Compensating Controls in a Hybrid Cloud

So I’d never hear of “compensating controls in a hybrid cloud” before.  I learned about today while reading the CCSP book. I knew the concept, but never formally. I’ve always made a point to keep things monitored. I’ve also implemented redundant monitoring  before. But reading about this has made me want to standardize this technique as a new baseline going forward.

CCSP Logo on the Compensating Controls post pageI’m envisioning redundant systems with automatic provisioning. One set to a higher warning threshold. Icinga2 and LibreNMS perhaps? Will have to include the deployment of their configuration into the system build process. Though I could also  automate it externally I suppose.  I already have Icinga2 pulling computer objects directly from Active Directory via LDAP query. That works well. I’ll need something similar for Libre though. Still, that shouldn’t be a heavy lift.

I also want to check into Azure specific offerings. I know they have Azure Monitor. But having recently discovered Operations Management Suite. I’m now wondering what else is out there.

Another thing to consider would be automatic remediation actions. With two monitoring systems it’s possible for both  to attempt remediation.  This could lead to some undesired and potentially unexpected behavior. So there would have to be some more logic in B to detect if A had run. If it had, B wouldn’t do so as well.

Probably something like a log file would do the job. If system A runs the last step is to log “success” in a file. System B looks for that file entry before  running. If system A is down or fail, system B will act.

Anyway, there’s my thoughts for today. Time to start work.  Check out some other professional development posts .

Getting CCSP Certified: Progress Update

So, following up to my last post, I’m making progress on getting CCSP certified. 120 pages into The Official (ISC)² Guide to the CCSP CBK and it’s basically what I expected. Dry as a desert, but good knowledge regardless. It’s been good really digging into the technical and policy differences surrounding IaaS, PaaS, and Saas. These are one of the topics I’ve always worked with, but never really studied in any serious depth.


One new technology I’ve read about is “bit splitting” which is just a cloud version of cryptographic splitting. Conceptually, I like the idea of splitting up data into multiple locations. There are some obvious challenges, especially the increased chance for availability issues, but assuming those can be effectively managed what a great idea.

I’m also growing more interested in a true DRM system. Looking into Azure Rights Management. The idea of basically encrypting damn near everything kind of has me uneasy, but the benefits that come with it are very tempting indeed.

Learned about homomorphic encryption which was  totally new to me. So that’s neat.

Another thing I’ve since learned about is Azure Stack. From the sound of it, this is basically what openstack wants to be, but much more heavily integrated into Azure. (for obvious reasons)  I will absolutely be setting up a test/dev of this going forward. The ability to spin up a hybrid cloud using the same toolset for on-prem and public cloud sounds AMAZING. But, that said, this is Microsoft. My experience with them has always involved some bizarre gotcha somewhere. So I’m sure that when I do go to build it out, I’ll find something somewhere that blows the idea all to hell.

I took a couple of practice tests as well. 83% on the first and 30% on the second one. CLEARLY some more reading to do… so much for passing this exam cold.

That’s it for today, stay tuned if this is of any interest and I’ll add about working towards getting CCSP certified as things progress.

CCSP: Here We Go

So, given that I won’t be doing any travelling, conferences, or really anything for a while I’ve decided to pursue CCSP certification as a compliment to my existing CISSP. Today is day one down that path. I recently bought both the official study guide and the exam  questions from (ISC)².


It’s been a few years since I did my last certification exam. I’m actually kind of looking forward to it.  Learning new things has always thrilled me. A large portion of the material in the books is review, but there is definitely some new stuff.

HackTheBox and red teaming practice is great for learning about things like breaking and entering, but regulatory framework? Not so much. Even though I have experience with HIPAA/PCI/CALEA yada yada, it’s mostly been OJT.  It’s good to dig in and do some more formalized study. Given that my new position at work is very much blue team, some supplemental research  is necessary anyway, so why not get certified for all that reading, right?

I think I’m going to spin up a home lab to complement the book materials as well. I’m thinking a hybrid on-prem/Azure  environment. The goal there will be to build a best practices to the max fortress. Play with all the bells and whistles. OMS, ATP, etc. That should be fun. I already have a vSphere 6.5 environment with shared storage, layer 3 switching, and all the trimmings in my basement. (Even a 24u rack! The electricity company loves me…) So most of the pre-work for that is done.

As my studies progress toward getting that CCSP certification I’m going to keep a running log on this page mostly for my own benefit. I’ve also created a new category called Professional Development to keep things organized. So if this interests you, stay tuned. Feel free to reach out if this interests you as well. Email is my title of this site @ Proton Mail.

About Pyrrh1c

The entire purpose of this blog is to track the things I’m learning as I study offensive security. It will act as a reference point for the future.

It’s called Pyrrh1c in reference to the phrase “phyrrhic victory“. I always accomplish my objectives, even if the effort and cost is disproportionate to the goal. So since this study has already occupied a ridiculous amount of my time why not embrace the madness?