Domain 11 - Data Security and Encryption Flashcards
_______ is a key enforcement tool for information and data governance. As with all areas of
cloud security, its use should be risk-based since it is not appropriate to secure everything equally.
Data security
3 Buckets of Data Security Controls
- Controlling what and where data goes into the cloud
- Protecting and managing cloud data
- Enforcing Information Life-cycle Management Security
What are the key controls and processes for protecting and managing data in the cloud?
- Access controls
- Encryption
- Architecture
- Monitoring/alerting (of usage, configuration, lifecycle state, etc.)
- Additional controls, including those related to the specific product/service/platform of
your cloud provider, data loss prevention, and enterprise rights management.
Cloud Data Storage Types
- Object Storage
- Volume Storage
- Database
- Application/Platform
______ (sometimes also known as data fragmentation or bit splitting). This process takes chunks of
data, breaks them up, and then stores multiple copies on different physical storage to provide high
durability.
Data Dispersion
Data Migration process to the Cloud
- Define policies for which data types are allowed and where
- Tie policies to baseline requirements
- Identify key repositories
- Monitor for large migrations
Data Migration Monitoring tools
- CASB
- URL Filtering
- DLP
Cloud Data Access controls should be implemented at minimum in three layers. What are these?
- Management Plane
- Public and Internal Sharing Controls
- Application Level Controls
_______ protects data by applying a mathematical algorithm that “scrambles” the data, which then can only be recovered by running
it through an unscrambling process with a corresponding key.
Encryption
_______ is often used when the format of the data is important (e.g. replacing credit card
numbers in an existing system that requires the same format text string).
Tokenization
______ encrypts data with a key but also keeps the same structural format as tokenization, but it
may not be as cryptographically secure due to the compromises.
Format-preserving Encryption
What are the three components of an encryption system?
Data, the encryption engine, and key management.
Different methods of Data Encryption in IaaS
- Volume Storage Encryption
  - Instance managed
  - Externally managed
- Object and File Storage
  - Client-side
  - Server-side
  - Proxy
It is a volume storage encryption where the encryption engine runs within the instance, and the key is stored in the
volume but protected by a passphrase or keypair.
Instance managed encryption
It is a volume storage encryption where the encryption engine runs in the instance, but the keys are managed externally and issued to the instance on request.
Externally managed encryption
When object storage is used as the back-end for an application (including mobile applications), encrypt the data using an encryption engine embedded in the application or client.
Client-side encryption
Data is encrypted on the server (cloud) side after
being transferred in. The cloud provider has access to the key and runs the encryption engine.
Server side encryption
In this model, you connect the volume to a special instance or appliance/software,
and then connect your instance to the encryption instance. The proxy handles all
crypto operations and may keep keys either onboard or externally.
Proxy Encryption
Different methods of Data Encryption in PaaS
- Application Level Encryption
- Database Encryption
- Other
Different methods of Data Encryption in SaaS
- Provider Managed Encryption
- Proxy Encryption
Data is encrypted in the PaaS application or the client accessing
the platform
Application layer encryption
Data is encrypted in the database using encryption that’s built in and is
supported by a database platform like Transparent Database Encryption (TDE) or at the field level.
Database encryption
Data is encrypted in the SaaS application and generally managed
by the provider.
Provider-managed encryption
Data passes through an encryption proxy before being sent to the SaaS
application
Proxy encryption
Key Management main considerations
- performance
- accessibility
- latency
- security
4 Potential options for handling key management
- HSM/Appliance
- Virtual Appliance/software
- Cloud Provider Service
- Hybrid
True/False: A customer-managed key allows a cloud customer to manage their own encryption key while the
provider manages the encryption engine.
True
_________ is typically a way to monitor and protect data that your employees
access via monitoring local systems, web, email, and other traffic. It is not typically used within data
centers, and thus is more applicable to SaaS than PaaS or IaaS, where it is typically not deployed.
Data Loss Prevention (DLP)
2 Types of DRM
- Full DRM
- Provider Based Control
2 ways to protect development cloud data
- Test Data Generation
- Dynamic Masking
This is traditional, full digital rights management using an existing tool. For example,
applying rights to a file before storing it in the cloud service.
Full DRM
The cloud platform may be able to enforce controls very similar to full
DRM by using native capabilities
Provider based control
This is the creation of a database with non-sensitive test data based on a “real”
database. It can use scrambling and other randomization techniques to create a data set that
resembles the source in size and structure but lacks sensitive data.
Test Data generation
This rewrites data on the fly, typically using a proxy mechanism,
to mask all or part of data delivered to a user. It is usually used to protect some sensitive data
in applications, for example masking out all but the last digits of a credit card number when
presenting it to a user.
Dynamic Masking