Cloud Data Security Domain

Intellectual Property

Data Rights Management / Information Rights Management

Data Storage Models

Database encryption

Data Masking — hide, replace, or omit sensitive data

Approaches:

Methods:

Data Anonymization

Similar to masking, but also removes indirect identifiers so that analysis cannot figure out what the PII would have directly shown.

Used to analyze statistics on a large collection containing PII.

Data Tokenization

Replace a sensitive data element with a token, a random value with the shape and form of the original. A tokenization application maps between the tokens and the actual values. This needs a second database.

PCI DSS requires either encryption or tokenization of PII and card data.
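
The token-to-value mapping described above, as an added example that is not part of the original notes: a small token vault in Python, with an in-memory SQLite database standing in for the second database. The class name `TokenVault`, its methods, the table layout and the sample value are assumptions made for illustration.

```python
import secrets
import sqlite3
import string

class TokenVault:
    """Tokenization application; its SQLite file plays the second database."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS vault ("
                        "token TEXT PRIMARY KEY, value TEXT UNIQUE NOT NULL)")

    @staticmethod
    def _random_like(value):
        # Keep shape and form: digit -> random digit, letter -> random letter
        # of the same case, separators and anything else left unchanged.
        pools = (string.digits, string.ascii_uppercase, string.ascii_lowercase)
        return "".join(
            next((secrets.choice(p) for p in pools if ch in p), ch)
            for ch in value)

    def tokenize(self, value):
        row = self.db.execute("SELECT token FROM vault WHERE value = ?", (value,)).fetchone()
        if row:
            return row[0]  # a value already in the vault keeps its token
        if not any(ch in string.digits + string.ascii_letters for ch in value):
            raise ValueError("value has no characters to randomize")
        for _ in range(100):
            token = self._random_like(value)
            if token == value:
                continue  # a token must never equal the real value
            try:
                with self.db:  # commit, or roll back on error
                    self.db.execute("INSERT INTO vault VALUES (?, ?)", (token, value))
                return token
            except sqlite3.IntegrityError:
                continue  # token already issued for another value; redraw
        raise RuntimeError("no unused token found for this shape")

    def detokenize(self, token):
        row = self.db.execute("SELECT value FROM vault WHERE token = ?", (token,)).fetchone()
        if row is None:
            raise KeyError("unknown token")
        return row[0]

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111-1111-1111-1111")  # constructed sample value
    print(token, vault.detokenize(token))
```

Because the token is random rather than derived from the value, only a lookup in the vault can reverse it, which is why the vault is kept separate from the systems that store the tokens.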

Bit Splitting

Encrypt, then split the ciphertext and the key across storage locations. With redundancy, your data survives individual drive failures, or seizures of some media by law enforcement.

Responsibility depending on type of cloud service

| | IaaS | PaaS | SaaS |
|---|---|---|---|
| Security GRC (Governance, Risk, and Compliance) | Enterprise | Enterprise | Enterprise |
| Data Security | Enterprise | Enterprise | Enterprise |
| Application Security | Enterprise | Enterprise | Shared |
| Platform Security | Enterprise | Shared | CSP |
| Infrastructure Security | Shared | CSP | CSP |
| Physical Security | CSP | CSP | CSP |