CCSP: 11 Answers to Domain 1 Questions

Updated: Sep 15, 2020

Defining Cloud Computing

NIST 800-145 defines cloud computing as follows: "Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."


The following characteristics have become part of the generally accepted definition of cloud computing:

  • Broad network access - there should never be bandwidth bottlenecks

  • On-demand services - allows customers to scale compute and/or storage needs with little or no intervention from or prior communication with the provider

  • Resource pooling - the characteristic that allows the cloud provider to meet various demands from customers while remaining financially viable

  • Measured or "metered" service - the customer is charged for only what they use and nothing more.


Business Requirements

The IT department is not a profit center; it simply provides a support function. Security activities actually hinder business efficiency because the more secure something is, the less efficient it will be. This is why the business needs of the organisation drive security decisions, and not the other way around.

  • A successful organisation will gather as much information about operational business requirements as possible; this information can be used for many purposes, including several functions in the security realm.

  • The astute security professional needs to understand as much as possible about the operation of the organisation.


Quantifying Benefits and Opportunity Cost


Once you have a clear picture of what your organisation does in terms of lines of business and processes, you can get a better understanding of what benefits the organisation might derive from cloud migration, as well as the costs associated with the move.

  • The greatest driver pushing organisations toward cloud migration at the moment is cost savings. Some of those considerations include:

      • Reduction in capital expenditure

      • Reduction in personnel costs

      • Reduction in operational costs

      • Transferring some regulatory costs

      • Reduction in costs for data archival/backup services


Cloud Evolution, Vernacular, and Definitions

There are specific characteristics that are emblematic of cloud computing:

  • Elasticity - the flexibility of allocating resources as needed for immediate usage, instead of purchasing resources according to other variables. The organisation is paying not for a device, but for the use of a service, when it is being used.

  • Simplicity - proper cloud implementations should not require constant or even frequent interaction between the cloud provider and cloud customer.

  • Scalability - the organisation's computing needs won't remain static: there will be new users, customers, and data as the organisation continually matures. A cloud service can easily meet those needs in a more cost-efficient manner than a traditional environment.


Cloud Customer and Cloud User

  • A cloud customer is anyone who is purchasing a cloud service (individual or company)

  • A cloud user is someone using cloud services (it could be an employee of a company who is a cloud customer or just a private individual)


Question #1 Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. Which cloud service model should she most likely consider for her company’s purposes?


  • Platform as a service (PaaS)

  • Software as a service (SaaS)

  • Backup as a service (BaaS)

  • Infrastructure as a service (IaaS)




Cloud Computing Service Models

Cloud services are usually offered in terms of three general models, based on what the vendor offers and the customer needs, and the responsibilities of each according to the service contract. These models are:

Infrastructure as a Service (IaaS)

  • It allows the customer to install all software, including OSs, on hardware housed and connected by the cloud vendor. It might be optimum for organisations that want enhanced control over the security of their data, or are looking to the cloud for a limited purpose, such as BC/DR or archiving.

Platform as a Service (PaaS)

  • The cloud vendor usually offers a selection of OSs, so that the customer can use any or all of the available choices.

  • The vendor will be responsible for patching, administering, and updating the OS as necessary.

  • It is especially useful for software development operations (DevOps), as the customer can test their software in an isolated environment without risk of damaging production capabilities, and determine the viability of the software across a range of OS platforms.

Software as a Service (SaaS)

  • SaaS includes everything listed in the previous two models, with the addition of software programs.

  • The cloud vendor becomes responsible for administering, patching, and updating this software as well.

  • The cloud customer is only involved in uploading and processing data on a full production environment hosted by the provider.


Answer

  • Platform as a service (PaaS)

  • Software as a service (SaaS)

  • Backup as a service (BaaS)

  • Infrastructure as a service (IaaS)



Question #2 Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. Which aspect of cloud computing should she be most concerned about, in terms of security issues?

  • Multi-tenancy

  • Metered service

  • Service-level agreement (SLA)

  • Remote access


Cloud Computing Deployment Models


In addition to viewing cloud offerings in terms of what levels of service are involved, another perspective has to do with ownership.

Public

  • The resources (hardware, software, facilities, and staff) are owned and operated by a vendor and sold, leased, or rented to anyone.

  • Examples include Microsoft's Azure, and Amazon Web Services (AWS).

Private

  • These are owned and operated by independent organisations, for the exclusive use of their customers and users.

  • Examples include such things as what used to be called intranets.

Community

  • A community cloud features infrastructure and processing owned and operated by an affinity group; disparate pieces might be owned or controlled by individuals or distinct organisations, but they come together in some fashion to perform joint tasks and functions.

Hybrid

  • A hybrid cloud contains elements of the other cloud models. For instance, an organisation might want to retain some private cloud resources (say, their legacy production environment, which is accessed remotely by their users), but also lease some public cloud space (maybe for a PaaS function for DevOps testing, away from the production environment, so that there is much less risk of crashing systems in operation).


Shared Cloud Platform Risks and Responsibilities

Because the cloud customer and provider will each be processing data that, at least in some part, belongs to the customer, they will share responsibilities and risks associated with that data. These risks and responsibilities will be codified in the service contract between the parties.

  • Although the risks and responsibilities will be shared between the cloud provider and customer, the ultimate legal liability for unauthorised and illicit data disclosures will remain with the customer as the data owner.

  • That said, the provider and customer still must come to terms regarding their particular responsibilities and obligations under the contract.


  • The cloud customer is concerned about the data. Breaches, failures, and lack of availability are the things that most affect the customer.

  • The provider is mostly concerned with the security and operation of their data center, which is the provider's core competency and the way it survives and maintains profitability.

Cloud Computing Risks by Deployment and Service Model

Private Cloud

  • Personnel threats - inadvertent and malicious threats

  • Natural disasters

  • External attacks

  • Regulatory noncompliance

  • Malware


Community Cloud

  • Resiliency through shared risks - uniform configuration management and baselines are almost impossible to maintain.

  • With distributed ownership comes distributed decision making in terms of policy and administration.

  • Shared costs - the overhead and cost of the controls are shared among the members of the community, but so are access and control, which makes decision making complicated.

  • Distributed administration for performance and monitoring - it removes the reliability of centralised and homogenised standards for performance and security monitoring.

Public Cloud

  • Vendor lock-in

      • Vendor lock-in refers to a situation where the cost of switching to a different vendor is so high that the customer is essentially stuck with the original vendor.

      • For instance, if the provider uses a proprietary data format or medium to store information, the customer may not be able to move their data to another provider.

      • The contract itself can be considered a form of lock-in if it is punitive and puts undue responsibilities on the customer if the customer chooses to go to another provider.

  • Vendor lock-out

      • Vendor lock-out can be caused when the cloud provider goes out of business, is acquired by another interest, or ceases operation for any reason. In these circumstances, the concern is whether the customer can still readily access and recover their data.

  • Multi-tenant environments

      • Going into a public cloud means entering a multi-tenant environment. There are specific risks in the public cloud configuration that do not exist in other models:

          • conflict of interest

          • escalation of privilege

          • information bleed

          • legal activity - data and devices within a data center may be seized as evidence in a criminal investigation or as part of discovery for litigation purposes. Your data might therefore be seized because it is on the same box as the data of another customer who is a target of law enforcement.

Hybrid Cloud

  • Hybrid cloud configurations include all the risks of the various models they combine.

IaaS

  • Personnel threats

  • External threats

  • Lack of specific skills

PaaS

  • Interoperability issues

  • Persistent backdoors

  • Virtualisation

      • attacks on the hypervisor

      • guest/VM escape - allows a user to leave the confines of their own virtualised instance

      • information bleed - processing performed on one virtualised instance may be detected, in whole or in part, by other instances on the same host

      • data seizure by law enforcement, etc.

Answer

  • Multi-tenancy

  • Metered service

  • Service-level agreement (SLA)

  • Remote access


Question #3 Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. In order to protect her company’s intellectual property, Alice might want to consider implementing all these techniques/solutions except ___________________.

  • Egress monitoring

  • Encryption

  • Turnstiles

  • Digital watermarking

Cloud Data Lifecycle

  • Data will be created in both the cloud and from remote users.

  • It will be stored, in both the short term (Store phase) and long term (Archive phase), in the cloud.

  • In the Use phase, data will be manipulated and modified in the production environment hosted in the cloud.

  • It will be transmitted to other users and made available for collaboration in the Share phase within the cloud.

  • In addition, we will still have the need to remove data from the production environment and sanitise the media afterward, in the Destroy phase.

In the cloud, each phase of the data life cycle will require particular protections.


Create

  • Data will most often be created by users accessing the cloud remotely.

  • Data created remotely

      • Data created by the user should be encrypted before uploading to the cloud.

      • This protects against threats such as man-in-the-middle attacks and insider threats at the data center.

      • The connection used to upload the data should also be secure, preferably with an IPsec VPN solution.

  • Data created within the cloud

      • Likewise, data created within the cloud via remote manipulation should be encrypted upon creation, to limit unnecessary access or viewing by data center personnel.

      • Key management should be performed according to industry best practices.

Store

  • The Store phase is usually meant to refer to near-term storage.

  • Encryption should be used to mitigate exposure to threats within the data center.

Use

  • Operations in the cloud environment will necessitate remote access, so those connections will have to be secured, usually with an encrypted tunnel.

  • The platforms from which users connect to the cloud also have to be secured.

  • Users have to be trained to understand the risks that go along with cloud computing, and how they will be expected to use the technology (such as VPN, DRM, and/or DLP agents assigned to them) in a safe manner.

  • Data owners should be careful to restrict permissions for modifying and processing their data.

  • Users should be limited to those functions that they absolutely require in order to perform their assigned tasks.

  • Logging and audit trails are important when data is being manipulated in any fashion.

  • On the provider side, secure use requires strong protections in the implementation of virtualisation, together with personnel and administrative controls, so that data center personnel can't access any raw customer data.

Share

Security controls at this phase include:

  • Encrypted files and communications

  • DRM solutions

  • Sharing restrictions based on jurisdiction

  • Egress monitoring (DLP)

Archive

  • This is the phase for long-term storage.

  • Cryptography will be an essential consideration

  • Key management is of utmost importance, because mismanaged keys can lead to additional exposure or to total loss of the data.

  • The physical security of the data in long-term storage is also important.

Destroy

  • In the legacy environment, where the organisation has ownership and control of all the infrastructure, data disposal options are direct and straightforward. Options include:

      • physical destruction of media and hardware

      • degaussing

      • overwriting

      • crypto-shredding / cryptographic erasure - this involves encrypting the data with a strong encryption engine, then taking the keys generated in that process, encrypting them with a different encryption engine, and destroying the keys.

  • Crypto-shredding is the sole pragmatic option for data disposal in the cloud.
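The crypto-shredding procedure described above, carried through as an added example (not code from the original post): a per-object data-encryption key (DEK) encrypts the record, a separate key-encryption key (KEK) wraps that DEK, and destroying the KEK is the disposal step that leaves every stored copy unreadable. The cipher is a constructed HMAC-SHA256 keystream standing in for AES so the file runs on the standard library alone; the KeyVault class, the key identifier "tenant-a" and the sample record are all assumptions.

```python
"""Crypto-shredding with a two-level key hierarchy (added example).

Data is encrypted under a per-object DEK; the DEK is encrypted ("wrapped") under
a separate KEK and only the wrapped form is stored beside the ciphertext.
Destroying the KEK is the disposal step. The cipher is a constructed
HMAC-SHA256 keystream standing in for AES; it is not a production AEAD."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher: XOR data with HMAC-SHA256(key, nonce || counter)."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class StoredObject:
    """What stays on the provider's storage: useless without the KEK."""
    nonce: bytes
    ciphertext: bytes
    dek_nonce: bytes
    wrapped_dek: bytes  # DEK encrypted under the KEK; the raw DEK is never stored


class KeyVault:
    """Customer-controlled store of KEKs (assumed component, e.g. an HSM or KMS)."""

    def __init__(self) -> None:
        self._keks: dict[str, bytes] = {}

    def create_kek(self, kek_id: str) -> None:
        self._keks[kek_id] = secrets.token_bytes(32)

    def wrap(self, kek_id: str, dek: bytes) -> tuple[bytes, bytes]:
        nonce = secrets.token_bytes(16)
        return nonce, keystream_xor(self._keks[kek_id], nonce, dek)

    def unwrap(self, kek_id: str, nonce: bytes, wrapped: bytes) -> bytes:
        return keystream_xor(self._keks[kek_id], nonce, wrapped)  # KeyError once destroyed

    def destroy(self, kek_id: str) -> None:
        """The shredding action: every object wrapped under this KEK is now unrecoverable."""
        del self._keks[kek_id]


def encrypt_object(vault: KeyVault, kek_id: str, plaintext: bytes) -> StoredObject:
    """Fresh DEK per object, then wrap the DEK under the named KEK."""
    dek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    dek_nonce, wrapped = vault.wrap(kek_id, dek)
    return StoredObject(nonce, keystream_xor(dek, nonce, plaintext), dek_nonce, wrapped)


def decrypt_object(vault: KeyVault, kek_id: str, obj: StoredObject) -> bytes:
    """Unwrap the DEK and decrypt; raises KeyError if the KEK has been destroyed."""
    dek = vault.unwrap(kek_id, obj.dek_nonce, obj.wrapped_dek)
    return keystream_xor(dek, obj.nonce, obj.ciphertext)


def shred_demo(record: bytes = b"tenant-a export: constructed sample record") -> dict:
    """Round-trip an object, shred its KEK, and report the three checks that matter."""
    vault = KeyVault()
    vault.create_kek("tenant-a")
    obj = encrypt_object(vault, "tenant-a", record)
    before = decrypt_object(vault, "tenant-a", obj)
    vault.destroy("tenant-a")
    try:
        decrypt_object(vault, "tenant-a", obj)
        recoverable = True
    except KeyError:
        recoverable = False
    return {"decrypts_before": before == record,
            "ciphertext_differs": obj.ciphertext != record,
            "recoverable_after_shred": recoverable}
```

The point the model makes visible is that the provider's replicas and backups never need to be located or wiped: they hold only ciphertext and a wrapped DEK, so removing the single KEK in the customer's vault is the whole disposal.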

Answer

  • Egress monitoring

  • Encryption

  • Turnstiles

  • Digital watermarking


Turnstiles are a physical security barrier to prevent piggybacking/tailgating (an unauthorised person coming through an entrance behind someone who is authorised), but they don’t really provide much protection for intellectual property in this case. Egress monitoring (often referred to as “DLP” solutions) is a great way to reduce the likelihood of intellectual property leaving the owner’s control in an unexpected/unapproved manner. Likewise, strong encryption is useful in the cloud to reduce the impact of theft, whether from leakage to other cloud tenants or from insider threats (such as malicious admins in the employ of the cloud provider). Finally, digital watermarks aid protection of intellectual property by proving original ownership, which is essential for enforcing intellectual property rights (in the case of software design, mainly copyright protections).


Question #4 Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. What is probably the biggest factor in her decision?

  • Network scalability

  • Off-site backup capability

  • Global accessibility

  • Reduced overall cost due to outsourcing administration

Business Requirements

The IT department is not a profit center; it simply provides a support function. Security activities actually hinder business efficiency because the more secure something is, the less efficient it will be. This is why the business needs of the organisation drive security decisions, and not the other way around.

  • A successful organisation will gather as much information about operational business requirements as possible; this information can be used for many purposes, including several functions in the security realm.

  • The astute security professional needs to understand as much as possible about the operation of the organisation.


Quantifying Benefits and Opportunity Cost


Once you have a clear picture of what your organisation does in terms of lines of business and processes, you can get a better understanding of what benefits the organisation might derive from cloud migration, as well as the costs associated with the move.

  • The greatest driver pushing organisations toward cloud migration at the moment is cost savings. Some of those considerations include:

      • Reduction in capital expenditure

      • Reduction in personnel costs

      • Reduction in operational costs

      • Transferring some regulatory costs

      • Reduction in costs for data archival/backup services

Answer

  • Network scalability

  • Off-site backup capability

  • Global accessibility

  • Reduced overall cost due to outsourcing administration


While all of these are traits of cloud computing and will likely benefit Alice’s company, from her position as senior manager of the organization she is likely to consider the financial benefit first and foremost.

Question #5 In which of the following situations does the data owner have to administer the OS?

  • IaaS

  • PaaS

  • Off-site archive

  • SaaS

Cloud Computing Service Models

Cloud services are usually offered in terms of three general models, based on what the vendor offers and the customer needs, and the responsibilities of each according to the service contract. These models are:

Infrastructure as a Service (IaaS)

  • It allows the customer to install all software, including OSs, on hardware housed and connected by the cloud vendor. It might be optimum for organisations that want enhanced control over the security of their data, or are looking to the cloud for a limited purpose, such as BC/DR or archiving.

Platform as a Service (PaaS)

  • The cloud vendor usually offers a selection of OSs, so that the customer can use any or all of the available choices.

  • The vendor will be responsible for patching, administering, and updating the OS as necessary.

  • It is especially useful for software development operations (DevOps), as the customer can test their software in an isolated environment without risk of damaging production capabilities, and determine the viability of the software across a range of OS platforms.

Software as a Service (SaaS)

  • SaaS includes everything listed in the previous two models, with the addition of software programs.

  • The cloud vendor becomes responsible for administering, patching, and updating this software as well.

  • The cloud customer is only involved in uploading and processing data on a full production environment hosted by the provider.

Answer

  • IaaS

  • PaaS

  • Off-site archive

  • SaaS


Question #6 You are setting up a cloud implementation for an online retailer who will accept credit card payments. According to the Payment Card Industry Data Security Standard (PCI DSS), what can you never store for any length of time?

  • Personal data of consumers

  • The credit card verification (CCV) number (or card verification value - CVV)

  • The credit card number

  • Home address of the customer



Payment security is paramount for every merchant, financial institution or other entity that stores, processes or transmits cardholder data.


The PCI Data Security Standards help protect the safety of that data. They set the operational and technical requirements for organisations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.


Maintaining payment security is serious business. It is vital that every entity responsible for the security of cardholder data diligently follows the PCI Data Security Standards.


PCI DSS Goals and Requirements

PCI Data Storage Do's and Don'ts

Requirement 3 of the PCI DSS is to "protect stored cardholder data." Requirement 3 applies only if cardholder data is stored.

  • Merchants who do not store any cardholder data automatically provide stronger protection by having eliminated a key target for data thieves.

  • For merchants who have a legitimate business reason to store cardholder data, it is important to understand what data elements PCI DSS allows them to store and what measures they must take to protect those data.


Technical Guidelines for Stored Payment Card Data

Answer

  • Personal data of consumers

  • The credit card verification (CCV) number (or card verification value - CVV)

  • The credit card number

  • Home address of the customer


Question #7 The Payment Card Industry Data Security Standard (PCI DSS) distinguishes merchants by different tiers, based on ___________.

  • Number of transactions per year

  • Dollar value of transactions per year

  • Geographic location

  • Jurisdiction


The PCI DSS contains a set of requirements to help organisations prevent payment card fraud. There are four PCI compliance levels, which are determined by the number of transactions the organisation handles each year:

  • Level 1: Merchants that process over 6 million card transactions annually.

  • Level 2: Merchants that process 1 to 6 million transactions annually.

  • Level 3: Merchants that process 20,000 to 1 million transactions annually.

  • Level 4: Merchants that process fewer than 20,000 transactions annually.

PCI DSS Compliance

All organisations within the PCI DSS's scope must complete:

  • an assessment (the specifics vary based on your level);

  • a quarterly network scan; and

  • the Attestation of Compliance form.

For Level 1 organisations, the assessment should consist of an external audit performed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). They'll perform an on-site evaluation of your organisation to:

  • Validate the scope of the assessment

  • Review your documentation and technical information

  • Determine whether the PCI DSS's requirements are being met

  • Provide support and guidance during the compliance process; and

  • Evaluate compensating controls


The auditor will then submit a Report on Compliance (RoC) to the organisation's acquiring banks to demonstrate its compliance.


Organisations in PCI Levels 2-4 can complete a Self-Assessment Questionnaire (SAQ) instead of an external audit. Level 2 organisations must also complete a RoC.


Answer

  • Number of transactions per year

  • Dollar value of transactions per year

  • Geographic location

  • Jurisdiction



Question #8 What is usually considered the difference between business continuity (BC) efforts and disaster recovery (DR) efforts?

  • BC involves a recovery time objective (RTO), and DR involves a recovery point objective (RPO).

  • BC is for events caused by humans (like arson or theft), whereas DR is for natural disasters.

  • BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.

  • BC involves protecting human assets (personnel, staff, users), whereas DR is about protecting property (assets, data).


Business continuity planning (BCP) involves

  1. assessing the risk to organisational processes, and

  2. creating policies, plans, and procedures to minimise the impact those risks might have on the organisation if they were to occur.

BCP is used to maintain the continuous operation of a business in the event of an emergency situation. The BCP process has four main steps:

  1. Project scope and planning

  2. Business impact assessment

  3. Continuity planning

  4. Approval and implementation

The distinction between BCP and disaster recovery (DR) is one of perspective. Both activities are designed to help prepare an organisation for disaster. The perspective difference is that

  • Business continuity activities are typically strategically focused at a high level and center themselves on business processes and operations.

  • Disaster recovery plans tend to be more tactical in nature and describe the technical activities such as recovery sites, backups, and fault tolerance.

Disaster recovery planning (DRP) is the technical complement to the business-focused BCP exercise. It includes the technical controls that prevent disruptions and facilitate the restoration of service as quickly as possible after a disruption occurs.

Answer

  • BC involves a recovery time objective (RTO), and DR involves a recovery point objective (RPO).

  • BC is for events caused by humans (like arson or theft), whereas DR is for natural disasters.

  • BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.

  • BC involves protecting human assets (personnel, staff, users), whereas DR is about protecting property (assets, data).


Question #9 For business continuity and disaster recovery (BC/DR) purposes, the contract between the primary cloud provider and customer should include all of the following except ___________________.

  • Which party will be responsible for initiating a BC/DR response activity

  • How a BC/DR response will be initiated

  • How soon the customer’s data can be ported to a new cloud provider in the event a disruptive event makes the current provider unable to continue service

  • How much a new cloud provider will charge the customer if data has to be ported from the current cloud provider because of a disruptive event

The contract between the cloud customer and current cloud provider has no bearing on what the customer will have to pay to a new provider; that will be governed by the contract between the customer and the new provider.


All the other options are topics that should be addressed in the contract between the current cloud provider and the cloud customer in order to properly address BC/DR needs.

Answer

  • Which party will be responsible for initiating a BC/DR response activity

  • How a BC/DR response will be initiated

  • How soon the customer’s data can be ported to a new cloud provider in the event a disruptive event makes the current provider unable to continue service

  • How much a new cloud provider will charge the customer if data has to be ported from the current cloud provider because of a disruptive event


Question #10 When the cloud customer requests modifications to the current contract or service-level agreement (SLA) for business continuity/disaster recovery (BC/DR) purposes, who should absorb the cost of modification?

  • The customer absorbs the cost.

  • The provider absorbs the cost.

  • The cost should be split equally.

  • Modifications don’t cost anything.


Answer

  • The customer absorbs the cost.

  • The provider absorbs the cost.

  • The cost should be split equally.

  • Modifications don’t cost anything.


© 2021 by CloudTAC