Cloud Data Security Flashcards

1
Q

What are the main types of storage in cloud ?

A

Volume, Object, CDN, Database

2
Q

What are the two types of Volume based storage ?

A

File and Block

3
Q

What is block based storage ?

A

Block - a blank volume that the user can put anything onto - more flexibility and higher performance, but may need more administration and an OS installed

4
Q

What is file based storage ?

A

Stored and displayed as a file structure - popular with Big Data tools and processes.

5
Q

What is object storage ?

A

Stored as objects alongside metadata and a unique address identifier, which allows for a high degree of classification and labelling. Storage is in a flat structure.

6
Q

What is a CDN ?

A

Data caching at geographically close or edge locations for high-use or high-demand content, e.g. multimedia streaming

7
Q

Name the six phases in the data lifecycle ?

A

Create, Store, Use, Share, Archive, Destroy

8
Q

Describe Archive storage ?

A

Long-term storage - cryptography essential.
Location and format should also be a consideration.
Staff access both inside and outside of the cloud.
Procedure for how that data is to be restored.

9
Q

What features are within the Use stage of the lifecycle ?

A

All connections to be secured, usually with an encrypted tunnel.
Data owners should minimise access to data and make use of logging and audit trails. Virtual hosts must be separated from each other, and the provider should also have controls over what, where and when its own staff have access to infrastructure.

10
Q

What is a consideration with the Share phase ?

A

Jurisdiction

11
Q

What are the main features of DLP ?

A

Additional Security, Enhanced Monitoring, Policy Enforcement, Regulatory Compliance

12
Q

When should encryption be used in cloud ?

A

Used to protect data at rest, in transit and in use.

13
Q

What are the main characteristics of Key Management in cloud ?

A

Distribution, Escrow, Recovery, Revocation, Protection, Outsourcing

14
Q

What is Key escrow ?

A

This is where a third party has a copy of the keys.

15
Q

Name the 4 main goals of SIEM ?

A

Automated Response, Dashboarding, Enhanced Analysis, Log Centralisation

16
Q

What is key outsourcing ?

A

Keys should not be stored with the data they are processing. One solution is for the cloud customer to retain the keys, but that requires an expensive and complicated set of infrastructure and skilled personnel. We can offload this to a CASB to look after IAM and key management.

17
Q

Give two examples of SIEM enhanced analysis ?

A

Trend analysis
APT detection

18
Q

What are the seven common obfuscation techniques ?

A

Masking, Nulls, Shuffling, Randomisation, Tokenisation, Hashing and Anonymisation

19
Q

What is anonymisation ?

A

Removing tell-tale identifiers - difficult and

20
Q

What is hashing ?

A

Converts data via cryptography into fixed-length strings. The drawback is that some characteristics, such as format and length, are lost.

21
Q

What is masking ?

A

Hiding data with useless characters, such as showing only the last four digits of an SSN - keeps data characteristics

22
Q

What is randomisation ?

A

Replacing data or part of data with random characters

23
Q

What is shuffling ?

A

Using different entries from the same data set to represent the data - the drawback is that you are still exposing production data

24
Q

What is tokenisation ?

A

Replace data with a token; this involves two databases, one for the token and one for the actual data - significant overhead, as we have to translate the token into the true value and also read two databases when assigning, reading, updating and deleting.

25
Q

Describe the problems with DLP in cloud ?

A

Placed at network edge locations, the DMZ and cloud public-facing devices.
In the cloud this can be problematic due to costs and insufficient access.

26
Q

What does Obfuscation help with ?

A

Test Environments, Least Privilege, Secure Remote Access

27
Q

What's the difference between a NAS and a SAN ?

A

Both are designed to store large amounts of data. A NAS is usually a single server on a mixed network containing processing servers and laptops, whereas a SAN usually has its own dedicated network with many SANs as part of that network.

28
Q

What is a SAN ?

A

A SAN usually has its own dedicated network with many SANs as part of that network. It usually uses Fibre Channel for speed and LUNs to identify where data is, rather than the IP address of the box.

Two transport protocols, Fibre Channel and iSCSI, both designed for moving large amounts of data.

29
Q

What is the difference between redundant servers and server clusters ?

A

Redundant servers are active/passive in failover, whereas clusters are active/active

30
Q

What is distributed resource scheduling ?

A

DRS is a cloud feature where VM scheduling and placement are done dynamically in the background according to best fit. So if a VM grows large, it is moved over to a new server configuration seamlessly, without the customer knowing. This can be automatic or depend on the configuration options you ticked when provisioning the resources.

31
Q

What is the difference between dynamic optimisation (DO) and DRS ?

A

Unlike DRS, DO involves migrating whole clusters to optimise performance - it can be storage dynamic optimisation or compute dynamic optimisation. DRS works on individual virtual machines.

32
Q

Describe the two definitions of VLANs ?

A

The first definition relates to pre-cloud networking, where a virtual network was defined by an identification number that allowed switches to send frames tagged with that number to the relevant participating members - this allowed distributed networks beyond physical ties. A more cloud-specific definition is a network of resources defined on a server.

33
Q

What is a VPN ?

A

Encrypted tunnel protecting data in transit

34
Q

What is FIPS 140-2/FIPS 140-3 measuring ?

A

Tests the strength of a cryptographic product such as a TPM, HSM etc.

35
Q

What is FIPS level 1

A

No physical security; the only security is in the software

36
Q

What is FIPS level 2

A

Seals or labels that will show if a box has been tampered with

37
Q

What is FIPS level 3

A

Tamper detection/response circuitry that, when it detects tampering, will zero the chip

38
Q

What is FIPS level 4

A

Level 3 plus tamper active response that will physically destroy the board or chip

39
Q

What is data masking ?

A

The hiding of data without changing its underlying structure; think of passwords being masked with *

40
Q

What is tokenisation ?

A

To replace data item with a token from a second database. You can get back to the original data item.

41
Q

What is obfuscation ?

A

Confuses the reader by changing whole blocks of text - encryption can be thought of as a form of obfuscation.

42
Q

What is anonymisation ?

A

The manipulation of direct and indirect data so it no longer identifies an individual - the key is you can't go back

43
Q

What is data de-identification ?

A

The manipulation of direct data only so it no longer identifies an individual - the key is you can't go back

44
Q

Name two maturity models ?

A

CMMI and CMM ISO21827

45
Q

What is the security based maturity model called ?

A

CMM ISO21827

46
Q

What are the five levels in CMMI ?

A

Incomplete
Initial
Managed Process
Defined
Quantitatively Managed
Optimising

47
Q

What are the five levels in CMM ISO21827

A

Performed Informally
Planned and Tracked
Well Defined
Quantitatively Controlled
Continually Improving

48
Q

Ideally where should the key be stored ?

A

With the customer

49
Q

If the key can't be stored with the customer, where is the next best option ?

A

Third Party

50
Q

If I have to store my key with the provider, what should I not do ?

A

Store it with the VM

51
Q

What is transparent encryption ?

A

Database-specific encryption that runs in the background and doesn't interfere with the user's operations.

52
Q

What is the purpose of a CASB ?

A

To uncover shadow IT operations such as people using cloud services with corporate email

53
Q

What are the four data center tiers ?

A

1 - Basic
2 - Redundant Power and Cooling
3 - Concurrently Maintainable, Hot-Swappable architecture
4 - Fault Tolerance for topology

54
Q

What are the three key terms in ISO27034 ?

A

ONF, ANF, ASMP

55
Q

What is the Application Security Management Process of ISO27034 ?

A

The process that allows the development of the ANF from the ONF

56
Q

Name some common orchestration tools

A

Puppet, Chef, Salt

57
Q

What are the top 4 OWASP threats ?

A

Injection, XSS, CSRF, Insecure Direct Object Reference

58
Q

What is XSS

A

A redirection to a compromised web site from a trusted source

59
Q

What is a problem with Role Based Access ?

A

The assumption of roles that can lead to privilege escalation
