Module 13: Cloud Data Concepts and Data Lifecycle

Domain 2 carries 20% of the CCSP exam — the highest weight. When data questions appear, the exam is testing whether you understand who owns the data, who controls it, and what obligations each role carries throughout the data lifecycle.

Data Roles in the Cloud

Before diving into the lifecycle, you must understand the data roles that the exam relies on throughout Domain 2. These roles determine accountability at every lifecycle phase.

Data Owner

The entity with legal rights and control over a dataset. In cloud contexts, the data owner is typically the cloud customer — the organization that collected or created the data. The data owner defines classification, access policies, and acceptable use. Crucially, ownership does not transfer when data moves to the cloud.

Data Custodian

The entity responsible for implementing controls defined by the data owner. In cloud, the CSP is often the data custodian — they implement encryption, backups, and access controls as directed. The custodian has operational responsibility but not authority over data classification or policy.

Data Controller

Under GDPR and similar regulations, the controller determines the purposes and means of data processing. The cloud customer is typically the data controller. This role carries regulatory accountability.

Data Processor

Processes data on behalf of the controller. The CSP is typically the data processor. Processors must follow controller instructions and may face direct regulatory obligations under GDPR.

Exam trap: Do not confuse data custodian with data processor. The custodian is a security role focused on implementing controls. The processor is a legal/regulatory role focused on data handling instructions. A CSP may be both, but the exam may test them separately.

The Data Lifecycle in Cloud Context

You saw the CSA data lifecycle in Module 11. Here in Domain 2, we go deeper into each phase with a data security focus:

Create

Classification and labeling should occur at creation. In cloud environments, automated classification tools can tag data as it enters the system. The exam expects you to know that delaying classification creates a window where data may be mishandled.

Store

Cloud storage introduces new considerations: geographic distribution, replication across availability zones, and shared storage infrastructure. The exam tests whether you account for all copies of data, not just the primary store.

Use

Data in use is most vulnerable because it is typically in plaintext. Controls include DLP monitoring, access logging, and ensuring non-production environments use masked or synthetic data.

Share

Cloud makes sharing easy — too easy. The exam tests scenarios where overly permissive sharing (public URLs, open APIs, misconfigured permissions) leads to data exposure.

Archive

Long-term storage requires ongoing encryption viability, format accessibility, and retention policy enforcement. The exam may ask about the risk of cryptographic algorithm deprecation during long retention periods.

Destroy

Crypto-shredding is the primary cloud data destruction method. Physical destruction is not possible when you do not own the hardware.

Data Dispersion in the Cloud

Cloud providers distribute data across multiple locations for availability and performance. This dispersion creates challenges: jurisdictional compliance, increased attack surface, and complexity in data destruction. The exam tests whether you understand that a single file in the cloud may exist in multiple physical locations simultaneously.

Key Takeaways

Data ownership stays with the customer. The CSP acts as custodian and processor but does not acquire ownership. Classification must happen at creation. Data dispersion means accounting for all copies. Crypto-shredding handles destruction across distributed storage. Every lifecycle phase requires controls matched to the data's classification level.