Domain 1 - Cloud Computing Concepts and Architectures Flashcards
True or False - taking an existing application or asset and simply moving it to a cloud provider without any changes will often reduce agility, resiliency, and even security, all while increasing costs.
True
_____ is a new operational model and set of technologies for managing shared pools of computing resources.
Cloud Computing
_____ is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
NIST Cloud Computing Definition
Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand.
ISO/IEC Cloud Computing Definition
____ is the person or organization requesting and using the resources.
Cloud User
_____ is the person or organization who delivers the resources.
Cloud Provider
What are the key techniques to create a cloud?
Abstraction and Orchestration
True or False - The difference between cloud computing and traditional virtualization is that virtualization abstracts resources, but it typically lacks the orchestration to pool them together and deliver them to customers on demand, instead relying on manual processes.
True
True or False - Clouds are multitenant by nature. Multiple different consumer constituencies share the same pool of resources but are segregated and isolated from each other.
True
_____ allows the cloud provider to divvy up resources to the different groups, and _____ ensures they can't see or modify each other's assets.
Segregation, Isolation
What is NIST 800-145?
NIST Working Definition of Cloud Computing
NIST defines cloud computing by describing how many essential characteristics, how many cloud service models and how many cloud deployment models?
5 Essential Characteristics
3 Cloud Service Models
4 Cloud Deployment Models
What are the 5 Essential Characteristics of Cloud Computing?
- Resource Pooling
- On Demand Self Service
- Broad Network Access
- Rapid Elasticity
- Measured Service
ISO/IEC 17788 lists 6 essential cloud characteristics. Five are the same as NIST's. What is the added one?
Multi tenancy
NIST 3 Cloud Service Models
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
____ is the most fundamental characteristic of Cloud. The provider abstracts resources and collects them into a pool, portions of which can be allocated to different consumers (typically based on policies).
Resource Pooling
On Demand Self Service
Broad Network Access
Rapid Elasticity
Measured Service
Multi tenancy
Resource Pooling
Consumers provision the resources from the pool using ______. They manage their resources themselves, without having to talk to a human administrator.
Resource Pooling
On Demand Self Service
Broad Network Access
Rapid Elasticity
Measured Service
Multi tenancy
On Demand Self Service
This characteristic means that all resources are available over a network, without any need for direct physical access; the network is not necessarily part of the service.
Resource Pooling
On Demand Self Service
Broad Network Access
Rapid Elasticity
Measured Service
Multi tenancy
Broad Network Access
This characteristic allows consumers to expand or contract the resources they use from the pool (provisioning and deprovisioning), often completely automatically. This allows them to more closely match resource consumption with demand (for example, adding virtual servers as demand increases, then shutting them down when demand drops).
Resource Pooling
On Demand Self Service
Broad Network Access
Rapid Elasticity
Measured Service
Multi tenancy
Rapid Elasticity
This meters what is provided, to ensure that consumers only use what they are allotted, and, if necessary, to charge them for it. This is where the term utility computing comes from, since computing resources can now be consumed like water and electricity, with the client only paying for what they use.
Resource Pooling
On Demand Self Service
Broad Network Access
Rapid Elasticity
Measured Service
Multi tenancy
Measured Service
This service model is a full application that is managed and hosted by the provider. Consumers access it with a web browser, mobile app, or a lightweight client app.
IaaS
PaaS
SaaS
SaaS
This service model abstracts and provides development or application platforms, such as databases, application platforms (e.g. a place to run Python, PHP, or other code), file storage and collaboration, or even proprietary application processing (such as machine learning, big data processing, or direct Application Programming Interface (API) access to features of a full SaaS application). The key differentiator is that you don't manage the underlying servers, networks, or other infrastructure.
IaaS
PaaS
SaaS
PaaS
This service model offers access to a resource pool of fundamental computing infrastructure, such as compute, network, or storage.
IaaS
PaaS
SaaS
IaaS
What are the four NIST/ISO/IEC Cloud Deployment Models?
- Public Cloud
- Private Cloud
- Community Cloud
- Hybrid Cloud
This cloud deployment model is one where the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud
Public Cloud
This cloud deployment model is one where the cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premises or off-premises.
Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud
Private Cloud
This cloud deployment model is one where the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or by a third party and may be located on-premises or off-premises.
Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud
Community Cloud
This cloud deployment model is one where the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). Hybrid is also commonly used to describe a non-cloud data center bridged directly to a cloud provider.
Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud
Hybrid Cloud
True or False - Deployment models are defined based on the cloud user—that is, who uses the cloud
True
What are the layers of the cloud logical model, which identifies different layers based on functionality?
- Infrastructure
- Metastructure
- Infostructure
- Applistructure
The cloud logical model layer that defines the core components of a computing system: compute, network, and storage. The foundation that everything else is built on; the moving parts.
Infrastructure
Metastructure
Infostructure
Applistructure
Infrastructure
The cloud logical model layer that defines the protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies together and enables management and configuration.
Infrastructure
Metastructure
Infostructure
Applistructure
Metastructure
The cloud logical model layer that defines the data and information: content in a database, file storage, etc.
Infrastructure
Metastructure
Infostructure
Applistructure
Infostructure
The cloud logical model layer that defines the applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services.
Infrastructure
Metastructure
Infostructure
Applistructure
Applistructure
What is the key difference between cloud and traditional computing?
Infrastructure
Metastructure
Infostructure
Applistructure
Metastructure
Cloud metastructure includes the management plane components, which are network-enabled and remotely accessible. Another key difference is that, in cloud, you tend to double up on each layer. Infrastructure, for example, includes both the infrastructure used to create the cloud as well as the virtual infrastructure used and managed by the cloud user. In private cloud, the same organization might need to manage both; in public cloud the provider manages the physical infrastructure while the consumer manages their portion of the virtual infrastructure.
True or False - At a high level, security responsibility maps to the degree of control any given actor has over the architecture stack.
True
In this service or architecture model, the cloud provider is responsible for nearly all security, since the cloud user can only access and manage their use of the application, and can't alter how the application works. For example, a SaaS provider is responsible for perimeter security, logging/monitoring/auditing, and application security, while the consumer may only be able to manage authorization and entitlements.
IaaS
PaaS
SaaS
SaaS
In this service or architecture model, the cloud provider is responsible for the security of the platform, while the consumer is responsible for everything they implement on the platform, including how they configure any offered security features. The responsibilities are thus more evenly split. For example, when using a Database as a Service, the provider manages fundamental security, patching, and core configuration, while the cloud user is responsible for everything else, including which security features of the database to use, managing accounts, or even authentication methods.
IaaS
PaaS
SaaS
PaaS
In this service or architecture model, just like PaaS, the provider is responsible for foundational security, while the cloud user is responsible for everything they build on the infrastructure. Unlike PaaS, this places far more responsibility on the client. For example, the IaaS provider will likely monitor their perimeter for attacks, but the consumer is fully responsible for how they define and implement their virtual network security, based on the tools available on the service.
IaaS
PaaS
SaaS
IaaS
True or False - The most important security consideration is knowing exactly who is responsible for what in any given cloud project.
True
CSA's two recommendations for a Shared Security model:
- Cloud providers should clearly document their internal security controls and customer security features so the cloud user can make an informed decision. Providers should also properly design and implement those controls.
- Cloud users should, for any given cloud project, build a responsibilities matrix to document who is implementing which controls and how. This should also align with any necessary compliance standards.
A standard template for cloud providers to document their security and compliance controls.
The Consensus Assessments Initiative Questionnaire (CAIQ)
Lists cloud security controls and maps them to multiple security and compliance standards. This can also be used to document security responsibilities.
Cloud Control Matrix (CCM)
Tools that help guide security decisions.
Cloud Security Models
Reference Architectures
Design Patterns
Orchestration
Cloud Security Models
What are the 4 cloud security models?
- Conceptual Models or frameworks
- Control Models or frameworks
- Reference Architectures
- Design Patterns
This cloud security model includes visualizations and descriptions used to explain cloud security concepts and principles, such as the CSA logical model in this document.
Cloud Security Models
Reference Architectures
Design Patterns
Orchestration
Conceptual Models or frameworks
This cloud security model categorizes and details specific cloud security controls or categories of controls, such as the CSA CCM.
Cloud Security Models
Reference Architectures
Design Patterns
Orchestration
Controls Model or framework
This cloud security model consists of templates for implementing cloud security, typically generalized (e.g. an IaaS security reference architecture). They can be very abstract, bordering on conceptual, or quite detailed, down to specific controls and functions.
Cloud Security Models
Reference Architectures
Design Patterns
Orchestration
Reference Architectures
This cloud security model consists of reusable solutions to particular problems. In security, an example is IaaS log management. As with reference architectures, they can be more or less abstract or specific, even down to common implementation patterns on particular cloud platforms.
Cloud Security Models
Reference Architectures
Design Patterns
Orchestration
Design Patterns
There is a relatively straightforward, high-level process for managing cloud security. What are its steps?
- Identify necessary security and compliance requirements, and any existing controls.
- Select your cloud provider, service, and deployment models.
- Define the architecture.
- Assess the security controls.
- Identify control gaps.
- Design and implement controls to fill the gaps.
- Manage changes over time.
CSA provides two tools to help meet shared responsibility requirements. What are these?
Consensus Assessments Initiative Questionnaire (CAIQ)
Cloud Control Matrix
Describes the automated arrangement, coordination, and management of complex computer systems and services.
Orchestration
Abstraction
Orchestration
Enables the rapid deployment of applications and data to reduce the cost and complexity of providing the underlying infrastructure, which also simplifies operations.
Orchestration
Abstraction
Abstraction
Since physical access is not an area of concern for cloud, what is the top security concern?
Cloud management plane
From a security perspective, it is both the biggest difference from protecting physical infrastructure (since you can’t rely on physical access as a control) and the top priority when designing a cloud security program.
If an attacker gets into your management plane, they potentially have full remote access to your entire cloud deployment.
What does IaaS consist of? (5 things)
IaaS consists of:
- a facility
- hardware
- an abstraction layer
- an orchestration (core connectivity and delivery) layer to tie together the abstracted resources
- APIs to remotely manage the resources and deliver them to consumers.