Describe security and compliance concepts Flashcards
On-premises datacentres
In an on-premises datacentre, you have responsibility for everything from physical security to encrypting sensitive data.
Infrastructure as a Service (IaaS)
IaaS is a cloud service model where the cloud provider offers computing infrastructure.
It requires the most management by the customer among all cloud services.
The customer uses the provider’s infrastructure but is not responsible for physical components or datacentre security.
The customer is responsible for software components, including operating systems, network controls, applications, and data protection.
Platform as a Service (PaaS)
PaaS is a cloud service model for building, testing, and deploying software applications.
The focus of PaaS is on rapid application development without managing the infrastructure.
The cloud provider handles hardware and operating system management.
The customer’s responsibility lies in developing and managing applications and data.
Notes on Software as a Service (SaaS):
SaaS is a cloud service model where software is hosted and managed by the provider.
It is accessed through a subscription; examples include Microsoft 365, Skype, and Dynamics CRM Online.
SaaS requires minimal management from the customer.
The provider manages everything except data, devices, accounts, and identities.
Customer responsibilities in the cloud:
Cloud customers own their data and identities.
Customers are responsible for protecting the security of their data and identities.
On-premises resources, including devices like mobile devices, PCs, and printers, are the responsibility of the customer.
Customer responsibilities include information and data, devices, accounts, and identities.
The shared responsibility model clarifies the responsibilities of both the customer and the cloud provider.
Defence In Depth
Defence in depth employs multiple layers of security instead of relying on a single perimeter.
Each layer adds protection, making it difficult for attackers to gain unauthorized access to data.
Example layers of security include:
- Physical security restricts access to authorized personnel in datacentres.
- Identity and access security controls include multifactor authentication and condition-based access.
- Perimeter security protects corporate networks from DDoS attacks.
- Network security involves segmentation and access controls to limit resource communication.
- Compute layer security secures access to virtual machines by closing specific ports.
- Application layer security ensures applications are free of vulnerabilities.
- Data layer security manages access to data and uses encryption for protection.
Confidentiality, Integrity, Availability (CIA)
CIA (Confidentiality, Integrity, Availability) is a key aspect of a cybersecurity strategy:
Confidentiality ensures sensitive data remains secret and can be achieved through encryption.
Integrity focuses on maintaining the correctness and accuracy of data or messages.
Availability ensures data is accessible to authorized users when needed.
Microsoft offers solutions to help organizations achieve the goals of the CIA triad.
Zero Trust principles and practices:
- Zero Trust assumes an untrusted network and does not trust resources behind firewalls.
- The model operates on the principle of “trust no one, verify everything.”
- Conventional access controls are no longer sufficient due to attackers bypassing them.
- Security is strengthened by not relying solely on the integrity of the corporate network.
- Multi-factor authentication is used to enhance user validation beyond passwords.
- Access is granted only to specific applications or data that users need, rather than all devices on the corporate network.
Zero Trust guiding principles
Zero Trust Model principles:
- Verify explicitly: Authentication and authorization are based on multiple data points, such as user identity, location, device, service/workload, data classification, and anomalies.
- Least privileged access: Limit user access through just-in-time and just-enough access (JIT/JEA), risk-based adaptive policies, and data protection. This approach safeguards both data and productivity.
- Assume breach: Segment access by network, user, devices, and application. Utilize encryption for data protection and leverage analytics to gain visibility, detect threats, and enhance overall security.
The six foundational pillars of the Zero Trust model
- Identities: Verify identities with strong authentication and adhere to least privilege access principles.
- Devices: Monitor device health and compliance to mitigate security risks.
- Applications: Discover and manage all applications, including permissions and access control.
- Data: Classify, label, and encrypt data based on its attributes to ensure its protection.
- Infrastructure: Assess and secure infrastructure for vulnerabilities, configurations, and just-in-time access. Use telemetry for attack detection and protective actions.
- Networks: Implement network segmentation, micro-segmentation, real-time threat protection, end-to-end encryption, monitoring, and analytics.
Encryption in cybersecurity
Encryption makes data unreadable and unusable to unauthorized viewers.
To decrypt encrypted data, a secret key is required.
Two top-level types of encryption: symmetric and asymmetric.
Symmetric encryption uses the same key for encryption and decryption.
Asymmetric encryption uses a public-private key pair; data encrypted with one key requires its paired key for decryption.
Asymmetric encryption is used for the HTTPS protocol and for electronic data signing.
Encryption can protect data at rest or in transit.
Encryption for data at rest
- Data at rest refers to data stored on a physical device, like a server.
- Encryption of data at rest ensures that the data is unreadable without the necessary decryption keys and secrets.
- Even if an attacker gains access to encrypted data, without the encryption keys, they cannot read the data.
- Encryption provides an additional layer of security to protect sensitive information stored on physical devices.
Encryption for data in transit:
- Data in transit refers to data moving between locations, such as over the internet or through a network.
- Encryption of data in transit ensures that the data is protected during its transmission.
- Secure transfer can be achieved by encrypting the data at the application layer or using protocols like HTTPS.
- Encryption in transit safeguards the data from unauthorized access and reduces the risk of exposure during transmission.
Encryption for data in use:
- Data in use refers to data being actively processed or accessed by the CPU or other components.
- Encryption of data in use involves securing data in nonpersistent storage, such as RAM or CPU caches.
- Technologies can create secure enclaves to protect and keep the data encrypted while it is being processed.
- Encrypting data in use helps maintain data confidentiality and prevent unauthorized access or exposure during processing.
Hashing
- Hashing converts text to a unique fixed-length value called a hash using an algorithm.
- The same text hashed with the same algorithm will always produce the same hash value.
- Hashing doesn’t use keys, and the hash value is not decrypted back to the original text.
- Hashing is commonly used to store passwords, comparing the hash of the entered password with the stored hashed version.
- Hashing is more secure than storing plain text passwords, but hackers can use brute-force attacks to guess passwords by hashing and comparing them.
- To enhance security, passwords are often “salted” by adding a random value before hashing to create unique hashes for the same input.