Data Access

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> Let's talk about administrative responsibility
00:00
over data access and Cloud infrastructure.
00:00
In this lesson, we'll talk about
00:00
data access concerns and Cloud environments,
00:00
how responsibility is often shared
00:00
between the Cloud customer, the provider,
00:00
and potentially an access security broker
00:00
or another third party.
00:00
Then we want to talk about cloud data access controls.
00:00
When we look at this diagram,
00:00
the important thing is to remember that
00:00
regardless of service model,
00:00
regardless of deployment model,
00:00
the Cloud customer is always
00:00
the data owner when it comes
00:00
to data classification and accountability.
00:00
The customer is always
00:00
responsible for protecting the data.
00:00
In both the theoretical sense and the legal sense,
00:00
the hosting provider is not legally
00:00
accountable or culpable for
00:00
the protection of data on their environment.
00:00
They are maintaining the hardware.
00:00
It's always up to the customer to ensure that there's
00:00
adequate data protection and administration.
00:00
Now, it also depends on the model to a certain extent.
00:00
In the infrastructure as a service category,
00:00
the hosting provider is going to have next to
00:00
no interaction or
00:00
administration over anything data-related.
00:00
They are maintaining that physical infrastructure
00:00
that the customer is using to provision
00:00
their development environments or
00:00
databases or host their applications.
00:00
However, when we get into the software as a service and
00:00
platform as a service,
00:00
there is a little more need for shared administration.
00:00
As we said, the customer
00:00
is always the owner of the data.
00:00
They really should be responsible for
00:00
determining the criticality of the data
00:00
and approving any access
00:00
or roles or responsibilities regarding the data.
00:00
Now, when it comes to
00:00
software as a service and platform as a service,
00:00
sometimes the customer may want
00:00
the Cloud provider to do certain administrative tasks.
00:00
Now these need to be really provisioned
00:00
and authorized within
00:00
a specific verified process
00:00
and should be laid out very explicitly.
00:00
A customer may also want another third party,
00:00
such as a Cloud Access Security Broker,
00:00
to do administrative tasks.
00:00
Tasks related to the identity
00:00
and access and authorization of access to
00:00
their Cloud data or they may have another third party
00:00
do different tasks for
00:00
the maintenance of their Cloud environments,
00:00
whether it's patching or logging and monitoring,
00:00
auditing of the security.
00:00
In all of these instances,
00:00
the customer really has to be responsible
00:00
for ensuring that they set the rules
00:00
and limitations and that they
00:00
document any approvals when it comes to allowing
00:00
either the provider or another third party
00:00
to access and make changes in their Cloud environment.
00:00
To reflect for a moment,
00:00
how many groups need access to your Cloud environments?
00:00
You might be thinking, I don't
00:00
have any Cloud environments,
00:00
but you should really think about this.
00:00
What are going to be the instances
00:00
or what service model you'll use where you would
00:00
want the Cloud provider to
00:00
have access to your data or
00:00
make changes on your behalf?
00:00
What is your process going to be to enable
00:00
third parties to access
00:00
your Cloud environments, should they need to?
00:00
Then let's also consider
00:00
how could the administration of
00:00
Cloud data access at your organization be improved?
00:00
This is where the devil is in the details.
00:00
You really have to figure out
00:00
strong administration when it comes to logging,
00:00
monitoring and that identity and access management over
00:00
your Cloud environment to have
00:00
a strong sense of how things are done,
00:00
how do you know when violations occur,
00:00
and be able to address them accordingly.
00:00
In summary, we talked about
00:00
the shared responsibilities over
00:00
Cloud data access administration and we've talked
00:00
about some of the different administrative
00:00
perspectives from
00:00
the Cloud customer,
00:00
the provider, and then potentially that
00:00
of a security access broker,
00:00
and also any other third parties.
00:00
I'll see you in the next lesson.