Architecture, Monitoring and Additional Controls


Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
Data security architecture, monitoring, auditing, and alerting, and additional data security controls are all topics that we will be covering in this video.

As a Cloud customer, you rely on the provider for strong metastructure security. We previously discussed the financial incentives of the provider to keep this level of security; otherwise, nobody will want to use them. The metastructure security protects the management plane, but it also protects the overall Cloud network from compromise. You can then architect your data security knowing it's safer to keep things within the provider's metaphorical walls.

As an example, let's consider transferring data between resources that reside in different AWS regions. VPC is the AWS term for a virtual network that you define using SDN. A VPC cannot span more than one region, which in this example means the different Cloud resources that need to talk will be in different VPCs. You could create public endpoints in each VPC and have the resources communicate over the general internet. Assuming you encrypt the data in transit between the two endpoints, this is still going to expose an attack surface that you can avoid with other architectures. AWS's VPC peering approach allows you to connect two VPCs, even if in completely different regions, and the resources within those separate VPCs can communicate. However, all the communication goes over the AWS network backbone, and this means it does not get exposed to the general internet. If you've employed network isolation and the VPCs have overlapping IP space, this specific approach won't work. Depending on the payload size of the information that you're transferring between resources in the two VPCs, there are other options like message queuing services and even S3 cross-regional replication, both of which also benefit by keeping the data within the provider's backbone.

I hope these different examples hit home to you about using architecture, leveraging the provider's infrastructure to keep your data as secure as possible, and keeping it within the walls, within the constraints and control of the provider's resources.

Domains 3, 6, and 7, which are covered in Modules 4, 7, and 8 of this training, talk about monitoring, auditing, and alerting in more detail. Looking at these through the specific lens of data security, there are a few information sources you'll want to lean on more than others. For example, metastructure logging: focus on getting the API activity logging, as well as logging related to PaaS services that you might use. Applistructure logging: this is pulling traditional event logs from virtual machines and applications running on those virtual machines, and you're going to pipe them all into a software incident and event management system. Also, consider using database access management to monitor and keep track of all the data used. Be sure these log files are all in a safe and secure location. This makes it hard for an attacker to remove evidence of their escapades and also establishes a good chain of custody in the event that you need to rely on those logs in some prosecution.

We're going to cover a few additional data security controls to take into consideration. Cloud platform and provider-specific controls can be very valuable. They vary based on the specific provider, and they're constantly expanding, especially those of IaaS providers. For example, Azure has web application gateway, which provides a built-in web application firewall capability. Google's Cloud Security Command Center gives you anomaly detection using machine learning, and it also provides some data loss prevention capabilities. You're going to really want to rely on your provider and knowledge of the provider's documentation to understand the specific capabilities that are out, that are coming, and more importantly, how to use them and integrate them into your Cloud-based architectures.

We spoke about DLP earlier in this very domain. Since it's repeated in the CSA security guidance, it's something you really want to know about for the CCSK exam, so we'll summarize a few key points about DLP here. It detects data exfiltration and data misuse. However, it requires a lot of configuration and training. Often this will be done by the DLP provider itself and then tuned for your specific scenario and the kind of data that you're on the lookout for. It sits at either endpoints or network egress points, or it can be pointed to specific data storage locations to monitor those, and that's how it gets integrated into the full picture so that it can monitor accordingly the use and transfer of data. We also spoke about CASBs and the fact that DLPs often come bundled with or integrate closely with the CASB providers, since the two technologies often go hand in hand when we're looking specifically at the use of Cloud and the use of SaaS-based services.

Enterprise rights management allows you to control the actions performed on specific media. Personally, I'm quite familiar with this. You may recall that I worked in the entertainment industry, and so as a consumer, you've been exposed to the consumer equivalent, which is referred to as digital rights management. This is where they're keeping track of and putting controls around who can use which music files, who can watch videos, replay videos, send videos to your friends. Long gone are the days of MP3s, which had absolutely no digital rights management in them. Literally, if you had the file, you could play the music. In more modern situations such as the iPod, the music that you get can only be played by you, and if you were to take that file and send it to somebody else, they can't use it. Well, under the covers, they're implementing digital rights management technologies. These actions also can be applied into enterprise rights management, since you're going to create digital media yourself that you may want to have tighter controls on. Full DRM actually relies on encrypting the file. Technically, the files that you're getting in your iPod, they're not MP3s; they are encoded using a particular technology called AAC, Apple Audio Codec, but then there's an additional layer wrapping around them to encode that information, and it can only be decrypted through the use of a centralized server, which then says who you are, do you have the right to view this file, and then it's going to allow for the decryption to take place on the device. The same situation applies for enterprise rights management. If you were to send this encrypted file to some SaaS provider, they're not going to know what to do with it unless they themselves support this particular technology used for rights management of the content. However, providers may have their own controls available. For example, you can restrict how someone can interact with your Office 365 document that you're sharing. You can restrict it on the device that they can view it on, the actions they can take, etc.

Data masking and test data generation is based on tokenization, something we previously covered. You may recall this is where you preserve the format of specific data, commonly textual string data, but you're altering the values of that actual data using either substitution techniques, data shuffling, format-preserving encryption, or just standard mask out. So here I have a simple example. You have a credit card number, and then with the mask-out technique, you would be X-ing out all of the values except for the last four digits of the credit card. You can accomplish data masking through two different approaches. There is test data generation, also referred to as static masking. In this approach, you're going to do an extract of data from the production database. You're going to transform it; in other words, you're going to do a pass-through and perform the masking activities and apply the different algorithms to essentially clean your data, and then you're going to load it into a test environment. Alternatively, there is the concept of dynamic masking, which typically is going to involve a proxy on the way the data is leaving, either leaving the storage or leaving the underlying database, and it's going to intercept that data in transit and then modify and alter the data in transit.

In this video, we went over data security architecture, leveraging the platform provider's capabilities. We talked about monitoring, auditing, and alerting, specifically the kind of logs that you want to take into account and how you want to be sensitive in the way you treat those logs. Then we went over a variety of different data security controls that exist: Cloud provider controls, DLP, enterprise rights management, data masking, and test data generation.
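The masking techniques and the static versus dynamic approaches described in the transcript, as an added Python example that is not part of the course material: mask-out of a card number keeping the last four digits, a keyed substitution that preserves format, column shuffling, a static extract-transform-load pass that produces a cleaned copy for a test environment, and a proxy-style dynamic masker that rewrites rows in transit. The sample rows, the key, and all function names are constructed for illustration; the substitution scheme is a hypothetical keyed-hash mapping, not a standard format-preserving encryption cipher.

```python
import hashlib
import hmac
import random

# Constructed sample "production" rows; the names and card numbers are made-up test values.
PRODUCTION_ROWS = [
    {"id": 1, "name": "Alice Example", "card": "4111111111111111", "city": "Lyon"},
    {"id": 2, "name": "Bob Sample", "card": "5500000000000004", "city": "Oslo"},
    {"id": 3, "name": "Carol Test", "card": "340000000000009", "city": "Kyoto"},
]

def mask_out(card: str, keep_last: int = 4) -> str:
    """Standard mask-out: X out every digit except the last four, preserving length."""
    return "X" * (len(card) - keep_last) + card[-keep_last:]

def substitute(value: str, key: bytes) -> str:
    """Format-preserving substitution (a hypothetical scheme, not a standard FPE cipher):
    digits stay digits, letters keep their case, separators stay put, and the same input
    always yields the same token because the replacement stream is a keyed hash."""
    stream, counter = b"", 0
    while len(stream) < len(value):  # stretch the HMAC output to cover long values
        stream += hmac.new(key, value.encode() + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    out = []
    for ch, b in zip(value, stream):
        if ch.isdigit():
            out.append(str(b % 10))
        elif ch.isalpha():
            out.append(chr(ord("A" if ch.isupper() else "a") + b % 26))
        else:
            out.append(ch)
    return "".join(out)

def shuffle_column(rows: list, column: str, seed: int) -> list:
    """Data shuffling: real values survive but are reassigned across rows (seeded for repeatability)."""
    values = [r[column] for r in rows]
    random.Random(seed).shuffle(values)
    return [{**r, column: v} for r, v in zip(rows, values)]

def static_mask(rows: list, key: bytes, seed: int = 7) -> list:
    """Static masking / test data generation: extract, transform each sensitive column,
    and return a cleaned copy to load into a test environment. Input rows are not mutated."""
    cleaned = [{**r, "card": mask_out(r["card"]), "name": substitute(r["name"], key)} for r in rows]
    return shuffle_column(cleaned, "city", seed)

def dynamic_mask(result_stream, policy: dict):
    """Dynamic masking: a proxy-style generator that rewrites rows in transit, so the
    production store is untouched and only the masked view reaches the consumer."""
    for row in result_stream:
        yield {col: policy[col](val) if col in policy else val for col, val in row.items()}
```

The static pass is what you would run once to populate a test database, while the dynamic generator is the shape of a query-result proxy that applies a per-column policy on every read.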