Posts

Data Security Lifecycle 2.0

The Cloud Security Alliance Guidance explains the Data Security Lifecycle, which describes the various phases data undergoes in the cloud. This lifecycle was adopted from a blog article on Securosis. Rich Mogull, Analyst & CEO, stated that he was not happy with his work since it seemed rushed and did not sufficiently address the cloud aspects. Securosis has since released the Data Security Lifecycle 2.0, and this blog post is an attempt to present it in simple terms. Before we delve into the nuances of the improved version of the lifecycle, a sneak peek at the old one will help us appreciate the changes. V1.0 is depicted below. The lifecycle has a total of six phases: Create, Store, Use, Share, Archive, and Destroy. While the circular, step-by-step depiction may suggest that one phase follows the other, that is not the case. Creating and storing may happen simultaneously, and archiving may not happen at all if the information is not required to be stored for the long term. In essence, the

Crypto-Shredding is NOT a panacea for the Right to Be Forgotten (RTBF)

A recent survey by Trend Micro revealed alarming results. When asked for feedback on their companies’ approaches to cloud data destruction, 25% of respondents answered “What’s that?” Another 31% said their cloud provider handles cloud data destruction, but they do not know what that actually involves. Given the growth of cloud computing, it is imperative for security professionals to understand the details of data destruction in the cloud. This is required from both a contractual and a regulatory point of view. Crypto shredding is the concept of destroying data by destroying the cryptographic keys protecting it. Without the decryption keys, the encrypted data is unusable, like a safe without the combination. From a cloud provider perspective, there are multiple tenants that the provider serves. From a cloud customer perspective, the data is stored in physical locations that they cannot visit, let alone perform any data destructions

Holy Grail of Cryptography - Homomorphic Encryption

What if it were possible to analyze or manipulate encrypted data without revealing the data to anyone? Imagine sending an encrypted search query to a search engine and getting the results back in encrypted form; payment data that is never decrypted, yet transactions still take place; and your PII processed by a third party, but only in encrypted form, never to be seen by anyone but you!! I know you are intrigued and I have caught your attention. So let's explore this in detail. Before we delve into this exciting space, we must brush up on our basics (not everyone is as smart as you!). Encryption is a process where you convert plain text (readable) into a garbled form (unreadable) to ensure confidentiality. If a person wants to read it, they have to know the magic key (a symmetric key or a public/private key pair). The idea is to ensure that the data is secure when sent across the wire and when stored at rest. All sounds hunky-dory, right? While modern encryption algorithms are virtually unbreakab

Governance & Risk Management in the Cloud

Governance and risk management are among the most important aspects of any business, irrespective of whether you run your applications (business) in the cloud, on-prem, or even in space. All businesses need to be governed, and the risks they face have to be managed. In the cloud context, some changes are introduced in the way businesses govern and manage the risks associated with them. For security professionals, cloud computing impacts four areas of governance and risk management: Governance, Enterprise Risk Management, Information Risk Management, and Information Security. Governance mainly deals with the policies and procedures that focus on how an organization performs its operations, ranging from day-to-day tasks to strategic decisions. Policies influence the organization’s decision making and risk tolerance. Enterprise Risk Management includes managing the risks (financial, political, regulatory, cybersecurity, etc.) faced by an organization. Information Risk

Zero Trust Model - The Present Necessity

When I was preparing for CISSP 3 years back, a line from the book AIO Guide by Shon Harris really made an impact on me. It goes like this: “There are only two people in the world I trust - you and I, and I'm not so sure about you.” This statement summarises the entire zero trust model, I presume. Given the current situation, a lot of organizations have enabled remote access for their employees. Remote access, once enabled, has increased the attack surface for hackers. In this blog post, we will learn about the zero trust architecture and why it is essential to enable zero trust for everyone, including the CEO of the organization. What is Zero Trust? In simple terms - no trust in anyone. Everyone has to prove themselves via identity verification, whether the person is operating from the office or from the comfort of his/her home. Zero Trust is not about making a system trusted, but instead about eliminating trust. The term ‘zero trust’ was coined by an analyst at Forrester Research Inc. in

Cloud Computing - The Logical Model

At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality. The four layers are: Infrastructure: the core components of a computing system (compute, network, and storage); the foundation that everything else is built on; the moving parts. Metastructure: the protocols and mechanisms that provide the interface between the infrastructure layer and the other layers; the glue that ties the technologies together and enables management and configuration. Infostructure: the data and information, such as content in a database or file storage. Applistructure: the applications deployed in the cloud and the underlying application services used to build them, for example Platform as a Service features like message queues, artificial intelligence analysis, or notification services. Security at different levels is mapped to the different layers. Application security is managed at the applistructure layer, while the data sec

The Blog Turns 3!!!

Well, time flies, and that is absolutely correct. One more year has gone by and the blog has turned 3 now. This year has been full of ups and downs, even from the blog's perspective. I have been quite busy and hence the number of posts has been lower. New initiatives are also in progress. However, one aspect that has just kept going up is the love and respect from the readers. This year saw mind maps, new courses on Simpliv, 50 posts, and posters in the downloads section. The Udemy courses also saw a jump in the number of students. Around 500+ students have enrolled in various courses from 37+ countries. They too have showered their love and support by rating the courses with 4 or 5 stars. By all means, keep this coming, as such contributions help me subscribe to multiple channels to help present the best content possible to you. While the year 2020 has brought a lot of challenges, the biggest challenge is fighting the global pandemic - Covid-19. Hope and faith are the biggest powers in suc

Abstraction and Orchestration - In The Cloud

In the previous blog post, we dissected the definition of cloud computing as per NIST and ISO/IEC. I urge you to read it before continuing. In this blog post, we will learn about traditional virtualisation and how the cloud is an extension of it via the abstraction and orchestration mechanisms. Consider this scenario: John is a security administrator and wants to implement a firewall (primary and secondary), a mail server, and a server managing legacy applications. In the traditional IT workspace, John would require 2 separate physical boxes for implementing the firewall (one for the primary and one for the secondary), a mail server box, and probably as many boxes as there are applications. This would be highly cost-prohibitive. Intelligent minds gathered together and hailed virtualisation as the solution to reduce cost. Virtualization is a technology that lets you create useful IT services using resources that are traditionally bound to hardwar

Defining Cloud Computing

When you download an image, where does it get stored? You select a path on your system and store it in, say, a folder on the D: drive. But if you upload a video to YouTube, where does it get stored? If you own an Apple device and upload your documents to iCloud, where does it get stored? The answer to all these questions lies in just one word - The Cloud. But what exactly is the cloud? In the most basic terms, the cloud is someone else’s computer with insanely large amounts of space in it. Companies like Google, Apple, Amazon, Microsoft, and many more have built huge data centres around the world. These data centres are the places where terabytes of information are stored and processed every second. The cloud, hence, is just the servers working around the clock in these data centres. But this is just a layman's understanding of the cloud. We must understand what makes a cloud a cloud. What if I have a small data centre with 10 Linux servers? Can I call that a cloud servic

Let’s all float on the clouds... digitally, of course!!!

If you ask any company where they store users’ data, most of them answer: it’s all in the cloud. It may be your digital identities, your eating habits, or the grocery items you order; all of it is (not so safely, I doubt the security too) stored in THE CLOUD. But what exactly is this cloud that everyone seems to be on top of these days? In the simplest terms, cloud computing means storing and accessing data and programs over the Internet instead of your computer's hard drive. The cloud is just a metaphor for the Internet. If everyone’s data (even if you did not sign up for it, believe me, your data is surely there) is stored in the cloud, shouldn’t we understand it in detail, especially the security aspect of it? Well, my aim is exactly that - to help you get to the bottom, I mean on top, of this Mr Cloud. I will cover all 14 domains of the CCSK and the overlapping domains of the CCSP going forward. This will entail the