Domain 11 Knowledge Recap
Video Activity

Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
00:01
>> We covered quite a bit in this module. It's all focused on data security and encryption. We spoke about security controls and described the different storage types, ways to manage data migrations, methods to secure the data once it's already been migrated into the Cloud, and we dove into specifics of IaaS, PaaS, and SaaS strategies for managing this encryption of data. We introduced keys and key management and different techniques to manage the encryption keys. Then we closed out looking at the way you want to architect to maximize your data security, monitoring to enforce data security, and then additional controls that you can put in place to keep your data secured once it's sitting in the Cloud.

Let's do a few end-of-module quiz questions just to see what information you've retained, and maybe you need to go back to some sections to revisit it.

Which storage type is mounted to a single virtual machine and stores data at the block level: object storage, volume storage, database storage, or application and platform storage?

The answer is B, volume storage. Object storage, you may remember, is usually exposed via APIs, and multiple machines or clients can be accessing this data at the same time, like a shared network storage. Volume storage is that virtual hard drive. This mounts to the virtual machines themselves and is used to persist information that the operating system wants to store. It's done at the block level. Database storage is going to be abstracted from you because we are talking about a database PaaS service. It's probably going to use a similar technique to volume storage, but it may really vary depending on the providers. It's not something I'd bank on. Then application and platform storage is comparable to database storage. It's up a level, so you really can't say that it's mounted to a single virtual machine. We have a lot of different strategies that the platform providers are going to give you. Let's proceed on to the next question.

What is the biggest shortcoming of encrypting data in transit to a SaaS using the proxy approach? SaaS capabilities that process the data may not know how to interpret the encrypted data; the SaaS doesn't have access to customer-managed keys; unnecessary processing if the SaaS is already using HTTPS; or SaaS users can't view decrypted data unless they are behind the proxy.

Think about it a second, and the answer is A. When you're sending the data using the proxy approach, it's leaving the proxy and heading into the SaaS and it's already encrypted. That means certain SaaS capabilities may not know how to deal with that data. Search capabilities and so forth may not work because the data is encrypted as it's going into the SaaS. It's even encrypted before the SaaS, as opposed to having the SaaS encrypt the data on the backend. B is another one. You could argue it's that the SaaS doesn't have access to customer-managed keys. If the SaaS did have access to the customer-managed keys, then maybe they could build out functionality to decrypt the encrypted data, but that's really not the biggest shortcoming. This is one of those where it's usually a little bit of a judgment call; look at the keywords. "Biggest shortcoming" being the key words here. Unnecessary processing if the SaaS already uses HTTPS: our objective in a lot of the conversations of this module is really on encrypting the data when it's at rest. HTTPS, often using TLS, is a great way to encrypt the data when it's in transit from the client to the server, but the point of encrypting the data using the proxy encryption is that the data itself is encrypted, not only when it's in transit, but also when it is in storage. Final answer: SaaS users can't view decrypted data unless they are behind the proxy. In fact, that's one of the reasons you would want to use this proxy approach. You're limiting who can interact with that SaaS or, more specifically, who can make heads or tails out of the data coming out of the SaaS. If they're not behind the proxy, then they can. If somebody outside your organization does get access to your SaaS for some reason, all the data is encrypted. That really is actually the reason you'd want to use proxy-based encryption.

Continuing forward with the last question of this module: what capability will most improve a SaaS provider's enforcement of tenant isolation? Very important. Using AES 256-bit encryption; employing an HSM to store provider-managed keys; using customer-specific keys for data encryption; or telling the customer they need to manage keys in an on-premise HSM.

What will most improve a SaaS provider's enforcement? Which one will? The answer is going to be, let's see, C, customer-specific keys for data encryption. Using AES encryption is something that providers should do. It's definitely helpful; that ensures that data is encrypted at rest. But that encryption is going to rely on a key. If all the tenants of the same SaaS provider are using the same key, then you get that key, one tenant gets the key, and they can decrypt the data for every tenant. That's not going to be a big gain in enforcing this tenant isolation. Employing an HSM to store provider-managed keys: another good practice for the SaaS provider to do. But again, if all their data at rest is using the same key, it's not going to help you out a bunch. Or C, customer-specific keys for data encryption. We talked about that; definitely valuable. One tenant's data is encrypted using one key. If that key gets lost, it reduces the blast impact. We have defense in depth; there's a lot of things that need to happen. Your data is not necessarily at risk until the key associated with your data has been exfiltrated or discovered in some method. Finally, telling the customer they need to manage keys in an on-premise HSM. That's not something that many customers will want to do. That's why they're using SaaS: to reduce the footprint and the amount of effort required to take advantage of the different services, and certainly building out on-premise won't work. It would also be a big burden on the SaaS because they would then need to integrate with all these different HSMs that different customers are using to retrieve the keys that are stored in the HSM. Really just not a reasonable scenario.

That wraps it up for this module on data encryption and protection in the Cloud. I look forward to working with you on these final few domains. This is a big push here; we're covering a lot. The CCSK is very broad. I congratulate you for making it this far, and I look forward to finishing this out. Thank you.