Cloud Computing Key Areas Security Guidelines v5 - Overview Version

Co-authored with my friend Steve

Original article link: https://mp.weixin.qq.com/s/8CQkGt-lnffQdfKgNAjbFw

In the summer of 2020, right after finishing the college entrance examination, I participated in the study of CCSK v4 and obtained the certification. The wheels of fate may have started to turn at that time. On the last Friday of 2024, as this report is being released, I have many feelings to share. Growing from a beginner in cloud security to a translator and participant of this significant textbook, I am grateful to the King of Yellow and Black who holds good fortune, and to all the mentors and friends who have guided and accompanied me along the way. I hope this article can inspire and help friends who are learning and exploring the field of cloud security. Let us work together towards the next brilliant five years of the cloud security 3.0 era!

If you have questions or insights about this article and its "Guide," or if you find flaws and errors in the report, please contact me at B1ueD0g@duck.com.

“Cloud Computing Key Areas Security Guide” (abbreviated: Cloud Security Guide) was first published by the Cloud Security Alliance (CSA) in 2009, becoming a must-have manual for implementing cloud security globally, providing practical security strategies for cloud computing users, service providers, and security experts, helping them effectively implement security controls and protective measures in a rapidly changing cloud environment. As the official learning material for the CSA Cloud Security Knowledge Certification (CCSK) international cybersecurity certification, the Cloud Security Guide has been translated into six languages, becoming a classic textbook for cybersecurity practitioners worldwide.

It has now been updated to the "Cloud Computing Key Areas Security Guide v5." Based on previous versions, the Cloud Security Guide v5 has comprehensively updated technological advancements and emerging security threats. Especially in the context of the rapid development of cloud-native technologies, the guide strengthens cloud-native security measures and incorporates emerging security technologies/concepts such as AI and zero trust, providing theoretical guidance and practical direction for the rapid development of cloud security 3.0 (intelligent cloud security).

Below is a brief introduction to each area of the guide; for specific content, please read the original guide (180,000 words).

Area 1: Cloud Computing Concepts and Architecture#

Area 1 provides a conceptual framework for the other areas of the guide. This section mainly introduces the basic concepts of cloud computing, service models (such as IaaS, PaaS, SaaS), and deployment models (such as public cloud, private cloud, hybrid cloud). It emphasizes the multi-tenant characteristics of cloud computing, virtualization technology, and the security challenges of resource pooling, and proposes best practices for addressing these challenges.

Area 1 presents the concept of "Everything as a Service" (XaaS). XaaS, as the foundational model of cloud computing, encompasses various services provided over the internet, distinguishing it from traditional on-premises or proprietary IDC data centers. Under the XaaS model, "X" represents almost any resource delivered as a service, such as security as a service, containers as a service, AI as a service, etc. These services are often compatible with IaaS, PaaS, and SaaS models, but they are more specific and descriptive, helping enterprises choose the appropriate form of cloud service in different scenarios. By understanding XaaS, enterprises can more accurately select and design suitable cloud service architectures while addressing various challenges such as security and compliance.

Area 2: Cloud Governance#

Area 2 focuses on cloud governance, emphasizing the role of security. Governance is based on a framework composed of policies, procedures, and controls, aimed at promoting transparency and accountability to established standards. Effective governance practices involve strategic guidance, risk management and mitigation, compliance monitoring and remediation, budget allocation, and cost control. IT governance ensures that information and related technologies can support the realization of enterprise strategies and objectives.

Effective cloud governance requires establishing a robust framework and a set of policies to ensure the effective, secure, and compliant use of cloud resources. It necessitates the implementation of strong control frameworks and policies to manage cloud resources securely, compliantly, and efficiently. This includes:

Defining roles and responsibilities
Establishing a cloud center of excellence or similar entity
Conducting requirements gathering
Risk-based planning
Risk and remediation management
Data and digital asset classification
Compliance with legal and regulatory requirements
Maintaining a cloud registry
Establishing governance hierarchies
Utilizing cloud-specific security frameworks
Defining cloud security policies
Setting control objectives and specifying control standards

By implementing these components, organizations can maximize the benefits of cloud computing while minimizing potential risks.

Area 3: Risk, Audit, and Compliance#

Area 3 explores methods for assessing cloud service providers (CSPs). It covers the establishment of a cloud risk registry and the implementation of approval processes. Additionally, it references CSA's "Top Threats" to provide contextual information on common risks.

This area outlines compliance and auditing, different types of compliance, and the concept of compliance inheritance. To assist governance, risk, and compliance (GRC) processes, this area introduces various tools and technologies. This includes policies, procedures, controls, automation roles, software bill of materials (SBOM), and related technologies. Overall, these components support the governance framework and help manage complex cloud computing risk and compliance requirements.

The first step in managing cloud risk is to establish systematic processes to assess CSPs and their service products, and this assessment should align with business needs and risk tolerance. The following process aims to address these discrepancies: business requests, reviewing CSP documentation, examining external sources, mapping to compliance requirements, mapping to data classification, defining required controls and compensating controls, and approval processes.

Protecting the cloud environment requires comprehensive risk management, compliance, and continuous monitoring approaches. By utilizing both non-technical and technical tools, organizations can effectively manage cloud risks, ensure compliance, and maintain the security and resilience of their cloud infrastructure.

Area 4: Organizational Management#

Organizational management refers to the comprehensive management of the cloud environment, involving the organization and verification of the security measures of cloud service providers (CSPs) and ensuring the security of various cloud service deployments. These critical security issues span deployment strategies, aiming to achieve structured optimal "impact scope" control and security management. Although the underlying technologies of each CSP may differ, they typically provide sufficient functional equivalence to achieve consistent management practices.

Tenant management is a key mechanism for resource allocation in multi-tenant environments and plays a crucial role in cloud environment management. Establishing key controls to manage hierarchies and address primary security and compliance issues is essential for maintaining visibility and structure. Area 4 also explores various organizational hierarchy models for managing and protecting multiple cloud deployments, along with their functions and best practices. By studying structural differences and standardized approaches, cloud service customers (CSCs) can implement consistent security controls and policies, enhancing their cloud management strategies and minimizing security risks.

This area also involves details of organizational security management, including identity provider mapping, CSP policies, shared services, and considerations for hybrid and multi-cloud environments. The first step in achieving cloud security includes limiting unnecessary expansions, determining organizational occupancy, and implementing security controls across CSPs and internally to ensure the security of individual deployments. A primary task is to master how to divide cloud services into smaller control units and establish enterprise-level and tenant-level controls above the deployments.

Area 5: Identity and Access Management (IAM)#

Identity and access management ensures that only authorized identities can access the corresponding resources. As cloud platforms integrate the management functions and services of numerous data centers into a unified web console and application programming interface (API) accessible via the internet, IAM has become a new line of defense in cloud-native security, protecting sensitive resources from unauthorized access and abuse.

In both public and private clouds, cloud service providers (CSPs) and cloud service customers (CSCs) are responsible for managing IAM within acceptable risk tolerances. Compared to on-premises systems, cloud computing introduces new dimensions to IAM management. While core security issues may not be new, their impact is amplified and can create ripple effects in cloud environments.

The main differences between managing IAM in the cloud and managing IAM in on-premises systems are:

The relationship between cloud service providers (CSPs) and cloud service customers (CSCs), and their respective responsibilities.
Integration of multiple management interfaces.
The exposure of these interfaces to the internet, especially in public cloud environments.

IAM cannot be managed solely by either the CSP or the CSC. It requires a trust relationship between both parties, clear delineation of responsibilities, and technical mechanisms that facilitate IAM management. Additionally, dealing with multiple CSPs adds complexity for CSCs in managing multiple IAM solutions and aligning with each vendor's unique policies.

Area 6: Cloud Security Monitoring#

Area 6 presents unique security monitoring challenges and solutions for cloud environments. It emphasizes various aspects such as cloud telemetry, management plane logs, service and resource logs, and high-level monitoring tool integration. It explores the complexities of hybrid and multi-cloud setups, including interoperability and security considerations. Further, it highlights the critical role of logs, events, and configuration detection in comprehensive security monitoring. Finally, it introduces generative artificial intelligence (GenAI) as an innovative tool to enhance cloud security and provide multifaceted protection for cloud infrastructure.

Cloud telemetry sources allow organizations to understand the cloud environment, tracking everything from management operations to individual service interactions and resource performance. They provide the ability to "see" and "hear" what is happening in the cloud environment by continuously collecting and sharing detailed information. Security tools, administrators, or automated processes then handle this information to analyze and understand the operational status, performance, and security of the CSC's cloud environment.

Area 7: Cloud Infrastructure and Network Security#

Area 7 covers the management of overall infrastructure usage and network security. Protecting cloud infrastructure is a dual task, requiring the protection of both the CSP's setup and the configuration of the CSC's deployment. The core pillars of infrastructure security include creating a secure architecture, ensuring configurations are secure from the outset, integrating security early in the development lifecycle (left-shift practices), and maintaining vigilance through monitoring and application firewalls.

Cloud networks built on SDN principles provide advanced security features, such as implementing default deny policies, managing access and rules based on policies, and allowing for fine-grained network segmentation. These features significantly enhance the security framework within cloud environments.

Integrating zero trust principles (such as SDP and SASE) is crucial for ensuring secure multi-cloud connections and achieving secure remote access. These models ensure strict access control and provide access based on verified identities and context, thereby enhancing security in distributed environments.

Container networking adds an abstraction layer on top of traditional virtualized cloud networks, introducing new complexities. This necessitates applying security measures at both the container and cloud network layers to prevent vulnerabilities from being exploited. Finally, cloud network security is not limited to security groups. It also includes deploying preventive measures such as firewalls, IDS/IPS, and WAF, as well as detection controls like flow logs and traffic mirroring. These elements collectively form a robust defense against network threats, ensuring the integrity and resilience of enterprises utilizing cloud technologies.

Area 8: Cloud Workload Security#

Area 8 covers the protection of cloud workloads. Cloud workloads refer to various tasks, applications, services, and processes running in a cloud computing environment. Cloud workloads offer scalability, flexibility, and efficiency, allowing enterprises and individuals to access and run applications or data processing tasks without needing to invest heavily in physical hardware. Cloud workloads encompass a range of resources, including virtual machines (VMs), containers, serverless functions, AI, and platform as a service (PaaS). The dynamic nature of cloud environments and their ever-changing and expanding resources require security approaches that differ from traditional methods.

When using Kubernetes for container orchestration, customizing configurations to enhance security is crucial. Scanning for vulnerabilities in container images and controlling who has access to and manages these images are essential practices. Additionally, implementing runtime protection mechanisms ensures continuous monitoring of containers and defense against persistent threats.

Serverless applications require targeted security approaches, starting with strict IAM policies. Protecting API endpoints from unauthorized access and strictly managing secrets are key to preventing vulnerability exploitation.

The field of AI workload security is evolving rapidly and requires continuous learning. To protect AI workloads from attacks, adversarial training must be employed, safeguarding AI models from unauthorized access or theft, and utilizing data privacy techniques such as differential privacy.

Area 9: Cloud Data Security#

In the context of rapid development of cloud services and increasing network threats, Area 9 meets the demand for robust data security in cloud environments. It emphasizes the importance of data security for maintaining organizational integrity, confidentiality, customer trust, and regulatory compliance.

This area explores various aspects of data security, including data classification, types of cloud storage, and specific security measures for different data states (static data, in-transit data, and data in use). It covers fundamental security tools and techniques such as IAM, encryption, and access control policies, providing a comprehensive guide for protecting cloud data. Overall, this area serves as a foundational guide for organizations to strengthen their cloud data security practices.

Area 10: Cloud Application Security#

Area 10 covers application security, which is the practice of using security controls to protect computer applications from external threats. Cloud computing is a major driver of advancements in application security, requiring progress to be stable, scalable, and secure. The secure development lifecycle provides the necessary technical and methodological guidance to help create and maintain secure cloud applications.

The guide introduces the concept of left-shift (Shift-Left), which refers to moving security work to the early stages of the SSDLC to ensure that the product is designed securely and defaults to security.

Left-shift (Shift-Left) ensures that at every stage of the SSDLC, risks are examined through a security lens, achieving proactive security and preemptive security. Compared to passive remediation of vulnerabilities in later stages of the SSDLC, security left-shift is also more cost-effective.

Area 11: Incident Response and Resilience#

Area 11 aims to identify and explain best practices for cloud incident response and resilience, which security professionals can use as a reference when developing their incident plans and processes. This area discusses the cloud incident response framework and the preparations needed for effective incident response. It provides CSPs and CSCs with a transparent, shared framework to help them share cloud incident response practices and guide CSCs on how to prepare for and manage cloud incidents throughout the lifecycle of disruptive events.

The incident response lifecycle is a guide for cloud customers to effectively prepare for and manage cloud incidents. The incident response lifecycle described by NIST includes the following phases and key activities: preparation, detection and analysis, containment, eradication and recovery, and post-incident analysis.

Area 12 points out that to address increasingly complex cloud security challenges, organizations need to conduct comprehensive analyses from multiple dimensions. By combining both "perspectives" and "processes," we can examine issues from different angles and take informed actions in decision-making to ensure the security and compliance of cloud applications, systems, and data.

Currently, zero trust (ZT) strategies are one of the cores of cloud security, emphasizing continuous verification of all users and devices, minimizing trust, applying the principle of least privilege, and integrating multi-factor authentication, micro-segmentation, and encryption technologies to reduce the attack surface and enhance security resilience. Meanwhile, the application of artificial intelligence (AI) in cloud security is gradually increasing. Through AI, organizations can improve threat detection, access control, and policy enforcement, utilizing machine learning to enhance anomaly detection and risk management, thereby improving security defenses.

CCSK Course Introduction#

To meet the talent demand in the cloud security 3.0 (intelligent cloud security) era, CSA has upgraded the CCSK course and certification system while simultaneously updating the "Cloud Security Key Areas Security Guide v5." The CCSK course content closely aligns with the guide, ensuring that students can learn the latest cloud security concepts and best practices.

CCSK V5 introduces emerging technologies or concepts such as AI/GenAI, zero trust, DevSecOps, and data lakes on the foundation of traditional cloud security knowledge systems, providing a timely and comprehensive knowledge system for talent development in the cloud security 3.0 era, while offering students a clear training path and objectives.

CCSK (Certificate of Cloud Security Knowledge) is a certification program released by the internationally recognized organization Cloud Security Alliance (CSA) in 2011, and it is the first global security certification aimed at individual users. It has been translated into six languages and taught worldwide. Dubbed the "mother of cloud computing security certifications," there are over 80,000 CCSK certificate holders.