CCSP Domain 2 - Cloud Data Lifecycle MindMap

Download a FREE Printable PDF of all the CCSP MindMaps!

Your information will remain 100% private. Unsubscribe with 1 click.

Transcript

Introduction

Hey, I’m Rob Witcher from Destination Certification, and I’m here to help you pass the CCSP exam. In this video, we’ll review the major cloud data lifecycle topics in Domain 2. We’ll show you the connections between each of them to show you how they interrelate, to guide your studies.

Image of Cloud Data Lifecycle table - Destination Certification

This is the first of five videos for Domain 2. I have included links to the other MindMap videos in the description below. These MindMaps are a small part of our complete CCSP MasterClass.

Cloud Data Lifecycle

Moving to the cloud isn’t easy from a security perspective. If you are taking some data that was safely ensconced within an application deep in your internal network and you’re moving it to the cloud, such as in a SaaS application in the public cloud, then suddenly a lot of the controls that you used to have in place to protect the data may no longer exist or be relevant. You may no longer have the same defense in depth that you used to, and you may need to rely on different controls to a greater degree. How do you go about figuring this out?

Well one good way to go about this is to have a data-centric view. In other words, think carefully about the data you are moving to the cloud, and think about how you should protect that data in the cloud throughout its lifecycle. How will you protect the data when it’s newly created, when it’s stored, used by employees, potentially shared with others, etc.

Focusing on the data throughout its lifecycle, is a good way of thinking through all the controls that you should have in place to protect it.

Phases

So that’s why we are going to take a few minutes here to talk through the cloud data lifecycle and the six phases it defines. This is an important topic. Make sure you know the six phases I’m about to walk through: create, store, use, share, archive and destroy.

Create

Create is the first phase of the cloud data life cycle and it’s focused on the generation and creation of new data, as well as the alteration, updating or modification of existing data. Remember that last part. The create phases covers not only creating new data, but also existing data that has been modified.

Store

As soon as you create some new data, or modify existing data, you’re going to have to store the data somewhere, which brings us to phase two, store. The store phase is focused on committing data to some sort of storage repository. Important considerations related to storage include encryption, data redundancy, scalability, and availability to ensure that data is secure and reliably accessible.

Use

Phase three is use. This is where the data is actively accessed and used by applications or users. This involves reading, updating, and processing data. Remember, when changes are saved, that brings us back to the create phase.

Share

Phase four is share. It focuses on sharing data between users, applications, or systems, potentially across different cloud environments, and with various partners, contractors, etc. Sharing can involve various data formats and access permissions.

Archive

Phase five is archive, which is focused on when data leaves active use and enters long-term storage. Certain data may need to be retained for a long period of time, and major cost savings can be achieved by moving archived data to much slower or cheaper storage solutions in the cloud.

Destroy

The final phase is destroy. When data is no longer needed, it is securely deleted or destroyed to ensure it cannot be recovered. Properly destroying data can be important to ensure compliance with data privacy and regulatory requirements.

Image of visual summary of the cloud data lifecycle - Destination Certification

Here’s a nice visual summary of the cloud data lifecycle, and I want to point out one more critical requirement here. Data must be properly classified when it is created. Classification defines how valuable data is to an organization and what controls are cost justified. Therefore, the classification will drive the requirements for all the subsequent phases of the data lifecycle. The classification drives the requirements for the storage phase: whether data needs to be encrypted, replicated, etc. The classification will drive who can use the data and for what purposes during the use phase. The classification will drive who the data can be shared with and with which security controls, like DRM, etc. The classification defines whether the data needs to be archived and if so, for how long. Finally, the classification drives whether there is a defensible data destruction requirement–whether the data must be securely and provably destroyed.

Classification

So, classification is super important! Data needs to be properly classified when it is created.

Data Roles

Alright, let’s now move onto another important topic related to protecting data: roles. Who is accountable and who is responsible for what?

Owner / controller

Starting with the data owner or data controller–these terms are used interchangeably. It’s very, very importantly, the data owner is accountable for the protection of data. Remember, accountability can never be delegated. The data owner will set the requirements for protecting the data, and then the owner can delegate various responsibilities to the following roles.

Processor

Data processors are responsible for processing data on behalf of the owner or controller. The data processor is typically the cloud service provider.

Custodian

Data custodians have a technical responsibility for data. Data custodians ensure the requisite controls are in place to protect data in the cloud: confidentiality, availability, integrity, whether there is sufficient capacity, redundancy, whether data is backed up, etc. This is technical responsibility for the data.

It’s worth noting here, that if an organization moves data to the cloud, the job for any in-house data custodians is going to get a lot harder. Data custodians are expected to have full and comprehensive knowledge of the internal design and architecture of their data systems–it’s going to be very challenging if the data has been moved to the public cloud, especially if it’s a SaaS application.

Steward

Data stewards have a business responsibility for data. Data stewards typically work for the business so they understand the business context of the data–how the data is used by the business, what constitutes good data quality, which governance or compliance requirements exist for the data. This is all business responsibility.

Subject

A data subject is the individual to whom personal data relates. In other words, if an organization collected my personal data, I would be the data subject. It’s my personal data.

Controlling Access

Okay, final section of this MindMap–controlling access. In all honesty, this is not super important, but these items are in the exam outline and in the CSA guidance, so it’s worth covering briefly.

Here’s the idea: in order to properly control access to data, think about:

Actors

Actors, which are the subjects, the people or the processes that want to access data.

Functions

Functions are what they can do with the data. Can they delete the data, modify it, access it, etc.?

Locations

The third and final part is locations. You contemplate, both where the data is physically stored, and also where it is being accessed from by the actors. It’s about the locations of the data and the actors.

Possible

Next you identify what is technically possible. Is it possible for this actor to access that data, from these locations? You think through all the permutations of what is possible and you can create a table of all these possibilities.

Allowed

Finally, you review what is possible and decide what should be permissible–what should be allowed. You can then implement controls to restrict a list of possible actions down to the allowed or permitted actions.

Image of Cloud Data Lifecycle table - Destination Certification

That’s it for our overview of the cloud data lifecycle in Domain 2, covering the most critical concepts you need to know for the exam.

Image of next mindmap - Destination Certification

If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.

I will provide links to the other MindMap videos in the description below.

Thanks very much for watching! And all the best in your studies!

Image of masterclass video - Destination Certification

The easiest way to get your CCSP Certification 


Learn more about our CCSP MasterClass

>