CSA CCSK – Protecting data from Un-Authorized Access

  1. Cloud Deployment Model and Security Concerns

Hello friends, and welcome to this lecture on cloud deployment models and security concerns. We have already seen that there are different models, such as public cloud, private cloud, hybrid cloud and community cloud, and each model has its own security concerns. From the organization's perspective, the first point to consider is what compliance or legal requirements it has and what those requirements say: let's say a firewall should be there, or some DDoS protection should be there, or antivirus should be there. On the basis of those legal or contractual requirements, the organization can draw up the list of controls, from the application down to the physical layer, that are required in order to be compliant or to meet the regulatory requirements.

Depending on those controls, the organization needs to assess whether, in whichever model it is going to choose, it will be able to apply all those controls given the responsibilities it has. So let's see what the different deployment models are and the concerns we have. Again, as we discussed, depending on its legal and contractual requirements, the organization needs to assess what kind of risk it has and the controls it needs in order to be compliant.

It is the organization's decision, depending on its legal requirements, whether to choose a less secure public cloud, because it is totally managed and owned by a third party; a potentially more secure hybrid cloud, where it has its own premises plus cloud connectivity; or the potentially most secure option, which is the private cloud. So it is the customer who should first select a deployment model and then make sure that the security controls are in place to protect the data.

So let's see what the security concerns are, or who takes ownership, for each deployment model. We have our cloud deployment models listed: public cloud, private and hybrid. The comparison is on the basis of who manages and owns the infrastructure, and who accesses that infrastructure or consumes the cloud services. When we say managed, it includes everything: your governance, operations and security. Infrastructure includes your physical infrastructure, where the data centers are, and your storage and compute: all the infrastructure used to provide the services to the customers.

Infrastructure located means the location of the data centers used to provide the services, and accessible and consumed by means who is actually consuming those services. In the case of public cloud, the infrastructure is managed by the third-party provider, so AWS and Azure are managing the infrastructure. Infrastructure owned: they definitely own the infrastructure. Where the data center, or you can say the infrastructure, is located: it is off premises, in the AWS or Azure data centers. And it is accessible and consumed by the untrusted.

If you go by the definition, untrusted consumers are those that may be authorized to consume some or all services but are not part of the logical extension of the organization. Trusted consumers are those who are part of the logical extension of the organization, or who are under the contractual or legal obligations of the organization. In the case of private and community cloud, who manages the infrastructure? For private cloud, we have already studied that it may be managed by the individual organization or it may be hosted by some other organization. For example, we may have a rack in a colocation facility, and in that case it could be managed by a third party.

Who owns that infrastructure? If it is the organization's, then the organization owns the infrastructure, but it could be owned by a third party as well, and similarly it could be managed by a third party. If we have the rack and we want it managed by some third party, like Wipro or other CLS, then it can be managed by the third party. The infrastructure could be located on premises as well as off premises, and those accessing and consuming the services are the trusted people who are under the organization's legal and contractual policies. You can see these arrows and the combinations: if the infrastructure is managed by the organization, it could still be owned by a third party.

And if the infrastructure is owned by a third party, it could still be located on premises. Similarly, if the infrastructure is owned by the organization, it could be located off premises as well. And in the case of private cloud, who manages the infrastructure? Both the organization and the third party: the organization, because you are managing your own on-premises infrastructure, and the third party, when it is managed by, let's say, a public cloud provider such as AWS, Azure or Google. Infrastructure owned: both by the organization and the third party. Infrastructure located: both on premises and off premises. Accessible and consumed: by both the trusted and the untrusted.

So in this way there are different security concerns with the different deployment models. It is the organization's decision: the organization and its business partners' security teams need to understand that these are the deployment models and these are the risks, and ask what kind of data they want to put into the cloud. Depending on that, one needs to take a decision, because ultimately the goal is to protect the organization's data. The deployment model where the organization has maximum control can then be chosen to migrate the data onto the cloud, so that there is no exposure of sensitive data. So this is it, friends, for this lecture. Thank you for watching this lecture. Meet you in the next lecture. Thank you.

  2. Location of Data in Cloud

Hello friends, and welcome to this lecture on location of data in the cloud. This is again a very important concept to understand in order to prevent unauthorized access to data that is in the cloud. Apart from unauthorized access, there are certain legal issues and complications we need to understand from the location perspective, because a number of legal issues are unique to the cloud in terms of data location. Certain questions generally come to mind: where is the data located, who is aware of the data location, who controls the data location, and what jurisdiction applies if something happens tomorrow? There are some cross-border legal issues.

So we'll try to understand the various jurisdictional issues that arise in the cloud. The first thing cloud customers should know is where exactly their data has been kept or hosted, and in which country it resides. See, due to the nature of the cloud, we have already seen that there are different regions and Availability Zones. I'll move on to the next slide and then come back to this one. This is a snapshot I have taken from Azure of the regions and Availability Zones they have worldwide. In the case of Azure, they have 50 regions worldwide and 140 Availability Zones. When we say regions, these are the different regions they have: West Central US, West US 2, then US Gov Arizona is there, Texas, Central US, and then Canada and East US, East US 2, then North Virginia, West Europe, Germany.

And you can see China and Asia, so there are different regions. You can see the African regions; Brazil is there, and Australia is there down the line. So these are the different locations, meaning the countries in which they have their data centers. Within the regions they have their Availability Zones. Think of an Availability Zone as a combination of one or three data centers. The circles with the dark lines are the Availability Zones they have.

So think of the number of data centers they have, how they are connected with each other, and how the data can be moved. Knowing the location of the data, where exactly the data is, is a crucial step, one that needs attention and that one should be very serious about: where my data is located, and which region or Availability Zone I have chosen when choosing the cloud services, so that I know what I need to do if something happens tomorrow. On the location of data, think of GDPR: the question "where are you keeping my data?" is coming up more and more these days, if you have seen the news and all those concerns.

From that perspective, we need to understand what the legal challenges could be if something happens. Many contracts even impose auditing possibilities that include physical inspection. How can these auditing requirements be complied with across the geographically distributed data centers they have? There is also the applicable law and the competent court if it is, let's say, outside your own country, and litigation can become very expensive. What happens in case of bankruptcy of the cloud service provider? All these things need to be considered in cloud computing, but specifically for the location of data, we need to understand that the physical location of the data raises the question of which law will be applicable and which jurisdiction will handle the case.

Jurisdiction means which court will handle the case. Think of it from this perspective: you, as the owner of the data or the organization, are based in India, and the cloud service provider, which could be any, let's say Google or AWS or Azure, is based in the US. In that case, the vendor or cloud service provider will definitely prefer the jurisdiction of the American court. But it could be difficult for the owner to submit everything to that US court or to have it listen to the hearing. So we really need to understand where our data is located and which jurisdiction will apply, and it is crucial to know the prevailing law in that particular nation. So, what if a dispute arises?

What will be the place of jurisdiction, meaning which court will handle the case? The data owner is the organization that owns the data. And remember, the cloud provider is always the data processor, processing the data on your behalf, and the data owner is always the customer who is migrating the data.

The data owner is always the one responsible if any dispute or breach happens in the cloud, because ultimately, in the shared responsibility model, we have seen that GRC is the responsibility of the customer. So the data owner should be aware of the court system that will govern or handle the case if a dispute arises. From that perspective, to prevent unauthorized access and to avoid unnecessary expenses, knowing where my data is located is a very important concept in the cloud. So, this is it, friends, for this lecture. Thank you for watching this lecture. We'll meet you in the next lecture.

  3. Data Sensitivity and Legal Obligations

Hello friends, and welcome to this lecture on data sensitivity and legal obligations. In the last lecture we saw that there are different deployment models, each with different security issues. To protect against unauthorized access to your data in the cloud, we need to understand what kind of data we will be putting onto the cloud, so that it does not create any kind of legal obligation, and what legal obligations we could have when we migrate data to the cloud. The first issue, as we all know, concerns the traditional IT environment, or on premises: the good thing there, which always made organizations feel confident, is that for data hosted in their own data center they at least have control over that data center.

They can put in place the policies they want and use the security measures they want. They can do vulnerability scanning and penetration testing to make sure that the infrastructure, the servers and storage within the perimeter, is well protected, and that firewalls or DDoS protection are being used. But as we move to the cloud, it is managed by a third party. Even so, cloud vendors today are much more concerned about security: they do vulnerability assessment and penetration testing, and they will provide you each and every report. But from an organization's perspective, we always need to be vigilant about what the security risks could be. The first worry for the organization or the security individual is lack of control, because it is totally in the vendor's hands. They provide us the audit reports and everything, but ultimately it is the cloud vendor that manages the infrastructure. So the first thing is that we don't have any control.

The other thing is putting your sensitive data in the cloud. Think of GDPR, where personal data is things like name, location data, identification number, IP address and cookie data, and sensitive information could be health data, genetic data or biometric data. It all depends on the regulation: if PCI applies, then customer credit card data is the sensitive data. To put sensitive data onto the cloud, we need to understand that there are different concerns, because we don't know exactly how the cloud operates. We already know that there are different regions and availability zones, with data centers in different countries. If we don't know exactly where the data is, there is a big security issue, because a couple of regulations are very strict about that.

The customer should know where the data is located and what kind of processing is being done on it. That is another concern, because if you don't know who accesses your data, you will not be able to apply appropriate security controls to it. Another thing in the cloud is that it is difficult to know who is accessing your data, because it is not only your IT department or your senior management who access it. Cloud service provider employees might also have access to your critical information. In that case, the organization needs to make sure that appropriate security controls are in place. Now we'll talk about security controls. We need to make sure that proper NTRS is there, and we need to make sure that wherever we are storing sensitive data, encryption is there.

Let's say the sensitive data is stored on volumes, on hard disks within the cloud, or in the object store: we need to make sure that proper encryption has been applied, or that the cloud provider is giving us encryption options. We'll see in the subsequent lectures how to manage the keys we use to encrypt the data, to have better key management. We also need to think from both perspectives: sensitive data should be protected both in transit and at rest. Given the way applications process data in the cloud, we also need to be very sure how the actual packets flow between the application and the database, and make sure that data flowing between them is also encrypted.

We can use SSL encryption. All those things we need to assess, and then we need to work with the cloud vendor on how to protect the sensitive data. Regarding regions and Availability Zones, if my regulation says that my data should not move out of the EU region, or out of a certain region, then I can work with the cloud vendor. These days it is very simple: we can choose the particular location when using the cloud services. The concern is really that if you are not aware of where the data is and who accesses it, then there are security concerns. Another thing is that for sensitive data, the organization needs to make sure it knows who has access and who can modify the data, and we may not know who has modified, changed or deleted the data.

In that case, it is difficult for the organization: if the data is breached or accessed by some unauthorized person, there could be serious implications in terms of regulatory violations, or serious penalties. Think of GDPR if sensitive data gets lost, and the kind of fines Facebook and Google have to pay to the authorities these days. So before moving the data to the cloud, we really need to think about how to have proper encryption wherever our sensitive data is and how to protect it with appropriate controls: using encryption at both levels, data at rest and data in transit; controlling who has access through a proper identity and access management system; and logging those requests, so we know who is accessing and who has modified the data.

So it is not a single approach. To protect data in the cloud as well, there should be a layered approach, or defense-in-depth mechanism, so that we can make sure the sensitive data is secure and we are not violating any legal or regulatory requirements. So this is it, friends, for this lecture. Thank you for watching this lecture. Meet you in the next lecture.

  4. Media Sanitization in Cloud

Hello friends, and welcome to this lecture on media sanitization in the cloud. This is again a good concept to understand, and it will help prevent unauthorized access to your data in the cloud. Like the other issues we have in the cloud, shared media, or the way customers get storage in the cloud, is a real security issue. If it is not properly managed, it can lead to leakage of sensitive data, because data destruction policies cannot be implemented the same way we implement them in a traditional data center environment. The media in the cloud cannot be physically destroyed, because the disk is still being used by another tenant. Think of a typical SAN environment: say this is a storage pool with a terabyte of hard disk, we have made logical partitions, and the different volumes, or you can say hard disks, are given to different customers.

In the cloud, think of the possibility that this particular portion of the hard drive has been given to, let's say, one employee, and from the same disk a second volume is given to another employee. In a traditional data center environment, we can go ahead and physically destroy that disk. But in the cloud it is really impossible to destroy the disk, since that particular disk might be holding the volume or data of another tenant or some other organization. So in that case, you cannot sanitize the media directly.

So there are different threats to the data. Unauthorized access, if somebody gets in, is a threat to the organization, and for that we use encryption. For media sanitization, the solution is crypto-shredding: a way to, in effect, destroy the disk so that no one is able to read the data from it, even though it is in the cloud. Before moving further, we need to understand that whatever media, volumes or storage we get is shared: it sits on a disk, but that disk is not dedicated to us alone. That is why we cannot destroy or sanitize the disk itself so that no one can read the data from it once it is no longer required. In a traditional data center environment, we can destroy the disk, or we can degauss the disk.

As we discussed on the previous slide, since the disk is shared, that is not possible in the cloud. So what is the solution in the cloud? The media sanitization solution in the cloud is a technology, or the terminology is, crypto-shredding. So what does crypto-shredding mean? Crypto means encrypted: not in the normal readable form, but encrypted text, or ciphertext. Shred means we destroy that. So the technology is called crypto-shredding. Disk encryption is a technology that protects information by converting it into an unreadable form that cannot be read easily by unauthorized people; that we know. This is the technique we use: we use some kind of master key, or CMK, a customer master key.

There are different concepts with the different cloud vendors. Let's say this is the volume, the disk, the logical volume you get. We can go ahead and encrypt the volume with a certain key. Now think of it this way: this particular disk is encrypted and the key is with you, so only you will be able to decrypt that data, and the data is in ciphertext format. The core idea behind crypto-shredding is that you have encrypted the data and stored it in encrypted form, and then, to delete the data, you just throw away the key, so that the key is with no one.

We have deleted the key itself. If this particular key is not there, the volume will remain encrypted and no one will be able to read it. So crypto-shredding is the best technique possible to date for media sanitization in the cloud. Remember: whenever your organization has a policy for what to do before handing over or removing the media, or removing the volumes from your servers, then in the cloud make sure that crypto-shredding is done.

Even if the cloud vendor assigns that particular volume again, say you have done the crypto-shredding and the volume is then assigned to some other vendor or another organization, no one will be able to read or write. If someone tries to read the data, they will not be able to, because it is encrypted and no one has the key. That is the beauty of it. So this is it, friends, for the lecture on media sanitization in the cloud. Thank you for watching this lecture. Meet you in the next lecture.
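The key-destruction idea from this lecture, as an added Python example that is not part of the original course material: two tenants' volumes sit in one shared pool, each encrypted under a data key wrapped by that tenant's master key, and destroying one master key makes only that tenant's volume unreadable. `KeyStore`, `write_volume`, `read_volume` and the tenant names are hypothetical, and an HMAC-SHA256 keystream stands in for the AES encryption a real provider would use, so that the code runs on the standard library alone.

```python
import hashlib
import hmac
import secrets


def _subkeys(key):
    # Separate keys for encryption and authentication, derived from one secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream: stdlib stand-in for AES.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag, then decrypt; fails closed on a wrong key."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(enc, nonce, ct)


class KeyStore:
    """Hypothetical key service: master keys never leave it, only wrap/unwrap."""

    def __init__(self):
        self._master = {}

    def create_master_key(self, key_id):
        self._master[key_id] = secrets.token_bytes(32)

    def wrap(self, key_id, data_key):
        return seal(self._master[key_id], data_key)

    def unwrap(self, key_id, wrapped):
        if key_id not in self._master:
            raise LookupError(f"master key {key_id!r} has been destroyed")
        return unseal(self._master[key_id], wrapped)

    def destroy(self, key_id):
        # Crypto-shredding: the only copy of the master key is deleted.
        del self._master[key_id]


def write_volume(pool, kms, name, key_id, data):
    data_key = secrets.token_bytes(32)  # per-volume data key
    pool[name] = {"key_id": key_id,
                  "wrapped_key": kms.wrap(key_id, data_key),
                  "blocks": seal(data_key, data)}
    # The plaintext data key is dropped here; only its wrapped form is stored.


def read_volume(pool, kms, name):
    vol = pool[name]
    data_key = kms.unwrap(vol["key_id"], vol["wrapped_key"])
    return unseal(data_key, vol["blocks"])


def demo():
    kms, pool = KeyStore(), {}  # pool models one shared physical disk
    kms.create_master_key("tenant-a-cmk")
    kms.create_master_key("tenant-b-cmk")
    # Constructed sample data for two tenants on the same pool.
    write_volume(pool, kms, "vol-a", "tenant-a-cmk", b"tenant A payroll records")
    write_volume(pool, kms, "vol-b", "tenant-b-cmk", b"tenant B order history")

    before = read_volume(pool, kms, "vol-a")
    kms.destroy("tenant-a-cmk")  # tenant A leaves: shred the key, not the disk
    try:
        read_volume(pool, kms, "vol-a")
        a_readable = True
    except LookupError:
        a_readable = False
    return {"a_before": before,
            "a_readable_after": a_readable,
            "a_blocks_still_on_disk": len(pool["vol-a"]["blocks"]) > 0,
            "plaintext_in_blocks": b"payroll" in pool["vol-a"]["blocks"],
            "b_after": read_volume(pool, kms, "vol-b")}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Tenant A's ciphertext blocks are still on the shared pool after the shred, which is the situation the lecture describes. The technique only holds if every copy of the key, including backups and exports, is destroyed.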

  5. Auditing of Cloud Service Provider Security Posture

Hello friends, and welcome to this lecture on auditing the CSP, or cloud service provider, security posture. What we are studying here is how to prevent unauthorized access to data. If we are moving data to the cloud, or planning to, we need to make sure that the data's confidentiality and integrity are being maintained, that someone is doing the auditing, and that someone is providing the reports to us. How can we check that the controls are effective, that someone is checking their effectiveness, and that someone is doing the audit as per the different standards? So let's see how this is different from the traditional environment.

In a general sense, leaving aside the cloud service provider audit or cloud audit, IT security audits determine whether an information system and its maintenance meet both the legal expectations of the customer and the company's standards for achieving financial success against various security threats. These goals are still relevant in the case of cloud computing as well. But there is some customization, because the servers and infrastructure holding the data are in data centers that belong to the cloud vendor. From that perspective, we need to understand that there are different responsibilities here, and for certain things we need to rely on the cloud service provider. Some of the questions an organization or individual needs to ask are: can I audit the CSP's implementation of the security measures? If they say they have done the audit as per 27001, can I audit that?

How can I audit that? If there is a regular audit happening at the CSP end, what is its frequency? If they say the audit is happening, has a reputable third party performed it? In most of the vendor reports I have seen, the cloud audit reports are done by EY and different organizations, or maybe Deloitte; they perform the audits and provide the audit reports. What sort of internal audits or compliance reports has the vendor done, and against which standards, like ISO 27001 or PCI DSS? One thing we need to understand is that cloud vendors serve different organizations: banking is there, healthcare is there, the insurance industry is there, organizations manufacturing drugs are there, and e-commerce is there.

Each and every organization has different needs when using the cloud, and depending on the need, they also come under different legal and regulatory requirements: there is HIPAA, there is GxP, there is SOX, and there is PCI DSS. From that perspective, cloud providers should also audit their infrastructure against the different legal or regulatory terms, so that they can attract the different customers. Depending on the organization's business, we need to check the particular report. If it is a pharma company manufacturing drugs, we need to check for GxP. Similarly, if it is e-commerce and you are doing credit card processing, we need to check for the PCI DSS report. For a generic security posture, we can go for the ISO 27001 audit report. So it really depends on the organization's business.

Then we need to check how we can get the report on the base infrastructure the cloud provider gives us, let's say the hypervisor and storage. We need to check what kind of controls are implemented there, how often those controls are checked, and how effective they are. In the cloud, we need to rely on the reports provided by the vendors, and we need to make sure that whatever reports they provide are validated and up to date; it is the responsibility of the CSP to provide the customer the updated report. As a customer, we can go ahead and check the different kinds of reports that cloud vendors provide. Some of the reports are readily available.

For some reports you might need to sign an NDA with them, because some reports are confidential: they contain data related to their vulnerabilities or their infrastructure. That is why a couple of reports you can get easily, and for a couple of reports you need to sign the NDA. So this is it, friends, on auditing the cloud service provider security posture: how we can perform the audit by getting audit reports against the various standards from the cloud service providers. In the upcoming video, we'll also see the links where the publicly available audit reports can be seen in the case of Azure. So, thank you friends. Thank you for watching this lecture. Meet you in the next lecture.
