all right. For our final section of the main two, we're gonna take a look at the cloud controls matrix. And that comes to us from C S A. Which is kind of the authority on cloud Security, the Cloud Security alliance. So the cloud controls matrix is essentially a group of rows and columns
that defined security domains and
controls associated with each of those domains. So it's got a couple of purposes. First of all, if I'm a cloud service provider, I use this is guidance to determine the elements of security that I need to bring I need to bring to the table. But as a cloud customer, it also helps me look at the remains
that I need my cloud service provider to account for
and to be able to demonstrate. So we've got several different domains we've got, you know, audit, business continuity, data security, encryption. You know, you can really see that those things that we talked about in security those on the next slides.
There's I am with identity and access management, mobile devices, threat management.
So ultimately, these domains are gonna be the categories of concern in relation to cloud security. I'm gonna just pull this up is really quick so we can take a look at it together just so you can get a feel for it. I always hate Thio
Give me just a second.
Basically, what you can see with this is as you go across, what you'll see is you will see the various
elements off. Hang on. I'm having scrolling crisis here Wouldn't be the first time I have miss scrolled. So basically, over on the left you see the control domain. Right now it's color coded for your enjoyment. Right now we see that application, inheritance
and application securities, of course,
cloud applications essential. Then we have audit. And as we continue to scroll down our list, we'll see those other domains continuity. See risk management, change control and so on. And then, as you scroll left to right, you'll see. You know, as far as the architecture
where those elements are applicable, you'll see whether or not it is a concern for different service models. You'll see how this fits into other standards like Canada's privacy laws, Kobe and so on. So again, this is just a really useful document
and for each security category provides a Siri's of controls of categories, then map to control. So something that definitely be on the exam again. I don't want you to worry about memorizing all 17 areas or 15. Can't again, can't remember which. But,
just to get the purpose of the cloud control matrix and how very useful it is because we're really looking for some tangibles, it's one thing to say Hey, you've gotta have authentication. But to say Here's how we provide authentication. That's much more helpful when you provide me with the controls. So that's whatthe CCM does
and then the very last element here. This isn't specific to the cloud controls matrix, but what I will mention as these is we're still talking about data security, these air, some important administrative controls for security, things like separation of Judy's.
We want to make sure our Cloud service provider enforces separation of beauties,
that no one entity has too much control too much write too much access to data. I want to know how my cloud service provider trains there people, what are their procedures for identity and access management? How did they conduct vulnerability assessments in pen past. So
I'm gonna read all of thes to you. But just some final reminders
when we're thinking about data security on the cloud
I want that cloud service provider to detail with their process is so far.