D320 Flashcards

262 Terms

1

Existing State

Evaluate and understand the business processes, assets, and requirements; after sufficient data has been collected, a detailed analysis is performed and a BIA (business impact analysis) takes place.

2

BIA (Business Impact Analysis)

An assessment of the priority given to each asset and process within the organization; the analysis considers the effect (impact) that any harm to or loss of the asset would have on the organization overall; identifies critical paths and single points of failure; determines the cost of compliance with mandated legislative and contractual requirements.

3

Metered service

The organization pays only for what it uses.

4

Rapid Elasticity

Spare capacity that the provider holds and can quickly apportion to (and reclaim from) cloud customers as their demand rises and falls.

5

Cloud bursting

The organization uses a hosted cloud service to augment its internal, private data center capacity with managed services during times of increased demand; the additional capacity is rented as needed from an external cloud provider.

6

ROI (Return on Investment)

A cost-benefit measure expressed as a profitability ratio; here calculated as net profit divided by net assets (more commonly, the net gain from an investment divided by its cost).

7

Elasticity

Customers can contract cloud providers to use virtualization to flexibly allocate only the needed amount of each resource to the organization, holding down costs while maintaining profitability.

8

Simplicity

Allows a user to use the service seamlessly without frequently interacting with the cloud service provider.

9

Scalability

Increasing or reducing services can be accomplished easily, quickly, and cost-effectively.

10

IaaS (Infrastructure as a Service)

Most basic service model; the customer installs all OSs and software on hardware housed and connected by the cloud vendor; can be considered a warm site for BC/DR purposes.

11

PaaS (Platform as a Service)

Includes the services of IaaS plus the OSs; the vendor is responsible for patching, administering, and updating the OS; the customer can install its own software on top of it.

12

Data Storage Types

Two broad types are used: structured and unstructured.

13

Unstructured Data Types

Qualitative data: natural-language text and media (audio, video, images); also covers semi-structured formats such as JSON and XML, and binary objects (e.g., images encoded as text strings).

14

Structured Data Types

Quantitative data organized in a defined schema so that machines (including machine learning algorithms) can readily process it; SQL (relational) databases can be used to quickly input, search, and manipulate it.

15

SaaS (Software as a Service)

Includes everything from IaaS and PaaS with the addition of the application software; the vendor is responsible for administering, patching, and updating everything.

16

Public Cloud

Resources are owned and operated by a vendor and sold, leased, or rented to anyone; multitenant environments.

17

Private Cloud

Resources dedicated to a single customer; might be owned and maintained by the entity that is the sole customer.

18

Community Cloud

Infrastructure and processing owned and operated by or for an affinity group; orgs come together to perform joint tasks and functions.

19

Hybrid Cloud

Contains elements of the other models; an org might retain some private cloud resources but lease some public cloud space.

20

Cloud Broker

Company that purchases hosting services from a provider and resells them to its own customers.

21

CASB (Cloud Access Security Broker)

Third-party entity offering independent IAM (identity and access management) services to CSPs and cloud customers; in practice a CASB sits between users and cloud services and also enforces visibility, data-protection, and threat-protection policies on cloud use.

22

Regulators

Ensure that organizations are in compliance with the regulatory frameworks for which the regulators are responsible (e.g., HIPAA, GLBA, SOX); contractual and voluntary standards such as PCI DSS and ISO standards are enforced by contract or audit rather than by a government regulator.

23

Cost-Benefit Analysis

Comparing the potential positive impact (profit, efficiency, market share) of a business decision to its potential negative impact (expense, detriment to production, risk).

24

FIPS 140-2

NIST standard specifying the security requirements for cryptographic modules used by the US federal government; modules are validated against it under the Cryptographic Module Validation Program (CMVP). It has since been superseded by FIPS 140-3.

25

NIST 800-53

Guidance document (a catalog of security and privacy controls) whose primary goal is ensuring that appropriate security requirements and controls are applied to all US federal government information and information systems.

26

TCI (Trusted Cloud Initiative) Reference Model

Cloud Security Alliance guide for cloud providers, allowing them to create a holistic security architecture that customers can purchase.

27

Vendor Lock-In

Situation where a customer is unable to leave, migrate, retrieve, or transfer its data to an alternate provider due to technical or nontechnical constraints.

28

Vendor Lock-Out

When a customer is unable to recover or access its own data because the provider has gone into bankruptcy or left the market.

29

Blockchain

Open means of conveying value using cryptographic techniques (hashing and digital signatures); an append-only transactional ledger in which each block commits to the previous one by its hash and every participant can view every transaction.
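Worked illustration of the ledger property behind card 29: a minimal hash-chained ledger with a tamper check. This is an added example, not code from the course; the transactions are constructed sample data, and it deliberately omits consensus, mining and signatures so the chaining itself is visible.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Block:
    index: int
    prev_hash: str        # hash of the previous block; this is the "chain"
    transactions: list    # constructed sample records, not a real transaction format

    def hash(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so every participant hashes identical bytes.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "transactions": self.transactions},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


GENESIS_PREV = "0" * 64


def build_ledger(batches):
    """Append one block per batch; each block commits to its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = Block(i, prev, [dict(t) for t in txs])  # copy so callers' data is not aliased
        chain.append(block)
        prev = block.hash()
    return chain


def verify_ledger(chain, expected_tip=None):
    """Return (ok, first_bad_index). A block is bad if its stored prev_hash does not equal
    the recomputed hash of the block before it. Without an independently known tip hash,
    an edit to the *last* block cannot be detected, which is why real systems publish or
    agree on the tip (consensus) rather than trusting a single copy of the chain."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev:
            return False, block.index
        prev = block.hash()
    if expected_tip is not None and prev != expected_tip:
        return False, (chain[-1].index if chain else None)
    return True, None


# Constructed sample transactions.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}, {"from": "alice", "to": "carol", "amount": 1}],
    [{"from": "carol", "to": "alice", "amount": 3}],
]


def tamper_demo():
    """Rewrite history in block 1 and show that verification pinpoints the break at block 2,
    whose stored prev_hash no longer matches the recomputed hash of block 1."""
    chain = build_ledger(SAMPLE_BATCHES)
    chain[1].transactions[0]["amount"] = 200
    return verify_ledger(chain)


if __name__ == "__main__":
    print(tamper_demo())
```

The second check in `verify_ledger` is the practitioner's caveat: a hash chain alone proves only that the copy you hold is internally consistent, not that it is the copy everyone else agreed on.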

30

Containers

Logical segmentation of a device's memory or execution space into two or more isolated areas that cannot interface directly (for example, separating corporate from personal data on a mobile device); in server environments, OS-level virtualization that isolates a process group while sharing the host kernel.

31

Quantum Computing

Emerging technology that allows IT systems to operate beyond binary math, using qubits that can exist in superpositions of 0 and 1 rather than only one or the other.

32

Homomorphic Encryption

Encryption that allows processing of encrypted material without needing to first decrypt it; once considered theoretical, practical (if computationally expensive) schemes now exist. Partially homomorphic schemes support a single operation (e.g., addition); fully homomorphic schemes support arbitrary computation.
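Worked example of the property in card 32, added here and not part of the course material: a textbook Paillier cryptosystem, which is additively homomorphic, so a party holding only ciphertexts can sum them. The primes are constructed demo values (about 30 bits each) chosen so the arithmetic is readable; a real deployment generates primes of roughly 1024 bits each, and the clinic counts are constructed sample data.

```python
import math
import secrets

# Constructed demo primes. Far too small for real use; they keep the numbers readable.
DEMO_P = 1_000_000_007
DEMO_Q = 998_244_353


def keygen(p=DEMO_P, q=DEMO_Q):
    """Paillier key pair: public key (n, g), private key (lambda, mu, n)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                            # standard choice of generator
    mu = pow(lam, -1, n)                                 # lambda^-1 mod n
    return (n, g), (lam, mu, n)


def encrypt(pub, m):
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    n2 = n * n
    while True:  # random blinding factor r in Z_n*: encryption is probabilistic
        r = secrets.randbelow(n)
        if r and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    lam, mu, n = priv
    u = pow(c, lam, n * n)
    L = (u - 1) // n          # L(u) = (u-1)/n; exact because u == 1 (mod n)
    return (L * mu) % n


def add_encrypted(pub, c1, c2):
    """Enc(a) * Enc(b) mod n^2 == Enc(a + b mod n): the additive homomorphism."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Enc(a)^k mod n^2 == Enc(k*a mod n): multiplication by a known plaintext constant."""
    n, _ = pub
    return pow(c, k, n * n)


# Constructed sample: each clinic encrypts its own patient count; the aggregator sums the
# ciphertexts and never sees an individual count. Only the key holder can open the total.
CLINIC_COUNTS = [1_204, 87, 3_310, 512]


def encrypted_total(pub, values):
    total = encrypt(pub, 0)
    for v in values:
        total = add_encrypted(pub, total, encrypt(pub, v))
    return total


def demo():
    pub, priv = keygen()
    return decrypt(priv, encrypted_total(pub, CLINIC_COUNTS))


if __name__ == "__main__":
    print(demo())
```

Note what the scheme does not give you: addition works modulo n, so sums that overflow n wrap silently, and Paillier offers no multiplication of two ciphertexts; that is the gap fully homomorphic schemes close at much higher cost.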

33

STRIDE Threat Model

Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.

34

Apache CloudStack

Open source cloud computing software for creating, managing, and deploying infrastructure cloud services.

35

Business Requirement

Operational driver for decision-making and input for risk management.

36

SPOFs (Single Points of Failure), methods to reduce

Adding redundancy; creating alternative processes; cross-training personnel; backing up data; load sharing/balancing for IT assets.

37

Quantitative Risk Assessment

Uses specific numerical values (e.g., a 1/2/3 scale, or monetary figures such as single loss expectancy and annualized loss expectancy); employs a defined set of methods, principles, or rules for assessing risk.

38

Qualitative Risk Assessment

Uses nonnumerical categories that are relative in nature (high, medium, low); employs a defined set of methods, principles, or rules for assessing risk.

39

Risk

Likelihood that a threat will exploit a vulnerability and realize an impact; can be reduced, never eliminated.

40

Residual Risk

The risk that remains after countermeasures and controls have been applied to mitigate the original (inherent) risk.
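Worked example of the quantitative method behind cards 37, 39 and 40, and the cost-benefit comparison of card 23. It is added here and not taken from the course material: it assumes the standard formulas SLE = AV * EF and ALE = SLE * ARO, and the asset value, exposure factors, rates and control costs are constructed figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF: fraction of AV lost per incident, 0..1
    aro: float               # ARO: expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy = SLE * ARO: the inherent risk, per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ef_after: float    # exposure factor once the control is in place
    aro_after: float   # annualized rate once the control is in place


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied: the residual risk, per year."""
    return Risk(risk.name, risk.asset_value, control.ef_after, control.aro_after).ale()


def control_value(risk: Risk, control: Control) -> float:
    """Cost-benefit of a control: yearly risk reduction minus what the control costs per year.
    Positive means it pays for itself; negative means it costs more than the risk it removes."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def rank_controls(risk: Risk, controls):
    """Controls ordered best-value first. Fund the top one only if its value is positive
    and the residual ALE it leaves is inside the organization's risk appetite."""
    return sorted(controls, key=lambda c: control_value(risk, c), reverse=True)


# Constructed scenario: a customer-records database hosted with a cloud provider.
DB_BREACH = Risk("customer DB breach", asset_value=2_000_000, exposure_factor=0.4, aro=0.2)

CANDIDATE_CONTROLS = [
    Control("encrypt at rest with customer-managed keys", annual_cost=30_000, ef_after=0.10, aro_after=0.20),
    Control("daily backups to a second region", annual_cost=50_000, ef_after=0.25, aro_after=0.20),
    Control("24x7 managed SOC", annual_cost=250_000, ef_after=0.30, aro_after=0.05),
]


def report(risk: Risk, controls):
    """One row per control: (name, residual ALE, annual value)."""
    return [(c.name, residual_ale(risk, c), control_value(risk, c)) for c in rank_controls(risk, controls)]


if __name__ == "__main__":
    print("inherent ALE:", DB_BREACH.ale())
    for row in report(DB_BREACH, CANDIDATE_CONTROLS):
        print(row)
```

With these figures the inherent ALE is 160,000; encryption at rest leaves a residual ALE of 40,000 for a net value of 90,000 per year, while the managed SOC reduces the risk but costs more than it saves, so it ranks last. The point of the method is that it makes "accept, mitigate, or transfer" a comparison of numbers rather than of opinions.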

41

Security Considerations for Cloud

The cloud customer remains legally accountable (to regulators and data subjects) for any loss of data, even if the cloud provider demonstrates negligence or malice; the customer's recourse against the provider is contractual.

42

IaaS Considerations

Customer has the most responsibility and authority; provider is responsible for the building, land, connectivity, power, and hardware assets.

43

PaaS Considerations

Same as IaaS but the provider controls the OSs; the customer can still monitor and review software events.

44

SaaS Considerations

Customer only supplies and processes data; the security controls available to the customer are limited because the provider supplies everything else.

45

Data Ownership

Assign responsibilities according to who has possession of, and legal ownership of, the data; roles are assigned to allocate these responsibilities.

46

Data Owner

Organization that collected or created the data; within the org, usually a department head or business unit manager; the cloud customer is usually the data owner (international treaties and frameworks refer to this role as the data controller).

47

Data Custodian

Person or entity tasked with the daily maintenance and administration of the data; applies the proper security controls and processes as directed by the data owner; sometimes a database admin.

48

Data Processor

Any org or person who manipulates, stores, or moves the data on behalf of the data owner; under international law the cloud provider is a data processor.

49

Data Lifecycle

Understand it in order: Create > Store > Use > Share > Archive > Destroy.

50

Create

The data owner is identified in this first phase; data security and management responsibilities require action from the start; the data owner categorizes and classifies the data.

51

Data Categorization

The process of categorizing data based on criteria such as regulatory compliance, business function, functional unit, and project.

52

Regulatory Compliance

Can categorize by the specific datasets a regulation covers (GLBA, PCI DSS, SOX, HIPAA, GDPR, and other international, national, and local compliance requirements).

53

Business Function

Different uses of data (billing, marketing, operations).

54

Functional Unit

Department or office with its own category and data controls.

55

By Project

Define datasets by the project they are associated with, as a means of creating discrete, compartmentalized datasets.

56

Data Classification

Responsibility of the data owner; assigned according to the org's policy, based on the characteristics of the dataset.

57

Sensitivity

Classification scheme used by the US military (and others); assigned according to the sensitivity of the data, based on the negative impact an unauthorized disclosure would cause.

58

Jurisdiction

The geophysical location of the source or storage point of the data might determine how the data must be handled; e.g., PII gathered from EU citizens is subject to EU privacy law.

59

Criticality

Data deemed critical to the org's survival is classified in a manner distinct from trivial, basic operational data; the BIA helps determine this.

60

Data Mapping

Data exchanged between organizations (or departments) is normalized and translated so that it is meaningful to both parties.

61

Data Labeling

When the data owner creates, categorizes, and classifies the data, it must also be labeled; the label should indicate who the data owner is (by office or role, not by personal name).

62

Data Discovery

Refers to several kinds of tasks an org uses to determine and accurately inventory the data under its control.

63

E-Discovery

Legal term for how electronic evidence is collected as part of an investigation or lawsuit.

64

Label-Based Discovery

Labels applied at creation aid any data discovery effort; the org can determine what data it controls and how much of each kind.

65

Metadata-Based Discovery

Metadata is data about data, a listing of traits and characteristics of specific data elements or sets; it can be useful for discovery purposes.

66

Content-Based Discovery

Discovery tools can locate and identify specific kinds of data by delving into the content of datasets (e.g., pattern-matching for card numbers or identifiers and validating the matches).
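Worked example of content-based discovery (card 66) feeding a label (card 61), added here and not part of the course material: a small scanner that finds payment card numbers, SSN-shaped identifiers and email addresses in text, validates card candidates with the Luhn checksum so that random digit runs are not reported, and labels each record by the most sensitive thing it contains. The records are constructed sample data; the category names "PCI" and "PII" and the pattern set are assumptions, not a standard.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # label the match implies: "PCI" or "PII"
    kind: str       # what matched: "PAN", "SSN", "EMAIL"
    redacted: str   # enough to triage without re-exposing the value


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most accidental digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _pan_valid(match: str) -> bool:
    digits = re.sub(r"[ -]", "", match)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


# (category, kind, regex, validator). A regex alone over-matches; the validator is what
# turns "looks like a card number" into "is almost certainly a card number".
PATTERNS = [
    ("PCI", "PAN", re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])"), _pan_valid),
    ("PII", "SSN", re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), lambda m: True),
    ("PII", "EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), lambda m: True),
]


def _redact(value: str) -> str:
    # Keep the last four digits of a number, or only the domain of an email address.
    tail = re.sub(r"\D", "", value)[-4:] if value[-1].isdigit() else value.split("@")[-1]
    return "****" + tail


def discover(text: str) -> list:
    """Scan one record and return every validated sensitive-data match."""
    findings = []
    for category, kind, rx, valid in PATTERNS:
        for m in rx.finditer(text):
            if valid(m.group()):
                findings.append(Finding(category, kind, _redact(m.group())))
    return findings


_RANK = {"PCI": 2, "PII": 1}   # highest-impact category wins when a record has several


def label_for(findings) -> str:
    if not findings:
        return "Unclassified"
    return max(findings, key=lambda f: _RANK[f.category]).category


# Constructed sample records (the card number is the well-known test value, not a real card).
SAMPLE_RECORDS = [
    "ticket 1042: customer card 4111 1111 1111 1111 declined, retry",   # Luhn-valid PAN
    "order ref 4111111111111112 shipped",                               # 16 digits, fails Luhn
    "contact jane.doe@example.com, SSN 123-45-6789 on file",
    "quarterly roadmap slides attached",
]


def inventory(records):
    """Label-by-content for a corpus: {label: number of records}, the input to a data inventory."""
    counts = {}
    for r in records:
        lbl = label_for(discover(r))
        counts[lbl] = counts.get(lbl, 0) + 1
    return counts


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(label_for(discover(r)), discover(r))
    print(inventory(SAMPLE_RECORDS))
```

The second record is the case a practitioner cares about: it has the right shape for a card number but fails the checksum, so it stays unclassified instead of inflating the PCI scope. Real DLP engines add more validators (issuer prefixes, keyword proximity, document fingerprints) on the same principle.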

67

Data Analytics

Technological options for deriving additional findings from data and assigning types to it.

68

Datamining

An outgrowth of the possibilities offered by regular use of the cloud (big data); the org collects data streams and runs queries across the feeds.

69

Real-Time Analytics

Tools can provide datamining functionality concurrently with data creation and use.

70

Agile Business Intelligence

State-of-the-art datamining involving recursive, iterative tools and processes that can detect trends and identify more oblique patterns in historical and recent data.

71

Jurisdictional Requirements

Different regions have varying levels of privacy protection and intellectual property law.

72

IRM (Information Rights Management)

Managing information in accordance with who has rights to it; also referred to as DRM (digital/data rights management) or ERM (enterprise rights management).

73

Intellectual Property Protections

Legal protections for intangible assets created by the mind.

74

Copyright

Legal protection for expressions of ideas; under US law it lasts for 70 years after the author's death or, for works made for hire, 95 years from first publication or 120 years from creation, whichever expires first.

75

Trademarks

Intended to be applied to specific words and graphics that represent an org, i.e., its brand.

76

Patents

Legal mechanism for protecting intellectual property in the form of inventions, processes, materials, designs, and plant varieties; lasts about 20 years from the time of the patent application.

77

Trade Secrets

Protect the same kinds of material as patents (inventions, processes, formulas) but without registration or public disclosure; also include aggregations of information such as lists of clients or suppliers.

78

IRM Tool Traits

Material protected by IRM solutions needs some form of labeling or metadata associated with it for the IRM tool to function properly.

79

Rudimentary Reference Checks

The content itself can check for proper usage or ownership.

80

Online Reference Checks

E.g., Microsoft software packages that require a product key at installation; the program checks it against an online database when connected to the Internet.

81

Local Agent Checks

The user installs a reference tool that checks the protected content against the user's license.

82

Presence of Licensed Media

Licensed media (a disc, for example) is required to be present when the content is being used.

83

Support-Based Licensing

Predicated on the need for continual support for the content.

84

IRM in the Cloud Complications

Challenges that arise when managing information rights in cloud environments.

85

Replication Restrictions

IRM often prevents unauthorized duplication, but the cloud routinely creates, closes, and replicates virtualized host instances.

86

Jurisdictional Conflicts

The cloud extends across boundaries and borders, which often poses problems when intellectual property rights are restricted by locale.

87

Agent/Enterprise Conflicts

IRM solutions that require local installation of software agents for enforcement might not function properly in the cloud environment, in virtualization engines, or on the various platforms used in a BYOD enterprise.

88

Mapping IAM and IRM

The extra layer of access control (ACLs) can cause a conflict between the IRM's IAM and the enterprise/cloud IAM; this is more likely if these functions are outsourced to a third party (CASB).

89

API Conflicts

The IRM tool is often incorporated into the content, so the material might not offer the same level of performance across different applications (content readers, media players).

90

Persistent Protection

Protection follows the content it protects regardless of location, whether it is the original file or a duplicate, and regardless of how it is being used.

91

Dynamic Policy Control

Should allow content creators and data owners to modify ACLs and permissions for the protected data under their control.

92

Automatic Expiration

Because of the nature of legal protections of intellectual property, a significant amount of digital content will not be protected in perpetuity; protection should cease when the legal protection ceases. Licenses also expire, so access and permissions for protected content should expire with them.

93

Continuous Auditing

Allows comprehensive monitoring of the content's use and access history.

94

Replication Restrictions

The purpose of IRM is to restrict illegal or unauthorized duplication of protected content; IRM solutions should enforce restrictions across the many forms of copying that exist (screen-scraping, printing, electronic duplication, email attachments).

95

Remote Rights Revocation

The owner of rights to intellectual property should have the ability to revoke those rights at any time; used in the event of litigation or infringement.

96

Data Control

Controls that protect data in the lifecycle phases after CREATE; each aspect of data management (retention, audit, disposal) needs a specific policy addressing it.

97

Data Retention Policy

Policy that outlines how long data should be kept and under what conditions.

98

Retention Periods

Length of time the organization should keep data; expressed in a number of years; set by regulation or legislation; can be mandated or modified by contractual agreements.

99

Applicable Regulation

Retention can be mandated by statute or contract; the policy should refer to all applicable regulatory guidance.

100

Retention Formats

Describe how data is actually archived (type of storage media, handling specifications); e.g., some types of data are required to be encrypted while in storage, so the policy should include a description of the encryption engine, key storage and retrieval procedures, and a reference to the relevant regulation(s).