Once you have data in the cloud, you need to secure it. This is done by employing data access controls, using techniques like the entitlement matrix, and technologies such as encryption and tokenization of data. Access controls are your primary security control for data.
The granularity of the controls, and how the controls are implemented, vary massively between the platforms, services and technologies of the different providers. Keep in mind that many things look the same on the surface, but the provider implementations can vary wildly in practice. The finer-grained the access control, the better for security, but at the same time it is also harder to manage over the long term.
You should implement data controls at a minimum of three layers, the first being the management plane. Make sure nobody can access the data through the management plane unless they need to do so. The second layer is public and internal sharing controls; inadvertently exposing data to the public has happened to many organizations.
See if there is a way to require extra actions to be performed before a publicly accessible data share is created. Sometimes this happens inadvertently, and providers often give you controls to restrict what information can be made readable to the world.
The third layer is the applications themselves, which must have appropriate controls designed and implemented to manage access.
This includes both your own applications, whether built on IaaS or PaaS, as well as any SaaS applications your organization consumes.
Beyond application-level controls, your options for implementing access controls will vary based on the cloud provider's service model and the provider's specific features, and an entitlement matrix can help you plan appropriate access controls around platform-specific capabilities. The entitlement matrix is essentially a grid that lists the users, groups and roles with their access levels for resources and functions.
Just to reiterate, it's critical to create platform-specific entitlement matrices. The primary purpose of an entitlement matrix is to implement application-level operational risk controls. If the provider doesn't offer you the ability to fine-tune permissions at the level of granularity needed to implement your entitlements, you should look for a different provider.
I have put together an example matrix describing access controls for blob storage. As you can see, each row is a control and each column is a role. This example assumes the provider gives you the controls to manage who can create blobs, view the contents of those blobs, edit the contents, and then separately manage and view the backups of the storage.
Not all providers give you these controls.
I know this will work when we're talking about storage accounts on Azure, but if you're doing this kind of exercise with a provider that doesn't allow certain controls, like, say, the backup-related actions, then you need to use a different matrix, or maybe a different provider if you really want these kinds of controls in place for managing backups.
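Here is that kind of matrix as working code. This is an added example in Go, not something from the lecture or from any provider's tooling. The five controls are the ones from the blob storage example above; the role names (app-service, analyst, storage-admin, backup-operator, security-auditor) and the "limited" provider capability list are made up for the example. Besides the deny-by-default check, it answers the two questions you actually ask of a matrix before adopting a provider: which rows the provider cannot enforce natively, and which roles end up holding every control.

```go
package main

import (
	"fmt"
	"sort"
)

// Control is a row of the matrix: an action on the blob storage service.
type Control string

// Role is a column of the matrix: a job function granted some set of controls.
type Role string

const (
	CreateBlob    Control = "create-blob"
	ViewContents  Control = "view-contents"
	EditContents  Control = "edit-contents"
	ManageBackups Control = "manage-backups"
	ViewBackups   Control = "view-backups"
)

// EntitlementMatrix maps each control to the roles allowed to perform it.
// Anything not listed is denied: the matrix is the only source of "allow".
type EntitlementMatrix map[Control]map[Role]bool

// BlobStorageMatrix is a constructed example for a provider that exposes all five controls.
var BlobStorageMatrix = EntitlementMatrix{
	CreateBlob:    {"app-service": true, "storage-admin": true},
	ViewContents:  {"app-service": true, "analyst": true, "storage-admin": true},
	EditContents:  {"app-service": true, "storage-admin": true},
	ManageBackups: {"backup-operator": true},
	ViewBackups:   {"backup-operator": true, "security-auditor": true},
}

// Allowed answers "may this role perform this control?" with deny by default:
// an unknown role or an unknown control both fall through to false.
func (m EntitlementMatrix) Allowed(r Role, c Control) bool {
	return m[c][r]
}

// Unsupported returns the matrix rows a provider cannot enforce natively, given the
// controls it does offer; those rows must be enforced elsewhere or the provider changed.
func (m EntitlementMatrix) Unsupported(providerControls []Control) []Control {
	offered := map[Control]bool{}
	for _, c := range providerControls {
		offered[c] = true
	}
	var missing []Control
	for c := range m {
		if !offered[c] {
			missing = append(missing, c)
		}
	}
	sort.Slice(missing, func(i, j int) bool { return missing[i] < missing[j] })
	return missing
}

// OverPrivileged lists roles that hold every control in the matrix, the usual
// least-privilege finding when one "admin" role is reused for convenience.
func (m EntitlementMatrix) OverPrivileged() []Role {
	count := map[Role]int{}
	for _, roles := range m {
		for r := range roles {
			count[r]++
		}
	}
	var out []Role
	for r, n := range count {
		if n == len(m) {
			out = append(out, r)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

func main() {
	fmt.Println("analyst may view:", BlobStorageMatrix.Allowed("analyst", ViewContents))
	fmt.Println("analyst may edit:", BlobStorageMatrix.Allowed("analyst", EditContents))
	// A provider with no backup-level controls (constructed capability list).
	limited := []Control{CreateBlob, ViewContents, EditContents}
	fmt.Println("rows this provider cannot enforce:", BlobStorageMatrix.Unsupported(limited))
	fmt.Println("roles holding every control:", BlobStorageMatrix.OverPrivileged())
}
```

The shape matters more than the data: because the matrix is the only place an "allow" can come from, adding a new control or a new role without touching the matrix yields a denial rather than an accidental grant, and the Unsupported check is the same comparison you would do by hand against a provider's permission list before deciding whether that provider can carry your matrix at all.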
When we're talking about encryption in this video, it's really about encrypting data at rest.
Symmetric encryption is the most common method for encrypting data at rest. With symmetric encryption, data is encoded in such a way that it can only be subsequently decoded using the same secret key that was used during the initial encryption. There are many different algorithms to perform this encryption, some stronger than others, but we won't get into all those details here.
The CSA guidance offers a good way to look at encryption systems.
You have the data, whether encrypted or not. You have the engine that performs the encryption using a particular encryption algorithm. Then you have the keys that the engine relies on, and you need to have a good way to manage those keys. When thinking about data encryption in the cloud, it's important to ask yourself some questions.
Can we trust the CSP with a copy of those encryption keys?
Can the CSP fully manage the keys? In other words, are we okay with not having visibility into, and access controls over, those encryption keys? How much data is being encrypted? Where should the encryption engine be located?
In the ensuing videos we'll speak further on ways to implement encryption based on the different answers you may have to these questions, but this should stimulate the mindset and approach you want to take when thinking about encryption of data in the cloud. Tokenization is different from encryption. Tokenization replaces each element of a data set with a random value.
The tokenization system stores both the original data and the randomized version in a secure database for later retrieval.
Tokenization is a method proposed by the payment card industry as a means to protect credit card numbers. In a PCI tokenization system, a publicly accessible tokenization server can be used as a front end to protect the actual credit card information, which is held in a secure database on the back end.
When a payment is processed, the vendor receives a token that acts like a reference ID, which can be used to perform actions on a transaction such as refunds. At no time does the vendor need to store the actual credit card number; rather, they just store the tokens. Remember for your exam that encryption changes the format of the data and typically increases its size (padding, nonces or IVs, authentication tags, and any text encoding of the ciphertext),
while tokenization and data masking techniques can keep the same length and format of the data while rendering it unusable to anyone who may access it.
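Here is the vault-plus-token flow described above as working code, an added example in Go that is not part of the lecture or of any PCI specification. The card number 4111111111111111 is the widely used Luhn-valid test number, not a real account. The choices that the token keeps the last four digits, has the same length and character set as the card number, never passes the Luhn check (so it cannot be mistaken for a real PAN), and is stable for repeat tokenization of the same PAN are design choices made for this example, not requirements of tokenization in general.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// Vault is the back-end store mapping tokens to real card numbers; it is the only
// component that ever holds PANs, so it is the one inside the hardened, PCI-scoped zone.
type Vault struct {
	mu      sync.Mutex
	byToken map[string]string
	byPAN   map[string]string
}

func NewVault() *Vault {
	return &Vault{byToken: map[string]string{}, byPAN: map[string]string{}}
}

// luhnValid is the check-digit test every real card number passes.
func luhnValid(s string) bool {
	sum := 0
	for i := 0; i < len(s); i++ {
		d := int(s[len(s)-1-i] - '0')
		if d > 9 { // non-digit bytes wrap to a large value and fail here
			return false
		}
		if i%2 == 1 {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum%10 == 0
}

// randomDigits draws n decimal digits from a CSPRNG; the token is not derived from the
// PAN in any way, so it carries no information about it.
func randomDigits(n int) (string, error) {
	out := make([]byte, n)
	for i := range out {
		v, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		out[i] = '0' + byte(v.Int64())
	}
	return string(out), nil
}

// Tokenize stores the PAN and returns a same-length, digits-only token that keeps the last
// four digits (so receipts can still print "**** 1111"). The same PAN always maps to the
// same token, so the vendor can recognise a repeat card without ever seeing the number.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return "", errors.New("not a plausible card number")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.byPAN[pan]; ok {
		return tok, nil
	}
	for {
		prefix, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		tok := prefix + pan[len(pan)-4:]
		// Retry on collision, and reject Luhn-valid tokens so a token can never be
		// mistaken for (or accidentally submitted as) a real card number.
		if _, taken := v.byToken[tok]; taken || luhnValid(tok) {
			continue
		}
		v.byToken[tok] = pan
		v.byPAN[pan] = tok
		return tok, nil
	}
}

// Detokenize is only reachable from the payment back end; the vendor never calls it.
func (v *Vault) Detokenize(token string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	pan, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	vault := NewVault()
	token, _ := vault.Tokenize("4111111111111111") // constructed, Luhn-valid test number
	pan, _ := vault.Detokenize(token)               // back end only; the vendor keeps just the token
	fmt.Println("token:", token, "resolves to:", pan)
}
```

Contrast this with the encryption case: the token is the same length and character set as the card number, so it drops into existing database columns, receipts and refund calls unchanged, yet there is nothing to "decrypt", because the only link back to the PAN is the row in the vault. Compromising the vendor's systems yields tokens that are worthless without access to Detokenize.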
So just to recap, in this video we went over data access controls, the entitlement matrix strategy, encryption and tokenization.