Cloud Security and Governance Syllabus

Syllabus for the certification course leading to the CCC Professional Cloud Security & Governance certification
List of contributors

Lead Author: Mark Skilton, Capgemini

Contributors & Reviewers (to date):
- Todd Cioffi, Navis Learning
- Ajeet Bagga, VCE
- Vladimir Baranek, Deloitte
- Al Dunn, NJVC
- Peter HJ van Eijk, Digital Infrastructures
- Kevin L. Jackson, NJVC
- Mari J. Spina, D.Sc., NJVC
- Karl Childs, HP
Contents

1. Overall Purpose of the Syllabus ... 4
2. Structure of the Syllabus ... 4
3. The Role of Professional Cloud Security and Governance ... 4
4. Learning Level of the Syllabus ... 5
5. Syllabus Core Skills ... 5
   Module 1. Security and Governance Concepts in Cloud Computing ... 5
   Module 2. Security Threats and Challenges in Cloud Computing ... 7
   Module 3. Physical Security and the Impact of Cloud Computing ... 8
   Module 4. Virtualization Management and Security in the Cloud ... 9
   Module 5. What Security does the Cloud Solve or Shift? ... 10
   Module 6. What Security Does Cloud Change or Introduce? ... 11
   Module 7. Existing Security Reference Models and Standards ... 13
   Module 8. Identifying the Delta in your IT and Business Architecture for Cloud Security ... 13
   Module 9. Risk Management and the Cloud ... 15
   Module 10. IT Governance and Security ... 16
   Module 11. Monitoring Users and Systems ... 16
   Module 12. Contract Management and T's & C's: Terms and Conditions ... 18
   Module 13. Legal Controls, IP Intellectual Property and Privacy ... 19
6. Syllabus Advanced Skills ... 20
   Module 14. IaaS Security and Governance Policies ... 21
   Module 15. IaaS: Encryption and DRM Digital Rights Management ... 24
   Module 16. IaaS: Network Connectivity Security APIs and Gateways ... 25
   Module 17. IaaS: Disaster Recovery, Business Continuity, Capacity and Performance Planning ... 26
   Module 18. IaaS: Security Automation Tools and Cloud Computing Cloud Security Technology ... 27
   Module 19. PaaS Security and Governance Policies ... 27
   Module 20. PaaS: Version Management SDLC ... 30
   Module 21. SaaS Security and Governance Policies ... 31
   Module 22. SaaS: IDAM Identity and Access Management Federated Administration Credentials ... 32
   Module 23. SaaS: Single Sign-on ... 33
   Module 24. SaaS: Assurance and Audit ... 34
7. Specific Security and Governance Knowledge for Cloud Computing ... 35
8. Course & Exam Details ... 38
9. Trainer Certification Criteria ... 38
1. Overall Purpose of the Syllabus

The purpose of this syllabus is to provide a clear statement of the knowledge and skills required for cloud security and governance. This syllabus informs courseware providers of the training content required for accreditation. Furthermore, it provides guidance to instructors on which areas must be emphasized to give candidates the best possible chance of exam success. Finally, the syllabus also provides candidates themselves with clarity on what they must do to pass the exam and achieve certification.

2. Structure of the Syllabus

The structure of this syllabus is layered as follows:
- The security and governance function itself is briefly described in relation to the background context of cloud computing.
- Each module has a clearly stated purpose and introductory synopsis, followed by key topics and the specific learning objectives that must be met in order to achieve the required standard.
- The flow of the learning modules is designed to build both understanding of the topics and practice in applying that knowledge to managing security and governance in a cloud environment.

3. The Role of Professional Cloud Security and Governance

The challenge for professionals in IT security and governance is understanding the risks, issues and trade-offs presented by cloud computing. The emergence of cloud computing has changed both the location and the domain of control of information technology. As on-premise hardware and software, and personal and corporate data, are moved off-premise to a cloud, or on-premise to a private cloud, the result is a change in ownership of and responsibility for the systems, data and services. Current security and legal threats are shifting and new potential threats are being created.

This syllabus is concerned with applying security and governance best practice to a cloud environment. It draws on security guidelines such as those of the CSA and examines the key security issues of cloud computing and what types of business, commercial and technical governance are needed when managing cloud computing security. However, it is worth being aware that the management of cloud security and governance is carried out within the context of the following emerging issues:
- How to define trust domains and controls to manage levels of cloud computing securely.
- How to define identity, authentication, authorization and controls across single and federated business and IT environments.
- The emerging governance, audit and compliance processes needed in cloud environments.
- The choice of security standards and how to define contract and technical templates, certification and compliance rules (including the policy management of these issues).
- Encryption and repudiation in single and multi-tenancy environments.
- How to evaluate the level of security threats and assurance of cloud services inside and outside an organization.
- The legal, contractual and commercial issues that need to be certified and managed.
- Determining the necessary security technology and tools from both the consumer and provider perspectives.
- The cost of security and its impact on SLA service levels.
- The definition of disaster recovery (DR), business continuity (BC) and the assurance of quality of service (QoS) in order to maintain the integrity and fidelity of the architecture and external services.

4. Learning Level of the Syllabus

The modern version of Bloom's taxonomy of learning is a widely used classification framework for course syllabi and assessments for certification. The taxonomy classifies learning into six ascending levels:
- Level 1, the Knowing level: Exhibit memory of previously learned materials by recalling facts, terms, basic concepts and answers.
- Level 2, the Comprehension level: Demonstrate understanding of facts and ideas by organizing, comparing, translating, interpreting, giving descriptions, and stating main ideas.
- Level 3, the Application level: Use new knowledge. Solve problems in new situations by applying acquired knowledge, facts, techniques and rules in a different way.
- Level 4, the Analysis level: Examine and break information into parts by identifying motives or causes. Make inferences and find evidence to support generalizations.
- Level 5, the Evaluate level: Present and defend opinions by making judgments about information, validity of ideas or quality of work based on a set of criteria.
- Level 6, the Creation level: Compile information together in a different way by combining elements in a new pattern or proposing alternative solutions.

The level of this advanced course for the Cloud Security and Governance role is level 3-4 (Apply, Analyse).

5. Syllabus Core Skills

Module 1. Security and Governance Concepts in Cloud Computing

The aim of this module is to explore the concept of risk and the impact of cloud computing so that the candidate is aware of the underpinning security concepts in a cloud environment.

Risk and the impact of cloud computing must be understood in terms of both business and technical security challenges and their effect on business and technical governance and policy. What kinds of terminology are used to describe security threats and issues, and in particular those in cloud computing?
Key topics

Understanding risk, security and governance
- What do we mean by security and governance?
- What is risk?
- How do we evaluate risk and vulnerability?
- What are the costs associated with risk?

Defining security and the types of security and risk
- Security is about "locks and doors"; governance is about "policies and procedures".
- Security is about access; governance is about behavior.

Assessing security risks in cloud
- Lay out the types of issues to consider.
- Define the evaluation of risk.
- Types of severity and impact assessment.

Assessing the cost of security
- Identify the key costs of security and the impact of cloud.
- Identify examples of the cost of cloud security:
  - Cost of replacing
  - Cost of lost opportunity, e.g. a cloud platform goes down and hosted companies lose IT service for a period
  - Reputational cost, e.g. a portable device is lost and data is stolen; can you remotely shut down a lost device?
  - Identity theft cost

Learning objectives
- (L2) Explains the key security concepts relevant to cloud computing.
- (L3) Shows the impact of cloud security on existing legacy data, systems and business.
- (L4) Analyzes the costs, trade-offs and consequences of the severity of those risks relative to the types of cloud computing scenarios in XaaS.

References
- Public and private sector industry policies on risk and IT practices (NIST, EU, UK)
- Federal Electronic Government Act of 2002
- Federal Information Security Management Act (FISMA): protecting government information, operations and assets against natural or man-made threats
- EU standards and governance: http://ec.europa.eu/enterprise/policies/european-standards/index_en.htm
- Cloud computing risk and security: ENISA, and its US equivalent, NIST
- North America: NIST cloud security assessment
- Europe: ENISA (European Network and Information Security Agency) assessment
- Federal Electronic Government Act of 2002
- Federal Risk and Authorization Management Program (FedRAMP)
- Examples of cloud risk topics
- Cloud Security Alliance (CSA): CSA Guidelines, CSA STAR registry management
- Cloud security controls matrix related to ISO27001 and ISO27002
- ISO/IEC/IEEE 29119 software and systems engineering - software testing

Module 2. Security Threats and Challenges in Cloud Computing

The aim of this module is to examine the need to test the compliance and certification of a cloud environment and its services so that the candidate can confidently address likely security challenges.

The security needs of consumers and providers, and of those responsible for trading standards and government policy, are impacted by the changes in cloud computing business models and usage. What different types of security challenges are there and how do these change in a cloud scenario? How are transparency, accountability and viability defined and assessed in cloud computing?

Key topics

Types of security and compliance issues in cloud
- Look at the familiar types of security issues and how cloud changes those.
- What is it about cloud that is specific to security issues?
- What is at risk in private, public, hybrid and community clouds?
- What are the risks exposed by SaaS, PaaS and IaaS?
- What kinds of compliance and certification are needed?
- What are the types of security issues that exist regardless of whether it is a cloud or not?
- Examples of cyber attack: Denial of Service (DoS) attack

Transparency, accountability and viability
- Accountability of service risk and security
- A stack of different providers offering different parts of the cloud service end to end; multiple XaaS providers correspondingly multiply security access points.
- How do remediation, rollbacks and compensation work?
- Trade-off of risk and scope: how does it impact the SLA? Is it an obligation risk or an opportunity risk?
- Understanding the perception and reality of current security risk and status versus cloud security risk
Learning objectives
- (L2) Explains the potential types of security risk in cloud computing.
- (L3) Shows the risks of various cyber-attacks on data held in cloud environments.
- (L4) Differentiates transparency, accountability and viability in relation to cloud computing.

References
- CSA Cloud Security Alliance Guidelines: https://cloudsecurityalliance.org/ and https://cloudsecurityalliance.org/wp-content/uploads/2011/10/tci-reference-architecture-v1.1.pdf
- SEI CMMI standards compliance
- COBIT
- ISO 9362 SWIFT-BIC codes (banking)
- PCI-DSS
- NIST North America cloud security assessment
- ENISA (European Network and Information Security Agency) assessment
- Federal Risk and Authorization Management Program (FedRAMP)

Module 3. Physical Security and the Impact of Cloud Computing

The aim of this module is to highlight physical security issues that may apply to cloud environments so that the candidate can apply that awareness to their specific cloud computing role.

Physical security issues can apply to on-premise and off-premise devices, hardware, software and services. There are also different risks associated with corporate and non-corporate devices and their connection to company or public cloud services and networks.

Key topics

On-premise versus off-premise hardware. The following topics are discussed:
- Network connection
- Topology
- Remote
- Distributed
- Tablets and devices
- BYOD (Bring Your Own Device)
- Devices outside your corporate firewall
- You don't own everything in the stack anymore, so you don't control it
- Different monitoring controls
- Account management
Learning objectives
- (L3) Shows the critical physical security threats associated with data held in cloud environments.
- (L4) Distinguishes between ownership and access issues in both on-premise and off-premise hardware.

References
- ISO27000 series: http://www.27000.org/
- ISO27001: http://www.27000.org/iso-27001.htm
- ISO27002: http://www.27000.org/iso-27002.htm
- ISO/IEC/IEEE 29119 software and systems engineering - software testing
- ISO/IEC 33063 process assessment model for software testing processes (dual standard number pending)
- SEI CMMI standards compliance

Module 4. Virtualization Management and Security in the Cloud

The aim of this module is to explore the virtual security issues that apply to cloud environments so that the candidate can apply that awareness to their specific cloud computing role.

Virtual security issues can apply to on-premise and off-premise devices, hardware, software and services. This can also include corporate and non-corporate resources and environments that may be virtualized, for example the management of security access controls to virtual partitions of cloud resources and services that include virtual containers, storage, databases, networks, applications and data.

Key topics
- Integrity: use of ISO27002 to define the features of a security management system and how we would manage the integrity of that system (http://www.27000.org/iso-27002.htm). For the term "integrity" and its meaning, please refer to http://www.27000.org/iso-27002.htm.
- Integration management control across the security management system
- Identity protection
- Federated security
- Data security
- Data integrity
- Isolation and segregation of virtual components
- Service assurance
- Encryption
- Profile management
- Access control
- Capacity management
- Dual factor authentication
- SAML: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
  and http://saml.xml.org/saml-specifications
- OAuth: the term OAuth can be found at http://oauth.net/
- OID (OpenID): the term can be found at http://openid.net/
- PCI DSS: the term can be found at https://www.pcisecuritystandards.org/

Learning objectives
- (L3) Shows the critical virtual security threats associated with data held in cloud environments.
- (L4) Distinguishes between the issues specific to corporate and non-corporate resources and environments.

References
- https://cloudsecurityalliance.org/
- https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
- http://saml.xml.org/saml-specifications
- http://www.27000.org/iso-27002.htm
- http://oauth.net/
- http://openid.net/
- http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909494

Module 5. What Security does the Cloud Solve or Shift?

The aim of this module is to discuss what the cloud might solve or shift in relation to security so that the candidate understands the specific impact of cloud computing on data and system security.

With more service providers integrated into operations, there is more reliance on the viability of other companies for operational running. This increases vulnerability, and therefore becomes a security issue. The key question is under what circumstances the responsibility for security and compliance shifts to the service provider.

Key topics
- Cost effective data centre security
- Improved security expertise at the centre
- Improved security patching and monitoring
- Increased resilience
- Business agility vs. vendor lock-in; lock-in, lock-out and solution agility
- Assessing business and IT environments for security risks
- Company change and advantages of cloud
- Choosing the right cloud solutions
- Ability to change / modify solutions
- Portability of data and system solutions
- Cost of swap versus change
- Speed and cost of adoption and migration
- Business continuity: buying a generator vs. paying a utility
- Recovery (RTO, RPO)

Learning objectives
- (L3) Demonstrates compliance and audit provisions relevant to operating in the cloud.
- (L4) Analyzes the balance of responsibility and liability between client and service provider in a given scenario.

References
- Cloud Computing, an auditor's perspective: http://www.isaca.org/journal/past-issues/2009/volume6/pages/cloud-computing-an-auditor-s-perspective1.aspx
- Trust Zones: http://itlaw.wikia.com/wiki/trust_zone
- Uptime Institute: http://uptimeinstitute.com/
- RTO Recovery Time Objective: http://en.wikipedia.org/wiki/recovery_time_objective
- RPO Recovery Point Objective: http://en.wikipedia.org/wiki/recovery_point_objective
- ISO 22301 Business Continuity Management: http://www.pas56.com/

Module 6. What Security Does Cloud Change or Introduce?

The aim of this module is to explore the delta of the cloud from a security perspective so that the candidate can apply that awareness to their specific cloud computing role.

The nature of cloud computing forces changes on issues of data and system security due to its unique nature and key factors such as portability, interoperability, multi-tenancy and the impact of open source.

Key topics
- Multi-tenancy
- Lock-in
- Compliance
- Assurance
- Government interference
- Movability of data and applications
- Data confidentiality (e.g. cloud vs. USB)
- Configuration control
- Portability
- Interoperability
- Legal issues in cloud
  - What are the commonalities of the legal framework across countries, and the specific issues in each country?
  - Intellectual property, copyright
  - Government directives
  - Contractual issues
  - Types of compensation and quality of service issues
- Accountability of third parties
- Endpoint control
- Concentrated points of failure or distributed recovery? When things are this interconnected, can failures ripple more easily?
- Service provider / vendor relationship management
- Metering and billing: if you don't pay your cloud bill, does someone shut off your service?
- Open source and cloud
  - Cloud based catalogs and marketplaces
  - Cloud development
  - Open source licensing
  - Catalog and source code management in cloud

Learning objectives
- (L3) Relates the implications of core cloud features on security and governance.
- (L4) Illustrates the impact of cloud computing on legal issues, such as copyright, legislative compliance and ownership.

References
- Digital Millennium Copyright Act: http://www.copyright.gov/legislation/dmca.pdf
- PATRIOT Act: http://www.fincen.gov/statutes_regs/patriot/
- Safe Harbor: http://export.gov/safeharbor/
- Data Protection: EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (security, data transfer), implemented as the Data Protection Act 1998 within the UK. Also EU Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, aka the e-Privacy Directive (to be implemented by May 2011): interception, spam, cookies, notification, etc.
- PCI-DSS: http://developer.amazonwebservices.com/connect/message.jspa?messageid=139547#139662
- Government interference, PATRIOT subpoena:
  http://www.wired.com/threatlevel/2012/08/ecpa-warrant-reform/

Module 7. Existing Security Reference Models and Standards

The aim of this module is to establish the range and types of security reference models and emerging and current standards relating to security and the cloud so that the candidate can apply that awareness to their specific cloud computing role.

An appreciation and detailed awareness of the security context and related standards in cloud computing is necessary for defining criteria to assess, evaluate and design management systems for the cloud that are both relevant and compliant.

Key topics
- Explore the various types of Reference Architectures (RAs): CSA, NIST, ISO27000x

Learning objectives
- (L2) Explains the key current security standards that apply to cloud computing.

References
- CSA Cloud Security Alliance: https://cloudsecurityalliance.org/
- CSA Trusted Cloud Initiative
- CSA Trusted Cloud Security Architecture
- NIST: http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf
- Jericho Forum
- ISO27001, ISO27002

Module 8. Identifying the Delta in your IT and Business Architecture for Cloud Security

The aim of this module is to walk through an example security risk assessment in a cloud computing environment so that the candidate understands the critical issues and criteria for different cloud models.

The example will deal in terms of both technical and business risk and the wider context of risk and compliance in which cloud computing is just part of the overall business and operating model context.
This learning unit also examines issues and evaluation criteria for different cloud scenarios, both new and existing or blended, and legacy versus cloud risk comparisons.

Key topics

Auditing and assessment
- Typical steps in conducting an assessment:
  - Identify and select security reference models
  - Identify compliance and certification requirements and standards (mandatory, )
  - Conduct a survey and identify the current trust and domain zones of an architecture and organization
  - Identify gaps in current protection points and the impact from cloud
- Methods of security auditing and assurance
- Lifecycle stages of cloud
- Roles: buyers, sellers, consumers, providers, intermediary, auditor, legislator, legal
- Issues and evaluation in the assessment of a green-field new service
- Issues and evaluation in the assessment of a brown-field existing cloud environment
- Examples of recent media discussion on security and the cloud (there are many others)
- Issues and evaluation of legacy and cloud environment comparisons

Learning objectives
- (L4) Analyzes the security issues and risks in a given scenario.

References
- http://www.nist.gov/itl/cloud/upload/sp_500_293_volumeii.pdf
- IT auditing and cloud: http://www.enisa.europa.eu/
- http://en.wikipedia.org/wiki/information_technology_audit
Module 9. Risk Management and the Cloud

The aim of this module is to explore solutions for mitigating and managing risk in the cloud so that the candidate can apply that awareness from both consumer and provider perspectives.

The specific focus is on Design for Assurance using cloud security and cloud assurance systems and specific security management components and tools designed for cloud computing.

Key topics

Design for Assurance
- Repudiation and integrity
- Cloud products and services lifecycle management (governing products) and standards
- SOEs, PODS and APIs: standards, features and options, configuration and version management
- Sustainability, CSR and green cloud assessment planning
- AD, SSO, authentication, digital signatures, DRM digital rights management
- Disaster recovery and business continuity planning
- Recovery and audit planning and control

Security management in cloud
- Access management and cloud
- Cryptography and cloud
- Integration security challenges in cloud: data / service / feed / API
- Integration and transition management
- Environment fidelity and assurance
- User-centric policy issues
- Mobility and cloud
- Cloud risk assessment and quality assurance assessment
- Vertical industry sector security and compliance issues
- Compliance management issues and cloud computing
- Certification management issues and cloud computing
- Sustainability and green issues
- Environmental and socio-political issues
- Processes / behaviors / boundaries

Learning objectives
- (L2) Summarizes the design features that are required for a secure cloud environment.
- (L4) Analyzes the various security management components and tools currently available.
References
- Risk management practice: http://www.theirm.org/
- http://www.businessweek.com/articles/2012-08-07/the-cloud-carries-risks-too
- Sustainability and cloud: http://www.greenbiz.com/blog/2012/04/11/ethics-cloud-computing
- http://www.environmentalleader.com/2009/07/20/the-sustainability-potential-of-cloud-computing-smarterdesign/
- http://www.gsa.gov/portal/category/102371

Module 10. IT Governance and Security

The aim of this module is to examine the broad scope and processes of IT governance and security so that the candidate can apply that awareness to their specific cloud computing role.

Key topics
- Concepts of operations, transition, change management and transformation
- Governance role and key governance processes
- Security protection points, governance information life cycle
- Trust management and domains control (internal and external to organization and device)
- Security planning, audit and controls
- Procurement
- ODCA models: http://www.opendatacenteralliance.org/
- Sprawl
- Version management

Learning objectives
- (L5) Explains the core principles of governance in a cloud environment.

References
- COBIT: http://www.isaca.org/cobit/pages/default.aspx
- Cloud governance: http://www.informationweek.com/cloud-computing/infrastructure/governance-meetscloud-top-misconception/232901483

Module 11. Monitoring Users and Systems

The aim of this module is to explore active and passive monitoring in cloud computing so that the candidate has an understanding of appropriate monitoring and tracking of both individual users and systems as a whole.
The monitoring of users and systems that are on premise and off premise involves a series of technologies and processes that include active and passive monitoring and detection systems. The scope of this in cloud computing from consumer, provider and intermediary perspectives is considered, along with the types of tools for cloud environment monitoring, integration with legacy systems, and methods of intrusion detection monitoring, assurance and planning.

Key topics
- Types of monitoring
- Consumer perspective of cloud usage
- Provider perspective of cloud usage
- Intermediaries' perspective of cloud usage
- Monitoring intrusion detection
- SLA monitoring
- Real time monitoring
- Diagnostics of attack
- Continuous monitoring and use of security performance metrics

Learning objectives
- (L2) Explains the key concepts and issues of systems and business monitoring for on premise, off premise and remote services monitoring scenarios.
- (L3) Analyzes the pros and cons of different monitoring systems in relation to the various cloud deployment possibilities.
- (L4) Outlines the types of tools for user and systems monitoring using scenarios for on premise, off premise and hybrid combinations.

References
- Common Assurance Maturity Model: aims to provide a framework to provide the necessary transparency in attesting the information assurance maturity of a third party (e.g. a cloud provider). http://common-assurance.com/
- ENISA European Network and Information Security Agency: http://www.enisa.europa.eu/.../cloud-computing-risk-assessment
- CloudSleuth: real-time performance statistics of cloud providers. https://cloudsleuth.net/
- Cloutage: Cloutage exists to empower organizations by providing cloud security knowledge and resources so that they may properly assess information security risks. The project aims to document known and reported incidents with cloud services while also providing a one-stop shop for cloud security news and resources. http://cloutage.org/
- Monitoring intrusion detection and assurance:
  http://www.manageengine.com/products/applications_manager/four-keys-for-monitoring-cloud-serviceswhitepaper.html
  http://ec.europa.eu/justice/data-protection/article-29/documentation/opinionrecommendation/files/2012/wp196_en.pdf
  http://gigaom.com/cloud/cloud-computing-fiascos-lessons-from-slideshare/

Module 12. Contract Management and T's & C's: Terms and Conditions

The aim of this module is to explore the various contract management practices and issues within cloud computing so that the candidate can apply that awareness to their specific cloud computing role.

Key topics
- Types of contract
- Contract and contract-less cloud services
- Licenses and open source
- Outsourcing and cloud sourcing impact and differences
- Terms and conditions in cloud computing issues
- Contract templates and standardization
- Rate card and off-the-menu contracting
- Open source
- Liability
- Incentives
- Penalties
- Negotiation
- Subscription and chargeback mechanisms
- Do's and don'ts examples
- Key issues

Learning objectives
- (L2) Explains the key concepts and types of contracts for technology and business and the impact of cloud on contracts management.
- (L2) Explains the different hosting models ranging from onsite, CoLoc, outsourcing, managed hosting and cloud managed hosting, and the impact of cloud computing on these models.
- (L2) Explains the different contract options for the different cloud deployments, the use of contract templates and types of contract between single and multiple parties.
- (L3) Relates the different types of monetization, metering, charging and subscription mechanisms and their impact on Terms and Conditions of service for different types of cloud computing scenarios.
References
- http://searchcloudsecurity.techtarget.com/tutorial/cloud-computing-legal-issues-developing-cloudcomputing-contracts
- http://libguides.law.gsu.edu/cloudcomputing
- http://libguides.law.gsu.edu/content.php?pid=197243&sid=1687549
- http://www.brookings.edu/research/papers/2011/03/cloud-computing-contracts
- http://www.jisclegal.ac.uk/managecontent/viewdetail/id/2141/user-guide-cloud-computing-contractsslas-and-terms-conditions-of-use-31082011.aspx
- http://www.cio.com/article/591629/how_to_negotiate_a_better_cloud_computing_contract
- http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1662374
- http://net.educause.edu/section_params/conf/ccw10/issues.pdf
- http://www.businessblogshub.com/2011/06/cloud-computing-legal-dos-and-donts/
- http://www.slideshare.net/cloudlegal/cloud-computing-contracts-and-services-whats-really-happeningout-there-toulouse
- http://www.infolawgroup.com/uploads/file/pdf%20bna%20article.pdf
- http://www.infolawgroup.com/2010/05/articles/breach-notice/contracting-for-cloud-computing-services-2/
- http://www.out-law.com/en/articles/2012/september/commission-seeks-model-contract-terms-and-newstandards-for-cloud-computing-services/

Module 13. Legal Controls, IP Intellectual Property and Privacy

The aim of this module is to consider specific issues of legal concern, competition / anti-trust law, intellectual property, copyright, privacy and protection of rights relating to cloud computing so that the candidate can apply that awareness to their specific cloud computing role.

These are matters where enforcement and enactment by government and intergovernmental legal functions, and regulations affecting sovereignty, location, tax and property laws, are seen as having significant impact on cloud computing.

Key topics
- Legal jurisdiction
- PATRIOT Act versus Safe Harbor
- Privacy
- Protection
- Copyright
- IP
- Contract law
- Employment law
- Personal data and privacy
- NSP and ISP, telecoms impact and cloud computing security

Learning objectives
- (L2) Summarizes the key legislative control issues that apply to cloud computing environments.

References
- Privacy: new EU policy; new DPD/DPR proposal. http://www.stanfordlawreview.org/online/privacyparadox/right-to-be-forgotten
- Outsourcing and cloud: GOAL, http://www.kpoconsultants.com/
- http://www.gsa.gov/portal/category/102371

6. Syllabus Advanced Skills

The aim of this module is to identify in depth how security and governance are affected by cloud computing and its activities so that the candidate can apply their skills to specific tasks and types of cloud security and governance challenges.

XaaS. The cloud computing ecosystem offers specific challenges to security and governance within and outside the enterprise: personal and corporate private and public data, the employee and social connections, and markets and trading mechanisms and services that are increasingly in the cloud. Cloud is increasingly expanding the possibilities of solution architecture and enterprise services, which can include big data analytics, embedded services in smart devices, and Network as a Service (NaaS) providing a range of communication and on-demand services. The boundary of cloud environments and the ecosystem of devices, wifi, tablets, smart phones and different cloud-enabled services are redefining how business models, business processes, markets, and social interactions and services work in a modern economy.
New cloud services encompassed by the XaaS term can include BPaaS (Business Process as a Service); mobility and BYOD, which have pushed Virtual Desktop and remote services into Mobile Cloud services; personal cloud services and storage; and other new forms of Internet-enabled services, sometimes referred to as the Internet of Things (IoT), ubiquitous computing, and context-, location- and presence-aware services.

This learning module explores the implications of the expanding business and technology domains and interactions, and how security and governance are affected within and across cloud and legacy on-premise and off-premise systems. Security and governance needs to consider the technical and business boundary implications and accountability as services are moved off premise or integrated with on-premise systems and services. It also covers the use of third-party external providers, and the choice between single and multi-tenancy, with their various implications for the shared, reliable and robust performance of cloud services.

IaaS. The IaaS cloud environment offers specific challenges for security and governance: types of virtual clouds, data centers and networks, together with the standards and benchmarking processes needed to establish control and automation of these environments. In addition, workload definitions and VM deployment and maintenance lifecycles affect service performance and user experience. Security and governance needs to consider how the selection and design of IaaS architecture environments impact legacy architecture and the types of application and data services that may be hosted in the IaaS environment, exposed through marketplace stores and self-service, and accessed on premise and remotely over the infrastructure.
Security implications in IaaS include network and data encryption and isolation in IaaS environments, for data at rest and in transit; protection of environments, and testing and protection methods; and integration controls, certification, non-repudiation, standardized templates and configuration compliance.

PaaS. Platform as a Service is a rapid development environment that enables new cloud-enabled capabilities to be both used and developed. The architecture decisions involve commodity or custom development of cloud services that may involve on-premise or external development teams, architects, consumers and other stakeholders. Specific challenges arise in standards, tools and templates and how they are applied to solution architecture design, the overall enterprise architecture blueprint and portfolio management of services, platform integration management, and the performance of the cloud solution architecture across different endpoint devices, locations and services. PaaS is part of the development of application functionality, its integration and the various cloud deployment models, which today can include APIs, app stores and mash-ups, RIA (Rich Internet Applications), middleware and federated integration, and portability and interoperability of services. Security and governance of PaaS environments and their usage have specific challenges that include Integrated Development Environment controls, coding practices, due diligence, standardization management, and staff and service skills certification.

SaaS. Software as a Service usage and environments potentially cover many of the main business enterprise and social media services in a modern organization: email, collaboration, productivity and social media storage, as well as mainstream sales, finance and work activity, across various on-premise and off-premise locations and the interactions with businesses, marketplaces and consumers.
Cloud architecture in the SaaS context may involve multiple SaaS solutions and services across a number of different SaaS providers, with an impact on security, SLA contracts, licensing and availability. There can be a number of potential architectural issues of mobility and smart device access using SaaS applications, and of the use of self-service marketplaces that may provide Apps on Demand to download and use almost instantly across different devices and service networks owned by the enterprise or provided through 3rd party managed hosting services. Security and governance needs to understand and evaluate specific issues relating to endpoint controls, application security management, monitoring, tests and audit controls, applying security and governance practices to gain control of the cloud environment and its usage.

Module 14. IaaS Security and Governance Policies

The aim of this module is to examine specific security and governance issues for the IaaS model so that the candidate can apply that awareness to design and management of IaaS systems.

Network encryption between cloud and on / off premise
- Network encryption methods
- Impact of cloud computing on networks
- Impact on encryption system
Data encryption methods and types and cloud environments
- Data encryption methods
- Impact of cloud on data management and security
- Methods of data encryption in cloud environments
Test and manage
- Test management methods
- Cloud testing systems
Penetration tests
- Methods of penetration testing in IaaS environments
- Public IaaS
- Private IaaS
- Community IaaS
- Hybrid IaaS
Vulnerability management
- Business vulnerabilities
- Technical vulnerabilities
Robust design, segregation and VPC (Virtual Private Cloud)
- Public and private IaaS security features
- IaaS components
- Security features
Communication domain controls
- Communication domains
- Cloud issues
Integration controls and non-repudiation
- Integration inside cloud environments
- Integration outside cloud environments
- Non-repudiation
- Distributed infrastructure management issues
Secure build
- Cloud security strategy
- Control of cloud environments
Standardized builds, SOEs (Standard Operating Environments), PODs (Deployment Modules)
- Standardization
- Templates
- Modularity
- Configuration
- Cloud issues

(L2) Explains the key IaaS security issues and systems with example case studies
(L4) Analyzes appropriate security strategies for the planning, building, testing and management of an IaaS cloud environment using scenarios with case studies

Network encryption
Network security http://datatracker.ietf.org/wg/nea/charter/
http://www.cnss.gov/assets/pdf/cnssi_4009.pdf
Data encryption
FIPS (Federal Information Processing Standards) http://www.itl.nist.gov/fipspubs/geninfo.htm
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
Public sector view on data encryption - http://www.parliament.uk/documents/post/postpn270.pdf
Cryptography http://www.cryptool.org/images/ct1/presentations/cryptoolpresentation-en.pdf
Encryption http://en.wikipedia.org/wiki/encryption
http://i.cmpnet.com/v2.gocsi.com/pdf/csisurvey2008.pdf
Test and manage
http://searchcloudapplications.techtarget.com/answer/cloud-security-testing-strategies
http://www.testandtry.com/2010/03/02/cloud-testing-three-best-solutions/
http://readwrite.com/2011/08/26/two-cloud-based-test-tools-thi
https://www.corecloudinspect.com/microsite/index.html
Penetration tests
http://penetration-testing.7safe.com/
http://en.wikipedia.org/wiki/penetration_test
Vulnerability management
https://cloudsecurityalliance.org/wp-content/uploads/2011/11/csa_scanning_cloud_environment.pdf
http://www.infoworld.com/t/vulnerability-assessment
http://www.cloudave.com/1917/vulnerability-scanning-and-cloud-computing/
http://en.wikipedia.org/wiki/penetration_test
Robust design and VPC
Robust design http://www.martin-fuchs.net/files/pcird08.pdf
Partitioning http://berkeley.intel-research.net/bgchun/dynamic-partitioning-mcs10.pdf
Scalable partitioning http://web.iti.upv.es/~miruifue/pdf/maia10.pdf
Command query responsibility segregation http://cloud.dzone.com/articles/cloud-architecture-command
http://governmenttraininginc.com/govcloud-cloud-computing-handbook.asp
https://education.emc.com/guest/cisco_emc_vmware/default.aspx
http://www.cloudsigma.com/blog/10-security-in-a-public-iaas-cloud-networking
Communication domain controls
IPSec http://en.wikipedia.org/wiki/ipsec
VPN http://en.wikipedia.org/wiki/virtual_private_network
http://searchwindowsserver.techtarget.com/tutorial/step-3-domain-controller-communications
http://www.netlib.org/utk/papers/mpi-book/node129.html
Integration controls and non-repudiation
http://www.infoworld.com/d/cloud-computing/how-integrate-the-cloud-714
Non-repudiation http://security.stackexchange.com/questions/1786/how-to-achieve-non-repudiation
http://en.wikipedia.org/wiki/non-repudiation
http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/778/687
Trust controls http://www.jitterbit.com/news/press_room/cloud-computing-integration-tips-041509.php
Secure build
http://www.dummies.com/how-to/content/how-to-create-a-cloud-computing-security-strategy.html
http://cloudcomputing.sys-con.com/node/830646
Standardized builds, SOEs (Standard Operating Environments), PODs (Deployment Modules)
SOE Standard Operating Environment http://pleasediscuss.com/andimann/20100315/cloud-itil-soeheterogeneity-is-the-new-standard/
http://www.webopedia.com/term/s/standard_operating_environment.html
IaaS templates http://www.rightscale.com/products/configuration-framework.php
http://www.infoq.com/articles/problem-with-cloud-computing-standardization

Module 15. IaaS: Encryption and DRM Digital Rights Management

The aim of this module is to examine how data in cloud environments can be protected by encryption so that the candidate can apply that awareness to their specific cloud computing role. This learning module covers the specific examples and issues of legal concerns, competition / anti-trust law, intellectual property, copyright, privacy and protection of rights relating to cloud computing. Intellectual property and copyright protection are key issues in ensuring the legal use and compliance of products and services.
This includes understanding the role of Digital Rights Management, digital signatures and services to ensure identity controls and effective encryption to deter wrongful access and use. Enforcement and enactment of government and intergovernmental legal roles, and regulations affecting sovereignty, location, tax and property law, are seen as having a significant impact on cloud computing.
Encryption
Obfuscation
Encryption systems and standards
Link to CRM and other systems
Cloud impact

(L2) Explains the key encryption systems for different types of cloud deployment and use.
(L3) Shows the different types of digital rights and protection issues, and potential tools and methods for intellectual property, copyright and related SLA contract compliance monitoring
(L4) Outlines the types of tools for digital policy assurance of usage from consumer, provider and intermediary perspectives and case study scenarios

Cryptography http://en.wikipedia.org/wiki/cryptography
DRM http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgotten

Module 16. IaaS: Network Connectivity Security APIs and Gateways

The aim of this module is to explore the topic of network security in light of the advent of cloud computing so that the candidate can apply that awareness to their specific cloud computing role.

Types of networks
Wireless networks
Mobile 3G, 4G, 4LTE networks
Endpoints and nodes
Physical and virtual switches
Routers
VPN, Virtual Private Networks
Firewall access and policy controls
Protocols and service APIs

(L4) Relates the security issues in different types of network.
Next Generation Internet book, chapter on network systems: http://www.amazon.com/next-generationinternet-architectures-byrav-ramamurthy/dp/0521113687
Connectivity in cloud http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5936156&url=http%3a%2f%2fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5936156
URL http://en.wikipedia.org/wiki/uniform_resource_locator
Network endpoints http://datatracker.ietf.org/wg/nea/charter/

Module 17. IaaS: Disaster Recovery, Business Continuity, Capacity and Performance Planning

The aim of this module is to establish the core issues surrounding continuity planning in cloud environments so that the candidate can take these factors into account when addressing cloud security. This module examines Disaster Recovery (DR) and Business Continuity (BC) planning, and performance and capacity management.

DR and BC planning
Cloud issues
DR planning in cloud computing
BC planning in cloud computing
Virtualization-enabled host/resource mobility as a defense

(L2) Explains the essential provisions of disaster recovery and business continuity planning in a cloud deployment
(L4) Analyzes the different types of DR and BC planning solutions using cloud computing scenarios in case studies.
(L4) Outlines disaster recovery for a given case study scenario.

NIST Contingency Planning Guide for Federal Information Systems http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-nov11-2010.pdf
DR disaster recovery http://en.wikipedia.org/wiki/disaster_recovery
BC business continuity http://en.wikipedia.org/wiki/business_continuity
Module 18. IaaS: Security Automation Tools and Cloud Computing Cloud Security Technology

The aim of this module is to explore the types of security systems that can be used in cloud computing so that the candidate can apply that awareness to their specific cloud computing role. The automation of security management in the cloud requires differing tools and involves differing issues depending on whether it is viewed from the perspective of consumers, providers or intermediaries, or is seeking to address wider governance issues.

Security tools
Audit tools and cloud
Policy automation
Traceability and tracking in the cloud
Cloud security tools reference architectures examples

(L2) Explains the range of tools and automation methods relating to security management and the security reference architecture and policy standards
(L4) Compares the differing security automation options according to the consumer, provider and intermediary perspectives using cloud computing scenarios with case studies.

http://www.techrepublic.com/blog/datacenter/hardening-the-cloud-new-security-tools-help-to-seal-thegaps/5703
http://blog.savvis.com/2011/12/5-free-cloud-security-tools.html
http://www.techrepublic.com/blog/datacenter/cloud-security-tool-basics-gpgtools-checksums-fingerprintsand-digital-signatures/5548
http://www.net-security.org/secworld.php?id=8639

Module 19. PaaS Security and Governance Policies

The aim of this module is to examine specific security and governance issues for the PaaS model so that the candidate can apply that awareness to design and management of PaaS systems.
Code review
- Methods and code quality assurance and review for cloud PaaS and IDE management
- IDEs
Coding practices
- PaaS coding practices
- Code check list for PaaS
Due diligence of code
- Issues in due diligence and cloud
- Due diligence processes
- Issues and resolutions
Secure development code standards
- Practices in secure code development
- PaaS environment controls
- PaaS development practices
Standardized component design builds
- Commoditization
- Change versus extensions
- Coding practices
- Open source and standardization
Component reuse control
- Methods for component templates and version / configuration management for cloud PaaS and IDE management
- Designing modularity
- Licensing methods and cloud
- Version management and cloud
- Configuration management and cloud
Code certification controls
- Methods for code and solution certification and review for cloud PaaS and IDE management
- Software quality controls systems
- Software certification
- Staff skills and certification

(L2) Explains the key PaaS security issues and systems with example case studies
(L4) Analyzes appropriate security strategies for the planning, building, testing and management of a PaaS cloud environment using scenarios with case studies

Code review
Garbage in the cloud http://jasonbloomberg.sys-con.com/node/2099776/mobile
http://www.projectpatterns.org/pattern/c2f80469-a8a8-459c-b521-19ebd61cf06a/software-developmentcode-review-checklist
IDE Integrated Development Environment
http://searchsoftwarequality.techtarget.com/definition/integrated-development-environment
http://mashable.com/2010/10/06/ide-guide/
http://en.wikipedia.org/wiki/platform_as_a_service
http://gigaom.com/cloud/cloud-cannibalism-is-paas-killing-saas/
http://www.businesscloud9.com/content/best-practice-developing-paas-strategy-deal-big-data/12236
http://searchcloudapplications.techtarget.com/news/2240158466/platform-as-a-service-evolves-fromdevelopment-to-application-management
Due diligence of code
Due diligence http://www.techbridge.org/documents/techbridge%20-%20due%20diligence%20-%2050%20Questions%20for%20Cloud%20Providers.pdf
http://searchcloudcomputing.techtarget.com/tip/performing-due-diligence-before-signing-a-cloud-sla
http://www.slideshare.net/jmorency1952/gartner-cloud-computing-due-diligence-guidelines
http://blogs.reuters.com/financial-regulatory-forum/2012/07/13/u-s-bank-regulators-warn-on-due-diligencein-using-cloud-computing-services/
Secure development code standards
http://www.safecode.org/publications/safecode_dev_practices1108.pdf
CERT https://www.securecoding.cert.org/confluence/display/seccode/cert+secure+coding+standards
8 simple rules for developing more secure code http://msdn.microsoft.com/enus/magazine/cc163518.aspx
Standardized component design builds
http://www.techrepublic.com/blog/10things/10-signs-that-software-is-becoming-more-standardized/1650
Commoditization in IT http://ippathwaysia.wordpress.com/2011/01/20/commoditization-in-it-is-it-real/
http://www.imaginellc.com/avoiding-commoditization-part1
http://technorati.com/technology/cloud-computing/article/commoditizing-cloud-based-service-nichesopens/
Open source http://opensource.org/osr
http://www.slideshare.net/petriaukia/commoditization-of-cloud-computing
https://devcentral.f5.com/weblogs/macvittie/archive/2011/04/20/cloud-extend-because-one-size-does-notfit-all.aspx
Component reuse control
Software reuse
http://www.cse.wustl.edu/~schmidt/reuse-lessons.html
Architecture building blocks http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap37.html
http://www.ebizq.net/blogs/cloudsoa/2010/07/the-cloud-agility-and-reuse-part-1.php
Cloud software reuse http://searchcio.techtarget.com/tip/cloud-development-can-make-the-dream-ofsoftware-reuse-a-reality
Multi-tenancy http://en.wikipedia.org/wiki/multitenancy
Cloud computing: private clouds - buy vs. reuse vs. build http://cloudcomputing.syscon.com/node/1748047
Configuration management http://www.zapthink.com/2012/01/25/cloud-configuration-managementwhere-the-rubber-hits-the-clouds/
http://www.cloudpractice.de/sites/default/files/downloads/cloudy_with_a_chance_of_configuration_management.pdf
Version control - exploring cloud computing? say good-bye to version control http://www.infoworld.com/d/adventures-in-it/exploring-cloud-computing-say-good-bye-version-control-618
License management http://searchcloudcomputing.techtarget.com/tip/enterprise-cloud-licensing-basics
http://searchcloudcomputing.techtarget.com/feature/cloud-computing-licensing-buyer-beware
Code certification controls http://en.wikipedia.org/wiki/software_quality_assurance
FISMA http://csrc.nist.gov/groups/sma/fisma/index.html
G-Cloud accreditation process http://gcloud.civilservice.gov.uk/supplier-zone/accreditation/
SQS http://dl.acm.org/citation.cfm?id=1713207

Module 20. PaaS: Version Management SDLC

The aim of this module is to highlight issues of version and configuration management so that the candidate can successfully apply that awareness throughout the cloud development life cycle.

Software Development Cycles (SDCs)
Version management
Configuration management
Multi-tenancy and security issues
IaaS version management
PaaS version management
SaaS version management

(L4) Distinguishes version management issues and how they apply to each main cloud deployment model.
Multi-tenancy http://en.wikipedia.org/wiki/multitenancy
http://www.wired.com/insights/2012/02/multitenancy-and-cloud-problems/

Module 21. SaaS Security and Governance Policies

The aim of this module is to examine specific security and governance issues for the SaaS model so that the candidate can apply that awareness to design and management of SaaS systems.

End-point controls
- Types of software and network endpoints
- Security issues
- Endpoint management and protection
Application security controls
- Security concerns with SaaS solutions and environments
- SaaS application controls
- Issues and resolutions
Penetration tests
- Types of penetration tests and cloud
- Types of SaaS penetration tests
- Issues and resolutions
Audit and monitor usage
- Types of endpoints and security controls
- IT audit standards
- Issues in auditing SaaS
- Endpoint management
- API controls
- Monitoring SaaS usage
- e-Discovery

(L2) Explains the key SaaS security issues and systems with example case studies
(L4) Analyzes appropriate security strategies for the planning, building, testing and management of a SaaS cloud environment using scenarios with case studies

End-point controls
Endpoint management http://techbuddha.wordpress.com/2009/02/19/how-cloud-virtualization-and-mobilecomputing-impact-endpoint-securtity-in-the-enterprise/
http://me-newswire.net/news/6323/en
http://www.symantec.com/endpoint-protection-small-business-edition2013
http://enterprise.bitdefender.com/solutions-and-services/hosted-security.html
Application security controls
http://esj.com/articles/2010/02/09/cloud-saas-security.aspx
Problems with SaaS security http://www.networkworld.com/news/2010/092710-software-as-servicesecurity.html
http://www.itworld.com/saas/60464/security-concerns-saas-environment
Penetration tests
http://penetration-testing.7safe.com/
http://en.wikipedia.org/wiki/penetration_test
http://www.infosectoday.com/articles/securing_saas_applications.htm
http://www.prudentcloud.com/saas/data-security-27052009/
http://blog.securestate.com/penetration-testing-the-cloud-3-important-points/
Audit and monitor usage
SAS 70 audit http://sas70.com/
http://www.isaca.org/journal/past-issues/2010/volume-3/pages/it-audits-of-cloud-and-saas.aspx
http://www.infoworld.com/d/virtualization/startup-copperegg-launches-new-saas-cloud-monitoring-solutioncalled-revealcloud-743
http://www.monitortools.com/saas/
API http://en.wikipedia.org/wiki/application_programming_interface
e-Discovery http://en.wikipedia.org/wiki/electronic_discovery

Module 22. SaaS: IDAM Identity and Access Management Federated Administration Credentials

The aim of this module is to consider the issues and design choices of identity management in cloud computing so that the candidate can manage identity and access issues in both on-premise and off-premise systems and services. It explores the various types of identity management issues and architecture solutions.
Identity management
Trust domains and identity rules and controls
Scenarios for placing Active Directory controls inside and outside the firewall
Federated identity management and cloud computing

(L3) Shows the key identity management issues in cloud computing.
(L4) Illustrates the placement of Active Directory controls in a given firewall scenario.

Identity and access management http://en.wikipedia.org/wiki/identity_management
SWIFT (Secure Widespread Identities for Federated Telecommunications) http://www.ist-swift.org/
http://www.computerweekly.com/feature/identity-management-the-expert-view

Module 23. SaaS: Single Sign-on

The aim of this module is to consider the issues and design choices of federated identity and SSO processes in cloud computing so that the candidate can ensure on-demand data center access. We examine aspects of partitioned workflow, decentralized execution, authentication and authorization processes, and SSO (Single Sign-on).

With the advent of many cloud services from multiple cloud and non-cloud sources through multiple devices, browsers, portals and marketplaces, access has become a potentially complicated issue, with a requirement to control and manage secure credentials and identity. It has been said, "There is no point in having a cloud data center if you cannot access the services." With applications and web services coming through APIs, or with deeper access to IaaS and other types of on-demand environments, how identity, access, account and security policy management is achieved is a key concern in modern cloud computing systems and architectures. This module explores partitioned workflows, decentralized execution, SSO and authorization processes.

Partitioning workflows and decentralized execution
Authentication
Authorization
Single sign-on
Uses of SSO in cloud
Trust domains and identity rules and controls
Scenarios for placing Active Directory controls inside and outside the firewall
Federated identity management and cloud computing
(L2) Summarizes the significant authentication and authorization issues.
(L4) Analyzes the different options for single sign-on in different cloud architectures.

Authentication and authorization http://searchsecurity.techtarget.com/definition/authentication
SSO http://www.opengroup.org/security/sso/

Module 24. SaaS: Assurance and Audit

The aim of this module is to identify the core audit and assurance standards and processes so that the candidate can apply that awareness to their specific cloud computing role. This module examines due diligence, e.g. SAS 70, ISO 27001 and other related audit topics.

Audit and cloud computing
Audit processes
Audit issues and scenarios
ENISA
Federal audits

(L4) Compares the practical implications for cloud management of the various audit and assurance standards.

ENISA audits
Federal audits
SAS 70 audits
ISO 2700x audits
e-Discovery audits
Sarbanes-Oxley audits
7. Specific Security and Governance Knowledge for Cloud Computing

The aim of this chapter is to suggest a variety of vendor-based potential courses of further study for cloud architects so that the candidate can plan their on-going personal development in the role. There is also a supplementary section after this, listing current security standards related to the cloud environment so that the candidate can apply that awareness in their specific cloud computing role.

CCSK Certificate of Cloud Security Knowledge - CSA Cloud Security Alliance
PCI DSS in the Cloud - CSA
GRC Governance, Risk and Compliance Stack - CSA
ISO/IEC 27001 Information Security Training
Certificate of Information Security Management Principles - BCS / CIC
CISSP Certified Information Systems Security Professional
Symantec's Cloud Security Essentials training
Cloud Security Training - HP
Cloud Security Readiness tool - Microsoft
Cisco Network Security Certification
McAfee Security training
COBIT 5 training and accreditation
OWASP Open Web Application Security Project - Symantec

A broad overview and resource containing the current security standards related to the cloud environment so that the candidate can apply that awareness in their specific cloud computing role.

Multi-Media and Cloud Security

Examples of recent media discussion on security and the cloud. There are many others.

Context diagram on media and cloud security issues (figure)

A new bill that focuses on the enforcement of criminal and civil law with regard to cloud computing was recently introduced by Senator Amy Klobuchar. The Cloud Computing Act of 2012's primary purpose is to provide extra protection for cloud services as part of the Computer Fraud and Abuse Act. http://www.gpo.gov/fdsys/pkg/bills-112s3569is/pdf/bills-112s3569is.pdf

Eric Goldman details what he considers the major problems with the bill and regulating the Internet in general.
http://www.forbes.com/sites/ericgoldman/2012/10/02/the-proposed-cloud-computing-act-of-2012and-how-internet-regulation-can-go-awry/

Specific Cloud Security Standards

CSA Cloud Security Alliance Guidelines
CSA STAR registry management
Cloud security controls matrix related to ISO 27001 and ISO 27002
NIST NA cloud security assessment
ENISA European Network and Information Security Agency assessment
General Security Standards relevant to cloud computing

ISO/IEC/IEEE 29119 software and systems engineering - software testing
ISO/IEC 33063 process assessment model for software testing processes (dual standard number pending)
SEI CMMI standards compliance
COBIT
ISO 9362 SWIFT-BIC codes - banking
PCI-DSS

Legal issues and Cloud Computing

Data protection (security, data transfer): EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 - implemented as the Data Protection Act 1998 within the UK
e-Privacy (interception, spam, cookies, notification etc.): EU Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, aka the e-Privacy Directive (to be implemented by May 2011)

Government Policy impacted on or by Cloud Computing

Federal Electronic Government Act of 2002
Federal Information Security Management Act (FISMA) (protect government information, operations and assets against natural or man-made threats)
National eGovernance Plan (NeGP) (an initiative by the government of India to connect eGovernance systems throughout the country and create a nation-wide network for electronic delivery of government services)
China - cloud computing - http://www.datacenterdynamics.com/focus/archive/2012/05/china%e2%80%99s-growing-cloud-industry
EU standards and governance http://ec.europa.eu/enterprise/policies/european-standards/index_en.htm
Digital signatures (EU CROBIES) http://ec.europa.eu/information_society/policy/esignature/crobies_study/index_en.htm
Digital policy (EU) - Digital Agenda http://ec.europa.eu/information_society/digitalagenda/index_en.htm
eGovernance Action Plan EU http://ec.europa.eu/information_society/activities/egovernment/action_plan_2011_2015/index_en.htm

Industry Sector Certifications Examples

Sarbanes-Oxley, HIPAA, GLBA
SAS 70 Type II
VISA CISP
Safe Harbor
Patriot Act
DOJ Level IV compliance
DITSCAP / DIACAP
Data Center Tier IL1, IL2, IL3, IL4 3/4 compliance

Vendor Security Examples

Google http://www.google.com/apps/intl/en/business/infrastructure_security.html
Microsoft Azure http://msdn.microsoft.com/en-us/library/ff934690.aspx
SalesForce.com http://wiki.developerforce.com/index.php/security
Amazon Web Services http://aws.amazon.com/security/

Accredited Cloud Provider Certifications Examples (for illustration)

AWS
Microsoft
VMware
Symantec
8. Course & Exam Details

Course Details

Suggested delivery format is instructor-led, classroom-based learning. Suggested duration: 24 learning hours.

Exam Details

Aspect                                               Details
Exam Type                                            Scenario based, complex multiple choice
Nr of Questions                                      60
Duration                                             75 minutes
Provisions for additional time relating to language  15 minutes of additional time
Prerequisite                                         There are no formal prerequisites, however it is recommended to have the CCC Cloud Technology Associate certification.
Supervised (Proctored)                               Yes
Open Book                                            No
Pass Score                                           70%
Delivery                                             Online

9. Trainer Certification Criteria

CCC Accredited Trainer for the CCC Professional Cloud Security and Governance track. The requirements are:

- 90% or higher passing grade for the exam
- proven training experience
- provide a resume
- references
- possibly an interview

Further details for the requirements can be found on the CCC Accredited Trainer application form on cloudcredential.org.