CCSP Domain 2 : Cloud Data Security - Part 1

OMG! I can't believe that it's a year passed by, and I did not write up for the last 2 topics that I'd like to covered in RHCE! Those posts were prepared after I have finished and passed RHCE. Anyway, I am in preparation for another certification, CCSP. Thought of "document" my study notes in order to help me to organize my notes, and also help me to reinforce my understanding on the topics.

I am going to start from Domain 2.

D2 : Cloud Data Security



M1 : Understand Cloud Data Life Cycle




Process overview
This table is to layout the possible access and allowed access by functions/actor/location. The access control requirement and design can be retrieved from this table.



M2 : Understand Implication of Cloud to Enterprise Risk


Risk management


Risk framework


Key roles associate with data management

Data subject : individual who is the subject of personal data
Data controller : person who determines the purpose and how to process personal data
Data processor : person who process the data on behalf of the data controller
Data stewards : responsible for data content, context and associated business rules
Data custodian : responsible for the safe custody, transport and storage of the data and implementation of business rules
Data owners : hold the legal rights and complete control over data elements; define distribution and associated policies

Service-Level Agreement (SLA)
Should covers
  • Availability
  • Performance
  • Security/privacy of the data
  • Logging and reporting
  • DR expectation
  • Location of the data
  • Data format/structure
  • Portability of the data
  • Identification & problem resolution
  • Change management process
  • Dispute mediation process
  • Exit strategy
  • Uptime gurantees
  • SLA penalties
  • SLA penalty exclusions
  • Suspension of service
  • Provider liability
  • Data protection requirements
  • DR
  • Security recommendations

Key SLA Elements
  • Assessment of risk environment
  • Risk profile
  • Risk appetite
  • Responsibilities
  • Regulatory requirements
  • Risk mitigation
  • Different risk frameworks

Quality of service (QoS)
To meet cloud consumers' business, audit, performance, and SLA requirements:
  • Availability
  • Outage duration
  • Mean time between failures
  • Capacity metric
  • Performance metric
  • Reliability percentage metric
  • Storage device capacity metric
  • Server capacity metric
  • Instance startup time metric
  • Response time metric
  • Completion time metric
  • Mean time to switchover metric
  • Mean time system recovery metric
  • Scalability component metric
  • Storage scalability metric
  • Server scalability metric

Risk Assessment/Analysis
Policy and Organization Risks
  • Provider lock-in
  • Loss of governance
  • Compliance risks
  • Provider exit
Technical Risk
  • Consolidation of IT : single point of failure can have a bigger impact
  • A larger scale allows for more technical skills to be available at CSP
  • Control over technical risks shift towards CSP
  • Management plane compromise 
  • Shared resources can lead to resource exhaustion
  • Resource/control isolation across multi tenants
  • Data disposal
Legal Risk
  • law enforcement / civil legal activity
  • Jurisdiction (related to data storage locations across multiple jurisdictions)
  • Data protection
  • Licensing 
Non-Cloud-Specific Risk
  • Natural disasters
  • Unauthorized facility access
  • Social engineering
  • Network attacks
  • Default password


M3 : Understand & Implement Data Discovery & Classification Technology


Data Discovery
  • emphasize interactive, visual analytics
  • to find meaningful and important information in data
Data Discovery Trends
  •  Big data
  • Real-time analytics
  • Agile analytics and agile business intelligence
Different Data Discovery Techniques
  • Metadata
  • Labels
  • Content analysis
Data Discovery Issues
  • Poor data quality
  • Dashboards - is data accurate/analytical method correct? Sensitive data handling
  • Hidden costs - in-memory analytics for performance...
Challenges with Data Discovery in the Cloud
  • Data location for DIU/DAR/DIM
  • Accessing the data
  • Preservation and maintenance

Data Classification
  • A tool for categorization of data to know
    • available data types
    • data location
    • Access level implementations
    • Protection level implementation and if it is compliance to regulations
  • Recommended for implementing data controls (DLP, encryption)
  • Requirement of certain regulations/standards - ISO 27001, PCI DSS 
  • Data labelling - top secret, secret, classified

Classification categories
  • Data type (format, structure)
  • Jurisdiction and other legal constraints
  • Context
  • Ownership
  • Contractual or business constraints
  • Trust levels and source of origin
  • Value, sensitivity and criticality
  • Obligation for retention and preservation
Challenges with Cloud Classifications
  • Data creation
  • Classification controls
  • Metadata
  • Classification data transformation
  • Reclassification consideration


M4 : Design and Implement Data Right Management


DRM : A technology aimed at controlling the use of digital content.
  • Consumer DRM
  • Enterprise DRM
DRM features and use cases
  • Extra layer of access control - printing/copying/saving...
  • DRM protection travel with the file and provide continuous protection
  •  Not limited to documents, but also emails, web pages, DB columns and etc.
  • Setting up a baseline for default information protection policy
DRM Cloud Challenges
  • Each resource will be provisioned with an access policy - automated policy provision
  • Role-based access control RBAC policy
  • Identity infrastructure for users management/authentication
  • Local DRM agent is required may limit external user/usage
  • Reader software must be DRM-aware
  • DRM compatibility with different OS/document readers
  • To integrate into other security controls : DLP, document discovery tools

Key Capabilities to DRM solutions
  • Persistent protection
  • Dynamic policy control
  • Automatic expiration
  • Continuous audit trail
  • Support for existing authentication security infrastructure
  • Mapping for repository ACL
  • Integration with all third-party email filtering engines
  • Prohibiting printing of an entire document or selected portions
  • Disabling copy/paste and screen capture capabilities
  • Watermarking pages if printing privileges are granted
  • Expiring or revoking document access at anytime
  • Tracking all document activity through a complete audit trail
  • Accessibility


M5 : Design and Implement Relevant Jurisdictional Data Protection for Personally Identifiable Information (PII)


Data Privacy Acts (DPA)
To provide safeguards to individuals (data subjects) for the processing of their personal data with respect to their privacy.

US : Federal and state levels laws; Federal Trade commission (FTC)
EU : EU Directive 95/46/EC; 2002/58/EC (ePrivacy); GDPR
APEC : APEC Privacy Framework

Applicable law : determines the legal regime applicable to a certain matter
Jurisdiction : determines the ability of a national court to decide a case or enforce a judgement or order


Main Input Entities for Data Classification for P&DP Purpose
Primary Set
  • P&DP law
  • Scope and purpose of the processing
  • Categories of the personal data to be processed
  • Categories of the processing to be performed
Secondary Set
  • Data location allowed
  • Categories of user allowed
  • Data retention constraints
  • Security measures to be ensured
  • Data breach constraints
  • Status

Key Privacy Cloud Service Factor
  • Applicable law
  • Relationships : Customer - Service Providers - Subcontractors
  • Fundamental Principles : transparency, purpose specifications and imitation, data retention/erasure
  • Contractual Safeguards, Data Transfers in 3rd countries

Privacy Level Agreement
  • Fulfillments toward the data subjects
    • Notice
    • Consent
    • Exercise of Rights
  • Fulfillments toward the DPA
    • Notification for specific processing or for specific data breach cases
    • DPA prior checking for specific cases of privacy risks 
    • Authorizing for specific processing
  • Organizational-Contractual measures
    • Controller-processor privacy agreement 
    • Data transfer agreement
    • Training, appointment, and control for personnel in charge of data processing
  • Technical-Procedural measures
    • Technical/procedural security measures
    • Data breach identification and management
    • Data retention requirements for specific processing
Privacy Level Agreement Outline Annex by CSA can be download at here.
  1. Identify the CS privacy role contact data of relevant privacy persons
  2. Categories of personal data that the customer is prohibited frokm sending to or processing in the cloud
  3. Ways in which the data will be processed
  4. Data transfer
  5. Data security measures
  6. Monitoring
  7. Third-party audits
  8. Personal data breach notification
  9. Data portability, migration and transfer back assistance
  10. Data retention, restitution, and deletion
  11. Accountability
  12. Cooperation
  13. Law enforcement acces
  14. Remedies
  15. Complaint; dispute resolution
  16. Cloud service provider's insurance policy

Application of Defined Controls for Personally Identifiable Information (PII)

Cloud Security Alliance Cloud Controls Matrix (CCM)
Security domains:
  • Application and Interface Security
  • Audit Assurance and Compliance
  • Business Continuity Management and Operational Resilience
  • Change Control and Configuration Management
  • Data Security and Information Life Cycle Manament
  • Data Center Security
  • Encryption and Key Management
  • Governance and Risk Management
  • Human Resources
  • Identity and Access Management
  • Infrastructure and Virtualization Security
  • Interoperability and Portability
  • Mobile Security 
  • Security Incident Management; E-discovery, and Cloud Forensics
  • Supply Chain Management, Transparency, and Accountability
  • Threat and Vulnerability Management
This can be downloaded here.

Management Control for Privacy and Data Protection Measures



P/S: I like to give credits to draw.io for providing a web based platform that allows me to draw the charts for my notes.




Comments

Popular Posts