Cloud & Compromise Game Cards

Role Cards page 1
ROLE ROLE
CISO DEPUTY CISO

SALARY WORK CAPACITY SALARY WORK CAPACITY
$400k 5 hours $350k 10 hours
ADDITIONAL CONSIDERATIONS
More than five mitigations requires
More than ten employees requires a CISO
a Deputy CISO
ROLE ROLE
PROJECT MGR SR ENGINEER

$100k 1 + team 50% $200k 7 hours
ADDITIONAL CONSIDERATIONS ADDITIONAL CONSIDERATIONS
Remediation work capacity of rest of Adding additional tiers, such as a
team increases by 50% (1.5x) Principal or Fellow should include
There may be only one project manager similar cost and capacity multiplier
with a 10% hourly discount
Team size must be greater than 8
© Copyright 2023, Cloud Security Alliance. All rights reserved. 1

Role Cards page 1 backs

Role Cards page 2
ROLE ROLE
JR ENGINEER INTERN

$100k 3 hours $50k 1 hours
This is the base level of an employee ADDITIONAL CONSIDERATIONS
when planning the gaming scenarios More than two interns require at least
one managing engineer
Each headcount should cover roughly
one product
ROLE
CONTRACTOR
SALARY WORK CAPACITY
$250k per use 8 hours
Remediation work capacity may be
purchased in minimum blocks of 5, 10,
or 20-hour increments

Role Cards page 2 backs

Risk Cards page 1
RISK RISK
1 12 2
Insufficient identity, credential,

access and key management,
Insecure interfaces
privileged accounts and APIs
RISK RISK
3 4
Misconfiguration and Lack of cloud security

Inadequate Change architecture and
Control strategy

Risk Cards page 1 backs

Risk Cards page 2
RISK RISK
5 6
Insecure software Unsecure third party

development resources
RISK RISK
7 8
System Accidental cloud

vulnerabilities data disclosure


Risk Cards page 3
RISK RISK
9 10
Misconfiguration and Organized crime/

exploitation of serverless and
container workloads hackers/ APT
RISK
11
Cloud storage data

exfiltration


System Component Cards page 1
SYSTEM
COMPONENT
EXTERNAL
SUB-COMPONENTS SPIH
ACCESS
Register SaaS Yes

Cash Drawer PaaS Probably
Receipt Printer IaaS Possibly
Payment Encryption Hybrid No
Device
POINT OF REGULATED/ SENSITIVE POTENTIAL MITICATIONS

SALE INFORMATION (CCM CONTROLS)
PCI
Transaction
Information
PRODUCT EXAMPLES Revenue/Sales Data
Verifone, Toast, Clover
Customer Data
PII
SYSTEM
COMPONENT
EXTERNAL
SUB-COMPONENTS SPIH
ACCESS
SaaS Probably
HR Software
PaaS Probably
Database
IaaS Possibly
Directory Service
Hybrid Possibly
HUMAN REGULATED/ SENSITIVE POTENTIAL MITICATIONS

RESOURCES INFORMATION (CCM CONTROLS)
Employee Info
PRODUCT EXAMPLES
PII
WorkDay, SuccessFactors,
Internally Developed Salary & Bonus info

System Component Cards page 1 backs

SYSTEM
COMPONENT
EXTERNAL
SUB-COMPONENTS SPIH
ACCESS
Web Server SaaS Yes
Database PaaS Probably
Operating System IaaS Possibly
Certificate Authority Hybrid Possibly
WEB SITE REGULATED/ SENSITIVE

INFORMATION
POTENTIAL MITICATIONS
(CCM CONTROLS)
PCI
PRODUCT EXAMPLES PII
WordPress, Drupal,
Transaction
Joomla, Magento Information
SYSTEM
COMPONENT
EXTERNAL
SUB-COMPONENTS SPIH
ACCESS
HVAC hardware SaaS Probably
Communications Platform PaaS Possibly
Thermostat IaaS Possibly
Temperature Sensors Hybrid No
HVAC REGULATED/ SENSITIVE

INFORMATION
(CCM CONTROLS)
Network
PRODUCT EXAMPLES
Admin info
Honeywell, Allied, Amana,
Bosch, Bryant, Carrier Cost information


SYSTEM
COMPONENT
EXTERNAL
SUB-COMPONENTS SPIH
ACCESS
SaaS Yes
LMS Software
PaaS Probably
Database
IaaS Probably
Media Source
Hybrid Possibly
LEARNING
MANAGEMENT REGULATED/ SENSITIVE
INFORMATION
(CCM CONTROLS)
SYSTEM
HR Info
PRODUCT EXAMPLES Progress

MindTickle, Noodle, PII
TalentLMS, SAP
Proprietary Info
SYSTEM
COMPONENT
EXTERNAL
SUB-COMPONENTS SPIH
ACCESS
Inventory System
SaaS Probably
Scanners
PaaS Probably
Distribution Equipment
IaaS Probably
Labeling Devices
Hybrid Probably
Industrial Control Systems
SUPPLY CHAIN REGULATED/ SENSITIVE

INFORMATION
(CCM CONTROLS)
PRODUCT EXAMPLES
NetSuite, Katana, Soho, Product Info
Perpetual Inventory System, Proprietary Data
Periodic Inventory System, Contract Info
Barcode System, RFID
System


SYSTEM
COMPONENT
EXTERNAL
SUB-COMPONENTS SPIH
ACCESS
Customer Interface SaaS Yes

Database PaaS Probably
Trading Plattform IaaS Probably
Financial Transactions Hybrid Probably
Interface
RETIREMENT REGULATED/ SENSITIVE POTENTIAL MITICATIONS

SYSTEM INFORMATION (CCM CONTROLS)
PII
PRODUCT EXAMPLES Earnings Info

Fidelity, NetBenefits, HR Info
Merril Lynch, ADP
Trading Info
SYSTEM
COMPONENT
EXTERNAL
SUB-COMPONENTS SPIH
ACCESS
IoT Devices
SaaS Probably
Communications Platform
PaaS Probably
Storage
IaaS Probably
Dashboard
Hybrid Probably
Reporting Structure
INTERNET OF REGULATED/ SENSITIVE POTENTIAL MITICATIONS

THINGS (IOT) INFORMATION (CCM CONTROLS)
Sales Info
PRODUCT EXAMPLES Network Information

Microsoft Sphere, Apple, Telemetry Data
Motorola, Samsung
Cost information


Mitigation Tool Cards page 1
MITIGATION
TOOL
SETUP/ EASE
SPIH COST EFFECTIVENESS
OF USE
SaaS 80K 8 8
PaaS 40K 3 3
IaaS 70K 4 8
Private 60K 7 9
SECURITY &
INCIDENT EVENT Logging within cloud environments varies drastically between ease
of use and cost of storage. Off-line storage and/or accessibility
MONITORING limitations define the cloud SIEM space. SaaS solutions incentivize
tiered pricing increases, where the difference entails operational
expenses (OpEx). While PaaS solutions boast of covering
multi-cloud effectively, the current reality entails the CSP vendor’s
CCM CONTROL offering and features within the competing clouds with mixed
results. IaaS SIEM implementations do not avoid growing storage
costs. Private and on-premise costs will be lower in the long run,
overcoming scalability and tiered storage savings in 1.5 to 2 years.
Audit & Assurance
MITIGATION
TOOL
SETUP/ EASE
OF USE
SaaS 20K 7 3
PaaS 20K 5 3
IaaS 30K 8 5
Private 20K 9 5
STATIC & DYNAMIC

APPLICATION Application Security Testing includes both static and dynamic forms. Static
Application Security Testing includes checking DLLs and code repositories
SECURITY TESTING dependencies and coding practices such as boundary checking or standards
verification. Dynamic incorporates validation of software during operation,
fuzzing inputs of a running system, or checking edge cases. In contrast,
application security testing in the cloud may make adoption easier. Some SaaS
CCM CONTROL providers insert the complete code into the compiled application.
Communications between on-premise and cloud apps may be complex open
vulnerabilities. The agent that some systems require is loaded into the
development environment or on the application servers. Highly regulated
sectors or those with significant intellectual property concerns may need to
formulate requirements carefully considering deployment options. Ease of use
and deployment should keep in mind intellectual property exposure, privacy,
Application & sovereignty, speed of testing, and licensing for SPIH AppSec planning.
Interface Security

Mitigation Tool Cards page 1 backs

MITIGATION
TOOL
SETUP/ EASE
OF USE
SaaS 30K 9 5
PaaS 70K 6 4
IaaS 90K 6 5
Private 70K 8 6
RESILIENCY All resiliency products involve trade-offs. Cloud provides unlimited
PRODUCTS scalability and on-demand access of a cloud. The direct costs

associated with built-in cloud PaaS services, such as image
snapshots and database backups, primarily center on storage costs.
The drawbacks principally surround portability/vendor lock-in and
CCM CONTROL cross-region nuances, especially when implementing cryptography.
Well-defined on-premise backup technologies include Storage Area
Networks (SANs) and Network Attached Storage (NAS). Teams may
face challenges integrating these technologies into a private cloud.
Business Continuity
& Resiliency
MITIGATION
TOOL
SETUP/ EASE
OF USE
SaaS 10K 9 5
PaaS 5K 5 4
IaaS 40K 6 7
Private 20K 4 7
CONTINUOUS
INTEGRATION/ Implementing a continuous integration/continuous deployment solution
amounts to the penultimate change control implementation of DevOps.
CONTINUOUS DELIVERY Pipelines are not one-off developers trying a feature tweak or quickly
hacking together a fix for an immediate patch release. Changes occur
within a repository, potentially with automated quality assurance testing,
CCM CONTROL built-in SAST/DAST, and approval requirements. CI/CD pipelines are a
component of immutable software and infrastructure. Private or hybrid
CI/CD instantiations keep code repositories controlled. IaaS allows
dynamic scaling and at-rest confidentiality, similar to on-premise. PaaS
examples, such as Azure DevOps or AWS Production Manager, may be
found as a component of large service providers and typically
incompatible. SaaS protections surround typical expectations of BYOK,
Change Control blinding vendor administrator visibility to subscriber’s code.


MITIGATION
TOOL
SETUP/ EASE
OF USE
SaaS 80K 4 3
PaaS 30K 6 5
IaaS 50K 8 4
Private 40K 9 7
ENCRYPTION Cryptography encompasses a wide swath of capabilities. The CEK
PRODUCTS domain contains key management controls, encryption routines,

integrity checking, digital signatures, and the overall Public Key
Infrastructure (PKI). Synonymous with confidentiality, cryptography
scrambles data from the uninvited or unauthorized. This includes
CCM CONTROL data-at-rest, data-in-motion and data-in-use. Crypto additionally
provides integrity protections through hashing and digital
signatures. Key management effectiveness trade-offs include
vendor key access during initial setup (IaaS/PaaS Cloud HSMs) to
BYOK in virtual HSMs to complete the vendor's trust with fully
managed keys.
Cryptography and
Encryption
Management
MITIGATION
TOOL
SETUP/ EASE
OF USE
SaaS 80K 4 5
PaaS 70K 6 5
IaaS 80K 8 4
Private 90K 9 7
NETWORK Network defenses range broadly. Whether it’s WAF protections, net
DEFENSE flow monitoring, Perimeter Firewalls, or Intrusion Detection

Systems, all exist in this space. We generalized all of these types for
gamification purposes. The expected scalability of SaaS
implementations may surpass the TCP protections of a private
CCM CONTROL instance, but yield in application layer protocols analyzed. Private
and IaaS network flexibility and control are traded for network speed
and operational consistency in PaaS and SaaS implementations.
Infrastructure Virtual
Services


MITIGATION
TOOL
SETUP/ EASE
OF USE
SaaS 20K 8 5
PaaS 40K 9 8
IaaS 30K 7 10
Private 20K 6 8
ACCESS Authentication improvements impact an organization broadly. Single sign-on
CONTROL
(SSO) extends security requirements beyond the enterprise. For example, local
settings for password complexity, reuse, and credential rotation period are set
at the individual endpoints or service provider level. If these are not constantly
maintained or service providers adjust their settings, an inconsistent security
posture may result in exploitable gaps. On-boarding and off-boarding corporate
CCM CONTROL users also leave time gaps, where account privileges for a dismissed employee
may not be accounted for and terminated within a reasonable time. SSO
centralizes authentication within a company’s control, reclaiming trust from
third-party providers and ensuring corporate policies and standards will be met
in the third-party’s offering. SSO offerings come in multiple deployment
models, with several well-known SaaS providers commonly incorporating CSP
PaaS choices and build-your-own integrations. Integration effectiveness and
Identity and Access scalability typically run inversely proportional to ease of use.
Management
MITIGATION
TOOL
SETUP/ EASE
OF USE
SaaS 50K 8 3
PaaS 75K 6 6
IaaS 60K 4 8
Private 30K 2 10
MALWARE Operating System style Endpoint Protections provide waning
DEFENSE defenses as we move up the SPI stack. Licensing costs may become
troublesome in auto-scaling IaaS vs. on-premise installations. While
well understood in the on-premise server and virtualized system,
Legacy corporate EPP is not as effective in a PaaS or SaaS. There's
CCM CONTROL no location to operate or install services without going to another
PaaS or SaaS offering to watch the watchers. This requires an
additional Third Party security assessment and integration approach
to watch the endpoint services. Expect costs to accelerate by
adding multiple clouds or complex custom solutions.
Threat and
Vulnerability
Management


MITIGATION
TOOL
SETUP/ EASE
OF USE
Canned LMS 50K 6 4
Internal LMS 75K 8 6
Build your own 100K 8 10
In-person 125K 10 10
SECURITY &
AWARENESS Learning Management Systems provide cleaner and easier
consumption of training. In particular, security training provides a
TRAINING force multiplier, extending the impact of security with a champions

program. While prepared training delivered remotely may be
inexpensive and check the compliance box, studies show
customization increases learning effectiveness. Personalization,
CCM CONTROL interactivity, and especially in-person training prove the most
effective.
Human Resources
Security


Game Score Cards page 1
CCM Network Anti- Encryption Access Resiliency SAST/ Security
MITIGATION MATRIX SIEM Malware/ CI/ CD Training/
Controls Defense Endpoint Products Controls Products DAST LMS
SaaS 80K/4/5 80K/8/8 50K/8/3 10K/9/5 80K/4/3 20K/8/5 30K/9/5 20K/7/3 50K/6/4
PaaS 70K/6/5 40K/3/3 75K/6/6 5K/5/4 30K/6/5 40K/9/8 70K/6/4 20K/5/3 75K/8/6
Cost/ Ease of Use/
Effectiveness
IaaS 60K/8/4 70K/4/8 60K/4/8 40K/5/7 50K/8/4 30K/7/10 90K/6/6 30K/8/5 100K/8/10
Private 90K/9/7 60K/7/9 30K/2/10 20K/4/7 40K/9/7 20K/6/8 70K/8/6 20K/9/5 125K/10/10
DICE IVS A&A TVM CCC CEK IAM BCR AIS HRS
Pandemic Eleven ROLL
Insufficient Identity,
Credentials, Access, and Key 1, 12
Insecure Interfaces and APIs 2
Misonfiguration and
Inadequate Change Control 3
Lack of Cloud Security

Architecture and Strategy 4
Insecure Software
Development 5
Unsecured Third-Party
Resources 6
System Vulnerabilities 7
Accidental Cloud Data

Disclosure 8
Misconfig. and Exploit. of

Serverless and Container 9
Organized Crime/ Hackers/

APT 10
Cloud Storage Data

Exfiltration 11

SaaS 80K/4/5 80K/8/8 50K/8/3 10K/9/5 80K/4/3 20K/8/5 30K/9/5 20K/7/3 50K/6/4
PaaS 70K/6/5 40K/3/3 75K/6/6 5K/5/4 30K/6/5 40K/9/8 70K/6/4 20K/5/3 75K/8/6
Cost/ Ease of Use/
Effectiveness
IaaS 60K/8/4 70K/4/8 60K/4/8 40K/5/7 50K/8/4 30K/7/10 90K/6/6 30K/8/5 100K/8/10
Misonfiguration and

Insecure Software
Development 5
Resources 6

Disclosure 8


APT 10
Cloud Storage Data

Exfiltration 11

Game Score Cards page 2
SaaS 80K/4/5 80K/8/8 50K/8/3 10K/9/5 80K/4/3 20K/8/5 30K/9/5 20K/7/3 50K/6/4
PaaS 70K/6/5 40K/3/3 75K/6/6 5K/5/4 30K/6/5 40K/9/8 70K/6/4 20K/5/3 75K/8/6
Cost/ Ease of Use/
Effectiveness
IaaS 60K/8/4 70K/4/8 60K/4/8 40K/5/7 50K/8/4 30K/7/10 90K/6/6 30K/8/5 100K/8/10
Misonfiguration and

Insecure Software
Development 5
Resources 6

Disclosure 8


APT 10
Cloud Storage Data

Exfiltration 11

SaaS 80K/4/5 80K/8/8 50K/8/3 10K/9/5 80K/4/3 20K/8/5 30K/9/5 20K/7/3 50K/6/4
PaaS 70K/6/5 40K/3/3 75K/6/6 5K/5/4 30K/6/5 40K/9/8 70K/6/4 20K/5/3 75K/8/6
Cost/ Ease of Use/
Effectiveness
IaaS 60K/8/4 70K/4/8 60K/4/8 40K/5/7 50K/8/4 30K/7/10 90K/6/6 30K/8/5 100K/8/10
Misonfiguration and

Insecure Software
Development 5
Resources 6

Disclosure 8


APT 10
Cloud Storage Data

Exfiltration 11

Cloud & Compromise Game Cards

Uploaded by

Copyright:

Available Formats

Cloud & Compromise Game Cards

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cloud & Compromise Game Cards

Uploaded by

Copyright:

Available Formats

Role Cards page 1

CISO DEPUTY CISO

PROJECT MGR SR ENGINEER

© Copyright 2023, Cloud Security Alliance. All rights reserved. 1

© Copyright 2023, Cloud Security Alliance. All rights reserved. 2

SALARY WORK CAPACITY SALARY WORK CAPACITY

© Copyright 2023, Cloud Security Alliance. All rights reserved. 3

© Copyright 2023, Cloud Security Alliance. All rights reserved. 4

Insufficient identity, credential,

Misconfiguration and Lack of cloud security

© Copyright 2023, Cloud Security Alliance. All rights reserved. 5

© Copyright 2023, Cloud Security Alliance. All rights reserved. 6

Insecure software Unsecure third party

System Accidental cloud

© Copyright 2023, Cloud Security Alliance. All rights reserved. 7

© Copyright 2023, Cloud Security Alliance. All rights reserved. 8

Misconfiguration and Organized crime/

Cloud storage data

© Copyright 2023, Cloud Security Alliance. All rights reserved. 9

© Copyright 2023, Cloud Security Alliance. All rights reserved. 10

Register SaaS Yes

POINT OF REGULATED/ SENSITIVE POTENTIAL MITICATIONS

HUMAN REGULATED/ SENSITIVE POTENTIAL MITICATIONS

© Copyright 2023, Cloud Security Alliance. All rights reserved. 11

© Copyright 2023, Cloud Security Alliance. All rights reserved. 12

Web Server SaaS Yes

Database PaaS Probably

Operating System IaaS Possibly

Certificate Authority Hybrid Possibly

WEB SITE REGULATED/ SENSITIVE

HVAC hardware SaaS Probably

Communications Platform PaaS Possibly

Thermostat IaaS Possibly

Temperature Sensors Hybrid No

HVAC REGULATED/ SENSITIVE

© Copyright 2023, Cloud Security Alliance. All rights reserved. 13

© Copyright 2023, Cloud Security Alliance. All rights reserved. 14

PRODUCT EXAMPLES Progress

SUPPLY CHAIN REGULATED/ SENSITIVE

© Copyright 2023, Cloud Security Alliance. All rights reserved. 15

© Copyright 2023, Cloud Security Alliance. All rights reserved. 16

Customer Interface SaaS Yes

RETIREMENT REGULATED/ SENSITIVE POTENTIAL MITICATIONS

PRODUCT EXAMPLES Earnings Info

INTERNET OF REGULATED/ SENSITIVE POTENTIAL MITICATIONS

PRODUCT EXAMPLES Network Information

© Copyright 2023, Cloud Security Alliance. All rights reserved. 17

© Copyright 2023, Cloud Security Alliance. All rights reserved. 18

Audit & Assurance

STATIC & DYNAMIC

© Copyright 2023, Cloud Security Alliance. All rights reserved. 19

© Copyright 2023, Cloud Security Alliance. All rights reserved. 20

RESILIENCY All resiliency products involve trade-offs. Cloud provides unlimited

PRODUCTS scalability and on-demand access of a cloud. The direct costs

© Copyright 2023, Cloud Security Alliance. All rights reserved. 21

© Copyright 2023, Cloud Security Alliance. All rights reserved. 22

ENCRYPTION Cryptography encompasses a wide swath of capabilities. The CEK

PRODUCTS domain contains key management controls, encryption routines,

DEFENSE flow monitoring, Perimeter Firewalls, or Intrusion Detection

© Copyright 2023, Cloud Security Alliance. All rights reserved. 23