9.1 Primer on Cloud Storage
- Data classification: Categorise data by type, sensitivity, and criticality to apply appropriate security controls and align with compliance strategies.
- Types of cloud storage:
  - Object storage: Stores files as objects with metadata and unique IDs. Highly scalable, ideal for unstructured data. Provider manages redundancy; customer manages governance, backups, encryption.
  - Volume/block storage: Acts as virtual hard drives attached to workloads. Customer manages redundancy, encryption, backups.
  - Database storage: Managed relational (SQL) and non-relational (NoSQL) databases. Providers offer services like Amazon RDS, Google Cloud SQL, Azure SQL, DynamoDB, Cosmos DB.
  - Other storage: Includes logging services, message queues, caches, in-memory databases, and SaaS storage (e.g., Google Drive, OneDrive).
9.2 Data Security Tools and Techniques
- Data classification: Categorises data by sensitivity and impact, guiding protection and compliance strategies. Requires continuous evaluation and clear ownership.
- Identity and Access Management (IAM): Governs access to resources via policies, both user-based and resource-based.
- Access policies: Define permissions and network rules to enforce security boundaries.
- Encryption and key management: Converts data to ciphertext that is useless without the key, so the protection moves to the key. Keys must be generated, stored, rotated and access-controlled separately from the data they protect; whether they live in the provider's KMS or outside it depends on the threat model.
- Data Loss Prevention (DLP): Identifies, monitors, and protects sensitive data from unauthorised sharing or exfiltration. More commonly applied to SaaS, where the provider exposes content through APIs, than to IaaS/PaaS, where scanning every bucket and volume at cloud scale is harder.
9.3 Cloud Data Encryption at Rest
- Encryption layers: Data can be encrypted at volume/object, file/API, database, or application layer. Higher layers offer more granular control but greater complexity.
- Application-level encryption: Encrypts sensitive data before database storage; protects data even from DB admins.
- File/API encryption: Granular protection for specific files or API-accessed data.
- Database encryption: Secures entire databases or specific tables/columns; often uses transparent database encryption (TDE).
- Object storage encryption: Provider-managed encryption at rest applied automatically by services like S3 and Blob Storage. It satisfies baseline "encrypted at rest" requirements, but it is transparent to any principal allowed to read the object, so on its own it does not stop misuse of valid credentials.
- Volume encryption: Secures virtual disks; seamless and automated, protects data at rest and in backups/snapshots.
9.3.2 Cloud Data Key Management Strategies
- Client-side encryption: Customer encrypts data before uploading; provider never sees plaintext.
- Server-side encryption: Provider encrypts data on write and decrypts on read using keys it holds; easiest to set up and transparent to applications, which also means anyone with read permission receives plaintext.
- Customer-managed encryption keys: Keys live in the provider's KMS, but the customer controls the key lifecycle (creation, rotation, disabling, deletion) and the key policy, so access to the data can be cut off by revoking access to the key.
- Customer-provided or bring-your-own keys (BYOK): Customer generates the key material outside the provider and either imports it into the provider's KMS or supplies it with each request (as with S3 SSE-C). More control, but backup, rotation and loss of the key are now the customer's responsibility.
- Custom application-level encryption: Hybrid scenarios where customer manages both encryption and keys.
9.3.3 Data Encryption Recommendations
- Use provider KMS for key management.
- For SaaS, rely on provider’s encryption tools; some allow customer-managed keys.
- Default provider encryption is often sufficient for compliance requirements that only ask for encryption at rest; it protects against lost or reused physical media, not against a compromised credential that is permitted to read the data.
- Use different keys for different services/deployments.
- Apply IAM policies to keys for least privilege.
- Align encryption strategies with threat models. For example, to protect against credential compromise, encrypt with a customer-managed key whose policy grants decrypt to fewer principals than can read the storage, or encrypt client-side so the provider never holds plaintext.
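The key-management strategies in 9.3.2 and the recommendations above (per-service keys, IAM policy on keys, protecting against credential compromise) are easier to reason about in code. The following is an added example, not code from the page or from any provider SDK: a mock KMS that holds one master key per service and enforces a per-key policy, plus envelope encryption of an object with a fresh data key. The cipher (HMAC-SHA256 keystream with encrypt-then-MAC) is a stand-in chosen so the example runs on the standard library; production code would use AES-GCM from a vetted library. Key IDs, principal names and the record are constructed for the example.

```python
"""Envelope encryption against a mock KMS: one master key per service, a fresh data key per
object. The cipher is a stand-in (HMAC-SHA256 keystream, encrypt-then-MAC); production code
uses AES-GCM from a vetted library. The key-handling flow is what this demonstrates."""
import hashlib
import hmac
import secrets


def _keystream_xor(key, nonce, data):
    # Counter-mode keystream: HMAC-SHA256(key, nonce || counter); XOR is its own inverse.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def _subkeys(key):
    # Separate encryption and MAC keys derived from the one supplied key.
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()


def aead_encrypt(key, plaintext, aad):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key, blob, aad):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return _keystream_xor(enc_key, nonce, ct)


class MockKMS:
    """Master keys never leave this object; callers only get data keys and wrapped data keys.
    The per-key allow-list stands in for an IAM key policy (hypothetical, not a real KMS API)."""

    def __init__(self):
        self._master = {}
        self._policy = {}

    def create_key(self, key_id, allowed_principals):
        self._master[key_id] = secrets.token_bytes(32)
        self._policy[key_id] = set(allowed_principals)

    def _authorize(self, key_id, principal):
        if principal not in self._policy.get(key_id, ()):
            raise PermissionError(f"{principal} may not use key {key_id}")

    def generate_data_key(self, key_id, principal):
        self._authorize(key_id, principal)
        data_key = secrets.token_bytes(32)
        wrapped = aead_encrypt(self._master[key_id], data_key, key_id.encode())
        return data_key, wrapped

    def decrypt_data_key(self, key_id, wrapped, principal):
        self._authorize(key_id, principal)
        return aead_decrypt(self._master[key_id], wrapped, key_id.encode())


def encrypt_object(kms, key_id, principal, plaintext):
    # Plaintext never goes to the KMS: only the 32-byte data key is wrapped there.
    data_key, wrapped = kms.generate_data_key(key_id, principal)
    body = aead_encrypt(data_key, plaintext, key_id.encode())
    return {"key_id": key_id, "wrapped_data_key": wrapped, "body": body}


def decrypt_object(kms, obj, principal):
    data_key = kms.decrypt_data_key(obj["key_id"], obj["wrapped_data_key"], principal)
    return aead_decrypt(data_key, obj["body"], obj["key_id"].encode())


def demo():
    kms = MockKMS()
    kms.create_key("payments-prod", ["role/payments-api"])   # one key per service/deployment
    kms.create_key("analytics-prod", ["role/analytics-job"])
    record = b"pan=4111111111111111;exp=12/29"                # constructed sample record
    obj = encrypt_object(kms, "payments-prod", "role/payments-api", record)
    roundtrip = decrypt_object(kms, obj, "role/payments-api") == record
    # A compromised analytics credential can read the stored blob but cannot unwrap its key.
    try:
        decrypt_object(kms, obj, "role/analytics-job")
        cross_service_denied = False
    except PermissionError:
        cross_service_denied = True
    # Any modification of the stored ciphertext is rejected before plaintext is returned.
    tampered = dict(obj, body=obj["body"][:-1] + bytes([obj["body"][-1] ^ 1]))
    try:
        decrypt_object(kms, tampered, "role/payments-api")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"roundtrip": roundtrip, "cross_service_denied": cross_service_denied,
            "tamper_detected": tamper_detected}
```

The stored object carries its own wrapped data key, so reading the bucket gets an attacker nothing without a successful unwrap call against the key policy; that is the control that default server-side encryption alone does not give you.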
9.4 Data Security Posture Management (DSPM)
- DSPM tools focus on data-centred security: discovery, classification, access control evaluation, and remediation.
- DSPM helps visualise who has access to data and how, offering recommendations and managing overlapping controls.
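The discovery, classification and access-evaluation steps that a DSPM tool automates can be sketched in a few dozen lines. This is an added example, not code from the page or from any DSPM product: it scans constructed records for e-mail addresses, AWS access key IDs and Luhn-valid card numbers, assigns a sensitivity level, and then flags objects holding restricted data that are world-readable or readable by too many principals. The object names, reader lists, the sensitivity mapping and the reader threshold are all assumptions made for the example.

```python
"""DSPM-style discovery: find sensitive data in records, classify, and flag over-exposure."""
import re

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # 13 to 19 digits with optional single space/hyphen separators; validated by Luhn below.
    "card_candidate": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}
# Assumed classification scheme for the example; a real one comes from the data owner.
SENSITIVITY = {"card_number": "restricted", "aws_access_key_id": "restricted", "email": "confidential"}
LEVEL_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def luhn_ok(digits):
    """Luhn checksum: filters out random digit runs (order numbers, IDs) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value, keep=4):
    """Never log the raw finding; keep only a tail for triage."""
    return "*" * (len(value) - keep) + value[-keep:]


def discover(text):
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if kind == "card_candidate":
                digits = re.sub(r"[ -]", "", value)
                if not luhn_ok(digits):
                    continue
                findings.append(("card_number", mask(digits)))
            else:
                findings.append((kind, mask(value)))
    return findings


def classify(text):
    """Highest sensitivity of any finding wins; no findings means 'internal'."""
    findings = discover(text)
    level = "internal"
    for kind, _ in findings:
        if LEVEL_RANK[SENSITIVITY[kind]] > LEVEL_RANK[level]:
            level = SENSITIVITY[kind]
    return level, findings


def overexposed(objects, max_readers=5):
    """Objects holding restricted data that are world-readable or readable by many principals."""
    flagged = []
    for name, obj in objects.items():
        level, _ = classify(obj["text"])
        if LEVEL_RANK[level] < LEVEL_RANK["restricted"]:
            continue
        readers = obj["readers"]
        if "*" in readers:
            flagged.append((name, "world-readable"))
        elif len(readers) > max_readers:
            flagged.append((name, f"readable by {len(readers)} principals"))
    return flagged


# Constructed sample inventory: object -> content plus the principals allowed to read it.
RECORDS = {
    "s3://crm-exports/customers.csv": {
        "text": "id,email,note\n1,alice@example.com,vip\n2,bob@example.org,",
        "readers": ["role/crm-app", "role/support"],
    },
    "s3://finance-raw/refunds.txt": {
        "text": "refund 4111 1111 1111 1111 amount 12.50; ref 7000-0000-0000-1",
        "readers": ["*"],
    },
    "s3://ops/config.env": {
        "text": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nREGION=eu-west-1",
        "readers": ["role/deploy", "role/dev-a", "role/dev-b", "role/dev-c", "role/dev-d", "role/dev-e"],
    },
    "s3://www/about.html": {"text": "<p>Contact us via the form.</p>", "readers": ["*"]},
}

if __name__ == "__main__":
    for name, obj in RECORDS.items():
        print(name, classify(obj["text"]))
    print(overexposed(RECORDS))
```

The reference "7000-0000-0000-1" in the refunds record is a 13-digit run that fails the Luhn check, so it is not reported; the public web page is world-readable but carries nothing sensitive, so it is not flagged either. Only the two restricted objects with wide access come out of `overexposed`, which is the "who has access to what" view the section describes.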
9.5 Object Storage Security
- Object storage (e.g., S3, Blob Storage) poses exposure risks due to misconfigurations and complex access settings.
- Providers offer controls to block public access at the account or bucket level; encrypting objects with a customer-managed KMS key adds a second gate, since reading the object also requires permission to use the key.
- A CDN can front a private bucket: the bucket policy grants read only to the CDN distribution, and the public reaches the content through the CDN rather than the storage endpoint.
- Continuous monitoring with CSPM and DSPM is essential.
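The misconfiguration the section warns about is almost always a resource policy that grants access to a wildcard principal. The following is an added example, not code from the page or from any CSPM product: a small auditor that walks an IAM-style policy document (an S3 bucket policy or a KMS key policy, as in the least-privilege recommendation in 9.3.3), reports every Allow statement with a `*` principal, and notes whether a Condition narrows the grant or whether S3 Block Public Access (`RestrictPublicBuckets`) neutralises it. The two policy documents, the account ID, distribution ID and VPC endpoint ID are constructed for the example.

```python
"""Audit IAM-style resource policies (S3 bucket policy, KMS key policy) for wildcard principals."""
import json


def as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def find_wildcard_grants(policy, public_access_block=None):
    """One finding per Allow statement with a wildcard principal.

    exposure: "public" if nothing narrows the grant; "conditioned" if a Condition block
    scopes it (e.g. aws:SourceVpce); "blocked-by-pab" if S3 Block Public Access has
    RestrictPublicBuckets on, which makes S3 ignore public grants in the bucket policy.
    Deny statements are not evaluated; this is a finder, not a full policy simulator.
    """
    pab = public_access_block or {}
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = as_list(stmt.get("Action"))
        if stmt.get("Condition"):
            exposure = "conditioned"
        elif pab.get("RestrictPublicBuckets"):
            exposure = "blocked-by-pab"
        else:
            exposure = "public"
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": actions,
            # "*" or "service:*" actions are broad regardless of principal.
            "broad": any(a == "*" or a.endswith(":*") for a in actions),
            "exposure": exposure,
        })
    return findings


# Constructed bucket policy: a CloudFront-only grant (the safe CDN pattern), a grant limited
# to a VPC endpoint, and a leftover public-read statement.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CloudFrontOnly", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
     "Condition": {"StringEquals": {"AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"}}},
    {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "LegacyPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-assets", "arn:aws:s3:::example-assets/*"]}
  ]
}
""")

# Constructed KMS key policy: the usual account-root admin statement plus a decrypt grant to anyone.
KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "RootAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AnyoneCanDecrypt", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}
  ]
}
""")


def audit():
    """Run the finder on the samples, with and without Block Public Access on the bucket."""
    no_pab = find_wildcard_grants(BUCKET_POLICY)
    with_pab = find_wildcard_grants(BUCKET_POLICY, {"RestrictPublicBuckets": True})
    key = find_wildcard_grants(KEY_POLICY)
    return {
        "bucket": {f["sid"]: f["exposure"] for f in no_pab},
        "bucket_with_pab": {f["sid"]: f["exposure"] for f in with_pab},
        "key": {f["sid"]: f["exposure"] for f in key},
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

The CloudFront statement never appears in the findings because its principal is the CloudFront service, not `*`; that is what makes the CDN-in-front-of-a-private-bucket pattern safe. The key policy finding is the one that undoes the "encryption with KMS adds security" argument: if anyone can call Decrypt on the key, the encryption is no longer a second gate.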
9.6 Data Security for Artificial Intelligence
- AI systems require robust data security for algorithms and data assets.
- AI as a Service (AIaaS): Providers offer AI capabilities via subscription (e.g., Claude, ChatGPT, Vertex AI).
- Key considerations:
  - Data deletion/retention policies
  - Data flow understanding
  - Provider's security measures against adversarial attacks
  - SLAs, security practices, regulatory compliance
Flashcards: https://quizlet.com/in/1125655369/ccsk-domain-9-data-security-flash-cards/?i=4jehw4&x=1jqt