This video is a recap of the managing cloud security and risk related domains.

You may recall that contractual controls are a key piece of cloud governance. The contracts define the relationship between the cloud customer and the cloud provider. From the cloud customer's perspective, this is the key way to extend their own policies and ensure service levels are delivered by the cloud provider. More generally, these contracts provide the ability to define the roles and their responsibilities as they are divided between the cloud customer and the cloud provider.
Supplier (provider) assessments are often combined with the contracts. These assessments, which are made available to the cloud customer, ensure that the supplier meets or exceeds existing standards in the way they organize and operate their technology business. Typically, these assessments are done by a third party, and that third party makes legally binding attestations of the supplier adhering to these existing standards. They can include not just the operations, not just the technology, but can also require certain financial viability and financial history information be adhered to by the cloud provider. This can prevent situations where a very large cloud customer develops a critical dependency on a cloud provider, but then the cloud provider goes out of business, putting the cloud user in a very, very hard spot.

Compliance reports provide a very detailed review, which is essentially the proof and the evidence that the assessments use, and then the assessments are the extension of the contract. So when you think about these three different document types, understand the relationships between each other and understand the different purposes for the document types.

As a cloud customer, you have contracts with your own customers. You also have to meet certain legal regulations as a business operating in certain countries. These create restrictions on how you can handle data in the cloud. As a cloud customer, you need to understand those legal implications and evaluate the cloud provider before you enter into any signed or legally binding agreement. Personally identifiable information needs to be handled according to privacy laws, and you need to make sure your provider can support those privacy laws.
There are many privacy laws across the globe, but they all centre around certain themes. For starters, the data controller is ultimately held liable: even if they hand off information to a data processor such as a cloud provider, they will still be held accountable for how that data is used. Then, once you have this identifiable information, it is generally expected that both the controllers and the processors are taking appropriate and diligent levels of security measures to protect that identifiable information. However, if it does get accessed, you need to report data breaches, and the agency you report to is going to vary depending on the citizenship of the individuals whose information was stolen. Certain countries like China and Russia have very strong data sovereignty laws where data about their citizens needs to remain in the physical borders and territory of the country itself. Many other countries do allow transfer of information across borders so long as the information is being transferred into a country that has data privacy laws that are as strict, if not more strict, than the country the information is being transferred out of.
Compliance is not a single point-in-time thing. It is continually reinforced by performing recurring audits to ensure ongoing operational adherence. Security is not a single point-in-time thing either. It is also something you need to be continually mindful of, making changes to and adjusting as the underlying applications, network controls and technologies of what you have and what you are building adjust and change. Being compliant doesn't mean you're secure. Conducting audits doesn't mean you're compliant, and being secure doesn't mean you're going to pass those audits. So the three different things all do have a centrepiece, which requires an ongoing, active level of effort to attain initially and to continue to retain over the course of time.
When you're planning for an audit, the first thing you want to do is to define the purpose, then the scope. What is being audited: is it specific applications, products, processes? A risk analysis is used to determine how deep you're going to go into the audit based on the criticality of the systems which are in the scope you previously defined. From there you examine the different resources that you need to use; you're going to create schedules based on availability of those resources; finally, conduct and execute the audit and generate an outcome report, which may say everything is green, but it may say there are certain corrective actions that need to take place before compliance can be fully realized.

With that said, this brings a conclusion to this module, highlighting key points about cloud information security and risk management.