Okay, let's talk about some techniques for protecting the privacy and the sensitivity of our information. So the first term we'll talk about is masking or obfuscation and obfuscation is where we're hiding
sensitive information, and usually we replace it with, uh, with special characters. So, for instance, when I go and I pull up one of my customer, maybe I'm a customer to bank
and I pull up their account number. I'll see ask risks and then the last four digits of their account number, credit card number, whatever that is. Everything else is masked out or is obfuscated.
So the idea is, we have the information that's necessary. But for me is a teller. All I can see those last four digits
now data anonymous ation is the process of getting rid of what's personally identifiable from the rest of the data set. So, for instance, if I'm tracking information about purchase history, I can take that from a demographic standpoint.
But then eliminate the individuals who making the purchases that makes sense. Maybe I'm looking to see
in a region. Maybe I'm a health insurance company, and I'm gonna find out if Silver Spring, Maryland, has a high concentration of sales of cigarettes, for instance, so I can track everybody's frequent shopper information, but then remove the individual's information and look at it is a big picture. That might be another way that we protect information.
Token ization. This is used a lot for financial
transactions, So ultimately, um,
it's more about the token is a pointer to the data rather than the data itself. So ultimately what we're looking at is to protect him, that we can reference that token store the token and make it accessible easily. But the data itself
is not accessible. I don't know if that makes sense, but it's like the tokens acting almost like an interface
to the Dow. All right, now, when we're further considering securing our dad in one of the ways that we do that is to classify our data appropriately. So the cloud service providers should make sure that the controls were placed based on the classification of the data based on our service level agreements,
Um, S O that, uh, that anything that's created that's modified follows those controls.
Implemented controls should be technical, administrative and physical controls for the security of the facility, but Also, we've got to think about prevention. We've got to think about deterrence detection, all of those different types of controls,
um, making metadata available. We'll talk a little bit about metadata, but ultimately it's what gives information, its meaning
or its value. So we can have this page of information. The metadata would say, That's secret or top secret or whatever that might be. Ah, the data needs to be protected the same to the same degree, whether it's a rest or in transit. And if that it needs to be reclassified, that should be supported within the cloud as well.
Data privacy turn. So when we're talking about privacy, as we will be a lot doing a lot in this class. So the data subject All right, so that, ultimately, is any individual that can be referenced based on this personally identifiable information.
So when we talk about that
ah, you know any sort of factors that would tie to the physical physiological mental, so that would include cover any sort of diagnostic information economic, cultural. Ah, you know, all of these different identify identifiable facets,
and then our personal data
is going to, uh, going to be something that ties to us is an individual. So biometrics, we think about that a lot. All right, Processing. What are the organizations that are gonna handle whether they collect or document, modify store our information?
We also have a controller
who is some entity that determines that we're meeting the compliance issues. Ultimately, that we're legally compliant within our regulations.
The processor is then gonna be obliged to follow the procedures as set out by the controller. And ultimately remember in the cloud that customers the controller of the data and we as customers a responsible toe, all the legal Judy's address
in privacy and data protection laws.
Ah, just like with hip A. For instance, if I'm a medical provider and I outsource the processing of those planes, I'm still liable for the privacy of that information. So we have to keep in mind shifting things through the cloud does not alleviate us of any sort of liability.
Now, the Cloud security alliance has given us a cloud control matric CCM. Ah, basically, that's gonna help us sort of match security. Uh, principles.
Um, ultimately, it's gonna break out into six different domains and these air kind of ah, mapped to industry specific standards. So just to show you what we look at, ah, the domains of the CCM and I, I doubt that they would ask you about these on the test, but I think it's a good idea to kind of go through
and you can see the various control. So
interface and application, security, auditing, business continuity, management, encryption, identity and access management. Virtualization. You know, so so many of these we've talked about. But this comes to us from the Cloud Security Alliance, and it's certainly worth taking a look at.