Recently I participated in a one-day class on the contents required for the “Certificate of Cloud Security Knowledge” held by Peter HJ van Eijk in Trondheim as part of the conference Sikkerhet og Sårbarhet 2019 (translates from Norwegian to: Security and Vulnerability 2019). The one-day workshop was interesting and the instructor was good at creating interactive discussions – making it much better than the typical PowerPoint overdose of commmercial professional training sessions. There is a certification exam that I have not yet taken, and I decided I should document my notes on my blog; perhaps others can find some use for them too.
The CCSK exam closely follows a document made by the Cloud Security Alliance (CSA) called “CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4.0” – a document you can download for free from the CSA webpage. They also lean on ENISA’s “Cloud Computing Risk Assessment”, which is also a free download.
The way I’ll do these blog posts is that I’ll first share my notes, and then give a quick comment on what the whole thing means from my point of view (which may not really be that relevant to the CCSK exam if you came here for a shortcut to that).
Introduction to D1 (Cloud Concepts and Architecture)
Domain 1 contains 4 sections:
- Defining cloud computing
- The cloud logical model
- Cloud conceptual, architectural and reference model
- Cloud security and compliance scope, responsibilities and models
NIST definition of cloud computing: a model for ensuring ubiquitous, convenient, on-demand network access to a shared pool for configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
A Cloud User is the person or organization requesting computational resources. The Cloud Provider is the person or organization offering the resources.
Key techniques to create a cloud:
- Abstraction: we abstract resources from the underlying infrastructure to create resource pools
- Orchestration: coordination of delivering resources out of the pool on demand.
Clouds are multitenant by nature. Consumers are segregated and isolated but share resource pools.
Cloud computing models
The foundation model of cloud computing of the CSA is the NIST model. A more in-depth model used as a reference model is taken from ISO/IEC. The guidance talks mostly about the NIST model and doesn’t dive into the ISO/IEC model, which probably is sufficient for most definition needs.
Cloud computing has 5 charcteristics:
- Shared resource pool (compute resources in a pool that consumers can pull from)
- Rapid elasticity (can scale up and down quickly)
- Broad network access
- On-demand self-service (management plane, API’s)
- Measured service (pay-as-you-go)
Cloud computing has 3 service models
- Software as a Service (SaaS): like Cybehave or Salesforce
- Platform as a Service (PaaS): like WordPress or AWS Elastic Beanstalk
- Infrastructure as a Service (IaaS): like VM’s running in Google Cloud
Cloud computing has 4 deployment models:
- Public Cloud: pool shared by anyone
- Private Cloud: pool shared within an organization
- Hybrid Cloud: connection between two clouds, commonly used when an on-prem datacenter connects to a public cloud
- Community Cloud: pool shared by a community, for example insurance companies that have formed some form of consortium
Models for discussing cloud security
The CSA document discusses multiple model type in a somewhat incoherent manner. The types of models it mentions can be categorized as follows:
- Conceptual models: descriptions to explain concepts, such as the logic model from CSA.
- Controls models: like CCM
- Reference architectures: templates for implementing security controls
- Design patterns: solutions to particular problems
The document also outlines a simple cloud security process model
- Identify security and compliance requirements, and existing controls
- Select provider, service and deployment models
- Define the architecture
- Assess the security controls
- Identify control gaps
- Design and implement controls to fill gaps
- Manage changes over time
The CSA logic model
This model explains 4 “layers” of a cloud enviornment and introduces some “funny words”:
- Infrastructure: the core components in computing infrastructure, such as servers, storage and networks
- Metastructure: protocols and mechanisms providing connections between infrastructure and the other layers
- Infostructure: The data and information (database records, file storage, etc)
- Applistructure: The applications deployed in the cloud and the underlying applications used ot build them.
The key difference between traditional IT and cloud is the metastructure. Cloud metastructure contains the management plane components.
Another key feature of cloud is that each layer tends to double. For example infrastructure is managed by the cloud provider, but the cloud consumer will establish a virtual infrastructure that will also need ot be managed (at least in the case of IaaS).
Cloud security scope and responsibilities
The responsibility for security domains maps to the access the different stakeholders have to each layer in the architecture stack.
- SaaS: cloud provider is responsible for perimeter, logging, and application security and the consumer may only have access to provision users and manage entitlemnets
- PaaS: the provider is typically responsible for platform security and the consumer is responsible for the security of the solutions deployed on the platform. Configuring the offered security features is often left to the consumer.
- IaaS: cloud provider is responsible for hypervisors, host OS, hardware and facilities, consumer for guest OS and up in the stack.
Shared responsibility model leaves us with two focus areas:
- Cloud providers should clearly document internal security management and security controls available to consumers.
- Consumers should create a responsibility matrix to make sure controls are followed up by one of the parties
Two compliance tools exist from the CSA and are recommended for mapping security controls:
- The Consensus Assessment Initiative Questionnaire (CAIQ)
- The Cloud Controls Matrix (CCM)
This domain is introductory and provides some terminology for discussing cloud computing. The key aspects from a risk management point of view are:
- Cloud creates new risks that need to be managed, especially as it introduces more companies involved in maintaining security of the full stack compared to a full in-house managed stack. Requirements, contracts and audits become important tools.
- The NIST model is more or less universally used in cloud discussions in practice. The service models are known to most IT practitioners, at least on the operations side.
- The CSA guidance correctly designates the “metastructure” as the new kid on the block. The practical incarnation of this is API’s and console access (e.g. gcloud at API level and Google Cloud Console on “management plane” level). From a security point of view this means that maintaining security of local control libraries becomes very important, as well as identity and access management for the control plane in general.
In addition to the “who does what” problem that can occur with a shared security model, the self-service and fast-scaling properties of cloud computing often lead to “new and shiny” being pushed faster than security is aware of. An often overlooked part of “pushing security left” is that we also need to push both knowledge and accountability together with the ability to access the management plane (or parts of it through API’s or the cloud management console).