CCSP Domain 2 - Data Security Strategies MindMap
Transcript
Introduction
Hey, I’m Rob Witcher from Destination Certification, and I’m here to help you pass the CCSP exam. We are going to go through a review of the major topics related to data security strategies in Domain 2, to show you how they relate to one another, which should be a big help for your studies.

This is the third of five videos for domain 2. I have included links to the other MindMap videos in the description below. These MindMaps are a small part of our complete CCSP MasterClass.
Data Security Strategies
In this MindMap we are going to discuss all sorts of different ways that we can protect data in the cloud.
Encryption
The major way that we protect data in the cloud is through all sorts of encryption. We can encrypt data at rest, in motion, and in use. We can use encryption, and more broadly various cryptographic methods, to protect the confidentiality of data, ensure integrity, and even achieve super helpful things like authenticity, which lets us know who sent some data. Cryptography in the cloud is a huge topic so we’ll devote two MindMaps to the subject in Domain 4.
DRM
DRM–Digital Rights Management–are systems that protect digital content from unauthorized access and distribution by enforcing usage policies and access controls. DRM is another important topic that we’ll discuss in more detail in the last, fifth MindMap of Domain 2.
DLP
Let’s now get into the first topic that we are going to discuss in detail–DLP–Data Loss Prevention. DLP is a suite of technologies designed to prevent sensitive data (such as personal data, financial data, or intellectual property) from being accidentally or maliciously exposed, leaked, or lost. DLP ensures that sensitive information is securely stored and transmitted in compliance with policies and regulations.
The important keyword here is sensitive–sensitive data. A DLP system can’t and shouldn’t prevent all data from being viewed, saved, sent, printed, etc. So a critical requirement to an effective DLP system is knowing which data is your sensitive data. You need data classification.
Functionality
Let's now go through the major functionality that DLP systems provide.
Discovery & Classify
Discovery and classification is a DLP system’s ability to scan and identify sensitive data across an organization’s cloud storage, endpoints, and networks. DLP systems can then categorize the data based on sensitivity and business relevance. In other words, discovery involves automating the process of finding and classifying sensitive data. This is super helpful because as I mentioned it’s critical that data be properly classified for a DLP system to be useful.
Predefined templates, patterns, or AI-based algorithms can be used to identify sensitive data such as personal data, financial data, intellectual property, etc.
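A sketch of pattern-based discovery, added here as an illustration and not taken from the video or from any DLP product: a regex finds candidate card numbers, and a Luhn checksum discards digit runs that only look like cards. The patterns, labels, function names and sample documents are assumptions constructed for this example.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US Social Security number in its common written form (assumed pattern).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Return a classification label plus masked evidence for each finding."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("payment_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return {"label": "restricted" if findings else "unclassified",
            "findings": findings}

# Constructed sample documents. 4111 1111 1111 1111 is a widely used test
# card number; the SSN uses area 000, which is never issued.
SAMPLES = {
    "invoice.txt": "Paid with card 4111 1111 1111 1111 on 2024-03-01.",
    "ticket.txt": "Order reference 1234 5678 9012 3456 shipped.",
    "hr.txt": "Employee SSN 000-12-3456 on file.",
    "memo.txt": "Lunch is at noon.",
}

def scan(samples: dict) -> dict:
    """Classify every document in a store (here: an in-memory dict)."""
    return {name: classify(body) for name, body in samples.items()}
```

The order reference in `ticket.txt` has the shape of a card number but fails the checksum, so it is not flagged; that validation step is what keeps a pattern-based classifier from drowning in false positives.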
Monitoring
Monitoring is the DLP system’s ability to see how data is being used, what data is in motion across the network, and where data is being stored. Based on what the DLP systems are seeing, they can detect potential risks or policy violations in real-time, and then send alerts.
Enforcement
Enforcement refers to a DLP system's ability to go beyond just alerting and actually block something. They can block some data from being copied to a USB drive, or stop it from being emailed out of the organization, or being stored unencrypted on a file server.
Enforcement goes beyond simply blocking; some DLP systems can take actions like encrypting files, redacting sensitive information, or notifying administrators when data use violates company policies. Enforcement can be tailored to business needs–to allow for legitimate business use of sensitive data, while restricting risky activities.
Architecture
Now, for a DLP system to be able to monitor and potentially perform enforcement actions across the organization, we need to talk about where we may need to put DLP capabilities–we need to talk about the architecture of a DLP solution.
Network
Network DLP focuses on monitoring and controlling data as it moves across the network, preventing unauthorized transmission of sensitive data through various communication channels (e.g., email, web traffic, file transfers).
Network DLP systems monitor traffic in real time to inspect data in motion. This is typically done through deep packet inspection (DPI) to analyze the content of data flowing through network gateways or proxies. If sensitive data is detected, the system can block, quarantine, or alert administrators based on predefined policies.
You will typically need multiple network based DLP sensors spread across your network in order to have visibility into various network segments, as well as ingress points into your network and egress points out of your network.
Storage
Storage DLP focuses on identifying and protecting sensitive data at rest, whether it's stored in databases, file systems, cloud storage, or shared network drives.
Storage DLP systems scan storage locations for sensitive data and classify it based on predefined patterns (e.g., PII, credit card numbers). They ensure data is encrypted, stored securely, and compliant with regulations. Alerts are triggered for non-compliant data storage practices, and access control can be enforced.
Endpoint
Endpoint DLP focuses on monitoring and securing data on user devices–for example laptops, desktops, mobile devices–to prevent unauthorized copying, printing, or transferring of sensitive data from endpoints.
A DLP agent will be installed on endpoint devices, where it monitors activities such as copying data to USB drives, printing sensitive documents, or sending files to external cloud services. The DLP agent can enforce security policies by blocking certain actions or alerting in real time.
To sum it up:
Network-based DLP monitors data in motion, storage-based DLP monitors data at rest, and endpoint-based DLP monitors data use.
Components
Onward! Let’s now discuss the major DLP components.
Appliance (virtual / physical)
A DLP appliance is either a physical hardware device or a virtual machine that is deployed within a network to monitor, manage, and enforce data protection policies. These appliances handle the heavy lifting of monitoring traffic, inspecting content, and applying security policies.
Endpoint Agent
An endpoint agent is software installed on user devices such as laptops, desktops, and mobile devices. It monitors and controls sensitive data on endpoints.
Hypervisor Agent
A hypervisor agent is a DLP component deployed at the hypervisor level in a virtualized environment. It enables monitoring and enforcement of data protection policies across virtual machines running on a hypervisor without the need to install individual agents on each VM.
A hypervisor based DLP agent can also be very useful in eliminating blindspots from inter-VM communication. Let me explain that sentence. If you have two VMs running on the same hypervisor and they are sending packets back and forth to each other, these packets likely aren’t leaving the hypervisor and going across the network where a network-based DLP appliance could inspect the traffic. Instead the hypervisor will simply be moving the packets directly between the two VMs. This creates a blindspot if you want to monitor the data in-motion between the VMs. By installing a DLP capability on the hypervisor, it can eliminate this blindspot.
DLP SaaS
DLP SaaS can refer to a SaaS application that has some DLP functionality built into it that a customer can tap into.
DLP SaaS can also refer to cloud-based DLP solutions delivered as a service. For example, a DLP capability that monitors data flows between cloud applications - like in Google Workspace.
And that concludes our discussion of DLP. Let’s now move on to other techniques that can be used to protect data in the cloud.
Masking

Masking is a data obfuscation technique where characters (like an X or a *) are used to hide all or part of the sensitive data. For example, receipts will mask the credit card number used for payment (e.g. **** **** **** 1234).
Here’s what masking looks like. Btw, that’s my business partner’s (John’s) credit card number in case you want to go on a shopping spree.
Random substitution
Random substitution is another data obfuscation technique where sensitive data is replaced with randomly generated characters or values that do not follow any specific pattern.
Algorithmic substitution
Algorithmic substitution is a data obfuscation technique where sensitive data is replaced by a value generated through an algorithm, ensuring that the resulting data has the same properties as the original data but without revealing sensitive information.
Shuffle
Shuffling is a data obfuscation technique where sensitive data is shuffled around within a dataset. For example, one column of data is shifted up a few rows, and another column of data is shifted down a few rows, and so forth. This ensures the dataset retains the same data points but dissociates them from their original entities.
Static
Now, there are two ways these data obfuscation methods can be performed: statically or dynamically. Static obfuscation means creating a separate and distinct copy of the data where this data is obfuscated even in storage. This is often done to create a copy of production data to be used in a test environment, but you’re obfuscating the copied data to ensure sensitive data is protected.
Dynamic
Dynamic obfuscation means that sensitive data is protected by obfuscating it on-the-fly, ensuring that unauthorized users see only obfuscated data without altering the actual stored data. An example would be masking a customer’s credit card number on a call center agent’s screen.
Tokenization
Tokenization replaces sensitive data with unique tokens, which are random values that reference the original data stored in a separate secure database (token vault). The actual data is kept secure, and tokens are used for processing.
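The techniques above side by side, as an added example that is not from the video: masking, shuffling and tokenization, applied once dynamically (at read time) and once statically (as a separate test copy). The roles, field names, token format and sample rows are assumptions constructed for this sketch, and the in-memory vault stands in for the separate secure database.

```python
import random
import secrets

def mask(pan, keep=4):
    """Masking: replace every digit except the last `keep` with '*'."""
    hide = sum(c.isdigit() for c in pan) - keep
    out = []
    for c in pan:
        masked = c.isdigit() and hide > 0
        hide -= masked
        out.append("*" if masked else c)
    return "".join(out)

def shuffle_column(rows, column, rng):
    """Shuffle: the column keeps its values but they move to other rows."""
    values = [r[column] for r in rows]
    rng.shuffle(values)
    return [{**r, column: v} for r, v in zip(rows, values)]

class TokenVault:
    """Tokenization: random tokens; only the vault can map them back."""
    def __init__(self):
        self._token_of, self._value_of = {}, {}
    def tokenize(self, value):
        if value not in self._token_of:
            token = "tok_" + secrets.token_hex(8)
            self._token_of[value], self._value_of[token] = token, value
        return self._token_of[value]
    def detokenize(self, token):
        return self._value_of[token]

def dynamic_view(row, role):
    """Dynamic: stored row is unchanged; masking is applied at read time."""
    return dict(row) if role == "billing" else {**row, "card": mask(row["card"])}

def static_copy(rows, vault, rng):
    """Static: a separate, already-obfuscated copy for a test environment."""
    copy = [{**r, "card": vault.tokenize(r["card"])} for r in rows]
    return shuffle_column(copy, "salary", rng)

# Constructed rows; the card numbers are made-up digit strings.
PROD = [
    {"name": "A. Jones", "card": "4000 0000 0000 1234", "salary": 51000},
    {"name": "B. Patel", "card": "4000 0000 0000 5678", "salary": 64000},
    {"name": "C. Silva", "card": "4000 0000 0000 9012", "salary": 72000},
]
```

A token carries no information about the card number it replaces, so the test copy is only as sensitive as access to the vault; a masked value, by contrast, cannot be reversed at all.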
Deletion
Deletion, of course, is the complete removal of data from a system or database, often done to meet privacy or compliance requirements such as the GDPR or HIPAA. Once deleted, the data is no longer accessible or recoverable.
Data De-identification / anonymization
Data de-identification or anonymization refers to the process of removing or obscuring personal identifiers from a dataset to prevent the identification of individuals. The goal is to transform or remove personal data so that it can no longer be linked back to specific individuals.
Direct identifiers
Direct identifiers are pieces of information that can immediately and uniquely identify an individual without needing additional information. Perfect examples are Social Security Numbers, passport numbers, drivers license numbers, etc.
Indirect identifiers
Indirect identifiers are pieces of information that, on their own, may not directly identify a person, but when combined with other data, they can reveal an individual's identity. Examples include: gender, birth date, geographic indicator (like the ZIP or postal code), hair color, eye color, blood type, etc.
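Why removing direct identifiers alone is not enough, as an added example that is not from the video. It goes one step beyond the text by using k-anonymity (the size of the smallest group of records sharing the same indirect identifiers) as the measure; the field names and records are constructed for this sketch.

```python
from collections import Counter

DIRECT = {"name", "ssn"}                 # direct identifiers: removed outright
QUASI = ("gender", "birth_date", "zip")  # indirect identifiers named in the text

def drop_direct(rows):
    """Remove the direct identifiers from every record."""
    return [{k: v for k, v in r.items() if k not in DIRECT} for r in rows]

def generalize(rows):
    """Coarsen indirect identifiers: keep birth year only, ZIP to 3 digits."""
    return [{**r, "birth_date": r["birth_date"][:4], "zip": r["zip"][:3]}
            for r in rows]

def group_sizes(rows):
    """Count records per combination of indirect identifiers."""
    return Counter(tuple(r[q] for q in QUASI) for r in rows)

def k_anonymity(rows):
    """Size of the smallest group sharing one combination of indirect identifiers."""
    return min(group_sizes(rows).values())

def singled_out(rows):
    """Records whose indirect-identifier combination is unique in the dataset."""
    sizes = group_sizes(rows)
    return [r for r in rows if sizes[tuple(r[q] for q in QUASI)] == 1]

# Constructed records: names, SSNs and diagnoses are invented.
RECORDS = [
    {"name": "P1", "ssn": "000-00-0001", "gender": "F",
     "birth_date": "1984-03-12", "zip": "90210", "dx": "A"},
    {"name": "P2", "ssn": "000-00-0002", "gender": "F",
     "birth_date": "1984-11-02", "zip": "90213", "dx": "B"},
    {"name": "P3", "ssn": "000-00-0003", "gender": "M",
     "birth_date": "1979-06-30", "zip": "10001", "dx": "C"},
    {"name": "P4", "ssn": "000-00-0004", "gender": "M",
     "birth_date": "1979-01-15", "zip": "10003", "dx": "A"},
    {"name": "P5", "ssn": "000-00-0005", "gender": "F",
     "birth_date": "1984-07-21", "zip": "90211", "dx": "C"},
    {"name": "P6", "ssn": "000-00-0006", "gender": "M",
     "birth_date": "1979-09-09", "zip": "10002", "dx": "B"},
]
```

With names and SSNs dropped, every record is still unique on gender, birth date and ZIP (k = 1); after generalizing, each record shares its combination with two others (k = 3).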
Emerging: Homomorphic encryption
Now let's talk about an emerging technology that is a brilliant idea. Homomorphic encryption is a form of encryption that allows computations to be performed directly on encrypted data without needing to decrypt it first. The result of the computation remains encrypted and can be decrypted later to reveal the result as if the operations were performed on the original, unencrypted data.
Very cool idea. Unfortunately, Homomorphic encryption is not yet practical for most mainstream use cases due to its high computational overhead. It’s just way too slow.

And that is an overview of data security strategies in Domain 2, covering the most important concepts you need to know for the exam.

If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.
I will provide links to the other MindMap videos in the description below.
Thanks very much for watching! And all the best in your studies!