CCSP Book Chapter 1: Architectural Concepts Flashcards
1
Q
1. Define Cloud Computing
2. Cloud Characteristics
- Broad Network Access
- Resource pooling
- Rapid elasticity
- On-Demand self-service
- Measured or Metered Service
A
- Cloud Computing - a model for convenient, on-demand network access to a shared pool of configurable computing resources (i.e. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
- Cloud Characteristics
- Broad Network Access - service consistently accessible such as through the use of a web browser to access SaaS regardless of user location or OS, browser, etc.
- Resource pooling - cloud provider is able to meet demands from customers; able to make capital investments that exceed what any customer can provide on their own; resources are not under-utilized (wasteful investment) or over-taxed (decrease in level of service); aka MULTI-Tenant environment; Multiple customers share the same underlying HW, SW, NW assets;
- Rapid elasticity - allows customer to grow or shrink IT footprint (# of users, machines, storage, etc) as needed without excess capacity;
- On-Demand self-service - allow customer to scale compute and/or storage needs with little or no intervention with provider; happens in real time
- Measured or Metered Service - customer is charged for what they use
2
Q
- Functional vs Nonfunctional Requirements
- What is a BIA?
- Tangible vs Intangible Assets
- ROI
- CIA
A
- Functional requirements - performance aspect needed for task to be completed (i.e. salesperson must be able to connect remotely)
- Nonfunctional Requirements - a desired aspect for business (i.e. the salesperson’s remote connection must be secure)
- BIA - an assessment of priorities given to each asset and process
- Tangible Asset - something that can be touched; i.e. Routers, servers
- Intangible Asset - something that cannot be touched; i.e. Software Code, Expression of Ideas, Business methodologies
- Return on Investment (ROI) - related to cost-benefit measures; used to describe a profitability ratio; generally calculated: net profit / net assets
- CIA - Confidentiality (protect information from unauthorized access), Integrity (protect information from unauthorized modification), Availability (ensure authorized users can access information when they are permitted to do so)
3
Q
Benefits of moving to Cloud
A
Benefits of moving to Cloud
- Reduction in Capital Expenditure - you cannot partially buy a device, but in the cloud you can! Organizations buy what they need (metered service) and can deduct taxes on monthly subscriptions, whereas if an organization buys its own device, tax benefits are not realized until years of use of that device; organizations are able to expand at the click of a button (rapid elasticity); organizations can augment private data center capabilities with managed services during increased demand (cloud bursting)
- Reduction in Personnel Costs - organizations do not need to hire personnel to manage their data when moving to cloud
- Reductions in Operational Costs - maintaining internal environment costly; cost becomes part of the service when moving to cloud
- Transferring Some Regulatory Costs - CSP may have set of controls that can be applied to customer’s cloud environment (i.e. PCI)
- Reduction in Costs for Data Archival/Backup Services - can enhance BC/DR strategy
4
Q
If there is a data breach, who is responsible for the release of PII? The customer or the cloud service provider?
A
The customer is always responsible for any disclosure of PII.
5
Q
Cloud Terminology
- Elasticity
- Simplicity
- Scalability
A
- Elasticity - allocate only the needed usage of each resource
- Simplicity - able to use cloud services without much interaction with CSP
- Scalability - increase or reduce services quickly
6
Q
Cloud Computing Service Models
A
- Infrastructure as a Service (IaaS) - (i.e. Hardware, Blades, Connectivity, Utilities) The most basic cloud service; CSP responsibility: Hardware, racks, machines, cables; Customer responsibility: Software, Operating System, IT Staffing; AKA “warm site” in a traditional environment (hardware, wiring, and cables are set up and ready for customer software/OS/app installations); best for organizations that want the most control of security over their data, or for limited purposes such as BC/DR or archiving; least expensive option
- Platform as a Service (PaaS) - (i.e. Operating Systems) CSP Responsibility: everything in IaaS + Operating Systems including patching, administering, updating; Customer Responsibility: Software they install; Software Development would be best here so software can be tested against a range of Operating Systems; PaaS also includes Data Warehousing and Data Mining; CSP offers backend access
- Software as a Service (SaaS) - (i.e. Applications, CRM, email, Hosted HR) CSP Responsibility: A full production environment; Customer Responsibility: Uploading and processing data
7
Q
Cloud Deployment Models - dealing with ownership
A
- Public - cloud is offered to anyone; public clouds are multitenant meaning multiple customers will share the underlying resources (i.e. Rackspace, Microsoft’s Azure, AWS)
- Private - resources are dedicated to a single customer; in a co-located environment, for example, Org A owns its equipment, stores it at the CSP’s data center, and uses the CSP’s power, internet connectivity, etc.
- Community - several pieces owned or controlled by individuals or distinct organizations, but perform joint tasks and functions (i.e. Gaming Community, FedRAMP offering cloud services only for U.S. Federal Government Agencies)
- Hybrid - i.e. an organization may want to retain private cloud resources like their legacy production environment but also have some public cloud space, like a PaaS for software testing, which will lower the risk of crashing the production environment
8
Q
Cloud Computing Roles and Responsibilities
- Cloud Broker
- CASB
- Regulators
A
- Cloud Broker - a company that purchases hosting services from a CSP and resells
- Cloud Access Security Broker (CASB) - a 3rd party entity offering independent Identity and Access Management (IAM) services to CSPs and cloud customers (i.e. SSO, certificate management, cryptographic key escrow)
- Regulators - they ensure the organization is compliant with the regulatory framework for which they’re responsible; i.e. HIPAA, GLBA, PCI DSS, ISO, SOX, SEC, FTC
9
Q
Cloud Computing Definitions
- Business Requirement
- Cloud Migration
- Cloud Portability
- Cost-Benefit Analysis
- FIPS 140-2
- Managed Service Provider
- Multitenant
- TCI Reference Model
- Vendor Lock-In
- Vendor Lock-Out
A
- Business Requirement - an operational driver for decision making and an input for risk management
- Cloud Migration - the process of transitioning all or part of a company’s data, applications, and services from on-site premises to the cloud, where information can be provided over the internet on an on-demand basis
- Cloud Portability - the ability to move applications and associated data between one CSP to another or between legacy and cloud environments
- Cost-Benefit Analysis - comparing potential positive impact to potential negative impact and weighing whether the two are equivalent or whether the potential positive effect outweighs the potential negative; this is a business decision, not a security decision; best made by managers or business analysts
- FIPS 140-2 - NIST document, security requirements for crypto systems for use by Federal Government
- Managed Service Provider - An IT service where the customer dictates procedures and requirements and external party executes support according to contract at the organization’s location or in the cloud
- Multitenant - multiple customers using the same public cloud (and hosts)
- Trusted Cloud Initiative (TCI) Reference Model - a guide for CSPs to create a holistic architecture that customers can purchase with comfort and confidence
- Vendor Lock-In - customer may be unable to leave, migrate, or transfer, to another CSP due to technical or non-technical constraints
- Vendor Lock-Out - customer is unable to recover their own data due to CSP going bankrupt or CSP leaving the market
10
Q
Related and Emerging Technologies
- Machine Learning and AI
- Blockchain
- IoT
- Containers
- Quantum Computing
- Homomorphic Encryption
A
- Machine Learning and AI - programs and machines being able to process and interpret information without direct input from users; Cloud services have machine learning and AI such as Firewalls, IDS/IPS, A/V, etc
- Blockchain - aka “cryptocurrency”; a means of conveying value using encryption technology; it is a transactional ledger where all participants can view every transaction, thus making it difficult to affect the integrity of past transactions; Blockchain is considered cloud because each record (“block”) is distributed to all the users regardless of location, type of device, jurisdiction, etc
- Internet of Things (IoT) - anything that has internet connectivity
- Containers - logical segmentation of memory space in a device; i.e. when you BYOD to work, containers distinguish two distinct partitions - one for work and one for personal data
- Quantum Computing - emerging technology that is not commercially available; conventional computers calculate using the presence of electrons (where the electrons exist in 2 states, present or not present); quantum computing may use subatomic characteristics (i.e. Electron Spin, charm, etc) to perform calculations on a far larger scale
- Homomorphic Encryption - theoretical phenomenon that would allow processing of encrypted material without decrypting it first; if achieved, this would allow customers to upload encrypted data and use it without ever sharing the encryption keys with the CSP or having decryption as part of their process; this is appealing to customers with highly valuable or sensitive data