Class 02: Learning Journal - VascoLucas01/cybersecurity-reading-notes GitHub Wiki

Introduction


[Date: 2023/04/12]

In this Class 02: Learning Journal, I am going to talk about the main ideas/concepts covered in the cloud security lecture.

After that, I am going to write a reflection based on the question posed at the end of this page.

Today I Learned


Today, Cloud Security was the topic addressed and some questions appeared during the lecture, such as:

1. Why do we care about cloud security frameworks?

  • Frameworks are very useful for organizations concerned about security, because they give structure to day-to-day security analyses.
  • "Computing paradigms shift as we move into cloud systems."

2. Why do organizations adopt cloud services?

  • Rapid and simple deployment
  • Less time to market for services
  • Cost efficiency
  • Increased utilization of server resources
  • Less capital and server resources
  • Better perceived security by managing and controlling it internally

3. Who secures what part of the cloud?

This is where the "Shared Responsibility Model" emerges. Cloud security operations differ significantly from on-premises environments because responsibilities are divided between one or more service providers and the customer's own cybersecurity teams. This type of operating environment is known as the Shared Responsibility Model.

For example, the "AWS Shared Responsibility Model delineates who is responsible for the security of what parts of the cloud".

Three Cloud Types

  • Private Cloud. Inaccessible to the general public
  • Public Cloud. Accessible to the general public (examples: AWS, Azure, ...)
  • Hybrid Cloud. Catch-all term used to describe cloud deployments that blend public and private cloud services together

Key Terms

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

Cloud Service Provider (CSP)

  • AWS
  • Azure
  • Google
  • Heroku

Cloud Service Providers offer the components of cloud computing listed above.

ISO 27001

ISO 27001 is a comprehensive set of standards for information security, including best practices for security and risk management, compliance, and technical implementation.

"Which certificates and best practices an organization should have to show some kind of concern for protecting the organization."

Additionally, some organizations look specifically for services from CSPs that hold ISO 27001 certification.

ISO 31000

ISO 31000 is a comprehensive set of standards for Enterprise Risk Management (ERM).

  • It is not focused on information security risks
  • Usable for any type of risk, including business continuity, market, currency, credit, operational, etc.
  • Less technically specific than ISO 27001
  • Provides an excellent framework for ERM

Cloud Security Alliance (CSA)

The Cloud Security Alliance is an industry organization focused on developing and promoting best practices in cloud security. It developed the Cloud Controls Matrix (CCM) as a framework and reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory compliance requirements.

CSA also developed the Security Guidance v4.0.

System and Organization Controls (SOC 2)

The System and Organization Controls (SOC 2) framework evaluates the internal controls implemented by a service provider to ensure compliance with the Trust Services Criteria (TSC) when storing and processing customer data.

Artifact Portal

"It is a central resource for compliance-related information that matters to you".

Reflection


How do you think your prior life and professional experience will help you in this new endeavor?

As a cybersecurity student with a background in electronics, telecommunications, and computer engineering, I am excited to leverage my prior experiences and skills to excel in the cybersecurity field. My engineering background has equipped me with a strong foundation in problem-solving, logical reasoning, and critical thinking, which are essential skills in the cybersecurity domain.

Furthermore, I have a strong willingness to learn and a curious nature, which I believe will be instrumental in my journey as a cybersecurity student. The cybersecurity field is constantly evolving, and being open to learning new skills and technologies is essential to stay up-to-date with the latest threats and vulnerabilities.

My expertise in electronics and computer engineering has given me a deep understanding of computer hardware and software, which are fundamental components of cybersecurity. I have worked on designing and implementing electronic circuits, including microcontrollers and digital signal processors, and developed software solutions using programming languages like C, Java, and Python. These experiences have given me an in-depth understanding of hardware components and their interaction with software, as well as the ability to identify vulnerabilities in code.

Additionally, my experience in telecommunications has taught me about different communication protocols and network architectures, including routing and switching, and wireless communication technologies. I have a good understanding of how data is transmitted across networks, and I have worked with communication protocols like TCP/IP and Wi-Fi protocols, which will be valuable in securing communication networks.

In conclusion, I am excited to apply my prior knowledge and experience to the cybersecurity field and learn new skills and technologies to excel in this domain. With my curiosity and willingness to learn, I am confident that I can make significant contributions to the cybersecurity field and help protect our digital world.