Questions and Answers
What is an essential aspect of physical security in data centers?
What is a key benefit of using hash functions in password storage?
What is the primary purpose of asymmetric encryption in network connections?
What is a crucial aspect of physical access control in data centers?
Signup and view all the answers
Why is physical security important in the context of data handling?
Signup and view all the answers
What is a key component of site and facility design in physical security?
Signup and view all the answers
What is the role of symmetric encryption in network connections?
Signup and view all the answers
What is a potential consequence of an attacker obtaining access to the key?
Signup and view all the answers
What is a key aspect of physical security controls in data centers?
Signup and view all the answers
Why is it important to protect data center premises?
Signup and view all the answers
Study Notes
Protecting Privacy
- In 2018, the European Union enacted new legislation to protect citizens' personal data, affecting every consumer brand worldwide.
- By 2014, over 100 countries had passed privacy protection laws that affect organizations in their jurisdictions.
- Privacy laws vary among countries, with Argentina having the most restrictive and China having no restrictions.
Universal Requirements for Privacy
- Gather data fairly and lawfully.
- Use data only for the originally specified purpose.
- Use only adequate data.
- Allow subjects to view information about themselves.
- Store data securely.
- Destroy data after its purpose is fulfilled.
Data/Cyber Security Groups
- U.S. Department of Defence (DoD)
- U.S. National Security Agency (NSA)
- National Institute of Standards and Technology (NIST)
- European Union Cybersecurity Strategy
- European Network and Information Security Agency (ENISA)
- International Organization for Standardization (ISO)
Security Policy
- A sound data policy defines strategic long-term goals for data management across all aspects of a project or enterprise.
- Factors to consider: cost, ownership, privacy, sensitivity, existing legal and compliance requirements.
Data Ownership vs. Custodianship
- Determine criticality and understand value/replacement cost of data for the business.
- Understand who should access data and apply storage security based on criticality.
- Determine proper retention/destruction periods and establish compliance obligations.
Data Retention
- Ensure information is kept as long as required and no longer.
- Golden rules for retention:
- Understand where the data is.
- Classify and define the data.
- Archive and manage the data.
- Involve all stakeholders when defining the retention strategy.
- Eight steps to take:
- Evaluate requirements.
- Classify record types.
- Determine retention/destruction time.
- Draft and justify retention policy.
- Train staff.
- Audit retention.
- Periodically review policy.
- Document policy and implementation.
Data Handling
- Requirements for holding data include marking, handling, storing, and destroying data.
- Key vocabulary for destruction:
- Sanitized: erased of contents.
- Zeroization: overwriting all previous data.
- Degaussing: scrambling magnetic media with stronger magnets.
- Crypto-shredding: deleting data by deleting or overwriting encryption keys.
- Clearing: removing sensitive data so it cannot be recovered.
- Purging: making information unrecoverable even with extraordinary effort.
Cloud Computing Risks
- Emergency patches may have a 30% performance reduction initially and have not been thoroughly tested.
- There is no evidence of Spectre and Meltdown vulnerabilities being used in real attacks.
Cloud Deployment Models
- Private Cloud: In-house cloud under the organization's control.
- Public Cloud: Outsourced cloud not under the organization's control, transferring the risk.
- Hybrid Cloud: A combination of public and private cloud, where public cloud is used for some workloads and private cloud for others.
Cloud Service Model
- No additional information provided in the text.
Cloud-Unique Threats and Risks
- Consumers have reduced visibility and control.
- On-demand self-service simplifies unauthorized use.
- Internet-accessible management APIs can be compromised.
- Separation among multiple tenants may fail.
- Data deletion may be incomplete.
High Availability and Fault Tolerance
- High availability ensures operationally redundant systems are in place to continue operations even if one system fails.
- Fault tolerance helps protect a single system from failing in the first place by making it resilient to technical failures.
Datacenters
- Microsoft Azure has multiple datacenters (as of Feb 2021).
Client and Server Vulnerabilities
- Most businesses have a client-server network topology, where many workstations and wireless devices are connected to a central server.
Client Security Issues
- Executable code can be downloaded over the internet, allowing attackers to access the system.
- Machines may not have the latest security patches.
Encryption
- Hash functions are better than encryption because they are one-way functions.
- Combining asymmetric and symmetric encryption allows for secure key exchange and data transfer.
Physical Security
- Physical security controls, such as site and facility design, environmental controls, and access control, are essential to protect data centers and premises.
- Visitor management is also crucial to ensure only authorized personnel have access to sensitive areas.
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Description
Learn about the EU's 2018 legislation on protecting personal data and its implications for consumer brands worldwide. Understand limits on data collection and why it matters.
