CISSP All-in-One Exam Guide PDF
This document details concepts related to information security and data protection methods. It discusses the different categories of data (at rest, in motion, in use) and how these various types of data are protected. It also outlines protecting data assets and how to mitigate data threats.
CISSP All-in-One Exam Guide 276

But what if you have remote users who are not connected to your organization through a VPN? What about staff members trying to access cloud services through a personal device (assuming that is allowed)? In those situations, you can set up a reverse proxy. The way this works is that the users log into the cloud service, which is configured to immediately redirect them to the CASB; the CASB then completes the connection back to the cloud service on their behalf.

There are a number of challenges with using proxies for CASBs. For starters, they need to intercept the users' encrypted (TLS) traffic, which will generate browser certificate warnings unless the browsers are configured to trust the proxy's certificate. While this works on organizational computers, it is a bit trickier to do on personally owned devices. Another challenge is that, depending on how much traffic goes to cloud service providers, the CASB can become a choke point that slows down the user experience. It also represents a single point of failure unless you deploy redundant systems. Perhaps the biggest challenge, however, has to do with the fast pace of innovation and updates to cloud services. As new features are added and others changed or removed, the CASB needs to be updated accordingly. The problem is not only that the CASB may miss something important but that it may actually break a feature by not knowing how to handle it properly. For this reason, some vendors, such as Google and Microsoft, advise against using CASBs in proxy mode.

The other way to implement CASBs is by leveraging the APIs exposed by the service providers themselves, as you can see on the right side of Figure 6-7. An API is a way for one software system to directly access functionality in another. For example, a properly authenticated CASB could ask Exchange Online (a cloud e-mail service) for all the activities in the last 24 hours.
Most cloud services include APIs to support CASBs and, better yet, these APIs are maintained by the vendors themselves. This ensures the CASB won't break anything as new features come up.

Chapter Review

Protecting data assets is a much more dynamic and difficult prospect than protecting most other asset types. The main reason for this is that data is so fluid. It can be stored in unanticipated places, flow in multiple directions (and to multiple recipients) simultaneously, and end up being used in unexpected ways. Our data protection strategies must account for the various states in which our data may be found. For each state, there are multiple unique threats that our security controls must mitigate. Still, regardless of our best efforts, data may end up in the wrong hands. We want to implement protection methods that minimize the risk of this happening, alert us as quickly as possible if it does, and allow us to track and, if possible, recover the data effectively. We devoted particular attention to three methods of protecting data that you should remember for the exam and for your job: Digital Rights Management (DRM), data loss/leak prevention (DLP), and cloud access security brokers (CASBs).

Quick Review

- Data at rest refers to data that resides in external or auxiliary storage devices, such as hard drives or optical discs. Every major operating system supports whole-disk encryption, which is a good way to protect data at rest.

Chapter 6: Data Security 277

- Data in motion is data that is moving between computing nodes over a data network such as the Internet. TLS, IPsec, and VPNs are typical ways to use cryptography to protect data in motion.
- Data in use is the term for data residing in primary storage devices, such as volatile memory (e.g., RAM), memory caches, or CPU registers.
- Scoping is taking a broader standard and trimming out the irrelevant or otherwise unwanted parts.
- Tailoring is making changes to specific provisions in a standard so they better address your requirements.
- A digital asset is anything that exists in digital form, has intrinsic value to the organization, and to which access should be restricted in some way.
- Digital asset management is the process by which organizations ensure their digital assets are properly stored, protected, and easily available to authorized users.
- Steganography is a method of hiding data in another media type so that the very existence of the data is concealed.
- Digital Rights Management (DRM) refers to a set of technologies applied to controlling access to copyrighted data.
- Data leakage is the flow of sensitive information to unauthorized external parties.
- Data loss prevention (DLP) comprises the actions that organizations take to prevent unauthorized external parties from gaining access to sensitive data.
- Network DLP (NDLP) applies data protection policies to data in motion.
- Endpoint DLP (EDLP) applies data protection policies to data at rest and data in use.
- Cloud access security brokers (CASBs) provide visibility and control over user activities on cloud services.

Questions

Please remember that these questions are formatted and asked in a certain way for a reason. Keep in mind that the CISSP exam asks questions at a conceptual level. Questions may not always have a perfect answer, and the candidate is advised against always looking for the perfect answer. Instead, the candidate should look for the best answer in the list.

1. Data at rest is commonly
   A. Using a RESTful protocol for transmission
   B. Stored in registers
   C. Being transmitted across the network
   D. Stored in external storage devices
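As an added example (not from the exam guide and not any vendor's code), the following Python sketch shows what the API-mode CASB described in the chapter actually does with the "all the activities in the last 24 hours" it pulls from a cloud service: filter the feed to the window, then apply visibility and control rules over the user activities. The feed, its field names, the thresholds and the rule names are all constructed assumptions standing in for a real vendor API such as Microsoft Graph or the Google Workspace reports API, which have their own schemas.

```python
"""Toy API-mode CASB: pull recent cloud activity and apply policy rules.

Everything here is constructed for illustration; a real CASB would call the
provider's API with a service principal and map its schema onto these fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BULK_DOWNLOAD_THRESHOLD = 3              # assumed: downloads by one user per window
SENSITIVE_LABELS = {"confidential", "restricted"}
ORG_DOMAIN = "example.com"               # assumed organizational mail domain

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed activity feed (field names are an assumption, not a vendor schema).
SAMPLE_FEED = [
    {"ts": NOW - timedelta(hours=1), "user": "alice@example.com", "action": "download",
     "object": "q3-forecast.xlsx", "label": "confidential", "device_managed": False, "target": None},
    {"ts": NOW - timedelta(hours=2), "user": "bob@example.com", "action": "download",
     "object": "lunch-menu.pdf", "label": "public", "device_managed": True, "target": None},
    {"ts": NOW - timedelta(hours=3), "user": "bob@example.com", "action": "download",
     "object": "org-chart.pdf", "label": "internal", "device_managed": True, "target": None},
    {"ts": NOW - timedelta(hours=4), "user": "bob@example.com", "action": "download",
     "object": "benefits.pdf", "label": "internal", "device_managed": True, "target": None},
    {"ts": NOW - timedelta(hours=5), "user": "carol@example.com", "action": "share",
     "object": "m&a-memo.docx", "label": "restricted", "device_managed": True, "target": "pat@gmail.com"},
    # Older than the 24-hour window: must be dropped by fetch_activities().
    {"ts": NOW - timedelta(hours=30), "user": "dave@example.com", "action": "download",
     "object": "payroll.csv", "label": "confidential", "device_managed": False, "target": None},
]


def fetch_activities(feed, now, hours=24):
    """Stand-in for the API call: return only events inside the lookback window."""
    cutoff = now - timedelta(hours=hours)
    return [e for e in feed if e["ts"] >= cutoff]


def is_external(address, domain=ORG_DOMAIN):
    """True when a share target is outside the organization's mail domain."""
    return address is not None and not address.lower().endswith("@" + domain)


def evaluate(events):
    """Apply CASB rules to a list of activity records; return alert tuples in time order."""
    alerts = []
    downloads_per_user = defaultdict(int)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sensitive = e["label"] in SENSITIVE_LABELS
        if e["action"] == "download":
            downloads_per_user[e["user"]] += 1
            # Rule 1: sensitive content pulled onto an unmanaged (personal) device.
            if sensitive and not e["device_managed"]:
                alerts.append(("sensitive-download-unmanaged-device", e["user"], e["object"]))
            # Rule 2: bulk download; fire once, when the threshold is first reached.
            if downloads_per_user[e["user"]] == BULK_DOWNLOAD_THRESHOLD:
                alerts.append(("bulk-download", e["user"], downloads_per_user[e["user"]]))
        elif e["action"] == "share" and sensitive and is_external(e["target"]):
            # Rule 3: sensitive content shared with an external party (data leakage).
            alerts.append(("sensitive-external-share", e["user"], e["object"]))
    return alerts


def run(feed=SAMPLE_FEED, now=NOW):
    """One polling cycle: fetch the window, evaluate it, return the alerts."""
    return evaluate(fetch_activities(feed, now))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Note the caveat this makes visible: API mode learns about an event only after the provider has recorded it and the CASB has polled for it, so its "control" is retrospective (revoke the share, quarantine the file, disable the account) rather than the inline block a proxy can perform. That is the trade-off behind the chapter's point that API mode is safer for the service but proxy mode sees the traffic as it happens.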