Neko

D320 - Managing Cloud Security


Last updated: May 4th, 2023

Cloud Security Information

Cloud Customer Liability

The cloud customer (as data owner/controller) always remains ultimately legally liable for any loss of data. This holds even when the loss results from the cloud provider's negligence or malice; contracts can shift cost, not legal responsibility.

Data Lifecycle

  • Create
  • Store
  • Use
  • Share
  • Archive
  • Destroy

Data categorization and classification are the responsibility of the data owner and take place in the Create phase, since every later phase (storage location, access controls, retention, destruction method) depends on that label.

Preferred Upload Method and Key Management

The preferred method for uploading data to the cloud is over an IPsec VPN or a TLS (1.2 or higher) connection; older TLS/SSL versions should be refused by the client, not merely deprioritized.
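As an added example (not from the original notes), the following Python uses the standard library's ssl module to build a client context that enforces the "TLS 1.2 or higher" rule for uploads, puts a deliberately weak context beside it, and audits either one against the policy. The policy thresholds and function names are my own; nothing here connects to a network.

```python
import ssl
from typing import List


def make_upload_context() -> ssl.SSLContext:
    """Client-side TLS context for uploading data to a cloud endpoint.

    Enforces TLS 1.2 as the floor, server certificate validation and
    hostname checking (added example; policy values are assumptions).
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """Deliberately weak context for comparison: no certificate or hostname checks.

    This is the shape of many 'just make the upload work' snippets; a MITM on the
    path to the provider could read or alter the data in transit.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return policy findings for a context; an empty list means it passes."""
    findings: List[str] = []
    # TLSVersion is an IntEnum, so ordering comparisons work; MINIMUM_SUPPORTED (-2)
    # also trips this check, which is correct: it means 'accept anything OpenSSL allows'.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum TLS version is {ctx.minimum_version.name}, policy requires TLSv1_2"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Helper for reporting: the enum name of the context's TLS floor."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    for label, ctx in (("hardened", make_upload_context()), ("weak", make_weak_context())):
        print(label, minimum_version_name(ctx), audit_context(ctx) or "OK")
```

Recent CPython builds already default the floor to TLS 1.2, so the weak context usually fails only on the certificate and hostname checks; set the floor explicitly anyway, because the default is a property of the interpreter build, not of your upload policy.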

It is recommended NOT to store cryptographic keys with the cloud provider, whether the cloud customer uses a CASB (Cloud Access Security Broker) or another key-management method. If the provider holds both the ciphertext and the key, the encryption protects against nothing the provider (or an attacker on the provider's side) can reach.

Regulators and Data Transference

Regulators are involved in cloud service arrangements.

Transference (shifting risk to another party, e.g. through insurance or contractual terms with the provider) is one of the main ways organizations address risk, alongside acceptance, avoidance and mitigation.

Critique, Anonymization, and Risks by Service Model

Critique (criticism or commentary) falls under the exceptions that allow use of copyrighted material as “fair use.”

Anonymization is a technique used to obscure data in the cloud.
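Added example (not from the original notes): the difference between true anonymization and keyed pseudonymization on a few constructed records. The record layout, field names and generalization rules are assumptions made for illustration; the point is that anonymization discards information irreversibly, while pseudonymization with a keyed HMAC is reversible only by whoever holds the key, which (per the key-management note above) should be the customer, not the provider.

```python
import hmac
import hashlib
from typing import Any, Dict, List

# Constructed sample records for the example (not real people, not from the page).
RECORDS: List[Dict[str, Any]] = [
    {"name": "Alice Smith", "email": "alice@example.com", "zip": "30301", "age": 34, "diagnosis": "flu"},
    {"name": "Bob Jones",   "email": "bob@example.com",   "zip": "30309", "age": 71, "diagnosis": "asthma"},
]

DIRECT_IDENTIFIERS = {"name", "email"}   # identify a person on their own
QUASI_IDENTIFIERS = {"zip", "age"}       # identify a person in combination


def age_band(age: int) -> str:
    """Generalize an exact age into a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Drop direct identifiers and generalize quasi-identifiers.

    Nothing in the output can be mapped back to the input record by anyone,
    which is what makes this anonymization rather than pseudonymization.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip"] = record["zip"][:3] + "XX"   # keep only the 3-digit ZIP prefix
    out["age"] = age_band(record["age"])
    return out


def pseudonymize(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    The same input always yields the same token under the same key, so records
    can still be joined; only the key holder can recompute the mapping. An
    unkeyed hash would NOT be enough: emails and names are guessable, so a
    plain SHA-256 of them falls to a dictionary attack.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        digest = hmac.new(key, str(record[field]).encode("utf-8"), hashlib.sha256).hexdigest()
        out[field] = digest[:16]
    return out


if __name__ == "__main__":
    # Assumed customer-held key; in practice it comes from the customer's KMS/HSM.
    customer_key = b"customer-held-key-never-sent-to-provider"
    for rec in RECORDS:
        print("anonymized:   ", anonymize(rec))
        print("pseudonymized:", pseudonymize(rec, customer_key))
```

Generalizing quasi-identifiers matters as much as dropping names: ZIP code plus exact age plus a rare diagnosis can single out an individual even with the name gone, so an anonymization that only removes the direct identifiers is not anonymization.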

Risks by Service Model

  • IaaS
    • Personnel Threats
    • External Threats
    • Lack of Specific Skillsets
  • PaaS
    • Interoperability Issues
    • Persistent Backdoors
    • Virtualization
    • Resource Sharing
  • SaaS
    • Proprietary Formats
    • Virtualization
    • Web Application Security

Audits and SOC Report Types

New dependencies are a potential emergent business impact analysis (BIA) concern.

Audits

  • Internal Audit – performed by employees of the organization
  • External Audit – performed by auditors outside of the organization
  • Audit Preparation – parameters that are discussed and negotiated prior to the start of the audit

SOC Report Types

  • SOC 1 - Strictly for auditing the financial reporting controls of a corporation (the successor to SAS 70).
  • SOC 2 - Intended to report audits of any controls on an organization’s security, availability, processing integrity, confidentiality, and privacy (the Trust Services Criteria). Usually shared only under NDA.
    • Type 1 - Reviews the design of controls at a single point in time, not whether they are implemented or operating effectively.
    • Type 2 - Tests the operating effectiveness of the controls over a period (commonly 6 to 12 months); used for getting a true assessment of an organization’s security posture.
  • SOC 3 - Designed to be shared with the public. Seal of approval. Does not contain any actual data about the security controls of the audit target.

Secure Logical Framework and Data Encryption

Secure Logical Framework is a part of the operating requirements.

Data at rest should be encrypted.

Cloud-Secure Software Development Lifecycle (SDLC)

Defining

Focused on identifying the business requirements of the application, such as accounting, database, or customer relationship management.

Designing

Begin to develop user stories (what the user will want to accomplish, what the interface will look like, and whether it will require the use or development of any APIs). Threat modeling belongs here, before code exists.

Development

Where the code is written.

Testing

Activities such as initial penetration testing and vulnerability scanning against the application are performed. Uses both static and dynamic testing: SAST (Static Application Security Testing) examines the source code without running it, and DAST (Dynamic Application Security Testing) exercises the running application.
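Added example, not from the original notes: a minimal SAST check written with Python's ast module, run over a constructed source snippet. It walks the syntax tree and flags three classic findings (eval/exec, unsafe pickle deserialization, subprocess calls with shell=True) while leaving the list-argv subprocess call alone. The rule set and the sample code are assumptions made for the example; a real scanner (Bandit, Semgrep, etc.) has far more rules, but the mechanism is the same.

```python
import ast
from typing import List, Optional, Tuple

# Constructed sample source to scan (not from the original page). Line numbers
# in the findings refer to lines of this string as ast.parse counts them.
SAMPLE_SOURCE = '''
import subprocess, pickle

def run(cmd):
    return subprocess.run(cmd, shell=True)          # shell injection risk

def load(blob):
    return pickle.loads(blob)                       # untrusted deserialization

def calc(expr):
    return eval(expr)                               # arbitrary code execution

def safe(argv):
    return subprocess.run(argv, shell=False)        # list argv, no shell: fine
'''

DANGEROUS_BUILTINS = {"eval", "exec"}
DANGEROUS_ATTRS = {("pickle", "loads"), ("pickle", "load")}
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}

Finding = Tuple[int, str]  # (line number, rule description)


def _call_name(node: ast.Call) -> Tuple[Optional[str], Optional[str]]:
    """Return (module, function) for calls like eval(...) or subprocess.run(...)."""
    f = node.func
    if isinstance(f, ast.Name):
        return None, f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f.value.id, f.attr
    return None, None


def _shell_true(node: ast.Call) -> bool:
    """True when the call passes the literal keyword shell=True."""
    for kw in node.keywords:
        if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
            return True
    return False


def scan_source(source: str) -> List[Finding]:
    """Static scan: parse the source and report dangerous call patterns, sorted by line."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        mod, name = _call_name(node)
        if mod is None and name in DANGEROUS_BUILTINS:
            findings.append((node.lineno, f"dangerous builtin {name}()"))
        elif (mod, name) in DANGEROUS_ATTRS:
            findings.append((node.lineno, f"unsafe deserialization {mod}.{name}()"))
        elif mod == "subprocess" and name in SUBPROCESS_FUNCS and _shell_true(node):
            findings.append((node.lineno, f"subprocess.{name}(shell=True)"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, rule in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}")
```

Because this works on the syntax tree rather than on text, it is not fooled by comments or string literals that mention eval, but it also cannot see calls reached through aliases (`import subprocess as sp`) or dynamic dispatch; that blind spot is exactly why the Testing phase pairs SAST with DAST.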

Secure Operations

After testing, the application is deployed and operated in production. Security work does not stop once the application is deemed secure: monitoring, patching and change management continue for as long as it runs.

Disposal

Once the application has reached end of life or has been replaced with a newer or different application; its data is migrated or destroyed according to the data lifecycle above.

Threat Modeling and STRIDE

Threat Modeling

STRIDE – Created by Microsoft. Describes threats by their attributes.

  • S (Spoofing)
  • T (Tampering)
  • R (Repudiation)
  • I (Information Disclosure)
  • D (Denial of Service)
  • E (Elevation of Privilege)

Industry Standard Uptime and Uptime Institute (UI)

Industry standard is “five 9’s,” 99.999% uptime, which allows roughly 5.26 minutes of downtime per year.

Uptime Institute (UI)

  • Tier 1
    • UPS
    • Sufficient Cooling
    • Power generator with a minimum of 12 hours of fuel
    • WILL CAUSE DOWNTIME
  • Tier 2
    • Critical operations do not have to be interrupted for scheduled replacement or downtime
    • MAY CAUSE DOWNTIME
  • Tier 3
    • Dual Power Supplies for all IT Systems
    • Can continue with a single component or power element
  • Tier 4
    • Redundancy of both IT and electrical

Security Training, US Laws, and International Regulations

Initial training is a security training delivery category

US Laws

  • Electronic Communications Privacy Act (ECPA)
  • Gramm-Leach-Bliley Act (GLBA) – allowed banks to merge with and own insurance companies; in exchange requires financial institutions to protect customers’ nonpublic personal information
  • Sarbanes-Oxley Act (SOX) – increase transparency into publicly traded corporations’ financial activities
  • HIPAA (1996) – protect patient records and data (ePHI)
  • FERPA – prevent academic institutions from sharing student data with anyone other than parents or the student
  • DMCA – protect copyrighted material on the internet (takedown process and anti-circumvention of copy protection)
  • CLOUD Act – Allows US law enforcement and courts to compel American companies to disclose data stored in foreign data centers

International Regulations

FedRAMP – US federal program that mandates a standardized approach to security assessments, authorization, and continuous monitoring of cloud products and services.

EU General Data Protection Regulation (GDPR) – most significant, powerful personal privacy law in the world. Describes the appropriate handling of personal data of individuals in the EU (it applies to data subjects in the EU, not only to EU citizens).

GDPR has 7 principles (the list below is how the course material names them; Article 5 of the regulation itself words them as lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability):

  • Notice
  • Choice
  • Purpose
  • Access
  • Integrity
  • Security
  • Enforcement

Canada’s Personal Information Protection and Electronic Document Act (PIPEDA)

Asia-Pacific Economic Cooperation (APEC) Privacy Framework

Australian Privacy Act of 1988

ISO Standards and Network Design Model

ISO 31000:2018 – risk management guidelines; specifically focuses on the design, implementation and management of a risk management program.

ISO/IEC 27017:2015 – set of standards giving guidelines on information security controls applicable to the provision and use of cloud services, for both cloud service providers and cloud service customers; i.e., ISO 27017 is about cloud-specific security controls.

ISO 27001 is probably the most well-recognized security program standard globally

NIST SP 800-92 (Guide to Computer Security Log Management) is about log management.

Gap analysis identifies and reports on any risks that may affect the AIC (availability, integrity, confidentiality) of key information assets, by comparing current controls against the target standard.

The service provider is a component of the “Hub and Spoke” network design model.