WEBVTT

00:00:00.860 --> 00:00:01.150
[Autogenerated] Hi,

00:00:01.150 --> 00:00:05.130
this is Kevin Henry and welcome to the cloud data security course for

00:00:05.130 --> 00:00:09.110
the Certified Cloud Security Professional examination.

00:00:10.240 --> 00:00:16.210
This is the second domain of the CCSP exam outline. The first domain,

00:00:16.219 --> 00:00:22.120
cloud concepts, architecture and design was worth 17% of exam questions.

00:00:22.840 --> 00:00:28.590
This domain is the most important, worth 20% of the examination.

00:00:29.530 --> 00:00:34.310
We divided this course into two main sections: cloud data security

00:00:34.310 --> 00:00:38.220
concepts and cloud data security technologies.

00:00:39.280 --> 00:00:41.560
This is the first one we'll look at here.

00:00:41.570 --> 00:00:44.070
Cloud data security concepts.

00:00:45.000 --> 00:00:47.960
When we take a look at cloud data security,

00:00:48.190 --> 00:00:52.740
we realize that data is an asset of the organization.

00:00:53.390 --> 00:01:00.180
It is in most cases essential for business operations and therefore we

00:01:00.180 --> 00:01:03.670
often measure data according to its criticality.

00:01:03.840 --> 00:01:10.180
Criticality or availability means how important it is for the business to

00:01:10.190 --> 00:01:15.010
actually operate or be able to perform its business functions.

00:01:16.210 --> 00:01:21.230
We need to protect data according to its criticality and that is

00:01:21.240 --> 00:01:27.760
first of all done through identifying what data we even have and

00:01:27.760 --> 00:01:30.300
where that data is actually located.

00:01:30.860 --> 00:01:33.740
We need to know what data do we use,

00:01:33.750 --> 00:01:38.360
what data do we need and maybe even what data should we not be

00:01:38.360 --> 00:01:41.310
keeping because we don't really need to have it.

00:01:42.160 --> 00:01:47.400
It's important that we look at data in all forms, that is, electronic data,

00:01:47.430 --> 00:01:52.200
but also the protection of paper and even verbal communications,

00:01:52.210 --> 00:01:53.550
video as well.

00:01:54.640 --> 00:01:57.760
The important thing is when we want to protect data,

00:01:57.770 --> 00:02:01.860
we have to designate the person who is accountable for that.

00:02:02.100 --> 00:02:05.760
That is establishing ownership of the data.

00:02:07.450 --> 00:02:11.310
Data ownership is often required today by law.

00:02:11.460 --> 00:02:16.150
There are a number of countries that have laws that specify that an

00:02:16.160 --> 00:02:21.560
individual must be designated as the actual data owner.

00:02:21.900 --> 00:02:24.480
That person must be a senior manager,

00:02:24.670 --> 00:02:29.720
a person that has budgetary authority and is able to accept

00:02:30.090 --> 00:02:34.090
liability on behalf of the entire organization.

00:02:34.890 --> 00:02:39.750
Now a large organization quite often could have one or more data owners.

00:02:40.030 --> 00:02:42.490
There could be owners of financial data,

00:02:42.500 --> 00:02:45.800
but somebody else could be looking after the ownership

00:02:45.800 --> 00:02:48.490
of research or other types of data.

00:02:50.020 --> 00:02:54.490
The role of the data owner is to ensure that the data is protected.

00:02:54.930 --> 00:02:58.390
But the important term here is the appropriate level of

00:02:58.390 --> 00:03:03.250
protection so that the data is not overprotected but

00:03:03.250 --> 00:03:05.910
certainly not left vulnerable either.

00:03:06.490 --> 00:03:10.710
It's important that data is protected consistently as

00:03:10.710 --> 00:03:12.950
it moves through the organization.

00:03:13.550 --> 00:03:18.130
This is one of the reasons why we quite often can have data that moves

00:03:18.130 --> 00:03:22.210
from one department to another, one system to another,

00:03:22.260 --> 00:03:26.090
and even in different formats. At one point it was on paper and

00:03:26.090 --> 00:03:28.450
then it was scanned in to be electronic.

00:03:29.060 --> 00:03:33.960
The data must be protected the same on all of those systems

00:03:33.970 --> 00:03:37.100
in all of those departments and of course in all of those

00:03:37.100 --> 00:03:40.110
formats. When we look at the cloud,

00:03:40.570 --> 00:03:45.770
we can often see that the person who actually looks after the data is

00:03:45.770 --> 00:03:50.360
often the data controller or also the data processor,

00:03:50.620 --> 00:03:53.920
they are the person that has control of the data within

00:03:53.920 --> 00:03:56.460
the cloud service provider's environment.

00:03:57.050 --> 00:04:00.940
Now, this is not to say that they truly are the data owner,

00:04:01.210 --> 00:04:05.090
but they are the owner of the data while it's on the cloud.

00:04:05.400 --> 00:04:12.380
But the consumer that has engaged the services of the cloud provider still

00:04:12.380 --> 00:04:16.630
remains ultimately accountable for the protection of the data.

00:04:17.750 --> 00:04:20.510
This brings in the idea of liability.

00:04:21.320 --> 00:04:27.300
The idea is that by establishing accountability, the data owner is accountable.

00:04:27.600 --> 00:04:32.240
They also then become liable for the protection of the data,

00:04:32.480 --> 00:04:36.840
setting out the way the data should be protected appropriately and

00:04:36.840 --> 00:04:41.530
then taking steps to ensure that it is protected according to the

00:04:41.530 --> 00:04:44.140
mandates and the directions they have given.

00:04:44.660 --> 00:04:48.340
These are the two terms of due care and due diligence.

00:04:48.730 --> 00:04:53.620
Due care is to make sure that the policies are in place to

00:04:53.620 --> 00:04:57.910
protect the data and due diligence is to follow up and make sure

00:04:57.910 --> 00:04:59.970
that those policies are being followed.

00:05:01.150 --> 00:05:04.310
Even if our data is processed by a third party,

00:05:04.320 --> 00:05:06.410
such as a cloud service provider,

00:05:06.650 --> 00:05:11.820
we need to ensure that we have mandated the appropriate

00:05:11.820 --> 00:05:16.750
levels of protection for that data, even though it's on the premises

00:05:16.760 --> 00:05:18.440
of, say, a cloud provider.

00:05:18.920 --> 00:05:23.870
This becomes even more complex when one cloud provider engages

00:05:23.870 --> 00:05:26.870
the services of other subcontractors as well.

00:05:26.930 --> 00:05:31.570
So this need to protect data can actually go several

00:05:31.570 --> 00:05:34.360
layers deep within an organization.

00:05:35.290 --> 00:05:38.830
Some examples of data protection laws that are out there.

00:05:38.870 --> 00:05:43.110
The General Data Protection Regulations in the European Union,

00:05:43.360 --> 00:05:47.200
Sarbanes-Oxley, dealing with financial data, especially the United

00:05:47.200 --> 00:05:51.330
States, though many other organizations and countries also have

00:05:51.330 --> 00:05:53.710
their own versions of SOX as well.

00:05:54.470 --> 00:05:58.580
There's the Gramm-Leach-Bliley Act, also dealing with financial data,

00:05:58.580 --> 00:06:04.410
the United States, and, dealing with healthcare information, HIPAA. Many

00:06:04.410 --> 00:06:08.580
countries have data protection laws. Quite often,

00:06:08.580 --> 00:06:12.710
these are centered around privacy and it is important that

00:06:12.710 --> 00:06:15.300
when we are looking at protecting data,

00:06:15.310 --> 00:06:20.450
we have to be sure that we are compliant with the laws of the countries

00:06:20.560 --> 00:06:25.130
that are involved, whether or not where the data is being hosted, processed

00:06:25.140 --> 00:06:28.480
or where the data actually comes from as well.

00:06:29.560 --> 00:06:33.070
Some of the other roles and responsibilities related to the

00:06:33.070 --> 00:06:35.850
protection of data include the custodian.

00:06:36.260 --> 00:06:40.750
The custodian is a person who has custody or has the

00:06:40.750 --> 00:06:44.320
possession of a piece of data at a point in time.

00:06:44.590 --> 00:06:50.080
For example, a user within an organization can look up a customer record.

00:06:50.730 --> 00:06:55.230
The user does not own the data, but they have temporary custody of it.

00:06:55.590 --> 00:06:57.210
And as such,

00:06:57.210 --> 00:07:01.840
they need to make sure that they're only handling that data according

00:07:01.840 --> 00:07:04.530
to the policies and procedures that are mandated.

00:07:05.170 --> 00:07:06.380
This includes of course,

00:07:06.380 --> 00:07:10.430
even things like system administrators that do backups of data

00:07:10.430 --> 00:07:15.530
that they neither used nor even are owners of, but they still are

00:07:15.530 --> 00:07:19.770
the custodian of that data and must make sure that it's properly

00:07:19.770 --> 00:07:22.020
protected. In the cloud,

00:07:22.020 --> 00:07:23.540
we have the data processor,

00:07:23.850 --> 00:07:28.330
the person who's processing the data on behalf of a cloud consumer

00:07:28.470 --> 00:07:32.150
and they must also protect data appropriately.

00:07:32.680 --> 00:07:35.840
You also have the person whose data it is.

00:07:35.850 --> 00:07:40.320
We could call them the subject. If I am a customer of an

00:07:40.320 --> 00:07:44.580
organization and I entrust them with my personal data,

00:07:44.800 --> 00:07:49.870
I am still the subject and therefore I have certain requirements

00:07:49.880 --> 00:07:56.600
and obligations to make sure that the data that I provide them is

00:07:56.600 --> 00:08:02.670
only provided with knowledge with appropriate and in some cases

00:08:02.670 --> 00:08:06.670
even I can request that they declare to me what data they have on

00:08:06.670 --> 00:08:09.620
me as well as a user.

00:08:09.740 --> 00:08:15.270
A user is using the data and must make sure that they follow the handling

00:08:15.270 --> 00:08:19.200
procedures according to the classification of the data as well.

00:08:21.040 --> 00:08:23.680
Administrators are a special group.

00:08:24.030 --> 00:08:26.760
They very often have elevated privileges.

00:08:26.770 --> 00:08:28.030
They can do anything,

00:08:28.040 --> 00:08:31.090
they can see anything and in some cases they're not the

00:08:31.090 --> 00:08:33.570
highest paid people in the organization either,

00:08:34.000 --> 00:08:36.700
but they have elevated privileges.

00:08:36.710 --> 00:08:41.760
And it's really important that we inform them of what the appropriate

00:08:41.770 --> 00:08:45.340
actions are that they can take with relation to data.

00:08:45.630 --> 00:08:48.380
They are therefore trusted staff.

00:08:48.400 --> 00:08:52.640
And this of course includes the people that work for the cloud service provider.

00:08:53.140 --> 00:08:57.300
The people that work for the cloud service provider must be informed

00:08:57.310 --> 00:09:01.200
of what they can see and they can't take a look at.

00:09:01.290 --> 00:09:06.350
So they don't step over the boundaries of what would be unauthorized disclosure.

00:09:07.330 --> 00:09:12.140
It also includes service operation staff who maybe even work in a

00:09:12.140 --> 00:09:15.160
different country but are providing help desk services.

00:09:15.420 --> 00:09:18.070
Do they misuse some of that access

00:09:18.070 --> 00:09:22.720
they have? We also have, for most organizations,

00:09:22.730 --> 00:09:27.220
internal administrators, everything from network to system to

00:09:27.220 --> 00:09:33.840
database administrators, and all of these have elevated access and elevated

00:09:33.840 --> 00:09:38.550
privilege and they must know what is appropriate that they can do with

00:09:38.550 --> 00:09:42.910
relation to that data. When I give a person access,

00:09:42.920 --> 00:09:48.240
I also give them a level of accountability for what they do with that access.

00:09:48.920 --> 00:09:51.530
So we need to work with system administrators,

00:09:51.540 --> 00:09:54.960
network administrators, database administrators,

00:09:54.970 --> 00:09:59.590
so they all know what are the appropriate actions

00:09:59.590 --> 00:10:02.570
they can take with relation to data.

00:10:02.740 --> 00:10:06.020
In most cases they would be data custodians.

00:10:07.020 --> 00:10:12.110
An important graph here is this example of security responsibilities.

00:10:12.430 --> 00:10:15.040
We see that when we deal with the cloud,

00:10:15.260 --> 00:10:21.610
we have a differentiation of who has responsibility for what. We

00:10:21.610 --> 00:10:26.330
could see though at the top line that data governance and rights

00:10:26.330 --> 00:10:32.120
management is always retained by the customer regardless of the

00:10:32.120 --> 00:10:34.180
deployment model of software,

00:10:34.180 --> 00:10:39.010
platform, infrastructure or even on premises as a service.

00:10:40.070 --> 00:10:45.570
The idea of course is that the cloud consumer or customer

00:10:46.480 --> 00:10:49.180
must ensure the protection of the data.

00:10:49.550 --> 00:10:53.680
It is only when we get down to areas of identity and

00:10:53.680 --> 00:10:56.300
directory infrastructure, applications,

00:10:56.420 --> 00:11:01.380
we start to see either shared responsibilities or eventually

00:11:01.380 --> 00:11:03.740
that the operating system for example,

00:11:03.740 --> 00:11:06.690
in a software as a service model is solely the

00:11:06.690 --> 00:11:09.270
responsibility of the cloud provider.

00:11:11.980 --> 00:11:16.540
The key points review: data is perhaps the most

00:11:16.540 --> 00:11:19.120
important asset of many organizations.

00:11:19.630 --> 00:11:22.750
So before we jump headlong into something,

00:11:22.840 --> 00:11:29.190
we should say, should we trust our most important assets to somebody else?

00:11:30.520 --> 00:11:35.440
And obviously in today's world we do in many cases,

00:11:35.610 --> 00:11:41.100
but when we recognize data as our most important asset,

00:11:41.340 --> 00:11:46.040
then we must also recognize what precautions we should

00:11:46.040 --> 00:11:49.790
take to protect that data appropriately.
