Domain 2 Data Security Flashcards
Data Lifecycle
Create, Store, Use, Share, Archive, Delete
Create Phase
New data created
Data added to system
Data modified
Classification should always be done
Store Phase
. Must be stored in a way that is usable
. First place where security controls are used for data at rest
. Ensure that all storage methods employ the technology necessary for the classification level
Use Phase
. Data is consumed and processed by an application or user
. Exposed in an unencrypted state
Share Phase
. Data is made available for use outside the system it was intended for
. Ensure proper protections are in place
Archive Phase
. Moving data to long-term storage.
. Must be able to retrieve and recover
Destroy Phase
. Data is either made inaccessible or permanently erased and protected.
. Method and approach are based on the classification and sensitivity of the data.
Overwriting
Cryptographic erasing
Storage Types - IaaS
. Volume - virtual hard drive, used like the disk of a traditional server.
. Object - File storage that operates as an API or web service call.
. Files are stored as objects in an independent system and given a key value for reference and retrieval.
Storage Types - PaaS
Structured - data that is organized and categorized so it can easily be placed within a database or other storage system built on rule sets and a normalized design.
. Allows application developers to easily import data from other data sources or non-production environments.
Unstructured - data that cannot be used, or not easily used, in a rigid and formatted database structure.
. Multimedia, photos, MS Office files
Storage Types - SaaS
Information and Storage Management - data within databases that the application uses and maintains
. Generated by the application or imported via the application interfaces.
Content and file storage - allows for uploading of the data that is not part of the underlying database.
DLP Components
Discovery and classification - focuses on finding the data that is pertinent to the DLP strategy and ensuring that it is known to the DLP.
. Determining the security classification
Monitoring - watching the data as it moves through the various states of usage to ensure it is used in appropriate and controlled ways.
Implementation - enforcement of policies and handling of any potential violations
Data Security Strategies
Encryption, Key Management, Masking, Obfuscation, Anonymization, Tokenization
Encryption
. Key management is the central challenge
. Ensures confidentiality, not integrity
. Applied to data at a wholesale or granular level.
. For object storage, applied at the file level.
Data Masking or Obfuscation
. Hide or remove sensitive data from data sets.
. Use random or substitute data
. Non-production and development environments
Static masking - a separate and distinct copy of the data set is created with masking in place.
Dynamic masking - masking process is implemented between the application and data layers of the application.
Data Anonymization
Data is manipulated in a way to prevent the identification of an individual through the various data objects.
Tokenization
. Practice of using a random and opaque token value in data to replace what would otherwise be sensitive or protected data objects.
. Token value is usually created by the application, with a means to map back to the actual value.
Data Privacy Roles
Physical environment - cloud provider
Infrastructure - PaaS and SaaS: cloud provider. IaaS: provider and customer
Platform - SaaS: cloud provider. PaaS: shared. IaaS: customer
Application - SaaS: shared. PaaS and IaaS: customer
Data - cloud customer
Governance - cloud customer
Data Discovery
Prime method for an application or system owner to show and ensure compliance with data privacy and regulations
CCM
Cloud Security Alliance Cloud Controls Matrix - provides a framework and applicable security control domains within a cloud environment that encapsulates the various requirements set forth by privacy acts as well as various industry certification and regulatory bodies.
Data Rights Management (DRM)
Extension of normal data protection, where controls and ACLs are placed onto data sets that require additional permissions or conditions to access and use, beyond simple and traditional security controls.
Information Rights Management (IRM)
. Organizational side of information and privacy protection.
. Additional layer of security and control over documents beyond what is achieved from normal file system permissions.
Can be used as a means for data classification and control
IRM Tools
Auditing, Expiration, Policy control, Protection, Support for applications and formats
Data Deletion
Overwriting - process of using random data or null pointers to write over data sectors that previously contained sensitive information
. Unlikely for a customer to be able to ensure they know all locations of the data to overwrite.
Cryptographic shredding - destroy data via encryption, with the resulting key being permanently destroyed to ensure the data can never be recovered.
Data Archiving Considerations
Format
Technology - the technology or standard to maintain and store data
Regulatory Requirements - may specify minimum duration for data archiving as well as the procedures and reasons why retrieval is required or could be requested.
Testing - proper testing is required to validate and audit the policies and procedures to ensure that the program is valid and usable
Event Sources
System events that are available for capture vary by cloud model
IaaS - virtually all log and data events should be exposed and available for capture
PaaS - exposure of events from the application is a combination of standard logging and custom logs made available by application developers
SaaS - log data is minimal and highly restricted.
SIEM
Security Information and Event Management
Aggregation and correlation, Alerting, Reporting and Compliance, Dashboards, Retention and Compliance, Continuous Optimization
Raw Disk Storage
Permanently allocated storage space that exists independently of a server instance
Ephemeral storage
Temporary storage associated with a specific instance that is destroyed when the instance is stopped