It has Integrity!

Alrighty, we are wrapping up Domain Two. Remember, these posts are meant to get you heading in the right direction. Please be sure to research the different domains and really dive into the weeds when studying for the CCSP. Stay tuned for Domain Three: Cloud Platform and Infrastructure Security!

 

Domain Two: Cloud Data Security (Four)

Integrity Issues:

  • Focus on control of the data
  • Quality of the data stored
  • Hash the data so that modification can be detected
  • The hash of a file is also called a Message Digest

Learn about that, Hash, Yo! – https://www.howtogeek.com/67241/htg-explains-what-are-md5-sha-1-hashes-and-how-do-i-check-them/

  • Digital Signatures: Provide non-repudiation in its purest form (the signer cannot credibly deny having signed). They also detect both malicious and accidental modification of data.

Reasons to Hash a file:

  • Unreliable or insecure connection
  • Detect malicious or unintentional alteration
  • The receiver verifies integrity by hashing the file as received and comparing the result with the hash the sender published
  • Caveat: a hash alone only proves the file matches the hash you were given. If the hash travels over the same untrusted channel as the file, whoever can alter the file can also replace the hash, so obtain the published hash from a trusted source, or sign it.

Digital Signatures – Sender’s Private Key + hash = integrity (plus authenticity and non-repudiation)

  • The sender hashes the data and signs the digest with their private key; the receiver recomputes the digest from the data it received and verifies the signature with the sender’s public key
  • Places a lot of overhead on the PKI: key generation, certificate issuance, distribution, and revocation all have to be managed
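Here is an added example, written for this post rather than taken from it or from any CCSP material, that puts the two lists above into working Go code: a hash-only integrity check of the kind a receiver does against a published digest, followed by the hash-then-sign pattern with the sender’s private key. It uses only Go’s standard library (SHA-256 and ECDSA P-256). The file contents, the key, and the function names are constructed for illustration; in practice the bytes come from disk and the public key arrives via a certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Digest returns the hex-encoded SHA-256 message digest of data
// (the "hash of a file" the notes call a message digest).
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest is the receiver-side check: recompute the digest of the bytes
// actually received and compare it, in constant time, with the digest the
// sender published. It detects modification of the file but cannot detect
// substitution of the published digest by whoever altered the file.
func VerifyDigest(received []byte, publishedHex string) bool {
	want, err := hex.DecodeString(publishedHex)
	if err != nil || len(want) != sha256.Size {
		return false
	}
	sum := sha256.Sum256(received)
	return subtle.ConstantTimeCompare(sum[:], want) == 1
}

// NewSenderKey generates the sender's P-256 key pair (constructed here for the
// demo). The private half stays with the sender; the public half is what PKI
// distributes, normally inside a certificate.
func NewSenderKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign implements "sender's private key + hash": hash the data, then sign the
// digest. The returned signature is ASN.1 DER encoded.
func Sign(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	sum := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, sum[:])
}

// VerifySignature recomputes the digest of the received bytes and checks the
// signature with the sender's public key. Without the private key an attacker
// cannot produce a valid signature over a modified file, so tampering is
// detected even when the attacker also controls the channel the digest used.
func VerifySignature(pub *ecdsa.PublicKey, received, sig []byte) bool {
	sum := sha256.Sum256(received)
	return ecdsa.VerifyASN1(pub, sum[:], sig)
}

func main() {
	// Constructed sample contents standing in for a file read from disk.
	original := []byte("quarterly-report.pdf contents v1\n")
	tampered := []byte("quarterly-report.pdf contents v1 (altered in transit)\n")

	// Hash-only integrity check.
	published := Digest(original)
	fmt.Println("intact file passes digest check:      ", VerifyDigest(original, published))
	fmt.Println("tampered file passes digest check:    ", VerifyDigest(tampered, published))
	// Weakness: an attacker who can alter the file and republish its digest
	// passes the hash-only check.
	fmt.Println("tampered + republished digest passes: ", VerifyDigest(tampered, Digest(tampered)))

	// Hash-then-sign with the sender's private key.
	priv, err := NewSenderKey()
	if err != nil {
		panic(err)
	}
	sig, err := Sign(priv, original)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact file passes signature check:   ", VerifySignature(&priv.PublicKey, original, sig))
	fmt.Println("tampered file passes signature check: ", VerifySignature(&priv.PublicKey, tampered, sig))
}
```

The third print line is the point of the caveat above: a hash you fetched alongside the file is only as trustworthy as the channel it came over, while the signature check fails on the tampered bytes no matter who published what, because the attacker never held the private key.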

 

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Note: the CCSP certification itself was developed jointly by CSA and (ISC)².

  • Provides a controls framework for cloud security, with principles organized by domain
  • Designed to be a fundamental security principles guide for cloud vendors and to assist prospective customers in assessing them
  • Maps its controls to industry accepted \ recognized standards: ISO/IEC 27001 | 27002 | COBIT | PCI DSS

Domains of the CCM:

Free download: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v3-0-1/

  1. Audit Assurance and Compliance
  2. Application and Interface Security
  3. Business Continuity Management and Operational Resilience
  4. Change Control \ Configuration Management
  5. Data Security & Information Lifecycle Management
  6. Datacenter Security
  7. Encryption and Key Management
  8. Governance \ Risk Management
  9. Human Resources
  10. Identity and Access Management
  11. Interoperability and Portability
  12. Infrastructure \ Virtualization Security
  13. Mobile Security
  14. Security Incident Management | E-Discovery | Cloud Forensics
  15. Threat and Vulnerability Management
  16. Supply Chain Management, Transparency, and Accountability

Policy Controls for Privacy and Data Protection

  • Separation of Duties
  • Training – Quarterly, Semi-Annually, Annually
  • Authentication and Authorization Procedures
  • Vulnerability Assessments
  • Backup & Recovery: what are your RTOs and RPOs?
  • Logging | Data Retention | Secure Disposal

 

Essential Questions to ask yourself:

What Tools do you have in place to manage your Cloud Deployment?

  • How are objects created, managed, and accessed?
  • Where are Standard Operating Procedures stored, and how are they managed?
  • Why was this specific CSP chosen, and is that justification documented?
  • How does data move in the Cloud?
  • How are auditing, SLA evaluations, and requirements handled?

References

https://www.isc2.org/Certifications/CCSP

https://resources.infosecinstitute.com/category/certifications-training/ccsp/ccsp-domain-overview/domain-2-cloud-data-security/   

#dontcodealone