Domain 2: Cloud Data Security covers a wide range of technical and operational topics and is the most heavily weighted domain on the CCSP exam, representing 19 percent of the CCSP certification exam.
Storage types
IaaS uses volume and object storage, PaaS uses structured and unstructured data, while SaaS can use a wide assortment of storage types.IaaS
The infrastructure as a service model provides cloud customers with a self-service means to access and manage compute, storage, and networking resources. Storage is allocated to customers on an as-needed basis, and customers are charged only for what they consume.The IaaS service model uses two categories of storage:
- Volume: A volume is a virtual hard drive that can be attached to a Virtual Machine (VM) and utilized similar to a physical hard drive. The VM Operating System views the volume the same way any OS would view a physical hard drive in a traditional server model. The virtual drive can be formatted with a file system like FAT32 or NTFS and managed by the customer. Examples of volume storage include AWS Elastic Block Store (EBS), VMware Virtual Machine File System (VMFS), and Google Persistent Disk.
You may also see volume storage referred to as block storage. The two terms can be used interchangeably.
- Object: An object is file storage that can be accessed directly through an API or web interface, without being attached to an Operating System. Data kept in object storage includes the object data and metadata and can store any kind of information, including photos, videos, documents and more. Many CSPs have interfaces that present object storage in a similar fashion to standard file tree structures (like a Windows directory), but the files are actually just virtual objects in an independent storage structure that rely on key values to reference and retrieve them. Amazon S3 (Simple Storage Service) and Azure Blob Storage are popular examples of object storage.
PaaS
Platform as a service storage design differs from IaaS storage design because the cloud provider is responsible for the entire platform (as opposed to IaaS, where the CSP is only responsible for providing the volume allocation) and the customer only manages the application.The PaaS service model utilizes two categories of storage.
Structured versus unstructured data.- Structured: Structured data is information that is highly organized, categorized, and normalized. This type of data is able to be placed into a relational database or other storage system that includes rulesets and structure (go figure!) for searching and running operations on the data.
Structured Query Language (SQL) is one of the most popular database programming languages used to search and manipulate structured data(bases). Remembering that SQL is a database language is an easy way to associate structured data with databases.
- Unstructured: Unstructured data is information that cannot be easily organized and formatted for use in a rigid data structure, like a database. Audio files, videos, word documents, web pages, and other forms of text and multimedia fit into this data type.
SaaS
For software as a service, the cloud provider is responsible for managing not only the entire infrastructure and platform, but also the application itself. For this reason, the cloud user has minimal control over what types of data go into the system; their only data storage responsibility is to put permissible data into the application.While they’re not quite true data types, the SaaS service model commonly utilizes two types (or methods) of data storage:
- Information storage and management: This type of data storage involves the customer entering data into the application via the web interface, and the application storing and managing that data in a back-end database. Data may also be generated by the application, on behalf of the customer, and similarly stored and managed. This application-generated data is internally stored on volume or object storage, but is hidden from the customer.
- Content and file storage: With this type of data storage, the customer uploads data through the web application, but instead of being stored in an integral database, the content and files are stored in other storage mechanisms that users can access.
Some other terms you should be familiar with are ephemeral and raw-disk storage. Ephemeral storage is temporary storage that accompanies more permanent storage. Ephemeral storage is useful for temporary data, such as buffers, caches, and session information. Raw-disk storage is storage that allows data to be accessed directly at the byte level, rather than through a filesystem. You may or may not be tested on this information, but you’re likely to come across the terms at some point.
Threats to storage types
The ultimate threat to any storage type is a compromise that impacts the confidentiality, integrity, or availability of the data being stored. While specific attack vectors vary based on the storage type, the following list identifies some common threats to any type of data storage:- Unauthorized access or usage: This type of threat involves the viewing, modification, or usage of data stored in any storage type by either an external unauthorized party or a malicious insider who may have credentials to the environment but who uses them in an unauthorized manner. The attack vectors from external threat actors can be anything from using malware to gain escalated privileges to using phishing techniques to steal credentials from users who have credentials to access data. To protect against insider threats related to unauthorized access and usage, CSPs should have mechanisms and processes in place to require multiple parties to approve access to customer data, where possible. Mechanisms should also be in place to detect access to customer data and processes to validate that the access was legitimate. Cloud customers should consider using Hardware Security Modules (HSMs) wherever possible, to help control access to their data by managing their own encryption keys.
- Data leakage and exposure: The nature of cloud computing requires data to be replicated and distributed across multiple locations, often around the world. This fact increases threats associated with data leakage, if cloud providers don’t pay careful attention to how replicated data is protected. Customers want to know that their data is secured consistently across locations, not only for peace of mind against leakage, but also for regulatory compliance purposes.
- Denial of Service: DoS and DDoS attacks are a huge threat to the availability of data stored within cloud storage. Cloud networks that are not resilient may face challenges handling sudden spikes in bandwidth, which can result in authorized users not being able to access data when they need it.
- Corruption or loss of data: Corruption or loss of data can affect the integrity and/or availability of data and may impact specific data in storage or the entire storage array. These threats can occur by intentional or accidental means, including technical failures, natural disasters, human error, or malicious compromises (for example, a hack). Redundancy within cloud environments helps prevent complete loss of data, but cloud customers should carefully read CSPs’ data terms that include availability and durability SLOs and SLAs.
Durability (or reliability) is the concept of using data redundancy to ensure that data is not lost, compromised, or corrupted. The term has been used for years in traditional IT circles and is just as important in cloud security. Durability differs from availability in that availability focuses on uptime through hardware redundancy. It’s very possible (but not desirable) to have a system that stays up 100 percent of the time, but all of the data within it is corrupted. The goal of a secure cloud environment is, of course, to have as close to 100 percent availability (uptime) and durability (reliability). Despite this lofty goal, CSPs’ actual commitment for each tends to be 99 percent followed by some number of 9s (like 99.999999 percent).