ISC2-CCSP Course

Giảng viên:

www.netpro.com.vn
Module/Chuyên đề

Giảng viên:

www.netpro.com.vn
 Content Outline

• Introduction
• Domain 01 – Concept, Architecture and Design
• Domain 02 – Cloud Data Security
• Domain 03 – Platform and Infra Security
• Domain 04 – Application Security
• Domain 05 – Security Operations
• Domain 06 – Legal, Risk and Compliance
 OVERVIEW

• CCSP – Certificate Cloud Security Professional

• A part of (ISC)2
• Release the latest 3rd edition
• Exam: 125 questions / 3 hours
• Pass: 700+/1000
• (My opinions:
– CCSP is not hard as CISSP
– Not trick and need remember too much
– CISSP Knowledge is a foundation )
 PREPARE AFTER PASS

• Need to submit application and demonstrate your experiences in

(cloud) security
• If you are endorsed by CISSP’er, it will easier.
• Member fee: 125$/year + 90 CPEs/3 years
• 4-6 weeks to get approval.
0 – INTRODUCTION

Giảng viên:

www.netpro.com.vn
 WHY CCSP…?

• New certificate and era

• Trend
• Almost the (new) concepts;
and it does not focus on any technical or solution or vendor
• (at least) number of questions are not much and not tricky
like CISSP
• Good fundamental and overview and evaluate (basic) features of
cloud.
• Consider to all aspects (domains) of Cloud – this is
Pro(fessional), matching for:
 Consultant
 Audit | QA/QC
 Project
 Management (a little)
 DELIVERY…

• This course (CCSP), in my opinion, it will:

– Provide the knowledge of CCSP course
– Preparation to CCSP exam
– Important notes in the exam and/or study guide (you don’t’ waste your
time to check)
– Work together to discover some situation (may be in real) and how to
overcome
• Important note: don’t focus too much in specific technology
and/or solution, these are good and not in scope CCSP
 AFTER CCSP…

• If focusing on tech, please go forward and chosen

Azure/AWS/GCP or continuous with CI/CD (DevOps –
DevSecOps; Automation…)

• If focusing on Audit, Compliance  CCAK, and/or CISA,

CSA Star Auditor
DOMAIN 01 – Architecture, concept and design

Giảng viên:

www.netpro.com.vn
 DOMAIN 01:
Architecture, concept and design

• Definition, characteristics of cloud and cloud

model
• Fundamental of shared model, roles and
responsibility
• Carefully to choose cloud service
 DOMAIN OBJECTVES

• Definitions and Roles

• Cloud Service Categories (SaaS, PaaS, IaaS)
• Deployment Models
• Key Principles of Enterprise
• Network Security and Perimeters
• IAM, Media Sanitization, Virtualization
• Threats - BCP
 Cloud Definition & Characteristics

• “a model for enabling

ubiquitous, convenient, on-
demand network access to
shared pool of configurable
computing resource…that can
be rapid provisioned and release
with minimal management effort
or service provider interaction”
– NIST_ SP_800-145

5 characteristics of Cloud
 Deployment Model

• 4 deployment Models:
– Public
– Private
– Hybrid
– Community

• Discuss:
– Community Cloud vs others ?
 Service Model

• 3 Service Model
– IaaS (Infrastructure as a Service)
– PaaS (Platform as a Service)
– SaaS (Software as a Service)

• CCSP mentions 3 service models, other models like DBaaS,

DRaaS, XaaS…are not clear
5 – 4 – 3 Model
Shared Model
Shared Model
 Shared Model

• Transition from: self-managed to ‘out-source’/tenancy/lease (pay as

you go)
• Known as Roles & Responsibilities of Cloud (service provider and
customer)
– First Rule: Data is always accountability (ultimate responsibility) of Customers
– Shared Models is a fundamental rights reference (shared between CSP and
customer)
Service Model
 Multi-tenancy

• Mode of operation of software where multiple independent

instance share the same environment
• Physical environment is generally shared:
– Segmentation: separating tenant resources / data / application…
– Isolation: logical isolation is often through virtualization
– Governance: proposed a data governance framework to ensure the privacy,
availability, integrity and overall security of data in different cloud models
– Service level: document minimum expected performance
– Charge back and metering refers to the ability of an IT organization to track and
measure the IT expenses per business unit and charge them back accordingly
 LOCK-IN vs LOCK-OUT

• Cloud lock-in:
– Restrict customers move to another cloud via proprietary technology or strict
SLA

• Cloud lock-out:
– Out-of-business

• Discussion:
– How to “lock” and overcome/avoid ?
 CONSIDERATION (CLOUD)

• Interoperability
• Portability
• Reversibility (multi-cloud needs feature)
• Availability
• Security + Privacy
• Resiliency
• Performance
• Governance
• Maintain & Versioning
• SLA
• Auditability + Regulatory
 SLA

• Availability (99% uptime)

• Performance (maximum response time)
• Security / privacy of data (encrypt data…)
• DR expectation (worse case recovery commitment)
• Location of the data
• Access to the data (data retrievable from provider in readable format)
• Portability of the data
• Helpdesk, Incident Report / Escalate
• Exit strategy
 Key Principle of EA

• Define protections that enable trust in the cloud

• Develop cross-platform capabilities and patterns for proprietary and

open source providers
• Facilitate trusted and efficient access, administration and resiliency to
the customer
• Provide direction to secure information that is protected by regulations.

• Facilitate proper and efficient identification, authentication,

authorization, administration and auditability.
 Key Principle of EA

• Centralize security policy maintenance operation, and oversight functions.

• Access to information must be secure yet still easy to obtain
• Delegate or federate access control where appropriate
• Must be easy to adopt and consume, supporting the design of security
patterns
• The architecture must be elastic, flexible and resilient, supporting multi-
tenant, multi-platforms
• Architecture must address and support multiple levels of protection,
including network, operating system, and application security needs.
 Players in Cloud

• CSP (Cloud Service Provider)

• Cloud Customer/Consumer
• Cloud Broker
• CASB (Cloud Access Security Broker)
• Cloud carrier
• ….
 CRYTPGRAPHY IN THE CLOUD

• Data in Motion & Data at rest

– Details in Domain 02.
 IAM

• IAM = Identity and Access Management

– 2 features: Identity Management & Access Management
– Identity Management:
• Identity Provider (Tradition: AD, LDAP) + (3rd identity: Partner); ex: Facebook id, Google id…
• Authentication method support: 2FA, MFA…
• Enhance: SSO support

– Access Management
• Application and Grant permission per profile
 PROVISIONING AND DE-PROVISIONING
• The goal of provisioning is to standardize, streamline, and create an
efficient account creation process, while creating a consistent,
measurable, traceable and auditable framework for providing access to
end users.

• De-Provisioning is the process whereby a user account is disabled

when the user no longer requires access to the cloud-based services
and resources. Includes users leaving the organization, as well as
changing roles or functions or departments
 CENTRALIZED DIRECTORY SERVICE

• Most common protocol is LDAP, which stores, processes and

facilitates a structured repository of information stored, coupled
with unique identifiers and locations

• LDAP Is the communications protocol used to interact with Active

Directory
 PRIVILEGED USER MANAGEMENT

• Focuses on process and ongoing requirements to manage

the lifecycle of user accounts with the highest privileges

• These accounts carry the highest risk and impact

• Should include the ability to: track usage, authentication

successes and failures, authorization times/dates, log
successful and failed events, enforce password management
and contain sufficient levels of auditing and reporting
 AUTHORIZATION & ACCES MANAGEMENT

• Regulates what a subject can do to an object

• Users require authorization and access management to
access required/appropriate resources
• Should be functional, operational and trusted
 Should be based on sound security principles such as separation of
duties, privilege management, password management, etc.
 DATA & MEDIA SANITIZATION

• When leaving or migrating from a cloud provider, considerations

must be made for export/import of data in standards-based formats
• “Vendor lock-in” describes situation where proprietary formats,
technology, etc. make it more difficult to move data out of the cloud
or from on provider or another
• How is media sanitized after removal?
– Degaussing/physical destruction is rarely an option.
– Overwriting is frequently used.
 COMMON THREATS

• Data Breaches: Disclosure

• Data Loss: Loss of integrity or destruction
• Account of Service Hijacking: Attacker sniffing or MITM
• Insecure Interfaces/APIs: provided by vendors to access their
networks
• DoS or DDos
 COMMON THREATS

• Malicious insiders
• Abuse of cloud services: Inherent weakness of any
internet service
• Insufficient Due Diligence/Due Care
 Due diligence investigating and understanding risks
 Due care: Developing policies and procedures to address risks
• Shared Technology Vulnerabilities: multiple tenants
brings in risks
 SECURITY…

• IaaS:
– VM attack /Virtual Switches/Network
– VM Based Rootkits/malicious hypervisor
– Single Point of Access

• PaaS:
– System/Resource isolation
– User-level permissions /User Access Management
– Protection against malware

• SaaS:
– Data (segregation), Data Access & Policy
– Web Application Security
 BCP & DRP

• Business Continuity
– is the process in which risks and threats to the ongoing availability
of services, business functions and the organization are actively
reviewed and managed at set intervals
– (Plan) Business operates and maintain at the minimum

• Disaster Recovery Planning

– Focuses on restoration of most critical business functions in the
event of large impact events
 DISCUSS

• How to determine BCP/DRP and where we need start ?

• What are factors considered?

• BIA – Business Impact Analysis – and start with …?

• (see 2nd edition you will see factors need to consider)

 RESTORATION PLAN

• RPO – RTO – MTD

– Recovery Point Object  how much data restored (how much data allowance

lost)

– Recovery Time Object  how fast recovery systems

– Maximum Tolerance Downtime  maximum time before system totally down

 COST-BENEFIT

• Key driver for adoption of cloud computing

• Resource pooling
• Time and efficiencies
• No deprecation of resources
• Savings of utilities costs
• Software licensing and maintenance cost
• Thin clients (similar VDI)
• Pay per usage
 STANDARD BASE APPROACH

• Standard:
– ISO 27001, 27002, 27017, 27018, 27701;
– PCI-DSS

• SOC (Service Organization Control)

– SOC 1, SOC 2 (Type 1, Type 2), SOC 3

• Regulation:
– SOX, GDPR, HIPPA…
 Note:

• CCSP acting in some roles:

– Cloud Service Provider --> consult about security and compliance; know threats

(modeling) and integration (to other cloud service )

– Cloud Customer  choose providers/3rd-parties; evaluate strength/weak of

cloud service

– Independence  evaluate cloud service offer

NOTES
 NOTES

• Important:
– Shared Roles & Responsibilities

– Characteristic of Cloud  applied to many questions and foundation to start thinking

– BCP & DRP  DRaaS  not by default.

– Ultimate Response of data is Customer.

• Due Care is set out by the policy; activities that support policy are

demonstration of Due Diligence
• Impact of technology:
– AI – ML

– Blockchain | IoT

– Quantum
 OTHER NOTES

• CCSP 2nd edition  need to read and learn experience about

moving to cloud, changing (user) behaviors and some pitfalls
need to overcome
• Remember Cloud is “boderless” and compliance (regulatory)
need to evaluate (responsibility of legal department) and
negotiate.
• Chapter 02 of 2nd edition  find “bottleneck” and overcome
(straight thinking)  valuable
DOMAIN 02 – CLOUD DATA SECURITY

Giảng viên:

www.netpro.com.vn
 DOMAIN 02 – CLOUD DATA SECURITY

• Storage Architecture
• Data Lifecycle Security
• Database security
• Data Loss Prevention (DLP)
• Data Encryption
• Key Management
 Storage Architecture - IaaS

• Volume storage (block storage): includes volumes/data storages

attached to IaaS instances, usually a virtual hard drive. Should
provide redundancy
• Object storage: example – Dropbox – used for write-once, read
many; not suitable for application like databases
• Independent of virtual machine
• Because of varying laws and regulations, customers should always
know where their physical data is stored and is stored in
compliance with their needs
 Data storage - PaaS

• PaaS utilizes the following data storage types:

– Structured: High organized, such that inclusion in a relational database is
seamless and readily searchable
– Unstructured: information that doesn’t reside in a traditional row-column
database-text, multimedia, content, email….
 DATA SECURITY LIFECYCLE

• The CSA has incorporated the data security lifecycle which

enables the organization to map the different phases in the data
lifecycle against the required controls that are relevant to each
phase.
• The lifecycle contains three steps
– Map the different lifecycle phases

– Integrated the different data locations and access types

– Map into functions, actors and controls

 MAPPING TO LIFECYCLE PHASES

• Create – Store – Use Create

– share – archive -
Destro
destroy Store
y

Archive Use

Share
 FUNCTIONS, ACTORS AND CONTROLS

Applied to Data Security Lifecycle

 FUNCTIONS, ACTORS AND CONTROLS
Business process / Applications
/ Features (in cloud / of cloud)

Users /
Customers /
CSP Where (store,
operate…)
data

Controls to Controls to
enhance security enhance
security

It’s similar “Use case” or “Information

Flow” – a first step in Threat Modeling
 DATABASE SECURITY

• Mainly supported by two elements

– DAM (Database Activity Monitoring) that captures and records all SQL activity
in real time or near real time. Can prevent malicious commands from executing
on a server
– FAM (File Activity Monitoring) that monitors and records all activity for a specific
repository and can generate alerts on policy violations
– DLP (Data Loss Prevention) systems
 DLP

• Can also know as Data Leakage Prevention describes the controls

put in place by an organization to ensure that certain types of data
(SSNs, Account Numbers, etc) remain under organization controls
in line with policies, standards, and procedures
• Detects exfiltration of certain types of key data (SSNs, Account
number, etc…)
• Help ensure compliance with regulations like HIPPA, PCI-DSS and
others
 DATA SECURITY
IN THE CLOUD

• Protect data moving to and within the cloud

– SSL/TLS/IP Sec

• Protecting Data in the Cloud

– Encryption

• Detection of Data Migration to the Cloud

– DAM, FAM, DLP

• Data Dispersion: Data is replicated in multiple physical locations across

your cloud
• Data Fragmentation involves splitting a data set into smaller fragments (or
shards), and distributing them across a large number of machine
 CASES FOR ENCRYPTION

• When data moves in and out of the cloud

• Protecting data at rest
• Compliance with regulations like HIPPA and PCI-DSS
• Protection from 3rd party access
• Creating enhanced mechanisms for logical separation between
different customers’ data
• Logical destruction of data when physical destruction is not
feasible
 ENCRYPTION - BEST PRACTICES

• Use Open and validated formats

• All encryption keys should be stored within the enterprise
• Identify-based key assignment and protection of private keys
• Use strong encryption
• Follow key management best practices for location of keys.
 DATA ENCRYPTION IN ACROSS IMPLEMENTATION

• IaaS encryption uses volume Storage Encryption and Object

Storage Encryption
• PaaS encryption with Client/Application, Database encryption and
proxy-based encryption
• SaaS Encryption is managed by the Cloud Service Provider by
the applications through Proxy encryption
– Ephemeral Encryption --> SaaS
 MASKING/OBFUSCATION, ANONYMIZATION,
AND TOKENIZATION

• Masking and obfuscation is the process of hiding, replacing or omitting

sensitive information from specific dataset. For instance, masking all but
4 digits of SSN
• Data Anonymization is the process of either encrypting or removing
personal identifiable information from data sets, so that the people whom
the data describe remain anonymous
• Tokenization: public cloud service can be integrated and paired with a
private cloud that stores sensitive data. The data sent to the public cloud
is altered and contains a reference to data residing in the private cloud
TOKENIZATION
Database Encryption
 ENCRYPTION VS MASKING

• Discuss….(some notes)
– Encryption need decrypt (in process data)
– Need resource to perform (slow ...)
– ….
 DATA DISCOVERY

• Emphasizes visual, interactive analytics rather than static report

• Provides a way to make sense of big data – the sheer volume and
diversity of data makes this challenging for the old means of
static reporting
• Can provide agile, near real-time analytics
 DATA DISCOVERY TECHNIQUES

• Data Discovery is a user-driven process of searching for patterns or specific items in a data
set.
– Data Discovery applications uses visual tools such as geographical maps, pivot-tables, and heat-maps to make the
process of finding patterns or specific items rapid and intuitive.

• Data Discovery may leverage statistical and data mining techniques to accomplish these goals.

• There are several different ways Data Discovery tools make their analysis:
– Metadata provides data its meaning and describes its attributes
– Labels provide a logical grouping of data elements and gives the a “tag” describing the data
– Content analysis examines the data itself
 DATA CLASSIFICATION

• Categorizes data based on its value and drives the controls that are
put in place to secure it

• Within the cloud, the CSP should

– Ensure proper security controls are in place so that whenever data is created or
modified by anyone, they are forced to classify or update the data as part of the
creation/modification process
– Implement controls (could be administrative, preventive or compensating)
– Make metadata available, as it could be used as means of determining classification
– Protect data according to its classification at rest and in transit
– Should support the reclassification process
 DATA PRIVACY TERMS

• Data subject: an identifiable subject who can be identified by

reference to an id number, or one or more factors specific to
the his physical, physiological, economic, cultural, or social
identify (telephone number, SSN, IP address…)
• Personal data: information relating to an identified or
identifiable natural person – biometrics, health data …
• Processing: operations performed on personal data –
collection, recording, organization, storage, …
• Control: One who processes data on behalf of the controller
 DATA PRIVACY TERMS

• The customer (in the cloud context) is the

controller of the data and responsible to all the
legal duties addressed in the Privacy and Data
Protection applicable laws.

• The service provider (CSP) supplies the means

and platform, and is considered to be the
processor
 NOTES

• Data Security Strategy:

– Data type (PII, PHI)
– Data structure and format Applied to …
– Cloud Service Module lifecycle
– Cloud storage option
– Define data ownership
– Protection of data control
– Ongoing monitoring
 CSA - CCM

• CCM – Cloud Controls Matrix

• Designed to provide fundamental security principles to guide
cloud vendors and to assist prospective cloud customers in
assessing the overall security risk of a provider
• Provides a control framework in 16 domains that are across-
walked to other industry-accepted security standards,
regulations and controls frameworks to reduce audit
complexity
• Mapping to: ISO 27001/27002, COBIT, PCI-DSS…
• Link to CCMv4
 MANAGEMENT CONTROLS: (Privacy and data protection)

• Separation of Duties
• Training
• Authentication and Authorization procedures
• Vulnerability Assessments
• Backup & Recovery processes
• Logging
• Data-retention control
• Secure disposal
 DATA RIGHTS MANAGEMENT

• DRM or IRM (Information Rights Management) adds an extra layer of

access controls on top of data object or document and provides
granularity flowing down to printing, saving, copying and other
options
• ACLs are embedded into the file, it is agnostic to the location of data.
IRM will travel with the file
• Useful for protecting sensitive organization content and intellectual
property
 IRM CLOUD CHALLENGES

• IRM requires that all users with access should have matching encryption
key. This requires a strong and comprehensive identity structure
• Each user will need to be provisioned with an access policy and keys
• Access can be identity based or role based (RBAC)
• Identity can be implemented with a single director location or across
federated trust
• End users will likely have to install a local IRM agent for key storage or
authenticating and retrieval of protected information
• Can be challenging with disparate systems and document readers
 DATA PROTECTION POLICES: RETENTION

• Data Retention: established protocol for keeping information for

operational or regulatory compliance needs.
• Cloud considerations:
– Legal, regulatory and standards requirements must be well-documented and agreed upon
– Data mapping should map all relevant data in order to understand formats, data types and
locations
– Data classification based on locations, compliance, requirements, ownership and business
usage
– Each category’s procedures should be followed based on appropriate policy that governs
the data type
 DATA PROTECTION POLICIES: DATA DELETION

• Safe disposal of data once it is no longer needed.

– Physical destruction
– Degaussing
– Overwriting
– Encryption (crypto-shredding)
 DATA PROTECTION POLICIES: ARCHVING

• Data archiving is the process of identifying and moving inactive data out
of current production systems and into specialized long-term archival
storage systems. Considerations include:
– Encryption
– Monitoring
– Granular retrieval
– Electronic discovery (e-discovery) any process in which electronic data is sought, located,
secured and searched with the intent of using it as evidence in a civil or criminal legal case
– Backup & recovery | Media type
– Restoration procedures
 AUDITABILITY

• In order to be able to perform effective audits and

investigation the CSP should provide an audit log with
as much information as is relevant
• WHEN: time and data of logs and events
• WHERE: Application identifier, application address
(cluster/host or IP address)
• WHO: Human or machine
• WHAT: Type of event, severity of event and description
 SECURITY AND EVENT MANAGEMENT

• Software and products combining security information and event management

(SIEM) - provides real-time analysis of security alerts generated by network
hardware and applications. SIEM system often provide:
– Aggregation from many sources
– Correlation across common attributes
– Alerting to a pre-defined entity responsible for monitoring
– Dashboard tools to take event data and organize into charts or other formats
– Compliance tools automate the gathering of compliance data
– Retention employs long term storage of historical data to facilitate correlation of data over time the
retention necessary for compliance
– Forensic analysis provides the ability to search across logs on different nodes and time periods based
on specific criteria
 CHAIN OF CUSTODY

• Chain of Custody is the preservation and protection of evidence

from the time it is collected until the time it is presented in court.
• Documentation should exist for the collection, possession,
condition, location, transfer, access to and any analysis performed
on an item from acquisition through eventual final disposition
• Chain of Custody provision should be included in the service
contract and ensure that the cloud provider will comply with
requests
 DOMAIN 2 SUMMARY

• Shredding-crypto has 2 key (system)

– 1 key for encrypting target data
– 1 key to encrypting the encryption-key (secret key)

• Key-management is the most important in the cloud

– HSM
– Based on application (SaaS)

• In US, almost Opt-out except HIPPA (Opt-in)

 DOMAIN 02 - SUMMARY

• Data (Security) Lifecycle and Controls applied to each phase

• Review the process that are need to govern for applying entire
lifecycle:
– Classification (data owner)  regulatory and suggestion (& applied new
technology such as AI – ML for discovery + DLP …)
– Protection and how to start BCP (& Risk Assessment)

• Combine chapter 01 and review again to link together

DOMAIN 02 – CLOUD DATA SECURITY

Giảng viên:

www.netpro.com.vn
 DOMAIN 03 - OBJECTIVE

• Hypervisor security
• VM Concerns, vulnerabilities and weaknesses
• Performance and operational complexity
• Data Center Operations
• Perimeter security
• Physical Security
 SECURING THE HYPERVISOR

• Install all update to the hypervisor as they are released by the vendor.
Centralized patch management solutions can also be used to administer
updates.
• Restrict administrative access to the management interfaces of the hypervisor
• Protect all management communication channels using a dedicated
management network
• Synchronize the virtualized infrastructure to a trusted authoritative time server.
• (con’t)
 SECURING THE HYPERVISOR

• Disconnect unused physical hardware from the host system (external drives,
NICs)
• Disable all hypervisor services such as clipboard or file sharing between the
guest OS and the host OS unless they are needed
• Consider using introspection capabilities to monitor the security of each
guest OS and their interactions
• Carefully monitor the hypervisor itself for signs of compromise. This includes
using self-integrity monitoring capabilities that hypervisors may provide, as
well as monitoring and analyzing hypervisor logs on an ongoing basis
 SECURING THE GUEST OS

• Follow the recommended practices for managing the physical OS,

e.g, time synchronization, log management, authentication,
remote access...
• Install all updates to the guest OS promptly. All modern Oss have
features that will automatically check for updates and install them
• Backup the virtual drives used by the guest OS on a regular
basis, using the same policy for backups as is used for non-
virtualized computers in the organization
 SECURING THE GUEST OS

• In each guest OS, disconnect unused virtual hardware. This is particularly important for

virtual drives (usually virtual CDs and floppy drives), but is also important for virtual

network adapters other than primary network interface and serial and/or parallel ports.

• Use separate authentication solutions for each guest OS unless there is a particular

reason for two guest OSs to shar credentials

• Ensure that virtual devices for the guest OS are associated only with the appropriate

physical devices on the host system, such as the mappings between virtual and

physical NICs
 VIRTUALIZATION CONCERNS

• Inter-VM attacks
– Traffic between the VMs traverses a virtual network and are visible to the physical security elements and is sometimes

referred to as the “blind spot”

• Monitoring of the virtual network is as essential as that of the physical

• Performance:
– Many security tools affect performance, perhaps more so on VMs

– Understanding the virtual environment and the use of proper sizing, planning and balancing the needs of the environment

• VM Sprawl:
– The increasing number of VMs in use leaves the potential for oversights and misconfigurations

– Automation and proper governance and long term framework to mitigate the risk associated with operational complexity
 VIRTUALIZATION CONCERNS

• Instant-on Gaps
– Vulnerabilities exists from when a VM is powered on and when its security rules
can be updated.
– Best practices include network based security and “virtual patching” that inspect
traffic for known attacks before it can get to newly provisioned or newly started
VM. (enforce NAC, isolated state VMs until their rules and pattern files are
updated and scan has been run)
• VM theft or modification
– VM encryption is necessary as VMs are susceptible to modification or theft but it
can affect performance
 VIRTUALIZATION CONCERNS

• Data Comingling:
– Data of different classifications could potentially be stored on the same
physical device
– combination of VLANs, firewalls, and IDS/IPS to ensure VM isolation as a
mechanism for supporting mixed mode deployments.
– We also recommend using data categorization and policy based
management to prevent this.
– In Cloud Computing environments, the lowest common denominator of
security could potentially be shared by all tenants in the multi-tenant
virtual environment.
 RECOMMENDATION FOR CUSTOMER

• Identify which types of virtualization your cloud provider uses, if any

• Consider a zone approach, with production separate from test/dev,
and highly sensitive data/workloads in different environments than
low-need content
• Consider performance when testing and installing virtual machine
security tools, as performance varies widely. Virtualization-aware
server security tools are important to consider
• Evaluate, negotiate and refine the licensing agreements with major
vendors for virtualized environment
 RECOMMENDATION FOR CUSTOMER

• Secure each virtualized OS by using software in each guest or using an inline virtual machine
combined with hypervisor-based APIs such as VMware vShield.

• Virtualized OSs should be augmented by built-in security measures, leveraging 3rd party security
technology to provide layered security controls and reduce dependency on the platform provider
alone.

• Secure by default configuration must be assured by following or exceeding available industry

baselines.

• Explore the efficacy and feasibility of segregating VMs and creating security zones by type of
usage (e.g., desktop vs. server), production stage (e.g., development, production, and testing) and
sensitivity of data on separate physical hardware components such as servers, storage, etc. *:
encrypt virtual machine if not use

• Make sure that the security vulnerability assessment tools or services cover the virtualization
 DATA CENTER OPERATIONS

• Cloud providers running data center operations should

demonstrate to customers their compliance to current regulation
and standards
• CSP can/should share results of independent audits
– Establish digital trust between a cloud computing customer and provider and
create transparency about: provider’s configurations, vulnerabilities, access,
authorizations….
– Cloud audit: provides automated audit, assertion, assessment and assurance
 PERIMETER SECURITY

• Should add distance, time and scale to the physical access of

system
• Focuses on 4Ds:
– Deter
– Detect
– Delay
– Deny
 BACKUP & RECOVERY

• CSPs should provide assurance in securing customer data backed

up to the cloud for the purpose of fault tolerance and disaster recover
• Solution might include:
– SSL/TLS secure transfer
– Encrypted storage / Password protections
– Geo-redundant storage
– Continuous backup
– Express restore
– Deduplication
 PHYSICAL LOCATION OF CLOUD INFRA

• Physical location of CSP should be evaluated for location

in relation to:
– Regions with a high rate of natural disasters (flood, landslides, seismic
activity, etc.)

– Regions of high crime, social/political unrest

– Frequency of inaccessibility
TO BE MATCH SENSE…
TO BE MATCH SENSE…

Operations (domain)
needs this info
TO BE MATCH SENSE…

IaaS need to know

(SDN – Software
Defined Network)
 TO BE MATCH SENSE…

IaaS need to know (SDN –

Software Defined Network)
 TO BE MATCH SENSE…

IaaS need to know (SDN –

Software Defined Network)
 SUMMARY

• SDN is the core of IaaS and need to know (in the real world) to
enhance security
• Auditable  attestation via certificate like ISO, SOC with
independence (audit) agency
• Think again about backup (cloud)
– You can’t use on-premise to backup on-cloud

• Restriction in IaaS (or PaaS) when implement with organization

(device) security control.
 SUMMARY

• Risk in Virtualization

– Host-Escape vs Guest-Escape

– Common risk in the cloud (some new and some old)

• Encryption, encryption and encryption

(updated)
(updated)
(updated)
DOMAIN 04 – CLOUD APPLICATION SECURITY

Giảng viên:

www.netpro.com.vn
 CLOUD APPLICATION SECURITY

• Determining Data Sensitivity

• Security Responsibilities Across Models

• The Software Development Lifecycle

• OWASP Top Ten Vulnerabilities

• IAM and Federated identity management

• Application Security Testing

 DETERMINING DATA SENSITIVITY

• Six key questions in relation to determining data sensitivity. What

would the impact be if:
– Information was widely distributed

– An employee of cloud provider accessed the application

– The process was manipulated by an outsider

– The process failed to provide the expectedly changed

– The application or information was unavailable for a period of time

 Shared model (security)

• Remind
 SDLC for the cloud

• Planning & Requirement Analysis: All business requirements

should be defined and risks should be identified
• Defining: Clearly defines the requirements through a requirement
specification document
• Designing: Specifies hardware and system requirements and
helps define overall architecture
 SDLC for the cloud

• Developing: work is divided into modules and the actual coding

starts

• Testing: code is tested against requirements: Unit testing,

integration testing, system testing and user acceptance testing

• Maintenance: continuous monitoring and update as needed

 VULNERABILITITY DATABASE & RESOURCES

• OWASP

• CVE

• CWE

• NVD

• US CERT
 OWASP TOP TEN

• OWASP is international non-profit organization and offers a broad

consensus on the most common security flaws/exploits

• Designed to raise awareness and the stress the need for security

in web-based applications
 OWASP TOP 10

• Check for the latest release (CCSP Ref OWASP TOP 10 2017)
– Injection
– Cross-site scripting (XSS) / CSRF
– ….
 CSRF MITIGATE STRATEGIES

• Do not save username/password in the browser

• Do not check “Remember me” option
• Do not use the same browser to surf the Internet and access
sensitive website at the same time, if you are accessing both
from the same machine
• Read standard emails in the plain text
• Explicit log off after using a web application
• Use client-side browser extensions that mitigate CSRF attacks
 CSRF MITIGATES (DEVELOPERS)

• Implement the software to use a unique session specific token (called a

nonce) that is generated in a random, non-predictable, non-guessable
and/or sequential manner
• CAPTCHAs can be used to establish specific token identifiers per session
• The uniqueness of session tokens is to be validated on the server side
and not be solely dependent on client based validation
• User POST methods instead of GET requests for sensitive data
transactions and privileged and state change transactions, along with
random session identifier generation and usage
 INSECURE DIRECT OBJECT REF

• Defined as an unauthorized user or process which can invoke the

internal functionality of the software by manipulating parameters
and other object values that direct reference this functionality.
Issues resulting include:
– Data disclosure
– Privilege escalation
– Authentication and authorization check bypass
– Restricted resource access
 SECURITY MISCONFIGURATION

• Good security requires having a sequence configuration defined

and deployed for application, frameworks, applications server,
web server, database server and platform.
• Secure settings should be defined, implemented, and maintain,
as defaults are often insecure
• Additionally, software should be kept up to date
 MISSING FUNCTION LEVEL ACCESS CONTROL

• Most web application verify function level access rights before

making that functionality visible in the UI.
• However, applications need to perform the same access control
checks on the server when each function is accessed.
– If request are not verified  attackers can access functionality without proper
authorization
• Failure to restrict access to privileged functionalities or URLs 
implement RBAC of function and URLs that denies access by
default
 KNOWN VULNERABLE
COMPONENT USAGE

• Components such as library, framework, and

other software modules, almost always run with
full privileges
• Applications using components with known
vulnerabilities may undermine application
defenses and enable a range of possible attacks
and impacts
• Deprecated, insecure and banned APIs
 THREAT MODELING

• Identify Security Objectives

– Legislative Drivers
– Contractual Requirements
– Alignment with Business Objectives

• CIA Triad
• Tools for Threat Modeling
– Data Flow Diagram
– Use/Misuse Cases
Threat Modeling (EX)
USE/MISUSE CASE
 THREAT MODELING

• Common Threat Modeling:

– STRIDE – Spoofing, Tampering, Repudiation, Information Disclosure, Denial of
Service, Escalation of Privilege
– OWASP Threat Modeling (Dragon…)
– DREAD
– ….
https://
insights.sei.cmu.edu/blog/
threat-modeling-12-
available-methods/
 RISKS IN DESGIN

• Code Reuse

• Flaws vs Bug

– Flaw: inherent fault with the design of code

– Bug: Implementation fault

• Open vs Closed design

 CONTROLS EVALUATION

• Efficacy of Controls

• Economy of Mechanism

• Cost/Benefit Analysis

• Psychological Acceptability
 SUPPLEMENTAL SECURITY DEVICES/CONTROLS

• WAF

• DAM

• XML Gateway  support API,DLP, Antivirus/malware

• Firewalls

• API Gateway  access control, rate limiting, logging, metrics and

filtering
 APPLICATION SECURITY TESTING

• SAST (Static Application Security Testing): white-box test used to determine

structure and logic and detect coding errors without executing the code. Should
be done early in the lifecycle

• DAST (Dynamic Application Security Testing): is used with application in their

running state and is considered a black-box test

• RASP (Runtime Application Self Protection): enable application to protect

themselves by identifying and blocking attacks in real time.
• Remember:
– Always check guidance/SOPs/contracts before perform Penetration Testing.
– CSP does not like Penetration Testing without notice, and CSP can terminate or
ban contract/services
– Consideration about penetration testing and condition to perform this  you
should follow or use some customers who use and perform pentest on the
same platform
 Know something about ISO

• ISO does not make application more security, however, it helps to

integrated and inter-connect better
• Help to control and management about software (security),
evidence and reduce audit time (compliance…)
• ….(summary iso 27034:
https://www.johner-institute.com/articles/software-iec-62304/and-
more/iso-27034-on-application-security/
)
ISO 27034-1
ISO 27034-1
SUMMARY
(update)
Need to remember (in exam)
DOMAIN 5 – OPERATIONS

Giảng viên:

www.netpro.com.vn
 DOMAIN 5: OPERATIONS

• Physical and Environment Control for the Data Center

• Logical Cloud Infrastructure

• Risk Assessments of Physical and Logical Infrastructure

 PHYSICAL AND ENVIRONMENT DESIGN

• In establishing a physical security function within a cloud

environment, the following must be considered:
– The security needs for the equipment and services being protected
– The human resources that are in place for physical security
– How legacy physical security efforts have been managed and staffed prior to
transition to cloud
– The financial resources available for these efforts
 PHYSICAL AND ENVIRONMENT DESIGN

• Physical security normally takes one of four forms in design and

implementation
• Environment design
• Mechanical, electronic and procedural controls
• Detection and response procedures
• Personnel identification, authentication and access control
 HUMAN RESOURCE CONTROL

• The purpose of the human resources physical control is to minimize

the risk of the personnel closest to the data disrupting operations
and compromising the cloud. Consider the following measures:
– Roles and responsibilities
– Background Agreements
– Employment Agreement
– Employment Termination
– Separation of Duties (SoD) / Job Rotation
– Mandatory Vacations
 PHYSICAL LOCATION OF THE CSP FACILITY

• Check if the location of the facility falls under any active seismic zone

and the risk thereof

• Facility should not be located in a geographic region which is prone to:

– Flooding, landslides or other natural disasters

– Political, ethnic, communal or social unrests

– Easy and quick accessibility of the facility’s location

 DOCUMENT REVIEW

• Physical & Environmental Security Policy

• User Account Termination Procedures
• Contingency Plan
• Incident Reporting & Response Plan
• Emergency Response Plan
• Facility Layout – emergency exits, positioning of CCTV cameras,
secure entry points
• File Exit Route Map & Fire Order Instructions
 DOCUMENT REVIEW

• Emergency Evacuation Plan & Procedures

• Crisis Communication Procedures

• Emergency Contact Numbers

• User Facility Access Review/Audit Records

• Security Awareness Training documentation, presentation,

handouts…
 DOCUMENT REVIEW (AUDIT)

• Security Awareness Attendance Records

• Succession Planning for key executives
• Technical Documents – electrical wiring diagrams, BMS, UPS…
• Maintenance Schedule of Electric, Generator & CCTV
• List of Authorized Personnel allowed entry inside facility
• Security Staff Profiles – bio & background
• Background check report of security Staff (must be performed at least once per
year)
• Annual maintenance contracts for key equipment & devices (focus on SLA for
equipment/device downtime & restoration)
 CSP ASSESSMENT

• Check whether all the documents are updated and current.

(Review) At least once per year + revision + sign-off
• Check available to employees and relevant partners

• Ref to ISO 27001 & ISO 27002

– Good framework (security controls)

– look evidence of resource allocation

– internal audit reports (if have) and external audit report

 PERIMETER SECURITY

• Ref to TIER-2, 3, 4

• Data Center – Administrative areas – Reception – Storage Area –

Locker Room – CCTV Command Center …

• Fire Exits – Parking Area – Generator Room – Fuel Storage

 SECURITY INFRA

• Secure Entry Points – Access control systems • Fire Exits (must not be locked) Panic Bars in fire
(proximity cards/biometric access) exits

• Access Control System linked with fire control • CCTV Cameras and DVR server (including
backup timelines)
panel for emergency release
• Door Closures and time-delay door
• Emergency auto-release buttons near all
access card readers alarms

• Motion-sensing alarms, thermal • Gas-based fire suppressants inside

tracking devices Data Centers

• Paper Shredders near printers
• Fire Safety Equipment – Wet Riser, Hydrants,
Hoses, Emergency Response Team Kit (ERT Kit)

• Smoke Detectors & Water • Two-way Radio devices (Walkie-talkie handsets)

for security staff
Sprinklers
• Duress Alarms underneath security
• Fire Extinguishers
desk and vantage (concealed) points
 SECURITY GUARDS

• (blank for discussion)

 SECURITY OPERATIONS (CLOUD)

• Discuss about guidance (standard) that applied to cloud security

(ISO 27017, ISO 27018)

• Remind and review all controls that need apply to cloud

• What role are you acting? (Customer or Partners or Audit…)

– What evidence do you want to check/observe?

–…
 SUMMARY

• Tier-* requires power backup in 12 hours, UPS’s batteries not included

• Data center: 64-81o F (~16-27o C)
• SaaS need to enable logging (enhance, maybe using command to
enable  Office 365)
• The contract penalty will be fined by Regulators
• Consents, Opt-in/Opt-out different
• Privacy is the most important
• Notify to relevant factors and follow the guidance
DOMAIN 6 – LEGAL, COMPLIANCE, RISK

Giảng viên:

www.netpro.com.vn
 NOTE

• This domain, only domain, you need to remember

• Know and familiar question and answer (because, compliance is very
complexity, and based on cultural – aware)
• Cloud operation are applied (at least):
– International law (internet act)
– Law of Country (your organization plant)
– Law of Countries and/or location that cloud (data center) operate
– Your customers (if have) live (GDPR, CCPA,…) and sometime agency (facebook ads
campaign can listed)
– ….(industry standard)
TERMS
TERMS
EVIDENCE (Forensic)
CLOUD FORENSIC
 CONFLICT INTEREST

• Between national vs national, country vs country and …group of

• GDPR vs CCPA vs Russia/China

• Asia (Japan, Singapore, Indo…)

• US & EU have the guidance to protect and transfer data

(personal/privacy)
 PROCESS If have a breach

• Always remember and action:

– Notice & confirm (incident)

– Follow incident response

• Notify to relevant parties (CSP, partners, suppliers …) and “customers”

• Check and follow the guidance/support of CSP (to investigate), prepare evidences (follow to
forensic steps)

– Fix and quick report (GDPR – 72 hours)

 RISK & OTHER COMPLIANCE

• ISO 31000 (Risk Management), NIST

• CSA Star Certificate
– Level 1: Self Assessment, Level 2: have independence Audit, Level 3:
Continuous
• SOX
• GLBA
• HIPPA
 SUMMARY

• Spoliation is the term used to describe the destruction of

potential evidence (intentionally or otherwise); in various

jurisdiction, it can be a crime or ground another lawsuits

• Civil  preponderance of evidence; base on %

chance/opportunity and will pay 100% cost (if lose)

 Summary

• Remember Privacy by-design principles  similar to GDPR

(implementation) and other Privacy in other countries.

• Remember:

– Standard  based on your organization want

– Regulatory / Law  enforce

• Finance can be transferred and accountability will be yours

 Discussion

• Legal team need action first to negotiate and/or support the

decision if any new regulatory/law enforce
• Compliance (in the cloud) is very complexity, need legal – risk
and business understand to exploit new opportunity
• Remind: check the process Incident notify, support in emergency,
DC-DC switch, BCP ….
DOMAIN X – PRACTICE & EXAM NOTE

Giảng viên:

www.netpro.com.vn
 (ISC)2 STYLE

• Questions
– Overall and sometime not in Official book
– Always have a little survey question (not mark) for detecting trending, evaluating
– Trick is the a part of question
• Not familiar word  easy to be wrong context
• Carefully to ‘NOT’ in the exam
• Choose the best answer in 4 options

– Technical experience is good and needs more thinking to be more

comprehensive
• Practices with question & answer
– Recheck with other options, explains and take your notes

– Need to commitment if take the exam, because …don’t wait CCSP become
CISSP
– Number of questions  1000 or less
• Almost the concept and not much to absorb

• A lot of changing & updating/adjusting will soon

• Join to group and/or some communities on social network

• Don’t trust Pass4Sure or similar but learn the style of question

and update new knowledge

• Always check and confident your-self when take the exam.

1