M-209 cipher machine.

Cloud Data Security Domain

Intellectual Property

Data Rights Management / Information Rights Management

Data Storage Models

Database encryption

Data Masking — hide, replace, or omit sensitive data

Approaches:

Methods:

Data Anonymization

Similar to masking, but also removes indirect identifiers so that analysis cannot work out what the PII would have shown directly.

Used to analyze statistics on a large collection containing PII.

Data Tokenization

Replace a sensitive data element with a token, a random value with the shape and form of the original. A tokenization application maps between the tokens and the actual values. This needs a second database.

PCI DSS requires either encryption or tokenization of PII and card data.

Bit Splitting

Encrypt, split ciphertext and key across storage locations. With redundancy, your data survives individual drive failures, or seizures of some media by law enforcement.

Generate a random 256-bit key, encrypt your data with AES-CBC. For each 8-bit block of the ciphertext and the key, store:

You could reassemble the ciphertext and key with the data from any two clouds. That's all you need to understand for the test.
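One layout with the any-two-of-three property described above, as an added example that is not from the original page. The nibble-plus-XOR layout, the `cloud_1` to `cloud_3` names, and the random bytes standing in for AES-CBC output are all assumptions.

```python
import itertools
import os

NAMES = ("cloud_1", "cloud_2", "cloud_3")  # hypothetical storage locations

def split(blob: bytes) -> dict:
    """Assumed layout: high nibble, low nibble, and their XOR, one per cloud.

    Each nibble is kept in its own byte for clarity; a real store would pack two.
    """
    hi = bytes(b >> 4 for b in blob)
    lo = bytes(b & 0x0F for b in blob)
    parity = bytes(h ^ l for h, l in zip(hi, lo))
    return dict(zip(NAMES, (hi, lo, parity)))

def reassemble(shares: dict) -> bytes:
    """Rebuild the original bytes from any two (or all three) shares."""
    hi, lo, parity = (shares.get(n) for n in NAMES)
    present = [s for s in (hi, lo, parity) if s is not None]
    if len(present) < 2:
        raise ValueError("need shares from at least two clouds")
    if len({len(s) for s in present}) != 1:
        raise ValueError("share lengths differ; a share is truncated or mismatched")
    if hi is None:   # cloud_1 lost: high nibble = low nibble XOR parity
        hi = bytes(l ^ p for l, p in zip(lo, parity))
    if lo is None:   # cloud_2 lost: low nibble = high nibble XOR parity
        lo = bytes(h ^ p for h, p in zip(hi, parity))
    return bytes((h << 4) | l for h, l in zip(hi, lo))

def demo() -> bool:
    key = os.urandom(32)         # random 256-bit key, as in the text
    ciphertext = os.urandom(48)  # constructed stand-in for AES-CBC output
    blob = key + ciphertext      # key and ciphertext are split the same way
    shares = split(blob)
    # Every pair of clouds must be enough to recover key and ciphertext.
    for pair in itertools.combinations(NAMES, 2):
        if reassemble({n: shares[n] for n in pair}) != blob:
            return False
    return True

if __name__ == "__main__":
    print("any two of three shares recover key+ciphertext:", demo())
```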

In the real world, each data center and its corporate headquarters would have to be in a separate country. And in the really real world with the US CLOUD Act, no more than one could be in the U.S. or another Five Eyes country, or any other country where the U.S. has strong influence. Chile, South Africa, India, and Singapore might work, as long as the cloud providers have their headquarters in those countries.

More advanced, possible but less likely to appear:

Cryptography

Here is a set of terms you should know.

Quantum Science

Quantum computing is offensive, a threat to break ciphers and expose secrets. A truly general-purpose quantum computer with enough stable qubits could run Shor's algorithm to quickly solve the now "too difficult" problems that protect asymmetric ciphers — factoring for RSA and discrete logarithm for ECC. Symmetric ciphers should (as far as we currently understand) be relatively safe: Grover's algorithm reduces a 256-bit cipher to the resistance of a 128-bit cipher against brute-force search.

Quantum cryptography is defensive, to protect secrets. It's really about QKD or Quantum Key Distribution, using single-photon signaling to transmit a key to be used in a conventional symmetric cipher. China is a world leader in this; see one of my "Just Enough Cryptography" pages for details on the Chinese quantum Internet.

Responsibility depending on type of cloud service

| | IaaS | PaaS | SaaS |
|---|---|---|---|
| Security GRC (Governance, Risk, and Compliance) | Enterprise | Enterprise | Enterprise |
| Data Security | Enterprise | Enterprise | Enterprise |
| Application Security | Enterprise | Enterprise | Shared |
| Platform Security | Enterprise | Shared | CSP |
| Infrastructure Security | Shared | CSP | CSP |
| Physical Security | CSP | CSP | CSP |

Shared because:

Now That You Know Cryptography...

Exam Language Tricks

There are some questions where knowing all the technology doesn't give you the correct answer. You must carefully analyze the English prose.

(ISC)² isn't as bad as CompTIA about doing this, but they still do it on some questions. See my page with explanations and examples.

Example Question

Question: Your company has decided to start selling products through your website, accepting payment by credit and debit cards. You will do this in a public cloud setting and your staff will administer the servers' operating systems and applications. A secure tunnel connects your cloud server to the payment processing firm. Your staff must install client-side certificates on your VMs so they can automatically authenticate into the payment processor. All purchase records will be stored in your virtual private cloud, in object storage protected by encryption (except, of course, not the CVV). The payment processor returns values which you store in the purchase records to support any later refunds. What do you need?

A: IaaS
B: TLS
C: X.509v3
D: AES-CBC
E: PCI-DSS
F: Tokenization
