Chapter 10 - 03 - Discuss the Insights of Cloud Security and Best Practices - 09_ocred_fax_ocred.pdf

Certified Cybersecurity Technician Exam 212-82 Virtualization and Cloud Computing

NIST Recommendations for Cloud Security

01 Assess the risk posed to the client's data, software, and infrastructure.
02 Select an appropriate deployment model according to needs.
03 Ensure audit procedures are in place for data protection and software isolation.
04 Renew SLAs in case of security gaps between the organization's security requirements and the cloud provider's standards.
05 Establish appropriate incident detection and reporting mechanisms.
06 Analyze the security objectives of the organization.
07 Enquire about who is responsible for data privacy and security issues in the cloud.

Module 10 Page 1378 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Organization/Provider Cloud Security Compliance Checklist

The tables below provide checklists for determining whether the security team, the rest of the organization, and any proposed cloud provider can assure cloud security.

Checklists to determine if the CSP is fit and ready for cloud security:

Security Team (one checkbox per item)

- Are the members of the security team formally trained in cloud technologies?
- Do the organization's security policies consider cloud infrastructure?
- Has the security team ever been involved in implementing cloud infrastructure?
- Has the organization defined security assessment procedures for cloud infrastructure?
- Has the organization ever been audited for cloud security threats?
- Will the organization's cloud adoption comply with the security standards that the organization follows?
- Has security governance been adapted to include cloud?
- Does the team have adequate resources to implement cloud infrastructure and security?

Table 10.5: Checklist to determine if the security team is fit and ready for cloud security

Operation (each item has two checkboxes: Organization | Provider)

- Are regulatory compliance reports, audit reports, and reporting information available from the provider?
- Are the organization's incident handling and business continuity policies and procedures designed considering cloud security issues?
- Are the cloud service provider's compliance and audit reports accessible to the organization?
- Does the CSP's SLA address incident handling and business continuity concerns?
- Does the CSP have clear policies and procedures to handle digital evidence in the cloud infrastructure?
- Is the CSP itself compliant with the industry standards?
- Does the CSP have skilled and sufficient staff for incident resolution and configuration management?
- Has the CSP defined procedures to support the organization in case of incidents in a multi-tenant environment?
- Does using a cloud provider give the organization an environmental advantage?
- Does the organization know in which application or database each data entity is stored or mastered?
- Is the cloud-based application maintained and disaster-tolerant (i.e., would it recover from an internal or external disaster)?
- Are all personnel appropriately vetted, monitored, and supervised?
- Does the CSP provide the flexibility of service relocation and switchovers?
- Has the CSP implemented perimeter security controls (e.g., IDS, firewalls) and does it provide regular activity logs to the organization?
- Does the CSP provide reasonable assurance of quality or availability of service?
- Is it easy to securely integrate the cloud-based applications at runtime and contract termination?
- Does the CSP provide 24/7 support for cloud operations and security-related issues?
- Do the procurement processes contain cloud security requirements?
- Does the CSP frequently perform vulnerability assessments to identify security gaps and apply necessary patches?

Table 10.6: Checklist to determine if the organization/provider is fit and ready for cloud security based on its operations

Technology (each item has two checkboxes: Organization | Provider)

- Are there appropriate access controls (e.g., federated single sign-on) that give users controlled access to cloud applications?
- Is data separation maintained between the organization and customer information at runtime and during backup (including data disposal)?
- Has the organization considered and addressed backup, recovery, archiving, and decommissioning of data stored in the cloud environment?
- Are mechanisms in place for authentication, authorization, and key management in the cloud environment?
- Are mechanisms in place to manage network congestion, misconnection, misconfiguration, lack of resource isolation, etc., which affect services and security?
- Has the organization implemented sufficient security controls on the client devices used to access the cloud?
- Are all cloud-based systems, infrastructure, and physical locations suitably protected?
- Are the network designs suitably secure for the organization's cloud adoption strategy?

Table 10.7: Checklist to determine if the organization/provider is fit and ready for cloud security based on its technology

Management (each item has two checkboxes: Organization | Provider)

- Is everyone aware of their cloud security responsibilities?
- Is there a mechanism for assessing the security of a cloud service?
- Does the business governance mitigate the security risks that can result from cloud-based "shadow IT"?
- Does the organization know within which jurisdictions its data can reside?
- Is there a mechanism for managing cloud-related risks?
- Does the organization understand the data architecture needed to operate with appropriate security at all levels?
- Can the organization be confident of end-to-end service continuity across several cloud service providers?
- Does the provider comply with all relevant industry standards (e.g., the UK's Data Protection Act)?
- Does the compliance function understand the specific regulatory issues pertaining to the organization's adoption of cloud services?

Table 10.8: Checklist to determine if the organization/provider is fit and ready for cloud security based on its management

International Cloud Security Organizations

Some international cloud security organizations are dedicated to assisting security professionals with best practices, security awareness, and strong security policies that provide better cyber security resilience and a trusted cloud ecosystem. Discussed below is an international organization that alerts and instructs industries and security professionals about evolving threats and provides solutions for protecting cloud infrastructure against cyber-attacks.

Cloud Security Alliance (CSA)
Source: https://cloudsecurityalliance.org

The CSA is a nonprofit global organization that raises awareness and promotes best practices and security policies to help secure the cloud environment. CSA provides education and knowledge on the uses of cloud computing and helps in securing all forms of computing. CSA connects the subject matter expertise of industries, governments, and corporate members to provide cloud-based research, education, certification, and products.

[Screenshot of https://cloudsecurityalliance.org: "Welcome to the Cloud Security Alliance. The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment." Navigation: Membership, Assurance, Certificates & Training, Research, Circle, Events, Blog; Latest News from CSA.]
