Cloud Data Security

Question 1

What are the main types of storage in cloud ?

Answer 1

Volume, Object, CDN, Database

Question 2

What are the two types of Volume based storage ?

Answer 2

File and Block

Question 3

What is block based storage ?

Answer 3

Block - blank volume that the user can put anything on to - more flexibility and higher performance but may need higher admin and os installed

Question 4

What is file based storage ?

Answer 4

Stored and Displayed as a file structure - popular with Big Data tools and processes.

Question 5

What is object storage ?

Answer 5

Stored as objects alongside meta data and a unique address identifier allows for high classification and labelling. Storage is in a flat structure.

Question 6

What is a CDN ?

Answer 6

Data Caching near geophysical or edge locations for high use or demand e.g. multimedia streaming

Question 7

Name the six phases in the data lifecycle ?

Answer 7

Create Store Use Share Archive Destroy

Question 8

Describe Archive storage ?

Answer 8

Long Term Storage - Cryptography essential
Location and Format should also be a consideration
Staff access both in and outside of the cloud
Procedure how is that data to be restored.

Question 9

What features are within the Use stage of the lifecycle ?

Answer 9

All connections to be secured usually with an encrypted tunnel.
Data Owners should minimise access to data as well as the use of logging and audit trails. Virtual hosts must be separated from each other and provider should also have controls about what, where and when their own staff have access to infrastructure.

Question 10

What is a consideration with the Share phase ?

Answer 10

Jurisdiction

Question 11

What are the main features of DLP ?

Answer 11

Additional Security, Enhanced Monitoring, Policy Enforcement, Regulatory Compliance

Question 12

When should encryption be used in cloud ?

Answer 12

Used to protect data at rest, in transit and in use.

Question 13

What are the main characteristics of Key Management in cloud ?

Answer 13

Distribution, Escrow, Recovery, Revocation, Protection, Outsourcing

Question 14

What is Key escrow ?

Answer 14

This is where a third party have a copy of the keys.

Question 15

Name the 4 main goals of SIEM ?

Answer 15

Automated Response, Dashboarding, Enhanced Analysis, Log Centralisation

Question 16

What is key outsourcing ?

Answer 16

Keys should not be stored with the data they are processing. One solution is for the cloud customer to retain the keys, but that requires an expensive and complicated set of infrastructure and skilled personnel. We can offload this to CASB to look after IAM and Key management.

Question 17

Give two examples of SIEM enhanced analysis ?

Answer 17

Includes Trend Analysis
APT detection

Question 18

What are the seven common obfucation techniques ?

Answer 18

Masking, Nulls, Shuffling, Randomisation,Tokenisation, Hashing and Anonymisation

Question 19

What is anonymisation ?

Answer 19

Removing tell tale identifiers - difficult and

Question 20

What is hashing ?

Answer 20

Converts data via cryptography into fixed length strings. Drawback is some characteristics such as format and length are lost.

Question 21

What is masking ?

Answer 21

Hiding data with useless characters such as showing last four digits of SSN - keeps data characteristics

Question 22

What is randomisation ?

Answer 22

Replacing data or part of data with random characters

Question 23

What is shuffling ?

Answer 23

Using different enteries in the same data to represent the data - drawback is you are still exposing production data

Question 24

What is tokenisation ?

Answer 24

Replace data with a token involves two databases one for token and one for the actual data - Significant overhead as we have to translate the token into true value and also read two databases when assigning, reading, updating and deleting.

Question 25

Describe the problems with DLP in cloud ?

Answer 25

Placed on network edge locations DMZ and Cloud Public facing devices In cloud can be problematic due to costs and insufficient access.

Question 26

What does Obfuscation help with ?

Answer 26

Test Environments, Least Privilege, Secure Remote Access

Question 27

Whats the difference between a NAS and a SAN ?

Answer 27

Both are designed to store large amounts of data. NAS is usually on a single server as part of a mixed network containing processing servers and laptops whereas a SAN is usually on thier own dedicated network with many SANs as part of that network.

Question 28

What is a SAN ?

Answer 28

a SAN is usually on thier own dedicated network with many SANs as part of that network. It usually uses fibre channel for speed and LUNs to identify where data is rather than IP address of the box. Two transport protocols FIBRE and ISCSI both designed for moving large amounts of data.

Question 29

What is the difference between redundant servers and server clusters ?

Answer 29

Redundant servers are active/passive in failover where as clusters are active/active

Question 30

What is distributed resource scheduling ?

Answer 30

DRS is a cloud feature where VM scheduling and location are dynamically done in the background according to best fit. So if a VM gets large it is moved over to a new server config seamlessly without the customer knowing. This can be automatic or depend on the configuration options you ticked when provisioning the resources.

Question 31

What is the difference between dynamic optimisation (DO) and DRS ?

Answer 31

Unlike DRS DO involves the migrating of whole clusters to optimise performance - it can be storage dynamic optimisation or compute dynamic optimisation. DRS is individual virtual machines.

Question 32

Describe the two definitions of VLANs ?

Answer 32

First definition relates to pre cloud where a virtual network was defined by an identification number that allowed switches to send information marked with that number to the relavant participating members - allowed distributed networks beyond physical ties. A more cloud specific definition is a network of resources defined on a server.

Question 33

What is a VPN ?

Answer 33

Encrypted tunnel protecting data in transit

Question 34

What is FIPS 140-2/FIPS 140-3 measuring ?

Answer 34

Tests the strength of a cryptographic product such as TPM, HSM etc

Question 35

What is FIPS level 1

Answer 35

No physical security only security is in the software

Question 36

What is FIPS level 2

Answer 36

Seals or Labels that will show if a box has been tampered with

Question 37

What is FIPS level 3

Answer 37

Tamper detection/response circuitry that when it detects tampering will zero the chip

Question 38

What is FIPS level 4

Answer 38

Level 3 plus tamper active response that will physically destroy the board or chip

Question 39

What is data masking ?

Answer 39

The hiding of data without changing its underlying structure think of passwords being masked with *

Question 40

What is tokenisation ?

Answer 40

To replace data item with a token from a second database. You can get back to the original data item.

Question 41

What is obsfuscation ?

Answer 41

Confuses reader changing whole blocks of text - encryption can be thought as a form of obfuscation.

Question 42

What is anonymisation ?

Answer 42

The manipulation of direct and indirect data so it no longer identifies and individual - key is you cant go back

Question 43

What is data de-identification ?

Answer 43

The manipulation of direct data only so it no longer identifies and individual - key is you cant go back

Question 44

Name two maturity models ?

Answer 44

CMMI and CMM ISO21827

Question 45

What is the security based maturity model called ?

Answer 45

CMM ISO21827

Question 46

What are the five levels in CMMI ?

Answer 46

Incomplete Initial Managed Process Defined Quantitatively Managed Optimising

Question 47

What are the five levels in CMM ISO21827

Answer 47

Perfomed Informally Planned and Tracked Well Defined Quantitatively Controlled Continually Improving

Question 48

Ideally where should the key be stored ?

Answer 48

With the customer

Question 49

If the key cant be stored with the customer where is the next best option ?

Answer 49

Third Party

Question 50

If I have to store my key witht the provider what should I not do ?

Answer 50

Store it with VM

Question 51

What is transparent encryption ?

Answer 51

Databases specific encryption is in the background and doesnt interfere with the users operations.

Question 52

What is the pupose of a CASB ?

Answer 52

To uncover shadow IT operations such as people using cloud services with corporate email

Question 53

What are the data center four tiers >?

Answer 53

1 - Basic 2 - Redundant Power and Cooling 3 - Concurrently Maintainable Hot Swappable architecture 4 - Fault Tolerance for topology

Question 54

What are the three key terms in ISO27034 ?

Answer 54

ONF, ANF, ASMP

Question 55

What is the Application Security Management Process of ISO27034 ?

Answer 55

The process that allows the development of the anf from the onf

Question 56

Name some common orchestration tools

Answer 56

puppet, chef salt

Question 57

What are the top 4 Owasp threats ?

Answer 57

Injection, XSS,CSRF,Insecure Direct Object Reference

Question 58

What is XSS

Answer 58

A redirection to a compromised web site from a trusted source

Question 59

What is a problem with Role Based Access ?

Answer 59

The assumption of roles that can lead to privilege escalation