Domain 2 Data Security

Question 1

Data Lifecycle

Answer 1

Create
Store
Use
Share
Archive
Delete

Question 2

Create Phase

Answer 2

New data created
Data added to system
Data modified

Classification should always be done

Question 3

Store Phase

Answer 3

. Must be stored in a way that is usable

. First place where security controls are used for data at rest

. Ensure that all storage methods employ the tech necessary for the classification level

Question 4

Use Phase

Answer 4

. Data is consumed and processed by an application or user

. Exposed in an unencrypted state

Question 5

Share Phase

Answer 5

. Data is made available for use outside the system it was intended for

. Ensure proper protections are in place

Question 6

Archive Phase

Answer 6

. Moving data to long term storage.

. Must be able to retrieve and recover

Question 7

Destroy Phase

Answer 7

. Where data is either made inaccessible or permanently erased and protected.

. Method and approach being based on the classification and sensitivity

Overwriting
Cryptographic erasing

Question 8

Storage Types - IaaS

Answer 8

.Volume - virtual hard drive, see live a traditional server model.

. Object - File storage that operates as an API or web service call.
. Files are stored as objects in an independent system and given a key value. for reference and retrieval

Question 9

Storage Types - PaaS

Answer 9

Structured - data is organized and categorized in a way to be easily placed within a database or other storage system that is created with rule sets and a normalized design.
. Allows application developed to easily import from other data sources or non-productions

Unstructured - data that cannot be used or easily used in a rigid and formatted database structure.
. Multimedia, photos, MS office files

Question 10

Storage Types - SaaS

Answer 10

Information and Storage Management - data within databases that the application uses and maintains
. generated by the application or imported via the application interfaces.

Content and file storage - allows for uploading of the data that is not part of the underlying database.

Question 11

DLP Components

Answer 11

Discovery and classification - focuses on finding of the data that is pertinent to the DLP strategy and insuring that is know to the DLP.
. Determining the security classification

Monitoring - watching the data as it move through various states of usage to ensure used in appropriate and controlled ways.

Implementation - enforcement of policies and any potential violations

Question 12

Data Security Strategies

Answer 12

. Encryption
. Key Management
. Masking
. Obfuscation
. Anonymization
. Tokenization

Question 13

Encryption

Answer 13

. Key management central challenge
. Ensures confidentiality, not integrity
. Applied to data at wholesale or granular level.
. For object storage applied at the file level.

Question 14

Data Masking or Obfuscation

Answer 14

. Hide or remove data from sensitive data from data sets.
. Use random or substitute data
. Non-production and development environments

Static masking - a separate and distinct cope of data set is created with masking in place.

Dynamic masking - masking process is implemented between the application and data layers of the application.

Question 15

Data Anonymization

Answer 15

Data is manipulated in a way to prevent the identification of an individual through the various data objects.

Question 16

Tokenization

Answer 16

.Practice of utilizing a random and opaque token value in data to replace what otherwise would be sensitive or protected data objects.
. Token value usually created by the application with a means to map back to the actual real value.

Question 17

Data Privacy Roles

Answer 17

Physical environment - cloud provider

Infrastructure - PaaS Saas cloud provider. IaaS provider and customer

Platform - SaaS cloud provider. PaaS shared. IaaS customer

Application - SaaS shared. PaaS IaaS customer

Data - Cloud Customer

Governance - Cloud Customer

Question 18

Data Discovery

Answer 18

Prime method for and application or system owner to show and ensure compliance with data privacy and regulations

Question 19

CCM

Answer 19

Cloud Security Alliance Cloud Control Matrix- provides a framework and applicable security control domains within a cloud environment that encapsulates the various requirements set forth with privacy acts as well as various industry certification and regulatory bodies.

Question 20

Data Rights Management (DRM)

Answer 20

extension of normal data protection, where controls and ACLs are placed onto data sets that require additional permissions or conditions to access and use beyond just simple and traditional security controls.

Question 21

Information Rights Management (IRM)

Answer 21

.Organizational side of information and privacy protection.

.Additional layer of security and control over documents beyond what is achieved from normal file systems permissions.

Can be used as a means for data classification and control

Question 22

IRM Tools

Answer 22

.Auditing
.Expiration
.Policy control
.Protection
.Support for applications and formats

Question 23

Data Deletion

Answer 23

Overwriting- process of using random data or null pointers to write over data sectors that previously contained sensitive information
.Unlikely for a customer to be able to ensure they know all locations of the date to overwrite.

Cryptographic shredding- destroy data via encryption , with the resulting key being permanently destroyed to ensure the data can never the recovered.

Question 24

Data Archiving Considerations

Answer 24

Format

Technology - the technology or standard to maintain and store data

Regulatory Requirements - may specify minimum duration for data archiving as well as the procedures and reasons why retrieval is required or could be requested.

Testing - proper testing required to validate and audit he policies and procedures to ensure that their program is valid and usable

Question 25

Event Sources

Answer 25

System events that are available for capture vary by cloud model

IaaS - virtually all log and data events should be exposed and available for capture

PaaS - exposure of events from the application is a combination of standard logging and custom logs made available by application developers

SaaS - log data is minimal and highly restricted.

Question 26

SIEM

Security Information and Events Manager

Answer 26

Aggregation and correlation
Alerting
Reporting and Compliance
Dashboards Retention and Compliance
Continuous Optimization

Question 27

Raw Disk Storage

Answer 27

Permanently allocated storage space that exists independently of a server instance

Question 28

Ephemeral storage

Answer 28

Temporary storage associated with a specific instance that is destroyed with when the instance is stopped