CCSP-2-Cloud-Data-Security
Key Management Challenges
1) Access to the keys 2) Key storage 3) Backup and replication
SIEM Features
1) Aggregation 2) Correlation 3) Alerting 4) Reporting 5) Compliance 6) Dashboards 7) Retention
Components of Data Control
Act as a mechanism to restrict the list of possible actions down to the allowed or permitted actions. 1) Actor(s) of the data 2) Location(s) of the data 3) Function(s) of the data Hint: ALF controls the data
Key Management Interoperability Protocol (KMIP)
An extensible communication protocol that defines message formats for the manipulation of cryptographic keys on a key management server. This facilitates data encryption by simplifying encryption key management.
Indirect Identifiers
Attributes such as demographic and location data that, when used together, could lead to the identity of the individual. Think of inference.
Data Archiving
Moving data from a production system and placing it onto another system that is configured for long-term storage and is usually cheaper.
Service Level Agreement (SLA)
Must clearly define the roles for both the cloud provider and the cloud customer, and ensure that the requirements and responsibilities for each aspect of the privacy acts are addressed.
Key Management - Software Environments
Not as secure as hardware, especially since it cannot provide evidence of tampering. Will not meet the physical security requirements specified in FIPS 140-2 or 140-3.
Object Storage Encryption
Offers server-side, storage-level encryption with limited effectiveness. Recommended: integrate external encryption mechanisms to encrypt the data prior to its arrival within the cloud environment.
Data Lifecycle - Create
Phase 1 of the cloud data lifecycle. Can be data that is newly created, data that is imported into a system and new to that system, or data that is already present and modified into a new form or value. The most appropriate phase to classify and assign rights to the data.
Data Lifecycle - Store
Phase 2 of the cloud data lifecycle. The first place where security controls can be implemented to protect data at rest. Must ensure that all storage methods employ whatever technologies are necessary for the data's classification level, including the use of access controls, encryption and auditing. ACLs/encryption should be used to protect the data. 1) Access controls 2) Encryption 3) Rights management 4) Content discovery
Data Lifecycle - Use
Phase 3 of the cloud data lifecycle. This phase is considered to be purely read-only because, unlike the Create phase, it does not cover modification. Controls such as DLP, IRM, and database and file access monitors should be implemented to protect the data and audit its access. 1) Activity monitoring and enforcement 2) Rights management 3) Logical controls 4) Application security
Data Lifecycle - Share
Phase 4 of the cloud data lifecycle. Data is made available for use by external entities. Once the data leaves the main system, it is no longer under the security control mechanisms employed there. Technologies such as DLP can be used to detect unauthorized sharing, and IRM technologies can be used to maintain control over the information. 1) CMP/DLP 2) Encryption 3) Logical controls 4) Application security
Data Lifecycle - Archive
Phase 5 of the cloud data lifecycle. Involves moving data to long-term storage, thus removing it from being active or "hot" within a system. Regulatory requirements and technologies (new vs. obsolete) must be considered. 1) Encryption 2) Asset management
Data Lifecycle - Destroy
Phase 6 of the cloud data lifecycle. The data is either made inaccessible or permanently erased, with the method and approach based on the classification and sensitivity of the data. Methods such as overwriting and cryptographic erasure are far more feasible in a cloud environment than other traditional methods. 1) Crypto-shredding 2) Secure deletion 3) Content discovery
Ephemeral Storage
Relevant for IaaS instances and exists only as long as its instance is up. Used for swap files and other temporary storage needs; it is terminated with its instance.
Volume Storage Encryption
Requires that the encrypted data reside on a volume. 1) Instance-based 2) Proxy-based
Data Dispersion
Similar to a RAID solution, but implemented differently, since storage blocks are replicated to multiple physical locations across the cloud. Involves the use of erasure coding, which chunks a data object (think of a file with self-describing metadata) into segments. Each segment is encrypted, cut into slices, and dispersed across an organization's network to reside on different hard drives and servers. Provides high availability for data, assurance, and performance for storage applications.
Data Responsibility
Sole responsibility of the cloud customer for all cloud models offered
Governance Responsibility
Sole responsibility of the cloud customer for all models
Physical Environment Responsibility
Sole responsibility of the cloud provider no matter what cloud model is offered
Security Information and Event Management (SIEM)
Combines SIM and SEM to provide real-time analysis of security alerts generated by network hardware and applications. 1) Data aggregation 2) Correlation 3) Alerting 4) Dashboards 5) Compliance 6) Retention 7) Forensic analysis
Content Delivery Network (CDN)
Content is stored in object storage and then distributed to multiple geographically dispersed nodes to improve Internet consumption speed.
Cloud Storage
Data storage that is made available as a service via a network
Encryption - Data at Use (DIU)
Data that is being shared, processed or viewed. This stage is less mature than the other data encryption techniques and typically focuses on IRM/DRM solutions.
Structured Storage
Data that is highly organized and categorized, so that it can easily be placed within a database or other storage system that is created with rule sets and a normalized design. Allows application developers to easily import data from other data sources or nonproduction environments and have it ready to use for production systems and readily searchable. PaaS
The Right to be Forgotten
Encompasses an individual's right to have their presence removed from search engine indexes and results. EU laws fully support this.
Data Encryption in IaaS
Encryption encompasses both volume and object storage solutions in this cloud model
Transparent
Encryption that is part of a database and not noticeable by the user. Integrated with the actual database processes and works as part of the ongoing workflow.
Database - File-level Encryption
Encrypts the volume or folder of a database with the encryption engine and keys residing on the instances attached to the volume
Encryption
Ensures confidentiality. Should always be directly related to business considerations, regulatory requirements and any additional constraints that the organization may have to address. The strength of the encryption should be at least commensurate with the sensitivity of the data it protects.
Content and File Storage
File-based content is stored within the application. Held by the application in another means of storage so as to be accessible to the users. SaaS
Data Storage Types - PaaS
Structured and unstructured
DLP - Data in Use (DIU)
The DLP application is installed on users' workstations and endpoint devices. This topology offers insight into how the data is used by users, with the ability to add protection that network DLP may not be able to provide. The challenge with client-based DLP is the complexity, time and resources needed to implement it across all endpoint devices, often across multiple locations and significant numbers of users. Sometimes referred to as client-based or endpoint-based DLP.
DLP - Data at Rest (DAR)
The DLP engine is installed where the data is at rest, usually one or more storage subsystems, as well as file and application servers. Sometimes referred to as storage-based DLP.
Direct Identifiers
The actual personal and associated private data.
Basic Storage-Level Encryption
The encryption engine is located at the storage management level, with the keys usually held by the cloud provider. The engine encrypts data written to the storage and decrypts it when it exits the storage. Relevant to both object and volume storage, but it will only protect against hardware theft or loss, NOT against unauthorized external administrators accessing the storage.
Database - Application-level Encryption
The encryption engine resides in the application that is utilizing the database
Application-level Encryption
The encryption engine resides in the application that is utilizing the object storage. It can be integrated into the application component or provided by a proxy that is responsible for encrypting the data before it goes to the cloud. The proxy can be implemented on the customer gateway or as a service residing at the external provider.
Database - Transparent Encryption
The encryption engine resides within the DB and is transparent to the application. Keys usually reside within the instance, although processing and managing them may also be offloaded to an external Key Management System (KMS). This encryption can provide effective protection from media theft, backup system intrusions and certain database- and application-level attacks.
DLP - Discovery and Classification
The first stage of a DLP implementation. An ongoing and recurring process; the majority of cloud-based DLP technologies are predominantly focused on this component. Maps data in cloud storage services and databases and enables classification based on data categories (regulated data, credit card data, public data, etc.).
Discovery and Classification Phase
The first stage of the DLP implementation. Focused on the actual finding of data that is pertinent to the DLP strategy, ensuring that all instances of it are known and able to be exposed to the DLP solution, and determining the security classification and requirements of the data once it has been found. Allows the matching of data within the environment to any regulatory requirements for its protection and assurance.
DLP - Data in Motion (DIM)
The monitoring engine is deployed near the organizational gateway to monitor outgoing protocols such as HTTP/HTTPS, SMTP and FTP. The topology can be a mixture of proxy-based, bridge, network tapping or SMTP relays. Sometimes referred to as network-based or gateway DLP.
Data Discovery
The process of analyzing data from a variety of sources in order to find useful intelligence from it
Static Masking
The process of creating a separate and distinct copy of the data in place that serves as the mask. Most appropriate for data that is created for nonproduction environments where testing is necessary and the format needs to be the same.
Data Anonymization
The process of either encrypting or removing PII from a dataset so that the people whom the data describes remain anonymous. Two data types: 1) Direct identifiers 2) Indirect identifiers
Cryptoshredding
The process of encrypting data with a strong encryption engine, then taking the keys that were generated in that process and encrypting them with a different encryption engine, then destroying those keys. Most practical for the cloud.
Masking
The process of hiding, replacing or omitting sensitive information from a specific dataset, e.g. everything but the last four digits of an SSN: ###-##-1234. Commonly used for test data sets in nonproduction and development environments.
Data Retention
The process of keeping and maintaining data for a period of time, as well as the methods used to accomplish these tasks. Requirements could be based on regulatory laws and/or company policies. Data should never be stored longer than required, due to potential legal issues.
Classification
The process of organizing data by relevant categories so that it may be used and protected more efficiently
Anonymization
The process of removing indirect identifiers in order to prevent data analysis tools or other intelligent mechanisms from collating or pulling data from multiple sources to identify individual or sensitive information
Tokenization
The process of substituting a sensitive data element with a non-sensitive equivalent: a collection of random values with the same data structure that can be mapped, via an additional database, back to the original sensitive data. THIS is not encryption and presents different challenges and different benefits.
Overwriting/Zeroing
The process of using random data or null values to write over the data sectors that previously contained sensitive or proprietary information. Hard to cover in a cloud environment, since data can be spread across multiple systems in multiple regions at any given time. Not foolproof.
Dynamic Masking
The process that allows masking to take place in a live, production environment; usually implemented between the application and its data access layer.
DLP - Monitoring
The second stage of a DLP implementation. Oversees the usage of data across locations and platforms while enabling administrators to define one or more usage policies. Installed on gateways, servers, storage, workstations and endpoint devices, depending on the data state (DIM, DAR, DIU).
Monitoring Phase
The second stage of the DLP implementation. Encompasses the core function and purpose of a DLP strategy. Involves the actual process of watching data as it moves through the various states of usage to ensure it is being used in appropriate and controlled ways. Ensures that those who access and use the data are authorized to do so and are using it in an appropriate manner.
Raw Storage
The storage represented by the drives themselves. Raw device mapping (RDM) is a method used by VMware that allows a virtual machine to directly access the storage device.
DLP - Enforcement
The third stage of a DLP implementation. Many DLP tools provide the capability to interrogate data and compare its location, use or transmission destination against a set of policies to prevent data loss. If a policy violation is detected, specified relevant enforcement actions can automatically be performed.
Enforcement Phase
The third stage of the DLP implementation. The actual enforcement of policies and any potential violations caught as part of the monitoring stage. If any potential violations are detected by the DLP implementation, a variety of measures can be automatically taken, depending on the policies set forth by management. These can range from simply logging and alerting on a potential violation to actually blocking and stopping the potential violation when it is first detected.
Encryption - Data in Motion (DIM)
This stage is the most mature and well-defined, and includes IPsec or VPN, TLS/SSL and other "wire-level" protocols.
Data Storage Types - IaaS
Volume and object
Encryption - Data at Rest (DAR)
When data is archived or stored, different encryption techniques should be used. The encryption mechanism itself will vary in the manner in which it is deployed, depending on the timeframe or period for which the data will be stored. Examples include extended retention vs. short-term storage, data located in a database vs. a file system, etc.
Data Storage Architectures - PaaS
1) Structured 2) Unstructured
Data Storage Threats
1) Unauthorized usage 2) Unauthorized access 3) Liability due to regulatory non-compliance 4) DoS/DDoS attacks 5) Corruption/modification/destruction 6) Data leakage/breaches 7) Theft or accidental loss of media 8) Malware attack or introduction 9) Improper treatment or sanitization after end of use
Data Storage Architectures - IaaS
1) Volume 2) Object
Object Storage
A defined, hierarchical file storage that operates via an API or a web service call. Rather than being located in a file tree structure and accessible as a traditional hard drive, files are stored as objects in an independent system and given a key value for reference and retrieval. Many cloud systems use THIS for virtual host images and large files. Used for write-once, read-many data. Examples: Amazon S3, Dropbox, Rackspace Cloud Files. IaaS
Homomorphic Encryption
A form of encryption that allows the manipulation of encrypted data without actually decrypting it while in use. The technology is still too new.
Digital Rights Management (DRM)
A set of access control technologies that add an extra layer on top of a data object to protect copyrighted works from theft. ACLs are embedded into the file, which makes them agnostic to the location of the file.
Data Loss Prevention (DLP)
A set of controls and practices put in place to ensure that data is only accessible and exposed to those users and systems authorized to have it. The goal for an organization is to manage and minimize risk, maintain compliance with regulatory requirements and show due diligence on the part of the application and data owner. Detects exfiltration of certain types of data (SSNs, account numbers, etc.).
Information Rights Management (IRM)
A subset of DRM technologies that protect sensitive information from unauthorized access. Additional control layers (ACLs) are applied to a file (agnostic to location) that allow much more granular and powerful control over what can be done with it, beyond what can be achieved with normal file system permissions. Requires that all users with data access have matching encryption keys. Protects documents, e-mails, web pages, database columns and other things worth protecting.
Long-term Storage
A type of storage offered by many cloud providers that is ideal for data archiving. Features include low cost, search, guaranteed immutability and data lifecycle management.
Volume Storage
A virtual hard drive that is allocated by the cloud provider and attached to the virtual host. The OS sees the drive the same way it would in the traditional server model and can interact with it in the same way. The drive can be formatted and maintained as a file system in the traditional sense and utilized as such, and should provide redundancy. Examples: VMware VMFS, Amazon EBS, Rackspace RAID, OpenStack Cinder. Another name for "block" storage. IaaS
Open Web Application Security Project (OWASP)
A worldwide, not-for-profit, charitable organization focused on improving the security of web application software. Also provides a comprehensive set of definitions and guidelines for identifying, labeling and collecting data events that are useful and pertinent to applications and security, whether in a cloud or a traditional data center.
Information Storage and Management (ISM)
Data is entered into the system via the web interface and stored within the SaaS application (usually a backend database). This data storage utilizes databases, which in turn are installed on object or volume storage. SaaS
User's Device
The DLP solution is located HERE for data-in-use monitoring.
Cloud Controls Matrix (CCM) - Security Domains
1) Application and Interface Security 2) Audit Assurance and Compliance 3) Business Continuity Management and Operational Resilience 4) Change Control and Configuration Management 5) Data Security and Information Lifecycle Management 6) Data Center Security 7) Encryption and Key Management 8) Governance and Risk Management 9) Human Resources 10) Identity and Access Management 11) Infrastructure and Virtualization Security 12) Interoperability and Portability 13) Mobile Security 14) Security Incident Management, eDiscovery, and Cloud 15) Supply Chain Management, Transparency, and Accountability 16) Threat and Vulnerability Management
Log Data That Should Not Be Saved
1) Application source code 2) Session IDs 3) Access tokens 4) PHI/PII 5) Authentication passwords 6) DB connection strings 7) Encryption keys 8) Financially/commercially sensitive data 9) Security classifications higher than the logs 10) Data illegal in the relevant jurisdiction 11) Opt-out/do-not-track data
IRM Features
1) Auditing 2) Data expiration 3) Policy control 4) Protection 5) Support for applications and formats like MS Office, SharePoint, Azure, etc.
Cloud Data Lifecycle
1) Create 2) Store 3) Use 4) Share 5) Archive 6) Destroy Hint: CSU SAD
DLP Data States
1) Data at Rest (DAR) 2) Data in Transit (DIT) 3) Data in Use (DIU)
DLP Architecture
1) Data in Motion (DIM) 2) Data at rest (DAR) 3) Data in use (DIU)
Cloud-Based DLP Considerations
1) Data in the cloud tends to move and replicate 2) Administrative access for enterprise data in the cloud can be tricky 3) DLP technology can affect overall performance
DLP Components
1) Discovery and classification 2) Monitoring 3) Enforcement Hint: DME
DLP Phases
1) Discovery and classification 2) Monitoring 3) Enforcement Hint: DME
Data Security Strategies
1) Encryption 2) Key management 3) Masking 4) Obfuscation 5) Anonymization 6) Tokenization
Data Archiving Considerations
1) Format (standard/portable) 2) Technologies (obsolete) 3) Regulatory requirements (minimum) 4) Testing (can restore) Note: Size is NOT considered here
Cloud Provider's Restricted Logs
1) Hypervisor 2) DNS 3) Portal 4) Network perimeter. The SLA should dictate whether these logs are accessible to the cloud customer.
Data Storage Architectures - SaaS
1) Information storage and management (ISM) 2) Content and file storage
Key Storage Implementations
1) Internal Storage 2) External Storage 3) External and Independent Storage
Management Types for Cloud Key Storage
1) Internally 2) Externally 3) Third-party
Methods of Data Discovery
1) Metadata 2) Labels 3) Content Analysis
Data Storage Types - SaaS
Can use the widest array of storage types including ephemeral, raw and long-term
File-level Encryption
DRM/IRM solutions can do this effectively. The encryption engine is commonly implemented on the client side, which preserves the format of the original file.
Unstructured Storage
Information that cannot be used, or easily used, in a rigid and formatted database structure. Includes text, large multimedia files (videos, audio), photos, files produced by office applications, email, etc. PaaS
Key Storage - Third-party Managed
Key escrow services are provided by a trusted third party. Key management providers use specifically developed secure infrastructure and integration services for key management.
External and Independent Storage
Key storage is handled by an organization dedicated to that specific task that maintains systems specifically scoped for that function with well-documented security configurations, policies and operations
Key Storage - Externally Managed
Keys are maintained separate from the encryption engine and data. They can be on the same cloud platform, internally within the organization or on a different cloud. The actual storage can be a separate instance, like a hardware security module (HSM). When implementing external key storage, consider how the key management system is integrated with the encryption engine and how the entire lifecycle of key creation through to retirement is managed.
External Storage
Keys are maintained separately from the systems and security processes (such as encryption). They can be anywhere so long as it is not the same system performing the encryption functions; typically this would be a dedicated host within the same environment, but it could be completely external too. Availability could be an issue if the keys are inaccessible.
Internal Storage
Keys are stored and accessed within the same virtual machine as the encryption service or engine. Keeps the entire process together and is appropriate for some storage types, such as database and backup system encryption. Could be easily compromised, since both reside in the same image.
Key Storage - Internally Managed
Keys are stored on the virtual machine or application component that is also acting as the encryption engine. Used in storage-level encryption, internal database encryption or backup application encryption. Helpful for mitigating the risks associated with lost media.
