Cloud Data Security Flashcards

1
Q

List data lifecycle phases

A
Create
Store
Use
Share
Archive
Destroy

Mnemonic: Colorado State University Stinks at Dodgeball

2
Q

In the cloud data lifecycle, what are examples of data in the Create phase?

A

New Data can be:
Freshly generated
Imported data new to the cloud
Data that has been updated/modified and has a new shape or state

3
Q
  1. Describe the create phase.

2. What actions should be performed on data in the create phase?

A
  1. Data/digital content is CREATED, ACQUIRED, VERSIONED OR MODIFIED
  2.
Classify the data and tag/label it with its important attributes (e.g. owner, sensitivity, retention period)
Ensure the right security controls for that classification are implemented
Assign access restrictions, as needed
4
Q
  1. Describe the Store phase.

2. What activities happen during the Store phase of the cloud data lifecycle?

A
  1. Committing the data to some sort of STORAGE repository
  2. Store
    Assign and PROTECT with security controls (e.g. ENCRYPTION at rest, ACLs, logging, monitoring)
    Consider backups
5
Q
  1. What happens in the Use phase of the cloud data lifecycle?
  2. What is not included?
A
  1. Viewing, processing, or consuming data that was previously stored; the data is protected with DLP and DRM/IRM
  2. Read-only phase, so no modifications (modifying the data produces a new version, which belongs to the Create phase)
6
Q

What state must data be in order to be in the Use Phase?

Given this state what security mitigations should be taken?

A

Data must be decrypted (in plaintext) while it is processed, so encryption at rest no longer protects it during this phase

File access monitors, logging and monitoring, and Information Rights Management systems are therefore important to detect and prevent unauthorized access during this phase

Data should only be used on a need-to-know (NTK) and least-privilege basis

7
Q

Share Phase of Cloud Data Lifecycle

A

Data is made available for use by others, such as employees, customers, and partners.

Data should only be shared on a need-to-know (NTK) and least-privilege basis

Data is PROTECTED with DLP and DRM/IRM

8
Q

What security mitigations should be taken during the share phase of the cloud data lifecycle?

A

Proper encryption (in transit) is important during this phase, as well as IRM and Data Loss Prevention (DLP) technologies that help ensure sensitive data stays out of the wrong hands.

9
Q

Archive Phase of Cloud Data Lifecycle

Example activity during Archive Phase

A

The Archive phase involves data transitioning from active use to long-term “cold” storage. Archiving can entail moving data from a primary storage tier to a slower, less redundant tier that is less expensive or can include moving data off the cloud to a separate medium altogether (backup tape, for example).

Cost and availability considerations can affect data access (retrieving data from long-term storage can be slow and expensive)

Example activities: enforcing the data retention policy; encrypting archived data (and keeping the keys for as long as the data must remain readable)

10
Q

Destroy Phase of Cloud Data Lifecycle

A

Destroying data involves completely removing it from the cloud by means of logical erasure or physical destruction (like disk pulverizing or degaussing).

In cloud environments, customers generally have to rely on logical destruction methods like crypto-shredding, purging, clearing or overwriting, but many CSPs have processes for physical destruction, per contractual agreements and regulatory requirements.

11
Q

Data dispersion

A

Data dispersion is the process of replicating data throughout a distributed storage infrastructure that can span several regions, cities, or even countries around the world.

Each storage block is fragmented and the storage application writes the fragments to different physical storage containers, so no single container holds a complete block

12
Q

Erasure coding

A

A more specific implementation of data dispersion. A file is segmented into k data fragments and m additional parity fragments are computed (e.g. with Reed-Solomon codes) so that any k of the n = k + m fragments can rebuild the file; the fragments are encrypted and spread across multiple locations. A compromise of any one location therefore yields only a portion of the file (and only ciphertext), while the loss of up to m locations costs no data.
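Worked example of the two cards above (data dispersion and erasure coding), added here and not part of the original flashcards. It implements the simplest erasure code, k data fragments plus one XOR parity fragment, so any ONE lost location can be repaired; production systems use Reed-Solomon codes that tolerate m losses. Each fragment is encrypted before dispersal with a toy SHAKE256 keystream that stands in for AES-GCM (an assumption of this demo, not a recommendation). The sample file and key are constructed.

```python
"""Single-parity erasure coding with encrypted dispersal (added example)."""
import functools
import hashlib
from typing import Dict, List


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, index: int, n: int) -> bytes:
    # Toy per-fragment stream-cipher keystream (SHAKE256 as an XOF); no integrity.
    return hashlib.shake_256(key + index.to_bytes(4, "big")).digest(n)


def split_with_parity(data: bytes, k: int) -> List[bytes]:
    """Split data into k equal-size (zero-padded) fragments and append their XOR parity."""
    size = -(-len(data) // k)  # ceiling division
    padded = data.ljust(k * size, b"\0")
    frags = [padded[i * size:(i + 1) * size] for i in range(k)]
    frags.append(functools.reduce(_xor, frags))  # parity = XOR of all data fragments
    return frags


def disperse(data: bytes, key: bytes, k: int) -> Dict[int, bytes]:
    """Encrypt every fragment and map it to a storage location (index 0..k)."""
    return {i: _xor(f, _keystream(key, i, len(f)))
            for i, f in enumerate(split_with_parity(data, k))}


def recover(locations: Dict[int, bytes], key: bytes, k: int, length: int) -> bytes:
    """Rebuild the file from whatever locations are reachable (at most one may be missing)."""
    n = k + 1
    frags = {i: _xor(c, _keystream(key, i, len(c))) for i, c in locations.items() if i < n}
    missing = [i for i in range(n) if i not in frags]
    if len(missing) > 1:
        raise ValueError(f"{len(missing)} fragments lost; single parity repairs only one")
    if missing:
        # XOR of all n fragments is zero, so the missing one is the XOR of the others.
        frags[missing[0]] = functools.reduce(_xor, frags.values())
    return b"".join(frags[i] for i in range(k))[:length]


if __name__ == "__main__":
    key = b"E" * 32                                   # constructed demo key
    data = b"The quick brown fox jumps over the lazy dog"  # constructed demo file
    stored = disperse(data, key, k=3)                 # 4 locations, 15 bytes each
    del stored[1]                                     # location 1 goes offline
    print(recover(stored, key, 3, len(data)) == data)
```

A single compromised location holds one encrypted 15-byte fragment, which is exactly the "only a portion of the file" property on the card; losing two of the four locations is unrecoverable with one parity fragment, which is why real deployments pick m according to their durability target.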

13
Q

Volume

A

A volume is a virtual hard drive that can be attached to a Virtual Machine (VM) and utilized similar to a physical hard drive. The VM Operating System views the volume the same way any OS would view a physical hard drive in a traditional server model.

AKA Block Storage

14
Q

Object?

Object Storage?

A

An object is a unit of file-based storage that can be accessed directly through an API or web interface, without being attached to an Operating System

Object storage consists of files that are actually just virtual objects in an independent (flat) storage structure that relies on key values to reference and retrieve them.

15
Q

What type of storage does PaaS utilize?

A

Structured storage - RDBMS and others for searching and running operations

Unstructured storage

16
Q

What type of data storage is used by SaaS

A

Information Storage and Management - the customer enters data into the app via a web interface, the app stores it in a back-end database, and the app also generates data on behalf of the customer that is stored internally

Content and file storage

Content Delivery Network (CDN)

17
Q

Ephemeral storage

A

Ephemeral storage is temporary storage that accompanies more permanent storage. Ephemeral storage is useful for temporary data, such as buffers, caches, and session information.

18
Q

Raw-disk storage

A

Raw-disk storage is storage that allows data to be accessed directly at the byte level, rather than through a filesystem.

19
Q

Threats to storage types

A

Unauthorized access or usage (external or malicious insider)
Data Leakage and exposure - CSPs must protect data when replicated/distributed across regions
Denial of Service - CSP must manage spikes in bandwidth, otherwise data availability is at risk
Corruption or loss of data - read the CSP's data terms, which include availability and durability SLOs and SLAs; can happen intentionally or accidentally

20
Q

Durability (or reliability)

A

Durability (or reliability) is the concept of using data redundancy to ensure that data is not lost, compromised, or corrupted.

21
Q

Durability vs Availability

A

Availability focuses on uptime through redundancy, Durability focuses on reliability through redundancy

22
Q

Data loss prevention (DLP)

A

Data loss prevention (DLP), also known as data leakage prevention, is the set of technologies and practices used to identify and classify sensitive data, while ensuring that sensitive data is not lost or accessed by unauthorized parties.

23
Q

Components of DLP?

A

Discovery and classification - first stage of DLP
Monitoring - monitoring the data against one or more policies; if policy is violated, the system provides an alert
Enforcement - policy violations are logged/alerted, or blocked from unauthorized exposure or loss and kept inside boundary

24
Q

DLP Implementation/Architecture

A

Data At Rest - At Rest Implementation runs where the data is stored (cloud or endpoint device, e.g. workstation, file server, and other storage system)

Data in Motion/Transit - Network-based DLP protects data in transit; it monitors outbound traffic (HTTP, HTTPS, FTP, SMTP) near the network perimeter (for HTTPS it can only see the content with TLS inspection or an endpoint agent)

Data in Use - data being processed in RAM and/or CPU. DLP should be installed on endpoint device (host/client-based DLP) preventing sharing or processing of data that violates policy

Host-based or endpoint-based DLP run on workstation or other endpoint device

25
Q

Data de-identification/Anonymization

A

Data de-identification (or anonymization) is the process of removing information that can be used to identify a specific individual from a dataset.

Data sanitization technique with an intent to protect privacy

26
Q

Name Techniques available to de-identify or anonymize sensitive information

A

Masking (obfuscation)

Tokenization

27
Q

Masking

A

Masking is the process of partially or completely replacing sensitive data with random characters or other nonsensitive data.

Masking entails hiding, replacing, or omitting specific fields or data in particular user views in order to limit data exposure in the production environment.

28
Q

List masking techniques

A

Substitution: SECRET -> $3(837
Scrambling/Shuffling: SECRET -> TEESRC
Deletion or nulling: SECRET -> EE

29
Q

Substitution

A

Substitution is a de-identification or anonymization masking technique that mimics the look of real data, but replaces (or appends) it with some unrelated value.

Substitution can either be RANDOM or ALGORITHMIC, with the latter allowing two-way substitution — meaning if you have the algorithm, then you can retrieve the original data from the masked dataset

30
Q

Scrambling

A

Scrambling is a de-identification or anonymizing masking technique that mimics the look of real data, but simply jumbles the characters into a random order.

31
Q

Deletion or nulling

A

Deletion or nulling is a de-identification or anonymization masking technique that is just what it sounds like: the data appears blank or empty to anyone who isn't authorized to view it.

32
Q

Data masking approach?

A

Static data masking - a new copy of the data is created with the masked values

Dynamic data masking - on-the-fly masking that adds a masking layer between the application and the database

33
Q

Static Data masking - Typical Use-case

A

Static masking is the better option when you need to use “real” data in a development or test environment.

34
Q

Dynamic data masking - Typical Use-case

A

Requires a masking layer in between the storage component and the application. This type of masking is great when you need to use production environments in a confidential or private manner.
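Worked example for cards 27 to 34 (substitution, scrambling, deletion/nulling, static vs dynamic masking), added here and not part of the original flashcards. The "algorithmic" two-way substitution is a toy keyed shift, not a NIST SP 800-38G format-preserving cipher (an assumption of the demo); random masking is seeded so runs are repeatable; the customer rows and the policy are constructed.

```python
"""Masking techniques as runnable functions (added example)."""
import copy
import random
import string
from typing import Callable, Dict, List

_CLASSES = (string.digits, string.ascii_uppercase, string.ascii_lowercase)


def substitute_random(value: str, seed: int = 0) -> str:
    """One-way substitution: keep length and character class, randomise everything else."""
    rng, out = random.Random(seed), []
    for ch in value:
        alphabet = next((a for a in _CLASSES if ch in alphabet_check(a, ch)), None)
        out.append(rng.choice(alphabet) if alphabet else ch)  # separators survive
    return "".join(out)


def alphabet_check(alphabet: str, ch: str) -> str:
    return alphabet if ch in alphabet else ""


def substitute_keyed(value: str, key: bytes, reverse: bool = False) -> str:
    """Two-way (algorithmic) substitution: keyed, position-dependent shift within
    each character class. Anyone holding the key can invert it (reverse=True)."""
    out = []
    for i, ch in enumerate(value):
        shift = key[i % len(key)] * (-1 if reverse else 1)
        for alphabet in _CLASSES:
            if ch in alphabet:
                out.append(alphabet[(alphabet.index(ch) + shift) % len(alphabet)])
                break
        else:
            out.append(ch)
    return "".join(out)


def scramble(value: str, seed: int = 0) -> str:
    """Shuffle the characters; same multiset of characters, different order."""
    chars = list(value)
    random.Random(seed).shuffle(chars)
    return "".join(chars)


def nullify(value: str) -> str:
    """Deletion/nulling: the field is blank for the viewer."""
    return ""


def partial_mask(value: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Hide all but the last keep_last characters (the usual SSN/PAN display rule)."""
    if keep_last >= len(value):
        return value
    return mask_char * (len(value) - keep_last) + value[-keep_last:]


# Constructed sample data and masking policy (field -> masking function).
CUSTOMERS: List[Dict[str, str]] = [
    {"name": "Ada Lovelace", "email": "ada@example.com", "ssn": "123-45-6789", "pan": "4111111111111111"},
    {"name": "Linus Pauling", "email": "linus@example.com", "ssn": "987-65-4321", "pan": "5500000000000004"},
]
POLICY: Dict[str, Callable[[str], str]] = {
    "name": scramble, "email": nullify, "ssn": partial_mask, "pan": substitute_random,
}


def static_mask(rows: List[Dict[str, str]], policy: Dict[str, Callable[[str], str]]) -> List[Dict[str, str]]:
    """Static masking: build a NEW masked copy (e.g. for a test database); source rows untouched."""
    masked = copy.deepcopy(rows)
    for row in masked:
        for field, fn in policy.items():
            if field in row:
                row[field] = fn(row[field])
    return masked


def dynamic_view(row: Dict[str, str], role: str, policy: Dict[str, Callable[[str], str]]) -> Dict[str, str]:
    """Dynamic masking: the masking layer sits between app and DB and decides per request."""
    if role == "dba":           # privileged role sees production data as stored
        return dict(row)
    return static_mask([row], policy)[0]
```

Static masking is the right tool when the masked copy leaves the production boundary; dynamic masking keeps one copy and makes the role decision on every read, which is why it must sit in a layer the application cannot bypass.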

35
Q

Tokenization

A

Tokenization is the process of substituting a sensitive piece of data with a nonsensitive replacement, called a token. The token is merely a reference back to the sensitive data, but has no meaning or sensitivity on its own.

Tokenization is reversible (a two-way function) because the token vault maps each token back to the original value, but operating and protecting the vault is expensive.

It is important to make sure proper authentication and authorization are enforced when storing and accessing the sensitive data in the vault
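Worked example of vault-based tokenization as described on this card, added here and not part of the original flashcards. Tokens are random (format-preserving for a card number: same length, digits only, last four kept), the same input yields the same token via an HMAC index so the vault never scans plaintext, and detokenization is gated by role and audited. The key, roles and sample PAN are constructed; a production vault is a separate hardened service, not an in-memory dict.

```python
"""Tokenization vault with authorization and audit (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple


class TokenVault:
    def __init__(self, index_key: bytes, detokenize_roles: Set[str]):
        self._index_key = index_key                   # HMAC key for the value index
        self._token_to_value: Dict[str, str] = {}     # the sensitive mapping
        self._index: Dict[str, str] = {}              # HMAC(value) -> token
        self._roles = detokenize_roles                # roles allowed to reverse tokens
        self.audit: List[Tuple[str, str, str]] = []   # (principal, action, token)

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, value: str) -> str:
        # Format-preserving PAN token: random digits, last 4 kept for customer support.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in value[:-4])
            token = body + value[-4:]
            if token != value and token not in self._token_to_value:
                return token

    def tokenize(self, value: str, principal: str) -> str:
        if not value.isdigit() or len(value) < 8:
            raise ValueError("demo vault tokenizes numeric values of 8+ digits (e.g. PANs)")
        fp = self._fingerprint(value)
        token = self._index.get(fp)
        if token is None:                             # first time we see this value
            token = self._new_token(value)
            self._token_to_value[token] = value
            self._index[fp] = token
        self.audit.append((principal, "tokenize", token))
        return token

    def detokenize(self, token: str, principal: str, role: str) -> str:
        if role not in self._roles:
            self.audit.append((principal, "detokenize-denied", token))
            raise PermissionError(f"{principal} ({role}) may not detokenize")
        self.audit.append((principal, "detokenize", token))
        return self._token_to_value[token]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key", {"payments-ops"})
    tok = vault.tokenize("4111111111111111", "checkout-svc")   # constructed test PAN
    print(tok, vault.detokenize(tok, "refund-svc", "payments-ops"))
```

Because the token carries no information about the value except the last four digits, a breach of the application database that stores only tokens exposes nothing of use without also breaching the vault, which is the whole point of keeping the vault separately authenticated and audited.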

36
Q

Data discovery

A

Data discovery is the process of finding and identifying sensitive information in your environment.

37
Q

Approaches to data discovery

A

Metadata - use meta data to find it
Labels - label sensitive data to find it
Content - analyze the actual content
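Worked example of the content-based discovery approach on this card, feeding the DLP monitoring/enforcement stages from cards 22 to 24; added here and not part of the original flashcards. It scans constructed sample lines for SSNs, card numbers (regex plus a Luhn check to cut false positives) and e-mail addresses, derives a classification label, and applies a constructed policy that blocks restricted data on outbound channels.

```python
"""Content-based data discovery with a DLP policy decision (added example)."""
import re
from typing import List, Tuple

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

SEVERITY = {"PAN": 3, "SSN": 3, "EMAIL": 1}
LABELS = {0: "public", 1: "internal", 3: "restricted"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Discovery: return (type, matched text) for every sensitive element found."""
    hits = [("SSN", m.group()) for m in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):  # drop order IDs, phone numbers
            hits.append(("PAN", m.group()))
    hits += [("EMAIL", m.group()) for m in EMAIL_RE.finditer(text)]
    return hits


def classify(text: str) -> str:
    """Classification: label follows the most severe element present."""
    level = max((SEVERITY[t] for t, _ in find_sensitive(text)), default=0)
    return LABELS[level]


def dlp_decision(text: str, channel: str) -> str:
    """Enforcement (constructed policy): restricted data never leaves by mail or upload;
    anything non-public leaving the boundary is at least alerted on."""
    label = classify(text)
    if label == "restricted" and channel in ("smtp", "http-upload"):
        return "block"
    if label != "public":
        return "alert"
    return "allow"


# Constructed sample outbound messages.
SAMPLE = [
    ("smtp", "card 4111 1111 1111 1111 charged for order 42"),
    ("smtp", "order 1234 5678 9012 3456 shipped"),
    ("http-upload", "applicant ssn 123-45-6789"),
    ("smtp", "please contact bob@example.com"),
    ("smtp", "lunch at noon?"),
]


def scan(messages=SAMPLE) -> List[Tuple[str, str, str]]:
    """Monitoring: (channel, label, decision) per message, ready for alerting/logging."""
    return [(ch, classify(txt), dlp_decision(txt, ch)) for ch, txt in messages]
```

The Luhn filter is what separates a usable DLP rule from one that drowns the SOC in alerts: the second sample line is sixteen digits long but fails the checksum, so it is not treated as a card number.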

38
Q

Data classification

A

Data classification is the process of categorizing and organizing data based on level of sensitivity or other characteristics.

critical component for risk management, data security, and compliance.

39
Q

Categories of Sensitive Data

A

Protected Health Information (PHI)
Personally Identifiable Information (PII)
Cardholder data

40
Q

Describe types of PII

A

Nonsensitive PII - data that can be used to identify an individual but is publicly available
Sensitive PII - identifying information that is not publicly available

Direct identifiers can be used on their own to identify an individual (e.g. SSN); 1:1 identification

Indirect identifiers can help narrow down a set of individuals, but cannot be used to identify a single individual on their own (e.g. birthdate)

41
Q

Aggregate risk

A

aggregate risk — multiple pieces of information can be combined to create something more sensitive than any of its individual components.

42
Q

PHI

A

Protected health information (PHI) is information related to the past, present, or future health status of an individual that was created, used, or obtained in the course of providing healthcare services, including payment for such services.

Can also include PII

43
Q

IRM

A

Information Rights Management (IRM) is a data security technology that protects data (typically files, but also emails, web pages, and other information) from unauthorized access by limiting who can view, copy, forward, delete, or otherwise modify or access information (e.g. print, download, etc).

Commonly implemented with IAM, ACLs and encryption

44
Q

Digital rights management (DRM)

A

Uses ENCRYPTION to enforce COPYRIGHT restriction on digital media

Done to protect intellectual property

Two types: Consumer DRM and Enterprise

45
Q

What recourse does the cloud customer have if inadvertent or malicious disclosure of PII occurs in the cloud WRT the cloud provider? Why?

A

None. Under current law, no cloud customer can transfer the risk or liability associated with the inadvertent or malicious disclosure of PII; the customer remains the data owner and stays accountable to the data subjects and regulators regardless of which party was at fault

46
Q

Consumer Digital Rights Management

A

Controlling the access, execution, copying and alteration of copyrighted information from a publisher to the consumer

47
Q

Enterprise Digital Rights Management

A

A solution used by the organization to protect assets such as documents and/or email from within the organization or partners

48
Q

List Key Data Functions

A

Access

Process

Store

49
Q

Align Key Data Functions to Data Lifecycle

A

Access - happens in all phases (Create, Store, Use, Share, Archive, Destroy) (ALL)

Process - happens in Create and Use (CPU)

Store - happens in Store and Archive (SAS)

50
Q

List Cloud IaaS Storage

A
Volume Storage - Block or File
Object Storage
Raw Storage
Ephemeral Storage
Long Term Storage
51
Q

List PaaS Storage

A

Unstructured - Non Relational or NoSQL

Structured - SQL or Relational (RDBMS)

52
Q

List SaaS Data Storage, Describe each

A

Information Storage and Management System - data entered into web interface and stored in SaaS back end DB

Content or File Storage - file based content stored within application

Content Delivery Network (CDN) - content in object storage distributed to multiple geolocations to improve consumption speed

53
Q

Data Anonymization - Indirect vs Direct

A

Direct - sanitization of data that uniquely identifies a subject (e.g. name, email, other direct PII)

Indirect - sanitization of data that does not identify a subject on its own but narrows the subject down, e.g. demographic, socioeconomic, event data, etc.
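Worked example for this card and for cards 40 and 41 (direct vs indirect identifiers, aggregate risk), added here and not part of the original flashcards. It strips direct identifiers, generalizes the indirect ones, and measures k-anonymity: the smallest group of records that share the same indirect identifiers. A group of size 1 is exactly the aggregate risk on card 41, since that combination of "harmless" attributes singles out one person. The patient records are constructed.

```python
"""De-identification with k-anonymity over indirect identifiers (added example)."""
from collections import Counter
from typing import Dict, List, Tuple

DIRECT_IDS = ("name", "email")                 # identify a person on their own
QUASI_IDS = ("zip", "birth_year", "gender")    # indirect identifiers: narrow the set

# Constructed records; "diagnosis" is the sensitive attribute we want to keep for research.
RECORDS: List[Dict] = [
    {"name": "Alice Smith", "email": "alice@example.com", "zip": "02139", "birth_year": 1985, "gender": "F", "diagnosis": "flu"},
    {"name": "Bella Jones", "email": "bella@example.com", "zip": "02138", "birth_year": 1988, "gender": "F", "diagnosis": "asthma"},
    {"name": "Carl Ng", "email": "carl@example.com", "zip": "02134", "birth_year": 1981, "gender": "M", "diagnosis": "flu"},
    {"name": "Dan Ruiz", "email": "dan@example.com", "zip": "02135", "birth_year": 1984, "gender": "M", "diagnosis": "diabetes"},
    {"name": "Eve Lee", "email": "eve@example.com", "zip": "94110", "birth_year": 1990, "gender": "F", "diagnosis": "flu"},
]


def drop_direct(records: List[Dict]) -> List[Dict]:
    """Direct de-identification: remove fields that identify a subject by themselves."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDS} for r in records]


def generalize(record: Dict) -> Dict:
    """Indirect de-identification: coarsen quasi-identifiers so more people share them."""
    r = dict(record)
    r["zip"] = record["zip"][:3] + "**"                      # 5-digit ZIP -> ZIP3
    r["birth_year"] = f"{record['birth_year'] // 10 * 10}s"  # year -> decade
    return r


def _group_key(record: Dict, quasi: Tuple[str, ...] = QUASI_IDS) -> Tuple:
    return tuple(record[q] for q in quasi)


def k_anonymity(records: List[Dict], quasi: Tuple[str, ...] = QUASI_IDS) -> int:
    """Size of the smallest group sharing identical quasi-identifiers (0 for no records)."""
    if not records:
        return 0
    return min(Counter(_group_key(r, quasi) for r in records).values())


def anonymize(records: List[Dict], k: int) -> List[Dict]:
    """Strip direct IDs, generalize indirect IDs, and suppress any group smaller than k."""
    generalized = [generalize(r) for r in drop_direct(records)]
    sizes = Counter(_group_key(r) for r in generalized)
    return [r for r in generalized if sizes[_group_key(r)] >= k]


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS))            # 1: every row is unique
    released = anonymize(RECORDS, k=2)
    print("released k =", k_anonymity(released), "rows =", len(released))
```

Note that k-anonymity only limits identity disclosure; if every member of a group shared the same diagnosis the attribute would still leak, which is what l-diversity and related measures address.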

54
Q

List Media Sanitization Techniques

A
  1. Physical Destruction
  2. Clearing/Overwriting
  3. Purging
  4. Cryptographic erasure/Crypto Shredding
  5. Degaussing
55
Q

Degaussing

A

Magnetically scrambling the data on a conventional (magnetic) hard drive or tape; on a modern hard drive this also destroys the servo tracks, so the drive is unusable afterwards

Cannot degauss an SSD: flash memory is not magnetic, so the data is left intact

56
Q

Clearing/Overwriting

A

Preparing the media for re-use at the same classification level

Data cannot be recovered by using normal system functions or utilities

However, the data may not be immune to recovery with special tools in a lab environment

57
Q

Purging

A

Removing sensitive data from a system with the intent that the data cannot be reconstructed by any known technique

58
Q

Crypto Shredding

A

Involves encrypting the data and, when the data is ready to be retired, destroying the keys so that the data can't be accessed because it can't be decrypted. Every copy of the key (including key backups and escrow) must be destroyed, otherwise the data is not actually shredded

Best used with symmetric key encryption because there is only one key to delete and the original encryption is cheaper, faster, and simpler
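Worked example of crypto-shredding as described on this card, added here and not part of the original flashcards. It uses envelope encryption: each object gets its own data-encryption key (DEK) wrapped under a tenant key-encryption key (KEK), so deleting one wrapped DEK shreds one object and destroying the KEK shreds every object at once, while the ciphertext itself is never touched. The stream cipher is a toy SHAKE256 keystream standing in for AES-GCM and the XOR "wrap" stands in for real key wrapping (assumptions of the demo); object names are constructed.

```python
"""Crypto-shredding with envelope keys (added example)."""
import hashlib
import secrets
from typing import Dict, Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream-cipher keystream (SHAKE256 as an XOF); no integrity protection.
    return hashlib.shake_256(key + nonce).digest(n)


class KeyStore:
    """One DEK per object, stored only in wrapped form under the tenant KEK."""

    def __init__(self, kek: bytes):
        self._kek: Optional[bytes] = kek
        self._wrapped: Dict[str, bytes] = {}          # object_id -> wrapped DEK

    def _wrap_stream(self, object_id: str) -> bytes:
        if self._kek is None:
            raise KeyError("KEK destroyed: every object under it is shredded")
        return _keystream(self._kek, b"wrap:" + object_id.encode(), 32)

    def create_dek(self, object_id: str) -> bytes:
        if object_id in self._wrapped:
            raise KeyError(f"DEK for {object_id} already exists")
        dek = secrets.token_bytes(32)
        self._wrapped[object_id] = _xor(dek, self._wrap_stream(object_id))
        return dek

    def unwrap(self, object_id: str) -> bytes:
        if object_id not in self._wrapped:
            raise KeyError(f"no key for {object_id}: it was shredded")
        return _xor(self._wrapped[object_id], self._wrap_stream(object_id))

    def shred(self, object_id: str) -> None:
        # Per-object shred. In practice this delete must reach every replica and
        # backup of the key store, or the data is not shredded (see card 58).
        del self._wrapped[object_id]

    def destroy_kek(self) -> None:
        # Tenant-wide shred (e.g. offboarding): no wrapped DEK can ever be unwrapped again.
        self._kek = None


def encrypt_object(ks: KeyStore, object_id: str, plaintext: bytes) -> bytes:
    dek = ks.create_dek(object_id)
    nonce = secrets.token_bytes(16)
    return nonce + _xor(plaintext, _keystream(dek, nonce, len(plaintext)))


def decrypt_object(ks: KeyStore, object_id: str, blob: bytes) -> bytes:
    dek = ks.unwrap(object_id)                        # raises KeyError once shredded
    nonce, ct = blob[:16], blob[16:]
    return _xor(ct, _keystream(dek, nonce, len(ct)))


if __name__ == "__main__":
    ks = KeyStore(secrets.token_bytes(32))
    blob = encrypt_object(ks, "invoice-1", b"attack at dawn")
    print(decrypt_object(ks, "invoice-1", blob))
    ks.shred("invoice-1")                             # ciphertext copies stay wherever they are
    try:
        decrypt_object(ks, "invoice-1", blob)
    except KeyError as e:
        print("shredded:", e)
```

The value of the pattern in the cloud is that the customer can hold the KEK (customer-managed keys) and shred data sitting on provider storage and backups it cannot physically reach; the remaining risk is an attacker who captured the DEK or the plaintext before the shred.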

59
Q

Information Rights Management (IRM)

AKA

A

is a data security technology that protects data (typically files, but also emails, web pages, and other info) from unauthorized access by limiting who can view, copy, forward, delete or otherwise modify information

Provides:

  • Encryption
  • Protection of not just sensitive data; it can also be used for the protection of web pages, emails, databases, etc.
  • Access controls, even based on location
  • A baseline for an information protection policy

AKA Data Rights Management (DRM; not to be confused with Digital Rights Management)

60
Q

Feature goals of a security architecture when IRM is incorporated

A

Continuous protection - despite location or data life cycle or at rest or in transit

Automatic expiration - using IRM, set policy that automatically revoke access to data after a predetermined lifetime

Dynamic Control - using IRM , manage access permissions even when data has been distributed

Auditability - IRM provides continuous audit trail

Integration and support - IRM is usually interoperable with email filters, data formats, and other infrastructure or software in the enterprise

61
Q

Data Retention Policies

A

Retaining information for organization or regulatory COMPLIANCE

62
Q

Data Backup vs Data Archive

A

Data backup - the process of backing up data the organization is CURRENTLY using/processing, for disaster recovery purposes

Data archive - retaining data that is NO LONGER being used/processed, per the retention policy

63
Q

Continuous Monitoring

A

NIST SP 800-137: Information Security Continuous Monitoring (ISCM) is maintaining ongoing AWARENESS of information security, VULNERABILITIES, and threats to support organizational risk management decisions

NOT monitoring in the 24x7x365 real-time sense; this is security monitoring carried out as policy on a defined, cyclical basis

64
Q

Information Security Continuous Monitoring (ISCM) Strategy

A
  1. Clear understanding of the organization risk tolerance/appetite
  2. METRICS to understand organizations security status
  3. Ensure security controls are effective
  4. Verifies compliance with corporate governance
  5. Continuous awareness of threats and vulnerabilities
65
Q

Continuous Operations

A

The organization is following these principles:

  1. Audit Logging - giving Sr. Management ASSURANCE the organization is adhering to legal, statutory and regulatory compliance
  2. Contract/authority maintenance: having liaisons between organizations and applicable authorities (regulatory, local, national, legal, jurisdiction) and to be ready to engage with them in case of a forensic investigation
  3. Data governance: POLICIES and PROCEDURES

(Make sure we are always available)