Cloud Data Security Flashcards
What are the main types of storage in cloud ?
Volume, Object, CDN, Database
What are the two types of Volume based storage ?
File and Block
What is block based storage ?
Block - blank volume that the user can put anything on to - more flexibility and higher performance but may need higher admin and os installed
What is file based storage ?
Stored and Displayed as a file structure - popular with Big Data tools and processes.
What is object storage ?
Stored as objects alongside meta data and a unique address identifier allows for high classification and labelling. Storage is in a flat structure.
What is a CDN ?
Data Caching near geophysical or edge locations for high use or demand e.g. multimedia streaming
Name the six phases in the data lifecycle ?
Create Store Use Share Archive Destroy
Describe Archive storage ?
Long Term Storage - Cryptography essential
Location and Format should also be a consideration
Staff access both in and outside of the cloud
Procedure how is that data to be restored.
What features are within the Use stage of the lifecycle ?
All connections to be secured usually with an encrypted tunnel.
Data Owners should minimise access to data as well as the use of logging and audit trails. Virtual hosts must be separated from each other and provider should also have controls about what, where and when their own staff have access to infrastructure.
What is a consideration with the Share phase ?
Jurisdiction
What are the main features of DLP ?
Additional Security, Enhanced Monitoring, Policy Enforcement, Regulatory Compliance
When should encryption be used in cloud ?
Used to protect data at rest, in transit and in use.
What are the main characteristics of Key Management in cloud ?
Distribution, Escrow, Recovery, Revocation, Protection, Outsourcing
What is Key escrow ?
This is where a third party have a copy of the keys.
Name the 4 main goals of SIEM ?
Automated Response, Dashboarding, Enhanced Analysis, Log Centralisation
What is key outsourcing ?
Keys should not be stored with the data they are processing. One solution is for the cloud customer to retain the keys, but that requires an expensive and complicated set of infrastructure and skilled personnel. We can offload this to CASB to look after IAM and Key management.
Give two examples of SIEM enhanced analysis ?
Includes Trend Analysis
APT detection
What are the seven common obfucation techniques ?
Masking, Nulls, Shuffling, Randomisation,Tokenisation, Hashing and Anonymisation
What is anonymisation ?
Removing tell tale identifiers - difficult and
What is hashing ?
Converts data via cryptography into fixed length strings. Drawback is some characteristics such as format and length are lost.
What is masking ?
Hiding data with useless characters such as showing last four digits of SSN - keeps data characteristics
What is randomisation ?
Replacing data or part of data with random characters
What is shuffling ?
Using different enteries in the same data to represent the data - drawback is you are still exposing production data
What is tokenisation ?
Replace data with a token involves two databases one for token and one for the actual data - Significant overhead as we have to translate the token into true value and also read two databases when assigning, reading, updating and deleting.
Describe the problems with DLP in cloud ?
Placed on network edge locations DMZ and Cloud Public facing devices
In cloud can be problematic due to costs and insufficient access.
What does Obfuscation help with ?
Test Environments, Least Privilege, Secure Remote Access
Whats the difference between a NAS and a SAN ?
Both are designed to store large amounts of data. NAS is usually on a single server as part of a mixed network containing processing servers and laptops whereas a SAN is usually on thier own dedicated network with many SANs as part of that network.
What is a SAN ?
a SAN is usually on thier own dedicated network with many SANs as part of that network. It usually uses fibre channel for speed and LUNs to identify where data is rather than IP address of the box.
Two transport protocols FIBRE and ISCSI both designed for moving large amounts of data.
What is the difference between redundant servers and server clusters ?
Redundant servers are active/passive in failover where as clusters are active/active
What is distributed resource scheduling ?
DRS is a cloud feature where VM scheduling and location are dynamically done in the background according to best fit. So if a VM gets large it is moved over to a new server config seamlessly without the customer knowing. This can be automatic or depend on the configuration options you ticked when provisioning the resources.
What is the difference between dynamic optimisation (DO) and DRS ?
Unlike DRS DO involves the migrating of whole clusters to optimise performance - it can be storage dynamic optimisation or compute dynamic optimisation. DRS is individual virtual machines.
Describe the two definitions of VLANs ?
First definition relates to pre cloud where a virtual network was defined by an identification number that allowed switches to send information marked with that number to the relavant participating members - allowed distributed networks beyond physical ties. A more cloud specific definition is a network of resources defined on a server.
What is a VPN ?
Encrypted tunnel protecting data in transit
What is FIPS 140-2/FIPS 140-3 measuring ?
Tests the strength of a cryptographic product such as TPM, HSM etc
What is FIPS level 1
No physical security only security is in the software
What is FIPS level 2
Seals or Labels that will show if a box has been tampered with
What is FIPS level 3
Tamper detection/response circuitry that when it detects tampering will zero the chip
What is FIPS level 4
Level 3 plus tamper active response that will physically destroy the board or chip
What is data masking ?
The hiding of data without changing its underlying structure think of passwords being masked with *
What is tokenisation ?
To replace data item with a token from a second database. You can get back to the original data item.
What is obsfuscation ?
Confuses reader changing whole blocks of text - encryption can be thought as a form of obfuscation.
What is anonymisation ?
The manipulation of direct and indirect data so it no longer identifies and individual - key is you cant go back
What is data de-identification ?
The manipulation of direct data only so it no longer identifies and individual - key is you cant go back
Name two maturity models ?
CMMI and CMM ISO21827
What is the security based maturity model called ?
CMM ISO21827
What are the five levels in CMMI ?
Incomplete
Initial
Managed Process
Defined
Quantitatively Managed
Optimising
What are the five levels in CMM ISO21827
Perfomed Informally
Planned and Tracked
Well Defined
Quantitatively Controlled
Continually Improving
Ideally where should the key be stored ?
With the customer
If the key cant be stored with the customer where is the next best option ?
Third Party
If I have to store my key witht the provider what should I not do ?
Store it with VM
What is transparent encryption ?
Databases specific encryption is in the background and doesnt interfere with the users operations.
What is the pupose of a CASB ?
To uncover shadow IT operations such as people using cloud services with corporate email
What are the data center four tiers >?
1 - Basic
2 - Redundant Power and Cooling
3 - Concurrently Maintainable Hot Swappable architecture
4 - Fault Tolerance for topology
What are the three key terms in ISO27034 ?
ONF, ANF, ASMP
What is the Application Security Management Process of ISO27034 ?
The process that allows the development of the anf from the onf
Name some common orchestration tools
puppet, chef salt
What are the top 4 Owasp threats ?
Injection, XSS,CSRF,Insecure Direct Object Reference
What is XSS
A redirection to a compromised web site from a trusted source
What is a problem with Role Based Access ?
The assumption of roles that can lead to privilege escalation
