Chapter 3 - Security and Compliance


Basic Components of Encryption System

1. Data
2. Encryption engine
3. Encryption keys

DLP Data States

1. Data At Rest
2. Data In Transit
3. Data In Use

Cloud Encryption Challenges

1. Dependence on key sets - if you can't secure the keys, you can't secure the encryption process.
2. Use of shared software-based encryption components in a multi-tenant environment presents a risk to processors and memory. Memory may be vulnerable to exposure, and this could compromise implementations of encryption operations.

AWS Support Plans

1. Developer
2. Business
3. Enterprise

DLP Components

1. Discovery & Classification
2. Monitoring
3. Enforcement

AWS Enterprise Support Plan Highlights

1. Highly personal and responsive service to AWS customers at the highest level.
2. 24/7 access to support engineers via phone, chat, or email. Tickets can be opened by an unlimited number of contacts.
   - General Guidance Response Time: < 24 hours
   - System Problems And Issues Response Time: < 12 hours
   - Production System Problems Response Time: < 4 hours
   - Production System Outages Response Time: < 1 hour
   - Critical System Outage Response Time: < 15 minutes
3. Proactive support programs to review your services and implementations in the areas of architecture, operations, and infrastructure event management.
4. Dedicated support concierge team to review your services and implementations in the areas of architecture, operations, and infrastructure event management.
5. Your very own AWS TAM (Technical Account Manager) to work with you on all issues and outages, as well as access to AWS resources. The TAM will participate in Disaster Recovery planning and drills, and provide a personal and direct contact for any support or account issues.

AWS Developer Support Plan Highlights

1. Ideal for those starting their early testing or development with AWS who want access to general guidance.
2. Access to seven core advisor checks for guidance on best practices for reducing cost, along with improving performance, fault tolerance, and security.
3. Access to an API which allows for integration with monitoring or management systems, and to the AWS Personal Health Dashboard, which provides a view of overall AWS services and their current health, along with the impact of any issues on specific resources.
4. Technical support access to cloud engineers during normal business hours, where one designated contact on your account can open an unlimited number of support cases (IAM account users cannot access support).
   - General Guidance Response Time: < 24 hours
   - System Problems And Issues Response Time: < 12 hours
5. Architecture support for general guidance on AWS services and how they can be optimized for various use cases, expected workloads, or particular application requirements.

What are the cloud key management techniques?

1. Internal Storage
2. External Storage
3. External and Independent Service or System

AWS Business Support Plan Highlights

1. The plan offers architectural guidance and is geared towards those with production workloads hosted in AWS who desire 24/7 support.
2. Access to all 115 core advisor checks that cover fault tolerance, optimization, performance, security, and service limits. Each check comes with recommendations based on best practices.
3. Access to the AWS Personal Health Dashboard, which provides a personalized view of AWS services in use along with alerts about potential impacts.
4. 24/7 access to support engineers via phone, chat, or email. Tickets can be opened by an unlimited number of contacts.
   - General Guidance Response Time: < 24 hours
   - System Problems And Issues Response Time: < 12 hours
   - Production System Problems Response Time: < 4 hours
   - Production System Outages Response Time: < 1 hour
5. Specific guidance for architectural support geared towards AWS services and how they suit your needs, workloads, and application configuration.
6. Access to programmatic APIs for the AWS Support Center, which enable you to open, update, or close support tickets as well as manage Trusted Advisor requests and statuses.
7. Assistance with AWS interoperability with commonly used third-party software and/or platforms.
8. Access to proactive support programs, which allow the option to purchase access to infrastructure event management services that provide architecture and scaling guidance in real time for support during preparation and rollout of planned events, releases, or migrations.

Which AWS support service gives a report on configuration compliance with best practices?

AWS Trusted Advisor provides a dashboard to check if account configurations comply with established best practices.

AWS Root Account

Account that has access to E-VE-RY-THING. You can create users, provision resources, and incur financial obligations. It is considered best practice not to use the Root account and instead to create and use accounts with more limited access. The Root user should be secured with a strong password as well as MFA.

Which area of responsibility lies with the customer in PaaS implementation?

Application Code

Multi-factor authentication (MFA)

Combination of at least two of the following requirements:
1. Something the user knows - almost exclusively, this is a password.
2. Something the user possesses - could be a USB device, RFID chip, access card, RSA token, text message code sent to a mobile device, etc.
3. Something the user is - biometrics such as fingerprints, retina scans, palm prints, and so on.

AWS Partner Network

Consulting services and software to help with cloud adoption and optimization.

Underutilized systems will be flagged under which components of the Trusted Advisor?

Cost Optimization flags any resources that are incurring billing charges but are either inactive or underutilized.

Shared Responsibility Model - PaaS

Customer Responsibility - Deploy app:
1. Data
2. Application Code

Cloud Provider Responsibility - Entire platform:
1. Database
2. Operating System
3. Virtualization
4. Networking
5. Storage
6. Hardware

This is heavily used in DevOps.

Shared Responsibility Model - SaaS

Customer Responsibility:
1. Data

Cloud Provider Responsibility:
1. Application Code
2. Database
3. Operating System
4. Virtualization
5. Networking
6. Storage
7. Hardware

Shared Responsibility Model - IaaS

Customer Responsibility:
1. Data
2. Application Code
3. Database
4. Operating System

Cloud Provider Responsibility:
1. Virtualization
2. Networking
3. Storage
4. Hardware

Responsibilities are similar to those of a data center.

Data At Rest Encryption

DAR encryption should be high performing, vendor neutral, and provide high levels of protection.

DLP Data States - Data In Transit

DLP is deployed near the network perimeter to capture HTTP/HTTPS and SMTP traffic leaving the network that does not meet security policy. Encrypted traffic adds a layer of complexity because the DLP needs to be able to understand what is leaving.

DLP Data States - Data In Use

DLP is deployed on users' workstations to monitor data access and use from the endpoint. This grows in complexity as you have more users and need to cover more endpoints.

DLP Data States - Data At Rest

DLP is installed on systems such as servers or workstations which usually contain archived or long-term data that will be at rest.

AWS Trusted Advisor

Dashboard that checks account configurations to verify they comply with established best practices in the areas of:
1. Cost Optimization
2. Fault Tolerance
3. Performance
4. Security
5. Service Limits

What type of encryption mechanism is used for data that is hosted and stored on a system?

Data At Rest - information stored on a system or device (versus data being transmitted across a network). Data can be stored in different forms such as a database, file sets, spreadsheets, documents, tapes, archives, and even mobile devices.

Data At Rest

Data stored on a system/device as opposed to being actively transmitted across the network.

Encryption Data State - Data In Use

Data that is actively accessed and processed.

Encryption Data State - Data In Transit

Data that is in active transmission across the network.

Which AWS support plan is best suited for those exploring AWS services and beginning to test deployments?

Developer plan is ideal for those starting their early testing of AWS or development within AWS.

Which AWS support plan offers response time of less than 15 minutes for critical system outages?

Enterprise

Hashing

Given input of any size, length, or type, a function maps it to a fixed-size value, which is then used to verify the integrity of the data. This value is also known as a checksum, digest, or fingerprint.

AWS IAM Roles

Granular user permissions that can be attached to users or groups and allow for different activities such as reading/writing data, deploying services, provisioning access, and so on. AWS has a large number of predefined roles that can be leveraged when creating a group based on particular needs. These can be modified at any time.

Which security technique involves taking data of an arbitrary size of length and converting it to a fixed size?

Hashing - a function maps a piece of data of arbitrary size, length, or type to a fixed-size value. Hashing can be applied to virtually any type of data - from a string to a blob to a virtual machine image.

DLP Challenges In Cloud

How data will be stored in the cloud is unpredictable. Data could be spread amongst large storage systems with varying degrees of replication and redundancy. It becomes a moving target, and it is a challenge to keep track of and apply policies to a moving target. Since cloud services are metered costs, and since DLP adds load and resource consumption, the potential for higher costs above and beyond the cost of the DLP solution is a real concern.

AWS Support - Developer Plan

Ideal plan for early stages of development and testing in AWS where support may be needed during business hours.

AWS Support - Business Plan

Ideal plan for those with production workloads in AWS where support may be needed 24/7.

Encryption Data State - Data At Rest

Idle data within an environment and storage system, where the encryption method should depend on the location of the data, such as an independent file or a database.

Cloud Key Management - External and Independent Service or System

Key storage is handled by an organization dedicated to the specific task.

Cloud Key Management - External Storage

Keys are maintained separately from the system and security process. The external host could be anywhere so long as it is not on the same system that is performing the encryption functions.

Tokenization

Lookup-based substitution that replaces protected data with a token in order to remove sensitive data from the application.

Dynamic Masking

Masking process implemented between the application and data layers, where the masking translation happens live as the application processes data.

Data In Transit Encryption

Most common methods are SSL and TLS under HTTPS (the same methods used by clients and browsers to communicate with the internet). Other common methods are VPN and IPsec, which are often used in parallel to provide the highest level of protection. To maintain portability and interoperability, DIT encryption should be vendor neutral.

Volume Storage Encryption

Most useful in DAR scenarios. Since the application can read the encrypted data on the volume, any compromise of the application will render the file system encryption ineffective when it comes to protecting data.

What should be configured to improve the security of the root user for your account?

Multi-factor Authentication (MFA)

Cost of Managed Resources vs Unmanaged Resources

Naturally, managed resources have a higher direct cost, but once you factor in the time and staff it takes to perform the same level of responsibilities, managed resources are almost always a benefit over unmanaged resources. Ex: You can install SQL Server, but then you implicitly become the DBA. In contrast, you could opt to use AWS RDS and offset the burden of DBA responsibilities. The cost is offset by focusing time on business operations rather than performing system administration.

AWS Professional Services

Offerings that include activities, white-papers, tech-talks, webinars, documentation, best practices, and ability to work with AWS Partner Network to form methodologies and best practices to help with moving to the cloud.

AWS Artifact

On-demand download of security and compliance documents. AWS undergoes certification reviews and audits from various governing bodies. Among these are:
1. PCI DSS for financial / credit card transactions
2. FedRAMP for U.S. Federal Government systems
3. SOC for Service Organization reports

You also have the ability to ask your users to acknowledge compliance agreements for individual accounts. Agreements can be terminated if no longer needed (i.e., an employee leaves).

AWS IAM User Groups

Package of settings used to assign a standard set of permissions to users as they are added to the system, where anyone added to the group automatically inherits the appropriate permissions.

AWS Support - Enterprise Plan

Plan with highest level of support geared towards full optimization of AWS experience.

DLP Components - Enforcement

Process of enforcing policies, such as logging, alerting, and stopping any violations caught during the monitoring stage.

DLP Components - Discovery & Documentation

Process of identifying the right data, determining the proper security classification, and so on.

Data Anonymization

Process of securing sensitive data to prevent the ability to identify an individual through various data elements.

DLP Components - Monitoring

Process of watching the data as it moves through various states of usage to ensure it is being used appropriately by those who are authorized to do so.

Credential Report

Report that identifies users, their level of access, date last logged in, status of keys issued, when the key was last rotated, and so on.

Unmanaged Resources

Resources hosted within the cloud environment where the customer is responsible for host functions.

Managed Resources

Resources owned by the cloud provider where the cloud provider is responsible for installation, patching, maintenance, and security.

What term refers to capabilities that are attached to an account and enable them to perform specific functions or control services?

Roles - granular permissions that are granted to the users

Which protocol is most commonly used for federated authentication systems?

SAML (Security Assertion Markup Language) - open standard that facilitates the exchange of authentication and authorization data between two parties.

SAML

Security Assertion Markup Language is an XML-based standard for exchanging assertions used in authentication processes between identity providers and service providers. SAML 2.0 has been the adopted standard since 2005.

Static Masking

A separate and distinct copy of the data is created with masking in place. This is appropriate for non-production environments.

Data Loss Prevention (DLP)

Set of controls and practices to ensure data is only accessible and exposed to those authorized to have it.

AWS Trusted Advisor - Cost Optimization

Set of system checks that flag allocated resources you are being billed for that are either inactive or are not being used to their full capacity.

Cloud Key Management - Internal Storage

Simplest implementation method that ties the system and keys together such that the keys are stored and accessed within the same virtual machine as the encryption engine.

AWS Trusted Advisor - Fault Tolerance

System checks that flag any allocated resources that are configured in ways that make them vulnerable to interruption - such as resources with a single point of failure, non-replicated systems, or any system that does not have backups.

AWS Trusted Advisor - Performance

System checks that flag any configurations implemented in ways that prevent resources from running at peak performance.

AWS Trusted Advisor - Security

System checks that flag any deficiencies in security configurations that do not meet established best practices.

AWS Trusted Advisor - Service Limits

System checks that flag any services approaching a limit - such as number of instances or regional limitations.

Data In Transit

The state of data as it is moved from point A to point B, where the data is most vulnerable to unauthorized capture. Users who are part of a multi-tenant environment are at risk from other systems within the same environment.

Database Storage Encryption

There are typically two layers of encryption. The actual database is on volume storage that resembles the file system of a server; thus, the actual database files can be protected through encryption methods at the file system level. Within the database, encryption can be applied to the datasets - such as tables, columns, and so on.

Federated Access in AWS

Tools such as SAML or Microsoft AD can be leveraged to provision users, rather than creating them manually through the IAM account process. This allows organizations to use existing security and account practices without having to worry about maintaining them in another system. The benefit is that users can use existing credentials to access AWS, and if users are terminated in the organization, they are automatically terminated in AWS.

Data De-identification

Using masking, obfuscation, or anonymization to censor sensitive data so that it can be made available for dev or testing environments.

Object Storage Encryption

With Information Rights Management (IRM), encryption can be applied to objects to control their usage after they have left the system.
