Cloud Data Security Flashcards
What are the common stages of the data lifecycle?
- Create
- Store
- Use
- Share
- Archive
- Destroy
Data created by the user should be ______ before uploading to the cloud or if created within the cloud.
Encrypted
Packet capture, on-path attacks, and insider threats are all prevented by _____.
encryption on data created remotely
______ helps to analyze networks, manage network traffic, and identify network performance issues. It also allows IT teams to detect intrusion attempts, security issues, network misuse, packet loss, and network congestion.
Packet capture
An ________ is when an attacker sits in the middle between two stations and intercepts, and in some cases, changes the information being sent interactively across the network.
On-path attack
What is a means to secure network traffic?
Using TLS (Transport Layer Security) through an HTTPS connection.
- Provisioning access rights
- Securing storage locations
- Protect data through encryption at rest
Are all security controls that are vital during the _____ phase?
Store
What is the set of features an application provides so that a user may supply input to and receive output from the program?
An application interface
What are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols?
APIs
What contains information on how developers are to structure the communication (requests and responses) between two applications?
API documentation
The application sending the request is called the _____, and the application sending the response is called the _____.
Client, server
What is the most popular and flexible type of API found on the web today, where the client sends requests to the server as data, and the server uses this client input to start internal functions and returns output data back to the client?
REST APIs
Data must be protected when it is:
Stored, in transit, and at rest.
- Strong protections in virtualization and shared service implementation
- Ensure data on virtualized host can’t be read/detected by other VHs on same device
- Implement personnel/admin controls so workers can’t access raw cust data
How CSPs ensure they provide secure environments for data use
- Encryption
- IRM
- Tagging and permissions models
- Jurisdiction/legal restrictions (via export or import controls)
- Egress monitoring
Key controls for the Share phase
Export restriction that covers State Department prohibitions on defense-related exports:
International Traffic in Arms Regulations (ITAR)
Export restriction that covers Dept of Commerce prohibitions on dual-use (commercial and military) items:
Export Admin Regulations (EAR)
Import restriction on cryptosystems or encrypted material:
Cryptography
Import restriction where 41 member countries agreed to mutually inform each other about conventional military shipments to non-member countries:
The Wassenaar Arrangement
What are the security considerations for the Archive phase?
Cryptography and key management
Cryptography methodology that uses an algebraic elliptic curve, resulting in smaller keys that provide the same level of security as larger ones:
Elliptic Curve Cryptography
What areas of physical security are important to consider in Archive phase?
Location, format, staff, and procedure.
What is storage specifically designed to be used for extended periods of time?
Long-term storage.
Amazon Glacier, Azure Archive Storage, and Google Coldline and Archive
3 examples of long-term storage
What is storage for data that exists only as long as an instance does?
Ephemeral storage
What is storage you have direct access to?
Raw storage
What are some examples of raw storage?
Hard drive, SSD. You have direct access to underlying storage rather than a storage service.
What is the type of storage that’s represented as a drive attached to the user’s virtual machine?
Volume storage
A type of volume storage where data is stored/displayed as files and folders:
File storage - file level storage - file based storage
A blank volume that the customer/user can put anything into.
Block storage.
Volume storage can be offered in any cloud service model but is often associated with _____.
IaaS
Object based storage includes:
Production content and metadata for object stored
Object storage can be in any service model but is usually associated with _____.
IaaS
In the cloud, the database is usually ________, accessed by users utilizing _______.
Back-end storage in the data center
Online apps or APIs through a browser
- Traditional relational databases
- Nonrelational databases (key-value databases)
- Document oriented databases
Are types of databases CSPs may provide
Databases are most often configured to work with ______.
PaaS and SaaS
Security methods for databases are:
- Minimizing datasets
- Anonymization/pseudonymization
- Exposure and malicious access
- Risks to data integrity
- Exposure of data
- DDoS
Long term storage threats
Same as long term + risk to IR and forensics b/c the devices may be automatically destroyed when systems are terminated unless intentionally preserved.
Ephemeral storage threats
Leaving fragments of data available to next user are _____ threats.
Raw storage
What is a security exploit that aims to gather information from or influence the program execution of a system by measuring or exploiting indirect effects of the system or its hardware, rather than targeting the program or its code directly?
Side channel attack
Encryption is used to protect data ________.
At rest, in transit, and in use.
Encryption is used w/in the customer’s enterprise environment to ______, and within the datacenter to ______.
Protect data
Keep tenants from accessing each other’s data.
What are strings of bits that allow for encryption/decryption to occur?
Encryption keys
Encryption keys must be at ______ as the data they protect.
Same level of control or higher
What type of encryption is where the encryption key is stored in the database itself?
Transparent encryption
What is a device that can safely create, store, and manage encryption keys and is used in servers, data transmission, and log files?
HSM = Hardware security module
This is used to hold keys in a secure way so they can be recovered by authorized parties.
Key escrow
What are two reasons a key escrow might be used?
Incident response
Legal holds
T/F: Keys should be stored in the CP’s data center.
False - somewhere other
What are 3rd party providers that handle IAM and key management services?
CASB - Cloud Access Security Broker
T/F: The cost of using a CASB is higher than maintaining keys within the org.
False - much lower
What are the commonly used CASBs?
Zscaler, Netskope, and McAfee’s Enterprise CASB tool.
What is a common issue with keys in the cloud?
Inadvertent exposure of private keys in public repositories.
Malicious actors can scan _________ looking for private keys that may have been uploaded w/ other materials when coding projects are submitted.
GitHub and other code repositories
Certificates rely on a _______.
Public and private key
Certificates may be _______
Self-generated or generated by a CA (Certificate Authority)
What uses an algorithm to transform a given string of characters into another value?
Hashing
T/F: Hash output is smaller than input provided.
True
What are two uses of hashes?
- Checking if a file has changed
- Storing and retrieving data quickly
T/F: You can decrypt a hash value.
False
T/F: Hashes are one-way functions that have keys.
F - they don’t have keys
What allows you to determine what the input was for a given hash?
Rainbow table
What is the technique to make data less meaningful, detailed, or readable?
Obfuscation
What is the replacement of data or part of the data with randomized info?
Randomization
When is randomization useful?
When you want to remove the real data but maintain its attributes.
Removing identifiable data is _____.
Anonymization
What involves using a one-way cryptographic function to create a digest of the original data?
Hashing
What is using different entries from within the same dataset to represent the data?
Shuffling
What is hiding the data with useless characters?
Masking
What is deleting raw data before it is represented?
Nulls
What is replacing sensitive data with a replacement value called a token?
Tokenization
Obscuring can be done in ______ or _____ configurations.
Dynamic or static
New dataset is created as a copy from the original data.
Static obscuring
Data is obscured as it’s accessed.
Dynamic obscuring
Tokenization is the process of having two distinct databases:
One w/ live, actual sensitive data and one with nonrepresentational tokens mapped to each piece of that data.
PCI DSS allows _______ instead of _______ for sensitive cardholder data.
Tokenization, encryption
DLP tools are also sometimes called:
Egress monitoring tools
DLP identifies controlled data using:
Tagging, pattern matching, etc.
- Search for numeric strings to detect SSN
- Use categorization/labels/metadata
- Use keyword searches
DLP functions
The monitoring task can be implemented:
At points of network egress or on all hosts that process data within the production environment.
Downsides of DLP:
- High processing overhead
- Complicated config and usage due to insufficient data center access
What are Amazon, Azure, and Google monitoring services called?
CloudWatch, Azure Monitor, GCP Operations Suite
What are the basic elements of any log you capture:
Identity, IP address, geolocation, time stamps
Identify what you log, which events are most important, which should be alerted on, where logs are stored/analyzed, how long you will retain them, and how you will secure them when designing _____
data security models and architecture
What are the best practices for logging and analysis for Amazon, Azure, and Google?
Well-Architected Tools, Well-Architected Framework, Cloud Architecture Framework
- Centralize collection of log data
- Enhance analysis capabilities
- Dashboarding
- Automated response
SIEM goals
SIEMs are only useful when:
Someone actually looks at what they produce.
Data should always be stored in
more than one location
– Local: replicas within a single datacenter
– Zone: replicas to multiple datacenters within a region
– Global: region level resiliency (replicas to backup region)
Cloud storage for IaaS levels of storage redundancy
Is useful to gain visibility and ensure that adequate security controls are implemented
data flow diagram
- Decreased development time and faster deployment of new system features.
- Visibility into data movement, critical for regulatory compliance, where data security is often mandated in law.
These are benefits of a _____.
data flow diagram
T/F: Creating the DFD can be both a risk assessment activity and a crucial compliance activity.
True
Ephemeral, raw, long term, volume, and object storage are associated with:
IaaS
Disk, databases, binary large object (blob) are associated with
PaaS
Information storage and management, content and file storage, content delivery network (CDN) are associated with
SaaS
- Raw Storage. Physical media, allows a VM to access a storage LUN
- Volume storage. Attached as IaaS Instance (EC)
- Object storage. S3 storage bucket, Azure storage
IaaS
– Structured. Relational databases
– Unstructured. Big data
PaaS
– Information Storage and Mgmt. Data entered via the web interface
– Content/File Storage. File based content
– Ephemeral Storage. Used for any temporary data such as cache, buffers, session data, swap volume, etc.
– Content Delivery Network (CDN). Geo-distributed content (for better UX)
SaaS
– Unauthorized access threatens
– Improper modification threatens
– Loss of connectivity threatens
C
I
A
— Jurisdictional issues
— Denial of service
— Data corruption/destruction
— Theft or media loss
— Malware and ransomware
— Improper disposal
threats to storage
Primarily a cost and operational concern. Ease of use can lead to unofficial use, unapproved deployment, and unexpected costs
unauthorized provisioning - shadow IT
Privacy legislation bars data transfer to countries without adequate privacy protections, like _____
Germany
Defenses for data corruption/destruction are least privilege, _____, and offsite data backups
RBAC
Who retains responsibility for preventing the loss of physical media through appropriate physical security controls?
CSP
Who is responsible for hardware disposal?
CSP
- Back up your computer
- Store backups separately
- File auto versioning
ransomware countermeasures
- Update and patch computers
- Use caution with web links
- Use caution with email attachments
- Verify email senders
- Preventative software programs
- User awareness training
ransomware prevention
Relies on the use of a single shared secret key. Lacks support for scalability, easy key distribution, and nonrepudiation
symmetric
Public/private key pairs for communication between parties. Supports scalability, easy key distribution, and nonrepudiation
asymmetric
_____keys are shared among communicating parties. _____ keys are kept secret.
Public / Private
To encrypt a message:
To decrypt a message:
use the recipient’s public key / use your own private key
To sign a message:
To validate a signature:
use your own private key / use the sender’s public key
bridge, hierarchical, hybrid, and mesh.
trust models used with public key infrastructure ( PKI)
Many CSPs offer FIPS compliant virtualized _____ to securely generate, store, and control access to cryptographic keys.
HSMs
Organizations that use multiple cloud providers or need to retain physical control over key management may need to implement a _____
bring-your-own-key (BYOK) strategy
Provides encryption of data as it is written to storage, utilizing keys that are controlled by the CSP.
storage-level encryption
Provides encryption of data written to volumes connected to specific VM instances, utilizing keys controlled by the customer.
Volume-level encryption
Encryption of objects as they are written to storage, in which case the CSP likely controls the keys and could potentially access the data.
object-level encryption
Implemented in client apps, such as word processing apps like Microsoft Word or collaboration apps like SharePoint
file level encryption
Implemented in an application typically using object storage. Data entered by user typically encrypted before storage
Application level encryption
Transparent data encryption (database files, logs, backups), column level or row level encryption, or data masking
Database level encryption
The process of removing all relevant data so that it is impossible to identify original subject or person. If done effectively, then GDPR is no longer relevant for the data.
Anonymization
De-identification procedure using pseudonyms (aliases) to represent other data. Can result in less stringent requirements than would otherwise apply under the GDPR.
Pseudonymization
A one-way function that scrambles plain text to produce a unique message digest. Conversion of a string of characters into a shorter fixed-length value. No way to reverse if properly designed
hashing
Verification of digital signatures
Generation of pseudo random numbers
Integrity services
uses of hashing
- They must allow input of any length.
- Provide fixed length output.
- Make it relatively easy to compute the hash function for any input.
- Provide one way functionality.
- Must be collision free.
5 requirements of good hash functions
A system designed to identify, inventory, and control the use of data that an organization deems sensitive. Spans several categories of controls including detective, preventative, and corrective.
DLP
Is a way to protect sensitive information and prevent its inadvertent disclosure. Can identify, monitor, and automatically protect sensitive information in documents; monitors for and alerts on potential breaches and policy violations like oversharing
DLP
Are used to verify the identity of a communication party and can also be used for asymmetric encryption by providing a trusted public key. Often used to encrypt a shared session key or other symmetric key for secure transmission.
Certificates
This is an encrypted hash of a message, encrypted with the sender’s private key. In a signed email scenario, it provides three key benefits:
Authentication. This positively identifies the sender of the email. Ownership of a digital signature secret key is bound to a specific user
Non repudiation. The sender cannot later deny sending the message. This is sometimes required with online transactions
Integrity. Provides assurances that the message has not been modified or corrupted. Recipients know that the message was not altered in transit
digital signature
Include cryptographic protocol design, key servers, user procedures, and other relevant protocols.
Key Management Design Considerations
Create digital certificates and own the policies.
Certification Authorities
A trust anchor in a PKI environment from which the whole chain of trust is derived.
the root certificate
A Domain Validated (DV) certificate is an X.509 certificate that proves the ownership of a domain name.
Extended validation certificates provide _____ in identifying the entity that is using the certificate.
a higher level of trust
Usually maintained in an offline state.
Issues certs to new subordinate CAs.
root ca
Also called a Policy CA or Intermediate CA. Issues certs to new issuing CAs. Have the ability to revoke certificates.
Subordinate CA
Certificates for clients, servers, devices, websites, etc. issued from here
issuing ca
If the issuing CA is breached, its certificate can be revoked and a new one issued.
Contains information about any certificates that have been revoked by a subordinate CA due to compromises to the certificate or PKI hierarchy.
Certificate revocation list (CRL)
T/F: CAs are required to publish CRLs, but it’s up to certificate consumers if they check these lists and how they respond if a certificate has been revoked.
True
Two potential options for tracking revocation:
ask for the CRL or if available, OCSP endpoint/service.
Endpoint to query for CRL or OCSP is on the _____
certificate
Offers a faster way to check a certificate’s status compared to downloading a CRL in which the consumer of a certificate can submit a request to obtain the status of a specific certificate.
OCSP - online certificate status protocol
Records identifying information for a person or device that owns a private key as well as information on the corresponding public key. It is the message that’s sent to the CA in order to get a digital certificate created.
Certificate signing request (CSR)
The Fully Qualified Domain Name (FQDN) of the entity (e.g. web server)
CN (common name)
Metadata, or data that describes data, is a critical part of discovery in structured data
Semantics, or the meaning of data, is described in the schema or data model and explains relationships expressed in data.
discovery methods for structured data
How does unstructured data discovery occur?
through content analysis, like:
Pattern matching, which compares data to known formats like credit card numbers.
Lexical analysis: attempts to find data meaning and context to discover sensitive info that may not conform to a specific pattern
Hashing: attempts to identify known data by calculating a hash of files and comparing it to a known set of sensitive file hashes
JSON, XML, HTML, email messages, NoSQL
Semi-structured data - may contain metadata to help organize it
T/F: Network-based DLP may not analyze all traffic between on premises endpoints and cloud.
True
T/F: An optimal DLP approach will discover data in on-premises and in cloud repositories, as well as in transit
True
T/F: Tools must be able to scan unstructured data within structured data sources, such as relational databases.
True
T/F: If a single data classification label has to be placed on a large data source, the most sensitive classification found will apply
True
T/F: Having both unstructured and structured data in the same repository will increase tool cost and complexity and may present classification challenges
True
Exceptionally grave damage
Serious damage
Damage
No damage
top secret/confidential/proprietary
secret/private
confidential/sensitive
unclassified/public
Who regulates PHI?
HIPAA
HITRUST
Brings understanding that enables implementation of security controls and classification policies. Usually precedes classification and labeling
mapping
Enforce data rights, provisioning access, and implementing access control model. Often implemented to control access to data designed to be shared but not freely distributed. Can be used to block specific actions, like print, copy/paste, download, and sharing. Provide file expiration so that documents can no longer be viewed after a specified time
IRM programs
persistence
dynamic policy control
expiration
continuous audit trail
interoperability
IRM objectives
- Centralized service for identity proofing and certificate issuance, store of revoked certificates, and for unauthorized identity information access.
- Enables enforcement from anywhere.
- Secrets storage: These solutions require local storage for encryption keys, tokens, or digital certificates used to validate users and access authorizations.
- Local storage requires protection primarily for data integrity to prevent tampering
IRM
Provides an inventor exclusive use of their invention for a period of time, generally 20 years.
patent
Retention happens b/w _____.
archive and destroy
- Data Encryption
- Data Monitoring
- eDiscovery and Retrieval
- Backup and DR Options
- Data Format
- Media Type
key elements of data archiving
To maintain data governance, it is required that all data access and movements be _____
tracked and logged.
T/F: Accountability, traceability, auditability should be maintained in data archiving
True
Directly promotes good user behavior and compliance with the organization’s security policy.
auditing
Help ensure that management programs are effective and being followed. Commonly associated with account management practices to prevent violations with least privilege or need to know principles. Can also be performed to oversee many programs and processes
security audits and reviews
T/F: Because the cloud customer has nearly full control over their compute environment in IaaS, including system and network capabilities, virtually all logs and data events should be exposed and available for capture.
True - same level of detail on app level in PaaS
T/F: In SaaS, customer responsibility is limited to access control, shared responsibility for data recovery, and feature configuration
True
Sufficient user ID attribution should be accessible, or it may be impossible to determine who performed a specific action at a specific time.
identity attribution
What should logs be able to answer?
“Who did (source address and user identity)
what, (event type, severity, flag, and description)
when, (date, time, interaction identifier)
and from where?” Application identifier (name, version, etc.), application address, Service, Geolocation, Window/form/page (URL and HTTP method), and Code location (script or module name)
Provides evidence integrity through convincing proof that evidence was not tampered with in a way that damages its reliability.
chain of custody
Documents key elements of evidence movement and handling, including :
- Each person who handled the evidence
- Date and time of movement/transfer
- Purpose of evidence movement/transfer
chain of custody
Inclusion of sufficient evidence in log files
Digital Signatures
methods to provide non-repudiation