Tuesday, September 18, 2018

CCSP Domain 2 : Cloud Data Security - Part 2

D2 : Cloud Data Security



M6 : Ensure Compliance with Regulations and Controls


IT Service Management (ITSM)
Management and oversight to ensure alignment between IT and business.

Configuration Management
Maintain information about configuration items required to deliver an IT service, including their relationship.

Change Management
An approach to transitioning individuals, teams, and organizations to a desired future state.
  • Respond to a customer's changing business requirements
  • Respond to business and IT requests
  • Ensure changes are recorded and evaluated
  • Ensure the authorized changes are prioritized, planned, tested, implemented, documented and reviewed in a controlled manner
  • Ensure all changes to configuration items are recorded in configuration management system
  • Optimize overall business risk.
Incident Management
To identify, analyze, and correct hazards to prevent a future re-occurrence of an incident.
Event : A change of state that has significance for the management of an IT service or other configuration item
Incident : an unplanned interruption to an IT service or reduction in the quality of an IT service.


Problem Management
To minimize the impact of problems on the organization.
Plays an important role in the detection of problems (workarounds and known errors), providing solutions, and preventing their recurrence.

Release and Deployment Management
To plan, schedule, and control the movement of releases to test and live environments.

Service-Level Management
To negotiate service-level agreements with customers and to design services in accordance with the agreed-upon service-level targets.

Availability Management
To define, analyze, plan, measure, and improve all aspects of the availability of IT services.

Capacity Management
To ensure that the capacity of IT services and the IT infrastructure is able to deliver the agreed service-level targets in a cost-effective and timely manner.

Continuity Management
Business continuity : the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
Business continuity management : a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

Information Security Management
Documentation and operational plan to cover :
  • security management
  • security policy
  • information security organization
  • asset management
  • human resources security
  • physical and environmental security
  • communications and operations management
  • access control
  • information systems acquisition, development, and maintenance
  • provider and customer responsibilities
Continual Service Improvement
A formal procedure to collect and analyze metrics on all services and processes to find areas of improvement.


M7 : Design and Implement Auditability, Traceability, and Accountability of Data Events


Event sources and log availability depend on the cloud service model (IaaS, PaaS, SaaS), and need to be specified in the contract to allow access for investigation.

Continuous Monitoring
A concept that has grown in importance during the transition to cloud computing.
ISCM : maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

SIEM
SEM : real-time monitoring, correlation of events, notifications, and console views
SIM : long-term storage, analysis, and reporting of log data
Capabilities:
  • Data aggregation
  • Correlation
  • Alerting
  • Dashboards
  • Compliance
  • Retention
  • Forensic analysis

Continuous Operations
Principles to be adopted as part of security operations policies
  • Audit logging
    • new events detection
    • adding new rule
    • reduction of false positives
  • Contract/authority maintenance
  • Data governance (secure disposal)
  • Incident response legal preparation

Chain of Custody and Nonrepudiation
Digital evidence preservation/protection.

Oh my! This is becoming more like a content index of what I have studied than notes... Let's see if I can change this a bit...

M8 : Design and Apply Data Security Strategies


Encryption


Cloud Encryption Challenges

  • Encryption key management
  • CSP to process encrypted data
  • Data highly portable
  • Multitenant
  • Secure hardware is not applicable in cloud environments, and software-based key storage is more vulnerable
  • Storage-level encryption is less complex but easier to exploit; application-level encryption is more effective but more complex
  • Performance
  • Using an encryption engine will impact availability and performance
  • Data can change location, format, etc.
  • When backup/DR is taken into consideration for encryption, key usage and management could impact data availability
  • Does not solve data integrity threat

Encryption Architecture


Data Encryption in IaaS
  1. Basic storage-level encryption
  2. Volume-storage encryption
    • Instance-based encryption
    • Proxy-based encryption
  3. Object-storage encryption
    • File-level encryption
    • Application-level encryption
Database Encryption


Key Management

Common challenges
  • Access to the keys
  • Key storage
  • Backup and replication
Key storage in the cloud
  • Internally managed (stored in local VM)
  • Externally managed
  • Managed by a third party
Data Masking/Data Obfuscation
Hiding, replacing or omitting sensitive information from a data set.
  • Random substitution
  • Algorithmic substitution
  • Shuffle
  • Masking
    • Static masking - new copy of data created with masked value
    • Dynamic masking - on-the-fly masking
  • Deletion - use null
Data Anonymization
Removing the indirect identifiers in order to prevent data analysis tools or other intelligent mechanisms from collating or pulling data from multiple sources to identify an individual.

Tokenization
Process of substituting a sensitive data element with a nonsensitive equivalent, referred to as a token.
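The masking, anonymization and tokenization approaches from the notes above, applied to a constructed customer record (added example, not part of the original notes; the record values and the role name are made up):

```python
# Added example (not from the original notes): static masking, dynamic masking,
# vault-based tokenization and anonymization of a constructed customer record.
import secrets

DIGITS = "0123456789"

# Constructed sample data; the values are made up for this example.
RECORD = {"name": "Jane Doe", "card": "4111111111111111", "zip": "90210", "dob": "1984-06-01"}


def mask_card(card: str) -> str:
    """Static masking: produce a copy that keeps only the last four digits."""
    return "*" * (len(card) - 4) + card[-4:]


def dynamic_mask(record: dict, role: str) -> dict:
    """Dynamic masking: mask on the fly unless the requesting role is cleared.
    The role name 'fraud-analyst' is an assumption for this example."""
    if role == "fraud-analyst":
        return dict(record)
    # card is masked; dob is removed outright (the "deletion - use null" option)
    return {**record, "card": mask_card(record["card"]), "dob": None}


class TokenVault:
    """Tokenization: replace a sensitive value with a random, same-format token.
    Only the vault can map a token back, so a token leaked from the application
    carries no sensitive data by itself."""

    def __init__(self) -> None:
        self._by_value = {}   # sensitive value -> token
        self._by_token = {}   # token -> sensitive value

    def tokenize(self, value: str) -> str:
        if value in self._by_value:            # same input always yields the same token
            return self._by_value[value]
        while True:                            # random substitution, length/format preserved
            token = "".join(secrets.choice(DIGITS) for _ in value)
            if token != value and token not in self._by_token:
                break
        self._by_value[value], self._by_token[token] = token, value
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup; only callers with access to the vault can do this."""
        return self._by_token[token]


def anonymize(record: dict) -> dict:
    """Anonymization: drop the direct identifier and generalize the indirect ones
    (full date of birth -> year, 5-digit ZIP -> 3-digit prefix) to resist re-identification."""
    return {"zip3": record["zip"][:3], "birth_year": record["dob"][:4]}
```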

Tokenization Architecture


Application Security Considerations


Emerging Technologies

Bit Splitting
Involves splitting up and storing encrypted information across different cloud storage services.
  • Secret Sharing Made Short (SSMS) : the user can reconstruct the original data by accessing only m arbitrarily chosen fragments of the data and encryption key.
    • encryption of information
    • use information dispersal algorithm (IDA) to split the data using erasure coding into fragments
    • splitting the encryption key using the secret-sharing algorithm
  • All-or-Nothing-Transform with Reed-Solomon (AONT-RS) : integrates the AONT and erasure coding. The information cannot be recovered without using all the blocks.
    • encryption of information
    • transform the information and encryption key into blocks
    • Use IDA to split the blocks
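The "splitting the encryption key using the secret-sharing algorithm" step of SSMS, as an added example that is not part of the original notes: an (m, n) threshold scheme over a prime field (Shamir's construction), where any m of the n shares recover the key and fewer than m reveal nothing. The encryption of the data and the IDA step are assumed to happen separately; the 32-byte key is constructed sample input.

```python
# Added example (not from the original notes): (m, n) threshold secret sharing of an
# encryption key, the key-splitting step of SSMS. Shares are points on a random
# polynomial over GF(p); any m shares reconstruct f(0) = key, fewer than m do not.
import secrets

# Smallest prime above 2^256, so a 32-byte key fits in one field element.
PRIME = 2**256 + 297


def split_key(key: bytes, m: int, n: int) -> list:
    """Return n shares (x, y); any m of them reconstruct key."""
    secret = int.from_bytes(key, "big")
    if not (1 <= m <= n) or secret >= PRIME:
        raise ValueError("bad threshold or key too large for the field")
    # Degree m-1 polynomial with the key as constant term and random other coefficients.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):           # Horner evaluation of f(x) mod p
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_key(shares: list, key_len: int = 32) -> bytes:
    """Lagrange-interpolate f(0) from the given shares (must be at least m of them)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # pow(den, p-2, p) is the modular inverse of den (Fermat)
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


def demo() -> bool:
    """Split a constructed key 3-of-5, recover from two different subsets of 3 shares."""
    key = bytes(range(32))                   # constructed sample key
    shares = split_key(key, m=3, n=5)
    ok = recover_key(shares[:3]) == key and recover_key([shares[0], shares[2], shares[4]]) == key
    # With only 2 shares the interpolation yields an unrelated value (not the key).
    return ok and recover_key(shares[:2]) != key
```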
Homomorphic Encryption
Enables the processing of encrypted data without the need to decrypt the data.

Quantum Computing
Uses quantum bits (qubits) to encode information as 0s, 1s, or both at the same time.

Neural Networks
Computational approach to solve problems in the same way that the human brain would.


Guess I have to stop here. My brain is starting to get reluctant to process the text... This post took me ~ 2 hours to complete...


Monday, September 17, 2018

CCSP Domain 2 : Cloud Data Security - Part 1

OMG! I can't believe that a year has passed by, and I did not write up the last 2 topics that I'd like to have covered in RHCE! Those posts were prepared after I had finished and passed RHCE. Anyway, I am in preparation for another certification, CCSP. Thought of "documenting" my study notes in order to help me organize my notes, and also help me reinforce my understanding of the topics.

I am going to start from Domain 2.

D2 : Cloud Data Security



M1 : Understand Cloud Data Life Cycle




Process overview
This table lays out the possible access and allowed access by function/actor/location. The access control requirements and design can be derived from this table.



M2 : Understand Implication of Cloud to Enterprise Risk


Risk management


Risk framework


Key roles associated with data management

Data subject : individual who is the subject of personal data
Data controller : person who determines the purpose and how to process personal data
Data processor : person who processes the data on behalf of the data controller
Data stewards : responsible for data content, context and associated business rules
Data custodian : responsible for the safe custody, transport and storage of the data and implementation of business rules
Data owners : hold the legal rights and complete control over data elements; define distribution and associated policies

Service-Level Agreement (SLA)
Should cover
  • Availability
  • Performance
  • Security/privacy of the data
  • Logging and reporting
  • DR expectation
  • Location of the data
  • Data format/structure
  • Portability of the data
  • Identification & problem resolution
  • Change management process
  • Dispute mediation process
  • Exit strategy
  • Uptime guarantees
  • SLA penalties
  • SLA penalty exclusions
  • Suspension of service
  • Provider liability
  • Data protection requirements
  • DR
  • Security recommendations

Key SLA Elements
  • Assessment of risk environment
  • Risk profile
  • Risk appetite
  • Responsibilities
  • Regulatory requirements
  • Risk mitigation
  • Different risk frameworks

Quality of service (QoS)
To meet cloud consumers' business, audit, performance, and SLA requirements:
  • Availability
  • Outage duration
  • Mean time between failures
  • Capacity metric
  • Performance metric
  • Reliability percentage metric
  • Storage device capacity metric
  • Server capacity metric
  • Instance startup time metric
  • Response time metric
  • Completion time metric
  • Mean time to switchover metric
  • Mean time system recovery metric
  • Scalability component metric
  • Storage scalability metric
  • Server scalability metric

Risk Assessment/Analysis
Policy and Organization Risks
  • Provider lock-in
  • Loss of governance
  • Compliance risks
  • Provider exit
Technical Risk
  • Consolidation of IT : single point of failure can have a bigger impact
  • A larger scale allows for more technical skills to be available at CSP
  • Control over technical risks shifts towards the CSP
  • Management plane compromise 
  • Shared resources can lead to resource exhaustion
  • Resource/control isolation across multiple tenants
  • Data disposal
Legal Risk
  • law enforcement / civil legal activity
  • Jurisdiction (related to data storage locations across multiple jurisdictions)
  • Data protection
  • Licensing 
Non-Cloud-Specific Risk
  • Natural disasters
  • Unauthorized facility access
  • Social engineering
  • Network attacks
  • Default password


M3 : Understand & Implement Data Discovery & Classification Technology


Data Discovery
  • emphasize interactive, visual analytics
  • to find meaningful and important information in data
Data Discovery Trends
  • Big data
  • Real-time analytics
  • Agile analytics and agile business intelligence
Different Data Discovery Techniques
  • Metadata
  • Labels
  • Content analysis
Data Discovery Issues
  • Poor data quality
  • Dashboards - is data accurate/analytical method correct? Sensitive data handling
  • Hidden costs - in-memory analytics for performance...
Challenges with Data Discovery in the Cloud
  • Data location for DIU/DAR/DIM
  • Accessing the data
  • Preservation and maintenance

Data Classification
  • A tool for categorization of data to know
    • available data types
    • data location
    • Access level implementations
    • Protection level implementation and whether it is compliant with regulations
  • Recommended for implementing data controls (DLP, encryption)
  • Requirement of certain regulations/standards - ISO 27001, PCI DSS 
  • Data labelling - top secret, secret, classified

Classification categories
  • Data type (format, structure)
  • Jurisdiction and other legal constraints
  • Context
  • Ownership
  • Contractual or business constraints
  • Trust levels and source of origin
  • Value, sensitivity and criticality
  • Obligation for retention and preservation
Challenges with Cloud Classifications
  • Data creation
  • Classification controls
  • Metadata
  • Classification data transformation
  • Reclassification consideration


M4 : Design and Implement Data Rights Management


DRM : A technology aimed at controlling the use of digital content.
  • Consumer DRM
  • Enterprise DRM
DRM features and use cases
  • Extra layer of access control - printing/copying/saving...
  • DRM protection travel with the file and provide continuous protection
  • Not limited to documents, but also emails, web pages, DB columns, etc.
  • Setting up a baseline for default information protection policy
DRM Cloud Challenges
  • Each resource will be provisioned with an access policy - automated policy provision
  • Role-based access control RBAC policy
  • Identity infrastructure for users management/authentication
  • A local DRM agent is required, which may limit external users/usage
  • Reader software must be DRM-aware
  • DRM compatibility with different OS/document readers
  • To integrate into other security controls : DLP, document discovery tools

Key Capabilities to DRM solutions
  • Persistent protection
  • Dynamic policy control
  • Automatic expiration
  • Continuous audit trail
  • Support for existing authentication security infrastructure
  • Mapping for repository ACL
  • Integration with all third-party email filtering engines
  • Prohibiting printing of an entire document or selected portions
  • Disabling copy/paste and screen capture capabilities
  • Watermarking pages if printing privileges are granted
  • Expiring or revoking document access at anytime
  • Tracking all document activity through a complete audit trail
  • Accessibility


M5 : Design and Implement Relevant Jurisdictional Data Protection for Personally Identifiable Information (PII)


Data Privacy Acts (DPA)
To provide safeguards to individuals (data subjects) for the processing of their personal data with respect to their privacy.

US : Federal and state levels laws; Federal Trade commission (FTC)
EU : EU Directive 95/46/EC; 2002/58/EC (ePrivacy); GDPR
APEC : APEC Privacy Framework

Applicable law : determines the legal regime applicable to a certain matter
Jurisdiction : determines the ability of a national court to decide a case or enforce a judgement or order


Main Input Entities for Data Classification for P&DP Purpose
Primary Set
  • P&DP law
  • Scope and purpose of the processing
  • Categories of the personal data to be processed
  • Categories of the processing to be performed
Secondary Set
  • Data location allowed
  • Categories of user allowed
  • Data retention constraints
  • Security measures to be ensured
  • Data breach constraints
  • Status

Key Privacy Cloud Service Factor
  • Applicable law
  • Relationships : Customer - Service Providers - Subcontractors
  • Fundamental Principles : transparency, purpose specification and limitation, data retention/erasure
  • Contractual Safeguards, Data Transfers in 3rd countries

Privacy Level Agreement
  • Fulfillments toward the data subjects
    • Notice
    • Consent
    • Exercise of Rights
  • Fulfillments toward the DPA
    • Notification for specific processing or for specific data breach cases
    • DPA prior checking for specific cases of privacy risks 
    • Authorizing for specific processing
  • Organizational-Contractual measures
    • Controller-processor privacy agreement 
    • Data transfer agreement
    • Training, appointment, and control for personnel in charge of data processing
  • Technical-Procedural measures
    • Technical/procedural security measures
    • Data breach identification and management
    • Data retention requirements for specific processing
The Privacy Level Agreement Outline Annex by CSA can be downloaded here.
  1. Identify the CS privacy role contact data of relevant privacy persons
  2. Categories of personal data that the customer is prohibited from sending to or processing in the cloud
  3. Ways in which the data will be processed
  4. Data transfer
  5. Data security measures
  6. Monitoring
  7. Third-party audits
  8. Personal data breach notification
  9. Data portability, migration and transfer back assistance
  10. Data retention, restitution, and deletion
  11. Accountability
  12. Cooperation
  13. Law enforcement access
  14. Remedies
  15. Complaint; dispute resolution
  16. Cloud service provider's insurance policy

Application of Defined Controls for Personally Identifiable Information (PII)

Cloud Security Alliance Cloud Controls Matrix (CCM)
Security domains:
  • Application and Interface Security
  • Audit Assurance and Compliance
  • Business Continuity Management and Operational Resilience
  • Change Control and Configuration Management
  • Data Security and Information Life Cycle Management
  • Data Center Security
  • Encryption and Key Management
  • Governance and Risk Management
  • Human Resources
  • Identity and Access Management
  • Infrastructure and Virtualization Security
  • Interoperability and Portability
  • Mobile Security 
  • Security Incident Management, E-discovery, and Cloud Forensics
  • Supply Chain Management, Transparency, and Accountability
  • Threat and Vulnerability Management
This can be downloaded here.

Management Control for Privacy and Data Protection Measures



P/S: I'd like to give credit to draw.io for providing a web-based platform that allows me to draw the charts for my notes.