Domain 11 - Data Security & Encryption Flashcards
What are the three major categories of data security controls?
- Controlling what data goes into the cloud - driven by policies.
- Protecting and managing data in the cloud - encryption, access control, architecture, monitoring/logging
- Enforcing information lifecycle management security - data location/residency, compliance, backup and BCP.
What are the cloud data storage types?
- Object store - access through APIs (e.g. S3)
- Volume store - virtual hard drive (e.g. EBS)
- Database - RDBMS, NoSQL
- Application/Platform - e.g. CDN
What tools are available to control what data goes into cloud?
- Governance through policies which establish which data goes to cloud and which does not
- Use of DLP tools, DAM, CASB, URL Filtering, Proxies
- Secure data transfers to the cloud - e.g. using TLS connections
DLP tools are challenged by encrypted connections.
How do you use access controls to secure data in the cloud?
- Management plane: secure user access
- Controls for sharing data with public and partners
- Application level controls
Fine grained access controls (entitlement matrix)
Frequently validate that controls meet your requirements
What are various ways of protecting data at rest?
- Encryption
- Tokenization
- Masking
- Bit Splitting
- Data Dispersion
- Randomizing/Scrambling
What are IaaS Encryption Options?
- Volume encryption - keys controlled either by the instance or externally
- Object/File Storage - a) client side encryption b) server-side or c) encryption operations done by a proxy.
What are PaaS Encryption Options?
- Application level encryption
- DB level - TDE or field level
- Other: e.g. leveraging underlying IaaS encryption options.
What are SaaS encryption options?
- Provider managed
- Proxy - data passes through an encryption proxy (e.g. CASB) before being sent to the SaaS.
What are key management options available to customers?
- Use on-prem HSM to manage keys and provide to the cloud via secure channel as needed
- Virtual HSMs based in the cloud
- Cloud provider service (for key management - e.g. KMS)
- Hybrid: Use on-prem HSM, but deliver application specific keys to a virtual appliance in the cloud.
What is an example of leveraging data architectures to improve security?
Run application components in different virtual networks (e.g. VPCs)
Bridge them by using the provider’s network - e.g. message queue (e.g. SQS)
For an attacker to succeed, they’d have to breach both the customer’s and the provider’s virtual networks.