Security & Privacy

Question 1

What are the key security constructs in the cloud environment?

Answer 1

Information, Identity, and Infrastructure

Question 2

what is the objective of information security?

Answer 2

The objective of information security is to protect information as well as information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Information security is required to protect confidentiality, integrity, and availability of the data

Question 3

What type of issues does data governance address?

Answer 3

IP Protection, regulatory governance, industry compliance requirements, and data mobility

Question 4

Why is it necessary to understand the security policies of an organization?

Answer 4

To create a security framework, it is necessary to base the security standards
on the org’s policies.

The policies are needed to identify sensitive information, control its transmission, storage, and use in the cloud , and sharing it among users and devices.

The policies must be consistently enforced across private and public clouds, and physical infrastructure.

Take traditional enterprise identity to control user access and entitlement - of on-premises information and application assets. Extend the principle to identities at cloud service providers, controlling what information employees can access in which clouds, from which devices, and in which locations.

Question 5

What is NIST definition of cloud computing?

Answer 5

Cloud computing is a model for enabling ubiquitous, convenient, on‐demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Three service-delivery models:

a) Infrastructure-as-a-service
b) Platform-as-a-service
c) Software-as-a-service

Four cloud deployment models:

a) Public cloud
b) Private cloud
c) community cloud
d) Hybrid cloud

Question 6

What are key security issues in cloud computing?

Answer 6

Trust (conferred to providers),
architecture,
identity management,
software isolation,
data protection,
availability

Question 7

What are vulnerabilities in IaaS?

Answer 7

• Due to hypervisor and virtual infrastructures, such as leaks of sensitive data through the virtual machines (VMs) and lack of intrusion and detection systems in virtual networking infrastructure
• multi-tenancy (due to the cloud characteristic of resource sharing - main source of threats for data protection)
• compliance (no way for users to track data location)
• availability (due to DDoS attacks, permanent and temporary outages)

Question 8

What are the three levels of cloud security?

Answer 8

Identity security
Information security
Infrastructure security

Question 9

Define five major actors in the cloud (per NIST definition)

Answer 9

Cloud consumer – A person or organization that maintains a business relationship with and uses services offered by cloud providers.
Cloud provider – A person, organization, or entity responsible for offering various services to cloud consumers.
Cloud auditor – A party that can conduct independent assessments of cloud services, information system operations, performance, and security of cloud implementations.
Cloud broker – An entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between cloud providers and cloud consumers.
Cloud carrier – The intermediary that provides connectivity and transport of cloud services from cloud providers to cloud consumers.

Question 10

Define Identity security

Answer 10

Requires strong authentication and granular authorization.

for both users and infrastructure components

Covers E2E identity management, 3rd party authentication services, and federated identities to preserve integrity and confidentiality of data and apps

Question 11

Define information security

Answer 11

SysAdmin, Audit, Network, Security (SANS) defines information security as processes and methodologies that are intended to protect sensitive information or data from unauthorized access, disclosure, modification, or use.

Question 12

What are the security attributes associated with information security?

Answer 12

Information security encompasses security attributes such as the following:

Confidentiality – This attribute is concerned with protecting sensitive information from unauthorized disclosure.

Integrity – This attribute is concerned with the accuracy, completeness, and validity of information in regard to business requirements and expectations.

Availability – This attribute is concerned with information being operational and accessible whenever it is required by the business process, now as well as in the future. Further, the information must be inaccessible to unauthorized users.

Accountability – This attribute is concerned with responsibility. An organization is obligated to be answerable for its actions.

Nonrepudiation – This attribute is concerned with the ability to prevent users from denying responsibility for the actions they performed.

Question 13

What is confidentiality?

Answer 13

Confidentiality refers to only authorized parties or systems having the ability to access protected data.

Question 14

Define Data remanence

Answer 14

Data remanence is the residual representation of data that has been in some way nominally erased or removed.

Question 15

Define Electronic authentication

Answer 15

Electronic authentication is the process of establishing confidence in user identities that are electronically presented to an information system. Lack of strong authentication can lead to unauthorized access to users account on a cloud, leading to a breach in privacy.

Question 16

What is Software Confidentiality?

Answer 16

It refers to trusting that specific applications or processes will maintain and handle the user’s personal data in a secure manner.

Software applications interacting with the user’s data must be certified not to introduce additional confidentiality and privacy risks.

Question 17

Define Privacy

Answer 17

Privacy refers to the desire of a person to control the disclosure of personal information. Organizations dealing with personal data are required to obey to a country’s legal framework that ensures appropriate privacy and confidentiality protection

Instead of data being stored on the company’s servers, data is stored on the service provider’s servers, which could be in Europe, Asia, or anywhere else. This tenet of cloud computing conflicts with various legal requirements, such as European laws that require that an organization know where the personal data in its possession is at all times

Question 18

Define Integrity

Answer 18

Integrity means that assets can be modified only by authorized parties or in authorized ways and refers to data, software, and hardware.

Question 19

Define data integrity

Answer 19

Data integrity refers to protecting data from unauthorized deletion, modification, or fabrication

(prevent unauthorized access)

Question 20

Define authorization

Answer 20

Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secure resources controlled by the system

Authorization is crucial

Question 21

Define software integrity

Answer 21

Software integrity refers to protecting software from unauthorized deletion, modification, theft, or fabrication

Deletion, modification, or fabrication can be intentional or unintentional.

Cloud computing providers implement a set of software interfaces or application programming interfaces (APIs) that customers use to manage and interact with cloud services.

Question 22

Define availability

Answer 22

Availability refers to the property of a system being accessible and usable upon demand by an authorized entity. System availability includes a system’s ability to carry on operations even when authorities misbehave. The system must be able to continue operations even in the event of a security breach. Availability refers to data, software, and hardware being available to authorized users upon demand.

reliance on resource infrastructure and network’s availability

Question 23

Define accountability

Answer 23

Accountability can decrease regulatory complexity in global business environments, which is especially helpful in the European Union (EU) due to the complex matrix of national laws that makes compliance with data‐protection legislation especially difficult.

Need three capabilities:
Validation – It allows users to verify at a later time whether the system has performed data processing as expected.
Attribution – In case of a fault, users can assign responsibility.
Evidence – It can produce evidence that can be used to convince a third party when a dispute arises.

Customers of an accountable cloud can check whether the cloud is performing as agreed. If a problem occurs, the customer and the provider can use the evidence to decide who is responsible; and, if a dispute arises, they can present the evidence to a third party, such as an arbitrator or a judge

Question 24

Is accountability same as fault tolerance or responsibility?

Answer 24

No

Fault tolerance is defined as the ability of a system to respond gracefully to an unexpected hardware or software failure. What makes accountability different from fault tolerance is that it does not attempt to mask faults, but it provides evidence and may detect arbitrary faults

Question 25

What is nonrepudiation?

Answer 25

Nonrepudiation means ensuring that a traceable legal record is kept and is not changed by a malicious entity. A loss of nonrepudiation would result in the questioning of a transaction that occurred. A simple example of nonrepudiation is signing a contract. The signer cannot claim they did not agree to a contract, because there is evidence that they did agree. The difference is that a signature can be forged, but good encryption cannot.

Question 26

What are the key considerations to understand information security in cloud deployments?

Answer 26

Understanding provider security practices and controls is essential for public and community cloud offerings.
Encryption and digital signatures are the primary means of confidentiality and integrity protection for data stored or transmitted in a public or community cloud.
Without appropriate protections, data may be vulnerable while being processed in a public or community cloud.
Deleted data may remain in persistent storage when the storage is released back to the cloud vendor as a shared, multitenant resource.
Existing internal applications may need analysis and enhancement to operate securely in a public or community cloud.
Data replication provided by a cloud provider is not a substitute for backing up to another independent provider or out of the Cloud.
Privacy protection responsibilities should be reviewed if considering moving personally identifiable information (PII) to the Cloud.
Cloud identity and access management (IdAM) capabilities vary widely. Integration of cloud and enterprise IdAM mechanisms may be challenging.

Question 27

What are some security standards and regulatory organizations that have most direct effect on cloud computing?

Answer 27

Payment Card Industry Data Security Standard (PCI DSS)
Federal Information Security Management Act ( FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Cloud Security Alliance Cloud Controls Matrix ( CSA CCM)
Service Organization Control 2 ( SOC 2)
Tier standard
Information Technology Infrastructure Library ( ITIL)
Safe Harbor
SAS 70
Statement on Standards for Attestation Engagements (SSAE) No. 16
International Standards for Assurance Engagements (ISAE) No. 3402
ISO 9001:2008
ISO/IEC 27001:2005
ISO 31000:2009
Control Objectives for Information and related Technology ( COBIT)
NIST Special Publication 800‐53
Federal Information Processing Standard ( FIPS) Publication 140‐2