Practical Cloud Security



US FISMA or FedRAMP

The Federal Information Security Management Act (FISMA) is per-agency, whereas Federal Risk and Authorization Management Program (FedRAMP) certification may be used with multiple agencies, but both require you to classify your data and systems in accordance with FIPS 199 and other US government standards. If you're in an area where you may need one of these certifications, you should use the FIPS 199 classification levels.

US ITAR

If you are subject to the International Traffic in Arms Regulations (ITAR), in addition to your own controls, you will need to choose cloud services that support ITAR. Such services are available from some cloud providers and are managed only by US personnel.



Global PCI DSS

If you're handling credit card information, the Payment Card Industry Data Security Standard dictates that there are specific controls that you have to put in place, and there are certain types of data you're not allowed to store.

US HIPAA

If you're in the US and dealing with any protected health information (PHI), the Health Insurance Portability and Accountability Act (HIPAA) mandates that you include that information in your list and protect it, which often involves encryption.

There are many other regulatory and industry requirements around the world, such as MTCS (Singapore), G-Cloud (UK), and IRAP (Australia). If you think you may be subject to any of these, review the types of data they are designed to protect so that you can ensure that you catalog and protect that data accordingly.

16 | Chapter 2: Data Asset Management and Protection

Data Asset Management in the Cloud

Most of the preceding information is good general practice and not specific to cloud environments. However, cloud providers are in a unique situation to help you identify and classify your data. For starters, they will be able to tell you everywhere you are storing data, because they want to charge you for the storage!

In addition, use of cloud services brings some level of standardization by design. In many cases, your persistent data in the cloud will be in one of the cloud services that store data, such as object storage, file storage, block storage, a cloud database, or a cloud message queue, rather than being spread across thousands of different disks attached to many different physical servers.

Your cloud provider gives you the tools to inventory these storage locations, as well as to access them (in a carefully controlled manner) to determine what types of data are stored there. There are also cloud services that will look at all of your storage locations and automatically attempt to classify where your important data is. You can then use this information to tag your cloud assets that store data.


When you're identifying your important data, don't forget about passwords, API keys, and other secrets that can be used to read or modify that data! We'll talk about the best way to secure secrets in Chapter 4, but you need to know exactly where they are.

If we look at our sample application, there's obviously customer data in the database. However, where else do you have important assets? Here are some things to consider:


• The web servers have log data that may be used to identify your customers.

• Your web server has a private key for a TLS certificate; with that and a little DNS or BGP hijacking, anyone could pretend to be your site and steal your customers' passwords as they try to log in.

• Do you keep a list of password hashes to verify your customers? Hopefully you're using some sort of federated ID system, as described in Chapter 4, but if not, the password hashes are a nice target[3] for attackers.

• Your application server needs a password or API key to access the database. With this password, an attacker could read or modify everything in the database that the application can.

[3] Remember LinkedIn's 6.5 million password hashes that were cracked and then used to compromise other accounts where users used the same password as on LinkedIn?


Even in this really simple application, there are a lot of nonobvious things you need to protect. Figure 2-1 repeats Figure 1-6 from the previous chapter, adding the data assets in the boxes.
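As an added illustration of the inventory-and-tag approach described above and of the nonobvious assets in the sample application (this is example code, not from the book or any cloud provider's tooling), the script below scans a constructed set of storage objects and tags each one by the kind of sensitive data it finds: cardholder data (with a Luhn check so plain 16-digit ids are not misflagged), customer identifiers in logs, TLS private keys, and database credentials or API keys. The object paths, contents, and tag names are all assumptions; a real inventory would come from the provider's storage listing, and a real classifier would cover far more data types.

```python
import re

# Constructed sample standing in for a cloud storage inventory (assumption: a real
# tool would pull object locations and contents from the provider's inventory API).
SAMPLE_OBJECTS = {
    "object-store/app-logs/access.log":
        "203.0.113.7 - - [10/Jan/2024] alice@example.com GET /login 200\n",
    "object-store/app-config/app.env":
        "DB_HOST=db.internal\nDB_PASSWORD=s3cr3t-example\nAPI_KEY=key-example-123\n",
    "object-store/app-tls/server.key":
        "-----BEGIN PRIVATE KEY-----\nMIIEvQ...\n-----END PRIVATE KEY-----\n",
    "object-store/orders/export.csv":
        "order_id,card_number\n4111111111111112,4111111111111111\n",
    "object-store/static/logo.png": "PNG header and image bytes here",
}

PAN_RE = re.compile(r"\b\d{13,19}\b")                     # candidate card numbers
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")          # customer identifiers in logs
SECRET_RE = re.compile(r"(?im)^\s*\w*(PASSWORD|SECRET|API_KEY|TOKEN)\w*\s*=\s*\S+")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps 16-digit order ids from being flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(content: str) -> set:
    """Return the set of data-asset tags that apply to one stored object."""
    tags = set()
    if any(luhn_ok(m) for m in PAN_RE.findall(content)):
        tags.add("PCI-cardholder-data")
    if EMAIL_RE.search(content):
        tags.add("PII-customer-identifier")
    if PRIVATE_KEY_RE.search(content):
        tags.add("SECRET-private-key")
    if SECRET_RE.search(content):
        tags.add("SECRET-credential")
    return tags

def inventory(objects: dict) -> dict:
    """Map every storage location to its tags; untagged objects stay in the inventory
    so the record also shows where nothing sensitive was found."""
    return {path: classify(body) for path, body in objects.items()}

if __name__ == "__main__":
    for path, tags in inventory(SAMPLE_OBJECTS).items():
        print(f"{path}: {', '.join(sorted(tags)) or 'no sensitive data detected'}")
```

The resulting tags are what you would attach to the storage assets themselves, so that the TLS key, the credentials file, and the log bucket show up in the same catalog as the customer database.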
