Sunday, June 25, 2017

CCSK Certificate of Cloud Security Knowledge

The Cloud Security Alliance (CSA) promote the use of best practices for providing security assurance within Cloud Computing. 

The CCSK qualification is developed by the CSA. The aim is to bring a common understanding of cloud security concepts and help increase the quality of risk decisions when moving IT to the cloud. The qualification is generic and vendor neutral.

The body of knowledge covers 14 domains and also the European Network & Information Security Agency Cloud Computing publication: Benefits, Risks and Recommendations for Information Security.

CCSK domains
Domain 1 Architecture
Domain 2 Governance and Enterprise Risk Management
Domain 3 Legal Issues: Contracts and Electronic Discovery
Domain 4 Compliance and Audit Management
Domain 5 Information Management and Data Security
Domain 6 Interoperability and Portability
Domain 7 Traditional Security, BCP and DR
Domain 8 Data Center Operations
Domain 9 Incident Response
Domain 10 Application Security
Domain 11 Encryption and Key Management
Domain 12 Identity, Entitlement and Access Management
Domain 13 Virtualisation
Domain 14 Security As A Service

Policy and organizational risks
R.1 Lock-in
R.2 Loss of governance
R.3 Compliance challenges
R.4 Loss of business reputation due to co-tenant activities
R.5 Cloud service termination or failure
R.6 Cloud provider acquisition
R.7 Supply chain failure
Technical risks
R.8 Resource exhaustion (under or over provisioning)
R.9 Isolation failure
R.10 Cloud provider malicious insider - abuse of high privilege roles
R.11 Management interface compromise (manipulation, availability of infrastructure)
R.12 Intercepting data in transit
R.13 Data leakage on up/download, intra-cloud
R.14 Insecure or ineffective deletion of data
R.15 Distributed denial of service (DDoS)
R.16 Economic denial of service (EDOS)
R.17 Loss of encryption keys
R.18 Undertaking malicious probes or scans
R.19 Compromise service engine
R.20 Conflicts between customer hardening procedures and cloud environment
Legal risks
R.21 Subpoena and e-discovery
R.22 Risk from changes of jurisdiction
R.23 Data protection risks
R.24 Licensing risks
Risks not specific to the cloud
R.25 Network breaks
R.26 Network management (i.e., network congestion / mis-connection / non-optimal use)
R.27 Modifying network traffic
R.28 Privilege escalation
R.29 Social engineering attacks (i.e., impersonation)
R.30 Loss or compromise of operational logs
R.31 Loss or compromise of security logs (manipulation of forensic investigation)
R.32 Backups lost, stolen
R.33 Unauthorized access to premises (including physical access to machines and other facilities)
R.34 Theft of computer equipment
R.35 Natural disasters

Full documentation on V3 of CCSK knowledge is available here.

The CSA have also created the template Cloud Controls Matrix as a baseline standard of security controls to consider when selecting a Cloud Service Provider.

The European Network and Information Security Agency (ENISA) whitepaper

Further info on the exam here
