CCSP Domain 1 - Cloud Concepts, Architecture and Design

In this video we will cover:

• Governance, Risk management & Compliance

• Why move to the cloud?

• What problem does cloud computing solve?

In this video you will learn:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.

What is essential is that we must determine why we are moving into the cloud before making any changes. There are many things that cloud computing can provide to a business, but the decisions made must match the company's needs.

We encourage you to learn more about CCSP Domain 1 Introduction to Cloud by watching this video. See you in the next video.

I highly recommend that you download the two attachments here. One is domain 1 from my book Cloud Guardians. The other is the guidance 4.0 from the CSA. I HIGHLY recommend that you read that. All of it ;).

In this video we will cover:

• Governance, Risk management & Compliance

• Where does Security start for Clouds?

• Why do we need a Corporate Security Strategy?

• Where is Data going to be?

• ISMS (Information Security Management System)

In this video you will learn:

The security implemented within a business must forward the company. The corporate strategy and governance guide the security strategy and governance. This guidance must include the cloud and the corporation's relationship to the cloud.

Risk management should drive all decisions within the business.

Corporations must comply with laws and regulations within today's fast-changing threat environment. Audits are used to verify the correct level of compliance is in place.

Information security professionals should plan to get in and out of the cloud. CCSPs should do this planning before any move into the cloud is made.

We encourage you to learn more about GRC CCSP Domain 1 by watching this complete video. See you in the Next Video.

In this video we will cover:

• Three different service models are known as (SaaS), (PaaS) and (IaaS).

• IaaS Shared Responsibility Model.

• PaaS Shared Responsibility Model.

• SaaS Shared Responsibility Model.

• MSP VS. CSP

• Who builds the Cloud?

In this video you will learn:

Cloud computing has three different service models, each satisfying a unique set of business requirements. These three models are known as Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

A shared responsibility model is a cloud security framework that dictates the security obligations of a cloud computing provider and its users to ensure accountability.

MSPs manage technology and infrastructure, usually for private clouds, while CSPs offer the general public access to technology and infrastructure.

Cloud administrators build a cloud structure according to the architect's design, and a cloud storage administrator builds the cloud data storage according to the architect's design.

We encourage you to learn more about CCSP Service Models by watching this complete video. See you in the Next Video.

In this video we will cover:

• Cloud and Its Contracts

In this video you will learn:

In (ISC)² courses and their books focus on service level agreements but there are a lot of other pieces to the contract. One is a master services agreement, which establishes the roles and responsibilities of each other. SLA is something specific like bandwidth or reliability. A privacy level agreement is called a data processing agreement under GDPR in Europe. A PLA informs the cloud provider that you will be storing personal data or (PII) in the cloud and what you expect of their security controls.

We encourage you to learn more about The cloud and its contracts by watching this complete video. See you in the Next Video.

In this video we will cover:

• Cloud Infrastructure

• What we need to build a Cloud.

• Storage Area Network

• Virtualization

• Who runs the Cloud?

• Hypervisor Type 1, Hypervisor Type 2

• Containers

• Application Virtualization

In this video you will learn:

Creating a cloud infrastructure requires a lot of time, effort, and money. The CapEx is spent by the cloud provider leaving the OpEx to the cloud customer.

Virtualization is what makes it possible for a cloud provider to sell IaaS, PaaS, and SaaS. For this to work we need compute, storage, and network services.

You will learn about Hypervisor and its types, containers, and virtualized applications.

We encourage you to learn more about Building the Cloud by watching this complete video. See you in the Next Video.

In this video we will cover:

Cloud Security

• ISO 27002

• NIST SP 800-53

• ISO 27017

• General Grouping Of Controls

• Control Types

• Control Categories

In this video you will learn:

We need to control the clouds that we build. Security controls can be found in two documents: ISO 27002 and NIST SP 800-53. In theory, these documents contain all security controls.

ISO 27017 is the code of practice for Information Security Controls based on ISO/IEC 27002. It is a subset of all the controls that are found inside ISO/IEC 27002 that apply to cloud environments.

Controls can be divided into safeguards and countermeasures. There are three types of controls: administrative, technical, and physical. The controls we choose should be tested and vetted.

We encourage you to learn more about Securing The Cloud by watching this complete video. See you in the Next Video.

In this video we will cover:

• Control Verification

• ISO 15408 Evaluation Assurance Levels

• Testing Cryptography Products

• FIPS 140-2 Levels

In this video you will learn:

The security controls we choose should be tested and vetted. ISO 15408 Common Criteria is a standardized test methodology so that a situation such as A Cisco FW and a Checkpoint FW can be tested by two different labs in two different countries, but the test results can be compared to determine the best FW for a given use.

There are seven levels of the test. The lowest level is 1 and the highest is seven. If we are testing cryptography specific then it is a different document named FIPS 140-2 and 140-3. A standard for the quality of physical security must be within a cryptographic module within a system. There are four levels of FIPS 140-2. One is the lowest and the four is the highest.

We encourage you to learn more about Control verification by watching this complete video. See you in the Next Video.

In this video we will cover:

• A Contract Vs Law

  
  

In this video you will learn:

PCI-DSS is not a law or regulation, basically, it’s a contract. It establishes a requirement to meet the Data Security Standards developed by the Payments Cards Industry. PCI-DSS is a contractual agreement with the payment card company to be able to process card charges and it falls under civil or tort law.

We encourage you to learn more about Intro to PCI by watching this complete video. See you in the Next Video.

In this video we will cover:

• PCI Requirements 1-3

  
  

In this video you will learn:

There are 12 requirements for PCI-DSS. It is highly recommended that you be familiar with the 12 requirements. You should know that building and maintaining a firewall is a part of PCI-DSS requirements, it is not necessary to remember that it is number one on the list though. The second one is: never use vendor-supplied default passwords or configurations. The third is you must protect stored cardholder data.

We encourage you to learn more about PCI Requirements 1-3 by watching this complete video. See you in the Next Video.

In this video we will cover:

• PCI Requirements 4-6

  
  

In this video you will learn:

The fourth is that you must encrypt cardholder data when it is transmitted over a public network. The fifth is that you should use regularly updated antivirus protection. The sixth requirement is to develop and maintain secure systems and applications.

We encourage you to learn more about PCI Requirements 4-6 by watching this complete video. See you in the Next Video.

In this video we will cover:

• PCI Requirements 7-12

  
  

In this video you will learn:

Seven - The next requirement is to restrict access to cardholder data on a need-to-know basis.

Eight - You should have a unique ID for all that have access to the cardholder data.

Nine - It is necessary to physically restrict access to cardholder data, which means the server that maintains the cardholder Information should be protected.

Ten - Track and monitor all network and cardholder data access.

Eleven - Also, you should be testing your security systems regularly.

Twelve - The last requirement is to maintain an information security policy.

We encourage you to learn more about PCI Requirements 7-12 by watching this complete video. See you in the Next Video.

In this video you will cover:

• Threats to the Cloud

• Provider Lock-In, Provider Lock-Out, and Provider Exit

• Guest Escape

• Guest Hopping

• Legal Responsibility

• Serious Control

• Treacherous 12

In this video you will learn:

Provider lock-In- You will have an issue If you are locked into a proprietary platform. Portability is the ability to easily transfer data from one system to another without being required to re-enter data.

Provider lock-Out (Bankruptcy)- It’s a problem from two major perspectives one is that you are locked out of your cloud and you don’t have access to your cloud and the second is that the courts are going to take the assets and sell that to pay the bills and your data is included in those assets.

Provider Exit is that the Cloud provider wants to get out of a line of business.

More problems to discuss within the cloud are Guest escape and Guest hopping.

You will also learn about the legal responsibilities, MITC, hyperJacking, and Treacherous 12.

We encourage you to learn more about Threats to the Cloud by watching this complete video. See you in the Next Video.

In this video we will cover:

• Artificial Intelligence

• Machine Learning

• BlockChain

• Internet Of Things (IoT)

• Quantum Computing

In this video you will learn:

AI aims at the ability of Computers to duplicate the thought process of the human brain. While we work on getting there, at least they can approximate humans' learning, reasoning, and problem-solving capabilities.

Machine learning is simply defined as the ability for Computers to learn using algorithms rather than to be specifically programmed to do something. Machine learning is arguably a subset of AI. The three different types of Machine learning are Supervised Learning, Unsupervised Learning, and Reinforced Learning.

Internet Of Things is a giant network of Connected things like Computers, Light bulbs, IP Cameras, Drilling rigs, pool pumps, and many more.

BlockChain is a timestamped series of unalterable records of data. The blocks of data are bound to each other using cryptographic principles.

You will also learn about Quantum Computing which relies on qubits or quantum bits to store data and information rather than traditional bits in today's Computers.

We encourage you to learn more about Related Technologies by watching this complete video. See you in the Next Video.

In this video we will cover:

• Symmetric Encryption

In this video you will learn:

Symmetric cryptography is also known as a single key, session key, and shared key cryptography because it is a single key that is actually shared between transmitter and receiver. You can use it to encrypt anything, like data, voice, or video. You can also encrypt anything in folders, drives, partitions whatever you want to encrypt, symmetric is great for it. It keeps things confidential.

We encourage you to learn more about Intro to Symmetric by watching this complete video. See you in the Next Video.

In this video we will cover:

• Key Management Interoperability Protocol (KMIP) Specification

• Key Management

• Remote- Key Management

• Client-Side Key Management

In this video you will learn:

Key Management Interoperability Protocol (KMIP) is a communication protocol for the maintenance of keys. It is a single consistent protocol that consists of objects, operations, and attributes.

There are two specific terms in key management, the first is internally managed and the second is externally managed. If the keys are stored in VM then they are internally managed and If not then they are externally managed. In externally managed keys are stored separately from the encryption engine.

Two more very specific terms are remote-key management and client-side key management. In both scenarios, the data is stored in the cloud and the customer has the key. The question to answer is where is the processing done?

In remote-key management, the key is on-premises with the customer, and data encryption/decryption processing is done with the cloud provider. The key is sent to the cloud for processing.

In client-side key management, the key is on-premises with the customer, and data encryption/decryption processing is done on the customer side. Data is sent to the customer for processing.

We encourage you to learn more about Key management by watching this complete video. See you in the Next Video.

In this video we will cover:

• Identity And Access Management

• Identification and Authentication

  
  

In this video you will learn:

We will cover the basics of Identity and Access Management (IAM). With that, we have Identification, Authentication, Authorization, and Accountability (IAAA).

Identification- Statement of who you say you are.
Authentication- Verification of claimed identity.
Authorization- Permissions granted or not.
Accountability- Log created so that someone can be held accountable for their actions.

In authentication, there are three factors.

Factor 1 is something you know, e.g., passwords.

Factor 2 is something we have, such as soft or hard tokens.

Factor 3 is something you are. A biometric which would be behavioral or physiological, such as a fingerprint or a vocal print.

We encourage you to learn more about Basic IAAA Introduction by watching this complete video. See you in the Next Video.

In this video we will cover:

• Single Sign-On

In this video you will learn:

The next important topic to discuss is you try to add Single Sign-On (SSO) to make things easier for users. Sometimes it makes things easier for bad guys as well. The number of accounts, passwords, tokens and other access mechanisms that we have to try and manage in business today is many per user.

Personally, you can think about your bank account, Amazon account, and many other places to log on that you have a user ID and password. It is a lot to manage.

Most people use a single account to log In, for e.g people use Facebook to log in at different places so they don't have to set up more identification and password combinations again and again.

We encourage you to learn more about Single Sign-On by watching this complete video. See you in the Next Video.

In this video we will cover:

• Network Security Group

• Storage Area Network (SAN)

• Fibre Channel

• World Wide Name (WWN)

• iSCSI

In this video you will learn:

Security Groups (SG) or Network Security Groups (NSG) is a virtual LAN protected by a Firewall. Microsoft is using NSGs to secure traffic flow within. It is a little bit of Firewall Logic and a little bit of VLAN Logic combined together.

The more data we have, the more we need a SAN. You can think of a SAN as many massive drives attached to a LAN that is dedicated to this purpose. Storage Area Network we have two protocols, Fibre Channel and iSCSI.

Fibre Channel uses a different addressing scheme of LUNs (Logical Unit Number). If necessary Fibre Channel can be run across Ethernet. SCSI (Small Computer System Interface) protocol runs over TCP/IP. SCSI is a protocol developed by ANSI for attaching something like a printer directly to a computer.

We encourage you to learn more about the NSG and SAN by watching this complete video. See you in the Next Video.

In this video we will cover:

• Cloud Infrastructure Risks

• Egregious 11

In this video you will learn:

There are so many Cloud Issues, there are two documents from Cloud Security Alliance and Egregious is one of them. It is not in the 2022 exam outline, but it is still good to look at. These are significant problems with the cloud today. It is worth your time to look into these and be familiar with them regardless of whether (ISC)2 mentions this document name.

Misconfiguration and Inadequate Change Control is a huge problems today. Moving to the cloud usually means that there will be more virtual machines than you had in the physical environment. Configuration issues are rising to the top of the problems that we are seeing. For example, the AWS S3 has a default configuration that does not include encryption of the stored data.

When you don't carefully control the configurations that you have of the servers that are in the cloud-like routers, switches, and everything that is virtualized it’s gonna be a problem. It leads us to the third risk which is the Lack of Cloud Security Architecture and Strategy.

We encourage you to learn more about Egregious 11 by watching this complete video. See you in the Next Video.

In this video we will cover:

• Egregious 11 6-11

In this video you will learn:

The egregious 11 continues with some threats that have neither changed nor improved. Insider threats and insecure APIs. It is a good idea to be familiar with APIs, but we will address that later.

There are some new threats that have been added (since the Treacherous 12) and they are weak control plane, metastructure, and aplistructure failures as well as limited cloud visibility. The CSA uses the term ‘control plane’ to refer to what is often referred to as the ‘management plane’. You must protect this connection. It is how you, or a hacker, can control your cloud. Again think multi-factor authentication.

We encourage you to learn about Egregious 11 by watching this complete video. See you in the Next Video.