COMPX527 Lecture 6.1

Assignment 2 + Cloud Data Security

Assignment 2

• Cloud Based Application Development
• Live Demo and Presentation
• Report


Assignment 2

• Work in a group
• Start early
• Project management is important
– Trello board
– Shared workspace: Google Drive, GitHub

• Communication is also important
– Set up regular meetings

• Document what you are doing, and do it often.

Example

Using OpenStreetMap and road fatality data from NZTA to provide the safest route between a source and a destination.

Solution Architecture

Limit Your Expenditure

• Each group will be given a fixed budget
– You need to stay within your budget

• Monitor your services
– Set up CloudWatch alarms

• Only switch services on when they are being used
• Do not leave services on for long periods of time
– If we see a service not being used, we will terminate it at our end, which may result in loss of data on your end.

• You may be allowed extra budget, but you will need to make a case for it.
– For example, an expensive service that is critical to the project outcome

• Monitor your budget
– If you go over your budget and have no reasonable justification, you may not be allowed more credits, thus affecting the project and your grade.

Security Considerations

• Identity and Access Management
– Team members/Employees
– Applications
– Users

• Data Security
– Application Data
– User Data

• Other appropriate security considerations


Data

All computing systems are built to consume, serve and/or manipulate data.

Data

• User data
– Financial data
– Personally Identifiable Information
– Etc.

• Employee data
– Accounting data
– Personally Identifiable Information
– Etc.

• Business data
• Operational data
• Security data
– Keys
– Information used for MFA
– Etc.

Data in various cloud service models

• Data in IaaS
– Volume Storage
• Volumes attached to IaaS instances, usually as a virtual hard drive. Examples: Amazon EBS, VMware VMFS

– Object Storage
• Object storage is also referred to as file storage. Instead of virtual hard drives, object storage is like a file share accessed via APIs or a web interface

– Raw Storage
• Includes the physical media where data is stored. May be mapped for direct access in certain private cloud configurations.

Data in various service models

• Data in PaaS
– Structured Data (Database as a Service)
• A multitenant database architecture that is directly consumable as a service. Databases may be relational, flat, or any other common structure. Examples: AWS RDS, Azure MSSQL, Oracle offerings

– Unstructured Data (Big Data as a Service)
• Data is typically stored in object storage or another distributed file system. Data typically needs to be close to the processing environment. Example: Google Bigtable

Data in various service models

• Data in SaaS
– Information Storage and Management
• Data entered into the system using a web interface or APIs. This data may further be stored on other PaaS or IaaS data storage. Example: Gmail etc.

– Content/File Storage
• File-based content is stored within the SaaS application (reports, image files and documents). Example: Dropbox etc.

What data to protect?

• How do I know what data to protect?
– Laws and industry regulation for compliance
• GDPR, PCI-DSS, Privacy Act 2020, HIPAA (US)

– Threat model your business/application
• STRIDE, DREAD etc.

– Data inventory and classification
• High-level description of important information categories.
• Label information into categories according to sensitivity and value to the organisation

What data to protect?

– Information Management Policies
• Policies to define what activities are allowed for different information types

– Location and Jurisdiction Policies
• Where data may be geographically located, which also has important legal and regulatory ramifications

Data Security Life Cycle

[Figure: data security life cycle diagram with the phases Create, Store, Use, Share, Archive, Destroy]

Data Security Life Cycle

• Creation
– Creation is the generation of new digital content, or the alteration/updating of existing content.
– This phase can take place in the cloud or can be external to the cloud
– Classify data according to
• Sensitivity
• Value to the organisation


Data Security Life Cycle

[Figure: life cycle diagram (Create, Store, Use, Share, Archive, Destroy), highlighting Data at Rest]

Data Security Life Cycle

• Data at Rest
– Data is stored after creation or is archived after leaving active use
– Data spends most of its time in this phase
– Data should be protected in accordance with its classification
– Is data securely stored? How are the keys managed? Security from malicious insiders? Tamper protection?
– Controls such as encryption, integrity control, monitoring, and backup mechanisms should be implemented.

Is data securely stored? How are the keys managed? Is data secure from malicious insiders? Tamper protection?
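The classification, information-management and location/jurisdiction policies from the "What data to protect?" slides, together with the point here that data at rest is protected according to its classification, can be expressed as a check a team runs against its storage configuration before deploying. This is an added example, not part of the lecture; the labels, the POLICY table, the region names and the StorageConfig fields are constructed assumptions.

```python
"""Classification-driven control check (added example, not course material).

POLICY maps each classification label to the controls it requires;
check_controls() compares a storage configuration against it and returns
the violations. Labels, policy values and regions are constructed.
"""
from dataclasses import dataclass

# Constructed policy table keyed by classification label.
POLICY = {
    "public":       {"encrypt": False, "cmk": False, "tls": False, "regions": None},
    "internal":     {"encrypt": True,  "cmk": False, "tls": True,  "regions": None},
    "confidential": {"encrypt": True,  "cmk": True,  "tls": True,  "regions": None},
    # PII: also pin the jurisdiction (location policy) to approved regions.
    "pii":          {"encrypt": True,  "cmk": True,  "tls": True,
                     "regions": {"ap-southeast-2", "eu-west-1"}},
}

@dataclass
class StorageConfig:
    name: str
    classification: str
    region: str
    encrypted_at_rest: bool = False
    key_type: str = "none"       # "none", "provider" or "customer" managed key
    tls_only: bool = False       # True when non-TLS access is rejected

def check_controls(cfg: StorageConfig) -> list[str]:
    """Return policy violations for cfg; an empty list means compliant."""
    if cfg.classification not in POLICY:
        return [f"{cfg.name}: unknown classification '{cfg.classification}'"]
    p = POLICY[cfg.classification]
    violations = []
    if p["encrypt"] and not cfg.encrypted_at_rest:
        violations.append(f"{cfg.name}: must be encrypted at rest")
    if p["cmk"] and cfg.key_type != "customer":
        violations.append(f"{cfg.name}: must use a customer-managed key")
    if p["tls"] and not cfg.tls_only:
        violations.append(f"{cfg.name}: must reject non-TLS access")
    if p["regions"] and cfg.region not in p["regions"]:
        violations.append(f"{cfg.name}: region {cfg.region} not permitted "
                          f"for {cfg.classification} data")
    return violations

if __name__ == "__main__":
    users_db = StorageConfig("users-db", "pii", "us-east-1",
                             encrypted_at_rest=True, key_type="provider")
    print("\n".join(check_controls(users_db)) or "compliant")
```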

Data Security Life Cycle

[Figure: life cycle diagram (Create, Store, Use, Share, Archive, Destroy), highlighting Data in Motion]

Data Security Life Cycle

• Data in use/processing
– Data is being viewed, processed or otherwise used in some sort of activity.
– Data is most vulnerable at this stage
• Some security controls may need to be turned off for data to be used
• Data may have been transported to insecure locations for processing

– Computation guarantee? Information leakage?
– Data should be monitored to detect malicious activity and for audit purposes

Computation guarantee? Information leakage? Unauthorized access?

Data Security Life Cycle

[Figure: life cycle diagram (Create, Store, Use, Share, Archive, Destroy), highlighting Data in Processing]

Data Security Life Cycle

• Data in motion
– Data is being transported between clouds or between the cloud and the user
– Data is being shared
– Data integrity? Information rights management? SLA compliance?
– Secure channels must be established before data is put in motion (in accordance with the classification level)
– Mechanisms for maintaining data integrity should be implemented
– Information/digital rights must be managed

Secure Transmission? Data integrity? Information rights management? SLA compliance?

Data Security Life Cycle

• Destroy
– Data ceases to be available for use
– This can mean different things based on the usage of the data, the data content and its application
– Data destruction can mean
• Logically erasing pointers
– Is the data truly deleted? Is it required to be truly deleted?
• Physically permanent data deletion
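An added illustration of "logically erasing pointers" versus permanent deletion, not part of the lecture: a toy versioned object store whose delete() behaves like a delete on a versioning-enabled S3 bucket (a delete marker is added and older versions stay retrievable by version id), while purge() removes every version. The class, the key name and the profile record are constructed.

```python
"""Logical versus physical deletion (added example, not course material).

Minimal model of a versioned object store: delete() only adds a delete
marker, so a plain get() says the object is gone while earlier versions
stay readable by version id, as with S3 bucket versioning; purge() is the
permanent deletion. Keys and contents are constructed.
"""
from __future__ import annotations
import itertools

class VersionedStore:
    def __init__(self) -> None:
        self._versions: dict[str, list[tuple[str, bytes | None]]] = {}  # None = delete marker
        self._ids = itertools.count(1)

    def put(self, key: str, data: bytes | None) -> str:
        vid = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append((vid, data))
        return vid

    def get(self, key: str, version_id: str | None = None) -> bytes | None:
        """Latest version unless version_id is given; None if deleted/absent."""
        for vid, data in reversed(self._versions.get(key, [])):
            if version_id is None or vid == version_id:
                return data
        return None

    def delete(self, key: str) -> str:
        """Logical delete: erase the pointer, keep the bytes."""
        return self.put(key, None)

    def purge(self, key: str) -> int:
        """Permanent delete: drop every version; returns the number removed."""
        return len(self._versions.pop(key, []))

    def retained_bytes(self, key: str) -> int:
        """Bytes of the object still held after a logical delete."""
        return sum(len(d) for _, d in self._versions.get(key, []) if d)

PROFILE = b'{"name":"A. Person","id":"000-000-000"}'  # constructed PII record

def demo() -> tuple[bytes | None, bytes | None, int, int]:
    store = VersionedStore()
    v1 = store.put("users/42/profile.json", PROFILE)
    store.delete("users/42/profile.json")
    looks_gone = store.get("users/42/profile.json")       # None: marker on top
    still_there = store.get("users/42/profile.json", v1)  # PROFILE: bytes kept
    retained = store.retained_bytes("users/42/profile.json")
    purged = store.purge("users/42/profile.json")         # removes both versions
    return looks_gone, still_there, retained, purged
```

After delete() the store still holds every byte of the record; only purge() (in S3 terms, deleting each version id, or a lifecycle rule that expires noncurrent versions) answers "is the data truly deleted?" with yes.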