Managing Cloud Security and Risk

Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
>> This video is a recap of the managing Cloud security and risk-related domains, 2, 3, 4, and 5. You may recall contractual controls are a key piece to Cloud governance. The contracts define the relationship between the Cloud customer and the Cloud provider. From the Cloud customer's perspective, this is the key way to extend their own policies; it ensures service levels are delivered by the Cloud provider, and more generally, these contracts provide the ability to define the roles and their responsibilities as they're divided between the Cloud customer and the Cloud provider.

The supplier/provider assessments often combine with the contracts. These assessments, which are made available to the Cloud customer, ensure that the supplier meets or exceeds existing standards in the way they organize and operate their technology business. Typically, these assessments are done by a third party, and that third party makes legal statements, legally binding attestations, of the supplier adhering to these existing standards. They can include not just the operations, not just the technology, but they can also require certain financial viability and financial history information be adhered to by the Cloud provider. This can prevent situations where a very large Cloud customer develops a critical dependency on a Cloud provider, but then the provider goes out of business, putting the Cloud user in a very hard spot.

Compliance reports provide a very detailed review, which is essentially the proof and the evidence that the assessments use, and then the assessments are the extension of the contract. When you think about these three different document types, understand the relationships between each other, and understand the different purposes for the document types.

As a Cloud customer, you have contracts with your own customers. You also have to meet certain legal regulations as a business operating in certain countries. These create restrictions on how you can handle data in the Cloud. As a Cloud customer, you need to understand those legal implications and evaluate the Cloud provider before you enter any signed or legally binding agreement.

Personally identifiable information needs to be handled according to privacy laws, and you need to make sure your provider can support those privacy laws. There are many privacy laws across the globe, but they all center around certain themes. For starters, the data controller is ultimately held liable. Even if they hand off information to a data processor such as a Cloud provider, they will still be held accountable for how that data is used. Then, once you have this identifiable information, it's generally expected both the controllers and the processors are taking appropriate and diligent levels of security measures to protect that identifiable information. However, if it does get accessed, you need to report data breaches, and the agency you report to is going to vary depending on the citizenship of the individuals whose information was stolen. Certain countries like China and Russia have very strong data sovereignty laws where data about their citizens needs to remain in the physical borders and territory of the country itself. Many other countries do allow transfer of information across borders so long as the information is being transferred into a country that has data privacy laws that are as strict, if not more strict, than the country the information is being transferred out of.

Compliance is not a single point in time thing. It is continually reinforced by performing recurring audits to ensure ongoing operational adherence. Security is not a single point in time thing either; it is also something you need to be continually mindful of and make changes to and adjust as the underlying applications, network controls and technologies of what you have and what you're building adjust and change too. Being compliant doesn't mean you're secure, conducting audits doesn't mean you're compliant, and being secure doesn't mean you're going to pass those audits, so the three different things all do have a centerpiece which requires an ongoing, active level of effort to attain initially and continue to retain over the course of time.

When you're planning for an audit, the first thing you want to do is define the purpose, then the scope: what is being audited, specific applications, products, processes. A risk analysis is used to determine how deep you're going to go into the audit based on the criticality of the systems which are in the scope you previously defined. From there, you examine the different resources that you need to use. You're going to create schedules based on the availability of those resources. Finally, conduct and execute the audit and generate an outcome report, which may say everything is green, but it may say there are certain corrective actions that need to take place before compliance can be fully realized. With that said, it brings a conclusion to this module, highlighting key points about Cloud information security and risk management.