Cloud Data Security Flashcards by Natasha WrightPope

What are the common stages of the data lifecycle?

Create
Store
Use
Share
Archive
Destroy

How well did you know this?

Not at all

Perfectly

Data created by the user should be ______ before uploading to the cloud or if created within the cloud.

Encrypted

How well did you know this?

Not at all

Perfectly

Packet capture, on-path attacks, and insider threats are all prevented by _____.

encryption on data created remotely

How well did you know this?

Not at all

Perfectly

______ helps to analyze networks, manage network traffic, and identify network performance issues. It also allows IT teams to detect intrusion attempts, security issues, network misuse, packet loss, and network congestion.

Packet capture

How well did you know this?

Not at all

Perfectly

An ________ is when an attacker sits in the middle between two stations and intercepts, and in some cases, changes the information being sent interactively across the network.

On-path attack

How well did you know this?

Not at all

Perfectly

What is a means to secure network traffic?

Using TLS (Transport Layer Security) through an HTPPS connection.

How well did you know this?

Not at all

Perfectly

Provisioning access rights
Securing storage locations
Protect data thru encryption at rest

Are all security controls that are vital during _____ phase?

Store

How well did you know this?

Not at all

Perfectly

What is the set of features an application provides so that a user may supply input to and receive output from the program.

An application interface

How well did you know this?

Not at all

Perfectly

What are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols?

APIs

How well did you know this?

Not at all

Perfectly

What contains information on how developers are to structure the communication (requests and responses) between two applications?

API documentation

How well did you know this?

Not at all

Perfectly

The application sending the request is called the _____, and the application sending the response is called the _____.

Client, server

How well did you know this?

Not at all

Perfectly

What is the most popular and flexible APIs found on the web today, where the client sends requests to the server as data, and the server uses this client input to start internal functions and returns output data back to the client.

REST APIs

How well did you know this?

Not at all

Perfectly

Data must be protected when it is:

Stored, in transit, and at rest.

How well did you know this?

Not at all

Perfectly

Strong protections in virtualization and shared service implementation
Ensure data on virtualized host can’t be read/detected by other VHs on same device
Implement personnel/admin controls so workers can’t access raw cust data

How CSPs ensure they provide secure environments for data use

How well did you know this?

Not at all

Perfectly

Encryption
IRM
Tagging and permissions models
Jurisdiction/legal restrictions (via export or import controls)
Egress monitoring

Key controls for the Share phase

How well did you know this?

Not at all

Perfectly

Export restriction that covers State Department prohibitions on defense-related exports:

International Traffic in Arms Regulations (ITAR)

How well did you know this?

Not at all

Perfectly

Export restriction that covers Dept of Commerce prohibitions on dual-use (commercial and military) items:

Export Admin Regulations (EAR)

How well did you know this?

Not at all

Perfectly

Import restriction on cryptosystems or encrypted material:

Cryptography

How well did you know this?

Not at all

Perfectly

Import restriction where 41 member countries agreed to mutually inform each other about conventional military shipments to non-member countries:

The Wassenaar Arrangement

How well did you know this?

Not at all

Perfectly

What are the security considerations for the Archive phase?

Cryptography and key management

How well did you know this?

Not at all

Perfectly

Cryptography methodology that uses an algebraic elliptical curve that results in smaller keys that can provide the same level of security as the larger ones:

Elliptical Curve Cryptography

How well did you know this?

Not at all

Perfectly

What areas of physical security are important to consider in Archive phase?

Location, format, staff, and procedure.

How well did you know this?

Not at all

Perfectly

What is storage specifically designed to be used for extended periods of time?

Long-term storage.

How well did you know this?

Not at all

Perfectly

Amazon Glacier, Azure Archive Storage, and Google Coldline and Archive

3 examples of long-term storage

How well did you know this?

Not at all

Perfectly

What is storage for data that exists only as long as an instance does?

Ephemeral storage

What is storage you have direct access to?

Raw storage

What are some examples of raw storage?

Hard drive, SSD. You have direct access to underlying storage rather than a storage service.

What is the type of storage that's represented as a drive attached to the user's virtual machine?

Volume storage

A type of volume storage where data is stored/displayed as files and folders:

File storage - file level storage - file based storage

A blank volume that the customer/user can put anything into.

Block storage.

Volume storage can be offered in any cloud service model but is often associated with _____.

IaaS

Object based storage includes:

Production content and metadata for object stored

Object storage can be in any service model but is usually associated with _____.

IaaS

In the cloud, the database is usually ________, accessed by users utilizing _______.

Back-end storage in the data center Online apps or APIs through a browser

- Traditional relational databases - Nonrelational databases (key-value databases) - Document oriented databases

Are types of databases CSPs may provide

Databases are most often configured to work with ______.

Paas and Saas

Security methods for databases are:

- Minimizing datasets - Anonymization/ pseudonymization

- Exposure and malicious access - Risks to data integrity - Exposure of data - DDoS

Long term storage threats

Same as long term + risk to IR and forensics b/c the devices may be automatically destroyed when systems are terminated unless intentionally preserved.

Ephemeral storage threats

Leaving fragments of data available to next user are _____ threats.

Raw storage

What is a security exploit that aims to gather information from or influence the program execution of a system by measuring or exploiting indirect effects of the system or its hardware -- rather than targeting the program or its code directly.

Side channel attack

Encryption is used to protect data ________.

At rest, in transit, and in use.

Encryption is used w/in the customer's enterprise environment to ______, and within the datacenter to ______.

Protect data Keep tenants from accessing each other's data.

What are strings of bits that allow for encryption/decryption to occur?

Encryption keys

Encryption keys must be at ______ as the data they protect.

Same level of control or higher

What type of encryption is where the encryption key is stored in the database itself?

Transparent encryption

What is a device that can safely create, store, and manage encryption keys and is used in servers, data transmission, and log files?

HSM = Hardware security module

This is used to hold keys in a secure way so they can be recovered by authorized parties.

Key escrow

What are two reasons a key escrow might be used?

Incident response Legal holds

T/F: Keys should be stored in the CP's data center.

False - somewhere other

What are 3rd party providers that handle IAM and key management services?

CASB - Cloud Access Security Broker

T/F: The cost of using a CASB is higher than maintaining keys within the org.

False - much lower

What are the commonly used CASBs?

Zscaler, Netskope, and McAfee's Enterprise CASB tool.

What is a common issue with keys in the cloud?

Inadvertent exposure of private keys in public repositories.

Malicious actors can scan _________ looking for private keys that may have been uploaded w/ other materials when coding projects are submitted.

GitHub and other code repositories

Certificates rely on a _______.

Public and private key

Certificates may be _______

Self-generated or generated by a CA (Certificate Authority)

What uses an algorithm to transform a given string of characters into another value?

Hashing

T/F: Hash output is smaller than input provided.

True

What are two uses of hashes?

- Checking if a file has changed - Storing and retrieving data quickly

T/F: You can decrypt a hash value.

False

T/F: Hashes are one-way functions that have keys.

F - they don't have keys

What allows you to determine what the input was for a given hash?

Rainbow table

What is the technique to make data less meaningful, detailed, or readable?

Obfuscation

What is the replacement of date or part of the data w/ randomized info?

Randomization

When is randomization useful?

When you want to remove the real data but maintain its attributes.

Removing identifiable data is _____.

Anonymization

What involves using a one-way cryptographic function to create a digest of the original data?

Hashing

What is using different entries from within the same dataset to represent the data?

Shuffling

What is hiding the data with useless characters?

Masking

What is deleting raw data before it is represented?

Nulls

What is replacing sensitive data with a replacement value called a token?

Tokenization

Obscuring can be done in ______ or _____ configurations.

Dynamic or static

New dataset is created as a copy from the original data.

Static obscuring

Data is obscured as it's accessed.

Dynamic obscuring

Tokenization is the process of having two distinct databases:

One w/ live, actual sensitive data and one with nonrepresentational tokens mapped to each piece of that data.

PCI DSS allows _______ instead of _______ for sensitive cardholder data.

Tokenization, encryption

DLP tools are also sometimes called:

Egress monitoring tools

DLP identifies controlled data using:

Tagging, pattern matching, etc.

- Search for numeric strings to detect SSN - Use categorization/labels/metadata - Use keyword searches

DLP functions

The monitoring task can be implemented:

At points of network egress or on all hosts that process data within the production environment.

Downsides of DLP:

- High processing overhead - Complicated config and usage due to insufficient data center access

What are Amazon, Azure, and Google monitoring services called?

CloudWatch, Azure Monitor, GCP Operations Suite

What are the basic elements of any log you capture:

Identity, IP address, geolocation, time stamps

ID what you log, what events are most important, which should be alerted, where logs are stored/analyzed, how long you will retain, and how you will secure when designing _____

data security models and architecture

What are the best practices for logging and analysis for Amazon, Azure, and Google?

Well-Architected Tools, Well-Architected Framework, Cloud Architecture Framework

- Centralize collection of log data - Enhance analysis capabilities - Dashboarding - Automated response

SIEM goals

SIEMs are only useful when:

Someone actually looks at what they produce.

Data should always be stored in

more than one location

– Local: replicas within a single datacenter – Zone: replicas to multiple datacenters within a region – Global: region level resiliency (replicas to backup region)

Cloud storage for IaaS levels of storage redundancy

Is useful to gain visibility and ensure that adequate security controls are implemented

data flow diagram

* Decreased development time and faster deployment of new system features. * Visibility into data movement, critical for regulatory compliance, where data security is often mandated in law. These are benefits of a _____.

data flow diagram

T/F: Creating the DFD can be both a risk assessment activity and a crucial compliance activity.

True

Ephemeral, raw, long term, volume, and object storage are associated with:

IaaS

Disk, databases, binary large object (blob) are associated with

PaaS

Information storage and management, content and file storage, content delivery network (CDN) are associated with

SaaS

- Raw Storage. Physical media, allows a VM access a storage LUN - Volume storage. Attached as IaaS Instance (EC) - Object storage. S3 storage bucket, Azure storage

IaaS

– Structured. Relational databases – Unstructured. Big data

PaaS

– Information Storage and Mgmt. Data entered via the web interface – Content/File Storage. File based content – Ephemeral Storage. It used for any temporary data such as cache, buffers, session data, swap volume, etc. – Content Delivery Network (CDN) Geo distributed content for (better UX)

SaaS

– Unauthorized access threatens – Improper modification threatens – Loss of connectivity threatens

C I A

— Jurisdictional issues — Denial of service — Data corruption/destruction — Theft or media loss — Malware and ransomware — Improper disposal

threats to storage

Primarily a cost and operational concern. Ease of use can lead to unofficial use, unapproved deployment, and unexpected costs

unauthorized provisioning - shadow IT

Privacy legislation bars data transfer to countries without adequate privacy protections, like _____

Germany

Defenses for data corruption/destruction are least privilege, _____, and offsite data backups

RBAC

Who retains responsibility for preventing the loss of physical media through appropriate physical security controls?

CSP

Who is responsible for hardware disposal?

CSP

- Back up your computer - Store backups separately - File auto versioning

ransomware countermeasures

- Update and patch computers - Use caution with web links - Use caution with email attachments - Verify email senders - Preventative software programs - User awareness training

ransomware prevention

Relies on the use of a single shared secret key. Lacks support for scalability, easy key distribution, and nonrepudiation

symmetric

Public private key pairs for communication between parties. Supports scalability, easy key distribution, and nonrepudiation

asymmetric

_____keys are shared among communicating parties. _____ keys are kept secret.

Public / Private

To encrypt a message: To decrypt a message:

use the recipient’s public key / use your own private key

To sign a message: To validate a signature:

use your own private key / use the sender’s public key

bridge, hierarchical, hybrid, and mesh.

trust models used with public key infrastructure ( PKI)

Many CSPs offer FIPS compliant virtualized _____ to securely generate, store, and control access to cryptographic keys.

HSMs

Organizations that use multiple cloud providers or need to retain physical control over key management may need to implement a _____

bring-your-own-key (BYOK) strategy

Provides encryption of data as it is written to storage, utilizing keys that are controlled by the CSP.

storage-level encryption

Provides encryption of data written to volumes connected to specific VM instances, utilizing keys controlled by the customer.

Volume-level encryption

Encryption of objects as they are written to storage, in which case the CSP likely controls the keys and could potentially access the data.

object-level encryption

Implemented in client apps, such as word processing apps like Microsoft Word or collaboration apps like SharePoint

file level encryption

Implemented in an application typically using object storage. Data entered by user typically encrypted before storage

Application level encryption

Transparent data encryption (database files, logs, backups), column level or row level encryption, or data masking

Database level encryption

The process of removing all relevant data so that it is impossible to identify original subject or person. If done effectively, then GDPR is no longer relevant for the data.

Anonymization

De identification procedure using pseudonyms (aliases) to represent other data. Can result in less stringent requirements than would otherwise apply under the GDPR.

Pseudonymization

A one way function that scrambles plain text to produce a unique message digest. Conversion of a string of characters into a shorter fixed length value. No way to reverse if properly designed

hashing

Verification of digital signatures Generation of pseudo random numbers Integrity services

uses of hashing

1. They must allow input of any length. 2. Provide fixed length output. 3. Make it relatively easy to compute the hash function for any input. 4. Provide one way functionality. 5. Must be collision free.

5 requirements of good hash functions

A system designed to identify, inventory, and control the use of data that an organization deems sensitive. Spans several categories of controls including detective, preventative, and corrective.

DLP

Is a way to protect sensitive information and prevent its inadvertent disclosure. Can identify, monitor, and automatically protect sensitive information in documents monitors for and alerts on for potential breaches, policy violations like oversharing

DLP

Are used to verify the identity of a communication party and can also be used for asymmetric encryption by providing a trusted public key. Often used to encrypt a shared session key or other symmetric key for secure transmission.

Certificates

This is an encrypted hash of a message, encrypted with the sender’s private key. In a signed email scenario, it provides three key benefits: Authentication. This positively identifies the sender of the email. Ownership of a digital signature secret key is bound to a specific user Non repudiation. The sender cannot later deny sending the message. This is sometimes required with online transactions Integrity. Provides assurances that the message has not been modified or corrupted. Recipients know that the message was not altered in transit

digital signature

Include cryptographic protocol design, key servers, user procedures, and other relevant protocols.

Key Management Design Considerations

Create digital certificates and own the policies.

Certification Authorities

A trust anchor in a PKI environment from which the whole chain of trust is derived.

the root certificate

A Domain Validated (DV) certificate is an X.509 certificate that

proves the ownership of a domain name.

Extended validation certificates provide _____ in identifying the entity that is using the certificate.

a higher level of trust

Usually maintained in an offline state. Issues certs to new subordinate CAs.

root ca

Also called a Policy CA or Intermediate CA. Issues certs to new issuing CAs. Have the ability to revoke certificates.

Subordinate CA

Certificates for clients, servers, devices, websites, etc. issued from here

issuing ca

If the issuing CA is breached, its certificate can be

revoked and a new one issued.

Contains information about any certificates that have been revoked by a subordinate CA due to compromises to the certificate or PKI hierarchy.

Certificate revocation list (CRL)

T/F: CAs are required to publish CRLs, but it’s up to certificate consumers if they check these lists and how they respond if a certificate has been revoked.

True

Two potential options for tracking revocation:

ask for the CRL or if available, OCSP endpoint/service.

Endpoint to query for CRL or OCSP is on the _____

certificate

Offers a faster way to check a certificate’s status compared to downloading a CRL in which the consumer of a certificate can submit a request to obtain the status of a specific certificate.

OCSP - online certificate status protocol

Records identifying information for a person or device that owns a private key as well as information on the corresponding public key. It is the message that's sent to the CA in order to get a digital certificate created.

Certificate signing request (CSR)

the Fully Qualified Domain Name (FQDN) of the entity (e.g web server)

CN (common name)

Metadata, or data that describes data, is a critical part of discovery in structured data Semantics, or the meaning of data, is described in the schema or data model and explains relationships expressed in data.

discovery methods for structured data

How does unstructured data discovery occur?

through content analysis, like: Pattern matching, which compares data to known formats like credit card numbers. Lexical analysis: attempts to find data meaning and context to discover sensitive info that may not conform to a specific pattern Hashing: attempts to identify known data by calculating a hash of files and comparing it to a known set of sensitive file hashes

JSON, XML, HTML, email messages, NoSQL

semi-structured data - may contain meta data to help organize

T/F: Network-based DLP may not analyze all traffic between on premises endpoints and cloud.

True

T/F: An optimal DLP approach will discover data in on-premises and in cloud repositories, as well as in transit

True

T/F: Tools must be able to scan unstructured data within structured data sources, such as relational databases.

True

T/F: If a single data classification label has to be placed on a large data source the most sensitive classification found will apply

True

T/F: Both unstructured and structured in same repository will increase tool cost and complexity and may present classification challenges

True

Exceptionally grave damage Serious damage Damage No damage

top secret/confidential/proprietary secret/private confidential/sensitive unclassified/public

Who regulates PHI?

HIPAA HITRUST

Brings understanding that enables implementation of security controls and classification polices. Usually precedes classification and labeling

mapping

Enforce data rights, provisioning access, and implementing access control model. Often implemented to control access to data designed to be shared but not freely distributed. Can be used to block specific actions, like print, copy/paste, download, and sharing. Provide file expiration so that documents can no longer be viewed after a specified time

IRM programs

persistence dynamic policy control expiration continuous audit trail interoperability

IRM objectives

- Centralized service for identity proofing and certificate issuance, store of revoked certificates, and for unauthorized identify information access. - Enables enforcement from anywhere. - Secrets storage: These solutions require local storage for encryption keys, tokens, or digital certificates used to validate users and access authorizations. - Local storage requires protection primarily for data integrity to prevent tampering

IRM

Provides inventor exclusive use of their invention for a period of time, generally 20 years.

patent

Retention happens b/w _____.

archive and destroy

- Data Encryption - Data Monitoring - eDiscovery and Retrieval - Backup and DR Options - Data Format - Media Type

key elements of data archiving

To maintain data governance, it is required that all data access and movements be _____

tracked and logged.

T/F: Accountability, traceability, auditability should be maintained in data archiving

True

Directly promotes good user behavior and compliance with the organization’s security policy.

auditing

Help ensure that management programs are effective and being followed. Commonly associated with account management practices to prevent violations with least privilege or need to know principles. Can also be performed to oversee many programs and processes

security audits and reviews

T/F: Because the cloud customer has nearly full control over their compute environment in IaaS, including system and network capabilities, virtually all logs and data events should be exposed and available for capture.

True - same level of detail on app level in PaaS

T/F: In SaaS, customer responsibility is limited to access control, shared responsibility for data recovery, and feature configuration

True

Sufficient user ID attribution should be accessible, or it may be impossible to determine who performed a specific action at a specific time.

identity attribution

What should logs be able to answer?

“Who did (source address and user identity) what, (event type, severity, flag, and description) when, (date, time, interaction identifier) and from where?” Application identifier (name, version, etc.), application address, Service, Geolocation, Window/for/page (URL and HTTP method), and Code location (script or module name)

Provides evidence integrity through convincing proof evidence was not tampered with in a way that damages its reliability.

chain of custody

Documents key elements of evidence movement and handling, including : - Each person who handled the evidence - Date and time of movement/transfer - Purpose evidence movement/transfer

chain of custody

Inclusion of sufficient evidence in log files Digital Signatures

methods to provide non-repudiation