Cloud Bursting
When a company uses its own computing infrastructure for normal usage and accesses the cloud when it needs to scale for high/peak load requirements, ensuring a sudden spike in usage does not result in poor performance or system crashes.
No; under current laws, liability and risk for safeguarding PII and meeting regulations reside with the organization, even if they have contracted with a cloud provider.
Can an organization transfer risk and liability for safeguarding PII to a cloud provider?
- Elasticity
- Scalability
- The ability to acquire resources as you need them and release resources when you no longer need them
- This is similar, but usually relates more to environments with more predictable workloads. Usually done in advance to give resources room to grow. For example, purchasing additional room to allow a database to grow larger in the coming months due to projected business growth.
- SaaS
- PaaS; it is everything included in IaaS with the addition of operating systems
- IaaS
- Physical access to the devices on which their data resides
- This cloud service model includes applications, CRM, hosted HR, and email
- This model includes operating systems and is popular with DevOps for creating and testing software
- This model includes hardware, blades, connectivity, and utilities; it is similar to a "warm site"
- What does a customer give up in all three of these models?
- The customer. The vendor provides all hardware, but not logical resources such as software
- The vendor
- Who is responsible for all logical resources, such as software, in an IaaS service model?
- Who is responsible for administering, patching, and updating the OS in a PaaS service model?
- Public
- Private
- Community
- This type of cloud deployment model is owned by a specific company and offered to anyone who contracts its services.
- This type of cloud is owned by a specific organization but is only available to users authorized by that organization; it is similar to a legacy IT structure or what used to be considered an intranet
- This type of cloud features infrastructure and processing owned or controlled by distinct individuals and organizations, but they come together in some fashion to perform joint tasks; an example is the PlayStation gaming network
CASB (Cloud Access Security Broker)
A software tool or service that enforces cloud-based security requirements such as IAM (Identity and Access Management). It is placed between the organization's resources and the cloud, monitors all network traffic, and can enforce security policies.
1. NIST 800-53
2. NIST 800-61
3. NIST 800-37
4. ISO 31000:2009
5. ISO/IEC 28007:2007
1. A guidance document with the primary goal of ensuring that appropriate security requirements and controls are applied to all U.S. federal government information in information management systems.
2. A guidance document which outlines a framework for incident response plans
3. A guidance document for implementing RMF (Risk Management Framework)
4. This is an international standard that focuses on designing, implementing, and reviewing risk management processes & practices
5. This standard refers to addressing risks in a supply chain
FIPS 140-2
Primary goal of this is to accredit and distinguish secure and well-architected cryptographic modules produced by private sector vendors who seek to have their solutions and services certified for use in regulated industries that collect, store, transfer, or share data that is deemed to be "sensitive" but not classified.
TCI (Trusted Cloud Initiative) Reference Architecture
A methodology and a set of tools that enables security professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business.
- Vendor Lock-in
- Vendor Lock-out
- This is when a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or non-technical constraints.
- This is when a customer is unable to access their data because a cloud vendor has gone out of business or otherwise left the marketplace.
- IaaS: the customer is responsible for everything from OS on down including choosing, installing, and administering software and supplying and managing data. Vendor provides buildings and hardware for the datacenter. The customer can still collect and review logs from the software.
- In which Cloud Model does the customer have the most responsibility and authority?
- PaaS
- In which Cloud Model is the vendor responsible for installing and administering the OS but not other software?
- SaaS; the vendor owns the hardware, software, and admin duties for both. The customer only supplies the data. The customer is essentially the same as a basic user in legacy IT environments: they have little to no admin rights or privileged accounts and few permissions and responsibilities.
- In which Cloud Model does the customer have the least amount of control over the environment?
Homomorphic Encryption
This technology is still theoretic. It would enable processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider for processing without the requirement to decipher the data first.