How CSA helps shape properly secured cloud services through CCSK and CCM
Tanat Tonguthaisri https://LinkedIn.com/in/epicure/

Agenda
(1) In your current role at xxxx, as a xxxx, you do xxx (insert your job description). Can you tell us about what your job involves?
(2) Can you share with us some complexities in managing cloud computing projects?
(3) In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?
(4) What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?
(5) How does CCM help communicate with customers?
(6) What's the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?
(7) Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why?
(8) What is the best advice you will give to IT professionals in order for them to scale new heights in their careers?

Days of Future Past (1) In your current role at xxxx, as a xxxx, you do xxx (insert your job description). Can you tell us about what your job involves?

Next Endeavour (1) In your current role at xxxx, as a xxxx, you do xxx (insert your job description). Can you tell us about what your job involves?

(2) Can you share with us some complexities in managing cloud computing projects? The contractor controls access to applications and data on the cloud. Monitoring is not easy for Thai cloud.

(3) In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls? As the contracting office, designated officers should have at least read access to cloud resources.
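One way to act on that tip is to check the access a contractor grants to the contracting office before accepting it: the officers' role must cover the resources they are meant to watch, and it must grant nothing beyond read access. The following is an added example, not code from the slides or from CSA. It assumes an AWS-style IAM policy document (AWS is named later in the deck); the policy itself is constructed, and treating actions whose verb starts with Get/List/Describe/View/Lookup as read-only is a heuristic assumption, not an AWS API.

```python
"""Audit an oversight role's IAM-style policy: flag write actions and report
required read actions that the policy does not cover.
Assumption: AWS-style policy JSON; 'read-only' is approximated by verb prefix."""
import fnmatch
import json

# Verb prefixes treated as read-only (heuristic assumption, not an official list).
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "View", "Lookup")

# Constructed sample: a policy a contractor might hand to the contracting office.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:ListBucket", "s3:GetObject",
                    "cloudtrail:LookupEvents", "logs:GetLogEvents"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "s3:PutObject",  # write action that an oversight role should not have
         "Resource": "arn:aws:s3:::contract-reports/*"},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only_action(action):
    """'service:Verb*' counts as read-only when the verb starts with a read prefix.
    A bare '*' grants everything and is never read-only."""
    if action == "*":
        return False
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def audit_oversight_policy(policy_json, required_actions):
    """Return (write_actions, missing_required).
    Only Allow statements are examined; Deny statements are ignored here."""
    policy = json.loads(policy_json)
    allowed = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        allowed.extend(_as_list(stmt.get("Action", [])))
    write_actions = sorted(a for a in allowed if not is_read_only_action(a))
    # A required action is covered if any allowed pattern matches it (wildcards allowed).
    missing = sorted(req for req in required_actions
                     if not any(fnmatch.fnmatchcase(req, pat) for pat in allowed))
    return write_actions, missing


if __name__ == "__main__":
    # Constructed list of what the designated officers need to be able to see.
    required = ["ec2:DescribeInstances", "s3:ListBucket",
                "cloudtrail:LookupEvents", "iam:ListUsers"]
    writes, missing = audit_oversight_policy(SAMPLE_POLICY, required)
    print("write actions to remove:", writes)
    print("read access still missing:", missing)
```

The two lists are the negotiation points with the contractor: write actions are removed from the oversight role, and missing read actions are added, so the officers can monitor without being able to change anything.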

Motivation What made you decide to earn your CCSK?

CCSK Plus #1, November 2014

Nantawan Wongkachonkitti, Ph.D. CIO & Deputy Manager General of Student Loan Funds, first CCSK passer in Thailand

Two attempts per CCSK exam token

Preparation What part of the material from the CCSK has been the most relevant in your work and why? DEPA program KMITL

CCSK, CCSP & vendor-specific cert What's the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important? Broad and general knowledge, plus overall best practices. AWS, Azure, GCP, Alibaba, Huawei, Tencent

Certificate vs Certification A certification recognizes a candidate's knowledge, skills and abilities, typically as framed by a job role. A certificate's scope is narrower, and only provides proof of completing a training course.

Certificate vs Certification A certification grants a candidate access to a membership organization, and almost always requires an annual continuing professional education (CPE) commitment to maintain the certification. But a certificate does not often associate one with any membership organization, and the body of knowledge gained does not evolve over time or require a CPE.

CCSP
Domain 1. Cloud Concepts, Architecture and Design
Domain 2. Cloud Data Security
Domain 3. Cloud Platform and Infrastructure Security
Domain 4. Cloud Application Security
Domain 5. Cloud Security Operations
Domain 6. Legal, Risk and Compliance

CCSK

On-demand self-service A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Rapid elasticity Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Without the essential characteristics, it can never be a "proper" cloud service, but rather a Virtual Private Server (VPS).

Data Security Lifecycle

Common networks underlying IaaS

Software Defined Perimeter

Deployment pipeline for creating images for immutable VMs or containers.

Virtual networks move packets in software and monitoring can't rely on sniffing the physical network connections.
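Because the packets never cross a wire the customer can tap, monitoring of a virtual network has to be built from the telemetry the provider exposes. The following is an added example, not from the slides or from CSA: it assumes AWS VPC flow logs in their default (version 2) record format, which is real, and summarises them to spot a source that is repeatedly rejected on many different ports, a pattern a physical-network sniffer would never see here. The log lines are constructed for the example.

```python
"""Summarise AWS VPC flow log records (default format, version 2) to find
sources whose rejected flows touched many distinct destination ports.
Assumption: default flow log format; the sample records are constructed."""
from collections import defaultdict

# Field order of the default VPC flow log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample: two normal flows, four rejected probes from one host,
# and one NODATA record (fields are '-' when no traffic was observed).
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.15 10.0.2.20 51234 22 6 8 1210 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.15 10.0.2.20 51235 443 6 25 9800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.3.99 10.0.2.20 40001 21 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.3.99 10.0.2.20 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.3.99 10.0.2.20 40003 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.3.99 10.0.2.20 40004 5900 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per usable record.
    Lines with the wrong field count (custom formats) and records whose
    log_status is not OK (NODATA/SKIPDATA, all '-' fields) are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def rejected_ports_by_source(records):
    """Map srcaddr -> set of destination ports on which its flows were rejected."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return ports


def find_probing_sources(text, min_ports=3):
    """Sources whose rejected flows reached at least min_ports distinct ports."""
    by_src = rejected_ports_by_source(parse_flow_log(text))
    return sorted(src for src, p in by_src.items() if len(p) >= min_ports)


if __name__ == "__main__":
    print("sources rejected on multiple ports:", find_probing_sources(SAMPLE_FLOW_LOG))
```

The threshold of three distinct rejected ports is a starting point for the example; in practice it is tuned per environment, and the same per-source summary feeds the audit logging and intrusion detection controls listed under the CCM's Infrastructure & Virtualization Security domain.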

Incident Response Lifecycle

Secure application design and development phases

Continuous deployment pipeline

Managing data migrations to the cloud.

SECaaS https://cloudsecurityalliance.org/research/artifacts/?term=security-as-a-service
1. Identity and Access Management
2. Data Loss Prevention
3. Web Security
4. Email Security
5. Security Assessments
6. Intrusion Management
7. Security Information and Event Management
8. Encryption
9. BC/DR
10. Network Security

The current list of Related Tech includes:
• Big Data
• Internet of Things (IoT)
• Mobile devices
• Serverless computing

(5) How does CCM help communicate with customers?
https://downloads.cloudsecurityalliance.org/initiatives/ccm/CSA_CCM_v3.0.xlsx
https://docs.google.com/presentation/d/1qFr9Mm8jiCzfm2roGsfhTR8GaUKwudfgw-tJLYOwnfg/edit?usp=sharing

CCM's Control Domains
1. Application & Interface Security
2. Audit Assurance & Compliance
3. Business Continuity Management & Operational Resilience
4. Change Control & Configuration Management
5. Data Security & Information Lifecycle Management
6. Datacenter Security
7. Encryption & Key Management
8. Governance and Risk Management
9. Human Resources
10. Identity & Access Management
11. Infrastructure & Virtualization Security
12. Interoperability & Portability
13. Mobile Security
14. Security Incident Management, E-Discovery & Cloud Forensics
15. Supply Chain Management, Transparency and Accountability
16. Threat and Vulnerability Management

Application & Interface Security
1. Application Security
2. Customer Access Requirements
3. Data Integrity
4. Data Security / Integrity

Audit Assurance & Compliance
1. Audit Planning
2. Independent Audits
3. Information System Regulatory Mapping

Business Continuity Management & Operational Resilience
1. Business Continuity Planning
2. Business Continuity Testing
3. Datacenter Utilities / Environmental Conditions
4. Documentation
5. Environmental Risks
6. Equipment Location
7. Equipment Maintenance
8. Equipment Power Failures
9. Impact Analysis
10. Management Program
11. Policy
12. Retention Policy

Change Control & Configuration Management
1. New Development / Acquisition
2. Outsourced Development
3. Quality Testing
4. Unauthorized Software Installations
5. Production Changes

Data Security & Information Lifecycle Management
1. Classification
2. Data Inventory / Flows
3. eCommerce Transactions
4. Handling / Labeling / Security Policy
5. Information Leakage
6. Non-Production Data
7. Ownership / Stewardship
8. Secure Disposal

Datacenter Security
1. Asset Management
2. Controlled Access Points
3. Equipment Identification
4. Off-Site Authorization
5. Off-Site Equipment
6. Policy
7. Datacenter Security - Secure Area Authorization
8. Unauthorized Persons Entry
9. User Access

Encryption & Key Management
1. Entitlement
2. Key Generation
3. Sensitive Data Protection
4. Storage and Access

Governance and Risk Management
1. Baseline Requirements
2. Data Focus Risk Assessments
3. Management Oversight
4. Management Program
5. Management Support/Involvement
6. Policy
7. Policy Enforcement
8. Policy Impact on Risk Assessments
9. Policy Reviews
10. Risk Assessments
11. Risk Management Framework
12. Risk Mitigation / Acceptance

Human Resources
1. Asset Returns
2. Background Screening
3. Employment Agreements
4. Employment Termination
5. Industry Knowledge / Benchmarking
6. Mobile Device Management
7. Non-Disclosure Agreements
8. Roles / Responsibilities
9. Technology Acceptable Use
10. Training / Awareness
11. User Responsibility
12. Workspace

Identity & Access Management
1. Audit Tools Access
2. Credential Lifecycle / Provision Management
3. Diagnostic / Configuration Ports Access
4. Policies and Procedures
5. Segregation of Duties
6. Source Code Access Restriction
7. Third Party Access
8. Trusted Sources
9. User Access Authorization
10. User Access Reviews
11. User Access Revocation
12. User ID Credentials
13. Utility Programs Access

Infrastructure & Virtualization Security
1. Audit Logging / Intrusion Detection
2. Change Detection
3. Clock Synchronization
4. Information System Documentation
5. Management - Vulnerability Management
6. Network Security
7. OS Hardening and Base Controls
8. Production / Non-Production Environments
9. Segmentation
10. VM Security - vMotion Data Protection
11. VMM Security - Hypervisor Hardening
12. Wireless Security

Interoperability & Portability
1. APIs
2. Data Request
3. Policy & Legal
4. Standardized Network Protocols
5. Virtualization

Mobile Security
1. Anti-Malware
2. Application Stores
3. Approved Applications
4. Approved Software for BYOD
5. Awareness and Training
6. Cloud Based Services
7. Compatibility
8. Device Eligibility
9. Device Inventory
10. Device Management
11. Encryption
12. Jailbreaking and Rooting
13. Legal
14. Lockout Screen
15. Operating Systems
16. Passwords
17. Policy
18. Remote Wipe
19. Security Patches
20. Users

Security Incident Management, E-Discovery & Cloud Forensics
1. Contact / Authority Maintenance
2. Incident Management
3. Incident Reporting
4. Incident Response Legal Preparation
5. Incident Response Metrics

Supply Chain Management, Transparency and Accountability
1. Data Quality and Integrity
2. Incident Reporting
3. Network / Infrastructure Services
4. Provider Internal Assessments
5. Supply Chain Agreements
6. Supply Chain Governance Reviews
7. Supply Chain Metrics
8. Third Party Assessment
9. Third Party Audits

Threat and Vulnerability Management
1. Anti-Virus / Malicious Software
2. Vulnerability / Patch Management
3. Mobile Code

Scope Applicability
1. AICPA, TS Map
2. AICPA, Trust Service Criteria (SOC 2 Report)
3. BITS Shared Assessments, AUP v5.0
4. BITS Shared Assessments, SIG v6.0
5. BSI Germany
6. CCM V1.X
7. COBIT 4.1
8. CSA Enterprise Architecture / Trust Cloud Initiative
9. CSA Guidance V3.0
10. ENISA IAF
11. FedRAMP Security Controls (Final Release, Jan 2012) - LOW IMPACT LEVEL
12. FedRAMP Security Controls (Final Release, Jan 2012) - MODERATE IMPACT LEVEL
13. GAPP (Aug 2009)
14. HIPAA / HITECH Act
15. ISO/IEC 27001-2005
16. Jericho Forum
17. NERC CIP
18. NIST SP800-53 R3
19. NZISM
20. PCI DSS v2.0

ENISA's Cloud Computing Risk Assessment
European Network and Information Security Agency (now the European Union Agency for Cybersecurity)
https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment
1. Security benefits of cloud computing
2. Risk assessment
3. Risks
3.1 Policy and organizational risks
3.2 Technical risks
3.3 Legal risks
3.4 Risks not specific to the cloud
4. Vulnerabilities
5. Assets
6. Recommendations and key messages
6.1 Information assurance framework
6.2 Information assurance requirements
6.3 Research recommendations, e.g. trust in the cloud, data protection, large-scale systems engineering

(7) Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why? CCSK then CCAK to understand how to assess proper cloud services.

(8) What is the best advice you will give to IT professionals in order for them to scale new heights in their careers? In organizations that can never keep up with ever-expanding IT resources, cloud is a must. To know how to manage cloud resources and maintain reliable and resilient cloud operations, one needs proper cloud certification.