Wednesday, July 31, 2013

CCSK Study - Section 1: Cloud Architecture

I am currently studying for the CCSK and I thought I would post some of my notes here.

These notes are taken from the CSA : Security Guidance for Critical Areas of Focus in Cloud Computing V3.0.

Section 1 covers cloud architecture and contains a single domain, Domain 1, titled Cloud Computing Architectural Framework.

The goal of Domain 1 is to establish a baseline of terminology so as to facilitate the rest of the discussion around cloud security.

  • Cloud computing is defined as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
    • This is the definition from NIST SP 800-145
  • NIST further describes cloud computing by defining essential characteristics, cloud service models, and cloud deployment models.
  • Essential Characteristics
    • Broad Network Access
      • Capabilities are available over the network and accessed via standard protocols, from thin and thick clients alike
    • On-Demand Self Service
      • Customer can provision required capabilities (server time, network, storage) as needed, automatically, without requiring human interaction with the provider
    • Resource Pooling
      • Provider's resources are pooled to serve multiple customers in a "multi-tenant" model, with physical and virtual resources dynamically assigned and reassigned according to demand
      • Provider offers "location independence"
        • Customer is not really aware of where the resources are being provided from
        • Customer has no control over this either (except at a higher level of abstraction, e.g. country, state or datacenter)
      • Security impact: the risk that one tenant gains visibility into, or leaves traces of, operations by other users or tenants
    • Rapid Elasticity
      • Capabilities can be provisioned and released to scale rapidly with demand (outward and inward)
      • Capabilities appear to the customer as "unlimited" and available in any quantity at any time
    • Measured Service
      • Cloud providers leverage a metering capability whereby usage can be monitored, controlled, and reported
  • Service Models
    • Service models build upon each other (i.e. PaaS builds upon IaaS and SaaS builds upon PaaS)
    • IaaS - Infrastructure as a Service
      • Delivers the infrastructure layer (compute, storage, network) and provides a set of APIs that allow management and interaction by consumers
    • PaaS - Platform as a Service
      • Provides integration and middleware services on top of the infrastructure
      • Databases, messaging, queuing and development frameworks
    • SaaS - Software as a Service
      • Self-contained operating environment that is used to deliver the entire user experience, including content, presentation, applications and management
    • Represents a tradeoff of security responsibility between provider and tenant: the lower down the stack the provider stops, the more security capabilities and management the tenant must implement themselves (IaaS leaves the most to the tenant, SaaS the least)
    • "It should be clear in all cases that one can assign/transfer responsibility but not necessarily accountability"
  • Deployment Models
    • Private Cloud
      • Cloud is provisioned for exclusive use by a single organization
      • Can be on or off premises
      • Can be owned, managed and operated by the organization, a 3rd party, or some combination
    • Community Cloud
      • Often treated as a variant of public cloud
      • Provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g. mission, security requirements, policy, compliance)
    • Public Cloud
      • Provisioned for open use by the general public
    • Hybrid Cloud
      • Composition of two or more distinct cloud infrastructures (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology enabling data and application portability
  • Re-perimeterization of the network
    • Basically, trust boundaries are changing and so should the discussion and the terms used
    • Cannot refer to services as "internal vs. external" anymore. For example, a private cloud offering could be considered internal, as it is commissioned for a single customer, yet be located outside the traditional network demarcation points.
    • The risk conversation now has to include
      • Types of assets that are being managed
      • Who manages them and how
      • Who consumes them
      • Which controls are selected and how they are integrated
      • Compliance issues
  • Gap analysis for security controls becomes a collaborative effort
    • Basically, we need to rely on the accuracy and transparency of the cloud provider to disclose the security controls in place (and to provide access to their output). In turn, the organization must know which security controls are required by the compliance model it has chosen.
    • The ability to comply with any requirement is a direct result of the service and deployment models used, and of the design, deployment and management of the resources in scope.
  • Security controls are, for the most part, no different in the cloud than they are in traditional IT environments
    • Maturity of the security posture is defined by the completeness of the risk-adjusted security controls that are implemented
      • Layered (defense-in-depth) approach
      • Controls should be implemented at the people and process level as well as the technical level

My understanding is that the goal of this domain was to provide some basic definitions of cloud computing and to describe some global aspects and problems. The NIST definition is pretty good, but, as described in the recommendations section of this domain, does not describe "Cloud Service Brokers". CSBs seem to be a way of providing a unified model for security, governance, portability, etc. across a number of CSPs. It will be interesting to see how this all takes shape. The cloud presents the same problems as traditional IT, except that it doesn't all reside under your control. The main point here is that while you can assign the responsibility, you as the customer are still accountable for the security of the whole solution. Another point here is that many of the security controls that you would typically put in place must now be placed "in a contract", and that you must have sufficient provisions in that contract to have access to and transparency into those controls.