List of contributors. Lead Author: Mark Skilton Capgemini

Transcription

1

2 List of contributors Lead Author: Mark Skilton Capgemini Contributors & Reviewers (to date): Todd Cioffi Navis Learning Ajeet Bagga VCE Vladimir Baranek Deloitte Al Dunn NJVC Peter HJ van Eijk Digital Infrastructures Kevin L. Jackson NJVC Mari J. Spina, D.Sc. NJVC Karl Childs HP Copyright 2014 Cloud Credential Council. All rights reserved. 2

3 Contents 1. Overall Purpose of the Syllabus Structure of the Syllabus The Role of Professional Cloud Security and Governance Learning Level of the Syllabus Syllabus Core Skills... 5 Module 1. Module 2. Module 3. Module 4. Module 5. Module 6. Module 7. Module 8. Module 9. Module 10. Module 11. Module 12. Module 13. Security and Governance Concepts in Cloud Computing... 5 Security Threats and Challenges in Cloud Computing... 7 Physical Security and the Impact of Cloud Computing... 8 Virtualization Management and Security in the Cloud... 9 What Security does the Cloud Solve or Shift? What Security Does Cloud Change or Introduce? Existing Security Reference Models and Standards Identifying the Delta in your IT and Business Architecture for Cloud Security Risk Management and the Cloud IT Governance and Security Monitoring Users and Systems Contract Management and T s & C s: Terms and Conditions Legal Controls, IP Intellectual Property and Privacy Syllabus Advanced Skills Module 14. Module 15. Module 16. Module 17. Module 18. Module 19. Module 20. Module 21. Module 22. Module 23. Module 24. IaaS Security and Governance Policies IaaS: Encryption and DRM Digital Rights Management IaaS: Network Connectivity Security APIs and Gateways IaaS: Disaster Recovery, Business Continuity, Capacity and Performance Planning IaaS: Security Automation Tools and Cloud Computing Cloud Security Technology PaaS Security and Governance Policies PaaS: Version Management SDLC SaaS Security and Governance Policies SaaS: IDAM Identity and Access Management Federated Administration Credentials SaaS: Single Sign-on SaaS: Assurance and Audit Specific Security and Governance Knowledge for Cloud Computing Course & Exam Details Copyright 2014 Cloud Credential Council. All rights reserved. 3

4 1. Overall Purpose of the Syllabus The purpose of this syllabus is to provide a clear statement of the knowledge and skills required for cloud security and governance. This syllabus informs courseware providers of the training content required for accreditation. Furthermore, it provides guidance to instructors on which areas must be emphasized to give candidates the best possible chance of exam success. Finally, the syllabus also provides candidates themselves with clarity on what they must do to pass the exam and achieve certification. 2. Structure of the Syllabus The structure of this syllabus is layered as follows: The security and governance function itself is briefly described in relation to the background context of cloud computing. Each module has a clearly-stated purpose and introductory synopsis followed by key topics and the specific learning objectives that must be met in order to achieve the required standard. The flow of the learning modules is designed to build both understanding of the topics and practice in applying that knowledge to managing security and governance in a cloud environment. 3. The Role of Professional Cloud Security and Governance The challenge for professionals in security and governance in IT is in understanding the risks, issues and trade-offs presented by cloud computing. The emergence of cloud computing has changed both the location and the domain of control of information technology. As on-premise hardware and software, and personal and corporate data are moved off-premise to a cloud or within the premises as a private cloud, the result is a change in ownership and responsibility for the systems, data and services. Current security and legal threats are shifting and new potential threats are being created. This syllabus is concerned with applying security and governance best practice to a cloud environment. It draws on security guidelines such as CSA and examines the key security issues of cloud computing and what types of business, commercial and technical governance are needed when managing cloud computing security. However, it is worth being aware that the management of cloud security and governance is carried out within the context of the following emerging issues: How to define trust domains and controls to manage levels of cloud computing securely. How to define identity, authentication, authorization and controls across single and federated business and IT environments. The emerging governance, audit and compliance processes needed in cloud environments. The choice of security standards and how to define contract and technical templates, certification and compliance rules (including the policy management of these issues). Encryption and repudiation in single and multi-tenancy environments. Copyright 2014 Cloud Credential Council. All rights reserved. 4

5 How to evaluate the level of security threats and assurance of cloud services inside and outside an organization. The legal, contractual and commercial issues that need to be certified and managed. Determining the necessary security technology and tools from both the consumer and provider perspectives. The cost of security and its impact on SLA service levels. The definition of disaster recover (DR), business continuity (BC) and the assurance of quality of service (QoS) in order to maintain the integrity and fidelity of the architecture and external services. 4. Learning Level of the Syllabus The modern version of Bloom s taxonomy of learning is a widely used classification framework for course syllabi and assessments for certification. The taxonomy classifies learning into six ascending levels. Level 1 the Knowing Level: Exhibit memory of previously learned materials by recalling facts, terms, basic concepts and answers Level 2 the Comprehension level: Demonstrative understanding of facts and ideas by organizing, comparing, translating, interpreting, giving descriptions, and stating main ideas Level 3 the Application level: Using new knowledge. Solve problems to new situations by applying acquired knowledge, facts, techniques and rules in a different way. Level 4: the Analysis level: Examine and break information into parts by identifying motives or causes. Make inferences and find evidence to support generalizations. Level 5: the Evaluate level: Present and defend opinions by making judgments about information, validity of ideas or quality of work based on a set of criteria Level 6: the Creation level: Compile information together in a different way by combining elements in a new pattern or proposing alternative solutions The level of this advanced course for the Cloud Security and Governance role is level 3-4 (Apply, Analyse). 5. Syllabus Core Skills Module 1. Security and Governance Concepts in Cloud Computing The aim of this module is to explore the concept of risk and the impact of cloud computing so that the candidate is aware of the underpinning security concepts in a cloud environment. Risk and the impact of cloud computing must be understood in terms of both business and technical security challenges and their effect on business and technical governance and policy. What kinds of terminology are used to describe security threats and issues and in particular those in cloud computing? Copyright 2014 Cloud Credential Council. All rights reserved. 5

6 Key Topics Understanding risk, security and governance What do we mean by security and governance? What is risk? How do we evaluate risk and vulnerability? What are the costs associated with risk? Defining security and the types of security and risk Security is about- "locks and doors" Governance is about - "Policies and Procedures" Security is about access Governance is about behavior Assessing Security Risks in Cloud Lay out the types of issues to consider. Defining the evaluation of risk. Types of severity and impact assessment. Assessing Cost of Security Identifying the key costs of security and the impact of cloud Identifying examples of cost of cloud security Cost of replacing Cost of lost opportunity e.g. cloud platform goes down and hosted companies lose IT service for a period Reputational cost e.g. portable device is lost and data is stolen e.g. can you remotely shut done a lost device Identity theft cost (L2) Explains the key security concepts relevant to cloud computing. (L3) Shows the impact of cloud security on existing legacy data, systems and business. (L4) Analyzes the costs, trade-offs and consequences of severity of those risks relative to the types of cloud computing scenarios in XaaS. : Public and Private Sector Industry Policies on Risk and IT Practices (NIST, EU, UK.) Federal Electronic Government Act of 2002 Federal Information Security Management Act (FISMA) (protecting government information, operations and assets against natural or manmade threats.) EU standards and governance Cloud Computing Risk and Security ENISA, US equivalent NIST. North America, Cloud Security assessment ENSIA European Network and Information Security Agency Assessment Copyright 2014 Cloud Credential Council. All rights reserved. 6

7 Federal Electronic Government Act of 2002 Federal Risk Authorization Management Program (FedRAMP) Examples of cloud risk topics Cloud Security Alliance CSA CSA Guidelines CSA STAR registry management Cloud security controls matrix related to ISO27001 and ISO27002 ISO/IEC/IEEE software and systems engineering - software testing Module 2. Security Threats and Challenges in Cloud Computing The aim of this module is to examine the need to test the compliance and certification of a cloud environment and its services so that the candidate can confidently address likely security challenges. The security needs of consumers and providers and those responsible for trading standards and government policy are impacted by the changes in cloud computing business models and usage. What different types of security challenges are there and how do these change in a cloud scenario? How are transparency, accountability and viability defined and accessed in cloud computing? Key Topics Types of security and compliance issues in cloud Look at the familiar types of security issues and how cloud changes those. What is it about cloud that is specific to security issues? What is at risk in private, public, hybrid and community clouds? What are the risks exposed by SaaS, PaaS and IaaS? What kinds of compliance and certification is needed What are the types of security issues that exist regardless of whether it is a cloud or not? Examples of cyber attack Denial Of Service (DOS) attack Transparency, accountability and viability Accountability of service risk and security Stack of different providers offering different parts of the cloud service end to end Multiple XaaS providers correspondingly multiply security access points. How do remediation, rollbacks and compensation work? Trade-off of risk and scope How does it impact the SLA? It is an obligation risk versus opportunity risk? Understanding perception and reality of current security risk and status versus cloud security risk Copyright 2014 Cloud Credential Council. All rights reserved. 7

8 (L2) Explains the potential types of security risk in cloud computing. (L3) Shows the risks of various cyber-attacks on data held in cloud environments. (L4) Differentiates the transparency, accountability and viability in relation to cloud computing. CSA Cloud Security Alliance Guidelines and SEI CMMI standards compliance COBIT ISO 9362 SWIFT-BIC codes - banking PCI-DSS NIST NA cloud security assessment ENISA. European Network and Information Security Agency assessment Federal Risk Authorization Management Program (FedRAMP) Module 3. Physical Security and the Impact of Cloud Computing The aim of this module is to highlight physical security issues that may apply to cloud environments so that the candidate can apply that awareness to their specific cloud computing role. Physical security issues can apply to on-premise and off-premise devices, hardware, software and services. There are also different risks associated with corporate and non-corporate devices and their connection to company or public cloud services and networks. Key Topics On-premise versus off-premise hardware The following topics are discussed: Network connection Topology Remote Distributed Tablets and devices BYOD (Bring your Own Device) Devices outside your corporate firewall You don t own everything in the stack anymore, so you don t control it Different monitoring controls Account management Copyright 2014 Cloud Credential Council. All rights reserved. 8

9 (L3) Shows the critical physical security threats associated with data held in cloud environments. (L4) Distinguishes between ownership and access issues in both on-premise and off-premise hardware. ISO27001, ISO27002, ISO/IEC/IEEE software and systems engineering - software testing ISO/IEC process assessment model for software testing processes (dual standard number pending) SEI CMMI standards compliance Module 4. Virtualization Management and Security in the Cloud The aim of this module is to explore the virtual security issues that apply to cloud environments so that the candidate can apply that awareness to their specific cloud computing role. Virtual security issues can apply to on-premise and off-premise devices, hardware, software and services. This can also include corporate and non-corporate resources and environments that may be virtualized, for example the management of security access controls to virtual partitions of cloud resources and services that include virtual containers, storage, databases, networks, applications and data. Key Topics Integrity use of ISO27002 to define the features of a security management system and how we would manage the integrity of that system. For the term Integrity and its meaning, please refer to Integration management control across the security management system Identity protection Federated security Data security Data integrity Isolation and segregation of virtual components Service assurance Encryption Profile management Access control Capacity management Dual factor authentication SAML Copyright 2014 Cloud Credential Council. All rights reserved. 9

10 OAuth - the term OAuth can be found here OID - the term can be found here PCI DSS - the term can be found here (L3) Shows the critical virtual security threats associated with data held in cloud environments. (L4) Distinguishes between the issues specific to corporate and non-corporate resources and environments Module 5. What Security does the Cloud Solve or Shift? The aim of this module is to discuss what the cloud might solve or shift in relation to security so that the candidate understands the specific impact of cloud computing on data and system security. With more service providers integrated into operations, there is more reliance on the viability of other companies for operational running. This increases vulnerability, and therefore becomes a security issue. The key question is under what circumstances does the responsibility for security and compliance shift to the service provider. Key Topics Cost effective data centre security Improved security expertise at the centre Improved security patching and monitoring Increased resilience Business agility vs. vendor lock-in; lock-in, lock-out and solution agility Assessing business and IT environments for security risks Company change and advantages of cloud. Choosing the right cloud solutions Ability to change / modify solutions Portability of data and system solutions Cost of swap versus change Speed and cost of adoption and migration Business continuity Copyright 2014 Cloud Credential Council. All rights reserved. 10

11 Buying a generator vs. paying a utility Recovery (RTO, RPO) (L3) Demonstrates compliance and audit provisions relevant to operating in the cloud. (L4) Analyzes the balance of responsibility and liability between client and service provider in a given scenario. Cloud Computing, an auditors perspective 6/Pages/Cloud-Computing-An-Auditor-s-Perspective1.aspx Trust Zones Uptime Institute RTO Recovery Time Objective RPO Recovery Point Objective ISO Business Continuity Management Module 6. What Security Does Cloud Change or Introduce? The aim of this module is to explore the delta of the cloud from a security perspective so that the candidate can apply that awareness to their specific cloud computing role. The nature of cloud computing forces changes on issues of data and system security due to its unique nature and key factors such as portability, interoperability, multi-tenancy and the impact of open source. Key Topics Multi-tenancy Lock-in Compliance Assurance Government interference Movability of data and applications Data confidentiality (e.g. cloud vs. USB) Configuration control Portability Interoperability Legal issues in cloud What are the commonalities of the legal framework across countries and specific issues in country Intellectual property, copyright Government directives Contractual issues Copyright 2014 Cloud Credential Council. All rights reserved. 11

12 Types of compensation and quality of service issues Accountability of third parties Endpoint control Concentrated points of failure or distributed recovery? When things are this interconnected, can failures ripple more easily? Service provider / vendor relationship management Metering and billing if you don t pay your cloud bill does someone shut off your service? Open source and cloud Cloud based catalogs and marketplaces Cloud development Open source licensing Catalog and source code management in cloud (L3) Relates the implications of core cloud features on security and governance. (L4) Illustrates the impact of cloud computing on legal issues, such as copyright, legislative compliance and ownership. Digital Millennium Copyright Act - PATRIOT Act Safe Harbor Data Protection EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 security data transfer Implemented as the Data Protection Act 1998 within the UK. Also EU Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 aka the e- Privacy Directive (to be implemented by May 2011) interception spam, cookies, notification, etc. PCI-DSS Government interference PATRIOT subpoena Copyright 2014 Cloud Credential Council. All rights reserved. 12

13 Module 7. Existing Security Reference Models and Standards The aim of this module is to establish the range and types of security reference models and emerging and current standards relating to security and the cloud so that the candidate can apply that awareness to their specific cloud computing role. An appreciation and detailed awareness of the security context and related standards in cloud computing is necessary for defining criteria to assess, evaluate and design management systems for the cloud that are both relevant and compliant. Key Topics Explore the various types of Reference Architectures RA s CSA NIST ISO27000x (L2) Explains the key current security standards that apply to cloud computing CSA Cloud Security Alliance CSA Trusted Cloud Initiative CSA Trusted Cloud Security Architecture NIST Jericho Forum ISO270001, 2 Module 8.Identifying the Delta in your IT and Business Architecture for Cloud Security The aim of this module is to walk through an example security risk assessment in a cloud computing environment so that the candidate understands the critical issues and criteria for different cloud models. The example will deal in terms of both technical and business risk and the wider context of risk and compliance in which cloud computing is just part of the overall business and operating model context. This learning unit also examines issues and evaluation criteria for difference cloud scenarios, both new and existing or blended or legacy versus cloud risk comparisons. Copyright 2014 Cloud Credential Council. All rights reserved. 13

14 Key Topics Auditing and Assessment Typical steps in conducting an assessment Identify and select Security Reference Models Identify compliance and certification requirements and standards (mandatory, ) Conduct survey and identify current Trust and Domain zones of an architecture and organization Identify gaps in current protection points and impact from cloud Methods of Security Auditing and Assurance Lifecycle stages of cloud Buyers Sellers Consumers Providers Intermediary Auditor Legislator Legal Issues and evaluation in assessment of green field new service Issues and evaluation in assessment of Brown field existing cloud environment Examples of recent media discussion on security and the cloud. There are many others Issues and evaluation of legacy and cloud environment comparisons (L4) Analyzes the security issues and risks in a given scenario. Reference IT auditing and cloud Module 9.Risk Management and the Cloud The aim of this module is to explore solutions for mitigating and managing risk in the cloud so that the candidate can apply that awareness from both consumer and provider perspectives. The specific focus is on Design for Assurance using cloud security and cloud assurance systems and specific security management components and tools designed for cloud computing. Copyright 2014 Cloud Credential Council. All rights reserved. 14

15 Key Topics Design for Assurance Repudiation and Integrity Cloud products and services lifecycle management (governing products) and standards SOEs, PODS, and APIs standards, features and options, configuration and version management Sustainability, CSR and green cloud assessment planning AD, SSO, authentication, digital signatures, DRM digital rights management Disaster recovery and business continuity planning Recovery and audit planning and control Security Management in Cloud Access management and cloud Cryptography and cloud Integration security challenges in cloud: data/ service / feed / API Integration and transition management Environment fidelity and assurance User-centric policy issues Mobility and cloud Cloud risk assessment and quality assurance assessment Vertical industry sector security and compliance issues Compliance management issues and cloud computing Certification management issues and cloud computing Sustainability and green issues Environmental and socio political issues Processes / behaviors / boundaries (L2) Summarizes the design features that are required for a secure cloud environment. (L4) Analyzes the various security management components and tools currently available. Risk management practice Sustainability and cloud Copyright 2014 Cloud Credential Council. All rights reserved. 15

16 Module 10. IT Governance and Security The aim of this module is to examine the broad scope and processes of IT governance and security so that the candidate can apply that awareness to their specific cloud computing role. Key Topics Concepts of operations, transition, change management and transformation Governance role and key governance processes Security protection points, governance information life cycle Trust management and domains control (internal and external to organization and device) Security planning, audit and controls Procurement ODCA models Sprawl Version management (L5) Explains the core principles of governance in a cloud environment. COBIT Cloud governance Module 11. Monitoring Users and Systems The aim of this module is to explore active and passive monitoring in cloud computing so that the candidate has an understanding of appropriate monitoring and tracking of both individual users and systems as a whole. The monitoring of users and systems that are on premise and off premise involve a series of technologies and processes that include active and passive monitoring and detection systems. The scope of this in Cloud Computing from consumer, provider and intermediary perspectives are considered, the types of tools for cloud environment monitoring, integration with legacy systems; methods of intrusion detection monitoring, assurance and planning. Key Topics Types of monitoring Consumer perspective of cloud usage Provider perspective of cloud usage Copyright 2014 Cloud Credential Council. All rights reserved. 16

17 Intermediaries perspective of cloud usage Monitor intrusion detection SLA monitoring Real time monitoring Diagnostics of attack Continuous monitoring and use of security performance metrics (L2) Explains the key concepts and issues of systems and business monitoring for on premise and off premise, remote services monitoring scenarios (L3) Analyzes the pros and cons of different monitoring systems in relation to the various cloud deployment possibilities. (L4) Outlines the types of tools for User and systems monitoring using scenarios for on premise, off premise and hybrid combinations Common Assurance Maturity Model Aims to provide a framework to provide the necessary transparency in attesting the information assurance maturity of a third party (e.g. Cloud provider). ENISA European Network and Information Security Agency CloudSleuth Real-time performance statistics of cloud providers Cloutage Cloutage exists to empower organizations by providing cloud security knowledge and resources so that they may properly assess information security risks. The project aims to document known and reported incidents with cloud services while also providing a one-stop shop for cloud security news and resources. Monitoring intrusion detection and assurance Copyright 2014 Cloud Credential Council. All rights reserved. 17

18 Module 12. Conditions Contract Management and T s & C s: Terms and The aim of this module is to explore the various contract management practices and issues within cloud computing so that the candidate can apply that awareness to their specific cloud computing role. Key Topics Types of contract Contract and contract-less cloud services Licenses and open source Outsourcing and cloud sourcing impact and differences Terms and conditions in cloud computing issues Contract templates and standardization Rate card ad off-the menu contracting Open source Liability Incentives Penalties Negotiation Subscription and chargeback mechanisms Do s and don ts examples Key issues (L2) Explains the key concepts and types of contracts for technology and business and the imp[act of cloud on contracts management (L2) Explains the different hosting models ranging from onsite, CoLoc, Outsourcing, Managed hosting, Cloud Managed Hosting and the impact of cloud computing on these models. (L2) Explains the different contract options for the different cloud deployments, the use of contract templates and types of contract between single and multiple parties (L3) Relates the different types of monetization, metering and charging and subscription mechanisms and the impact on Terms and Conditions of service for different types of cloud computing scenarios Copyright 2014 Cloud Credential Council. All rights reserved. 18

19 Contracts-SLAs-and-Terms-Conditions-of-Use aspx Module 13. Privacy Legal Controls, IP Intellectual Property and The aim of this module is to consider specific issues of legal concern, competition / anti-trust law, intellectual property, copyright, privacy and protection of rights relating to cloud computing so that the candidate can apply that awareness to their specific cloud computing role. These are matters that enforcement and enactment by government and intergovernmental legal functions and regulations affecting sovereignty, location, tax and property laws are seen as having significant impact on cloud computing. Key Topics Legal jurisdiction Patriot act versus safe harbor Privacy Protection Copyright IP Contract law Employment law Personal data and privacy NSP and ISP, telecoms impact and cloud computing security (L2) Summarizes the key legislative control issues that apply to cloud computing environments. Copyright 2014 Cloud Credential Council. All rights reserved. 19

20 Privacy - New EU policy; new DPD/DPR proposal Outsourcing and cloud - GOAL Syllabus Advanced Skills The aim of this module is to identify how Security and Governance is affected by Cloud computing and activities in-depth so that the candidate can apply their skills to specific tasks and types of cloud security and governance challenges. XaaS. The cloud computing ecosystem offers specific challenges to security and governance within and outside the enterprise, personal and corporate private and public data, the employee and social connections, and markets and trading mechanisms and services that ae increasingly in the cloud. Cloud is increasingly expanding the possibilities of solution architecture and enterprise services that can include big data analytics, embedded services in smart devices, Network as a Service (NaaS) providing a range of communication and on demand services. The boundary of cloud environments and the ecosystem of devices, wifi, tablets, smart phones and different cloud enables services are redefining how business models, business processes and markets and social interactions and services work in a modern economy. New Cloud services in encompassed in the XaaS term can include BPaaS Business Process as a Service, Mobility and BYOD that pushed Virtual Desktop and Remote services into now Mobile Cloud services, personal cloud services and storage and other new forms of Internet enables services sometimes referred to as Internet of Things IoT and Ubiquitous Computing and context location aware services presence This learning module explores the implications of the expanding business and technology domains and interactions and how security and governance is affected within and across cloud and legacy on premise and off premise. Security and governance needs to consider technical and business boundary implications and accountability as services are moved off premise or integrated with on premise systems and services. Use of third party external providers and the choices of single and multi-tenancy and their various issues in shared, reliable and robust performance of cloud services. IaaS. The IaaS cloud environment offers specific challenges for security and governance: types of virtual clouds, data centers and networks together with the standards and benchmarking processes needed to establish control and automation of these environments. In addition to the issues of workload definitions and VM deployment and maintenance lifecycles affect the service performance and user experience. Security and governance needs to consider the selection and design of IaaS architecture environments impact legacy architecture and types of application and data services that may be hosted in the IaaS environment and exposed through Marketplace stores, self-service and accessed on premise and remotely over the infrastructure. Security implications in IaaS include network and data encryption and isolation in IaaS environments, data at rest and in transit. Protection of environments, testing and protection methods. Integration controls, certification non-repudiation and standardized templates and configuration compliance. PaaS. Platform as a Service is a rapid development environment that enables new cloud-enabled capabilities to be both used and developed. The Architecture decisions involve commodity or custom development of cloud services that may involve on premise or external development teams, architects, Copyright 2014 Cloud Credential Council. All rights reserved. 20

21 consumers and other stakeholders. Specific challenges in standards, tools, templates and how they are applied to solution architecture design and the overall enterprise architecture blue print and portfolio management of services, platform integration management and performance of the cloud solution architecture across different endpoint devices, locations and services. PaaS is part of the development of application functionality, its integration and the various cloud deployment models that can today include APIs, apps stores and mash-ups, RIA (Rich Internet Applications) and the middleware and federated integration, portability and interoperability of services. Security and governance of PaaS environments and usage have specific challenges that include Integrated Development environments controls, coding practices, due diligence, standardization management, staff and service skills certification. SaaS. Software as a Service usage and environments potentially cover many of the main business enterprise and social media services in a modern organization. , collaboration, productivity, social media storage as well as main stream sales, finance, work activity and across various on premise and off premise locations and the interactions with businesses, marketplaces and consumers. Cloud Architecture in the SaaS context may involve multiple SaaS solutions and services across a number of different SaaS providers, their impact on security, SLA contracts, Licensing and availability. There can be a number of potential architectural issues of mobility and smart device access using SaaS applications, the use of self-service marketplaces that may provide Apps on Demand to down load and use almost instantly across different devices and service networks owned by the enterprise or through 3rd party managed hosting services. Security and Governance needs to understand and evaluate specific issues relating to end point controls, application security management, monitoring, tests and audit controls, applying security and governance practices to gain control of the cloud environment and usage. Module 14. IaaS Security and Governance Policies The aim of this module is to examine specific security and governance issues for the IaaS model so that the candidate can apply that awareness to design and management of IaaS systems. Key Topics Network encryption between cloud and on / off premise - Network encryption methods - Impact of cloud computing on networks - Impact on encryption system Data encryption methods and types and cloud environments Data encryption methods Impact of cloud on data management and security Methods of data encryption in cloud environments Test and manage Test management methods Cloud testing systems Copyright 2014 Cloud Credential Council. All rights reserved. 21

22 Penetration tests Methods of penetration testing in IaaS environments Public IaaS Private IaaS Community IaaS Hybrid IaaS Vulnerability management Business vulnerabilities Technical vulnerabilities Robust design segregation and VPC (Virtual Private Cloud) Public and private IaaS security features IaaS components Security features Communication domain controls Communication domains Cloud issues Integration controls non-repudiation Integration inside cloud environments Integration outside cloud environments Non- repudiation Distributed infrastructure management issues Secure build Cloud security strategy Control of cloud environments Standardized builds, SOEs (Standard Operating Environments) PODs (Deployment Modules) Standardization Templates Modularity Configuration Cloud issues (L2) Explains the key IaaS security issues and systems with example case studies (L4) Analyzes appropriate security strategies for the planning, building, testing and management of an IaaS cloud environment using scenarios with case studies Copyright 2014 Cloud Credential Council. All rights reserved. 22

23 Networks encryption Network Security Data encryption FIPS federal information processing standards Public Sector view on Data Encryption - Cryptography Encryption Test and manage Penetration tests Vulnerability management Robust design and VPC Robust design Partitioning Scalable partitioning Command query responsibility segregation Communication domain controls IPSec VPN Integration controls non-repudiation Copyright 2014 Cloud Credential Council. All rights reserved. 23

24 Non-repudiation Trust controls Secure build Standardized builds, SOEs (Standard Operating Environments), PODs (Deployment Modules SOE Standard Operating Environment IaaS templates Module 15. Management IaaS: Encryption and DRM Digital Rights The aim of this module is to examine how data in cloud environments can be protected by encryption so that the candidate can apply that awareness to their specific cloud computing role. This learning module covers the specific examples and issues of legal concerns, competition / anti-trust Law, Intellectual Property, Copyright, Privacy and protection of rights relating to cloud computing. Intellectual Property and Copyright protection are key issues in ensuring the legal use and compliance of products and services. This includes understanding the role of Digital Rights Management, Digital Signatures and services to ensure identity controls and effective encryption to deter wrongful access and use. These are matters that enforcement and enactment of government and intergovernmental legal roles and regulations affecting sovereignty, location, tax and property laws are seen as having significant impact with cloud computing. Key Topics Encryption Obfuscation Encryption systems and standards Link to CRM and other systems Cloud impact (L2) Explains the key encryption systems for different types of cloud deployment and use. Copyright 2014 Cloud Credential Council. All rights reserved. 24

25 (L3) Shows the different types of Digital Rights and protection issues and potential tools and methods for Intellectual property, copy right and related to SLA contract compliance monitoring (L4) Outlines the types of tools for digital policy assurance of usage from consumer, provider and intermediary perspectives and case study scenarios Cryptography DRM Module 16. Gateways IaaS: Network Connectivity Security APIs and The aim of this module is to explore the topic of network security in light of the advent of cloud computing so that the candidate can apply that awareness to their specific cloud computing role. Key Topics Types of networks Wireless networks Mobile 3G, 4G, 4LTE networks Endpoints and nodes Physical and virtual switches Routers VPN, Virtual Private Networks Firewall access and policy controls Protocols and service APIs (L4) Relates the security issues in different types of network. Next Generation Internet Book. Chapter on network systems: Generation-Internet-Architectures-Byrav-Ramamurthy/dp/ Connectivity in cloud eee.org%2fxpls%2fabs_all.jsp%3farnumber%3d URL Network endpoints Copyright 2014 Cloud Credential Council. All rights reserved. 25

26 Module 17. IaaS: Disaster Recovery, Business Continuity, Capacity and Performance Planning The aim of this module is to establish the core issues surrounding continuity planning in cloud environments so that the candidate can take these factors into account when addressing cloud security. This module examines Disaster Recovery (DR) and Business Continuity (BC) Planning - Performance and Capacity Management Key Topics DR and BC Planning Cloud Issues DR planning in Cloud Computing BC planning in Cloud Computing Virtualization Enabled Host/Resource Mobility as a Defense (L2) Explains the essential provisions of disaster recovery and business continuity planning in a cloud deployment (L4) Analyzes the different types of DR, BC planning solutions using cloud computing scenarios in case studies. (L4) Outlines for disaster recovery in a given case study scenario. NIST Contingency planning guide for federal information systems DR disaster recovery BC business continuity Module 18. IaaS: Security Automation Tools and Cloud Computing Cloud Security Technology The aim of this module is to explore the types of security systems that can be used in cloud computing so that the candidate can apply that awareness to their specific cloud computing role. The automation of security management in the cloud requires differing tools and involves differing issues depending on whether it is from the perspective of consumers, providers, intermediaries or seeking to address wider governance issues. Copyright 2014 Cloud Credential Council. All rights reserved. 26

27 Key Topics Security tools Audit tools and cloud Policy automation Traceability and tracking in the cloud Cloud security tools reference architectures examples (L2) Explains the range of tools and automation methods relating to Security Management and the Security Reference Architecture and Policy standards (L4) Compares the differing security automation options according to the consumer, provider and intermediary perspectives using cloud computing scenarios with case studies Module 19. PaaS Security and Governance Policies The aim of this module is to examine specific security and governance issues for the PaaS model so that the candidate can apply that awareness to design and management of PaaS systems. Key Topics Code Review Methods and code quality assurance and review for cloud PaaS and IDE management IDEs Coding practices PaaS coding practices Code check list for PaaS Due diligence of code Issues in due diligence and cloud Due diligence processes Issues and resolutions Copyright 2014 Cloud Credential Council. All rights reserved. 27

28 Secure development code standards Practices in secure code development PaaS environment controls PaaS development practices Standardized component design builds Commoditization Change versus extensions Coding practices Open source and standardization Component reuse control Methods for component templates and version / configuration management for cloud PaaS and IDE management Designing modularity Licensing methods and cloud Version management and cloud Configuration management and cloud Code certification controls Methods for code and solution certification and review for cloud PaaS and IDE management Software quality controls systems Software certification Staff skills and certification (L2) Explains the key PaaS security issues and systems with example case studies (L4) Analyzes appropriate security strategies for the planning, building, testing and management of an PaaS cloud environment using scenarios with case studies Code review Garbage in the cloud IDE Integrated Development Environment Copyright 2014 Cloud Credential Council. All rights reserved. 28