Cloud Concepts, Architecture and Design Flashcards
What are the 5 NIST characteristics of a cloud service
On-demand self-service
Broad network access
Resource pooling
Rapid elasticity
Measured service (or metered service)
On-demand self-service
A characteristic of cloud that allows a cloud service customer to provision cloud resources and capabilities with little or no interaction with the cloud service provider
Rapid elasticity
Allows a cloud customer to quickly obtain additional cloud resources as the user's needs require, without the cloud customer's intervention, by automatically scaling and provisioning resources based on load (referred to as auto-scaling and auto-provisioning)
Measured Service
Delivery of cloud services in such a way that its usage can be monitored, accurately reported, and precisely billed
Resource Pooling
AKA multi-tenant environment: multiple customers share the same underlying hardware, software, and network assets
Cloud provider can apportion resources as needed so that resources are not underutilized or overtaxed
Aggregation of cloud service provider’s resources to provide cloud service to one or more cloud service customers
Data Portability
The ability to move data from one system to another without needing to reenter the data
Why is data ownership important to be considered when selecting a cloud service provider?
It is important that cloud providers provide clear terms as to what data they own and what the customer owns, as this has an effect on who is responsible for securing what
Multitenancy
Allocation of cloud resources such that each tenant and its data are inaccessible to the other tenants who share those resources
Reversibility
Capability for a cloud service customer to retrieve their cloud service customer data and for the cloud service provider to delete this data after a specified period or upon request
What concerns does BYOD raise as it relates to cloud?
Concerns around device management and secure access methods to the cloud must be considered. Be mindful of company BYOD policies and consider how cloud systems impact them.
Considerations before moving data to the cloud or from one cloud to another?
Interoperability - can cloud services understand data formats, APIs, configurations, AuthN/AuthZ mechanisms
Portability and reversibility - can customers move applications/services from one cloud provider to another or move between cloud deployment models
Availability
Resiliency - know cloud SLAs or resiliency commitments made in contracts
Security and Privacy - baseline security features provided, advanced features often incur costs; understand security defaults and features; must be aware of what data is in your control vs CSP control
Performance
Governance - most CSPs offer the ability to schedule and automate reporting which enhances governance activities
SLAs - look for many of these considerations (e.g. availability, governance, performance, resilience, etc.)
Maintenance and versioning - should be agreed upon and well understood (e.g. upgrade or rollback responsibilities, whether downgrade is possible, etc.)
Regulatory Compliance - a shared responsibility between a CSP and customer
Auditability - shared responsibility so must know what you are responsible for and what the CSP is responsible for
Data at rest
What are ways to secure data at rest?
What are ways to secure data at rest in the cloud? What do you have to know as a CSC, with respect to the CSP, to secure data at rest?
Data at rest refers to data that is stored on a system or device, and not actively being read, written to, transmitted, or processed.
Consider encryption of sensitive files prior to storage and/or encrypting the entire storage volume or drive
Consider CSP support for encryption by default for data at rest or what type of configuration is required. Either way know what your CSP supports and provides and what your responsibility is.
Data in transit
Security considerations?
Data in transit (or data in motion) refers to data that is actively being transmitted across a network or between multiple networks.
Use encryption implemented via TLS, SSL, HTTPS or VPNs to protect data in transit; beware of incompatible encryption between systems.
Data in use
Security considerations?
Data in use is information that is actively being processed by an application. It is synonymous with data that resides in a system's RAM or cache memory.
It is impossible or impractical to encrypt data in use, so you should use other security controls to manage risks to data in use.
What are Standard Methods of Data Deletion potentially used by CSPs?
Overwrite content with a series of random 0s and 1s, sometimes multiple times
crypto-shredding (or cryptographic erasure)
Account hijacking
Account hijacking occurs when an unauthorized party gains access to privileged accounts.
Insider threat
Insider threat is the potential for someone who has or has had legitimate system or data access to intentionally or unintentionally compromise a system, data, or organization.
Metastructure
Metastructure is the set of mechanisms that connects the infrastructure layer to the applications and data being used.
It enables and supports infrastructure management and configuration, and is typically the line of demarcation between the cloud provider and customer.
It includes the cloud management plane components.
Applistructure
Applistructure includes the applications that are deployed in the cloud and the underlying services used to build them.
What typically causes failure of Metastructure and Applistructure?
Weak API security or poorly implemented and exposed APIs
Measured Service (AKA)
Metered Service: a service where the customer is only charged for what they use
ROI
Return on investment (ROI) is a term related to cost-benefit measures. ROI is a term used to describe a profitability ratio. It is generally calculated by dividing net profit by net assets.
Cloud Backup
Backing up data to a remote, cloud-based server. As a form of cloud storage, cloud backup data is stored in an accessible form from multiple distributed resources that make up a cloud.
Cloud Computing
The use of computing, storage, and network resources with the capabilities of rapid elasticity, metered service, broad network access, and pooled resources.
Cloud Bursting
One way an organization can use hosted cloud services is to augment internal, private data center capabilities with managed services during times of increased demand (e.g. seasonal peaks, crisis scenarios, etc.)
Cloud Migration
The process of transitioning all or part of a company’s data, applications, and services from on-site premises to the cloud, where the information can be provided over the Internet on an on-demand basis.
Cloud Portability
The ability to move applications and associated data between one cloud provider and another or between legacy and cloud environments.
Managed Service Provider
An IT service where the customer dictates both the technology and operational procedures, and an external party executes administration and operational support according to a contract.
Blockchain
Blockchain is an open means of conveying value using encryption techniques and algorithms. It is often referred to as “cryptocurrency.” It is basically a transactional ledger, where all participants can view every transaction, thus making it extremely difficult to negatively affect the integrity of past transactions.
What should always drive management decisions?
Business needs, which include security and risk decisions; sometimes security and risk may override business and/or operational requirements
ISC2 Code of Ethics Canons
Protect society, the common good, necessary public trust and confidence and the infrastructure
Act honorably, honestly, justly, responsibly and legally
Provide diligent and competent service to principals
Advance and protect the profession
CSP Data Center
Individual data centers that consist of physical servers, storage, data center networking, environmental management equipment and electrical power. Functionality may fail over to other data centers within the same AZ.
CSP AZ
Multiple geographically local data centers make up an AZ. The AZ data centers should have independent sources of power and data connectivity for failover. If an AZ experiences failure, customers' instances can fail over to other AZs.
CSP Region
Multiple AZs.
Cloud providers couple multiple availability zones to create regions, and cloud providers create multiple regions with redundant infrastructures and mutual replication capability to ensure full redundancy in the event of regional failure.
Capital Expenditure
Ever-growing expenses in traditional IT resources to implement new systems or accommodate potential peak loads
Assets purchased will depreciate over time, depending on the asset
Increased time required to achieve ROI
Operational Expenditure (OpEx)
Can eliminate or reduce long-term investments when exploring new business models, or help exploit short-term business opportunities, with the cloud's pay-as-you-go model: rent or lease only what is needed.
All expenses involved in acquiring and paying for services are immediately tax deductible
List typical drivers for cloud adoption
- Decrease CapEx for an increase in OpEx
- Cost
- Mobility
- Collaboration
- Risk Reduction
- Scalability
- Elasticity
- Virtualization
- Shared Responsibility Model
Cloud Computing Security Risks
Distributed/Multi-tenant Environment Risk
Business/Reputational Risk
Compliance (Legal, Regulatory) Risk
Privacy Risk
Vendor Lock-in
Vendor lock-in occurs in a situation where a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or nontechnical constraints.
Vendor Lock-out
Vendor lock-out occurs when a customer is unable to recover or access their own data due to the cloud provider going into bankruptcy or otherwise leaving the market.