Case Study Scenario
The security team at your organization receives an alert from your organization’s cloud storage provider, DataStore. DataStore is a popular cloud-based data hosting service that your organization has contracted with to store public-facing information such as product briefs and advertisements in a “shared” platform with many other customers. Your organization has a policy against transferring confidential data to the cloud and has asked DataStore to alert your security team if they detect unusual data-transfer activities. DataStore noticed that an active connection transferred large numbers of files to their platform and promptly investigated. Upon closer inspection, the DataStore employee recognized that customer names and social security numbers were clearly displayed in the uploaded files.
The security team, with the help of DataStore, discovered that an intern was responsible for the large data transfer. The intern accidentally saved confidential email attachments to a folder on his system that synchronized with DataStore. The intern apologized and stated that he would delete the data from the cloud storage location. However, the problematic files were available for public download for a short period of time.
Prompt
After reading the scenario above, complete the Fundamental Security Design Principles mapping table in the Case Study Template and answer the short response questions. You’ll notice that the Fundamental Security Design Principles listed differ from those presented in previous activities. In the cybersecurity trade, there are many different design principles and frameworks. Successful practitioners learn to work with many different (but conceptually similar) principles to achieve their security goals.
Specifically, you must address the critical elements listed below:
Fundamental Security Design Principles Mapping: Fill in the table in the Module Three Case Study Template by completing the following steps for each control recommendation:
Specify which Fundamental Security Design Principle applies to the control recommendations by marking the appropriate cells with an X.
Indicate which security objective (confidentiality, availability, or integrity) applies best to the control recommendations.
Explain your choices in one to two sentences with relevant justifications.
Short Response Questions:
Is it possible to use Data Store and maintain an isolated environment? Explain your reasoning.
How could the organization have more effectively applied the principle of minimizing trust surface with Data Store to protect its confidential data? Explain your reasoning.
How can the organization build a more security-aware culture from the top down to prevent mistakes before they happen? Explain your reasoning.