CCSK

  • 1.  Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted 18 days ago
    Hi all,
    Sorry for the clumsy title.
    I'm reviewing the CCSK security guidance firstly so I can attain my CCSK and secondly so I can adopt it in my organisation as a cloud consumer.
    When it comes to immutable environments, the guidance in Domain 10 talks about being able to have the same templates between different non production and production environments migrated through the CI/CD pipeline through approved baselines and templates etc.
    The chapter also talks about the different needs of development environments (for developers) and production environments. In order to ensure that permissive entitlements don't get migrated from non production to production, is it the locked down production configuration which gets migrated from dev through to prod? Are more permissive rules in a different segmented development environment added through additional configurations in the non production environments?
    Thanks

    ------------------------------
    Nic Bishop
    ------------------------------


  • 2.  RE: Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted 17 days ago

    Hi Nic,

    Thanks for reaching out. I am following up with one of our instructors to see if I can get your question answered. I will be in touch.

    Best,

    ------------------------------
    Anna Campbell Schorr
    Training Program Manager
    Cloud Security Alliance
    [email protected]
    ------------------------------



  • 3.  RE: Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted 17 days ago
    Thank you

    ------------------------------
    Nic Bishop
    ------------------------------



  • 4.  RE: Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted 6 days ago

    Hi Nic,

    This is what I got back from one of our instructors. I hope this helps:

    1. Is it the locked down production configuration which gets migrated from dev through to prod?
       The final approved released version from the development environment in the CI/CD pipeline gets deployed based on the organization policy, manually or automatically into the production environment. No changes should be allowed in the production environment through access controls. Any changes must be done and tested in the development environment prior to re-deployment.
    2. Are more permissive rules in a different segmented development environment added through additional configurations in the non production environments?
       Correct. The development environment allows the developers to interact with the code. Therefore, they need access that is prohibited in the production environment. However, the least and minimum privileges must be enforced and access activities must be monitored. This is especially critical when the organization is using production data, which is advised against, in the non-production environment.



    ------------------------------
    Anna Campbell Schorr
    Training Program Manager
    Cloud Security Alliance
    [email protected]
    ------------------------------
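
The pattern described in the answer above, as an added example that is not part of the thread and not CSA code: one locked-down baseline is promoted unchanged, developer access lives in a separate non-production overlay, and a pipeline gate blocks any configuration whose entitlements exceed the baseline. All role names, permission strings and the `PROD_FORBIDDEN` policy are hypothetical, constructed for illustration.

```python
# Constructed sample data; role and permission names are hypothetical.
BASELINE = {  # approved, locked-down template promoted unchanged through the pipeline
    "app-runtime": {"storage:read", "queue:consume"},
    "deployer": {"deploy:release"},
}
OVERLAYS = {  # extra grants layered on per environment, never part of the promoted artifact
    "dev": {"developer": {"storage:read", "storage:write", "logs:read", "shell:exec"}},
    "prod": {},
}
PROD_FORBIDDEN = {"shell:exec", "storage:write"}  # assumed policy: no interactive change in prod


def render(env):
    """Effective entitlements for env: a copy of the baseline plus that environment's overlay."""
    effective = {role: set(perms) for role, perms in BASELINE.items()}
    for role, perms in OVERLAYS.get(env, {}).items():
        effective.setdefault(role, set()).update(perms)
    return effective


def promotion_findings(candidate):
    """Return reasons a config must not be deployed to production (empty list = pass)."""
    findings = []
    for role, perms in sorted(candidate.items()):
        if role not in BASELINE:
            findings.append(f"role '{role}' is not in the approved baseline")
            continue
        extra = perms - BASELINE[role]
        if extra:
            findings.append(f"role '{role}' has grants beyond baseline: {sorted(extra)}")
    for role, perms in sorted(candidate.items()):
        bad = perms & PROD_FORBIDDEN
        if bad:
            findings.append(f"role '{role}' holds prod-forbidden grants: {sorted(bad)}")
    return findings


if __name__ == "__main__":
    for env in ("dev", "prod"):
        result = promotion_findings(render(env))
        print(env, "PASS" if not result else "BLOCK")
        for line in result:
            print("  -", line)
```

Run as a pipeline step before the production deploy, the gate passes the rendered prod configuration and blocks the dev one, so a developer overlay cannot reach production by accident.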



  • 5.  RE: Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted 5 days ago
    Thank you Anna.
    That helps

    ------------------------------
    Nic Bishop
    ------------------------------



  • 6.  RE: Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted 13 days ago
    This would even be a great webinar topic 👍

    ------------------------------
    Andrew Vance
    Executive Director
    Cyber Institute
    ------------------------------