I know you are chomping at the bit to get to the chapter about controls and how to use them to protect your assets. But before we get to controls, we need to think about where we are going to apply them. We apply them, of course, on our environments.

I use the term environments to mean three things, each of which has different cybersecurity and privacy needs. I will list them here briefly, and then we'll take a closer look at each environment in turn.

1. Computing Environments. There are four basic types.
   1. On-premises (in other words, the servers are under your direct control, literally in your office);
   2. Private cloud (the servers are elsewhere, but you still control them, as in, they live in someone else's building, but you have the only key to your own private office in that building);
   3. Public cloud (the servers are in someone else's office, many people have keys to that building, and you don't have a private office there); and
   4. Hybrid cloud (the servers are all over the place; some are in your private office, some are elsewhere).
2. The Internet of Things (IoT). For our purposes here, IoT means every device that is connected to the Internet, regardless of its location or function—from nanny cams to SCADA (supervisory control and data acquisition) systems. If it's not part of our standard end-point ...