CCSP Domain 2 : Cloud Data Security － Part 2
D2 : Cloud Data Security
M6 : Ensure Compliance with Regulations and Controls
IT Service Management (ITSM)
Management and oversight to ensure alignment between IT and business.
Maintain information about configuration items required to deliver an IT service, including their relationship.
An approach to transitioning individuals, teams, and organizations to a desired future state.
- Respond to a customer's changing business requirements
- Respond to business and IT requests
- Ensure changes are recorded and evaluated
- Ensure the authorized changes are prioritized, planned, tested, implemented, documented and reviewed in a controlled manner
- Ensure all changes to configuration items are recorded in the configuration management system
- Optimize overall business risk.
To identify, analyze, and correct hazards to prevent a future re-occurrence of an incident.
Event : A change of state that has significance for the management of an IT service or other configuration item
Incident : an unplanned interruption to an IT service or reduction in the quality of an IT service.
To minimize the impact of problems on the organization.
Plays an important role in the detection of problems (workarounds and known errors), providing solutions, and preventing their recurrence.
Release and Deployment Management
To plan, schedule, and control the movement of releases to test and live environments.
To negotiate service-level agreements with customers and to design services in accordance with the agreed-upon service-level targets.
To define, analyze, plan, measure, and improve all aspects of the availability of IT services.
To ensure that the capacity of IT services and the IT infrastructure is able to deliver the agreed service-level targets in a cost-effective and timely manner.
Business continuity : the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
Business continuity management : a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.
Information Security Management
Documentation and operational plan to cover :
- security management
- security policy
- information security organization
- asset management
- human resources security
- physical and environmental security
- communications and operations management
- access control
- information systems acquisition, development, and maintenance
- provider and customer responsibilities
A formal procedure to collect and analyze metrics on all services and processes to find areas of improvement.
M7 : Design and Implement Auditability, Traceability, and Accountability of Data Events
Event source and log availability depends on the cloud service model (IaaS, PaaS, SaaS), and needs to be specified in the contract to allow access for investigation.
A concept that has grown in importance during the transition to cloud computing.
ISCM : maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
SEM : real-time monitoring, correlation of events, notifications, and console views
SIM : long-term storage, analysis, and reporting of log data
- Data aggregation
- Forensic analysis
Principles to be adopted as part of security operations policies
- Audit logging
- new events detection
- adding new rule
- reduction of false positives
- Contract/authority maintenance
- Data governance (secure disposal)
- Incident response legal preparation
Chain of Custody and Nonrepudiation
Digital evidence preservation/protection.
Oh my! This is becoming more like a content index of what I have studied than notes... Let's see if I can change this a bit...
M8 : Design and Apply Data Security Strategies
Cloud Encryption Challenges
- Encryption key management
- CSP to process encrypted data
- Data highly portable
- Secure hardware is not applicable to cloud environments, and software-based key storage is more vulnerable
- Storage-level encryption is less complex but easy to exploit; app-level encryption is more effective but complex
- Using an encryption engine will impact availability and performance
- Data can change location, format, etc.
- When backup/DR is taken into consideration for encryption, key usage and management could impact data availability
- Does not solve data integrity threat
Data Encryption in IaaS
- Basic storage-level encryption
- Volume-storage encryption
- Instance-based encryption
- Proxy-based encryption
- File-level encryption
- Application-level encryption
- Access to the keys
- Key storage
- Backup and replication
- Internally managed (stored in local VM)
- Externally managed
- Managed by a third party
Hiding, replacing, or omitting sensitive information from a data set.
- Random substitution
- Algorithmic substitution
- Static masking - new copy of data created with masked value
- Dynamic masking - on-the-fly masking
- Deletion - use null
Removing the indirect identifiers in order to prevent data analysis tools or other intelligent mechanisms from collating or pulling data from multiple sources to identify an individual.
Process of substituting a sensitive data element with a nonsensitive equivalent, referred to as a token.
Application Security Considerations
Involves splitting up and storing encrypted information across different cloud storage services.
- Secret Sharing Made Short (SSMS) : user can reconstruct the original data by accessing only m arbitrarily chosen fragments of the data and encryption key.
- encryption of information
- use information dispersal algorithm (IDA) to split the data using erasure coding into fragments
- splitting the encryption key using the secret-sharing algorithm
- All-or-Nothing-Transform with Reed-Solomon (AONT-RS) : integrates the AONT and erasure coding. The information cannot be recovered without using all the blocks.
- encryption of information
- transform the information and encryption key into blocks
- Use IDA to split the blocks
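The three SSMS steps listed above, as an added Python example that is not part of the original notes. The function names are hypothetical, the SHA-256 keystream is only a stand-in for a real cipher, and the choices of polynomial interpolation over GF(257) as the IDA and Shamir's scheme as the secret-sharing algorithm are assumptions of this example.

```python
import hashlib, secrets
P = 2**521 - 1  # Mersenne prime; field for sharing a 256-bit key

def lagrange(points, x, p):
    """Evaluate at x the unique polynomial through points, over GF(p)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = num * (x - xj) % p, den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def keystream_xor(key, data):
    """Stand-in cipher (SHA-256 counter keystream); use a vetted AEAD in practice."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def disperse(data, m, n):
    """IDA: each m bytes define a polynomial over GF(257); fragment x stores its value at x."""
    data += bytes(-len(data) % m)  # zero-pad to a multiple of m
    frags = {x: [] for x in range(1, n + 1)}
    for i in range(0, len(data), m):
        pts = list(enumerate(data[i:i + m], start=1))
        for x in frags:
            frags[x].append(lagrange(pts, x, 257))
    return frags

def ssms_split(plaintext, m, n):
    key = secrets.token_bytes(32)
    frags = disperse(keystream_xor(key, plaintext), m, n)  # steps 1 and 2
    # Step 3 (Shamir): degree m-1 polynomial with the key at x = 0
    poly = [(0, int.from_bytes(key, "big"))] + [(x, secrets.randbelow(P)) for x in range(1, m)]
    return {x: (frags[x], lagrange(poly, x, P)) for x in frags}

def ssms_join(shares, m, length):
    if len(shares) < m:
        raise ValueError("need at least m shares")
    xs = sorted(shares)[:m]
    key = lagrange([(x, shares[x][1]) for x in xs], 0, P).to_bytes(32, "big")
    ct = bytearray()
    for col in range(len(shares[xs[0]][0])):
        pts = [(x, shares[x][0][col]) for x in xs]
        ct += bytes(lagrange(pts, t, 257) for t in range(1, m + 1))
    return keystream_xor(key, bytes(ct[:length]))
```

Each share pairs one ciphertext fragment (about 1/m of the data) with one key share, so any m of the n storage locations suffice to rebuild the plaintext, while fewer than m key shares reveal nothing about the key.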
Enable the processing of encrypted data without the need to decrypt the data.
Use quantum-bits (qubits) to encode information as 0s, 1s, or both at the same time.
Computational approach to solve problems in the same way that the human brain would.
Guess I have to stop here. My brain is starting to get reluctant to process the text... This post took me ~2 hours to complete...