CISSP Domain 3 Review / Mind Map (5 of 9) | Cloud

Destination Certification
Review of the major Cloud concepts and terms, and how they interrelate, to help you review, guide yo...
Video Transcript:
Hey, I'm Rob Witcher and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to cloud in Domain 3 to understand how they interrelate and to guide your studies. This is the fifth of nine videos for Domain 3. I've included links to the other mind map videos in the description below.

Cloud computing. Everybody and their dog is moving their infrastructure, their applications and their data to the cloud and innovating with emerging technologies like AI and blockchain. Over the last 14 or so years cloud has quickly become a massive part of most organizations' IT infrastructure, if not the dominant part. You would therefore expect that the CISSP exam would have a large percentage of questions dedicated to cloud, but that is not the case. You will certainly see questions related to cloud security on the exam, but the reason there are relatively few questions related to cloud security, despite its importance to organizations, is due to (ISC)² creating a separate certification focused on cloud security: the CCSP, Certified Cloud Security Professional. So let's go through some of the basics of cloud security you need to know for the CISSP exam.

We'll begin with the three most common cloud service models, essentially the most common types of cloud computing. Infrastructure as a Service is an environment where customers can deploy virtualized infrastructure: servers, appliances, storage and network components, basically allowing a customer to recreate an entire physical data center as virtualized components: virtual firewalls, virtual routers, virtual servers and so forth. Platform as a Service provides the services and functionality for customers to develop and deploy custom applications. Customers can create their own applications without having to worry about all the underlying complexity like servers and the network and storage. And Software as a Service is where customers can rent access to an application hosted in the cloud. While likely not covered on the exam, let's look at Containers as a Service and serverless, or more aptly called Functions as a Service. Containers and especially serverless are becoming increasingly popular and have a lot of developer momentum behind them, so I think they're worth mentioning here. Containers as a Service fits in between Infrastructure as a Service and Platform, and serverless fits in between Platform as a Service and Software as a Service.

For any flavor of cloud it is critically important to understand who is responsible for what. If there are no clearly defined responsibilities as to who is doing what, you can generally assume no one is doing it. This diagram shows varying levels of who is responsible for what for the different service models. You should absolutely not memorize the specifics of what the customer is responsible for, the pink boxes, and the cloud service provider is responsible for, the purple boxes. Just know this: responsibilities must be clearly identified and assigned, and the onus for doing this is on the customer. The customer ultimately remains accountable for the protection of any data and services they outsource to the cloud, so the customer must ensure responsibilities are clearly defined in contracts and service level agreements, and the customer must ensure that the cloud service provider has controls in place which are operating effectively to meet the defined requirements. This assurance can be provided through service level reports or, more commonly, via SOC 2 reports, which I talk about in the first mind map video for Domain 6, link in the description below.

Now let's talk about cloud deployment models. Public cloud is cloud services that are available to anyone, to the public: a cloud service provider owns and operates cloud infrastructure that is open for use by the general public. Private cloud, on the other hand, is cloud infrastructure provisioned for exclusive use by a single customer. Private clouds can be owned and operated by the customer or by a cloud service provider, and private clouds may exist on or off premise, and private clouds can be physically or logically separated from one customer to the other. Honestly, it's pretty complicated, but the exam likely won't get into that complexity, so just remember that private cloud is reserved for one customer. Community cloud is cloud infrastructure that is only accessible by a small community of organizations or customers; they have similar shared concerns, similar security and regulatory requirements for instance. And hybrid cloud is simply some combination of public, private and community cloud. For instance, it is very common for large organizations to have their own dedicated on-premise private cloud for sensitive data, and they also use the public cloud for less sensitive data and workloads; thus they have a hybrid model.

We're now going to spend a fair bit of time talking about identification, authentication and authorization in the cloud. The use of cloud basically destroys the last vestiges of the formerly pervasive practice of organizations having well-defined perimeters and tightly controlling access to their trusted internal network. When an organization moves to the cloud, this concept of a trusted internal network essentially disappears. Identity is the new perimeter in the cloud. In the cloud you should assume that all traffic is a potential threat; there is no trusted internal network anymore. Therefore, as security professionals, we must ensure that all traffic, all users, are very thoroughly verified so we know exactly who is accessing what. This approach is often referred to as the zero trust model for security, and it requires very robust identification, authentication and authorization controls. So let's dig into these controls by first talking about where we store users' identities. The two main places where we can store our users' identities are locally or in the cloud. Locally implies that some system, usually Active Directory, is being maintained by the organization on premise, in the organization's own data center, to store user identities, and cloud obviously implies that a cloud service is being used to store an organization's users' identities. Okta is a good example of a cloud-based identity provider.

Next we have several options as to the types of identities that we can use. I talk about these in the second video for Domain 5, and I'm including them here again. A cloud identity is an identity which is created and managed solely in the cloud. Linked identities are two separate identities, one in the cloud and one local; there is simply some indication of a linkage between the two, but changes to one are not automatically synchronized to the other linked account. Synced identities are very similar: you have two identities, one in the cloud and one local. The key difference here is that these identities are synchronized; a change to one identity is automatically reflected, synchronized, in the other identity. And federated identities: a user has one identity that allows them to gain access to both local and cloud-based services via federated access.

There are various protocols that can be used to enable identification, authentication and authorization in the cloud. Service Provisioning Markup Language, SPML, is an XML-based framework for exchanging provisioning information, things like setup, change and revocation of access, between cooperating organizations. Basically, SPML standardizes and simplifies the process of provisioning access across multiple systems in multiple organizations. The next three protocols all enable federated access. I talk about federated access in a lot more detail in the second video of Domain 5, again linked below. SAML, the Security Assertion Markup Language, is a protocol that provides both authentication and authorization in federated access, and SAML is very commonly on the exam, so make sure you understand it. OpenID provides only authentication, and OAuth provides only authorization capabilities.

I've already mentioned that it is incredibly important to have clearly defined accountabilities and responsibilities in the cloud. Let's define these terms. Accountability refers to an individual who has ultimate ownership, answerability, blameworthiness and liability for an asset; they are the owner of the asset. Accountability should be assigned to only one person for each asset, because ultimately accountability means who is the throat that gets choked if something goes wrong: that is the accountable person. Accountability cannot be delegated. The accountable person can set the policies and requirements for protecting an asset and then delegate those responsibilities to others. Responsibility therefore means the doer, the person or multiple people that are in charge of the requirements that were defined by the accountable person. Multiple people can be responsible, and responsibility can be delegated.

Let's now talk about the various common roles in the cloud and their accountabilities and/or responsibilities. The cloud consumer is the customer, the person or organization that is using, that is paying for, cloud services. Individuals within the cloud consumer will be the owners, also known as data controllers, of any data that is stored in the cloud, and very importantly the owners, the data controllers, will be accountable for the protection of any data they store and process in the cloud. And remember, the owner cannot delegate their accountability; they remain accountable even if they outsource data to a cloud provider. The cloud provider, also known as the processor, is of course the cloud service provider. The cloud provider will be responsible for protecting consumer data in the cloud based on the requirements set by the data owner. The cloud provider will be accountable for running their own infrastructure and protecting their own data. Cloud brokers are middlemen: cloud brokers are organizations that exist between the consumer and the cloud service provider, and brokers exist to do things like aggregation, arbitrage and intermediation. Essentially they package together various cloud services for a consumer or add additional functionality to a cloud service provider's offering. And cloud auditors, rather obviously, are the people that no one likes, because they show up to audit stuff and see if the controls are properly designed and operating effectively. By the way, I'm allowed to say that because I've conducted a lot of cloud audits, and no one liked me when I did so.

All right, what is a hypervisor? Hypervisors are software which allows multiple operating systems, virtual machines, to share the resources of a single hardware server, often referred to as a compute node. Hypervisors virtualize the components of a server: hypervisors will create virtual CPUs, virtual RAM, virtual network cards, and they do this so that multiple operating systems can run simultaneously on a hardware server. You may see hypervisors referred to as VM monitors on the exam. Virtual machines are an emulation of a computer system; virtual machines are essentially an operating system and some installed applications running on top of a hypervisor. You may see VMs referred to as instances or guests as well.

When an organization decides to move some of their systems and data to the cloud, there is a lot they need to think about from a security perspective: how do they ensure proper access controls, confidentiality, availability and integrity of the data, portability, interoperability, reversibility, resiliency and compliance, among many other things? One way to tackle this problem is to take a data-centric view. Cloud consumers can focus on the data they plan to migrate to the cloud, the classification of the data, and therefore the security controls that need to be in place for each stage of the data life cycle: creation, storage, use, sharing, archiving and destruction. One important contractual tool that a cloud consumer can use to communicate their requirements to the cloud provider is SLAs, service level agreements. SLAs are documented commitments by the cloud service provider to a consumer covering things like confidentiality, integrity, availability, responsiveness and so forth, and SLAs are addendums to the overall contract.

Conducting forensic investigations in the cloud, especially in the public cloud, introduces some significant challenges as well as some opportunities. One of the primary sources of evidence when conducting an investigation in the cloud is obtaining a copy of a VM instance, or snapshot. A VM snapshot is a copy of a VM that preserves the state and data of a virtual machine at a specific point in time, very useful for investigations.

All right, one final interesting challenge I will talk about related to cloud: defensible data destruction. Many laws and regulations around the world require a data owner to ensure sensitive data, particularly personal data, is defensibly, demonstrably destroyed. One possible method of defensibly destroying data in the cloud is known as crypto-shredding or crypto-erase. The idea is that sensitive data is encrypted with an excellent algorithm like AES, and then every single copy of the encryption key must be physically destroyed with no possibility of recovering the encryption key. The data has effectively been crypto-shredded and is unrecoverable; therefore the data has been defensibly destroyed.

And that is an overview of cloud within Domain 3, covering the most critical concepts to know for the exam. If you found this video helpful you can hit the thumbs up button, and if you want to be notified when we release additional videos in this mind map series then please subscribe and hit the bell icon to get notifications. I'll provide links to the other mind map videos in the description below. Thanks very much for watching, and all the best in your studies.
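The crypto-shredding idea from the transcript, worked through as an added example (this is not code from the video or from Destination Certification): each data owner gets its own AES-256 data-encryption key, records are sealed with AES-GCM, and a shred destroys only the key, so the ciphertext still sitting in storage and backups becomes unrecoverable while other owners' data stays readable. The KeyRing type, its methods and the owner and record names are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyRing holds one AES-256 data-encryption key (DEK) per data owner, standing in for a KMS or HSM (constructed for illustration).
type KeyRing map[string][]byte

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // a 32-byte key is always valid, so NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block) // AES's 16-byte block is what GCM expects, so this cannot fail either
	return gcm
}

// Encrypt returns nonce || ciphertext for owner, binding the record id as associated data.
func (r KeyRing) Encrypt(owner, id string, plaintext []byte) ([]byte, error) {
	if _, ok := r[owner]; !ok { // first record for this owner: mint its DEK
		r[owner] = make([]byte, 32)
		if _, err := rand.Read(r[owner]); err != nil {
			return nil, err
		}
	}
	gcm := gcmFor(r[owner])
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// Decrypt reverses Encrypt; after Shred it fails even though the ciphertext is fully intact.
func (r KeyRing) Decrypt(owner, id string, ct []byte) ([]byte, error) {
	key, ok := r[owner]
	if !ok {
		return nil, errors.New("crypto-shredded: no DEK exists for " + owner)
	}
	if len(ct) < 12 { // Encrypt prefixed the standard 12-byte GCM nonce
		return nil, errors.New("ciphertext truncated")
	}
	return gcmFor(key).Open(nil, ct[:12], ct[12:], []byte(id))
}

// Shred destroys the owner's DEK (in a real KMS/HSM the key material itself); every copy, including backups and escrow, must go the same way.
func (r KeyRing) Shred(owner string) {
	delete(r, owner)
}
```

Minting a fresh DEK for the same owner afterwards does not resurrect the old records: the ciphertext on disk was sealed under a key that no longer exists.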