
Welcome to Domain 2. Data must be protected. We finally have a domain in a certification exam about data!
I have added a few documents to this step that I highly recommend looking at.
The first - less exciting ;) is the ISC2 NDA. In the first 5 minutes that you are in the exam room you must agree to this. The test room should point it out as they sit you down and get you started, but I recommend you read it now. Now, as in, before the test. Don't wait till those 5 minutes. In test mode it is not enough time to read it. If you read it now it will just take a minute or so.
I have included here my slides for this domain. And this domain from my book Cloud Guardians. The full book is on Amazon.
Also you will find here the CSA Guidance 4.0. If you have not read it. I do recommend that you do. This is a CSA exam in a joint effort with (ISC)2. Within the guidance document I recommend that you read domains 8.1.3, 8.2, 11.1.4.2 and 11.1.4.3.
Everything has a lifecycle and the data life cycle is to create, store, use, share, archive, and destroy.
Creation according to the Cloud Security Alliance is both the generation and the alteration/updating or modifying of content. The second step is Store, when you create data you should classify the data.
The cloud Security Alliance definition of Use is a view, process, or use but not modification. You may or may not share the data and/or put the data in an archive or long-term storage.
The archive would be a separate distinct space and location where you are storing the data, so you go through a specific process to put data into the Archive. In the end, you may or may not destroy the Data. Some data like birth records are intended to be kept.
In this video we will cover:
Protect Data Through Lifecycle
In this video you will learn:
We can protect data through the data lifecycle. Protection mechanisms include Policy, Backup, IAM, Encryption, DLP, and DRM. Policies are something that we need to do and they should be written with consequences should someone not follow them. We also need to include data protection requirements from laws and regulations that we need to be in compliance with, such as GDPR or SOX.
We encourage you to learn more about Data Protection Policy by watching this complete video. See you in the Next Video.
In this video we will cover:
Information Classification
Classification
Cloud Questions
In this video you will learn:
Information classification is a process in which the organization assesses its data and Information and what should be done to secure them.
Whenever you are dealing with policies within a business so CISSPs are responsible for writing policies according to (ISC)² logic.
According to ISACA, we should have less than 24 information security policies within a business. We need to make sure that we match the needs of a business. Every business should have a classification policy about how to protect the data and information that you have.
The data protection policy should include classification. We need to know the number of levels, their names, and handling/securing requirements. The levels and their names should make sense to the business and its employees. It is best to ensure there are as few levels as possible to reduce confusion. Confusion causes under and over-classification problems.
We need to ensure that the data protection policy also includes information regarding our clouds. What data can be stored in the cloud? Which cloud? What type of configuration?
We encourage you to learn more about Data Classification by watching this complete video. See you in the Next Video.
In this video we will cover:
Data Science
In this video you will learn:
Data Science is the conduct of data analysis as an empirical science, learning directly from data itself. There are two ways to do that; the first one is by collecting data by open-ended analysis and the second one is the formulation of the hypothesis. In both methods, the conclusion is based on the data, —NIST SP 1500-1.
We encourage you to learn more about Data Science by watching this complete video. See you in the Next Video.
Data governance is a fundamental element in the management of data and data systems. Data governance is the management across the complete data lifecycle. To maximize its benefits data governance must consider the issues of privacy and security.
We need to extend the data governance logic again into the cloud. A database is a collection of data and we could have multiple databases for different departments.
In this video we will cover:
Database
Data Warehouse
Meta data
In this video you will learn:
A database is a collection of data and we could have multiple databases for different departments.
A data warehouse centralizes and consolidates a large amount of data from multiple sources. Data warehouses are solely intended to perform queries and analysis and often contain large amounts of historical data.
We encourage you to learn more about Structured Data - Database and Data Warehouse by watching this complete video. See you in the Next Video.
In this video you will learn:
Big data consists of extensive databases, primarily in the characteristics of the three original and the two added Vs of volume, variety, velocity, veracity, and/or variability. Big data requires a very scalable architecture for efficient storage and analysis.
We encourage you to learn more about Unstructured Data - Big Data by watching this complete video. See you in the Next Video.
In this video we will cover:
Data Storage
Structured Storage
Unstructured Storage
IAAS Terminology
PAAS Terminology
Data Dispersion
In this video you will learn:
There are two types of storage, structured and unstructured. Structured storage is block storage while unstructured is object storage. In structured storage, it is perfect for something like a database. Data will be stored in volumes and blocks. The file or the data is split into equal-sized pieces (blocks). A block can be located but does not have associated metadata with it.
Unstructured storage is object storage. Storage of one piece of data at a time. Each object could be a file, video, picture, etc. Object storage is not hierarchical storage like file storage is. Each object is stored with metadata and a unique identifier that allows it to be located.
In IAAS the structured option is called a Volume and the unstructured option is called object or files, according to the Cloud Security Alliance. In PAAS the structured option is called Block and the unstructured is called Blob.
We also covered data dispersion in this video. We encourage you to learn more about Data Storage by watching this complete video. See you in the Next Video.
In this video we will cover:
Data Dispersion
In this video you will learn:
In the Cloud data just does not end up on a single drive. Data dispersion is a normal thing that occurs in the cloud. So what happens first is data is chunked or sharded. Then each piece is going to be sent to a drive on a server. Then the next chunk or shard is sent somewhere else, to another server, to another drive. So the file itself is dispersed across the cloud. This is similar in nature to how RAID works within a single server. The difference is that the data is distributed between drives on different servers.
We have covered other important points as well. We encourage you to learn more about Data Dispersion by watching this complete video. See you in the Next Video.
In this video we will cover:
Application Programming Interface Approved
In this video you will learn:
API’s are fundamentally a request and response protocol. There is SOAP and there is ReST.
SOAP is heavy and complicated with a lot of features. Which might be why it is no longer an acronym because the S stood for simple. SOAP is XML based which requires more knowledge and work from the software developer. As a bonus, it does have security features built in such as encryption of the data in transit.
Meanwhile, ReST is a lighter Protocol. ReST can use XML, however most of the time it is constructed with JavaScript Object Notation (JSON). It is essentially web requests so TLS can be used to encrypt the data in transit.
We have covered other important points as well. We encourage you to learn more about Application Programming Interface by watching this complete video. See you in the Next Video.
In this video we will cover:
Encryption
In this video you will learn:
We need to know the basics of encryption for this test. There are three basic things to know here: Symmetric, Asymmetric, and MIC (Message Integrity Control).
Symmetric is perfect If you wanna keep something confidential. Messa Integrity control has to do with Integrity. Asymmetric has to do with Authenticity.
We encourage you to learn more about Encryption by watching this complete video. See you in the Next Video.
In this video we will cover:
Data In Use
In this video you will learn:
Encryption Of Data In Use is an approach in which work is being done to figure out how to keep data encrypted while it is being used. The encryption methodology that applies to this is known as homomorphic cryptography.
We encourage you to learn more about Encrypting Data In Use by watching this complete video. See you in the Next Video.
In this video we will cover:
Encryption Of Data At Rest
In this video you will learn:
What we actually use encryption for today is encryption data at rest and in transit. With data at rest, you can encrypt anything, you can encrypt a single file, a partition, a folder, or an entire drive.
We encourage you to learn more about Data at rest encryption by watching this complete video. See you in the Next Video.
In this video we will cover:
SSH
In this video you will learn:
We use encryption for data in transit all of the time, and there are three specific protocols that we use in transit today: SSH, TLS (formerly SSL), and IPSec.
SSH is used first and foremost by administrators when they are remotely connecting to and configuring devices such as routers, switches and servers. It can be used for other purposes though.
We encourage you to learn more about SSH by watching this complete video. See you in the Next Video.
In this video we will cover:
TLS
In this video you will learn:
We use encryption for data in transit all of the time, and there are three specific protocols that we use in transit today: SSH, TLS (formerly SSL), and IPSec.
TLS is used first and foremost for the purpose of web based connections. It is a client-server protocol originally developed by Netscape. It can be used for other purposes though.
We encourage you to learn more about TLS by watching this complete video. See you in the Next Video.
In this video we will cover:
IPSec
In this video you will learn:
We use encryption for data in transit all of the time, and there are three specific protocols that we use in transit today: SSH, TLS (formerly SSL), and IPSec.
IPSec is used first and foremost to protect single hop connections running over WAN or Internet service providers. It can be used for other purposes though.
We encourage you to learn more about IPsec by watching this complete video. See you in the Next Video.
In this video we will cover:
Symmetric Encryption
In this video you will learn:
Symmetric cryptography is also known as a single key, session key, and shared key cryptography because it is a single key that is actually shared between transmitter and receiver. You can use it to encrypt anything, like data, voice, or video. You can also encrypt anything in folders, drives, partitions whatever you want to encrypt, symmetric is great for it. It keeps things confidential.
We encourage you to learn more about Intro to Symmetric by watching this complete video. See you in the Next Video.
In this video we will cover:
Asymmetric Encryption
In this video you will learn:
There are two main purposes that Asymmetric encryption serves, one it is good for exchanging and negotiating symmetric keys. The second thing is it is used to authenticate the source with a digital signature.
We encourage you to learn more about Introduction to Asymmetric Encryption by watching this complete video. See you in the Next Video.
In this video we will cover:
Public Keys
Private Keys
In this video you will learn:
To verify the source whether it is the sender or receiver that is only possible when you have public and private key pairs.
If the public key is used for encryption then the private key must be used for decryption. Only the owner of the private key can decrypt because the key is kept private. It should never be shared with anyone. This achieves confidentiality of the transmitted information, a common use is to exchange the symmetric key.
If the Private key is used for encryption then the public key must be used for decryption. Anyone can decrypt since the public key is public so, this does not achieve confidentiality but it does prove the source. We call this a digital signature.
We encourage you to learn more about the Use Of Public and Private Keys by watching this complete video. See you in the Next Video.
In this video we will cover:
Hashing
In this video you will learn:
Hashes are one-way functions. A hash algorithm is run against the data which produces a fixed-length answer. Its purpose is to prove the integrity of the message. Hashing always helps you prove that accidental changes occurred, but not intentional/malicious changes.
If the hash is encrypted we can protect it from intentional, malicious changes. We have also highlighted the important points explaining hashing. We encourage you to learn more about Hashing by watching this complete video. See you in the Next Video.
In this video we will cover:
Key Location
Transparent Encryption
In this video you will learn:
The critical question to answer is where is the key?
Normally for SaaS, the key is with the provider, there is an exception with level encryption related to SaaS, we can keep the keys with customers.
At an application level relevant to Iaas and Paas the customer owns the application so the key can be with them.
In Infrastructure, you own the operating system and software on the virtual machines. So, you can add the key.
At the database level, relevant to IaaS and PaaS, customer and provider both have the key. When you are encrypting the database the database itself has to have the key in order to do transparent encryption which means the key must be stored with the database. Which is in Cloud Provider’s Network.
At the file level related to IRM (Information Rights Management), the customer has the key.
In Storage level encryption for IaaS, PaaS, and Saas you are encrypting a drive so the key is with the Cloud Provider.
Transparent Encryption is a very specific term that applies to databases. When someone does encryption it needs to be done transparently. We encourage you to learn more about Key storage locations by watching this complete video. See you in the Next Video.
In this video we will cover:
Key Management Interoperability Protocol (KMIP) Specification
Key Management
Remote- Key Management
Client-Side Key Management
In this video you will learn:
Key Management Interoperability Protocol (KMIP) is a communication protocol for the maintenance of keys. It is a single consistent protocol that consists of objects, operations, and attributes.
There are two specific terms in key management, the first is internally managed and the second is externally managed. If the keys are stored in VM then they are internally managed and If not then they are externally managed. In externally managed keys are stored separately from the encryption engine.
Two more very specific terms are remote-key management and client-side key management. In both scenarios, the data is stored in the cloud and the customer has the key. The question to answer is where is the processing done?
In remote-key management, the key is on-premises with the customer, and data encryption/decryption processing is done with the cloud provider. The key is sent to the cloud for processing.
In client-side key management, the key is on-premises with the customer, and data encryption/decryption processing is done on the customer side. Data is sent to the customer for processing.
We encourage you to learn more about Key management by watching this complete video. See you in the Next Video.
In this video we will cover:
Public Key Infrastructure
Registration Authority
Certification Authorities
In this video you will learn:
PKI is the Infrastructure of trust involved with obtaining, managing, and verifying public keys. PKI manages key generation and distribution. Public keys are verified through Certificate Authority (CA) signed X.509 certificates. Without PKI it is very difficult to verify that a public key belongs to a specific entity.
There is also a separate function called Registration Authority (RA). RA is used to verify the identity of the user to whom the public key belongs. Identity could be confirmed by email address, in-person, and govt. issued IDs to name a few methods.
CAs are the trusted third parties that bind an individual or an organization to a public key.
We encourage you to learn more about PKI by watching this complete video. See you in the Next Video.
In this video we will cover:
Key Storage
Trusted Platform Module (TPM)
Hardware Security Module (HSM)
FIPS 140-2/3
Data Protection
In this video you will learn:
The next question to answer is: Where do we store the key? A great answer is in a Hardware Security Module (HSM) or a Trusted Platform Module (TPM). It should not be in a Virtual Machine (VM). If the key is stored in a virtual machine that means that it would be saved in the object-based file that is the VM.
The TPM is designed for one thing and that is the security of the key. It is a chip that is mounted on the motherboard of a computer. E.g., laptop, tablet, desktop, phone
The HSM is also designed for one thing and that is the security of the key. It can be used to create keys and store keys. The HSM is a rack-mountable device for use in a data center with servers. Access to the HSM should be physically limited. Logical and physical controls need to be built into the box itself.
FIPS 140-2/FIPS 140-3 are security requirements for cryptographic modules. Aligns with ISO/IEC 19790:2012(E). Testing for these requirements will be in accordance with ISO/IEC 24759:2017(E).
We have also covered FIPS 140-2 /3 and the four levels a product could be tested to prove its physical security of that product. You will also learn about some key things related to data protection.
We encourage you to learn more about Key storage hardware by watching this complete video. See you in the Next Video.
In this video we will cover:
Masking
In this video you will learn:
Masking is used to hide data from the visibility of the user for e.g stars instead of passwords on the screen. It is also used to cover the credit card number on the screen, either the users or customer service.
People use a lot of different masking interpretations, but nothing is defined by CSA or NIST, or ISO. So to cover is the most straightforward description that I think is needed for the exam at this time.
We encourage you to learn more about Masking by watching this complete video. See you in the Next Video.
In this video we will cover:
Tokenization
In this video you will learn:
Tokenize is to replace, so when you tokenize data you take that piece of data out and put something else in its place. The best example is credit cards. Tokenization requires that another database is added to store the original data and the associated token. This allows the conversion from the token back to the original data value. So to tokenize is to replace, but not permanently.
We encourage you to learn more about Tokenization by watching this complete video. See you in the Next Video.
In this video we will cover:
Obfuscation
In this video you will learn:
Obfuscation is to confuse by obscuring data. You could say that encryption is obfuscation, but not all obfuscation is encryption. If you convert normal text to the font Wingdings then it is obfuscated. It is often used to protect source code and memory location information among other things. And hackers use it to hide their attacks from IDS/IPS and firewalls.
We encourage you to learn more about Obfuscation by watching this complete video. See you in the Next Video.
In this video we will cover:
Anonymization
In this video you will learn:
We have two things, de-identification, and anonymization. (ISC)² only points to anonymization but it can’t hurt to know more terms. Anonymization is irreversibly removing direct and indirect identifiers. You cannot go back, once you anonymize something and you remove the direct and indirect identifiers, you cannot recover them or put them back in place. Dee-identification removes only the direct identifiers.
We encourage you to learn more about Anonymization by watching this complete video. See you in the Next Video.
In this video we will cover:
Maturity Models
CMM - The Beginning
CMMI - Capability Maturity Model Integration
CMM ISO 21827
Original CMM
Security Awareness Maturity Models
In this video you will learn:
The beginning of maturity models trace back to CMM which was developed for the Department of Defense (DoD) in 1986. CMM is the capability maturity model. It is about the topic of processes and it was primarily for software development.
CMM did not integrate well into the rest of the business so Capability Maturity Model Integration (CMMI) was developed. This is the current Maturity Model (MM) for software development. So we have the original CMM from 1986 and it has five levels of maturity which were replaced by CMMI which also has five levels of maturity. There is another CMM defined under ISO 21827. The CMM is for security engineering practices.
The five levels of maturity in Original CMM are, Initial, Repeatable, Defined, Capable and Efficient.
The first two levels are reactive in nature. When you get to three, four, and five you are now proactive.
The levels for CMMI are Initial, Managed, Defined, Quantitatively Managed, and Optimizing.
ISO 21827 levels are Performed Informally, Planned and Tracked, Well Defined, Quantitatively Controlled, and Continuously Improved.
We have also highlighted some more important points in this video regarding Security Awareness Maturity Models and PMM. We encourage you to learn more about Maturity Models by watching this complete video. See you in the Next Video.
In this video we will cover:
Digital Rights Management
In this video you will learn:
Digital Rights Management is familiar with things like Netflix, Pandora, Kindle, etc. It’s all the stuff that controls the content. Inside of the business, you might actually call this IRM (Information Rights Management) which could be something like Locklizard.
So, very commonly, DRM is the term used for publicly accessible content and IRM is usually something within the business.
DRM software controls access to Intellectual Property (IP). It allows control of the content to include but is not limited to the length of access, print capability, screen capture capability, copy/paste capability, and sharing controls.
We have also highlighted some more important points in this video regarding DRM and IRM. We encourage you to learn more about DRM & IRM by watching this complete video. See you in the Next Video.
In this course we walk through all of the critical concepts within the Cloud Data Security domain. This domain is 20% of the test as of August 2022. I will guide you through all of the concepts that you need to know and advise you on the level of knowledge that you need to get comfortable with.
There are over three and a half hours of video content plus course notes based on information from my book: Cloud Guardians.
We will explore the data lifecycle. It is important to know the lifecycle and the security controls that can be added to each phase. In order to really understand that it is good to also take a look at data. How to we organize data? It is good to understand the basic differences of structured, unstructured, and semi-structured data.
I love talking about encryption and we will explore the basics of symmetric, asymmetric and hashing. It is just the basics as the primary focus here is the key. It is essential to protect the secret key, so storage locations must be explored.
There is also an exploration of masking, tokenization and obfuscation. Each serves a very particular purpose when protecting information.
We finish with discussion about maturity models and data rights management/information rights management and maturity models.