I am going to start from Domain 2.
D2 : Cloud Data Security
M1 : Understand Cloud Data Life Cycle
Process overview
This table lays out the possible access and the allowed access by function, actor and location. The access control requirements and design can be derived from this table.
M2 : Understand Implication of Cloud to Enterprise Risk
Risk management
Risk framework
Key roles associated with data management
Data subject : individual who is the subject of personal data
Data controller : person who determines the purpose and how to process personal data
Data processor : person who processes the data on behalf of the data controller
Data stewards : responsible for data content, context and associated business rules
Data custodian : responsible for the safe custody, transport and storage of the data and implementation of business rules
Data owners : hold the legal rights and complete control over data elements; define distribution and associated policies
Service-Level Agreement (SLA)
Should cover
- Availability
- Performance
- Security/privacy of the data
- Logging and reporting
- DR expectation
- Location of the data
- Data format/structure
- Portability of the data
- Identification & problem resolution
- Change management process
- Dispute mediation process
- Exit strategy
- Uptime guarantees
- SLA penalties
- SLA penalty exclusions
- Suspension of service
- Provider liability
- Data protection requirements
- DR
- Security recommendations
Key SLA Elements
- Assessment of risk environment
- Risk profile
- Risk appetite
- Responsibilities
- Regulatory requirements
- Risk mitigation
- Different risk frameworks
Quality of service (QoS)
To meet cloud consumers' business, audit, performance, and SLA requirements:
- Availability
- Outage duration
- Mean time between failures
- Capacity metric
- Performance metric
- Reliability percentage metric
- Storage device capacity metric
- Server capacity metric
- Instance startup time metric
- Response time metric
- Completion time metric
- Mean time to switchover metric
- Mean time to system recovery metric
- Scalability component metric
- Storage scalability metric
- Server scalability metric
Risk Assessment/Analysis
Policy and Organization Risks
- Provider lock-in
- Loss of governance
- Compliance risks
- Provider exit
- Consolidation of IT : a single point of failure can have a bigger impact
- A larger scale allows for more technical skills to be available at the CSP
- Control over technical risks shifts towards the CSP
- Management plane compromise
- Shared resources can lead to resource exhaustion
- Resource/control isolation across multiple tenants
- Data disposal
- Law enforcement / civil legal activity
- Jurisdiction (related to data storage locations across multiple jurisdictions)
- Data protection
- Licensing
- Natural disasters
- Unauthorized facility access
- Social engineering
- Network attacks
- Default passwords
M3 : Understand & Implement Data Discovery & Classification Technology
Data Discovery
- Emphasizes interactive, visual analytics
- Used to find meaningful and important information in data
- Big data
- Real-time analytics
- Agile analytics and agile business intelligence
- Metadata
- Labels
- Content analysis
- Poor data quality
- Dashboards - is data accurate/analytical method correct? Sensitive data handling
- Hidden costs - in-memory analytics for performance...
- Data location for DIU/DAR/DIM (data in use / data at rest / data in motion)
- Accessing the data
- Preservation and maintenance
Data Classification
- A tool for categorization of data, to know
  - available data types
  - data location
  - access level implementations
  - protection level implementation and whether it complies with regulations
- Recommended for implementing data controls (DLP, encryption)
- Required by certain regulations/standards - ISO 27001, PCI DSS
- Data labelling - top secret, secret, classified
Classification categories
- Data type (format, structure)
- Jurisdiction and other legal constraints
- Context
- Ownership
- Contractual or business constraints
- Trust levels and source of origin
- Value, sensitivity and criticality
- Obligation for retention and preservation
- Data creation
- Classification controls
- Metadata
- Classification data transformation
- Reclassification consideration
M4 : Design and Implement Data Rights Management
DRM : A technology aimed at controlling the use of digital content.
- Consumer DRM
- Enterprise DRM
- Extra layer of access control - printing/copying/saving...
- DRM protection travels with the file and provides continuous protection
- Not limited to documents; also covers emails, web pages, DB columns, etc.
- Set up a baseline for the default information protection policy
- Each resource is provisioned with an access policy - automated policy provisioning
- Role-based access control (RBAC) policy
- Identity infrastructure for user management/authentication
- A local DRM agent is required, which may limit external users/usage
- Reader software must be DRM-aware
- DRM compatibility with different OSes/document readers
- Integrate with other security controls : DLP, document discovery tools
Key Capabilities of DRM Solutions
- Persistent protection
- Dynamic policy control
- Automatic expiration
- Continuous audit trail
- Support for existing authentication security infrastructure
- Mapping for repository ACL
- Integration with all third-party email filtering engines
- Prohibiting printing of an entire document or selected portions
- Disabling copy/paste and screen capture capabilities
- Watermarking pages if printing privileges are granted
- Expiring or revoking document access at any time
- Tracking all document activity through a complete audit trail
- Accessibility
M5 : Design and Implement Relevant Jurisdictional Data Protection for Personally Identifiable Information (PII)
Data Privacy Acts (DPA)
To provide safeguards to individuals (data subjects) for the processing of their personal data with respect to their privacy.
US : Federal and state level laws; Federal Trade Commission (FTC)
EU : EU Directive 95/46/EC; 2002/58/EC (ePrivacy); GDPR
APEC : APEC Privacy Framework
Applicable law : determines the legal regime applicable to a certain matter
Jurisdiction : determines the ability of a national court to decide a case or enforce a judgement or order
Main Input Entities for Data Classification for P&DP Purpose
Primary Set
- P&DP law
- Scope and purpose of the processing
- Categories of the personal data to be processed
- Categories of the processing to be performed
- Data location allowed
- Categories of user allowed
- Data retention constraints
- Security measures to be ensured
- Data breach constraints
- Status
Key Privacy Cloud Service Factor
- Applicable law
- Relationships : Customer - Service Providers - Subcontractors
- Fundamental Principles : transparency, purpose specification and limitation, data retention/erasure
- Contractual Safeguards, Data Transfers to third countries
Privacy Level Agreement
- Fulfillments toward the data subjects
  - Notice
  - Consent
  - Exercise of Rights
- Fulfillments toward the DPA
  - Notification for specific processing or for specific data breach cases
  - DPA prior checking for specific cases of privacy risks
  - Authorization for specific processing
- Organizational-Contractual measures
  - Controller-processor privacy agreement
  - Data transfer agreement
  - Training, appointment, and control of personnel in charge of data processing
- Technical-Procedural measures
  - Technical/procedural security measures
  - Data breach identification and management
  - Data retention requirements for specific processing
- Identity of the CS privacy role and contact data of the relevant privacy persons
- Categories of personal data that the customer is prohibited from sending to or processing in the cloud
- Ways in which the data will be processed
- Data transfer
- Data security measures
- Monitoring
- Third-party audits
- Personal data breach notification
- Data portability, migration and transfer back assistance
- Data retention, restitution, and deletion
- Accountability
- Cooperation
- Law enforcement access
- Remedies
- Complaint; dispute resolution
- Cloud service provider's insurance policy
Application of Defined Controls for Personally Identifiable Information (PII)
Cloud Security Alliance Cloud Controls Matrix (CCM)
Security domains:
- Application and Interface Security
- Audit Assurance and Compliance
- Business Continuity Management and Operational Resilience
- Change Control and Configuration Management
- Data Security and Information Life Cycle Management
- Data Center Security
- Encryption and Key Management
- Governance and Risk Management
- Human Resources
- Identity and Access Management
- Infrastructure and Virtualization Security
- Interoperability and Portability
- Mobile Security
- Security Incident Management; E-discovery, and Cloud Forensics
- Supply Chain Management, Transparency, and Accountability
- Threat and Vulnerability Management
Management Control for Privacy and Data Protection Measures
P/S: I would like to give credit to draw.io for providing a web-based platform that allows me to draw the charts for my notes.