
(ISC)2 CERTIFIED CLOUD SECURITY PROFESSIONAL (CCSP)

DOMAIN 2: CLOUD DATA SECURITY

19% OF THE TEST

©TACTICAL SECURITY INC. 2021


DATA LIFE CYCLE

THE LIFE CYCLE
• Create – Generation or alteration/updating or modifying content. Data should be classified at this point.
• Store – Committing to a storage repository; nearly simultaneous with create.
• Use – Viewed, processed, or used (not modification).
• Share – Made accessible to others.
• Archive – Leaves active use and enters long term storage.
• Destroy – Permanently destroyed using physical or digital means.


DATA PROTECTION POLICY

PROTECT DATA THROUGH THE LIFE CYCLE
• Policy
• Backups
• IAM
• Encryption
• DLP
• DRM
• Data retention policy
• Data deletion procedures
• Data archiving procedures
• Legal hold


INFORMATION CLASSIFICATION

• Data Classification Policy
• Meets the needs of the business
• The data owner classifies according to the policy
• The data owner is not the business owner
• The data owner is responsible for a piece of data (a Word document) or a set of data (a database)
• Ownership must be assigned, and owners must receive training on how classification levels are to be assigned


CLASSIFICATION
• Policy reflects classification levels and appropriate data handling per level
• Levels should make sense to the business and its employees
• There should be as few levels as possible


CLOUD QUESTIONS
• Can the data be in the cloud?
• Which cloud?
• Internet accessible?
• What type of configuration?
• A network security group?


DATA MAPPING/LABELING

DATA SCIENCE
The conduct of data analysis as an empirical science, learning directly from data itself.

This can take the form of collecting data followed by open-ended analysis without preconceived hypothesis (sometimes referred to as discovery or data exploration).

The second empirical method refers to the formulation of a hypothesis, the collection of the data (new or preexisting) to address the hypothesis, and the analytical confirmation or denial of the hypothesis (or the determination that additional information or study is needed).

In both methods, the conclusions are based on the data. – NIST SP 1500-1


DATA GOVERNANCE
Data governance is a fundamental element in the management of data and data systems.

Data governance refers to administering, or formalizing, discipline (e.g., behavior patterns) around the management of data.

The definition of data governance includes management across the complete data life cycle, whether the data is at rest, in motion, in incomplete stages, or transactions.

To maximize its benefit, data governance must also consider the issues of privacy and security of individuals of all ages, individuals as companies, and companies as companies.

GOVERNANCE AND THE CLOUD
• Do they still own their data, or is the data owned by the hosting company?
• Do the data producers have the ability to delete their data?
• Can they control who is allowed to see their data?


STRUCTURED DATA
A collection of data.

Most of the data in business systems was structured data, where each record was consistently structured and could be described efficiently in a relational model.

DATABASE
• Relational DBMS organize data into tables.
• Records all have the same value fields.
• Unstructured data types, such as text, image, video, and relationship data, have been increasing in both volume and prominence.

DATA WAREHOUSE
A data warehouse centralizes and consolidates large amounts of data from multiple sources. ~ Oracle

Data warehouses are solely intended to perform queries and analysis and often contain large amounts of historical data. ~ Oracle

META DATA
• Metadata describes additional information about the data, such as how and when data was collected and how it has been processed.


SEMI-STRUCTURED DATA
UNSTRUCTURED DATA

BIG DATA
“Consists of extensive datasets - primarily in the characteristics of volume, variety, velocity, and/or variability - that require a scalable architecture for efficient storage, manipulation, and analysis” - NIST

The Big Data paradigm consists of the distribution of data systems across horizontally coupled, independent resources to achieve the scalability needed for the efficient processing of extensive datasets.

BIG DATA – THE FOUR VS
• Volume – size of the dataset
• Variety – data from multiple sources
• Velocity – rate of data flow
• Variability – change in other characteristics

4-V (figure)


DATA DISCOVERY
• Answer a specific question or solve a specific problem
• Data exploration
• Data preparation
• Big-data analysis
• Business Intelligence
• Data visualization
• Hadoop


DATA STORAGE

FUNDAMENTALLY TWO TYPES OF STORAGE
• Structured
  • Block Storage
  • This is perfect for something like a database. Data will be stored in volumes and blocks. The file or the data is split into equal sized pieces (blocks). A block can be located but does not have associated metadata with it.
• Unstructured
  • Object Storage
  • Storage of a piece of data at a time. Each object could be a file, video, picture, etc. Object storage is not hierarchical storage like file storage is. Each object is stored with metadata and a unique identifier that allows it to be located.

IAAS TERMINOLOGY
• Structured
  • Volume
  • Database
• Unstructured
  • Object (File)
  • Big data
  • Database

PAAS TERMINOLOGY
• Structured
  • Block
• Unstructured
  • Blob

DATA DISPERSION
Data is chunked and stored on different drives throughout the cloud.

APPLICATION PROGRAMMING INTERFACE DESCRIPTION AND REQUIREMENTS


API
APIs are fundamentally a request and response protocol.

SOAP
• Heavy and complicated
• Has many features.
• XML based.
• Has encryption capabilities built in.

REST – REpresentational State Transfer
• Lighter protocol
• Uniform Resource Identifier (URI) based.
  • Uniform Resource Locator (URL)
    • Identifies the location or domain name such as “https://ISC2.org/Certifications/CCSP.”
  • URI
    • Identifies a particular resource such as “CCSP” in the above URL.
• Uses JSON (JavaScript Object Notation) or XML.
• Can be encrypted through the addition of TLS.


ENCRYPTION

ENCRYPTION
• Protection of Data at Rest, Data in Use, Data in Transit
• Confidentiality
• Integrity

ENCRYPTION OF DATA IN USE
• Theoretical
• Work is being done to figure out how to keep data encrypted while it is being used.
• This would be most useful when processing something like credit cards through a transactional database.
• The encryption methodology that applies to this is known as homomorphic cryptography

ENCRYPTION OF DATA AT REST
• Based on the design of the software
• Encrypt:
  • A single file
  • A partition
  • A folder
  • An entire drive
  • An instance

ENCRYPTION OF DATA IN TRANSIT
• SSH
• TLS
• IPSec

SSH
• Secure Shell
• OSI Layer 5
• Computer to computer
• Perfect for administrative connections to routers, switches, servers, etc.
• Can be used for VPN.

TLS
• Transport Layer Security.
• OSI Layer 4
• Client – Server structure
• Most used for Web site connection (HTTPS)
• Can be used for VPN.

IPSEC
• IP Security.
• OSI Layer 3
• Can be used for anything.
• Great for site to site (Router to Router) connections
• Can be used for VPN.


SYMMETRIC
• Single key cryptography
• Key is shared between transmitter and receiver
• Used to protect data/voice/video
• Used to encrypt drives/folders/partitions

ASYMMETRIC
• Used to exchange/negotiate symmetric keys
• Used to authenticate source with digital signature
• Can be used for general confidentiality, but it is very slow
• There are two keys that are a pair.
• Public/private key pair per person

USE OF PUBLIC KEY
• If the public key encrypts, the private key must decrypt
• The private key is… private
• So only the owner of the private key can decrypt
• Therefore, achieving confidentiality
• Used to encrypt a symmetric key for exchange

USE OF PRIVATE KEY
• If the private key encrypts, the public key must decrypt
• The public key is… public
• Anyone can decrypt.
• This does not achieve confidentiality
• But it does prove source

HASHING
• A one-way function
• Used to prove integrity of the message
• Not keyed, so only proves accidental changes
• If the hash is encrypted, then it proves/protects from intentional changes
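The hashing slide's distinction between accidental and intentional changes is easiest to see in code. The following is an added example, not material from the deck: an unkeyed SHA-256 digest catches a bit flip in transit but is useless against someone who rewrites the message and recomputes the digest, whereas a keyed digest cannot be recomputed without the key. The slide describes "encrypting the hash" (signing it with a private key); Python's standard library has no asymmetric signing, so HMAC-SHA256 is used here as the keyed stand-in, and the message and key are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample message (not from the original deck).
MESSAGE = b"Transfer 100.00 USD to account 12345"


def plain_digest(message: bytes) -> str:
    """Unkeyed SHA-256: anyone can recompute it, so it only detects accidental corruption."""
    return hashlib.sha256(message).hexdigest()


def keyed_digest(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: stands in for the 'encrypted hash' on the slide.
    Without the key a matching tag cannot be produced for a changed message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_plain(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_digest(key, message), tag)


def recompute_after_change(message: bytes) -> tuple:
    """Models an intentional change: the message is altered and the unkeyed
    digest recomputed, so the pair still looks consistent to the receiver."""
    altered = message.replace(b"12345", b"99999")
    return altered, plain_digest(altered)


def demo() -> dict:
    key = secrets.token_bytes(32)  # known only to the two legitimate parties
    digest = plain_digest(MESSAGE)
    tag = keyed_digest(key, MESSAGE)

    # Accidental change: a single bit flipped in transit. Both checks catch it.
    corrupted = bytearray(MESSAGE)
    corrupted[0] ^= 0x01
    corrupted = bytes(corrupted)

    # Intentional change: message rewritten and unkeyed digest recomputed.
    altered, altered_digest = recompute_after_change(MESSAGE)

    return {
        "accidental_caught_by_plain": not verify_plain(corrupted, digest),
        "accidental_caught_by_keyed": not verify_keyed(key, corrupted, tag),
        "intentional_caught_by_plain": not verify_plain(altered, altered_digest),
        "intentional_caught_by_keyed": not verify_keyed(key, altered, tag),
    }


if __name__ == "__main__":
    for check, caught in demo().items():
        print(f"{check}: {'detected' if caught else 'NOT detected'}")
```

The receiver's position matters: with an unkeyed hash, the check passes whenever digest and message agree, which is exactly what a deliberate rewrite arranges. Only the keyed check, verified against a tag the sender alone could have produced, fails on the rewritten message.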


KEY LOCATION
• Note the ‘control by’ and the ‘keys’ sections

TRANSPARENT ENCRYPTION
• This is for databases specifically
• Enterprise key manager can communicate with all cryptographic clients

KEY MANAGEMENT INTEROPERABILITY PROTOCOL (KMIP) SPECIFICATION
• A single consistent model of objects, operations and attributes.
• Standardizes communication amongst all
• Object = keys and certificates
• Operations = obtaining key from KMS, etc.
• Attributes = type of object, unique identifier, etc.

KEY MANAGEMENT
• Internally managed
  • Keys are stored on the VM
• Externally managed
  • Keys are stored separate from the encryption engine

KEY MANAGEMENT
• Remote-key management
  • Key is on-premises with the customer
  • Data encryption/decryption processing done with the cloud provider
  • Key is sent to the cloud for processing
• Client-side key management
  • Key is on-premises with the customer
  • Data encryption/decryption processing done at the customer site
  • Data is sent to the customer for processing

PUBLIC KEY INFRASTRUCTURE


PKI
• PKI is the infrastructure of trust involved with obtaining, managing and verifying public keys
• PKI manages key generation and distribution
• Public keys are verified through CA signed certificates
• Without PKI it is very difficult to verify that a public key belongs to a specific entity


RA
Used to verify the identity of the user that the Public Key belongs to.
Identity could be confirmed by:
• Email address
• In person
• Government issued ID (Drivers License or Passport)

CA
• Digital Signatures and Asymmetric key cryptography rely on public keys to provide proof of origin
• Certification Authorities bind an individual or an organization to a public key
• Certification Authorities are the trusted third parties required to make non-repudiation work

X.509 CERTIFICATE
• Contains the public key and the name of its owner
• Signed by the CA
KEY STORAGE
• As in real estate... Location, location, location
• Primary site location is with the customer, NOT the cloud provider.
• Should be stored securely, NOT in a VM. If the key is stored in the VM, that means it would be saved in the object-based file that is the VM.
• Store in HSM or TPM


TRUSTED PLATFORM MODULE (TPM)
• Designed for one thing: security of the key
• A chip that is mounted on a motherboard.

HARDWARE SECURITY MODULE (HSM)
• Designed for one thing: security of the key. It can be used to create keys or store keys. Access to the HSM should be physically limited. Logical and physical controls need to be built into the box itself.
• Key ceremonies are used to generate or duplicate keys. This can take many people and many hours.
• Rack mountable
• Tested against FIPS 140-2
• https://aws.amazon.com/cloudhsm/

FIPS 140-2/FIPS 140-3
• Security Requirements for Cryptographic Modules
• Aligns with ISO/IEC 19790:2012(E)
• Testing for these requirements will be in accordance with ISO/IEC 24759:2017(E)

FIPS 140-2/3
• Level 1 – Lowest level. Must have basic security requirements such as an approved algorithm but NO physical security mechanisms.
• Level 2 – Level 1 plus tamper evident coatings or seals
• Level 3 – Level 2 plus attempts to prevent the intruder from gaining access, such as tamper detection/response circuitry that zeroizes the data/key when the cover is removed
• Level 4 – Level 3 plus complete protection with an elevated level of probability of detecting and responding to attempts at physical access that results in the immediate zeroization of data/keys. Tamper active.
MASKING, TOKENS, OBFUSCATION, ANONYMIZATION

DATA PROTECTION
• Masking
• Tokenization
• Obfuscation
• Anonymization

MASKING
• To hide data from visibility of the user (e.g., stars instead of the password on the screen)
• To cover the credit card number on a screen, whether the user’s screen or customer service’s
• People use a lot of different masking interpretations, but nothing is defined by CSA or NIST or ISO

TOKENIZATION
• To replace data with another value.
• Requires another database that stores the original data and the associated token, to convert the token back to the original data value.
• Great for credit card numbers in transit, e.g., PayPal, ApplePay, etc.

OBFUSCATION
• To confuse by obscuring data.
• Think about the Wingdings font. If you convert normal text to Wingdings, then it is obfuscated.
• You could say that encryption is obfuscation, but not all obfuscation is encryption.

ANONYMIZATION
• De-identification
• Bill 64 provides that personal information is de-identified if it no longer allows the person concerned to be directly identified.
• Personal information is anonymized if it irreversibly no longer allows the person to be identified directly or indirectly.
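The masking and tokenization slides describe two different operations on the same card number: masking is a one-way display transform, tokenization is a reversible substitution whose reversal lives only in a separate store. The block below is an added example written for this page, not code from the deck or any vendor; the card number is a constructed test-style value, and the in-memory TokenVault stands in for the separate token database the slide requires.

```python
import secrets

# Constructed sample card number (a test-style value, not a real account).
SAMPLE_PAN = "4111111111111111"


def mask_pan(pan: str, visible: int = 4) -> str:
    """Masking: keep only the last `visible` digits for display.
    One-way: nothing in the masked string leads back to the original PAN."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= visible:
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]


class TokenVault:
    """Tokenization: replace the PAN with a random token and keep the mapping
    in a separate store. Reversible, but only by whoever holds the vault."""

    def __init__(self) -> None:
        self._token_to_pan: dict = {}
        self._pan_to_token: dict = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:  # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            token = "tok_" + secrets.token_hex(8)  # random; no mathematical link to the PAN
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


def process_order(pan: str, vault: TokenVault) -> dict:
    """What leaves the payment boundary is the mask (for screens) and the
    token (for downstream systems); the PAN itself stays with the vault."""
    return {"display": mask_pan(pan), "token": vault.tokenize(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    order = process_order(SAMPLE_PAN, vault)
    print(order)
    print("vault resolves token back to PAN:", vault.detokenize(order["token"]) == SAMPLE_PAN)
```

The design point the slide makes is visible in the two functions: mask_pan needs no state and cannot be undone, while TokenVault is the "another database" that must itself be protected, because it is the only place the token regains meaning.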
EMERGING TECHNOLOGY

BIT SPLITTING
• Secret sharing made short (SSMS)
• All-or-Nothing Transform with Reed-Solomon (AONT-RS)

NEURAL NETWORK
• Neural networks reflect the behavior of the human brain, allowing computer programs to recognize patterns and solve common problems in the fields of AI, machine learning, and deep learning. ~IBM
DATA LOSS (LEAK) PREVENTION (PROTECTION)

DLP
• Prevent data from leaking out of a corporation’s network.
• A leak is an unacceptable transmission, either in the format of the transmission or the destination.
• ‘Describe the controls put in place by an organization to ensure that data (structured and unstructured) of value remains under authorized use and care’ ~SecaaS Category 2

DLPAAS
Using technology and administrators to control the loss of information.
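The DLP slide defines a leak by content and destination. As an added example (not code from the deck or from any DLP product), here is the core of a content inspector: it scans outbound messages for card-number candidates, confirms them with the Luhn check so that random 16-digit ticket numbers do not trip it, and decides an action from the destination. The message lines and the "sender -> destination: body" format are constructed for the example.

```python
import re

# Constructed outbound messages, e.g. lines from an email or chat gateway log.
SAMPLE_MESSAGES = [
    "alice -> external: quarterly numbers attached, call me",
    "bob -> external: customer card 4111 1111 1111 1111 exp 12/27",
    "carol -> internal: ticket 1234567890123456 escalated",   # 16 digits, fails Luhn
    "dave -> external: token tok_3f9a... ok to ship",
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like PANs and pass the Luhn check."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(message: str) -> dict:
    """Decide allow / alert / block from content plus destination."""
    sender, _, rest = message.partition(" -> ")
    destination, _, body = rest.partition(": ")
    pans = find_card_numbers(body)
    external = destination.startswith("external")
    if pans and external:
        action = "block"      # sensitive content leaving the organization
    elif pans:
        action = "alert"      # internal destination, but still worth logging
    else:
        action = "allow"
    return {
        "sender": sender,
        "destination": destination,
        "pans_found": len(pans),
        "last4": [p[-4:] for p in pans],  # never log the full number
        "action": action,
    }


if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(classify(line))
```

Two practical points are built in: the verdict is logged with only the last four digits, so the DLP log does not itself become a leak, and the Luhn filter is what keeps the false-positive rate usable on real traffic full of order and ticket numbers.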
DIGITAL RIGHTS MANAGEMENT

DRM
DRM software controls access to Intellectual Property (IP).
Allows control of content to include, but not limited to:
• Length of access
• Print capability
• Screen capture capability
• Copy/Paste capability
• Sharing controls
Examples: Netflix app, Kindle, iTunes, Spotify, Locklizard

DOCUMENT REVOCATION
• Documents are revoked from DRM/IRM software for many reasons
  • There is an updated version
  • Revoke after a certain number of views
  • Revoke at a specific time after first opening/viewing it
  • Revoke after it has been printed a certain number of times
DATA RETENTION, ARCHIVAL, DELETION

DATA RETENTION POLICIES
• GDPR
• HIPAA
• Copyright
• Patents
• Tax records
• There are many reasons data must be retained, or can no longer be retained

LEGAL HOLD
DATA ARCHIVAL
DATA DELETION

MATURITY MODELS


CMM – THE BEGINNING
• CMM was invented in 1986 by Carnegie Mellon for the DoD
• Capability Maturity Model
• Maturity is related to processes. How mature is your process?
  • First time and chaotic
  • Getting pretty good
  • Or…. simply very good at what you do in comparison to most everyone on the planet?

ORIGINAL CMM
1 – Initial
2 – Repeatable
3 – Defined
4 – Capable
5 – Efficient

CMMI – CAPABILITY MATURITY MODEL INTEGRATION
CMM was insufficient, so it evolved to CMMI so that it would integrate into the business better. This is the current MM for software development.
Level 0 – Incomplete. Ad-hoc and unknown
Level 1 – Initial. Process unpredictable, reactive
Level 2 – Managed. Process characterized for projects and reactive.
Level 3 – Defined. Process characterized for the organization and proactive.
Level 4 – Quantitatively managed. Process measured and controlled.
Level 5 – Optimizing. Focus on continuous process improvement

CMM ISO 21827
‘Standard metric for security engineering practices’ ~ISO 21827
Level 1 – Performed Informally
Level 2 – Planned and Tracked
Level 3 – Well Defined
Level 4 – Quantitatively Controlled
Level 5 – Continuously Improving

CLOUD CMM
From Oracle
1 – Ad hoc
2 – Opportunistic
3 – Systematic
4 – Managed
5 – Optimized

SECURITY AWARENESS MATURITY MODEL
• Level 1: Non-Existent Program
• Level 2: Compliance Focused
• Level 3: Promoting Awareness & Change
• Level 4: Long Term Sustainment
• Level 5: Metrics

PMM
1 – Initial
2 – Managed – Repeatable practices
3 – Defined – Competency-based practices
4 – Predictable – Measured & empowered practices
5 – Optimizing – Continuously improving practices


AUDITABILITY, TRACEABILITY AND ACCOUNTABILITY

DESIGN AND IMPLEMENT AUDITABILITY, TRACEABILITY AND ACCOUNTABILITY OF DATA EVENTS
• Definition of event sources and requirements of event attributes (e.g., identity, IP address, geolocation)
• Logging, storage and analysis of data events
• Chain of custody and non-repudiation
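The three bullets above come together in a tamper-evident data-event log: each record carries the attributes the slide names (identity, IP address, geolocation), each record's hash commits to the previous one, and a keyed seal over the head hash, held by a separate custodian, is what turns the chain into something usable for chain of custody. This is an added example written for this page, not code from the deck; the events, the seal key and the object names are constructed, and HMAC stands in for whatever signing mechanism a real system would use for the seal.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed data-access events carrying the attributes the slide lists.
SAMPLE_EVENTS = [
    {"time": "2021-06-01T12:00:00Z", "identity": "alice@example.com", "ip": "203.0.113.5",
     "geo": "US-CA", "action": "read", "object": "s3://example-bucket/customers.csv"},
    {"time": "2021-06-01T12:05:00Z", "identity": "bob@example.com", "ip": "198.51.100.9",
     "geo": "DE-BE", "action": "delete", "object": "s3://example-bucket/customers.csv"},
]

GENESIS = "0" * 64  # previous-hash value for the first record


def entry_hash(prev_hash: str, event: dict) -> str:
    """Each record commits to its predecessor's hash, so altering or removing
    an earlier record changes every hash after it."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(log: list, event: dict) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    record = {"event": event, "prev": prev, "hash": entry_hash(prev, event)}
    log.append(record)
    return record


def seal(log: list, key: bytes) -> str:
    """Keyed seal over the head hash. The key is held outside the log store,
    so a rebuilt chain cannot be re-sealed by whoever rewrote the log."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify(log: list, key: bytes, seal_value: str) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of the first broken record or None if the chain is
    consistent but does not match the seal)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    if not hmac.compare_digest(seal(log, key), seal_value):
        return False, None
    return True, None


def demo(key: bytes) -> dict:
    log: list = []
    for ev in SAMPLE_EVENTS:
        append(log, ev)
    sealed = seal(log, key)
    intact = verify(log, key, sealed)

    # Case 1: the identity on the delete event is edited in place; hashes untouched.
    edited = json.loads(json.dumps(log))
    edited[1]["event"]["identity"] = "mallory@example.com"
    edited_result = verify(edited, key, sealed)

    # Case 2: the chain is rebuilt consistently after the edit; only the seal catches it.
    rebuilt: list = []
    for rec in edited:
        append(rebuilt, rec["event"])
    rebuilt_result = verify(rebuilt, key, sealed)

    return {"intact": intact, "edited": edited_result, "rebuilt": rebuilt_result}


if __name__ == "__main__":
    print(demo(b"constructed-seal-key-held-by-custodian"))
```

The two failure cases show why both pieces are needed: hash chaining alone localizes an in-place edit to a record index, but a party who controls the whole store can simply regenerate the chain, and only the externally held seal distinguishes the regenerated log from the original.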
EVENT SOURCES

QUESTIONS?