The Cloud Security Alliance (CSA) promotes best practices for providing security assurance within cloud computing. The CCSK (Certificate of Cloud Security Knowledge) qualification is developed by the CSA. Its aim is to establish a common understanding of cloud security concepts and to improve the quality of risk decisions made when moving IT to the cloud. The qualification is generic and vendor neutral.
The body of knowledge covers 14 domains, and also the European Network and Information Security Agency (ENISA) publication "Cloud Computing: Benefits, Risks and Recommendations for Information Security".
CCSK domains
Domain 1: Architecture
Domain 2: Governance and Enterprise Risk Management
Domain 3: Legal Issues: Contracts and Electronic Discovery
Domain 4: Compliance and Audit Management
Domain 5: Information Management and Data Security
Domain 6: Interoperability and Portability
Domain 7: Traditional Security, BCP and DR
Domain 8: Data Center Operations
Domain 9: Incident Response
Domain 10: Application Security
Domain 11: Encryption and Key Management
Domain 12: Identity, Entitlement and Access Management
Domain 13: Virtualisation
Domain 14: Security as a Service
ENISA Risks
Policy and organizational risks
R.1 Lock-in
R.2 Loss of governance
R.3 Compliance challenges
R.4 Loss of business reputation due to co-tenant activities
R.5 Cloud service termination or failure
R.6 Cloud provider acquisition
R.7 Supply chain failure
Technical risks
R.8 Resource exhaustion (under or over provisioning)
R.9 Isolation failure
R.10 Cloud provider malicious insider - abuse of high privilege roles
R.11 Management interface compromise (manipulation, availability of infrastructure)
R.12 Intercepting data in transit
R.13 Data leakage on up/download, intra-cloud
R.14 Insecure or ineffective deletion of data
R.15 Distributed denial of service (DDoS)
R.16 Economic denial of service (EDoS)
R.17 Loss of encryption keys
R.18 Undertaking malicious probes or scans
R.19 Compromise of service engine
R.20 Conflicts between customer hardening procedures and cloud environment
Legal risks
R.21 Subpoena and e-discovery
R.22 Risk from changes of jurisdiction
R.23 Data protection risks
R.24 Licensing risks
Risks not specific to the cloud
R.25 Network breaks
R.26 Network management (i.e., network congestion / mis-connection / non-optimal use)
R.27 Modifying network traffic
R.28 Privilege escalation
R.29 Social engineering attacks (i.e., impersonation)
R.30 Loss or compromise of operational logs
R.31 Loss or compromise of security logs (manipulation of forensic investigation)
R.32 Backups lost or stolen
R.33 Unauthorized access to premises (including physical access to machines and other facilities)
R.34 Theft of computer equipment
R.35 Natural disasters
Full documentation on V3 of the CCSK body of knowledge is available here.
The CSA has also created the Cloud Controls Matrix template as a baseline set of security controls to consider when selecting a Cloud Service Provider.
The European Network and Information Security Agency (ENISA) whitepaper
Further information on the exam is available here.