Cloud Service/Infrastructure Models

Cloud computing architecture depends on the CSP and can include various models. Public use services are provided by an external provider. Private use services are implemented internally in a cloud design. A hybrid architecture offers a combination of public and private cloud services to accomplish an organization's goals.

A CSP has several cloud models that can be broken into several basic designs that include infrastructure as a service, monitoring as a service, software as a service, and platform as a service. Each design is described here:

• Software as a Service Software as a service (SaaS) is designed to provide a complete packaged solution. The software is rented out to the user. The service is usually provided through some type of front end or web portal. While the end user is free to use the service from anywhere, the company pays a per-use fee. As an example, www.salesforce.com offers this type of service.
• Platform as a Service Platform as a service (PaaS) provides a platform for your use. Services provided by this model include all phases of the software development life cycle (SDLC) and can use application programming interfaces (APIs), website portals, or gateway software. These solutions tend to be proprietary, which can cause problems if the customer moves away from the provider's platform. An example of PaaS is the G Suite; see gsuite.google.com.
• Infrastructure as a Service Infrastructure as a service (IaaS) describes a cloud solution where you are buying infrastructure. You purchase virtual power to execute your software as needed. This is much like running a virtual server on your own equipment, except that you are now running a virtual server on a virtual disk. This model is similar to a utility company model, as you pay for what you use. An example of this model is Amazon Web Services; see aws.amazon.com.

In Figure 5.1 you see how these different tiers build upon one another.

Cloud Computing Providers and Hosting Options

A wide range of companies provide cloud computing services. Some well-known examples include Amazon, Citrix, Dropbox, Google, IBM, iCloud, Microsoft, Rackspace, and VMware. These providers offer a range of services that include the following:

• Public Clouds Available to the general public. An example would be Google Drive.
• Private Clouds Operated for a single company or entity. An example would be a company's private cloud storage of travel expenses.
• Hybrid Clouds A combination of a public and private cloud. An example would be a company's cloud storage of projects with varied access for internal employees and vendors.
• Community Clouds Shared between several organizations. An example would be cloud storage for a group of schools.
• Multitenancy Used to host a single software application that hosts multiple customers. An example would be a collaborative workspace for several project contributors.
• Single Tenancy Hosts a single software application designed to support one customer. An example would be a specialized HR application for one organization.

In Exercise 5.1 you will examine the benefits of cloud computing.

Benefits of Cloud Computing

On-demand, or elastic, cloud computing changes the way information and services are consumed and provided. Users can consume services at a rate that is set by their particular needs. Cloud computing offers several benefits, including the following:

• Reduces Cost Cloud technology saves procurement and maintenance of a company's own infrastructure and/or applications. Additionally, a cloud service is paid for as needed.
• Increases Storage

  Cloud providers have more storage capability that is elastic and has lower costs.

• Provides a High Degree of Automation Fewer employees are needed because local systems have been replaced with cloud-based solutions. The user does not need IT personnel to patch and update servers that have been outsourced to the cloud.
• Offers Flexibility Cloud computing offers much more flexibility than local-based solutions.
• Provides More Mobility One of the big marketing plugs is that users can access their data anywhere rather than having to remain at their desks.
• Allows the Company's IT Department to Shift Focus No hardware updates are required by the company—the cloud provider is now responsible. Companies are free to concentrate on innovation.

The benefits of cloud computing are many. One of the advantages of cloud computing is the ability to use someone else's storage. Another advantage is that when new resources are needed, the cloud can be leveraged, and the new resources may be implemented faster than if they were hosted locally at your company. With cloud computing, you pay as you go. Another benefit is the portability of the application. Users can access data from work, from home, or at client locations. There is also the ability of cloud computing to free up IT workers who may have been tied up performing updates, installing patches, or providing application support. The bottom line is that all of these reasons lead to reduced capital expense, which is what all companies are seeking.

When making decisions about selecting a cloud computing or software vendor, there are other considerations such as legal requirements, change management, employee churn, and configurations. Prior to looking at available vendors, it is best to define the organization's needs and what the application or platform would do for you. Many businesses have complex business processes and regulatory requirements. Key legal or compliance requirement questions for vendor assessment should include the following:

• Security
  • What type of encryption is being used?
  • How and where is information stored?
  • What measures are taken to prevent a data breach?
  • If you go out of business, what type of source code escrow or repository will you have access to?
• Infrastructure
  • Are there redundant backups in multiple locations?
  • What type of supply chain visibility do you have?
• Network
  • What type of systems are they using?
  • When are updates applied?
  • What type of tiered technical support do they offer?
  • Is support offered 24/7 or only during business hours?
• Data
  • Who controls the data in the event you no longer decide to use the vendor?
  • Who has access to the data?
  • What process is in place when an employee leaves the organization that your data is still safe?
  • Where is the data stored geographically?
• Incident management and disaster recovery services
  • What is the vendor's responsibility to notify you in the event of data breach or data loss?
  • Do they have a disaster recovery plan?
• Compliance requirements
  • What is done to protect confidential information?
  • Is data stored in compliance with regulations such as GDPR, HIPAA, PCI DSS, or SOX?

Security of On-Demand/Elastic Cloud Computing

Although cost and ease of use are two great benefits of cloud computing, there are significant security concerns when considering on-demand/elastic cloud computing. As a typical rule, the cloud service provider (CSP) is responsible for security of the cloud, while the client is responsible for security of their information while in the cloud. In Figure 5.2, you see the distribution of responsibility of security based on the layers of cloud computing mentioned earlier.

Cloud computing is a big change from the way IT services have been delivered and managed in the past. One of the advantages is the elasticity of the cloud, which provides the online illusion of an infinite supply of computing power. Cloud computing places assets outside the owner's security boundary. Historically, items inside the security perimeter were trusted, whereas items outside were not. With cloud computing, an organization is being forced to place their trust in the cloud provider. The cloud provider must develop sufficient controls to provide the same level of security that the organization would have had if the cloud were not used—or a greater level.

You must be aware of the security concerns of moving to a cloud-based service. The pressures are great to make these changes, but there is always a trade-off between security and usability.

Geographic Location

The cloud exists on hard drives on individual servers found in datacenters and server farms globally. CSPs might be based in one country and their servers anywhere else on the globe. Nothing is stored locally on a machine. Cloud data is accessible from any location from many devices, anytime you need it. Security is of utmost importance, so much so that some organizations have compliance requirements or company policy specifying that data be hosted in datacenters that their country has legal control over.

Infrastructure

The cloud shared responsibility and security model varies from vendor to vendor. The confusion about how a CSP operates, as well as terminology used to describe service offerings across a diverse landscape, can be difficult when implementing a secure infrastructure built of hardware, software, and APIs. Hardware and software components include servers, storage, networking, and virtualization, and accessing these can be done a multitude of ways including IaaS, SaaS, and PaaS, all described in more detail earlier in the chapter.

Compute

As a rule, the CSP is responsible for the security of the cloud, and the customer is responsible for security in the cloud. The CSP is responsible for the physical security of the cloud servers, global infrastructure, and the virtualization layer, and the customer, depending on the platform and model, is responsible for the rest, including networking controls, access management, and customer data.

In cloud computing, the generic term compute describes the concepts related to software computation including processing power, memory, networking, and storage. In the case of the AWS shared responsibility model, compute falls under the purview of the CSP.

Storage

Shared responsibility requires excellent communication and understanding between the customer and the provider, especially when it comes to data storage. Storage in the cloud is ultimately the responsibility of the customer across all cloud models. Best practices for secure cloud storage include confirming there are no publicly accessible storage areas, data is in a life-cycle management program and being kept for the right amount of time, and encryption with customer-managed keys and object versioning is being enforced.

Networking

Many people are using the cloud in some way and some may be unaware they are doing so, which can put them at risk. Cybersecurity professionals use the confidentiality/integrity/availability (CIA) triad in the implementation of security controls within a cloud network. To secure cloud services, the first step is to use the strongest encryption available. Another best practice is to review the user agreements and understand how the service protects your information. When signing up for a cloud provider, configure the privacy settings to limit how long the service keeps data and what kind of information is stored. Privacy settings should be reviewed periodically because the cloud may update agreements, leaving a gap in security controls. Guides like CIS Benchmarks or the AWS Well-Architected Framework can help build the networking framework for a secure implementation.

These are other questions that a security professional should ask when considering cloud-based solutions:

• Does the data fall under regulatory requirements? Different countries have different requirements and controls placed on access. For example, organizations operating in the United States, Canada, or the European Union (EU) have many regulatory requirements. Examples of these include ISO 27002, Safe Harbor, Information Technology Infrastructure Library (ITIL), and Control Objectives for Information and Related Technology (COBIT). The CASP+ is responsible for ensuring that the cloud provider can meet these requirements and is willing to undergo certification, accreditation, and review as needed. The vendor's geographic location can be extremely important to compliance.
• Who can access the data? Defense in depth is built on the concept that every security control is vulnerable. Cloud computing places much of the control in someone else's hands. One big area that is handed over to the cloud provider is access. Authentication and authorization are real concerns. Because the information or service now resides in the cloud, there is a much greater opportunity for access by outsiders. Insiders might pose an additional risk.

  Insiders, or those with access, have the means and opportunity to launch an attack and lack only a motive. Anyone considering using the cloud needs to look at who is managing their data and what types of security controls are applied to individuals who may have logical or physical access.

• Does the cloud provider use a data classification system? A CASP+ should know how the cloud provider classifies data. Classification of data can run the gamut from a fully deployed classification system with multiple levels to a simple system that separates sensitive and unclassified data. Consumers of cloud services should ask whether encryption is used and how one customer's data is separated from another customer's data. Is encryption being used for data in transit or just for data at rest? Consumers of cloud services will also want to know what kind of encryption is being used.
• What training does the cloud provider offer its employees? This is a rather important item in that people will always be the weakest link in security. Knowing how your provider trains their employees is an important item to review. Training helps employees know what the proper actions are and understand the security practices of the organization.

  Staff turnover is very high in the technology industry. Training done well can reduce the likelihood of turnover while increasing the performance of an IT employee. Supervision can also be a major factor in staff leaving an organization. Training senior staff on how to lead teams more effectively and manage conflict is extremely beneficial.

• What are the service level agreement (SLA) terms? The SLA serves as a contracted level of guaranteed service between the cloud provider and the customer. An SLA is a contract that provides a certain level of protection. For a fee, the vendor agrees to repair, replace, or provide service within a contracted period of time. An SLA is usually based on what the customer specifies as the minimum level of services that will be provided.
• Is there a right to audit? This particular item is no small matter in that the cloud provider should agree in writing to the terms of audit. Where and how is your data stored? What controls are used? Do you have the right to perform a site visit or review records related to access control or storage?
• Does the cloud provider have long-term viability? Regardless of what service or application is being migrated to a cloud provider, you need to have confidence in the provider's long-term viability. There are costs not only to provision services but also for deprovisioning should the service no longer be available. If they were to go out of business, what would happen to your data? How long has the cloud provider been in business, and what is their track record? Will your data be returned if the company fails and, if so, in what format?
• Could we experience vendor lock-in or lock-out? Vendor lock-in can be difficult to plan for. Vendor lock-in happens when consumers become so integrated with a specific vendor or single cloud provider that they cannot easily move to another vendor without spending huge amounts of money, getting attorneys involved, or technical incompatibility; then the organization is at the mercy of the cloud provider. A related problem is vendor lock-out, when a consumer wants to leave a vendor but will have trouble transferring their data, services, and files. (In daily practice, you'll see that a lot of people use the terms vendor lock-in and vendor lock-out interchangeably.) The best way to avoid vendor lock-in and vendor lock-out is to understand the complex dependencies and commonalities of your technology stack as well as making apps portable, ensuring portability once migrated, and, as always, doing your due diligence.
• How will the cloud provider respond if there is a security breach?

  Cloud-based services are an attractive target to computer criminals. If a security incident occurs, what support will you receive from the cloud provider? To reduce the amount of damage that these individuals can cause, cloud providers need to have incident response and handling policies in place. These policies should dictate how the organization handles various types of incidents. Cloud providers must have a computer security incident response team (CSIRT) that is tied into customer notification policies for law enforcement involvement.

• What is the disaster recovery and business continuity plan (DR/BCP)? Although you may not know the physical location of your services, they are physically located somewhere. All physical locations face threats, such as fire, storms, natural disasters, and loss of power. In the case of any of these events, the CASP+ will need to know how the cloud provider responds and what guarantee of continued services they are promising. There is also the issue of retired, replaced, or damaged equipment. Items such as hard drives need to be decommissioned properly. Should sensitive data be held on discarded hard drives, data remanence is a real issue. Data remanence is the remaining data, or remnants, that remain on the media after formatting or drive wiping. The only way to ensure there are no data remnants is through physical destruction of the media.

  Cloud outages are not uncommon occurrences, and when they hit, they hit hard. In November 2021, Google Cloud, Snapchat, and Spotify experienced an outage for about an hour. More than 50,000 users reported the outage on downdetector.com. Many companies were affected, from Pokémon GO to Home Depot. In Figure 5.3, you see the Google Dashboard reporting the outage.

In Exercise 5.2, you will examine some common risks and issues associated with cloud computing as they would affect your organization.

Managing and Mitigating Risk

Companies must be aware of current and emerging threats and security trends to be able to adapt quickly. An example is the rise of advanced persistent threats (APTs). It is so important to remind users not to click unknown or suspicious links, even if they appear to be from someone they trust on a social networking site.

The need for proper controls is more critical when involving critical devices and technical configuration. Industrial control systems (ICSs) include Supervisory Control and Data Acquisition (SCADA), such as a system for managing a water or gas pipeline. When malware affects industrial control systems, it's conceivable that it could have disastrous consequences. If not causing imminent danger or widespread interruption to a community, ICS outages could at least produce costly results. Recall that the ICS malware Stuxnet targeted Iranian nuclear centrifuges. Their outage included permanent self-destruction of the industrial machinery.

A large number of emerging threats are driven by people out for financial gain, hacktivists, and nation-state hackers. Some believe that out of these three categories, the nation-state hackers are the most serious threat, both to corporations and to governments. To deal with emerging threats, companies should be prepared with a plan that lays out the key steps and resources to deploy immediately when a breach is detected.

Although many companies state financial issues as one of the items that are preventing better controls in dealing with security issues, the real question is when the company would prefer to spend the funds. Having a team come in after the security breach to fix the problem and figure out what occurred can be very costly. Implementing preventive controls before the event is more cost effective.

There is also the issue that money isn't always the solution. A big part of the solution in dealing with emerging threats is training and education. IT security policies need to be created, and employees must be educated on the value of the company's assets and how to protect them. At a minimum, the security awareness and training program should be documented in the enterprise-level policy and should include the following:

• Definition of security roles and responsibilities
• Development of program strategy and a program plan
• Implementation of the program plan
• Maintenance of the security awareness and training program

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers worldwide.

If your organization accepts credit cards, debit cards, or any other type of electronic payment, you connect to a multifaceted and complicated structure of networks, banking, and credit card institutions. In this digital age when many attackers are looking to monetize their processes, fraud must be defended against, and every organization connecting to this structure must meet a minimum set of standards to protect this sensitive financial data. This is the PCI DSS. Companies that process and handle any amount of credit card information must implement specific controls including policies, procedures, network architecture, and software design to protect cardholder data. Failure to meet PCI DSS compliance mandates can suffer negative impact including fees, fines, and lost business.

Visa and MasterCard between 1988 and 1998 lost more than $750 million due to credit card fraud. PCI was established in 2004 with PCI DSS version 1.0 Security Architecture with a basic yet comprehensive list of security controls for merchants accepting credit cards. PCI DSS outlines best practices for companies handling payment card information and was developed collectively by American Express, Discover Financial Services, JDB International, MasterCard, and Visa. These best practices are used to improve security and outline the policies used to safeguard security systems that carry sensitive cardholder information. The most current version of PCI DSS is version 3.2.1, released May 31, 2018. PCI DSS standards are based on 12 requirements that involve network security and internal controls:

• Installing/maintaining a firewall configuration for networks and systems
• Avoiding using vendor-supplied defaults for passwords and other security procedures
• Protecting cardholder data during storage
• Using encryption during cardholder data transmissions in open and public networks
• Using and updating antivirus software
• Developing and maintaining secure network systems and applications
• Restricting user access to cardholder data
• Creating a unique ID for users who need to access cardholder data
• Restricting any physical access to cardholder information
• Tracking and monitoring all access to network systems and data
• Testing security processes and systems
• Maintaining information security policies

PCI DSS helps sellers to protect their vital cardholder data that contains personally identifiable information (PII). PII is any data that could potentially identify a specific individual. TechTarget defines PII as “any data about an individual that could potentially identify that person, such as a name, fingerprints or other biometric data, email address, street address, telephone number or social security number.”

Protecting PII is essential for personal and data privacy as well as data and information security. Information that can uniquely identify someone as an individual, separate from everyone else, is PII and includes the following:

• Name
• Address
• Email
• Telephone number
• Date of birth
• Passport number
• Fingerprint
• Driver's license number
• Credit or debit card number
• Social Security number

Unfortunately, some companies have the preconceived notion that security controls will reduce the efficiency or speed of business processes. According to securitymagazine.com, the number of data breaches through September 30, 2021, has exceeded the total number of events in 2020 by 17 percent, with 1,291 breaches in 2021 compared to 1,108 breaches in 2020. These breaches affected millions of Americans. These companies did not have sufficient controls in place to protect personally identifiable information.

Your job as a security professional is to work with managers to help them see the importance of strong security controls. Good security practices are something that most managers or users do not instinctively know. They require education. A key component of the process is training and awareness for users. Part of the educational process is increasing the awareness of the costs involved if sensitive information is lost.

Here are some general privacy principles for PII:

• The PII data will be collected fairly and lawfully.
• The PII data will be used only for the purposes for which it was collected.
• The PII data will be kept secure while in storage and in transit.
• The PII data will be held only for a reasonable time.

Two areas of protection that a company's policy must address are protecting credit card data while it is at rest and while it is in transit. If your company deals with credit cards, PCI standards dictate that the stored cardholder data must be rendered unreadable or encrypted to protect customer privacy. To meet this requirement, your company must implement security controls that provide for encryption methods while the credit card data is being stored and while the credit card data moves across open, public networks. Companies that must comply with PCI standards state that documentation is one of the most tedious aspects of attaining and maintaining PCI compliance and is one area that typically needs more work.

A big component of providing the proper protection for PII is to make sure that there is a way to track privacy policy violations and measure their impact. One way to measure the impact is to verify that company policy has been based on a privacy impact assessment (PIA). A PIA should determine the risks and effects of collecting, maintaining, and distributing PII in electronic-based systems. The PIA should be used to evaluate privacy risks and ensure that appropriate privacy controls exist. Existing controls should be examined to verify that accountability is present and that compliance is built in every time new projects or processes are scheduled to come online.

You can read more about PCI DSS and the best practices surrounding payment card information at www.pcicomplianceguide.org/category/best-practices.

GDPR

Sweeping data privacy laws like the General Data Protection Regulation (GDPR) implement strict security and privacy requirements for the personal information of European Union (EU) residents worldwide. GDPR significantly restricts how certain types of information may be stored and used by organizations and will be used to enforce these regulations with stiff fines and penalties. This 88-page regulation was put into effect on May 25, 2018. The GDPR will levy punitive penalties against those who breach its privacy and security standards, with fines reaching into the tens of millions of euros.

The GDPR defines an array of legal terms at length. Here are some of the most important ones:

• Personal data: Personal data is any information that relates to an individual who can be directly or indirectly identified (PII). Pseudonymous data can also fall under the definition if it's easy to ID someone from it.
• Data processing: Any action performed on data, whether automated or manual. The examples cited on gdpr.eu include collecting, recording, organizing, structuring, storing, using, and erasing.
• Data subject: The person whose data is processed. These are customers or site visitors.
• Data controller: The person who decides why and how personal data will be processed. If you're an owner or employee in your organization who handles data, this is you.
• Data processor: A third party that processes personal data on behalf of a data controller.
• Data classification: Identifying the types of data that an organization stores and processes and the sensitivity of that data, based on a set of rules. Data will fall into four categories:
  • Public
  • Internal Only
  • Confidential
  • Restricted

Here is a rundown of data subjects’ privacy rights:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision-making and profiling

With various countries imposing so many different requirements, organizations face a regulatory patchwork of inconsistent, unclear, and often contradictory demands. The implications for multinational companies are substantial: threats of regulatory action, disruptions to established business processes, and requirements to tighten controls for handling and processing information that crosses national boundaries. The overturning of the Safe Harbor agreement, governing how data is moved between EU countries and the United States, forced many companies to reexamine their own legal and policy frameworks for protecting personally identifiable data.

To address the challenges emerging from new and pending data privacy regulations, business and technology leaders need to work collectively with their compliance, legal, and technology teams to understand the impact regulations have on their businesses.

Data sovereignty is the concept that information that has been converted and stored in binary digital form is subject to the laws of the country in which it is located. With data theft and breaches dramatically on the rise, national governments around the globe are strengthening laws to protect their citizens’ data, preserve national security, and, in some cases, protect local business interests.

Data sovereignty is different from data ownership. Data ownership is both the possession of the data and responsibility for the information. According to GDPR, data ownership refers to the explicit assignment of responsibility to every data element. A data owner can be a team or individual who has the right to access and edit the data and decide how it is used. Data ownership is important because it creates accountability. A data owner has a vested interest in the protection and integrity of their data and will create policies to ensure they are GDPR compliant. The data steward's role essentially is to support the user community. This individual is responsible for collecting, collating, and evaluating issues and problems with data. Typically, data stewards are assigned either based on subject areas or within line-of-business responsibilities. The main difference between a data owner and a data steward is that the latter is responsible for the quality of a defined dataset on day-to-day basis.

As regulations are drafted in a particular nation or region, even when they affect data and users around the globe, the question of jurisdictions is debated. Companies seek to minimize how a regulation affects their infrastructure and users. There is ongoing debate, but it seems that most data privacy regulation is tilted toward the user's benefit.

One side effect of GDPR is the resulting impact on cloud computing. Under GDPR, a company is considered the data controller and is responsible for keeping all the data safe, regardless of where that data is being stored. Key steps to take for geographical decisions regarding compliance in the cloud are strict privacy policies, terms of use, server location, security features, encryption, and legal guarantees for data protection.

ISO

The International Organization for Standardization (ISO) describes itself as “a network of the national standards institutes of 162 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system that forms a bridge between the public and private sectors.”

An important ISO document for cybersecurity that is definitely worth reviewing is ISO 27002. This standard is considered a code of best practice for information security management. It grew out of ISO 17799 and British Standard 7799. ISO 27002 is considered a management guideline, not a technical document. You can learn more at www.27000.org/iso-27002.htm. ISO 27002 provides best-practice recommendations on information security management for use by those responsible for leading, planning, implementing, or maintaining security. The ISO 27017 was created to include additional security controls for cloud computing.

The latest ISO 27002:2022 contains 93 controls; 11 are new, 24 have merged, and 58 are updated for guidance. The standard contains 14 control domains spread across four categories including organizational, physical, technological, and people. The 11 new controls are as follows:

• Threat intelligence: Understanding attackers and their methods in the context of your IT landscape
• Information security for the use of cloud services: Considering the introduction through operation to exit strategy regarding cloud initiatives
• ICT readiness for business continuity: Deriving the requirements for the IT landscape from the overall business processes and the ability to recover operational capabilities
• Physical security monitoring: Using alarm and monitoring systems to prevent unauthorized physical access
• Configuration management: Hardening and secure configuration of IT systems
• Information deletion: Compliance with external requirements, such as data protection deletion concepts
• Data masking: Using techniques that mask data, such as anonymization and pseudonymization, to bolster your data protection
• Data leakage prevention: Taking steps to help prevent sensitive data from being leaked
• Monitoring activities: Monitoring network security and application behavior to detect any network anomalies
• Web filtering: Helping prevent users from viewing specific URLs containing malicious code
• Secure coding: Using tools, commenting, tracking changes, and avoiding insecure programming methods to ensure secure coding

Another ISO document for cybersecurity professionals to be acquainted with is the ISO 15408, which was finalized after years of drafts and was initially published in 1997. It is currently in version 3.1, and it is more widely known as the Common Criteria. The purpose of the Common Criteria is to provide a common structure and language for expressing product and system IT security requirements. It's a way for vendors to describe what their products are capable of and for buyers to test such products to be sure they meet specific requirements. The Common Criteria provides assurance that the process of specification, implementation, and evaluation of a computer security product has been conducted in a rigorous and standard manner. As such, the Common Criteria can be used on a worldwide basis and is meaningful to a much larger audience.

CMMI

The Capability Maturity Model Integration (CMMI) was created by the Software Engineering Institute at Carnegie Mellon University as a method improvement tool for projects, divisions, or organizations. The DoD and U.S. government helped build the CMMI, which is a common requirement for DoD and U.S. government software development contracts. The CMMI is presently administered by the CMMI Institute, which was acquired by the ISACA in 2016. CMMI is a process and behavioral model that helps groups reorganize or restructure processes for improvement that decrease risk in software, product, and service development.

The CMMI model breaks down organizational maturity into five levels. While CMMI has its beginnings in software engineering, it has been generalized to incorporate other areas. There are three areas, all of which use the same five-level model:

• Product and Service Development: CMMI for Development (CMMI-DEV)
• Service Establishment and Management: CMMI for Services (CMMI-SVC)
• Product and Service Acquisition: CMMI for Acquisition (CMMI-ACQ)

For cybersecurity businesses that use CMMI, the aim is to raise the organization up to level 5, the “optimizing” maturity level. In Figure 5.4, you see the difference between the levels of CMMI from level 1 to level 5.

NIST

The National Institute for Standards and Technology (NIST) is responsible for developing cybersecurity standards across the U.S. federal government. The guidance and standard documents it produces often have wide applicability across the private sector and are commonly referred to by nongovernmental security analysts because they are available in the public domain.

In 2018, NIST released version 1.1 of a Cybersecurity Framework (CSF) (www.nist.gov/cyberframework), which provides a common language and systematic methodology for managing risk. The following are the five functions acting as the backbone in the core framework:

• Identify: Helps in developing an understanding of cybersecurity risks to people, systems, data, and assets
• Protect: Outlines the proper safeguards to make sure critical infrastructure is secure
• Detect: Defines how to identify a cybersecurity event
• Respond: Defines what action to take if a cybersecurity event occurs
• Recover: Identifies the plans necessary for resilience and restoration of services impaired due to a cybersecurity event

NIST also releases special publications for cybersecurity guidance such as the 800-100, which is the Information Security Handbook: A Guide for Managers, and 800-53, which is the Security and Privacy Controls for Information Systems and Organizations. NIST works closely with the Information Technology Laboratory (ITL) to promote the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of non-national, security-related information in federal information systems. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in information system security and its collaborative activities with industry, government, and academic organizations.

COPPA

Children today spend more time online than ever before. From virtual school to online games, children spend hours on the Internet and deserve protection so that they may learn and play safely. The Children's Online Privacy Protection Rule (COPPA) was passed in the Congress of the United States in 1998. The rule summary from the Federal Trade Commission, which can be found at ftc.gov, states that COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

Operators governed by COPPA must do the following:

• Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children.
• Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children.
• Give parents the choice of consenting to the operator's collection and internal use of a child's information but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents).
• Provide parents access to their child's personal information to review and/or have the information deleted.
• Give parents the opportunity to prevent further use or online collection of a child's personal information.
• Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security.
• Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access.
• Not condition a child's participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.

COPPA was implemented to protect children online, and fines for failing to comply with the law were recently increased to up to $43,280 per privacy violation per child. The FTC announced in September 2019 that Google and its subsidiary YouTube would pay a $170 million fine to settle the FTC's allegations that YouTube collected children's personal information without parental consent. YouTube collected information from children on pages specifically directed toward children, such as videos about children's toys and nursery rhymes.

CSA-STAR

The cybersecurity community offers many reference documents to help organizations come to a common understanding of the cloud and cloud security issues. The Cloud Security Alliance (CSA) is an industry organization focused on developing and promoting best practices in cloud security. It developed the Cloud Controls Matrix (CCM) as a reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory standards. The CCM is a lengthy Excel spreadsheet, available for download from cloudsecurityalliance.org.

The Security, Trust, Assurance, and Risk (STAR) incorporates the fundamental principles of transparency, auditing, and coordination of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show customers their security and compliance posture, including the regulations, standards, and frameworks they follow. In Figure 5.5, you see the STAR levels outlined in the CCM.

HIPAA, SOX, and GLBA

You should also be familiar with several other compliance, regulatory frameworks, or standards that relate to privacy and the security of health, financial, PII, and other data, including HIPAA, SOX, and GLBA.

The Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect healthcare providers, health insurers, and health information clearinghouses in the United States. HIPAA was signed into law in 1996. It has two parts: Title I of the HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II requires the U.S. Department of Health and Human Services (DHHS) to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers.

Under HIPAA, the United States was required to publish a set of rules regarding privacy. The Privacy Rule dictates controls that organizations must put in place to protect personal information. The privacy rule defines three major purposes:

• “To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information.”
• “To improve the quality of health care in the United States by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care.”
• “To improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.”

The Sarbanes-Oxley (SOX) Act applies to the financial records of U.S. publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records. The SOX Act was signed into law in 2002. This act mandated a number of reforms to enhance corporate responsibility and financial disclosures and combat corporate and accounting fraud.

Sections 302 and 404 are the two sections that address IT infrastructures and information security.

• Section 302 requires the CEO and CFO to certify personally that the organization has the proper internal controls. It also mandates that the CEO and CFO report on the effectiveness of internal controls around financial reporting.
• Section 404 sets requirements on areas of the management's structure, control objectives, and control procedures. Staying compliant with Section 404 requires companies to establish an infrastructure that is designed to archive records and data and protect it from destruction, loss, unauthorized alteration, or other misuse. It requires that a set of comprehensive controls be put in place and holds CEOs and CFOs accountable.

Gramm-Leach-Bliley Act (GLBA) covers U.S. financial institutions, broadly defined. It requires that those institutions have a formal security program and designate an individual as having overall responsibility for that program. GLBA was signed into law in 1999 and resulted in the most sweeping overhaul of financial services regulation in the United States.

GLBA Title V addresses financial institution privacy with two subtitles. Subtitle A requires financial institutions to make certain disclosures about their privacy policies and to give individuals an opt-out capability. Subtitle B criminalizes pretexting, which can be described as the practice of obtaining personal information under false pretenses. In these situations, people misrepresent themselves to collect personal information.

Under GLBA, financial institutions are required to protect the confidentiality of individual privacy information. As specified in GLBA, financial institutions are required to develop, implement, and maintain a comprehensive information security program with appropriate administrative, technical, and physical safeguards. The controls specified in the information security program must include the following items:

• The assignment of a designated program manager for the organization's information security program
• A periodic risk and vulnerability assessment and audit
• A program of regular testing and monitoring
• The development of policies and procedures for control of sensitive information and PII

Remember that this is only a brief listing of security regulations. There are many other laws and obligations that apply to specific industries and data types. You should always consult your organization's legal counsel and subject matter experts when designing a compliance strategy for your organization. You'll need to understand the various national, territorial, and state laws that apply to your operations, and the advice of a well-versed attorney is crucial when interpreting and applying cybersecurity regulations to your specific business and technical environment.

1. An external audit is a formal process involving an accredited third party. It can be expensive and time intensive. What is a key to a component having an external audit?
   1. An internal agent and a security framework
   2. An independent authority against a recognized standard
   3. A global internal assessment with gap analysis
   4. A validated outcome and scheduled future audits
2. Your organization decided to outsource systems that are not mission critical. You have been tasked to calculate the risk of outsourcing these systems because a recent key risk indicator review shows that core business functions are dependent on these outsourced systems. What is the best tool to use?
   1. Gap analysis
   2. Annual loss expectancy
   3. Total cost of ownership
   4. Business impact analysis
3. You need an agreement that lets your business implement a comprehensive risk allocation strategy and provides indemnification, the method that holds one party harmless against existing or future losses. What contract should you negotiate?
   1. Master service agreement
   2. Business impact agreement
   3. Interconnection security agreement
   4. Memorandum of understanding
4. You are a financial provider accessing a cloud-based server where your collaboration tool resides. What is the most important question you need to ask the vendor/host of this cloud-based server?
   1. Is this server PCI-DSS compliant?
   2. Is this server SCADA compliant?
   3. What is your SLA if the server goes down?
   4. What is the TCO of this software?
5. A data user reached out to the data steward to request permission to give access to sensitive information to a third-party marketing agency. The third-party vendor has been vetted by security to make sure they are trusted and viable. Who should be contacted next before access is granted?
   1. Data owner
   2. CEO
   3. Board of directors
   4. Marketing VP
6. Your organization's security policy specifies a length of time to keep data, after which the data must be destroyed to help mitigate the risk of that data being compromised. This type of policy helps reduce legal liability if the data becomes unrecoverable. What type of policy is this?
   1. Data protection
   2. Data remanence
   3. Data retention
   4. Data destruction
7. You are a service provider responsible for ensuring that an audit for PCI DSS occurs and that the correct documentation is completed by the relevant parties. This is part of the assessment you provide. What is this process called?
   1. Service provider request
   2. Attestation of compliance
   3. Payment request
   4. Security standards council
8. Your global software organization is required to conduct a BIA for any new company acquisition. Your organization has acquired a new software startup. Your organization and the startup outsource the LMS and CMS for education to noncompatible third parties. What are you most concerned about?
   1. Data sovereignty
   2. Encryption
   3. Data migration
   4. Disaster recovery
9. You must identify a person who will have the administrative control of and be accountable for a specific set of information and dataset. It could be the most senior person in a department. What is their role?
   1. Cloud engineer
   2. Data user
   3. Data owner
   4. Chief financial officer
10. You researched and conferred with your legal department as to what your data retention policy should be. Which of the following compliances places restrictions on data retention?
    1. GLBA
    2. HIPAA
    3. SOX
    4. All of the above
11. Your company holds large amounts of company data in electronic databases as well as personally identifiable information (PII) of customers and employees. What do you do to ensure that implemented controls provide the right amount of protection?
    1. Best practices
    2. Forensics
    3. Due diligence
    4. Auditing
12. Your HR recruiter, Jane, is having problems finding skilled applicants for a role that you have open for an IT security manager. Your division has discussed moving operation solutions to a third party that will manage and sustain processes. Which of the following deployment solutions is this most likely to be?
    1. Cloud
    2. Hosted
    3. On-premises
    4. Automated
13. Your financial company hires a third party to provide cloud-based processing that will have several different types of virtual hosts configured for different purposes, like multiple Linux Apache web server farms for different divisions. Which of the following best describes this service?
    1. SaaS
    2. PaaS
    3. IaaS
    4. AaaS
14. Alonzo is a security architect, and he has decided to build multiple virtual hosts with different security requirements. Numerous virtual hosts will be used for storage, while others will be used as databases. What should he do with these hosts?
    1. Encrypt all hosts with AES
    2. Store each host on a separate physical asset
    3. Move these virtual hosts to the cloud for elasticity
    4. Verify that each server has a valid certificate
15. Craig is a project manager with a software company. His organization needs to be able to use a third party's development tools to deploy specific cloud-based applications. Platform as a service (PaaS) is the choice that has been approved to launch these cloud services. Which of the following is not a true statement?
    1. PaaS can use API to develop and deploy specific cloud-based services.
    2. Cloud storage is a term used to describe the use of a third-party vendor's virtual file system as a document or repository.
    3. You can purchase the resources you need from a cloud service provider on a pay-as-you-go basis.
    4. With PaaS, you must buy and manage software licenses.
16. Asher has a newly formed IT team that is investigating cloud computing models. He would like to use a cloud computing model that is subscription based for general services, and the vendor oversees developing and managing as well as maintaining the pool of computer assets shared between various tenants across the network. The best choice for this situation would be which of the following?
    1. Public
    2. Private
    3. Agnostic
    4. Hybrid
17. Shanyn works for a governmental agency. Her organization has opted into a public cloud solution for all of the business customers' testing environments. Which one of these is not a disadvantage?
    1. TCO can rise exponentially for large-scale use.
    2. Not the best solution for security and availability for mission-critical data.
    3. Low visibility and control of the environment and infrastructure, which might lead to compliance issues.
    4. Reduced complexity and requirement of IT experts as the vendor manages the environment.
18. The objectives and key results (OKR) being measured by management for this quarter are to realize benefits of multitenancy cloud architecture. Which one of these results would not be applicable to a multitenancy cloud service?
    1. Financial
    2. Usage
    3. Vulnerabilities
    4. Onboarding
19. Yaniv is a cloud security consultant working with a large supply chain management firm that is advocating applying the highest level of protection across all cloud assets. His manager has suggested this is not what the priority should be. What would be a more strategic priority?
    1. Determine what to protect through data discovery and classification.
    2. Run an anti-malware software on all cloud instances daily.
    3. Use vulnerability scanning software only on mission-critical servers.
    4. Implement threat mitigation strategies on IoT devices.
20. While running IaaS environments, you retain the responsibility for the security of all operating systems, applications, and network traffic. Which of these would not be advantageous to deploy to protect this cloud environment?
    1. Anti-malware should be installed.
    2. Application whitelisting should be used.
    3. Memory exploit prevention for single-purpose workloads.
    4. Negotiate an SLA that spells out the details of the data the provider will share in case of an incident.