Excerpt from CSA v3.0

What does this mean? More specifically, can somebody provide an example?

Because of differences in how a client’s data is stored and the client’s access rights and privileges, not all of a client’s data in the cloud may be equally accessible. The client (and the cloud provider) should analyze requests for information and the pertinent
data structure for relevance, materiality, proportionality and accessibility.

Find more posts tagged with

Comments

khiyal

They may be referring to the 'jurisdiction' component of data. There may be cases where even it is stored at a place where you have no jurisdiction, consequently, they may have to fetch it for you. My 2 cents..

paul78

So - unlike your other post which was presumably written by a committee of architects, you are now reading a section undoubtedly written by a committee of lawyers

The section is about ediscovery concerns. However, I'm not entirely sure that I necessarily agree that this would be a common issue given the way that many companies would use cloud providers. However in a SaaS model, it's conceivable that as part of e-discovery, access to data such as the provider's logs may pertain to this section. For example, in e-discovery, there could be a request for log information which the client would not have ready access, but would be only available to the provider. The logs may generally not be accessible by the client but are relevant to the client and stored and processed by the provider. And if the log data is in a storage medium that is difficult to retrieve, that could be a concern. There is also a concern that data request would be analyzed because if there is a request for log data, only the relevant log data should be provided and not all log data - ie. ".. should analyze requests for information .... for relevance, materiality, proportionality..."

There are also several legal terms used:

The word "proportionality" refers to the concept of fairness - best description is here - https://en.wikipedia.org/wiki/Proportionality_(law)
And there is also a good explanation of "materiality" here - https://en.wikipedia.org/wiki/Materiality_(law)

I'm curious - why are you reading these docs?

ankurj.hazarika

paul78 wrote: »

So - unlike your other post which was presumably written by a committee of architects, you are now reading a section undoubtedly written by a committee of lawyers

The section is about ediscovery concerns. However, I'm not entirely sure that I necessarily agree that this would be a common issue given the way that many companies would use cloud providers. However in a SaaS model, it's conceivable that as part of e-discovery, access to data such as the provider's logs may pertain to this section. For example, in e-discovery, there could be a request for log information which the client would not have ready access, but would be only available to the provider. The logs may generally not be accessible by the client but are relevant to the client and stored and processed by the provider. And if the log data is in a storage medium that is difficult to retrieve, that could be a concern. There is also a concern that data request would be analyzed because if there is a request for log data, only the relevant log data should be provided and not all log data - ie. ".. should analyze requests for information .... for relevance, materiality, proportionality..."

There are also several legal terms used:

The word "proportionality" refers to the concept of fairness - best description is here - https://en.wikipedia.org/wiki/Proportionality_(law)
And there is also a good explanation of "materiality" here - https://en.wikipedia.org/wiki/Materiality_(law)

I'm curious - why are you reading these docs?

I am preparing for the CCSK and this excerpt is from the CCSK guide.

ankurj.hazarika

Paul78- Can you please help me understand the sentence in italics?

Data encryption comes at the price of complexity and performance, and there are effective alternatives to encryption:

Store a secure hash. Rather than storing the data directly, store a hash of the data. This allows your program to prove that the holder has the correct value without actually storing it.

paul78

ankurj.hazarika wrote: »

Store a secure hash. Rather than storing the data directly, store a hash of the data. This allows your program to prove that the holder has the correct value without actually storing it.

A hash is a mathematical function where if you have a piece of clear-text data and you run it through that function - you will get a hash which cannot be deciphered to produce the original clear-text. It's basically a one-way function.

An example of this use-case would be storing passwords as a hash. A database should never store user passwords, instead a cryptographically strong hash is used instead. So when a user types in a password, the password is run through the same hash function and the hashes are compared to authenticate the user. In this way, the database doesn't need to store the actual password.

There's a bit more this example, like using a salt, and choosing the correct hash algo - but that's the gist of it.

Hope that makes sense.

Good luck on the CCSK.

ankurj.hazarika

Paul78- Here's another one for you? What might this mean?

"To maintain interoperability the Network physical hardware and network & security abstraction should be in virtual domain. As far as possible API’s should have the same functionally"

I am fairly good at networking concepts myself and I also know what an API is. I just don't seem to understand the language here.