  #1 ankurj.hazarika (Member; Hyderabad, India; certifications: Security+ SYO-401, ITIL v3, EXIN CC Foundation)

    Excerpt from CSA v3.0

    What does this mean? More specifically, can somebody provide an example?

    "Because of differences in how a client's data is stored and the client's access rights and privileges, not all of a client's data in the cloud may be equally accessible. The client (and the cloud provider) should analyze requests for information and the pertinent data structure for relevance, materiality, proportionality and accessibility."
  #2 Junior Member (Flushing, NY; certifications: MCSE, GIAC Security Essentials, ITIL, Prince2, CISSP, ISSAP)
    They may be referring to the 'jurisdiction' component of data. There may be cases where it is stored at a place where you have no jurisdiction; consequently, they may have to fetch it for you. My 2 cents..

  #3 paul78 (Senior Member)
    So - unlike your other post, which was presumably written by a committee of architects, you are now reading a section undoubtedly written by a committee of lawyers.

    The section is about e-discovery concerns. However, I'm not entirely sure that I necessarily agree that this would be a common issue given the way that many companies would use cloud providers. However, in a SaaS model, it's conceivable that as part of e-discovery, access to data such as the provider's logs may pertain to this section. For example, in e-discovery, there could be a request for log information to which the client would not have ready access, but which would only be available to the provider. The logs may generally not be accessible by the client but are relevant to the client and stored and processed by the provider. And if the log data is in a storage medium that is difficult to retrieve, that could be a concern. There is also a concern that the data request would be analyzed, because if there is a request for log data, only the relevant log data should be provided and not all log data - i.e. ".. should analyze requests for information .... for relevance, materiality, proportionality..."

    There are also several legal terms used:

    The word "proportionality" refers to the concept of fairness - best description is here - https://en.wikipedia.org/wiki/Proportionality_(law)
    And there is also a good explanation of "materiality" here - https://en.wikipedia.org/wiki/Materiality_(law)

    I'm curious - why are you reading these docs?

  #4 ankurj.hazarika
    Quote Originally Posted by paul78: I'm curious - why are you reading these docs?
    I am preparing for the CCSK and this excerpt is from the CCSK guide.

  #5 ankurj.hazarika
    Paul78 - Can you please help me understand the sentence in italics?

    Data encryption comes at the price of complexity and performance, and there are effective alternatives to encryption:

    Store a secure hash. Rather than storing the data directly, store a hash of the data. This allows your program to prove that the holder has the correct value without actually storing it.

  #6 paul78 (Senior Member)
    Quote Originally Posted by ankurj.hazarika View Post
    Store a secure hash. Rather than storing the data directly, store a hash of the data. This allows your program to prove that the holder has the correct value without actually storing it.
    A hash is a mathematical function where if you have a piece of clear-text data and you run it through that function - you will get a hash which cannot be deciphered to produce the original clear-text. It's basically a one-way function.

    An example of this use-case would be storing passwords as a hash. A database should never store user passwords; a cryptographically strong hash is used instead. So when a user types in a password, the password is run through the same hash function and the hashes are compared to authenticate the user. In this way, the database doesn't need to store the actual password.

    There's a bit more to this example, like using a salt and choosing the correct hash algorithm, but that's the gist of it.

    Hope that makes sense.

    Good luck on the CCSK.
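As an added example (not from the thread, and not from the CCSK guide), here is the password case paul78 describes, in Python, with the two details he mentions filled in: a per-record random salt and a deliberately slow hash. The choice of PBKDF2-HMAC-SHA256, the 600,000 iteration count and the `algo$iterations$salt$digest` record format are illustrative assumptions; `naive_hash` is included only to show the weakness the salt fixes, and `demo` runs both forms on constructed sample input.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Illustrative choices (assumptions, not from the thread): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per record, and an iteration count that makes each
# guess deliberately slow. Tune ITERATIONS to your own latency budget.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt$digest'.

    The record is what the database stores instead of the password. It lets a
    verifier recompute the digest later but does not reveal the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-run the same function on the candidate and compare the digests.

    Returns False for a malformed record rather than raising, so a corrupt
    row cannot turn into an authentication bypass or a crash.
    """
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    if algo != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def naive_hash(password: str) -> str:
    """The weak form the post warns about: a single fast, unsalted SHA-256.

    Every user with the same password gets the same digest, so one
    precomputed table cracks all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Exercise both forms on a constructed pair of users sharing a password."""
    shared = "correct horse battery staple"     # constructed sample input
    alice, bob = hash_password(shared), hash_password(shared)
    return {
        "salted_records_differ": alice != bob,            # distinct salts
        "both_verify": verify_password(shared, alice) and verify_password(shared, bob),
        "wrong_password_rejected": not verify_password("Tr0ub4dor&3", alice),
        "naive_digests_collide": naive_hash(shared) == naive_hash(shared),  # the weakness
        "record_has_no_plaintext": shared not in alice,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The stored record carries its own parameters, so the iteration count can be raised for new users without invalidating existing rows; `verify_password` simply reads whatever count the row was written with.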

  #7 ankurj.hazarika
    Paul78 - Here's another one for you. What might this mean?

    "To maintain interoperability the Network physical hardware and network & security abstraction should be in virtual domain. As far as possible APIs should have the same functionality"

    I am fairly good at networking concepts myself and I also know what an API is. I just don't seem to understand the language here.
