Cloud Security Knowledge Sharing By Guy-Bertrand Kamga

To promote a Secure Cloud-Based Digital Transformation

Tag: Cloud Security

Key milestone in my Multi-Cloud Security expertise development

I’m very glad of what has been accomplished so far in the development of my Multi-Cloud Security expertise.

I started this journey after having completed 3 vendor neutral security certifications (CISSP & CCSK in 2014 and CCSP in 2016).

Then, I decided to focus on the leading cloud IaaS platform (AWS) with the completion of its Solutions Architect and Security Specialty certifications in 2019.

The journey continues with the successful completion of Azure Security, Google Cloud Security and Google Cloud Architect certifications in April, May and November 2021 respectively.

I want to thank Nokia for providing a working environment which makes possible such Multi-Cloud Security expertise development.

Special thanks to learning platforms such as Udemy, Pluralsight, Qwiklabs and Whizlabs, which provide useful self-paced content to prepare for those certifications.

Certification badges: AWS SAA, AWS SCS, AZ SEC, Google Cloud PCSE

Defining Effective Cloud Security Baseline

One key aspect of an effective Cloud Security Strategy is to have an organizational Cloud Security Policy defined and enforced.

An organization adopting cloud technologies without an effective Cloud Security Policy will certainly put itself at risk.

I released an article entitled “How to define and implement an effective Cloud Security Policy” on Peerlyst security community, showing how an organization can formalize how it wants to benefit from the cloud technologies without jeopardizing its assets.

To facilitate and support a seamless & effective application of its Cloud Security Policy, an organization should define the subsequent Cloud Security Baselines, describing how its Cloud Security Policy should be implemented within each main cloud platform or solution.

For this purpose, I released on the Peerlyst security community a couple of articles that share some insights about the establishment of effective Cloud Security Baselines.

Those articles include:

  1. How to define effective Cloud Security Baselines
  2. How to define effective Cloud Security Baselines – Part 2
  3. How to define effective Cloud Security Baselines – Part 3: Application to Microsoft Azure

Introduction to Microsoft Azure Security

According to several studies including the RightScale 2018 State of the Cloud Report, although Amazon Web Services (AWS) remains the leading platform in the public IaaS/PaaS worldwide cloud market, the adoption of Microsoft Azure is growing faster than for AWS.

Thanks to the significant Microsoft footprint (e.g. Windows OS, Office tools, Active Directory, etc.) within most organizations, Microsoft Azure is being selected as a strategic platform for implementing public and/or hybrid cloud solutions.

If this is the case for your organization, and/or you want to understand the Microsoft Azure security capabilities, the series of posts I released on Peerlyst (web community of security professionals) might interest you.

These posts include:


Dealing with Shared Responsibility Model in public Cloud

Cloud computing radically changes the way computing services are provided and consumed, so both cloud service providers and cloud service customers need to adapt themselves to this new information technology service delivery model.

On one hand, for public cloud services, customers rent resources (e.g. software or applications, platforms, servers, etc.) running on platforms owned and operated by external service providers. Cloud customers generally pay for the services in proportion to their consumption (known as the pay-as-you-go billing or pricing model), and they can automatically scale (horizontally or vertically) based on their needs. These are only a few of the numerous benefits of public clouds.

On the other hand, public clouds are platforms shared between several customers (including competitors, hackers, criminal organizations, etc.). That’s why, since the launch of the first public cloud service offering by Amazon Web Services (AWS) in 2006, security and compliance risks have always been among the top barriers to public cloud adoption.

When it comes to security in the public cloud, one of the main concepts to understand is the Shared Responsibility Model.

I released on Peerlyst (web community of security professionals) a series of 3 posts focusing on the shared responsibility in public cloud.

In the first post, you will learn some tips that help you understand how the security responsibility is shared between the Cloud Service Provider (CSP) and the Cloud Service Customer (CSC), and how a cloud customer should consider this aspect during the definition and implementation of its cloud security strategy.

In the second post of the series, I provided some tips that can help a CSC to have a detailed view of the shared responsibility in public cloud. I particularly highlighted how important a clear understanding of the chain of responsibility on both the CSP and CSC sides is, as well as the key role of a cloud security RACI matrix.

In that second post, I also briefly introduced a Cloud Responsibility Checklist which can help a CSC to evaluate to what extent its security responsibilities in a public cloud are under control.

In the third and last post of the series, I proposed a process that can be used by a CSC to keep control of the shared responsibility model in public cloud. This process includes the following 3 main steps:

  • Clarification of the responsibility scope
  • Identification and agreement on the responsibility delimitation with the CSP & partners
  • Evaluation of the alignment to the CSC’s cloud strategy

This process can help a CSC not only to ensure that it understands and takes care of its responsibilities in the cloud, but also to make sure that the CSP, as well as all involved partners, have formally agreed with the CSC on their scope of responsibility.

Pyramidal view of Cloud Security Risks

As I described in most of my previous articles, defining and implementing an effective cloud security strategy requires the involvement of several stakeholders within and outside of an organization.

Indeed, defining and implementing the cloud security strategy within an organization should include people from diverse entities, including:

  • Business Groups or Units
  • Information Technology (IT)
  • Cyber Security
  • Procurement and Supply Chain
  • Legal & Compliance
  • External partners (Cloud Service Providers, IT partners, Managed Service Providers, etc.)

Having all these diverse profiles involved ensures, on one hand, that most aspects will be taken into account in the cloud security strategy; on the other hand, it may lead to endless debates, as the members will not have the same level of knowledge in terms of cloud computing.

Learn in this article posted on the Peerlyst community the common stakeholders’ positions or attitudes with regard to cloud security, as well as the multi-level or pyramidal view of cloud security risks.

Introduction to Cloud Governance

Cloud Computing is very attractive as a business transformation enabler, but obtaining the maximum benefits from the cloud does not come by default.

Learn in this article published on Peerlyst Community how to leverage Cloud Governance to make your cloud adoption a success for your organization.

Test your Cloud Security Knowledge

Test your Cloud Security Knowledge (English or French)

Whether you are a Cloud or a Security specialist learning Cloud Security, you can anonymously test your Cloud Security knowledge using one of the following quizzes, each including several multiple choice questions:

Some questions come from the (ISC)2 official study guide for the CCSP certification.

7 steps to become a CCSP (Certified Cloud Security Professional)

If you are in one of the following situations:

  • looking for a new IT Security Certification
  • looking for a way to challenge your Cloud Security knowledge and expertise
  • looking for a vendor-neutral Cloud Security Certification
  • planning to pass the CCSP but don’t know what effort it requires

Learn in this article how to get the CCSP certification, one of the highest cloud security certifications recognized in the industry.

1) Start by learning some facts about the CCSP

The below table lists the number of CCSP vs CISSP in OECD countries as of Jan 1, 2018.

Number of CCSP vs CISSP in OECD Countries as of Jan 1, 2018

The number of CCSP for all countries can be found in this (ISC)2 website.

2) Check the CCSP‘s pre-requisites or requirements

CCSP requires 5 years of cumulative, paid and full-time work experience in IT, including 3 years in information security and 1 year in one or more of the 6 domains of the CCSP Common Body of Knowledge (CBK).

CCSP Common Body of Knowledge (CBK)

Important: earning the CSA’s CCSK (Certificate of Cloud Security Knowledge) can be substituted for one year of experience in one or more of the six domains of the CCSP CBK. Earning the (ISC)2 CISSP (Certified Information Systems Security Professional) can be substituted for the whole of the CCSP’s experience requirements.

3) Review the potential CCSP’s benefits

  • Instant credibility and differentiation (earn trust from your clients or senior leadership)
  • Unique recognition (highest standard for cloud security expertise)
  • Staying ahead (keep you current on evolving technologies, new threats and new mitigation strategies)
  • Versatility (vendor-neutral, valuable across a variety of different cloud platforms)
  • Career advancement (e.g. moving from internal subject matter expert to more strategic roles)

4) Check if the CCSP is appropriate for you

Ideal candidates for CCSP are generally people working (or planning to work) with cloud technologies as:

  • Systems Engineer
  • Systems Architect
  • Enterprise Architecture
  • Security Engineer
  • Security Analyst
  • Security Architecture
  • Security Consultant
  • Security Administrator
  • Security Manager

5) Select the right training format

Several training formats are available to prepare for CCSP. Depending on your level of cloud security knowledge and funding capabilities, one of the following formats can be selected:

  • In-person training seminars (classroom based training or private on-site training), 5 full days (40 hours)
  • Online training seminars (instructor-led or self-paced training), 2 to 3 months (2 to 5 hours per week)
  • Self-study using the (ISC)2 CCSP official study guide book available on Amazon’s e-commerce site and covering 100% of CCSP exam objectives.

The self-paced online training or self-study requires less budget and gives more flexibility to CCSP candidates, but they are appropriate for candidates who already have enough experience in the 6 domains of the CCSP CBK.

A training seminar with an instructor would be appropriate for those having less experience in the 6 domains of the CCSP CBK.

Whatever the selected training format, several additional study tools are available for free on the (ISC)2 website.

6) Schedule for the exam

When you are ready, you must schedule your exam in a Pearson Vue testing center.

The CCSP exam has the same structure as the CISSP exam, but with fewer questions and a shorter duration:

  • Duration: 4 hours
  • Number of questions: 125
  • Question format: Multiple choice
  • Passing grade: 700 out of 1000 points
  • Available language: English

7) Maintain the CCSP

To maintain the CCSP certification, you need to:

  • Abide by the (ISC)² Code of Ethics
  • Earn and post 30 Continuing Professional Education (CPE) credits per year
  • Pay your Annual Maintenance Fee (AMF), USD$100 per year

Additional information to prepare for the CCSP can be found on the (ISC)2 website.

Cloud Usage Profile driven Cloud Security Strategy

Agile & Effective Cloud Security Strategy: A Cloud Usage Profile based approach

Your organization (like many other organizations around the world) is certainly looking to transform its business by leveraging cloud services.

You (as a CEO, CIO, CISO, Security Manager, Solutions/Services Owner, Cloud Subject Matter Expert, etc.) are probably facing the following challenges:

  • Do we have a clear Cloud Strategy for our organization?
  • Do we know the real Cloud Usage within our organization?
  • How different is our real Cloud Usage compared to our target Cloud Usage?
  • Is our Cloud Usage compliant with the industry standards & best practices?
  • Is our Cloud Usage compliant with the relevant laws & regulations?
  • Does our Cloud Usage put our organization at risk?

Learn in this article how you can define & maintain an Agile & Effective Strategy to address the above challenges.

Diverse and increasing usage of Cloud Services

Thanks to the promised benefits of cloud computing (e.g. flexibility, pay as you go model, reduced time to market, less capital costs, improved business continuity & disaster recovery, collaboration, etc.), organizations are currently using various types of cloud services (e.g. for content/file sharing, application development, hosting, business intelligence, etc.).

According to the latest cloud usage trends published in Skyhigh’s Cloud Adoption & Risk Report, the total number of cloud services can exceed 1400 for the average organization, which represents an increase of roughly 24% in 1 year.

Developing and maintaining an agile & effective Cloud Security Strategy to address the security risks inherent to these diverse cloud usages therefore becomes more and more challenging.

Key components of a Cloud Security Strategy

A Cloud Security Strategy within an organization (acting as Cloud Customer) consists of a set of policies, processes, people and technologies required for ensuring the proper processing/storage of the organization’s information with cloud services, in accordance with the organization’s risk appetite (generally stated in the corporate security policies).

Key components of a Cloud Security Strategy

The definition of an effective Cloud Security Strategy within an organization requires a good understanding of all the elements which can significantly impact the cloud security posture of that organization.

Such elements can be identified by analyzing what I called the “Cloud Usage Profile” of the organization.

Core dimensions of an organization’s Cloud Usage Profile

Core dimensions of a Cloud Usage Profile

The 10 dimensions depicted in the above figure (data classification, user profile or pattern, device profile or pattern, user network connectivity, service model, hosting model, tenancy model, operation model, use cases and relevant compliances) should drive the definition of the corporate cloud security policies & baselines, the selection of cloud solutions, the selection of security controls for cloud services, the implementation of cloud solutions and all the other Cloud Security Strategy related activities within an organization, whatever its size.

The Cloud Usage Profile of an organization should itself be governed by the organization’s overall strategy, the business requirements, the industry’s standards & trends and the laws & regulations.

The Cloud Usage Profile should be captured & regularly maintained by a multi-disciplinary team (e.g. Cloud Governance Steering Team, Cloud Competence Center, etc.) including the main impacted stakeholders (e.g. Business, IT, Cyber/Information Security, Legal & Compliance, Procurement, etc.) of the organization.

Not a unique Cloud Usage Profile within an organization

Obviously, there are two types of Cloud Usage Profile within an organization: the target and the real Cloud Usage Profiles.

The target Cloud Usage Profile is the one that the organization would like to have while the real Cloud Usage Profile is the one reflecting the exact cloud usages and practices within the organization, including the Shadow IT practices.

Ideally, the real Cloud Usage Profile should be as close as possible to the target Cloud Usage Profile, but it’s not easy to be aware of all the Shadow IT practices within an organization (e.g. employees can easily subscribe to cloud services for legitimate/illegitimate purposes using their credit card, their corporate ID, their corporate/personal devices, processing/storing corporate data). Solutions such as a CASB (Cloud Access Security Broker) can give an organization better visibility of its cloud usage, including some shadow IT practices, and help it adapt its Cloud Strategy (e.g. definition of corporate cloud security policies & baselines aligned to its risk appetite, employees’ training & awareness, etc.), resulting in a gap reduction between the target and real Cloud Usage Profiles.

Target Cloud Usage Profile as key enabler for an agile & effective Cloud Security Strategy

In addition to driving the definition of an organization’s Cloud Security Strategy, the Cloud Usage Profile is also a key support for assessing the completeness and effectiveness of that Cloud Security Strategy, as well as for its continuous improvement.

Whenever the organization’s Cloud Usage Profile changes (e.g. adoption of new cloud service and/or hosting models, new cloud operations model, processing/storage of more sensitive data in public clouds, authorization of a new device pattern, introduction of a new standard or regulation, etc.), it’s easy to figure out what needs to be changed or adapted in the Cloud Security Strategy.
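As an added illustration (my own code, not from the original article), the following Python script models the target/real Cloud Usage Profile comparison described above: CASB-style discovery records are folded into the real profile, and a gap analysis then reports, dimension by dimension, where the real profile goes beyond what the target profile allows, which is also what tells you where the Cloud Security Strategy needs adapting when the profile changes. The 10 dimensions are the article's; the ordinal classification scale, the record format of the discovery output and all profile values are constructed assumptions.

```python
"""Gap analysis between a target and a real Cloud Usage Profile.

Added example, not code from the original article. The 10 profile
dimensions are the ones named in the article; the classification scale,
the discovery record format and the profile values are constructed.
"""
import copy
from dataclasses import dataclass, field

# Ordinal data classification scale, least sensitive first (constructed).
CLASSIFICATION_LEVELS = ["public", "internal", "confidential", "restricted"]

# The nine dimensions modelled as sets of allowed (target) or observed (real) options.
SET_DIMENSIONS = (
    "user_profile", "device_profile", "user_network_connectivity",
    "service_model", "hosting_model", "tenancy_model", "operation_model",
    "use_cases", "relevant_compliances",
)


@dataclass
class CloudUsageProfile:
    # Highest classification level processed or stored in cloud services.
    data_classification: str = "public"
    user_profile: set = field(default_factory=set)
    device_profile: set = field(default_factory=set)
    user_network_connectivity: set = field(default_factory=set)
    service_model: set = field(default_factory=set)
    hosting_model: set = field(default_factory=set)
    tenancy_model: set = field(default_factory=set)
    operation_model: set = field(default_factory=set)
    use_cases: set = field(default_factory=set)
    relevant_compliances: set = field(default_factory=set)


def merge_discovered_services(real, discovered):
    """Fold CASB-style discovery records into the real profile.

    Each record is a dict with the keys used below (a constructed format,
    not any vendor's export). Returns the updated profile.
    """
    for svc in discovered:
        observed = CLASSIFICATION_LEVELS.index(svc["data_classification"])
        if observed > CLASSIFICATION_LEVELS.index(real.data_classification):
            real.data_classification = svc["data_classification"]
        real.service_model.add(svc["service_model"])
        real.hosting_model.add(svc["hosting_model"])
        real.use_cases.add(svc["use_case"])
        real.device_profile.update(svc["devices"])
    return real


def profile_gaps(target, real):
    """Return {dimension: detail} for every dimension where the real
    profile goes beyond what the target profile allows or accounts for."""
    gaps = {}
    t = CLASSIFICATION_LEVELS.index(target.data_classification)
    r = CLASSIFICATION_LEVELS.index(real.data_classification)
    if r > t:
        gaps["data_classification"] = (
            f"real profile handles '{real.data_classification}' data, "
            f"target allows up to '{target.data_classification}'")
    for dim in SET_DIMENSIONS:
        extra = getattr(real, dim) - getattr(target, dim)
        if extra:
            gaps[dim] = "not covered by target profile: " + ", ".join(sorted(extra))
    return gaps


def demo():
    """Constructed walk-through: sanctioned usage plus one shadow IT service."""
    target = CloudUsageProfile(
        data_classification="internal",
        user_profile={"employee"},
        device_profile={"managed-laptop"},
        user_network_connectivity={"corporate-lan", "vpn"},
        service_model={"SaaS"},
        hosting_model={"public"},
        tenancy_model={"multi-tenant"},
        operation_model={"provider-managed"},
        use_cases={"collaboration"},
        relevant_compliances={"GDPR"},
    )
    # The real profile starts from the sanctioned usage; discovery adds what is observed.
    real = copy.deepcopy(target)
    discovered = [  # constructed discovery output
        {"service": "approved-suite", "service_model": "SaaS", "hosting_model": "public",
         "use_case": "collaboration", "data_classification": "internal",
         "devices": {"managed-laptop"}},
        {"service": "personal-file-share", "service_model": "SaaS", "hosting_model": "public",
         "use_case": "file-sharing", "data_classification": "confidential",
         "devices": {"personal-phone"}},
    ]
    merge_discovered_services(real, discovered)
    return profile_gaps(target, real)


if __name__ == "__main__":
    for dim, detail in demo().items():
        print(f"{dim}: {detail}")
```

In the constructed run, the shadow file-sharing service raises three gaps (data classification, device profile and use cases), each naming a dimension whose policies, baselines and controls the strategy must revisit; a dimension that is absent from the result needs no change.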

Cloud Usage Profile driven Cloud Security Strategy

Main steps of a Cloud Usage Profile driven Cloud Security Strategy

With this Cloud Usage Profile based approach, consisting of 7 steps structured following the PDCA (Plan-Do-Check-Act) model, an organization can seamlessly address all the continuous changes in the cloud area, whatever the nature and source of the changes (from the Business, the Industry and/or the Regulations), by relying on a flexible Security Strategy adapted to cloud services. In short, this approach enables a Cloud Security Strategy which can better support the organization’s business transformation in an agile mode.

Although I only described in this article how the approach can be applied to an entire organization, it can obviously be applied to a business group within an organization, a subsidiary of an organization, a specific functional domain (e.g. Human Resources, Finance) within an organization, etc.