Your company is planning to migrate the on-premises E-Commerce system to a PaaS. As a security professional, which of the following is the least concern in the selection of cloud service providers?
A. The location of data persistence.
B. The elasticity of backend services.
C. The report on security controls at the user entity.
D. Rules of engagement when conducting pentesting.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. The report on security controls at the user entity.
The selection of cloud service providers is a procurement or supply-chain concern. There are many factors to consider, for example, reputation, costs, lock-in, lock-out, FOCI (foreign ownership, control, or influence), service level, security controls, audit rights, and so forth.
User entities use the services of service organizations. It is the cloud service provider, as the service organization, that should provide SOC reports to its customers (the user entities). So, the report on security controls at the service organization is your concern, not a report on controls at the user entity (your own company).
SOC for Service Organizations reports are designed to help service organizations that provide services to other entities build trust and confidence in the services performed and the controls related to those services, through a report by an independent CPA. Each type of SOC for Service Organizations report is designed to help service organizations meet specific user needs:
- SOC 1® – SOC for Service Organizations: ICFR. Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.
- SOC 2® – SOC for Service Organizations: Trust Services Criteria. Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
- SOC 3® – SOC for Service Organizations: Trust Services Criteria for General Use Report.
Data persistence is a general term that refers to storing data for reuse. The location of data persistence matters because of compliance requirements, e.g., GDPR imposes requirements on cross border data processing.
Both your company and the CSP may replicate your data for redundancy. Cloud consumers may not know precisely on which servers their data resides. However, they have to know the global infrastructure of their CSPs and be careful when configuring data replication or archiving solutions (e.g., a CDN or AWS S3 replication) so that they do not cause unintended cross-border data transfers that violate laws and regulations (e.g., GDPR).
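As an added example (not part of the original post), the check below audits replication rules shaped like an S3 ReplicationConfiguration against an allow-list of regions. The bucket-to-region map, the allowed regions, the account id and the rules are all constructed for illustration; in practice the map would come from a bucket-location lookup.

```python
"""Added example (not from the original post): flag replication rules whose
destination bucket lives outside the regions permitted for this data."""
from typing import Dict, List, Set

# Constructed: the AWS Region of each destination bucket (normally obtained
# from a GetBucketLocation call, hard-coded here so the example runs offline).
BUCKET_REGION: Dict[str, str] = {
    "shop-backup-frankfurt": "eu-central-1",
    "shop-backup-ireland": "eu-west-1",
    "shop-archive-virginia": "us-east-1",
}

# Constructed: regions in which EU customers' personal data may reside.
ALLOWED_REGIONS: Set[str] = {"eu-central-1", "eu-west-1", "eu-west-3", "eu-north-1"}

# Constructed replication configuration in the S3 API shape (account id is a placeholder).
REPLICATION_CONFIG: Dict = {
    "Role": "arn:aws:iam::123456789012:role/replication-role",
    "Rules": [
        {"ID": "eu-copy", "Status": "Enabled",
         "Destination": {"Bucket": "arn:aws:s3:::shop-backup-frankfurt"}},
        {"ID": "dr-us", "Status": "Enabled",
         "Destination": {"Bucket": "arn:aws:s3:::shop-archive-virginia"}},
        {"ID": "old-us", "Status": "Disabled",
         "Destination": {"Bucket": "arn:aws:s3:::shop-archive-virginia"}},
    ],
}


def bucket_name_from_arn(arn: str) -> str:
    # S3 bucket ARNs carry no region, so the region must be looked up by name.
    return arn.split(":::", 1)[1]


def find_cross_border_rules(config: Dict, allowed: Set[str],
                            bucket_region: Dict[str, str]) -> List[str]:
    """Return IDs of enabled rules that replicate to a region outside `allowed`.
    A destination whose region is unknown is flagged too: it cannot be proven compliant."""
    findings: List[str] = []
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue  # disabled rules move no data
        name = bucket_name_from_arn(rule["Destination"]["Bucket"])
        if bucket_region.get(name) not in allowed:
            findings.append(rule["ID"])
    return findings


if __name__ == "__main__":
    print(find_cross_border_rules(REPLICATION_CONFIG, ALLOWED_REGIONS, BUCKET_REGION))
```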
AWS Regions and Zones
Amazon EC2 is hosted in multiple locations world-wide. These locations are composed of Regions, Availability Zones, Local Zones, and Wavelength Zones. Each Region is a separate geographic area.
Elasticity means the capability to scale out and scale in automatically according to workload demand. It affects the performance and availability of a system, and it lets a system absorb bursts in demand effectively.
The ability to acquire resources as you need them and release resources when you no longer need them. In the cloud, you want to do this automatically.
Almost every CSP establishes policies for penetration testing conducted by customers. It is your due diligence to review the CSP’s rules or policies for conducting pentesting. These rules are part of your contractual requirements, and your company has to comply with them.
AWS Customer Support Policy for Penetration Testing
AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services, listed in the next section under “Permitted Services.”
Please ensure that these activities are aligned with the policy set out below. Note: Customers are not permitted to conduct any security assessments of AWS infrastructure, or the AWS services themselves. If you discover a security issue within any AWS services in the course of your security assessment, please contact AWS Security immediately.
If AWS receives an abuse report for activities related to your security testing, we will forward it to you. When responding, please provide the root cause of the reported activity, and detail what you’ve done to prevent the reported issue from recurring.
Resellers of AWS services are responsible for their customers’ security testing activity.
- SOC for Service Organizations: Information for Service Organizations
- Guidelines for Developing Penetration Rules of Behavior
- Information Supplement: Penetration Testing Guidance
- CMS Penetration Testing Rules of Engagement Template
- The importance of Scope and Rules of Engagement in a Penetration Test
- Rules of Engagement in Pentesting
- Azure Storage Replication Explained
- AWS Regions and Zones
- AWS Regions and Availability Zones
- AWS Regions, Availability Zones, and Local Zones
- AWS Global Infrastructure
- AWS Region Table
- AWS Customer Support Policy for Penetration Testing
- How do I run security assessments or penetration tests on AWS?
Your company is planning to migrate the on-premises e-commerce system to a PaaS. As a security professional, which of the following is the least concern when selecting a cloud service provider?
C. The report on security controls at the user entity.