In this video, we're going to take a step away from the slide shows and examine the Cloud Controls Matrix, the CAIQ, and the STAR registry. In the first module, we talked about downloading some materials from the Cloud Security Alliance. I hope you did that. But if you didn't, some of the materials we're looking at in this particular video are also posted there. So I ask that you go back to cloudsecurityalliance.org, take a look at the assurance section, and we're going to be looking at the different STAR tools. The first is going to be the CCM, the Cloud Controls Matrix.
As you can see, the purpose of this is to map the variety of different standards, regulations, frameworks, and controls that you want to have in place for your cloud security.

If you haven't done it already, go ahead and download the CCM. It's going to require you to provide some information about yourself, and then you're going to get an Excel sheet. Once you've downloaded the CCM, go ahead, open it up, and let's take a look at it. I'm going to go through the different columns first.

We're certainly not going to look at each and every row in the CCM. As you can see at a quick glance, I think last time it was up to 130 different controls that it discusses; it looks like it's growing. New versions of this are coming out on a regular basis. Now we can see we have about 135 different controls that get examined in the CCM. So I've mentioned that this is one of the tools when we're talking about vendor assessments, looking at risk, doing gap analysis, really understanding: what is your cloud provider giving you? And then what are the other things that you need to put in to fill that gap, to mitigate the different risks that are outstanding?
The CCM and the other utilities that we're going to be looking at in this video are not fancy software in their own right, but they have a lot of really powerful information that can make your life much easier when making these decisions. So first we have the control domain, which describes a variety of different general domains of control in the cloud, and a unique ID according to this CCM. In the CCSK, you're not going to need to understand each and every facet of the CCM, and you're definitely going to want to have a copy of the CCM out and ready when you're taking the exam. But it's very important that you also understand the purpose, the intention, and the use of the CCM, because there are a lot of questions around that.

Moving over the columns, we see there's a description: what is the thing, the control, that we're talking about? So this very first one: application programming interfaces shall be designed, developed, deployed, and tested in accordance with leading industry standards, such as OWASP for web applications, and adhere to applicable legal, statutory, or regulatory compliance obligations. So that's the content; that's the standard; that's what you need to be doing. Continuing along, we can see there are architectural relevance columns. Is this something that's applicable to the physical layer, the network, compute, storage, the application layer, the data layer? Is this control something to be considered for corporate governance? Which cloud service delivery model does this particular control apply to? So this is the big three we've spoken about several times: SaaS, PaaS, IaaS. In the supplier-consumer relationship, who does the majority of the burden fall upon to realize this control: the service provider or the tenant/consumer?
And then we have a whole lot of other columns. These are different specifications and standards and regulations that exist out there. In future videos, I'm going to touch on many of these. You don't need to know what each and every one of these is for the CCSK exam. However, in your day-to-day practice and your life, there are going to be certain standards that are very applicable to the company you're working at and the industry it resides in. So it will be helpful to give this a look, because you may find that some of these standards are very applicable to your day to day. For example, COPPA, the Children's Online Privacy Protection Act, is very common to pretty much anybody who is providing a means for users to register with their service: if the user is 13 years or younger, they should not be allowed to sign up on your service. So go through, check them out. You can see there are a lot. This is a very valuable utility.

When you're evaluating the gaps, you're looking at a cloud provider and you want to see the cross-relationships between the different standards; you want to see what they map to and the commonality between the different standards, as well as the underlying cloud controls. It's just going to make things a lot simpler. Instead of having to be an expert in each and every standard yourself, you're going to be able to evaluate something like this: evaluate the cloud provider, cross-reference what controls are in place with the cloud provider, and how that relates to compliance with the variety of different standards that the CCM outlines here.

Once again, you're not going to be required to know all these different standards for the CCSK exam. We will be glossing over some of these standards in future videos in this lesson. But the biggest point that you're going to want to understand is: what is the purpose of the CCM? Why would you want to use it? What is the value it brings? I personally find this a very helpful tool, so go ahead and explore it for a little bit, just so you understand the different control domains, and take samples of different control specifications that you find.

Now I'm going to hop back to cloudsecurityalliance.org, and we're going to proceed to take a look at an additional STAR tool called the CAIQ. This is the Consensus Assessments Initiative Questionnaire. So just like the CCM, you're going to need to fill out a little form and download the CAIQ. If you haven't done so, pause this video for a second and then come back.
I'm going to shoot over to the CAIQ right now, my own copy that I've downloaded and have open, and let's take a look at this. The first few columns have a direct correlation with the CCM. We have the control domain, and we also have the control ID. So there's a direct mapping between the control IDs defined in the CAIQ and those defined over in the CCM. If I shoot over to that, and just give me a second, so here's AIS-01; come back to the CAIQ, AIS-01 there. And then there are the control specifications, which also line up directly with the CCM. Here's the control specification text, so you can see the relationship there. Now, where the CAIQ comes into value is the assessment questionnaire. You remember the difference between assessments and audits: assessments are more just stated, not actually proven in fact.
So this sequence of questions allows you, when you're doing the evaluation, or allows the cloud provider themselves when they're doing an introspective evaluation and assessment, to see how their compliance stands with these different points. These questions help them break it down: OK, to get this control specification met, what are some of the things we need to ask ourselves? And based on those answers, we're going to get a better gauge on the specifics of how well we are meeting this particular control specification.

So as a cloud customer, you can use the CAIQ to have a conversation with your cloud provider, and it'll help you and walk you through asking the right questions. If you're on the cloud provider side, you can proactively address questions and use the CAIQ as a basis to examine these things. Go through these different questions, and based on your answers and the different control IDs that you are able to realize and enforce internally, you can then come back, look at the CCM, and say, OK, we can check the box on this particular control. So if somebody asks us about a specific one of these regulations and certifications, we can also say, with a good amount of confidence, that these particular points of the regulation, we're adhering to those as well.

Hopefully you realize the value of the CAIQ both for cloud providers and cloud consumers. This continues on and has line items that line up directly with the CCM itself.
I do recommend you make sure that you're always downloading the latest update of the CAIQ. It does get revised. You can see here the change log for the most recent revision. I'm actually looking at one updated as of April 14th, 2020, and at the time you're watching this, you may be looking at an even newer revision. A lot of time and effort has been spent improving the questions to get that alignment between the security control and assessing how well the cloud provider is fulfilling that security control with their own internal procedures.

So jumping back to cloudsecurityalliance.org, we can also see that there is a Lite version of the CAIQ, a simpler questionnaire not addressing each and every item. Take a look at that from your practical day-to-day use perspective, but it's not something that's going to be covered on the CCSK exam.
Finishing off this video, what I'd like to go through is the STAR registry. The STAR registry brings some value to you in that you don't have to use this CAIQ to assess each and every individual cloud provider. The STAR registry actually provides the different cloud providers themselves with the opportunity to perform these assessments on themselves, walk through the CAIQ, answer the different questions, and then upload their results to a centralized repository. So you, as a cloud consumer, can then search for the cloud provider and examine the evaluations and assessments that they may have submitted to the STAR registry. That prevents you from having to go through that whole assessment process with the cloud provider.
I encourage you to use the STAR registry as you're looking at and evaluating different cloud providers. For purposes of the CCSK exam, there's not a ton of focus on the actual STAR registry; certainly, they don't get into the individual cloud providers that are in that registry. One thing to note, though, is there are a few different tiers that the providers themselves can fall upon once they submit. There's the self-assessment, meaning the provider assessed themselves, and they answered the questionnaire themselves. But then there are also some certified cloud providers as well, where an external party has come in and actually done an audit, and then submitted their audit results. So you can see a little bit on the "select a submission path" here. You could be self-certified, kind of the level one here, where you're just saying, here's what I do. Level two is where you're actually making attestations, legally binding assertions of "this is indeed what I do," above and beyond an assessment. And then you can, of course, hire a third party to come in and make additional attestations on your behalf, and they themselves are saying, we've gone through an audit, and we've really made sure that this cloud provider is adhering to these different controls.

And on that note, we have gotten deep enough into the STAR registry to teach you everything you're going to need to know relative to the CCSK exam. We've also talked about the Cloud Controls Matrix, and then we reviewed the CAIQ itself, and that wraps it up for this video as well. I look forward to seeing you in future videos.
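Added example, not part of the video and not CSA tooling: the CAIQ-to-CCM cross-reference the video describes (CAIQ questions roll up to a CCM control ID, the CCM row says whether the provider or the tenant carries the control and which standards it maps to) can be scripted once both sheets are exported to CSV. The rows and column names below are constructed for this example and only imitate the shape of the real spreadsheets; the roll-up rule (a control counts as met only when every question under it is answered "yes") and the responsibility values (provider / consumer / shared) are simplifying assumptions, not CSA's scoring.

```python
"""Toy gap analysis joining CCM-style controls with CAIQ-style answers.

All rows below are constructed for this example and only imitate the column
shape of the CSA spreadsheets; they are not the real CCM or CAIQ content, and
the column names are assumptions made for the example.
"""
import csv
import io
from collections import defaultdict

# Constructed CCM-like rows: control ID, control domain, who carries the
# burden to realize the control (provider / consumer / shared), and the
# standards the control is mapped to (semicolon separated).
CCM_CSV = """control_id,domain,responsibility,mapped_standards
AIS-01,Application & Interface Security,provider,ISO27001;PCI-DSS
AIS-02,Application & Interface Security,consumer,ISO27001
DSI-03,Data Security,shared,PCI-DSS;HIPAA
IAM-02,Identity & Access Management,provider,ISO27001;HIPAA
STA-01,Supply Chain Management,provider,ISO27001
"""

# Constructed CAIQ-like rows: question ID, the CCM control it rolls up to,
# and the provider's self-assessment answer (yes / no / na).
CAIQ_CSV = """question_id,control_id,answer
AIS-01.1,AIS-01,yes
AIS-01.2,AIS-01,Yes
AIS-02.1,AIS-02,no
DSI-03.1,DSI-03,yes
DSI-03.2,DSI-03,no
IAM-02.1,IAM-02,na
"""


def parse_csv(text):
    """Parse an inline CSV string into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def control_status(caiq_rows):
    """Roll CAIQ answers up to one status per control ID.

    A control is 'met' only when every question under it is answered yes,
    'not applicable' when every question is na, and otherwise 'gap'.
    """
    answers = defaultdict(list)
    for row in caiq_rows:
        answers[row["control_id"]].append(row["answer"].strip().lower())
    status = {}
    for cid, answered in answers.items():
        if all(a == "yes" for a in answered):
            status[cid] = "met"
        elif all(a == "na" for a in answered):
            status[cid] = "not applicable"
        else:
            status[cid] = "gap"
    return status


def gap_analysis(ccm_rows, caiq_rows):
    """Cross-reference CAIQ answers with CCM responsibility and standards."""
    status = control_status(caiq_rows)
    report = {
        "met": [],
        "provider_gaps": [],      # provider must close these
        "consumer_actions": [],   # tenant must compensate for these
        "needs_review": [],       # answered not applicable: confirm why
        "unanswered": [],         # CCM control with no CAIQ answers at all
        "standards_at_risk": defaultdict(list),
    }
    for row in ccm_rows:
        cid = row["control_id"]
        state = status.get(cid)
        if state is None:
            report["unanswered"].append(cid)
        elif state == "met":
            report["met"].append(cid)
        elif state == "not applicable":
            report["needs_review"].append(cid)
        else:
            # The shared-responsibility column decides who owns remediation.
            if row["responsibility"] in ("provider", "shared"):
                report["provider_gaps"].append(cid)
            if row["responsibility"] in ("consumer", "shared"):
                report["consumer_actions"].append(cid)
            # Every standard mapped to an unmet control inherits the gap.
            for std in row["mapped_standards"].split(";"):
                report["standards_at_risk"][std].append(cid)
    report["standards_at_risk"] = dict(report["standards_at_risk"])
    return report


if __name__ == "__main__":
    result = gap_analysis(parse_csv(CCM_CSV), parse_csv(CAIQ_CSV))
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed rows, DSI-03 is a shared control with one "no" answer, so it lands on both the provider's list and the tenant's list and drags PCI-DSS and HIPAA into the standards-at-risk view; STA-01 has no CAIQ answers at all and is reported as unanswered rather than silently treated as met, which is the case a real questionnaire review most often misses.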