Data localization
States that information about a country’s citizens must be stored in that country and that rules govern cross-border exchanges of that data
Data Privacy
Impacts cloud architecture and implementation. Specifically, it applies to situations where data flows across jurisdictional boundaries, such as local, regional, and national borders
Data Ownership
An internal governing principle for data management. It determines who is responsible and accountable for data within the organization
Data steward
Responsible for day-to-day administration and maintenance.
Data Residency
Refers to control over the geographical location of data storage. Policy, tax, or other reasons may suggest benefits to specific data locations in particular regions or nations.
Also tied to legal and regulatory compliance
Data Sovereignty
Deals with legal and regulatory issues around data storage.
The goal is to maintain data within the context of specific laws or legal systems to exercise legal protections and/or punishments. These may include tax or privacy laws
Data Localization
Covers control over data created within a governing region, such as a country or state.
It usually pertains to personal data submitted by users who have specific expectations governing that information and its storage based on their local or national laws
Data Locality
Deals with information management and processing. It is still relevant to the geographical storage location but does not refer to legal implications
Refers to moving compute power to data to avoid the potential bottlenecks involved with moving large amounts of data to processing centers
Data Classification
Involves identifying internal data and understanding the impact of a security breach
Who is responsible for data classification in the cloud?
Customer's responsibility
Data Retention Policies
Specify how long to retain information to comply with legal, contractual, or regulatory requirements.
These policies normally specify a minimum time for data retention. They may also indicate a maximum time for data retention
Legal hold
A formal process that freezes specific information in anticipation of legal proceedings.
The holds prevent data modification through methods such as deletion, compression, or other means that raise questions about the data’s integrity
Regulatory compliance examples
Financial information, including tax and accounting data.
Customer personal information.
Employee HR information
System and Organization Controls 2 (SOC 2)
A standard that ensures the service providers you partner with meet or exceed a specific level of data privacy and management
A flexible mechanism that aligns with your business processes. It generates reports based on vendor systems and capabilities to ensure they meet your organization's needs
Payment Card Industry Data Security Standards (PCI DSS)
Define secure practices around credit and debit card transactions. The guidelines and requirements are designed to protect consumers and vendors from theft and fraud
International Organization for Standardization (ISO) 27000 Standards
Guide organizations and consumers through the implementation of information security management systems
International Organization for Standardization (ISO) 27001
A set of guidelines and practices for managing an information security management system (ISMS), helping providers and consumers address risks and weaknesses
Cloud Security Alliance
Provides research, publications, training, and certification on cloud security practices.
Organizations join the Cloud Security Alliance (CSA) to benefit from the research and training by working collaboratively with other members and organizations
Cloud Controls Matrix (CCM)
This framework provides a means for assessing, implementing, and auditing cloud deployments. It includes expectations for which entities perform which roles (cloud consumer versus cloud provider)
Principle of Least Privilege
This idea states that consumers should be given the minimum level of access to accomplish assigned tasks.
Additional privileges can be assigned, if necessary, after approval.
Zero Trust Cloud Security
Begins with the assumption that no devices—even internal systems—should be trusted.
Instead, every entity in the environment must authenticate and be explicitly granted access to resources
Granular access controls:
Uses microsegmentation and policy-driven rules to enforce the principle of least privilege in cloud (and on-premises) environments
Continuous authentication verification:
Requires proof of identity for each request rather than an authenticated credential generated at system sign-on
Zero implicit trust:
Distrusts all devices, whether internal or external, client or server, etc.
Dynamic security:
Dynamic response to security deviations by users and systems
Zero trust works based on the following approaches:
Strict IAM and account management policies.
Effective micro-segmentation of resources.
Increased access monitoring and automated responses.
End-to-end encryption of data in transit.
Encryption of data at rest
Benchmarks
Provide a way to measure risk, establish minimum security settings, and demonstrate return on investment (ROI) results
Center for Internet Security (CIS) Benchmarks for Cloud Security
Provide best practices and configuration information for securing public cloud deployments. These practices integrate well with other standards and are vendor-neutral, enabling them to work in many different environments
The CIS benchmarks include two levels of recommendations. They are:
Level 1: Baseline configurations offering immediate returns.
Level 2: Additional layered settings that may impact performance or functionality
Hardening
Consists of several specific tasks, but it can be summed up as, “remove what you don’t need and use the most current version of what’s left.”
Configuration Baselines
Refers to an agreed-upon standard OS version and configuration
Configuration management
Controls OS settings and application deployment by using tools like Ansible
Allows for quick changes to the system’s configuration
Security Patching
May be applied at the operating system (OS) or application/service levels
The OS vendor manages security patches and releases them on a predictable schedule. A centralized service typically handles on-premises patch management, allowing administrators to deploy patches to a test environment before production
Hotfixes
Address a specific software bug. They are more focused than patches and may be customer or situation-specific
More urgent than patches, so they are released as needed rather than on a fixed release schedule
Rollups
A combination of a series of patches into a single deployable unit.
Patch Application
Organizations should test and approve patches before deployment. Patch deployment can be prioritized based on threat level, feature enhancements, or network location.
Automated patching tools use a centralized dashboard to schedule and manage updates efficiently
What are signature updates, and why are they important?
Periodic updates for antivirus and anti-malware solutions that help recognize known threats
Ensure security software remains effective against new and evolving malware. In cloud environments, cloud service providers (CSPs) manage and update these signatures automatically
Encryption
Process of encoding data so that only those with the proper decryption key can access it. Those who do not have the related key cannot decrypt the data and access its contents
Non-repudiation:
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
Symmetric Encryption
Uses a single key to encrypt and decrypt information. The process is quick
Asymmetric Encryption
Uses two mathematically related keys. One is a public key and the other is private. If one key is used to encrypt data, only the other key can decrypt it
Slower than symmetric, but it solves the key delivery problem
Asymmetric Encryption: Encrypt with the public key; decrypt with the private key
Useful for confidentiality where user Bob encrypts data with user Alice's public key, knowing only Alice's private key can decrypt it
Asymmetric Encryption: Encrypt with the private key; decrypt with the public key
This is useful for digital signatures that prove where information came from and guarantee its integrity.
If Bob encrypts a message with his private key, Alice can decrypt it with Bob's public key and be confident the message came from Bob
Hash Cryptography
Method of generating a fixed-length unique value (hash) from input data using a cryptographic hash function
Used for data integrity verification, password storage, and digital signatures by ensuring that even a small change in the input produces a completely different hash
HTTPS
Relies on digital certificates to prove the web server's identity and begin the encryption process.
Transport Layer Security (TLS)
Combines symmetric and asymmetric encryption
Encrypts data transmitted between clients and servers
IPsec Network Encryption
Encrypts data before it leaves the computer. Data remains encrypted across the network and is not decrypted until it enters the destination computer
Server-side encryption (SSE)
A cloud provider or storage service encrypts data at rest on the server before storing it
Disk encryption
The entire drive (or partition) is encrypted during the shutdown process and decrypted during startup. The data is protected while the server is offline. If the drive is stolen, the contents are encrypted
Example: BitLocker
File integrity monitoring (FIM)
A type of software that reviews system files to ensure that they have not been tampered with.
Application Programming Interfaces (APIs)
Allow services to get information from each other programmatically for business processes
Use API gateways to:
Authenticate connections.
Control traffic.
Implement rate limiting and request throttling to manage traffic.
Log and monitor API usage.
Cloud-based container security tasks include the following practices:
Use trusted registries for container images and verify authenticity with digital signatures.
Manage container secrets using tools like Kubernetes Secrets.
Use network segmentation to isolate traffic and implement connection rules.
Privileged containers
Are created and run by root (the Linux administrator account). Processes inside the container also run as root.
Unprivileged Container Configuration
Do not run with root privileges. These non-privileged accounts are mapped to non-root accounts on the local host system, further ensuring that escaped processes cannot control the entire host
Better isolated from the host's configuration, better isolated from other containers, and have a reduced attack surface
SHA-256 (Secure Hash Algorithm 256)
More secure than other hash algorithms
MD5 (Message Digest 5)
Should not be used to protect confidential information, since collisions are easy to generate
AES (Advanced Encryption Standard)
An encryption algorithm. Advanced Encryption Standard is a symmetric block cipher that encrypts data on a per-block basis
Which of the following statements BEST describes the effectiveness of IPsec in network security compared to application-layer encryption methods like HTTPS?
IPsec is more effective because it encrypts all data at the network layer, regardless of the application
Public Key Infrastructure (PKI)
A framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
If the problem is that credentials have been leaked to unauthorized personnel, consider the following:
Reset passwords
Ensure the use of SSH key-based authentication for all SSH connections
Ensure the use of multifactor authentication (MFA)
Review procedures and credential storage to determine how the leak occurred
Ensure use of the principle of least privilege
Authorization
The ability to access resources after authentication
Problems usually relate to misconfigured permissions, rights, or other access controls. These may include privilege escalation problems and unauthorized access to resources
Privilege Escalation
Allows users (usually administrators) to sign on to a system as a non-privileged (non-administrator) account and then escalate their privileges to admin levels for specific delegated tasks
If the problem is that you cannot access SaaS resources, consider the following:
User subscription access is active for the software
Group access is active for the software
Confirm compatibility between the user’s system and the software
If the problem is that you cannot access PaaS resources, consider the following:
Identity and Access Management (IAM) or other access policies
Maximum user access limit has been reached
Firewall or other filtering configurations
Resource is available and running
If the problem is that you cannot access IaaS resources, consider the following:
IAM or other access policies
Virtualization administrator privileges for access to hypervisor configuration
Instance administrator privileges for access to the virtual machine (VM) instance
Directory services groups
Control access to folders, files, or printer resources.
In Windows, these groups are granted New Technology File System (NTFS) permissions to access a resource. In Linux, standard permissions manage access
What are security groups?
Virtual firewalls.
Misconfigurations can block connectivity to one or more instances
Access control list (ACL) rules
Specify permitted traffic for security group members.
By default, all inbound traffic is denied until the cloud administrator explicitly permits specified connections
Network access control (NAC) systems
May check the relative health and security configuration of devices participating in the network.
Troubleshooting these devices involves ensuring the appropriate network nodes are associated with the NAC system and confirming its configuration
If the problem is that NAC is not checking all devices, consider the following:
Which devices are being checked or excluded
Which network entry points are checked (VPN, remote access, on-site)
If the problem is exposure of intellectual property, consider the following:
Data Loss Prevention (DLP) infrastructure covers all data storage
Unencrypted network traffic
Unencrypted stored data
Data Misclassification
Leads to incorrect access controls. If secret information is misclassified as public, automated systems may grant public access, resulting in data exposure
Cipher suites
Are collections of algorithms used for data security. Various suites exist, but weaknesses are regularly discovered. It's essential to use current versions and avoid older solutions
The US National Security Agency (NSA)
Provides security guidelines and requirements for US government agencies.
It recommends using only current cipher suites and confirming the removal of deprecated approaches
What are two common cipher suites used to secure web traffic?
Transport Layer Security (TLS) and Secure Sockets Layer (SSL).
Recommended cipher suites for web communications:
TLS 1.2
TLS 1.3
TLS 1.3
Offers performance and security enhancements, such as faster handshakes and more secure cipher suites
What should be checked if there is no connectivity to one or more VM instances in a cloud deployment?
Ensure the instance has the correct security group assigned.
Which of the following is a potential reason why a Network Access Control (NAC) system is not checking all devices?
The devices are not associated with the NAC system.
This can happen if:
Devices are connected outside of NAC enforcement zones.
They are not registered or authenticated through the NAC solution.
NAC is only applied to certain network segments or device types