Cloud Data Security Flashcards

1
Q

Name all 6 steps in the Cloud Data Lifecycle

A
  1. Create
  2. Store
  3. Use
  4. Share
  5. Archive
  6. Destroy
2
Q

Cloud Data Lifecycle: Describe: Create

A

Data creation may occur in a multitude of locations. Data may be created in the cloud environment, it can be created on premises or at a remote location, or it can be created in another cloud.

The threats to data in the Create phase vary based on where it is created and how it will be transferred to the cloud for storage.

Data created within the cloud: such data should also be encrypted upon creation.
This protects against both attackers who gain access to the environment and the cloud service provider's own staff seeing it in unencrypted form.

As with data created remotely, key management remains a critical part of securing the data - if the keys can be obtained by malicious actors, encryption is not a useful protection!

3
Q

Cloud Data Lifecycle - Create: What should you do if data is created remotely?

A

Data created by the user should be encrypted before uploading to the cloud in order to protect against attacks like packet capture and on-path attacks, as well as insider threats at the cloud data center.

That means selecting strong encryption methods and implementing good key management practices, which we will cover later in this chapter.

Of course it is also desirable to ensure that the network traffic itself is secured - most often using Transport Layer Security (TLS) through an HTTPS connection.

4
Q

Cloud Data Lifecycle: Describe: Store

A

As you review the data lifecycle diagram, you may be wondering why there is both a Store and an Archive phase; they can sound pretty similar. The Store phase occurs immediately after creation and describes what happens to data as soon as it has been created.

Here, critical security controls include provisioning access rights to the storage locations, ensuring that the storage locations are properly secured, and continuing to protect data through encryption at rest where it is needed or required.

5
Q

Cloud Data Lifecycle: Describe: Share

A

Although global collaboration and massive scale to many locations are both powerful capabilities afforded by the cloud, they come with risks.

If users, systems, and data can be anywhere on the planet, so can threats.

Many of the same security controls implemented in prior phases remain key controls when defending the Share phase:

  • encrypted files and communications
  • information rights management (IRM) solutions
  • tagging and permissions models
6
Q

Cloud Data Lifecycle: Share:
Do you need sharing restrictions?

A

Yes!

We also have to craft sharing restrictions based on jurisdiction and legal requirements. Organizations may need to limit or prevent data being sent to certain locations in accordance with regulatory requirements or contractual obligations.

These restrictions can take the form of either export controls or import controls, so the security professional must be familiar with both for all regions where the organization’s data might be shared.

7
Q

Name 2 export restrictions.

A
  1. International Traffic in Arms Regulations, or ITAR (United States)
  2. Export Administration Regulations, or EAR (United States)
8
Q

What are the International Traffic in Arms Regulations, or ITAR (United States)?

A

International Traffic in Arms Regulations, or ITAR (United States): State Department controls on the export of defense articles, defense services, and related technical data; they can include cryptography systems.

9
Q

What are the Export Administration Regulations, or EAR (United States)?

A

Export Administration Regulations, or EAR (United States): Department of Commerce (Bureau of Industry and Security) controls on dual-use items, that is, technologies that could be used for both commercial and military purposes. Most commercial cryptography exported from the United States falls under the EAR rather than ITAR.

10
Q

Name 2 Import Restrictions.

A
  1. Cryptography (Various)
  2. The Wassenaar Arrangement
11
Q

Describe Cryptographic import restrictions.

A

Many countries have restrictions on importing cryptosystems or material that has been encrypted.

When doing business in or with a nation that has crypto restrictions, it is the security professional’s responsibility to know and understand these local mandates.

12
Q

What is the Wassenaar Arrangement?

A

The Wassenaar Arrangement is a multilateral export-control regime: its 42 participating states agree to inform each other about transfers of conventional arms and of dual-use goods and technologies (cryptography included) to non-participating states.

It is not a treaty and is therefore not legally binding in itself; each participating state implements it through its own national export controls, so your organization may still need to notify your government, or obtain a licence, in order to stay in compliance.

13
Q

Cloud Data Lifecycle: Describe: Archive

A

This is the phase for long-term storage, and thus you will have to consider data security over a longer time frame when planning security controls for the data.

Cryptography remains an essential consideration, but the strength of the cryptosystem and its resistance both to attacks sustained over a long period and to future attacks (such as advances in cryptanalysis during the retention period) must be weighed.

Key management is still extremely important since mismanaged keys can lead to exposure or to total loss of the data, no matter how strong your encryption is.

14
Q

What is of the utmost importance in regard to key management and storage?

A

Key management is still extremely important since mismanaged keys can lead to exposure or to total loss of the data, no matter how strong your encryption is.

If the keys are improperly stored (especially if they are stored alongside the data), there is an increased risk of loss, and modern attackers are aware of and look for keys as part of their attacks.

15
Q

How could elliptic curve cryptography (ECC) benefit the Archive phase of the data lifecycle?

A

One aspect of cryptography to be aware of is elliptic curve cryptography (ECC).

ECC uses the algebra of elliptic curves to provide the same level of security with much smaller keys than traditional public-key cryptosystems such as RSA require: a 256-bit ECC key is rated at roughly the same strength as a 3072-bit RSA key (NIST SP 800-57). Smaller keys and signatures cost less to store, transmit, and verify over a long retention period.
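To make the size difference concrete, the Go program below (an added example for this page, not the book's code) generates a NIST P-256 key and an RSA-3072 key, the pair that NIST SP 800-57 places at the same 128-bit security level, signs the same SHA-256 digest with each, verifies the signature, and reports the DER-encoded public-key and signature sizes an archive would have to retain. The archive manifest being signed is constructed input.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// KeySizes records what an archive has to retain for one signature scheme:
// the DER-encoded public key (SubjectPublicKeyInfo) and one signature.
type KeySizes struct {
	Scheme         string
	PublicKeyBytes int
	SignatureBytes int
}

// MeasureP256 generates a NIST P-256 key pair, signs and verifies digest,
// and returns the encoded sizes.
func MeasureP256(digest []byte) (KeySizes, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return KeySizes{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest)
	if err != nil {
		return KeySizes{}, err
	}
	if !ecdsa.VerifyASN1(&key.PublicKey, digest, sig) {
		return KeySizes{}, fmt.Errorf("P-256 signature failed to verify")
	}
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return KeySizes{}, err
	}
	return KeySizes{"ECDSA P-256", len(pub), len(sig)}, nil
}

// MeasureRSA3072 does the same with RSA-3072, which NIST SP 800-57 rates at
// the same 128-bit security strength as P-256.
func MeasureRSA3072(digest []byte) (KeySizes, error) {
	key, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return KeySizes{}, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest)
	if err != nil {
		return KeySizes{}, err
	}
	if err := rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest, sig); err != nil {
		return KeySizes{}, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return KeySizes{}, err
	}
	return KeySizes{"RSA-3072", len(pub), len(sig)}, nil
}

func main() {
	// Constructed input: the digest of an archive manifest that would be
	// signed so its integrity can be checked years later.
	digest := sha256.Sum256([]byte("constructed archive manifest v1"))
	for _, measure := range []func([]byte) (KeySizes, error){MeasureP256, MeasureRSA3072} {
		s, err := measure(digest[:])
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s public key %3d bytes, signature %3d bytes\n", s.Scheme, s.PublicKeyBytes, s.SignatureBytes)
	}
}
```

The P-256 public key encodes to 91 bytes and its ASN.1 signature to about 70 bytes, against 422 and 384 bytes for RSA-3072; the difference compounds across every signed object, manifest, and certificate an archive keeps for a decade.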

16
Q

Cloud Data Lifecycle: Archive: What 6 questions should you consider when choosing a long-term storage solution in the cloud?

A
  • Where is the data being stored by the cloud provider?
    Are multiple cloud providers involved?
  • What environmental factors will pose risks in that location (natural disasters, climate, etc.)?
  • What jurisdictional aspects might bear consideration (local and national laws)?
  • Will it be feasible to access the data during contingency operations (for instance, during a natural disaster)?
  • Is it far enough away to be safe from events that impact the production environment?
  • Is it replicated in multiple locations or in multiple clouds?
    Does that replication create any additional concerns such as an inability to ensure deletion?
17
Q

Archive: Data format: What 5 things do you need to consider?

A
  • Is the data being stored on some physical medium such as tape backup or magnetic storage in an offline mode, or is it online and replicated?
  • Is the media highly portable and in need of additional security controls against theft?
  • Will that medium be affected by environmental factors?
  • How long do you expect to retain this data?
  • Will it be in a format still accessible by production hardware when you need it?
18
Q

Archive: What do you need to consider in regards to staffing?

A

Staffing for cloud service providers may directly impact the data that you can store and process in their cloud.

Some contractual, government, or other requirements may require that foreign national employees not have access to certain types of data, creating a hurdle you will have to overcome before using a cloud provider.

At the same time, it is important to ensure that providers are performing appropriate personnel security checks like background checks and ongoing monitoring.

19
Q

Archive: What 3 things should your procedures include?

A

- How is data recovered when needed?
- How is it ported to the archive on a regular basis?
- How often are you doing full backups (and incremental or differential backups)?

20
Q

Explain the Destroy Step in the Cloud Data Lifecycle

A

We discussed destruction options for cloud environments in Chapter 2. Cryptographic erasure (crypto-shredding) is the only feasible and thorough means currently available for this purpose in the cloud environment.

Destruction of the encryption keys also matters at the end of the data lifecycle: strongly encrypted data without its key is very difficult to access, even over extended time frames, so key destruction is a useful additional control. This is particularly true when the way a provider architects its underlying storage or services makes it hard to confirm that your data has truly been deleted.
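The Create cards (encrypt before upload, with key management kept separate from the data) and the Destroy card above rest on the same mechanism, so one example serves both. The Go program below is an added example written for this page, not code from the book or from any cloud provider. It uses envelope encryption with AES-256-GCM from the standard library: each object gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK), and only ciphertext plus the wrapped DEK reach the object store. The in-memory `ObjectStore` and `KeyStore` maps, the KEK name `kek-2024`, and the object key are assumptions for the demo, standing in for a bucket and a KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed in-memory stand-ins for two separately administered systems: the
// object store holds only ciphertext plus the wrapped DEK, the key store holds
// key-encryption keys (KEKs). A copy of the bucket alone never yields plaintext.
type ObjectStore map[string]StoredObject
type KeyStore map[string][]byte

type StoredObject struct {
	KEKID      string // hypothetical name of the KEK that wrapped this DEK
	WrappedDEK []byte // nonce||AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce||AES-256-GCM(DEK, data)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue from
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes (AES-256)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal encrypts under a fresh random nonce and returns nonce||ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails on any tampering with ciphertext or AAD.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Upload encrypts client-side before anything reaches the object store: a
// per-object DEK protects the data and only the KEK-wrapped DEK travels with
// it. The object name is bound as AAD so a wrapped DEK cannot be transplanted.
func Upload(objs ObjectStore, keys KeyStore, kekID, name string, plaintext []byte) error {
	kek, ok := keys[kekID]
	if !ok {
		return fmt.Errorf("unknown KEK %q", kekID)
	}
	dek := randomBytes(32)
	objs[name] = StoredObject{
		KEKID:      kekID,
		WrappedDEK: seal(kek, dek, []byte(name)),
		Ciphertext: seal(dek, plaintext, []byte(name)),
	}
	return nil
}

// Download unwraps the DEK with its KEK, then decrypts the object.
func Download(objs ObjectStore, keys KeyStore, name string) ([]byte, error) {
	obj, ok := objs[name]
	if !ok {
		return nil, fmt.Errorf("no object %q", name)
	}
	kek, ok := keys[obj.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q destroyed: object is cryptographically erased", obj.KEKID)
	}
	dek, err := open(kek, obj.WrappedDEK, []byte(name))
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext, []byte(name))
}

// CryptoShred zeroises and deletes a KEK: every object whose DEK it wrapped
// becomes unrecoverable even where the provider still holds replicas.
func CryptoShred(keys KeyStore, kekID string) {
	if kek, ok := keys[kekID]; ok {
		for i := range kek {
			kek[i] = 0
		}
		delete(keys, kekID)
	}
}

func main() {
	objs, keys := ObjectStore{}, KeyStore{"kek-2024": randomBytes(32)}
	_ = Upload(objs, keys, "kek-2024", "records/42.json", []byte("constructed sample record"))
	pt, err := Download(objs, keys, "records/42.json")
	fmt.Printf("before shred: %q err=%v\n", pt, err)
	CryptoShred(keys, "kek-2024")
	_, err = Download(objs, keys, "records/42.json")
	fmt.Println("after shred:", err)
}
```

Two properties are worth checking on a real deployment the same way: the object store by itself must never contain plaintext (the key store is the only thing that turns ciphertext back into data), and after the KEK is destroyed every replica, snapshot, or backup of the ciphertext the provider still holds is worthless, which is what makes crypto-shredding feasible where physical destruction is not.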

21
Q

Cloud Storage Architectures: What are the three specific types of storage?

A

The CCSP exam considers three specific types of storage:

  • long-term
  • ephemeral
  • raw storage
22
Q

What is long-term storage?

A

Long-term storage is storage specifically designed to be used for extended periods of time.

Amazon S3 Glacier, Azure Archive Storage, and Google Cloud Storage's Coldline and Archive classes are all examples of long-term storage solutions.

In fact, each of the major cloud vendors offers multiple tiers of storage, ranging from frequent-access storage, through nearline storage often used for shorter-lived data such as logs and media content, to the long-term storage provided for backups and to meet regulatory retention requirements.

23
Q

What is Ephemeral storage?

A

Ephemeral storage in the cloud is used for data that often exists only as long as an instance does. Consider the /tmp directory that AWS Lambda provides to a function.

Data that is created and used during an invocation can be stored there, but it is meant as an ephemeral scratch resource and should not be used for durable storage: it persists only while that execution environment is reused and is gone once the environment is recycled.

24
Q

What is Raw storage?

A

Raw storage is storage that you have direct access to. You can think of this like access to a hard drive, SSD, or storage volume where you have direct access to the underlying storage rather than a storage service.

25
Q

What are the two volume storage types?

A
  • File Storage
  • Block Storage
26
Q

Explain File Storage.

A

File Storage (also File-Level Storage or File-Based Storage)

The data is stored and displayed just as with a file structure in the traditional environment, as files and folders, with all the same hierarchical and naming functions. File storage architectures have become popular with big data analytical tools and processes.

27
Q

Explain Block Storage

A

Block storage is a blank volume that the customer or user can put anything into. Block storage might allow more flexibility and higher performance, but it requires a greater amount of administration and typically entails putting a file system, operating system, or application on the volume to store, sort, and retrieve data.

Block storage might be better suited for a volume and purpose that includes data of multiple types and kinds, such as enterprise backup services or active volumes for online transaction processing (OLTP) databases.

28
Q

What is object-based storage?

A

Object storage is just what it sounds like: data is stored as objects, not as files or blocks. Objects include not only the actual production content, but metadata describing the content and object and a unique address identifier for locating that specific object across an entire storage space.

Object storage architectures allow for a significant level of description, including marking, labels, classification, and categorization.

This also enhances the opportunity for indexing capabilities, data policy enforcement (such as IRM and DLP, discussed later in this chapter), and centralization of some data management functions.

Any cloud service model can include object storage architectures, but object storage is usually associated with IaaS.
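The tagging and permissions model from the Share card, the jurisdiction-based sharing restrictions, and the policy enforcement that object metadata makes possible (above) come together in a deny-by-default sharing check. The Go program below is an added example for this page, not code from the book or from any provider, and its rules are constructed: the tag names (`classification`, `export_control`, `data_origin`), the `ShareRequest` fields, and the allowlists in `ExamplePolicy` are assumptions for the demo, not legal determinations. It shows an object without a classification tag failing closed, and a request being refused with every blocking reason at once.

```go
package main

import (
	"fmt"
	"strings"
)

// Object is what an object store returns: a key plus the tags a classification
// step attached at Create/Store time (the tag names are assumptions).
type Object struct {
	Key  string
	Tags map[string]string // classification, export_control, data_origin
}

// ShareRequest describes where an object is about to go. The fields are
// assumptions for this example; USPerson is the ITAR recipient criterion.
type ShareRequest struct {
	Object     Object
	DestRegion string // region code, e.g. "US", "DE", "CN"
	USPerson   bool
	IRMApplied bool // whether the outgoing copy will be wrapped by an IRM solution
}

// Policy is a deny-by-default ruleset: a missing or unknown tag blocks the
// share rather than letting unclassified data leave.
type Policy struct {
	TransferAllow map[string][]string // origin or control regime -> permitted destinations
	IRMRequired   map[string]bool     // classifications that must be IRM-wrapped to leave
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if strings.EqualFold(x, v) {
			return true
		}
	}
	return false
}

// Evaluate returns whether the share is allowed and every reason it is not,
// so the requester sees all blockers at once rather than one per retry.
func (p Policy) Evaluate(r ShareRequest) (bool, []string) {
	var reasons []string
	t := r.Object.Tags
	class, ok := t["classification"]
	if !ok {
		reasons = append(reasons, "object has no classification tag")
	}
	if class == "public" {
		return true, nil // public data carries no sharing restrictions
	}
	if p.IRMRequired[class] && !r.IRMApplied {
		reasons = append(reasons, fmt.Sprintf("classification %q requires IRM wrapping", class))
	}
	switch ec := t["export_control"]; ec {
	case "", "none":
	case "ITAR": // defense articles: US territory and US-person recipient only
		if r.DestRegion != "US" || !r.USPerson {
			reasons = append(reasons, "ITAR-tagged object cannot go to a non-US destination or non-US person")
		}
	case "EAR":
		if !contains(p.TransferAllow["EAR"], r.DestRegion) {
			reasons = append(reasons, fmt.Sprintf("EAR-tagged object not cleared for %s", r.DestRegion))
		}
	default:
		reasons = append(reasons, fmt.Sprintf("unknown export_control tag %q", ec))
	}
	origin, hasOrigin := t["data_origin"]
	if hasOrigin && origin != r.DestRegion && !contains(p.TransferAllow[origin], r.DestRegion) {
		reasons = append(reasons, fmt.Sprintf("transfer from %s to %s is not on the allowlist", origin, r.DestRegion))
	}
	return len(reasons) == 0, reasons
}

// ExamplePolicy is a constructed ruleset for the demo; real values come from
// counsel and the regulations and contracts that apply to the organisation.
func ExamplePolicy() Policy {
	return Policy{
		TransferAllow: map[string][]string{
			"EU":  {"EU", "DE", "FR", "US"},
			"US":  {"US", "EU", "DE", "FR", "GB"},
			"EAR": {"US", "GB", "DE", "FR"},
		},
		IRMRequired: map[string]bool{"confidential": true, "restricted": true},
	}
}

func main() {
	p := ExamplePolicy()
	for _, r := range []ShareRequest{ // constructed requests
		{Object{"designs/turbine.step", map[string]string{"classification": "confidential", "export_control": "ITAR", "data_origin": "US"}}, "DE", false, true},
		{Object{"hr/payroll.csv", map[string]string{"classification": "confidential", "data_origin": "EU"}}, "US", true, false},
		{Object{"tmp/export.csv", map[string]string{}}, "US", true, true},
	} {
		ok, why := p.Evaluate(r)
		fmt.Printf("%-22s -> %s allowed=%v %v\n", r.Object.Key, r.DestRegion, ok, why)
	}
}
```

The check belongs at the point where a share link, cross-account grant, or replication rule is created, and it only works if the tags are trustworthy: the classification step at Create/Store has to be enforced, and tag edits have to be restricted to the same roles that may change a permission.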

29
Q

What are databases?

A

Like their traditional counterparts, databases in the cloud provide some sort of structure for stored data. Data will be arranged according to characteristics and elements in the data itself, including a specific trait required to file the data known as the primary key.

In the cloud, the database is usually back-end storage in the data center, accessed by users through online applications or APIs, often via a browser.

Cloud providers may provide multiple different types of databases - common examples include:

  • traditional relational databases
  • nonrelational (NoSQL) databases, including key-value databases and document-oriented databases, to name a few
30
Q

What are Threats to long-term Cloud Storage?

A

For long-term storage like Amazon S3 Glacier, threats include:

  • exposure and malicious access due to
    • credential theft or compromise
    • privilege escalation
  • risks to the integrity of the data due to issues with the underlying service
  • exposure of the data due to attacks against the encryption protecting it

They can also include denial of service, service outages, and attacks that deny access to the data, such as ransomware that encrypts or deletes it.

31
Q

What are Threats to Ephemeral data?

A

Ephemeral data shares the same risks and also presents risks to the incident response and forensics process, as ephemeral systems and storage devices may be automatically destroyed or removed when those systems are terminated.

Since many environments automatically scale as needed, this means that forensic artifacts may be lost unless they are intentionally preserved.

32
Q

What are Threats to Raw Cloud Storage?

A

Raw storage may be allocated directly on devices. In some cloud systems, reallocation of raw storage has left fragments of data available to the next user of that block storage.

While that has been remediated in the major cloud providers' infrastructure, that type of risk is another reason to always encrypt data throughout cloud infrastructure, so that inadvertent exposure of your storage does not result in a breach.
