Sunday, June 25, 2017

CCSK Certificate of Cloud Security Knowledge



The Cloud Security Alliance (CSA) promote the use of best practices for providing security assurance within Cloud Computing. 

The CCSK qualification is developed by the CSA. The aim is to bring a common understanding of cloud security concepts and help increase the quality of risk decisions when moving IT to the cloud. The qualification is generic and vendor neutral.

The body of knowledge covers 14 domains, and also the European Network & Information Security Agency Cloud Computing publication: Benefits, Risks and Recommendations for Information Security

CCSK domains
Domain 1 Architecture
Domain 2 Governance and Enterprise Risk Management
Domain 3 Legal Issues: Contracts and Electronic Discovery
Domain 4 Compliance and Audit Management
Domain 5 Information Management and Data Security
Domain 6 Interoperability and Portability
Domain 7 Traditional Security, BCP and DR
Domain 8 Data Center Operations
Domain 9 Incident Response
Domain 10 Application Security
Domain 11 Encryption and Key Management
Domain 12 Identity, Entitlement and Access Management
Domain 13 Virtualisation
Domain 14 Security As A Service



ENISA Risks
Policy and organizational risks
R.1 Lock-in
R.2 Loss of governance
R.3 Compliance challenges
R.4 Loss of business reputation due to co-tenant activities
R.5 Cloud service termination or failure
R.6 Cloud provider acquisition
R.7 Supply chain failure
Technical risks
R.8 Resource exhaustion (under or over provisioning)
R.9 Isolation failure
R.10 Cloud provider malicious insider - abuse of high privilege roles
R.11 Management interface compromise (manipulation, availability of infrastructure)
R.12 Intercepting data in transit
R.13 Data leakage on up/download, intra-cloud
R.14 Insecure or ineffective deletion of data
R.15 Distributed denial of service (DDoS)
R.16 Economic denial of service (EDOS)
R.17 Loss of encryption keys
R.18 Undertaking malicious probes or scans
R.19 Compromise service engine
R.20 Conflicts between customer hardening procedures and cloud environment
Legal risks
R.21 Subpoena and e-discovery
R.22 Risk from changes of jurisdiction
R.23 Data protection risks
R.24 Licensing risks
Risks not specific to the cloud
R.25 Network breaks
R.26 Network management (ie, network congestion / mis-connection / non-optimal use)
R.27 Modifying network traffic
R.28 Privilege escalation
R.29 Social engineering attacks (ie, impersonation)
R.30 Loss or compromise of operational logs
R.31 Loss or compromise of security logs (manipulation of forensic investigation)
R.32 Backups lost, stolen
R.33 Unauthorized access to premises (including physical access to machines and other facilities)
R.34 Theft of computer equipment
R.35 Natural disasters
 

Full documentation on V3 of CCSK knowledge available here

The CSA have also created the template Cloud Controls Matrix as a baseline standard of security controls to consider when selecting a Cloud Service Provider

The European Network and Information Security Agency (ENISA) whitepaper

Further info on the exam here

Tuesday, June 6, 2017

GDPR – General Data Protection Regulation in 60 seconds



“Protecting the data of the people”

EU regulation comes into force on 25th May 2018.  It aims to simplify the existing laws and is an evolution of the pre-existing Data Protection Directive laws.   DPD has been implemented into national laws, leading to some inconsistencies between member states.  GDPR provides a more consistent definition of personal data creating a more uniform law across member states.   It is designed to bring much harsher penalties for non compliance.

Five roles are defined
Data Subject: citizen or resident of an EU member state. The rightful data owner
Data Controller: organisation that collects the data.
Data Processor: organisation that process the data on behalf of the controller
Data Protection Officer: works independently to ensure that an entity is adhering to GDPR regulations
Data Protection Authority: each EU member state must have an enforcement power

Personal Data: any information relating to the data subject

Important Principles
Consent:
data must be freely given i.e. individual may refuse and must affirm its use.
controller must clearly explain how data will be used.
Right Of Access:
data subject may obtain access to the data
data subject has right to erasure
Retention:
Data should only be retained when there is a compelling and valid reason
Enforcement:
3 days to report a breach

Lawful basis to process
There are 6 lawful basis under GDPR in order to process personal data. You must determine and document your lawful basis before you begin processing.
Consent
Consent must be unambiguous and involve a clear affirmative action (an opt-in). You must keep clear records to demonstrate consent.
Contract
You can rely on this lawful basis if you need to process someone’s personal data to fulfil your contractual obligations to them
Legal Obligation
You can rely on Legal Obligation if you need to process the personal data to comply with a common law or statutory obligation.
Vital Interests
Where processing is necessary in order to protect the vital interests of the data subjec. vital interests are intended to cover only interests that are essential for someone’s life e.g. emergency medical care
Public Task
Your overall purpose must be to perform a public interest task or exercise official authority, and that the overall task or authority has a sufficiently clear basis in law e.g. justic admin. government functions.
Legitimate Interests
Legitimate interests are most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact. requires a LIA legitimate Interest Assessment: purpose, necessity and balancing test