Describe security and compliance concepts Flashcards
Shared Responsibility Model
The shared responsibility model identifies which security tasks are handled by the cloud provider, and which security tasks are handled by you, the customer. The responsibilities vary depending on where the workload is hosted: SaaS, PaaS, IaaS and On-premises datacenter.
For all cloud deployment types you, the cloud customer, own your data and identities. You’re responsible for protecting the security of your data and identities, and on-premises resources including mobile devices, PCs, printers, and more.
In summary, responsibilities always retained by the customer organization include: Information and data, Devices (mobile and PCs) and Accounts and identities.
Defense-in-depth
Defense in depth uses a layered approach to security, rather than relying on a single perimeter. A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack.
-Physical security such as limiting access to a datacenter to only authorized personnel.
-Identity and access security controls, such as multifactor authentication or condition-based access, to control access to infrastructure and change control.
-Perimeter security of your corporate network includes distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
-Network security, such as network segmentation and network access controls, to limit communication between resources.
-Compute layer security such as securing access to virtual machines either on-premises or in the cloud by closing certain ports.
-Application layer security to ensure applications are secure and free of security vulnerabilities.
-Data layer security including controls to manage access to business and customer data and encryption to protect data.
Confidentiality, Integrity, Availability (CIA)
-Confidentiality refers to the need to keep confidential sensitive data such as customer information, passwords, or financial data. You can encrypt data to keep it confidential, but then you also need to keep the encryption keys confidential.
-Integrity refers to keeping data or messages correct. Integrity is about having confidence that data hasn’t been tampered with or altered.
-Availability refers to making data available to those who need it, when they need it.
Zero Trust - Model
Zero Trust assumes everything is on an open and untrusted network, even resources behind the firewalls of the corporate network. The Zero Trust model operates on the principle of “trust no one, verify everything.”
The Zero Trust model has three principles which guide and underpin how security is implemented:
-Verify explicitly. Always authenticate and authorize based on the available data points, including user identity, location, device, service or workload, data classification, and anomalies.
-Least privileged access. Limit user access with just-in-time and just-enough access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
-Assume breach. Segment access by network, user, devices, and application. Use encryption to protect data, and use analytics to get visibility, detect threats, and improve your security.
Six Foundational Pillars
These six elements are the foundational pillars of the Zero Trust model:
-Identities may be users, services, or devices. When an identity attempts to access a resource, it must be verified with strong authentication, and follow least privilege access principles.
-Devices (Endpoints) create a large attack surface as data flows from devices to on-premises workloads and the cloud. Monitoring devices for health and compliance is an important aspect of security.
-Applications are the way that data is consumed. This includes discovering all applications being used. This pillar also includes managing permissions and access.
-Data should be classified, labeled, and encrypted based on its attributes.
-Infrastructure, whether on-premises or cloud based, represents a threat vector. To improve security, you assess for version, configuration, and JIT access, and use telemetry to detect attacks and anomalies.
-Networks should be segmented, including deeper in-network micro-segmentation. Also, real-time threat protection, end-to-end encryption, monitoring, and analytics should be employed.
Encryption
Encryption is the process of making data unreadable and unusable to unauthorized viewers.
There are two top-level types of encryption:
-Symmetric encryption uses the same key to encrypt and decrypt the data.
-Asymmetric encryption uses a public key and private key pair. The public key is used to encrypt, then only the corresponding private key can be used to decrypt.
Encryption is applied to data in three states:
-Data at rest is the data that’s stored on a physical device, such as a server.
-Data in transit is the data moving from one location to another, such as across the internet or through a private network.
-Data in use involves securing data in nonpersistent storage, such as RAM or CPU caches.
Hashing
Hashing uses an algorithm to convert text to a unique fixed-length value called a hash. Each time the same text is hashed using the same algorithm, the same hash value is produced.
-That hash can then be used as a unique identifier of its associated data.
Hashing is often used to store passwords. When a user enters their password, the same algorithm that created the stored hash creates a hash of the entered password. This is compared to the stored hashed version of the password.
Governance
Governance is the system of rules, practices, and processes an organization uses to direct and control its activities. Many governance activities arise from external standards, obligations, and expectations. For example, organizations establish rules and processes that define who, what, where, and when users and applications can access corporate resources, and who has administrative privileges and for how long.
Risk
Risk management is the process of identifying, assessing, and responding to threats or events that can impact company or customer objectives. Organizations face risk from both external and internal sources.
-External risks can come from political and economic forces, weather-related events, pandemics, and security breaches.
-Internal risks are risks that come from within the organization itself. Examples include leaks of sensitive data, intellectual property theft, fraud, and insider trading.
Compliance
Compliance refers to the country/region, state or federal laws or even multi-national regulations that an organization must follow. These regulations define what types of data must be protected, what processes are required under the legislation, and what penalties are issued to organizations that fail to comply.
Some compliance-related concepts include:
-Data residency - When it comes to compliance, data residency regulations govern the physical locations where data can be stored and how and when it can be transferred, processed, or accessed internationally.
-Data sovereignty - Data, particularly personal data, is subject to the laws and regulations of the country/region in which it’s physically collected, held, or processed. This can add a layer of complexity when it comes to compliance because the same piece of data can be collected in one location, stored in another, and processed in still another, making it subject to laws from different countries/regions.
-Data privacy - Providing notice and being transparent about the collection, processing, use, and sharing of personal data are fundamental principles of privacy laws and regulations.