Security & Privacy Flashcards
What are the key security constructs in the cloud environment?
Information, Identity, and Infrastructure
What is the objective of information security?
The objective of information security is to protect information as well as information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Information security is required to protect the confidentiality, integrity, and availability of the data.
What type of issues does data governance address?
IP Protection, regulatory governance, industry compliance requirements, and data mobility
Why is it necessary to understand the security policies of an organization?
To create a security framework, it is necessary to base the security standards on the organization’s policies.
The policies are needed to identify sensitive information and to control its transmission, storage, and use in the cloud, as well as its sharing among users and devices.
The policies must be consistently enforced across private and public clouds, and physical infrastructure.
Traditional enterprise identity controls user access and entitlement to on-premises information and application assets. Extend the principle to identities at cloud service providers, controlling what information employees can access in which clouds, from which devices, and in which locations.
What is the NIST definition of cloud computing?
Cloud computing is a model for enabling ubiquitous, convenient, on‐demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model is composed of five essential characteristics, three service models, and four deployment models.
Three service-delivery models:
a) Infrastructure-as-a-service
b) Platform-as-a-service
c) Software-as-a-service
Four cloud deployment models:
a) Public cloud
b) Private cloud
c) Community cloud
d) Hybrid cloud
What are key security issues in cloud computing?
Trust (conferred to providers), architecture, identity management, software isolation, data protection, availability
What are vulnerabilities in IaaS?
- Vulnerabilities due to the hypervisor and virtual infrastructure, such as leaks of sensitive data through virtual machines (VMs) and the lack of intrusion and detection systems in the virtual networking infrastructure
- Multi-tenancy (due to the cloud characteristic of resource sharing; the main source of threats to data protection)
- Compliance (no way for users to track data location)
- Availability (due to DDoS attacks and permanent and temporary outages)
What are the three levels of cloud security?
Identity security
Information security
Infrastructure security
Define five major actors in the cloud (per NIST definition)
Cloud consumer – A person or organization that maintains a business relationship with and uses services offered by cloud providers.
Cloud provider – A person, organization, or entity responsible for offering various services to cloud consumers.
Cloud auditor – A party that can conduct independent assessments of cloud services, information system operations, performance, and security of cloud implementations.
Cloud broker – An entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between cloud providers and cloud consumers.
Cloud carrier – The intermediary that provides connectivity and transport of cloud services from cloud providers to cloud consumers.
Define Identity security
Requires strong authentication and granular authorization for both users and infrastructure components.
Covers end-to-end identity management, third-party authentication services, and federated identities to preserve the integrity and confidentiality of data and apps.
Define information security
SysAdmin, Audit, Network, Security (SANS) defines information security as processes and methodologies that are intended to protect sensitive information or data from unauthorized access, disclosure, modification, or use.
What are the security attributes associated with information security?
Information security encompasses security attributes such as the following:
Confidentiality – This attribute is concerned with protecting sensitive information from unauthorized disclosure.
Integrity – This attribute is concerned with the accuracy, completeness, and validity of information in regard to business requirements and expectations.
Availability – This attribute is concerned with information being operational and accessible whenever it is required by the business process, now as well as in the future. Further, the information must be inaccessible to unauthorized users.
Accountability – This attribute is concerned with responsibility. An organization is obligated to be answerable for its actions.
Nonrepudiation – This attribute is concerned with the ability to prevent users from denying responsibility for the actions they performed.
What is confidentiality?
Confidentiality refers to only authorized parties or systems having the ability to access protected data.
Define Data remanence
Data remanence is the residual representation of data that has been in some way nominally erased or removed.
Define Electronic authentication
Electronic authentication is the process of establishing confidence in user identities that are electronically presented to an information system. Lack of strong authentication can lead to unauthorized access to users’ accounts on a cloud, leading to a breach in privacy.
What is Software Confidentiality?
It refers to trusting that specific applications or processes will maintain and handle the user’s personal data in a secure manner.
Software applications interacting with the user’s data must be certified not to introduce additional confidentiality and privacy risks.
Define Privacy
Privacy refers to the desire of a person to control the disclosure of personal information. Organizations dealing with personal data are required to obey a country’s legal framework that ensures appropriate privacy and confidentiality protection.
Instead of data being stored on the company’s servers, data is stored on the service provider’s servers, which could be in Europe, Asia, or anywhere else. This tenet of cloud computing conflicts with various legal requirements, such as European laws that require that an organization know where the personal data in its possession is at all times.
Define Integrity
Integrity means that assets can be modified only by authorized parties or in authorized ways and refers to data, software, and hardware.
Define data integrity
Data integrity refers to protecting data from unauthorized deletion, modification, or fabrication (prevent unauthorized access).
Define authorization
Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secure resources controlled by the system.
Authorization is crucial.
Define software integrity
Software integrity refers to protecting software from unauthorized deletion, modification, theft, or fabrication.
Deletion, modification, or fabrication can be intentional or unintentional.
Cloud computing providers implement a set of software interfaces or application programming interfaces (APIs) that customers use to manage and interact with cloud services.
Define availability
Availability refers to the property of a system being accessible and usable upon demand by an authorized entity. System availability includes a system’s ability to carry on operations even when authorities misbehave. The system must be able to continue operations even in the event of a security breach. Availability refers to data, software, and hardware being available to authorized users upon demand.
Reliance on resource infrastructure and network’s availability.
Define accountability
Accountability can decrease regulatory complexity in global business environments, which is especially helpful in the European Union (EU) due to the complex matrix of national laws that makes compliance with data‐protection legislation especially difficult.
Need three capabilities:
Validation – It allows users to verify at a later time whether the system has performed data processing as expected.
Attribution – In case of a fault, users can assign responsibility.
Evidence – It can produce evidence that can be used to convince a third party when a dispute arises.
Customers of an accountable cloud can check whether the cloud is performing as agreed. If a problem occurs, the customer and the provider can use the evidence to decide who is responsible; and, if a dispute arises, they can present the evidence to a third party, such as an arbitrator or a judge.
Is accountability the same as fault tolerance or responsibility?
No
Fault tolerance is defined as the ability of a system to respond gracefully to an unexpected hardware or software failure. What makes accountability different from fault tolerance is that it does not attempt to mask faults, but it provides evidence and may detect arbitrary faults.