CCT 178: Data Security Controls, Labeling, and Cloud Access Security (CISSP Domain 2.6)
Sep 23, 2024
Ever wondered how a TI-84 calculator can be transformed into a powerful tool for ChatGPT? Join me, Sean Gerber, on this thrilling episode of the CISSP Cyber Training Podcast as we uncover this fascinating tale and explore the evolving landscape of data security. We'll dissect the crucial elements of Domain 2.6 of the CISSP exam, from protecting data-at-rest to data-in-motion, and delve into the significance of Digital Rights Management (DRM) and Data Loss Prevention (DLP). This episode promises to enlighten you on the challenges and solutions of safeguarding data in today's tech-driven world.
Next, we'll explore the meticulous process of establishing a robust labeling schema for data within an organization. Learn how to effectively implement physical and digital labels—such as unclassified, secret, top secret, and confidential—using color coding for easy identification. We'll stress the importance of consistent terminology, well-documented procedures, and controlled access to data classification changes. Discover how to tailor security controls to fit various organizational needs and the pivotal role of IT security leaders in guiding departments to enhance their security measures.
Finally, we address the critical task of aligning IT security controls with an organization's risk tolerance and operational needs. Understand how focusing on critical assets can optimize data protection without spreading resources too thin. We'll highlight the importance of adhering to security frameworks like NIST, GDPR, or PCI DSS, and the role DRM and DLP play in preventing unauthorized data exfiltration. Plus, we'll introduce Cloud Access Security Brokers (CASBs) and discuss their crucial function in enforcing security policies between organizational networks and cloud service providers. This episode is packed with invaluable insights to prepare you for the CISSP exam and elevate your cybersecurity knowledge.
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2:
Good morning everybody. This is Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day wherever you're at today. Today is going to be about Domain 2, and specifically we're going to get into Section 6, or Domain 2.6, as it relates to data security controls, and so we're going to be rolling into how do you protect your data from data states to DRM, to DLP and so forth, and this is the part around 2.6. And if you have the ISC Squared book, it'll kind of match to that. But before we do, we're going to get just.
Speaker 2:
I wanted to real quickly talk about an article that I saw that was for the geeks at heart. This was an interesting article out there that, if any of you all have ever had to take a test where you had a computer or not a computer, but a calculator with you, there is a hack out there it was a TI-84 hack that occurred that allowed you to add ChatGPT to the device. So it's an engineering calculator, and this engineering calculator would typically doesn't have this functionality, but an individual decided to. You know what. I want to try to figure this out so that when I'm taking my tests I can use ChatGPT versus having to figure it out on their own. So, as a professor, when I was teaching, or the adjunct professor, I should say one of the things that came up, this was right.
Speaker 2:
When ChatGPT came out, my students came up to me and said well, hey, can we use ChatGPT to help us pass the CISSP, but pass the course? And I told them, I said the point comes right down to and they're very blunt. And I even came out and said if you're going to use it, that's fine, you can use it for the exam. But you also have to understand that if I do get any notification, I feel like you are actually using it and your answers aren't from you. I will call you in and then you're going to talk about your actual test and you're going to talk about what answer you gave, why you gave it, what was the purpose behind it. So it actually limited somebody from doing that, or they may have just decided to maybe modify ChatGPT a little bit to give them what they wanted, but at the end of the day, the interesting part is, this guy had a graphing calculator and he decided to use ChatGPT using the get and put functions that are on the device itself and then was able to make a cut. And again he made some changes to this device so that it wasn't like this out of the box, but it was designed to be able to do that. And so he actually went out and he put in a Wi-Fi enabled microcontroller, which costs about five bucks, and then he also had some other components that he was able to put inside this TI-32 to make it so that it was compatible with connecting to the internet. And it was just interesting how he got this to work. So I put the link. You'll have to be able to see this link. It's called. It's from Ars Technica: Secret calculator hack brings ChatGPT to TI-84. He did mention that during this time he had some voltage issues when he was putting it together and it didn't work real easily. He had to go out and make a lot of changes.
Speaker 2:
So from a professor standpoint, from a college standpoint, I'd say good on you, man. Right, there is a way to use something and you actually learn something different than what you were trying to accomplish. But the other, on the interesting side of that is yeah, you're. Now. These professors are going to have to start thinking outside the box, the old ways of just, hey, I've and I've got a son that is in education and he, they have tests and their tests have been created and they just no offense to him they regurgitate these tests over and over again when the new batch of students come in. Well, teachers are going to have to get outside the box a little bit, because this is just going to continue to get more and more pervasive, because people are going to try it. They're smart, they're very, very smart. They're going to try to do these different types of things. So, something to consider just, I would take a look at it and it's on Ars Technica and it is a TI-84, and it is for cheating on tests. So, yes, you all can try it and see if that's something you want to do. I wouldn't recommend cheating on tests, but hey, that's up to you.
Speaker 2:
Okay, so today we're going to be getting into 2.6, and 2.6 is around data states and determining data security controls. Now, all this information, like I said before, is available to you. On CISSP Cyber Training. You can head there and get access to all this information. It's available to you. This video will be posted on the website, so you'll have access to the video there. You can listen to the podcast, obviously, wherever you get your podcasts at, as well as on YouTube. We've been having a lot of success with this podcast. The podcast is getting good reviews, it's getting good downloads and so obviously you all are enjoying it, so that's positive. I get a lot of different feedback from people through email that they've been passing the CISSP, which is awesomeness, so we're excited about that.
Speaker 2:
Well, so today is the determining of data security controls. Now we're going to get into a couple different parts around data security controls, and this would get into data states as the first topic. Now, a data state and we've talked about this as we talk through CISSP training and the different types of stuff that you need for to be successful, to pass the test, but also to be successful as a security professional within your space. One of the things that came up was around we've talked about is data states Data at rest, data at transit, data in use those are the three types of data states. Data at rest this stores the data in a physical media such as a hard drive, a tape, cloud storage, anything like that is what the data is at rest. Now encryption on data at rest will help protect this from access to unauthorized people.
Speaker 2:
Now we talk about encryption. Encryption is a very slippery slope. You have to have the ability to have keys for your encryption. If you're going to have encryption in the cloud or you're going to have encryption on-premises, you have to have a way to manage these keys so that you can get the data out that is encrypted, unencrypted, and be able to use it. There's different types of encryption that have been out there and I've seen some of these in the investment space, where it's homomorphic encryption, where basically the data is always in an encrypted state. So when data is encrypted at rest it's not usable. So to get it out, you have to decrypt it to get the information out. There's different companies out there trying to homomorphic encryption that will basically allow the encryption to be enabled at any point in time during the transition periods. So data at rest, data transit, data, use it is all encrypted. The only time it's not encrypted is actually when you view it on some sort of device to be able to actually view the data itself, if that's what your need is, or if you are manipulating it, such as through an Excel document and so forth. The thing is with the homomorphic encryption is it's still in the beta phases. There's companies trying to make this work, but it works in certain situations. In others it doesn't work as well. So it'll be interesting to see where this goes in the future.
Speaker 2:
But again, data at rest. This is where you have to have different access controls in place to help restrict who can access this data. You also need to have in place a DLP product to prevent unauthorized data exfiltration, and we've talked about data exfiltration. It can be a big challenge with companies because of the fact that there's so many ways out of your organization that it's not easy to protect it, and so, therefore, you need to have some sort of DLP in place to be able to help you with that.
Speaker 2:
Data in transit. Now, data in transit is when data is transmitted over networks. So this could be over wireless networks, it could be LAN networks any type of network is when the data is in motion. Obviously, encryption will help this. This helps from when you have point-to-point level encryption, so if you have a computer talking to another computer from point A to point B, then that's when the data will be protected and encrypted. VPNs can also help create this secure tunnel that will help for data transmissions, and we've talked about different types of VPNs in CISSP Cyber Training, so the point comes into, though, is this is what helps when you're trying to transmit data between two locations. Another type is TLS and SSL encryption. These are secure protocols that are used a lot for different types of communication, but mainly for web communication, but you can use TLS in various different pieces. Now, the most current version is TLS 1.3. And therefore, if you use earlier versions, you need to make sure that they have not been deprecated and are still a valuable use.
Speaker 2:
Data in use this is where data is actively being processed. Access controls will help restrict that right. Who has access to the data? Data masking this is another part where the data is coming in. You have your, let's say, for example, social security numbers. Those are masked, maybe the first, however many six digits, or you just leave the last four digits are available. That's a masking technique. There's various applications that will do this. I've personally worked with Salesforce to make that happen, but there's various other applications will have that capability built into it Most ERP type solutions, which is your enterprise resource planning products, applications such as SAP. There's many other ones out there. Salesforce is another one. They will have data masking enabled.
Speaker 2:
Privileged user management this is where it will control access. For users with elevated privileges Maybe this when you have elevated privileges, you are not able to gain access to certain levels of data, or the vice versa If you don't have access to these elevated privileges, you don't have access to much of anything. So the bottom line is, when you have your data that's in use, this is data that's actively being processed, as it relates to a data state. Now the ultimate goal is again protecting the confidentiality of this data, and this is through the use of strong encryption and access controls, which we've kind of already recommended and mentioned. We talked about the examples that are available and one of the things like a data encryption example could be.
Speaker 2:
You have your data in your database and that database tables are, but kind of an interesting part about data at rest is it really truly never is at rest, except for when it's powered off and it's disconnected from the network. Data in many cases is being tagged and pulled on on a numerous basis. It doesn't mean that it's not idle, but most of the time when data is at rest they're meeting data in the storage of some kind, data in transit we talked about through HTTPS encryption, and then data in use through web applications and the various aspects around that. So when you're dealing with data states, you need to consider the sensitive information and you need to have a plan. One of the things that I've seen so often when I've talked to different companies, when I've been in companies myself the data. They don't really have a good plan because they don't have a good data owner that really understands what is going on with the information that's there, and so you need to have a plan around labels. One of the aspects is that how do you label this specific data? A data classification scheme is a really good thing to have. If you don't have one in place right now, it will go a long ways in helping you to be able to protect the information that's on your network, and I would recommend that, if you don't have one, start small, get a small subset of data that you know that this is what its state is, this is the classification it should be, and then, from there, expand your way out. Now you can either do this manually, by yourself, or you can bring in a third party that can help you with your data classification plans. Now, there's various third parties out there that help you with this. The ultimate goal is that they want to have the ability so that, when you can flip on a switch, your data within your environment starts to become classified in a format that is best for your organization. So, again, you really need to have that. And then you need to document and manage the plan. Document how you're going to do it and then manage the overall plan.
Speaker 2:
Now we've talked about various labels that you can use. Obviously, there's physical labels. There's also digital labels, but from a physical standpoint, let's just think about what are some different labels you can use within your organization. You have unclassified, you have secret, you have top secret, you have confidential. Those are some basic Air Force type labels that we used, but there's multiple other types of labels that you can use within your organization. These labels could be private, they could be general. They could be sensitive. They could be pretty much anything you want to label them as, but there's different types of. You need to come up with a different type of labeling schema for your company and your organization.
Speaker 2:
Now the physical labels. One of the aspects around this is you could put them on drives themselves. So like, say, you have a hard drive and you will put this label saying this is a classified hard drive or this is a business sensitive hard drive. You also would want to recommend doing some level of color coding with it. That would include the name. The reason I say that is because people are visual people and they will read it. But if you automatically notice, say, for instance, your classified, your secret is red and your free for financial use is yellow, or whatever you want to call it, and then what ends up happening is you're going through these different devices and you see these labels. Well, those are all red. So those are all this classification. Those are all yellow. These are all those classifications. So those are important part of when you're looking at creating some level of data classification, especially from a physical standpoint.
Speaker 2:
Watermarks on the data is really important. Do you put it like an unclassified label? Do you have it in the footer or the header? Another piece of aspect that you might want to consider. You see this a lot within lawyers. They will put this type of label on many of the documentation that they use. So, again, it's very simple. You see it, it's in your face. You have a hard time being able to walk through saying, hey, I didn't know, but you do want to stick with a standard nomenclature. What I mean by that is just make sure that whatever terminology you come up with for your organization, it stays standard and consistent throughout your organization.
Speaker 2:
And then you need to document these procedures from an upgrading, downgrading, sensitivity, transferring sensitive data files and then even destroying the sensitive data. How do you do that? Do you have a process to do that? So you really need to define this, especially if you're getting this level of classification, and it could be as simple as so. Upgrading and downgrading had a situation where there was many. We broke it into about four buckets, and of these four buckets, the two were the most highest sensitivity to the company. You as an individual could not go in and downgrade a document and put it on whatever you wanted. The same went for upgrading. You as an individual could not do that. There were certain people within the organization that could do it, but you as an individual could not. So it's important to have those individuals tied within your company so that they know who they are, so that they're not trying to, and this avoids then, one, having the rights to do it. But, two, if something does go sideways and something was changed, you now know who to go talk to, because only those certain people should be allowed to do it.
Speaker 2:
Now, scoping and tailoring. Now, scoping sets the baseline for the various security controls within your organization, and you want to set only the controls that apply to your area of operation. In this case it would be IT. Right, but you can help the different parts of the organization, especially with IT-related functions, scoping the security controls for their organization. As an example, if you're dealing with finance, you can help them scope what is best for them. If you all haven't figured out yet, many of these organizations don't have IT people that can help them understand all these different security controls. So you, as a security leader within your organization, it would really behoove you. One, it gives you a lot of street cred. Two, your job is to influence. Well, how better to influence people than by helping them reach their goals and their desires, and so, therefore, by you helping the finance department or the HR department or operations understand all these things, you have now helped elevate yourself into a position where you are influential and you can provide more value to the company.
Speaker 2:
You also need to tailor this based on the and I'll come back to the IT as an example. So when you're setting up controls specifically for IT, your system would only allow, potentially, one RDP session. You need more controls around remote access, all of those different types of scoping pieces you would come into play. What systems are you going to monitor? Are you only going to monitor just all of them? Are you going to monitor all of them or are you going to monitor only just a small subset? Again, that's the scoping piece of this Tailoring. So when you're dealing with tailoring, you need to list the controls that align with the baseline of the organization.
Speaker 2:
What is the risk tolerance for the organization? I was talking to a gentleman the other day about risk within their organization, and certain people do not understand the risk concept. They try to protect everything. Well, unfortunately, when you try to protect everything, you're going to protect almost nothing because you're not going to do any of them right. And the better part is that you want to focus on protecting the most crucial, the most critical to your organization, that are the highest risk to your company. That is where you want to focus on, and so that's where the tailoring comes into play, so you understand the risk tolerance for your company. That will go a long way with helping you understand what to best protect.
Speaker 2:
If you can take anything from all this stuff that we're talking about with the CISSP and you're talking from a leadership standpoint, risk tolerance is key, and if you don't know the risk for your company, find out somebody who does. And if you talk like that the risk tolerance for your organization, if you talk like that to your leadership and to your senior leadership, you're going to win street creds with them, because the fact is that they live their entire life based on risk and you have to understand. If you're a protector of the data, you've got to understand what is their level of risk. How much are they willing to risk for the organization? Some of your senior leaders their risk tolerance is extremely low. They will not take much risk at all, but then that's good, because then you can focus on how to protect your company without taking on a lot of risk, but that would also mean that you need to focus on doing the basics, on the basics, the foundations, the fundamentals. That will take you to where you need to go if you have a low tolerance for risk. Another example about this is that we have a low tolerance for risk.
Speaker 2:
Another example about this is that we talk about risk tolerance. For an organization, it's the minimum security standards. Locations are using the NIST 800 series to help you with this. So, again, you need to understand what does the organization need, and then you can tailor your protection plans around what the organization actually needs and wants. Setting standards there's a base on internal or external needs for your organization, so GDPR, China's cyber law, PCI DSS they all have standards, but not all standards apply to each and every one. So, as an example, the China cyber law. That is a very big thing within China. It does not apply within the United States, obviously right, so they don't always apply. That being said, the standards around security are pretty much the same whether you're in the United States or whether you're in China.
Speaker 2:
The point, though, is is how they implement those different types of standards is really the differences. So if you're with a company and your company says that I want to have security controls in place, that is, monitoring individuals as they come and go from the building, great, that's all, that's all I want to do. But then you have another part of the world that says I want to monitor everybody who comes and goes in and out of the building. I want to know who they are and I want to know their party affiliation. That's a different style. So you have very contradictory areas. Parts of the world are very draconian in what they want to protect their people. Other parts of the world are not as draconian, and then there's a lot in the middle.
Speaker 2:
So it comes right down to is setting the standards is really important, and using defined standards is even more useful, if even not required. You really need to come up with those standards and you need to define them, and it's for your own good and it's for your employees' good, because it's really hard to fly a plane when you're blind. And so if they don't know what the standards are for their organization, it's easy for them to make mistakes. It's also easy for them to then, when they do potentially make mistakes that are intentional to get out of any sort of actions against them because you didn't have a standard and so how would I know? So, again, having that information is really important. So organizational standards are an important factor. You can focus on HIPAA, GDPR, NIST, ISO 27001. All of those have different types of frameworks. If you follow some of them, depending on your business model, they will help you and guide you in the direction you need to go. And then you need to focus on best practices and staying updated on emerging threats and the vulnerabilities that are associated with them.
Speaker 2:
Now, digital rights management. What are DRM? DRM, what are? That was really good English, holy cow, wow, my wife. She tells me this all the time. You don't speak good. I'm like that's what happens when you get old I'm getting senile. Digital rights management this attempts to provide copyright protection for different types of data files. Its goal is to prevent unauthorized use, modification and distribution of copyrighted data. Obviously, right. So this happened in the long days they used to have CDs back when CDs were something around the Sony would that's kind of the big case around this they actually put in some level of malicious. That wasn't malicious, but it was a software that did tracking and it was tied to their DRM.
Speaker 2:
Now the DRM the license will grant access to a product and determines its use. So a lot of times you'll get keys right. So if you want to use a product, there are keys that you must have that unlock the licensing around it. That's part of the DRM and many times this could be a very small file with an encryption key. It could just be, you know, really just a bunch of letters that it then calls home to the mothership and will confirm that you actually have the right license. I have used like an actual hard key fob to be used as a decryption key as well. So it really depends upon how you're going to use the software. But most software has some level of DRM built into it.
Speaker 2:
Now that does have a persistent online authentication. I'll use an example of this. This is Microsoft. So in the old days you could have not that I did this but you could actually have multiple bootleg copies of Microsoft Office, right, and it was really hard for Microsoft to understand what that was. You could get a key, you had key generators, you could put in fake keys, you could do all kinds of stuff and it would all work. I speak from friends telling me this type of stuff. The point then is is then Microsoft smart, as they always are? They had some level of persistent online authentication in place and then, when the system is on, it's tied to usernames. It's also watching. If it's on, it can then understand do you have the licensing for this product? That was a huge deal. So now you're in a situation where, instead of having so many and I know those bootleg CDs are still out there in many places, obviously, but as they've moved through Office 365, they're now in a situation where the data is always available to you. So now you have to pay the subscription. But it's good. It's a win for the consumer, because the prices for the Office 365 are lower than they were when you have to buy the entire package. So it's still the same amount when it's all said and done. But now you're paying it out over a monthly period. But again, it does require the DRM product to be connected to the internet and periodically this will connect with a license server to ensure that it's got activity. Now I've put in systems within side an organization and I had to actually build a license server specifically for the licensing of that application, and then that server itself would then communicate back to the mothership. So it just depends on the type of environment you have to connect to.
Speaker 2:
So when you're dealing with digital rights management, the ultimate goal is to prevent unauthorized copying, this unauthorized duplication or distribution of the content, and they may even have enforcing usage restrictions, which would limit the number of devices and or users that can access the content. Good example is Netflix. Netflix keeps popping up. Hey, if you want to share your Netflix account with your family, you can do that now for an extra fee. But they know through geolocation where you're using it. So if you're using it at home and then all of a sudden it gets used in Mumbai, you're going wait a minute so they may ask questions around that right, I do know they allow some of that activity, but again, they do enforce usage restrictions around limiting the number of devices and users. Disney Plus is another one A lot of these.
Speaker 2:
They do that. They implement levels of DRM technology to help protect their digital content as well. So if you buy CDs from Walmart or some other location, there is DRM technology built into those DVDs so that you can't just go out and copy them Again, that technology is designed specifically to protect their rights, and it should, because you know what. If you're copying them, more or less, you can break it out however you want. It's theft and so you. Therefore, they have to put these protections in place to protect their intellectual property.
Speaker 2:
Now, digital rights management. This is the key points with DRM. This is a continuous audit trail, so it does track the use of the copyright product, especially if it's connecting to the mothership. If it doesn't connect to the mothership, obviously it's pretty hard to do that. But today, most things with streaming, it knows where you're using it. When you're using it, it can detect abuse. I will say that I've known some individuals that tried to use the movies that had been hacked and were put onto their servers as an example. Then they go, and they go hey, watch this video. Well, unfortunately they're pulling it off of their Google Drive or they're pulling it somewhere else and it's going over the ISP. Well, the ISP knows hey, this is a duplicate of a movie that's out and therefore it will flag that. I don't know how they do it, but they've got a way that they figure out how to do that. So the interesting part is that's another level of DRM and it can detect abuse with different uses of products in different geographic locations. They also have automatic expiration. These products are sold on subscription basis, basically yearly. It can be month to month or you can buy the subscription one time, but bottom line is they have automatic expiration on them and therefore they get you to come back and buy some more. These expiration ends. Basically the product access is blocked and you all have dealt with this. I'm not telling you anything new, because you all have probably some level of streaming service in your own homes.
Speaker 2:
DRM functions. These can accomplish various protections on files. Obviously, they can limit printing, USB access, email access; all of those kinds of pieces can be added to that as well. So, again, this will be discussed much more in our intellectual property sections, which will go deeper around IP and IP protection mechanisms. But DRM is something that you will be dealing with as a security professional almost all the time. Now, DLP. So we have DRM, we have DLP, data loss prevention. I deal with DLP and the different types of access around data documents. Now, as life is changing, DLP is becoming a bigger deal for most companies, and companies need to consider this because, one, you have intellectual property. Two, there's a lot of intellectual property theft going on, and this intellectual property can be as simple as just how you do business. Say you have a certain process by which you move widget A to widget B, and that gives you a competitive advantage over your competitors, and so, therefore, that process of widget A to widget B is sensitive and you want to potentially protect that. So this is where DLP can come into play.
Speaker 2:
Now it goes back to the part where we talked about sensitive data. We have to have an understanding of what is sensitive within our organization, and so, therefore, once you determine that, you can determine what needs to be protected. You then need to monitor the data movement, the data paths: where are they going to? I went through an entire exercise with a company before of where my data paths were going, where all the data was transferring to. One, I wanted to know where it was to protect it, but, two, I had regulations from governmental officials telling me what kind of data is coming and going from our country. So you have to understand the data movement. Just knowing where the data is is one thing, but knowing where it's stored and knowing where it goes is another. If you like security, if you like puzzles, security is a good thing, because you have to think abstractly, you have to think very outside the box to really try to understand where everything is moving to, and you still will not be 100% perfect or accurate, guaranteed. But having that knowledge also, I'm going to just say from an ego perspective, puts you in a very good position within the organization, that you understand where the dead bodies are, you understand where all the data goes. Very good place to be. Prevent unauthorized exfiltration.
Speaker 2:
You need to look at ways to block attempts to transfer data out of your organization. You need to look at ways to classify data and assign it to different levels of protection based on the sensitivity of the data. And then you need to implement these various DLP products to monitor and control the data movements. There are lots of different products out there that will do that. Microsoft has some stuff that they're rolling out more and more. I would say they're probably the industry leader, just because of all the Office products; most of the things that are created today are built in an Office-type format, and I know there are the Google Sheets folks out there, I get it, but most of it's in an Office format, and so the DLP products work out where they can actually be embedded within those types of products as well. So we talked about the different types of labels that are there. You need to use labels, and these will have meta tags on them that will then help understand what is the best right or protection for that document. As an example, you may have a document that says you have printing and you can view it online, but you can't email it and you can't download it from a certain location. Those are the meta tags that will be tied to it as well, and so that's really helpful, especially when you're trying to sort through all of your data.
Speaker 2:
You might need to have documented procedures around transferring sensitive data. You need to have: is it using FTP? Can you use email for transport? Are you using USB sticks? If you use any of these transports for sensitive data, one, are you going to have encryption? Are you going to have PKI certificates for your email? Are you going to use FIPS 140 series encryption for USB sticks in case they're lost? You need to consider how you transmit this data to individuals and how you transport it. So that's something to think about for your procedures, and you need to document that, and this is the problem it runs into, right.
Speaker 2:
Auditors want you to have a full level of documentation from soup to nuts, everything in between. I still never really understood what that means, soup to nuts. But, from the beginning to the end, they want you to have everything documented, and as we all know, that is almost impossible. So you need to document the basics, and then you need to understand how to manage all those basics, and then you need to have that in a place where people can reference it. But going to every extreme (big $10 word, "extreme"; yeah, see, I'm screwing that up), to go from adding everything in there to just having it to where it's more of a run book, more of an A plus B plus C, a more condensed version. You want the condensed version, because the more stuff you put in, people are just going to ignore it, and it will go bad over time. Over time it'll become not nearly as useful.
Speaker 2:
Storing of sensitive data: we talked about encryption, access controls, logging and monitoring. Big factor: you want to have logging and monitoring. That being said, make sure that you figure out how much logging you're going to be collecting, because it comes at a cost. Destruction and deletion of data: how are you going to deal with it after the end, when this is all over? Okay, the last part we're going to talk about is cloud access security brokers.
Speaker 2:
What is a CASB? Okay, so a CASB is like a security policy enforcement point for your cloud services and your applications. Basically, it sits between your organization's network and the cloud service provider, so it's sitting in the middle, and it provides visibility, control, protection, all of these pieces around cloud-based data and the applications themselves. And the reason is that you have all this data that's coming and going from your on-prem environment all the way to the cloud. It needs to be best protected, but you need to have visibility into it as well. So the functions of a CASB: you've got visibility, you've got control.
Speaker 2:
When you're dealing with visibility, this will track the cloud usage and identify potential risks that are going on. This could be too much data going to or from the cloud. The nice part about tracking the usage: it also will help you with the financial aspects of it too. It understands how much data is going in, because you're getting charged for the data that's going in and coming down. Usually the data going up isn't charged nearly as much; if not, it's almost, air quotes, free. But where you get caught is when you try to download the data. That's when it gets really expensive and/or it takes a lot of time. It monitors data movement and access patterns. It also provides insight into cloud costs and the usage itself. From a control standpoint:
Speaker 2:
It enforces security policies for cloud applications and services, restricts access to sensitive data and applications, and prevents unauthorized data exfiltration. So again, it does all of that for you, and they're becoming more and more popular, obviously because we have a much larger footprint in the cloud. But you want to really consider the use of your CASB. They also get into protections and integration. Now, they protect the data stored in the cloud, obviously because they can add that level of encryption that goes up there. They can detect and respond to security threats. A lot of times the CASBs will have a key management system in them, so, therefore, that helps with the data protection. Integration: this integrates with existing security infrastructure, connects to identity and access management systems, and then works with other security tools like firewalls, intrusion detection systems and the like. So there are a lot of great things that a CASB will bring to bear. So the benefits we talked about, again: improved visibility, enhanced security, reduced risk. It's simplified compliance, and it helps with compliance, as well as any sort of industry regulations that you may have, any sort of frameworks you've got to follow. It will help with that as well, and it does give you improved governance and control over your cloud environment.
Speaker 2:
All right, that's all I've got for you today. I hope you guys have a wonderful day. Again, head on over to CISSP Cyber Training. Head on over there. Get access to the CISSP training documentation that I have. Get access to my courseware, any of the courseware or any of the mentorship that you want to purchase at CISSP Cyber Training. All of the information, all of the money that is used to purchase that information, goes to our nonprofit for adoptive families.
Speaker 2:
That's the ultimate goal for us: to provide a way for adoptive families to be able to adopt kids and help reduce some of the costs associated with that, because it's very expensive to adopt children. It's terribly expensive, but the point is that that is there and available. Anything you purchase all goes to our adoptive nonprofit. I think it's called the Shepherd's Hope; my wife is just finishing up the name on that. But the ultimate goal is that we want you to pass the CISSP. We want you to get successful in your security career. That is the purpose of CISSP Cyber Training. We're here for you. All right, have a wonderful day and we will catch you on.