CCSP Domain 2: Cloud Data Security Flashcards

1
Q

Encryption approaches for DAR, DIT, and DIU

A

The high-level architecture for encryption has three (3) components: the data, the encryption engine, and the encryption keys.

DAR / data at rest is idle within storage; encryption aligned to the characteristics / features of the storage type is recommended – e.g. field-level encryption, transparent encryption (if supported by the db), or whole-disk encryption, etc.

DIT / data in transit is under active transport across the network – TLS/SSL, VPN, IPSec, and HTTPS are recommended to protect DIT.

DIU / data in use is being actively accessed or processed; IRM / information rights management or DRM / data rights management is recommended to protect DIU.

2
Q

Tokenization

A

Substitutes non-sensitive data (the token) for sensitive data using a process that allows for mapping between the token and the sensitive data.

To illustrate: the token server stores both the token and the sensitive data. The user / application stores and uses only the token; when the token server grants a request from the user / application, it translates the token back to the sensitive data for the downstream process. (i.e. the user / application only ever sees the token.)

3
Q

High-level architecture of DLP

A

High-level architecture for Data Loss Prevention (DLP):

1) Discovery and Classification: crawls data and uses profiles to match and classify it – e.g. if a value matches ###-##-####, mark it as a social security number (SSN) and classify it as Restricted Use, etc.
2) Monitoring: classified data is monitored to ensure its use falls within the limits and constraints (i.e. policies) of the firm.
3) Enforcement: violations of policy result in alerts or are blocked automatically – e.g. if e-mailing Restricted Use data is not allowed, an e-mail with an SSN in the body is not sent.

4
Q

Data De-Identification: static and dynamic methods

A

Use of masking or obfuscation to make sensitive data less vulnerable to disclosure – e.g. an SSN is reduced to its last four digits.

Static masking creates a separate and distinct copy of the data with masking in place – one copy masked, one copy in the clear – and is often used in pre-production environments to support development without undue risk to sensitive data.

Dynamic masking applies masking between the data and the application layers to limit exposure in production environments.

5
Q

CSA CCM

Cloud Security Alliance Cloud Controls Matrix

A

Security domains of the CCM:

Application and Interface Security
Audit Assurance and Compliance
Business Continuity Management & Operation Resilience
Change Control & Configuration Management
Data Security & Information Lifecycle Management
Data Center Security
Encryption & Key Management
Governance & Risk Management
Human Resources
Identity & Access Management
Infrastructure & Virtualization Security
Interoperability and Portability
Mobile Security
Security Incident Management, eDiscovery, and Cloud
Supply Chain Mgmt, Transparency, and Accountability
Threat & Vulnerability Management

6
Q

DRM

Digital Rights Management

A

In the context of CCSP, DRM applies to the protection of consumer media such as music, publications, video, movies, etc.

Note that (ISC)2 training materials equate DRM to IRM / information rights management.

7
Q

IRM tools breakdown
Information Rights Management

Auditing
Expiration
Policy Control
Protection

A

Auditing: monitors and records who accesses what data

Expiration: bounds access to a given period of time – allows for expiration of access rights

Policy Control: granular control of data use and storage – who can copy, save, print, forward, or access data – with the ability to change these policies at any point in time and have those policy changes affect the whole of the user base

Protection: IRM systems provide persistent protection of data – i.e. DAR and DIT (data at rest and data in transit)

8
Q

Data Archiving Concepts

Regulatory Requirements
Disaster Recovery Requirements
Format
Technology
Testing

A

Regulatory requirements: what specification applies to the data – e.g. PCI, HIPAA, etc.?

Disaster recovery: RPO / recovery point objective, RTO / recovery time objective, and RSL / recovery service level need to be factored into your people, process, and technology decisions.

Format: How is the data represented and stored?

Technology: What are the technologies that will be used to create and maintain the archive? What media will be used and with what redundancy / fail safes in place?

Testing: ensure that the data can be retrieved and used if needed / QA the recovery process.

9
Q

What are the six (6) phases of the cloud data lifecycle?

A

The cloud data lifecycle consists of:

1) Create
2) Store
3) Use
4) Share
5) Archive
6) Destroy

10
Q

Describe the “create” phase of the cloud data lifecycle.

What controls should a CSP consider in this phase?

A

Data is newly imported, created, or modified in this phase.

At “create”, data classification should occur, since controls in all other phases of the cloud data lifecycle can benefit from this classification tag – i.e. it enables customization of controls based on the value of the data to the firm.

11
Q

Describe the “store” phase of the cloud data lifecycle.

What controls should a CSP consider in this phase?

A

Data is moved into ephemeral and persistent storage (e.g. volume, object, structured, unstructured, etc.).

At “store”, securing data transport and data at rest via encryption is essential; as with all phases post Create, controls / control strength may vary dependent upon information classification.

12
Q

Describe the “use” phase of the cloud data lifecycle.

What controls should a CSP consider in this phase?

A

Data is utilized by an application or user – it goes from data at rest to data in transit to data in use.

As data is “in the clear” when in use, identity and access management (IAM), network security (e.g. NAC, etc.), and data rights / information rights management (DRM / IRM) controls are needed to secure data use; as with all phases post Create, controls / control strength may vary dependent upon information classification.

13
Q

Describe the “share” phase of the cloud data lifecycle.

What controls should a CSP consider in this phase?

A

Data is moved outside of the system where Create occurred.

Share requires process controls to ensure the rights of the data subject, data owner, and data partner are maintained; data rights / information rights management (DRM / IRM) may be used to enforce process and mitigate the options available to bad actors. As with all phases post Create, controls / control strength may vary dependent upon information classification.

14
Q

Describe the “archive” phase of the cloud data lifecycle.

What controls should a CSP consider in this phase?

A

Data is removed from the active system and placed into long-term storage.

Archive relies on identity and access management (IAM) controls to ensure least privilege, encryption to protect data in transit and at rest, and should include a process to test and ensure data recovery is possible.

15
Q

Describe the “destroy” phase of the cloud data lifecycle.

What controls should a CSP consider in this phase?

A

Data is made irretrievable.

Destroy may utilize deletion, overwriting, cryptographic erasure, or a mixture of all three of these to ensure irretrievability; as with all phases post Create, controls / control strength may vary dependent upon information classification.

16
Q

What are the storage characteristics of infrastructure as a service (IaaS)?

A

Storage may be ephemeral or long-term:

Ephemeral storage means that data is processed, moved, and stored only so long as the instance is live – i.e. when the instance spins down, the data is lost.

Long-term storage means that the data is stored or archived and may be retrieved as needed.

Storage methods are file (volume) or object:

In file or volume storage, data is stored as a single piece of information inside a folder, just like you’d organize pieces of paper inside a manila folder – e.g. the hard drive on a VM.

Object storage, also known as object-based storage, is a flat structure in which files are broken into pieces and spread out among hardware. In object storage, the data is broken into discrete units called objects and is kept in a single repository, instead of being kept as files in folders or as blocks on servers – e.g. AWS S3.

17
Q

What are the storage characteristics of platform as a service (PaaS)?

A

All in One: notes that data is structured (e.g. relational database: name, address, phone number) or unstructured (e.g. NoSQL database: email, video, images).

(ISC)2: notes that data is in databases or big data as a service.

18
Q

What are the storage characteristics of software as a service (SaaS)?

A

Data storage architecture is determined by the SaaS provider; the cloud consumer has management / configuration options and backup options.

(ISC)2 notes three (3) use cases:

1) information storage and management: data is entered into a form and stored in the SaaS backend (e.g. Salesforce)
2) content file storage: data / a file is dropped into an interface, then uploaded to the SaaS backend (e.g. Box)
3) content delivery network: data is stored via object storage, then dispersed to multiple nodes or geo-locations.

19
Q

Anonymization

A

Removes indirect identifiers to lessen or prevent aggregation of indirect data into direct identification of a data subject.

20
Q

Data Masking / Obfuscation

random
algorithmic
shuffle
masking
deletion

A

The process of hiding, replacing, or omitting elements of sensitive data to reduce or eliminate the risks of using and sharing that data.

Methods:

random: 123 => 087 (a random value; “=>” reads as “becomes”)
algorithmic: 123 always => 456
shuffle: 123 => 231
masking: 123 => **3 or ***
deletion: 123 => 000

21
Q

Static Masking

A

A new copy of the data set is created with masked values – i.e. resulting in one sensitive data set and one masked data set.

Often used to create “safe” non-production environments.

22
Q

Dynamic Masking

A

Masking occurs between the database (db) and the application; masking is applied on the fly / in real time.

23
Q

Direct Identifiers

A

Data that allows for unique identification of a data subject – e.g. legal name, SSN, home address, etc.

24
Q

Indirect Identifiers

A

Data that describes conditions that are true of a data subject (and populations), but may or may not allow for unique identification – e.g. age, zip code, party affiliation, Facebook events, etc.

25
Q

Symmetric Encryption

A

Encryption in which a single key is used for both encryption and decryption.

Also known as single-, same-, or shared-key encryption; examples include AES and DES; key benefits are high speed for operations and low cost.

26
Q

Asymmetric Encryption

A

Encryption in which both a public and a private key are required.

Also known as PKI (public-private key infrastructure); examples include RSA and GPG; key benefit is decreased key count and complexity (the total number of keys required is lower, and the public key allows for easier distribution).

27
Q

Hashing

A

One-way encryption process in which input of any length produces an output of fixed length.

Hashing is used to produce integrity checks for data or applications over remote channels: the Originator hashes the item and posts both the item and the hash value; the User downloads the item, runs the same hash function locally, then compares the local hash to the value posted by the Originator. When the two are equal, the User can assume the item has not been altered by a third party.

28
Q

Transparent Encryption

A

Specific to databases (db): rows (tuples) are encrypted, as opposed to the whole of the db – an encryption engine within the db – i.e. invisible to the db user, ergo “transparent.”

29
Q

Key management options:

XKMS: XML key management system
KMIP: key management interoperability protocol
TPM: trusted platform module
HSM: hardware security module

A

XML Key Management (XKMS): protocol for distribution and registration of public keys

Key Management Interoperability Protocol (KMIP): defines message formats for the manipulation of cryptographic keys on a key management server.

Trusted Platform Module (TPM): an authentication chip placed on the main board of a device.

Hardware Security Module (HSM): a physical device that provides crypto-processing, safeguards, and management of keys for strong authentication.

30
Q

FIPS 140-2

A

NIST guidance on cryptography; key artifact is Security Level 1 (low) to Security Level 4 (high) with regard to quality of solutions.

31
Q

Bit splitting

A

Splitting and storing encrypted “bits” of data in different storage services within a vendor, and / or different zones of a service.

Methods include secret sharing made short (SSMS) and all-or-nothing-transform with Reed-Solomon (AONT-RS); both use erasure coding but SSMS allows for data retrieval with only part of the data while AONT-RS requires all the data else you get nothing.

32
Q

Homomorphic Encryption

A

Enables processing (compute) of encrypted data; current implementations are partial and consume additional compute, but it is worth watching, as this would offer a mitigation for DIU / data in use disclosure risk.

33
Q

Quantum Computing

A

Use of quantum bits (0, 1, or both 0 and 1), entanglement, and tunneling to achieve faster and larger compute; implementations are currently limited, but it is worth watching, as quantum computing will change the value of many controls – e.g. most encryption will become crackable, etc.

34
Q

Neural Networks

A

Collections of nodes (i.e. artificial neurons) that work in ways similar to human intelligence.

Could be used to automate attacks, automate defense, supplement human operators by filtering noise out of signal, etc.

35
Q

Data Sanitization / Destroy options

Physical destruction
Degaussing
Overwrite
Cryptographic erasure

A

Physical destruction: shred, incinerate, pulverize the media

Degaussing: erase the media by repeated exposure to strong magnets

Overwrite: write over the data with random data until it is too noisy to be useful / cannot be recovered

Cryptographic erasure: destroy the encryption keys to make the data unreadable so long as the encryption holds.

36
Q

Data discovery techniques:

metadata
labels
content analysis

A

Data discovery is the process of finding data across your environment: clients, file shares, SaaS, etc.

metadata: data about the data is used to discover data – e.g. find all items where author = ‘John Doe’, and the like.

labels: uses tags generated at create to discover data – e.g. find all data labelled ‘secret’ or find all data labelled ‘internal use only’, and the like.

content analysis: uses pattern matching, hashing, lexical search, etc., to discover data – e.g. find all data in the ‘###-##-####’ format, find all applications or documents that match hash x, or find all instances of “credit card,” and the like.

37
Q

Data Policy

A

A good policy will include standards or guidance regarding retention, data formats, data security, and the data retrieval process.