Path to CCSK: ENISA

Jul 02, 20

The CCSK is the Cloud Security Alliance’s Certificate of Cloud Security Knowledge. It is one of the top two cloud-agnostic security certifications, along with the (ISC)² CCSP (see: CCSK vs CCSP: An Unbiased Comparison). I am currently self-studying for this certificate, and documenting that process.

There are three core documents in the body of knowledge for the CCSK(v4):

ENISA report: Cloud Computing: Benefits, Risks and Recommendations for Information Security
CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4
CSA Cloud Controls Matrix 3.0.1

This post will capture my notes from a review of the ENISA report (a 125 page document).

ENISA: Executive Summary

Scale and flexibility are both friend and foe

The cloud model mainly causes technical change in Scale and Architecture.

Massive distribution and redundancy
Security can benefit from scale
Confidentiality and liability for infrastructure are core concerns
For Governments: Legal, Regulatory, and Public Perception concerns

Contract evaluation and negotiation are key to legal issues

some priorities: rights/obligations for notification of incidents
limitations on liability

Identified research topics:

End-to-end confidentiality, high assurance clouds
Forensics, incident handling, international differences in relevant regulations
resource isolation, interoperability, resilience

Top security benefits:

Standard interfaces to managed security services, auto-update mechanisms
auto-scaling, automatic & cost effective audit/evidence gathering
resource concentration allows cheaper perimeterization and security process application

Top risks:

loss of governance, lock-in, isolation failures, compliance risks
management interface compromise, data handling/protection, data deletion, malicious insiders

You can’t outsource accountability

Definition

Cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computing technologies.

abstracted, shared, pay-as-you-go resources
fast scalability, flexibility, and provisioning
programmatic management
spans IaaS, PaaS, SaaS, as well as Public, Private, and Partner clouds

Security Benefits

Benefits of scale
- cost reduction for filtering, patch management, hardening, redundancy, access control enforcement, robust identity management
- locations and redundancy, edge networks
- providers’ specialist threat management
CP’s known security posture as a market differentiator
Standard interfaces to managed security services
Smart scaling, cost effective log storage
Mandatory audit and SLAs

Risks

Risk is a balance of opportunity and appetite
- Cloud risk should be looked at as a delta from on-premises
- Risk is heavily coupled to cloud architecture
- Some risk is transferable to the CP

Policy & Organizational

Lock-in: hard to migrate in, out, or across clouds. Providers are not incentivized to reduce.
- SaaS: export/import routines need to be customized
- PaaS: platform specific API, component, and data lock-in
- IaaS: non-open virtual machine standards
Loss of Governance: control is ceded to the CP. Conflicts may exist between CP and customer hardening standards. CP outsourcing and acquisition are both high risks.
Compliance challenges: CP compliance, ability for customer audits, and some compliance may not be supported by/in the CP.
Co-tenant activities: IP blacklists, subpoenas
Service termination/failure: CP business or service failure
CP Acquisition: Could result in a strategic shift
Supply Chain Failures: Keep an eye out for transparency in contracts, especially on any outsourcing related to core IT services

Technical

Resource Exhaustion: service unavailability, fail-open, infrastructure oversizing (failures of compartmentalization)
Isolation Failure: failure of mechanisms including storage, memory, routing, reputation
CP Malicious Insider: in addition to CP employees as targets
Management Interface Compromise: internet accessibility, mediates broad access
Interface Data in Transit: distribution of cloud infrastructure, confidentiality or non-disclosure
Data Leakage (between CP & customer): on up/download, intra-cloud
Ineffective Data Deletion: “true data wiping” requirement, effective encryption can be mitigation
DDoS
1. Economic DDoS: identity theft, lack of limits on paid resources, metered resources use via public channel
Loss of Encryption Keys
Malicious Probes/Scans: customer to customer
Compromise of Service Engine: hypervisor failures, check for CP segregation of responsibilities
Conflicts between customer hardening and CP: “shared responsibility model”, technology, policy, and transparency

Legal Risks

Subpoena & E-discovery: jurisdiction, lack of resource isolation
Changes of Jurisdiction: data centers in autocratic or otherwise high-risk jurisdictions
Data Protection: hard to vet CPs data processing, compliance with data protection laws, CP breach notifications, customer loss of data control
Licensing: per seat licenses or online validation, intellectual property clauses

Non-Cloud Risks

Network Outage
Network Management
Modifying Network Traffic
Privilege Escalation
Social Engineering
Operational Log Compromise
Security Log Compromise
Lost/Stolen Backups
Physical Data Center Compromise
Theft of Computer Equipment
Natural Disasters

Vulnerabilities (Cloud)

AAA
- storage of credentials, insufficient role complexity/availability, credentials on transitory machines
- password based attacks are more impactful (so use 2FAC!)
User Provisioning
- identity at registration, sync delays, credential interception/relays
User De-Provisioning
- revocation delays
Remote Access to Management Interfaces
Hypervisor Vulnerabilities
- guest-to-host mistake
Lack of Resource Isolation
- cartography, co-residence, side-channels
- ToS/SLA enforcement
Reputational Isolation
Encryption Vulnerabilities
- MITM attacks, self-signed certificates, bad authentication
Lack of or Weak Encryption (at rest of in transit)
- key management
Process Encrypted Data (impossibility)
- CP must be trusted
Poor Key Management
- HSM distribution, Internet Key Management Interfaces, revocation
CRNG Key Generation
- shared cloud systems may have less entropy
Lack of Standards
- lock-in, can block MSSPs usage
No Source Escrow
Inaccurate Modeling of Resource Usage
- resource provisioning algorithm failures, extraordinary events, failures of allocation
No Control over Vulnerability Assessment Process
- ToU problem
Internal Network Probing
Co-residence Checks
Lack of Forensic Readiness
Sensitive Media Sanitization
- problem of shared tenancy
Cloud-external Contracts/Responsibilities
- shared responsibility model
Cross-cloud Dependencies
- third-parties, sub-contractors
SLA conflicts, SLA with excessive business risk
CP Lacks Audit/Certification
Cloud Infrastructure not Supported by Certifications
Inadequate CP Investment in Infrastructure
CP Lacks Policies for Resource Capping
Data Storage Jurisdictions
Lack of Transparency in ToU

Vulnerabilities (non-cloud)

Lack of Security Awareness
Lack of Vetting of CP Staff
Unclear Roles within CP
Poor Role Enforcement
Lack of Need to Know
Lack of Physical Security
Misconfiguration
System or OS Vulnerabilities
Untrusted Software
Bad Business Continuity
Bad Asset Inventory
Bad Asset Classification
Unclear Asset Ownership
Poor Identification of Project Requirements
Poor Provider Selection
Lack of Supplier Redundancy
App Vulnerabilities or Poor Patch Management
Resource Consumption Vulnerabilities
Breach of NDA by CP
CP Liability from Data Loss
Bad Log Collection or Retention
Bad Filtering

Assets

Customer Reputation
Customer Trust
Employee Loyalty/Experience
Intellectual Property
Personal Sensitive Data
(Critical) Personal Data
HR Data
(RTS) Service Delivery
Access/Authentication/Authorization
Credentials
User Directory (Data)
CP Management Interface
Management Interface APIs
Network
Physical Hardware
Physical Buildings
CP Source Code
Certification
Operation Log
Security Log
Backup/Archive Data

Recommendations

Information Assurance Framework

Assess risk of moving to Cloud
Compare CP offers
Assurance from CP
Reduce assurance burden on CPs by establishing framework for responding

Division of Liabilities
Liability	Customer	Provider
Lawfulness of Content	Security	EU Data Protection Laws
Full	Due Diligence (ToS)	Data Controller
Partial	Due Diligence	Data Processor

Division of Responsibilities: (S = SaaS, P = PaaS, I = IaaS)
Responsibility	Customer	Provider
S/I	Compliance with DPL of Customer	Infra support, security, avail
S/P/I	Maintenance/Management of Identity	OS patching, hardening
S/P/I	Management of Auth Platform	Security Platform configuration
S/P/I		Systems monitoring
S/P/I		Security platform maintenance
S/P/I		Logging/Monitoring
S/P/I	Configuration of guest security platform	Host Systems (hypervisor, etc.)
I	Guest systems monitoring
I	Maintenance of security platform
I	Log collection & security monitoring
I	Manage guest OS patch/hardening

Application Security in IaaS

Customers fully own security for cloud-deployed applications

Design for the Internet threat model
Design or embed standard security countermeasures
Prioritize application patch management
Use reliable AAA solutions
Follow vendor configuration guidance

Government Data

Control data location
Data classification
Isolation guarantees
Secure data destruction
2FAC support and enforcement
ISO27001/ISO27002

Information Assurance Requirements

1. Personnel Security

policies/procedures for employee vetting, regionality of these policies
security education program
continuous evaluation (security access/privilege reviews)

2. Supply Chain

define outsources/subcontracted components
procedures for third-party access, audits of third parties
third-party redundancy and SLAs
contractual security policies and controls for third parties

3. Operational Security

change control
remote access
documented procedures
staging/QA
logging
host/network controls
malicious code controls
backup policies/procedures

Software Assurance: validate new releases, practices for AppSec, pentests & remediation

Patch Management: cover all layers

Network Architecture: mitigate DDoS, defense in depth, levels of isolation, VLAN security

Host Architecture

golden image hardening
golden image change control
hardcoded credentials
minimal firewall
HIPS

PaaS Application Security

isolation mechanisms for multi-tenancy
security features support
sandboxing
access to your data

SaaS: Administrative and permissions controls, fine-grained access controls

Resource Provisioning:

maximum resources in the minimal period
speed of scaling
how large scale trends are handled

4. CP Identity and Access Management

Authorization:

CP system-wide accounts
how are high privileged accounts managed
authorization for critical decisions
segregation of duties
RBAC
principle of least privilege
“break-glass” roles
customer Admin

Identity Provisioning: checks on identity at registration, de-provisioning, elevated identity checks

Personal Data Management

user directory controls and exportation
customer data access as need to know

Key Management

CP key control security
security controls for usage
revocation
simultaneity
customer system images

Encryption: data sensitivity identification, 2FAC, at rest/in use/in transit

Credential Compromise/Theft: anomaly detection, detection, revocation, evidence collection

5. Customer Identity and Access Management

Identity Management: federation, CP interoperability with third party IdPs, SSO support

Access Control: separation of roles/responsibilities/domains, customer system images

Authentication: mutual and federated authentication

6. Asset Management: automated inventory, sensitive asset classification

7. Portability

procedures/APIs for export
interoperable export formats
SaaS standard APIs
export user created applications
testing export process
self-service export

8. Business Continuity

disruption impact calculations
root cause analysis
customer communication
roles/responsibilities
recovery prioritization categorization
third-party dependencies
separation of backup site

9. Incident Management/Response

formal process
process rehersals
detection capabilities
customer reports to CP
ability for customer MSSP to engage
RTSM
incident reports
log retention
HIPS/HIDS support
severity leveling
escalation procedures
documentation/evidence collection
defense against insiders
forensic imaging
incident metrics reporting
helpdesk security testing
pentest
vulnerability assessment

10. Physical Security

assurance of physical security
who has access
access review and revocation
risk and perimeter assessment
risk assessments (neighboring buildings)
control/monitor security access
policies for load/install equiptment
delivery inspection
armored cabling/conduits
survey for offsite equiptment
employee portable devices
access cards
media destruction
authorization for equiptment movement
physical inventory

11. Environmental

Policies and procedures
natural disasters
temperature/humidity
lightening strikes
backup power, utilities
re-evaluation, maintenance schedules

12. Legal requirements

geolocation of company
geolocation of infrastructure
third-party geolocation
physial data location
jurisdiction for contract terms
subcontacts/outsourcing
data collection and processing
contract termination

13. Legal recommendations: contracts, ToUs, VLAs, SLAs, large organizations can negotiate

14. Legal rights/obligations

breach notification
data transfer
change of control
limited liability

Case Study

Identity Management

single sign-on
single sign-off
single identity directory
single pane
provision/de-provision
key management
ACLs and policy enforcement