CCSP = Domain 2: Cloud Data Security


Describe Cloud Data Concepts

    1. Cloud Data Life Cycle Phases
      1. This section is critical for anyone preparing for the CCSP exam, so make sure you understand it well.
      2. The cloud data life cycle phases are:
        1. CREATE = In this phase we classify the data
        2. STORE = This is the first phase in which we implement security controls. Appropriate backup and redundancy need to be defined in this phase
        3. USE = In this phase the data is used in purely read-only mode. Data is most vulnerable in this phase.
        4. SHARE = In this phase, data is sent across the network. In this phase, we use DRP and DLP
        5. ARCHIVE = In this phase data is moved to long-term storage
        6. DESTROY = In this phase data is destroyed by overwriting and cryptographic erasure
    2. Data Dispersion
      1. Data dispersion is similar to RAID. In private clouds, you configure this yourself at the storage level. Dispersion is great for resiliency and security: the file is divided into blocks and distributed across multiple storage locations.
      2. Data Dispersion Type
        1. Data Dispersion and Security in the Cloud
        2. Dispersed Storage vs. RAID
        3. Data Dispersion off Prem-Risk
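The data dispersion item above says a file is divided into blocks and spread across several storage locations, much like RAID. The sketch below is an added example, not part of the original notes: it assumes a single XOR parity block (RAID-5 style), and the function names `disperse` and `reassemble` are hypothetical.

```python
from functools import reduce


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length blocks."""
    return bytes(x ^ y for x, y in zip(a, b))


def disperse(data: bytes, stores: int) -> list:
    """Split data into (stores - 1) equal blocks plus one XOR parity block.

    Index i of the returned list is the block written to storage location i.
    """
    if stores < 3:
        raise ValueError("need at least two data stores and one parity store")
    k = stores - 1
    block_len = max(1, -(-len(data) // k))        # ceiling division
    padded = data.ljust(block_len * k, b"\0")     # pad so all blocks match
    blocks = [padded[i * block_len:(i + 1) * block_len] for i in range(k)]
    return blocks + [reduce(_xor, blocks)]


def reassemble(blocks: list, length: int) -> bytes:
    """Rebuild the file; a lost storage location is passed as None."""
    missing = [i for i, b in enumerate(blocks) if b is None]
    if len(missing) > 1:
        raise ValueError("single parity tolerates only one lost store")
    blocks = list(blocks)
    if missing:
        survivors = [b for b in blocks if b is not None]
        # XOR of all surviving blocks equals the missing block.
        blocks[missing[0]] = reduce(_xor, survivors)
    return b"".join(blocks[:-1])[:length]         # drop parity and padding


if __name__ == "__main__":
    original = b"cloud data dispersion demo"      # constructed sample data
    placed = disperse(original, stores=4)
    placed[1] = None                              # simulate one store outage
    print(reassemble(placed, len(original)))
```

Each store holds a plaintext fragment in this sketch, so dispersion is combined with encryption when confidentiality matters.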
  1. Design and Implement Cloud Data Storage Architectures
    1. Infrastructure as a Service
      1. Raw Storage = Like physical media
      2. Volume storage = Attached as IaaS Instance (EC)
      3. Object storage = Like S3 Bucket
      4. Content Delivery Network = Used to improve speed and latency issues
    2. Platform as a Service
      1. Structured = RDBMS
      2. Unstructured = Big data
    3. Software as a Service
      1. Information Storage and Management = data entered via the web interface
      2. Content/File Storage = File-based Content
      3. Ephemeral Storage = Used for any temporary data such as cache, buffers, session data, swap volume, etc.
  1. Design and Apply Data Security Technologies and Strategies
    1. Encryption and Key Management
    2. Hashing = Hashing is the conversion of a string of characters into a shorter fixed-length value
    3. SHA = More Secure
    4. MD5 = Less Secure
    5. Masking
      1. Static Masking = Used in development and testing without disclosing sensitive information
      2. Dynamic Masking = Processes the sensitive data in its running state, such as a password entered on the login page
    6. Tokenization
      1. It takes the data and replaces it with a random value. With tokenization, a public cloud service can be integrated/paired with a private cloud that stores the sensitive data. The data sent to the public cloud is altered and contains a reference to the data residing in the private cloud.
    7. Data Loss Prevention
    8. Data Obfuscation
    9. Data De-identification
      1. De-identification is the process used to prevent a personal identity from being revealed
      2. De-identification is one of the main approaches to data privacy protection. It is used in the fields of communications, multimedia, biometrics, cloud computing, data mining, internet, social networks, and audio-video surveillance.
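The tokenization item above describes a public cloud that holds only a reference to data kept in a private cloud. The sketch below is an added example, not part of the original notes: the class `PrivateTokenVault`, the function `prepare_for_public_cloud`, the field names and the record are all constructed for illustration.

```python
import secrets


class PrivateTokenVault:
    """Runs in the private cloud: the only place the real values are stored."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for a repeated value so records can still be
        # matched on the public side without revealing the value.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)   # random, not derived from value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, caller_authorized: bool) -> str:
        # Authorization is reduced to a flag here (assumption); in practice
        # it is an access-control decision made inside the private cloud.
        if not caller_authorized:
            raise PermissionError("caller may not detokenize")
        return self._token_to_value[token]       # KeyError for unknown tokens


SENSITIVE_FIELDS = ("card_number", "national_id")   # assumed field names


def prepare_for_public_cloud(record: dict, vault: PrivateTokenVault) -> dict:
    """Return a copy of the record that is safe to send to the public cloud."""
    altered = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in altered:
            altered[field] = vault.tokenize(altered[field])
    return altered


if __name__ == "__main__":
    vault = PrivateTokenVault()
    record = {"customer": "A. Example",              # constructed sample record
              "card_number": "4111111111111111",
              "national_id": "000-00-0000"}
    public_copy = prepare_for_public_cloud(record, vault)
    print(public_copy)
    print(vault.detokenize(public_copy["card_number"], caller_authorized=True))
```

Because the token is random rather than computed from the value, someone who obtains only the public-cloud copy has nothing to reverse; the mapping exists solely in the vault.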
  2. Implement Data Discovery = Helps an organization accurately inventory the data under its control
    1. Label-Based Discovery
      1. Labels created by data owners
    2. Metadata-Based Discovery
      1. Data at a more granular level
  3. Implement Data Classification
    1. Mapping
    2. Labeling
    3. Sensitive Data
  4. Design and Implement Information Rights Management (IRM)
    1.  Objectives (e.g., data rights, provisioning, access models)
      1. Digital Rights Management encrypts the content and then applies a series of rights. Rights can be as simple as preventing copying, etc.
      2. DRM is used to protect Intellectual Property
      3. DRM with DLP provides persistent security and prevents data exfiltration
      4. Two Categories of DRM
        1. Consumer DRM = Focused more on one-way distribution.
        2. Enterprise DRM = Integration within business environments, particularly with the corporate Directory Service.
      5. DRM Protection Function
        1. Persistent Protection
        2. Dynamic Policy Control
        3. Continuous Auditing
        4. Remote Rights Revocation
    2.  Appropriate Tools (e.g., issuing and revocation of certificates)
  5. Design and Implement Auditability, Traceability, and Accountability of Data Events
    1.  Data Retention Policies
      1. A high-value regulated asset might entail audit and data retention requirements
      2. Data retention and destruction schedules are the responsibility of the data owner
    2.  Data Deletion Procedures and Mechanisms
    3. Data Archiving Procedures and Mechanisms, Legal Hold
  6. Design and Implement Auditability, Traceability, and Accountability of Data Events
    1. Definition of Event Sources and Requirement of Identity Attribution
    2. Logging, Storage and Analysis of Data Events
    3. Chain of Custody and Non-repudiation
      1. Chain of custody, in legal contexts, is the documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence
      2. Non-Repudiation
        1. Authentic means an original copy of an item or piece of information that was sent
        2. Non-repudiation means that you, the original sender, cannot deny that you were the one who sent it