CCSK

Course
Time
9 hours 29 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Transcription

00:01
This video focuses on managing cloud data migrations. We'll start off talking about cloud application security brokers and data loss prevention, we'll get into specifics of managing cloud data migrations,
00:14
and we'll finish up with the review on securing data transfers.
00:20
Cloud application security brokers, or CASB for short, are primarily used to monitor and protect the use of SaaS applications. The CASB sits at egress points on the network you are trying to monitor so it can view the outgoing traffic.
00:36
Initially, it just observes the flow and figures out the various SaaS applications being used by performing DNS lookups
00:44
and relying on databases that the CASB suppliers will manage. This allows you to get a feel for what is being used,
00:51
and sometimes the CASB can be set up in such a way that it can tell you who is accessing which SaaS providers. After discovery, security admins can use the CASB to set up preventative controls that block access to certain SaaS products. This capability is being quickly replaced through integration of DLP,
01:10
something we will talk about shortly.
01:11
Through integration with a DLP service, you can allow access to certain SaaS products, but also control the kind of activities or information being sent to the SaaS provider.
01:22
For example, if somebody uses LinkedIn, you can restrict certain keywords or statements from being sent to the platform. Consider making sure that somebody isn't divulging upcoming financial results for your company before they have been publicly announced. Alternatively, you may want to keep a lid on conversations about certain confidential projects.
01:41
API integration is another aspect that some CASBs can offer.
01:44
When you're considering a CASB for API integration, you're looking to determine how people are using the different cloud products and understanding the metastructure of the offering. This even allows you to monitor how IaaS and PaaS services are being used. For example, the CASB can tell you the amount of logins that have occurred
02:01
and other details about the cloud environment itself.
02:05
You need to pay particular attention to whether the CASB vendor supports the platform APIs that you are actually consuming. CASB is a maturing technology and undergoing rapid changes. When you're investigating CASBs, it is very important that you perform vendor comparisons based on what you actually need versus what the CASB vendors offer.
02:23
After all, who cares if the CASB supports the most APIs by volume
02:27
if it doesn't support any of the providers you use or plan to use in the near future? The same could be said for integrations, being able to leverage external DLP solutions. Using CASB to control and monitor PaaS and IaaS is a fairly new capability in the marketplace. In other words, don't rely on the CASB to be
02:46
your application security testing tool or to be your point for performing vulnerability assessments
02:52
in your PaaS and IaaS environments. As we alluded to in the conversation about CASB, a DLP tool (data loss prevention) helps detect data migrations to cloud services. Remember, this isn't the panacea solution. You need to train a DLP to understand what is sensitive data and what is not.
03:09
Also, a DLP cannot inspect network traffic that is encrypted. Some cloud SDKs and APIs may encrypt portions of data and traffic. This will interfere with the success of the DLP implementation. The man-in-the-middle approach used to unwrap and rewrap TLS streams
03:25
may break many of the communications between PaaS services in the cloud
03:30
and the client applications communicating with those PaaS services. An important step in managing data migrations is to define your policies about which data is allowed to migrate in the first place. This is part of the data classification exercise. Then you identify key repositories of the data meeting this classification
03:47
and you monitor them for activity. Tools like database activity monitoring and file activity monitoring
03:53
can really help in this case. Be sure to monitor cloud usage and data transfers leaving your network with either CASB, DLP or URL filtering. We didn't talk about URL filtering previously, but it plays a role very similar to the CASB. It's much simpler, in that it monitors the outgoing URLs and HTTP
04:12
and looks for what users are accessing
04:14
and then can block them from accessing certain URLs or blacklisting. Unlike a CASB, it doesn't inspect the nuances of the specific data in transfer between the client and the cloud-based provider. When migrating data to the cloud, use provider-recommended methods whenever possible.
04:30
Many providers have API-based methods for uploading data.
04:34
If they don't, you can resort to traditional methods of data transfer,
04:39
but don't use cleartext methods like FTP. At least go with something like secure FTP as an alternative.
04:45
Remember, it's important that data in transit is encrypted during its journey to the cloud provider.
04:49
Methods to accomplish this when moving data over the network include TLS, like HTTPS; VPN, but this only works if you have a link between you and the provider and it can handle the amount of data traffic going through that tunnel;
05:03
and finally, proxy. I mention this because it's a method described in the CSA guidance and it may be on the exam. Personally, I have never seen this approach used.
05:13
If you have large amounts of data, shipping physical storage devices can be quicker and safer than sending things over the Internet. But keep in mind, somebody could still snoop on the data when it is in physical transit. So consider encrypting the data and sharing the key with the provider through some other method.
05:28
But I beg you, please, please do not send the key through normal email. Use some sort of secure transfer method over the network to send the key. So far, our conversation is really focused on you sending data to a cloud provider, but a third party could also be posting data to a cloud provider for you to access.
05:46
In these situations, be sure to sanitize the data
05:48
before processing. It keeps you safe from processing data that may contain Trojan horses, SQL injection bombs or other things of that nature.
05:58
In this video, we talked about CASBs. We went over DLP, what it is, when you use it.
06:03
Then we examined managing cloud data migrations at a more strategic and simplistic level, and we touched on the different methods for securing data transfers from you to the cloud provider.

CCSK

This course prepares you to take the CCSK certification by covering material included in the exam. It explains how the exam can be taken and how CCSK certification process works.

Instructed By

James Leone
Cloud, IoT & DevSecOps at Abbott
Instructor