Friday, August 9, 2013

CCSK Study - Domain 5: Information Management and Data Security

Notes
  • This domain talks about the security of data in a global sense, with some emphasis on how data is secured as it moves into the cloud
  • Data security begins with managing internal data
  • Different cloud architectures offer different storage options
    • IaaS
      • Raw Storage: basically a physical drive
      • Volume Storage: virtual hard drive
      • Object Storage:  API access that stores data as "objects".
        • Sometimes called file storage
      • Content Delivery Network: Object storage which is then distributed to multiple geographically distributed nodes
    • PaaS
      • Database-as-a-Service
      • Big-Data-as-a-Service
        • Object storage with requirements such as broad distribution, heterogeneity, and currency/timeliness
      • Application Storage
        • Any storage that is consumable via API but does not conform to the above two
      • Consumes:
        • Databases
          • Information may be stored in databases directly that run on IaaS
        • Object/File Storage
          • IaaS object storage but only accessible via PaaS APIs
        • Volume Storage
          • May use IaaS Volume Storage
    • SaaS
      • As with PaaS, wide range of storage options/consumption models
      • Information Storage and Management
        • data is simply entered into the service
        • stored in a database (typically)
        • could provide some access to PaaS APIs for mass upload type functionality
      • Content/File Storage
        • File stores are made available via web-based user interface
      • Consumption
        • Database
        • Object/File Store
        • Volume Storage
        • Key is that the services that are consumed are only accessible via the SaaS service
  • Data Dispersion
    • Technique that can be used to secure data
    • Data is divided into chunks and each chunk is signed
    • The chunks are distributed across multiple servers
    • In order to recreate the data, an attacker must be able to compromise every server that holds a chunk
    • Or just attack the API that puts it all back together?
  • Information Management
    • includes the processes and policies for both understanding how your information is used, and governing that usage
  • Data Security Lifecycle
    • Basically, we need to understand the "states" data can be in, the location where the data lives, and the functions/actors/controls in place to control data
    • 6 phases
      • Not linear: data can pass through some stages multiple times, or skip some stages entirely
      • Create: generation of new or modification of existing content
      • Store: Committing data to some sort of storage
      • Use: Data is viewed, processed, etc
      • Share: Information is made accessible to others
      • Archive: data enters long-term storage
      • Destroy: data is permanently destroyed
    • Location and Access
      • Data can be accessed on a variety of end-user devices that all offer different security mechanisms
      • Data can live in traditional infrastructure
      • Data can live in cloud and hosting services
      • Key Questions
        • Who is accessing the data?
        • How can they access it?
    • Functions, Actors, and Controls
      • We need to identify what actions we can conduct on a given datum
        • Access
        • Process
        • Store
      • An Actor performs each function in a location
        • person, application, system, process
      • Controls
        • put in place to restrict the list of possible actions to the list of allowed actions
  • Information Governance
    • like information management, only different
    • Includes the definition and application of
      • Information Classification
        • Does not need to be super granular to work (ie: differentiate regulated content from non-regulated content)
      • Information Management Policies
        • Defines what types of actions are allowed on a given datum
      • Location and Jurisdictional Policies
        • defines where data may be located
      • Authorizations
        • Defines who is authorized to access which types of information
      • Ownership
      • Custodianship
  • Data Security
    • This section lists out some controls to protect data
    • Detecting and Preventing Migrations into the cloud
      • Monitoring Access to internal repositories
        • DAM: Database Activity Monitoring
        • FAM: File Activity Monitoring
      • Monitoring/Prevention of Data moving into the cloud
        • URL Filtering
          • Prevent access to mass upload apis, etc
        • Data Loss Prevention
      • Placement of network based tools must be understood and planned accordingly
    • Protecting data moving to the cloud or within it
      • Client/Application Encryption
        • Data is encrypted before it is sent to the cloud
      • Link/network encryption
        • Data is encrypted in transit (SSL/TLS)
      • Proxy-Based Encryption
        • Legacy apps
        • Not recommended
        • Data is sent to a proxy-based encryption device before being sent to the cloud
    • Protecting data in the cloud
      • Step 1: Detection
        • Content Discovery
          • Need to understand the content being stored in the cloud
      • Step 2: Encryption
        • The different cloud architectures offer different encryption options.
        • Generally: Volume encryption, object encryption
        • Key management is the important issue here
          • Provider-managed keys
          • Client-managed keys
          • Proxy-Managed keys
        • Should use per-customer keys if you have to use provider managed keys
          • SaaS and PaaS may not offer protections such as passphrases on the keys
    • Data Loss Prevention
      • Many different deployment options (endpoint, hypervisor, network, etc)
      • Definition:  Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis
    • Database and File Activity Monitoring
      • duh!
    • Application Security
      • Remember, most data breaches are due to poor application security
    • Privacy Preserving storage
      • Virtual private storage (VPS), the storage analogue of a VPN
      • Does not matter if someone intercepts or reads the stored data; they cannot use or understand it
      • Certs are good, but are bound to the identity of the user
        • May violate some regulations if the authentication requestor knows the identity of the person accessing the information
        • ABCs or attribute-based credentials
          • Sorta like claims based authentication, do not need to know the user anymore, just the "rights" they have been granted
    • Digital Rights Management
      • encrypts content and then applies a series of rights
        • For example, can play, but cannot share/copy
      • Consumer DRM
        • music industry! (ugh)
        • emphasis on one way distribution
      • Enterprise DRM
        • emphasis on more complex rights, policies, and integration
    • Recommendations
      • Understand the cloud storage architecture in use
      • choose data dispersion when available
      • use the Data Security Lifecycle as a guide for building controls
      • monitor internal data repositories with DAM/FAM
      • Use DLP and URL filtering to track employee activity
      • Use content discovery
      • Encrypt data ruthlessly (my words)
        • Transit, storage layer, and if possible against viewing of the CSP
      • Remember that most data breaches are because of weak application security
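Worked example for the Data Dispersion bullets above (added here; it is not code from these notes or from the CSA guidance). An object is split client-side into fragments, each fragment is tagged with HMAC-SHA256 under a client-held key (an HMAC stands in for the "signing" step; a deployment could use a digital signature instead so the reassembling side does not have to share a secret with the writer), and one fragment goes to each simulated server. Reassembly fails closed on a missing or altered fragment, which is the "attacker must hit every server" property. The servers, object id, key and record contents are all constructed for the demo. Two caveats the notes only hint at: plain chunking leaves each fragment readable by the server that holds it, so dispersal is normally applied to data that is already encrypted, and the reassembling component that holds the key and the server list is exactly the API the last bullet asks about.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Chunk is one fragment of a dispersed object plus an authentication tag.
// The tag covers the object id, the fragment's position and count, and the
// payload, so a fragment cannot be substituted, reordered or truncated
// without the reassembling side noticing.
type Chunk struct {
	Object string
	Index  int
	Total  int
	Data   []byte
	Tag    []byte
}

// Store simulates one storage server: object id -> the fragment it holds.
type Store map[string]Chunk

func chunkTag(key []byte, c Chunk) []byte {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s|%d|%d|", c.Object, c.Index, c.Total)
	m.Write(c.Data)
	return m.Sum(nil)
}

// Disperse splits data into len(servers) fragments, tags each one with the
// client-held key and places fragment i on server i.
func Disperse(key []byte, object string, data []byte, servers []Store) {
	n := len(servers)
	size := (len(data) + n - 1) / n
	for i := 0; i < n; i++ {
		lo, hi := i*size, (i+1)*size
		if lo > len(data) {
			lo = len(data)
		}
		if hi > len(data) {
			hi = len(data)
		}
		c := Chunk{Object: object, Index: i, Total: n, Data: append([]byte(nil), data[lo:hi]...)}
		c.Tag = chunkTag(key, c)
		servers[i][object] = c
	}
}

// Reassemble fetches the fragment from every server, verifies each tag and
// concatenates them in order. It fails closed: one missing or tampered
// fragment and no data is returned at all.
func Reassemble(key []byte, object string, servers []Store) ([]byte, error) {
	var out bytes.Buffer
	for i, s := range servers {
		c, ok := s[object]
		if !ok {
			return nil, fmt.Errorf("server %d holds no fragment of %q", i, object)
		}
		if c.Index != i || c.Total != len(servers) {
			return nil, fmt.Errorf("fragment on server %d is out of position", i)
		}
		if !hmac.Equal(c.Tag, chunkTag(key, c)) { // constant-time compare
			return nil, fmt.Errorf("fragment on server %d failed its integrity check", i)
		}
		out.Write(c.Data)
	}
	return out.Bytes(), nil
}

func main() {
	key := []byte("constructed demo key, not a real secret")
	data := []byte("constructed sample record: ACCT-0042, balance 1337.00")
	servers := []Store{{}, {}, {}, {}}
	Disperse(key, "rec-1", data, servers)

	if got, err := Reassemble(key, "rec-1", servers); err == nil {
		fmt.Printf("all four servers: %q\n", got)
	}
	// An attacker who has taken three of the four servers gets nothing out of
	// the reassembly step, which is the property the notes describe.
	partial := []Store{servers[0], servers[1], servers[2], {}}
	if _, err := Reassemble(key, "rec-1", partial); err != nil {
		fmt.Println("three servers:", err)
	}
	// A server that alters its fragment is caught by the tag.
	c := servers[1]["rec-1"]
	c.Data[0] ^= 0x01
	servers[1]["rec-1"] = c
	if _, err := Reassemble(key, "rec-1", servers); err != nil {
		fmt.Println("tampered fragment:", err)
	}
}
```

Run it with `go run` on the file; it prints the round trip, then the two failure cases. Swapping the HMAC for a signature changes only chunkTag and the comparison in Reassemble.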
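Worked example for "Client/Application Encryption" and the key-management bullets under Step 2 (an added example, not code from these notes or from the CSA guidance). The client encrypts with AES-256-GCM under a per-object data-encryption key (DEK), wraps that DEK under a per-customer key-encryption key (KEK) the provider never sees, and uploads only the ciphertext plus the wrapped DEK. The object id is bound into both authentication tags as associated data, so a wrapped key cannot be reattached to a different object. Tenant names, the payroll row and the way the KEK is kept (in memory here; in practice an HSM or a customer-side KMS) are constructed for the demo. Only Go's standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the provider ends up holding for one object.
// Note what is absent: the customer's KEK. Without it the wrapped DEK, and
// therefore the ciphertext, is useless to the provider or to anyone who gets
// into its storage.
type StoredObject struct {
	ObjectID   string // bound into both GCM tags as associated data
	Nonce      []byte // GCM nonce used for the data
	Ciphertext []byte // AES-256-GCM of the data under the per-object DEK
	WrapNonce  []byte // GCM nonce used for the key wrap
	WrappedDEK []byte // AES-256-GCM of the DEK under the customer's KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randBytes draws from the OS CSPRNG; random 96-bit GCM nonces are fine for
// the per-key message counts in this demo.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no usable randomness: refuse to continue
	}
	return b
}

// NewCustomerKEK makes a fresh 256-bit KEK. It stays with the customer,
// never with the provider.
func NewCustomerKEK() []byte { return randBytes(32) }

// Seal encrypts plaintext on the client before upload. Every object gets its
// own DEK; the DEK is wrapped under the customer's KEK and uploaded alongside.
func Seal(kek []byte, objectID string, plaintext []byte) (*StoredObject, error) {
	dek := randBytes(32)
	dataGCM, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	kekGCM, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	aad := []byte(objectID)
	obj := &StoredObject{
		ObjectID:  objectID,
		Nonce:     randBytes(dataGCM.NonceSize()),
		WrapNonce: randBytes(kekGCM.NonceSize()),
	}
	obj.Ciphertext = dataGCM.Seal(nil, obj.Nonce, plaintext, aad)
	obj.WrappedDEK = kekGCM.Seal(nil, obj.WrapNonce, dek, aad)
	return obj, nil
}

// Open reverses Seal. The DEK exists in the clear only inside this function,
// on the client, and only for the customer whose KEK wrapped it.
func Open(kek []byte, obj *StoredObject) ([]byte, error) {
	kekGCM, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	aad := []byte(obj.ObjectID)
	dek, err := kekGCM.Open(nil, obj.WrapNonce, obj.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong customer KEK or altered metadata")
	}
	dataGCM, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dataGCM.Open(nil, obj.Nonce, obj.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("ciphertext failed authentication")
	}
	return pt, nil
}

func main() {
	kekA, kekB := NewCustomerKEK(), NewCustomerKEK() // two tenants, two keys
	obj, err := Seal(kekA, "tenant-a/payroll.csv", []byte("constructed payroll row: jdoe,4200.00"))
	if err != nil {
		panic(err)
	}
	pt, _ := Open(kekA, obj)
	fmt.Printf("tenant A reads back: %q\n", pt)
	if _, err := Open(kekB, obj); err != nil {
		fmt.Println("tenant B:", err)
	}
}
```

The second tenant's KEK fails at the unwrap step, which is the concrete meaning of "per-customer keys": a bug or a rogue operator that exposes one tenant's wrapped DEKs does not expose another's. Provider-managed keys differ only in who holds the KEK, so that is the line to draw when reading a provider's encryption claims.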
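Worked example for "Content Discovery" and the DLP definition above (an added example, not code from these notes or from any DLP product). A small scanner walks a constructed bucket listing, pulls out anything shaped like a payment card number, and keeps only candidates that pass the Luhn mod-10 check; that check is how a content-discovery tool separates real card numbers from order and tracking numbers of the same length. Findings are masked so the scan report does not itself become a leak, and each object gets the coarse regulated/not-regulated label the Information Classification bullet recommends. Object names and contents are constructed; 4111 1111 1111 1111 is a standard test card number.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding records one piece of regulated content located by the scan. The
// matched value is masked so the scanner's own output is not a second leak.
type Finding struct {
	Object string
	Kind   string
	Masked string
}

// candidate picks up 13 to 19 digits, optionally separated by single spaces or
// dashes. Deliberately loose; the Luhn check does the real filtering.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhn reports whether digits pass the mod-10 check every payment card
// number satisfies, which throws out order numbers, phone numbers and the
// like that merely look the part.
func luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func mask(digits string) string {
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Scan runs content discovery across a set of objects (name -> body) and
// returns the regulated content it finds, in object-name order.
func Scan(objects map[string]string) []Finding {
	names := make([]string, 0, len(objects))
	for n := range objects {
		names = append(names, n)
	}
	sort.Strings(names)
	strip := strings.NewReplacer(" ", "", "-", "")
	var out []Finding
	for _, name := range names {
		for _, m := range candidate.FindAllString(objects[name], -1) {
			digits := strip.Replace(m)
			if luhn(digits) {
				out = append(out, Finding{Object: name, Kind: "payment-card", Masked: mask(digits)})
			}
		}
	}
	return out
}

// Classify applies the coarse split the notes recommend: an object is
// "regulated" if the scan found anything in it, "not-regulated" otherwise.
func Classify(findings []Finding, object string) string {
	for _, f := range findings {
		if f.Object == object {
			return "regulated"
		}
	}
	return "not-regulated"
}

// sampleBucket is constructed input standing in for an object store listing.
var sampleBucket = map[string]string{
	"invoices/2013-08.txt": "Paid with card 4111 1111 1111 1111 on 2013-08-09.",
	"shipping/notes.txt":   "Tracking number 1234567890123456, call 555-0100 if late.",
	"docs/readme.txt":      "Nothing sensitive here.",
}

func main() {
	findings := Scan(sampleBucket)
	for _, f := range findings {
		fmt.Printf("%s: %s %s\n", f.Object, f.Kind, f.Masked)
	}
	for _, name := range []string{"invoices/2013-08.txt", "shipping/notes.txt", "docs/readme.txt"} {
		fmt.Println(name, "->", Classify(findings, name))
	}
}
```

Only the invoice is flagged: the 16-digit tracking number matches the pattern but fails Luhn, which is the difference between "deep content analysis" and a bare regex. Real DLP adds more detectors (document fingerprints, dictionaries, structured-data matching) on top of the same loop.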
Summary
This domain was a little bit more involved than the last one, but, once again, I think it focuses more on common sense than anything else.  I think the key point here is that data is hard to manage internally.  And that is okay; most corporations do not have a good way to manage that data internally, but at least the data is internal and only accessible by employees who are under contract.  Once you move to CSPs (or enable the internet...) you need to start having the right tools in place to monitor activity and usage of your data.  These include concepts such as DAM/FAM/URL filtering/DLP.  I personally think that the best solutions these days are those that allow data to enforce its own "security".  I.e.: the data is encrypted and a client needs to be installed to decrypt it.  The client can then enforce policy, and nobody can access the data unless the client is installed, etc.  As stated in the document, this leads to expensive infrastructure to make this happen.  There are also ways around this (copy and paste, for example).  To make the problem easier to tackle, create broad generalizations for the data (regulated vs. not regulated) and go from there.  Understand also the concepts of key management.  Ultimately, when you do PaaS or SaaS the service on the other end will need to "understand" the data in order to be able to provide you a service.  Those risks need to be weighed during the initial cloud discussions.