CCSP Domain 1: Cloud concepts, Architecture, and Design

From my gitbook notes.

1.1 Understanding Cloud Computing Concepts

Roles

  • Customer – Generally, the cloud service consumer. Us.
  • Service Provider – Offers cloud services (Google Compute Platform, Amazon Web Services, Microsoft Azure)
  • Partner – Entity that helps organizations obtain and deploy cloud services. (Not on exam)
  • Broker – an object that governs the use, performance, and delivery of cloud services, and mediates connections between cloud providers and cloud consumers. (Not on exam)
  • Cloud Carrier – Internet service provider or telco.

Characteristics

  • On-Demand Self Service – You can sign up for cloud services on a website with a credit card.
  • Broad Network Access – Access the cloud services from anywhere there is an internet connection
  • Multi-Tenancy – More than 1 customer consuming compute resources.
  • Rapid Elasticity and Scalability – Add or remove compute resources as needed.
  • Resource Pooling – Shared CPU, RAM, and Networking
  • Measured Service – Pay for what you are using.

Building Block Technologies

  • Virtualization – Abstracts applications away from underlying resources (CPU, RAM)
  • Storage – Covered in topic 2.2
  • Networking – Covered in topic 3.1
  • Databases – Data stored that makes it searchable.
  • Orchestration – Functions that work together without creating dependencies.
  • Containers – Synthetic platforms for apps to run
  • Type 1 Hypervisor – Runs on bare metal (VMware ESXi for example)
  • Type 2 Hypervisor – Runs on the operating system (Hyper-V for example)

NIST 800-145 – Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Guest escape – Moving from virtual machine to hypervisor or other virtual machines.

1.2 Cloud Reference Architecture

Cloud Service Categories

  • Infrastructure as a Service (IaaS) – Provider owns the datacenter. Customer builds VMs, OS, Apps, and Data. Cheapest and most flexible
  • Platform as a Service (PaaS) – Provider owns datacenter and they typically build the VMs and install OS. Customer provides apps and data. Good for a software development environment. Typically used for database services or coding environments.
  • Software as a Service (SaaS) – Provider owns nearly everything. Customer is responsible for data. Least flexible.

Deployment Models

  • Public – Multiple customers share resources. Cheaper.
  • Private – One customer accesses a resource. More limited and expensive.
  • Community – A specific group shares resources.
  • Hybrid – A combination of any other deployment models. A good example is “bursting”, where resource demand for a private cloud temporarily extends into a public cloud.

Considerations

  • Interoperability – Move or reuse components of an application at the same time
  • Portability – Easily and seamlessly move between different cloud providers. Disaster recovery, locality diversity, and high availability are things to consider. Good for protection from vendor lock in (can’t move your data from vendor) and lock out (can’t access your data from a vendor).
  • Reversibility – The ability to undo, or restore to a point back in time.
  • Availability – Uptime. Usually laid out in the SLA.
  • Security – Responsibilities laid out in the cloud contract. Non disclosure agreements completed before engaging in active discussions.
  • Privacy – Check privacy laws of where the data is geographically located, who’s accessing it, and from where.
  • Resiliency – The ability of services to recover quickly and continue operations in the event of an equipment failure.
  • Performance – Provisioning, elasticity, and other components should be measured for performance.
  • Governance – Define actions, assign responsibilities, and verify performance. Access relevant reporting, metrics, and current statistics related to usage.
  • Maintenance and Versioning – An incremental approach to maintaining an information system and keeping components up to date
  • Service Level Agreements (SLAs) – minimum levels of service, availability, security, controls, processes, communications, support, and other business elements are stated and agreed upon by both the customer and provider.
  • Auditability – the ability to have evidence to support audits.
  • Regulatory – an organization’s requirement to adhere to the law.

Related Technology

  • Machine Learning – a technical discipline designed to apply the principles of data science and statistics to uncover knowledge hidden in the data we accumulate every day. A subset of artificial intelligence.
  • Artificial Intelligence – A collection of techniques that are designed to mimic human thought processes in computers.
  • Blockchain – A distributed cryptographic public ledger
  • Internet of Things (IoT) – Connecting nontraditional devices to the internet for data collection, analysis, and control.
  • Containers – Next evolution of virtualization. A lightweight way to package up an entire application and make it portable so it can move easily between hardware platforms.
  • Quantum Computing – Beyond base 2 (binary zeros and ones) by analyzing electrons.
  • Uptime Institute Tier Classification System – The data center Tier levels are:
    • Tier I: Basic Capacity
    • Tier II: Redundant Capacity
    • Tier III: Concurrently Maintainable
    • Tier IV: Fault-Tolerant

1.3 Understand Security Concepts Relevant to Cloud Computing

Cryptography basics

  • Plaintext – unencrypted readable text
  • Ciphertext – data that is encrypted
  • Encryption – turns plaintext into ciphertext
  • Decryption – turns ciphertext into plaintext
  • Cryptographic key – element to be kept secret. Keeps confidentiality.
  • Work factor – time and resources to decrypt without the key. Brute force.
  • Key space – Number of possible keys that exist for a cryptosystem. Product of key length.
  • Initialization vector – random data appended to plaintext before encryption to obscure ciphertext.

Symmetric encryption – same key encrypts and decrypts. Shared key. Fast. Only provides confidentiality. Does not scale well. Requires out of band communication.

Total keys needed for N users: (N * (N-1)) / 2 = Total Keys

Asymmetric encryption – two keys. Can provide confidentiality and/or nonrepudiation depending on how it’s used. Often combined with hashing for integrity.

Losing encryption keys is bad and potentially expensive.

Key escrow – paid services to keep protected copies of keys.

Not a good idea to store keys with the ciphertext. This is difficult in the cloud.

Key management in the cloud:

  • Provider has both the keys and the data. They have the ability to decrypt.
  • Customer generates keys (Bring your own key). Customer retains control of data, but technically more difficult.
  • Third party. Cloud access security broker (CASB)
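As an added example (not from the original notes), the following Python script shows the “customer generates keys” option above: envelope encryption, where the customer keeps a key-encryption key (KEK) and only a data key wrapped under that KEK is stored next to the ciphertext, so the provider holding the stored object alone cannot decrypt it. The cipher is a toy HMAC-SHA256 counter-mode construction chosen so the script needs only the standard library; a real deployment would use a vetted AEAD such as AES-GCM. It also illustrates the random initialization vector and the hash-based integrity tag mentioned earlier in this topic. All key material and the sample record are constructed for the example.

```python
import hashlib
import hmac
import os

# Toy authenticated stream cipher built from HMAC-SHA256 (demonstration only;
# a real system would use AES-GCM or another vetted AEAD). It exists so this
# example runs with the standard library alone.
IV_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Derive separate encryption and integrity keys from one master key.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Counter-mode keystream: the random IV makes each ciphertext different
    # even when the same plaintext is encrypted twice under the same key.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(IV_LEN)
    ks = _keystream(_subkey(key, b"enc"), iv, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # A keyed hash over IV + ciphertext gives the integrity check.
    tag = hmac.new(_subkey(key, b"mac"), iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ciphertext, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), iv, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def customer_store(customer_kek: bytes, plaintext: bytes) -> dict:
    # Envelope encryption: a fresh data-encryption key (DEK) protects the object,
    # and only the DEK wrapped under the customer-held KEK is stored alongside
    # the ciphertext. The KEK itself never leaves the customer.
    dek = os.urandom(32)
    return {
        "ciphertext": encrypt(dek, plaintext),
        "wrapped_dek": encrypt(customer_kek, dek),
    }


def customer_read(customer_kek: bytes, stored: dict) -> bytes:
    dek = decrypt(customer_kek, stored["wrapped_dek"])
    return decrypt(dek, stored["ciphertext"])


def provider_can_read(stored: dict, guessed_kek: bytes) -> bool:
    # What a party holding only the stored object can do without the real KEK.
    try:
        customer_read(guessed_kek, stored)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    kek = os.urandom(32)  # generated and kept by the customer (bring your own key)
    obj = customer_store(kek, b"customer record #1 (constructed sample)")
    print(customer_read(kek, obj))
    print("provider can read without KEK:", provider_can_read(obj, os.urandom(32)))
```

The stored object is exactly what lands in the provider’s storage: ciphertext plus a wrapped key, which is why it is safe to keep them together here but not safe to store the unwrapped key with the ciphertext.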

Identity and Access Management (IAM)

  • Also called IAAA
    • Identification – Knowing a particular subject. User IDs. Not confidential.
    • Authentication – Confirm a subject. Usually a password
    • Authorization – granting access to a subject based on authenticated identity
    • Accountability – means of knowing which subjects conducted transactions. Logs.
  • Or IdM: identity management

Provisioning – Create credentials and accounts

Management – Review access to resources

Deprovisioning – Remove access. Terminations, resignations, changing roles. Avoid permission creep.
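Added example, not part of the original notes: a small Python identity store that walks through the four IAAA functions (identification by user ID, password authentication, permission-based authorization, and an audit log for accountability) together with the provisioning, management and deprovisioning steps above. The roles, permissions and account names are constructed for the example. The change_role method deliberately keeps the old role’s grants, so that the access review in review_access can show what permission creep looks like and revoke_excess can remove it.

```python
import hashlib
import hmac
import os

# Constructed role-to-permission mapping for this example.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write"},
    "auditor": {"repo:read", "logs:read"},
}

PBKDF2_ROUNDS = 100_000


class IdentityStore:
    """Minimal IAAA model: identification (user id), authentication (password),
    authorization (permissions), accountability (audit log)."""

    def __init__(self):
        self.accounts = {}
        self.audit_log = []  # accountability: who did what, and whether it succeeded

    def _log(self, action, user_id, detail, outcome):
        self.audit_log.append((action, user_id, detail, outcome))

    def provision(self, user_id, password, role):
        # Provisioning: create the account with a salted password hash and the
        # permissions of its starting role.
        salt = os.urandom(16)
        self.accounts[user_id] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "role": role,
            "permissions": set(ROLE_PERMISSIONS[role]),
            "active": True,
        }
        self._log("provision", user_id, role, True)

    def authenticate(self, user_id, password):
        acct = self.accounts.get(user_id)
        if acct is None or not acct["active"]:
            self._log("authenticate", user_id, None, False)
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        ok = hmac.compare_digest(candidate, acct["hash"])
        self._log("authenticate", user_id, None, ok)
        return ok

    def authorize(self, user_id, permission):
        acct = self.accounts.get(user_id)
        ok = bool(acct and acct["active"] and permission in acct["permissions"])
        self._log("authorize", user_id, permission, ok)
        return ok

    def change_role(self, user_id, new_role):
        # Deliberately models the common mistake: the new role's permissions are
        # added but the old role's are never removed. This is permission creep.
        acct = self.accounts[user_id]
        acct["role"] = new_role
        acct["permissions"] |= ROLE_PERMISSIONS[new_role]
        self._log("change_role", user_id, new_role, True)

    def review_access(self):
        # Management: report every permission an active user holds beyond
        # what their current role grants.
        excess = {}
        for user_id, acct in self.accounts.items():
            extra = acct["permissions"] - ROLE_PERMISSIONS.get(acct["role"], set())
            if acct["active"] and extra:
                excess[user_id] = extra
        return excess

    def revoke_excess(self):
        for user_id, extra in self.review_access().items():
            self.accounts[user_id]["permissions"] -= extra
            self._log("revoke", user_id, sorted(extra), True)

    def deprovision(self, user_id):
        # Deprovisioning: disable the account and strip every permission, so
        # neither authentication nor authorization can succeed afterwards.
        acct = self.accounts[user_id]
        acct["active"] = False
        acct["permissions"] = set()
        self._log("deprovision", user_id, None, True)
```

Run review_access on a schedule and treat any non-empty result as a finding: a user who moved from developer to auditor should not still hold repo:write.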

Data sanitization – Covered in Topic 2.7

Network Security

  • Segmentation – Physically or logically
  • Virtualized version of segmentation for cloud: Security Groups
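Added example (not from the original notes) of how security groups act as the virtualized segmentation described above: a Python evaluator for a constructed two-tier design in which a web group accepts HTTPS from anywhere and a database group accepts database connections only from members of the web group. Group names, addresses and ports are all constructed. It models ingress rules only and treats any traffic without a matching rule as denied; real security groups also carry egress rules and are stateful.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source: str     # a CIDR, or "sg:<group>" to reference another security group


# Constructed two-tier design. The web tier is reachable from the internet on
# 443 only; the database tier accepts 5432 only from the web tier's group.
# Nothing allows SSH (22) from anywhere, so it is denied by default.
SECURITY_GROUPS = {
    "web": [Rule("tcp", 443, 443, "0.0.0.0/0")],
    "db": [Rule("tcp", 5432, 5432, "sg:web")],
}

# Which security group each instance (by private IP) belongs to.
INSTANCE_GROUPS = {
    "10.0.1.10": "web",
    "10.0.2.20": "db",
}


def _source_matches(rule: Rule, src_ip: str) -> bool:
    if rule.source.startswith("sg:"):
        # Group-to-group reference: membership, not address, decides.
        return INSTANCE_GROUPS.get(src_ip) == rule.source[3:]
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def is_allowed(src_ip: str, dst_ip: str, protocol: str, port: int) -> bool:
    """Security groups are default-deny allow lists: only an explicit matching
    ingress rule on the destination's group lets traffic through."""
    dst_group = INSTANCE_GROUPS.get(dst_ip)
    if dst_group is None:
        return False
    for rule in SECURITY_GROUPS.get(dst_group, []):
        if rule.protocol not in ("any", protocol):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        if _source_matches(rule, src_ip):
            return True
    return False


def segmentation_report(flows):
    # Evaluate (src, dst, protocol, port) flows against the design; useful for
    # checking intended segmentation before anything is deployed.
    return {flow: is_allowed(*flow) for flow in flows}


if __name__ == "__main__":
    flows = [
        ("203.0.113.5", "10.0.1.10", "tcp", 443),   # internet -> web HTTPS
        ("203.0.113.5", "10.0.2.20", "tcp", 5432),  # internet -> db, must be denied
        ("10.0.1.10", "10.0.2.20", "tcp", 5432),    # web -> db
        ("10.0.2.20", "10.0.1.10", "tcp", 22),      # db -> web SSH, no rule
    ]
    for flow, allowed in segmentation_report(flows).items():
        print(flow, "ALLOW" if allowed else "DENY")
```

The group reference ("sg:web") is the point of the example: the database tier trusts an identity (membership in the web group) rather than an address range, so moving or adding web instances does not require editing the database rules.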

Virtualization Security

  • Hypervisor security – access control for hypervisor

Container Security

  • Infrastructure the containers run on
  • Communications within a container
  • Communications between containers
  • Apps have integral security
  • Access control
  • Orchestration
  • Vulnerability scanning
  • Version control

Common threats

  • Data being managed/stored by someone who isn’t me.
  • Intercepted communications.
  • Cloud provider goes down.
  • Internet Service Provider goes down.
  • Another cloud customer accesses our data and systems.
  • Cloud provider abuses our trust.

1.4 Understand Design Principles of Secure Cloud Computing

Cloud Secure Data Lifecycle – See topic 2.1

Cloud based Business Continuity Disaster Recovery

  • Perspective 1 – Production is a traditional datacenter. The cloud is the backup environment.
  • Perspective 2 – Cloud native environment with a cloud backup environment.

Cost Benefit Analysis

  • Benefits:
    • Potential cost savings per user/seat
    • Speed of deploying new users/assets
    • Capital expenditure vs operational expenditure
    • Foster Technology adoption
    • Innovation not limited by technology
    • Access to capabilities not available or affordable at a smaller scale
    • Workforce is not tethered to a location
  • Costs
    • Loss of control, regulatory, vendor lock in, vendor lock out.
    • Loss of depreciation
    • Cost of migration
    • Recurring cost of maintaining the cloud
  • Functional Security Requirements
    • Portability: proprietary format, volume, bandwidth, contract terms
    • Interoperability: does it work how we need it to?
    • Vendor lock in: loss of portability. Lack of interoperability.
    • Vendor lock out: provider goes out of business.

1.5 Evaluate Cloud Service Providers

Customers can’t perform direct evaluation on a cloud provider

  • Not your property
  • Other customers/tenants don’t want to be exposed to your inspection

Rely on 3rd party audit reports
