Data Security in the Cloud


Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
Our next topic is going to be data security in the Cloud. The world's really changed a lot in the last 10 years or so, when everything's been moved from being on-premises to being stored with their Cloud service providers. In many ways we see a lot of benefits, like easier access, and we see a reduction in cost. But there are certainly trade-offs for that, so we have to consider how we protect data that's at our Cloud service provider and what strategies we have in place.

If we think about data in the Cloud, first of all, we have to think about moving to and moving from the Cloud. We're storing data at our Cloud service provider, and that's going across our Internet access or whatever means we have in place. Once again, we don't have secure protocols when we think about IP as far as moving data to and from, so we have to add transport security: SSL and TLS. We also talked about IPSec in the previous section, and I didn't have it mentioned here, but SSH, or Secure Shell, can also help us protect data moving to and from the Cloud.

Now, once data is in the Cloud, stored on the Cloud service provider's servers, then we need encryption. Now, there's the degree of encryption, where we store the keys, and who has the responsibility of verifying the encryption and securing the data. Remember, with data security, I am always liable for the protection of my data. We can't just say, "Oh, it's now the Cloud service provider's responsibility." They may have to compensate us if there's a breach, but ultimately the liability resides with us, so we want to make sure that our data is protected according to our security policies, and that's going to require that we have good third-party governance in place and that we make sure that our service level agreements meet the needs of our organization. Usually, our Cloud service provider isn't going to change what they provide in their SLAs to meet our needs, so it's our job to make sure that we choose a Cloud service provider that fits the requirements of the company.

Now, for protection of data migration to the Cloud, really we think about exfiltration: data that shouldn't leave the premises being moved up to the Cloud for storage or for distribution or whatever purpose. In the last section we mentioned our data loss prevention systems, and that's really their benefit. They're going to be able to alert on or even block data that's being transferred to a location that it shouldn't be, as the DLP system is configured. It's primarily looking at specific formats or specific types of data, perhaps data with specific classifications or certain labels associated with it, and being able to prevent things like emailing, transferring, uploading, downloading, printing, whatever, for those specific file types.

Now, data dispersion: if you've ever gone to download a file and it asks you, "Would you like to download from the server in San Diego or the server in New York?", you're being given a couple of different destinations from which to download the file, and a lot of times that's to increase performance. But that also gives us redundancy of data and gives us increased availability, which is a concern of security as well, so that's helpful. Cloud service providers may fragment our data. For instance, I have a set of data and our CSP may shard the data, which means dividing our data up into smaller fragments, and those fragments are usually stored across distributed systems. That way, if a single system is compromised, that attacker doesn't have full access to the data, but only a portion of it. Now, of course, that causes performance issues, but from a security perspective that's helpful.

Then the last point I'll make here for data security in the Cloud is the need for crypto-shredding. In a little bit we'll talk about data remnants and the importance of removing data from systems that we're no longer working with, and that could sometimes involve physical destruction of a drive or overwriting that drive with ones and zeros. But really, when we think about data stored in the Cloud, we don't have a lot of ways that we can ensure data remnants are removed. I don't get to shred the hard drive of my Cloud service provider or even to overwrite it with ones and zeros. But what I can do is encrypt my data with a strong, publicly known algorithm and destroy the key, and that's referred to as crypto-shredding.

Now, I did want to stress that I'm going to encrypt it with a strong, publicly known algorithm. You know, there's a lot of discussion in the security community about what's best: open source, closed source. As a general rule, the CISSP exam is going to favor open, so if we use a strong, publicly known algorithm, that means that this is an algorithm that's been around, it's tried and true, and the cryptographic community has had access to it. Because if the cryptographic community has access to it, they can break it and put it back together stronger. It's the idea that many heads are better than one. With these publicly known algorithms, they've survived the test of time, and usually the assumption is we have peer review. I've got to tell you, the reality is that's not always the case. Not all open algorithms are more secure than closed algorithms. But just as a general rule, usually the security community does prefer that idea of openness.

To wrap up, we just talked about some specific types of threats for data in the Cloud. We talked about the idea of storage access control and exfiltration, and then we talked about making sure that, for our Cloud service provider resources, all data remnants have been removed from those resources that are the property of our Cloud service provider. Just some ideas about how to protect data in the Cloud.
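The crypto-shredding and key-custody points above, as an added worked example that is not part of the course or its author's material: the data owner keeps a per-object data-encryption key wrapped under a key-encryption key it controls, hands only AES-256-GCM ciphertext to the provider, and "shreds" an object by destroying its key, after which the ciphertext on the provider's disks is unreadable even though it was never overwritten. The KeyStore type, the seal/unseal helpers, the object name and the sample record are all constructed for this example; a real deployment would put the key store in a KMS or HSM rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore is a hypothetical in-memory stand-in for a key management service the data
// owner controls: each object gets its own DEK, held only wrapped under the owner's KEK.
type KeyStore struct {
	kek     []byte
	wrapped map[string][]byte // object ID -> wrapped DEK (nonce || AES-GCM ciphertext)
}

func NewKeyStore() *KeyStore {
	return &KeyStore{kek: randomBytes(32), wrapped: map[string][]byte{}} // AES-256 KEK
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, prefixing a fresh nonce; aad binds the blob to its object ID.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// unseal reverses seal; it fails on a wrong key, a wrong aad, or any tampering.
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Encrypt returns the ciphertext handed to the CSP. The DEK is used once, wrapped under
// the KEK, and never stored in the clear.
func (ks *KeyStore) Encrypt(objectID string, plaintext []byte) ([]byte, error) {
	dek := randomBytes(32)
	wrapped, err := seal(ks.kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	ks.wrapped[objectID] = wrapped
	return seal(dek, plaintext, []byte(objectID))
}

// Decrypt unwraps the object's DEK and opens the blob fetched back from the CSP.
func (ks *KeyStore) Decrypt(objectID string, ct []byte) ([]byte, error) {
	dek, err := unseal(ks.kek, ks.wrapped[objectID], []byte(objectID)) // nil after Shred
	if err != nil {
		return nil, fmt.Errorf("no usable key for %q: %w", objectID, err)
	}
	return unseal(dek, ct, []byte(objectID))
}

// Shred is the crypto-shredding step: zero the wrapped DEK and forget it. The ciphertext
// still sits on the provider's disks, but nothing can open it any more.
func (ks *KeyStore) Shred(objectID string) {
	for i := range ks.wrapped[objectID] {
		ks.wrapped[objectID][i] = 0
	}
	delete(ks.wrapped, objectID)
}

func main() {
	ks := NewKeyStore()
	id := "bucket/customer-4711.json" // constructed sample object name
	blob, _ := ks.Encrypt(id, []byte("customer-4711: retention period expired"))
	back, err := ks.Decrypt(id, blob)
	fmt.Printf("before shred: %q err=%v\n", back, err)
	ks.Shred(id)
	back, err = ks.Decrypt(id, blob)
	fmt.Printf("after shred:  %q err=%v\n", back, err)
}
```

Two design choices carry the lecture's point. The object ID is passed as GCM associated data, so a wrapped key or ciphertext copied from one object cannot be opened as another; and shredding touches only the owner's key store, never the provider's storage, which is exactly why the strength of the publicly reviewed algorithm is what the data's destruction rests on.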