Cloud Data Security
Follow one record through six lifecycle phases and the whole domain falls into place
A customer record is written by an app (Create), lands in object storage (Store), is read by a report (Use), is handed to a partner API (Share), drops to cold storage after a year (Archive), and is finally erased at end of retention (Destroy). That ordered path is the CSA cloud data lifecycle, and it is the spine the entire 20% Cloud Data Security domain hangs on. The one organizing idea: data security in the cloud is lifecycle security, so you match each control to the phase the data is in rather than to the data itself. The classic exam trap leans the other way, naming a control that protects a record in the wrong phase, such as offering full-disk encryption (a Store and Archive control) as the answer for protecting data while a partner is actively using it. Name the phase first and the right control usually follows.
The domain unfolds in eight subtopics, read them in order as the lifecycle's toolkit
Read this page as a map, then walk the subtopics in their numbered order. Cloud Data Concepts sets the six-phase lifecycle and data dispersion, the model everything else uses. Cloud Data Storage Architectures names what holds the data (volume, object, structured, ephemeral) because the storage type decides which threats and controls apply. Data Security Technologies and Strategies is the toolbox of encryption, tokenization, masking, anonymization, hashing, and DLP, sorted by whether the original is recoverable. Data Discovery finds the data you must protect, and Data Classification then labels it by impact of disclosure, the label every later control reads. Information Rights Management (IRM) enforces that label inside the file even after it leaves your perimeter. Data Retention, Deletion, and Archiving governs the end of the lifecycle, where crypto-shredding replaces wiping a disk you do not own. Data Event Auditability and Accountability proves what happened to the data across every phase. Each subtopic carries the mechanisms, numbers, and traps; this overview only shows how they connect.
When two controls both work, classify and apply the control that travels with the data
Across the whole domain the exam rewards a single instinct: protect the data, not just the place it currently sits. Classify at Create so the label follows the record everywhere, prefer controls that stay attached as the data moves (a persistent classification binding, an IRM policy that rides inside the file, an encryption key you alone can destroy) over perimeter controls that stop enforcing the moment the data crosses a boundary. Data dispersion and replication silently scatter copies across regions and services you never picked, so a control bound to one bucket or one network is the weaker answer. The default that wins is the lifecycle-aware, data-bound control over the location-bound one.
The eight subtopics mapped to the data lifecycle phase each owns
| Subtopic | Lifecycle phase it owns | Core job | Drill into |
|---|---|---|---|
| Cloud Data Concepts | All six phases (the model) | Define the Create -> Store -> Use -> Share -> Archive -> Destroy lifecycle, data dispersion, and data flows | Cloud Data Concepts |
| Cloud Data Storage Architectures | Store and Archive | Name the storage type (volume, object, structured, ephemeral) so the right threats and controls apply | Cloud Data Storage Architectures |
| Data Security Technologies & Strategies | Store, Use, and Share | Pick encryption, tokenization, masking, anonymization, hashing, or DLP by whether the original is recoverable | Data Security Technologies & Strategies |
| Data Discovery | Before Use (find what you hold) | Inventory data across every store by metadata, label, or content analysis, and track where it physically lives | Data Discovery |
| Data Classification | Create (label that follows the data) | Assign a sensitivity label by impact of disclosure, the label every downstream control reads | Data Classification |
| Information Rights Management | Share (enforcement beyond the perimeter) | Bind protection inside the file so policy is enforced at every open, even off your network | Information Rights Management |
| Data Retention, Deletion & Archiving | Archive and Destroy | Govern retention windows, legal holds, and defensible crypto-shredding at end of life | Data Retention, Deletion & Archiving |
| Data Event Auditability & Accountability | Every phase (the proof) | Log each data event with the required attributes and protect the log so actions are non-repudiable | Data Event Auditability & Accountability |