1. Understanding the Cloud (20-25%)
Describe cloud principles & delivery mechanisms.
Differentiate between on-premise IT service models.
On-Premise:
o Control over all systems/data. Customizable.
o Corporate data is stored/handled internally.
o Dedicated IT staff for mntc/support.
o Initial investment is high, but pays off over time.
Online (Cloud):
o No software licensing costs.
o No new infrastructure requirements, i.e. servers.
o Resources are configurable, but no full control over data & processes.
o Low cost for services.
o 3rd parties are doing the work, but are also handling sensitive data.
Ref. 1
Differentiate between subscription or pay-as-you-go vs. upfront CapEx/OpEx funding model.
Pay-as-you-go is an Operational Expense (OpEx) funding model.
Its advantage is that users can pay for processor time and storage as needed, by a
company offering external cloud service, aka cloud service provider (CSP).
OpEx model is on-going investment. It's non-committal, allowing flexibility.
OpEx is a preferred option, since capital investment is limited. Pay-as-you-go offers
scalability, where users can consume more or less power as needed. Ref. 5
o Paying upfront requires companies to pay for direct, indirect & overhead costs of running
& owning datacenters (CapEx).
o As capital assets age, they will cost more for upgrades, replacements, personnel & mntc.
o Paying upfront does not allow flexibility nor scalability. Ref. 5
o Paying upfront also incurs an on-going OpEx as well as CapEx. Ref. 9
Use cloud services to expand capacity (elasticity of the cloud), scalability, redundancy &
availability.
o Elasticity – expands or shrinks storage capacity as needed.
o Scalability – allows addition/contraction of power (i.e., more users, drive space or RAM)
in the form of enabling more connections (customer requests).
o Scale up – add more resources.
o Scale out – add 1 or more subscription(s).
o Redundancy – automatic recovery, having an extra server built-in, in the event of an
outage/disaster.
o Availability – provide high level of service, regardless of vicissitudes in demand/system
failure.
o Recovery of failure – five 9s, 99.999% system availability through elasticity,
scalability & redundancy. Ref. 2
o High availability chart – shows acceptable uptime percentage. Ref. 2
Differentiate between configurable vs. customizable
Configurable – system is complete, but allows users to make granular changes to fit needs.
o Saves $$$ & time, b/c don't need to hire developers to recode.
o Cloud services that are on-line are configurable.
Customizable – system is incomplete & developers need to recode & implement changes.
o Changes are $$$ & significant.
o Changes affect the service.
o On-premise is customizable.
Describe cloud security requirements & policies
Describe how cloud services manage privacy
1. Cloud service providers (CSPs) - adhere to standards, i.e. SSAE-16, PCI DSS or ISO 27001
to protect data that is stored, processed & transmitted.
2. Encryption secures data being transferred by using a key encryption management
program.
a. Data is hidden in code in transit & reassembled into readable data @ rest.
b. SSL & HTTPS are forms of encryption that protect data in transit.
3. Tokens – offer KMS that encrypts data on the server side & provides audit trail of usage.
4. Versioning – prevents accidental deletion/overwriting.
5. Logging – protects data by tracking requests for server access. Ref. 9
How compliance goals are met:
Microsoft (MS) has privacy standards that include:
1. Privacy by design – MS is the custodian of customer data. MS has a trust center where
transparency & trust between organizations & MS is established.
2. MS has independent verification in place to maintain privacy.
MS has 6 key privacy principles:
1. Control – customers are in control of their data.
2. Transparency - MS is transparent about data collection & use, so customers are
informed.
3. Security – MS protects data through security measures & encryption.
4. Legal protections – MS respects local privacy laws & fights for legal protection of your
privacy.
5. No content-based targeting – MS will not use your data for advertising.
6. Benefits to you – when MS collects data, it is used to benefit the customer & improve
UX. Ref. 13
How data is secured @ rest or on-the-wire
1. Defense in depth approach to provide physical, logical and data layers of security
features & operational best practices. Ref. 12
2. Physical security – 24hr monitoring of data centers, multi-factor authentication, separate
internal & external networks, role separation. Bad drives & hw are destroyed. Ref. 12
3. Logical security – Lockbox process limits data access. Whitelisted servers run. Threat
mgmt teams that act as hackers to learn how to prevent attacks. Ports & perimeter are
scanned. Use of intrusion detection.
4. Data security – encryption @ rest & in-transit with SSL/TLS. Threat mgmt. Security
monitoring. File/data integrity are guarded from tampering. Exchange Online Threat
Protection offers advanced security & reliability against spam & malware. Ref. 12
5. User controls – O365 msg encryption allows user to send encrypted email, DLP & RTS.
Policies can be config to protect data. S/MIME offers msg security w/ certificate-based
email access. Azure Rights Mgmt prevents file-level access w/o credentials.
6. Admin controls – multi-factor authentication protects access to service with 2nd factor,
i.e. phone. DLP prevents data leaks. MDM allows mgmt of corporate data. MAM –
from Intune, allows more control to secure data in apps. Built-in anti-virus & antispam
protection in Exchange Online.
How data & operations transparency requirements are met
Self assessment & 3rd party audits help meet compliance & transparency goals.
Describe how cloud services stay up-to-date & available
Describe the service/feature improvement process:
1. Monitor service health – O365 admin ctr/service settings/get updates. Request 1st
release – available immediately. Affects whole organization, but can "select group of
people" to rcv 1st release. Standard release – available in 2 weeks.
2. Service mntc – redundancy, resilience, distributed services & monitoring.
3. Future roadmap publishing – overview of updates & future releases.
4. Identify guarantees – MS offers 99.9% guarantee of uptime that's financially backed.
5. Service Level Agreement (SLA) - minimum level of acceptable service, with 99.9% rate of
recovery.
6. Capping of liability – liable up to 12 months or $5k.
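As an added example (not part of the original notes), the Python below turns the availability figures cited in these notes (the 99.9% financially backed uptime guarantee and the "five 9s" 99.999% target) into a downtime budget, and checks a constructed month of outage windows against the SLA. The 30-day month and the sample outages are assumptions made for the example.

```python
# Added example (not from the original notes): availability / SLA downtime-budget
# calculator for the uptime figures the notes cite (99.9% guarantee, five 9s = 99.999%).
from datetime import datetime

HOURS_PER_MONTH = 30 * 24   # assumed 30-day month for the budget
HOURS_PER_YEAR = 365 * 24


def downtime_budget_minutes(availability_pct: float, period_hours: float) -> float:
    """Minutes of downtime a given availability target still permits in the period."""
    return (1 - availability_pct / 100) * period_hours * 60


def measured_availability(outages, period_hours: float) -> float:
    """Availability % over a period, given (start, end) outage windows.
    Overlapping windows (e.g. two monitors reporting the same incident)
    are merged so the same minutes are not counted twice."""
    windows = sorted((s, e) for s, e in outages if e > s)
    merged = []
    for s, e in windows:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    down_hours = sum((e - s).total_seconds() / 3600 for s, e in merged)
    return 100 * (1 - down_hours / period_hours)


def meets_sla(outages, sla_pct: float, period_hours: float = HOURS_PER_MONTH) -> bool:
    """True when measured availability reaches the SLA threshold."""
    return measured_availability(outages, period_hours) >= sla_pct


# Constructed sample: three outage windows in one month, two of them overlapping.
SAMPLE_OUTAGES = [
    (datetime(2024, 3, 4, 2, 0), datetime(2024, 3, 4, 2, 25)),     # 25 min
    (datetime(2024, 3, 4, 2, 10), datetime(2024, 3, 4, 2, 30)),    # overlaps; adds 5 min
    (datetime(2024, 3, 19, 14, 0), datetime(2024, 3, 19, 14, 12)),  # 12 min
]

if __name__ == "__main__":
    for pct in (99.9, 99.99, 99.999):
        print(f"{pct}% allows {downtime_budget_minutes(pct, HOURS_PER_MONTH):.1f} min/month, "
              f"{downtime_budget_minutes(pct, HOURS_PER_YEAR):.1f} min/year")
    print("measured:", round(measured_availability(SAMPLE_OUTAGES, HOURS_PER_MONTH), 4))
    print("meets 99.9%:", meets_sla(SAMPLE_OUTAGES, 99.9))       # 42 min used of 43.2 budget
    print("meets five 9s:", meets_sla(SAMPLE_OUTAGES, 99.999))   # budget is only ~0.43 min
```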
Describe various cloud services
Deployment models:
Private cloud – privately owned by an organization; allows privacy & control. Hosted in
customer's own data center. More secure, but limited size & scalability. CapEx & OpEx for
physical resources.
On-prem private cloud is best for those who want control & configurability of infrastructure &
security. Ref. 7
Externally hosted private cloud is through a 3rd party, off-premise & offers privacy. Ref. 7
Community cloud – shared by several organizations & supports a specific community that has
shared concerns, i.e. gov't. May be managed by the organization or 3rd party. May exist on-premise
or off-premise.
Public cloud – available to the public that shares the same infrastructure pool with limited
configurations & security protections. This is owned by an org selling cloud services.
It's off-premise & a low cost model, b/c it's pay-as-you-go. Large in scale to allow on-demand
scalability. Ref. 7
Hybrid cloud – consists of 2 or more clouds (private, community or public) that are unique, but
bound together by standardized or proprietary technology that enables data & application
portability (e.g. cloud bursting for load balancing between clouds).
Hybrid clouds offer on-demand, externally-provisioned scalability. Ref. 7
Differentiate between types of cloud services & characteristics.
Software as a Service (SaaS) - allows little customization, b/c vendor manages everything
(apps, data, runtime, middleware, OS, virtualization, servers, storage, networking).
This is "on-demand SW".
Reduces OpEx by outsourcing HW, SW mntc & support to CSP.
Examples: CRM, email, virtual desktop, communications, games, O365 & SalesForce. Ref. 2, 4
Platform as a Service (PaaS) - vendor provides HW & some SW, including OS, db, web server &
programming tools.
Users have little control over HW, but can manage apps installed & control data.
Users can build apps, define & create storage structures & upload them onto the platform.
Users don't have to worry about configuring load balancing or DNS.
Primary use is for development, testing & deployment.
Vendor provides OS or platform the application is running on.
Examples: Executive runtime, db, web server, development tools, Windows Azure. Ref. 4
Infrastructure as a Service (IaaS) - offers computers, physical or VMs & other resources.
IaaS is a cloud-service model that refers to online services where users don't worry about
infrastructure, location, data partitioning, scaling, security & backups.
IaaS supports many VMs & can scale service according to needs.
IaaS offers firewalls, load balancing, IP addresses and SW bundles on an on-demand basis, but
the client is responsible for installing & maintaining OS, apps, data, runtime & middleware.
IaaS offers virtualization & HW (servers, storage & networking).