Managing Data Migrations

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
00:01
>> This video focuses on managing Cloud data migrations.
00:01
We'll start off talking about
00:01
Cloud application security brokers, data loss prevention.
00:01
We'll get into specifics of
00:01
managing Cloud data migrations and we'll
00:01
finish up with a review on securing data transfers.
00:01
Cloud application security brokers,
00:01
or CASB for short,
00:01
are primarily used to monitor and
00:01
protect the use of SaaS applications.
00:01
The CASB sits at egress points
00:01
on the network you are trying to monitor,
00:01
so it can view the outgoing traffic.
00:01
Initially, it just observes the flow and figures
00:01
out the various SaaS applications being used by
00:01
performing DNS lookups and relying on
00:01
databases that the CASB suppliers will manage.
00:01
This allows you to get a feel for what is being
00:01
used and sometimes the CASB can be
00:01
set up in such a way that it can tell you
00:01
who is accessing which SaaS providers.
00:01
After discovery, security admins can use the CASB to
00:01
set up preventative controls that
00:01
block access to certain SaaS products.
00:01
This capability is being quickly
00:01
replaced through integration of DLP,
00:01
something we will talk about shortly.
00:01
Through integration with DLP service,
00:01
you can allow access to certain SaaS products,
00:01
but also control the kind of activities or
00:01
information being sent to the SaaS provider.
00:01
For example, if somebody uses LinkedIn,
00:01
you can restrict certain keywords or
00:01
statements from being sent to the platform.
00:01
Consider making sure that somebody isn't divulging
00:01
upcoming financial results for
00:01
your company before they had been publicly announced.
00:01
Alternatively, you may want to keep a lid on
00:01
conversations about certain confidential projects.
00:01
API integration is another aspect
00:01
that some CASBs can offer.
00:01
When you're considering a CASB for API integration,
00:01
you're looking to determine how people are using
00:01
the different Cloud products in
00:01
understanding the meta structure of the offering.
00:01
This even allows you to monitor how
00:01
IaaS and PaaS services are being used.
00:01
For example, the CASB can
00:01
tell you the amount of logins that have
00:01
occurred and other details
00:01
about the Cloud environment itself.
00:01
You need to pay particular
00:01
attention to whether the CASB,
00:01
the vendor supports the platform
00:01
APIs that you are actually consuming.
00:01
CASB is a maturing technology
00:01
in undergoing rapid changes.
00:01
When you're investigating CASB,
00:01
it is very important that you
00:01
perform vendor comparisons based on
00:01
what you actually need
00:01
versus what the CASB vendors offer.
00:01
After all, who cares if the CASB
00:01
supports most APIs by volume if
00:01
it doesn't support any of the providers
00:01
you use or plan to use in the near future?
00:01
The same can be said for integrations being
00:01
able to leverage external DLP solutions.
00:01
Using CASB to control and monitor PaaS and
00:01
IaaS is a fairly new capability in the marketplace.
00:01
In other words, don't rely on the CASB to
00:01
be your application security testing tool,
00:01
or to be your point for performing
00:01
vulnerability assessments in
00:01
your PaaS and IaaS environments.
00:01
As we alluded to in the conversation about
00:01
CASB, a DLP tool,
00:01
data loss prevention,
00:01
may help detect data migrations to Cloud services.
00:01
But remember this isn't the panacea solution.
00:01
You need to train a DLP to
00:01
understand what is sensitive data and what is not.
00:01
Also, a DLP cannot
00:01
inspect network traffic that is encrypted.
00:01
Some cloud SDKs and APIs
00:01
may encrypt portions of data and traffic.
00:01
This will interfere with
00:01
the success of the DLP implementation.
00:01
The man-in-the-middle approach used to unwrap and
00:01
re-wrap TLS streams may break many of
00:01
the communications between PaaS services in the Cloud
00:01
and the client applications
00:01
communicating with those PaaS services.
00:01
An important step in managing
00:01
data migrations is to define
00:01
your policies about which data is
00:01
allowed to migrate in the first place.
00:01
This is part of the data classification exercise.
00:01
Then you identify key repositories of
00:01
the data meeting this classification,
00:01
and you monitor them for activity.
00:01
Tools like database activity monitoring and
00:01
file activity monitoring can really help in this case.
00:01
Be sure to monitor Cloud usage and
00:01
data transfers leaving your network with either CASB,
00:01
DLP or URL filtering.
00:01
We didn't talk about URL filtering previously,
00:01
but it plays a role very similar to the CASB.
00:01
It's much simpler, and then it monitors
00:01
the outgoing URLs and HTTP and looks
00:01
for what users are accessing and then can block
00:01
them from accessing certain URLs or blacklisting.
00:01
Unlike a CASB, it doesn't inspect the nuances of
00:01
the specific data in-transfer
00:01
between the client and the Cloud-based provider.
00:01
When migrating data to the Cloud,
00:01
use provider recommended methods whenever possible.
00:01
Many providers have API-based methods for uploading data.
00:01
If they don't, you can resort to
00:01
traditional methods of data transfer,
00:01
but don't use clear text methods like FTP,
00:01
at least go with something like
00:01
secure FTP as an alternative.
00:01
Remember, it's important that data in-transit is
00:01
encrypted during its journey to the Cloud provider.
00:01
Methods to accomplish this when moving data over network
00:01
include TLS, like HTTPS,
00:01
VPN but this only works if you
00:01
have a link between you and the provider,
00:01
and it can handle the amount of
00:01
data traffic going through that tunnel.
00:01
Finally, proxy. I mentioned this because it's a method
00:01
described in the CSA guidance and it may be on the exam.
00:01
Personally, I've never seen this approach used.
00:01
When you have large amounts of data,
00:01
shipping physical storage devices can be quicker and
00:01
safer than sending things over the Internet.
00:01
But keep in mind, somebody could still
00:01
snoop on the data when it is in physical transit.
00:01
So consider encrypting the data and sharing
00:01
the key with the provider through some other method.
00:01
But I beg you, please do not
00:01
send the key through normal email.
00:01
Use some secure transfer method
00:01
over the network to send the key.
00:01
So far, our conversation is really
00:01
focused on you sending data to a Cloud provider.
00:01
But a third party could also be
00:01
posting data to a Cloud provider for you to access.
00:01
In these situations, be sure to
00:01
sanitize the data before processing it.
00:01
It keeps you safe from processing
00:01
data that may contain Trojan horses,
00:01
SQL injection bombs, or other things of that nature.
00:01
In this video, we talked about CASBs,
00:01
we went over DLP,
00:01
what it is, when you use it.
00:01
Then we examined managing Cloud data migrations
00:01
at a more strategic and simplistic level,
00:01
and we touched on the different methods for securing
00:01
data transfers from you to the Cloud provider.
Up Next