Domain 11 - Data Security and Encryption

Question 1

_______ is a key enforcement tool for information and data governance. As with all areas of
cloud security, its use should be risk-based since it is not appropriate to secure everything equally.

Answer 1

Data security

Question 2

3 Buckets of Data Security Controls

Answer 2

• Controlling what and where data goes into the cloud
• Protecting and managing cloud data
• Enforcing Information Life-cycle Management Security

Question 3

what are the Key Control and Processes for protecting and managing data in the Cloud?

Answer 3

• Access controls
• Encryption
• Architecture
• Monitoring/alerting (of usage, configuration, lifecycle state, etc.)
• Additional controls, including those related to the specific product/service/platform of
  your cloud provider, data loss prevention, and enterprise rights management.

Question 4

Cloud Data Storage Types

Answer 4

• Object Storage
• Volume Storage
• Database
• Application/Platform

Question 5

______ (sometimes also known as data fragmentation of bit splitting). This process takes chunks of
data, breaks them up, and then stores multiple copies on different physical storage to provide high
durability

Answer 5

Data Dispersion

Question 6

Data Migration process to the Cloud

Answer 6

• Define policies data types that are allowed and where
• Tie policies to baseline requirements
• Identify key repositories
• Monitor for large migration

Question 7

Data Migration Monitoring tools

Answer 7

• CASB
• URL Filtering
• DLP

Question 8

Cloud Data Access controls should be implemented at minimum in three layers. What are these?

Answer 8

• Management Plane
• Public and Internal Sharing Controls
• Application Level Controls

Question 9

_______ protects data by applying
a mathematical algorithm that “scrambles” the data, which then can only be recovered by running
it through an unscrambling process with a corresponding key.

Answer 9

Encryption

Question 10

_______ is often used when the format of the data is important (e.g. replacing credit card
numbers in an existing system that requires the same format text string).

Answer 10

Tokenization

Question 11

______ encrypts data with a key but also keeps the same structural format as tokenization, but it
may not be as cryptographically secure due to the compromises.

Answer 11

Format-preserving Encryption

Question 12

what are the three components of an encryption system:?

Answer 12

data, the encryption engine, and key

management.

Question 13

Different methods of Data Encryption in IaaS

Answer 13

• Volume Storage Encryption
  - instance managed
  - externally managed
• Object and file Storage
  - Client-side
  - Server Side
  - Proxy

Question 14

It is a volume storage encryption encryption engine runs within the instance, and the key is stored in the
volume but protected by a passphrase
or keypair.

Answer 14

Instance managed encryption

Question 15

It is a volume storage encryption where 
The encryption engine runs in the
instance, but the keys are managed
externally and issued to the instance
on request.

Answer 15

Externally managed encryption

Question 16

When object Server
storage is used as the back-end for
an application (including mobile
HSM, SECaaS, VM, or Server
applications), encrypt the data using
an encryption engine embedded in
the application or client.

Answer 16

Client-side encryption

Question 17

Data is encrypted on the server (cloud) side after

being transferred in. The cloud provider has access to the key and runs the encryption engine.

Answer 17

Server side encryption

Question 18

In this model, you connect the volume to a special instance or appliance/
software, and then connect your instance to the encryption instance. The proxy handles all
crypto operations and may keep keys either onboard or externally.

Answer 18

Proxy Encryption

Question 19

Different methods of Data Encryption in PaaS

Answer 19

• Application Level Encryption
• Database Encryption
• Other

Question 20

Different methods of Data Encryption in SaaS

Answer 20

• Provider Managed Encryption

- Proxy Encryption

Question 21

Data is encrypted in the PaaS application or the client accessing
the platform

Answer 21

Application layer encryption

Question 22

Data is encrypted in the database using encryption that’s built in and is
supported by a database platform like Transparent Database Encryption (TDE) or at the field level.

Answer 22

Database encryption

Question 23

Data is encrypted in the SaaS application and generally managed
by the provider.

Answer 23

Provider-managed encryption

Question 24

Data passes through an encryption proxy before being sent to the SaaS
application

Answer 24

Proxy encryption

Question 25

Key Management main considerations

Answer 25

- performance - accessibility - latency - security

Question 26

4 Potential options for handling key management

Answer 26

- HSM/Appliance - Virtual Appliance/software - Cloud Provider Service - Hybrid

Question 27

True/False: A customer-managed key allows a cloud customer to manage their own encryption key while the provider manages the encryption engine.

Answer 27

True

Question 28

_________ is typically a way to monitor and protect data that your employees access via monitoring local systems, web, email, and other traffic. It is not typically used within data centers, and thus is more applicable to SaaS than PaaS or IaaS, where it is typically not deployed.

Answer 28

Data Loss Prevention (DLP)

Question 29

2 Types of DRM

Answer 29

- Full DRM | - Provider Based Control

Question 30

2 ways to protect development cloud data

Answer 30

- Test Data Generation | - Dynamic Masking

Question 31

This is traditional, full digital rights management using an existing tool. For example, applying rights to a file before storing it in the cloud service.

Answer 31

Full DRM

Question 32

The cloud platform may be able to enforce controls very similar to full DRM by using native capabilities

Answer 32

Provider based control

Question 33

This is the creation of a database with non-sensitive test data based on a “real” database. It can use scrambling and other randomization techniques to create a data set that resembles the source in size and structure but lacks sensitive data.

Answer 33

Test Data generation

Question 34

This rewrites data on the fly, typically using a proxy mechanism, to mask all or part of data delivered to a user. It is usually used to protect some sensitive data in applications, for example masking out all but the last digits of a credit card number when presenting it to a user.

Answer 34

Dynamic Masking