Describe Security and Compliance Concepts Flashcards
Which type of hosting requires the least amount of management by the cloud customer, and which requires the most?
SaaS requires the least amount of management by the cloud customer.
PaaS is the second least.
IaaS is the third least.
On-premises requires the most, because the organization itself manages every layer from the physical hardware up to the data.
what are the responsibilities always retained by the customer organization?
-Information and Data
-Devices (Mobile & PCs)
-Accounts and Identities
Describe Defense in Depth.
A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack. Each layer provides protection, so that if one layer is breached a subsequent layer is still in place to stop the attacker getting unauthorized access.
Example of layers:
Physical - physical security at the data center, so only authorized people reach the hardware.
Identity and Access - controls on who can access infrastructure, such as multifactor authentication.
Perimeter - protection at the edge of the corporate network, such as DDoS protection that filters large-scale attacks before they cause a denial of service for users.
Network - network segmentation and access controls, to limit communication between resources.
Compute - securing access to virtual machines, whether on-premises or in the cloud, for example by closing ports that are not needed.
Application - ensuring applications are secure and free of security vulnerabilities.
Data - controls to manage access to business and customer data, and encryption to protect the data itself.
What are Zero Trust Guiding principles?
1.) Verify explicitly: always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
2.) Least privileged access: limit user access with just-in-time and just-enough access (JIT/JEA) and risk-based adaptive policies, so an identity gets only what it needs, only when it needs it.
3.) Assume breach: Segment access. Use encryption to protect data, and use analytics to get visibility, detect threats, and improve your security.
What are the six foundational pillars of the Zero Trust model?
1.) Identities: Identities like users, services, and devices must be verified with strong authentication.
2.) Devices: Monitoring devices for health and compliance is an important aspect of security.
3.) Applications: Discover all applications being used, including those not managed centrally (so-called Shadow IT), and control the permissions and access each one has.
4.) Data: should be classified, labeled, and encrypted based on its attributes.
5.) Infrastructure:
6.) Networks: should be segmented, and real-time threat protection, end-to-end encryption, monitoring, and analytics should be employed.
Describe encryption and the two types.
Encryption is the process of making data unreadable and unusable to unauthorized viewers; only someone holding the right key can turn the ciphertext back into the original data.
1.) Symmetric: uses the same key to encrypt and decrypt the data, so that one key has to be shared securely between the parties.
2.) Asymmetric: uses a public key and a private key pair. Either key can encrypt data, but the key used to encrypt can't be used to decrypt. So if you used the public key to encrypt you must use the private key to decrypt, and vice versa. In practice the "private key encrypts" direction is how a digital signature is produced: anyone with the public key can verify it, but only the private key holder could have made it.
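The following is an added example (not part of the original flashcards) showing both types side by side with the Go standard library: AES-256-GCM for the symmetric case, and RSA-OAEP for the asymmetric case, plus RSA-PSS signing as the "vice versa" direction. The sample message, key sizes and function names are my own choices for the demo; note that decrypting the AES ciphertext with a second key fails outright, because GCM authenticates the data as well as encrypting it.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// RandomBytes returns n cryptographically random bytes (used here for AES keys and nonces).
func RandomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// newAESGCM wraps a 32-byte key in an AES-256-GCM AEAD (authenticated encryption).
func newAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt seals msg under key with a fresh random nonce; the nonce is
// prepended to the ciphertext so the receiver can read it back.
func SymmetricEncrypt(key, msg []byte) ([]byte, error) {
	aead, err := newAESGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := RandomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, nil), nil
}

// SymmetricDecrypt opens data from SymmetricEncrypt with the SAME key. Any other
// key fails GCM's authentication check and an error is returned instead of garbage.
func SymmetricDecrypt(key, data []byte) ([]byte, error) {
	aead, err := newAESGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// NewKeyPair generates an RSA key pair; the public half can be handed out freely.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// AsymmetricEncrypt needs only the PUBLIC key (RSA-OAEP with SHA-256).
func AsymmetricEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// AsymmetricDecrypt needs the PRIVATE key; the public key cannot reverse this.
func AsymmetricDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign is the other direction: the private key produces a signature over the
// message digest that anyone holding the public key can verify (RSA-PSS).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify returns true only if sig was made over msg by the matching private key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	msg := []byte("quarterly revenue: 4.2M") // constructed sample message

	// Symmetric: one shared key both ways; a second key cannot open the ciphertext.
	key, _ := RandomBytes(32)
	ct, _ := SymmetricEncrypt(key, msg)
	pt, err := SymmetricDecrypt(key, ct)
	fmt.Printf("AES-GCM same key:  %q (err=%v)\n", pt, err)
	otherKey, _ := RandomBytes(32)
	_, err = SymmetricDecrypt(otherKey, ct)
	fmt.Printf("AES-GCM other key: err=%v\n", err)

	// Asymmetric: public key encrypts, private key decrypts; and vice versa via signing.
	priv, _ := NewKeyPair()
	ct2, _ := AsymmetricEncrypt(&priv.PublicKey, msg)
	pt2, err := AsymmetricDecrypt(priv, ct2)
	fmt.Printf("RSA-OAEP public->private: %q (err=%v)\n", pt2, err)
	sig, _ := Sign(priv, msg)
	fmt.Println("RSA-PSS signature valid:", Verify(&priv.PublicKey, msg, sig))
	fmt.Println("RSA-PSS after tampering:", Verify(&priv.PublicKey, []byte("quarterly revenue: 4.3M"), sig))
}
```

Run it with `go run .`; the plaintext comes back only under the original AES key and only under the RSA private key, and the signature stops verifying as soon as a single character of the message changes.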
What is Hashing?
Hashing uses an algorithm to convert text (or any data) into a fixed-length value called a hash. Each time the same text is hashed using the same algorithm, the same hash value is produced, while even a one-character change produces a completely different hash, and the hash cannot be reversed to recover the input. It is often used to store passwords: the system keeps a salted hash of the password rather than the password itself, and checks a login attempt by hashing it the same way and comparing the results.
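As an added example (not from the original flashcards), the Go program below shows the hash properties just described with SHA-256, then uses them for password storage: each user gets a random salt, the password is stretched through many HMAC-SHA-256 iterations (PBKDF2, RFC 8018, written out here so only the standard library is needed), and verification compares the stored hash in constant time. Names, the iteration count and the sample passwords are my own choices; in production you would reach for a vetted password hash such as bcrypt, scrypt or Argon2 rather than hand-rolling one.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
)

// Digest returns the SHA-256 hash of text as 64 hex characters: same input,
// same output, every time, regardless of how long the input is.
func Digest(text string) string {
	sum := sha256.Sum256([]byte(text))
	return hex.EncodeToString(sum[:])
}

// pbkdf2SHA256 derives one 32-byte block with PBKDF2-HMAC-SHA256:
// U1 = HMAC(password, salt || 1), U(i) = HMAC(password, U(i-1)), result = U1 ^ ... ^ Uc.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// PasswordRecord is what gets stored: salt, cost and derived hash, never the password.
type PasswordRecord struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// HashPassword creates a record with a fresh 16-byte random salt.
func HashPassword(password string, iterations int) (PasswordRecord, error) {
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return PasswordRecord{}, err
	}
	hash := pbkdf2SHA256([]byte(password), salt, iterations)
	return PasswordRecord{Salt: salt, Iterations: iterations, Hash: hash}, nil
}

// VerifyPassword re-derives the hash from the stored salt and compares in
// constant time, so timing does not leak how many bytes matched.
func VerifyPassword(rec PasswordRecord, attempt string) bool {
	got := pbkdf2SHA256([]byte(attempt), rec.Salt, rec.Iterations)
	return subtle.ConstantTimeCompare(got, rec.Hash) == 1
}

func main() {
	// Constructed sample inputs.
	fmt.Println(Digest("hello")) // always the same 64 hex characters
	fmt.Println(Digest("Hello")) // one character changed: an unrelated digest
	fmt.Println(len(Digest("a much longer input still hashes to the same length")) == 64)

	rec, _ := HashPassword("correct horse battery staple", 100_000)
	fmt.Println("correct password accepted:", VerifyPassword(rec, "correct horse battery staple"))
	fmt.Println("wrong password accepted:  ", VerifyPassword(rec, "Tr0ub4dor&3"))
	// Two users with the same password get different salts and therefore different
	// stored hashes, so a precomputed table of hashes cannot be reused across accounts.
	rec2, _ := HashPassword("correct horse battery staple", 100_000)
	fmt.Println("same password, same stored hash:", hex.EncodeToString(rec.Hash) == hex.EncodeToString(rec2.Hash))
}
```

The iteration count is the knob that makes guessing slow for an attacker who steals the records; raise it as hardware gets faster, and store it alongside the salt as done here so old records can still be verified.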
Describe governance, risk, and compliance (GRC) concepts.
1.) Governance: the system of rules, practices, and processes an organization uses to direct and control its activities.
2.) Risk: risk management is the process of identifying, assessing, and responding to threats or events that can impact company or customer objectives. Risks can be external or internal. External risks include weather events and pandemics; internal risks include leaks of sensitive data and theft of computers.
3.) Compliance: the country/region, state or federal laws and regulations that an organization must follow.