Week 9: Securing the Cloud - Data Flashcards
Requirements for data security vary depending on the ___, the ___, and your tolerance for ___
service model, deployment model, risk
Entrusting data to an external custodian may result in better and more cost effective___
security
Two examples that emphasize the importance of entrusting data to an external provider are the commercial offerings to
- store highly sensitive data for disaster recovery
- assure the destruction of magnetic media
In both cases, many highly concerned organizations tightly control how they use these services
- However, they often end up using external services
Some data may be so sensitive that the consequence of data exposure is too great for a customer to consider a public cloud
- It is not the case that security needs for such data can't be met in a public cloud; rather, the ___ is incompatible with its ___
cost
cost model
We might also expect that future higher-assurance clouds would reduce risk by limiting access by ___
selective screening of customers
When data is stored with a CSP, the CSP assumes at least partial responsibility (____) if not full responsibility (____) in the role of data custodian
PaaS
SaaS
By the nature of the service offerings, a data owning organization can benefit from their CSP having control and responsibility for ___ in the ___ model
customer data
SaaS
The data owning organization is progressively more responsible for its own data, beginning with ___ and expanding with ___
PaaS, IaaS
Data at rest refers to any data in ___
computer storage
Protecting ___ in a cloud is not radically different from protecting it outside a cloud, except for the partial lack of the owner's control
data at rest
A data owning organization has several opportunities in proactively ensuring data assurance by a CSP
- Selecting a CSP should be based on verifiable attestation that the CSP follows industry best practices and implements security that is appropriate for the kinds of data they are entrusted with
- Higher assurance cloud services may come with indemnification (compensation for loss) as a means of monetary backing of assurance for a declared level of security
___ refers to data as it is moved from a stored state – a file or database entry – to another form in the same or a different location
Data in motion
Because data in motion only exists as it is in transition between points, securing this data focuses on __ and __
integrity
confidentiality
There is no better protection strategy for data in motion than ___
encryption
Phishing
Tricking end users into providing their credentials for access
Some cloud providers have implemented safeguards to help address cloud-targeted phishing attacks
Salesforce.com Login Filtering
- A subscriber can instruct Salesforce not to accept logins, even when valid credentials are presented, unless the login originates from an allowlisted IP address range
Google Apps & other Google services
- These services may randomly prompt users for their passwords, especially in response to suspicious events
  - e.g., a login from China shortly after a login from the US for the same account
Amazon Web Services Authentication
- When a subscriber uses EC2 to provision a cloud-hosted virtual server, Amazon generates a public/private key pair (an EC2 key pair) and requires it for authentication
- If you provision a new Linux VM and want to SSH to it, you have to use SSH with key-based authentication rather than a static password
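The two safeguards described above (Salesforce-style login filtering and the Google-style anomalous-login check) as an added example in Python. This is illustrative code written for this page, not code from Salesforce, Google or the original page; the trusted address ranges, the IP-to-country table and the login events are all constructed, and a real deployment would use a GeoIP database and its own identity store.

```python
"""Login filtering by source network, plus a same-account two-country check."""
import ipaddress
from datetime import datetime, timedelta

# Constructed subscriber policy: even valid credentials are rejected unless the
# request comes from one of these ranges (the Salesforce example above).
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed geolocation table standing in for a GeoIP database.
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/25"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "CN",
}


def country_for(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def login_allowed(credentials_valid: bool, source_ip: str, ranges=TRUSTED_RANGES) -> bool:
    """A correct password is necessary but not sufficient: the source address
    must also fall inside an allowlisted range. A phished password used from
    the attacker's own network is therefore useless."""
    if not credentials_valid:
        return False
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ranges)


def suspicious_logins(events, window=timedelta(hours=2)):
    """Flag accounts that log in from two different countries within `window`
    (the Google example: China shortly after the US). `events` is a list of
    (timestamp, account, source_ip) tuples in any order. Returns a list of
    (account, earlier_country, later_country)."""
    by_account = {}
    for ts, account, ip in sorted(events):
        by_account.setdefault(account, []).append((ts, country_for(ip)))
    flagged = []
    for account, seq in by_account.items():
        for (t1, c1), (t2, c2) in zip(seq, seq[1:]):
            if c1 != c2 and t2 - t1 <= window:
                flagged.append((account, c1, c2))
    return flagged


# Constructed sample login events.
EVENTS = [
    (datetime(2013, 3, 1, 9, 0), "alice", "203.0.113.10"),   # US
    (datetime(2013, 3, 1, 9, 40), "alice", "192.0.2.77"),    # CN, 40 minutes later
    (datetime(2013, 3, 1, 10, 0), "bob", "198.51.100.5"),    # US
    (datetime(2013, 3, 1, 18, 0), "bob", "203.0.113.99"),    # US again, no flag
]
```

With the constructed data, `login_allowed(True, "192.0.2.5")` is refused despite the valid password, and `suspicious_logins(EVENTS)` returns only alice's US-then-CN pair; a provider would answer such a flag with a re-authentication prompt rather than a silent block, since the second login may be legitimate (VPN, travel).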
Phishing is a threat largely because most cloud services currently rely on __
simple username/password authentication
Some issues related to protection from phishing attacks
Referring URL Monitoring: Does the CSP actively monitor the referring URLs for authenticated sessions?
Behavioral Policies: Does the CSP employ policies that prohibit weak security activities that could be exploited?
- E-mails with links that users can click to automatically access data
- Password resets that occur without actively proving user identity
Outsourced services – be they cloud-based or not – can bypass the typical ___controls enforced by IT organizations
physical and logical
CSP Privileged Access risk is a function of two primary factors
The potential for exposure with unencrypted data
Privileged cloud provider personnel access to both data and keying materials
The ___ of data can be a primary concern in cloud computing
origin
For compliance purposes, it may be necessary to have exact records as to
what data was placed in a public cloud
when it occurred
what VMs and storage it resided on
where it was processed
Reporting on data lineage may be difficult with a public cloud
This is largely due to the ___
degree of abstraction that exists between physical and virtualized resources
According to Bruce Schneier, the practice of encrypting data at rest deviates from the historical use of cryptography for ___
protecting data in transit
For data in motion, encryption keys can be ___, whereas for data at rest, keys must be ___
ephemeral
retained
“Much of the data stored on the Internet is … primarily intended for use by other computers. And therein lies the problem. Keys can no longer be stored in people’s brains. They need to be stored on ___, that the data resides on. And that is much riskier”
the same computer, or at least the network
___has been recognized as a critical enabling technology for security in cloud computing
Cryptography
Cryptography has expanded from protecting ___ to techniques for assuring ___, ___, and ___
confidentiality
integrity
authentication
digital signatures
To ensure ___, plaintext is converted into ___ using mathematical functions meeting several requirements
confidentiality
ciphertext
Cryptographic Requirements
The algorithm and implementation must be computationally efficient
The algorithm must be open to analysis by the cryptography community
The resulting output must withstand the use of brute force attacks even by vast numbers of computers
Plaintext is encrypted into ciphertext using an ___ and the resulting ciphertext is ___ using a decryption key
encryption key
decrypted
In ___cryptography, encryption / decryption keys are the same
symmetric
The main drawback of symmetric cryptography is key distribution: it is very difficult to establish a ___ between communicating parties when no secure channel already exists over which they can exchange a ___
secret key
shared secret key
In ___cryptography (aka ___), the two keys (public and private key) are different but mathematically related
asymmetric
public-private key cryptography
The primary advantage of asymmetric cryptography is that only the ___ must be kept secret
private key
Although public-private key pairs are related, it is infeasible to derive a ___ from the corresponding ___
private key
public key
Block Ciphers
take as input a key along with a fixed-size block of plaintext and output a block of ciphertext
Stream Ciphers
operate against an arbitrarily long stream of input data, which is converted to an equivalent output stream of ciphertext
Cryptographic Hash Functions
take an arbitrarily long input message and output a short, fixed-length hash
- A hash can serve various purposes, such as verifying the integrity of a message; combined with a secret key (an HMAC) it also authenticates the message's origin
Uses of cryptography
block cipher, stream cipher, cryptographic hash, authentication
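An added example, written for this page rather than taken from it, showing the difference between the integrity a plain cryptographic hash gives and the authentication a keyed hash (HMAC) gives. The message and the shared key are constructed: a hash detects accidental corruption, but an attacker who can replace the message can also replace an unkeyed hash, whereas forging the HMAC requires the key.

```python
"""Plain hash (integrity only) versus HMAC (integrity plus authentication)."""
import hashlib
import hmac
import secrets


def digest(msg: bytes) -> str:
    """Unkeyed SHA-256: anyone, including an attacker, can compute it."""
    return hashlib.sha256(msg).hexdigest()


def verify_hash(msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(digest(msg), tag)


def mac_tag(key: bytes, msg: bytes) -> str:
    """Keyed SHA-256 HMAC: only holders of `key` can produce a valid tag."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)


def attacker_tampers(msg: bytes, key_known: bytes = None):
    """Rewrite the transfer amount and attach the best tag the attacker can
    make: a recomputed plain hash, or an HMAC only if the key was stolen."""
    forged = msg.replace(b"amount=100", b"amount=9000")
    if key_known is None:
        return forged, digest(forged)
    return forged, mac_tag(key_known, forged)


# Constructed sample: a shared key held by both endpoints and one message.
KEY = secrets.token_bytes(32)
MSG = b"transfer:from=acct1;to=acct2;amount=100"
```

Usage: `verify_hash(*attacker_tampers(MSG))` is True, so a hash stored beside the data catches bit rot but not a deliberate substitution; `verify_mac(KEY, *attacker_tampers(MSG))` is False because the attacker cannot recompute the keyed tag. The same reasoning is why "storing keys with data" in the next card defeats the purpose: whoever reaches the data also reaches the key.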
Common Errors with Data Encryption
Failing to use cryptographically secured protocols when they are available
Developing your own cryptographic algorithms
Implementing an existing cryptographic algorithm yourself instead of using a proven implementation
Storing keys with the data they protect
Not planning how to recover keys if the individuals / entities keeping them suffer a disaster
Using traditional ___ approaches in a cloud environment is problematic when the enterprise uses multiple CSPs
identity management
Synchronizing identity information with the enterprise is not scalable
___is an effective foundation for identity management in cloud computing
federated identity management (FIM or FIdM)
Federated identity uses a ___ model
claim-based token
Discretionary Access Control (DAC)
Access privileges are determined by the owner of the object who decides who will have access and what privileges they will have
Nondiscretionary Access Control
Mandatory Access Control (MAC)
- Relies upon classification labels for both subjects (clearances) and objects (classifications); the system, not the owner, enforces the comparison
Role Based Access Control (RBAC)
- Access privileges are determined based on the role of the user
Task Based Access Control (TBAC)
- Access privileges are determined based on the tasks assigned to a user
The objective of ___ is to enable an information-centric framework for data handling
information identification and categorization
Data at different sensitivity levels require different ___
protection strategies
Tools to protect categorized data include
Encryption
Procedures for ensuring security across phases of the data life cycle
Mechanisms to detect unauthorized access to valuable data
___ and ___ are examples of OSs supporting data categorization and DoD-style mandatory access controls
SELinux
Trusted Solaris
There are many consequences when all data is uniformly treated as being equal in sensitivity or value
Without any data sensitivity oriented controls, a relatively small percentage of sensitive data is mixed in with far more non-sensitive data and is accessible to anyone with overall access
Failing to identify sensitive data complicates incident resolution and can be problematic when compromised data includes data subject to regulatory compliance
A second problem with sensitive information is a common inclination to __
classify or label everything as sensitive
Over-classification can lead to a reduction in care in handling actually sensitive data and to increased costs
There are multiple ways of encrypting data at rest
Full Disk
Directory Level (or Filesystem):
File Level
Application Level
Full Disk Encryption
The entire content of the disk is encrypted (OS, apps, data)
This entails performance and reliability concerns
Even a minor disk corruption can be fatal
Directory Level (or Filesystem) Encryption
Entire directories are encrypted
This approach can also be used to segregate data of identical sensitivity into directories that are individually encrypted with different keys
File Level Encryption
Individual files can be independently encrypted
Application Level Encryption
The application manages encryption and decryption of application-managed data
The two goals of securing data in motion are
Integrity: preventing data from being tampered with
Confidentiality: ensuring that data remains confidential
The most common way to protect data in motion is to utilize ___ to create a channel through which data can safely pass to or from the cloud
encryption combined with authentication
___ are typical protocols used for secure data transfer
HTTPS and TLS (SSL is the deprecated predecessor of TLS and should no longer be negotiated)
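As an added example (written for this page, not taken from it), the weak TLS client setting beside the corrected one, using Python's standard `ssl` module. "Encryption combined with authentication" in the card above means the client must verify the server's certificate and hostname; a context that disables verification still encrypts, but to whoever is on the path. The `audit` function returns the findings a reviewer would raise against a context; the CA bundle path is an assumption left to the caller.

```python
"""Weak versus hardened TLS client contexts for data in motion."""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """What 'make the certificate warning go away' looks like: no server
    authentication, so an on-path attacker can impersonate the cloud endpoint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: str = None) -> ssl.SSLContext:
    """Encryption plus authentication: require a certificate chaining to a
    trusted CA (system store, or `ca_bundle` if given), check the hostname
    against it, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return the findings a configuration review would raise."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy SSL/TLS versions accepted")
    return findings
```

To use the hardened context, wrap the socket with `ctx.wrap_socket(sock, server_hostname="storage.example.com")` (hostname assumed); omitting `server_hostname` with `check_hostname` enabled raises an error rather than silently skipping the check, which is the behaviour you want.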
___ public cloud might not allow subscribers to encrypt their data
A Software-as-a-Service
This may be due to functional limitations with the actual service itself
Many SaaS providers might not be able to provide revenue generating services if they have to maintain strict data isolation among users
The U.S. Department of Defense has an excellent and well accepted definition illustrating the two key aspects of data deletion
Clearing
Sanitization
Clearing (Deletion of Data)
Clearing is the process of eradicating the data on media before reusing the media in an environment that provides an acceptable level of protection for the data that was on the media before clearing. All internal memory, buffer, or other reusable memory shall be cleared to effectively deny access to previously stored information
Sanitization (Deletion of Data)
Sanitization is the process of removing the data from media before reusing the media in an environment that does not provide an acceptable level of protection for the data that was in the media before sanitizing. IS resources shall be sanitized before they are released from classified information controls or released for use at a lower classification level
Often, data stored in public clouds is not ___ to DoD levels
sanitized
Under various circumstances, deleted data can be restored
Computer data is stored in magnetic form or as electrical charges
- Very advanced techniques can identify magnetic or electrical-charge remnants and recreate the data they still represent
Even more simply, when a file is deleted, the blocks that comprised it are released to the file system for reuse; the bytes remain on the media until they are overwritten
Deleted data can also be accessed long afterward simply because copies of it exist in archives or backup volumes
Data masking
(aka data obfuscation, depersonalization) preserves data privacy by removing all identifiable and distinguishing attributes, in order to render the data anonymous, although still useful
A common data masking technique involves replacing actual data values (e.g., person names) with ___ into an ___
keys
external lookup table holding the actual values
Data masking must be performed carefully, or the resulting masked data can still ___
reveal sensitive data
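An added example for the two cards above (written for this page, not taken from it): masking by replacing direct identifiers with opaque tokens kept in a separate lookup table, followed by the check the last card asks for, namely whether the masked rows can still be re-identified through the attributes that were left in place. The records, the field lists and the `k` threshold are constructed; the lookup table is what must live in the more tightly controlled store, since it reverses the masking.

```python
"""Tokenising masking with an external lookup table, plus a k-anonymity check."""
import secrets
from collections import Counter

DIRECT_IDENTIFIERS = ("name", "email")      # replaced by tokens
QUASI_IDENTIFIERS = ("zip", "birth_year")   # left in place, still risky in combination


def mask(records, lookup=None):
    """Replace each direct identifier with a random token. `lookup` maps
    token -> real value and is returned separately so it can be stored apart
    from the masked data. The same value always gets the same token, so masked
    rows still join across tables."""
    lookup = {} if lookup is None else lookup
    reverse = {v: k for k, v in lookup.items()}
    out = []
    for rec in records:
        m = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            val = rec[field]
            if val not in reverse:
                tok = "tok_" + secrets.token_hex(8)
                lookup[tok] = val
                reverse[val] = tok
            m[field] = reverse[val]
        out.append(m)
    return out, lookup


def unmask(masked, lookup):
    """Restore the real values; only possible with the lookup table."""
    return [
        {k: (lookup.get(v, v) if k in DIRECT_IDENTIFIERS else v) for k, v in r.items()}
        for r in masked
    ]


def reidentifiable(masked, k=2):
    """Rows whose quasi-identifier combination occurs fewer than k times:
    someone who knows a person's ZIP and birth year can single that row out,
    and its sensitive column, even though the name and e-mail are masked."""
    key = lambda r: tuple(r[q] for q in QUASI_IDENTIFIERS)
    combos = Counter(key(r) for r in masked)
    return [r for r in masked if combos[key(r)] < k]


# Constructed records; "dx" is the sensitive column the masking is meant to protect.
RECORDS = [
    {"name": "Ada Lovelace", "email": "ada@example.com", "zip": "02139", "birth_year": 1985, "dx": "flu"},
    {"name": "Bob Smith", "email": "bob@example.com", "zip": "02139", "birth_year": 1985, "dx": "cold"},
    {"name": "Cy Ng", "email": "cy@example.com", "zip": "99501", "birth_year": 1950, "dx": "asthma"},
]
```

Running `mask(RECORDS)` removes every name and e-mail from the output, yet `reidentifiable` still returns Cy Ng's row: the (ZIP, birth year) pair is unique in the set, so the masked data "reveals sensitive data" to anyone who knows those two facts. The usual fixes are to generalise the quasi-identifiers (ZIP prefix, birth decade) or suppress the singleton rows before release.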
Storage-as-a-Service
In the cloud storage model, data is stored on multiple virtualized servers
Physically, the resources will span multiple servers and can even span multiple storage sites
Among the additional benefits of such generally low-cost services are the ___ performed by the CSP
storage maintenance tasks
Backup, replication, and disaster recovery
Replication of data is performed at a low level by such mechanisms as ___ or by a ___
RAID
file system
- One such file system is ZFS, which was designed by Sun Microsystems as both a file system and a volume manager
One of the more recent trends in online cloud-based storage is the ___
cloud storage gateway
cloud storage gateway
Translation of client-used APIs and protocols to those that are used by cloud-based storage services
- The goal is to enable integration with existing applications
Backup and recovery capabilities that work with in-cloud storage
Onsite encryption of data that keeps keys local to the onsite appliance
What might happen when an external public cloud becomes business-critical for an organization?
It may be extremely difficult to switch to another provider (lock-in)
Metadata
Metadata is data about data, including things as to where the data came from, who performed what operations against it, and when changes were made
Cloud metadata may include other very valuable information
What happens to the metadata if the subscriber decides to discontinue use of the service?
Fortunately, many of the large public cloud providers currently provide the ability to export not only ___ but also ___ generated by their subscribers
data
metadata
The presence of an export feature is not sufficient
Cloud Data Export Feature
If the data is exported in a proprietary file format, then that format might not be able to be intelligibly parsed
If it is exported in a plaintext format or in a standard format such as XML, it can be easily imported into the new system
Google has gone so far as creating what they call the
Data Liberation Front
An example of this can be seen in Google Docs (now Google Drive)
Google Takeout is an interface to export data from different products
Data Liberation – Digital Afterlife
"Not many of us like thinking about death — especially our own. But making plans for what happens after you're gone is really important for the people you leave behind. So today, we're launching a new feature that makes it easy to tell Google what you want done with your digital assets when you die or can no longer use your account."