Domain 11 - Data Security and Encryption Flashcards

1
Q

_______ is a key enforcement tool for information and data governance. As with all areas of
cloud security, its use should be risk-based since it is not appropriate to secure everything equally.

A

Data security

2
Q

3 Buckets of Data Security Controls

A
  • Controlling what and where data goes into the cloud
  • Protecting and managing cloud data
  • Enforcing Information Life-cycle Management Security
3
Q

What are the key controls and processes for protecting and managing data in the cloud?

A
  • Access controls
  • Encryption
  • Architecture
  • Monitoring/alerting (of usage, configuration, lifecycle state, etc.)
  • Additional controls, including those related to the specific product/service/platform of
    your cloud provider, data loss prevention, and enterprise rights management.
4
Q

Cloud Data Storage Types

A
  • Object Storage
  • Volume Storage
  • Database
  • Application/Platform
5
Q

______ (sometimes also known as data fragmentation or bit splitting). This process takes chunks of
data, breaks them up, and then stores multiple copies on different physical storage to provide high
durability.

A

Data Dispersion

6
Q

Data Migration process to the Cloud

A
  • Define policies for which data types are allowed and where
  • Tie policies to baseline requirements
  • Identify key repositories
  • Monitor for large migrations
7
Q

Data Migration Monitoring tools

A
  • CASB
  • URL Filtering
  • DLP
8
Q

Cloud Data Access controls should be implemented at minimum in three layers. What are these?

A
  • Management Plane
  • Public and Internal Sharing Controls
  • Application Level Controls
9
Q

_______ protects data by applying a mathematical algorithm that “scrambles” the data, which then can
only be recovered by running it through an unscrambling process with a corresponding key.

A

Encryption

10
Q

_______ is often used when the format of the data is important (e.g. replacing credit card
numbers in an existing system that requires the same format text string).

A

Tokenization

11
Q

______ encrypts data with a key while keeping the same structural format as tokenization, but it
may not be as cryptographically secure because of the compromises made to preserve that format.

A

Format-preserving Encryption

12
Q

What are the three components of an encryption system?

A

data, the encryption engine, and key management.

13
Q

Different methods of Data Encryption in IaaS

A
  • Volume Storage Encryption
    - instance managed
    - externally managed
  • Object and file Storage
    - Client-side
    - Server Side
    - Proxy
14
Q

It is a volume storage encryption where the encryption engine runs within the instance, and the key
is stored in the volume but protected by a passphrase or keypair.

A

Instance managed encryption

15
Q

It is a volume storage encryption where the encryption engine runs in the instance, but the keys are
managed externally and issued to the instance on request.

A

Externally managed encryption

16
Q

When object storage is used as the back-end for an application (including mobile applications),
encrypt the data using an encryption engine embedded in the application or client.

A

Client-side encryption

17
Q

Data is encrypted on the server (cloud) side after being transferred in. The cloud provider has
access to the key and runs the encryption engine.

A

Server side encryption

18
Q

In this model, you connect the volume to a special instance or appliance/
software, and then connect your instance to the encryption instance. The proxy handles all
crypto operations and may keep keys either onboard or externally.

A

Proxy Encryption

19
Q

Different methods of Data Encryption in PaaS

A
  • Application Level Encryption
  • Database Encryption
  • Other
20
Q

Different methods of Data Encryption in SaaS

A
  • Provider Managed Encryption
  • Proxy Encryption

21
Q

Data is encrypted in the PaaS application or the client accessing
the platform

A

Application layer encryption

22
Q

Data is encrypted in the database using encryption that’s built in and is
supported by a database platform like Transparent Database Encryption (TDE) or at the field level.

A

Database encryption

23
Q

Data is encrypted in the SaaS application and generally managed
by the provider.

A

Provider-managed encryption

24
Q

Data passes through an encryption proxy before being sent to the SaaS
application

A

Proxy encryption

25
Q

Key Management main considerations

A
  • performance
  • accessibility
  • latency
  • security
26
Q

4 Potential options for handling key management

A
  • HSM/Appliance
  • Virtual Appliance/software
  • Cloud Provider Service
  • Hybrid
27
Q

True/False: A customer-managed key allows a cloud customer to manage their own encryption key while the
provider manages the encryption engine.

A

True

28
Q

_________ is typically a way to monitor and protect data that your employees
access via monitoring local systems, web, email, and other traffic. It is not typically used within data
centers, and thus is more applicable to SaaS than PaaS or IaaS, where it is typically not deployed.

A

Data Loss Prevention (DLP)

29
Q

2 Types of DRM

A
  • Full DRM
  • Provider Based Control

30
Q

2 ways to protect development cloud data

A
  • Test Data Generation
  • Dynamic Masking

31
Q

This is traditional, full digital rights management using an existing tool. For example,
applying rights to a file before storing it in the cloud service.

A

Full DRM

32
Q

The cloud platform may be able to enforce controls very similar to full
DRM by using native capabilities

A

Provider based control

33
Q

This is the creation of a database with non-sensitive test data based on a “real”
database. It can use scrambling and other randomization techniques to create a data set that
resembles the source in size and structure but lacks sensitive data.

A

Test Data generation

34
Q

This rewrites data on the fly, typically using a proxy mechanism,
to mask all or part of data delivered to a user. It is usually used to protect some sensitive data
in applications, for example masking out all but the last digits of a credit card number when
presenting it to a user.

A

Dynamic Masking