Domain 3 of 6 · Chapter 4 of 5

Security Controls Planning

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • The control taxonomy: function by nature
  • Who owns which control: the shared responsibility split
  • Implementing IAAA: the preventive technical chain
  • Audit mechanisms: collection, correlation, capture
  • Exam-pattern recognition

The control-type taxonomy: function (rows) by nature (columns)

Control functionPhysicalTechnical / logicalAdministrative
Preventive (stop the act before it happens)Locked cages, mantraps, biometric door locks, bollardsIAM deny policies, MFA, encryption, firewalls, security groups, network segmentationAcceptable-use policy, separation of duties, background checks, security training
Detective (notice it after it happens)CCTV, motion sensors, guard patrols, tamper sealsCloudTrail / control-plane logs, flow logs, IDS/IPS, SIEM correlation, packet captureLog review procedures, periodic access recertification, internal audit
Corrective (recover and limit damage)Fire suppression, redundant power and HVAC, spare hardwareAutomated isolation, key rotation/revocation, backup restore, auto-scaling replacementIncident response plan, disciplinary action, post-incident review and policy update

Decision tree

Is this control yours undershared responsibility?No (provider)Verify, do not build:SOC 2 / ISO 27017 / CSA STARYes (your share)What is the control's goalrelative to the attack?Stop it happeningNotice it happenedRecover afterPreventiveIAM deny, MFA, encryptionDetectiveaudit logs, SIEM, IDSCorrectiverestore, isolate, revokePick the nature for the layerphysical / technical / adminCarry required attributesidentity, IP, geolocationAlways: layer functions across the grid (defense in depth)map to a NIST SP 800-53 family and record the owner

Cheat sheet

  • Classify every control on two axes: function and nature
  • Preventive stops it, detective notices it, corrective recovers from it
  • Defense in depth means diverse control types, not redundant ones
  • Map each control to a NIST SP 800-53 family
  • Plan only the controls your service tier leaves you
  • Data and identity controls are always the customer's, in every tier
  • Verify provider-owned controls through attestations, do not re-implement them
  • IAAA runs in order: identify, authenticate, authorize
  • Authentication and authorization are separate decisions
  • Prefer federation over local credentials in the cloud
  • MFA proves a factor was used, not that it was used recently
  • Authorize by least privilege, and an explicit deny always wins
  • Give workloads short-lived role credentials, not embedded static keys
  • Plan audit mechanisms up front, alongside IAAA
  • Audit events must carry identity, source IP, and geolocation
  • Correlate logs in a SIEM, and make the store tamper-resistant
  • The tenant boundary limits what you can audit in a public cloud
  • Control-plane logging is the audit control you cannot lose
  • Use a control matrix to satisfy several frameworks at once
  • System, storage, and communication protection are distinct SC planning targets
  • HSMs zeroize keys on tamper; FIPS 140-2 Level 3 mandates tamper-evidence and tamper-response
  • In SAML SSO the IdP authenticates users and issues signed assertions the SP trusts
  • Broken Object Level Authorization is OWASP's top API risk; check authorization in the backend
  • ABAC with resource tags scales to new resources without editing policies, unlike RBAC
  • Just-in-time PAM grants time-bound, approved elevation to remove standing privilege

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations Whitepaper
  2. CSA Cloud Controls Matrix (CCM) Whitepaper
  3. CSA Security Guidance for Critical Areas of Focus in Cloud Computing (shared responsibility) Whitepaper
  4. AICPA — SOC 2: Reporting on Controls at a Service Organization
  5. CSA STAR Registry
  6. NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management Whitepaper
  7. NIST SP 800-92 — Guide to Computer Security Log Management Whitepaper