CCSP: Domain 2
CLOUD DATA SECURITY
DOMAIN 2 CLOUD DATA SECURITY
- Storage Architectures
- Data Lifecycle Security
- Database Security
- Data Loss Prevention (DLP)
- Data Encryption
- Key Management
STORAGE ARCHITECTURES: IaaS
- Volume storage (block storage): volumes/data stores attached to IaaS instances, usually a virtual hard drive. Should provide redundancy
- Object storage (example: Dropbox): used for write-once, read-many data; not suitable for applications like databases
- Independent of the virtual machine
- Because of varying laws and regulations, customers should always know where their physical data is stored and that it is stored in compliance with their needs
DATA STORAGE: PaaS
PaaS utilizes the following data storage types:
- Structured: highly organized, such that inclusion in a relational database is seamless and readily searchable
- Unstructured: information that doesn't reside in a traditional row-column database (text, multimedia content, email, etc.)
DATA STORAGE: SaaS
- Information storage and management: data is entered into the system via the web interface and stored with the SaaS application (often in a backend database)
- Content/file storage is stored within the application
DATA SECURITY LIFECYCLE
The Cloud Security Alliance has incorporated the data security lifecycle, which enables the organization to map the different phases in the data lifecycle against the controls required in each phase.
The lifecycle contains three steps:
- Map the different lifecycle phases
- Integrate the different data locations and access types
- Map into functions, actors and controls
MAPPING THE LIFECYCLE PHASES
FUNCTIONS, ACTORS, AND CONTROLS
DATABASE SECURITY
Mainly supported by two key elements:
- DAM (Database Activity Monitoring): captures and records all SQL activity in real time or near real time. Can prevent malicious commands from executing on a server
- FAM (File Activity Monitoring): monitors and records all activity for a specific file repository and can generate alerts on policy violations
- DLP (Data Loss Prevention) systems
DATA LOSS PREVENTION (DLP)
Also known as Data Leakage Prevention, DLP describes the controls put in place by an organization to ensure that certain types of data (SSNs, account numbers, etc.) remain under organizational control in line with policies, standards, and procedures
- Detects exfiltration of certain types of key data (SSNs, account numbers, etc.)
- Helps ensure compliance with regulations like HIPAA, PCI-DSS and others
DATA SECURITY IN THE CLOUD
- Protecting data moving to and within the cloud: SSL/TLS/IPsec
- Protecting data in the cloud: encryption
- Detection of data migration to the cloud: DAM, FAM, DLP
- Data dispersion: data is replicated in multiple physical locations across your cloud
- Data fragmentation: splitting a data set into smaller fragments (or shards) and distributing them across a large number of machines
CASES FOR ENCRYPTION
- When data moves in and out of the cloud
- Protecting data at rest
- Compliance with regulations like HIPAA and PCI-DSS
- Protection from third-party access
- Creating enhanced mechanisms for logical separation between different customers' data
- Logical destruction of data when physical destruction is not feasible
ENCRYPTION BEST PRACTICES
- Use open and validated formats
- All encryption keys should be stored within the enterprise
- Identity-based key assignment and protection of private keys
- Use strong encryption
- Follow key management best practices for the location of keys
DATA ENCRYPTION ACROSS IMPLEMENTATIONS
- IaaS: encryption uses volume storage encryption and object storage encryption
- PaaS: encryption with client/application encryption, database encryption and proxy-based encryption
- SaaS: encryption is managed by the Cloud Service Provider, by the applications and through proxy encryption
MASKING/OBFUSCATION, ANONYMIZATION, AND TOKENIZATION
- Masking/Obfuscation is the process of hiding, replacing or omitting sensitive information from a specific dataset. For instance, masking all but the last 4 digits of an SSN
- Data Anonymization is the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describes remain anonymous
- Tokenization: a public cloud service can be integrated and paired with a private cloud that stores the sensitive data. The data sent to the public cloud is altered and contains a reference to the data residing in the private cloud.
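The DLP slide above and this masking/tokenization slide describe the same pipeline from two ends: first find the sensitive fields (SSNs, account numbers), then either mask them or swap them for a token whose real value stays in a private vault. The following Python is an added example written for this page, not code from the course or from any DLP product; the regexes, the `TokenVault` class and the sample records are all constructed for illustration.

```python
import re
import secrets

# Constructed sample records (not real data); think of these as rows about to
# be exported from the private cloud to a public SaaS tool.
SAMPLE_RECORDS = [
    "Customer note: SSN 123-45-6789 on file, account 4111222233334444",
    "Ticket update: no sensitive fields here",
    "Export: ssn=987-65-4321 acct=1234567890123456",
]

# Patterns for the data types the slides name (SSNs and account numbers).
# A bare 16-digit run is treated as an account number here; real DLP products
# add checksums (e.g. Luhn) and context keywords to reduce false positives.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account": re.compile(r"\b\d{16}\b"),
}


def detect(text):
    """DLP detection: return (type, value) pairs for every sensitive field found."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((kind, match.group(0)))
    return findings


def mask(value, keep=4):
    """Masking: replace every digit except the last `keep` with 'X',
    leaving separators such as '-' in place (123-45-6789 -> XXX-XX-6789)."""
    total_digits = sum(ch.isdigit() for ch in value)
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - keep else "X")
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """Tokenization: the real value stays in this private store; only a random
    token with no mathematical relationship to the value leaves it.
    The same value always maps to the same token so joins still work."""

    def __init__(self):
        self._by_value = {}
        self._by_token = {}

    def tokenize(self, value):
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]


def sanitize(text, vault, mode="mask"):
    """Rewrite one record so it may leave the boundary. mode is 'mask' or
    'tokenize'. Returns (rewritten text, findings)."""
    findings = detect(text)
    for _kind, value in findings:
        replacement = mask(value) if mode == "mask" else vault.tokenize(value)
        text = text.replace(value, replacement)
    return text, findings


def scan_all(records, vault, mode="mask"):
    """Run sanitize over a batch and report per-record results."""
    results = []
    for record in records:
        cleaned, findings = sanitize(record, vault, mode)
        results.append({"original": record, "cleaned": cleaned, "findings": findings})
    return results


if __name__ == "__main__":
    vault = TokenVault()
    for result in scan_all(SAMPLE_RECORDS, vault, mode="tokenize"):
        print(len(result["findings"]), "finding(s):", result["cleaned"])
```

Run the sanitized output back through `detect()`: a clean pass confirms that neither the masked form nor the token still looks like the original data type, which is the property that lets the rewritten record cross into the public cloud.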
DATA DISCOVERY
- Emphasizes visual, interactive analytics rather than static reporting
- Provides a way to make sense of big data: the sheer volume and diversity of data makes this challenging for the old means of static reporting
- Can provide agile, near real-time analytics
DATA DISCOVERY TECHNIQUES
Data Discovery is a user-driven process of searching for patterns or specific items in a data set. Data Discovery applications use visual tools such as geographical maps, pivot tables, and heat maps to make the process of finding patterns or specific items rapid and intuitive. Data Discovery may leverage statistical and data mining techniques to accomplish these goals. There are several different ways Data Discovery tools make their analysis:
- Metadata provides data its meaning and describes its attributes
- Labels provide a logical grouping of data elements and give them a "tag" describing the data
- Content analysis examines the data itself
DATA CLASSIFICATION
Categorizes data based on its value and drives the controls that are put in place to secure it.
Within the cloud, the CSP should:
- Ensure proper security controls are in place so that whenever data is created or modified by anyone, they are forced to classify or update the classification of the data as part of the creation/modification process
- Implement controls (could be administrative, preventive or compensating)
- Make metadata available, as it could be used as a means of determining classification
- Protect data according to its classification at rest and in transit
- Support the reclassification process
DATA PRIVACY TERMS
- Data subject: an identifiable person who can be identified by reference to an ID number, or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity (telephone number, SSN, IP address, etc.)
- Personal data: information relating to an identified or identifiable natural person (biometrics, health data, etc.)
- Processing: operations performed on personal data (collection, recording, organization, storage, etc.)
- Controller: person, public authority or agency that determines the purposes and means of processing, to be in compliance with laws and regulations
- Processor: one who processes data on behalf of the controller
Note: the customer is the controller of the data and is responsible for all the legal duties addressed in the applicable Privacy and Data Protection (P&DP) laws. The service provider supplies the means and the platform, and is considered to be the processor.
CSA CLOUD CONTROLS MATRIX (CCM)
- Designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a provider
- Provides a controls framework in 16 domains that are cross-walked to other industry-accepted security standards, regulations, and controls frameworks to reduce audit complexity
- Provides a mapping to industry-accepted security standards such as ISO 27001/27002, COBIT and PCI-DSS
DOMAINS OF THE CCM
MANAGEMENT CONTROLS FOR PRIVACY AND DATA PROTECTION MEASURES
- Separation of duties
- Training
- Authentication and authorization procedures
- Vulnerability assessments
- Backup and recovery processes
- Logging
- Data-retention control
- Secure disposal
DATA RIGHTS MANAGEMENT
- DRM or IRM (Information Rights Management) adds an extra layer of access controls on top of the data object or document and provides granularity flowing down to printing, saving, copying and other options
- The ACLs are embedded into the file, so the protection is agnostic to the location of the data: the IRM policy travels with the file
- Useful for protecting sensitive organization content and intellectual property
IRM CLOUD CHALLENGES
- IRM requires that all users with access have matching encryption keys. This requires a strong and comprehensive identity structure
- Each user will need to be provisioned with an access policy and keys
- Access can be identity-based or role-based (RBAC)
- Identity can be implemented with a single directory location or across federated trust
- End users will likely have to install a local IRM agent for key storage, authentication and retrieval of protected information
- Can be challenging with disparate systems and document readers
DATA PROTECTION POLICIES: RETENTION
Data retention: established protocol for keeping information for operational or regulatory compliance needs.
Cloud considerations:
- Legal, regulatory and standards requirements must be well documented and agreed upon
- Data mapping should map all relevant data in order to understand formats, data types and data locations
- Data classification based on locations, compliance requirements, ownership and business usage
- Each category's procedures should be followed based on the appropriate policy that governs the data type
DATA PROTECTION POLICIES: DATA DELETION
Safe disposal of data once it is no longer needed:
- Physical destruction
- Degaussing
- Overwriting
- Encryption (crypto-shredding)
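Crypto-shredding, listed here as a deletion method and earlier under "logical destruction of data when physical destruction is not feasible", works because ciphertext is useless once its key is gone, so deleting the key deletes the data wherever the provider has replicated it. The Python below is an added illustration, not course or vendor code: `KeyManager` stands in for a KMS/HSM holding one data key per tenant, `EncryptedStore` holds only ciphertext, and shredding one tenant's key leaves that tenant's objects in storage but unreadable while the other tenant's data still decrypts (the logical-separation case from the same slide). The cipher is a deliberately simple HMAC-SHA256 keystream with an HMAC tag, chosen so the example runs with the standard library alone; a production system would use AES-GCM from a vetted library.

```python
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks.
    Illustrative only; production code uses AES-GCM from a vetted library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag. The tag lets decrypt() reject tampering."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class KeyManager:
    """Stand-in for a KMS/HSM: one data-encryption key per tenant, kept
    separately from the storage that holds the ciphertext."""

    def __init__(self):
        self._keys = {}

    def create_key(self, tenant):
        self._keys[tenant] = secrets.token_bytes(32)

    def get_key(self, tenant):
        if tenant not in self._keys:
            raise KeyError(f"no key for {tenant!r}: its data has been crypto-shredded")
        return self._keys[tenant]

    def shred(self, tenant):
        """Crypto-shredding: destroying the key is the deletion event.
        No object in storage needs to be touched."""
        del self._keys[tenant]


class EncryptedStore:
    """Stand-in for a cloud object store: holds ciphertext only, never keys."""

    def __init__(self, kms):
        self.kms = kms
        self.objects = {}

    def put(self, tenant, name, data):
        self.objects[(tenant, name)] = encrypt(self.kms.get_key(tenant), data)

    def get(self, tenant, name):
        return decrypt(self.kms.get_key(tenant), self.objects[(tenant, name)])

    def can_read(self, tenant, name):
        try:
            self.get(tenant, name)
            return True
        except (KeyError, ValueError):
            return False


def demo():
    """Two tenants share one store; shredding tenant-a's key makes only
    tenant-a's objects unreadable while they remain in storage."""
    kms = KeyManager()
    store = EncryptedStore(kms)
    for tenant in ("tenant-a", "tenant-b"):
        kms.create_key(tenant)
        store.put(tenant, "record.txt", f"{tenant} confidential data".encode())  # constructed
    before = (store.can_read("tenant-a", "record.txt"), store.can_read("tenant-b", "record.txt"))
    kms.shred("tenant-a")
    after = (store.can_read("tenant-a", "record.txt"), store.can_read("tenant-b", "record.txt"))
    still_stored = ("tenant-a", "record.txt") in store.objects
    return before, after, still_stored


if __name__ == "__main__":
    print(demo())  # ((True, True), (False, True), True)
```

The design point is the separation: the store never sees a key and the KMS never sees ciphertext, which is exactly the "keys stored within the enterprise" best practice from the earlier slide. If the provider could reach the key, shredding it would not be a deletion the customer can attest to.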
DATA PROTECTION POLICIES: DATA ARCHIVING
Data archiving is the process of identifying and moving inactive data out of current production systems and into specialized long-term archival storage systems. Considerations include:
- Encryption
- Monitoring
- Granular retrieval
- Electronic discovery (also called e-discovery): any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case
- Backup and recovery
- Media type
- Restoration procedures
AUDITABILITY
In order to be able to perform effective audits and investigations, the CSP should provide an audit log with as much information as is relevant:
- When: time and date of logs and events
- Where: application identifier, application address (cluster/host or IP address)
- Who: human or machine
- What: type of event, severity of event and description
SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
Software and products combining security information management and event management. It provides real-time analysis of security alerts generated by network hardware and applications. SIEM systems often provide:
- Aggregation from many sources
- Correlation across common attributes
- Alerting to a pre-defined entity responsible for monitoring
- Dashboard tools to take event data and organize it into charts or other formats
- Compliance tools that automate the gathering of compliance data
- Retention: long-term storage of historical data to facilitate correlation of data over time and to provide the retention necessary for compliance
- Forensic analysis: the ability to search across logs on different nodes and time periods based on specific criteria
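Taken together, the Auditability and SIEM slides describe records with When/Where/Who/What fields being aggregated from several sources and correlated on a common attribute. The Python below is an added example, not course material or any SIEM vendor's code: it parses constructed audit records in that shape, aggregates them by `who`, and applies two illustrative correlation rules (repeated failed logins followed by a success, and a burst of object downloads), producing alerts for the monitoring entity. The event type names, addresses and thresholds are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records from two sources (a web front end and a storage
# service) in the When / Where / Who / What shape from the Auditability slide.
RAW_EVENTS = [
    '{"when":"2024-03-01T09:00:05Z","where":{"app":"web","addr":"10.0.1.5"},"who":"alice","what":{"type":"login_failed","severity":3}}',
    '{"when":"2024-03-01T09:00:20Z","where":{"app":"web","addr":"10.0.1.5"},"who":"alice","what":{"type":"login_failed","severity":3}}',
    '{"when":"2024-03-01T09:00:41Z","where":{"app":"web","addr":"10.0.1.5"},"who":"alice","what":{"type":"login_failed","severity":3}}',
    '{"when":"2024-03-01T09:01:00Z","where":{"app":"web","addr":"10.0.1.5"},"who":"alice","what":{"type":"login_success","severity":1}}',
    '{"when":"2024-03-01T09:02:10Z","where":{"app":"storage","addr":"10.0.2.9"},"who":"alice","what":{"type":"object_download","severity":1}}',
    '{"when":"2024-03-01T09:02:30Z","where":{"app":"storage","addr":"10.0.2.9"},"who":"alice","what":{"type":"object_download","severity":1}}',
    '{"when":"2024-03-01T09:02:55Z","where":{"app":"storage","addr":"10.0.2.9"},"who":"alice","what":{"type":"object_download","severity":1}}',
    '{"when":"2024-03-01T09:03:12Z","where":{"app":"storage","addr":"10.0.2.9"},"who":"alice","what":{"type":"object_download","severity":1}}',
    '{"when":"2024-03-01T09:03:40Z","where":{"app":"storage","addr":"10.0.2.9"},"who":"alice","what":{"type":"object_download","severity":1}}',
    '{"when":"2024-03-01T09:05:00Z","where":{"app":"web","addr":"10.0.1.6"},"who":"bob","what":{"type":"login_failed","severity":3}}',
    '{"when":"2024-03-01T09:05:15Z","where":{"app":"web","addr":"10.0.1.6"},"who":"bob","what":{"type":"login_success","severity":1}}',
    '{"when":"2024-03-01T09:06:00Z","where":{"app":"storage","addr":"10.0.2.9"},"who":"bob","what":{"type":"object_download","severity":1}}',
]


def parse(lines):
    """Aggregation step 1: normalise records from any source into one schema
    and order them by time so correlation can reason about sequence."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["when"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def aggregate_by(events, attr):
    """Aggregation step 2: group events on a common attribute (here 'who')."""
    groups = defaultdict(list)
    for event in events:
        groups[event[attr]].append(event)
    return groups


def correlate(events, fail_threshold=3, window=timedelta(minutes=5), download_threshold=5):
    """Two illustrative correlation rules; the thresholds are assumptions."""
    alerts = []
    for who, evs in aggregate_by(events, "who").items():
        recent_failures = []
        for event in evs:
            kind = event["what"]["type"]
            if kind == "login_failed":
                recent_failures.append(event)
                recent_failures = [f for f in recent_failures if event["ts"] - f["ts"] <= window]
            elif kind == "login_success" and len(recent_failures) >= fail_threshold:
                alerts.append({
                    "rule": "failed_logins_then_success",
                    "who": who,
                    "failures": len(recent_failures),
                    "sources": sorted({f["where"]["addr"] for f in recent_failures}),
                    "at": event["when"],
                })
                recent_failures = []
        downloads = [e for e in evs if e["what"]["type"] == "object_download"]
        if len(downloads) >= download_threshold:
            alerts.append({
                "rule": "bulk_download",
                "who": who,
                "count": len(downloads),
                "first": downloads[0]["when"],
                "last": downloads[-1]["when"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(RAW_EVENTS)):
        print(json.dumps(alert))
```

Neither rule fires on the web source or the storage source alone; the first needs the ordering that aggregation supplies and the second needs a count across records. That is the value the slide's "correlation across common attributes" adds over per-application logging.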
CHAIN OF CUSTODY
Chain of custody is the preservation and protection of evidence from the time it is collected until the time it is presented in court.
- Documentation should exist for the collection, possession, condition, location, transfer, access to and any analysis performed on an item, from acquisition through eventual final disposition
- Chain of custody provisions should be included in the service contract to ensure that the cloud provider will comply with requests
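The documentation requirement on this slide (collection, possession, condition, location, transfer, access and analysis, from acquisition to disposition) can be enforced with an append-only hash chain, so that any later edit, deletion or reordering of an entry, or any change to the evidence itself, is detectable rather than a matter of trust. The Python below is an added example, not part of the course: `CustodyLog` records each handling event together with the SHA-256 of the evidence and the previous entry's hash, and `verify` replays the chain. The case id, actors, timestamps and evidence bytes are constructed.

```python
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _canonical(entry):
    """Stable serialisation so the same entry always hashes the same."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item.
    Each entry commits to the evidence hash, the handling details and the
    previous entry's hash, so later edits, deletions or reordering of
    entries, or substitution of the evidence, break verification."""

    GENESIS = "0" * 64

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, action, actor, location, condition, evidence_bytes, when, notes=""):
        """Append one handling event; the evidence is re-hashed at every step."""
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries),
            "when": when,
            "action": action,
            "actor": actor,
            "location": location,
            "condition": condition,
            "evidence_hash": sha256_hex(evidence_bytes),
            "notes": notes,
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = sha256_hex(_canonical(entry))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, evidence_bytes=None):
        """Replay the chain. Returns (ok, reason). If the evidence as presented
        now is supplied, it is also checked against the recorded hash."""
        if not self.entries:
            return False, "empty log"
        expected_prev = self.GENESIS
        recorded_evidence = self.entries[0]["evidence_hash"]
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i:
                return False, f"sequence gap at entry {i}"
            if entry["prev_hash"] != expected_prev:
                return False, f"chain broken at entry {i}"
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(_canonical(body)) != entry["entry_hash"]:
                return False, f"entry {i} altered"
            if entry["evidence_hash"] != recorded_evidence:
                return False, f"evidence changed at entry {i}"
            expected_prev = entry["entry_hash"]
        if evidence_bytes is not None and sha256_hex(evidence_bytes) != recorded_evidence:
            return False, "evidence presented does not match recorded hash"
        return True, "ok"


def demo():
    """Constructed scenario: a provider hands a snapshot to an analyst, then
    someone edits an earlier entry after the fact."""
    image = b"constructed VM snapshot bytes, not a real image"
    log = CustodyLog("CASE-0001")  # constructed case id
    log.record("collected", "csp-ops", "provider data centre", "sealed", image, "2024-03-01T10:00:00Z")
    log.record("transferred", "courier", "in transit", "seal intact", image, "2024-03-01T12:00:00Z")
    log.record("analyzed", "analyst-1", "forensics lab", "imaged read-only", image, "2024-03-02T09:00:00Z")
    intact = log.verify(image)
    log.entries[1]["actor"] = "someone-else"  # simulated after-the-fact edit
    tampered = log.verify(image)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # ((True, 'ok'), (False, 'entry 1 altered'))
```

A hash chain proves the log was not altered after the fact; it does not by itself prove who wrote each entry. In a real engagement each entry would also carry a signature from the actor, and the contractual provision the slide mentions is what obliges the provider to produce its part of the chain.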
DOMAIN 2 CLOUD DATA SECURITY REVIEW
- Storage Architectures
- Data Lifecycle Security
- Database Security
- Data Loss Prevention (DLP)
- Data Encryption
- Key Management