Tuesday, September 18, 2018

CCSP Domain 2 : Cloud Data Security - Part 2

D2 : Cloud Data Security

M6 : Ensure Compliance with Regulations and Controls

IT Service Management (ITSM)
Management and oversight to ensure alignment between IT and business.

Configuration Management
Maintain information about configuration items required to deliver an IT service, including their relationship.

Change Management
An approach to transitioning individuals, teams, and organizations to a desired future state.
  • Respond to acustomer's changing business requirements
  • Respond to business and IT requests
  • Ensure changes are recorded and evaluated
  • Ensure the authorized changes are prioritized, planned, tested, implemented, documented and reviewed in a controlled manner
  • Ensure all changes to configuration items are recorded in configuration management system
  • Optimize overall business risk.
Incident Management
To identify, analyze, and correct hazards to prevent a future re-occurrence of an incident.
Event : A change of state that has significance for the management of an IT service or other configuration item
Incident : an unplanned interruption to an IT service or reduction in the quality of an IT service.

Problem Management
To minimize the impact of problems on the organization.
Play important role in the detaction of problems (workaround and known errors), providing solutions, and preventing their recurrence.

Release and Deployment Management
To plan, schedule, and control the movement of releases to test and live environments.

Service-Level Management
To negotiate service-level agreements with customer and to design services in accordance with the agreed-upon service-level target.

Availability Management
To define, analyze, plan, measure, and improve all aspects of the availability of IT services.

Capacity Management
To ensure that the capacity of IT services and the IT infrastructure is able to deliver the agreed service-level targets in a cost-effective and timely manner.

Continuity Management
Business continuity : the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
Business continuity management : a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

Information Security Management
Documentation and operational plan to cover :
  • security management
  • security policy
  • information security organization
  • asset management
  • human resources security
  • physical and environmental security
  • communications and operations management
  • access control
  • information systems acquisition, development, and maintenance
  • provider and customer responsibilities
Continual Service Improvement
A formal procedure to collect and analyze metrics on all services and processes to find areas of improvement.

M7 : Design and Implement Auditability, Traceability, and Accountability of Data Events

Event sources or log availability depends on cloud service model (IaaS, PaaS, SaaS), and need to be specified in contract to allow access for investigation.

Continuous Monitoring
A concept that has grown in importance during the transition to cloud computing.
ISCM : maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

SEM : real-time monitoring, correlation of events, notifications, and console views
SIM : long-term storage, analysis, and reporting of log data
  • Data aggregation
  • Correlation
  • Alerting
  • Dashboards
  • Compliance
  • Retention
  • Forensic analysis

Continuous Operations
Principles to be adopted as part of security operations policies
  • Audit logging
    • new events detection
    • adding new rule
    • reduction of false positives
  • Contract/authority maintenance
  • Data governance (secure disposal)
  • Incident response legal preparation

Chain of Custody and Nonrepudiation
Digital evidence preservation/protection.

Oh my! This is becoming more like a content index of what I have studied than notes... Let's see if I can change this a bit...

M8 : Design and Apply Data Security Strategies


Cloud Encryption Challenges

  • Encryption key management
  • CSP to process encrypted data
  • Data highly portable
  • Multitenant
  • Secure hardware is not applicable for cloud environment and software-based key storage is more vulnerable
  • Storage-level encryption is less complex but easy to be exploit; app-level encryption is more effective but complex
  • Performance
  • Using encryption engine will impact availability and performance
  • Data can change location, format and etc.
  • When backup/DR is taking into consideration for encryption, key usage and management could pose impact on data availability
  • Does not solve data integrity threat

Encryption Architecture

Data Encryption in IaaS
  1. Basic storage-level encryption
  2. Volume-storage encryption
    • Instance-based encryption
    • Proxy-based encryption
  3. Object-storage encryption
    • File -level encryption
    • Application-level encryption
Database Encryption

Key Management

Common challenges
  • Access to the keys
  • Key storage
  • Backup and replication
Key storage in the cloud
  • Internally managed (stored in local VM)
  • Externally managed
  • Managed by a third party
Data Masking/Data Obfuscation
Hiding. replacing or omitting sensitive information from data set.
  • Random substitution
  • Algorithmic substitution
  • Shuffle
  • Masking
    • Static masking - new copy of data created with masked value
    • Dynamic masking - on-the-fly masking
  • Deletion - use null
Data Anonymization
Removing the indirect identifiers in order to prevent data analysis tools or other intelligent mechanisms from collating or pulling data from multiple sources to identify an indifidual.

Process to substituting a sensitive data element with a nonsensitive equivalent, referred to as a token.

Tokenization Architecture

Application Security Considerations

Emerging Technologies

Bit Splitting
Involves splitting up and storing encrypted information across different cloud storage services.
  • Secret Sharing Made Short (SSMS) : user can reconstruct the original data by accessing only m arbitrarily chosen fragments of the data and encryption key.
    • encryption of information
    • use information dispersal algorithm (IDA) to split the data using erasure coding into fragments
    • splitting the encryption key using the secret-sharing algorithm
  • All-or-Nothing-Transform with Reed-Solomon (AONT-RS) : integrates the AONT and erasure coding. The information cannot be recovered without using all the blocks.
    • encryption of information
    • transform the information and encryption key into blocks
    • Use IDA to split the blocks
Homomorphic Encryption
Enable the processing of encrypted data without the need to decrypt the data.

Quantum Computing
Use quantum-bits (qubits) to encode information as 0s, 1s, or both at the same time.

Neural Networks
Computational approach to solve problems in the same way that the human brain would.

Guess I have to stopped here. My brain starts to reluctant to process the text... This post took me ~ 2 hours to complete...

No comments:

Post a Comment