Cloud Data Security Flashcards
What are the common stages of the data lifecycle?
- Create
- Store
- Use
- Share
- Archive
- Destroy
Data created by the user should be ______ before uploading to the cloud or if created within the cloud.
Encrypted
Packet capture, on-path attacks, and insider threats are all mitigated by _____.
Encryption of data at creation, applied before it leaves the user's environment (the ciphertext is useless to anyone who captures or reads it without the key)
______ helps to analyze networks, manage network traffic, and identify network performance issues. It also allows IT teams to detect intrusion attempts, security issues, network misuse, packet loss, and network congestion.
Packet capture
An ________ is when an attacker sits in the middle between two stations and intercepts, and in some cases alters, the information being sent between them across the network.
On-path attack (formerly called a man-in-the-middle attack)
What is a means to secure network traffic?
Using TLS (Transport Layer Security), for example through an HTTPS connection.
- Provisioning access rights
- Securing storage locations
- Protecting data through encryption at rest
are all security controls that are vital during the _____ phase.
Store
What is the set of features an application provides so that a user may supply input to and receive output from the program?
An application interface
What are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols?
APIs
What contains information on how developers are to structure the communication (requests and responses) between two applications?
API documentation
The application sending the request is called the _____, and the application sending the response is called the _____.
Client, server
What are the most popular and flexible APIs found on the web today, where the client sends requests to the server as data, and the server uses this client input to start internal functions and returns output data back to the client?
REST APIs
Data must be protected when it is:
At rest, in transit, and in use.
- Strong protections in virtualization and shared-service implementations
- Ensure data on a virtualized host can't be read or detected by other virtual hosts (tenants) on the same physical device
- Implement personnel/administrative controls so workers can't access raw customer data
How CSPs ensure they provide secure environments for the Use phase
- Encryption
- IRM (information rights management)
- Tagging and permissions models
- Jurisdiction/legal restrictions (via export or import controls)
- Egress monitoring
Key controls for the Share phase
Export restriction that covers State Department prohibitions on defense-related exports:
International Traffic in Arms Regulations (ITAR)
Export restriction that covers Dept of Commerce prohibitions on dual-use (commercial and military) items:
Export Administration Regulations (EAR)
Import restriction that some countries place on cryptosystems or encrypted material:
Cryptography import controls (several jurisdictions restrict bringing strong encryption products into the country)
Export control arrangement in which 42 participating states agree to inform each other about transfers of conventional arms and dual-use goods and technologies to non-participating countries:
The Wassenaar Arrangement
What are the security considerations for the Archive phase?
Cryptography and key management
Cryptography methodology that uses the algebraic structure of elliptic curves, resulting in smaller keys that provide the same level of security as much larger RSA keys:
Elliptic Curve Cryptography (ECC)
What areas of physical security are important to consider in Archive phase?
Location, format, staff, and procedure.
What is storage specifically designed to be used for extended periods of time?
Long-term storage.
Amazon Glacier, Azure Archive Storage, and Google Coldline and Archive
Three examples of long-term storage
What is storage for data that exists only as long as an instance does?
Ephemeral storage
What is storage you have direct access to?
Raw storage
What are some examples of raw storage?
Hard drive, SSD. You have direct access to underlying storage rather than a storage service.
What is the type of storage that’s represented as a drive attached to the user’s virtual machine?
Volume storage
A type of volume storage where data is stored/displayed as files and folders:
File storage (also called file-level or file-based storage)
A blank volume that the customer/user can put anything into.
Block storage.
Volume storage can be offered in any cloud service model but is often associated with _____.
IaaS
Object-based storage includes:
The content itself (the object) and the metadata describing each stored object
Object storage can be in any service model but is usually associated with _____.
IaaS
In the cloud, the database is usually ________, accessed by users utilizing _______.
Back-end storage in the data center
Online apps or APIs through a browser
- Traditional relational databases
- Nonrelational databases (e.g., key-value stores)
- Document-oriented databases
are types of databases CSPs may provide.
Databases are most often configured to work with ______.
PaaS and SaaS
Security methods for databases are:
- Minimizing datasets
- Anonymization/pseudonymization
- Exposure and malicious access
- Risks to data integrity
- Exposure of data
- DDoS
Long-term storage threats
Same as long-term storage, plus risk to incident response and forensics, because the devices may be automatically destroyed when instances are terminated unless intentionally preserved.
Ephemeral storage threats
Leaving fragments of data available to the next user of the same physical media is a _____ threat.
Raw storage
What is a security exploit that aims to gather information from, or influence the program execution of, a system by measuring or exploiting indirect effects of the system or its hardware (timing, power draw, cache behaviour) rather than targeting the program or its code directly?
Side channel attack
Encryption is used to protect data ________.
At rest, in transit, and in use.
Encryption is used w/in the customer’s enterprise environment to ______, and within the datacenter to ______.
Protect data
Keep tenants from accessing each other’s data.
What are strings of bits that allow for encryption/decryption to occur?
Encryption keys
Encryption keys must be at ______ as the data they protect.
Same level of control or higher
What type of encryption is where the encryption key is stored in the database itself?
Transparent encryption
What is a device that can safely create, store, and manage encryption keys, used to protect the keys behind servers, data transmission, and log files?
HSM = Hardware security module
This is used to hold keys in a secure way so they can be recovered by authorized parties.
Key escrow
What are two reasons a key escrow might be used?
Incident response
Legal holds
T/F: Keys should be stored in the CP’s data center.
False - somewhere other
What are 3rd party providers that handle IAM and key management services?
CASB - Cloud Access Security Broker
T/F: The cost of using a CASB is higher than maintaining keys within the org.
False - much lower
What are the commonly used CASBs?
Zscaler, Netskope, and McAfee’s Enterprise CASB tool.
What is a common issue with keys in the cloud?
Inadvertent exposure of private keys and credentials in public repositories.
Malicious actors can scan _________ looking for private keys that may have been uploaded with other materials when coding projects are committed.
GitHub and other code repositories
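The scan attackers run over public repositories is the same one a team should run before a commit leaves its own environment. The following is an added example, not part of the original flashcards, of a minimal secret scanner over an in-memory set of files; the file names, their contents and the patterns are constructed here for illustration (the access key ID used is AWS's published example value, not a live credential).

```python
import re

# Constructed sample repository contents (fictional; the AKIA... value is
# AWS's documented example key ID, not a real credential).
SAMPLE_FILES = {
    "deploy/config.yml": "region: us-east-1\nbucket: backups\ndb_password: Tr0ub4dor&3\n",
    "scripts/push.sh": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\naws s3 sync . s3://backups\n",
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "# Project\nNo secrets here.\n",
}

# Each pattern is one class of material that should never be committed.
PATTERNS = {
    # PEM armour for any private key type (RSA, EC, DSA, OpenSSH, PKCS#8, encrypted).
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
    ),
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 uppercase/digit chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Generic "password=..." / "secret: ..." / "api_key=..." assignments with 8+ char values.
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"]?[^\s'\"]{8,}"
    ),
}


def scan_text(path, text):
    """Return (path, line_number, pattern_name) for every line matching a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_repo(files):
    """Scan a {path: contents} mapping, the shape a pre-commit hook would build."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def commit_allowed(files):
    """Gate used by a pre-commit hook: refuse the commit if anything was found."""
    return not scan_repo(files)


if __name__ == "__main__":
    for path, lineno, name in scan_repo(SAMPLE_FILES):
        print(f"{path}:{lineno}: {name}")
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

A real deployment would run this as a pre-commit or CI hook on the diff, rotate any key that was found rather than merely deleting the file (the key is already compromised once pushed), and keep the credential out of the tree by loading it from a secrets manager at runtime.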
Certificates rely on a _______.
Public and private key
Certificates may be _______
Self-generated or generated by a CA (Certificate Authority)
What uses an algorithm to transform a given string of characters into another value?
Hashing
T/F: Hash output is smaller than the input provided.
True in practice: a hash always produces a fixed-length digest (for example, 256 bits for SHA-256), so any input longer than the digest is compressed; only a very short input can be shorter than its digest.
What are two uses of hashes?
- Checking if a file has changed
- Storing and retrieving data quickly
T/F: You can decrypt a hash value.
False - hashing is not encryption, so there is nothing to decrypt; the digest cannot be reversed to recover the input.
T/F: Hashes are one-way functions that have keys.
False - a plain hash has no key. (A keyed MAC such as HMAC combines a secret key with a hash function, but the hash function itself is unkeyed.)
What precomputed lookup lets you determine the input for a given (unsalted) hash?
Rainbow table - defeated by salting each input with a unique random value before hashing.
What is the technique to make data less meaningful, detailed, or readable?
Obfuscation
What is the replacement of data, or part of the data, with randomized information?
Randomization
When is randomization useful?
When you want to remove the real data but maintain its attributes.
Removing identifiable data is _____.
Anonymization
What involves using a one-way cryptographic function to create a digest of the original data?
Hashing
What is using different entries from within the same dataset to represent the data?
Shuffling
What is hiding the data with useless characters?
Masking
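The obfuscation techniques on the preceding cards (randomization, anonymization, hashing as pseudonymization, shuffling and masking) are shown below applied to one small dataset so the differences between them are visible side by side. This is an added example, not part of the original flashcards; the records are constructed fictional people, and the pseudonymization key and the age jitter range are arbitrary values chosen for the example. Pseudonymization is done with a keyed hash (HMAC) rather than a bare hash so that the token is consistent across runs but cannot be rebuilt by anyone who does not hold the key.

```python
import hashlib
import hmac
import random

# Constructed sample records (fictional; no real people).
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.com", "ssn": "123-45-6789", "zip": "02139", "age": 34},
    {"name": "Bo Sample", "email": "bo@example.com", "ssn": "987-65-4321", "zip": "94105", "age": 51},
    {"name": "Cy Test", "email": "cy@example.com", "ssn": "555-12-3456", "zip": "60601", "age": 28},
]

PSEUDONYM_KEY = b"constructed-example-key"  # would come from a KMS/HSM in practice


def mask(value: str, keep_last: int = 4, fill: str = "X") -> str:
    """Masking: hide all but the last `keep_last` characters, keeping separators."""
    hidden = "".join(fill if ch.isalnum() else ch for ch in value[:-keep_last])
    return hidden + value[-keep_last:]


def anonymize(record: dict, identifiers=("name", "email", "ssn")) -> dict:
    """Anonymization: drop directly identifying fields entirely."""
    return {k: v for k, v in record.items() if k not in identifiers}


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Pseudonymization via keyed hash: same input and key give the same token,
    so records can still be joined, but the token cannot be reversed."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def randomize_age(age: int, rng: random.Random, spread: int = 5) -> int:
    """Randomization: replace the real value but keep its attribute (a plausible age)."""
    return max(0, age + rng.randint(-spread, spread))


def shuffle_column(records: list, column: str, rng: random.Random) -> list:
    """Shuffling: keep the real values for one column but detach them from their rows."""
    values = [r[column] for r in records]
    rng.shuffle(values)
    return [{**r, column: v} for r, v in zip(records, values)]


def de_identify(records: list, seed: int = 1) -> list:
    """Full pipeline: drop name, pseudonymize email, mask SSN, jitter age, shuffle zip."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    out = []
    for r in records:
        out.append({
            "email": pseudonymize(r["email"]),
            "ssn": mask(r["ssn"]),
            "age": randomize_age(r["age"], rng),
            "zip": r["zip"],
        })
    return shuffle_column(out, "zip", rng)


if __name__ == "__main__":
    for row in de_identify(RECORDS):
        print(row)
```

Note that masking and shuffling preserve real values (the last four SSN digits, the true set of ZIP codes), so they reduce rather than remove re-identification risk; anonymization and keyed pseudonymization are the techniques to use when the data must leave a trusted boundary.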