As the first domain in the CCSP curriculum, Cloud Concepts, Architecture and Design forms the bedrock of your journey. This foundational knowledge lays the groundwork for understanding how cloud computing fundamentally works and why it matters for security professionals.
We'll explore the core principles of cloud computing, dive into reference architectures, and examine crucial security concepts. You'll gain insights into design considerations, provider evaluation, and emerging technologies that are reshaping the cloud landscape. This knowledge isn't just theoretical—it's the foundation you'll build on throughout your cloud security career.
Ready to demystify cloud computing? Let's start with the fundamentals that every cloud professional should master.
1.1 Understand cloud computing concepts
Defining cloud computing
In the simplest terms, cloud computing involves cloud service providers pooling computing resources and then divvying them up to customers as they need them. Cloud computing has been one of the major technological shifts of the past few decades, because its model of sharing resources can be much more efficient, agile, and scalable.
Let’s get a little more technical and introduce a definition of cloud computing from the National Institute of Standards and Technology (NIST):
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”
An understanding of these characteristics, service models, deployment models and other aspects is critical for wrapping your head around the technology as a whole.
The roles and responsibilities involved in cloud computing
There are a number of different roles involved in cloud computing and it’s important to understand them in order to secure cloud systems appropriately. The table gives us a brief overview of the definitions of the major cloud roles.
Note: The reason that some of the roles have two names is because the important documents, ISO/IEC 17788:2014 and NIST Special Publication 500-292, name some of these roles slightly differently.
Role | Definition |
---|---|
Cloud service customer/Cloud consumer | An individual or organization that uses cloud services. |
Cloud service provider/Cloud provider | An individual or organization that provides cloud services. |
Cloud service partner | A party that supports the activities of cloud service customers, cloud service providers, or both. The cloud service partner sub-roles (cloud auditor, cloud service broker and cloud service developer) are listed in the following rows. |
Cloud auditor | It’s generally not possible for a cloud service customer to access the premises of a cloud service provider to audit the service. Instead, third-party auditors evaluate the security and compliance of providers. These auditors play a trusted role in the cloud ecosystem, and they issue reports that allow cloud service customers to evaluate cloud service providers. |
Cloud service broker/Cloud broker | A cloud broker will often aggregate a bunch of different cloud services from separate cloud providers, and then offer these in a bundle to cloud service customers. They can act as an intermediary between the two parties, simplifying the process of managing cloud services and often bringing the cost down through economies of scale. |
Cloud service developer | Cloud developers take care of many development-related tasks, including designing, developing, testing and maintaining services. |
Network provider/cloud carrier | A cloud carrier is often an organization like an internet service provider, which enables cloud services to run on top of it by providing the underlying transport and connectivity. |
Out of the major roles, the two most important roles are the cloud service provider (cloud provider) and the cloud service customer (cloud consumer). The former provisions the cloud service, while the latter consumes the cloud service. Cloud service partners act in support of either providers or customers. Each of these roles can be further divided into sub-roles.
Cloud Service Customer
Cloud service customers are the people or organizations that use cloud services. These cloud services are provisioned by cloud service providers in accordance with a service-level agreement (SLA) that stipulates the terms of the service.
Cloud service customers can have a variety of needs, and there is a wide range of cloud services for them to choose from. Cloud service customers may be able to access and administer cloud services through a self-service portal, or their service may be administered through a human representative from the cloud service provider.
Cloud service customers have a number of sub-roles:
Sub-role | Definition |
---|---|
Cloud service user | A cloud service user is basically just a human or another entity that uses cloud services. |
Cloud service administrator | A cloud administrator administers and monitors the cloud on behalf of the customer to ensure things run smoothly. |
Cloud service business manager | A cloud service business manager manages the business aspects of the cloud service on behalf of the cloud service customer. This includes billing administration, managing the customer relationship, purchasing cloud services, and requesting audit reports when necessary. |
Cloud service integrator | A cloud service integrator works to integrate existing ICT (information, communications and technology) systems with cloud services. Cloud service customers will often have their own existing IT systems as well as multiple cloud services from different cloud service providers. It’s the cloud service integrator’s job to make them all work together. |
Cloud Service Provider
Cloud service providers are entities that provide cloud services. Cloud service providers are responsible for creating, deploying, maintaining, monitoring, administering and securing the service. However, they don’t necessarily do everything in-house. Cloud service providers may outsource certain aspects, including some or all of their infrastructure. This means that cloud service providers can also be cloud service customers.
There are also a number of cloud service provider sub-roles:
Sub-role | Definition |
---|---|
Cloud service operations manager | A cloud service operations manager is responsible for making sure that the cloud service operates smoothly and meets operational targets. |
Cloud service deployment manager | A cloud service deployment manager is responsible for defining the environments and processes, gathering metrics on cloud services, managing cloud deployments, and overseeing the deployment process. |
Cloud service manager | A cloud service manager is responsible for the provisioning and delivery of cloud services, and the overall management of cloud services. |
Cloud service business manager | A cloud service business manager manages the business aspects of a cloud service, including business plans, customer relationships and financial processing. |
Customer care and support representative | As the name suggests, a customer care and support representative is responsible for helping customers with the cloud service. |
Inter-cloud provider | An inter-cloud provider is responsible for managing third-party cloud services that the cloud service provider may use to complement its cloud offerings. |
Cloud service security and risk manager | A cloud service security and risk manager is responsible for managing security and risk for a cloud provider. |
Network provider | Network providers provide the underlying networks. A good example is an ISP. |
Cloud Service Partner
ISO/IEC 17788:2014 defines a cloud service partner as:
A cloud service partner is a party which is engaged in support of, or auxiliary to, activities of either the cloud service provider or the cloud service customer, or both. A cloud service partner's activities vary depending on the type of partner and their relationship with the cloud service provider and the cloud service customer. Examples of cloud service partners include cloud auditors and cloud service brokers.
In essence, cloud service partners are entities that play support roles to cloud service providers and/or cloud service customers. Cloud service partners have sub-roles of:
- Cloud service broker - sets up legal agreements, acquires and assesses customers, as well as assesses the marketplace.
- Cloud auditor - performs audits and reports audit results.
- Cloud service developer - responsible for designing, creating and maintaining service components, as well as composing and testing services.
Cloud Service Broker
A cloud service broker is an entity that sits in between a cloud service provider and the cloud service customer. Over time, the cloud ecosystem has become more complex, and it can be difficult for organizations to manage the multiple cloud services that they need in order to effectively carry out their business tasks. Cloud service brokers can help to simplify the ecosystem and make things more efficient.
Their major activities include:
- Acquiring and assessing customers
- Assessing the marketplace
- Setting up legal agreements
Cloud service brokers offer three different categories of service:
Category | Definition |
---|---|
Intermediation | Intermediation essentially means that cloud service brokers step in as an intermediate party. They improve and add on to the cloud services that they offer from cloud service providers. |
Aggregation | Aggregation means that cloud service brokers integrate multiple cloud services and help to ensure the smooth flow of data between them. |
Arbitrage | Arbitrage basically means that cloud service brokers can flexibly switch between various services from cloud service providers. They can do this as their needs and the needs of their clients change, or as better cloud services come to market. |
Regulator
Regulators are governing bodies that manage the regulations that organizations must abide by within the regulator’s jurisdiction. They play a vital role in keeping cloud ecosystems safe, but they also add an additional layer of complexity. Regulators vary across geographic regions, so it’s your responsibility to find out which regulations apply to your organization in all jurisdictions that it operates, as well as those in which it may store, transfer, or process data.
Accountability vs Responsibility
Accountability and responsibility are important concepts that can easily be confused. An accountable person has ultimate ownership of a given asset. Responsibility is a little different, because it refers to being in charge of something, like a task or a project.
The table sums up the differences between the two concepts.
Accountability | Responsibility |
---|---|
Refers to someone having ultimate ownership, answerability, blameworthiness, and liability. | Refers to someone who is in charge of a task or an event. |
Can only be held by one person. | Can be held by multiple people. |
Cannot be delegated or outsourced. | Can be delegated or outsourced. |
Obliges the asset owner to set rules and policies. | Refers to someone being in charge, who develops plans and makes things happen. |
The key characteristics of cloud computing
There are five essential characteristics of cloud computing. Public clouds include a sixth characteristic, multi-tenancy:
Characteristic | Definition |
---|---|
On-demand self-service | On-demand self-service means that cloud service customers can access cloud services on demand, whenever they need them, all via self-service. |
Broad network access | Broad network access means that cloud services can be accessed from basically any device or location where there is a network connection. |
Resource pooling | Resource pooling means that cloud service providers pool together their compute, storage and network resources, then allow their customers to draw their services from this pool. |
Rapid elasticity | Rapid elasticity means that the virtual resources can rapidly scale up and scale down as needed. |
Measured service | Cloud service usage is measured, and customers only pay for what they use. |
Multi-tenancy | Separate cloud service customers use the same resources, but they are isolated from each other. |
The building blocks of cloud computing
Cloud computing is made possible by a range of underlying technologies. The CCSP Exam Outline lists the following five technologies as building blocks of cloud computing:
- Virtualization
- Storage
- Networking
- Orchestration
- Databases
Databases, storage, and networking are all fundamental, but the most interesting enablers of cloud computing are orchestration and virtualization. Here is a quick summary of the other four technologies before we turn to virtualization:
- Databases – A collection of data that is stored in an organized and accessible manner.
- Storage – The recording of data onto a medium.
- Networking – The ability of computers to share resources, often over wires or through various wireless technologies.
- Orchestration – Orchestration involves the use of various technologies to manage the immense complexity of cloud computing.
Before we get too deep into virtualization, let’s cover some important background information. Prior to the arrival of cloud computing, companies needed their own computing infrastructure to conduct their business tasks. These physical resources can be divided into three major categories:
- Compute – The processors that do the computing work.
- Network – The infrastructure that we use to move data around.
- Storage – Where we put data so that we can access it later.
When companies had to have their own infrastructure on hand for their compute, storage, and network needs, it was incredibly inefficient. Companies would have to stockpile a lot of additional hardware so that they could handle peak demands. In off-peak times much of this infrastructure sat largely unused, going to waste.
In contrast, cloud computing offers rapid elasticity and scalability, while being able to take advantage of economies of scale. Much of this is achieved through resource pooling and multitenancy. When multiple different customers share the same resources, and they can each scale up and down as needed, it means that the underlying infrastructure can be shared far more efficiently. This leads to reduced costs for customers, and it gives them a far more flexible way to deploy technology for achieving their business goals.
One of the most important components in delivering this efficiency is virtualization. In most cloud service deployments, cloud service providers and their customers will generally be in separate physical locations. This means that it isn’t possible for them to physically share the underlying infrastructure. However, it is possible to abstract the resources away from this infrastructure via virtualization. This allows cloud service customers to share virtualized versions of these physical resources.
Virtualization
NIST Special Publication 800-125 defines virtualization as “…the simulation of the software and/or hardware upon which other software runs.” One of the most common examples of virtualization is when someone runs a different operating system on their computer as a virtual machine. As an example, the host computer could be running Linux, while the virtual machine (also known as a guest machine) could be running Windows. The Windows virtual machine runs much the same way it would if it was directly installed on the hardware.
The same principles apply beyond compute to both storage and networking as well. Virtualization allows cloud service providers to divide up their physical resources as needed, in order to share them between customers and utilize the underlying infrastructure more effectively. Virtualization is covered in more depth in Domain 3.
1.2 Describe cloud reference architecture
The cloud computing reference architecture (CCRA) is a framework from ISO/IEC 17789 that aims to give people an effective way of conceptualizing cloud computing. It covers:
- Cloud computing roles and sub-roles.
- Cross-cutting aspects.
- The functional components of cloud computing.
Cloud Service Capabilities
Cloud services can be broken down into three different classes based on the functionality that a service provides to cloud service customers. These classes are known as cloud capability types, and the key distinction between them is the type of resources that are provided for customers to use.
Capabilities type | Definition |
---|---|
Application capabilities type | A type of cloud service where customers use the provider’s applications. Under this capabilities type, customers do not need their own hardware, or have to develop their own apps. Instead, they use the provider’s software, and the provider takes care of all the underlying infrastructure. |
Platform capabilities type | A cloud service where customers use the provider’s platform. This capabilities type makes it easy for customers to develop their own apps, because they do not have to worry about configuring the underlying infrastructure and virtualization. |
Infrastructure capabilities type | A cloud service where customers use the provider’s infrastructure. Under this capabilities type, the customer rents virtualized infrastructure from the provider. This gives the customer the greatest amount of control, but this also means that the customer is responsible for much of the configuration and security. |
Cloud Service Categories
ISO/IEC 17788 defines a cloud service category as “…a group of cloud services that possess some common set of qualities.” NIST refers to these categories as cloud service models.
Service category | Definition |
---|---|
Infrastructure as a service (IaaS) | A service where customers rent infrastructure from a cloud service provider. Infrastructure as a service gives customers the flexibility to build on top of the cloud service provider’s infrastructure, without the headaches of having to set up and manage the hardware. Examples of infrastructure as a service include: |
Platform as a service (PaaS) | A service where customers rent a platform from a cloud service provider. This gives the customer a development environment where they don’t have to set up or manage the servers, network, operating systems, and storage. However, the customer still has control over the applications that they deploy. Examples of platform as a service include: |
Software as a service (SaaS) | A service where customers rent applications from cloud service providers. This software can generally be accessed through web browsers or apps on the customer’s devices. Customers only have control over application-specific settings, and don’t have to worry about what is happening under the hood. Everything else is taken care of by the provider. Examples of software as a service include: |
The diagram below shows some of the major components that make up IaaS, PaaS and SaaS.
Other common service models that you may run into include containers as a service (CaaS) and functions as a service (FaaS).
Cloud Deployment Models
Cloud computing can also be classified according to deployment model. These deployment models describe different ways that cloud computing systems can be organized. They can be roughly broken down according to who is able to access the cloud service, where the infrastructure is located, as well as who manages and owns the cloud service.
Deployment model | Definition |
---|---|
Public cloud | A cloud service that is open for anyone to subscribe to. |
Private cloud | A cloud service that is used by a single party, however, the service may be provided by a third party. Other parties cannot subscribe to a private cloud service. |
Community cloud | A cloud service that is used by a specific community. The public cannot subscribe to community cloud services, only members of the community can. |
Hybrid cloud | A cloud infrastructure that is built from two or more of the other deployment models; public, private or community. These individual cloud models are integrated for data and application portability within the overarching hybrid cloud. |
Another increasingly prominent cloud deployment model that you may come across is multi-cloud. ISO/IEC 22123-1:2023 says that multi-cloud is a, “…cloud deployment model in which a cloud service customer uses public cloud services provided by two or more cloud service providers”.
Cloud shared considerations (Cross Cutting Aspects)
Many of the CCSP Certification Exam Outline’s “cloud shared considerations” trace their way back to a list of “cross-cutting aspects”, which appears in ISO/IEC 17788:2014. The document defines these cross-cutting aspects as:
“…behaviors or capabilities which need to be coordinated across roles and implemented consistently in a cloud computing system. Such aspects may impact multiple roles, activities, and components, in such a way that it is not possible to clearly assign them to individual roles or components, and thus become shared issues across the roles, activities and components.”
In other words, these cross-cutting aspects (or “cloud shared considerations”, as the exam outline refers to them) are basically just capabilities or properties that are important in cloud computing.
Cloud service properties | Definition |
---|---|
Auditability | The ability to keep track of important auditing information such as logs. Auditability is about recording information that gives you oversight of your systems and processes. It’s important for things like compliance and incident response. |
Availability | The ability for authorized parties to access important systems and data when needed. Service level agreements (SLAs) often include a guaranteed amount of availability, such as 99.999% uptime, meaning that the service is guaranteed to be available 99.999% of the time. |
Governance | How a cloud service is controlled and managed. This is generally a set of policies, procedures, controls and oversight. These outline how the service should be provisioned, used, administered and secured. Governance involves assigning tasks and roles to ensure that the various aspects are administered correctly. Appropriate cloud governance involves centralizing many of the different aspects of cloud services. It can help to minimize overlaps in cloud services, reduce costs, and increase security. |
Interoperability | How easy it is for customers to interact and exchange information with a cloud service. Interoperability is important if an organization wants to be able to integrate its existing apps and data. |
Maintenance and versioning | Maintenance refers to bug fixes and upgrades of the cloud service. Versioning refers to the accurate labeling of a given cloud service so that customers know which version they are using. |
Performance | A number of different measures can be included in performance. Performance levels are often stipulated in SLAs and they can include things like speed and availability. |
Portability | A measure of how easy it is to migrate data and apps from one cloud service to another. Portability is important if an organization wants to be able to move its apps and data from one cloud provider to another. |
Regulatory | The varying regulatory obligations that a cloud service may be subject to in a given region or sector. |
Resiliency | The ability of a system to provide acceptable service during faults, interruptions or breakdowns, such as power outages or disasters. |
Reversibility | The ability for customers to retrieve their data from providers, and have the provider sanitize all copies of the customer’s data. |
Security | Security is a broad term, that usually means systems and data maintain their confidentiality, integrity and availability, as well as ensuring that a number of other controls are in place. |
Service levels and service level agreements (SLAs) | Service level agreements are contracts signed between providers and customers. They stipulate the levels of service that must be met. This could include performance or availability (such as 99.99% uptime), as well as the roles and responsibilities of each party. |
The CCSP Certification Exam Outline also references two other cloud shared considerations.
Consideration | Definition |
---|---|
Outsourcing | Arranging for a third party to take on a process or task. |
Privacy | Definitions of privacy differ quite substantially, ranging from an individual’s right to control their information, to a security principle that protects individuals. |
Impact of Related Technologies
There are a number of technologies that aren’t directly related to cloud computing but are often deployed in intertwining ways. There are others that are still emerging but are expected by some to play significant roles in the future. You should be aware of the following technologies and their relation to cloud computing:
- Data science – Takes structured or unstructured data and uses various algorithms to analyze it. It combines statistics, science, computing and other methodologies to produce insights from data.
- Artificial intelligence – The science of making intelligent machines. It includes a range of different technologies that aim to help machines perform advanced tasks. These can include the cognitively demanding processes that humans are capable of, as well as tasks that go well beyond human levels.
- Machine learning – A subdiscipline of AI that aims to develop methods that enable machines to learn from large sets of data.
- Blockchain – At its core, blockchain uses cryptography to build decentralized immutable ledgers (immutable means unable to be changed). These distributed ledgers give blockchain users a way to keep records that are extremely difficult to tamper with, even when there is no trusted central body.
- The Internet of things (IoT) – The Internet of things describes everyday objects that are enhanced through processors, networking, sensors, software and other technologies. It includes things like internet-connected CCTV cameras, thermostats and remote health-monitoring tools.
- Containers – Containers are a more agile and lightweight approach to virtualization that is now used pervasively in cloud computing.
- Quantum computing – Quantum computing is a field of computing that relies on aspects of quantum mechanics. Current quantum computers are relatively weak, but when they progress, they will be able to perform a lot of computations that classical computers can’t.
- Edge computing – Edge computing is a distributed computing approach that can reduce latency, speed up response times, and increase bandwidth availability. Instead of processing data in a central data center, much of the processing is done closer to the source of the data, often on the devices themselves, or on a local server.
- Confidential computing – In the current digital landscape, many devices have full-disk encryption and a range of apps encrypt data from end-to-end. This means that data is protected throughout much of its lifecycle. However, when data is being processed, it’s generally decrypted and accessible to whoever is in the system, which creates a significant point of weakness. Confidential computing aims to mitigate this problem by keeping data in a hardware-based trusted execution environment (TEE) during processing.
- DevSecOps – DevOps is the integration of software development (Dev) and IT operations (Ops) in order to make the software development life cycle more responsive and agile. DevOps is similar to the Agile approach in that both techniques look at software development as a continuous and integrated process. DevSecOps is an approach that incorporates security (Sec) as well, decentralizing some security practices and instead making delivery teams responsible for security controls in their software.
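The blockchain entry above says that cryptography is what makes a distributed ledger hard to tamper with. The following Python is an added example, not code from the original guide, showing the core mechanism: each block stores the SHA-256 hash of its predecessor, so editing any historical record breaks the chain at the point of the edit. The ledger class, the sample account records and the two tamper scenarios are all constructed for illustration.

```python
"""Hash-chained ledger with tamper detection (added example, not from the guide)."""
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(index, prev_hash, data):
    """SHA-256 over a canonical JSON encoding of the block's contents."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class Ledger:
    """Append-only list of blocks, each linked to its predecessor by hash."""

    def __init__(self):
        self.blocks = []
        self.append({"genesis": True})

    def append(self, data):
        index = len(self.blocks)
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS_PREV
        self.blocks.append({"index": index, "prev": prev, "data": data,
                            "hash": block_hash(index, prev, data)})

    def verify(self):
        """Return (True, None) if every link holds, else (False, first_bad_index)."""
        for i, block in enumerate(self.blocks):
            expected_prev = self.blocks[i - 1]["hash"] if i else GENESIS_PREV
            if block["prev"] != expected_prev:
                return False, i  # link to the previous block is broken
            if block["hash"] != block_hash(block["index"], block["prev"], block["data"]):
                return False, i  # stored hash no longer matches the contents
        return True, None


def build_sample_ledger():
    """Constructed sample records; any data shape that JSON can encode works."""
    ledger = Ledger()
    ledger.append({"account": "alice", "delta": 100})
    ledger.append({"account": "bob", "delta": -40})
    ledger.append({"account": "carol", "delta": 15})
    return ledger


def demo_edit_in_place():
    """Silently edit block 1's data: its stored hash no longer matches."""
    ledger = build_sample_ledger()
    ok_before, _ = ledger.verify()
    ledger.blocks[1]["data"]["delta"] = 1000
    ok_after, bad_index = ledger.verify()
    return ok_before, ok_after, bad_index


def demo_edit_and_rehash():
    """Edit block 1 AND recompute its hash: block 2's prev link now fails instead."""
    ledger = build_sample_ledger()
    b = ledger.blocks[1]
    b["data"]["delta"] = 1000
    b["hash"] = block_hash(b["index"], b["prev"], b["data"])
    ok, bad_index = ledger.verify()
    return ok, bad_index


if __name__ == "__main__":
    print("edit in place:", demo_edit_in_place())      # (True, False, 1)
    print("edit and rehash:", demo_edit_and_rehash())  # (False, 2)
```

The second scenario is the important one: rewriting one record forces the editor to recompute every later block as well. Hash chaining alone only makes tampering detectable; the "no trusted central body" property comes from replicating the chain across many parties and agreeing on it by consensus, so that a rewritten copy held by one party does not match everyone else's.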
1.3 Understand security concepts relevant to cloud computing
Security in the cloud is critical, because so much of our data is now kept online. All it takes is a few minor slipups, and a trove of people’s sensitive information could end up in the hands of hackers.
While cloud security is incredibly important, we will be discussing most of the topics from section 1.3 of the CCSP Certification Exam Outline in other domains. It will be a lot easier for us to cover these topics once in detail, instead of bringing them up each time they are tangentially related to another topic.
Cryptography and Key Management
We discuss cryptography and key management in Domain 4.6.
Identity and Access Control
We discuss identity and access management in 4.7 Design appropriate identity and access management (IAM) solutions.
Data and Media Sanitization
We discuss media sanitization in Domain 2.7.
Network security
We discuss Network security groups in Domain 5.2.
Traffic inspection involves looking at the packets passing through a network. Important traffic inspection tools include firewalls as well as intrusion detection systems (IDS) and intrusion prevention systems (IPS), all of which we discuss in Domain 5.2.
Geofencing involves creating virtual perimeters over a physical geographic area. When a user’s device approaches the physical area, it can send alerts or trigger other actions. It is often used for marketing purposes, but it can also be implemented for purposes like preventing drones from flying into restricted airspace. We can also incorporate a device’s geolocation into our authentication controls and prompt extra authentication methods if a device attempts to gain access from a suspicious location. We discuss geolocation further in Domain 2.8.
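The paragraph above describes using a device's geolocation in authentication and prompting for extra authentication from a suspicious location. The Python below is an added example (not from the original guide) that models that check on the defender's side: a geofence test based on great-circle distance, plus an impossible-travel comparison against the user's previous login. The fence location, the speed ceiling, the step-up/deny policy and the login events are all constructed assumptions for the demonstration.

```python
"""Geolocation-aware login evaluation (added example, not from the guide).

Assumed policy (constructed for this example):
  * inside an allowed geofence with plausible travel history -> allow
  * outside every geofence                                   -> step-up authentication
  * implausible travel speed since the previous login        -> deny
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_km: float

    def contains(self, lat, lon):
        return haversine_km(self.lat, self.lon, lat, lon) <= self.radius_km


# Constructed sample fence: a 25 km circle around central London.
ALLOWED_FENCES = (Geofence("hq-office", 51.5074, -0.1278, 25.0),)


def evaluate_login(event, previous=None, fences=ALLOWED_FENCES):
    """Return (decision, reasons) for a login event.

    event / previous are dicts with keys: user, ts (epoch seconds), lat, lon.
    """
    reasons = []
    lat, lon = event["lat"], event["lon"]

    # Geofence check: is the device inside any allowed area?
    if not any(f.contains(lat, lon) for f in fences):
        reasons.append("outside allowed geofence")

    # Impossible-travel check against the same user's previous login.
    if previous is not None and previous["user"] == event["user"]:
        dist_km = haversine_km(previous["lat"], previous["lon"], lat, lon)
        hours = (event["ts"] - previous["ts"]) / 3600.0
        too_fast = (hours <= 0 and dist_km > 1.0) or \
                   (hours > 0 and dist_km / hours > MAX_PLAUSIBLE_SPEED_KMH)
        if too_fast:
            reasons.append(f"implausible travel: {dist_km:.0f} km in {max(hours, 0):.2f} h")
            return "deny", reasons

    return ("step-up" if reasons else "allow"), reasons


# Constructed login events for one user, in chronological order.
SAMPLE_LOGINS = [
    {"user": "alice", "ts": 1_700_000_000, "lat": 51.5074, "lon": -0.1278},   # London, inside fence
    {"user": "alice", "ts": 1_700_003_600, "lat": 53.4808, "lon": -2.2426},   # Manchester, 1 h later
    {"user": "alice", "ts": 1_700_004_200, "lat": 40.7128, "lon": -74.0060},  # New York, 10 min later
]


def run_demo(logins=SAMPLE_LOGINS):
    """Evaluate each login against the one before it; return the decisions."""
    decisions, previous = [], None
    for event in logins:
        decision, reasons = evaluate_login(event, previous)
        decisions.append(decision)
        print(f"{event['user']} @ ({event['lat']}, {event['lon']}): {decision} {reasons}")
        previous = event
    return decisions


if __name__ == "__main__":
    run_demo()  # ["allow", "step-up", "deny"]
```

The second login is about 262 km from the fence centre one hour after the first, which is physically plausible but outside the allowed area, so it gets step-up authentication rather than a refusal; the third would require crossing the Atlantic in ten minutes and is denied. In a production system the previous-login lookup would come from the identity provider's sign-in log, and geolocation derived from IP address should be treated as approximate, which is why the plausible-speed ceiling is generous.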
We discuss zero trust networks in Domain 3.1 under Zero trust architecture.
Virtualization security
We discuss virtualization security in Domain 3.1.
Common threats
We discuss threats to cloud computing in Domain 4.3.
Security hygiene
Security hygiene involves maintaining the basic health and security of software and hardware. We discuss it in further detail, including baselining and patching, in Domain 5.2.
1.4 Understand design principles of secure cloud computing
Systems can’t be secured appropriately by just slapping on security controls in a haphazard manner. Instead, they need to be carefully designed to ensure that gaps are limited and there are mitigations against most of the major threats. In this section, we will discuss some of the most important design principles for secure cloud computing.
The secure data life cycle
We discuss the secure data life cycle in Domain 2.1.
Cloud-based business continuity (BC) and disaster recovery (DR) plan
We discuss BC/DR plans in depth in Domain 3.5.
Business impact analysis (BIA)
We discuss BIAs in depth in Domain 3.5.
Risk assessment
We discuss risk assessment in Domain 6.4.
Functional security requirements
We defined portability and interoperability as part of the cloud shared considerations in Domain 1.2.
- Vendor lock-in – Refers to when a customer can’t easily switch away from their existing service to another service, often due to excessive switching costs, or a lack of interoperability.
- Vendor lock-out – Instead of being trapped into a service that you want to switch out of, you end up locked out of your systems and data at a service that you do want to use. The main reasons for vendor lock-out include the provider going out of business, or the provider suddenly suspending the service.
Security considerations and responsibilities for different cloud categories
We introduced cloud categories in Domain 1.2. In each category, both the customer and the provider have security responsibilities under what is known as the shared responsibility model.
A good rule of thumb is that at the software as a service (SaaS) end of the spectrum, the cloud service provider carries most of the responsibility and the cloud service customer relatively little. At platform as a service (PaaS), which sits in the middle, the provider has less responsibility and the customer more. At the other end of the spectrum, infrastructure as a service (IaaS), the provider has the least responsibility and the customer must take up the slack. In every model, however, the customer remains responsible for its own data, its identities and access, and the configuration of the services it consumes.
The shared responsibility model
The level of responsibility is related to what each party actually has control over. The rough breakdown of how responsibility is shared is shown in the image above, with pink representing customer responsibilities and purple representing provider responsibilities. However, the specifics will vary according to the contract and service-level agreement (SLA) between the customer and the provider, and the provider's own published shared responsibility documentation should be checked for each service you use.
Cloud design patterns
As security professionals, we are faced with a barrage of cloud tools that are changing every day. How can we possibly build secure systems in such a complicated landscape? Thankfully, you aren't on your own: there are established cloud design patterns and control frameworks that help us to securely configure and use cloud services.
SANS security principles
The exam outline refers to SANS security principles. These are the Center for Internet Security (CIS) Controls, which were formerly administered by SANS (as the SANS Top 20 Critical Security Controls) and eventually handed over to CIS. The current CIS Controls (version 8) are a set of 18 controls that aim to give you actionable ways to mount your cyber defenses.
The CIS Controls
1. Inventory and control of enterprise assets
2. Inventory and control of software assets
3. Data protection
4. Secure configuration of enterprise assets and software
5. Account management
6. Access control management
7. Continuous vulnerability management
8. Audit log management
9. Email and web browser protections
10. Malware defenses
11. Data recovery
12. Network infrastructure management
13. Network monitoring and defense
14. Security awareness and skills training
15. Service provider management
16. Application software security
17. Incident response management
18. Penetration testing
Well-architected frameworks
Some cloud providers publish their own frameworks for evaluating and administering workloads on their platforms, each of which includes a security pillar alongside reliability, performance and cost. Some of the most common ones include:
- The AWS Well-Architected Framework
- The Microsoft Azure Well-Architected Framework
- The Google Cloud Architecture Framework
The Cloud Security Alliance (CSA) Enterprise Architecture framework
The Cloud Security Alliance (CSA) Enterprise Architecture (EA) is another important framework. It's both a set of tools and a methodology that aims to provide a comprehensive approach to building secure cloud infrastructure. It is broken up into four domains:
- Business Operation Support Services (BOSS)
- Information Technology Operation and Support (ITOS)
- Technology Solution Services (TSS)
- Security and Risk Management (SRM)
Another important document from the CSA is the Cloud Controls Matrix (CCM). The CCM is a spreadsheet broken up into security domains (17 in the current version 4; earlier versions had 16), with a large number of control objectives within each domain, each mapped to other standards such as ISO/IEC 27001 and PCI DSS. It can be used to assess cloud implementations in a systematic manner, giving you a comprehensive guide regarding which security controls need to be implemented.
DevOps security
We discuss DevOps security in Domain 4.2.
1.5 Evaluate cloud service providers
There are a host of different cloud service providers, each offering wide-ranging services. The specifics of each service are incredibly complex, which makes it challenging to evaluate both which is the right option for your business, and which can help you meet your compliance obligations.
Thankfully, there are a number of different standards that cloud providers can try to qualify for as a way of proving the quality of their service.
Verification against criteria
The importance of a given standard varies between industries and jurisdictions. The value of voluntary standards is dependent on whether a provider thinks that it will be worth the effort to go through the process. If the process is expensive and burdensome, it would only be worthwhile if it helped the provider attract customers.
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) frameworks
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have produced lots of important documents that you may frequently come across in your work. There are four standards that are particularly relevant when it comes to evaluating cloud service providers:
- ISO/IEC 27001 — This is the gold standard for information security management systems (ISMSs). It is internationally recognized and forms the backbone of security for many organizations throughout the world. It specifies how to establish, implement, maintain and improve an ISMS. It also sets out requirements for assessing and mitigating security risks.
- ISO/IEC 27002 — This is another important document that sets out implementation guidance. Much of it focuses on how to implement ISO/IEC 27001 to follow security best practices.
For our purposes, the biggest issue with ISO/IEC 27001 and 27002 is that neither framework is focused on cloud services. Thankfully, ISO and IEC released a couple of complementary documents that focus on cloud-specific issues:
- ISO/IEC 27018 — This was originally published in 2014 as a framework for protecting personally identifiable information (PII) in cloud contexts. It includes objectives, controls and guidelines to help protect this information.
- ISO/IEC 27017 — ISO/IEC 27017 was first released in 2015. This framework outlines appropriate information security controls for using cloud services. It adds implementation guidance for controls specified in ISO/IEC 27002, as well as additional cloud-specific advice.
The Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a standard for securing payment card data. Companies that want to process card payments must comply with the PCI DSS. The PCI DSS is a set of technical and operational requirements. It aims to limit access to sensitive financial information and also reduce payment fraud. It applies to all organizations that process, store or transmit cardholder data.
The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) registry
The Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR) program is a publicly accessible registry where cloud service providers can document their privacy and security controls. It follows the standards outlined in the CSA Cloud Controls Matrix (CCM), which we briefly discussed in Domain 1.4. The STAR registry allows providers to show what controls they have in place, which makes it far easier for customers to evaluate various options.
The Federal Risk and Authorization Management Program (FedRAMP)
The Federal Risk and Authorization Management Program (FedRAMP) was designed to give US federal government agencies a cost-effective and risk-based approach for cloud service adoption. It provides a standardized approach to security assessment, authorization and continuous monitoring of cloud services, so that an authorization granted once can be reused by other agencies.
System/subsystem product certifications
System and subsystem product certifications apply to smaller components of a system. The Common Criteria is focused on evaluating the security of IT products, while the Federal Information Processing Standard (FIPS) 140 only specifies security requirements for cryptographic modules.
The Common Criteria
The Common Criteria for Information Technology Security Evaluation is usually just referred to as the Common Criteria, or even the CC. It’s a framework that allows information security products to be evaluated by independent laboratories in a standardized manner. The Common Criteria assesses products both in terms of their security functionality and assurance measures. It is heavily relied upon by governments.
Evaluation assurance levels (EALs) indicate how rigorously a product was evaluated against its security functional requirements, not how much security functionality it has. The higher the level, the more confidence you can have in the depth of the design analysis and testing, and therefore in the claim that the product does what its security target says it does.
The seven evaluation assurance levels (EALs)
Level | Meaning
---|---
EAL1 – Functionally tested | This level applies when threats are not viewed as serious concerns, and the main requirement is for tests to show that the product works properly.
EAL2 – Structurally tested | This level indicates an amount of testing that gives low to moderate security assurance.
EAL3 – Methodically tested and checked | This level requires a moderate amount of independent assessment. The product is investigated thoroughly, but without significant reengineering.
EAL4 – Methodically designed, tested and reviewed | This level applies when users require moderate to high independent security assurance. It is the highest level that is generally achievable without specialist security-engineering practices being applied during development.
EAL5 – Semi-formally designed and tested | This level indicates a high level of independent security assurance. It requires rigorous development and specialized security engineering.
EAL6 – Semi-formally verified design and tested | This level is for products intended for high-risk situations where the value of the protected assets justifies the additional cost of extensive security engineering and semi-formal verification of the design.
EAL7 – Formally verified design and tested | This level is for products intended for extremely high-risk situations, or where the very high value of the assets justifies the highest cost. It requires formal verification of the design and extensive independent testing, which in practice limits it to products with tightly focused security functionality.
Federal Information Processing Standard (FIPS) 140-3
Federal Information Processing Standard (FIPS) 140-3 is a US federal government standard that sets out the security requirements for designing and implementing cryptographic modules. It aligns with ISO/IEC 19790 and defines four increasing security levels (Level 1 to Level 4), with modules validated under the NIST Cryptographic Module Validation Program (CMVP). The documentation specifies security requirements for:
- Cryptographic module specification
- Cryptographic module interfaces
- Roles, services and authentication
- Firmware and software security
- Operating environment
- Physical security
- Non-invasive security
- Sensitive security parameter management
- Self-tests
- Life-cycle assurance
- Mitigation of other attacks
Policies, standards, baselines, guidelines, and procedures
The security of an organization must be aligned with the organization’s overall goals and objectives. In order for an organization to maintain a strong security posture, a top-down approach is most effective. This should involve creating a governance committee that reports directly to the board of directors and the CEO.
This governance committee is responsible for developing an overarching security policy (also known as a foundational security policy) that is aligned with organizational goals and objectives. Beneath this overarching security policy, organizations should have a range of functional policies concerned with different aspects of an organization’s security, such as a data classification policy or a data retention policy.
Beneath these policies, there should be a range of more specific standards, baselines, guidelines and procedures, which are discussed in the table below.
Document type | Description
---|---
Policies | Policies are high-level documents that communicate management's goals and objectives. In the security context, they range from overarching documents that define an organization's overall security approach, down to more specific documents, such as an organization's media sanitization policy.
Standards | Standards set out the requirements of how to implement and use technology and security controls. They provide specific and compulsory direction for using hardware and software in a uniform way.
Baselines | Baselines establish the minimum level of security that each of an organization's systems must meet. A baseline is a foundational state for a given system, on top of which other security measures can be placed.
Guidelines | Guidelines describe how to accomplish something, such as how to implement a standard or a baseline. They are recommendations rather than requirements, so they can flex to accommodate the wide range of unique scenarios that security professionals and users may face.
Procedures | Procedures are detailed, step-by-step instructions for carrying out a specific task, and following them is mandatory.
CCSP Domain 1 key takeaways
Note: Many of the concepts introduced in this domain are discussed in greater detail in subsequent domains. For these topics, we've provided references to their corresponding domains within the relevant sections above. As these topics are explored more thoroughly elsewhere, they are not included in the Key Takeaways for this domain.
1.1 Understand cloud computing concepts
Defining cloud computing
The roles and responsibilities involved in cloud computing
The key characteristics of cloud computing