CCSP

CCSP Flashcards


Set of flashcards Details

Flashcards 68
Language German
Category Computer Science
Level Other
Created / Updated 13.09.2020 / 02.08.2021
Weblink
https://card2brain.ch/box/20200913_ccsp

STAR / STARWatch

Security, Trust and Assurance Registry

program for security assurance in the cloud

online registry of cloud provider security controls

STARWatch: SaaS application to manage CAIQ data

STAR levels

1: Self-assessment

2: Third party audit

3: Continuous Auditing

all: STAR Continuous

Data Lifecycle

Create

Store

Use

Share

Archive

Destroy

NIST-800-61

Computer Security Incident Handling Guide

IaaS Encryption (Volume)

Instance-Managed Encryption: encryption engine (EE) within the instance, key stored in the volume but protected by a passphrase/keypair

Externally Managed Encryption: EE within the instance, keys managed externally

IaaS Encryption (Object/file)

Client-side: EE embedded in the application or client

Server-side: data encrypted on the server after transmission, the cloud provider (CP) has access to the keys and runs the EE

Proxy: volume connected to a special instance/appliance, the instance connects to the encryption instance, the proxy handles all crypto and key management (local or external)

PaaS encryption 

Application layer: data encrypted in PaaS application or client

Database: data encrypted in the database using built-in encryption (e.g. Transparent Database Encryption, field-level encryption, ...)

Other: provider-managed layers in application

SaaS Encryption

Provider-managed: data encrypted in SaaS-Application

Proxy-managed: data encrypted by an encryption proxy before sending to the SaaS application

use per-customer keys when possible for tenancy isolation

SAML

OASIS Standard

XML

complex to initially configure

OAuth

IETF-Standard

over HTTP

OpenID

Web Services / consumer services

based on HTTP with URLs

XACML

attribute based access control

Policy language (Policy decision points, policy enforcement points)

can be used with SAML and OAuth

SCIM

standard for exchanging identity information between domains

PCI DSS Merchant Levels

  • Level 1 – Over 6 million transactions annually
  • Level 2 – Between 1 and 6 million transactions annually
  • Level 3 – Between 20,000 and 1 million transactions annually
  • Level 4 – Less than 20,000 transactions annually

Evaluation Assurance Levels (EAL)

ISO/IEC 15408

ranking based on Common Criteria security evaluation

to what extent was the product tested?

EAL 1 Functionally tested

EAL 2 Structurally tested

EAL 3 Methodically tested and checked

EAL 4 Methodically designed, tested and reviewed

EAL 5 Semi-formally designed and tested

EAL 6 Semi-formally verified design and tested

EAL 7 Formally verified design and tested

ISO/IEC 15408-1:2009

 Evaluation criteria for IT security

EAL Levels 1-7

FIPS 140-2

U.S. government computer security standard used to approve cryptographic modules

Level 1: Requires production-grade equipment and externally tested algorithms.

Level 2: Adds requirements for physical tamper-evidence and role-based authentication. Software implementations must run on an operating system approved to Common Criteria at EAL2.

Level 3: Level 2 requirements plus physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module. Private keys can only enter or leave in encrypted form.

Level 4: This level makes the physical security requirements more stringent, requiring the module to be tamper-active, erasing the contents of the device if it detects various forms of environmental attack.

data dispersion

RAID: striping data, adding parity bits to aid in recovery

Data dispersion: bit splitting (make chunks and distribute them), adding erasure coding as parity bits

Obscuring data

Randomization: replace (parts of) data with random characters, keep format

Hashing: one-way hash, makes it unrecoverable (integrity checks)

Shuffling: use different entries from the same data set

Masking: hiding data with useless characters, keep format

Nulls: deleting raw data before it is represented

The Uptime Institute’s tiers

Tier 1: generally utilized by small businesses

Tier 2: 

Tier 3: utilized by larger businesses

Tier 4: typically serve enterprise corporations

ISO/IEC 27034-1:2011

Information technology — Security techniques — Application security

SDLC

• Defining
• Designing
• Development
• Testing
• Secure Operations
• Disposal

OSI Layers

All = Application Layer
People = Presentation Layer
Seem = Session Layer
To = Transport Layer
Need = Network Layer
Data = Data Link Layer
Processing = Physical Layer

Encryption technologies

TLS

SSL

Whole-Instance Encryption

Volume Encryption

Data discovery methods

Label-based

Metadata-based

Content-based

Data Analytics: data mining, real-time, agile business intelligence

Hypervisor

Type 1: Bare-metal

Type 2: runs on a host OS

Capability Maturity Model (CMM)

Measures maturity of software

1. Initial

2. Repeatable

3. Defined

4. Capable

5. Efficient