The Official (ISC)2 Guide to the CCSP CBK
Ebook, 981 pages, 40 hours

About this ebook

Globally recognized and backed by the Cloud Security Alliance (CSA) and (ISC)2, the CCSP credential is the ideal way to match marketability and credibility to your cloud security skill set. The Official (ISC)2 Guide to the CCSP CBK, Second Edition, is your ticket for expert insight through the 6 CCSP domains. You will find step-by-step guidance through real-life scenarios, illustrated examples, tables, best practices, and more. This Second Edition features clearer diagrams as well as refined explanations based on extensive expert feedback. Sample questions help you reinforce what you have learned and prepare smarter.

Numerous illustrated examples and tables are included to demonstrate concepts, frameworks and real-life scenarios. The book offers step-by-step guidance through each of CCSP’s domains, including best practices and techniques used by the world's most experienced practitioners. Developed by (ISC)², endorsed by the Cloud Security Alliance® (CSA) and compiled and reviewed by cloud security experts across the world, this book brings together a global, thorough perspective. The Official (ISC)² Guide to the CCSP CBK should be utilized as your fundamental study tool in preparation for the CCSP exam and provides a comprehensive reference that will serve you for years to come.

Language: English
Publisher: Wiley
Release date: Apr 26, 2016
ISBN: 9781119276746

    The Official (ISC)2 Guide to the CCSP CBK - Adam Gordon

    Introduction

    THERE ARE TWO MAIN requirements that must be met to achieve the status of Certified Cloud Security Professional (CCSP); one must take and pass the certification exam and be able to demonstrate a minimum of five years of cumulative paid full-time information technology experience, of which three years must be in information security and one year must be in one of the six domains of the CCSP examination. A firm understanding of what the six domains of the CCSP Common Body of Knowledge (CBK) are and how they relate to the landscape of business is a vital element in successfully being able to meet both requirements and claim the CCSP credential. The mapping of the six domains of the CCSP CBK to the job responsibilities of the information security professional in today’s world can take many paths based on a variety of factors, such as industry vertical, regulatory oversight and compliance, geography, and public versus private versus military as the overarching framework for employment in the first place. In addition, considerations such as cultural practices and differences in language and meaning can play a substantive role in the interpretation of what aspects of the CBK will mean and how they will be implemented in any given workplace.

    It is not the purpose of this book to attempt to address all these issues or provide a definitive prescription as to the path forward in all areas. Rather, it is to provide the official guide to the CCSP CBK and, in so doing, to lay out the information necessary to understand what the CBK is and how it is used to build the foundation for the CCSP and its role in business today. Being able to map the CCSP CBK to your knowledge, experience, and understanding is the way that you will be able to translate the CBK into actionable and tangible elements for both the business and its users that you represent.

    The Architectural Concepts and Design Requirements domain focuses on the building blocks of cloud-based systems. The CCSP needs an understanding of cloud computing concepts such as definitions based on the ISO/IEC 17788 standard; roles like the cloud service customer, provider, and partner; characteristics such as multitenancy, measured services, and rapid elasticity and scalability; and building block technologies of the cloud such as virtualization, storage, and networking. The cloud reference architecture will need to be described and understood, focusing on areas such as cloud computing activities (as described in ISO/IEC 17789, clause 9), cloud service capabilities, categories, deployment models, and the cross-cutting aspects of cloud platform architecture and design, such as interoperability, portability, governance, service levels, and performance. In addition, the CCSP should have a clear understanding of the relevant security and design principles for cloud computing, such as cryptography, access control, virtualization security, functional security requirements like vendor lock-in and interoperability, what a secure data life cycle is for cloud-based data, and how to carry out a cost-benefit analysis of cloud-based systems. The ability to identify what a trusted cloud service is and what role certification against criteria plays in that identification—using standards such as the Common Criteria and FIPS 140-2—are further areas of focus for this domain.

    The Cloud Data Security domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems (OSs), equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability. The CCSP needs to understand and implement data discovery and classification technologies pertinent to cloud platforms, as well as be able to design and implement relevant jurisdictional data protections for personally identifiable information (PII), such as data privacy acts and the ability to map and define controls within the cloud. Designing and implementing digital rights management (DRM) solutions with the appropriate tools and planning for the implementation of data retention, deletion, and archiving policies are activities that a CCSP will need to understand how to undertake.

    The Cloud Platform and Infrastructure Security domain covers knowledge of the cloud infrastructure components—both the physical and virtual—existing threats, and mitigating and developing plans to deal with those threats. Risk management is the identification, measurement, and control of loss associated with adverse events. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decisions, safeguard implementation, and effectiveness review. The CCSP is expected to understand risk management, including risk analysis, threats and vulnerabilities, asset identification, and risk management tools and techniques. In addition, the candidate needs to understand how to design and plan for the use of security controls such as audit mechanisms, physical and environmental protection, and the management of identification, authentication, and authorization solutions within the cloud infrastructures she manages. Business continuity planning (BCP) facilitates the rapid recovery of business operations to reduce the overall impact of the disaster by ensuring continuity of the critical business functions. Disaster recovery planning includes procedures for emergency response, extended backup operations, and postdisaster recovery when the computer installation suffers loss of computer resources and physical facilities. The CCSP is expected to understand how to prepare a business continuity or disaster recovery plan (DRP), techniques and concepts, identification of critical data and systems, and the recovery of lost data within cloud infrastructures.

    The Cloud Application Security domain focuses on issues to ensure that the need for training and awareness in application security, the processes involved with cloud software assurance and validation, and the use of verified secure software are understood. The domain refers to the controls that are included within systems and applications software and the steps used in their development (such as software development life cycle). The CCSP should fully understand the security and controls of the development process, system life cycle, application controls, change controls, program interfaces, and concepts used to ensure data and application integrity, security, and availability. In addition, the need to understand how to design appropriate identity and access management (IAM) solutions for cloud-based systems is important.

    The Operations domain is used to identify critical information and the execution of selected measures that eliminate or reduce adversary exploitation of critical information. The domain examines the requirements of the cloud architecture, from planning of the data center design and implementation of the physical and logical infrastructure for the cloud environment to running and managing that infrastructure. It includes the definition of the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing and monitoring are the mechanisms, tools, and facilities that permit the understanding of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process. The need for compliance with regulations and controls through the application of frameworks such as ITIL and ISO/IEC 20000 is also discussed. In addition, the importance of risk assessment across both the logical and the physical infrastructures and the management of communication with all relevant parties are emphasized. The CCSP is expected to know the resources that must be protected, the privileges that must be restricted, the control mechanisms that are available, the potential for abuse of access, the appropriate controls, and the principles of good practice.

    The Legal and Compliance domain addresses ethical behavior and compliance with regulatory frameworks. It includes the investigative measures and techniques that can be used to determine if a crime has been committed and methods used to gather evidence (including legal controls, e-discovery, and forensics). This domain also includes an understanding of privacy issues and audit processes and methodologies required for a cloud environment, such as internal and external audit controls, assurance issues associated with virtualization and the cloud, and the types of audit reporting specific to the cloud, such as the Statement on Standards for Attestation Engagements (SSAE) No. 16, and the International Standards for Assurance Engagements (ISAE) No. 3402.¹ Further, examining and understanding the implications that cloud environments have in relation to enterprise risk management and the impact of outsourcing for design and hosting of these systems are important considerations that many organizations face today.

    Conventions

    To help you get the most from the text, we’ve used a number of conventions throughout the book.

    WARNING

    Warnings draw attention to important information that is directly relevant to the surrounding text.

    NOTE

    Notes discuss helpful information related to the current discussion.

    As for styles in the text, we show URLs within the text like so: www.wiley.com.

    Note

    ¹ Many service organizations that previously had a SAS 70 service auditor’s examination (SAS 70 audit) performed converted to the SSAE No. 16 standard in 2011 and now have an SSAE 16 report instead. This is also referred to as a Service Organization Controls (SOC) 1 report.

    DOMAIN 1

    Architectural Concepts and Design Requirements

    THE GOAL OF THE Architectural Concepts and Design Requirements domain is to provide you with knowledge of the building blocks necessary to develop cloud-based systems.

    You will be introduced to such cloud computing concepts as the customer, provider, partner, measured services, scalability, virtualization, storage, and networking. You will be able to understand the cloud reference architecture based on activities defined by industry-standard documents.

    Lastly, you will gain knowledge in relevant security and design principles for cloud computing, including secure data lifecycle and cost-benefit analysis of cloud-based systems.

    DOMAIN OBJECTIVES

    After completing this domain, you will be able to do the following:

    Define the various roles, characteristics, and technologies as they relate to cloud computing concepts

    Describe cloud computing concepts as they relate to cloud computing activities, capabilities, categories, models, and cross-cutting aspects

    Identify the design principles necessary for secure cloud computing

    Define the various design principles for the different types of cloud categories

    Describe the design principles for secure cloud computing

    Identify criteria specific to national, international, and industry for certifying trusted cloud services

    Identify criteria specific to the system and subsystem product certification

    Introduction

    "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

    The NIST Definition of Cloud Computing¹

    Cloud computing (Figure 1.1) is the use of Internet-based computing resources, typically delivered as a service, through which internal or external customers consume scalable and elastic information technology (IT)-enabled capabilities.

    [Figure 1.1 Cloud computing overview: cloud consumer, cloud auditor, cloud service provider (service orchestration and cloud service management), cloud broker, and cloud carrier.]

    Cloud computing, or cloud, means many things to many people. There are indeed various definitions for cloud computing and what it means from many of the leading standards bodies. The previous National Institute of Standards and Technology (NIST) definition is the most commonly utilized, cited by professionals and others alike to clarify what the term cloud means.

    It’s important to note the difference between a cloud service provider (CSP) and a managed service provider (MSP). The main difference lies in who exerts control over the data and the process. With an MSP, the consumer dictates the technology and operating procedures. According to the MSP Alliance, MSPs typically have the following distinguishing characteristics:²

    Some form of network operations center (NOC) service

    Some form of help desk service

    Remote monitoring and management of all or most of the objects for the customer

    Proactive maintenance of the objects under management for the customer

    Delivery of these solutions with some form of predictable billing model, where the customer knows with great accuracy what the regular IT management expense will be

    With a CSP, the service provider dictates both the technology and the operational procedures being made available to the cloud consumer. This means that the CSP is offering some or all of the components of cloud computing through a software as a service (SaaS), infrastructure as a service (IaaS), or platform as a service (PaaS) model.

    Drivers for Cloud Computing

    There are many drivers that may move a company to consider cloud computing. These may include the costs associated with the ownership of their current IT infrastructure solutions as well as projected costs to continue to maintain these solutions year in and year out (Figure 1.2).

    [Figure 1.2 Drivers that move companies toward cloud computing: capital expenditure (Capex), such as buildings and computer equipment, leads to operational expenditure (Opex), such as utility costs and maintenance.]

    Additional drivers include but are not limited to the following:

    The desire to reduce IT complexity

    Risk reduction: Users can use the cloud to test ideas and concepts before making major investments in technology.

    Scalability: Users have access to a large number of resources that scale based on user demand.

    Elasticity: The environment transparently manages a user’s resource utilization based on dynamically changing needs.

    Consumption-based pricing

    Virtualization: Each user has a single view of the available resources, independent of their arrangement in terms of physical devices.

    Cost: The pay-per-usage model allows an organization to pay only for the resources it needs with basically no investment in the physical resources available in the cloud. There are no infrastructure maintenance or upgrade costs.

    Business agility

    Mobility: Users can access data and applications from around the globe.

    Collaboration and innovation: Users are starting to see the cloud as a way to work simultaneously on common data and information.

    Security, Risks, and Benefits

    You cannot bring up or discuss the topic of cloud computing without hearing the words security, risk, and compliance. In truth, cloud computing does pose challenges and represents a paradigm shift in the way in which technology solutions are being delivered. As with any notable change, this brings about questions and a requirement for clear and concise understandings and interpretations to be obtained, from both a customer and a provider perspective. The Certified Cloud Security Professional (CCSP) must play a key role in the dialogue within the organization as it pertains to cloud computing, its role, the opportunity costs, and the associated risks (Figure 1.3).

    [Figure 1.3 Cloud computing issues and concerns: risk (business/reputation), compliance (legal/regulatory), distributed multitenant security environment (business ecosystem), and privacy.]

    Risk can take many forms in an organization. The organization needs to carefully weigh all the risks associated with a business decision before engaging in an activity to minimize the risk impact associated with that activity. There are many approaches and frameworks that can be used to address risk in an organization, such as the Control Objectives for Information and Related Technology (COBIT) framework, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Integrated Framework, and the NIST Risk Management Framework. Organizations need to become risk aware in general, focusing on risks within and around the organization that may cause harm to the reputation of the business. Reputational risk can be defined as the loss of value of a brand or the ability of an organization to persuade.³ To manage reputational risk, an organization should consider the following items:

    Strategic alignment

    Effective board oversight

    Integration of risk into strategy setting and business planning

    Cultural alignment

    Strong corporate values and a focus on compliance

    Operational focus

    Strong control environment

    Although many people think of cloud technologies as less secure or carrying greater risk, such a claim cannot be made without a direct and measured comparison against a specified environment or service. For instance, it would be incorrect to simply assume or state that cloud computing is a less secure service modality for delivering a customer relationship management (CRM) platform than a traditional CRM application model, which calls for an on-premises installation of the CRM application and its supporting infrastructure and databases. To assess the true level of security and risk associated with each model of ownership and consumption, the two platforms would need to be compared across a range of factors and issues, allowing for a side-by-side comparison of the key deliverables and issues associated with each model.

    In truth, the cloud may be more or less secure than your organization’s environment and current security controls depending on any number of factors, which include technological components; risk management processes; preventative, detective, and corrective controls; governance and oversight processes; resilience and continuity capabilities; defense in depth; and multifactor authentication.

    Therefore, the approach to security varies depending on the provider and the ability for your organization to alter and amend its overall security posture prior to, during, and after migration or utilization of cloud services.

    In the same way that no two organizations or entities are the same, neither are two CSPs. A one-size-fits-all approach is never good for security, so do not settle for it when utilizing cloud-based services.

    The extensive use of automation within the cloud enables real-time monitoring and reporting on security control points, allowing for the establishment of continuous security monitoring regimes, enhancing the overall security posture of the organization consuming the cloud services. The benefits realized by the organization can include greater security visibility, enhanced policy and governance enforcement, and a better framework for management of the extended business ecosystem through a transition from an infrastructure-centric to a data-centric security model.

    Cloud Computing Definitions

    The following list forms a common set of terms and phrases you will need to become familiar with as a CCSP. Having an understanding of these items puts you in a strong position to communicate and understand technologies, deployments, solutions, and architectures within the organization as needed. This list is not comprehensive and should be used along with the vocabulary terms in Appendix B, Glossary, to form as complete a picture as possible of the language of cloud computing.

    Anything as a service (XaaS): The growing diversity of services available over the Internet via cloud computing as opposed to being provided locally or on premises.

    Apache CloudStack: An open source cloud computing and IaaS platform developed to help make creating, deploying, and managing cloud services easier by providing a complete stack of features and components for cloud environments.

    Business continuity: The capability of the organization to continue delivery of products or services at acceptable predefined levels following a loss of service.

    Business continuity management: A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause. It provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

    Business continuity plan: The creation of a strategy through the recognition of threats and risks facing a company, with an eye to ensure that personnel and assets are protected and able to function in the event of a disaster.

    Cloud app: Short for cloud application, cloud app describes a software application that is never installed on a local computer. Instead, it is accessed via the Internet.

    Cloud Application Management for Platforms (CAMP): CAMP is a specification designed to ease management of applications—including packaging and deployment—across public and private cloud computing platforms.

    Cloud backup: Cloud backup, or cloud computer backup, refers to backing up data to a remote, cloud-based server. As a form of cloud storage, cloud backup data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.

    Cloud backup solutions: Cloud backup solutions enable enterprises or individuals to store their data and computer files on the Internet using a storage service provider rather than storing the data locally on a physical disk, such as a hard drive or tape backup.

    Cloud computing: A type of computing, comparable to grid computing, that relies on sharing computing resources and using a network of remote servers to store, manage, and process data instead of using a local server or a personal computer.

    Cloud computing accounting software: Cloud computing accounting software is accounting software that is hosted on remote servers. It provides accounting capabilities to businesses in a fashion similar to the SaaS business model. Data is sent into the cloud, where it is processed and returned to the user. All application functions are performed offsite, not on the user’s desktop.

    Cloud database: A database accessible to clients from the cloud and delivered to users on demand via the Internet. Also referred to as database as a service (DBaaS), cloud databases can use cloud computing to achieve optimized scaling, high availability, multitenancy, and effective resource allocation.

    Cloud enablement: The process of making available one or more of the following services and infrastructures to create a public cloud computing environment: CSP, client, and application.

    Cloud management: Software and technologies designed for operating and monitoring the applications, data, and services residing in the cloud. Cloud management tools help ensure a company’s cloud computing–based resources are working optimally and properly interacting with users and other services.

    Cloud migration: The process of transitioning all or part of a company’s data, applications, and services from onsite premises behind the firewall to the cloud, where the information can be provided over the Internet on an on-demand basis.

    Cloud OS: A phrase frequently used in place of PaaS to denote an association to cloud computing.

    Cloud portability: In cloud computing terminology, this refers to the ability to move applications and their associated data between one CSP and another—or between public and private cloud environments.

    Cloud provisioning: The deployment of a company’s cloud computing strategy, which typically first involves selecting which applications and services will reside in the public cloud and which will remain onsite behind the firewall or in the private cloud. Cloud provisioning also entails developing the processes for interfacing with the cloud’s applications and services as well as auditing and monitoring who accesses and utilizes the resources.

    Cloud server hosting: A type of hosting in which hosting services are made available to customers on demand via the Internet. Rather than being provided by a single server or virtual server, cloud server hosting services are provided by multiple connected servers that comprise a cloud.

    Cloud storage: The storage of data online in the cloud, whereby a company’s data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.

    Cloud testing: Load and performance testing conducted on the applications and services provided via cloud computing—particularly the capability to access these services—to ensure optimal performance and scalability under a variety of conditions.

    Desktop as a service: A form of virtual desktop infrastructure (VDI) in which the VDI is outsourced and handled by a third party. Also called hosted desktop services, desktop as a service is frequently delivered as a cloud service along with the apps needed for use on the virtual desktop.

    Enterprise application: Describes applications—or software—that a business uses to assist the organization in solving enterprise problems. When the word enterprise is combined with application, it usually refers to a software platform that is too large and complex for individual or small business use.

    Enterprise cloud backup: Enterprise-grade cloud backup solutions typically add essential features such as archiving and disaster recovery (DR) to cloud backup solutions.

    Eucalyptus: An open source cloud computing and IaaS platform for enabling AWS-compatible private and hybrid clouds.

    Event: A change of state that has significance for the management of an IT service or other configuration item. The term can also be used to mean an alert or notification created by an IT service, configuration item, or monitoring tool. Events often require IT operations staff to take actions and lead to incidents being logged.

    Host: A device providing a service.

    Hybrid cloud storage: A combination of public cloud storage and private cloud storage in which some critical data resides in the enterprise’s private cloud and other data is stored and accessible from a public cloud storage provider.

    IaaS: IaaS is defined as computer infrastructure, such as virtualization, being delivered as a service. IaaS is popular in the data center where software and servers are purchased as a fully outsourced service and usually billed on usage and how much of the resource is used—compared with the traditional method of buying software and servers outright.

    Incident: An unplanned interruption to an IT service or reduction in the quality of an IT service.

    Managed service provider: An IT service provider in which the customer dictates both the technology and the operational procedures.

    Mean time between failure (MTBF): The measure of the average time between failures of a specific component or part of a system.

    Mean time to repair (MTTR): The measure of the average time it should take to repair a failed component or part of a system.

    Mobile cloud storage: A form of cloud storage that applies to storing an individual’s mobile device data in the cloud and providing the individual with access to the data from anywhere.

    Multitenant: In cloud computing, multitenant is the phrase used to describe multiple customers using the same public cloud.

    Node: A physical connection.

    Online backup: In storage technology, online backup means to back up data from your hard drive to a remote server or computer using a network connection. Online backup technology leverages the Internet and cloud computing to create an attractive offsite storage solution with few hardware requirements for any business of any size.

    PaaS: The process of deploying onto the cloud infrastructure consumer-created or acquired applications that are created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems (OSs), or storage but has control over the deployed applications and possibly the configuration settings for the application-hosting environment.

    Personal cloud storage: A form of cloud storage that applies to storing an individual’s data in the cloud and providing the individual with access to the data from anywhere. Personal cloud storage also often enables syncing and sharing stored data across multiple devices such as mobile phones and tablet computers.

    Private cloud: Describes a cloud computing platform that is implemented within the corporate firewall, under the control of the IT department. A private cloud is designed to offer the same features and benefits of cloud systems but removes a number of objections to the cloud computing model, including control over enterprise and customer data, worries about security, and issues connected to regulatory compliance.

    Private cloud project: Companies initiate private cloud projects to enable their IT infrastructure to become more capable of quickly adapting to continually evolving business needs and requirements. Private cloud projects can also be connected to public clouds to create hybrid clouds.

    Private cloud security: A private cloud implementation aims to avoid many of the objections regarding cloud computing security, chiefly those that arise from sharing infrastructure with unknown tenants. Because the private cloud is implemented within the corporate firewall and remains under the control of the IT department, the organization also retains full responsibility for securing it; the deployment model reduces exposure but does not remove the need for the same controls applied to any other cloud.

    Private cloud storage: A form of cloud storage in which both the enterprise data and the cloud storage resources reside within the enterprise’s data center and behind the firewall.

    Problem: The unknown cause of one or more incidents, often identified as a result of multiple similar incidents.

    Public cloud storage: A form of cloud storage in which the enterprise and storage service provider are separate and the data is stored outside of the enterprise’s data center.

    Recovery point objective (RPO): The maximum amount of data loss an organization can tolerate, expressed as a period of time (for example, four hours) between the last good backup or replication point and the failure. The RPO therefore dictates how often data must be backed up or replicated. Another way of looking at the RPO is to ask yourself, How much data can the company afford to lose?

    Recovery time objective (RTO): The maximum time within which each system must be back up and running after a disaster or critical failure, measured from the point of failure to the restoration of service.

    SaaS: A software delivery method that provides access to software and its functions remotely as a web-based service. SaaS allows organizations to access business functionality on a subscription basis (typically a monthly or annual fee per user), which usually costs less up front than purchasing licensed applications and the infrastructure to run them.

    Storage cloud: Refers to the collection of multiple distributed and connected resources responsible for storing and managing data online in the cloud.

    Vertical cloud computing: Describes the optimization of cloud computing and cloud services for a particular vertical (for example, a specific industry) or specific-use application.

    Virtual host: A software implementation of a physical host.
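    The RPO and RTO entries above are easier to apply with a concrete check. The following is an added example, not from the CCSP CBK: it takes a constructed backup schedule and a constructed restore runbook and tests them against an assumed RPO of 24 hours and RTO of 4 hours. The function names, timestamps, and step durations are all assumptions made for illustration.

```python
"""Check a backup schedule against an RPO and a restore runbook against an RTO.

Added example, not from the CCSP CBK. Every timestamp, duration and
function name here is constructed for illustration.
"""
from datetime import datetime, timedelta


def data_loss_window(backup_times, failure_time):
    """Time between the last backup that completed before the failure and the
    failure itself. Everything written in that window is lost, so it must not
    exceed the RPO."""
    completed = [t for t in backup_times if t <= failure_time]
    if not completed:
        raise ValueError("no backup completed before the failure")
    return failure_time - max(completed)


def rpo_met(backup_times, failure_time, rpo):
    """True when the data lost in this failure scenario is within the RPO."""
    return data_loss_window(backup_times, failure_time) <= rpo


def recovery_time(runbook):
    """Total duration of a sequential restore runbook, a list of
    (step name, timedelta) pairs."""
    return sum((duration for _, duration in runbook), timedelta(0))


def rto_met(runbook, rto):
    """True when the restore runbook can complete within the RTO."""
    return recovery_time(runbook) <= rto


# Constructed schedule: nightly backups at 02:00, but the run on 3 April failed,
# so there is no backup for that night.
BACKUPS = [
    datetime(2016, 4, 1, 2, 0),
    datetime(2016, 4, 2, 2, 0),
    datetime(2016, 4, 4, 2, 0),
]
# Constructed failure: the afternoon after the missed backup.
FAILURE = datetime(2016, 4, 3, 18, 30)
RPO = timedelta(hours=24)   # assumed: the business can lose at most one day of data
RTO = timedelta(hours=4)    # assumed: the service must be back within four hours

# Constructed restore runbook with assumed step durations.
RUNBOOK = [
    ("declare incident and engage on-call", timedelta(minutes=30)),
    ("provision replacement instances", timedelta(minutes=20)),
    ("restore database from last backup", timedelta(hours=2, minutes=30)),
    ("validate data and redirect traffic", timedelta(minutes=45)),
]

if __name__ == "__main__":
    loss = data_loss_window(BACKUPS, FAILURE)
    print(f"data loss window: {loss}  RPO met: {rpo_met(BACKUPS, FAILURE, RPO)}")
    print(f"recovery time: {recovery_time(RUNBOOK)}  RTO met: {rto_met(RUNBOOK, RTO)}")
```

    With these inputs the lost-data window is 40 hours 30 minutes, because the missed 3 April run doubled the gap between usable backups, and the runbook totals 4 hours 5 minutes; both objectives are missed. A daily backup only satisfies a 24-hour RPO if no run is ever skipped, which is why backup success must itself be monitored rather than assumed.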

    Cloud Computing Roles

    The following groups form the key roles and functions associated with cloud computing. They do not constitute an exhaustive list but highlight the main roles and functions within cloud computing:

    Cloud backup service provider: A third-party entity that manages and holds operational responsibilities for cloud-based data backup services and solutions to customers from a central data center.

    Cloud computing reseller: A company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells them to its own customers.

    Cloud customer: An individual or entity that utilizes or subscribes to cloud-based services or resources.

    Cloud service auditor: A third-party organization that verifies attainment of service-level agreements (SLAs).

    Cloud services brokerage (CSB): Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple CSPs. It acts as a liaison between cloud services customers and CSPs, selecting the best provider for each customer and monitoring the services. The CSB can be utilized as a middleman to broker the best deal and customize services to the customer’s requirements. The CSB may also resell cloud services.

    Cloud service provider (CSP): A company that provides cloud-based platform, infrastructure, application, or storage services to other organizations or individuals, usually for a fee.

    Key Cloud Computing Characteristics

    Think of the following as a rulebook or a set of laws when dealing with cloud computing. If a service or solution does not meet all of the following key characteristics, it is not true cloud computing.

    On-demand self-service: The ability of a consumer to provision cloud resources (compute, storage, and so on) automatically, whenever and wherever they are required, without human interaction with the provider. From a security perspective, this has introduced challenges to governing the use and provisioning of cloud-based services, which may violate organizational policies.

    By its nature, on-demand self-service does not require procurement, provisioning, or approval from finance, and as such, services can be provisioned by almost anyone with a credit card; this is how shadow IT arises. For enterprise customers, this is most likely the least important characteristic, because self-service by the majority of end users is not a priority.

    Broad network access: The cloud, by its nature, is an always on and always accessible offering for users to have widespread access to resources, data, and other assets. Think convenience—access what you want, when you need it, from any location.

    In theory, all you should require is Internet access and relevant credentials and tokens, which give you access to the resources.

    The mobile and smart device revolution that is fundamentally altering the way organizations operate has introduced an interesting dynamic into the cloud conversation within many organizations. These devices should also be able to access the resources a user may require; however, compatibility issues, the inability to apply security controls effectively, and the lack of standardization across platforms and software have held this back somewhat.

    Resource pooling: Lies at the heart of all that is good about cloud computing. Traditional, noncloud systems often see utilization rates of 80 to 90 percent for a few hours a week and an average of 10 to 20 percent for the remainder. The cloud instead groups (pools) resources for use across the user landscape or multiple clients, and then scales and adjusts them to each user’s or client’s workload or resource requirements. CSPs typically have large numbers of resources available, from hundreds to thousands of servers, network devices, applications, and so on, which can accommodate large volumes of customers and can prioritize and facilitate appropriate resourcing for each client.

    Rapid elasticity: Allows the user to obtain additional resources, storage, compute power, and so on, as the user’s need or workload requires. This is more often transparent to the user, with more resources added as necessary seamlessly.

    Because cloud services utilize the pay-per-use concept, you pay for what you use. This is of particular benefit to seasonal or event-type businesses utilizing cloud services.

    Think of a provider selling 100,000 tickets for a major sporting event or concert. Leading up to the ticket release date, little to no compute resources are needed; however, when the tickets go on sale, they may need to accommodate 100,000 users in the space of 30–40 minutes. This is where rapid elasticity and cloud computing can really be beneficial, compared with traditional IT deployments, which would have to invest heavily using capital expenditure (CapEx) to support such demand.

    Measured service: Cloud computing offers a unique and important component that traditional IT deployments have struggled to provide—resource usage can be measured, controlled, reported, and alerted upon, which results in multiple benefits and overall transparency between the provider and the client. In the same way you may have a metered electricity service or a mobile phone that you top up with credit, these services allow you to control and be aware of costs. Essentially, you pay for what you use and have the ability to get an itemized bill or breakdown of usage.

    A key benefit being availed by many proactive organizations is the ability to charge departments or business units for their use of services, thus allowing IT and finance to quantify exact usage and costs per department or by business function—something that was incredibly difficult to achieve in traditional IT environments.

    In theory and in practice, cloud computing should have large resource pools to enable swift scaling, rapid movement, and flexibility to meet your needs at any given time within the bounds of your service subscription.

    Without all these characteristics, it is simply not possible for the user to be confident and assured that the delivery and continuity of services will be maintained in line with potential growth or sudden scaling (either upward or downward). Without pooling and measured services, you cannot implement the cloud computing economic model.
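    Measured service is what makes the chargeback described above possible, and it is also an alerting surface. As an added example, not from the CCSP CBK or from any provider’s billing API, the following takes a constructed export of meter readings, prices it with an assumed rate card, allocates the cost to departments through an assumed project-to-cost-centre mapping, and raises alerts for departments over budget and for spend that maps to no cost centre at all, which is the usual signature of resources provisioned outside governance. All rates, records, names, and budgets are assumptions.

```python
"""Metering, chargeback and usage alerting for a measured cloud service.

Added example, not from the CCSP CBK or any provider's billing API. The rate
card, cost-centre mapping, budgets and meter readings are constructed.
"""
import csv
import io
from collections import defaultdict

# Assumed rate card: price per metered unit.
RATES = {"vcpu_hours": 0.05, "gb_storage_hours": 0.0002, "gb_egress": 0.09}

# Assumed mapping of project tags to cost centres.
PROJECT_TO_DEPT = {
    "crm-prod": "sales",
    "crm-dev": "sales",
    "hr-portal": "hr",
    "data-lake": "analytics",
}

# Assumed monthly budgets per cost centre.
BUDGETS = {"sales": 50.0, "hr": 10.0, "analytics": 100.0}

# Constructed meter export, one reading per line. Note the last project,
# which carries no cost-centre mapping.
USAGE_CSV = """timestamp,project,meter,quantity
2016-04-01T00:00:00Z,crm-prod,vcpu_hours,48
2016-04-01T00:00:00Z,crm-prod,gb_storage_hours,24000
2016-04-01T00:00:00Z,crm-dev,vcpu_hours,8
2016-04-01T00:00:00Z,hr-portal,vcpu_hours,16
2016-04-01T00:00:00Z,hr-portal,gb_egress,5
2016-04-01T00:00:00Z,data-lake,vcpu_hours,400
2016-04-01T00:00:00Z,data-lake,gb_egress,2200
2016-04-01T00:00:00Z,rogue-test,vcpu_hours,96
"""


def parse_usage(csv_text):
    """Parse the meter export into dicts with a numeric quantity."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["quantity"] = float(row["quantity"])
        rows.append(row)
    return rows


def cost_of(record):
    """Price one meter reading; an unknown meter is a billing error, so fail loudly."""
    return record["quantity"] * RATES[record["meter"]]


def chargeback(records):
    """Itemised cost per department and meter. Projects with no cost centre are
    collected under 'unallocated' rather than silently dropped."""
    bill = defaultdict(lambda: defaultdict(float))
    for record in records:
        dept = PROJECT_TO_DEPT.get(record["project"], "unallocated")
        bill[dept][record["meter"]] += cost_of(record)
    return {dept: dict(meters) for dept, meters in bill.items()}


def totals(bill):
    """Total per department, rounded to cents."""
    return {dept: round(sum(meters.values()), 2) for dept, meters in bill.items()}


def alerts(bill, budgets):
    """Departments over budget, plus any unallocated spend at all."""
    found = []
    for dept, amount in totals(bill).items():
        if dept == "unallocated" and amount > 0:
            found.append(f"unallocated spend {amount:.2f}: untagged or ungoverned projects")
        elif dept in budgets and amount > budgets[dept]:
            found.append(f"{dept} over budget: {amount:.2f} > {budgets[dept]:.2f}")
    return found


if __name__ == "__main__":
    bill = chargeback(parse_usage(USAGE_CSV))
    for dept, amount in totals(bill).items():
        print(f"{dept:12s} {amount:10.2f}")
    for line in alerts(bill, BUDGETS):
        print("ALERT:", line)
```

    On the constructed data, analytics is the only department over budget (its egress charge dominates), and the untagged rogue-test project shows up as unallocated spend. In practice the unallocated bucket is worth alerting on at any amount: it is where self-service provisioning that bypassed procurement first becomes visible.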

    Cloud Transition Scenario

    Consider the following scenario.

    Due to competitive pressures, XYZ Corp is hoping to better leverage the economic and scalable nature of cloud computing. These pressures have driven XYZ Corp toward the consideration of a hybrid cloud model that consists of enterprise private and public cloud use. Although security risk has driven many of the conversations, a risk management approach has allowed the company to separate its data assets into two segments: sensitive and nonsensitive. IT governance guidelines must now be applied across the entire cloud platform and infrastructure security environment. This also affects infrastructure operational options. XYZ Corp must now apply cloud architectural concepts and design requirements that best align with corporate business and security goals.

    As a CCSP, you have several issues to address to guide XYZ Corp through its planned transition to a cloud architecture.

    What cloud deployment model(s) would need to be assessed to select the appropriate ones for the enterprise architecture?

    Based on the choice(s) made, additional issues may become apparent, such as these:

    Who will the audiences be?

    What types of data will they be using and storing?

    How will secure access to the cloud be enabled, audited, managed, and removed?

    When and where will access be granted to the cloud? Under what constraints (time, location, platform, and so on)?

    What cloud service model(s) would need to be chosen for the enterprise architecture?

    Based on the choice(s) made, additional issues may become apparent, such as these:

    Who will the audiences be?

    What types of data will they be using and storing?

    How will secure access to the cloud service be enabled, audited, managed, and removed?

    When and where will access be granted to the cloud service? Under what constraints (time, location, platform, and so on)?

    Dealing with a scenario such as this requires the CCSP to work with the stakeholders in XYZ Corp to seek answers to the questions posed. In addition, the CCSP should carefully consider the information in Table 1.1 to craft a solution.

    Table 1.1 Possible Solutions

    Building Blocks

    The building blocks of cloud computing are composed of random access memory (RAM), the central processing unit (CPU), storage, and networking. IaaS has the most fundamental building blocks of any cloud service: the processing, storage, and network infrastructure upon which all cloud applications are built. In a typical IaaS scenario, the service provider delivers the server, storage, and networking hardware and its virtualization, and then it’s up to the customer to implement the OSs, middleware, and applications required.

    Cloud Computing Functions

    As with traditional computing and technology environments, a number of functions are essential for creating, designing, implementing, testing, auditing, and maintaining the relevant assets. The same is true for cloud computing, with the following key roles representing a sample of the fundamental components and personnel required to operate cloud environments:

    Cloud administrator: This individual is typically responsible for the implementation, monitoring, and maintenance of the cloud within the organization or on behalf of an organization (acting as a third party).

    Most notably, this role involves the implementation of policies, permissions, access to resources, and so on. The cloud administrator works directly with system, network, and cloud storage administrators.

    Cloud application architect: This person is typically responsible for adapting, porting, or deploying an application to a target cloud environment.

    The main focus of this role is to work closely and alongside development and other design and implementation resources to ensure that an application’s performance, reliability, and security are all maintained throughout the lifecycle of the application. This requires continuous assessment, verification, and testing throughout the various phases of both the software and systems development lifecycles.

    Most architects represent a mix or blend of system administration experience and domain-specific expertise—giving insight to the OS, domain, and other components, while identifying potential reasons the application may be experiencing performance degradation or other negative impacts.

    Cloud architect: This role determines when and how a private cloud meets the policies and needs of an organization’s strategic goals and contractual requirements from a technical perspective.

    The cloud architect is also responsible for designing the private cloud, is involved in hybrid cloud deployments and instances, and has a key role in understanding and evaluating the technologies, vendors, services, and other skillsets needed to deploy the private cloud or to establish and operate the hybrid cloud components.

    Cloud data architect: This individual is similar to the cloud architect. The data architect’s role is to ensure the various storage types and mechanisms utilized within the cloud environment meet and conform to the relevant SLAs and that the storage components are functioning according to their specified requirements.

    Cloud developer: This person focuses on development for the cloud infrastructure itself. This role can vary from client tools or solutions engagements to systems components. Although developers can operate independently or as part of a team, regular interactions with cloud administrators and security practitioners are required for debugging, code reviews, and relevant security assessment remediation requirements.

    Cloud operator: This individual is responsible for daily operational tasks and duties that focus on cloud maintenance and monitoring activities.

    Cloud service manager: This person is typically responsible for policy design, business agreement, pricing model, and some elements of the SLA (not necessarily the legal components or amendments that require contractual amendments). This role works closely with cloud management and customers to reach agreement and alongside the cloud administrator to implement SLAs and policies on behalf of the customers.

    Cloud storage administrator: This role focuses on the mapping, segregations, bandwidth, and reliability of storage volumes assigned. Additionally, this role may require ensuring that conformance to relevant SLAs continues to be met, working with and alongside network and cloud administrators.

    Cloud Service Categories

    Cloud service categories fall into three main groups: IaaS, PaaS, and SaaS. Each is discussed in the following sections.

    IaaS

    According to The NIST Definition of Cloud Computing, in IaaS, the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include OSs and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over OSs, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).4

    Traditionally, infrastructure has always been the focal point for ensuring which capabilities and organization requirements could be met versus those that were restricted. It also represented possibly the most significant investments in terms of CapEx and skilled resources made by the organization. The emergence of the cloud has changed this traditional view of infrastructure’s role significantly by commoditizing it and allowing it to be consumed through an on-demand, pay-as-you-go model.
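    The NIST wording matters for shared responsibility: in IaaS the host firewall is one of the few network controls the consumer does own, so its configuration is the consumer’s to audit, not the provider’s. As an added example, not from the CCSP CBK or from any provider’s tooling, the following checks a constructed ingress ruleset in an assumed (protocol, from_port, to_port, source_cidr) format for management and database ports reachable from the whole Internet. The port list, rule format, and sample rules are assumptions.

```python
"""Audit the ingress rules of a host firewall or security group that an IaaS
consumer controls.

Added example, not from the CCSP CBK or any provider's tooling. The rule
format (protocol, from_port, to_port, source_cidr), the port list and the
sample ruleset are all constructed for illustration.
"""
import ipaddress

# Assumed list of ports that should never be reachable from the whole Internet.
MANAGEMENT_PORTS = {
    22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls",
    3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb",
}

# Constructed ingress ruleset for one host.
RULES = [
    ("tcp", 443, 443, "0.0.0.0/0"),          # public HTTPS: expected
    ("tcp", 22, 22, "0.0.0.0/0"),            # SSH from anywhere
    ("tcp", 22, 22, "203.0.113.0/24"),       # SSH from the assumed bastion range
    ("tcp", 1, 65535, "10.0.0.0/8"),         # everything from the private network
    ("tcp", 3389, 3389, "::/0"),             # RDP from anywhere over IPv6
    ("tcp", 0, 65535, "0.0.0.0/0"),          # everything from anywhere
]


def is_world_open(cidr):
    """A /0 prefix in either address family means 'any source'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_management_ports(rule):
    """Management ports this rule opens to the whole Internet (sorted)."""
    protocol, from_port, to_port, source = rule
    if protocol not in ("tcp", "all") or not is_world_open(source):
        return []
    return [p for p in sorted(MANAGEMENT_PORTS) if from_port <= p <= to_port]


def audit(rules):
    """One finding per rule that exposes a management port. A rule that opens a
    broad range is rated high; a single exposed port is rated medium."""
    findings = []
    for rule in rules:
        ports = exposed_management_ports(rule)
        if not ports:
            continue
        _, from_port, to_port, _ = rule
        severity = "high" if to_port - from_port >= 1024 else "medium"
        findings.append({"rule": rule, "ports": ports, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        names = ", ".join(f"{p}/{MANAGEMENT_PORTS[p]}" for p in finding["ports"])
        print(f"[{finding['severity']}] {finding['rule']} exposes {names}")
```

    The first rule is the intended public service and produces no finding; the two single-port rules and the any/any rule are what the audit is for. Restricting the source to the bastion range, as the third rule does, is the fix the IaaS split implies: the provider will not make it for you.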

    IaaS Key Components and Characteristics

    The following form the basis for the IaaS service model:

    Scale: The requirement for automation and tools to support the potentially significant workloads of either internal users or those across multiple cloud deployments (dependent on which cloud service offering) is a key component of IaaS. Users and customers require optimal levels of visibility, control, and assurances related to the infrastructure and its ability to satisfy their requirements.

    Converged network and IT capacity pool: This follows from the focus on scale but concerns the virtualization and service management components required to deliver appropriate levels of service across network boundaries.

    From a customer or user perspective, the pool appears seamless and endless (no visible barriers or restrictions, along with minimal requirement to initiate additional resources) for both the servers and the network. These are (or should be) driven and focused at all times in supporting and meeting relevant platform and application SLAs.

    Self-service and on-demand capacity: This requires an online resource or customer portal that allows the customers to have complete visibility and awareness of the virtual IaaS environment they currently utilize. It additionally allows customers to acquire, remove, manage, and report on resources, without the need to engage or speak with resources internally or with the provider.

    High reliability and resilience: To be effective, IaaS increasingly requires automated distribution of workloads across the virtualized infrastructure, so that the failure of an individual host or site does not breach SLA requirements.

    IaaS Key Benefits

    IaaS has a number of key benefits for organizations, which include but are not limited to the following:

    Usage metered and priced on the basis of units (or instances) consumed. This can also be billed back to specific departments or functions.

    The ability to scale up and down infrastructure services based on actual usage. This is particularly useful and beneficial when there are significant spikes and dips within the usage curve for infrastructure.

    Reduced cost of ownership. There is no need to buy assets for everyday use, no loss of asset value over time, and reduced costs of maintenance and support.

    Reduced energy and cooling costs along with green IT environment effect with optimum use of IT resources and systems.

    Significant and notable providers in the IaaS space include Amazon, AT&T, Rackspace, Verizon/Terremark, and HP, among others.

    PaaS

    According to The NIST Definition of Cloud Computing, in PaaS, the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, OSs, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.5

    PaaS and the cloud platform components have revolutionized the manner in which development and software have been delivered to customers and users over the past few years. Lower barriers to entry in terms of cost, resources, capabilities, and ease of use have dramatically reduced time to market, promoting and harvesting the innovative culture within many organizations.

    PaaS Key Capabilities and Characteristics

    Outside of the key benefits, PaaS should have the following key capabilities and characteristics:

    Support multiple languages and frameworks: PaaS should support multiple programming languages and frameworks, thus enabling the developers to code in whichever language they prefer or whatever the design requirements specify.

    In recent times, significant strides and efforts have been taken to ensure that open source stacks are both supported and utilized, thus reducing lock-in or issues with interoperability when changing CSPs.

    Multiple hosting environments: The ability to support a wide choice and variety of underlying hosting environments for the platform is key to meeting customer requirements and demands. Whether public cloud, private cloud, local hypervisor, or bare metal, supporting multiple hosting environments allows the application developer or administrator to migrate the application when and as required. This can also be used as a form of contingency and continuity and to ensure ongoing availability.

    Flexibility: Traditionally, platform providers provided features and requirements that they felt suited the client requirements, along with what suited their service offering and positioned them as the provider of choice, with limited options for the customers to move easily.

    This has changed drastically, with extensibility and flexibility now offered to meet the needs and requirements of developer audiences. This has been heavily influenced by open source, which allows relevant plug-ins to be quickly and efficiently introduced into the platform.

    Allow choice and reduce lock-in: Earlier proprietary platforms brought red tape, barriers, and restrictions on what developers could do when migrating or adding features and components to the platform. Although developers still code to the application programming interfaces (APIs) the provider makes available, common and standard API structures allow them to run their apps in various environments, ensuring a level of consistency and quality for customers and users.

    Ability to auto-scale: This enables the application to seamlessly scale up and down as required to accommodate the cyclical demands of users. The platform will allocate resources and assign these to the application, as required. This serves as a key driver for any seasonal organizations that experience spikes and drops in usage.

    PaaS Key Benefits

    PaaS has a number of key benefits for developers, which include but are not limited to these:

    OSs can be changed and upgraded frequently, including associated features and system services.

    Globally distributed development teams are able to work together on software development projects within the same environment.

    Services are available and can be obtained from diverse sources that cross national and international boundaries.

    Upfront and recurring or ongoing costs can be significantly reduced by utilizing a single vendor instead of maintaining multiple hardware facilities and environments.

    Significant and notable providers in the PaaS space include Microsoft and Google, along with platforms built on the open source OpenStack project, among others.

    SaaS

    According to The NIST Definition of Cloud Computing, in SaaS, "The capability provided to the consumer is to use the provider’s
