Data Life Cycle
Create, Store, Use, Share, Archive, Destroy
Create
The generation or acquisition of new digital content or the alteration/updating of existing content. Preferred time to classify content.
Store
Act of committing digital data to some sort of storage repository protected in accordance with classification level
Use
Data is viewed or processed in some way, not including modification. When data is most vulnerable. DLP, IRM, FIM, DAM
Share
Information is made accessible to others. DLP, IRM
Archive
Data is leaving active use and entering long term storage. Must still be protected according to classification.
Destroy
Data is removed from the cloud provider. Consider regulation, sip model, and classification when choosing the method.
Location/Access
Not specified in data life cycle model
Key Data Functions(3)
Access, Process, Store
KDF Access
View data. Includes: copy, file transfer, information exchange
KDF Process
Perform transformation on the data, update.
KDF Store
Put Data in a file, db, etc.
Access Mapping to DL
All
Process Mapping to DL
Create and Use
Store Mapping to DL
Store and Archive
Functions/Locations/Actors
Must be documented and understood in order to apply appropriate controls.
Virtual Storage
VHD attached to a VM. EBS and Rackspace RAID. (IaaS)
Object Storage
Similar to a file share, accessed via API or web interface. S3 or Rackspace Cloud Files (IaaS)
Structured
High degree of organization, like RDS. (PaaS)
Unstructured
Includes Text, multimedia (email, videos, photos) (PaaS)
Information Storage & Management
Data entered via Web and stored in DB on object or virtual storage (SaaS)
Content/File Storage
File based content stored in application (SaaS)
Ephemeral Storage
Lasts as long as the instance is running (IaaS)
Content Delivery Network (CDN)
Content stored in object storage then distributed to multiple geographic nodes (SaaS)
Raw Storage
Enables storage logical unit number (LUN) to be directly connected to a VM from SAN. VMware server
Long Term Storage
Service for Data Archiving
Storage Threats (9)
Unauthorized Use
Unauthorized Access
Compliance
(D)DoS
Modification/Destruction
Data Leak/Breach
Theft or Accidental Loss of Media
Malware Attack
Improper treatment or sanitization
Unauthorized Use
Manipulation of data by an unauthorized actor
Unauthorized Access
Can happen due to hijacking, improper permissions in a multi-tenant environment or CP employee
Compliance
Certain controls may be required but not available
(D)DoS
Availability impact: data is unreachable and instances won't launch
Modification/Destruction
Caused by human error, HW/SW error, fire, flood, hacks.
Data Leakage/Breach
Can be external or CSP employee with storage access
Theft or accidental loss of media
Applies to portable storage
Malware attack
Goal is to reach data storage
Improper treatment or sanitization
Cannot enforce physical destruction in a cloud environment
DLP Components (3)
Discovery & Classification
Monitoring
Enforcement
Discovery & Classification
Maps cloud storage services and databases and enables classification based on data categories
Monitoring
Key DLP function. Checks usage of data across locations and enables administrators to define policies
Enforcement
Options include alert, log, block data transfer, re-route for additional validation, encryption
DLP Architecture Topology
DIM
DAR
DIU
DIM
Network/gateway based. Monitors protocols. SSL interception/broker required for HTTPS inspection
DAR
Storage based. Effective for discovery and tracking usage
DIU
Client/Endpoint based. Insight into how data is being used. Complex, resource intensive, difficult to implement.
DLP Considerations (3)
Data in cloud tends to move and replicate
Admin access for enterprise data in cloud, tricky
Can affect performance
DIM Encryption Implementations
IPSEC/VPN, TLS/SSL
DIU Encryption Implementations
Less Mature. IRM/DRM
Encryption Challenges (12)
Integrity based on key management
CP may be required to process data
Data is portable in cloud (regional/ksm)
Multi-tenancy & Co-Location
Secure HW may not exist in all CSP services
Storage Level less complex and less effective
Impacts performance
Cloud r
Basic Storage Encryption
Encryption engine on storage management and keys with the provider. Helps against theft or loss of media, but not against CP access or attacks at higher layers.
Volume Storage Encryption
Addresses physical loss or theft, external admins accessing storage snapshots, and storage-level backup theft. Does not protect against access via the instance.
Volume Storage Encryption methods (2)
Instance based
Proxy based
Object Storage Encryption
Offers server-side storage-level encryption; encrypting data prior to its arrival is recommended
Object Storage Encryption methods (2)
File level - IRM/DRM engine on client
App level - Engine on application or proxy
DB Encryption Types (3)
File level
Transparent
Application level
File Level DB Encryption
Engine and Keys on instance. Will not protect against application layer, OS, instance, or DB attacks
Transparent DB Encryption
Engine within the DB, keys can be within the instance or offloaded to KMS.
App Level DB Encryption
Engine inside application or proxy. Difficult to index, search, and collect metadata.
Key Management Challenges (3)
Access
Storage
Backup/Replication
KM Access
Compliance may dictate that the CP may not have access to keys
KM Storage
May not be able to put keys in secure dedicated HW
KM Backup/Replication
Multiple copies and formats may affect KM effectiveness
Key Storage Management (3)
Internally - keys stored on VM acting as engine
Externally - keys are separated from encrypt engine
3rd Party - keys are escrowed
KM in Software
Does not meet NIST FIPS 140-2 / FIPS 140-3 specifications
Encryption Alternatives (3)
Masking/Obfuscating
Anonymization
Tokenization
Masking Approaches (5)
Random Substitution
Algorithmic Substitution
Shuffle
Masking
Deletion
Masking Methods (2)
Static - New copy of the data is made
Dynamic - "on the fly", layer between DB and application
Masking/Obfuscating
Hiding/Replacing/Omitting sensitive data
Anonymization
Process of removing indirect identifiers to prevent data analytic tools from inferring subject
Tokenization
Substituting sensitive data with non-sensitive data
Bit Splitting
Splitting up and storing encrypted information across different cloud storage solutions
Bit Splitting Benefits (3)
Increased Confidentiality
Harder to gain legal access
Scalable
Bit Splitting Challenges (3)
CPU intensive
Need to pull data back over the wire, with associated security concerns
Availability risks
Secret Sharing Made Short (SSMS)
Encrypt information
Run Information Dispersal Algorithm (IDA)
Split encryption key
All-or-Nothing Transform with Reed-Solomon
Encrypts and transforms into blocks
Dispersal (IDA) to split blocks
Homomorphic
Enables processing of encrypted data without the need to decrypt it
Data Discovery Trends (3)
Big Data
Real Time Analytics
Agile Analytics/Business Intelligence
Data Discovery Techniques (3)
Metadata
Labels
Content Analysis
DDT Metadata
Most common data discovery method; uses DB store, column names, size, type
DDT Labels
Data elements must be grouped or tagged on creation or over time
DDT Content Analysis
Actual data is examined via probability analysis, e.g. Luhn check
Data Discovery Issues (3)
Poor Data Quality
Dashboard Accuracy
Hidden Costs (RAM)
Data Discovery Challenges (3)
Where your data is
Accessing the data
Preservation and maintenance
Data Classification Challenges with Cloud Data (5)
Creation
Classification Controls
Metadata
Data Transformation
Re-Classification
DC Creation
CSP needs to ensure security controls are in place to force the classification
DC Controls
Controls must be in place to ensure who can create
DC Metadata
Metadata must be available to the controls if classification is based on it
DC Data Transformation
Controls need to be in place to ensure the classification property can survive an object format change
DC Re-Classification
Must support this process based on data life cycle
FTC
Has authority to issue and enforce privacy regulation in specific areas (telemarket, spam, children's privacy)
Personal Data Processing (2)
'opt-out' via consent
'opt-in' for sensitive health care
4th Amendment
Unreasonable search and seizure; applies to data stored in cloud
95/46/EC
Processing of personal data and free movement
2002/58/EC
Protection of privacy in the electronic communications sector. Data breaches and cookies
APEC Privacy Framework
Flexible approach to privacy protection and avoids unnecessary barriers to information flows
Applicable Law
Legal regime applicable to certain matter
Jurisdiction
Ability of national court to decide/enforce
Data Subject
Identifiable directly or indirectly via ID number or factors specific to their physical, physiological, mental, social identity
Personal Data
Any information relating to an identified person
Processing
Operations performed on personal data
Controller
The entity who determines the purpose and means of the processing of personal data
Processor
The entity that processes Personal Data on behalf of the controller
Classification of Personal Data
Not only the nature of the data should be traced with classifications but also its relationship to the P&DP law context in which the data itself should be processed.
Data Classification of Sensitive Data Primary Entities (7)
Scope and Purpose of processing
Categories of the personal Data
Category of users allowed
Data Retention Constraints
Security Measures
Data Breach Constraints
Status
DC Scope and Purpose Processing
Represents the main footprint that influences the set of typical P&DP fulfillments
DC Categories of Personal Data
Type of data as identified for purposes of P&DP law
DC Category of Users Allowed
Accessibility of the data
DC Data Retention Constraints
Data must be retained for specific time then erased in accordance with P&DP
DC Security Measures
Provides basis for control based on data leakage prevention and data protection
DC Data Breach Constraints
Several P&DP laws around the world already provide for specific obligations for this
DC Status
Defines a specific state of the data which may require/prohibit necessary actions/processing
DC NOTE
The classification method itself may conflict with some laws/jurisdictions, e.g. extrapolation of data sets
Key Privacy Cloud Service Factor
Properly clarify in terms of contractual obligations the P&DP requirements between customer and CSP
Privacy Level Agreement (PLA)
CSA defined baseline for compliance with data protection legislation and leading practices
PLA Key Characteristics (3)
- Clear effective way to communicate level of DP by SP
- Tool to assess the level of an SP's compliance with DP legislation
- Offer contractual protection against financial damages due to non-compliance
CSA Cloud Control Matrix
Security control framework to provide mapping with main industry security standards
Information Rights Management features (4)
ACL on top of Data Object
File location agnostic
Not limited to documents (email, webpages)
Useful for IP policy baseline
IRM Cloud Challenges (7)
- Each resource provisioned w/access policy & each user with account and keys
- Implementing the right RBAC is crucial
- Can use central or federated ID model
- May need local IRM agent; external users?
- Not compatible with all readers
- Mobile compatibility
- IRM
IRM Key Capabilities (10)
- persistent protection
- dynamic policy control
- automatic expiration
- continuous audit trail
- supports existing authorization structure
- maps ACL permissions to policy
- integrates with 3rd party email filters
- supports email apps
- supports multip
IRM Additional Security features (6)
- who can access
- prohibit printing
- disable copy/paste
- watermark printing
- expire/revoke
- complete audit trail
Data Protection Policies (3)
Retention
Deletion
Archiving
DPP Retention
Organization's established protocol for keeping information for operational or regulatory compliance needs
DPP Retention Objectives (3)
Keep important information for future use
Organize information so it can be searched
Dispose of unneeded information
Data Protection Policy should define (4)
Retention periods
Data formats
Data Security
Retrieval Procedures
Data Retention Policy for Cloud (5)
Legislation, Regulation, and Standard Requirements
Data Mapping
Data Classification
Data Retention Procedure
Monitor and Maintenance
Data Deletion Options (4)
Physical
Degaussing
Overwriting
Encryption
Crypto-Shredding
Process of encrypting the data and then destroying the keys in order to dispose of it
Archiving
Process of identifying and moving inactive data out of current production systems into long term storage
Policy for Data Deletion in Cloud (6)
Data encryption procedures
data monitoring procedures
Ability for eDiscovery and granular retrieval
backup and DR options
Data format and media types
Data restoration procedures
OWASP Application Monitoring (9)
Input validation failures
Output validation failures
Authentication success/failures
Authorization success/failures
session management failures
application errors and system events
system startup/shutdowns
high risk functionality
Legal and other opt-ins
Preservation
ISO 27037:2012: Process to maintain and safeguard the integrity and/or original condition of potential digital evidence
SEM
Real time monitoring, correlation, notification, console view
SIM
Long term storage, analysis, and reporting of log data
SIEM Capabilities (7)
Data Aggregation
Correlation
Alerting
Dashboards
Compliance
Retention
Forensic Analysis
Continuous Operations Support (4)
Audit Logs
Contract/Authority Maintenance
Secure disposal
Incident response/legal preparation
Chain of Custody
Preservation and protection of evidence from time it is collected to time it is presented in court