
CCSP 2019 - Cloud System Architecture Design


2/22/2021 CCSP 2019: Cloud System Architecture Design Transcript

CCSP 2019: Cloud System Architecture Design


Cloud services vary in size and complexity, and deployed architecture carries a direct impact on service and data asset security. In this 15-video
course, learners explore aspects of cloud computing architectural design, along with associated cloud systems and components. Begin by looking at
cloud component definitions and various cloud system participants: consumers, providers, partners, auditors, and regulators. Next, view operational
characteristics of cloud computing: on-demand, self-service, broad network access, multi-tenancy, rapid elasticity and scalability, resource pooling,
and measured service. Look at supporting architectural components and infrastructure of cloud computing such as virtualization and storage. Examine
details of Cloud Computing Activities with reference to ISO/IEC 17789, clause 9. Learn how cloud service categories are based on supported services
and capabilities such as application, platform, and infrastructure capability types, and examine cloud deployment categories and models. Learn about
the responsibility of cloud services between customers and providers. Explore the impact of technologies such as machine learning, and examine
business requirements and contracts and aspects of vendor and contract management. A final exercise covers supply chain management. This course
will help a learner prepare for the (ISC)2 Certified Cloud Security Professional (CCSP) exam.

Objectives
discover the key concepts covered in this course
define and describe cloud components
define cloud system participants - consumers, providers, partners, auditors, and regulators
outline the operational characteristics of cloud computing such as on-demand self-service, broad network access, multi-tenancy, rapid elasticity
and scalability, resource pooling, and measured service
outline the supporting architectural components and infrastructure of cloud computing such as virtualization, storage, networking, databases,
and orchestration
detail Cloud Computing Activities with reference to ISO/IEC 17789, Clause 9
define how cloud services are categorized based on supported services and capabilities such as application capability types, platform capability
types, and infrastructure capability types
describe the industry-defined standard categories of cloud computing such as Software as a Service, Infrastructure as a Service, and Platform as
a Service
describe the responsibility of cloud services between customers and providers
recognize the impact of technologies such as machine learning, artificial intelligence, blockchain, Internet of Things, containers, and quantum
computing
describe business requirements such as Service Level Agreement, Master Service Agreement, Statement of Work, and stakeholders
differentiate between vendor and contract management, including right to audit, metrics, definitions, termination, litigation, assurance,
compliance, access to cloud/data, and cyber risk insurance
describe the significance of surfacing the Supply Chain with reference to cloud-hosted application software
summarize the key concepts covered in this course

Table of Contents
file:///C:/Disk D/CISM_CISSP_CIS_CCSP/CCSP/1. Cloud System Architecture Design Transcript.html 1/15

1. Course Overview
2. Cloud Computing Definitions
3. Cloud Computing Participants
4. Cloud Computing Characteristics
5. Cloud Computing Infrastructure
6. Cloud Computing Activities
7. Cloud Computing Service Capabilities
8. Cloud Deployment Categories and Models
9. Cloud Shared Responsibility
10. Impact of Related Technologies
11. Business Requirements
12. Contract and Vendor Management and Assessment
13. Supply Chain Management
14. Course Summary

Course Overview
[Video description begins] Topic title: Course Overview [Video description ends]

Hi, I'm Dan Lachance.

[Video description begins] Your host for this session is Dan Lachance . He is an IT trainer and consultant. [Video description ends]

I've worked in various IT roles since the early 1990s, including as a technical trainer, a programmer, a consultant, and an IT tech author and
editor. I've held and still hold IT certifications related to Linux, Novell, Lotus, CompTIA, and Microsoft. Some of my specialties over the years have
included networking, IT security, cloud solutions, Linux management, and configuration and troubleshooting across a wide array of Microsoft
products.

CCSP or Certified Cloud Security Professional proves to the world that you have the cloud security skills necessary to use the best practices and
guidelines set out by (ISC)² to properly design, manage, and secure applications, infrastructure, and data in the cloud.

Cloud services vary in size and complexity. And the deployed architecture has a direct impact on cloud service and data security. In this course, I'll
explore key aspects of cloud computing architectural design and associated cloud systems and cloud components. Some of the specific topics covered
will include cloud computing definitions, cloud computing participants such as consumers, providers, partners, auditors, regulators.

We'll also take a look at cloud computing operational characteristics, key cloud computing infrastructure components. We'll take a look at cloud
computing activities and computing services capabilities. And then we'll take a look at industry defined standard categories of cloud computing. Such
as software as a service, SaaS, infrastructure as a service, IaaS, and platform as a service, PaaS. We'll then take a look at cloud shared responsibility
considerations. And finally, I'll discuss the impact of technologies. Such as machine learning, artificial intelligence, blockchain, Internet of Things,
containers, and quantum computing.


Cloud Computing Definitions


[Video description begins] Topic title: Cloud Computing Definitions. Your host for this session is Dan Lachance . [Video description ends]

In a general sense, you could say that cloud computing uses technology that's been around for a while in a different way than it was used previously.
And so to clarify that, we need to go through some cloud computing definitions. The first of which is on-premises. When we talk about an on-
premises IT infrastructure, we're talking about the technology, the equipment, and the services that are running on the customer network.

An organization's private network running on their own equipment. As opposed to running on cloud infrastructure which is owned and managed by
the cloud service provider and then accessed by customers over a network. Because cloud service providers have so many clients, in other words,
cloud tenants, they can afford to offer their services at a discounted price to cloud customers. Because things are cheaper in bulk on a larger scale.

So the cloud tenants or customers would be paying a monthly subscription cost along with cloud service usage fees. So the more that they use in the
cloud, such as cloud storage, or the longer they have cloud virtual machines running, the more the cloud customer pays. The other thing to bear in
mind is that on-premises, if an organization wants to deploy a new IT infrastructure, that is considered a capital expenditure. It's a large cost to acquire
all of the hardware to support those IT systems.

Capital expenditures are referred to as capex. Now in the cloud, you could call it an operating expenditure. Because the cloud provider is responsible
for acquiring all the hardware and making that large up-front investment. The cloud customer simply pays for the monthly usage of the cloud services
running on that infrastructure. And so you call that opex, for operating expenditure. The cloud also uses hypervisors. Hypervisors can also be used
without cloud computing. There are two types of hypervisors, Type 1 and Type 2.

Now we'll dive into Type 1 and Type 2 hypervisors in a moment, but let's first talk about some different types of virtualization. So we know that we've
got Type 1 and Type 2 hypervisors. The hypervisor is the operating system that actually runs virtual machines. But we also have application
virtualization. You can virtualize an app, such as running it within a container environment, so it's isolated from other processes running on a host. Of
course, hypervisors support operating system virtualization.

We also have desktop virtualization, where client devices would make a network connection to a central server that hosts their user desktop interface.
It's all hosted on a central server environment. A Type 1 hypervisor is one that runs directly on physical hardware. So it is the operating system. It can
sometimes be called the bare metal hypervisor because it runs directly on the hardware.

It offers better performance and stability than a Type 2 hypervisor that we'll describe in a moment. And Type 1 hypervisors are what you'll see in use
at the enterprise level, such as with cloud service providers. Examples of Type 1 hypervisors would include products like Microsoft Hyper-V,
VMware ESXi, and Citrix XenServer.

Now, Type 2 hypervisors run within the operating system. In other words, they are an application that runs on top of an existing multipurpose OS.
This means that any problems with the OS can affect the hypervisor in a bad way. And OS performance issues can also affect virtual machines
running in that environment. So Type 2 hypervisors then are better suited for small scale use, such as on developer stations or IT technician stations
for testing purposes.


Examples of Type 2 hypervisors would include products such as VMware Fusion, VMware Workstation, and Oracle VM VirtualBox. Now with
operating system virtualization, we're talking about virtual machines running on a hypervisor where each virtual machine is allocated virtual
hardware. Such as a certain number of virtual CPUs, central processing units, one or more virtual network interface cards, a certain amount of RAM,
and so on.

So the operating system or OS, then runs within the virtual machine. This means that we get overall better physical hardware utilization when we
have multiple virtual machines running on one hypervisor than having physical servers that might remain idle for part of the time. So they don't really
use the hardware efficiently. So many virtual machines then, of course, can run on a single hypervisor at the same time.

Now this terminology is important not only if you are using the services of a public cloud provider over the Internet, but even if you are working in a
private cloud that is owned and managed by a single organization, the terminology still remains the same.

Cloud Computing Participants


[Video description begins] Topic title: Cloud Computing Participants. Your host for this session is Dan Lachance . [Video description ends]

Cloud computing involves a number of different stakeholders or participants. One of which is the customer, otherwise called a tenant. Now there
could be multiple tenants whose services and data are kept isolated from one another even within the same cloud service provider. So the cloud
service provider or the CSP can come in a variety of forms. There is a private cloud service provider.

A private cloud really means that we've got the characteristics of cloud computing. Such as user self-provisioning of services, metered usage, and so
on, that is available only to a single organization. So the cloud infrastructure is managed and used by one company essentially.

But then we've got, of course, what most of us are used to a public cloud service provider, available from companies such as Google through Google
Cloud Platform. Or Amazon Web Services, Microsoft Azure, IBM Cloud, to name just a small subset of what's actually available online. So public
cloud service providers then make their service offerings available potentially to anyone that has a connection to the Internet.

So we know that we've got cloud computing participants in the form of the tenant or subscriber, and the CSP, cloud service provider. But then on a
larger scale, in larger enterprises, we've also got cloud computing resellers. Cloud computing resellers, like the name implies, would be available to
larger organizations that are seeking specific types of IT computing services in the cloud environment.

And the cloud computing reseller would then find those services that meet organizational needs and make them available to the customer. Then there's
the cloud services broker. So this is normally a company or a third-party entity of some kind that would take a look at multiple cloud service providers
in the backend to find the absolute best match for organizational needs. Then there's a cloud backup service provider.

Again, this is another organization or another third party entity that makes backup service provisions available to cloud customers over the Internet.
So specifically for the backup and the safeguarding of data. So they assume some of the responsibility. Customers, in other words, transfer some of
the risk of storing offsite backups in the cloud to the cloud backup service provider. And finally, there's the cloud service auditor.

As the name implies, the cloud service auditor is an individual or a team that works together in order to audit the use of cloud computing services over
time. There might be a periodic review to make sure that things are performing properly, that cloud resources are being used efficiently, and that
compliance with laws and regulations is being adhered to, and so on.

Cloud Computing Characteristics


[Video description begins] Topic title: Cloud Computing Characteristics. Your host for this session is Dan Lachance . [Video description ends]

There are a number of characteristics that really define cloud computing. Just because you're using virtualization, for example, on premises, if you've
got hypervisors hosting virtual machines, that doesn't constitute a cloud. There's more to it than that. The first characteristic is resource pooling.
Followed by self-provisioning, rapid elasticity, metered usage, and broad access. We're going to dive into each and every one of these cloud
computing characteristics in more detail. So let's start with resource pooling. What are we talking about?

We are talking about the underlying infrastructure. So the networks, the storage arrays, the physical servers that run virtual machines. All of that
infrastructure is provided by the cloud service provider, CSP. And due to economies of scale, that means having so many cloud customers that the
cloud service provider can afford to offer the use of these services at a discounted cost to the consumer, to the cloud customer. The self-provisioning
characteristic simply means that quick access to cloud computing services is available to cloud customers.

They can self-provision their own resources as they need them or de-provision them when they no longer need them. This can be done using
command line tools, or using graphical user interface or GUI tools. The next cloud computing characteristic is rapid elasticity. This allows for quick
resource provisioning or de-provisioning. Horizontal scaling, for example, means scaling in and scaling out.

Scaling in means removing virtual machines, for example, to support an application. Whereas scaling out means adding additional virtual machine
nodes to support a busy application. Vertical scaling comes in the form of scaling up and scaling down. Where scaling up means on an individual
virtual machine level in the cloud adding more underlying horsepower. Maybe adding more virtual CPU cores or adding more RAM. Where scaling
down means removing those items since they might not be needed.

Now, the more horsepower you have as you scale up means the more cost you incur for that virtual machine. Metered usage is often simply referred to
as pay-as-you-go. It means that your cloud computing charges are based on resource consumption. So the more you use, the more you pay. Kind of
like water or electricity. So you can shut down or disable or remove cloud resources that you are not using.

For example, if you're being charged by the second while a virtual machine is running in the cloud, shutting it down when you no longer require it
means you are saving on cloud computing costs. The broad access cloud computing characteristic means that cloud services are accessible over a
network. So you don't have to have it running on your local machine.

Now, that could be a private network, in the case of a private cloud computing environment. Or it could be over a public network such as the Internet
when it comes to public cloud service providers. This means that we can use any type of device to make a connection over the network to the cloud
services.

So whether it's an IoT device that makes a connection to a cloud service, where an IoT or Internet of Things device could be something as simple as a
baby monitor reporting metrics to a centralized location in the cloud. Or it could be a smart medical device that reports data to the cloud centrally
about a patient's vital statistics.


We also have manufacturing devices that might make a connection over a network to cloud computing services. And of course in the standard
corporate environment, devices like laptops, tablets, and smartphones. So when all of these characteristics are met, then we can correctly say that
cloud computing is being used.
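The rapid elasticity and metered usage characteristics described in this section come together in an autoscaling policy. The following is an added example, not part of the course material: a horizontal autoscaler (scale out and scale in) with hysteresis between its thresholds and a cooldown, followed by a pay-as-you-go cost estimate. The thresholds, node limits, per-second price and the sample utilization series are all constructed for illustration.

```python
"""Horizontal autoscaling with hysteresis, plus a pay-as-you-go cost estimate.

Added example, not from the course; thresholds, prices and the sample metric
series are constructed for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ScalePolicy:
    min_nodes: int = 2             # availability floor: never scale in below this
    max_nodes: int = 10            # hard cap: bounds the bill and the blast radius
    scale_out_above: float = 0.70  # average utilization that triggers scale-out
    scale_in_below: float = 0.30   # average utilization that triggers scale-in
    cooldown_s: int = 300          # ignore the metric this soon after an action


def decide(current_nodes: int, avg_util: float, since_last_action_s: int,
           policy: ScalePolicy) -> int:
    """Return the desired node count for one evaluation tick.

    The gap between the two thresholds (hysteresis) stops a load that hovers
    near one threshold from flapping nodes in and out; the cooldown gives
    freshly added nodes time to absorb load before the metric is trusted again.
    """
    if not 0.0 <= avg_util <= 1.0:
        raise ValueError("utilization must be a fraction in [0, 1]")
    if since_last_action_s < policy.cooldown_s:
        return current_nodes
    if avg_util > policy.scale_out_above:
        # Size so utilization returns to the midpoint between the thresholds,
        # but always add at least one node.
        target = (policy.scale_out_above + policy.scale_in_below) / 2
        wanted = math.ceil(current_nodes * avg_util / target)
        return min(policy.max_nodes, max(current_nodes + 1, wanted))
    if avg_util < policy.scale_in_below:
        # Scale in one node at a time so a burst right after does not find the pool empty.
        return max(policy.min_nodes, current_nodes - 1)
    return current_nodes


def metered_cost(node_seconds: int, price_per_node_second: float) -> float:
    """Pay-as-you-go: charges accrue only for node-seconds actually running."""
    return round(node_seconds * price_per_node_second, 4)


def simulate(utilization_samples, policy: ScalePolicy,
             price_per_node_second: float, tick_s: int = 60):
    """Replay a metric series; return (node count per tick, total cost)."""
    nodes = policy.min_nodes
    since_action = policy.cooldown_s   # start out eligible to act
    node_seconds = 0
    history = []
    for util in utilization_samples:
        new_nodes = decide(nodes, util, since_action, policy)
        since_action = 0 if new_nodes != nodes else since_action + tick_s
        nodes = new_nodes
        node_seconds += nodes * tick_s
        history.append(nodes)
    return history, metered_cost(node_seconds, price_per_node_second)


# Constructed metric series: a short spike, then a long idle period.
SAMPLE_UTIL = [0.5, 0.9, 0.9, 0.2, 0.2, 0.2, 0.2, 0.2, 0.2, 0.2]

if __name__ == "__main__":
    hist, cost = simulate(SAMPLE_UTIL, ScalePolicy(), price_per_node_second=0.0001)
    print("nodes per tick:", hist)
    print("cost for the window:", cost)
```

Running the sample shows the pool jump from 2 to 4 nodes on the spike, hold through the cooldown, then step down one node at a time once the cooldown expires; the cost line is the metered-usage point made concrete, since idle nodes that are never scaled in keep billing.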

Cloud Computing Infrastructure


[Video description begins] Topic title: Cloud Computing Infrastructure. Your host for this session is Dan Lachance . [Video description ends]

Cloud computing infrastructure is referred to as Infrastructure as a Service, or IaaS. This is a collection or a pool of cloud service provider resources
that are made available to cloud computing customers. Where the resources might involve virtual machines running on physical hypervisor servers,
storage, or also networking components, network configurations available to cloud customers.

Now, this is available to cloud customers so that they can rapidly provision these items as they need them, or remove them, or de-provision them,
when they no longer need them to save on cloud computing costs. However, the cloud computing infrastructure is the responsibility of the cloud
service provider. Service level agreements, or SLAs, will offer the specifics about things like virtual machine guaranteed uptime, and storage
availability, and so on. Cloud virtualization is important. Cloud computing depends on virtualization at many levels, including desktop virtualization,
where user desktops are accessible from user devices over a network from a centralized server.

Operating system virtualization, where virtual machines are running on cloud provider hypervisor hardware. And also application virtualization, in
other words, using things like application containerization to isolate application components from other running components on a system. All of this
is considered cloud virtualization. And when we talk about operating system virtualization with the virtual machines, we are talking about
infrastructure.

Cloud storage is also infrastructure, where we have to determine the physical location of where cloud data is actually being stored or replicated to. So
the physical region, and that might be required in order to remain compliant with regulations where we might need to control the fact that data needs
to reside within national boundaries, as an example.

Cloud storage would include the storage of files, or the deployment of databases in the cloud, or even the use of message queues by developers, which
are used to exchange messages between software components. Cloud infrastructure also includes networking. Things that you might normally be
familiar with configuring already with your own on-premises network, things like routing table entries to control network traffic flow.

The definition of virtual networks, such as configuring VLANs within a network switch, or configuring firewalls to control which traffic is allowed or
not allowed into networks and hosts. All of this is also configurable in the cloud, it's all configured as cloud infrastructure as a service. Now, VPN
connectivity is also an option whether you're linking an entire on-premises network to the cloud, so a site-to-site VPN through an encrypted tunnel. Or
whether you have individual client devices, maybe for users working from home or traveling, that need secured connectivity to the cloud, again,
through an encrypted tunnel.

So that is available. Now, all of this configuration can be done through what's called software defined networking, or SDN. Software defined
networking means that the underlying technical intricacies and complexities of how to configure a Cisco switch versus a Juniper network switch for
virtual networks and so on, are hidden from the customer. The customer uses easy to use command line tools or GUI interfaces to configure their virtual
firewall settings, and virtual networks, and routing table entries. And the underlying equipment is configured using the user settings.

Cloud orchestration is another important part of the overall cloud infrastructure. Now, what do we mean when we say orchestration? One thing that
we're talking about here is automation. Automation includes the use of templates. Now, templates can contain the definition of cloud resources that
are to be deployed, in other words created, or even modified in some way. And so that can help automate the deployment or the modification of
resources, especially if you have to do it on a large scale to many resources.

Same is true of command line tools. We can use command line tools or even put those commands in scripts so we can reuse scripts to deploy or
manage cloud resources. And even use what are called runbooks, essentially workflows of different events that will fire off in order to deploy or
manage cloud resources. The other aspect of cloud orchestration beyond automation is integration. When we talk about integration, we're talking
about hooking into cloud resources in some way to integrate them with other environments.

Whether that's at the programmatic level through APIs, application programming interfaces, or through the use of third-party components. There are
many companies that make software components that allow you to link, for example, your on-premises IT systems to a variety of cloud solutions.
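The infrastructure knobs this section lists (firewall rules, routing table entries, and the regions where data is stored or replicated) are exactly what a template-driven deployment lets you check before anything is created. The following is an added example, not from the course: a small pre-deployment audit over a provider-neutral template. The template layout, the "internet-gateway" route target name, the admin-port list and the allowed-region set are all assumptions constructed for the example, not any provider's real schema.

```python
"""Audit a cloud infrastructure template before it is deployed.

Added example, not from the course. The template is a constructed, provider-neutral
dictionary shaped like what IaC tools emit; the checks cover the three IaaS knobs the
topic mentions: firewall rules, routing table entries and the regions where data lives.
"""
import ipaddress

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}
INTERNET_TARGET = "internet-gateway"  # assumed next-hop name for the public route


def world_reachable(source: str) -> bool:
    """True when a source CIDR is the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def admin_ports_in(rule: dict) -> list:
    lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
    return [p for p in ADMIN_PORTS if lo <= p <= hi]


def audit_firewalls(template: dict) -> list:
    """Flag admin ports reachable from anywhere; 443 to the world is expected for a web tier."""
    out = []
    for fw in template.get("firewalls", []):
        for rule in fw.get("ingress", []):
            if rule.get("protocol", "tcp") not in ("tcp", "any"):
                continue
            if not world_reachable(rule["source"]):
                continue
            for port in admin_ports_in(rule):
                out.append((fw["name"], f"{ADMIN_PORTS[port]} {port}/tcp open to {rule['source']}"))
    return out


def audit_routes(template: dict) -> list:
    """A route table declared private must not carry a default route to the internet gateway."""
    out = []
    for rt in template.get("route_tables", []):
        if not rt.get("private"):
            continue
        for route in rt.get("routes", []):
            if route["destination"] in ("0.0.0.0/0", "::/0") and route["target"] == INTERNET_TARGET:
                out.append((rt["name"], f"private route table has default route via {INTERNET_TARGET}"))
    return out


def audit_residency(template: dict, allowed_regions: set) -> list:
    """Primary region and every replica must stay inside the allowed boundary."""
    out = []
    for store in template.get("storage", []):
        for region in [store["region"], *store.get("replicas", [])]:
            if region not in allowed_regions:
                out.append((store["name"], f"data placed in {region}, outside {sorted(allowed_regions)}"))
    return out


def audit_template(template: dict, allowed_regions: set) -> list:
    return (audit_firewalls(template) + audit_routes(template)
            + audit_residency(template, allowed_regions))


# Constructed sample template: one bad firewall rule, one leaky private route table,
# and a database whose replica lands outside the allowed residency boundary.
SAMPLE_TEMPLATE = {
    "firewalls": [
        {"name": "web-sg", "ingress": [
            {"protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
            {"protocol": "tcp", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
            {"protocol": "tcp", "from_port": 22, "to_port": 22, "source": "10.0.0.0/8"},
        ]},
    ],
    "route_tables": [
        {"name": "rt-private", "private": True, "routes": [
            {"destination": "10.0.0.0/16", "target": "local"},
            {"destination": "0.0.0.0/0", "target": "internet-gateway"},
        ]},
        {"name": "rt-public", "private": False, "routes": [
            {"destination": "0.0.0.0/0", "target": "internet-gateway"},
        ]},
    ],
    "storage": [
        {"name": "customer-db", "region": "eu-central", "replicas": ["eu-west", "us-east"]},
    ],
}
EU_ONLY = {"eu-central", "eu-west"}

if __name__ == "__main__":
    for resource, issue in audit_template(SAMPLE_TEMPLATE, EU_ONLY):
        print(f"{resource}: {issue}")
```

The check runs against the declared template, so it can gate a pipeline before the orchestration layer touches any provider API; the same three findings would be far more expensive to discover after the resources exist and hold data.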

Cloud Computing Activities


[Video description begins] Topic title: Cloud Computing Activities. Your host for this session is Dan Lachance . [Video description ends]

To effectively use cloud computing services at the enterprise level requires a lot of experts working together. And so one of the cloud computing roles
that applies in that case would be the cloud planner. Cloud planning is important as is ongoing cloud management after the planning has been put in
place, so after it's been implemented. Now the ISO/IEC documentation for 17789 is an international standard related to cloud computing activities and
the related roles. So let's talk about those roles and the activities related to them.

Starting with the cloud architect role. The cloud architect is one person or a team of persons that have expertise in the specific cloud platform that will
be used. Whether it's Amazon Web Services, IBM Cloud, Microsoft Azure, Google Cloud Platform, Rackspace, and so on. Now risk management is
also an important part of architecting a cloud solution.

There are many aspects of risk, one of which is through outsourcing. Because with cloud computing, you are outsourcing part of the responsibility
such as for the underlying infrastructure to make sure it's up and running, and secured properly. You're outsourcing that risk or transferring that risk to
the cloud service provider. And so this has to be accounted for.

Then there's legal and regulatory compliance. You might have certain rules that you must abide by in the treatment of data, and where it's stored, and
how it's stored, such as whether or not it's encrypted. Then there is the deployment and the migration planning. So the migration planning, of course,
would determine any on-premises IT services that we might want to move into the cloud or migrate into the cloud.

And there are a variety of ways that that could be done. In some cases, if you're lucky, some on-premises IT services might require little to no
modification to run them in the cloud. Otherwise, they might have to be essentially completely rebuilt. That's part of migration planning. The cloud
administrator implements the cloud design as architected by the cloud architect team and provides ongoing support maintenance where applicable.

Now a managed cloud service is one where the underlying infrastructure configuration is handled by the cloud service provider. So imagine, for
example, that you're deploying a managed cloud database with your cloud service provider. What that means is that the underlying virtual machines

are handled by the cloud service provider. You don't have to specifically configure those and create them. And also, the database software is already
installed, and configured, and ready to go. That's a managed service.

The opposite is an unmanaged service, where you have to do everything. And so that's an important aspect of cloud administration. The cloud
application architect deals with application design, software design, and deployment within a cloud computing environment. And that means that the
cloud architect will use cloud components that adhere to the SDLC, the software development life cycle. Which is a phased approach from the
inception of the design of an app all the way through to the development of it, the testing, the deployment, and the ongoing maintenance.

And of course, the eventual decommissioning of that solution over time. So security must be accounted for at all SDLC phases because it's quite
expensive to fix security issues, after the fact, instead of simply integrating it in all SDLC phases. The cloud developer can also use continuous
integration and delivery tools in the cloud environment, otherwise called CI/CD tools.

This means that they could have their software builds and testing done directly within the cloud computing environment to expedite how quickly
software updates, or fixes, or even software deployments for brand new software are made available to the consumers of that software solution. The
cloud data architect is more interested in the data aspect of cloud computing. Ensuring that data privacy laws and regulations are adhered to, and that
data is backed up in accordance with organizational requirements, and retained over time as required.

Cloud Computing Service Capabilities


[Video description begins] Topic title: Cloud Computing Service Capabilities. Your host for this session is Dan Lachance . [Video description ends]

Cloud computing provides customers with a variety of ways in which they can configure their cloud services. The first way is manual configuration,
where the customer is responsible for the underlying virtual infrastructure. So for example, if we were deploying a database solution in the cloud with
manual configuration, it means the customer would be responsible for configuring the virtual machines that would support the database software, then
getting the database software installed and configured and up and running.

And ultimately getting the database solution up and running on that platform. So there's much more configuration flexibility but at the same time, it's
much more responsibility in this case for the cloud customer, and it takes more time to get the database solution deployed. Now, that's in opposition to
a managed service where the underlying infrastructure is the responsibility of the cloud service provider, the CSP.

Now this means of course quicker deployment, but at the same time less configuration flexibility for the cloud customer. Another aspect of cloud
computing service capabilities is sizing. With sizing, for example for a virtual machine, we can add storage, we can add memory (RAM), we can add
more virtual CPU processors; each of these items is listed here in the diagram. When you add more of these items, you are increasing the cost, and
this is vertical scaling in the sense of scaling up. We can also scale down.

You might have added too many resources, for example to a virtual machine to support a workload where it doesn't need that much horsepower.
So in that case, you would be paying unnecessarily for the charges for that increased horsepower, so you could size it down. So that would be scaling
down vertically. The other thing to consider is the platform support. When we deploy cloud computing services, they will be based upon virtual
machines running either the Linux or the Windows operating system.


You can also determine whether those virtual machines use hard disk drive or magnetic traditional disk storage in the background or solid state drives
SSDs. SSDs provide better throughput at the disk I/O level. You also need to determine if you need to use big data analytics clustering.

So you have multiple virtual machines working together to perform complex tasks related, for example, to pharmaceutical or medical research or
weather forecasting or financial modeling. Load balancing can be used for applications so that incoming client requests are funneled through a single
entry point that then determines the least busy backend server to handle that client request.
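The load balancing described just above, a single entry point that sends each request to the least busy backend, is easy to get subtly wrong (routing to a node that failed its health check, or never freeing a slot when a request completes). The following is an added example, not from the course: a least-connections balancer with health-check awareness that fails closed when no backend is healthy. The backend names and the request trace are constructed for the example.

```python
"""Least-connections load balancing behind a single entry point.

Added example, not from the course. The backends and the request trace are
constructed; the balancer routes each request to the healthy backend with the
fewest requests in flight and refuses to route when none is healthy.
"""
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    healthy: bool = True
    in_flight: int = 0   # requests currently being handled
    served: int = 0      # lifetime requests routed here


class LeastConnectionsBalancer:
    def __init__(self, backends):
        if not backends:
            raise ValueError("need at least one backend")
        self.backends = {b.name: b for b in backends}   # insertion order preserved

    def pick(self) -> Backend:
        """Route one request: fewest in-flight wins, ties go to the first listed."""
        candidates = [b for b in self.backends.values() if b.healthy]
        if not candidates:
            # Fail closed: handing the request to a dead node only turns into client errors.
            raise RuntimeError("no healthy backends")
        chosen = min(candidates, key=lambda b: b.in_flight)
        chosen.in_flight += 1
        chosen.served += 1
        return chosen

    def done(self, name: str) -> None:
        """A request completed; free the slot so the count reflects real load."""
        backend = self.backends[name]
        if backend.in_flight == 0:
            raise ValueError(f"{name} has no request in flight")
        backend.in_flight -= 1

    def set_health(self, name: str, healthy: bool) -> None:
        """Record a health-check result; unhealthy nodes are skipped until they recover."""
        self.backends[name].healthy = healthy


def run_trace(backend_names, trace):
    """Replay a trace of events and return requests served per backend.

    Events: ("req",) routes one request; ("done", name) completes one on that
    backend; ("down", name) / ("up", name) record a health-check result.
    """
    lb = LeastConnectionsBalancer([Backend(n) for n in backend_names])
    for event in trace:
        kind = event[0]
        if kind == "req":
            lb.pick()
        elif kind == "done":
            lb.done(event[1])
        elif kind in ("down", "up"):
            lb.set_health(event[1], kind == "up")
        else:
            raise ValueError(f"unknown event {event!r}")
    return {n: b.served for n, b in lb.backends.items()}


# Constructed trace: three requests spread across the pool, b fails its health
# check, a completes one request and takes the next two, then b recovers.
SAMPLE_TRACE = [("req",), ("req",), ("req",), ("down", "b"), ("req",),
                ("done", "a"), ("req",), ("up", "b"), ("req",)]

if __name__ == "__main__":
    print(run_trace(["a", "b", "c"], SAMPLE_TRACE))
```

Replaying the sample trace gives a=3, b=2, c=1: b receives nothing while marked down, and the request that arrives after it recovers lands on b because it then has the fewest in flight. The in-flight counter is what makes this "least busy" rather than round robin; the health gate is what keeps a scaled-out pool from silently serving errors from a dead node.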

Cloud Deployment Categories and Models


[Video description begins] Topic title: Cloud Deployment Categories and Models. Your host for this session is Dan Lachance . [Video description
ends]

Before we talk about various cloud computing types, let's start by first defining what constitutes cloud computing. Cloud characteristics include
metered usage, this is also called pay-as-you-go. You are charged for the cloud resources that you use. Resource pooling means all of the underlying
IT infrastructure owned by the cloud service provider is pooled together and made available for cloud tenants.

Access from anywhere, often called broad network access, means that all of these services on the cloud service provider infrastructure are made
available over a network. Also, elasticity, which means that we can provision or deprovision resources as required, such as adding more storage space
in the cloud. Or reducing the number of virtual machines in a load balanced application solution. Self-provisioning means that the cloud customer has
an easy way to provision and deprovision cloud resources.

Whether it be through API programmatic calls using command line tools or even through really easy-to-use GUI interfaces. The public cloud is
accessible, potentially, to all Internet users that might want to sign up with that provider. And so the public cloud provider has worldwide geographic
locations where they have data centers and physical servers that run their services. So the cloud provider, then, is responsible for the IT hardware.

Private clouds are a little bit different because the infrastructure is accessible only to a single organization, hence, private. So the organization, then,
would own the hardware infrastructure and be responsible for managing it. However, it still adheres to all of the cloud characteristics that we outlined
at the beginning of this discussion. So self-provisioned, rapid elasticity of pooled IT resources.

It applies to public as well as private cloud types, and even others that we'll discuss. So private clouds are often used with departmental chargeback,
where within the organization, the usage is tracked per department. And each department is billed accordingly for their usage of the private cloud
resources. A hybrid cloud, as you might guess, is a combination of the best of both worlds, so what are those worlds? Well, you can combine on-premises
IT infrastructure and cloud components. So you could have on-premises IT infrastructure that isn't a private cloud that links to a public cloud
provider.

Or you could link in on-premises private cloud to a public cloud. Either way, it's considered to be a hybrid cloud computing type of environment. So
with a hybrid cloud environment, you would sometimes use this because you want to migrate on-premises IT systems and data to the cloud. And that
can take time, so you would be running, perhaps, both systems in parallel on-premises and in the cloud for a while, until you get to the cutover point
where you might run it only in the cloud.

Examples would include data that's stored on-premises that gets replicated or synchronized to the cloud. Or another example would be having a
hardware VPN on-premises that links the on-premises network to a cloud VPN appliance. A community cloud means that the same computing needs
are serviced across multiple tenants that have those same computing requirements. So the requirements, then, might include things like sensitive data
that is encrypted in a specific manner.

For regulatory compliance, which could also include controlling where data exists physically, where it's replicated to. And it also, for example, might
require that the data centers be managed by United States citizens in the case of some regulations that might be adhered to related to the United States.
We might also, in the US, have to use a community cloud solution that is FedRAMP compliant.

FedRAMP stands for Federal Risk and Authorization Management Program. Really, it's about government agencies using a standardized security
approach when cloud computing's going to be used for IT services. Now, cloud services come in many forms, whether it's deploying virtual machines
in the cloud, databases, websites, storage, just to name a few possibilities.

Infrastructure as a service, otherwise called IaaS, would include deploying things like virtual machines, cloud storage solutions, and cloud virtual
networks. All the type of infrastructure that you might normally deal with on-premises. Platform as a service or PaaS includes things like databases
that you might deploy into the cloud, whether they are SQL or NoSQL types of databases. Search facility solutions, cluster-based processing for more
complex data analysis requirements.

Programming components that developers might use, such as the creation or use of APIs and message queues to store messages between different
software components. These are all considered platform as a service. Then we have software as a service, otherwise called SaaS.

This is end-user productivity software that would also include interface tools for other infrastructure as a service items like cloud storage. It would
include things like cloud e-mail or cloud office productivity tools, such as presentation type of software or word processing and spreadsheet type of
software. Bear in mind that there are also variations on a theme. For example, you might sometimes see storage as a service represented as STaaS.
Essentially, anything in the cloud can be referred to as a service, such as DBaaS, database as a service.

Cloud Shared Responsibility


[Video description begins] Topic title: Cloud Shared Responsibility. Your host for this session is Dan Lachance . [Video description ends]

From the cloud customer's perspective, the use of cloud computing means outsourcing some of the risk and responsibility to the cloud service
provider. But all of the responsibility does not fall upon the cloud service provider. So let's have a discussion about cloud shared responsibility, and
how it might apply. In the case of a public cloud environment, the IT responsibility is split between the cloud customer and the cloud service provider,
depending on the specific cloud services being used.

So for example, if you are deploying a virtual machine manually in a public cloud environment, then the public cloud provider would be responsible
for ensuring that the underlying architecture, the infrastructure, is there to support creation and the running of that virtual machine. But the
management of the virtual machine, including applying software updates for security reasons, is entirely the responsibility of the cloud customer.

So in that case we have an example of shared responsibility between those two parties. So the other thing to bear in mind is that cloud service
offerings can also vary from one geographical region to another when it comes to public cloud providers. So the deployment of certain types of virtual
machines, for example, may be limited in one part of the world as opposed to others. And that can affect of course, the shared responsibility.

Shared responsibility for cloud computing also applies to private clouds. Now, from one perspective, all of the IT responsibility for the private cloud,
the infrastructure, supporting it and managing it, falls upon the organization. The organization that owns the private cloud. However, they can also use
departmental chargeback to charge based on usage for departments that have used cloud computing services within the private cloud environment.

But again, as per our previous example of deploying a virtual machine manually, if a department manager were to deploy a
virtual machine manually in a private cloud, he or she would be responsible for managing that virtual machine's configuration and updates. The
underlying infrastructure to support it, once again, would fall upon the responsibility of the private cloud service provider.

Infrastructure as a service, or IaaS, is what we've really been talking about when we talk about deploying a virtual machine manually. It
involves shared responsibility, but that also means that the cloud provider has to abide by the rules of the service level agreement, or the SLA, where
guaranteed uptime and network response time are related to virtual machines, other infrastructure as a service items like storage, and virtual network
connectivity as well. The cloud provider has a service level agreement that stipulates those details, so that the cloud customer can expect a certain level of
performance when using infrastructure as a service.

Impact of Related Technologies


[Video description begins] Topic title: Impact of Related Technologies. Your host for this session is Dan Lachance . [Video description ends]

Most technological solutions that would be available on-premises are also available from cloud providers. An example of this would be artificial
intelligence, or AI, which comes in many forms. It could include image processing or video processing, adding metadata tags related
to things like locations based on landmarks seen in pictures and videos, facial recognition, language analysis, and intelligent search capabilities.

The great thing about this is that it would come at a cheaper cost than having to set up the infrastructure on-premises to run these more advanced
technologies. Technology in the cloud also includes machine learning, otherwise called ML. This means that we've got a configuration where large
amounts of data are being processed so that we can gain insights from that that otherwise might not be visible.

So the result here is that machine learning can be used for predictive analysis of data. And it comes in the form of many different services from a
variety of different public cloud providers, including Microsoft Azure. So Microsoft Azure Machine Learning or Amazon Web Services, AWS
Machine Learning. Machine learning comes in many different forms.

Developers can access machine learning capabilities by writing code or by using GUI drag-and-drop canvas environments, where you can drag and
drop components and different data sources together to determine how that data will be manipulated, analyzed, and presented.

So you can use these tools to create machine learning models. The idea is to identify patterns to aid in forecasting of some type and to aid in decision-
making, whether it's related to finance, medical research, climate change, anything along those lines. Another type of technology that you'll find
available in the cloud is blockchain solutions. Blockchain essentially is a transaction record, a public transaction record, and each record or piece of
data is called a block, and they're all chained together.

So each block is linked to the previous one using data, such as the unique hash value that is generated for the previous block, the date and timestamp
of when the transaction occurred, and the data within the block, and the participants that are involved. So this blockchain public ledger, so to speak, is
publicly visible. But that's not to say that users' individual personal information about conducting some kind of a financial transaction is made
available, because it's not.

The most that would be visible would be things like digital signatures related to users that have gone through transactions or things like usernames.
Internet of Things, or IoT, is another type of technology you'll find in the cloud. IoT devices include things like water and pressure valves and gauges
that are used in utilities like water for municipalities. Also devices like baby monitors, smartphones, smart cars, medical equipment, all of this type of
device information can be fed into the cloud for further analysis.

The thing about Internet of Things devices is they are notorious for their lack of security in many cases. Especially when it comes to consumer grade
IoT devices. So the cheaper stuff that people might use at home, like baby monitors or IoT devices to monitor their hot water tank levels or to set
environmental controls and lighting within their homes. So security's just not a priority with these devices. In some cases, the firmware built into the
devices can't even be updated or configuration changes might not even be able to be made, so it depends on the devices.

So one thing that can be done from a security perspective is to place IoT devices on an isolated and secured network that would also include data that
might be fed into the cloud from IoT devices. Pictured on the screen, we see the Shodan IoT search engine where I've searched for home automation.
And we can see there are a number of home automation devices that are shown to be vulnerable to a directory traversal exploit.

That would be for the web server engine built into the firmware for those consumer grade IoT devices. Other technology solutions that you might
find in the cloud also include the use of application containers so that all of the components required for a specific application are within this isolated
boundary called a container.

So it's kept separate from other processes running on hosts. Then we have quantum computing, which really applies quantum physics to processing of
information. Where today's computing uses zeros and ones, binary bits to represent the state of something, quantum computing uses many more
possible states based on photons, electrons, or atoms.

And so as a result, it can run calculations, it can process information much quicker than today's computing solutions can. And many cloud service
providers are beginning the journey of implementing quantum computing solutions in their cloud computing service offerings.
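
The hash chaining described in this topic, as an added example that is not part of the course transcript. Each block carries the SHA-256 digest of the previous block along with its timestamp and transaction data, exactly the linkage the lecture describes; the sample ledger entries, the genesis block and the field layout are constructed for illustration and do not correspond to any real blockchain implementation.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

GENESIS_PREV = "0" * 64


@dataclass(frozen=True)
class Block:
    index: int
    timestamp: str   # date and time of the transaction, as the lecture describes
    data: str        # the transaction record itself
    prev_hash: str   # SHA-256 hex digest of the previous block
    digest: str      # SHA-256 hex digest of this block's own fields


def compute_digest(index: int, timestamp: str, data: str, prev_hash: str) -> str:
    # Canonical JSON encoding, so identical fields always hash to the same value.
    payload = json.dumps([index, timestamp, data, prev_hash], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def make_block(index: int, timestamp: str, data: str, prev_hash: str) -> Block:
    return Block(index, timestamp, data, prev_hash, compute_digest(index, timestamp, data, prev_hash))


def build_chain(records: List[Tuple[str, str]]) -> List[Block]:
    """Chain each record to the digest of the block before it, starting from a genesis block."""
    chain = [make_block(0, "2021-02-22T00:00:00Z", "genesis", GENESIS_PREV)]
    for timestamp, data in records:
        prev = chain[-1]
        chain.append(make_block(prev.index + 1, timestamp, data, prev.digest))
    return chain


def verify_chain(chain: List[Block]) -> bool:
    """True only if every digest is correct and every link points at its real predecessor."""
    for i, blk in enumerate(chain):
        if blk.digest != compute_digest(blk.index, blk.timestamp, blk.data, blk.prev_hash):
            return False
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].digest
        if blk.prev_hash != expected_prev:
            return False
    return True


def tamper(chain: List[Block], index: int, new_data: str, rehash: bool) -> List[Block]:
    """Edit one block's data. With rehash=True the editor also recomputes that block's digest."""
    old = chain[index]
    digest = compute_digest(old.index, old.timestamp, new_data, old.prev_hash) if rehash else old.digest
    edited = Block(old.index, old.timestamp, new_data, old.prev_hash, digest)
    return chain[:index] + [edited] + chain[index + 1:]


# Constructed sample ledger entries: a signature-style reference to the signer, no personal data.
SAMPLE_RECORDS = [
    ("2021-02-22T10:00:00Z", "transfer 5 units, signer=sig:alice"),
    ("2021-02-22T10:05:00Z", "transfer 2 units, signer=sig:bob"),
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("intact chain verifies:", verify_chain(chain))
    edited = "transfer 500 units, signer=sig:alice"
    print("edited data, stale digest:", verify_chain(tamper(chain, 1, edited, rehash=False)))
    print("edited data, block rehashed:", verify_chain(tamper(chain, 1, edited, rehash=True)))
```

Rehashing the edited block is not enough: the next block still holds the old digest in its `prev_hash`, so the break shows up one link later. The one block the chain alone cannot protect is the newest one, which has no successor yet; that is why a public ledger relies on replication across many participants rather than on the hash chain by itself.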

Business Requirements
[Video description begins] Topic title: Business Requirements. Your host for this session is Dan Lachance . [Video description ends]

There are many business aspects to the use of cloud computing, including requirements to meet business needs when using cloud computing services.
The first consideration is to bear in mind that when you use cloud computing, you are outsourcing some of the risk. You are also essentially
outsourcing some of your supply chain and security to another third party. And so you have to have confidence in that third party, in this case, that's
the cloud service provider, that they are doing their due diligence to adhere to security practices.

For example, you might select a cloud provider that has specific security accreditations like PCI DSS for cardholder data. Although the
cloud service provider might have done their part to meet those security standards, ultimately it falls upon you, the cloud customer, to also do your
part to make sure that the solutions in use in the cloud are secured properly. You need to make sure that you meet stakeholder expectations.

An example of this might include having a master service agreement, an MSA, that essentially covers the use of a multitude of different cloud
computing services and what can be expected in terms of uptime. You might even be involved with statement of work documents, SoWs. Where you
might, for example, have a government contract that stipulates you can use cloud computing for some of your work related to that contract, given that
it meets certain standards. Such as the use of certain types of encryption.

Cloud computing considerations are many, including the cloud services that will be specifically selected to meet business needs. Data privacy laws
and regulations that must be adhered to, the use of on-premises systems or data that might be replicated to the cloud. So you would have a hybrid
cloud computing environment in that case. You also have to consider the technical expertise of the IT staff on premises that will be using these cloud
services and making them available to the business.

And then there is always the consideration of total cost of ownership, or TCO, over time. While with the use of cloud computing services the
organization doesn't have to assume the initial capital expenditures for large IT investments, over time they are paying for the use of the
cloud services, where the cloud service provider has initially assumed that upfront capital expenditure cost. Service level agreements or SLAs are a big
part of doing business in the cloud.

The SLA is a contractual document between the cloud service provider and the cloud service consumer, or the tenant. So the customer and the cloud
service provider are involved in this case, or it could be a customer and an Internet service provider with an SLA guaranteeing Internet connectivity. It
could also be between the sales department and the usage of internal IT resources.

And if we're talking about an internal private cloud, that would be referred to as departmental chargeback. So the key to service level agreements is
that each specific cloud service has its own SLA. So you would have an SLA for a specific cloud storage solution, a different SLA for deploying
virtual machines in the cloud. And yet a different SLA, once again, if you're deploying databases in that cloud computing environment.

The service level agreement document is broken up into multiple sections, one of which is definition of terms that are used throughout the service
level agreement. Then there is a portion of that document that deals with service credits that are allocated to the cloud customer if the SLA terms are
not met.

There are also SLA exclusions, like acts of nature that might cause disruption of services or acts of terrorism, that type of thing. The service level
agreement deals with performance and reliability. And often what you'll see when you look closely at a service level agreement is a percentage of
uptime that's guaranteed by the provider, either within a calendar month or a calendar year.

So for example, the SLA might guarantee uptime for virtual machines, within a certain part of the world, within a certain region, to be 99.99%. If it's
less than 99.99% over a calendar month or a calendar year, whatever the case might be, then the cloud customer that's affected might be awarded a
three-day service credit for future cloud computing charges. Whereas if we end up with less than 95% of availability, then that might result in a seven-
day service credit. Now, this is important from a business perspective where we might depend upon cloud deployed services and their availability.

Contract and Vendor Management and Assessment

[Video description begins] Topic title: Contract and Vendor Management and Assessment. Your host for this session is Dan Lachance . [Video
description ends]

Working with the cloud service provider at the enterprise level means negotiation. It means looking at contracts that might be applicable and
negotiating the terms in those contracts to manage the cloud service provider. In this case, that is the vendor over time. So the first key item is that, of
course, the use of cloud computing needs to provide solutions that meet business needs. It has to serve business interests.

Now, in order to do that, we first have to make sure that we've carefully identified business objectives. And then mapped any available cloud services
to business IT requirements that will end up resulting in meeting those objectives. So for example, if the requirement is to analyze vast datasets in as
quick a time as possible at a reduced cost, then using cloud services to allow big data analysis would make sense.

To have clusters of virtual machines so that we could gain insights that we otherwise wouldn't be able to gain from those vast datasets. Another aspect
of managing or negotiating exactly how the relationship will form between a cloud service provider and a customer is to take a look at auditing.

Cloud service provider auditing specifically, to make sure that CSPs, the providers, have the appropriate security accreditations that might be required
by the cloud customer, to provide assurances to the customer. Because bear in mind that the use of cloud computing means you are transferring some
responsibility and risk to a third party. And of course, when it comes to security, we all know that your security posture is only as good as the weakest
link in the chain. And we don't want that weakest link to be the unknown in the form of the cloud service provider.

The other thing to bear in mind, is a legal affirmation that certain standards will be met. So again, that could be data privacy standards for applicable
laws where data is being stored in the cloud to make sure that we avoid litigation. It can also relate to legal and regulatory compliance as we've
mentioned and then ownership of the cloud data. Again, the ownership of the data would determine the data source, where it comes from.

So for example, if it's citizen private information that results from the use of government websites, well the ownership of that data technically would
fall to the citizen. Although the government agency that's working with that data is considered the data steward. And must adhere to certain laws and
regulations. The other thing is cyber insurance. This is an important part of outsourcing some of your compute services to the cloud computing
environment.

So it means talking to your insurance company and negotiating how this will apply. You might have cyber insurance so that if there's a security breach
that is determined to be the responsibility of the cloud service provider, if it was their issue, then you might be covered with some type of cyber risk
insurance. So it's another aspect of contract and vendor management.

Supply Chain Management


[Video description begins] Topic title: Supply Chain Management. Your host for this session is Dan Lachance . [Video description ends]

Supply chain management means taking a look at an organization's reliance upon outsourced services or products. In order to make sure that
everything in the supply chain that results in your organization's services or products has adhered to specific security standards. So we need to always
consider where the weakest link in the chain might exist, because that's really the definition of your organization's security posture. And this is very
important when it comes to cloud computing. So think of a physical chain and the links in the chain.

Now, when we map that to the business world and the use of cloud computing, we're really talking about employees. Now, that's employees within
your own organization as well as the employees in the cloud computing environment, so cloud service provider employees. Contractors that you
might hire, outsourcing services to organizations, such as cloud service providers. And even using IT solutions that might come from external sources,
such as the use of open source software. You need to make sure that these are trusted.

So supply chain management also means taking a look at cloud service level agreements, SLAs, for each specific cloud service that will be used. To
make sure that we know that the guaranteed uptime of that service adheres to or at least meets, ideally exceeds, business requirements.

We need to carefully research cloud service provider's security accreditations. To make sure that there are third-party audits that take place
periodically that result in the security assertions related to the cloud service provider. We need to take a look at employee background checks. Now,
this will be important for, of course, our own organizations. But also determining that security audits take a look at this for cloud service providers.

The last thing we want is an inside type of job for a sensitive security breach within a cloud service provider environment. Developers in the cloud
need to think about how they build their code and test it and deploy it in the cloud environment. For example, if we've got a centralized cloud code
build environment where developers make code changes, check in the code after it's been tested properly, and then have it automatically built and
deployed.

Well, if a malicious user has injected malware within the code build chain, then that means the resultant deployed software might be infected. And so
we have to think about all of the different chain links, so to speak, where there could be security deficiencies. And make sure that they are addressed,
and the appropriate security controls are put in place to mitigate those threats.
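
One control for the code build chain described above, as an added example that is not part of the course transcript: the build step records a SHA-256 digest of every artifact it tested and signs that manifest, and the deploy step refuses anything whose contents or manifest no longer match. The artifact contents and the HMAC signing key here are constructed for illustration; in a real pipeline the key would live in the CI system's secret store, and a public-key signature would let deployers verify without holding the signing secret.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed sample build output (file path -> bytes); not from any real project.
BUILD_ARTIFACTS: Dict[str, bytes] = {
    "app/server.py": b"def handler(request):\n    return 'ok'\n",
    "app/config.json": b'{"debug": false}\n',
}

# Assumed pipeline signing key, for illustration only. Never store it with the code or artifacts.
SIGNING_KEY = b"assumed-build-pipeline-signing-key"


def digest_artifacts(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 digest of every file the build produced."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in artifacts.items()}


def canonical(manifest: Dict[str, str]) -> bytes:
    # Sorted keys and fixed separators, so the signed bytes do not depend on dict ordering.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_release(artifacts: Dict[str, bytes], key: bytes) -> dict:
    """Build step: record exactly what was tested, then sign that record."""
    manifest = digest_artifacts(artifacts)
    signature = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"files": manifest, "sig": signature}


def verify_release(artifacts: Dict[str, bytes], signed: dict, key: bytes) -> Tuple[bool, str]:
    """Deploy step: refuse anything whose manifest or contents differ from what was signed."""
    manifest = signed["files"]
    expected_sig = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, signed["sig"]):
        return False, "manifest signature mismatch"
    if set(artifacts) != set(manifest):
        return False, "file set differs from manifest"
    for name, content in artifacts.items():
        if not hmac.compare_digest(hashlib.sha256(content).hexdigest(), manifest[name]):
            return False, "digest mismatch: " + name
    return True, "ok"


def demo() -> None:
    signed = sign_release(BUILD_ARTIFACTS, SIGNING_KEY)
    print("clean build:", verify_release(BUILD_ARTIFACTS, signed, SIGNING_KEY))

    # Case 1: a file is modified after the tested build was signed.
    swapped = {**BUILD_ARTIFACTS, "app/server.py": b"def handler(request):\n    leak(request)\n"}
    print("modified file:", verify_release(swapped, signed, SIGNING_KEY))

    # Case 2: the manifest is rewritten to match the modified file, but without the signing key.
    forged = {"files": digest_artifacts(swapped), "sig": signed["sig"]}
    print("forged manifest:", verify_release(swapped, forged, SIGNING_KEY))

    # Case 3: an extra file is slipped into the deployment bundle.
    padded = {**BUILD_ARTIFACTS, "app/extra.py": b"pass\n"}
    print("extra file:", verify_release(padded, signed, SIGNING_KEY))


if __name__ == "__main__":
    demo()
```

The check catches the three tampering points the lecture warns about, a changed file, a changed manifest and an injected file, and only the signing key separates a legitimate rebuild from a forgery, so protecting that key is what the control rests on.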

Course Summary
[Video description begins] Topic title: Course Summary. [Video description ends]

So in this course, we've examined key aspects of cloud computing architectural design, as well as associated cloud systems and cloud components.
We did this by exploring cloud computing definitions, participants, operational characteristics, and supporting infrastructure components.

We also explored cloud computing activities and computing service capabilities. Standard categories of cloud computing such as software as a
service, SaaS, infrastructure as a service, IaaS, and platform as a service, PaaS.

We then explored the definition of deployment models of cloud services, and the impact of related technologies such as machine learning, artificial
intelligence, Internet of Things, and quantum computing. In our next course, we'll move on to explore cloud security technologies, data encryption,
cloud system management, and operational considerations.
