Architectural Concepts (Chapter 1) Flashcards

1
Q

What is the definition of Cloud Computing based on NIST 800-145?

A

NIST 800-145 Cloud Computing Definition

“Cloud Computing is a model for:
enabling ubiquitous,
convenient,
on-demand network access
to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

2
Q

What are 5 common characteristics that are used to define cloud computing?

A
  • Broad Network Access
  • On-Demand Self-Service
  • Resource pooling
  • Rapid elasticity and scalability
  • Measured Service
3
Q

Describe Broad Network Access.

A

Broad network access means services are consistently accessible over the network. We might access them by using a web browser or [[3. Secure Shell (SSH)|Secure Shell (SSH)]] connection, but the general idea is that no matter where we or our users are physically located, we can access resources in the cloud.

4
Q

Describe On-demand self-service.

A

On-demand self-service refers to the model that allows customers to scale their compute and/or storage needs with little or no intervention from or prior communication with the provider.

This means that technologists can access cloud resources almost immediately when they need them to do their jobs.

5
Q

What is Resource pooling?

A

Resource pooling is the characteristic that allows the cloud provider to meet various demands from customers while remaining financially viable.

The cloud provider can make capital investments that greatly exceed what any customer could provide on their own and can apportion these resources as needed so that the resources are not underutilized (which would mean a decrease in level of service).

6
Q

What is Rapid elasticity and scalability?

A

Rapid elasticity and scalability allows the customer to grow or shrink the IT footprint (number of users, number of machines, size of storage, and so on) as necessary to meet operational needs without excess capacity.

7
Q

Explain Scalability.

A

Scalability says that applications should be designed so that computing resources they require may be incrementally added to support increasing demand.

8
Q

What are the two different scalability types?

A
  • vertical scaling
  • horizontal scaling
9
Q

What is horizontal scaling?

A

horizontal scaling
It may also include adding additional instances to a pool, which is known as horizontal scaling, or scaling out.

10
Q

What is vertical scaling?

A

vertical scaling
This may include adding more resources to an existing computing instance, which is known as vertical scaling or scaling up.

11
Q

Describe Elasticity.

A

Elasticity goes a step further than scalability and says that applications should be able to automatically provision resources to scale when necessary and then automatically deprovision those resources to reduce capacity (and cost) when they are no longer needed.

You can think of elasticity as the ability to scale both up and down on an as-needed basis.

12
Q

What is a measured or metered service?

A

Measured service, or metered service, means that almost everything you do in the cloud is metered.

Cloud providers measure the number of seconds you use a virtual server, the amount of disk space you consume, the number of function calls you make, and many other measures.

This allows them to charge you for precisely the services you use - no more and no less.
This is the same model commonly used by public utilities providing commodity services such as electricity and water.

13
Q

Business Requirements: What are functional requirements?

A

Functional requirements: Those performance aspects of a device, process, or employee that are necessary for the business task to be accomplished.

Example: A salesperson in the field must be able to connect to the organization’s network remotely.

14
Q

Business Requirements: What are nonfunctional requirements?

A

Nonfunctional requirements: Those aspects of a device, process or employee that are not necessary for accomplishing a business task but are desired or expected.

Example: The salesperson’s remote connection must be secure.

15
Q

What are possible methods for gathering business requirements?

A
  • Interviewing functional managers
  • Interviewing users
  • Interviewing senior management
  • Observing employees doing their jobs
  • surveying customers
  • collecting network traffic
  • inventorying assets
  • collecting financial records
  • collecting insurance records
  • collecting marketing data
  • collecting regulatory mandates
16
Q

What is a Business Impact Analysis (BIA)?

A

The BIA is an assessment of the priorities given to each asset and process within the organization. A proper analysis should consider the effect (impact) any harm to or loss of each asset might mean to the organization overall.

During the BIA, special care should be paid to identifying [[Critical Path|critical paths]] and single points of failure.

You also need to determine the costs of compliance - that is, the legislative and contractual requirements mandated for your organization.

17
Q

Your organization’s regulatory restrictions will be based on many variables.

Name 3 of those variables.

A
  • jurisdictions where your organization operates,
  • the industry the organization is in,
  • the types and locations of your customers

etc.

18
Q

What are tangible assets?

A

Tangible assets refer to things you can touch, such as physical equipment.

19
Q

What are intangible assets?

A

Intangible assets refer to information and data, such as intellectual property.

20
Q

What is Cloud Bursting?

A

We refer to this as cloud bursting. The organization might have data center assets it owns, but it can’t handle the increased demand during times of elevated need (crisis situations, heavy holiday shopping periods, and so on), so it rents the additional capacity as needed from an external cloud provider.

21
Q

What are the three general Cloud Computing Service Categories?

A

These categories are:
- Software as a service (SaaS)
- Infrastructure as a service (IaaS)
- Platform as a service (PaaS)

22
Q

What is Software as a Service (SaaS)?

A

In software as a service (SaaS) offerings, the public cloud provider delivers an entire application to its customers. Customers don’t need to worry about processing, storage, networking, or any of the infrastructure details of the cloud service.

The vendor writes the application, configures the servers, and basically gets everything running for customers, who then simply use the service. Very often these services are accessed through a standard web browser, so very little, if any, configuration is required on the customer’s end.

23
Q

What is Infrastructure as a Service (IaaS)?

A

Customers of infrastructure as a service (IaaS) vendors purchase basic computing resources from vendors and piece them together to create customized IT solutions.

For example, IaaS vendors might provide compute capacity, data storage, and other basic infrastructure building blocks.

The four largest vendors in the IaaS space are Amazon Web Services (AWS), Microsoft Azure, Google Compute Engine, and Alibaba.

24
Q

What are common infrastructure capability types of Infrastructure as a Service?

A
  • Virtualized servers that run on shared hardware
  • Block storage that is available as disk volumes
  • Object storage that maintains files in buckets
  • Networking capacity to connect servers to each other and the Internet
  • Orchestration capabilities that automate the work of administering cloud infrastructure.

IaaS vendors provide on-demand, self-service access to computing resources, allowing customers to request resources when they need them and immediately gain access to them.

25
Q

Explain Platform as a Service (PaaS).

A

In the final category of public cloud computing, platform as a service (PaaS), vendors provide customers with a platform where they can run their own application code without worrying about server configuration.

This is a middle ground between Infrastructure as a Service (IaaS) and Software as a Service (SaaS). With Platform as a Service (PaaS), customers don’t need to worry about managing servers but are still able to run their own code.

Function as a Service (FaaS) is a common Platform as a Service (PaaS) capability where the customer creates specialized functions that run either on a schedule or in response to events.

26
Q

What are the 5 Cloud deployment models?

A

The major cloud deployment models are:

  • private cloud
  • public cloud
  • hybrid cloud
  • multi-cloud
  • community cloud
27
Q

What is the Private Cloud deployment model?

A

Organizations using the private cloud model want to gain the:

  • flexibility,
  • scalability
  • agility
  • cost effectiveness

of the cloud but don’t want to share computing resources with other organizations. In the private cloud approach, the organization builds and runs its own cloud infrastructure or pays another organization to do so on its behalf.

A private cloud is typified by resources dedicated to a single customer; no other customers will share the underlying resources (hardware and perhaps software). Therefore, private clouds are not multitenant environments.

28
Q

What is the Public Cloud deployment model?

A

The public cloud uses the multitenancy model. In this approach, cloud providers build massive infrastructures in their data centers and then make those resources available to all comers.

The same physical hardware may be running workloads for many different customers at the same time.

29
Q

What is the Hybrid Cloud deployment model?

A

Organizations adopting a hybrid cloud approach use a combination of public and private cloud computing.

In this model, they may use the public cloud for some computing workloads but they also operate their own private cloud for some workloads, often because of data sensitivity concerns.

30
Q

What is the Multi-Cloud deployment model?

A

While many organizations pick a single public cloud provider to serve as their infrastructure partner, some choose to adopt a multi-cloud approach that combines resources from two or more public cloud vendors.

This approach allows organizations to take advantage of service and price differences, but it comes with the cost of added complexity.

31
Q

What is the Community Cloud deployment model?

A

Community clouds are similar to private clouds in that they are not open to the general public, but they are shared among several or many organizations that are related to each other in a common community.

32
Q

What is an example of a community cloud?

A

A community cloud can also be provisioned by a third party on behalf of the various members of the community.

For instance, a cloud provider might offer a FedRAMP cloud service, for use only by U.S. federal government customers. Any number of federal agencies might subscribe to this cloud service (say, the Department of Agriculture, Health and Human Services, the Department of the Interior, and so on), and they will all use underlying infrastructure that is dedicated strictly for their use.

Any customer that is not a U.S. federal agency will not be allowed to use this service, as nongovernmental entities are not part of this particular community. The cloud provider owns the underlying infrastructure, but it is provisioned and made available solely for the use of the specific community.

33
Q

What is Multitenancy?

A

The public cloud is built upon the operating principle of multitenancy. This simply means that many different customers share use of the same computing resources. The physical servers that support our workloads might be the same as the physical servers supporting your workloads.

In an ideal world, an individual customer should never see the impact of multitenancy. Servers should appear completely independent of each other and enforce the principle of isolation.

34
Q

Multitenancy: From a privacy perspective, what should never happen in a public cloud environment?

A

From a privacy perspective, one customer should never be able to see data belonging to another customer.

35
Q

Multitenancy: From a performance perspective, what should be the goal of isolation?

A

From a performance perspective, the actions that one customer takes should never impact the actions of another customer.

Preserving isolation is the core crucial security task of a cloud service provider.

36
Q

What is cloud oversubscription?

A

Oversubscription means that cloud providers can sell customers a total capacity that exceeds the actual physical capacity of their infrastructure because, in the big picture, customers will never use all of that capacity simultaneously. When we fit those workloads together, their total utilization doesn’t ever exceed the total capacity of the environment.

Multitenancy works because of resource pooling. The memory and CPU capacity of the physical environment are shared among many different users and can be reassigned as needed.

37
Q

Name 5 different Cloud Computing Roles and Responsibilities.

A
  • Cloud Service Provider
  • Customers
  • Cloud service partners
  • regulators
  • cloud access security broker (CASB)
38
Q

What are the responsibilities of a Cloud Service Provider?

A

The cloud service provider is the business that offers cloud computing services for sale to third parties.

The cloud service provider is responsible for building and maintaining their service offerings. Cloud service providers may do this by creating their own physical infrastructure, or they might outsource portions of their infrastructure to other cloud service providers.

In that case, they are also cloud customers!

39
Q

What are the responsibilities of a Cloud Customer?

A

Customers are the consumers of cloud computing services. They use cloud services as the infrastructure, platforms, and/or applications that help them run their own businesses.

The relationship between cloud service provider and the customer varies depending upon the nature, importance, and cost of the service.

40
Q

What are the responsibilities of a Cloud Service Partner?

A

Cloud service partners play another important role in the cloud ecosystem. These are third-party companies that offer some product or service that interacts with the primary offerings of a cloud service provider.

For example, a cloud service partner might assist a company in implementing a cloud application, or it might offer a security monitoring service that provides operational assistance with using a cloud infrastructure product.

41
Q

What are the responsibilities of a Cloud Regulator?

A

Different regulatory agencies may have authority over your business depending upon the locations where your organization does business and the industries in which you operate. Make sure you consult the rules published by different regulators to ensure that your use of cloud computing resources doesn’t run afoul of their requirements.

42
Q

What are the responsibilities of a Cloud Access Security Broker (CASB)?

A

Finally, the last role that we will discuss is that of the cloud access security broker (CASB). These are cloud service providers who offer a managed identity and access management service to cloud customers that integrates security requirements across cloud services.

43
Q

What is Cloud Computing Reference Architecture?

A

The International Organization for Standardization (ISO) publishes a cloud reference architecture in its document ISO 17789.

This document lays out a common terminology framework that assists cloud service providers, cloud service customers, and cloud service partners in communicating about roles and responsibilities.

The reference architecture defines different cloud computing activities that are the responsibility of different organizations in the cloud ecosystem.

In the real world, these activities shift around depending upon the nature of each organization and the cloud services being provided.

However, the reference architecture provides us with a starting point.

44
Q

Cloud Computing Reference Architecture: What are the 10 responsibilities of the Cloud Service Customer?

A
  • Use cloud services
  • Perform service trials
  • Monitor services
  • Administer service security
  • Provide billing and usage reports
  • Handle problem reports
  • Administer tenancies
  • Perform business administration
  • Select and purchase service
  • Request audit reports
45
Q

Cloud Computing Reference Architecture: What are the 8 responsibilities of the Cloud Service Provider?

A
  • Prepare systems and provide cloud services
  • Monitor and administer services
  • Manage assets and inventories
  • Provide audit data
  • Manage customer relationships and handle customer requests
  • Perform peering with other cloud providers
  • Ensure compliance
  • Provide network connectivity
46
Q

Cloud Computing Reference Architecture: What are the 8 responsibilities of the Cloud Service Partner?

A
  • Design, create, and maintain service components
  • Test services
  • Perform audits
  • Set up legal agreements
  • Acquire and assess customers
  • Assess the marketplace
47
Q

History of Virtualization.

A

Data center managers realized that most of the time, many of their servers were sitting idle, waiting for a future burst in activity. That is not very efficient. Around that same time virtualization technology became available that allows many different virtual servers to make use of the same underlying hardware.

This shared hardware platform makes it easy to shift memory, storage, and processing power to wherever it is needed at the time. Virtualization platforms like VMware and Microsoft Hyper-V make this possible.

At a high level, virtualization platforms involve the use of a host machine that actually has physical hardware. That hardware then hosts several or many virtual guest machines that run operating systems of their own.

48
Q

What is a Hypervisor?

A

The host machine runs special software known as a hypervisor to manage the guest virtual machines (VMs).
The hypervisor basically tricks each guest into thinking that it is running on its own hardware when, in reality, it is running on the shared hardware of the host machine.

The operating system on each guest machine has no idea that it is virtualized, so software on that guest machine can function in the same way as it would on a physical server.

There are two different types of hypervisors, as shown in Figure 1.3

49
Q

Describe a Type 1 Hypervisor.

A

In a Type 1 hypervisor, also known as a bare metal hypervisor, the hypervisor runs directly on top of the hardware and then hosts guest operating systems on top of that.

50
Q

Describe a Type 2 Hypervisor.

A

In a Type 2 hypervisor, the physical machine actually runs an operating system of its own and the hypervisor runs as a program on top of that operating system.

This type of virtualization is commonly used on personal computers. Common hypervisors used in this scenario are VirtualBox and Parallels.

51
Q

What are two main security concerns in regards to virtualization security?

A
  • VM escape attack
  • VM sprawl
52
Q

What is a VM escape attack?

A

In a virtualized environment, this may not be the case if the attacker is able to break out of the virtualized guest operating system. This type of attack is known as a VM escape attack.

Virtualization technology is designed to enforce isolation strictly, and the [[1.6.1 Cloud Service Provider|providers]] of virtualization technology take seriously any vulnerabilities that might allow VM escape.

Security professionals working in virtualized environments should pay particular attention to any security updates that affect their virtualization platforms and apply patches promptly.

53
Q

What is VM sprawl?

A

Virtualization makes it incredibly easy to create new servers in a data center. Administrators can usually create a new server with just a few clicks.

While this is tremendously convenient, it also leads to a situation known as VM sprawl, where there are large numbers of unused and abandoned servers on the network.

This is not only wasteful, it is also a security risk because those servers are not being properly maintained and may accumulate serious security vulnerabilities over time if they are not properly patched.

54
Q

What is the CIA triad?

A

We have the three main goals of cybersecurity:

  • confidentiality
  • integrity
  • availability
55
Q

What three new concerns does Cloud Computing introduce?

A
  • governance
  • auditability
  • regulatory oversight
56
Q

In which 4 realms does Cloud Computing Governance help to ensure that you are compliant?

A
  • security
  • legal
  • business
  • and other constraints
57
Q

Why is Auditability a concern?

A

Auditability is an important component of governance. Cloud computing contracts should specify that the customer has the right to audit cloud providers, either directly or through a third party.

These audits may take place on a scheduled or unplanned basis, allowing the customer to gain assurance that the cloud vendor is meeting its security obligations.

The audits may also include operational and financial considerations.

58
Q

Name 4 regulations that a cloud service provider may be subject to.

A
  • HIPAA
  • FERPA
  • PCI DSS
  • or other cybersecurity regulations
59
Q

What are three Cloud Computing considerations?

A
  • availability
  • resiliency
  • and performance
60
Q

Name some of the Emerging Technologies?

A

1.10.1 Machine Learning and Artificial Intelligence
1.10.2 Blockchain
1.10.3 Internet of Things (IoT)
1.10.4 Containers
1.10.5 Quantum Computing
1.10.6 Edge and Fog Computing
1.10.7 Confidential Computing
1.10.8 DevOps and DevSecOps

61
Q

What is Machine learning?

A

Machine learning is a technical discipline designed to apply the principles of data science and statistics to uncover knowledge hidden in the data that we accumulate every day.

Machine learning techniques analyze data to uncover trends, categorize records, and help us run our businesses more efficiently.

Machine learning is a subset of a broader field called artificial intelligence (AI).

62
Q

What is Descriptive analytics?

A

Descriptive analytics simply seeks to describe our data.
For example, if we perform descriptive analytics on our customer records, we might ask questions like, what proportion of our customers are female? And how many of them are repeat customers?

63
Q

What is predictive analytics?

A

Predictive analytics seek to use our existing data to predict future events.

For example:
If we have a dataset on how our customers respond to direct mail, we might use that dataset to build a model that predicts how individual customers will respond to a specific future mailing.

That might help us tweak that mailing to improve the response rate by changing the day we send it, altering the content of the message, or even making seemingly minor changes like altering the font size or paper color.

64
Q

What is Prescriptive Analytics?

A

Prescriptive analytics seek to optimize our behavior by simulating many scenarios.

Example:
If we want to determine the best way to allocate our marketing dollars, we might run different simulations of consumer response and then use algorithms to prescribe our behavior in that context.

Similarly, we might use prescriptive analytics to optimize the performance of an automated manufacturing process.

65
Q

What is blockchain?

A

The blockchain is, in its simplest description, a distributed immutable ledger. This means that it can store records in a way that distributes those records among many different systems located around the world and do so in a manner that prevents anyone from tampering with the records.

The blockchain creates a data store that nobody can tamper with or destroy.

66
Q

What is the Internet of Things (IoT)?

A

The Internet of Things (IoT) is the third emerging technology covered on the CCSP exam.
IoT is a term used to describe connecting nontraditional devices to the internet for data collection, analysis, and control.

We see IoT applications arising in the home and workplace.
On the home front, it is hard to walk around your house or the local consumer electronics store without seeing a huge number of devices that are now called “smart this” or “smart that”.

67
Q

What are Containers?

A

Containers are the next evolution of virtualization. They are a lightweight way to package up an entire application and make it portable so that it can easily move between hardware platforms.

In traditional virtualization, we have hardware that supports a hypervisor and then that hypervisor supports guest virtual machines.

Each of those guest machines runs its own operating system and applications, allowing the applications to function somewhat independently of the hardware. You can move a virtual machine from hardware to hardware, as long as the machines are running the same hypervisor.

68
Q

Explain Container packaging?

A

Containers package up application code in a standardized format so that it can be easily shifted between systems.
Instead of running a hypervisor, systems supporting containers run a containerization platform.

This platform provides a standard interface to the operating system that allows containers to function regardless of the operating system and hardware. The major benefit of containers over virtual machines is that they don’t have their own operating system kernel.

The containerization platform allows them to use the host’s operating system kernel.

69
Q

What is Edge Computing?

A

Edge computing is an approach that brings many of the advances of the cloud to the edge of our networks. It involves placing processing power directly on remote sensors and allowing them to perform the heavy lifting required to process data before transmitting a small subset of that data back to the cloud.

70
Q

What is Fog Computing?

A

Fog Computing is a related concept that involves placing gateway devices out in the field to collect information from sensors and perform that correlation centrally, but still at the remote location, before returning data to the cloud.

71
Q

Explain the concept of Confidential Computing.

A

Confidential computing is a new and emerging focus for organizations operating in extremely secure environments, such as the military and defense sector. It extends security throughout the entire computing process.

72
Q

What is the Confidential Computing Model?

A

Confidential computing adds protection for code and data in memory.

It does this by offering trusted execution environments (TEEs). These trusted environments guarantee that no outside process can view or alter the data being handled within the environment. That provides an added assurance that data is safe through all stages of the computing lifecycle.

73
Q

What is DevOps?

A

Cloud computing is one of the enabling technologies for DevOps environments. Specifically, DevOps shops embrace a concept known as infrastructure as code (IaC).

In this approach, operations teams no longer manually configure servers and other infrastructure components by logging in and modifying their configurations directly. Instead they write scripts that specify how to start with a baseline configuration image and then customize it to meet the specific requirements of the situation.

For example, an organization might have a standard baseline for a Linux system. When someone needs a new server they write a script that starts a server using the baseline configuration and then automatically configures it to meet the specific functional needs.

Infrastructure as code separates server configuration from specific physical or virtual servers. This has some clear advantages for the organization.

74
Q

What does Infrastructure as Code (IaC) enable?

A
  • Scalability
  • Reduces user error through the use of immutable servers
  • Makes testing easier
75
Q

What is DevSecOps?

A

When DevOps is used in a cybersecurity program, it is often referred to as DevSecOps and introduces a “security as code” approach to cybersecurity.
As organizations move to DevOps strategies, cybersecurity teams will need to evolve their practices to provide value in this new operating environment.