Time
9 hours 48 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Transcription

00:00
Okay, let's take a look at security risks. Now, of course, since this is a security professional exam, we're gonna be talking about security all the way throughout. So I'm just gonna hit a couple of the big risks upfront,
00:14
and then we'll talk about more as we move forward. All right. Now, this first bullet point, after I've said all that, that's not really a risk. It's just a fact. I'm gonna shift from spending a lot of money upfront to spending money on a monthly basis, for instance,
00:30
so I don't have this big capital expense charge. I have a pay month-by-month charge. That's not really a risk. That's just a fact. It's just something
00:39
you know about. That's true of the cloud. But when we start getting into really looking at the risks: distributed location. Location, location, location.
00:49
Where is my data? Yeah, it's not here. Where is it?
00:54
Well, I may not even know where it's being stored, and if I need to, that better be specified in the service level agreement. Um,
01:02
it really could be anywhere in the world, and each locale is a different jurisdiction. Some countries don't have the same degree of privacy requirements that we do have here in the U.S. Or they may not follow,
01:18
you know, requirements of due process for seizing evidence. You know, if my data is stored in a country that doesn't have that due process and law enforcement's able to come in and seize the server on which my data resides, where does that leave me?
01:34
Do I have redundant copies? Is that data secure? Am I still in compliance? Now it's in a third party's hands. You know, just lots of questions to ask. Location, location, location.
01:47
Now, um,
01:49
multi-tenancy. To me, that's the greatest risk, and it really is multi-tenancy of the public cloud.
01:57
We just talked about the beauty of virtualization. Here's this massive server an Internet service provider has bought. They loaded it up with RAM and processing capability to support all these different elements, and then ultimately they'll create multiple virtual systems.
02:15
And, you know, there may be 30 different clients sharing the single server's hardware resources.
02:22
Any time you're sharing a physical system with an unknown entity, that introduces risk, right?
02:31
And the best we can do is mitigate that risk. You cannot eliminate the risk of multi-tenancy in the public cloud. That's just the way the public cloud works, right? You could reduce that risk by having a good service level agreement, by performing,
02:49
you know, auditing on a regular basis. You could reduce the risk in a lot of ways, but you can't eliminate the risk of multi-tenancy.
02:55
Um, and that goes along with this idea:
03:01
Responsibility cannot be transferred.
03:07
It's a matter of fact. I'll say it again, and then I'm gonna drink some coffee while you pause and think about that.
03:12
Responsibility cannot be transferred.
03:21
Risk can be transferred, but not responsibility. And when I say responsibility, I'd like you to think liability.
03:30
So let's say that I'm a healthcare provider and I've got some patient information. But I'm just a small, you know, single-doctor practice. I don't have a lot of money to spend on resources or, you know, technology. So I've decided that I can't process healthcare forms and still be in compliance with HIPAA.
03:49
I just can't do it. It's just not financially... I'm just not capable.
03:53
Okay, so I hire Company A and I say, Hey, you guys specialize in HIPAA compliance. I'm gonna store my information with you and I'm gonna have you guys, uh, you know, process these claims, or protect this information, according to HIPAA,
04:08
and Company A says great.
04:10
Here's your service level agreement that says we abide by HIPAA.
04:14
All right, so I store my data with Company A, and all of a sudden Company A has a compromise.
04:20
Who is liable for that compromise?
04:24
Me,
04:25
right? Just because I outsource something to another entity... you can ask yourself that if you've ever outsourced any work to a vendor. Does that mean you can go, I don't have any trouble anymore, I've got a vendor to take care of that, all is good?
04:41
I don't think any of us say that when we have hired a vendor, because the bottom line is liability is still mine.
04:49
If Vendor A didn't meet its service level agreement and provide the degree of security that they guaranteed, I could sue Vendor A throughout the course of my service level agreement for violation of contract. But that's not the same as being held liable. There's only three entities
05:09
that could be held liable per HIPAA.
05:11
And it's a hospital,
05:13
medical provider... a medical provider, hospital,
05:18
health insurance organizations, and then clearinghouse agencies, which do some of the backlog of processing claims. All right, so I store my data with you. You promised to keep it safe. If you don't keep it safe, it's still my data. I'm still the data custodian. Okay.
05:35
In that instance, a cloud service provider is the processor of data.
05:40
A processor of data handles the data, but is not liable. Hopefully I've said that right. Now, I can transfer the risk through the service level agreement, but transferring a risk means we share in loss potential.
05:54
It doesn't mean that I've made you co-liable under the law. It just means if we do have a compromise, you, the cloud service provider, are gonna pay me some money.
06:04
Talk about that. All right. Privacy. How much privacy are you guaranteed?
06:10
Nothing,
06:12
other than what's in the service level agreement. That SLA is the basis for every security element that we have. Okay, it's all about the SLA. We make no assumptions, especially on this exam. They're gonna continue to just go back to the fact that you can't assume
06:30
anything.
06:32
And again, regardless of what you've been promised or what you would expect, you're still liable for the privacy of your information, right? So we will always have an element to participate in the privacy of our information, and we'll always be a piece. That's important.
06:53
All right. Now, um,
06:56
the cloud service provider.
07:00
Ah, let's see.
07:01
Yeah, I think we've got a little typo on the slide. CSA... they're not talking about the auditors. They're, um,
07:09
what they're just simply saying with that bottom bullet point is that requirements may vary. Your cloud service provider may have higher standards than your internal organization.
07:19
We're not...
07:20
that idea of, well, they'll protect it better than we will. That may be true, but that's not just something you say off the cuff, right? You look at your internal risks as they are, storing your resources on-prem.
07:36
You look at your risk exposure after your mitigating strategies,
07:42
you do the same thing at the cloud service provider. You look at your risk exposure after mitigating strategies through the cloud, and then you make that decision on cost-benefit analysis. You examine, what am I spending? What am I getting back? And how's that balancing for me?
07:59
So it's just a very casual idea tossed around of, well, it's Amazon. They've got this,
08:05
you know,
08:07
and an organization's only as good as its service level agreement, and that service level agreement's only as good as its audit, and it's carrying Ryan. So just some ideas to think about in relation to some security ideas with the cloud.

Certified Cloud Security Professional (CCSP)

This Certified Cloud Security Professional (CCSP) certification course covers topics across six domains, to ensure the candidate has a wide range of competencies and is capable in the assessment and implementation of cloud service solutions.

Instructed By

Kelly Handerhan
Senior Instructor