Professional Documents
Culture Documents
Domain 2
Coverage of every topic in
the official exam syllabus!
1 2 3 4 5 6
1
Cloud Data
Security
Cloud Data
Security
Cloud Data
Security
Data Dispersion
Data Flows
Create Cloud Secure data Lifecycle
The Cloud Security Alliance model
Destroy Store
Can be created by users
a user creates a file
Share
Create Cloud Secure data Lifecycle
The Cloud Security Alliance model
Destroy Store
Share
Create Cloud Secure data Lifecycle
The Cloud Security Alliance model
Destroy Store
Archive Use
Share
Create Cloud Secure data Lifecycle
The Cloud Security Alliance model
Destroy Store
Archive Use
Share
Create Cloud Secure data Lifecycle
The Cloud Security Alliance model
Destroy Store
Archive Use
Share
Create Cloud Secure data Lifecycle
The Cloud Security Alliance model
Destroy Store
Storage Types
(e.g. long term, ephemeral, raw-disk)
– Information Storage and Mgmt. Data entered via the web interface
– Content/File Storage. File-based content
– Ephemeral Storage. It used for any temporary data such as cache, buffers,
SaaS session data, swap volume, etc.
– Content Delivery Network (CDN). Geo-distributed content for (better UX)
All of these can happen in the cloud, it is
Threats to storage TYPES largely a question of “who is responsible?”
OTHER THREATS:
— Jurisdictional issues — Theft or media loss
— Denial of service — Malware and ransomware
— Data corruption/destruction — Improper disposal
Threats to storage TYPES
User accessing data storage without proper
authorization presents security concerns
Customer must implement proper access control,
CSP must provide adequate logical separation
Prevention
- Update and patch computers AI-driven cloud
- Use caution with web links services offer
- Use caution with email attachments help with these
- Verify email senders
- Preventative software programs
- User awareness training Most important defense!
Threats to storage TYPES
All the regulatory standards you need for the exam are covered in the exam cram series
2. Cloud Data Security
Design and Apply Data Security Technologies
2.3 and Strategies
Data Obfuscation
(e.g., masking, anonymization)
Tokenization
CONCEPT: Symmetric vs Asymmetric
Key escrow
Addresses the possibility that a cryptographic key may be lost.
The concern is usually with symmetric keys or with the private key in
asymmetric cryptography.
If that occurs, then there is no way to get the key back, and the user
cannot decrypt messages.
Organizations establish key escrows to enable recovery of lost keys.
Generation Key management strategy
FOR ENCRYPTION KEY LIFECYCLE
Destruction Distribution
Revocation Storage
Use
Generation Key management strategy
FOR ENCRYPTION KEY LIFECYCLE
Destruction Distribution
Revocation Storage
Destruction Distribution
Revocation Storage
Destruction Distribution
Revocation Storage
Use
Generation Key management strategy
FOR ENCRYPTION KEY LIFECYCLE
Destruction Distribution
Revocation Storage
Use EXAMPLE:
In PKI, you would revoke the certificate on
the issuing Certification Authority (CA)
Generation Key management strategy
FOR ENCRYPTION KEY LIFECYCLE
Use
Generation Key management strategy
FOR ENCRYPTION KEY LIFECYCLE
Destruction Distribution
Revocation Storage
Use
Generation Key management strategy
FOR ENCRYPTION KEY LIFECYCLE
Know the layers and services where you can enable encryption,
and your options for key storage and management.
Key storage CSP-managed or self-managed
Many CSPs offer FIPS compliant virtualized HSMs to securely
generate, store, and control access to cryptographic keys.
Self-managed keys typically not the default and may have a cost
Organizations that use multiple cloud providers or need to retain
physical control over key management may need to implement a
bring-your-own-key (BYOK) strategy. Regulatory compliance sometimes
necessitates BYOK or self-managed
Storage-level encryption
Provides encryption of data as it is written to storage, utilizing
keys that are controlled by the CSP.
Volume-level encryption
Provides encryption of data written to volumes connected to specific
VM instances, utilizing keys controlled by the customer.
Examples: Bitlocker (Windows), DM-Crypt (Linux)
Object-level encryption
Encryption of objects as they are written to storage, in which case the
CSP likely controls the keys and could potentially access the data.
CSSP EXAM CRAM
THE COMPLETE COURSE
Storage-level
encryption in the cloud
File-level encryption
Implemented in client apps, such as word processing apps like Microsoft
Word or collaboration apps like SharePoint
Will vary by app and CSP platform
Application-level encryption
Implemented in an application typically using object storage
Data entered by user typically encrypted before storage
Database-level encryption
Transparent data encryption (database files, logs, backups),
column-level or row-level encryption, or data masking
Will vary by RDBMS platform (MSSQL, MySQL, PostgreSQL)
DATA OBFUSCATION TECHNIQUES
Encryption
Encryption is a two-way function; what is encrypted can be decrypted with
the proper key.
Database-level
encryption in the cloud
are most often used for encryption operations and can be used to
uniquely identify a user or system.
Keys should be stored in a tool that implements encryption and
requires a strong passphrase or MFA to access. In the cloud, a key vault
(covered in Domain 1)
E.G., Azure Key Vault, AWS KMS, GCP Cloud KMS Vault
CSPs offer a cloud service for centralized secure storage and
access for application secrets called a .
A secret is anything that you want to control access to, such as API
keys, passwords, certificates, tokens, or cryptographic keys.
Service will typically offer programmatic access via API to support
DevOps and continuous integration/continuous deployment (CI/CD)
Access control at vault instance-level and to secrets stored within.
These basics should be more than enough for the CCSP exam
Public key infrastructure (pki) CONCEPTS
Key management
management of cryptographic keys in a cryptosystem.
Operational considerations include dealing with the generation, exchange,
storage, use, crypto-shredding (destruction) and replacement of keys.
Design considerations include cryptographic protocol design, key servers,
user procedures, and other relevant protocols.
Certificate authority (CA)
Certification Authorities create digital certificates and own the policies.
PKI hierarchy can include a single CA that serves as root and issuing, but
this is not recommended.
Two potential options for tracking revocation: ask for the CRL
or if available, OCSP endpoint/service.
Endpoint to query for CRL or OCSP is on the certificate
If the other client/server does not check the CRL or OCSP for
certificate validity, they may accept an invalid certificate as valid!
Public key infrastructure (pki) CONCEPTS
Structured Data
Unstructured Data
Semi-structured Data
Data Location
Data types
Excel, MSSQL, MySQL, PostgreSQL
Data contained in rows and columns, such as an Excel spreadsheet
or relational database.
Often includes a description of its format known as a or
, which is an abstract view of the data’s format in a system.
Data structured as elements, rows, or tuples is given context through
the schema.
Discovery methods include:
Metadata, or data that describes data, is a critical part of discovery
in structured data.
Semantics, or the meaning of data, is described in the schema or
data model and explains relationships expressed in data.
Data types
Images, video files, social media posts
Data that cannot be contained in a row-column database and does
not have an associated data model.
Discovery occurs through , which attempts parse all
data in a storage location and identify sensitive information.
Content analysis (discovery) methods include:
Pattern matching, which compares data to known formats like
credit card numbers. DLP tools often have pre-defined ‘sensitive data types’
Lexical analysis attempts to find data meaning and context to
discover sensitive info that may not conform to a specific pattern.
Hashing attempts to identify known data by calculating a hash of
files and comparing it to a known set of sensitive file hashes.
Only good for data that does not change frequently!
Data types
JSON, XML, HTML, email messages, NoSQL
A combination of structured and unstructured data.
Typically, content is unstructured, but may contain metadata to
help organize the data.
Fluid, but organizable by properties or metadata
Metadata-Based Discovery
A list of traits and characteristics about specific data
elements or sets.
Often automatically created at the same time as the data.
Label-Based Discovery
Based on examining labels created by the data owners
during the Create phase. or in bulk with a scanning tool
Can be used with databases (structured data) but is more
commonly used with file data.
2. Cloud Data Security
2.5 Implement Data Classification
Data Mapping
Data Labeling
D O M A I N 2 : DATA CLASSIFICATION
Secret Private
Class 2 Serious damage
Serious damage
Confidential Sensitive
Damage
Class 1 Damage
For legal and compliance reasons, you may need to keep certain
data for different periods of time.
A driver of classification and retention
EXAMPLES:
Some financial data needs to be retained for 7 years
Some medical data may need to be retained up to 20-30 years.
Data should be classified as soon
Data classification after creation as possible!
Destroy Store
Can be created by users
a user creates a file
Share
Create Cloud Secure data Lifecycle
The Cloud Security Alliance model
Destroy Store
Share
Create Cloud Secure data Lifecycle
The Cloud Security Alliance model
Destroy Store
Archive Use
Destroy Store
Archive Use
Classification dictates need
for protection
Share Data protection policies
may block external sharing
Create Cloud Secure data Lifecycle
The Cloud Security Alliance model
Destroy Store
Archive Use
Destroy Store
Objectives
(e.g., data rights, provisioning, access models)
Appropriate Tools
(e.g., issuing and revocation of certificates)
Information rights management
IRM programs enforce data rights, provisioning
access, and implementing access control models
Many popular SaaS file sharing platforms implement these concepts as sharing options,
which allow the document owner to specify which users can view, edit, download, share
D O M A I N 2 : INFORMATION RIGHTS MANAGEMENT
Destruction Distribution
Revocation Storage
Use
Generation Key management strategy
FOR ENCRYPTION KEY LIFECYCLE
Destruction Distribution
Revocation Storage
Use EXAMPLE:
In PKI, you would revoke the certificate
on the issuing Certificate Authority (CA)
Generation Key management strategy
FOR ENCRYPTION KEY LIFECYCLE
Destruction Distribution
Revocation Storage
Use EXAMPLE:
The revocation would be recorded on
the certificate revocation list (CRL).
DATA RIGHTS related info – will not be tested directly on exam!
Legal Hold
Create Cloud Secure data Lifecycle
Destroy Store
Archive Use
Destroy Store
Archive Use
Destroy Store
Share
Companies know they cannot produce
data they do not have for a legal case!
Create Cloud Secure data Lifecycle
Destroy Store
Share
Companies know they cannot produce
data they do not have for a legal case!
DATA DELETION PROCEDURES & MECHANISMS
AWS S3 and Azure Storage both offer cool tier (infrequent access)
storage for low-cost archiving and immutability to ensure integrity
Data archiving procedures and mechanisms
Key elements of data archiving in the cloud
- Data Encryption - Backup and DR Options
- Data Monitoring - Data Format
- eDiscovery and Retrieval - Media Type
Data Retention
— patch management
— vulnerability management
— change management
— configuration management
Event sources & event attributes
Which events are important and available for capture will vary based
on cloud service model employed (IaaS, PaaS, or SaaS)
Event sources & event attributes
IaaS
Within an IaaS environment, the cloud customer has the most access and
visibility into system and infrastructure logs of any cloud service model.
Because the cloud customer has nearly full control over their compute
environment, including system and network capabilities, virtually all logs
and data events should be exposed and available for capture.
— Source address
— User identity (if known)
Event sources & event attributes
The WHO, WHAT, WHERE, and WHEN of logging from to OWASP:
— Type of event
— Severity of event
— Security-relevant event flag
(if log contains non-security events)
— Description
Event sources & event attributes
The WHO, WHAT, WHERE, and WHEN of logging from to OWASP:
https://github.com/OWASP/CheatSheetSeries
The SIEM should be on a separate host with its own access control,
preventing any single user from tampering.
Logging, storage, and analysis of data events
Key necessary to optimize event
detection and visibility and scale security operations:
SIEMs can normalize incoming data to ensure that the data from a
variety of sources is presented consistently.
SIEM
Chain of custody
Tracks the movement of evidence through its
collection, safeguarding, and analysis lifecycle
Provides evidence integrity through convincing proof evidence was not tampered with
in a way that damages its reliability.
Documents key elements of evidence movement and handling, including:
- Each person who handled the evidence
- Date and time of movement/transfer
- Purpose evidence movement/transfer
THANKS
F O R W A T C H I N G!