From the course: ISC2 Certified Cloud Security Professional (CCSP) Cert Prep

Storage threats

- [Instructor] Welcome to this lesson on storage threats. In the previous lesson, we talked about a handful of different storage types broken down by service model. In this lesson, we're going to talk about threats that might affect those storage mechanisms in the different service models.

So starting out, we have the first threat, which is going to be unauthorized access. As the name might imply, this is just going to be any access to storage data where we have not specifically provided permission to that data. To help protect against this, we can use things like strong access controls and multifactor authentication to make sure that any credentials that are exposed are not going to be able to be misused.

Next up, we have unauthorized provisioning, and this is where we have a set of unnecessary permissions that's going to allow people or systems to be able to create cloud services that are not authorized, which can lead to both hidden costs and potential security concerns if we're not tracking vulnerabilities and remediating on those services that have been created. To help protect against this, we can implement mechanisms that are going to help monitor for unapproved services and enforce policies that prevent the creation of these types of things in the first place.

Next, we have regulatory and non-compliance, and this is where we have cloud services that are not meeting specific compliance requirements. For example, if we're storing things like credit card data, it is very likely that we need to adhere to PCI DSS standards, and if the infrastructure is not in compliance, that's a threat to that storage type, which is that we're not meeting those regulatory requirements. Some methods we can use to protect against this are going to be regularly conducting audits and reviewing cloud services against compliance benchmarks.

Next up, we have jurisdictional issues, and this is where we have data residency concerns due to global replication.
Because many cloud service providers make it very easy to create services and place data into regions all over the globe, it's important for users of these services to understand where their data is and what their requirements are in terms of adhering to the local laws for jurisdiction. The best way we can make sure that we are adhering to that is creating and understanding data flows through our network and keeping track of the storage locations for all of the data that resides within our cloud service environment.

Next, we have denial of service, and this threat occurs when a cloud service or storage location is disrupted, which renders the data inaccessible, and this threat can occur both intentionally and unintentionally by threat actors that might be targeting the network or by accidental misconfigurations, which render the data inaccessible. In order to protect against this, we can implement monitoring and alerting on the availability of our services so that we can implement corrections if the data does become unavailable.

Next, we have data corruption or destruction, which is when data or storage mediums become unusable. And like many of these, this is not a threat that's necessarily unique to the cloud, but the cloud can enable us to become especially resilient against this type of threat by having robust backup and validation strategies for our data and some other protections that we can implement are regularly testing and validating the backups that we have within the cloud.

Okay, getting into our final set of threats, we'll first talk about theft or media loss, and this is the physical theft of cloud data storage assets, which in most cases is very, very unlikely, but not technically impossible because at the end of the day, the data that you're storing in a cloud service provider does still exist somewhere on a physical system, and it's important that if those physical systems are not properly secured by the CSP, that as a customer of that cloud service provider, your data is still protected even if this happens. To enable this, we can make sure that the data that we're storing on that physical medium is encrypted using secure encryption algorithms and that the keys used to encrypt that data are stored separately from the data itself. This ensures that if the physical media is stolen from the cloud service provider, that the data that resides on it is still inaccessible to the perpetrator.

Next, we have malware and ransomware, and once again, this is not specifically unique to a cloud environment, but it is definitely a growing threat as malicious actors in the world are developing new attack mechanisms that target the cloud specifically, and especially with the level of interconnectedness that cloud services have, it's something that we need to pay special attention to. In order to protect against this type of threat, we should always make sure that we're patching, monitoring, and backing up all of the data storage and systems that we have that are running in a cloud environment.

And then finally, the last threat we'll talk about is going to be improper disposal, and this is when, sort of similar to the theft of the physical media, if the physical media is not destroyed in a way that is sufficient to render the data inaccessible, then it could technically reveal data of a cloud service customer if someone were able to get their hands onto that physical media that was improperly disposed of.
For large CSPs such as AWS and Azure, they've committed to proper disposal in their shared responsibility model by nature of being solely responsible for the physical security of systems. But a policy in place doesn't always necessarily guarantee compliance. And on top of that, with dozens if not hundreds of smaller cloud service providers that are available for use, it may not be universal that every CSP is properly handling the physical disposal of that media. Once again, similar to the theft of the media, the protection that we can use here is going to be encrypting the data at rest and ensuring that the keys that we use to encrypt it are stored separately.

In summary, we talked about a handful of different threats to the storage types that we may use in the cloud, and I want to highlight during the summary that many of these different threats affect both the cloud service provider and the cloud service customer. And depending on which one of those roles you might be fulfilling at any particular time, it is critical to acknowledge and apply controls that are sufficient to mitigate some of these threats. Thanks for joining. I'll see you in the next lesson.
