# Cloud Data Protection (SaaS, PaaS, IaaS)

One-sentence definition: Applying shared responsibility and data-centric controls across cloud service models.

## Key Facts

- SaaS: focus on identity, config, DLP/DRM, tenant isolation, exports.
- PaaS: secure platform configs, secrets, storage encryption, network policies.
- IaaS: responsibility for OS/apps; storage/network encryption, backups, CSPM.
- Ensure region selection and residency compliance; vendor DPAs.
- Logs and keys: customer-managed keys (CMK) where feasible.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose controls per service model and data sensitivity.

**Mnemonic:** “SaaS = Settings; IaaS = Systems.”

## Mini Scenario

Q: Need to prevent SaaS data sharing to personal accounts—control?

A: CASB/DLP with export restrictions and domain allowlists.

## Revision Checklist

- Map controls to SaaS/PaaS/IaaS.
- Define CMK benefit.
- Name two residency checks.

## Related

[[CASB and SSPM/CSPM Overview]] · [[Data Residency and Sovereignty]] · [[Data Encryption Overview (Asset Security)]] · [[Key Management Basics (Asset Security)]] · [[Data Handling in Third-Party Contexts]] · [[Domain 2 - Index]]