Cloud Concepts, Architecture and Design Flashcards

1
Q

What are the 5 NIST characteristics of a cloud service

A
On-demand self-service 
Broad network access 
Resource pooling 
Rapid elasticity 
Measured service or metered service
2
Q

On-demand self-service

A

A characteristic of cloud that allows a cloud service customer to provision cloud resources and capabilities with little or no interaction with the cloud service provider

3
Q

Rapid elasticity

A

Allows a cloud customer to quickly obtain additional cloud resources (and release them again) as demand requires, without manual intervention, by automatically scaling and provisioning resources based on load (referred to as auto-scaling and auto-provisioning).

4
Q

Measured Service

A

Delivery of cloud services in such a way that its usage can be monitored, accurately reported, and precisely billed

5
Q

Resource Pooling

A

AKA multi-tenant environment: multiple customers share the same underlying hardware, software, and network assets

Cloud provider can apportion resources as needed so that resources are not underutilized or overtaxed

Aggregation of cloud service provider’s resources to provide cloud service to one or more cloud service customers

6
Q

Data Portability

A

The ability to move data from one system to another without needing to reenter the data

7
Q

Why is data ownership important to be considered when selecting a cloud service provider?

A

It is important that cloud providers provide clear terms as to what data they own and what the customer owns, as this has an effect on who is responsible for securing what

8
Q

Multitenancy

A

Allocation of cloud resources such that multiple tenants share the same underlying resources while each tenant's resources and data remain isolated from, and inaccessible to, the other tenants

9
Q

Reversibility

A

Capability for a cloud service customer to retrieve their cloud service customer data and for the cloud service provider to delete this data after a specified period or upon request

10
Q

What concerns does BYOD raise as it relates to cloud?

A

Concerns around device management and secure access methods to the cloud must be considered. Be mindful of company BYOD policies and consider how cloud systems impact them.

11
Q

Considerations before moving data to the cloud or from one cloud to another?

A

Interoperability - can the services involved understand each other's data formats, APIs, configurations and AuthN/AuthZ mechanisms

Portability and reversibility - can customers move applications/services from one cloud provider to another or move between cloud deployment models

Availability

Resiliency - know cloud SLAs or resiliency commitments made in contracts

Security and Privacy - baseline security features provided, advanced features often incur costs; understand security defaults and features; must be aware of what data is in your control vs CSP control

Performance

Governance - most CSPs offer the ability to schedule and automate reporting which enhances governance activities

SLAs - look for many of these considerations (e.g. availability, governance, performance, resilience, etc.)

Maintenance and versioning - should be agreed upon and well understood (e.g. upgrade responsibilities, rollback, whether a downgrade is possible, etc.)

Regulatory Compliance - a shared responsibility between a CSP and customer

Auditability - shared responsibility so must know what you are responsible for and what the CSP is responsible for

12
Q

Data at rest

What are ways to secure data at rest, including in the cloud? What does a cloud service customer (CSC) need to know about the cloud service provider (CSP) to secure data at rest?

A

Data at rest refers to data that is stored on a system or device, and not actively being read, written to, transmitted, or processed.

Consider encrypting sensitive files before they are stored, and/or encrypting the entire storage volume or drive.

Check whether the CSP encrypts data at rest by default or what configuration is required, and who holds the encryption keys (provider-managed vs. customer-managed). Either way, know what your CSP supports and provides and what remains your responsibility.

13
Q

Data in transit

Security considerations?

A

Data in transit (or data in motion) refers to data that is actively being transmitted across a network or between multiple networks.

Use encryption, implemented via TLS (HTTPS is HTTP over TLS) or a VPN, to protect data in transit. SSL is the deprecated predecessor of TLS and should be disabled. Beware of incompatible protocol versions or cipher suites between systems: a client that requires a version the server does not offer cannot connect at all, while permissive settings on either side let the connection settle on the weakest version both still allow.

14
Q

Data in use

Security considerations?

A

Data in use is information that is actively being processed by an application; it resides in a system's RAM, CPU cache or registers.

On conventional hardware data must be in cleartext to be processed, so encrypting data in use is impossible or impractical; use other security controls (access control, memory isolation between tenants, hardened and patched hosts) to manage risks to data in use. Confidential computing (hardware enclaves and memory encryption) is the emerging exception.

15
Q

What are Standard Methods of Data Deletion potentially used by CSPs?

A

Overwriting: replacing the content with a series of random 0s and 1s, sometimes in multiple passes. In the cloud the customer rarely has access to the physical media, so this is the CSP's job and its effectiveness should be confirmed in contract terms.

Crypto-shredding (cryptographic erasure): the data was stored encrypted, and the encryption key is destroyed, which renders every copy of the ciphertext unrecoverable. This is the deletion method the customer can control directly when the keys are under customer management.

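Added example in Go, not from the original deck, tying together card 12 (encrypting sensitive data before it reaches cloud storage) and card 15 (crypto-shredding): client-side envelope encryption with AES-256-GCM, where each object gets its own data-encryption key (DEK) wrapped under a customer-held key-encryption key (KEK), and deletion by destroying the KEK. The Vault type is a constructed stand-in for a customer-managed KMS/HSM and the sample record is constructed input; neither is a real provider API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is what the CSP receives: data encrypted under a per-object
// DEK, plus that DEK wrapped under the customer's KEK. The KEK never leaves
// the customer, so the provider only ever holds ciphertext.
type StoredObject struct {
	Nonce, Ciphertext, DEKNonce, WrappedDEK []byte
}

// Vault stands in for a customer-controlled KMS/HSM holding one KEK
// (constructed for this example; not a real provider API).
type Vault struct{ kek []byte }

func NewVault() (*Vault, error) {
	k := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Vault{kek: k}, nil
}

// Shred is cryptographic erasure: overwrite the KEK with random bits and
// forget it. Every object wrapped under it is now unrecoverable, however
// many copies of the ciphertext the CSP still holds.
func (v *Vault) Shred() {
	rand.Read(v.kek)
	v.kek = nil
}

// seal encrypts with AES-256-GCM under a fresh random nonce; open reverses it
// and rejects any tampering, because GCM is authenticated encryption.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

func open(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// Encrypt protects data client-side before it is handed to the CSP.
func (v *Vault) Encrypt(plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	dn, wrapped, err := seal(v.kek, dek) // fails once the KEK is shredded
	if err != nil {
		return nil, err
	}
	return &StoredObject{Nonce: nonce, Ciphertext: ct, DEKNonce: dn, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data.
func (v *Vault) Decrypt(obj *StoredObject) ([]byte, error) {
	if v.kek == nil {
		return nil, errors.New("KEK destroyed: object is unrecoverable")
	}
	dek, err := open(v.kek, obj.DEKNonce, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Nonce, obj.Ciphertext)
}

func main() {
	v, err := NewVault()
	if err != nil {
		panic(err)
	}
	obj, err := v.Encrypt([]byte("constructed sample: customer record"))
	if err != nil {
		panic(err)
	}
	pt, _ := v.Decrypt(obj)
	v.Shred()
	_, shredErr := v.Decrypt(obj)
	fmt.Printf("before shred: %q; after shred: %v\n", pt, shredErr)
}
```

The object decrypts before Shred and is unrecoverable after it, even though the ciphertext itself was never touched. That is why crypto-shredding is the deletion method a customer can actually control: overwriting needs access to the media, which in the cloud belongs to the CSP, whereas the KEK lives in a key store the customer controls.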
16
Q

Account hijacking

A

Account hijacking occurs when an unauthorized party gains control of a legitimate account, typically a privileged one, for example through phishing, credential stuffing, or stolen session tokens or API keys.

17
Q

Insider threat

A

Insider threat is the potential for someone who has or has had legitimate system or data access to intentionally or unintentionally compromise a system, data, or organization.

18
Q

Metastructure

A

Metastructure is the set of mechanisms that connects the infrastructure layer to the applications and data being used

It enables and supports infrastructure management and configuration, and is typically the line of demarcation between the cloud provider and customer.

Includes the cloud management plane components (the provider APIs and consoles used to configure the service).

19
Q

Applistructure

A

Applistructure includes the applications that are deployed in the cloud and the underlying services used to build them.

20
Q

What typically causes failure of Metastructure and Applistructure?

A

Weak API security: poorly implemented, overly permissive or unnecessarily exposed APIs, since both layers are driven through APIs.

21
Q

Measured Service (AKA?)

A

Metered service: the customer is charged only for what they actually use.

22
Q

ROI

A

Return on investment (ROI) is a cost-benefit measure expressed as a profitability ratio: the net gain from an investment divided by its cost (net profit / cost of investment), usually stated as a percentage.

23
Q

Cloud Backup

A

Backing up data to a remote, cloud-based server. As a form of cloud storage, cloud backup data is stored in an accessible form from multiple distributed resources that make up a cloud.

24
Q

Cloud Computing

A

The use of computing, storage, and network resources with the capabilities of on-demand self-service, rapid elasticity, metered service, broad network access, and pooled resources.

25
Q

Cloud Bursting

A

Augmenting an organization's internal private data center capacity with public cloud services during periods of increased demand (e.g. seasonal peaks, crisis scenarios), so the private capacity need not be sized for peak load.

26
Q

Cloud Migration

A

The process of transitioning all or part of a company’s data, applications, and services from on-site premises to the cloud, where the information can be provided over the Internet on an on-demand basis.

27
Q

Cloud Portability

A

The ability to move applications and associated data between one cloud provider and another or between legacy and cloud environments.

28
Q

Managed Service Provider

A

An IT service where the customer dictates both the technology and operational procedures, and an external party executes administration and operational support according to a contract.

29
Q

Blockchain

A

Blockchain is a distributed, append-only transactional ledger secured with cryptographic techniques (hash-chained blocks and digital signatures). All participants can view every transaction, which makes it extremely difficult to alter past transactions without detection. Cryptocurrencies are its best-known application, but the two terms are not synonymous.

30
Q

What should always drive management decisions?

A

Business needs, which include security and risk decisions. Sometimes security and risk considerations may override business and/or operational requirements.

31
Q

ISC2 Code of Ethics Canons

A

Protect society, the common good, necessary public trust and confidence and the infrastructure

Act honorably, honestly, justly, responsibly and legally

Provide diligent and competent service to principals

Advance and protect the profession

32
Q

CSP Data Center

A

Individual data centers consist of physical servers, storage, data center networking, environmental management equipment and electrical power. Functionality may fail over to other data centers within the same AZ.

33
Q

CSP AZ

A

Multiple geographically local data centers make up an AZ. The AZ's data centers should have independent sources of power and data connectivity for failover. If an AZ experiences a failure, customers' instances can fail over to other AZs.

34
Q

CSP Region

A

Multiple AZs.

Cloud providers couple multiple availability zones to create regions, and cloud providers create multiple regions with redundant infrastructures and mutual replication capability to ensure full redundancy in the event of regional failure.

35
Q

Capital Expenditure

A

Traditional IT resources are bought up front to implement new systems or to accommodate potential peak loads, so expenses keep growing as capacity is added.

Purchased assets depreciate over time, at a rate that depends on the asset.

The time required to achieve ROI is increased.

36
Q

Operational Expenditure (OpEx)

A

Can eliminate or reduce long-term investment when exploring new business models, or help exploit short-term business opportunities, via the cloud's pay-as-you-go model: rent or lease only what is needed.

Expenses for acquiring and paying for services are generally deductible in the period they are incurred rather than depreciated over years.

37
Q

List typical drivers for cloud adoption

A
  1. Decrease CapEx in exchange for OpEx
  2. Cost
  3. Mobility
  4. Collaboration
  5. Risk reduction
  6. Scalability
  7. Elasticity
  8. Virtualization
  9. Shared responsibility model
38
Q

Cloud Computing Security Risks

A

Distributed/Multi-tenant Environment Risk
Business/Reputational Risk
Compliance (Legal, Regulatory) Risk
Privacy Risk

39
Q

Vendor Lock-in

A

Vendor lock-in occurs in a situation where a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or nontechnical constraints.

40
Q

Vendor Lock-out

A

Vendor lock-out occurs when a customer is unable to recover or access their own data due to the cloud provider going into bankruptcy or otherwise leaving the market.