When studying for the old 10 domain CISSP exam, I merely glanced at the cloud computing section, and kept flipping through the pages.
I had somehow convinced myself that what general terms and definitions I already knew about cloud security would be enough for me to get by when taking the exam.
However, I probably would not make the same wager with myself for the new 8 domain CISSP exam.
The CISSP went through a Domain Refresh for a reason: to adapt the exam to the changes in technology.
Cloud security is one of those big changes.
Knowing the concepts of cloud computing may be one of the determining factors of you either passing or failing the exam.
Get to know it!
I wanted to let our readers become familiar with some cloud computing terms.
I hope you find it beneficial, and as always, let me know if you have any questions!
Massive warehouses located around the globe, full of high-powered computers bringing an abundance of computing power to your fingertips: that’s cloud computing.
It is a central place where you can upload your cat pictures from your mobile phone while riding the subway, and then have them available on your desktop when you get home.
It is a place where an organization can have their entire IT infrastructure virtually, instead of having to build their own.
Cloud Service Provider
The cloud service provider is the company which actually owns all the services and servers in the data center. A cloud service provider allows other companies to use its hosted and virtualized services, much like how an ISP provides Internet access to customers.
Amazon Web Services, Microsoft Azure, Apple iCloud, or Google Drive are all examples of cloud service providers.
Companies that use the cloud are called tenants. It kind of makes sense: tenants in an apartment building are renting an apartment.
Tenants in a cloud are renting the services provided by cloud service providers.
Types of Clouds
In a public cloud, multiple tenants use the same service over the cloud. They all share the same hardware, software, and services.
You pay as you go.
If you want to use the server for 40 hours a week, or 8 hours a day, you will only be charged for that amount.
Amazon Web Services is an example of a public cloud. It can also be a private cloud, depending on your needs.
Check out the AWS service infrastructure below:
CISSP TIP: Public cloud service providers manage the security of the infrastructure. The customer has no insight nor say in the security of the service they are using, or their data! Of course, you can always pay a little bit and work it into your SLA for the cloud service provider to make sure your data is encrypted.
Private clouds allow customers to implement their own security measures, right alongside compliance standards like HIPAA, Sarbanes-Oxley, or PCI.
Because it’s just one customer in the private cloud, all services are dedicated to that one customer. Private clouds are not shared with other tenants.
CISSP Tip: Companies that want to control their own security, bandwidth, and compliance, go with private clouds. These are usually mid to large-size enterprises.
A community cloud is kind of like a public cloud: there is a multi-tenant design, but this time, everybody has the same requirements.
In a public cloud, one tenant may use IaaS, another tenant may use PaaS, while another tenant would use SaaS.
In a community cloud, multiple tenants use the same service, such as just PaaS or just SaaS.
The tenants also require the same assurance levels for their service.
If I wanted to use a type of cloud for Study Notes and Theory, I’d use a hybrid model.
With a hybrid model, I could store all private website data, like these subscriber-only CISSP newsletters, in a private cloud. I would be in control of the security and maintenance of the private data.
I would then host the website itself in a community or public cloud, where www.studynotesandtheory.com is hosted in data centers which are shared by other tenants for their own websites.
So a private cloud for personal data, and a community cloud for website hosting services. This is an example of a hybrid cloud.
Cloud Service Models
Want to throttle your proxy server’s CPU utilization?
Is managing the amount of virtual RAM allocated to different applications important to your business?
Do you want to use IPv6 instead of IPv4 in your network?
All these infrastructure specifications are provided by IaaS, Infrastructure as a Service.
As the name suggests, IaaS provides a customer full control of virtualized hardware, memory, and storage. Servers, firewalls, and routers are provided, and a network topology can be configured by the tenant.
This granular type of environment control is not provided by PaaS or SaaS.
Amazon Web Services is an IaaS, although today they also offer PaaS and SaaS.
Before defining PaaS, Platform as a Service, let’s look at some examples of PaaS.
Salesforce.com is a PaaS.
Windows Azure is a PaaS, although today they also offer IaaS and SaaS.
These companies provide a “platform” for customers to build their OWN applications. Essentially, they provide an application on which customers can build their own application.
For customers who want to focus on just their primary business function, and not have to worry about the networking, server, or operating system environment, PaaS is the best option.
Suppose for my YouTube videos I wanted to make super flashy animations with lots of slick graphics and sound effects.
Video editing software may cost $2,000.
Suppose a cloud service let you rent the video editing software for $5.99 per month. This is a much better deal!
You are using software that another company is renting to you for a fraction of the original price of the actual software.
This is SaaS, Software as a Service.
CISSP TIP: All cloud services offer prices that may save the company money, time, and the hiring of additional employees. It is up to the organization to perform a risk analysis, and an inventory count to determine if they should keep everything in-house and under their control, or in the cloud and a little bit out of reach.
Thanks for reading, and I hope you learned something!