Chapter 4 – Cloud Data Security

Question 1

What are the phases of the Data Lifecycle?

Answer 1

Create > Store > Use > Share > Archive > Destroy

Question 2

What is the purpose of the Create phase?

Answer 2

Defines classification levels.

Question 3

How should data created remotely be handled?

Answer 3

Data created by the user should be encrypted before uploading to the cloud; protects against MIIM attacks/insider threats at cloud data center; connection should be secure too (IPsec or TLS VPN solution).

Question 4

How should data created within the cloud be handled?

Answer 4

Should be encrypted upon creation; allows both read and process functions to be performed.

Question 5

What does the Store phase refer to?

Answer 5

Usually refers to near-term storage; this phase will happen when the data is created (occurs simultaneously).

Question 6

What security measures should be taken during the Store phase?

Answer 6

Encryption at rest/transit should happen before this phase begins.

Question 7

What is important during the Use phase?

Answer 7

Platforms used to connect to data in the cloud need to be secure (VPN, IRM, DLP); data owners should restrict permissions; logging and audit trails are important when data are manipulated.

Question 8

What should be considered when sharing data?

Answer 8

Craft sharing restrictions based on jurisdiction; limit/prevent data being sent to certain locations (export/import controls); implement some form of egress monitoring.

Question 9

What are ITAR and EAR?

Answer 9

ITAR prohibits defense-related exports; EAR prohibits dual-use items (technologies used for both commercial/military purposes).

Question 10

What is the Wassenaar Arrangement?

Answer 10

A group of 41 members that have agreed to mutually inform each other about conventional military shipments to nonmember countries; not a treaty, not legally binding.

Question 11

What is the purpose of the Archive phase?

Answer 11

Phase for long-term storage; cryptography is the essential consideration.

Question 12

What is crucial for key management in the Archive phase?

Answer 12

Key management is important; if lost, it can lead to exposure or total loss.

Question 13

What is the only feasible means of destruction?

Answer 13

Crypto shredding is the only feasible and thorough means available.

Question 14

What is Volume Storage?

Answer 14

Customer is allocated storage space; represented as an attached drive to user’s VM.

Question 15

What are the threats associated with Volume Storage?

Answer 15

All traditional data storage threats remain; malware, deletion of data, and physical disk failure.

Question 16

What is Block Storage?

Answer 16

Provides low latency and high-performance values; useful for structured storage.

Question 17

What are the threats associated with Block Storage?

Answer 17

Requires greater amount of administration; risk of malware is reduced but parasitical viruses can infect specific files.

Question 18

What is File Storage?

Answer 18

Data stored/displayed with a file structure in a traditional environment (files/folders).

Question 19

What is Object-Based Storage best used for?

Answer 19

Best used for large unstructured data when durability, unlimited storage, scalability, and metadata management are factors for overall performance.

Question 20

What are the threats associated with Object-Based Storage?

Answer 20

Risk of malware is reduced but parasitical viruses can infect specific files; loss due to physical disk failure.

Question 21

What is Ephemeral Storage?

Answer 21

Temporary resource used for processing; referred to as instance store volumes.

Question 22

What are the threats associated with Ephemeral Storage?

Answer 22

Data will be lost if VM instance is shut down or physical drive fails.

Question 23

What is Long-Term Storage?

Answer 23

Durable data storage capacity; offered at low cost and large amounts; used for archiving/backups.

Question 24

What are the threats associated with Long-Term Storage?

Answer 24

Insider threat; intermediary (MiiM attacks); ransomware; vendor lock-in.

Question 25

What is SAN?

Answer 25

Dedicated high-speed network that interconnects and delivers shared pools of storage devices on multiple servers.

Question 26

What is iSCSI?

Answer 26

Makes it possible to set up a shared-storage network where multiple servers and clients can access central storage resources.

Question 27

What is NAS?

Answer 27

Remote storage accessed; hosted by 3rd party service provider.

Question 28

What do databases provide?

Answer 28

Some structure for stored data; arranged according to characteristics and elements in the data itself.

Question 29

What is a CDN?

Answer 29

Used for large amounts of data that require time-sensitive communication and low latency.

Question 30

What are the threats associated with CDN?

Answer 30

Intermediaries; insider threats; malware.

Question 31

What is Key Management?

Answer 31

How and where encryption keys are stored can affect the risk of data.

Question 32

What is an HSM?

Answer 32

Device that safely stores and manages encryption keys; used in servers, data transmission, and log files.

Question 33

What are Key Protection Methods?

Answer 33

Masking, Obfuscation, Anonymization, and Tokenization.

Question 34

What is DDM?

Answer 34

Dynamic Data Masking: replace sensitive data in transit leaving original at-rest data unaltered.

Question 35

What is SDM?

Answer 35

Static Data Masking: permanently replaces sensitive data by altering data at rest.

Question 36

What is Tokenization?

Answer 36

Practice of having two distinct databases: one with live, actual sensitive data; one with nonrepresentational tokens mapped to each piece of that data.

Question 37

What is SIEM?

Answer 37

Goals implementation of SIEM are to centralize collection of log data; enhance analysis capabilities; dashboarding; automated response.

Question 38

What is Egress Monitoring?

Answer 38

Examining data as it leaves the production environment; goals include additional security, policy enforcement, enhanced monitoring, and regulatory compliance.