CCSK

  • 1.  Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted Jan 11, 2023 10:01:00 PM
    Hi all,
    Sorry for the clumsy title.
    I'm reviewing the CCSK security guidance firstly so I can attain my CCSK and secondly so I can adopt it in my organisation as a cloud consumer.
    When it comes to immutable environments the guidance in domain 10 talks about being able to have the same templates between different non production and production environments migrated through the CI/CD pipeline through approved baselines and templates etc.
    The chapter also talks about the different needs of development environments (for developers) and production environments. In order to ensure that permissive entitlements don't get migrated from non production to production, is it the locked down production configuration which gets migrated from dev through to prod? Are more permissive rules in a different segmented development environment added through additional configurations in the non production environments?
    Thanks

    ------------------------------
    Nic Bishop
    ------------------------------


  • 2.  RE: Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted Jan 12, 2023 03:24:00 PM

    Hi Nic,

    Thanks for reaching out. I am following up with one of our instructors to see if I can get your question answered. I will be in touch.

    Best, 



    ------------------------------
    Anna Campbell Schorr
    Training Program Manager
    Cloud Security Alliance
    [email protected]
    ------------------------------



  • 3.  RE: Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted Jan 12, 2023 05:44:00 PM
    Thank you

    ------------------------------
    Nic Bishop
    ------------------------------



  • 4.  RE: Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted Jan 23, 2023 03:04:00 PM

    Hi Nic,

    This is what I got back from one of our instructors, I hope this helps:

    1. Is it the locked down production configuration which gets migrated from dev through to prod?
       The final approved released version from the development environment in the CI/CD pipeline gets deployed based on the organization policy, manually or automatically into the production environment. No changes should be allowed in the production environment through access controls. Any changes must be done and tested in the development environment prior to re-deployment.
    2. Are more permissive rules in a different segmented development environment added through additional configurations in the non production environments?
       Correct. The development environment allows the developers to interact with the code. Therefore, they need access that is prohibited in the production environment. However, the least and minimum privileges must be enforced and access activities must be monitored. This is especially critical when the organization is using production data, which is advised against, in the non-production environment.



    ------------------------------
    Anna Campbell Schorr
    Training Program Manager
    Cloud Security Alliance
    [email protected]
    ------------------------------
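
The model described in reply 4, sketched as a pipeline gate. This is an added example, not part of the thread or of the CSA guidance: a locked-down baseline is promoted unchanged, permissive rules exist only as a separate non-production overlay, and the gate blocks a production deployment that carries any overlay or differs from the approved baseline. The role names, permission strings and the `BASELINE`, `OVERLAYS`, `render` and `promotion_gate` names are all hypothetical.

```python
import hashlib
import json

# Constructed sample data: the approved, locked-down baseline that moves through the pipeline.
BASELINE = {"role:app": ["storage:read"], "role:deployer": ["deploy:release"]}

# Constructed per-environment overlays: extra entitlements layered on top of the baseline.
OVERLAYS = {
    "dev": {"role:developer": ["storage:read", "storage:write", "debug:attach"]},
    "prod": {},
}


def digest(config):
    """Stable SHA-256 over a config, so an artifact can be compared to its approved baseline."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


def render(env, baseline=BASELINE, overlays=OVERLAYS):
    """Baseline plus that environment's overlay; the baseline itself is never edited."""
    merged = {role: list(perms) for role, perms in baseline.items()}
    for role, perms in overlays.get(env, {}).items():
        merged[role] = sorted(set(merged.get(role, [])) | set(perms))
    return merged


def promotion_gate(env, approved_digest, baseline=BASELINE, overlays=OVERLAYS):
    """Return a list of findings; an empty list means the deployment may proceed."""
    findings = []
    rendered = render(env, baseline, overlays)
    if env == "prod":
        if overlays.get("prod"):
            findings.append("prod overlay is not empty")
        if digest(rendered) != approved_digest:
            findings.append("rendered prod config differs from approved baseline")
    # Least privilege still applies to non-production overlays: no wildcard grants.
    for role, perms in overlays.get(env, {}).items():
        for perm in perms:
            if perm == "*" or perm.endswith(":*"):
                findings.append(f"wildcard entitlement {perm!r} on {role} in {env}")
    return findings


if __name__ == "__main__":
    approved = digest(BASELINE)
    print("dev :", promotion_gate("dev", approved))
    print("prod:", promotion_gate("prod", approved))
    leaked = dict(OVERLAYS, prod=OVERLAYS["dev"])  # dev overlay copied into prod by mistake
    print("leak:", promotion_gate("prod", approved, overlays=leaked))
```
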



  • 5.  RE: Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted Jan 24, 2023 01:43:00 PM
    Thank you Anna.
    That helps

    ------------------------------
    Nic Bishop
    ------------------------------



  • 6.  RE: Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted Jan 17, 2023 07:23:00 AM
    This would even be a great webinar topic 👍

    ------------------------------
    Andrew Vance
    Executive Director
    Cyber Institute
    ------------------------------



  • 7.  RE: Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted Feb 20, 2023 08:01:00 AM

    Totally agree. Production staging scenario situations are not covered enough ever or anywhere. Legal implications, responsibilities of all parties involved, all of this can be subject to a great webinar and of extreme importance to some of us still studying to get the CCSK. 



    ------------------------------
    João Ferreira
    Student
    Self
    ------------------------------



  • 8.  RE: Domain 10: Application Security - differences between Dev (and other non production) and production environments

    Posted Feb 21, 2023 11:23:00 AM

    Hi all,

    Thanks for the feedback. I have passed it along to our webinar team.

    Best, 



    ------------------------------
    Anna Campbell Schorr
    Training Program Manager
    Cloud Security Alliance
    [email protected]
    ------------------------------