Path to CCSK: ENISA

8 minute read

Introduction

The CCSK is the Cloud Security Alliance’s Certificate of Cloud Security Knowledge. It is one of the top two cloud-agnostic security certifications, along with the (ISC)² CCSP (see: CCSK vs CCSP: An Unbiased Comparison). I am currently self-studying for this certificate, and documenting that process.

There are three core documents in the body of knowledge for the CCSK(v4):

  1. ENISA report: Cloud Computing: Benefits, Risks and Recommendations for Information Security
  2. CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4
  3. CSA Cloud Controls Matrix 3.0.1

This post will capture my notes from a review of the ENISA report (a 125 page document).

ENISA: Executive Summary

Scale and flexibility are both friend and foe

The cloud model mainly causes technical change in Scale and Architecture.

  • Massive distribution and redundancy
  • Security can benefit from scale
  • Confidentiality and liability for infrastructure are core concerns
  • For Governments: Legal, Regulatory, and Public Perception concerns

Contract evaluation and negotiation are key to legal issues

  • some priorities: rights/obligations for notification of incidents
  • limitations on liability

Identified research topics:

  • End-to-end confidentiality, high assurance clouds
  • Forensics, incident handling, international differences in relevant regulations
  • resource isolation, interoperability, resilience

Top security benefits:

  • Standard interfaces to managed security services, auto-update mechanisms
  • auto-scaling, automatic & cost effective audit/evidence gathering
  • resource concentration allows cheaper perimeterization and security process application

Top risks:

  • loss of governance, lock-in, isolation failures, compliance risks
  • management interface compromise, data handling/protection, data deletion, malicious insiders

You can’t outsource accountability


Definition

Cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computing technologies.

  • abstracted, shared, pay-as-you-go resources
  • fast scalability, flexibility, and provisioning
  • programmatic management
  • spans IaaS, PaaS, SaaS, as well as Public, Private, and Partner clouds

Security Benefits

  • Benefits of scale
    • cost reduction for filtering, patch management, hardening, redundancy, access control enforcement, robust identity management
    • locations and redundancy, edge networks
    • providers’ specialist threat management
  • CP’s known security posture as a market differentiator
  • Standard interfaces to managed security services
  • Smart scaling, cost effective log storage
  • Mandatory audit and SLAs

Risks

  • Risk is a balance of opportunity and appetite
    • Cloud risk should be looked at as a delta from on-premises
    • Risk is heavily coupled to cloud architecture
    • Some risk is transferable to the CP

Policy & Organizational

  1. Lock-in: hard to migrate in, out, or across clouds. Providers are not incentivized to reduce.
    • SaaS: export/import routines need to be customized
    • PaaS: platform specific API, component, and data lock-in
    • IaaS: non-open virtual machine standards
  2. Loss of Governance: control is ceded to the CP. Conflicts may exist between CP and customer hardening standards. CP outsourcing and acquisition are both high risks.
  3. Compliance challenges: CP compliance, ability for customer audits, and some compliance may not be supported by/in the CP.
  4. Co-tenant activities: IP blacklists, subpoenas
  5. Service termination/failure: CP business or service failure
  6. CP Acquisition: Could result in a strategic shift
  7. Supply Chain Failures: Keep an eye out for transparency in contracts, especially on any outsourcing related to core IT services

Technical

  1. Resource Exhaustion: service unavailability, fail-open, infrastructure oversizing (failures of compartmentalization)
  2. Isolation Failure: failure of mechanisms including storage, memory, routing, reputation
  3. CP Malicious Insider: in addition to CP employees as targets
  4. Management Interface Compromise: internet accessibility, mediates broad access
  5. Interface Data in Transit: distribution of cloud infrastructure, confidentiality or non-disclosure
  6. Data Leakage (between CP & customer): on up/download, intra-cloud
  7. Ineffective Data Deletion: “true data wiping” requirement, effective encryption can be mitigation
  8. DDoS
    1. Economic DDoS: identity theft, lack of limits on paid resources, metered resources use via public channel
  9. Loss of Encryption Keys
  10. Malicious Probes/Scans: customer to customer
  11. Compromise of Service Engine: hypervisor failures, check for CP segregation of responsibilities
  12. Conflicts between customer hardening and CP: “shared responsibility model”, technology, policy, and transparency
  1. Subpoena & E-discovery: jurisdiction, lack of resource isolation
  2. Changes of Jurisdiction: data centers in autocratic or otherwise high-risk jurisdictions
  3. Data Protection: hard to vet CPs data processing, compliance with data protection laws, CP breach notifications, customer loss of data control
  4. Licensing: per seat licenses or online validation, intellectual property clauses

Non-Cloud Risks

  • Network Outage
  • Network Management
  • Modifying Network Traffic
  • Privilege Escalation
  • Social Engineering
  • Operational Log Compromise
  • Security Log Compromise
  • Lost/Stolen Backups
  • Physical Data Center Compromise
  • Theft of Computer Equipment
  • Natural Disasters

Vulnerabilities (Cloud)

  1. AAA
    • storage of credentials, insufficient role complexity/availability, credentials on transitory machines
    • password based attacks are more impactful (so use 2FAC!)
  2. User Provisioning
    • identity at registration, sync delays, credential interception/relays
  3. User De-Provisioning
    • revocation delays
  4. Remote Access to Management Interfaces
  5. Hypervisor Vulnerabilities
    • guest-to-host mistake
  6. Lack of Resource Isolation
    • cartography, co-residence, side-channels
    • ToS/SLA enforcement
  7. Reputational Isolation
  8. Encryption Vulnerabilities
    • MITM attacks, self-signed certificates, bad authentication
  9. Lack of or Weak Encryption (at rest of in transit)
    • key management
  10. Process Encrypted Data (impossibility)
    • CP must be trusted
  11. Poor Key Management
    • HSM distribution, Internet Key Management Interfaces, revocation
  12. CRNG Key Generation
    • shared cloud systems may have less entropy
  13. Lack of Standards
    • lock-in, can block MSSPs usage
  14. No Source Escrow
  15. Inaccurate Modeling of Resource Usage
    • resource provisioning algorithm failures, extraordinary events, failures of allocation
  16. No Control over Vulnerability Assessment Process
    • ToU problem
  17. Internal Network Probing
  18. Co-residence Checks
  19. Lack of Forensic Readiness
  20. Sensitive Media Sanitization
    • problem of shared tenancy
  21. Cloud-external Contracts/Responsibilities
    • shared responsibility model
  22. Cross-cloud Dependencies
    • third-parties, sub-contractors
  23. SLA conflicts, SLA with excessive business risk
  24. CP Lacks Audit/Certification
  25. Cloud Infrastructure not Supported by Certifications
  26. Inadequate CP Investment in Infrastructure
  27. CP Lacks Policies for Resource Capping
  28. Data Storage Jurisdictions
  29. Lack of Transparency in ToU

Vulnerabilities (non-cloud)

  • Lack of Security Awareness
  • Lack of Vetting of CP Staff
  • Unclear Roles within CP
  • Poor Role Enforcement
  • Lack of Need to Know
  • Lack of Physical Security
  • Misconfiguration
  • System or OS Vulnerabilities
  • Untrusted Software
  • Bad Business Continuity
  • Bad Asset Inventory
  • Bad Asset Classification
  • Unclear Asset Ownership
  • Poor Identification of Project Requirements
  • Poor Provider Selection
  • Lack of Supplier Redundancy
  • App Vulnerabilities or Poor Patch Management
  • Resource Consumption Vulnerabilities
  • Breach of NDA by CP
  • CP Liability from Data Loss
  • Bad Log Collection or Retention
  • Bad Filtering

Assets

  • Customer Reputation
  • Customer Trust
  • Employee Loyalty/Experience
  • Intellectual Property
  • Personal Sensitive Data
  • (Critical) Personal Data
  • HR Data
  • (RTS) Service Delivery
  • Access/Authentication/Authorization
  • Credentials
  • User Directory (Data)
  • CP Management Interface
  • Management Interface APIs
  • Network
  • Physical Hardware
  • Physical Buildings
  • CP Source Code
  • Certification
  • Operation Log
  • Security Log
  • Backup/Archive Data

Recommendations

Information Assurance Framework

  1. Assess risk of moving to Cloud
  2. Compare CP offers
  3. Assurance from CP
  4. Reduce assurance burden on CPs by establishing framework for responding
Division of Liabilities
Liability Customer Provider
Lawfulness of Content Security EU Data Protection Laws
Full Due Diligence (ToS) Data Controller
Partial Due Diligence Data Processor
Division of Responsibilities: (S = SaaS, P = PaaS, I = IaaS)
Responsibility Customer Provider
S/I Compliance with DPL of Customer Infra support, security, avail
S/P/I Maintenance/Management of Identity OS patching, hardening
S/P/I Management of Auth Platform Security Platform configuration
S/P/I Systems monitoring
S/P/I Security platform maintenance
S/P/I Logging/Monitoring
S/P/I Configuration of guest security platform Host Systems (hypervisor, etc.)
I Guest systems monitoring
I Maintenance of security platform
I Log collection & security monitoring
I Manage guest OS patch/hardening

Application Security in IaaS

Customers fully own security for cloud-deployed applications

  • Design for the Internet threat model
  • Design or embed standard security countermeasures
  • Prioritize application patch management
  • Use reliable AAA solutions
  • Follow vendor configuration guidance

Government Data

  • Control data location
  • Data classification
  • Isolation guarantees
  • Secure data destruction
  • 2FAC support and enforcement
  • ISO27001/ISO27002

Information Assurance Requirements

1. Personnel Security

  • policies/procedures for employee vetting, regionality of these policies
  • security education program
  • continuous evaluation (security access/privilege reviews)

2. Supply Chain

  • define outsources/subcontracted components
  • procedures for third-party access, audits of third parties
  • third-party redundancy and SLAs
  • contractual security policies and controls for third parties

3. Operational Security

  • change control
  • remote access
  • documented procedures
  • staging/QA

  • logging
  • host/network controls
  • malicious code controls
  • backup policies/procedures

Software Assurance: validate new releases, practices for AppSec, pentests & remediation

Patch Management: cover all layers

Network Architecture: mitigate DDoS, defense in depth, levels of isolation, VLAN security

Host Architecture

  • golden image hardening
  • golden image change control
  • hardcoded credentials

  • minimal firewall
  • HIPS

PaaS Application Security

  • isolation mechanisms for multi-tenancy
  • security features support
  • sandboxing
  • access to your data

SaaS: Administrative and permissions controls, fine-grained access controls

Resource Provisioning:

  • maximum resources in the minimal period
  • speed of scaling
  • how large scale trends are handled

4. CP Identity and Access Management

Authorization:

  • CP system-wide accounts
  • how are high privileged accounts managed
  • authorization for critical decisions
  • segregation of duties
  • RBAC
  • principle of least privilege
  • “break-glass” roles
  • customer Admin

Identity Provisioning: checks on identity at registration, de-provisioning, elevated identity checks

Personal Data Management

  • user directory controls and exportation
  • customer data access as need to know

Key Management

  • CP key control security
  • security controls for usage
  • revocation
  • simultaneity
  • customer system images

Encryption: data sensitivity identification, 2FAC, at rest/in use/in transit

Credential Compromise/Theft: anomaly detection, detection, revocation, evidence collection

5. Customer Identity and Access Management

Identity Management: federation, CP interoperability with third party IdPs, SSO support

Access Control: separation of roles/responsibilities/domains, customer system images

Authentication: mutual and federated authentication

6. Asset Management: automated inventory, sensitive asset classification

7. Portability

  • procedures/APIs for export
  • interoperable export formats
  • SaaS standard APIs
  • export user created applications
  • testing export process
  • self-service export

8. Business Continuity

  • disruption impact calculations
  • root cause analysis
  • customer communication
  • roles/responsibilities
  • recovery prioritization categorization
  • third-party dependencies
  • separation of backup site

9. Incident Management/Response

  • formal process
  • process rehersals
  • detection capabilities
  • customer reports to CP
  • ability for customer MSSP to engage
  • RTSM
  • incident reports
  • log retention
  • HIPS/HIDS support
  • severity leveling
  • escalation procedures
  • documentation/evidence collection
  • defense against insiders
  • forensic imaging
  • incident metrics reporting
  • helpdesk security testing
  • pentest
  • vulnerability assessment

10. Physical Security

  • assurance of physical security
  • who has access
  • access review and revocation
  • risk and perimeter assessment
  • risk assessments (neighboring buildings)
  • control/monitor security access
  • policies for load/install equiptment
  • delivery inspection
  • armored cabling/conduits
  • survey for offsite equiptment
  • employee portable devices
  • access cards
  • media destruction
  • authorization for equiptment movement
  • physical inventory

11. Environmental

  • Policies and procedures
  • natural disasters
  • temperature/humidity
  • lightening strikes
  • backup power, utilities
  • re-evaluation, maintenance schedules

12. Legal requirements

  • geolocation of company
  • geolocation of infrastructure
  • third-party geolocation
  • physial data location
  • jurisdiction for contract terms
  • subcontacts/outsourcing
  • data collection and processing
  • contract termination

13. Legal recommendations: contracts, ToUs, VLAs, SLAs, large organizations can negotiate

14. Legal rights/obligations

  • breach notification
  • data transfer
  • change of control
  • limited liability

Case Study

Identity Management

  • single sign-on
  • single sign-off
  • single identity directory
  • single pane
  • provision/de-provision
  • key management
  • ACLs and policy enforcement