Domain 11 - Data Security & Encryption Flashcards

1
Q

What are the three major categories of data security controls?

A
  1. Controlling what data goes into the cloud - driven by policies.
  2. Protecting and managing data in the cloud - encryption, access control, architecture, monitoring/logging.
  3. Enforcing information lifecycle management security - data location/residency, compliance, backup and BCP.
2
Q

What are the cloud data storage types?

A
  1. Object store - accessed through APIs (e.g. S3)
  2. Volume store - virtual hard drive (e.g. EBS)
  3. Database - RDBMS, NoSQL
  4. Application/Platform - e.g. CDN
3
Q

What tools are available to control what data goes into the cloud?

A
  1. Governance through policies which establish which data goes to the cloud and which does not
  2. Use of DLP tools, DAM, CASB, URL filtering, proxies
  3. Secure data transfers to the cloud - e.g. using TLS connections

DLP tools are challenged by encrypted connections.

4
Q

How do you use access controls to secure data in the cloud?

A
  1. Management plane: secure user access
  2. Controls for sharing data with the public and with partners
  3. Application-level controls

Fine-grained access controls (entitlement matrix)
Frequently validate that the controls meet your requirements

5
Q

What are various ways of protecting data at rest?

A
  1. Encryption
  2. Tokenization
  3. Masking
  4. Bit Splitting
  5. Data Dispersion
  6. Randomizing/Scrambling
6
Q

What are IaaS Encryption Options?

A
  1. Volume encryption - keys controlled either by the instance or externally
  2. Object/file storage - a) client-side encryption, b) server-side encryption, or c) encryption operations performed by a proxy.
7
Q

What are PaaS Encryption Options?

A
  1. Application-level encryption
  2. DB level - TDE or field-level encryption
  3. Other: e.g. leveraging the underlying IaaS encryption options.
8
Q

What are SaaS encryption options?

A
  1. Provider managed
  2. Proxy - data passes through an encryption proxy (e.g. CASB) before being sent to the SaaS.
9
Q

What are key management options available to customers?

A
  1. Use an on-prem HSM to manage keys and provide them to the cloud via a secure channel as needed
  2. Virtual HSMs based in the cloud
  3. Cloud provider service for key management (e.g. KMS)
  4. Hybrid: use an on-prem HSM, but deliver application-specific keys to a virtual appliance in the cloud.
10
Q

What is an example of leveraging data architectures to improve security?

A
Run application components in different virtual networks (e.g. VPCs).
Bridge them using the provider's network - e.g. a message queue (e.g. SQS).
For an attacker to succeed, they'd have to breach both the customer's and the provider's virtual networks.
