Great Caeser’s Ghost! It’s Encrypted!

Domain Two: Cloud Data Security (Part Two)

My TriForceCoder’s here is the next installment of the Certified Cloud Security Professional series. I hope everyone is staying safe during these crazy times and keeping their Cloud Secure as well.

Unauthorized User Access

  • Authorized users trying to access areas outside their Scope
  • Unauthorized users trying to gain access to the network (i.e. a hacker)

Safeguards Include:

  • Strong Authentication on the network and objects
  • Data Classification Levels (e.g., Public, Confidential, Unclassified, Secret, Top Secret)
  • Identity and Access Management
  • Industry recognized Encryption protocols
  • TPM 2.0 (trusted platform module)
  • Anti-Malware
  • Network Monitoring
  • Proper Sanitization of data, both hard and soft copies.
  • Obfuscation, tokens, masking

Data Classification:

  • Managed data based on its value. How will its loss affect the organization?
  • Enforce controls, and provide annual training
  • Control read, write, and modify. Set alerts for modification of sensitive data
  • Metadata can be used as a means for classification.
  • Protect data at rest and in transit
  • What is your organization’s Re-Classification Process?

Note: Data on the Cloud is always the owner’s responsibility unless the CSP violates the SLA.

Strong Authentication

  • Type 1 – Something you know (e.g., password, pin)
  • Type 2 – Something you have (e.g., CaC, physical token, OTP)
  • Type 3 – Something you are (biometrics)

Note: When combined this is called MFA (Multi-factor Authentication)

Information Rights Management (IRM)

AKA – DRM (Digital Rights Management)

  • Necessary for Intellectual Property and Trademarked information
  • Enforce ACLs – Access Control Lists. Who can access the data? What is the Scope of their Access?
  • Access Control and its policies should be Dynamic. This will allow them to be altered as necessary and when required.

IRM Challenges in the Cloud

  • Users with access should have matching encryption keys
  • Access control can either be Identity based or Role-Based
  • Identity Access – Single Location or Federated Trust
  • End Users may need to utilize and IRM agent for key storage or authentication\retrieval

Note: IRM \ DRM in short think of them as embedded permissions within a file.


  • Plaintext to Ciphertext
  • Data – What information requires encryption?
  • Encryption Engine – What tool or software will be used to encrypt your data?
  • Encryption Keys – What safeguards are in place to protect encryption keys?

Storage Level Encryption – Can encrypt the full disk or just selected objects. If the harddrive is stolen, it will be unreadable to attackers unless they have access to the encryption keys or if it is a weak form of encryption.

Volume Storage Encryption – Instead of encrypting the entire harddrive, only encrypt one volume on the drive (e.g, your D:\ drive.)

Object Storage

  • File Level Encryption – Embeding of permissions based on attributes (IRM\DRM) Protected regardless of 3rd party access.
  • Application Level – encryption engines resides in the application. They can reside within object storage, can be implemented, or it can be a customer gateway\proxy.

Database Encryption – Utilize File or Application level Encryption. Modern Database Management Systems (DBMS) provide encryption that is transparent and seamless to the user. The Encryption Engine resides within the database itself.

Encyption Best Practices: