CASP Domain 5: Technical Integration of Enterprise Components
Technical integration of enterprise components is the fifth and final domain of the CompTIA Advanced Security Practitioner (CASP) exam, CAS-002, and accounts for 16% of the exam. As a CASP, you must be able to take responsibility for integrating enterprise components securely. Doing so requires you to understand the essential topics explained in this article.
What Do I Need to Know About Integrating Hosts, Storage, Networks, and Applications for the CASP Exam?
Enterprise organizations must securely integrate hosts, storage, networks, and applications, and as a CASP in such an organization you must understand how to do so. Below is a list of the essential considerations and security controls involved.
Secure Data Flows to Meet Changing Business Needs: Business needs change frequently and may require new security controls or devices to protect data flows. Within the organization, the CASP may be responsible for analyzing business changes, determining how they affect security, and deciding which controls to deploy. Security practitioners must ensure the confidentiality of data flows. Confidentiality means that data in transit cannot be read by an unauthorized party even if that party intercepts it, which in practice means encrypting the channel (for example with TLS or IPsec) rather than assuming the network itself is private. Confidentiality is one of the three components of the CIA triad (confidentiality, integrity, and availability); integrity controls are needed alongside it so that intercepted traffic cannot be silently modified.
Standards: Standards are tactical documents that spell out the specific processes or steps needed to meet a requirement. IT standards are published by bodies such as the International Organization for Standardization (ISO) and NIST. CASP professionals should be mindful of the situations they will encounter: open standards, competing standards, adherence to standards, lack of standards, and de facto standards.
Interoperability Issues: The CASP must be aware of interoperability issues when integrating security solutions into an enterprise architecture. Such issues arise between legacy and current systems, from application requirements, and between in-house developed, commercial off-the-shelf, and customized commercial software.
Technical Deployment Models: Technical deployment models include outsourcing, insourcing, managed services, and partnerships. The following deployment considerations fall under this objective:
- Cloud and virtualization considerations and hosting options—This part of the exam covers the four cloud deployment models (public, private, hybrid, and community cloud) and the two tenancy models, single tenancy and multi-tenancy.
- Vulnerabilities—Some virtualization deployments place multiple enterprises' virtual machines (VMs) on a single physical server, where they all share that server's resources. The server itself must be protected adequately, because a compromise or outage affects every organization hosted on it, and each VM must also carry its own controls, such as authentication mechanisms and antivirus or anti-malware software. A related risk is a single hypervisor platform hosting many corporations' VMs across many servers: a vulnerability in that shared platform affects every server running it, so if malicious insiders discover a flaw in the platform, all the servers using the platform could be on the brink of a data
- Secure Use of On-Demand/Elastic Cloud Computing—Cloud service providers (CSPs) offer resources on a pay-per-use basis, so enterprises and customers are charged only for what they consume. Because resources are allocated and released through provisioning interfaces, those interfaces must be protected: administrative access should go over authenticated, encrypted channels such as Secure Shell (SSH) or TLS-protected APIs, and the keys and credentials that control provisioning must be guarded, since an attacker who obtains them can create or destroy hosts at will.
- Data Remnants—Data remnants are data left behind on storage or in memory after the system or resource that used it has been released or decommissioned. Encrypting data at rest is the recommended protection, because destroying the key renders any remnant unreadable. Security analysts report that misconfigured hypervisors can break the separation of data in a multitenant environment and expose one tenant's remnants to another.
- Data Aggregation—Data aggregation is the process of searching, gathering, and summarizing data to accomplish a business goal. It is part of business intelligence (BI) solutions and is commonly used with big data. Because aggregated data is often more sensitive than any of its individual sources, security practitioners must combine strong authentication with authorization controls such as access control lists (ACLs) to prevent unauthorized access to the servers and domains performing aggregation.
- Data Isolation—In databases, isolation (the I in ACID) prevents data from being corrupted by two concurrent operations and is enforced with transaction monitoring and rollback. In cloud computing, data isolation ensures that each tenant's data in a multitenant environment is kept separate from other tenants' data, typically by labeling every record with a tenant ID and scoping every query to it.
- Resource Provisioning and Deprovisioning—Provisioning and deprovisioning allocate and release space and resources for the appropriate number of virtual machines for a client. The concept covers servers, applications, virtual devices, and users, and deprovisioning matters as much as provisioning: orphaned VMs and accounts that nobody patches or monitors are an easy target.
- Securing Virtual Environments—When a company deploys virtual applications, services, appliances, or equipment, security practitioners must apply the same level of protection they would to the physical equivalents, including the hypervisor and its management interfaces.
- Design Considerations—Design considerations are essential during mergers, acquisitions, and demergers/divestitures. Before merging two organizations, security practitioners must take both structures into consideration; when two organizations are demerged, they must determine how resources, and the data held in them, will be divided. In both scenarios data security must be given the highest priority.
- Network Secure Segmentation and Delegation—Secure network segmentation and delegation both improve performance and protect traffic. Segmentation is usually performed with firewalls, switches, and routers: for example, a network analyst can implement a demilitarized zone (DMZ) with firewalls or virtual LANs (VLANs) with switches. Additional controls such as MAC filtering can restrict which devices join a segment, but MAC addresses are trivially spoofed, so filtering should complement authenticated network access (such as 802.1X) rather than replace it.
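The data isolation item above says that tenant data is separated by labeling records with a tenant ID. The following Python example, added here and not part of the original article, shows what that means at the query level: a lookup that ignores the label lets one tenant read another's row, while a lookup scoped by the label cannot. The schema, tenant IDs, and invoice rows are constructed for illustration; the `TenantSession` wrapper is a hypothetical pattern for keeping the tenant out of request parameters, not a real library.

```python
"""Tenant-level data isolation: every record carries a tenant label and every
query is scoped by the caller's tenant ID. Added example, not from the article;
the schema, tenant IDs, and invoice rows are constructed for illustration."""
import sqlite3


def build_store() -> sqlite3.Connection:
    """Create an in-memory store holding constructed sample rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "  id INTEGER PRIMARY KEY,"
        "  tenant_id TEXT NOT NULL,"  # the data label that isolates tenants
        "  customer TEXT NOT NULL,"
        "  amount INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices (id, tenant_id, customer, amount) VALUES (?, ?, ?, ?)",
        [
            (1, "tenant-a", "Acme", 100),
            (2, "tenant-a", "Globex", 250),
            (3, "tenant-b", "Initech", 75),
        ],
    )
    conn.commit()
    return conn


def get_invoice_unscoped(conn: sqlite3.Connection, invoice_id: int):
    """Weak: looks a row up by its ID alone. Any tenant that guesses an ID
    (IDs are sequential here) reads another tenant's invoice."""
    return conn.execute(
        "SELECT id, tenant_id, customer, amount FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice(conn: sqlite3.Connection, tenant_id: str, invoice_id: int):
    """Hardened: the tenant label is part of the predicate, so another tenant's
    row is indistinguishable from a row that does not exist."""
    return conn.execute(
        "SELECT id, tenant_id, customer, amount FROM invoices "
        "WHERE id = ? AND tenant_id = ?",
        (invoice_id, tenant_id),
    ).fetchone()


def list_invoices(conn: sqlite3.Connection, tenant_id: str):
    """Every read path, not only point lookups, is scoped by the tenant label."""
    return conn.execute(
        "SELECT id, customer, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
        (tenant_id,),
    ).fetchall()


class TenantSession:
    """Hypothetical wrapper that fixes the tenant for a connection so application
    code cannot forget the predicate. The tenant comes from the authenticated
    session, never from a request parameter the client controls."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self._conn = conn
        self._tenant_id = tenant_id

    def invoice(self, invoice_id: int):
        return get_invoice(self._conn, self._tenant_id, invoice_id)

    def invoices(self):
        return list_invoices(self._conn, self._tenant_id)


if __name__ == "__main__":
    store = build_store()
    print("unscoped lookup of ID 3 by tenant A:", get_invoice_unscoped(store, 3))
    print("scoped lookup of ID 3 by tenant A:  ", TenantSession(store, "tenant-a").invoice(3))
    print("tenant B's own invoices:", TenantSession(store, "tenant-b").invoices())
```

The scoped lookup returns `None` for a foreign row rather than a distinct "forbidden" result, so a probing tenant cannot even learn which IDs exist. In a shared database this logical isolation can additionally be enforced by the engine itself (for example with row-level security policies) so that an application bug cannot bypass the label.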
Logical and Physical Deployment Diagrams: Logical and physical deployment diagrams are the two main types of enterprise deployment diagram. A physical deployment diagram shows the physical nodes and the communication links between them: servers, switches, routers, bridges, modems, hubs, printers, and so forth. A logical deployment diagram shows the architecture at the logical level, including the domain hierarchy and the naming and addressing scheme.
Secure Infrastructure Design: CASP students must understand how to secure an infrastructure design. Infrastructure design involves a variety of security controls, including virtual private networks (VPNs), virtual LANs (VLANs), and demilitarized zones (DMZs).
Storage Integration: When an organization integrates storage solutions, security analysts must participate in the design and deployment phases to make sure that security considerations are addressed properly. These may include multi-factor authentication for storage administration, ACLs, a dedicated private network for storage traffic (for example a separate SAN fabric or VLAN), and limiting access to the storage location.
Enterprise Application Integration Enablers: Enterprise application integration enablers ensure that an organization's services and applications can communicate with one another. The CASP's main concerns are understanding which enabler a particular scenario requires and making sure that the solution is deployed securely. Candidates must understand the following solutions:
- Content management systems (CMSs)
- Domain name system (DNS)
- Configuration management database (CMDB)
- Directory services
- Service-oriented architecture (SOA)
- Governance, risk, and compliance (GRC)
- Enterprise service bus (ESB)
- Enterprise resource planning (ERP)
- Customer relationship management (CRM)
What Do I Need to Know About Integrating Advanced Authentication and Authorization Technologies?
Authentication and authorization technologies implement the access control model that specifies which user or device receives a given level of access to a resource. Classical access control relied on a username and password; today more sophisticated methods, such as certificate-based authentication and federated credential verification, are in use. Below are descriptions of these technologies.
Authentication: Authentication is the process of confirming the identity of a user, ensuring that only the legitimate person accesses the system or resource. It is one of the five pillars of information assurance (IA), along with non-repudiation, confidentiality, integrity, and availability. Biometric examples include fingerprint, retina scan, and voice pattern recognition. The CASP syllabus covers two authentication topics in particular: certificate-based authentication and single sign-on.
Authorization: After authentication, the next step will be to grant rights and permissions to the user being authenticated. This process is termed authorization. CASPs must know the following vital components of authorization:
- Open Authorization (OAuth)
- Extensible access control markup language (XACML)
- Service provisioning markup language (SPML)
Attestation: Attestation is the process by which a machine produces verifiable evidence of its state (which firmware, boot loader, operating system, and software it is running) so that a relying party can decide whether to trust it. It supports decisions about what a user is allowed to do and whether his or her machine is in a known-good configuration rather than one that leaves an opening for attackers: for example, security practitioners can check that the user has the correct version of software installed before granting access. The classic implementation uses the trusted platform module (TPM), which records a hash of each boot component in its platform configuration registers and signs a quote of those registers for a remote verifier.
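To make the TPM-based mechanism concrete, here is a Python example of the verifier's side of attestation, added here and not part of the original article. It models measured boot as the article describes it: each boot component's hash is folded into a platform configuration register (PCR), and the verifier replays the reported event log, checks that it reproduces the quoted PCR value, and compares that value with a golden one. The component names and contents, the golden values, and the shared key are constructed; the HMAC "quote" is a labeled stand-in for the real TPM quote, which is signed with the TPM's attestation key and checked against that key's certificate.

```python
"""Remote attestation check modelled on TPM measured boot. Each boot component
is hashed and folded into a platform configuration register (PCR) with
PCR_new = SHA-256(PCR_old || digest); the verifier replays the event log and
compares the result with a golden value. Added example, not from the article.
Component names and contents and the key are constructed, and the HMAC "quote"
stands in for a real TPM quote signed by the attestation key."""
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: the register only moves forward, so a
    measurement cannot be undone or reordered without changing the final value."""
    return hashlib.sha256(pcr + digest).digest()


def replay_log(event_log) -> bytes:
    """Replay an event log of (component_name, component_bytes) pairs from the
    reset value (all zeros) and return the final PCR value."""
    pcr = bytes(PCR_SIZE)
    for _name, blob in event_log:
        pcr = extend(pcr, hashlib.sha256(blob).digest())
    return pcr


def make_quote(key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Platform side: bind the PCR value to the verifier's nonce. This HMAC is a
    constructed stand-in for the attestation-key signature over a TPM quote."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()


def verify_attestation(key, nonce, quote, reported_pcr, event_log, golden_pcr):
    """Return (ok, reason). Order matters: authenticity and freshness first,
    then whether the log explains the value, then whether the value is approved."""
    if not hmac.compare_digest(make_quote(key, reported_pcr, nonce), quote):
        return False, "quote is not authentic for this nonce (replayed or forged)"
    if replay_log(event_log) != reported_pcr:
        return False, "event log does not reproduce the quoted PCR (log tampered)"
    if reported_pcr != golden_pcr:
        return False, "PCR differs from golden value (unapproved component measured)"
    return True, "platform state matches the approved configuration"


def first_divergence(event_log, golden_log):
    """Name the first component whose measurement differs from the golden log,
    or None if the logs agree; used to explain a golden-value mismatch."""
    for (name, blob), (_gname, gblob) in zip(event_log, golden_log):
        if hashlib.sha256(blob).digest() != hashlib.sha256(gblob).digest():
            return name
    return None if len(event_log) == len(golden_log) else "log length differs"


# Constructed "known-good" boot chain from which the golden PCR value is derived.
GOLDEN_LOG = [
    ("firmware", b"firmware build 1.2.0"),
    ("bootloader", b"bootloader 2.06"),
    ("kernel", b"kernel 5.15.0 signed"),
]
GOLDEN_PCR = replay_log(GOLDEN_LOG)
ATTESTATION_KEY = b"constructed-shared-key-not-a-real-tpm-key"


if __name__ == "__main__":
    nonce = b"verifier-nonce-0001"
    tampered = GOLDEN_LOG[:2] + [("kernel", b"kernel 5.15.0 with implant")]
    pcr = replay_log(tampered)
    ok, why = verify_attestation(
        ATTESTATION_KEY, nonce, make_quote(ATTESTATION_KEY, pcr, nonce),
        pcr, tampered, GOLDEN_PCR)
    print(ok, why, "->", first_divergence(tampered, GOLDEN_LOG))
```

The two failure modes worth noticing are distinct: a modified kernel changes the PCR and is caught by the golden comparison, while an attacker who keeps the real (tampered) log but reports the golden PCR is caught because the log no longer reproduces the quoted value. The nonce check prevents replaying a quote captured from an earlier, honest boot.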
Identity Propagation: This is the process of passing a user's authenticated identity from one tier of a multi-tier system to another, so that the back end (commonly a database) can apply its own access controls to the real end user rather than to a shared application account. The identity must be carried in a form the receiving tier can verify, not merely as a user name it takes on trust.
Federation: Federated identity management (FIM), also known as identity federation, is an arrangement that lets organizations with disparate technologies, use cases, and standards share applications by allowing users to use the same credentials across security domains. As a CASP, you must know the main FIM standards and components, including security assertion markup language (SAML), OpenID, Shibboleth (a SAML-based implementation), and WAYF ("Where Are You From", the discovery service that directs a user to his or her home identity provider).
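The identity propagation and federation items above both turn on the same point: an identity handed from one party to another is only as good as the receiving party's ability to verify it. The Python example below, added here and not part of the original article, contrasts a data tier that trusts a user name in a header with one that accepts only a signed, audience-bound, short-lived token issued by the front tier. The token format is a simplified stand-in for a SAML assertion or JWT, the HMAC shared secret stands in for the asymmetric signature a real federation would use, and the tier names, users, and keys are constructed.

```python
"""Identity propagation between tiers. The front tier authenticates the user
(for instance by accepting a federated assertion) and hands that identity to
the data tier in a form the data tier can verify. Added example, not from the
article: the token format is a simplified stand-in for a SAML assertion or
JWT, the HMAC secret stands in for a federation's asymmetric signature, and
all tier names, users, and keys are constructed."""
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, audience: str, roles, now: int, ttl: int = 300) -> str:
    """Front tier: sign the propagated identity, bound to the receiving tier
    (aud) and to a short validity window (iat..exp)."""
    claims = {"sub": subject, "aud": audience, "roles": list(roles), "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(key: bytes, token: str, expected_audience: str, now: int):
    """Data tier: return the claims only if signature, audience, and time window
    all check out, otherwise None. The signature is checked before the body is
    parsed, so unauthenticated input never reaches the JSON parser."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeError):
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("aud") != expected_audience:
        return None  # minted for a different tier: do not accept it here
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None
    return claims


def handle_request_insecure(headers: dict):
    """Weak: the data tier trusts whatever user name the previous tier (or
    anyone else who can reach this tier) puts in a header."""
    return headers.get("X-User")


def handle_request(headers: dict, key: bytes, now: int):
    """Hardened: the acting user is derived only from a verified token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    claims = verify_token(key, auth[len("Bearer "):], "billing-db-tier", now)
    return None if claims is None else claims["sub"]


if __name__ == "__main__":
    key = b"constructed-shared-secret-between-tiers"
    now = 1_700_000_000
    token = issue_token(key, "alice", "billing-db-tier", ["reader"], now)
    print("forged header accepted by weak tier:", handle_request_insecure({"X-User": "admin"}))
    print("verified identity at hardened tier:", handle_request({"Authorization": "Bearer " + token}, key, now))
```

The audience check is the federation-specific detail: a token minted for one relying party must not be accepted by another, otherwise a low-value service becomes a way to mint credentials for a high-value one. The short expiry limits what a stolen token is worth, and `hmac.compare_digest` avoids leaking the signature through timing.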
Advanced Trust Models: These models support network authentication. CASP candidates should learn about the technologies that underpin them, including Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), and Active Directory (AD).
Where Should I Focus My Study Time?
Though passing the CASP exam can feel like untying the Gordian knot, the right training and study material will lead you to your goal of a CASP credential. Candidates should focus their study time on CompTIA's official material, all of which carries the CompTIA Authorized Quality Curriculum (CAQC) seal. Here is a CASP Resources article that covers everything you need to know in this regard.
InfoSec’s CASP Boot Camp—Your Best Bet
Do you want to take the CompTIA CASP exam? Good news: InfoSec Institute offers a CASP Boot Camp designed for candidates preparing for the examination. The goal of the course is to give IT professionals the most comprehensive accelerated preparation for the CASP exam.
InfoSec also offers thousands of articles on a variety of security topics.