Time
5 hours 31 minutes
Difficulty
Advanced
CEU/CPE
6

Video Description

This lesson covers privacy and discusses the following terms related to privacy:

• Masking/Obfuscation
• Data Anonymization
• Tokenization

All of these methods have different processes in how they protect sensitive information, which is very important for cloud security.

Video Transcription

00:04
Okay, let's talk about some techniques for protecting the privacy and the sensitivity of our information. So the first term we'll talk about is masking or obfuscation and obfuscation is where we're hiding
00:17
sensitive information, and usually we replace it with, uh, with special characters. So, for instance, when I go and I pull up one of my customers, maybe I'm a customer to bank
00:27
and I pull up their account number. I'll see asterisks and then the last four digits of their account number, credit card number, whatever that is. Everything else is masked out or is obfuscated.
00:40
So the idea is, we have the information that's necessary. But for me, as a teller, all I can see is those last four digits.
00:47
Now, data anonymization is the process of getting rid of what's personally identifiable from the rest of the data set. So, for instance, if I'm tracking information about purchase history, I can take that from a demographic standpoint.
01:06
But then eliminate the individuals who are making the purchases, if that makes sense. Maybe I'm looking to see
01:11
in a region. Maybe I'm a health insurance company, and I'm gonna find out if Silver Spring, Maryland, has a high concentration of sales of cigarettes, for instance, so I can track everybody's frequent shopper information, but then remove the individual's information and look at it as a big picture. That might be another way that we protect information.
01:32
Tokenization. This is used a lot for financial
01:36
transactions. So ultimately, um,
01:40
it's more about the token is a pointer to the data rather than the data itself. So ultimately what we're looking at is to protect him, that we can reference that token, store the token and make it accessible easily. But the data itself
01:57
is not accessible. I don't know if that makes sense, but it's like the token's acting almost like an interface
02:02
to the data. All right, now, when we're further considering securing our data, one of the ways that we do that is to classify our data appropriately. So the cloud service providers should make sure that the controls are placed based on the classification of the data, based on our service level agreements,
02:22
um, so that, uh, that anything that's created, that's modified follows those controls.
02:30
Implemented controls should be technical, administrative and physical controls for the security of the facility, but also, we've got to think about prevention. We've got to think about deterrence, detection, all of those different types of controls,
02:45
um, making metadata available. We'll talk a little bit about metadata, but ultimately it's what gives information its meaning
02:53
or its value. So we can have this page of information. The metadata would say, that's secret or top secret or whatever that might be. Ah, the data needs to be protected the same, to the same degree, whether it's at rest or in transit. And if it needs to be reclassified, that should be supported within the cloud as well.
03:13
Data privacy terms. So when we're talking about privacy, as we will be a lot, doing a lot in this class. So the data subject. All right, so that, ultimately, is any individual that can be referenced based on this personally identifiable information.
03:31
So when we talk about that
03:34
ah, you know, any sort of factors that would tie to the physical, physiological, mental, so that would include, cover any sort of diagnostic information, economic, cultural. Ah, you know, all of these different identify, identifiable facets,
03:53
and then our personal data
03:54
is going to, uh, going to be something that ties to us as an individual. So biometrics, we think about that a lot. All right, processing. What are the organizations that are gonna handle, whether they collect or document, modify, store our information?
04:14
We also have a controller
04:16
who is some entity that determines that we're meeting the compliance issues. Ultimately, that we're legally compliant within our regulations.
04:27
The processor is then gonna be obliged to follow the procedures as set out by the controller. And ultimately remember in the cloud that the customer's the controller of the data and we as customers are responsible to all the legal duties addressed
04:45
in privacy and data protection laws.
04:47
Ah, just like with HIPAA, for instance, if I'm a medical provider and I outsource the processing of those claims, I'm still liable for the privacy of that information. So we have to keep in mind shifting things through the cloud does not alleviate us of any sort of liability.
05:06
Now, the Cloud Security Alliance has given us a Cloud Controls Matrix, CCM. Ah, basically, that's gonna help us sort of match security, uh, principles.
05:19
Um, ultimately, it's gonna break out into six different domains and these are kind of, ah, mapped to industry-specific standards. So just to show you what we look at, ah, the domains of the CCM, and I, I doubt that they would ask you about these on the test, but I think it's a good idea to kind of go through
05:38
and you can see the various controls. So
05:41
interface and application security, auditing, business continuity management, encryption, identity and access management, virtualization. You know, so, so many of these we've talked about. But this comes to us from the Cloud Security Alliance, and it's certainly worth taking a look at.

Up Next

ISC2 Certified Cloud Security Professional (CCSP)

This online course will guide you through the contents of the CCSP certification exam. Obtaining your CCSP certification shows that you are a competent, knowledgeable, cloud security specialist who has hands-on experience in the field.

Instructed By

Kelly Handerhan
Senior Instructor