
Certified Cloud Security Professional (CCSP)

Cloud Platform and Infrastructure Security

Vijay Luiz, CCSP, CISSP


Cybersecurity Consultant, PwC
About Me

Newly minted CCSP


Volunteers on-and-off with (ISC)2
Works at PwC HK as cybersecurity consultant

Presentation Rules

Feel free to ask questions.


Slides will not be distributed.

PwC's Cloud Capabilities at a Glance

Diverse team
o Cloud practitioners across our global network, across industry segments
o Cloud Tax, Assurance, and Risk & Regulatory services in addition to our Advisory capabilities

Key strategic partnerships
o Cloud providers (e.g. GCP, Azure, AWS)
o Cloud management Vendors (e.g. Cloud Genera)
o Services partners (e.g. CTP, CSC)

Key capabilities
o Capabilities to deliver strategy (e.g. cloud strategy design) through execution (e.g. cloud security solution implementation) through the lifecycle of a cloud adoption journey
o A Cloud innovation lab that is geared towards advancing knowledge, leading practices, and insights (e.g. Blockchain)
o Our proven High Velocity IT (HVIT) framework to enable DevOps across Development teams

Industry recognition
o ALM Intelligence Vanguard of Cloud Consulting Providers, ALM, 2016
o Global Leader in Cloud Professional Services, IDC, 2016
o Digital Transformation Leader, IDC, 2015
o Partner in Innovation Award, SFDC
o Worldwide leader in Enterprise Architecture consulting, IDC
o Leader in Business Technology transformation, Forrester
o Cloud Partner of the year, HPE

PwC's Cloud Security Offerings

1. Strategy, Governance & Management
o Cloud Security Strategy
o Sponsorship & Org Development / Re-alignment
o Training & Awareness
o Security Metrics & SLA Monitoring

2. Security Architecture & Services
o Common Cloud Security Reference Architecture
o Infrastructure Virtualization & SaaS
o Application Security
o Encryption & Key Management
o Mobile Security
o Secure API Management, Secure Development Lifecycle, DevSecOps

3. Threat, Intelligence & Vulnerability Management
o Logging & Audit
o Vulnerability Identification & Remediation
o Event Correlation & Monitoring for Cloud (including cloud to cloud

4. Identity & Access Management
o Cloud Identity Integrated Lifecycle Management (Registration, Provisioning, Deprovisioning)
o Cloud Access Management (SSO, Federation, Multi Factor Auth)
o Secure Gateway (API security, XML based Firewall protection)
o Privileged Access Management
o Identity Audit and Review

5. Information & Privacy Protection
o Asset Inventory (Business, Systems and Applications)
o Sensitive Data Ownership & Classification (Data flows & Contextual Attributes)
o Data Detection, Loss Prevention and Digital Rights Management for Cloud
o Privacy and jurisdictional review and requirements for data transfer and access

6. Incident & Crisis Management
o Configuration & Change Management
o Cloud Forensics
o Security Incident Response
o Provider / Consumer Continuity and Recovery
o Security Audit Logging & Monitoring & Predictive Analytics

7. Risk & Compliance Management
o Cloud Risk Assessments
o Business & IT Cloud Security Policies, Standards & Guidelines
o Regulatory compliance for cloud (PCI, ISO, HIPAA, SOX, GLBA, etc.)
o Cloud Vendor Risk Assessment & Management (Supply Chain)
o Cloud Security Sourcing & Contract Management

8. Emerging Trends & Innovation
o Emerging protocols and standards
o Cloud to cloud integration security
o Internet of Things (IoT)

Agenda

Introduction to CCSP
Moving to the cloud
Domain overview: Cloud platform and infrastructure security
Q&A

Introduction to CCSP
Role of the CCSP
The CCSP credential denotes professionals with deep-seated knowledge
and competency derived from hands-on experience with information
security and cloud computing. CCSPs help you achieve the highest
standard for cloud security expertise and enable your organization to
benefit from the power of cloud computing while keeping sensitive data
secure.

CCSP Domains

Domain 1: Architectural Concepts & Design Requirements

Domain 2: Cloud Data Security

Domain 3: Cloud Platform and Infrastructure Security

Domain 4: Cloud Application Security

Domain 5: Operations

Domain 6: Legal and Compliance


Becoming a CCSP

Pass the exam


Obtain the required experience
o 5 years full-time relevant work experience
o CCSK holders can substitute one year
o CISSP holders do not need to prove experience
o If experience is inadequate: Associate of (ISC)2 title
Get endorsed by an (ISC)2-certified professional

The CCSP Exam
Computer based testing
125 questions covering the 6 CCSP CBK domains
Four-hour exam (multiple choice)
Passing grade required is a scaled score of 700 out of a possible 1,000 points
For additional information and to register for the exam, go to www.ISC2.org/CBT

Training Tips

Flashcards
Practice exams

Moving to the cloud
Why Move to Cloud?

ROI
[Diagram: Return on Investment (ROI) Model and Example Cloud Computing KPIs (Key Performance Indicators), grouped by Time, Cost, Quality and Margin]

Cloud Computing Adoption Lifecycle
1. Cloud Proof of Concept/Pilot Project Stage
2. Cloud Strategy and Roadmap Adoption
3. Cloud Modeling and Architecture Adoption
4. Cloud Implementation Planning
5. Cloud Implementation
6. Cloud Expansion
7. Cloud Integration and Interoperability
8. Cloud Collaboration
9. Cloud Steady State

Cloud Computing Transitions
Domain                          Transition From              Transition To
Security framework              Infrastructure-centric       Data-centric
Application development         Tightly coupled              Loosely coupled
Data                            Mostly unstructured          Mostly structured
Business processes              Mostly serial                Mostly parallel
Security controls               Enterprise responsibility    Shared responsibility
Economic model                  Mostly CAPEX                 Mostly OPEX
Infrastructure                  Mostly physical              Mostly virtual
IT operations                   Mostly manual                Mostly automated
Technology operational scope    Local/regional               International/global

Cloud Platform and Infrastructure Security
Domain 3
Cloud Infrastructure

Cloud infrastructure consists of data centers and the hardware that runs in them.

Compute Nodes
Storage and Networking Hardware
Virtualization Software
Management Layer

Data Center Design

Network Functionality

Functionality in the network includes:


Address allocation
Access control
Bandwidth allocation
Rate limiting
Filtering
Routing

Software-Defined Networking (SDN)

A broad and developing concept addressing the management of the various network components.
Provides a control plane to manage network traffic on a more abstract level than through direct management of network components.

Compute

The dominant performance parameters of a cloud server are made up of:
The number of CPUs
The amount of RAM

Virtualization

Key technology that enables sharing of compute infrastructure.
Hypervisor: A software component that provides a layer of
abstraction between:
o Physical hardware
o Peripherals
o Guest operating system

Key Drivers for Virtualization

Sharing underlying resources to enable more economical use of hardware
Easier management through reduced personnel resourcing and maintenance

Scalability

With virtualization, there is the ability to run multiple operating systems (guests) and their associated applications on a single host.
The guest is an isolated software instance that is capable of running side by side with other guests on the host.

The Hypervisor
Question! Difference between type 1 & type 2

A hypervisor can be a piece of software, firmware, or hardware that gives the impression to the guest operating systems that they are operating directly on the physical hardware of the host.

Type 1 Hypervisor
o Bare-metal, embedded, or native
o Works directly on the hardware of the host and can monitor OSs that run above the hypervisor.
o Shares and manages hardware resources between guest OSs.

Type 2 Hypervisor
o Software installed on the host OS; supports guest OSs running on it as VMs
o Dependent on the host OS for its operations

Risks and Challenges

Security flaws in the hypervisor can lead to malicious software.
A flawed hypervisor could facilitate inter-VM attacks (aka VM hopping) when isolation between VMs is not perfect.
Network traffic between VMs is not necessarily visible to physical network security controls.
Resource availability to VMs.
Virtual machines and their disk images are simply files somewhere.
Container Virtualization
Container virtualization is done at the operating system level, rather than the hardware level.
Each container sits on top of the same kernel, sharing most of the base operating system.

Storage
Traditional computer network storage typically consists of a storage area network (SAN) or network-attached storage (NAS). Cloud offers an additional off-premises option.
Volume Storage
Similar to traditional storage, allocated on a VM and configured as a virtual hard drive.
Appears to be a dedicated resource
Logical Units (LUNs) assigned to VM
Object Storage
Data stored on separate system
Storage access through API calls, network requests or web interface
Allows dedicated resources for managing object storage system to optimize
Management Plane

Creates, starts, and stops virtual machine instances


Provisions CPU, memory, storage, and network connectivity.
Controls live migration of VM instances (when supported)
Manages resources across entire farm (when supported)

Supply Chain Management

Given that organizations have invested heavily to protect their key assets, resources, and intellectual property in recent years, changes to these practices present challenges and complexities.
With the supply chain adjusting to include cloud service providers, security truly is only as good as the weakest link.

Supply Chain Risk
A risk review includes:
Supplier dependencies
o List all dependencies on third parties
o Identify key suppliers
o Regularly update documentation
Single points of failure
o Challenge, fix and mitigate
Engage with key suppliers
o Contracts should cover risks
o Consider a right-to-audit clause

Vendors

Understand vendor capabilities and policies
Establish emergency communication paths
Test communication paths

Customers

If individual responsibilities are not clearly stated, the customer may assume the provider has responsibility for a specific area, which may or may not be correct.
There are internal and external customers in most organizations. You need to understand your customer base's make-up and focus in terms of the consumption and use of cloud services.

Service-Level Agreements (SLAs)
Appropriate SLAs should be in place to manage all services being
consumed by each customer segment.
Some metrics that SLAs may specify include:
o What percentage of the time services will be available
o The number of users that can be served simultaneously
o Specific performance benchmarks to which actual performance will be periodically compared
o The schedule for notification in advance of network changes that may affect users
o Help/service desk response time for various classes of problems
o Usage statistics that will be provided

Partners
Communications paths must be established with all partners that will
consume or support cloud services in the enterprise.

On-boarding
o Ensure a clearly defined on-boarding process for all partners

Management
o Ensure the partner is managed under the existing security infrastructure as much as possible so that access by exception is avoided at all costs

Off-boarding
o Ensure that there is a clearly documented and communicated off-boarding policy and procedure in place to efficiently terminate the partner's access to all enterprise systems

Regulators

Early communication with regulators is essential when developing a cloud environment.
If there are regulatory standards or laws that have to be implemented or adhered to, you need to understand all of the requirements and expectations of compliance to ensure the enterprise is able to prove compliance when asked to do so.

Compliance Regimes
The AICPA established three SOC reports to provide a framework to help
examine controls and related risks at service organizations.
Service Organization Controls 1 (SOC 1)
Service Organization Controls 2 (SOC 2)
o Type 1
o Type 2
Service Organization Controls 3 (SOC 3)
ISO 27001
FedRAMP
ITAR
FIPS Publication 140-2
CSA
MPAA
Question! Which standard requires x,y,z?

Cloud Service Brokers (CSBs)

An entity that manages the use, performance, and delivery


of cloud services and negotiates relationships between
cloud providers and cloud consumers.
Service intermediation
Service aggregation
Service arbitrage

Cloud Ecosystem
A term used to describe the complex system of interdependent
components that work together to enable cloud services.
Converting cloud's considerable benefits into business opportunities requires:
Determining the type of cloud environment best suited for your organization
Developing your cloud adoption vision
Establishing use cases and a detailed plan
Understanding implications of adopting specific cloud service
Understanding layers
o IaaS, PaaS, SaaS

Cloud Security Ecosystems

Provide a more comprehensive set of security control functions.
o Cloud management platforms
o Security as a service (SecaaS) offerings
o Secure Web gateway (SWG)
o Cloud access security brokers (CASBs)

Cloud Controls Matrix by CSA
Evidence that controls are actually operational.
Essential to audits

Questions & answers!
Thank you!
Vijay Luiz
vijay.x.luiz@hk.pwc.com
www.linkedin.com/in/vijay-luiz/
@vijayluiz
