
Guardians Domain 2 For Udemy

Uploaded by

qavasutesting

2 – CLOUD DATA SECURITY

19% of CCSP Test

Data is the golden core of our businesses, and it is what we are protecting. I am thrilled that there is, finally, a domain dedicated to Data. The place to start our conversation is with its lifecycle. As with everything else, there is a beginning and an end.

Data Life Cycle


Data must first be created. Data is not just Word documents. Data is created by humans and by machines. Logs are just as much ‘data’ as a ‘Word document’ is. Here is the Data Life Cycle as defined by CSA in their guidance 4.0:
1. Create – Generation or alteration/updating or modifying content
   a. Data should be classified at this point
2. Store – Committing to storage repository – nearly simultaneous with create
3. Use – Viewed, processed, or used (not modification)
4. Share – Made accessible to others
5. Archive – Leaves active use and enters long term storage
6. Destroy – Permanently destroyed using physical or digital means

Functions, Actors and Controls


• Functions include Access, Process, and Store
  o Access occurs at every step of the data life cycle
  o Process occurs at only two steps of the data life cycle:
    ▪ Create and Use
    ▪ The data is being used in a transaction, updated, or just viewed
  o Storage occurs at two steps of the data life cycle. Probably quite obviously:
    ▪ Store and Archive
    ▪ This data is held for future use or verification, etc.
• Actors are a person, application, or system/process
• Controls restrict the possible actions

Information Classification
What we should do is classify the data as soon as it’s created. That would be optimal. Instead, we might just have to classify it when we find it…

Classification is the identification and labeling of the sensitivity of our data. Classification schemas must have at least 2 different levels to be able to distinguish the sensitivity of data. These levels should be identified with words that assist the users in handling the data appropriately. Familiar identifiers for sensitivity levels include words like secret, sensitive, public, or top secret.

API – Application Programming Interface


• APIs are fundamentally a request and response protocol. They are used extensively throughout the cloud, not just for customer apps, but also for the fundamental building blocks that let the cloud function.
• APIs are not new, but their prevalence has raised them to the top of lists that describe attack prevalence. The more we know and understand them, the better we can use them properly.
• The two types of APIs that are in use are:
  o SOAP (formerly Simple Object Access Protocol (it’s not simple))
    ▪ Heavy and complicated
    ▪ Has many features
    ▪ XML based
    ▪ Has encryption capabilities built in
  o REST – REpresentational State Transfer
    ▪ Lighter protocol
    ▪ Uniform Resource Identifier (URI) based
      • Uniform Resource Locator (URL): identifies the location or domain name, such as ISC2.org/Certifications/CCSP
      • URI: is the whole of the address including the https://. So: https://ISC2.org/certifications/CCSP
    ▪ Uses JSON (JavaScript Object Notation) or XML
    ▪ Can be encrypted through the addition of TLS

Data structure

• Structured data is something like a database. Each record within a table can be connected (RDBMS) to
another record in another table. This data works best in block storage.
• Unstructured data is data that does not have any relationship to each other. This type of data would be
something like an email, an invoice, a word document, a picture, etc. This type of data is best stored in
object storage.

Data storage

See chapter 3 – Cloud Platform and Infrastructure Security

Data terms
• Database – collection of data in an organized (structured/relational) format
• Metadata – data regarding data, describes additional information about data such as how and when data was collected and how it has been processed
• Big Data – “consists of extensive datasets – primarily in the characteristics of volume, variety, velocity, and/or variability – that require a scalable architecture for efficient storage, manipulation, and analysis” (NIST SP 1500-1 A-1)
  o The three Vs of Big Data:
    ▪ Volume – size of the dataset
    ▪ Variety – data from multiple sources
    ▪ Velocity – rate of flow
    ▪ Variability – change in other characteristics – (the other V)

Data Retention

A data retention policy should be created. Truly, it should be a part of a larger policy regarding data and its structure and storage.
• Data deletion – If data is not required, or must legally be removed according to the law
• Data archiving – Holding data for long periods
• Legal hold – A requirement to store and protect data until a judge makes a decision regarding issuing a warrant

Data Discovery
So now the question is how we find data. Location is only one question. We must also understand what kind of data we have and its quality and sensitivity. We are now on the edge of what we should probably call ‘Data Science’, which Dean Saxenian from UC Berkeley has stated ‘should not just be about the tools. It’s also using the tools in a way that allows you to solve problems and make sense of data in a systematic way.’ (Staff, 2019)

From the point of view of the CCSP, truly comprehending the data and turning it into useful information is not our job. Yet if we do not help those who do it locate their data, we have not done our job.

Tools:
Content analysis
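
As an added illustration (not part of the original study guide), here is a small content-analysis pass that classifies data when it is found rather than when it is created. The label names reuse three of the sensitivity words mentioned above; the patterns, the mapping of findings to labels, and the sample documents are assumptions constructed for this example.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the highest sensitivity label that the content justifies."""
    cards = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    if any(luhn_ok(c) for c in cards):
        return "secret"         # assumed policy: card data gets the top label
    if EMAIL_RE.search(text):
        return "sensitive"      # assumed policy: personal contact data
    return "public"


def discover(docs: dict) -> dict:
    """Label every document (human- or machine-created) in a repository."""
    return {name: classify(body) for name, body in docs.items()}


# Constructed sample repository: logs are data too.
SAMPLE_DOCS = {
    "invoice.txt": "Paid with card 4111 1111 1111 1111 on 2024-01-05",
    "app.log": "2024-01-05 12:00:01 order=1234567890123456 status=ok",
    "memo.txt": "Contact alice@example.com for the Q3 numbers",
    "readme.txt": "Office hours are 9 to 5",
}

if __name__ == "__main__":
    for name, label in discover(SAMPLE_DOCS).items():
        print(f"{name}: {label}")
```

The 16-digit order number in the log line fails the Luhn check, so it is not labelled as card data; pattern matching alone would have over-classified it.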

Data Rights Management (DRM) a.k.a. Information Rights Management (IRM)


DRM controls access to files through:
• Control is agnostic to location
• Access controlled through application such as Kindle or iTunes
• Information Rights Management for corporate data such as LockLizard
• Audit trail created
Control:
• Print capability
• Screen shot capability
• Watermark visible on screen or on printed version if allowed
• Automatic expiration
• Access control list or Role Based Access Control
• Copy/paste restriction

Data Security Strategies


• This is the core of this domain. This is a security exam. Fundamentally, two things are used nearly universally: encryption and access control.
• Encryption
  o Data at Rest
    ▪ Based on the design of the software
    ▪ A single file can be encrypted
    ▪ A partition can be encrypted
    ▪ A folder can be encrypted
    ▪ An entire drive can be encrypted
    ▪ An instance can be encrypted
  o Data in Transit
    ▪ SSH – Secure Shell. Layer 5
      • Perfect for Administrative connections to Routers, Switches, etc.
      • Can be used for VPN
    ▪ TLS (formerly SSL). Transport layer security. Layer 4
      • Client – Server structure
      • Most commonly used for Web site connection (HTTPS)
      • Can be used for VPN
    ▪ IPSec – IP Security. Layer 3
      • Can be used for anything
      • Great for site to site (Router to Router) connections
      • Can be used for VPN
  o Data in Use – Keep data encrypted while in use. Theoretical/Partially theoretical. Work is being done to figure out how to keep data encrypted while it is being used. This would be most useful when processing something like credit cards through a transactional database. The encryption methodology that applies to this is known as homomorphic cryptography.
• Key Storage – location is critical
  o Primary site location is with the customer NOT the cloud provider
  o Should be stored securely NOT in a VM. If the key is stored in the VM that means that it would be saved in the object-based file that is the VM.
    ▪ Store in HSM or TPM
  o Trusted Platform Module (TPM)
    ▪ Designed for one thing. Security of the Key
    ▪ A chip that is mounted on a motherboard
  o Hardware Security Module (HSM)
    ▪ Designed for one thing. Security of the Key. It can be used to create keys or store keys. Access to the HSM should be physically limited. Logical and physical controls need to be built into the box itself.
    ▪ Key ceremonies are used to generate or duplicate keys
    ▪ Rack mountable
    ▪ Test against FIPS 140-2
• Key Management Interoperability Protocol specification
• Masking – To hide data from visibility to the user (stars instead of password). There seems to be a lot of debate about how this term is used. It is not defined in any of the standards around cloud. This is the simplest of definitions.
• Tokenization – To replace data with another value. Requires another database that stores the original and the token version to convert back to the original data value. Great for credit card numbers in transit.
• Anonymization – To remove sensitive data. This process is not reversible.
• Obfuscation – To confuse by obscuring data. Think about the font “Wingdings”. If you convert normal text to Wingdings then it is
• Digital Rights Management (DRM) – a.k.a. Information Rights Management. Control over intellectual property such as music or course content.
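
The following added example (not from the original study guide) puts masking, tokenization and anonymization side by side, using the definitions above, to show which ones can be reversed and by whom. `TokenVault` is a hypothetical in-memory stand-in for the separate token database, and the record is constructed sample data.

```python
import secrets


class TokenVault:
    """Hypothetical in-memory stand-in for the separate token database."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        # Reuse the existing token so one card always maps to one token.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits: the token has no mathematical link to the original.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only a caller with access to the vault can recover the original value.
        return self._token_to_pan[token]


def mask(pan: str, visible: int = 4) -> str:
    """Hide all but the last `visible` digits from the viewer; stored data is unchanged."""
    return "*" * (len(pan) - visible) + pan[-visible:]


def anonymize(record: dict, sensitive=("name", "pan")) -> dict:
    """Drop sensitive fields outright; nothing is kept that could restore them."""
    return {k: v for k, v in record.items() if k not in sensitive}


def demo() -> dict:
    vault = TokenVault()
    record = {"name": "A. Example", "pan": "4111111111111111", "amount": 42.50}  # constructed
    token = vault.tokenize(record["pan"])
    return {
        "token": token,                       # safe to pass to downstream systems
        "restored": vault.detokenize(token),  # reversible, but only via the vault
        "masked": mask(record["pan"]),        # display-only protection
        "anonymized": anonymize(record),      # not reversible
    }


if __name__ == "__main__":
    print(demo())
```

Because the token is random, the vault itself becomes the sensitive asset and needs the same access control and key-storage care described above.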

Capability Maturity Model Integration (CMMI)

The CMMI Institute describes CMMI v2.0 as a proven set of global best practices that enables organizations to build and benchmark the key capabilities that address the most common business challenges (CMMI Institute, 2019).

Measurement of maturity levels towards a mature software process.

• Level 0 – Incomplete. Ad-hoc and unknown
• Level 1 – Initial. Process unpredictable, reactive
• Level 2 – Managed. Process characterized for projects and reactive
• Level 3 – Defined. Process characterized for the organization and proactive
• Level 4 – Quantitatively managed. Process measured and controlled
• Level 5 – Optimizing. Focus on continuous process improvement

Capability Maturity Model ISO/IEC 21827

ISO/IEC 21827 describes itself as a ‘standard metric for security engineering practices covering … the entire life cycle… the whole organization’. The standard is used, hopefully, in line with its stated aim: ‘The objective is to facilitate an increase of maturity of the security engineering processes within the organization’ (ISO/IEC, 2008).
CMMI Levels:

• Level 1 – Performed Informally
• Level 2 – Planned and Tracked
• Level 3 – Well Defined
• Level 4 – Quantitatively Controlled
• Level 5 – Continuously Improving
