ccsp domain 1

isc2 ccsp exam

• Cloud app (cloud application)

Short for cloud application, cloud app is the phrase used to describe a software application that is never installed on a local computer. Instead, it is accessed via the internet.

• Cloud computing

A type of computing that relies on sharing computing resources in the delivery of computing services, rather than having local servers or personal devices to handle applications.

• Cloud computing role

A set of activities that serves a common purpose.

• Cloud database

A database accessible to clients from the cloud and delivered to users on demand via the internet. Cloud databases can use cloud computing to achieve optimized scaling, high availability, multitenancy and effective resource allocation.

• Cloud management

Software and technologies designed for operating and monitoring the applications, data and services residing in the cloud. Cloud management tools help ensure a company's cloud computing-based resources are working optimally and properly interacting with users and other services.

• Cloud migration

The process of transitioning all or part of a company's data, applications and services from on-site premises behind the firewall to the cloud, where the information can be provided over the internet on an on-demand basis.

• Cloud operating system (OS)

A software application responsible for orchestrating cloud computing services across multiple geographically separated data centers.

• Cloud service customer (CSC)

A party that is in a business relationship for the purpose of using cloud services.

Cloud auditor

responsible for conducting audits of cloud systems and cloud apps

cloud service broker

partner that serves as an intermediary between a cloud service customer and cloud service provider.

• Cloud service provider (CSP)

A service provider who offers customers storage or software solutions available via a public network, usually the internet.

• Cloud storage

The storage of data online in the cloud, wherein a company's data is stored in and accessible from multiple distributed and connected resources that make up a cloud.

• Cloud workload

An application, service or capability running within the cloud environment.

• Confidential computing

Confidential computing protects data in use by performing computation in a hardware-based Trusted Execution Environment. Source: Confidential Computing Consortium, https://confidentialcomputing.io/

• Hybrid cloud

A combination of public and private cloud storage where some critical data resides in the enterprise's private cloud while other data is stored and accessible from a public cloud storage provider.

Public Cloud

cloud is maintained and controlled by the cloud provider, but the services are available to any potential cloud customers.

• Infrastructure as a Service (IaaS)

Computer infrastructure, typically computer, storage and networking services, being delivered as a service. IaaS is popular in the data center where software and servers are purchased as a fully outsourced service and usually billed on usage and how much of the resource is used.

• Multitenancy

Describes multiple customers using the same public cloud.

• Peer cloud service provider

A cloud service provider who provides one or more cloud services for use by one or more other cloud service providers as part of their cloud services.

• Platform as a Service (PaaS)

A cloud service through which the cloud service customer can deploy, manage and run customer-created or customer-acquired applications using one or more programming languages and one or more executing environments supported by the cloud service provider.

• Portability

When applied to cloud services, it defines the ease with which applications or components are moved and reused elsewhere regardless of the provider, platform, OS, infrastructure, location, storage, format of data or APIs.

• Private cloud

The phrase used to describe a cloud computing platform that is implemented within the corporate firewall, under the control of the IT department. A private cloud is designed to offer the same features and benefits of cloud systems but removes a number of objections to the cloud computing model, including control over enterprise and customer data, worries about security and issues connected to regulatory compliance.

• Product catalog

A listing of all the cloud service products that cloud service providers make available to cloud service customers.

• Provisioning

When applied to cloud services, the processes associated with delivering and orchestrating cloud computing services. It also includes facilities for interfacing with the cloud's applications and services as well as auditing and monitoring who accesses and utilizes the resources.

• Software as a Service (SaaS)

A software delivery method that provides access to software and its functions remotely as a web-based service. SaaS allows organizations to access business functionality at a cost typically less than paying for licensed applications since SaaS pricing is based on a monthly fee.

• Sub-role

A subset of the activities of a given role.

• Virtual machine

A system that allows multiple virtual systems to share a common physical implementation.

Cloud application portability

migrate a cloud app from one cloud provider to another

cloud data portability

ability to move data between cloud providers

cloud deployment model

how cloud computing is delivered through a set of configurations: public, private, hybrid, community

Cloud Service

capabilities offered via a cloud provider and accessible via a client.

Cloud service category

group of cloud services that have a common set of features or qualities.

community cloud

cloud services model where the tenants are limited to those that have a relationship together with shared requirements, and are maintained or controlled by at least onemember of the community.

tenant

one or more cloud customers sharing access to a pool of resources.

data portability

ability to move data from one system or another without having to re-enter it.

Measured Service

cloud services are delivered and billed for in a metered way

on-demand self-service

cloud customer can provision services in an automatic manner, when needed, with minimal involvement from the cloud provider

resource pooling

aggregation of resources allocated to cloud customers by the cloud provider.

reversibility

ability of a cloud customer to remove all data and applications from a cloud provider and completely remove all data from their environment and move to new environment with minimal impact to operations.

cloud computing roles

auditor, service broker, service customer, service partner, service provider, service user

cloud computing characteristics

on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service

What are the fundamental keys to cloud implementation? (4)

CPU
memory/RAM
networking
storage solutions

Cloud computing activities

activities are performed by the cloud service customer

Roles for the cloud service customer

service user
service administrator
service business manager
service integrator

cloud service integrator

connects and integrates existing systems and services to the cloud

roles for cloud service providers

service operations manager
service deployment manager
service manager
service business manager
support and care representative
inter-cloud provider
service security and risk manager
network provider

cloud service operations manager

prepares systems for the cloud, administers service, monitors services, provides audit data when requested or required, manages inventory and assets.

cloud service deployment manager

gathers metrics on cloud services, manages deployment steps and processes, defines the processes and environment.

cloud service manager

delivers, provisions, and manages the cloud services

inter-cloud provider

responsible for peering with other cloud services and providers as well as overseeing

cloud service capabilities

infrastructure service capability
platform service capability
software service capability

infrastructure service capability

cloud customer can provision and have substantial configuration control over processing, storage, and net resources.

platform service capability

cloud customer can deploy code and apps using programming languages and libraries that are maintained by the CSP.

software service capability

cloud cust uses a fully established app provided by the cloud provider, with minimal user configuration options allowed.

cloud service categories

Infrastructure as a Service (IaaS)
Platform as a service (PaaS)
Software as a service (SaaS)

Infrastructure as a Service (IaaS)

limited control over network components for the customer, customer can deploy and run arbitrary software and systems.

Platform as a Service (PaaS)

customer is responsible for deploying their apps within the provided platform infrastructure, cloud provider is responsible for patching and deploying systems

Software as a Service (SaaS)

provider is responsible for maintaining the entire system and all underlying infrastructure, customer has limited configuration options

what are the key benefits/features of IaaS?

scalability
cost of ownership of physical hardware
high availability
physical security req via CSProvider
location and access independence
metered usage-only pay for what you need
potential for "green" data centers

what are the key benefits/features of PaaS?

auto-scaling
multiple host environments
choice of environments
flexibility
ease of upgrades
cost effective
ease of access
licensing

auto-scaling vs. scaling

auto-scaling is found in PaaS and the provider changes the size automatically
scaling- the user does all changes

what are the key features/benefits of SaaS?

supports costs and efforts
reduced overall costs
licensing
ease of use and administration
standardization

what are the cloud deployment models?

public
private
hybrid
community

what are the key benefits/features of the public cloud model?

easy setup
scalability
only pay for what you need

What standards does ISC cloud follow?

NIST SP standards

key benefits/features of private cloud

the customer owns it
ops and system parameters are controlled by the controlling org
control over data and software

hybrid cloud benefits/features

split systems for optimization - user can split resources between public and private
retain critical systems internally
disaster recovery - can mitigate data back and forth from private to public
scalability

interoperability

ease with which one can move or reuse comps of an app or service.

SLA

service level agreements - terms and cost agreements of services

what is the main way a cloud provider implements security?

by setting baselines and minimum standards with add-ons and extensions.

analytical AI

cognitive-based, focuses on systems to analyze data from past experiences for future decisions.

human-inspired AI

picks up where analytical AI leaves off by incorporating emotional intelligence.

machine learning

uses scientific and statistical data and algorithms to allow machines to adapt to situations and perform functions they are programmed to perform.

examples of machine learning

intrusion detection

e-mail filtering

virus scanning

blockchain

list of records that linked together via cryptography

types of blockchains(4)

public

private

consortium - req. permission to join

hybrid - combo of all three

mobile device management (MDM)

suite of policies, tech and infrastructure that enables an org to manage and secure mobile access to data.

How is MDM accomplished?

by installing software from the IT dept to enforce security configurations and policies.

containers

rapid deployment of applications throughout cloud environments

Security Concepts relevant to cloud computing

cryptography

access control

data and media sanitation

network security

virtualization security

common threats

data in transit

state of data when it is actually being used by an application and is traversing systems internally

data at rest

information stored on a system or device

types of key management systems(KMSs)

remote

client-side

remote KMS

system maintained by the customer at their location.

client-side KMS

provided by the cloud provider but is hosted and controlled by the customer

accounting when working with authentication and authorisation

maintains logs and records of all activities for both operation and reg needs.

LDAP

lightweight directory access protocol

what does an LDAP do?

authenticator when a user logs into a system

authorization vs. authentication

authorization is an on-going even during the authenticated session

two issues in data and media sanitation

1. ability to easily and efficiently move data from one cloud provider to another
2. ability to ensure that all data has been removed and sanitized when leaving a cloud provider or environment.

data overwriting

write over erased data with either arbitrary data or zero values.

what is the practice for destroying keys?

cryptographic erasing

type 1 hypervisor

tied to the underlying hardware and hosts virtual machines on top of it. operates between hardware and host layer.

type 2 hypervisor

software based and resides on the host itself.

common threats

data breaches

insufficient ID, cred, access management

insecure interfaces and APIs

system vulnerabilities

account hijacking

malicious insiders

advanced persistent threats

data loss

insufficient due diligence

abuse and nefarious use of cloud services

denial of service

shared technologies issues

security concerns for IaaS

multitenancy

co-location

hypervisor security and attacks

network security

VM attacks

virtual switch attacks

DoS

co-location

when multiple VM’s hosted by the same physical hardware start attacking each other including hypervisor.

Why is a virtual machine attack riskier than a physical server?

because a VM is sharing a host with other VMs and the attack can spread across the network faster and easier.

virtual and physical switches are attacked at layer…

2

security concerns for PaaS

system isolation

user permissions

user access

malware, trojans, backdoors, etc.