Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
The CCSK v5 and Security Guidance v5 are now available!

What is Management Plane (Metastructure) Security

Home
Industry Insights
What is Management Plane (Metastructure) Security

Blog Article Published: 05/13/2024

Written by Ashwin Chaudhary, CEO, Accedere.

Metastructure refers to the protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration as per Cloud Security Alliance's Security Guidance v4.0.

The management plane is

  • The single most significant security difference between traditional infrastructure and cloud computing.
  • Refers to the interfaces for managing your cloud resources in the cloud and cloud deployments.
  • Different from traditional infrastructure security and the most critical piece to protect.
  • How you launch virtual machines and configure virtual networks.
  • Admin tab for SaaS environment.


Key Functions
  • Provisioning resources required in the cloud.
  • Starting/stopping/terminating services required in the cloud.
  • Configuring resources includes adding/modifying/removing resources in the cloud.


Securing Management Plane
  • Secure root account.
  • Manage non-root users.
  • Enable monitoring/auditing.


Security Considerations

Five major factors for building and managing a secure management plane.

  • Perimeter security: Protecting from attacks against the management plane’s components including web and API servers.
  • Customer authentication: Providing secure mechanisms for customers to authenticate to the management plane using existing standards (like OAuth or HTTP request signing). Customer authentication should support MFA as an option or requirement.
  • Internal authentication and credential passing: Cloud providers should always mandate MFA for cloud management authentication from internal users.
  • Authorization and entitlements: The right or permission that is granted to a system entity to access a system resource is authorization. The entitlements are available to customers and internal administrators. Granular entitlements enable customers to securely manage their users and administrators and internally reduce the impact of administrator's accounts being compromised.
  • Logging, monitoring, and alerting: Robust logging and monitoring of administrative activities is essential for effective security and compliance. This applies to what the customer does in their account, and what employees do in their day-to-day management of the service. Alerting of unusual events is an important security control to ensure that monitoring is actionable.


About the Author

Ashwin Chaudhary is the CEO of Accedere, a Data Security, Privacy Audit, and Training Firm. He is a CPA from Colorado, MBA, CITP, CISA, CISM, CGEIT, CRISC, CISSP, CDPSE, CCSK, PMP, ISO27001 LA, ITILv3 certified cybersecurity professional with about 20 years of cybersecurity/privacy and 40 years of industry experience. He has managed many cybersecurity projects covering SOC reporting, ISO audits, VAPT assessments, Privacy, IoT, Governance Risk, and Compliance.

Identity and Access ManagementRisk ManagementSecurity Guidance

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Download the New Security Guidance v5!
CCSK v5: The Benchmark for Cybersecurity Expertise
AI Model Risk Management Framework
Trending This Week
#1 Discover CCSK v5: The New Standard in Cloud Security Expertise
#2 CSA STAR Certifications: What are they?
#3 AI Safety vs AI Security: Navigating the Commonality and Differences
#4 CCSK vs CCSP: An Unbiased Comparison
#5 Six Pillars of DevSecOps Series
Enhance your cloud security skills with CSA's online training options.
Related Articles:
Modern Terms and Concepts for a Zero Trust Mindset

Published: 07/26/2024

Top 4 Use Cases of Non-Human Identity Security: Live Event Recap

Published: 07/26/2024

Adding a Twist to the Epic of Vulnerability Management

Published: 07/25/2024

Asking the Right Questions About ASPM

Published: 07/24/2024