Domain 2 (Cloud Data Security)

3. Storage In Cloud

Hey, guys. Good morning and let's start in this session by discussing how to create a storage and how to upload your data from your workstations to the cloud. And I look forward to the security where the data has been getting access.Okay, so first of all, I have logged in to Azure. You can log in like Portal Azure.com and you can go and create a free account. Okay, So, when you go to create resources, you'll notice there's a storage over there. I'm selecting the storage accountblock file table and queue. This video has been demonstrated earlier as well. I'm doing it for the second time and looking forward to the basic and advanced. So first of all, I'm using your pass resourcegroup is Udemy Storage Account Name, Casu Dami. When you get a green tick, the location is South Central United States. You can change it from here as well. performance standard or a premium account type. Here. I'm selecting this. and read replication access to Geo Redundancy Access Tier is hot or cold, which you can read about. The account access tier is the default here. That was influenced by the Blob without an explicit city. The hot access point is ideal in this case for frequently accessed data while also keeping the environment cool. The Access Tier is ideal for infrequently accessing data. So when you are frequently accessing and using it, that is a hot end. If you want to access your data once in a while, you can go for a ride. So now review and create. Or next is advanced, so you can go for better advanced and secure transfer required. If you click on this, https has been used and secure transfer is there. So when this is your machine and when you are uploading to the Claude, the secure transfer is there. So that is enabled. So keep in mind that if you are disabled, security is not there. Enable it. If you look for this network here, you can create a virtual network here. Over here right now, it's a none. But if you can create a virtual network, Microsoft Azure Virtual Network Service enables Azure resources to securely communicate. Look at this. Securely communicate with each other in a virtual network. so they can securely communicate with each other in a virtual network that is there. It can be created if you do not remove this. Okay? And then there's the next key if you want to set the key. But let's go for a review and create. And this is how I have created it. Now I need to look forward to reading that everything is okay. If you find it is not okay, you can go ahead and enable and disable it as per usual. Now I'm going to create. It will take a few seconds to create. Once it is ready, I will show you how to access it and how to monitor it from wherever people are downloading or uploading the data. Thank you very much.

4. Cloud Storage Architecture

Now, the lifecycle of data also requires location and access. Okay? So in the lifecycle, location access is not there. But to secure data as CCSP, we need to understand who is accessing it from and from where. So it is also important to access the data from where it is accessed. That's why lifecycle, location, and access. If the location is not secure, ultimately the threat is there. And if the channel is not secured to access, again, the threat is there. Now, controls are there. To determine the necessary control to be deployed,we need to understand two things. Number one, functions of data like access, store, and process. And number two, the location of your data. And number three, acting upon the data. So, lifecycle mapping, we have already talked about it. As a certified Cloud Security professional, you need to fully understand and incorporate this into your planning to manage the lifecycle effectively. And the CCSP should pose the following questions. Okay, first and foremost, who are the actors with potential access to the data that should be protected? Number two, what is the potential location of data that should be protected? Number three, what are the controls for each of those locations? And at what phase in each lifecycle can data move between locations? How does data move between locations via what channel? And where do these actors come from? What location? And they trusted or were untrusted. So these are the questions you should have asked. Controls Now, controls act as a mechanism to restrict the list of possible actions to allured or permitted actions. To determine the appropriate control to deploy, you must first understand the function of the data, its location, and the actors acting on the data. So, cloud storage architecture, volume storage usedby infrastructure as a service, BMFS Amazon It's Amazon Elastic Block Storage from VMware. A file-based storage or object base, similar to a file share, is used by infrastructure as a service. The third is block storage. Now, the data storage requirements for each type of garment vary, but the type of storage and other issues vary depending on the type of service model. So volume storage is getting a volume.File-based storage is an example. For example,your Dropbox, your Skydive OneDrive, or your GoogleDrive are file-based storage. Volume based is getting a C drive or a D drive or an entire volume or entire block of storage. I look forward to this. With volume storage, the customers allocate storage space within the Claude. This storage space is represented as an attached drive to the user's virtual machine. So this is a user's virtual machine in that C drive D drive. So this is volume storage. With your virtual machine, you're getting storage. There's a virtual storage from the customer representative. The virtual drive performs very much in the same manner as a physical drive attached to a tangible device. The user is unaware of the actual location and memory address. So this D drive is here if you open my computer's C drive and the drive is there in the virtual machine. But this D drive could be anywhere in the data center. It could be in any storage anywhere, but it will appear in Azure that it is attached to him and it is also transparent to the disusers. That is where it is. As a result, file-based storage is a type of storage volume storage. The data is stored and displayed as just a file structure and a hierarchy. And as I have already explained, Google Drive and OneDrive are the best examples. Okay, you get a web interface, you open Dropbox or any application, and you start uploading it. You do not know it's a volume where you are storing it. Block storage, whereas storage has a hierarchy, folders and files A block storage is a blank volume that the customer or user can put anything into. Block storage might be better suited for a volume purpose that includes data for multiple types, such as enterprise, backup, and all. It is mostly associated with infrastructure as storage. Okay, there are types of storage: object-based storage is data storage. Data stored as objects, not as files orblocks, includes not only the actual production content but metadata describing the content and object and a unique address identifier for locating that specific object across an entire storage space. Once again, they primarily associated infrastructure with storage. As a result, summaries for storage Infrastructure as a service is provided. Use volume storage and the Object Storage platform as a service. Use unstructured storage and software as a service. Uses ethermal storage and software-defined networking, file-based storage, and CDN. Thank you.

5. Content Delivery Network

Hey guys, let's start with this content delivery network. This CDN is used by software as a service for storage or web appliances. A content delivery network (CDN) is a type of datacaching that is typically located near a geographical location with high demand for copies of data frequently requested by users. So let's try to understand this here. A content delivery network is a form of datacasting, usually near the geographical location of high demand for copies of data commonly requested by users. Okay? So perhaps the most compelling reason for a company to use CDNis online multimedia streaming services is Instead of dragging data from a data centre to the user at a variable distance across the continent, the streaming service provider can place copies of the most requested media near the metro Platinum area where those requests are likely to be made,thus improving bandwidth and delivery quality. So I'll give you an example here. Now look, for example, this is my data center. We can say US East and here my storage is while using the Clot services. I have preferred the US East and this is my storage. So what I will do is, for example, this is Earth,probably not that front, but this is the US East. "This could be a US Westand probably that one is central. This one is Asian, and the other is Australian. So what happened is that when a user from Australia requests, okay, when a user from Australia requests some specific service, what happens is that they go straight from Australia to the US East and the response comes back. Okay, I'm talking about the dot CDN. But what if there are multiple users requesting the same content? There are some very popular videos or other content, and there are hundreds of users. It appears that the penguin is not a user at all. Okay, so they're all requesting What happened is he's making his own request, then another one will make his own request, another one will make his own request, and one user will make multiple requests. If he is frequently accessing the storage, one user may have 20 requests while he is browsing a web page or a storage has 60 requests. So what happened? They are accessing something from very remote locations in the United States' East. As a result, enable CDN for your content. This is my storage and I'm enabling CDN for it. That means I'm approving. I'm allowing to have multiple copies, not multiple copies, but CDN. That means when someone from Australia wants to access the storage, he will access it from its Australia location. because there are multiple locations. Even though this one is there, this one is there. So anyone from Australia will look for a CDN and CDN the user makes a request, the request goes to the CDN first, the CDN goes here, comes back to the CDN, and goes to the user. But if another user makes the same request, what happens? The first user may take their time, but the second user's access will be lightning fast, with no latency. So using CDN is good because, for example, somebody from Asia whose server is in the US east but when they try to go here, it goes to the default to theCDN CDN will take them there. However, there is a drawback to this. If this user has access to a particular file, it will take a long time to replicate. Then only the second user can access the actual file.

6. Threat to storage types

So guys, in this next video, we are learning about threats to the storage types. What are the threats? Unauthorized usage is one type of unauthorised access. Another type of liability due to regulatory noncompliance is data corruption, modification, and destruction. And data leakages and breaches are there and malware attack possibly.So these are the threats to your storage and how to protect your storage against those threads. We will go in the future, but the solutions are here. Cloud security. One is the encryption and the second is the key management. So in key management, make sure the level of protection for private key recovery is complex. Key distribution should be secure. If you have multiple people and are distributing keys to them, it should be secure. key revocation. You can revoke key escrowoutsourcing key management key should not be available on the same database. Okay? Like if you're accessing from www, your machine, Claude, and it should not be your keys should not be available on the same machine, or on the same Claude data basis. Thank you.

7. Encryption

So on the last slide, we talk about cloud security for encryption and key management. So we are starting with the encryption infrastructure as a service, Azure Desk Encryptionleverages the industry standard Bit Locker by default, the user Bit Locker feature of Windows and the DM encryption feature of Linux to provide volume encryption for the OS and the data disk. The solution is integrated with Azure keyword to help you control and manage this encryption key in your key vault subscription. So let's get to it. What we can do is, first of all, I'll go to the dashboard and this is my storage account. This is my storage drive here. If I click on this drive, I'll find herencryption and encryption. I'm using my own key. You can see here right now, by default, it will look like this and it is not encrypted. It is encrypted. But with the Microsoft Storage service, encryption protects your data at rest, okay? because of data in motion and data at rest. We have learned already that you storage encrypt your data as it is written in your data centre and automatically decrypt it when you access it. So by default, your data is encrypted with Microsoft managekey for Azure Blob, stable file and so on. So it is already encrypted by Microsoft. But if you want to use your own key, you can go for multiple ways there. One is to use your own key. Okay, I'm using mine here already. This is my URL, but you have to select the second option here. Select from the key vault and configure require setting.These are already in my key vault that I have already created. But I'm going to create a new keyword and I'm giving it the name Odemi Vault. Okay, and resource group with the same name, then virtual network access, all networks can access it again. You can look for it as a selected network,but that's not my concern right now. And then go make something. Okay, so the deployment is in progress. Let me pause it. Meanwhile, it takes time to deploy. OK, so the deployment succeeded and it is validating. Now it's coming here. The key vault name is Udemy Vault. Okay, and an encryption key. If I click create a new key and newkey I'm going to generate, and generate is DamienEncryption a name, I'm giving what kind of encryption? RSA, or EC. That's again? 20 483-072-4096. Do you want to set the activation date? Do you want to set the expiration date? You can do that too. And that's a good thing if you want to generate a key for a while or you are giving storage access to someone for a few days, a few hours, and so on. Do you want to enable it? Yes. And then click on Create. So now it is there with your key and your encryption. Now you can go for a save. Okay, so now this is your key URL. Okay, so the URL you created for expiry date or activation date, I made it unlimited. Now you can share it with others, or if you don't want to use it, by default, Microsoft secures your data encryption. Okay? When your data is addressed, you can still use your own key or you can use it here. There is a key vault for not only the storage but the multiple sources. If you simply click on this and click on the create, it will go for your name and for what you want to create, and select the URL and work with that. So that's what encrypting encryption is. There are three types of encryption. He has explained that if you are working with infrastructure as a service, infrastructure is having your entire volume. Okay? So, as we know, there are three types. Full Disk Encryption is there, volume-based encryption is there, and file-based encryption is there. So the full disc is encrypted. The full disc volume encrypts your C volume, D drive, or E drive. That volume and file level base encryption means that many files you have are going to be encrypted. So if you go to the entire file full diskencryption again, it will be somewhere here like Create resource, and if you say Full Disk Encryption standard, what it will do is encrypt your master boot record, operating system, and system files or whatever is there. It will encrypt everything inside your drive. You simply go about creating. So key management challenges access to the key,key storage, claw backup, and application purpose. So if you have a key, who has access to that key and where you are going to keep that key, Claude's backup and replication poses risk to the data. KMIP stands for key management interoperability protocol. The KMIP is a good extensible communication protocol that defines a message format for the manipulation of cryptography keys on a key management server. Okay, so what does it do? Does this facilitate data encryption by simply encrypting the key management key? The key may be created on a server and then retained, possibly wrapped by other keys. Okay, so it's like making a key, having a key ring, and putting multiple keys, you know, possibly multiple keys. So when you are configuring, you should say Okay, keychain key number three is the key for it. As a result, the Akmip service stores control objects such as symmetric and asymmetric keys. Asymmetric means that both the sender and the receiver use the same key. They use some secure mechanism to transfer the key over the public network. But as metrics, the sender and receiver have different keys. That is a digital certificate and a user-defined object. The client then used the protocol to access this object subject to a secure model that is implemented by the server.

ExamSnap's ISC CCSP Practice Test Questions and Exam Dumps, study guide, and video training course are complicated in premium bundle. The Exam Updated are monitored by Industry Leading IT Trainers with over 15 years of experience, ISC CCSP Exam Dumps and Practice Test Questions cover all the Exam Objectives to make sure you pass your exam easily.