CCSK Domain 4 Notes: Organization Management

Introduction

• Purpose: Manage and secure the entire cloud footprint (multi-cloud, hybrid, and SaaS).
• Cloud sprawl (growth through mergers, acquisitions, etc.) creates management complexity.
• Goals:

• Manage organization-level security.
• Use hierarchy for structured deployment control.
• Understand hybrid & multi-cloud management.

Organization Hierarchy Models

Key Terms:

Level	AWS	Azure	GCP
Organization	Organization	Tenant	Organization
Group	Organizational Unit (OU)	Management Group	Folder
Deployment	Account	Subscription	Project

• Organization: Top-level structure in CSP.
• Group: Collection of deployments (logical isolation).
• Deployment: Individual, isolated environment.

Benefits: Segmentation, reduced “blast radius,” logical separation, and compliance alignment.

Key Capabilities in Cloud Hierarchy

All major CSPs offer:

1. Groups → Create isolation hierarchy.
2. Policies → Define what services or APIs are allowed/blocked.
3. Centralized IAM → Federated identity management across deployments.
4. Shared Security Services → Central logging, monitoring, and governance.

Landing Zone / Account Factory:

• Automates account setup with pre-configured security, compliance, and governance controls.
• Ensures consistency across multiple deployments.

Building Hierarchies (Three Models)

Model	Description	Strength
Business Unit & App-Based	BU → App → Env	Aligns IAM with org units
Environment-Based	Env (Prod, Dev, Test) → BU → App	Simplifies policy mgmt
Geography-Based	Region → BU → Env	Meets regional compliance needs

Hybrid approach often works best — mix based on organization needs.

Organization-Level Security

Goal: Control cloud footprint & maintain acceptable risk without hindering agility.

Identity Management

• Minimize root access.
• Restrict who can create deployments.
• Use landing zones/account factories for consistent setup.

Policy Scopes

1. Organization-wide: Affects all deployments (rarely used due to broad scope).
2. Group-level: Commonly used; cumulative & restrictive.
3. Deployment-level: For specific, fine-grained needs.

Policy Use Cases

• Enable/disable unapproved services.
• Block risky API calls.
• Restrict regions for compliance.
• Enforce IP-based access controls.

Shared Organization Services

Used across deployments for consistency and visibility:

• Centralized IAM → unified access control.
• Centralized Logging → forward telemetry to SIEM or security data lake.
• Threat Detection → detect malicious activities in real time.
• Cost Management → tagging policies for accountability.
• Account Factories → IaC-based automated secure deployment setup.

Hybrid Cloud Management

Definition: Integration of on-prem data centers with public cloud.

Security Goals:

1. IAM: A compromised identity can affect both environments.
2. Network Security: Prevent misconfigurations & overexposure.

Best Practices:

• Avoid “connection sprawl.”
• Use a central bastion network to manage all hybrid connections.
• Keep security controls distinct for cloud vs. on-prem; don’t normalize.

Multi-Cloud Management

Definition: Use of multiple IaaS/PaaS CSPs (AWS, Azure, GCP).

Challenges: High complexity, different tooling, and greater security overhead.

Strategies:

1. Single Provider: Consolidate into one CSP.
2. Primary/Secondary: Main provider + limited secondary (for special cases).
3. Full Multi-Cloud: Equal support for all CSPs — requires advanced maturity.

Best Practice: Mature security in one CSP before expanding to others.

Container Misconception:

• Containers increase workload portability — NOT infrastructure portability.
• Shared services (DB, queues, etc.) are not easily portable.

Tooling & Staffing for Multi-Cloud

• Each CSP requires dedicated expertise.
• Use Managed Service Providers (MSPs) for support, but accountability stays with CSC.
• Ensure MSP aligns with CSC’s governance and security strategy.

SaaS Management in Hybrid & Multi-Cloud

Challenges:

• Many SaaS vendors with varying security levels.
• Uncontrolled integrations = data exposure.

Best Practices:

• Maintain a SaaS registry (approved vendors & data categories).
• Require justification for duplicates.
• Evaluate SaaS vendors before approval.
• Control integrations & data flows between SaaS apps.

Key Tools:

1. Federated Identity Brokers – Centralized access for multiple SaaS apps.
2. CASB (Cloud Access Security Broker) – Visibility & enforcement over SaaS use.
3. API Gateways – Manage and secure inter-SaaS data flows.

Flashcards: https://quizlet.com/in/1101683851/ccsk-domain-4-flash-cards/?i=4jehw4&x=1qqt