation between and within tenants is easier.
● SDN native firewalls.
● Traditional network attacks are removed.
Lesson 8.5: Microsegmentation and SDPs
Skills Learned From This Lesson: Microsegmentation, Cloud Security, Cloud Virtualization
● Video objectives:
○ Defense in depth.
○ Microsegmentation.
○ Software defined perimeter.
● Microsegmentation is also referred to as hypersegregation. It is a way to design the flow of traffic.
● SDP, Software Defined Perimeter, combines both the user device and user authentication.
Lesson 8.6: Hybrid Cloud and Shared Responsibilities
Skills Learned From This Lesson: Hybrid Cloud, Cloud Security, Shared Responsibilities
● This module includes the following learning objectives:
○ Hybrid cloud design and bastion networks.

○ Shared responsibilities in cloud network security.
● Shared responsibilities in network security:
○ Consumers:
■ Proper virtual network design.
■ Implement security controls within virtual networks.
■ Secure the management plane and below.
○ Provider:
■ Secure the underlying network.
● Ensure tenant isolation.
■ Provide consumers with security controls.
■ Perimeter security to protect and minimize impact on workloads.
Lesson 8.7: Compute Technologies
Skills Learned From This Lesson: Compute Technologies, Cloud Security, Cloud Virtualization
● This module includes the following learning objectives:
○ Virtual machines.
○ Containers.
○ Serverless.
○ Platform based.
● Virtual machines - a hypervisor coordinates execution of a base machine image (OS) on the underlying hardware.
● Containers - segregated execution environment that leverages the resources of the host OS. Multiple containers run on the same machine.
● Serverless - application code executing in a runtime environment managed by the provider.
● Platform based - workloads running on a shared platform.
Lesson 8.8: Immutable Workloads
Skills Learned From This Lesson: Immutable Workloads, Cloud Security, Cloud Virtualization
● This module includes the following learning objectives:
○ Evolution to immutable workloads.
○ Immutable workload pipeline.
● Uses a base image with the OS and all applications deployed; remote login disabled.
● No patching or deployments to running instances.
Lesson 8.9: Cloud Workload Security
Skills Learned From This Lesson: Workload Security, Cloud Security, Cloud Virtualization

● This module includes the following learning objectives:
○ Compute.
○ Controls.
○ Monitoring and logging.
○ Vulnerability assessments.
● Tenants share compute nodes.
● The provider must maintain isolation.
● Minimal control over where a workload physically executes.
● Can't run agents on non-VM workloads.
● Agents need to support SDNs.
● Agents should not increase the attack surface.
● An IP address is not a good identifier.
● Logging architecture may not work in a cloud topology.
● Assessments are limited by the provider.
● Assess images instead.
● Default-deny networks limit the effectiveness of assessments.
Lesson 8.10: Domain 7 Knowledge Recap
Skills Learned From This Lesson: Infrastructure Security, Cloud Security, Cloud Virtualization
● Module Summary:
○ Cloud network virtualization.
○ Cloud networking security.
○ Cloud workloads.
○ Security changes in cloud-based workloads.

Module 9: Virtualization and Containers


Lesson 9.1: Virtualization and Containers
Skills Learned From This Lesson: Virtual Security, Container Security, Virtualization Categories
● This module's objectives are as follows:
○ Major virtualization categories.
○ Virtual compute security.
○ Virtual network security.
○ Virtual storage security.
○ Container security.

● Key principles:
○ It's completely different.
○ New security layers in a virtual world:
■ Security of the virtualization technology.
■ Security controls for the virtual asset.
● Major virtualization categories in the cloud are as follows:
○ Compute.
○ Network.
○ Storage.
○ Containers.
Lesson 9.2: Virtualized Compute
Skills Learned From This Lesson: Virtual Security, Container Security, Virtualization Computing
● This module includes the following learning objectives:
○ Cloud provider responsibilities.
○ Cloud consumer responsibilities.
● Compute: provider responsibilities include the following:
○ Enforce isolation:
■ Compute processes should not see each other.
■ Limit access to serverless host environments.
○ Secure the virtualization infrastructure:
■ Harden and patch hypervisors & hosts.
○ Secure boot chain:
■ Ensure integrity throughout the stack.
● Compute: user responsibilities include the following:
○ Take advantage of the security controls you are given.
○ Least privilege security settings:
■ Who can update the virtual resources?
■ Who can log into the compute environments?
○ Monitoring and logging:
■ Ephemeral assumption.
■ Application logging (especially serverless).
○ Image asset management.
○ Use dedicated hosting when needed.
Lesson 9.3: Virtualized Networking

Skills Learned From This Lesson: Virtual Security, Container Security, Virtualization Networking
● This module includes the following learning objectives::
○ Network Monitoring and filtering.
○ Network management Infrastructure.
● Network: Management infrastructure:
○ Provider
■ Tenant segregation and isolation is top priority.
■ Disable packet sniffing.
■ Provide built-in firewall capabilities to cloud users.
○ Users:
■ Configuring cloud deployments and virtual firewall rules.
■ Isolate networks and compartmentalize
■ Enforce tested configurations; leverage templates (IaC) to manage
change.
■ Use virtual appliances when unavoidable.
Lesson 9.4: Virtualized Storage
Skills Learned From This Lesson: Virtualized Storage, Container Security, Virtualization Categories
● This module includes the following learning objectives:
○ Storage Area Networks (SAN).
○ Network Attached Storage (NAS).
○ Storage Virtualization.
● Storage Area Network (SAN) - provides a pool of resources that can be managed
centrally and allocated.
● SAN consists of dedicated network devices, usually connected using high speed fiber
cable.
● Block level storage allows for fast, efficient and reliable data storage.
● SANs are constructed in three levels:
○ Host Servers.
○ Fabric Switches.
○ Storage Devices.
● Network Attached Storage (NAS) - shared storage over a shared network.
● It accesses storage as files.
● NAS is easier to manage.

● Storage Virtualization:
○ Multiple copies of data spread across multiple storage locations.
○ The provider usually encrypts data at the physical level.
○ Data can also be encrypted at virtual level.
○ Access rules defined in the control plane.
Lesson 9.5: Containers
Skills Learned From This Lesson: Virtual Security, Container Security, Virtual Containers
● This module includes the following learning objectives:
○ Container System Components:
■ Container Engine.
■ Image Repository.
■ Orchestrator and Scheduler.
○ Container Security Basics.
● Container already contains everything needed for the application to execute.
● The code runs inside a restricted environment, with access only to the required
configurations.
● The Docker daemon is the container engine; it sits between the executing containers and
the underlying host operating system.
● Container Security Basics:
○ Underlying infrastructure - this is the provider's responsibility (securing the
physical infrastructure).
○ Container tasks and configurations - since containers host cloud applications, we
want to make sure the task itself is secure. Weak security is not limited to the
container itself but also extends to ports, data volumes and credentials.
○ Image repositories.
○ Orchestration and scheduling - can provide resources to manage this easily.
Lesson 9.6: Domain 8 Knowledge Recap
Skills Learned From This Lesson: Virtual Security, Container Security, Virtualization Categories
● What we learned in this module:
● Major Virtualization categories.
● Virtual Compute Security
● Virtual Network Security.
● Virtual Storage Security.
● Container Security.

Module 10: Incident Response
Lesson 10.1: Incident Response
Skills Learned From This Lesson: Incident Response, Incident Recovery, Incident Lifecycle
● This module's objectives include the following:
○ Incident Response Lifecycle.
○ Preparation.
○ Detection & Analysis.
○ Containment, Eradication & Recovery.
○ Post-Incident Activities.
● This module includes the following learning objectives:
○ Defining an incident.
○ Overview of the Incident Response lifecycle.
○ Soap box speech: Incident communications.
● Event - Any observable occurrence in a system or network.
● Adverse event - an event with a negative consequence.
● Computer security incident - a violation or imminent threat of violation of computer
security policies, acceptable use policies, or standard security practices.
● The Incident Response lifecycle includes the following steps:
○ Preparation.
○ Detection & Analysis
○ Containment, Eradication & Recovery.
○ Post-Incident Activities.
Lesson 10.2: Preparation
Skills Learned From This Lesson: Incident Response, Incident Recovery, Incident Preparation
● This module includes the following learning objectives:
○ Preparation basics.
○ Cloud impacts the preparation process.
● Fundamental Preparation:
○ Define a process to handle the various types of incidents.
○ Communication.
○ Incident analysis hardware and software.
○ Internal documentation on normal behaviors.

○ Training.
○ Proactive system scanning and network monitoring.
○ Subscription to third-party intelligence services.
● Cloud impacts on preparation:
○ Governance and SLAs act as key tools to address these impacts:
■ Understand the allocation of responsibilities.
■ Establish support plans.
■ Define notification and response times.
■ Document data and logs to retain.
● Communication includes the following:
○ Demarcate how the customer contacts the provider and vice versa.
○ Define the Incident Response(IR) teams between customer/provider.
○ Avoid using a single individual as a contact point.
○ Establish out of band communication methods.
○ Test the process before a real incident.
● Data and logs considerations include the following:
○ Understand the data you can collect.
○ Set expectations on retention periods.
○ Less visibility IaaS to PaaS to SaaS.
○ Establish a cloud jump kit.
● Consider IR in your architecture:
○ Application instrumentation.
○ Store logs in a secure location that investigators can access.
○ Leverage segmentation to isolate the blast radius.
○ Immutable servers to simplify detection and recovery.
○ Infrastructure as code to programmatically resync the environment.
○ Employ threat modeling and tabletop exercises.
Lesson 10.3: Detection and Analysis
Skills Learned From This Lesson: Incident Response, Incident Recovery, Detection & Analysis
● This module includes the following learning objectives:
○ Building Alerts.
○ Responding to Alerts.
○ Analyzing the attack.
● Building Alerts:

○ Know your data sources (provider and application).
○ Don't forget to monitor the management plane.
○ Establish automated alerting on unexpected events or behaviors.
■ Integrate with existing monitoring, or new monitoring may be required.
○ Validate alerts and escalations (look out for false positives).
○ Leverage automated IR workflows when possible.
■ Snapshot VMs for forensic review.
● Responding to Alerts:
○ Estimate incident scope.
○ Assign an Incident Manager to coordinate further.
○ Designate communication handler to provide containment and recovery status.
● Analyzing the attack:
○ Collect logs and machine images.
○ Be aware of chain of custody when handling forensic data.
○ Build a timeline of the attack.
○ Determine extent of potential data loss.
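As an added example (not part of the original guide), the alerting rules above run over a constructed management-plane activity log: each line is one API event, and the rules flag root account use, disabled audit logging, IAM changes without MFA, ingress opened to the world, and writes from outside the expected admin networks. The log schema, action names and trusted address ranges are assumptions made for the example.

```python
"""Rule-based alerting over cloud management-plane API activity logs.

Added example for this study guide, not code from CSA or any provider.
The log format, field names and action names are constructed for the
example; real providers use their own schemas.
"""
import json
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed sample log: one JSON event per line, in the order they occurred.
SAMPLE_LOG = """\
{"time":"2024-01-10T08:00:01Z","principal":"alice","type":"User","mfa":true,"action":"compute.list","source_ip":"203.0.113.10"}
{"time":"2024-01-10T08:05:17Z","principal":"root","type":"Root","mfa":false,"action":"console.login","source_ip":"198.51.100.7"}
{"time":"2024-01-10T08:06:02Z","principal":"root","type":"Root","mfa":false,"action":"logging.stop","source_ip":"198.51.100.7"}
{"time":"2024-01-10T08:07:44Z","principal":"ci-deployer","type":"User","mfa":false,"action":"iam.attach_policy","source_ip":"198.51.100.7","policy":"admin"}
{"time":"2024-01-10T08:09:00Z","principal":"bob","type":"User","mfa":true,"action":"network.open_ingress","source_ip":"203.0.113.11","cidr":"0.0.0.0/0","port":22}
{"time":"2024-01-10T08:10:00Z","principal":"bob","type":"User","mfa":true,"action":"storage.get","source_ip":"203.0.113.11"}
"""

# Constructed baseline: networks administrators normally work from, and the
# actions that change the state of the management plane (writes).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
WRITE_ACTIONS = {"logging.stop", "iam.attach_policy", "iam.create_key",
                 "network.open_ingress"}


@dataclass
class Alert:
    rule: str
    severity: str
    principal: str
    time: str


def _from_trusted_network(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # an unparseable address is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(event: dict) -> List[Alert]:
    """Apply the detection rules to one parsed event."""
    action = event.get("action", "")
    principal = event.get("principal", "?")
    time = event.get("time", "?")
    mfa = bool(event.get("mfa", False))
    found: List[Alert] = []

    # Root / master account use outside a planned break-glass window
    # always deserves a human look.
    if event.get("type") == "Root":
        found.append(Alert("root-account-used", "high", principal, time))
    # Losing audit logs blinds every later stage of the IR lifecycle.
    if action == "logging.stop":
        found.append(Alert("audit-logging-disabled", "critical", principal, time))
    # Entitlement changes by a principal that did not present MFA.
    if action.startswith("iam.") and not mfa:
        found.append(Alert("iam-change-without-mfa", "high", principal, time))
    # Virtual firewall rule opened to the whole internet.
    if action == "network.open_ingress" and event.get("cidr") == "0.0.0.0/0":
        found.append(Alert("ingress-open-to-world", "medium", principal, time))
    # Any write that did not originate from the expected admin networks.
    if action in WRITE_ACTIONS and not _from_trusted_network(event.get("source_ip", "")):
        found.append(Alert("write-from-untrusted-network", "medium", principal, time))
    return found


def scan_log(lines: Iterable[str]) -> List[Alert]:
    """Parse each log line and collect alerts; a malformed line is itself
    reported, because gaps in the audit trail matter to an investigation."""
    alerts: List[Alert] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            alerts.append(Alert("unparseable-log-line", "low", "?", "?"))
            continue
        alerts.extend(evaluate(event))
    return alerts


def severity_summary(alerts: List[Alert]) -> Dict[str, int]:
    """Counts per severity, the kind of figure a SIEM dashboard would show."""
    return dict(Counter(a.severity for a in alerts))


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{alert.time} {alert.severity:8} {alert.rule:30} {alert.principal}")
    print(severity_summary(scan_log(SAMPLE_LOG.splitlines())))
```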
Lesson 10.4: Containment, Eradication and Recovery
Skills Learned From This Lesson: Containment, Eradication, Recovery.
● Step 1 - Clear the management plane:
○ Make sure the attacker is off the cloud management plane!
○ Use “break-glass” procedures to log in with a master cloud account.
○ Use full visibility to find masked or hidden attackers.
● Containment, Eradication & Recovery tactics include:
○ Rebuild SDN and use data backups.
○ Isolate individual VMs.
○ Cloud providers may take actions - at your expense.
Lesson 10.5: Post Incident Activity
Skills Learned From This Lesson: Incident Response, Incident Recovery, Post-Incident
● Lessons Learned:
○ Review timelines of incidents.
○ Ask blameless questions.
○ Produce a report(for major incidents).
● Using Collected Data:
○ Lessons learned reports should include actionable insights.

○ Overall incident metrics.
○ Incident assessments.
○ Forensics and evidence retention for future prosecution.
Lesson 10.6: Domain 9 Knowledge Recap
Skills Learned From This Lesson: Incident Response, Incident Recovery, Incident Lifecycle
● What we learned in this module:
● Life cycle of Incident Response.
● Preparation.
● Detection & Analysis.
● Containment, Eradication & Recovery.
● Post-Incident Activity.

Module 11: Application Security


Lesson 11.1: Application Security
Skills Learned From This Lesson: Application Security, SDLC, DevOps
● This module includes the following Objectives:
○ Opportunities & Challenges of App Sec in the cloud.
○ Secure SDLC.
○ Application design and Architectures.
○ All about DevOps.
● Opportunities the cloud brings to application security:
○ Higher baseline security.
○ Responsiveness.
○ Isolated Environment.
○ Independent virtual machines.
○ Elasticity.
○ DevOps.
○ Unified Interface.
Lesson 11.2: Challenges
Skills Learned From This Lesson: Application Security, AppSec Challenges, DevOps
● Video Objectives:
○ Key challenges to application security in cloud.
● Challenges to application security in the cloud:

● Limited detailed visibility:
○ Monitoring and logging impacted.
○ No physical network monitoring.
○ No server logs in PaaS paradigm.
● Increased application scope:
○ Management plane provides lots of power.
○ Could expose sensitive data on the management plane.
○ Automation interacts with the management plane.
● Changing threat models:
○ Cloud provider’s responsibilities need to be included in the threat model.
○ Threat models need to account for new tech (especially PaaS).
● Reduced Transparency:
○ Less visibility into certain aspects of applications.
○ Shared responsibilities model.
Lesson 11.3: Secure SDLC
Skills Learned From This Lesson: Application Security, secure SDLC, DevOps
● Video objectives:
○ Secure Software Development Lifecycle.
○ Overview of the meta-phases.
● SSDLC is Secure Software Development Life Cycle.
● Series of security activities embedded throughout the SDLC.
● SSDLC Meta-Phases per CSA:
○ Secure Design & Development.
○ Secure Deployment.
○ Secure Operation.
Lesson 11.4: Secure Design and Development
Skills Learned From This Lesson: Application Security, SDLC, DevOps
● 5 phases of Secure Design and Development as follows:
○ Training.
○ Define.
○ Design.
○ Develop.
○ Test.
● Training:

○ Provider agnostic cloud security fundamentals.
○ Provider specific technical security training.
○ Development and security tool specific training.
● Define:
○ Coding standards.
■ SEI CERT.
■ OWASP.
○ Security Requirements.
■ 256-bit TLS for data in transit.
■ MFA to escalate privilege.
■ HSM for root key storage.
● Design:
○ Focus on integrating security into architecture.
○ Leverage cloud provider capabilities & features.
○ Automating security for deployment and operations.
○ Threat modeling.
● Develop:
○ Isolated development environment.
○ Code review before pushing changes to QA.
○ Automated unit testing.
○ SAST and DAST.
● Test:
○ Automation is key.
○ Functional tests.
○ Vulnerability assessment.
Lesson 11.5: Secure Deployment Part 1
Skills Learned From This Lesson: Application Security, Secure Deployment, DevOps
● Deployment Pipeline:
○ Focus areas between develop and test include the following:
● Code Review:
○ General items:
■ Architectural guidelines.
■ Calculation algorithms and performance.
■ Maintainability.

■ Testability.
○ Cloud Security things to watch for:
■ Calls to the management plane.
■ Authentication and encryption.
■ Application runs with least-privilege entitlements.
● Testing:
○ Unit Testing.
○ Regression testing.
○ Functional testing.
● SAST - Static application security testing - looks at the code.
○ Cannot detect errors in business logic.
○ Very good at detecting errors and vulnerabilities in code constructs.
● DAST - Dynamic application security testing - tests the running application.
○ Fuzz Testing.
○ May require provider permission.
○ More extensive assessments take time.
Lesson 11.6: Secure Deployment Part 2
Skills Learned From This Lesson: Application Security, Secure Deployment, DevOps
● Vulnerability Assessment Patterns:
○ Test images in pipeline.
○ Host-based agent.
● Vulnerability Assessment:
○ Identify vulnerabilities.
○ Get provider permission.
● Pen testing:
○ Exploit vulnerabilities.
○ Get provider permission.
● Pentesting in the cloud:
○ Use a firm that has experience with cloud providers.
○ Include developers and admin in scope of the test.
○ Provide access to test multi-tenant isolation.
● Deployment Pipeline Security.
● Impact of Infrastructure as Code and immutable infrastructure:
○ Use templates to define infrastructure.

○ Put templates in version control.
○ Disable login on servers.
○ Consistent control and integrated auditability.
Lesson 11.7: Secure Operations and Architecture
Skills Learned From This Lesson: Application Security, SDLC, DevOps
● Video Objectives:
○ Important practices for secure operation in the cloud.
○ Impacts of application design in the cloud.
○ Automated and event-driven security.
● Secure Operations:
○ Lock down the production management plane.
○ Active monitoring for changes from approved baselines.
○ Continual testing.
○ Infrastructure is included in change management.
● Software & Event driven Security:
○ Software Defined Security - Automating security operations and response.
○ Event-driven-security - Invoking automated response based on events.
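An added example (not from the guide or any IaC tool) of monitoring for changes from an approved baseline: a constructed version-controlled template and a constructed live snapshot are compared field by field, and each difference is a finding that can feed the event-driven alerting described above. Under an immutable model the remediation is to redeploy from the template rather than edit the live resource.

```python
"""Drift detection between an approved IaC baseline and the live environment.

Added example for this study guide, not code from any IaC tool or provider.
The resource model (dicts keyed by logical name) and all values are constructed.
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterator, List, Tuple

ABSENT = "<absent>"

# Constructed approved baseline, as a version-controlled template would define it.
BASELINE: Dict[str, Any] = {
    "web-sg": {
        "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}],
        "egress": [{"port": 443, "cidr": "0.0.0.0/0"}],
    },
    "web-instance": {
        "image": "web-2024-01-01",
        "ssh_enabled": False,     # immutable servers: no interactive login
        "role": "web-minimal",
    },
}

# Constructed snapshot of what the management-plane API reports right now.
LIVE: Dict[str, Any] = {
    "web-sg": {
        "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                    {"port": 22, "cidr": "0.0.0.0/0"}],   # opened by hand
        "egress": [{"port": 443, "cidr": "0.0.0.0/0"}],
    },
    "web-instance": {
        "image": "web-2024-01-01",
        "ssh_enabled": True,
        "role": "web-admin",                              # privilege creep
    },
    "debug-bucket": {"public": True},                     # never in any template
}


@dataclass
class Finding:
    resource: str
    kind: str        # unmanaged-resource | missing-resource | changed
    path: str        # dotted path inside the resource, "" for whole-resource findings
    expected: Any
    actual: Any


def _flatten(obj: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted.path[index], leaf value) pairs so nested structures
    compare field by field instead of as opaque blobs."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{prefix}.{key}" if prefix else str(key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _flatten(value, f"{prefix}[{i}]")
    else:
        yield prefix, obj


def detect_drift(baseline: Dict[str, Any], live: Dict[str, Any]) -> List[Finding]:
    """Compare live state against the approved template and list every difference.

    Remediation under an immutable model is to redeploy from the template,
    not to edit the live resource; each finding is also a candidate alert."""
    findings: List[Finding] = []
    for name in sorted(live.keys() - baseline.keys()):
        findings.append(Finding(name, "unmanaged-resource", "", ABSENT, live[name]))
    for name in sorted(baseline.keys() - live.keys()):
        findings.append(Finding(name, "missing-resource", "", baseline[name], ABSENT))
    for name in sorted(baseline.keys() & live.keys()):
        expected = dict(_flatten(baseline[name]))
        actual = dict(_flatten(live[name]))
        for path in sorted(expected.keys() | actual.keys()):
            if expected.get(path, ABSENT) != actual.get(path, ABSENT):
                findings.append(Finding(name, "changed", path,
                                        expected.get(path, ABSENT),
                                        actual.get(path, ABSENT)))
    return findings


if __name__ == "__main__":
    for f in detect_drift(BASELINE, LIVE):
        print(f"{f.kind:18} {f.resource}.{f.path}: {f.expected!r} -> {f.actual!r}")
```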
Lesson 11.8: DevOps
Skills Learned From This Lesson: Application Security, SDLC, DevOps
● Video Objectives:
○ DevOps Basics.
○ Improving Cloud Security with DevOps.
● DevOps is a set of principles and practices that affect the functioning of a company.
● Key principles of DevOps:
○ Measure Everything.
○ Implement small, frequent changes.
○ Leverage tooling and automation.
○ Accept failure will happen.
○ Reduce organizational silos.
● DevOps to improve cloud security:
○ Standardization.
○ Automated testing.
○ Immutable infrastructure.
○ SecDevOps, DevSecOps, Rugged DevOps.

Lesson 11.9: Domain 10 Knowledge Recap
Skills Learned From This Lesson: Application Security, SDLC, DevOps
● We learned the following in this module:
● How Cloud changes AppSec.
● SSDLC Meta-Phases as per CSA.
● Application Design & Architecture Impacts.
● DevOps.
● Impact of DevOps to improve cloud security.

Module 12: Data Security and Encryption


Lesson 12.1: Data Security and Encryption
Skills Learned From This Lesson: Data Security, Data Encryption, Cloud Security
● This module includes the following objectives:
○ Security controls and storage types.
○ Managing data migrations.
○ Securing data in the cloud.
○ IaaS, PaaS, and SaaS Encryption.
○ Key Management.
○ Architecture, Monitoring & Additional Controls.
● Data Security Controls components:
○ Define - Determine which data is allowed to be stored in the cloud.
○ Protect.
○ Enforce.
● Data Storage Types:
○ Object Storage:
■ Accessed through an API.
■ Highly resilient.
○ Volume Storage:
■ Virtual HD for VMs.
○ Database:
■ Relational and non relational.
■ Hosted by the provider.
○ Application/Platform:

■ Edge cache/CDN.
■ File storage SaaS.

Lesson 12.2: Managing Data Migrations
Skills Learned From This Lesson: Data Security, Data Encryption, Data Migrations
● Video Objectives:
○ Cloud Access Security Brokers.
○ Data Loss Prevention.
○ Managing cloud data migrations.
○ Securing data transfers.
● CASB - Cloud Access Security Broker - is used to monitor and protect SaaS
applications.
● It examines traffic flowing to SaaS applications using techniques such as DNS lookups.
● Securing Cloud Data Transfers:
○ Use provider recommended methods.
○ Encrypt data in transit.
○ Sanitize public or untrusted data before processing.
Lesson 12.3: Securing Data in the Cloud
Skills Learned From This Lesson: Data Security, Data Encryption, Cloud Security
● Video Objectives:
○ Data Access Controls.
○ Entitlement Matrix.
○ Encryption.
○ Tokenization.
● Data Access Controls:
○ Your primary security control for data.
○ Capabilities vary based on CSP.
○ Implementation will vary too.
● Entitlement Matrix is a grid which lists the access levels of users.
● Encryption:
○ Symmetric encryption - the process of encoding data so that it can only be
decoded with the same secret key used during the initial encoding.
○ Encryption system.
● Cloud Encryption:

○ Can we trust the CSP with a copy of the encryption key?
○ How much data is being encrypted?
○ Where should the encryption engine be located?
● Tokenization:
○ Obfuscates data with random values.
○ Preserves the structural format of the tokenized data.
○ To get original data back:
■ Maintain encrypted versions of original data.
■ Format Preserving Encryption (FPE).
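An added example (not from the guide or any tokenization product) of the vault approach described above: tokens are random values with the same shape as the original, a keyed blind index makes repeat tokenization of the same value consistent, and only the vault can map a token back. Encryption of the stored originals at rest is assumed to be provided by the vault's storage and is not shown; the index key and sample values are constructed.

```python
"""Vault-based tokenization that preserves the structural format of the data.

Added example for this study guide, not code from any tokenization product.
The vault is an in-memory dict here; in a deployment the stored originals
would be encrypted at rest and the vault kept away from the applications
that only ever see tokens (assumption).
"""
import hashlib
import hmac
import secrets
import string
from typing import Dict


def shape(value: str) -> str:
    """Describe the format of a string: d=digit, u=upper, l=lower, others kept."""
    return "".join(
        "d" if c.isdigit() else "u" if c.isupper() else "l" if c.islower() else c
        for c in value
    )


class TokenVault:
    def __init__(self, index_key: bytes) -> None:
        # token -> original: the sensitive side of the vault
        self._token_to_value: Dict[str, str] = {}
        # HMAC(value) -> token: a blind index so tokenizing the same value
        # twice returns the same token without storing the plaintext twice
        self._index: Dict[str, str] = {}
        self._index_key = index_key

    def _blind_index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    @staticmethod
    def _random_same_shape(value: str) -> str:
        """Random replacement for every letter/digit; punctuation unchanged."""
        out = []
        for c in value:
            if c.isdigit():
                out.append(secrets.choice(string.digits))
            elif c.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif c.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(c)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        idx = self._blind_index(value)
        if idx in self._index:
            return self._index[idx]
        # Retry on the (rare) collision with an existing token or with the
        # value itself. A value with no letters or digits can never be
        # tokenized this way and is reported rather than passed through.
        for _ in range(100):
            token = self._random_same_shape(value)
            if token != value and token not in self._token_to_value:
                self._token_to_value[token] = value
                self._index[idx] = token
                return token
        raise ValueError("no distinct token available for this value")

    def detokenize(self, token: str) -> str:
        """Only the vault, not the applications holding tokens, can do this."""
        return self._token_to_value[token]


if __name__ == "__main__":
    vault = TokenVault(index_key=b"constructed-example-key")
    pan = "4111 1111 1111 1111"   # constructed test card number
    tok = vault.tokenize(pan)
    print(pan, "->", tok, "| same shape:", shape(pan) == shape(tok))
    print("detokenized:", vault.detokenize(tok))
```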
Lesson 12.4: IaaS, PaaS and SaaS Encryption
Skills Learned From This Lesson: Data Security, Data Encryption, Cloud Security
● IaaS encryption:
○ Volume Storage Encryption includes:
■ Instance-managed encryption.
■ Externally managed encryption.
○ Object and File storage:
■ Storage is not bound to any compute machine.
■ Client Side encryption is embedded in the application.
■ Proxy encryption for networks.
■ Server-side encryption for storage.
● PaaS encryption:
○ Application encryption includes:
■ Encryption performed within the app.
■ Data encrypted before going to the platform.
○ Database encryption includes:
■ Transparent Database Encryption (at rest).
■ Field level encryption.
○ Other encryption options include:
■ Encryption integrated into the provider platform.
■ Customer managed key capability varies.
● SaaS encryption:
○ Provider managed encryption.
○ Proxy encryption (3rd party).
Lesson 12.5: Key Management

Skills Learned From This Lesson: Data Security, Data Encryption, Key Management
● Primary Considerations for key management:
○ Strong Key management is the primary consideration.
○ Performance, Accessibility, Latency and Security are also important
considerations.
● Hardware Security Module (HSM) key management:
○ Software running on tuned hardware (FIPS 140-2).
○ Deployment models:
■ On-prem.
■ Provider manages device.
● Virtual Appliance/Software key management:
○ No hardware required.
○ Can be deployed in an IaaS environment.
○ Allows control over encryption key access (provider can’t access).
● Cloud provider key management service:
○ Check SLAs and examine the risk of key exposure.
○ Convenient to use.
○ Provider has access to keys if demanded by external parties.
● Provider vs. customer managed keys:
○ Providers may build encryption into their platform.
○ Obligated to decrypt by legal authorities.
○ Customer control may vary.
○ Providers often allow customers to supply keys (or root keys).
○ Default option typically has provider managed keys.
Lesson 12.6: Architecture, Monitoring and Additional Controls
Skills Learned From This Lesson: Data Security, Data Encryption, Data Controls
● Data Security Architecture:
○ Demand strong metastructure security.
○ Leverage secure metastructure assumptions in your design.
○ Keep data within the “walls” of your provider.
● Monitoring, Auditing and Alerting:
○ Metastructure focuses on the following:
■ API activity logging.
■ PaaS service logs.

○ Applistructure focuses on the following:
■ Event logs.
■ Pipe to SIEM.
■ Consider DAM.
● Additional Data Security Controls are also implemented.
Lesson 12.7: Domain 11 Knowledge Recap
Skills Learned From This Lesson: Data Security, Data Encryption, Cloud Security
● Security controls and storage types.
● Managing data migrations.
● Securing data in the cloud.
● IaaS, PaaS, and SaaS encryption.
● Key Management.
● Architecture, Monitoring & Additional controls.

Module 13: Identity, Entitlement, and Access Management


Lesson 13.1: Identity, Entitlement and Access Management
Skills Learned From This Lesson: IAM, IAM Standards, IAM management
● This module consists of the following objectives:
○ IAM Terminology.
○ IAM standards for cloud.
○ Managing Identities in the cloud.
○ Authentication and Credentials.
○ Entitlement and access Management.
● Identity access management (IAM) is the security discipline that enables the right
individuals to access the right resources at the right times for the right reasons.
● IAM definitions:
○ Authentication.
○ Authorization.
○ Access Control.
○ Entitlement.
● Federated Identity Management - process of asserting an identity across different
systems/organizations.
Lesson 13.2: IAM standards for Cloud

Skills Learned From This Lesson: IAM, IAM Standards, IAM management
● IAM in the cloud:
○ Customers may have hundreds of different SaaS providers.
○ Cloud characteristics affecting IAM:
■ Rapid rate of change.
■ Distributed applications (across jurisdictional boundaries).
■ Broad network communication (over the general internet).
○ Shared responsibility.
● Federated Identity Basics:
○ Simplify operations managing IAM across providers.
○ Reduce the number of identities.
○ Centralize account and access management.
○ Opportunity to use the latest IAM technologies.
● Popular IAM Technology Standards:
○ Security Assertion Markup Language (SAML).
○ OAuth.
○ OpenID.
Lesson 13.3: Managing Identities in the cloud
Skills Learned From This Lesson: IAM, IAM Standards, Identity management
● Video Objectives:
○ Planning Identity Management.
○ Federation Patterns:
■ Free Form.
■ Hub and Spoke.
○ Process & Architectural Decisions.
● Planning Identity Management:
○ Cloud providers offer:
■ Identity service to customers.
■ Standards-based federation services.
○ Cloud customers determine:
■ How to manage identities.
■ Where to manage identities.
■ Architectural models to employ.
■ Technologies they want to support.

● Federation Patterns: Free form:
○ Disadvantages of this:
■ Authoritative source exposure.
■ VPN link to auth source.
■ Federating to an external provider may be technically complex.
● Federation Patterns: Hub and spoke:
○ Advantages:
■ Identity broker is cloud based.
■ Internal IdPs become an authoritative source.
■ Internal IdPs feed identity brokers.
■ Avoids Free Form disadvantages.
● Process & Architectural Decisions are also important.
Lesson 13.4: Authentication and Credentials
Skills Learned From This Lesson: Authentication, Credentials, IAM management
● Impacts of Cloud on Authn:
○ Broad network access.
○ Single Sign On - same account; multiple providers.
○ More severe consequences with credential leak.
○ MFA dramatically reduces account takeovers.
● MFA Options are as follows:
○ Hard Token.
○ Soft Token.
○ Out of Band passwords.
○ Biometrics.
● FIDO U2F:
○ FIDO Alliance.
○ Open authentication standard.
○ Deployed to many large-scale services.
Lesson 13.5: Entitlement and Access Management
Skills Learned From This Lesson: IAM, IAM Standards, IAM management
● Video Objectives:
○ Terminology.
○ RBAC vs. ABAC.
○ Entitlement Matrix.

○ Access Management: Provider vs. Customer.
● Authorization (Authz) - permission to do something.
● Access Control - Allows or denies the expression of the authorization.
● Entitlement - maps identities to authorizations and required attributes.
● RBAC:
○ Role Based Access Controls.
○ Traditional method.
○ Entitlements are granted based on preassigned roles.
● ABAC:
○ Attribute Based Access Controls.
○ Entitlements include the values of dynamic attributes.
○ More granular and flexible.
○ Preferred for cloud.
● Access Management: Provider:
○ Different authorization capabilities often must be configured in the cloud platform.
○ Enforces authorizations and access controls.
○ Should support ABAC; it is always preferred over RBAC.
● Access Management: Customer:
○ Defines/configures entitlements.
○ Maps federated identity attributes to provider access controls.
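An added example (not from the guide or any provider's IAM) of RBAC and ABAC evaluated against one entitlement matrix: the role grant is the baseline, and ABAC conditions on MFA, device and data-residency attributes narrow it, which is what makes ABAC the more granular model. The roles, attribute names and conditions are constructed for the example.

```python
"""RBAC and ABAC evaluated against the same entitlement matrix.

Added example for this study guide, not code from any cloud provider's IAM.
The matrix, attribute names and policy conditions are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Constructed entitlement matrix: role -> allowed (resource, action) pairs.
ENTITLEMENT_MATRIX: Dict[str, Set[Tuple[str, str]]] = {
    "developer": {("app-logs", "read"), ("dev-db", "read"), ("dev-db", "write")},
    "dba":       {("dev-db", "read"), ("dev-db", "write"),
                  ("prod-db", "read"), ("prod-db", "write")},
    "auditor":   {("app-logs", "read"), ("prod-db", "read")},
}

# Constructed resource attributes, the kind a provider exposes as tags.
RESOURCE_TAGS: Dict[str, Dict[str, str]] = {
    "prod-db": {"residency": "EU"},
}


@dataclass
class Request:
    subject: str
    roles: FrozenSet[str]
    resource: str
    action: str
    # Dynamic attributes asserted at request time, e.g. carried in a
    # federated identity assertion or taken from the session.
    attrs: Dict[str, object] = field(default_factory=dict)


def rbac_decide(req: Request) -> Tuple[bool, str]:
    """Role-based: the grant depends only on who you are (your roles)."""
    for role in sorted(req.roles):
        if (req.resource, req.action) in ENTITLEMENT_MATRIX.get(role, set()):
            return True, f"role {role} is entitled to {req.action} on {req.resource}"
    return False, "no role grants this entitlement"


def abac_decide(req: Request) -> Tuple[bool, str]:
    """Attribute-based: start from the role grant, then apply conditions on
    subject, resource and context attributes. Conditions can only narrow."""
    allowed, reason = rbac_decide(req)
    if not allowed:
        return False, reason
    a = req.attrs
    # Writes to production need MFA and a managed device.
    if req.resource.startswith("prod-") and req.action == "write":
        if not (a.get("mfa") and a.get("device_managed")):
            return False, "production write requires mfa and a managed device"
    # Data with a residency tag may only be used from that jurisdiction.
    residency = RESOURCE_TAGS.get(req.resource, {}).get("residency")
    if residency and a.get("jurisdiction") != residency:
        return False, f"{req.resource} is restricted to {residency}"
    return True, reason + " and all attribute conditions hold"


if __name__ == "__main__":
    cases = [
        Request("dana", frozenset({"dba"}), "prod-db", "write",
                {"mfa": True, "device_managed": True, "jurisdiction": "EU"}),
        Request("dana", frozenset({"dba"}), "prod-db", "write",
                {"mfa": False, "device_managed": True, "jurisdiction": "EU"}),
        Request("dana", frozenset({"dba"}), "prod-db", "read", {"jurisdiction": "US"}),
        Request("dev1", frozenset({"developer"}), "prod-db", "read", {"jurisdiction": "EU"}),
    ]
    for r in cases:
        print(r.subject, r.action, r.resource,
              "RBAC:", rbac_decide(r)[0], "ABAC:", abac_decide(r))
```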
Lesson 13.6: Domain 12 Knowledge Recap
Skills Learned From This Lesson: IAM, IAM Standards, IAM management
● What we learned in this module:
● IAM Terminology.
● IAM Standards for cloud.
● Managing identities in the cloud.
● Authentication and Credentials.
● Entitlement and Access Management.

Module 14: Security as a Service


Lesson 14.1: Security as a Service
Skills Learned From This Lesson: SecaaS, SecaaS Benefits, SecaaS Characteristics
● This module includes the following objectives:

○ Definition and Characteristics.
○ Benefits and Concerns.
○ Major Categories.
● SecaaS: Security as a Service.
○ Security product or service.
○ Delivered as a cloud service.
○ Securing environments.
● Characteristics of SecaaS:
○ Security product delivered as a cloud service.
○ Meets essential NIST characteristics.
Lesson 14.2: Benefits and Concerns
Skills Learned From This Lesson: SecaaS, SecaaS Benefits, SecaaS Concerns
● Benefits of SecaaS:
○ Cloud computing benefits.
○ Staffing and expertise.
○ Intelligence-sharing.
○ Deployment flexibility.
○ Insulation of clients.
○ Pay as you grow cost.
● Concerns of SecaaS:
○ Lack of visibility.
○ Regulation differences.
○ Handling of regulated data.
○ Data leakage.
○ Changing providers.
○ Migrating to SecaaS.
Lesson 14.3: Major Categories
Skills Learned From This Lesson: SecaaS categories, SecaaS providers, SecaaS
● Categories of SecaaS providers:
● Identity Access Management (IAM) Services:
○ Federated identity brokers.
○ Strong authentication.
○ Directory as a Service.
● CASB - Cloud Access Security Broker.

● Web Security Gateways:
○ Real-time protection by flowing traffic through providers.
○ Provider examines and insulates.
○ More general purpose than CASB.
● Email Security:
○ Examines inbound & outbound email.
○ Filters phishing or virus attachments.
○ Spam prevention policies.
○ Policy based encryption.
○ Digital signatures and non-repudiation.
● Security Assessments:
○ Cloud-based tools to assess cloud services or on-premises systems.
○ Main Categories:
■ Traditional vuln assessments.
■ App security.
■ Cloud platform assessment.
● Web Application Firewall.
● SIEM - Security Information & Event management:
○ Aggregate log and event data.
○ Analyze and trigger real-time reports/alerts.
○ Cloud SIEM collects/analyzes data in the cloud.
● Encryption & Key management.
○ Encrypt data and/or manage encryption keys.
○ May be limited to protected cloud provider assets.
● BC/DR:
○ Backup data to a cloud platform.
○ May use a local gateway.
Lesson 14.4: Domain 13 Knowledge Recap
Skills Learned From This Lesson: SecaaS, SecaaS Benefits, SecaaS Characteristics
● Definition and characteristics of SecaaS.
● Benefits and concerns of SecaaS.
● Major categories SecaaS.

Module 15: Related Technologies
Lesson 15.1: Related Technologies
Skills Learned From This Lesson: Big Data, IoT & Mobile, Serverless
● This module includes the following learning objectives:
○ Big Data.
○ IoT.
○ Mobile.
○ Serverless.
● Video Objectives:
○ Big Data:
■ The 3 V’s
■ Distributed components.
■ Security Considerations.
○ Serverless.
● Big Data’s 3 V’s:
○ High Volume.
○ High Velocity.
○ High Variety.
● The Distributed Components of Big Data are as follows:
○ Distributed Data Collection.
○ Distributed Storage.
○ Distributed Processing.
● Big Data Cloud Security includes the following:
○ Securing the Storage - Include intermediary storage (containers, volumes, swap
space).
○ Encryption Key Management - Key management principles remain. Customer
managed keys are likely for PaaS.
○ Secure the Platform - Big Data platforms have relatively low security.
○ Know Your Platform - Capabilities and security vary between providers and
platforms.
● Serverless:
○ Moves more security responsibilities to the cloud provider.
○ PaaS and function as a Service.

○ New frameworks being rapidly released.
○ Affects IAM, logging, and incident response.
○ Closely monitor provider compliance mappings.
Lesson 15.2: IoT and Mobile
Skills Learned From This Lesson: Big Data, IoT & Mobile, Serverless
● Video Objectives:
○ Internet of Things.
○ IoT Security Considerations.
○ Mobile Security Considerations.
● IoT - Internet of Things: a variety of computing devices intended for a specific use.
● IoT brings its own security considerations, as follows:
○ Secure data collection and sanitization.
○ Device registration, authentication & authorization.
○ Encrypt device to cloud communication.
○ API security for device to cloud communication.
○ Device patching and tamper detection.
● Mobile security considerations:
○ Device registration, authentication, authorization.
○ API Security.
Lesson 15.3: Domain 14 Knowledge Recap
Skills Learned From This Lesson: Big Data, IoT & Mobile, Serverless
● What we learned in this module:
○ Big Data.
○ Serverless.
○ Internet of Things (IoT).
○ Mobile.

Module 16: ENISA Recommendations
Lesson 16.1: ENISA Recommendations
Skills Learned From This Lesson: ENISA, Security Benefits, Key legal issues
● The ENISA report was created in 2009 and influenced the CSA guidance.
● This module includes the following objectives:
○ Security benefits of cloud.

○ Risk assessment.
○ Top Security Risks.
○ Key Legal Issues.
● The 8 Security Benefits of cloud in ENISA report are as follows:
○ Security and benefits of scale.
○ Security as a Market differentiator.
○ Standardized interfaces for Managed Security Services.
○ Rapid, Smart Scaling of Resources.
○ Audit and Evidence Gathering.
○ More timely, effective, and efficient updates and defaults.
○ Audit and SLAs for Better Risk Management.
○ Benefits of resource concentration.
Lesson 16.2: Risks and Legal Issues
Skills Learned From This Lesson: ENISA, Risk Assessment, Key legal issues
● Video objectives include:
○ Risk Assessment.
○ High Risks.
○ Key legal issues.
● Risk Assessment is based on the risk levels in ISO/IEC 27005:2008.
● Risk 1 (R.1): Lock-In.
● Risk 2 (R.2): Loss of Governance.
● Risk 3 (R.3): Compliance Challenges.
● Risk 9 (R.9): Isolation Failure.
● Risk 10 (R.10): Cloud Provider Malicious Insider.
● Risk 21 (R.21): Subpoena & E-Discovery.
● Risk 22 (R.22): Risk from Changes of Jurisdiction.
● Risk 23 (R.23): Data Protection.
● Key Legal Issues include the following:
○ Data Protection.
○ Confidentiality.
○ Intellectual Property.
○ Professional Negligence.
○ Outsourcing Service and Changes in Control.

Module 17: Summary
Lesson 17.1: Course Summary
Skills Learned From This Lesson: Cloud Security, CCSK prep, Cloud Technologies
● This module's objectives include:
○ Key take-aways by domain group.
○ Register and prepare for the CCSK Exam.
● Definition: Cloud Computing.
● Essential Characteristics.
● Service Models.
● Deployment Models.
● CSA, CCM and CAIQ.
○ CCM is used to assess and document security and compliance controls.
○ CAIQ is used to evaluate how cloud providers fulfil CCM controls.
● Cloud Security Process Model.
Lesson 17.2: Infrastructure Security for Cloud
Skills Learned From This Lesson: Cloud Security, Infrastructure Security, Cloud Technologies
● Video Objectives:
○ Domain 6 - Management Plane and Business Continuity.
○ Domain 7 - Infrastructure Security.
○ Domain 8 - Virtualization and Containers.
● Major Virtualization Categories in cloud:
○ Compute.
○ Network.
○ Storage.
○ Containers.
● Network: Management Infrastructure:
○ Provider.
○ Users.
● Immutable Workload Pipeline from CSA Security Guidance v4.0
● Securing Management Plane (Customer).
● Continuity within the cloud provider:
○ Metastructure.

○ Infrastructure.
○ Infostructure.
○ Applistructure.
Lesson 17.3: Managing Cloud Security and Risk
Skills Learned From This Lesson: Cloud Security, CCSK prep, Cloud Technologies
● Video Objectives:
○ Domain 2 - Governance and Enterprise Risk Management.
○ Domain 3 - Legal Issues, Contracts, and Electronic Discovery.
○ Domain 4 - Compliance and Audit Management.
○ Domain 5 - Information Governance.
● Tools of Cloud Governance:
○ Contracts.
○ Supplier/Provider Assessments.
○ Compliance reporting.
● Common Themes of Privacy Laws:
○ The Data Controller is ultimately held liable.
○ Both Controller and Processor take measures to protect confidentiality.
● Compliance, audits and security form a continuous process.
● Audit Planning Steps.
Lesson 17.4: Data Security for Cloud
Skills Learned From This Lesson: Cloud Security, Data Security, Cloud Technologies
● This video is going to cover Domain 11 - Data Security.
● Types of Data storage:
○ Object Storage.
○ Volume Storage.
○ Database.
○ Application/Platform.
● Managing Data Migrations.
● The Entitlement Matrix should be accurate and reflect the actual entitlements in use.
● Key management - Encryption.
Lesson 17.5: Securing Cloud Applications, Users and Related Technologies
Skills Learned From This Lesson: Cloud Security, CCSK prep, Cloud Technologies
● Video Objectives:
○ Domain 10 - Application Security.

○ Domain 12 - Identity Entitlement and Access Management.
○ Domain 14 - Related Technologies.
● SSDLC Meta-Phases per CSA.
● Secure Design & Development.
● Secure Deployment.
● Secure Operation.
● How Cloud Changes AppSec:
○ Opportunities.
○ Challenges.
● Identity Management.
○ Develop a formalized plan for managing identities with cloud services.
○ Identity broker/Hub spoke model is preferred.
● Access Management: Provider vs. Customer.
● Popular IAM Technology Standards.
○ SAML.
○ OAuth.
○ OpenID.
Lesson 17.6: Cloud Security Operations
Skills Learned From This Lesson: Incident Response, SecaaS, Cloud Technologies
● This video's objectives include:
○ Domain 9 - Incident Response.
○ Domain 13 - Security as a Service.
● Incident Response Life Cycle involves:
○ Preparation.
○ Detection & Analysis.
○ Containment, Eradication, Recovery.
○ Post-Incident Activity.
● Incident communication plan, with a proper team in place.
● SecaaS:
○ IAM Services.
○ CASB.
○ Web Security gateways.
○ WAF.
○ SIEM.

○ Email Security.
○ BC/DR.
○ Key management.
Lesson 17.7: Register and Prepare
Skills Learned From This Lesson: Cloud Security, CCSK prep, Cloud Technologies
● Register for the CCSK Exam:
○ Create an account and purchase a token.
○ Set a date to take the exam - don’t put it off.
○ You get two attempts to pass.
● CSA Guidance:
○ Study the guidance several times.
○ Review associated videos for any areas of guidance that are unclear.
○ 87% of the test is on this material.
● ENISA Risk Report.
○ Skim ENISA report 1-2 times.
○ Understand topics covered.
○ 6% of test material.
● CCM:
○ Review 16 domains.
○ Read 133 controls.
○ Examine 1-2 compliance mappings.
● CAIQ:
○ 7% of test material.
○ Read all 295 questions and understand alignment to CCM.
○ Examine 2-4 provider CAIQ submissions in STAR Registry.
● CCSK Prep Kit:
○ Common Body of Knowledge.
○ 16 Sample Questions.
○ Additional resources.
○ Testing Details.
