CISA* Official Review Manual 28th Edition | Chapter 5

• Data security—Homomorphic encryption allows while still producing a valid resuit. This should be the
users to add up various values in an unbiased desired end goal of homomorphic encryption.
way while keeping their values private, protecting
data from manipulation and making it available for Challenges With Homomorphic Encryption
independent vérification by authorized third parties. Challenges related to homomorphic encryption include:
This is useful in activities such as general démocratie • Inefficiency—The major challenge with fully
élections. homomorphic encryption is inefficiency. Meeting
• Regulatory compliance—Régulations such as the the requirements of full homomorphism results in
General Data Protection Régulation (GDPR) hâve algorithms that are slow, as the requirements are quite
provided data subjects with extensive rights and extensive.
placed additional responsibilities and restrictions • High storage requirements—Homomorphic
on businesses. With homomorphic encryption, an encryption can hâve very high storage requirements
organization can store and process data on Systems due to the huge processing workloads involved with
outside the EU and then decrypt it only on servers in its implémentation.
locations that comply with GDPR requirements. • Reduced performance—The new and improved
• Data analytics—Businesses often collect information version is still much slower than plaintext operations,
about their users, process it and sell it to third on average.
parties for targeted advertising. However, this practice • Inability to scale—Homomorphic encryption may
of monetizing personal data is controversial. With not fully protect personal data from providers if there
homomorphic encryption, an organization could are too many users. The solution to this would be
perform data analytics without the ability to view or for the provider to hâve a separate database for every
access the original data. user, encrypted under that user’s public key. However,
• Privacy—Homomorphic encryption enables that is usually infeasible for a large number of users.
organizations to share private data, especially with • Large and complex algorithms—Homomorphic
customers, without affecting privacy. It provides enciyption solutions typically hâve a large overhead
organizations with the ability to guarantee privacy ratio of computation time in the encrypted
by performing mathematical operations on encrypted version versus computation time in the clear.
data without exposing the data itself. Such an overhead is typically a large polynomial,
which increases runtimes substantially and makes
Types of Homomorphic Encryption
homomorphic computation of complex functions
Homomorphic encryption types are: impractical.
• Partially homomorphic encryption—Partially
homomorphic encryption algorithms allow an infinité 5.6.8 Digital Signatures
amount of operations to be performed. For instance, a
An important property of public key Systems is that the
particular algorithm may be additively homomorphic
underlying algorithm works even if the private key is
(i.e., adding two ciphertexts together produces the
used for encryption and the public key for decryption.
same resuit as encrypting the sum of the two
This may seem counterintuitive, but a public key System
plaintexts). These algorithms are relatively easy to
enables a digital signature scheme that can authenticate
design and deploy. The IS auditor should note that
the origin of an encoded message. Because the private
some common encryption algorithms, such as RSA,
key is known only by the owner of the key-pair, it is
are partially homomorphic.
certain that if a ciphertext is correctly decrypted using
• Somewhat homomorphic encryption—A somewhat
a public key, the owner of the public key cannot deny
homomorphic encryption algorithm allows a finite
having performed the encryption process. This is called
number of any operation rather than an infinité
nonrepudiation.
number of a particular operation. For instance, the
algorithm can support any combination of up to In most practical implémentations of digital signature
six additions or multiplications; however, a seventh schemes (figure 5.33), the public key algorithm is not
operation of either type would give an invalid resuit. applied to the whole document as it would take a lot of
• Fully homomorphic encryption—A fully processing power to calculate the signed data. Instead, a
homomorphic encryption algorithm allows an infinité digest (or “pre-hash”) is first derived from the document
number of additions or multiplications of ciphertexts to be signed; then the public key algorithm is applied

446 | ©ISACA. Ail Rights Reserved.

 CISAS Official Review Manual 28th Edition | Chapter 5

to the digest to produce an encoded piece of data (the • Authentication—The récipient can ensure that the
signature) that is sent along with the document. document has been sent by the claimed sender
because only the claimed sender has the private key.
To authenticate the sender as the originator of the
• Nonrepudiation—The claimed sender cannot later
document, the récipient applies the same hashing
deny generating the document.
function upon receiving the document and the resulting
digest (or post-hash) is compared with the decrypted pre- Notice that there is no guarantee that the owner of
hash. In case of a match, the receiver can conclude that the public key actually sent the document. A malicious
the document was actually signed by the owner of the attacker could intercept the signed document and resend
public key. it to the récipient. To prevent this kind of attack (known
as replay attack), a signed timestamping or a counter may
Therefore, digital signature schemes ensure:
be attached to the document.
• Data integrity—Any change to the plaintext message
would resuit in the récipient failing to compute the
same document hash.

Figure 5.33—Verifying Message Integrity and Proof of Origin Using Digital Signatures

Sender ' Receiver

Private Key

Source: ISACA, CRISC Review Manual 7,h Editon Revised, USA, 2023

5.6.9 Digital Enveiope provides cryptographie privacy and data communication

authentication, is a typical example of a digital enveiope.
Similar to a digital signature, a digital enveiope is
an electronic “container” that can be used to protect 5.6.10 Applications of Cryptographie
data or a message through the use of encryption and Systems
data authentication. The message is first encoded using
symmetric encryption. Then the code to decrypt the Asymmetric and symmetric Systems can be combined to
message is secured using public key encryption. This leverage each system’s peculiarities. A common scheme
provides a more convenient option for encryption. A is to encrypt data using a symmetric algorithm with a
digital enveiope can also be decrypted by using a secret key that is randomly generated. The secret key is
receiver’s private key to decrypt a secret key, or by then encrypted using an asymmetric encryption algorithm
using a secret key to decrypt encrypted data. Pretty Good to allow secure distribution among the parties who need
Privacy (PGP), a popular data cryptography software that access to the encrypted data. Secure communications

©ISACA. Ail Rights Reserved. | 447

 OSA* Official Review Manual 28th Edition | Chapter 5

can thus be sent with both the speed of symmetric communication channel for data transmission. The
Systems and the ease of key-distribution of asymmetric whole process is completed before data is transmitted.
Systems. In addition, because creating the secret key is 2. TLS Record Protocol—The TLS Record Protocol is
an effortless operation, it can be employed just for a the actual secure communications
limited amount of data, after which a new secret key can
method for transmitting data. It supports the
be chosen. This limits the possibilities of malicious third
encryption and authentication of packets throughout their
parties decrypting the whole set of data because they
transmission between the parties. It also performs some
would be required to attack multiple secret keys. This
compression of the packets and relies entirely upon the
combined scheme is used in protocols to protect web
handshake protocol for its operation.
traffic, such as SSL/TLS, and to encrypt email, such as
S/MIME. In the latter case, the resulting document—the TLS replaced a similar protocol, SSL, for which a
combination of the encrypted message and the encrypted significant vulnerability was found in 2014. Although
secret key—is called a digital envelope. TLS and SSL are distinct protocols and are not
compatible, references to SSL are common when the
Transport Layer Security intent is to refer to TLS. IS auditors evaluating TLS
TLS is a cryptographie protocol that provides implémentations should take care to détermine whether
secure communications on the Internet. TLS is a a reference to SSL is legitimate (suggesting a security
session- or connection-layered protocol widely used vulnerability) or might instead refer to TLS in practice.
for communication between browsers and web servers.
IP Security
Besides communication privacy, it also provides
endpoint authentication. The protocols allow client- IPSec is used for securing the communications at IP-
server applications to communicate in a way designed to level among two or more hosts, two or more subnets,
prevent eavesdropping, tampering and message forgery. or hosts and subnets. This IP network layer packet
security protocol establishes VPNs via transport and
TLS involves a few basic phases:
tunnel mode encryption methods. For the transport
• Peer negotiation for algorithme support
method, the data portion of each packet—referred to as
• Public-key, encryption-based key exchange and
the encapsulation security payload (ESP)—is encrypted,
certificate-based authentication
achieving confidentiality over the process. In the tunnel
• Symmetric cipher-based traffic encryption
mode, the ESP payload and its header are encrypted.
During the first phase, the client and server negotiate To achieve nonrepudiation, an additional authentication
the cryptographie algorithms that will be used. Choices header (AH) is applied. In establishing IPSec sessions in
supported by current implémentations are: either mode, security associations (SAs) are established.
• For public-key cryptography—RSA, Diffie- SAs define the security parameters that should be
Hellman, Digital Signature Algorithm (DSA) or applied between the communicating parties as encryption
Fortezza algorithms, keys, initialization vectors, life spans of keys,
• For symmetric ciphers—RC4, International Data etc. Within either the ESP or AH header, respectively,
Encryption Algorithm (IDEA), Triple DES or AES an SA is established when a 32-bit security parameter
• For one-way hash functions—SHA-1 or SHA-2 index (SPI) field is defined within the sending host.
(SHA-256) The SPI is a unique identifier that enables the sending
host to reference the security parameters to apply, as
TLS runs on layers above the TCP transport protocol
specified, on the receiving host. The steps for computers
and provides security to application protocols, even if
to exchange data with the IPSec protocol are:
it is most used with HTTP to form HTTPS. HTTPS
• The sender System détermines whether data
serves to secure World Wide Web (WWW) pages for
transmission requires IPSec by confirming with its
applications. In e-commerce, authentication may be used
security policy. If it does, it initiâtes a secure IPSec
in business-to-business (B2B) activities, in which the
transmission with the récipient System.
client and the server are authenticated, and business-to-
• Both Systems negotiate the requirements to establish a
consumer (B2C) interaction, in which only the server is
secure connection, including mutually agreeing on the
authenticated. TLS consists of two protocols:
1. Handshake Protocol—The TLS Handshake Protocol encryption, authentication and SA parameters.
negotiates and establishes the TLS connection • The System sends and receives encrypted data,
between the two parties. It provides a secure validâtes that it came from a trusted source and
ensures the content is reliable.

448 | ©ISACA. Ail Rights Reserved.

 CISA* Official Review Manual 28th Edition | Chapter 5

• Once the transmission is complété or the session has cryptography. SAs on Internet Protocol version 4 (IPv4)
timed out, the System ends the IPSec connection. and Internet Protocol version 6 (IPv6) packets can use
automatic key management.
Security Association
An IPsec SA is a simple (one-way) connection used 5.6.11 Kerberos
to negotiate ESP or AH parameters. The entire SA Kerberos is a ticket authentication mechanism that
process is managed by the Internet Security Association employs a third-party entity to prove identification
and Key Management Protocol (ISAKM), which is a and provide authentication in a Distributed Computing
framework for the negotiation and communication of Environment (DCE). It offers an SSO solution for users
SAs. Information an SA contains includes: and provides protection for logon credentials while
• Material for encryption and authentication keys allowing principals to positively identify themselves and
• The algorithms that can be used participate in a DCE. The current version ofKerberos,
• The identifies of the endpoints Kerberos 5, uses the AES symmetric encryption protocol.
• Other parameters that are used by the System The major advantage of Kerberos is that it provides
SAs require keying material for authentication and confidentiality and integrity for authentication traffic
encryption. The managing of keying material that SAs using end-to-end security. This protects the organization
require is called key management. The IKE protocol against eavesdropping and replay attacks. Kerberos also
handles key management automatically using asymmetric uses several different éléments, as shown in figure 5.34.

Figure 5.34—Components ofKerberos

Component Description

Key Distribution Center (KDC) The KDC is the trusted third party that provides authentication services to clients.
It supports symmetric encryption and maintains secret keys for ail members. Both
clients and servers should be registered with the KDC.

Ticket-Granting Server (TGS) A TGS is a logical KDC component used as a trusted third party. It validâtes the use of
a ticket for a specified purpose, such as database access.

Authentication Server (AS) The purpose of the AS is to host the TGS for ticket distribution. It also vérifiés or
rejects the authenticity and timeliness of tickets.

Ticket-Granting Ticket (TGT) TGT is a user authentication token issued by the KDC for requesting access tokens
from the TGS. It proves that a subject has successfully authenticated through a
KDC and is therefore authorized to request tickets to access other objects. Subjects
présent the encrypted TGT when requesting tickets to access objects.

Service Ticket (ST) ST is the encrypted proof that a subject is authorized to access an object. Subjects
request tickets to access objects with spécifie usage parameters and lifespans. If a
subject is successfully authenticated and therefore authorized to access an object,
the Kerberos System issues a ticket.

Kerberos maintains a directory service for the storage of • The KDC encrypts the symmetric key using the
ail the data pertaining to its operations. In brief, the steps hash of the user’s password. It also simultaneously
in the Kerberos logon process are: generates an encrypted Ticket-Granting Ticket (TGT).
• First, the user logs on with a username and password. • The KDC transmits the encrypted symmetric key and
• The client encrypts the username with a symmetric TGT to the client.
encryption algorithm (e.g., AES) for transmission to • The client installs the TGT and decrypts the
the Key Distribution Center (KDC). symmetric key using a hash of the user’s password.
• The KDC vérifiés the username credentials stored in • The client then requests a service ticket by
its directory service. sending the TGT to the Ticket-Granting Server
• Upon successful vérification, the KDC generates a (TGS). Once the service ticket is provided, the
symmetric key for client use and for the Kerberos authentication process is deemed successful and
server. secure communication begins.

©ISACA. AH Rights Reserved. | 449

 CISA8 Official Review Manual 28th Edition I Chapter 5

The IS auditor should note that the client’s password to eliminate key sprawl. Key sprawl occurs when
is never transmitted over the network but only verified. an organization stores keys in many varions places,
However, Kerberos présents a major risk to the which increases the chances for key breaches due to
organization because it présents a single point of failure the increased attack surface.
in the form of the KDC. If the KDC gets compromised, • Changing the default SSH port—Changing the
the secret key for every System on the network also default SSH port is a simple best practice associated
gets compromised. Also, if a KDC is ofïline, no subject with the defense-in-depth principle. It éliminâtes a
authentication takes place. Kerberos has strict time huge amount of basic attack vectors that rely on
requirements. If a System is not correctly synchronized default ports to gain entry. Default ports are generally
or if the time changes, the TGT becomes invalid and the well-known to attackers.
System cannot receive any new tickets. In short, the client • Disabling the SSH root login—Root login provides
is denied access to System resources. access to the core components of SSH. The
organization should ensure that the SSH root login
5.6.12 Secure Shell is disabled. Eliminating the SSH root account,
especially from remote access, significantly reduces
SSH is a client-server program that provides a secure,
the organization’s attack surface.
encrypted command-line shell session from the Internet
• Implementing key attribution—Key attribution
for the purpose of remote logon. It is similar to a VPN
involves tying the SSH keys back to an individual,
and uses strong cryptography to protect data, including
not a shared, account. When implemented effectively,
passwords and administrative commands transmitted
the key provides an effective SSH audit trail and more
between Systems on a network. SSH has largely
direct oversight over SSH keys.
supplanted Telnet as the foremost remote login protocol.
• Implementing key rotation—Key rotation is an
It is typically implemented between two parties by
important component of the SSH key security
validating each other’s credentials through the use of
best practices. The organization should ensure
digital certificates. The implémentation of SSH was
that users are forced to generate SSH keys on
critical in replacing Telnet, which transmitted passwords
a regular basis. The repeated use of the same
in the clear, making them availabié to unauthorized
passwords and passphrases across multiple accounts
parties. SSH is implemented at the application layer,
or itérations should be disallowed. This protects the
as opposed to being implemented at the network layer,
SSH technology infrastructure from password re-use
just like the IPSec implémentation. The SSH protocol
attacks.
uses encryption to secure the connection between a
• Performing continuons audits—To keep up to
client and a server; ail user authentication, commands,
date with the operations of SSH technologies, an
output and file transfers are encrypted to protect
organization should perform continuous audits. The
against attacks in transit through the network. SSH is
focus of the audits should include recording and
designed to provide strong, encrypted vérification and
verifying ail privileged sessions started through SSH
communication between the user and a remote computer.
key authentication. Continuous audits also assist
SSH technology is based on the client-server model and
the organization in meeting legal and compliance
provides an idéal way to access remote devices over
requirements.
unsecured networks, like the Internet. The technology
• Implementing firewall technology—An
is typically used by administrators for several functions
organization can implement firewall technology
including:
for securing SSH. It should define rules that
• Logging into remote Systems for support and
accept incoming SSH traffic emanating only from
maintenance allowlisted sources by IP address, port or protocol.
• Transferring files from one computer to another
The firewall can be configured to block IP addresses
• Remote execution of command based on the rate they connect to the SSH. Port
• Offering support and updates
knocking can also be implemented to make it harder
for threat actors to detect open SSH ports.
SSH Key Security Best Practices
There are several best practices for securing SSH keys,
including:
• Centralizing SSH key management—Identify and
inventory ail SSH keys and manage them centrally

450 | ©ISACA. AH Rights Reserved.

 CISA® Official Review Manual 28th Edition | Chapter 5

5.6.13 Domain Name System Security (DDoS) attacks where a System is disrupted by traffic
Extensions from multiple devices at once.
• Increase in query responses—DNSSEC increases
Domain name System security extensions (DNSSEC) is the number of DNS query responses, as the
a cryptographie technology developed to résolve DNS technology needs additional fields and cryptographie
security issues as DNS is inherently insecure and does information to properly verify records. High-volume
not consist of any security measures. It provides DNS responses afford malicious actors greater attack
clients (also known as resolvers) with DNS data origin volume than they would hâve if DNSSEC were not
authentication, authenticated déniai of existence and data implemented.
integrity services. It adds digital signatures to a DNS to • Slow performance—Since TCP is a slow
détermine the authenticity of the source domain name. It connection-oriented protocol, DNSSEC relies on
also uses a chain to verify that the source domain name UDP, a faster yet riskier protocol. UDP has
matches the DNS record stored at the authoritative DNS. no spécifie security requirements for opening,
If it fails to find the source, it discards the response. maintaining or terminating connections. It also does
This ensures that the user always connects to the actual not guarantee delivery of data to its destination and
address for a domain name. provides a basic functionality for checking errors
using checksum. As it requires no handshake, data
DNSSEC is composed of two stages: signing and
transmitted using UDP can be easily intercepted by
validation during the signing process. DNSSEC signs
malicious attackers.
ail the data sent on DNS records to enable vérification
of its authenticity. DNS records are signed with the
5.6.14 Email Security
private key and the signatures are stored in DNS
name servers. Security validation is carried out through Email security is the security practice of ensuring email
PKI authentication using two cryptographie keys: one CIA. It helps protect an organization’s email attack
public and one private. By checking the signature that surfaces from unauthorized access, compromise and/or
corresponds to a requested DNS record, a user can verify loss. Email security is critical because emails, especially
that the record originates directly from its authoritative enterprise emails, contain sensitive information that can
name server. be tampered with by threat actors.
DNSSEC prevents third parties from forging records and
Common Email Attacks and Techniques
guarantees a domain’s identity by preventing DNS cache
poisoning and DNS false zones: Email attacks often cause serious damage to the
• DNS cache poisoning—DNS cache poisoning is a organization’s sensitive data and in some cases to its
man-in-the-middle attack in which attackers flood a réputation. There are many tactics that threat actors use
DNS resolver with false DNS information and insert to attack emails. Some of the most common email attacks
false results into the cache of the DNS resolver. The and techniques are:
DNS resolver provides the erroneous or malicious • Bombing—Characterized by abusers repeatedly
web address to those seeking to access the legitimate sending an identical email message to a particular
website. address
• DNS False zones—DNSSEC can protect against • Spamming—Spamming refers to sending emails,
malicious DNS attacks that provide phony results often unsolicited commercial email or junk email, to
for zones that are not in existence by exploiting hundreds or thousands of users (or to lists that expand
gaps between zones. With DNSSEC, the entire zone to many users). It may also be carried out by sending
is secured with added mechanisms to prevent gap a message to a mailing list or using an automated
exploitation in unsigned zones. This is commonly response, such as a vacation alert, that is not set up
referred to as authenticated déniai of existence. correctly.
■ Spam is considered a business risk because it
DNSSEC can unintentionally introduce critical causes inconvenience and has severe impacts on
vulnerabilities. The IS auditor should be aware of productivity.
security vulnerabilities arising out of the implémentation ■ Responding to spam validâtes the email address of
of DNSSEC, including: the récipient and gives away information.
• DoS risk—DNSSEC can increase the risk and ■ Spam may be combined with email spoofing,
amplify the effects of distributed déniai of service making it more difficult to détermine the sender.

©ISACA. AH Rights Reserved. | 451

 CISA® Official Review Manual 28th Edition | Chapter 5

■ Spam is managed using the Sender Permitted the attacker. BEC attacks involve a lot of planning
Framework (SPF) protocol and with the help of and research in order to be effective. For example,
tools such as Bayesian filtering and grey listing. the attacker has to amass large quantities of
• Spoofing—Spoofing may take different forms, but information relating to the target organization’s
ail hâve a similar resuit: A user receives an email executives, employées, customers, business partners
message that appears to hâve originated from one and potential business partners, and statutory bodies.
source but actually came from a different source. This information is critical in tricking victims and
Email spoofing is often an attempt to trick a user convincing them to pay funds. To address BEC,
into making a damaging statement or releasing employées must be trained to be alert to emails with
sensitive information, such as passwords or account a fake domain or emails that impersonate a vendor.
information. Examples of spoofed email that could They also need to show a strong sense of urgency if
affect the security of a site include: they encounter anything that looks suspicions.
■ Email claiming to be from a System administrator
and requesting users change their passwords to a Implementing security on email is possible, but
specified string and threatening to suspend their the efforts should be in tune with the value and
account if they do not make the change confidentiality of the messages being exchanged. An
■ Email claiming to be from a person in authority organization can use several protocols, services, and
and requesting users send a copy of a password solutions to add security to emails without requiring
file or other sensitive information a complété overhaul of the entire Internet-based
• Business email compromise (BEC)—A BEC attack Simple Mail Transfer Protocol (SMTP) infrastructure.
targets spécifie employées, typically those who Figure 5.35 explains some of the most common email
authorize financial transactions, to trick them into security solutions.
transferring money into an account controlled by

Figure 5.35—Email Security Technologies

Email Security Solution Description

Secure Multipurpose Internet Mail S/MIME is an email security standard that offers authentication and
Extensions (S/MIME) confidentiality for email through the application of public key encryption
and digital signatures. It authenticates both the identity of the sender and
receiver through X.509 digital certificates, vérifiés message integrity, and
ensures the privacy of a message and its contents. S/MIME provides secure
signed messages and envelopes to ensure integrity, sender authentication,
confidentiality and nonrepudiation.

MIME Object Security Services (MOSS) MOSS is a protocol that uses encrypted frameworks signed by multiple parties.
It applies digital signatures to MIME objects and can provide authentication,
confidentiality, integrity and nonrepudiation for email messages. However, MOSS
has never been widely used.

Privacy Enhanced Mail (PEM) PEM is a set of email protocols and mechanisms that provide authentication,
integrity, confidentiality and nonrepudiation. It uses Rivest-Shamir-Adleman
(RSA) and Data Encryption Standard (DES) encryption and is based on the X.509
standard. It enables secure and safe email communication over the Internet.

Domain Keys Identified Mail (DKIM) DKIM is an email authentication method that uses a digital signature to inform
the receiver that the message was sent and authorized by the domain owner.
It is used to ensure that valid emails are sent by an organization through
vérification of domain name identity. Its primary purpose is to detect forged
sender addresses. Forging addresses is one of the most common techniques
used in email phishing and spam attacks.

452 | ©ISACA. Ail Rights Reserved.

 CISA° Official Review Manual 28th Edition | Chapter 5

Figure 5.35—Email Security Technologies (cont.)

Email Security Solution Description

Pretty Good Privacy (PGP) PGP is a public-private key System that uses a variety of encryption algorithms
to encrypt files and email messages. It has gained wide popularity, as it
provides key aspects of security—namely authentication, integrity, privacy and
nonrepudiation-in email communications. The major advantage of PGP is that it
is an open-source software package freely available to everyone.

Email Security Controls • Secure email gateway (SEG)—An SEG filters out
potentially unwanted emails in line with the settings
Email security should be part of the overall security
as configured by the IS security administrator. The
Framework in an organization because email use
main advantage is that it can be deployed either on-
is widespread and often involves communication of
premises or in the cloud, which offers ease of use.
sensitive data. The IS auditor should give adéquate
An SEG increases security by contributing to the
attention to email security, as email is often the primary
effectiveness of the multilayered security protection
attack vector used by threat actors to launch other
architecture.
sophisticated attacks, such as social engineering attacks
• Email attachment control (EAC)—Most email
and installation of malware. Some of the Controls that can
attacks and attacks that use email as an attack
be implemented to enhance email security are:
vector rely on tricking users into exposing sensitive
• Spam filters—Spam filters detect spam and prevent
information through clicking on links or attachments
it from landing in victims’ inboxes, directing it
in an email that contains malicious software. An EAC
instead to a spam or junk mail folder. Spam filters
System allows users to see the type of files sent before
identify and block unwanted emails by examining
opening them. This helps users to verify email before
email contents and searching for certain patterns that
opening it.
constitute abnormal email traffic.
• Email encryption—Email can be encrypted in transit 5.6.15 Encryption Audit Procedures
so that even when attackers manage to intercept
an email, they cannot understand it without the When carrying out an encryption audit in an
decryption key. This reduces the risk of data leakages organization, the primary objective of an IS auditor
and regulatory and policy violations while enhancing is to ensure that the organization has Controls in
email communication security. place to manage the overall data encryption processes.
• Antivirus protection—An antivirus tool screens Figure 5.36 outlines some of the encryption audit
emails and their associated attachments for viruses procedures that can be followed in an audit of data
and warns users when something suspicious is encryption.
detected. Viruses are a major security risk, as they
can infect an entire email network as well as email
servers and applications.

Figure 5.36—Encryption Audit Procedures

Encryption • Verify that written encryption policies and procedures are in place.
governance • Ascertain the presence of a data classification System.
• Détermine if encryption risk assessments are regularly carried out.
• Verify that there is no duplication of encryption.
• Verify that management has instituted Controls to support encryption, such as dual control and
séparation of duties.
• Verify that the organization compiles with ail data protection rules and régulations.
• Verify the existence of an audit System associated with encryption.

©ISACA. AH Rights Reserved. | 453

 CISA6 Official Review Manual 28th Edition | Chapter 5

Figure 5.36—Encryption Audit Procedures (cont.)

Encryption • Verify that the process and the sélection of an encryption algorithm are effective and efficient.
design • Review documentation from management attesting that the chosen algorithm ensures adéquate
protection.
• Verify that management has implemented processes to ensure minimal effect on interfacing and
other Systems.
• Détermine if management has applied respected standards such Transport Layer Security (TLS) as
part of its cryptographie System.
• Check whether the cryptographie System in place is compatible with the applications.
• Verify that the keys contain ail the required properties, including the length, composition and
management of the key according to policy.
• Ascertain the difficulty of key génération and modification.

Key • Verify whether changes to the cryptographie System are adequately controlled.
management • Détermine whether changes or updates to the cryptographie System are performed only by
authorized individuals.
• Verify that the key transmission is controlled according to a spécifie written procedure.
• Détermine if the création, rotation and destruction of keys based on time is in accordance with policy
or best industry standards.
• Verify that users and operators do not handle keys.

Digital • Verify that private keys are never backed up, as backing up private keys increases exposure.
signatures • Détermine whether the organization uses different key pairs for encryption and digital certificates.

Encryption • Ascertain if management has considered the need for the complex mathematical équations.
algorithms • Verify that the cost of deciphering does not exceed the value of the information the encryption
System is supposed to protect.

5.7 Public Key Infrastructure certificates should be used, how keys should be generated
and how certificate naines should be selected.
Public key infrastructure (PKI) is a System for
distributing public keys through digital certificates. A As well as issuing certificates, a CA maintains a list of
PKI is made up of policies, procedures, hardware, compromised certificates (i.e., those whose private key
software and personnel required to create, manage, store, has been leaked or lost) called the certificate révocation
distribute and revoke public key certificates. list (CRL). In some cases, certificates may be marked as
revoked in the CRL when the owner of the certificate
5.7.1 Digital Certificates voluntarily déclarés not to use the corresponding key
pair any longer. This allows a party to reject a signed
A PKI System validâtes that the public key distributed document when a signature is generated after the private
through the certificate belongs to the individual or key has been compromised or revoked.
organization. Essentially, an individual obtains a digital
certificate through a certificate authority (CA), such as Certificates usually contain a certificate practice
Verisign or Thawte, containing one’s public key. The statement (CPS), which is a statement about the way a
CA digitally signs the certificate, validating it, and thus CA issues certificates. It may contain:
the public key belongs to the alleged owner. CAs also • The type of certificates issued
sell digital certificates for varying prices, depending on • Policies, procedures and processes for issuing,
the type of certificate. An individual or organization renewing and recovering certificates
may hâve to présent a form of authentication (such as • Cryptographie algorithms used
an address or crédit report), depending on the type of • The key length used for the certificate
certificate. • The lifetime of the certificate issued by the CA
• Policies for revoking certificates
A certificate policy (CP) is a document that identifies • Policies for CRLs
the varions actors in PKI as well as their rôles, duties • Policies for renewing certificates
and responsibilities. It spécifiés practices such as how

454 | ©ISACA. AH Rights Reserved.

 CISA0 Official Review Manual 28th Edition | Chapter 5

Registration authorities (RAs) are delegated some • Assign names for identification purposes.
administrative functions for a spécifie community by the • Generate shared secrets for use during the
CA. For example, an international corporation may hâve initialization and certificate pick-up phases of
a PKI setting if national branches act as RAs for the registration.
employées in that nation. The administrative functions • Initiate the registration process with the CA on behalf
that a particular RA implements will vary based on of the subject entity.
the needs of the CA but must support the principle of • Initiate the key recovery process.
establishing or verifying the identity of the subscriber. • Distribute the physical tokens (such as Smart cards)
These functions may include: containing the private keys.
• Verify information supplied by the subject (personal
authentication functions). 5.7.2 Key Management
• Verify the right of the subject to requested certificate
The IS auditor should be cognizant of the various
attri butes.
activities involved in key management. The auditor
• Verify that the subject actually possesses the private
should also remember that key management is typically
key being registered and that it matches the public
difficult with symmetric encryption but is much simpler
key requested for a certificate (generally referred to as
with asymmetric encryption. Several tasks related to key
proof of possession).
management are detailed in figure 5.37.
• Report key compromise or termination cases where
révocation is required.

Figure 5.37—Key Management Practices

Area Description

Key création Also known as key génération, création is the process of generating keys for use in cryptographie
processes through a device or program known as the key generator.

Key distribution Key distribution is the process of transferring a key to a user or System. This process must be secure,
and secure encryption technologies are often used for the purpose.

Key storage and Keys must be stored securely on the computing device. Often, they are stored in a protected storage
custody facility such as the Windows certificate store. Methods such as dual custody, split knowledge and
custody generally require two or more people to share access to a key. It is crucial for the IS auditor to
be aware that some keys may be placed under key escrow.

Key rotation Keys are typically not meant to be used forever, as this increases the risk of them getting stolen
or lost, or malfunctioning. To mitigate this risk, it is advisable that organizations retire old keys and
implement new ones.

Key recovery and Key recovery is a critical element in key management. Losing a private key often leads to losing data
backup if the key is not placed in escrow. Key escrow enables the organization to safely store keys for later
recovery. There is also a need to hâve a backup method in case the key malfunctions. PKIs typically
offer inbuilt backup and recovery facilities.

Key destruction A key can be suspended (placed on temporary hold), revoked (no reinstatement is possible), expired
(inactive until renewed) or destroyed. Key destruction often happens at the end of the key lifecycle or
after a compromise is detected on the key. The IS auditor should monitor the key destruction process
to ensure that it is appropriate and secure.

5.7.3 Certificate Révocation IS auditors should advise management on the risk

involved in the continuai use of certificates that would
Certificate révocation is the process through which the hâve been revoked. Once certificates are revoked, they
use of a certificate is terminated prior to the expiration of become invalid, and transacting parties will cease to
its validity period. The decision to revoke a certificate place reliance on them for their security. Various reasons
involves determining the reasons for the révocation, lead to certificate révocation, such as:
mapping the révocation reasons to the organization’s • Changes in affiliation—This includes circumstances
révocation policy, and then performing the révocation. in which an individual is terminated, resigns or dies,

©ISACA. Ail Rights Reserved. | 455

 CISA° Official Review Manual 28th Edition | Chapter 5

or the computer account to which the certificate was the location on an LDAP directory server or web server
issued is no longer in use. Affiliation change can where the CA publishes its CRLs.
also occur when individuals change rôles within an
There are two different States of révocation—revoked
organization and no longer require the certificate
and hold. A certificate is irreversibly revoked if it
associated with their previous rôles.
was improperly made by the CA, the private key was
• Compromise of the private key—If the private key
compromised and/or there was nonadherence to spécifie
is suspected to hâve been compromised and/or is in
policy requirements. The hold State of a certificate is
the hands of an unauthorized individual, a certificate
réversible and is used to note the temporary invalidity of
can be revoked. Typical examples include stolen
the certificate—for example, if a user is unsure whether
laptops and tablets causing ail private keys stored on
the private key has been lost or stolen. If the private key
the devices to be compromised. The IS auditor should
is found and nobody accessed it, the certificate status
be aware that once a CA’s private key is revoked, the
could be reinstated and become valid again.
CA hierarchy considers ail certificates below that CA
revoked as well. While CRLs may vary, they should include:
• Cessation of operation—Cessation of operation • CRL issuer name/common name (CN)
includes such events in an organization as a server • Révocation date and time
or workstation getting decommissioned. This renders • Reasons for the révocation
ail the certificates issued to the server revoked as the • Spécifie révocation time period
certificates are no longer required. In other words, the • Certificate’s extensions
CA is also decommissioned. • Signature algorithm of the certificate
• Superseded—In PKI, best practice dictâtes that a • The certificate’s serial number
new certificate must be issued if an issued certificate • The date the next CRL will be issued
is replaced for any reason. For example, if a
certificate template is updated or the CA issues the Online Certificate Status Protocol
certificate in error and certificates are reissued, the Online Certificate Status Protocol (OCSP) is a protocol
previous certificate can be revoked. used to request the révocation status of a digital
• Unspecified—An organization can simply revoke a certificate. Instead of downloading multiple CRLs and
certificate without providing a spécifie révocation analyzing them annually, a client can query the CA’s
reason. However, this is not recommended, as it server and instantly know whether a certificate is valid,
provides an audit trail pinpointing the reasons the revoked or unknown. The other advantage is that OCSP
certificate was revoked. provides more updated information about a certificate’s
• CA compromise—A certificate may be revoked révocation status.
due to compromise of the CA itself. For example,
the details listed in the certificate may hâve been An emerging solution is to use OCSP stapling, which
tampered with and the CA needs to reissue the is an enhancement of OCSP protocol. Where OCSP
certificate. A certificate may also be illegitimate, such stapling is enabled, it becomes unnecessary for a
as when the certificate was fraudulently signed with a browser or application to send OCSP requests directly
stolen key. to the CA. Instead, the web server caches the OSCP
response from the CA and then “Staples” the OSCP
5.7.4 Certificate Révocation List response to the certificate it sends to the browser. OCSP
improves performance by eliminating the costs involved
A CRL is a list of digital certificates that hâve been in communicating with the issuing CA. There is also
revoked by the issuing CA before their scheduled increased security due to the réduction in the attack
expiration date.42 These should no longer be trusted. surface. As the CA gets requests for websites and not
CRLs are a type of blacklist used by browsers to users, user privacy is also enhanced.
verify the validity and trustworthiness of a certificate.
Depending on a CA’s operating policies and procedures,
CRLs are typically published on a regular periodic basis.
When checking for the révocation status of a certificate,
an application or browser retrieves the current CRL from
a specified CRL distribution point (CDP). The CDP is

42 Op cit CSRC glossary

456 | ©ISACA. Ail Rights Reserved.

 CISAS Official Review Manual 28th Edition | Chapter 5

5.7.5 PKI Infrastructure Risk security professionals can alter éléments of the PKI
infrastructure.
While PKI is very important in an organization, it has its • Lack of policies—It is crucial for organizations to
own associated risk, including: enforce well-defined rules and certificate policies to
• Outdated protocols—Outdated cryptographie minimize the chances of errors and ensure that the
protocols are a major risk as they leave the policies are adhered to strictly. A lack of enterprise-
organization prone to security incidents and data wide PKI policies and inconsistencies in policy
breaches. application provide room for noncompliance and risk
• Weak cryptographie keys—Weak cryptographie of fines and penalties.
key lengths smaller than 2,048 bits are considered • Limited visibility—Both lack of centralized
vulnérable and insecure. A large number of weak keys inventory and visibility into ail certificates in use
cause issues with the privacy and confidentiality of across the organizational environment and lack
the data, communications and transactions encrypted of a centralized certificate inventory contribute to
using the keys. weakening the overall PKI architecture. Rogue and
• Infrequent key rotation—Weak key lengths smaller insecure temporary certificates may exist and operate
than 2,048 bits are considered vulnérable and in stealth mode, practically impossible to detect.
insecure. Because keys do not expire, the frequent • Poor private key management—In PKI, private
rotation of keys is not a common security practice, keys must remain private since they are a gateway
giving room to cybercriminals to manipulate users. to critical information in the organization’s entire
• Mismanaged certificates—Failure to properly infrastructure. Improper key management can resuit
manage, issue, renew or revoke digital certificates in private key compromise in which an attacker
has a huge impact on organizational security. Expired manages to obtain the private key and decrypt
certificates can lead to unexpected outages and can sensitive information.
be gateways for bad actors to move laterally within • Compromised root CA—The root certificate
an organizational network, leading to data breaches provides the signature that is used to bind the identity
that impact an enterprise’s security and compliance to the public key. It lays a foundation of trust in the
posture. PKI architecture by indicating whether a certificate
• Lack of automation—Managing large volumes is valid or not. If the root CA is untrustworthy, the
of digital certificates and private keys taxes overall PKI cannot be trusted. It is pivotai to store
an organization’s time and resources. Manually the root CA offline in a well-protected vault. A
monitoring the multitude of certificates, their compromised root CA can break the entire chain of
locations, owners and expiry dates créâtes additional trust and cripple the overall PKI architecture.
complexities and is prone to errors. Keys can also be • Poor patch management—Knowledge of patch
lost or stolen. management is critical in PKI. Inefficient patch
• Insufficient skills and resources—The talent gap management often leads to failure by the
and lack of resources are some of the major problems organization’s IS security teams to promptly detect
organizations face in PKI. Organizations require PKI vulnerabilities and reduce response time.
highly skilled IS security professionals for effective
PKI architecture and maintenance. However, due to 5.7.6 Audit Procedures for PKI
the current talent gap, many organizations eventually
hire less-skilled professionals. A secure PKI relies on effective audit procedures that
• Unclear certificate ownership—The primary aim can identity risk in PKI and enable IS auditors to
of assigning certificate owners and approvers provide assurance and advice on the security of PKI
is to manage and organize the certificate life in an organization. IS auditors typically apply several
cycle processes and ensure that only authorized procedures in an audit of PKI (figure 5.38).

©ISACA. AH Rights Reserved. | 457

 CISA° Official Review Manual 28th Edition | Chapter 5

Figure 5.38—Audit Procedures for Public Key Infrastructure

Audit Category Audit Procedures

Certificate authority (CA) • Détermine whether the CA has an information security policy in place.
• Evaluate the CA's physical Controls.
• Verify that the CA performs background checks on its personnel.
• Détermine whether the CA backs up audit logs.
• Inspect how the CA performs key management throughout the entire key
management life cycle.
• Verify whether the CA Systems are appropriately isolated.
Registration authority (RA) • Verify whether enrollment of RAs is as specified in the CPS.
• Verify that the rôle of the RA is restricted to the submission of details to the
CA and no other rôles are assigned.
• Ascertain whether the RA onboarding and termination procedures are
defined.
• Détermine whether communication channels between the CA and the RA are
sufficiently secure for the certificates.
• Verify that ail activities of the RA are logged.
• Verify that RA access to CA Systems is based on multifactor authentication
(MFA).
• Inspect the previous audit reports undertaken on the RA operations and
identify issues of noncompliance.
• Verify the list of RA violations (if any) and corresponding actions taken by the
CA.
Certificate • Verify that the certificate information is published on the CA's website.
• Ascertain whether certificate renewal is per the CPS.
• Verify whether certificate suspension and révocation is per the CPS.
• Ascertain the availability of a secure certificate distribution System.
Key management • Check the hardware used to generate keys for Fédéral Information
Processing Standards (FIPS) compliance.
• Verify that the keys are distributed using secure mechanisms.
• Détermine the appropriateness of procedures available to address cases of
key compromise.
• Verify that the storage of the keys is secure and appropriate.
• Verify whether the CA maintains key escrow.
• Check on the availability and operation of key backup and archiving
procedures.
• Ascertain whether procedures for key destruction are appropriate and prevent
data remaining.
Certificate policy (CP) • Verify that the organization has an approved CP in place.
• Ascertain whether the CP in place is current.
• Détermine whether the CP is being followed by ail PKI parties, and document
identified gaps.
Certificate practice statement (CPS) • Check whether the CPS compiles with applicable laws and régulations.
• Verify that the CPS is available to relevant parties.
• Ascertain whether responsibilities for maintaining the CPS are appropriately
assigned.
• Verify that the modification of the CPS follows defined processes and
procedures.
• Ascertain whether the CPS has a valid object identifier.

458 | ©ISACA. Ail Rights Reserved.

 CISAÆ Official Review Manual 28th Edition | Chapter 5

Figure 5.38—Audit Procedures for Public Key Infrastructure (cont.)

Audit Category Audit Procedures

Certificate révocation list/ Online • Verify whether the CRL or OCSP is in place.
Certificate Status Protocol (CRL/OCSP) • Détermine whether the CRL issued is digitally signed by the CA.
• Verify that a secure mechanism for CRL distribution is in place.
• Take a sample of CRL entries and verify that the revoked certificate remains
on the CRL up to the end of the certificate's validity period.
• Détermine whether the OCSP response processes and procedures are
automated.
• Verify that the CRL and OCSP services comply with relevant industry
standards and régulations.

5.8 Cloud and Virtualized Environments The most common use for full virtualization is
operational efficiency, which streamlines the use of
Virtual ization and cloud-based infrastructure hâve existing hardware by placing greater loads on each
brought dramatic changes and risk to IS infrastructure. computer. Second, using full virtualization of desktops
These technologies hâve significantly altered the enables end users to hâve one computer hosting
management of IS environments. While Virtualization multiple OSs if needed to support various OS-dependent
and cloud environments hâve huge similarities, they applications. Furthermore, an IT team can better control
are not the same. Virtualization is a broad concept deployed OSs to ensure they meet organizational security
and generally refers to the transformation of physical requirements, that security threat détection and respective
technologies into Virtual resources. Cloud, on the other control requirements are dynamic, and that the Virtual
hand, delivers virtualized resources on demand to users desktop images can be changed to respond to new
over the Internet. It is critical for IS auditors to threats.
understand the types of risk such Systems face and
advise on the implémentation of appropriate mitigating Eléments of the virtualized computing environment
measures. normally include:
• Server or other hardware product
5.8.1 Virtualization • Virtualization hypervisor—A piece of computer
software, firmware or hardware that créâtes and runs
Virtualization provides an enterprise with a signifïcant Virtual machine environment, normally called the
opportunity to increase efficiency and decrease costs of “host”
IT operations. However, virtualization also introduces • Guest machine—Virtual environment éléments (e.g.,
additional risk. At a high level, virtualization allows OS, switches, routers, firewalls, etc.) residing on the
multiple OSs (guests) to coexist on the same physical computer on which a hypervisor host machine has
server (host) in isolation from one another. Virtualization been installed
créâtes a layer between the hardware and the guest
OSs to manage shared processing and memory resources A fully virtualized environment can be deployed using:
on the host. Often, a management console provides • Bare metal/native virtualization—Bare métal
administrative access to manage the virtualized System. virtualization occurs when the hypervisor runs
directly on the underlying hardware without a host
Data centers and many other organizations use OS.
virtualization techniques to create an abstraction of the • Hosted virtualization—Hosted virtualization occurs
physical hardware and make large pools of logical when the hypervisor runs on top of the host OS
resources consisting of CPUs, memory, disks, file (Windows, Linux or MacOS). Architectures usually
storage, applications and networking. This approach hâve an additional layer of software (the virtualization
enables greater availability of these resources to the user application) running in the guest OS that provides
base. The main focus of virtualization is to enable a utilities to control the virtualization while in the guest
single physical computing environment to run multiple OS, such as the ability to share files with the host OS.
logical, yet independent, Systems at the same time. • Containerization—Containers include an application
and ail of its dependencies but share the kernel with

©ISACA. AH Rights Reserved. I 459

 CISA0 Official Review Manual 28th Edition | Chapter 5

other containers. A container runs as an isolated Figure 5.39 compares two virtualization architectures.
process in user space on the host OS.

Figure 5.39—Full Virtualization Architectures

Application Application Application

Application Guest OS Guest OS

Application Hypervisor

Host OS

Hardware

Bare Métal Hosted

Source: Reprinted courtesy of the National Institute of Standards and Technology, US Department of Commerce. Not copyrightable in the
United States.

IS auditors need to understand the advantages and virtualized server environment that it would use for a
disadvantages of virtualization to détermine whether server farm. These include:
the enterprise has considered the applicable risk in • Strong physical and logical access Controls, especially
its decision to adopt, implement and maintain this over the host and its management console
technology. Figure 5.40 summarizes several advantages • Sound configuration management practices and
and disadvantages of virtualization. System hardening for the host, including patching,
antivirus, limited services, logging, appropriate
Although virtualization offers significant advantages, it
permissions and other configuration settings
brings risk that an enterprise must manage effectively.
• Appropriate network séparation, including the
Because the host in a virtualized environment represents
avoidance of Virtual machines (VMs) in the DMZ
a potential single point of failure within the System,
and the placement of management tools on a separate
a successful attack on the host could resuit in a
network segment
compromise that is larger in both scope and impact.
• Strong change management practices
To address risk, an enterprise can often implement and
adapt the same principles and good practices for a

460 | ©ISACA. AH Rights Reserved.

 CISA* Official Review Manual 28th Edition | Chapter 5

Figure 5.40—Advantages and Disadvantages of Virtualization

Advantages Disadvantages
• Server hardware costs may decrease for both server Inadéquate configuration of the host can create
builds and server maintenance. vulnerabilities that affect not only the host, but also the
• Multiple operating Systems (OSs) can share Processing guests.
capacity and storage space that often goes to waste in Exploits of vulnerabilities within the host’s configuration,
traditional servers, thereby reducing operating costs. or a denial-of-service attack against the host, can affect
• The physical footprint of servers may decrease in the ail the host’s guests.
data center. A compromise of the management console can grant
• A single host can hâve multiple versions of the same OS, unapproved administrative access to the host's guests.
or even different OSs, to facilitate testing of applications Performance issues of the host’s own OS can impact
for performance différences. each of the host’s guests.
• Création of duplicate copies of guests in alternate Data can leak between guests if memory is not released
locations can support business continuity efforts. and allocated by the host in a controlled manner.
• Application support personnel can hâve multiple Insecure protocols for remote access to the
versions of the same OS, or even different OSs, on a management console and guests can resuit in exposure
single host to more easily support users operating in of administrative credentials.
different environments.
• A single machine can house a multi-tier network
in an educational lab environment without costly
reconfigurations of physical equipment.
• Smaller organizations that previously performed tests in
the production environment may be better able to set up
logically separate, cost-effective development and test
environments.
• If set up correctly, a well-built, single access control
on the host can provide tighter control for the host's
multiple guests.

Typical Controls security services can allow security monitoring even

when the guest OS is compromised.
Some concepts IS auditors should understand:
• Host inspection capabilities should be enabled to
• Hypervisors and guest images (OSs and networks) are
monitor the security of activity occurring between
securely configured according to industry standards.
guest OSs. Of spécial focus is communications in
Hardening should be applied to these Virtual
a nonvirtualized environment carried and monitored
components as closely as to a physical server, switch,
over networks by network security Controls (such as
router, firewall or other computing device.
network firewalls, security appliances and network
• Hypervisor management communications should be
IDS/IPS sensors).
protected on a dedicated management network.
• File integrity monitoring of the hypervisor should be
Management communications carried on untrusted
used to monitor for signs of compromise.
networks should be encrypted, and encryption should
encapsulate the management traffic. Overall, migrating computing resources to a virtualized
• The hypervisor should be patched as the vendor environment does not change the threat plane for most of
releases the fixes. the Systems’ vulnerabilities and threats. If a service has
• The virtualized infrastructure should be synchronized inhérent vulnerabilities on a physical server or network
to a trusted authoritative timeserver. product and it is migrated to a virtualized server, the
• Unused physical hardware should be disconnected service remains vulnérable to exploitation. However,
from the host System. the use of virtualization may also provide additional
• Ail hypervisor services, such as clipboard- or file- Virtual environment attack vectors (e.g., hypervisor
sharing between the guest OS and the host OS, should misconfiguration or security flaws, memory leakage,
be disabled unless needed. etc.), thus increasing the likelihood of successful attacks.
• Host inspection capabilities should be enabled to
monitor the security of each guest OS. Hypervisor

©ISACA. AH Rights Reserved. 1 461

 CISA® Official Review Manual 28th Edition | Chapter 5

Types of high-level risk that are représentative of the over a packet-switched network between two spécifie
majority of Virtualized Systems in use are: network endpoints. There are two types of Virtual
• Rootkits on the host installing themselves as a circuits:
hypervisor below the OS, enabling the interception of • Permanent Virtual circuits (PVC)—A PVC
any operations of the guest OS (i.e., logging password functions like a dedicated leased line. It always exists
entry, etc.)—Antivirus software may not detect this, and is available for the user to send data. The IS
because the malware runs below the entire OS. auditor should monitor the operations of the PVC to
• Default and/or improper configuration of the ensure that it is always available, closed down when
hypervisor partitioning resources (CPU, memory, disk not in use, and instantly reopened whenever required.
space and storage)—This can lead to unauthorized • Switched Virtual circuit (SVC)—An SVC is created
access to resources, one guest OS injecting malware on demand using the best paths available at the time
into another or placing malware code into another and disassembled after the transmission is complété.
guest OS’s memory. An SVC is more secure than the PVC as it reduces the
• On hosted Virtualization, mechanisms called guest length of the exposure of the circuit. It also requires
tools enable a guest OS to access files, directories, less monitoring when compared to a PVC.
the copy/paste buffer, and other resources on the
host OS or another guest OS—This functionality can 5.8.3 Virtual Local Area Network
inadvertently provide an attack vector for malware
A VLAN is used for hardware-imposed network
or allow an attacker to gain access to particular
segmentation that logically segments a network without
resources.
changing its physical topology. It is created by switches.
• Snapshots/images of guests’ environments contain
Ail ports on a switch are part of VLAN by default, which
sensitive data (e.g., passwords, personal data, etc.)
like a physical hard drive—These snapshots pose a makes it possible to group varions ports into distinct
greater risk than images because snapshots contain segments on the same physical network. There are two
types of VLANs:
the contents of random-access memory (RAM) at
the time they were taken and might include sensitive • Static VLAN—This is sometimes referred to as port-
information that was not stored on the drive itself. based VLAN. With this type of VLAN, switch ports
• In contrast to bare métal installations, hosted are assigned to the VLAN in a way that is transparent
virtualization products rarely hâve hypervisor access to the user.
• Dynamic VLAN—In a dynamic VLAN, a user
Controls—Therefore, anyone who can launch an
application on the host OS can run the hypervisor. negotiates VLAN characteristics with the switch. The
The only access control is whether someone can log IP or hardware address can also be used to détermine
into the host OS. the VLAN.

The IS auditor should keep in mind that the primary VLAN characteristics that are of security interest to the
software component in virtualization is a hypervisor, IS auditor include:
which acts as an additional layer of software on the • Communication between ports within the same
physical server. The security concern of the hypervisor VLAN occurs without hindrance.
is that it represents an additional attack surface in that • Communication between VLANs can be denied or
an attacker penetrating the physical host can potentially enabled using a routing function.
access ail the Virtual Systems hosted on the physical • Routing can be provided by an external router or by
server. It is critical to ensure that Virtual hosts are the internai software of the switch.
hardened and that VMs are updated individually, as • VLANs can be used to:
■ Control traffic for security or performance
updating the host System does not automatically update
reasons:
the VMs. Organizations should maintain backups of their
■ Control and restrict broadeast traffic
Virtual assets using built-in tools to create full backups
■ Block broadeasts between subnets and VLANs
and periodic snapshots.
■ Isolate traffic between network segments
■ Reduce a network’s vulnerability to sniffers
5.8.2 Virtual Circuits
■ Protect against broadeast storms (floods of
A Virtual circuit, also known as a communication path, is unwanted broadeast network traffic)
a logical pathway or circuit created
While VLANs work in similar fashion as subnets, the
IS auditor should remember that they are not subnets.

462 | ©ISACA. Ail Rights Reserved.

 CISAe Official Review Manual 28th Edition | Chapter 5

VLAN are created by switches while subnets are created that are found in virtualized environments. It can
by IP address and subnet mask assignments. deliver fast and dependable storage performance and
enable an organization to migrate on-premises data to
5.8.4 Virtual Storage Area Networks cloud and virtualized environments without incurring
significant downtime.
A Virtual storage area network (VSAN) is a logical
• Flexibility—A VSAN supports both block and file
partition used to create and manage storage for VMs. It
storage allowing organizations to choose the options
is intended for use in scénarios that leverage Virtualized
best suited to their requirements. It is also easier
infrastructure and cloud computing and enables isolation
to relocate data that is frequently accessed to high
of network traffic within certain portions of a SAN.
performance data storage Systems while moving
This means that when a problem occurs in one logical
rarely used data to low-performance storage.
partition, it can be addressed with minimum disruption
• Security—A VSAN is a highly secure solution that
of the entire network. Isolated VSANs also simplify
incorporâtes technologies such as data réplication and
the configuration and scaling out of the physical
snapshots to prevent data leakage while guaranteeing
storage System. A VSAN provides greater visibility
availability of information. Availability is one of the
by combining several physical servers into a single
core components of the CIA triad. A VSAN allows
shared storage medium. A VSAN dynamically allocates
an organization to concentrate on the remaining two
availabié storage for a VM as per requirements using
components of security: confidentiality and integrity.
a distributed architecture model. A VSAN is suited
• Simplicity—One of the major advantages of a VSAN
for cloud computing environments, Virtual desktop is that it is simple to provision as it is directly
infrastructure (VDI) environments, backup and archiving,
embedded within the hypervisor. Its installation
and data center/disaster recovery processes.
and configuration can be carried out rapidly and
efficiently. It is also easy to manage, as it can be
Benefits of VSAN
integrated with other virtualized technologies on a
Benefits organizations can get from implementing VSAN single management plane.
technology include:
• Cost-effectiveness—The implémentation of a VSAN SAN and VSAN Compared
does not require any physical storage arrays, leading The IS auditor should be able to distinguish between
to a significant réduction in costs. SAN and VSAN technologies and be in a position
• Scalability—A VSAN can be scaled to meet the
to ad vise on the appropriate implémentation for the
growing storage requirements of the organization. organization. Figure 5.41 shows the différences between
This is the major reason it is a preferred solution for these two technologies.
cloud and virtualized Systems that demand rapid and
efficient scalability.
• Performance—A VSAN improves performance by
making use of high-speed network interconnections

Figure 5.41—Différences Between SAN and VSAN

Parameter Storage Area Network (SAN) Virtual Storage Area Network (VSAN)
Purpose Provides dedicated block-level access to storage Aggregates physical storage resources of hosts in
devices a cluster and offers a single, shared data storage
facility
Infrastructure Requires dedicated physical storage hardware Leverages the hosfs physical resources
like disk arrays and switches for implémentation
Scalability Difficult to achieve and often requires additional Dynamically allocates more storage resources when
physical resources needed
Cost Can be costly; requires specialized and Less costly; uses existing infrastructure so no
dedicated hardware and a separate network specialized hardware is required and does not
require a separate storage network

©ISACA. Ail Rights Reserved. | 463

 CISA® Official Review Manual 28th Edition | Chapter 5

Figure 5.41—Différences Between SAN and FSAN (cont.)

Parameter Storage Area Network (SAN) Virtual Storage Area Network (VSAN)
Performance Requires specialized hardware such as high- Uses caching, data mirroring and data distribution to
speed switches to optimize performance optimize performance and no specialized hardware
is required

5.8.5 Software-Defined Networking The Advantages of SDN

SDN is a network virtualization approach based on The overall advantage of an SDN is that it can control
the reasoning that traditional networks with on-device the network reconfiguration of an organization by
configuration are often subject to vendor lock-in, which simplifying network management processes. Additional
limits network flexibility. Traditional networks rely on benefits include:
physical infrastructure such as switches and routers to • Provides centralized control—An SDN virtualizes
make connections and run properly, while SDNs allow both the data and network control planes allowing
the user to control the allocation of resources at a the user to provision physical and Virtual éléments
Virtual network level through the control plane. The user from a single location. It éliminâtes the challenge
interacts with the software to provision new devices. of monitoring distributed Systems that are associated
An SDN also has more ability than a traditional switch with traditional infrastructure. Through an SDN
to communicate with hardware devices throughout the centralized control architecture an organization has a
network. holistic view of its Systems.
• Abstracts the network—Services and applications
A software-defined wide area network (SD-WAN) is running on SDN technology abstract the underlying
a solution that allows organizations to link numerous technologies and hardware that provide physical
distributed locations using broadband and multiprotocol connectivity from those providing network control.
label switching. The main différence between SDNs The séparation of the infrastructure layer from
and SD-WANs is that SDNs are designed to operate the control layer éliminâtes traditional networking
on LANs whereas SD-WANs are designed to sustain concepts like IP addressing, subnets and routing,
WANs over a large geographical area. The advantage thereby simplifying network management.
of SD-WANs is that they eliminate the need to maintain • Facilitâtes scalability—The benefit of centralized
lots of network hardware. Another particularly important provisioning is that an SDN provides more
distinction between the two is that SDNs are configured scalability. An SDN allows an organization to
entirely by the user or administrator. SD-WAN services provision resources as changes occur in the network
are managed by vendors, making deployment simpler. infrastructure. The positive effect of scalability in an
SDN networking protocols can be divided into three SDN is noticeable when compared with traditional
planes of functionality: network setups in which resources are configured
• Data plane—The data plane consists of the manually.
forwarding of actual user data through applications • Enhances security—An SDN controller provides a
like TCP/IP to their final destinations. centralized location for the administrator to control
• Control plane—The network control plane dictâtes the security of the entire network. While this cornes
which path flows apply before they reach the data at the cost of making the SDN controller a target,
plane. This is done using a flow protocol. This it provides users with a clear perspective of the
segment is where an administrator interacts with an infrastructure for effective security management of
SDN and manages the network. It consists of routing the entire network.
protocols that fmd the path to send data. • Lower operating costs—An SDN helps an
• Management plane—This plane is generally to organization reduce its operating costs. With an
provide performance and fault management as well as SDN regular network administration-related tasks
manage configuration of devices remotely connected and issues can be automated, and older hardware
to an SDN. Protocols such as SNMP help in can be optimized and repurposed. Resources are
configuration and monitoring of network éléments. easily shared, unlike in a traditional network where
hardware is confined to a single purpose.

464 | ©ISACA. Ail Rights Reserved.

 CISA0 Official Review Manual 28th Edition | Chapter 5

• Promûtes network programmability—An SDN • Limited management—In virtualization

enables network behavior to be controlled by software environments an organization can manage the
that résides away from the networking devices services of devices throughout the network, but it is
that provide physical connectivity. De-coupling the impossible to manage the devices themselves. This
hardware from the software enhances innovative affects the upscaling of the network, as ail the devices
development activities by moving them away from need to be monitored, patched and upgraded regularly,
the restrictions of closed platforms. leaving maintenance requirements unaddressed.
• Enhances openness—An SDN provides open • Network management complexity—While
architectures that enable multi-vendor interoperability traditional networks hâve limitations, there are
and foster a vendor-neutral ecosystem. The open API s standards for responding to security threats and
support a wide range of applications while intelligent developing procedures. An SDN has neither standards
software can control hardware from multiple vendors nor consensus, with numerous SDN solution
with open programmatic interfaces like OpenFlow. providers operating independently. This results in
Intelligent network services and applications can also complexifies and créâtes challenges in terms of
run within a common software environment. network management necessitating the hiring of
• Supports API security—SDN technology can ski lied network personnel.
provide network operators with API platforms • Dependency on the controller—The centralized
to write programs. Applications interact with the controller is one of the critical components of an
network through APIs, instead of via management SDN. If the controller fails, the entire network can go
interfaces that are tightly coupled to the hardware. down, which affects the security aspect of availability.
This enables the development of secure applications. The organization should therefore ensure that the
controller is always up and running and that a robust
The Disadvantages of SDN backup and disaster recovery plan is in place.
Organizations should be aware of some potential
SDN Attacks and Vulnerabilities
disadvantages with an SDN, including:
• Latency—A major problem that arises from It is critical for an IS auditor to be able to provide
Virtualizing infrastructure is latency. The speed of assurance on the détection and mitigatory Controls in
the interaction with an appliance is dépendent on place to address attacks and vulnerabilities. Some of the
the number of virtualized resources available, while attacks and vulnerability prévalent in SDN environments
service dépends on how the hypervisor divides up are shown in figure 5.42.
the usage available. Each active device on a network
takes its toll on network availability.

Figure 5.42—SDN Attacks and Vulnerabilities

Type of Attack/
Vulnerability Description
Unauthorized access A compromised controller/application can gain access to network éléments and manipulate
actions.
Data loss Credentials can be stolen using compromised switches. This typically happens when switches
are instantiated as part of a virtualization thrust in an organization.
Data modification Man-in-the-middle attacks between the controller and data plane are possible in a software-
defined network (SDN) if Transport Layer Security (TLS) is not mandatory. This provides room
for the modification of data.
Déniai of service (DoS) This typically targets the SDN controller. It involves attackers sending bogus calls to the
controller switch, which results in a packet flood, thereby denying legitimate service.
Malicious/compromised The intégration of third-party applications with the controller may lead to malicious/
applications compromised applications capable of taking control of the network.

©ISACA. AH Rights Reserved. | 465

 CISA° Official Review Manual 28th Edition | Chapter 5

Figure 5.42—SDN Attacks and Vulnerabilities (cont.)

Type of Attack/
Vulnerability Description
Misconfiguration SDN allows the installation of third-party applications on various network éléments, often
leading to inconsistencies and creating vulnerabilities.

SDN Deployment Best Practices with various security layers residing on the same
underlying network.
While SDN provides several advantages, its deployment
• Maintain quality of service (QoS)—The SDN
is generally complex. Best practices for SDN include:
network and associated infrastructure should be
• Perform careful deprovisioning processes—One
monitored regularly to ensure that the QoS is always
of the most significant benefits provided by an
maintained. IS security professionals and IS auditors
SDN solution is the ability to deploy new resources
should ensure that the default settings on the SDN
quickly. However, this capability needs to be closely
network are removed to enhance security and quality
managed to maintain performance by regularly de­
of network performance.
provisioning resources when they are not in use or
needed. Leaving resources active when not required 5.8.6 Containerization
consumes valuable Virtual network resources that
would be better used elsewhere in the organizational Containerization is a form of virtualization that runs a
network. single OS instance with multiple user spaces to isolate
• Regularly perform network monitoring—The SDN processes from each other. It involves packaging of
requires regular network monitoring to pinpoint any an application with the configuration files, libraries
security loopholes affecting the mitigatory Controls in and dependencies required across different computing
the network and devices. To effectively monitor an environments. The technology is generally considered a
SDN, the organization requires APIs for intégration lightweight alternative to full virtualization and involves
with the SDN, and this process is usually complex to encapsulating an application in a container within its own
undertake. operating environment. Instead of installing an OS for
• Consider onboarding security risk—When each VM, containers employ the host OS. Each container
onboarding an SDN, the organization needs to is treated as an exécutable package of software that runs
consider new security risk as new vulnerabilities that on top of a host OS with each host able to support many
can be targeted by malicious actors. The organization containers concurrently (figure 5.43).
should always be ahead in terms of current security
The most common tools used in containerization are
threats and how to address them. The IS auditor
Docker and Kubernetes. Docker is basically a suite
should understand that an SDN is a form of
of software development tools for building, sharing,
virtualization and not a security solution itself.
running and orchestrating individual containers, while
• Combine an SDN with other security technologies
Kubernetes is a platform for running and managing
—One benefit of an SDN is that it can be combined
containerized applications at scale. These tools operate
with other security technologies, such as a VPN, to
in a complementary manner in the entire containerization
simplify a large and complex network and make it
process.
easier for IS security professionals to visualize and
manage. The resuit is a layered defense architecture

466 | ©ISACA. Ail Rights Reserved.

 CISA" Official Review Manual 28th Edition | Chapter 5

Container Engine

Host Operating System

Hardware

Some of the benefîts of containers are: organization. Containerization reduces the number of
• Faster deployment—Containers are lightweight physical machines required and the skills needed to
and faster to deploy. In the traditional Systems operate the technology.
environment, the larger an application, the longer • Provides scalability—Containerization provides high
the deployment period. Containerization solves scalability and can handle increasing workloads by
this challenge by dividing and compartmentaiizing reconfiguring existing architectures. More containers
applications into smaller parts. can be added with ease within a defined cluster.
• Platform-agnostic—Containers are platform- In addition, new functions, updates and features
agnostic and can be deployed and/or redeployed can be added without interfering with the original
in any platform or environment. This means that application.
containerization can be implemented in any IS • Enhances portability—Containerization créâtes
ecosystem. exécutable software packages that are abstracted from
• Improved security—The isolation aspects that are the host OS. No container is tied to the host OS; thus,
introduced by containerization provide an additional it can be run consistently and uniformly across any
layer of security. If one container is compromised, platform or in the cloud. This enhances application
other containers residing on the same host will remain portability.
secure.
The limitations of containerization include the following:
• Promûtes flexibility—Containerization provides the
• Containerization is well-supported on Linux-based
developers with the flexibility to operate in both
Systems but not on Windows.
virtualized and non-virtualized environments. This
• If vulnerabilities are présent in the container kernel, it
is critical in an organization when resources
makes ail containers vulnérable to attacks.
unexpectedly change without any prior indications.
• Networking is difficult with each container running
• Enhance operational efficiency—Containerization
on a single server. The container architecture requires
can improve efficiency by using ail the available
a network bridge for mapping container network
resources and minimizing associated overheads.
interfaces to host interfaces.
Isolated containers can perform their own operations
• Monitoring can sometimes be challenging. In fact,
without interfering with other containers. This
monitoring several containers containing individual
configuration allows a single host to perform a variety
processes can prove more difficult than monitoring
of functions.
multiple processes on a single VM instance.
• Cost réductions—The lightweight nature of
• Containerization requires effective management by
containers results in significant cost réductions for the
employées who hâve the required expertise. If

©ISACA. Ail Rights Reserved. | 467

 CISA® Official Review Manual 28th Edition | Chapter 5

containerization is not properly monitored and identify known vulnerabilities and configuration
managed, it can resuit in lower performance overall. issues.
• Patching—Patching is different in a containerized
Best Practices for Container Security environment. With containers, there are two
The process of securing containers is continuous. It components: the base and the application image.
should be integrated into the development process It is critical to update the base image and then
and ideally automated. Container security involves the rebuild the application image, thereby enforcing a
implémentation and maintenance of security Controls more complex patching process and more interaction
that protect containers and underlying infrastructures. between infrastructure support and development.
Integrating security into the development pipeline can • Isolation—Migrating to containers lessens the
help ensure that ail components are secured, starting with isolation that was once available with VM and/or bare
the initial development phase and continuing through métal Systems since containers share the same kernel.
the end of their life cycle. When securing containers, One approach some organizations are using is to run
the main concerns include security of the host, network containers from an operating System on a VM.
traffic and applications within the container as well as the • Incident response—Migrating to containers greatly
container management stack. limits an organization’s ability to perform forensics
since the instance or host could hâve been replaced
Some of the best practices for container security include: already. Reviewing ail incident management and
• Systems hardening—A good starting point to response processes specifically for containers is
détermine security Controls and guidance is to use required.
the vendor-provided security benchmark or hardening • Securing the container management stack—It is
guidelines. advisable to implement a strong access control
• Monitoring—Monitoring containers is difficult strategy throughout the pipeline, starting with code
and spécifie tools to support the détection of repositories and branching strategy and extending
malicious activity within the container (like host- to the container repository. POLP should also be
based firewalls, antimalware, antivirus, etc.) are not implemented and access rights audited regularly.
readily available. Having knowledge of what each • Securing images—Container images are used
container includes, down to the libraries, is key in to create containers. A misconfiguration or
understanding what the threats and vulnerabilities are. malicious activity in container images can introduce
• Continuous auditing—Continuous auditing is vulnerabilities into containers deployed in production.
always recommended, and logs are key to A container image holds a subset of the OS along
determining gaps in security, especially when an with the application designed to run in the container.
organization is rebuilding instances repeatedly and
may not notice an issue until after an instance is Figure 5.44 compares virtualization and containerization.
rebuilt.
• Vulnerability assessments—Vulnerability scanners
offer some container security scanning to help

Figure 5.44—Comparison of Virtualization and Containerization

Virtualization Containerization
Isolation Enables full isolation from the host operating Enables lightweight isolation from the host and other
System and other Virtual machine (VM) containers. This means that ail containers will be at
instances risk if an attacker compromises the host.
Operating Runs more than one complété operating System Runs ail containers through the user mode of the
System operating System
Guest support Runs a wide range of operating Systems (OSs) Runs on the same operating System as the host.
insidethe VM For example, Linux containers cannot be run on
Windows.

468 | ©ISACA. Ail Rights Reserved.

 CISA* Official Review Manual 28th Edition | Chapter 5

Figure 5.44—Comparison of Virtualization and Containerization (cont.)

Virtualization Containerization
Deployment Deploys VMs individually using the hypervisor Deploys individual and multiple containers
software; each VM has its own hypervisor.
Storage Uses Virtual hard disk (VHD) for each VM and Uses local disks for local storage per node and SMB
server message block (SMB) for multiple servers for multiple nodes
Load balancing Runs VMs in other clusters in failover cluster Is managed automatically by the orchestrator, such
as Kubernetes
Networking Uses Virtual network adapters for networking Uses multiple isolated views of Virtual network
adapters

5.8.7 Secure Cloud Migration activities required to meet regulatory requirements.

Moving to the cloud may increase an organization’s
Cloud adoption continues to increase as cloud technology compliance risk. It is critical to ensure that the
transforms the conduct of business in the current digital target cloud environment supports the organization in
world. While there are many considérations with the meeting compliance requirements.
adoption of cloud technologies, the IS auditor should • Uncontrolled growth—Cloud migration is not a
be most concerned about the security implications. one-time process. After migrating applications to
Cloud migration refers to the process of transferring an the cloud, the organization typically adds more
organization’s data and applications from its on-premises resources, consumes new cloud services and adds
servers to a cloud infrastructure. It typically takes three more applications. It is very common to start using
major forms: additional SaaS applications once they are running in
1. On-premises to the cloud the cloud. These new services and applications must
2. Cloud-to-cloud migration be properly secured, creating a major operational
3. Reverse cloud migration challenge.
• Data loss—During the migration process there is a
Cloud Migration Security Risk
possibility of data being lost, incomplète or corrupt
The process of cloud migration leaves data vulnérable due to various factors that include technical issues,
to attacks and requires careful planning by management. power outages and human error. To address this risk,
Risk factors associated with cloud migration include: the organization should back up data on a disk and
• Multi-tenancy—Multi-tenancy is a situation in which ensure that the CSP has data backup, restoration
cloud users share cloud resources with other users and failover facilities. It is also a good idea to hâve
through common software virtualization layers. The backup with more than one cloud.
challenge of multi-tenancy is that tenants are usually • Data security—Data security is a major risk during
unaware of other tenants’ identities. The migration by the migration process. Migrating to the cloud involves
one tenant may bring inconsistencies and challenges security risk such as insecure APIs, accidentai errors,
in terms of resource provision to the other tenants. malware and external attacks while the data is in
• API vulnerabilities—APIs act as communication transit. Encryption for data at rest, in process and
channels between environments. APIs must be in transit is essential to reduce security risk during
secured at ail stages of the cloud migration process. the data migration process. Configuration of firewalls
Clients of CSPs often employ APIs to set up and the isolation of individual workloads can also be
software-server interactions, but they might not be implemented to minimize security risk.
reliable enough and could significantly boost the risk • Incompatibility of existing architecture—Cloud
of unauthorized network pénétration and in-house migration is risky for organizations that dépend
data theft. on legacy infrastructure. Legacy infrastructure
• Compliance risk—Compliance requirements, such often relies on programming languages, execution
as data protection and privacy régulations, are a environments and System libraries that may not be
major risk in cloud migration. Régulations typically readily supported in the cloud. Because of this,
require that data governance frameworks address data a migration may fail, forcing an organization to
ownership, responses to breaches, and coordination

©ISACA. AH Rights Reserved. | 469

 CISA® Official Review Manual 28th Edition | Chapter 5

purchase new compatible infrastructure to reduce the are well prepared for the disruptions involved. Ail
risk. employées who are targeted to use cloud services
• Reduced visibility—Reduced visibility is a major should be aware of the security risk involved in the
risk of cloud migration that can affect security. When migration process.
the organization migrâtes to external cloud services, • Secure the DevSecOps pipeline code—Attackers
responsibilities automatically transfer to the CSP typically attempt to exploit vulnerabilities in
leading to reduced visibility for the organization. cloud applications throughout the development and
Continuons monitoring during the migration process distribution pipeline as developers often maintain
greatly helps in mitigating this risk. security identifiers as source code stored on shared
• Data remanence—It may be necessary for an storage or public repositories. Organizations should
organization to migrate valuable data to the cloud secure source code by removing secrets and
and destroy useless data during the migration process. automatically monitor and control access to source
Sometimes the data removal tools used by the code.
organization may not permanently remove data, • Evalua te regulatory requirements—When
leading to data remanence. A typical example is migrating to the cloud it is critical to meet regulatory
délétion, which just changes pointers on storage requirements. Organizations should identify the
media but does not permanently remove data. régulations to be met and devise a plan for complying
Organizations should invest in effective data removal with them to avoid costly penalties associated with
technologies to reduce this risk. noncompliance.
• Talent gap—This often arises both at the CSP and • Assess infrastructure—This assessment will reveal
the organization. Both may lack skilled cloud security whether the infrastructure an organization migrâtes
personnel to support the migration process, or the to meets information security standards. It also
skills may only be résident on either side. This may détermines whether the data centers are secure.
lead to errors in handling the migration process. It Checking on the certification of the data centers
is therefore critical for an organization to develop its against international standards is also key in making
own personnel in cloud security and choose a CSP the migration process secure.
with strong skills to mitigate the risk. • Encrypt data with secure protocols—It is very
important to ensure that ail organizational data subject
Some of the steps an organization can take to ensure that
to transfer to the cloud is encrypted with secure
a cloud migration process is secure are:
protocols such as HTTPS and TLS. Encryption should
• Develop a plan for secure migration—A proper
be in place for both data at rest and in transit for
plan helps an organization to détermine the
maximum security.
applications and data to be migrated, the migration
• Ensure clear, efficient and effective communication
strategy, personnel involved in the migration and
—Communication plays a critical rôle in the
how to reduce migration risk. From this plan, an
migration process. Ail parties involved in the
organization can dérivé its cloud migration strategy
migration process should receive adéquate and clear
for implémentation.
communication, especially pertaining to what is
• Assess current security measures on on-site
expected of them.
premises—This assessment will help an organization
• Enable strict access control—Cloud migration
avoid or reduce data leakage during the migration
security should include strict access control features
process.
so that the connectivity between on-premises Systems
• Establish security standards and map the security
and the cloud is secure. Also, access to data
requirements—The security risk in the cloud are
prior, during and after migration should be tightly
more pervasive than in traditional on-premises sites.
controlled to reduce risk from malicious attackers.
If an attack occurs in the cloud the security
Security administrators should hâve visibility of ail
holes may remain open. Organizations should
data as it travels from on-premises Systems to the
establish security standards and map ont security
cloud.
requirements. Monitoring should be undertaken to
• Automate the migration process—The migration
assess compliance with standards for each application
process should be automated to avoid
in the migration process.
misconfigurations so that the cloud migration strategy
• Train employées on cloud security—Training
is viable. AI and ML capabilities can be incorporated
should be prioritized when introducing a new
in the migration process to enable continuous and
technology, such as the cloud, so that employées

470 | ©ISACA. Ail Rights Reserved.