Tel: 020 8456 3550
CCSP: Domain 2
CLOUD DATA SECURITY
DOMAIN 2 CLOUD DATA SECURITY
Storage Architectures
Data Lifecycle Security
Database Security
Data Loss Prevention (DLP)
Data Encryption
Key Management
STORAGE ARCHITECTURES: IaaS
Volume storage (block storage): includes volumes/data stores attached to IaaS instances, usually a virtual hard drive. Should provide redundancy
Object storage (example: Dropbox): used for write-once, read-many workloads; not suitable for applications like databases
Independent of virtual machine
Because of varying laws and regulations, customers should always know where their data is physically stored and that it is stored in compliance with their needs
DATA STORAGE: PaaS
PaaS utilizes the following data storage types:
Structured: Highly organized, such that inclusion in a relational database is seamless and readily searchable
Unstructured: Information that doesn’t reside in a traditional row-column database—text, multimedia content, email, etc.
DATA STORAGE: SaaS
Information Storage and Management: Data is entered into the system via the web interface and stored with the SaaS application (often a backend database)
Content/file storage is stored within the application
DATA SECURITY LIFECYCLE
The Cloud Security Alliance has incorporated the data security lifecycle which enables the organization to map the different phases in the data lifecycle against the required controls that are relevant to each phase.
The lifecycle contains three steps:
Map the different lifecycle phases
Integrate the different data locations and access types
Map into functions, actors and controls
MAPPING THE LIFECYCLE PHASES
FUNCTIONS, ACTORS, AND CONTROLS
DATABASE SECURITY
Mainly supported by two key elements
DAM (Database Activity Monitoring): captures and records all SQL activity in real time or near real time; can prevent malicious commands from executing on a server
FAM (File Activity Monitoring): monitors and records all activity for a specific file repository and can generate alerts on policy violations
DLP (Data Loss Prevention) systems
DATA LOSS PREVENTION DLP
Also known as Data Leakage Prevention; describes the controls put in place by an organization to ensure that certain types of data (SSNs, account numbers, etc.) remain under organizational control in line with policies, standards, and procedures
Detects exfiltration of certain types of key data (SSNs, account numbers, etc.)
Helps ensure compliance with regulations like HIPAA, PCI-DSS and others
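The detection side of DLP described above, as an added example that is not part of the original slides: a content scanner that looks for SSNs and account numbers in outbound messages, confirms long digit runs with a Luhn check to cut false positives, and returns a block/allow decision with only the last four digits retained for the alert. The sample messages, ticket identifiers and policy (any confirmed hit blocks) are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of outbound content (support tickets leaving the environment).
# Every SSN and account number below is made up for this example.
SAMPLE_MESSAGES = [
    ("ticket-1", "Customer SSN is 219-09-9999, please update the record."),
    ("ticket-2", "Invoice paid from account 4532015112830366 on Monday."),
    ("ticket-3", "Meeting moved to 3pm, see you in room 12-34."),
    ("ticket-4", "Ref 1234567812345670 is the test card, SSN 078-05-1120."),
]

# SSN pattern with structurally invalid area/group/serial values excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment/account numbers: 13-19 digit runs, confirmed with a Luhn check
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    message_id: str
    kind: str
    masked: str   # only the last four digits are kept in the DLP report


def scan_message(message_id: str, text: str) -> list:
    """Return the sensitive elements found in one message, masked for reporting."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding(message_id, "SSN", "***-**-" + m.group()[-4:]))
    for m in PAN_RE.finditer(text):
        n = m.group()
        if luhn_valid(n):
            findings.append(Finding(message_id, "ACCOUNT_NUMBER", "*" * (len(n) - 4) + n[-4:]))
    return findings


def dlp_decision(findings: list) -> str:
    """Constructed policy: any confirmed sensitive element blocks the message."""
    return "BLOCK" if findings else "ALLOW"


def run_dlp(messages) -> dict:
    """Returns {message_id: (decision, [(kind, masked_value), ...])}."""
    report = {}
    for mid, text in messages:
        f = scan_message(mid, text)
        report[mid] = (dlp_decision(f), [(x.kind, x.masked) for x in f])
    return report


if __name__ == "__main__":
    for mid, (decision, items) in run_dlp(SAMPLE_MESSAGES).items():
        print(mid, decision, items)
```

The Luhn step is what separates "ticket-2" (a valid account number) from an arbitrary 16-digit reference; a production DLP engine would add keyword proximity and document fingerprinting, but the shape of the decision pipeline is the same.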
DATA SECURITY IN THE CLOUD
Protecting Data moving to and within the cloud
SSL/TLS/IPsec
Protecting Data in the Cloud
Encryption
Detection of Data Migration to the Cloud
DAM, FAM, DLP
Data Dispersion: Data is replicated in multiple physical locations across your cloud.
Data Fragmentation involves splitting a data set into smaller fragments (or shards), and distributing them across a large number of machines.
CASES FOR ENCRYPTION
When data moves in and out of the cloud
Protecting data at rest
Compliance with regulations like HIPAA and PCI-DSS
Protection from 3rd party access
Creating enhanced mechanisms for logical separation between different customers’ data
Logical destruction of data when physical destruction is not feasible
ENCRYPTION BEST PRACTICES
Use Open and validated formats
All encryption keys should be stored within the enterprise
Identity-based key assignment and protection of private keys
Use strong encryption
Follow Key management best practices for location of keys
DATA ENCRYPTION ACROSS IMPLEMENTATIONS
IaaS Encryption uses Volume Storage Encryption and Object Storage Encryption
PaaS encryption uses client/application encryption, database encryption and proxy-based encryption
SaaS encryption is managed by the cloud service provider, through the application itself and through proxy encryption
MASKING/OBFUSCATION, ANONYMIZATION, AND TOKENIZATION
Masking/Obfuscation is the process of hiding, replacing or omitting sensitive information in a specific dataset. For instance, masking all but the last 4 digits of an SSN
Data Anonymization is the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous
Tokenization: A public cloud service can be integrated and paired with a private cloud that stores the sensitive data. The data sent to the public cloud is altered and contains only a reference to the data residing in the private cloud.
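The three techniques side by side, as an added example that is not from the original slides: masking keeps only the last four SSN digits, anonymization strips direct identifiers from a record, and tokenization swaps the real value for an opaque reference held in a vault that stands in for the private-cloud side. The `TokenVault` class, the field names and the sample record are constructed for this example.

```python
import secrets


def mask_ssn(ssn: str) -> str:
    """Masking: hide all but the last four digits of a U.S. SSN."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


# Direct identifiers removed during anonymization (constructed list)
DIRECT_IDENTIFIERS = ("name", "ssn", "email", "phone")


def anonymize(record: dict) -> dict:
    """Anonymization by removal: strip direct identifiers, keep fields needed for analysis."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


class TokenVault:
    """Stands in for the private-cloud side of a tokenization design: the real value
    never leaves here; the public cloud only ever sees an opaque reference."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:               # same value -> same token, so joins still work
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)     # random: the token carries no information about the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]              # KeyError for unknown tokens


def prepare_for_public_cloud(record: dict, vault: TokenVault) -> dict:
    """Replace the sensitive field with a vault reference plus a display-safe mask."""
    out = dict(record)
    out["ssn"] = vault.tokenize(record["ssn"])
    out["ssn_display"] = mask_ssn(record["ssn"])
    return out


if __name__ == "__main__":
    # Constructed sample record; the SSN is made up.
    rec = {"name": "A. Example", "ssn": "219-09-9999", "email": "a@example.com",
           "zip": "02139", "plan": "gold"}
    vault = TokenVault()
    print(prepare_for_public_cloud(rec, vault))
    print(anonymize(rec))
```

Because the token is random rather than derived from the value, a breach of the public-cloud copy yields nothing without the vault; the trade-off is that the vault becomes the system whose availability and access control the whole design depends on.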
DATA DISCOVERY
Emphasizes visual, interactive analytics rather than static reporting
Provides a way to make sense of big data—the sheer volume and diversity of data makes this challenging for the old means of static reporting
Can provide agile, near real-time analytics
DATA DISCOVERY TECHNIQUES
Data Discovery is a user-driven process of searching for patterns or specific items in a data set. Data Discovery applications use visual tools such as geographical maps, pivot tables, and heat maps to make the process of finding patterns or specific items rapid and intuitive. Data Discovery may leverage statistical and data mining techniques to accomplish these goals. There are several different ways Data Discovery tools perform their analysis:
Metadata provides data its meaning and describes its attributes
Labels provide a logical grouping of data elements and give them a "tag" describing the data
Content analysis examines the data itself
DATA CLASSIFICATION
Categorizes data based on its value and drives the controls that are put in place to secure it.
Within the cloud, the CSP should
Ensure proper security controls are in place so that whenever data is created or modified by anyone, they are forced to classify or update the data as part of the creation/modification process
Implement Controls (could be administrative, preventive or compensating)
Make metadata available, as it could be used as a means of determining classification
Protect data according to its classification at rest and in transit
Should support the reclassification process.
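A classification routine that combines the three discovery signals (labels, metadata, content analysis) and drives the controls from the result, as an added example that is not part of the original slides. It also shows the create/modify hook: every write re-runs classification, so an object whose content changes is reclassified rather than keeping a stale label. The levels, the control table, the `source_system` hint, the SSN pattern and the sample objects are all constructed for this example.

```python
import re

LEVELS = ["public", "internal", "confidential", "restricted"]   # least to most sensitive

# Constructed control table: what must be in place for each level, at rest and in transit
CONTROLS = {
    "public":       {"encrypt_in_transit": True},
    "internal":     {"encrypt_in_transit": True, "encrypt_at_rest": True},
    "confidential": {"encrypt_in_transit": True, "encrypt_at_rest": True, "dlp_monitor": True},
    "restricted":   {"encrypt_in_transit": True, "encrypt_at_rest": True, "dlp_monitor": True, "irm": True},
}

# Metadata hint (constructed): exports from these systems are at least confidential
SENSITIVE_SOURCES = {"hris": "confidential", "payments": "confidential"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def classify(obj: dict) -> str:
    """Combine label, metadata and content signals; the most restrictive one wins."""
    candidates = []
    for label in obj.get("labels", []):                   # 1. explicit tag set by the creator
        if label in LEVELS:
            candidates.append(label)
    src = obj.get("metadata", {}).get("source_system")    # 2. metadata
    if src in SENSITIVE_SOURCES:
        candidates.append(SENSITIVE_SOURCES[src])
    if SSN_RE.search(obj.get("content", "")):             # 3. content analysis
        candidates.append("restricted")
    if not candidates:
        return "internal"                                 # nothing known: default, never public
    return max(candidates, key=LEVELS.index)


def required_controls(level: str) -> dict:
    return CONTROLS[level]


def create_or_modify(obj: dict, content: str) -> dict:
    """Classification is mandatory on every create/modify: store content, then (re)classify."""
    obj["content"] = content
    obj["classification"] = classify(obj)
    obj["controls"] = required_controls(obj["classification"])
    return obj


# Constructed sample objects; the SSN is made up.
SAMPLE_OBJECTS = [
    {"name": "press-release.txt", "metadata": {"owner": "marketing", "source_system": "cms"}, "labels": ["public"]},
    {"name": "payroll-q2.csv", "metadata": {"owner": "hr", "source_system": "hris"}, "labels": []},
    {"name": "notes.txt", "metadata": {"owner": "support"}, "labels": ["internal"]},
]
SAMPLE_CONTENT = {
    "press-release.txt": "Acme launches its new product line next quarter.",
    "payroll-q2.csv": "employee_id,salary\n1001,52000\n",
    "notes.txt": "Customer called; SSN 219-09-9999 on file.",
}


def classify_all() -> dict:
    """Classify every sample object and return {name: level}."""
    return {o["name"]: create_or_modify(dict(o), SAMPLE_CONTENT[o["name"]])["classification"]
            for o in SAMPLE_OBJECTS}


if __name__ == "__main__":
    print(classify_all())
```

Note that `notes.txt` carries an "internal" label but is classified "restricted" because content analysis outranks the creator's tag; taking the most restrictive signal is what stops a mislabelled object from being stored without the controls its contents require.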
DATA PRIVACY TERMS
Data subject: an identifiable person who can be identified by reference to an ID number, or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, or social identity (telephone number, SSN, IP address, etc.)
Personal data: information relating to an identified or identifiable natural person—biometrics, health data, etc.
Processing: Operations performed on personal data—collection, recording, organization, storage, etc.
Controller: Person, public authority, agency that determines the purposes and means of processing to be in compliance with laws and regulations
Processor: One who processes data on behalf of the controller
The customer is the controller of the data and is responsible for all the legal duties addressed in the applicable Privacy and Data Protection (P&DP) laws. The service provider supplies the means and the platform, and is considered to be the processor.
CSA CLOUD CONTROLS MATRIX (CCM)
Designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a provider
Provides a controls framework in 16 domains that are cross-walked to other industry-accepted security standards, regulations, and controls frameworks to reduce audit complexity
It provides mapping to the industry-accepted security standards such as ISO 27001/27002, COBIT, PCI-DSS
DOMAINS OF THE CCM
MANAGEMENT CONTROLS FOR PRIVACY AND DATA PROTECTION MEASURES
Separation of Duties
Training
Authentication and Authorization procedures
Vulnerability Assessments
Backup and Recovery processes
Logging
Data-retention control
Secure disposal
DATA RIGHTS MANAGEMENT
DRM or IRM (Information Rights Management) adds an extra layer of access controls on top of the data object or document and provides granularity flowing down to printing, saving, copying and other options
ACLs are embedded into the file, so protection is agnostic to the location of the data; the IRM policy travels with the file
Useful for protecting sensitive organization content and intellectual property
IRM CLOUD CHALLENGES
IRM requires that all users with access have matching encryption keys. This requires a strong and comprehensive identity structure
Each user will need to be provisioned with an access policy and keys
Access can be identity based or role based (RBAC)
Identity can be implemented with a single directory location or across federated trust
End users will likely have to install a local IRM agent for key storage or for authentication and retrieval of protected information
Can be challenging with disparate systems and document readers
DATA PROTECTION POLICIES: RETENTION
Data retention: Established protocol for keeping information for operational or regulatory compliance needs.
Cloud considerations:
Legal, regulatory and standards requirements must be well-documented and agreed upon
Data mapping should map all relevant data in order to understand formats, data types and data locations
Data Classification based on locations, compliance requirements, ownership and business usage
Each category’s procedures should be followed based on appropriate policy that governs the data type
DATA PROTECTION POLICIES: DATA DELETION
Safe disposal of data once it is no longer needed.
Physical destruction
Degaussing
Overwriting
Encryption (Crypto-shredding)
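Crypto-shredding from the deletion list above, which is also the "logical destruction when physical destruction is not feasible" case from the encryption slide, as an added example that is not from the original slides. Each object is encrypted under its own data encryption key; the ciphertext stays on provider storage (and in whatever backups the provider keeps), while deletion consists of destroying only the key. The `CryptoShredStore` class is constructed for this example, and the cipher is an HMAC-SHA256 counter-mode keystream used only so the block runs with the standard library; a real deployment would use an authenticated cipher such as AES-GCM and a proper key management service for the key store.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES; not authenticated)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per object; output is nonce || ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class CryptoShredStore:
    """Constructed model: ciphertext lives with the provider, keys live with the customer."""

    def __init__(self):
        self.objects = {}   # object_id -> ciphertext (provider storage, may be replicated/backed up)
        self.keys = {}      # object_id -> per-object data encryption key (customer key store)

    def put(self, object_id: str, data: bytes) -> None:
        dek = secrets.token_bytes(32)            # one key per object, so shredding is granular
        self.keys[object_id] = dek
        self.objects[object_id] = encrypt(dek, data)

    def get(self, object_id: str) -> bytes:
        if object_id not in self.keys:
            raise KeyError(f"{object_id}: key destroyed, object unrecoverable")
        return decrypt(self.keys[object_id], self.objects[object_id])

    def shred(self, object_id: str) -> None:
        """Logical destruction: destroy the key; every copy of the ciphertext becomes noise."""
        self.keys.pop(object_id, None)

    def is_recoverable(self, object_id: str) -> bool:
        return object_id in self.keys and object_id in self.objects


if __name__ == "__main__":
    store = CryptoShredStore()
    store.put("customer-export-2024", b"name,account\nA. Example,4532015112830366\n")  # constructed data
    print(store.get("customer-export-2024"))
    store.shred("customer-export-2024")
    print("recoverable after shred:", store.is_recoverable("customer-export-2024"))
```

The property worth checking in an audit is the one the last two calls show: after `shred` the ciphertext is still present (the provider never had to find and wipe every replica), yet the data cannot be read. That only holds if the key store was the sole place the key ever lived, which is why key management and logging of key destruction belong in the same retention policy as the data.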
DATA PROTECTION POLICIES: DATA ARCHIVING
Data archiving is the process of identifying and moving inactive data out of current production systems and into specialized long-term archival storage systems. Considerations include:
Encryption
Monitoring
Granular retrieval
Electronic discovery (also called e-discovery): any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case
Backup and recovery
Media Type
Restoration procedures
AUDITABILITY
In order to be able to perform effective audits and investigations, the CSP should provide an audit log with as much information as is relevant:
When: Time and date of logs and events
Where: Application identifier, application address (cluster/host or IP Address)
Who: Human or machine
What: Type of event, severity of event and description
SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
Software and products combining security information management and event management. It provides real-time analysis of security alerts generated by network hardware and applications. SIEM systems often provide:
Aggregation from many sources
Correlation across common attributes
Alerting to a pre-defined entity responsible for monitoring
Dashboard tools to take event data and organize into charts or other formats
Compliance tools automate the gathering of compliance data
Retention employs long term storage of historical data to facilitate correlation of data over time to provide the retention necessary for compliance
Forensic analysis provides the ability to search across logs on different nodes and time periods based on specific criteria
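The auditability fields (When/Where/Who/What) and the first three SIEM capabilities (aggregation, correlation on a common attribute, alerting) worked through on sample data, as an added example that is not part of the original slides. Records from a web portal and a database activity monitor are validated against the required fields, merged into one time-ordered stream, and correlated on the `who` attribute; a burst of login failures followed within the window by a high-severity action from a different source raises an alert. The JSON field names, the two log sources, the usernames and the rule threshold are constructed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (JSON lines) from two sources: a web portal
# and a database activity monitor. Field mapping to the slide: when -> When,
# app/host -> Where, who -> Who, type/severity/desc -> What.
PORTAL_LOG = """\
{"when": "2024-05-01T10:00:01Z", "app": "portal", "host": "web-01", "who": "alice", "type": "login_failure", "severity": "medium", "desc": "bad password"}
{"when": "2024-05-01T10:00:20Z", "app": "portal", "host": "web-01", "who": "alice", "type": "login_failure", "severity": "medium", "desc": "bad password"}
{"when": "2024-05-01T10:01:05Z", "app": "portal", "host": "web-02", "who": "alice", "type": "login_failure", "severity": "medium", "desc": "bad password"}
{"when": "2024-05-01T10:01:40Z", "app": "portal", "host": "web-02", "who": "alice", "type": "login_success", "severity": "low", "desc": "session opened"}
{"when": "2024-05-01T10:02:00Z", "app": "portal", "host": "web-01", "who": "bob", "type": "login_success", "severity": "low", "desc": "session opened"}
"""
DAM_LOG = """\
{"when": "2024-05-01T10:02:10Z", "app": "crm-db", "host": "10.0.0.5", "who": "alice", "type": "bulk_export", "severity": "high", "desc": "SELECT * FROM customers"}
{"when": "2024-05-01T10:03:00Z", "app": "crm-db", "host": "10.0.0.5", "who": "bob", "type": "query", "severity": "low", "desc": "SELECT name FROM customers WHERE id=42"}
"""

REQUIRED = ("when", "app", "host", "who", "type", "severity", "desc")


def parse_log(text: str, source: str) -> list:
    """Parse JSON-lines audit records and reject any lacking a When/Where/Who/What field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        missing = [f for f in REQUIRED if not ev.get(f)]
        if missing:
            raise ValueError(f"{source}: record missing {missing}")
        ev["source"] = source
        ev["ts"] = datetime.strptime(ev["when"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def aggregate(*logs) -> list:
    """Aggregation: merge records from all sources into one time-ordered stream."""
    return sorted((e for log in logs for e in log), key=lambda e: e["ts"])


def correlate(events: list, failures: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Correlation on the common 'who' attribute: a burst of login failures followed,
    within the window, by a high-severity action from a different source raises one alert."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["who"]].append(e)
    for user, evs in by_user.items():
        fails = [e for e in evs if e["type"] == "login_failure"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < failures:
                continue
            deadline = first["ts"] + window
            follow = [e for e in evs
                      if first["ts"] < e["ts"] <= deadline
                      and e["severity"] == "high"
                      and e["source"] != first["source"]]
            if follow:
                alerts.append({
                    "who": user,
                    "rule": "login-failure-burst-then-high-severity-action",
                    "evidence": [b["when"] for b in burst] + [follow[0]["when"]],
                    "sources": sorted({first["source"], follow[0]["source"]}),
                })
            break   # one alert per user per run; the SIEM's own dedup handles repeats
    return alerts


def run() -> list:
    events = aggregate(parse_log(PORTAL_LOG, "portal"), parse_log(DAM_LOG, "dam"))
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Neither source on its own is alarming (a few bad passwords; one large export by an authenticated user). The alert only exists because both sources carry the same `who` field in the same time base, which is the practical reason the slide insists on complete When/Where/Who/What records from the CSP.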
CHAIN OF CUSTODY
Chain of Custody is the preservation and protection of evidence from the time it is collected until the time it is presented in court.
Documentation should exist for the collection, possession, condition, location, transfer, access to and any analysis performed on an item from acquisition through eventual final disposition
Chain of Custody provisions should be included in the service contract to ensure that the cloud provider will comply with requests
DOMAIN 2 CLOUD DATA SECURITY REVIEW
Storage Architectures
Data Lifecycle Security
Database Security
Data Loss Prevention (DLP)
Data Encryption
Key Management