Limited deployment options

Manual management of resources

Automation of deployment and scaling

Increased hardware dependency

It identifies issues before full deployment, saving time and resources.

It increases the overall testing time and costs.

It allows skipping final verification tests.

It eliminates the need for continuous integration.

Inability to monitor cloud infrastructure for threats

IAM failures

Lack of encryption for data at rest

Vulnerabilities in cloud provider's physical infrastructure

Generating logs within the SaaS applications

Managing the financial costs of SaaS subscriptions

Providing training sessions for staff on using SaaS tools

Evaluating the security measures and compliance requirements

Component credentials

Immutable infrastructure

Infrastructure as code

Application integration

Implementing dynamic network segmentation policies

Employing Role-Based Access Control (RBAC) for container access

Regular vulnerability scanning of deployed containers

Use of immutable containers

Focusing exclusively on signature-based detection for known malware

Deploying behavioral detectors for IAM and management plane activities

Implementing full packet capture and monitoring

Relying on IP address and connection header monitoring

Enhances security by supporting authorizations based on the current context and status

Reduces log analysis requirements

Simplifies regulatory compliance by using a single sign-on mechanism

These are required for proper implementation of RBAC

Through virtualization, with administrators allocating resources based on SLAs

Through abstraction and automation to distribute resources to customers

By allocating physical systems to a single customer at a time

Through manual configuration of resources for each user need

Defining and maintaining the governance plan

Adherence to internal policies, laws, regulations, standards, and best practices

Implementing automation technologies to monitor the control implemented

Conducting regular penetration testing as stated in applicable laws and regulations

Cloud Service Customers (CSCs) are solely responsible for security in the cloud environment. The Cloud Service Providers (CSPs) are accountable.

Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) share security responsibilities. The exact allocation of responsibilities depends on the technology and context.

Cloud Service Providers (CSPs) are solely responsible for security in the cloud environment. Cloud Service Customers (CSCs) have an advisory role.

Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) share security responsibilities. The allocation of responsibilities is constant.

Post-Incident Activity

Detection and Analysis

Preparation

Containment, Eradication, and Recovery

Network Attached Storage (NAS)

Block storage

File storage

Object storage

Implementing real-time visibility

Deploying container-specific antivirus scanning

Using static code analysis tools in the pipeline

Full packet network monitoring

To automate the data encryption process across all cloud services

To reduce the overall cost of cloud storage solutions

To apply appropriate security controls based on asset sensitivity and importance

To increase the speed of data retrieval within the cloud environment

It allows for quick restoration points during updates or changes

It is used for load balancing VMs

It enhances VM performance significantly

It provides real-time analytics on VM applications

They reduce the cost of cloud services.

They provide visibility into cloud environments.

They enhance physical security.

They encrypt cloud data at rest.

They represent the logging of different networking solutions, and DNS Logs are more suitable for a ZTA implementation

DNS Logs record domain name resolution requests and responses, while Flow Logs record info on source, destination, protocol

They play identical functions and can be used interchangeably

DNS Logs record all the information about the network behavior, including source, destination, and protocol, while Flow Logs record users' applications behavior

Formalizing cloud security policies

Implementing best-practice cloud security control objectives

Negotiating SLAs with cloud providers

Establishing a governance hierarchy

To create a separation between development and operations

To eliminate the need for IT operations by automating all tasks

To enhance collaboration between development and IT operations for efficient delivery

To reduce the development team size by merging roles

PBAC eliminates the need for defining and managing user roles and permissions.

PBAC is easier to implement and manage compared to Role-Based Access Control (RBAC).

PBAC allows enforcement of granular, context-aware security policies using multiple attributes.

PBAC ensures that access policies are consistent across all cloud providers and platforms.

It solely focuses on user authentication improvements

It replaces existing network protocols with new proprietary ones

It filters traffic near user devices, reducing the need for backhauling

It requires all traffic to be sent through central data centers

Contracts

Shared Responsibility Model

Service Registry

Risk Register

Role-Based Access Control

Unlimited Access

Mandatory Access Control

Least-Privileged Access

Infrastructures as a Service

A Private Cloud

A Community Cloud

A Hybrid Cloud

Jericho Cloud Cube Model

The CSP server facility

The logs of all customers in a multi-tenant cloud

The network components controlled by the CSP

The CSP office spaces

Their own virtual instances in the cloud

The development of a routine that covers all necessary security measures.

The diligent habits of good security practices and recording of the same.

The timely and efficient filing of security reports.

The awareness and adherence to obligations, including the assessment and prioritization of corrective actions deemed necessary and appropriate.

The process of completing all forms and paperwork necessary to develop a defensible paper trail.

Planned Outages

Resiliency Planning

Expected Engineering

Chaos Engineering

Organized Downtime

False

True

False

True

False

True

Auditors working in the interest of the cloud customer

Independent auditors

Certified by CSA

Auditors working in the interest of the cloud provider

None of the above

False

True

Mappings to well-known standards and frameworks

Service Provider or Tenant/Consumer

Physical, Network, Compute, Storage, Application or Data

SaaS, PaaS or IaaS

Intrusion Prevention System

URL filters

Data Loss Prevention

Cloud Access and Security Brokers (CASB)

Database Activity Monitoring

False

True

Nothing. There are simply limitations around the data that can be logged in the cloud.

Ask the cloud provider to open more ports.

You can instrument the technology stack with your own logging.

Ask the cloud provider to close more ports.

Nothing. The cloud provider must make the information available.

False

True

False

True

More efficient and timely system updates

ISO 27001 certification

Provider can obfuscate system O/S and versions

Greater compatibility with customer IT infrastructure

Lock-In

Governance and Retention Management

Governance and Risk Management

Governing and Risk Metrics

An entitlement matrix

A support table

An entry log

A validation process

An access log

Platform-as-a-service (PaaS)

Desktop-as-a-service (DaaS)

Infrastructure-as-a-service (IaaS)

Identity-as-a-service (IDaaS)

Software-as-a-service (SaaS)

Sales

Marketing

Legal counsel

Auditors

Accounting

The physical location of the data and how it is accessed

The fragmentation and encryption algorithms employed

The language of the data and how it affects the user

The implications of storing complex information on simple storage systems

The actual size of the data and the storage format

Create, Store, Use, and Share

Create and Store

Create and Use

Create, Store, and Use

Create, Use, Store, and Delete

You should apply cloud firewalls on a per-network basis.

You should deploy your cloud firewalls identical to the existing firewalls.

You should always open traffic between workloads in the same virtual subnet for better visibility.

You should implement a default allow with cloud firewalls and then restrict as necessary.

You should implement a default deny with cloud firewalls.

False

True

Infrastructure

Datastructure

Infostructure

Applistructure

Metastructure

Discovery

Custody

Subpoena

Risk Assessment

Scope