CCSP CBK Domain 1 (1)

CCSP Chapter 1 - Cloud Concepts, Architecture, and Design
Agenda
Cloud Computing Concepts
Cloud Service Partner
Cloud Shared Responsibility Model Table
Broad Network Access
Resource Pooling
Networking
Cloud Service Capabilities
Interoperability and Portability
Resiliency and Performance
Regulatory and Outsourcing
Artificial Intelligence
Containerization in Cloud Computing

SON NGUYEN – 0985.963.404


1.1.1 Understand Cloud Computing Concepts



Cloud Computing Concepts: Practical Opening (5W1H)
• What is “Cloud”?
• Why Cloud?
• Who needs Cloud?
• Popular Clouds?



Cloud Computing Concepts
• Cloud Computing Overview
  • Defined by NIST 800-145 as a model for on-demand network access to shared resources
  • Requires network, self-service, and automated provisioning
• Cloud Computing Example
  • Dropbox as a cloud-based file storage system
  • Users can self-manage service levels and resources
• Financial Accounting in Cloud Services
  • Capital expenditures (CapEx) vs. operating expenditures (OpEx)
  • OpEx preferred for tax benefits
• Service and Deployment Models
  • Three service models: SaaS, PaaS, IaaS
  • Four deployment models: public, private, community, hybrid



1.1.2 Cloud Computing Roles and Responsibilities



Cloud Service Customer
• Definition of Cloud Service Customer (CSC)
  • An individual or company acquiring cloud services
  • Internal CSC refers to employees using cloud services within an organization



Cloud Service Provider
• Definition of CSPs
  • Companies or entities offering cloud services
• Types of Services
  • SaaS, PaaS, and IaaS in various combinations
• Major CSP Examples
  • AWS, Microsoft Azure, Google Cloud (PaaS and IaaS)
  • Salesforce, Dropbox, Microsoft 365, Google Workspace (SaaS)
  • Viet Nam CSP?



Cloud Service Partner vs. Cloud Service Broker
• Cloud Service Partner (CSP)
  • Offers cloud-based services using associated CSPs like AWS
  • Provides customized interfaces, load balancing, and services
  • Facilitates easier entry into cloud computing for customers
• Cloud Partner Network
  • Extends CSP reach and offers branded associations
  • Aligns with multiple CSPs for customer flexibility
  • Sells additional services and support to skill-lacking organizations
• Cloud Service Broker (CSB)
  • Acts as a broker to find cloud computing solutions
  • Packages services from multiple CSPs for customer benefit



Regulator
(Side note: REGULATIONS ON, OR RELATED TO, CLOUD?)
• Regulation of Cloud Data Processing
  • EU GDPR, GLBA, and PIPEDA govern data in the cloud
  • Organizations must safeguard collected, processed, or stored data
• Security of Cloud Data
  • Encryption required for data at rest and in transit
  • Shared services and third-party administrators necessitate strict controls
• Guidance and Shared Responsibility
  • Regulatory bodies provide guidance for sensitive data handling
  • CSPs offer compliant service configurations
• Consumer's Role
  • Consumers must ensure cloud solutions meet regulatory demands
• Regulator Guidance Examples



Cloud Shared Responsibility Model Table

Responsibility                   IaaS    PaaS    SaaS
Data classification              C       C       C
Identity and access management   C       C/P     C/P
Application security             C       C/P     C/P
Network security                 C/P     P       P
Host infrastructure              C/P     P       P
Physical security                P       P       P

(C = customer, P = provider, C/P = shared between customer and provider)



Continuum of Responsibilities
• Shared Responsibility in Cloud Security
  • CSP and customer share security responsibilities
  • Continuum of responsibility varies by service model
• Service Model Impact on Security Roles
  • IaaS: Customer has larger security role
  • SaaS: CSP has larger security role
  • PaaS: Responsibilities are intermediate
• Operational and Data Security
  • CSP handles operational security controls
  • Customer implements data security controls
• Collaborative Security Efforts
  • Both provider and customer act in some areas

Table 1.1: Key Areas of Responsibility in Cloud Service Models
Service Model   CSP Responsibility               Customer Responsibility    Shared Responsibility
IaaS            Physical access controls         Data security controls     Varies by agreement
PaaS            Platform security                Application security       Varies by agreement
SaaS            Application and data security    Data governance            Varies by agreement
CSP-Specific Shared Responsibility
• Understanding CSP Shared Responsibilities
  • Distinct responsibilities for customers and providers
  • Varies with service models and compliance frameworks
• Amazon Web Services (AWS)
  • Customers manage cloud apps and configuration
  • Amazon secures cloud infrastructure
• Microsoft Azure
  • Customers handle user, device, and data security
  • Microsoft ensures physical security
• Google Cloud Platform (GCP)
  • Google offers framework-specific documentation
  • Physical security managed by Google

Shared Responsibility in CSPs
CSP                          Customer Responsibility            Provider Responsibility
Amazon Web Services (AWS)    Data, Cloud Apps Configuration     Hardware, Software, Environmental Controls, Physical Security
Microsoft Azure              Users, Devices, Data Security      Physical Security, OS Configuration (SaaS)
Google Cloud Platform (GCP)  Customer Data Security             Physical Security, Compliance Documentation



1.1.3 Key Cloud Computing Characteristics



On-Demand Self-Service
• Definition and Ease of Provisioning
  • Services rapidly provisioned with minimal effort
  • User-friendly interfaces for immediate access
• Advantages Over Traditional IT
  • Speed and flexibility in service provisioning
• Risks of Shadow IT
  • Potential for sensitive data storage outside corporate controls
  • Bypassing of company policies and security measures
• Financial and Security Implications
  • Lower costs may evade spending reviews and approvals
  • Risk of losing control over sensitive data and processes
• Impact on Costs



Broad Network Access
• Essentiality of Network Access
  • Cloud services require network access, predominantly the Internet.
  • Private clouds may use corporate networks with secure remote access.
• Choosing Secure Protocols
  • Implement secure protocols to protect data in motion.
  • Prefer HTTPS and SFTP over unencrypted HTTP and FTP.
• Enhanced Security Measures
  • Identification and authentication are critical for public-facing services.
  • Use of MFA, VPNs, and zero trust architecture for improved security.



Multitenancy
• Shared Infrastructure Efficiency
  • Cloud Service Providers offer shared resources: memory, computing power, storage.
  • Virtualization gives the illusion of single tenancy within a multitenant environment.
• Data Privacy and Security
  • Each tenant's data should remain private and secure, akin to personal belongings in an apartment.
  • Potential risks include incorrect access settings and virtualization software flaws.
• Tenant Responsibilities
  • Tenants must ensure data integrity and confidentiality.
  • Comparable to securing an apartment door to prevent theft.
• Impact of Shared Actions
  • Actions by CSP or other tenants can temporarily block data access.
• Disaster Recovery and Business Continuity



Rapid Elasticity and Scalability
• Adaptable Infrastructure
  • Cloud services adjust to customer demand
  • Supports pay-as-you-go model, avoiding wasted resources
• Challenges for CSPs
  • Must maintain excess capacity without incurring high costs
  • Poor estimation can lead to customer dissatisfaction
• Cost Sharing Model
  • Customers share the cost of excess capacity
  • Enables cost savings during nonpeak seasons
• Banking Analogy
  • Similar to banks maintaining cash reserves
• Customer's Resource Management

Resource Pooling
• Core Concept: Resource Pooling
  • Shared IT resources among multiple customers
  • Enables self-service and elasticity in cloud computing
• Cybersecurity Challenges
  • Potential exposure of sensitive data due to shared hardware
  • Importance of data encryption and key management
• Benefits of Measured Service
  • Enables cost-effective resource usage tracking
  • Facilitates shift from CapEx to OpEx
• Transparency in IT Resource Consumption
  • Provides detailed metrics for capacity planning



1.1.4 Building Block Technologies



Virtualization
• Resource Sharing and Efficiency
  • Physical server resources shared among multiple virtual servers
  • Enables hosting multiple services like email and web servers on a single machine
• Cloud Computing Expansion
  • Virtualizes all aspects of an information system
  • Resources shared among services and customers, enhancing resource efficiency
• Geographic Distribution and Compliance
  • CSPs operate in multiple locations for workload distribution and regulatory compliance
  • High-speed connectivity for seamless service and data movement
• Security Concerns and Solutions
• Technological Aspects
• Evolution to Containers



Storage
• Storage Solutions in Cloud Computing
  • Essential for the functionality of cloud services.
  • Includes SANs and NAS for flexible, scalable storage.
• Storage Area Networks (SANs)
  • Secure storage across multiple locations.
  • Utilizes block-level storage for efficiency.
• Network-Attached Storage (NAS)
  • Provides file-level access using TCP/IP.
  • Supported by many operating systems.
• Responsibilities and Security
  • CSPs choose and secure storage technology.
  • Dealing with Data Remnants ➔ crypto-shredding



Networking & Database
• Networking in Cloud Computing
  • Internet as a backbone for public, community, and private clouds
  • IP-based network with low latency and high bandwidth
  • Security measures like encryption for data in motion
• Databases in the Cloud
  • Storage and organization of customer data
  • CSP-managed administration for databases
  • Various database types and big data applications
Orchestration
• Complexity in Modern Organizations
  • Mix of on-premises and multiple cloud services
  • Use of SaaS applications like Google Workspace, GitHub, Salesforce
• Role of Cloud Orchestration
  • Ensures data synchronization and process integration
  • Automates tasks for seamless cloud environment management
• Tools for Cloud Orchestration
  • IBM Cloud Orchestrator, Microsoft OMS, AWS CloudFormation
  • Multi-cloud tools like Kubernetes for various CSPs
• Reference Architectures
  • NIST's vendor-neutral, role-based model
  • IBM's layer-based Cloud Computing Reference Architecture (CCRA)



1.2 Describe Cloud Reference Architecture



1.2.1 Cloud Computing Activities
• Cloud Consumer
  • Procures and uses cloud services
  • Responsible for setup, configuration, and usage
  • Activities vary by service model (SaaS, PaaS, IaaS)
• Cloud Service Provider
  • Deploys and manages services
  • Constructs physical infrastructure
  • Ensures security and privacy
• Cloud Auditor
  • Independently evaluates cloud service controls
• Cloud Broker
• Cloud Carrier



1.2.2 Cloud Service Capabilities
• Service Models and Security
  • Three main models: SaaS, PaaS, and IaaS
  • Varied levels of service and control
  • Different shared security responsibilities
• Application Capabilities
  • Network access to applications
  • Customizable user interfaces
  • Integration with other tools
• Platform Capabilities
  • Tools for cloud-based development
  • Cost-effective development sandbox
• Infrastructure Capabilities



1.2.3 Cloud Service Categories
• Primary Cloud Service Models
  • SaaS: Software as a Service for end users
  • PaaS: Platform as a Service for developers
  • IaaS: Infrastructure as a Service for system administrators
• Shared Security Responsibility
  • Varies by service category and provider
  • Major CSPs outline responsibility models
• Service Model Usage
  • SaaS: Common tasks like Google Docs, Dropbox
  • PaaS: Development environment for custom applications
  • IaaS: Building and managing cloud infrastructure
• Consumer and Provider Responsibilities



2.1.4 Cloud Deployment Models
• Public Cloud
  • Accessible via the internet, subscription-based, third-party managed
  • Concerns over privacy, security, and vendor lock-in
• Private Cloud
  • Owned by a single company, customizable, more secure
  • Higher costs due to lack of shared infrastructure
• Community Cloud
  • Shared among organizations in the same industry
  • Restricted access, may facilitate data sharing
• Hybrid Cloud
  • Combines private and public clouds for flexibility
• Multi-cloud

Comparison of Cloud Deployment Models
Model             Ownership                Access                    Cost                 Security
Public Cloud      Third-party              Open to public            Subscription-based   Standard SLAs
Private Cloud     Single company           Company use only          Higher               Customizable controls
Community Cloud   Multiple organizations   Restricted to community   Varies               Shared interests
Hybrid Cloud      Combined                 Flexible                  Varies               Complex management
Multi-cloud       Multiple CSPs            Distributed system        Varies               Varies



2.1.5 Cloud Shared Considerations: Interoperability and Portability
• Interoperability: Key to Avoiding Vendor Lock-In
  • Enables communication and data sharing across platforms
  • Facilitates choices in cost, features, and vendor services
• Portability: Ensuring Seamless Service Migration
  • Refers to data and architecture portability
  • Crucial for multi-cloud strategies and cloud bursting scenarios
• Significance of Data Movement
  • Allows for efficient data transfer between cloud services
  • Prevents data loss and system unavailability during transfers
• Architecture Portability
  • Supports a wide range of devices and operating systems
  • Facilitates collaboration and data sharing among users



Reversibility and Availability
• Reversibility Challenges
  • Separation from portability
  • Concerns with moving applications in and out of CSPs
• Elements of Reversibility
  • Tools for data import/export
  • Standardized PaaS for easy replication
• System Operations Impact
  • Migration duration and system downtime
  • Potential for vendor lock-in
• Availability in Cloud Services
  • Essential for service reliability
• Elasticity and Scalability



Security and Privacy
• Cloud Security Complexities
  • Shared resources in CSPs offer both security and new challenges like multitenancy.
  • Attractive targets for attackers due to the fundamental architecture.
  • Regulations like GDPR add complexity to data and service portability.
• Data Ownership and Jurisdiction
  • Location of data can be a challenge with cloud computing.
  • Data owners retain responsibility for security, regardless of services used.
  • Law enforcement may face jurisdictional issues with data stored outside their area.
• Privacy and Third-Party Providers
  • Off-premises data handling introduces data protection challenges.
  • Privacy laws enforce rights of data subjects and define roles of data owners/processors.



Resiliency and Performance
• Understanding Cloud Resiliency
  • Capability to operate during adverse conditions via continuity and disaster recovery plans.
  • Multi-regional data storage for uninterrupted operations.
• Disaster Recovery in the Cloud
  • Cloud strategies enable operation post severe incidents like weather or terrorism.
  • Data and processes remain accessible with network connectivity.
• Redundancy and Recovery Strategies
  • Major CSPs use multiple regions and zones for redundancy.
  • Single CSP or multi-cloud strategies to ensure system availability.
• Performance Metrics
  • SLAs define performance, with CSPs ensuring capacity and redundancy.
  • Network availability and bandwidth are critical for performance.



Governance and Maintenance
• Cloud Governance Essentials
  • Policies, procedures, controls, and oversight for cloud solutions
  • Use of encryption, ACLs, and identity management
  • Cloud governance frameworks for multi-vendor services
• Maintenance and Versioning in Cloud
  • Responsibilities divided among CSPs and customers
  • Advantages of virtualization for easy maintenance
  • Snapshot creation for rollback support
• Update and Patch Management
  • Automated updates in SaaS/PaaS may be unnoticed
  • Customer control over IaaS updates and patches
  • SaaS centralizes control to prevent unlicensed software



Service Levels and Auditability
• Service Level Agreements (SLAs)
  • Define performance parameters of cloud solutions
  • Stricter requirements influence pricing
  • Options range from 24-hour to 4-hour support
• Customer and CSP Negotiations
  • Customers select from predefined SLAs or specify requirements
  • SLA customization may not be cost-effective for smaller entities
• Auditability of Cloud Solutions
  • Independent audits assure data protection
  • Third-party assessments provided to customers
  • Details covered in Chapter 6



Regulatory and Outsourcing
• Regulatory Compliance in CSPs
  • Implementation of policies and controls for meeting requirements
  • Payment Card Industry Data Security Standard (PCI DSS) as an example
• Types of Regulations
  • Governmental laws like HIPAA, GLBA, SOX, and GDPR
  • Contractual obligations such as SLAs and PCI DSS
  • Standards from ISO, NIST, and other organizations
• Outsourcing Considerations
  • Benefits and risks of reduced control in cloud computing
  • Security risks from international data sharing
  • Specialized CSP services for regulatory compliance



1.2.6 Impact of Related Technologies



Data Science
• Expansion and Application of Data Science
  • Combines scientific methods with data management
  • Essential for handling large volumes of network log data
• Machine Learning and Anomaly Detection
  • Trains models to monitor system behavior
  • Identifies unexpected patterns and novel threats
• Training Data Models
  • Crucial for developing accurate ML platforms
  • Requires high-quality datasets for reliability
• Data Storage Security Challenges
  • Data warehouses and lakes as big data solutions
  • Need for robust authentication due to sensitive data



Machine Learning
• Machine Learning in the Cloud
  • Enables solutions to learn and improve autonomously
  • Widely used for building ML models and recognition services
• Data Storage and Computing Power
  • Increased effectiveness with affordable data storage
  • Data lakes and warehouses hold vast amounts of data
• Security and Privacy Concerns
  • Need for tight control over data access in data lakes
  • Impact on individual privacy and potential discrimination
• Regulatory and Ethical Oversight
  • Governmental and NGO involvement to address ML concerns
  • EU GDPR Article 22 prohibits automated decision-making without human intervention



Artificial Intelligence
• AI's Human-like Capabilities
  • Strives for machines indistinguishable from humans
  • Handles unforeseen situations without preprogramming
• Impact on Workforce and Consumer Behavior
  • Potential job displacement in non-critical thinking roles
  • Risks of manipulation by unethical individuals
• Security and Privacy Concerns
  • AI's data aggregation and manipulation raise alarms
  • Shared concerns with ML on data mining and decision making
• AI in Security Solutions
  • Supplements human analysts in data-heavy tasks
• Future of AI in Intrusion Detection



Blockchain Technology and Applications
• Blockchain in Financial Systems
  • Records transactions within cloud computing frameworks.
  • Implemented by CSPs and IT service providers for data integrity.
• High-Integrity Data Storage
  • Utilized for applications requiring robust data integrity.
  • Potential for vendor lock-in issues similar to CSP usage.
• Security and Audit Evidence
  • Blockchain secures audit artifacts like access reviews.
  • Provides assurance of security control execution and functionality.



Internet of Things (IoT) Growth and Challenges
• Manufacturing Oversights
  • Lack of cybersecurity considerations in IoT device production.
  • Insufficient software development and security practices.
• Vulnerability to Cyber Attacks
  • Devices may become part of botnets, like the Mirai botnet.
  • Use of IoT features for surveillance purposes.
• Organizational Challenges
  • Low maturity in protecting IoT devices.
  • Devices are rarely monitored, increasing risk.
• Cloud Monitoring and Control
  • Centralized device management via cloud services.
  • Privacy and safety concerns with audio/visual feeds.



Containerization in Cloud Computing
• Containerization Overview
  • No hypervisor or guest OS, uses container runtime
  • Virtualization occurs higher in the stack, with quicker startup and fewer resources
• Advantages of Containers
  • Smaller image size and low overhead
  • Increased portability and multi-cloud deployment potential
• Deployment and Portability
  • Can be deployed across different CSPs
  • Runtime available for common OS and environments
• Security Concerns
  • Containers treated as privileged users
• Quantum Computing Threat



Edge Computing
• Availability and Reduced Failures
  • Edge devices operate independently, mitigating single points of failure.
  • Devices synchronize with centralized systems when available.
• Customization and Energy Savings
  • Building zones with different sun exposure can have tailored temperatures.
  • Potential for significant energy cost reductions.
• Bandwidth Consumption
  • On-device data processing minimizes bandwidth use.
  • Facilitates service extension to poorly connected areas.
• Security Challenges
  • IoT and edge devices may lack traditional security measures.
• Data Integrity Concerns



Confidential Computing
• Protecting Data in Use
  • Utilizes cryptography to secure data during processing in the cloud.
  • Prevents unauthorized access by malware or compromised applications.
• Trusted Execution Environment (TEE)
  • Decrypts data only for authorized program access.
  • Secure enclave with strict access controls.
• Benefits for Organizations
  • Enables cloud computing advantages while managing security risks.
  • Ensures data is readable only by authorized applications.
• Applications and Developments
  • Supports distributed workloads and edge computing.
  • Confidential Computing Consortium established for best practices.



DevSecOps Evolution
• Early Integration of Security Measures
  • Embedding security activities throughout the system lifecycle
  • Cost-effective and easier fixes with early detection
• DevSecOps vs. Traditional Security Teams
  • Hiring resources directly for specific tasks
  • Eliminating bottlenecks from separate security teams
• Compatibility with Modern Development Practices
  • DevOps and Agile development align with cloud computing
  • Ensuring security without compromising project timelines



1.3 Understand Security Concepts Relevant to Cloud Computing



1.3.1 Cryptography and Key Management
• Essential Cryptography for Cloud Security
  • Encryption protects data in transit and at rest
  • Integrity checks via hashing ensure data reliability
• Key Management Challenges
  • Complexities in multi-cloud strategies
  • Questions on key storage, generation, and management
• Key Management Service (KMS) Advantages
  • Separate key storage enhances data breach resilience
  • Compliance with data breach and privacy laws
• Choosing the Right KMS
  • Automation, monitoring, and policy enforcement considerations
  • Assessing features and prices for organizational fit
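Added example, not from the slides and not any vendor's KMS API: an in-memory stand-in for a key management service that keeps key-encryption keys (KEKs) apart from the stored ciphertext, applies envelope encryption with AES-256-GCM, and shows the crypto-shredding that the Storage slide names for dealing with data remnants: once the KEK is deleted, the retained ciphertext and wrapped data key are unrecoverable. The KMS type, its method names and the "tenant-a" key ID are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDestroyed is returned once a key-encryption key (KEK) has been shredded.
var ErrKeyDestroyed = errors.New("kms: key-encryption key destroyed or unknown")

// KMS is a hypothetical in-memory stand-in for a key management service holding KEKs.
type KMS map[string][]byte

// CreateKEK installs a random 256-bit key-encryption key under the given ID.
func (k KMS) CreateKEK(id string) { k[id] = mustRandom(32) }

// Shred deletes the KEK: all objects whose data key it wrapped are now unrecoverable.
func (k KMS) Shred(id string) { delete(k, id) }

// StoredObject is all the storage tier keeps; neither field is useful alone.
type StoredObject struct{ KEKID string; WrappedKey, Ciphertext []byte }

// Store applies envelope encryption: a fresh per-object data key encrypts the
// data, and the KEK wraps that data key for storage beside the ciphertext.
func (k KMS) Store(kekID string, data []byte) (*StoredObject, error) {
	kek, ok := k[kekID]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	dk := mustRandom(32)
	return &StoredObject{kekID, seal(kek, dk), seal(dk, data)}, nil
}

// Retrieve unwraps the data key and decrypts; after Shred it returns ErrKeyDestroyed.
func (k KMS) Retrieve(obj *StoredObject) ([]byte, error) {
	kek, ok := k[obj.KEKID]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	dk, err := open(kek, obj.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, obj.Ciphertext)
}

// mustRandom returns n cryptographically random bytes of key or nonce material.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 bytes, so failure is a bug
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal encrypts with AES-256-GCM and prepends the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on truncated input or any tampering.
func open(key, sealed []byte) ([]byte, error) {
	gcm := mustGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	kms := KMS{}
	kms.CreateKEK("tenant-a")
	obj, _ := kms.Store("tenant-a", []byte("constructed sample record"))
	pt, err := kms.Retrieve(obj)
	fmt.Printf("before shred: %q err=%v\n", pt, err)
	kms.Shred("tenant-a") // ciphertext and wrapped key remain, but are useless
	pt, err = kms.Retrieve(obj)
	fmt.Printf("after shred: %q err=%v\n", pt, err)
}
```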



Security Concepts Relevant to Cloud Computing
• Physical Access Control
  • Managed by Cloud Service Providers (CSPs)
  • Includes server and data center security
• User Access Management
  • Administrative policies for system access
  • Shared responsibility with CSPs for technical controls
• Privilege Access Control
  • Focus on privileged account management (PAM)
  • Stronger authentication and frequent reviews
• Service Access Control
  • CSP access to customer data for maintenance
• Data and Media Sanitization



Security Concepts Relevant to Cloud Computing
• Hypervisor Security
  • Hyper-V, VMware ESXi, Citrix XenServer as type I hypervisors
  • VM escape risks and security patch importance
• Container Security
  • Benefits of Docker, LXC, and multi-cloud strategies
  • Risks of misconfiguration and software bugs
• Ephemeral Computing
  • Definition and benefits in cloud computing
  • Security through proper configuration and data disposal
• Serverless Technology
  • On-demand computing capacity without traditional OS vulnerabilities
  • Importance of API call authentication



Common Threats and Security Hygiene
• Importance of Software Patching
  • Crucial for removing software flaws and vulnerabilities.
  • Traditional patching windows are becoming obsolete due to rapid exploitation risks.
• Cloud Environment Patching Responsibilities
  • SaaS patches managed by CSP; PaaS underlying software by CSP, custom software by customer.
  • IaaS underlying systems by CSP, all other systems and applications by customer.
• Baselining for Security Hygiene
  • Ensures new systems follow a known set of secure configuration attributes.
  • Infrastructure as code (IaC) helps maintain consistency and security in cloud deployments.
• Auditing Against Baselines
  • Tools available to alert on deviations from baselines.
  • Immutable architecture re-establishes baselines with each rebuild.
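Added example of the baseline audit the slide describes; it is not code from the slides or from any particular tool. A constructed baseline of secure configuration attributes (the kind an image or infrastructure-as-code template is expected to produce on every rebuild) is compared against a constructed "key = value" export from a deployed host, and every deviation is reported by kind so it can be alerted on. The attribute names, the export format and the sample values are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is one deviation of a deployed system from its secure baseline.
type Finding struct {
	Kind     string // "drift": value differs; "missing": attribute absent; "extra": not in baseline
	Key      string
	Expected string
	Observed string
}

func (f Finding) String() string {
	return fmt.Sprintf("%-8s %-28s expected=%q observed=%q", f.Kind, f.Key, f.Expected, f.Observed)
}

// ParseSnapshot reads a "key = value" configuration export (constructed format).
// Blank lines and '#' comments are ignored; a later duplicate key overrides an
// earlier one, matching the last-wins parsing most daemons use.
func ParseSnapshot(text string) map[string]string {
	out := map[string]string{}
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok {
			continue // malformed line: not a key/value pair
		}
		out[strings.TrimSpace(key)] = strings.TrimSpace(value)
	}
	return out
}

// Audit compares an observed configuration against the baseline and returns
// findings sorted by key so repeated runs produce stable, diffable output.
func Audit(baseline, observed map[string]string) []Finding {
	var findings []Finding
	for key, want := range baseline {
		got, present := observed[key]
		switch {
		case !present:
			findings = append(findings, Finding{"missing", key, want, ""})
		case got != want:
			findings = append(findings, Finding{"drift", key, want, got})
		}
	}
	for key, got := range observed {
		if _, inBaseline := baseline[key]; !inBaseline {
			findings = append(findings, Finding{"extra", key, "", got})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Key < findings[j].Key })
	return findings
}

// SecureBaseline is a constructed example of the attributes every rebuilt
// system is expected to carry (values and names are assumptions).
var SecureBaseline = map[string]string{
	"ssh.password_authentication": "no",
	"ssh.permit_root_login":       "no",
	"disk.encryption":             "enabled",
	"logging.remote_forwarding":   "enabled",
	"firewall.default_inbound":    "deny",
}

// SampleSnapshot is a constructed export from a host that has drifted.
const SampleSnapshot = `
# constructed host configuration export
ssh.password_authentication = yes
ssh.permit_root_login = no
disk.encryption = enabled
firewall.default_inbound = deny
debug.telemetry_endpoint = http://example.invalid/collect
`

func main() {
	for _, f := range Audit(SecureBaseline, ParseSnapshot(SampleSnapshot)) {
		fmt.Println(f)
	}
}
```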



1.4 Understand Design Principles of Secure Cloud Computing



Security Design Principles of Secure Cloud Computing
• Secure by Design Principle
  • Security integrated from the beginning of system design
  • Focus on data lifecycle phases with risks and controls
• Cloud Secure Data Lifecycle Phases
  • Creation and modification of content with encryption
  • Storage in appropriate repositories
  • Handling activities like viewing and processing
  • Exchange of data with confidentiality
  • Archiving with retention schedules
• Business Continuity and Disaster Recovery
  • Resiliency and Multi-region Planning
  • Business Impact and Cost-Benefit Analysis

Key Phases in Cloud Secure Data Lifecycle
Phase     Main Activity                    Controls
Create    Content creation/modification    Labeling, encryption
Store     Storing in data repositories     Storage location selection
Use       Viewing, processing data         Encryption, access controls
Share     Data exchange                    Encryption, access controls
Archive   Long-term storage                Retention schedules, encryption
Destroy   Permanent data destruction       Sanitization methods



Security Considerations for Different Cloud Categories
• Security in Cloud Services
  • SaaS: Most security handled by provider
  • PaaS: Infrastructure secured by provider, application security by developer
  • IaaS: Customer responsible for security above the hypervisor
• Customer's Role
  • Understand provider's security policies
  • Ensure secure data transfer and sharing
  • Implement access security measures

Security Responsibilities Across Cloud Models
Service Model   Provider Responsibility                               Customer Responsibility
SaaS            Infrastructure, OS, Application, Networking, Storage  Application-specific security, Access control
PaaS            Infrastructure, OS, Virtualization, Storage, Networking   Data, APIs, Applications, Middleware
IaaS            Virtualization, Computing, Storage, Networking        OS, Applications, Security above hypervisor
Cloud Design Patterns
• SANS Security Principles
  • Lightweight control framework for cloud security
  • Risk management with asset inventory and mitigation strategies
• Well-Architected Framework
  • Best practices for cloud infrastructure management
  • Security, reliability, and performance pillars
• Cloud Security Alliance Enterprise Architecture
  • IT resource architecture aligned to business needs
  • Focus on infrastructure protection services
• DevOps Security
  • Integration of security into development and operations
  • Shifting left to embed security earlier in the lifecycle



1.5 Evaluate Cloud Service Providers



Evaluate Cloud Service Providers
• Regulatory and Voluntary Standards
  • ISO/IEC standards and PCI DSS for cloud computing
  • FedRAMP audit for U.S. government CSPs
• ISO Standards for Cloud Security
  • ISO 27017 and 27018 extend guidance from ISO 27001 and 27002
  • Focus on ISMS and protection of PII in the cloud
• PCI DSS Requirements
  • 12 requirements designed to protect payment information
  • Adaptable to various computing environments
• Government Cloud Standards
• CSA STAR Registry
• System/Subsystem Product Certifications

Key Cloud Computing Compliance Standards
Standard    Focus Area           Controls
ISO 27017   Cloud Security       35 supplemental, 7 extended
ISO 27018   PII Protection       14 supplementary, 25 extended
PCI DSS     Payment Security     12 requirements
FedRAMP     Government Data      Risk-based controls
CSA STAR    Security Assurance   Self-assessment, Audit



Chapter Summary
• Cloud Computing Characteristics
  • Understanding the fundamental features and capabilities
• Service & Deployment Models
  • Exploring various cloud service and deployment options
• Role of Cloud Service Providers (CSP)
  • Examining the responsibilities and impact of CSPs
• Shared Security Model
  • Assessing the collaborative security approach between CSP and customers
• Protection of Cloud Services & Data
  • Ensuring adequate security measures for services and data
• Supporting & Emerging Technologies
  • Discussing current and future technologies enhancing cloud computing
Practice Questions



1. Alice is the CEO for a software company; she is considering migrating
the operation from the current on-premises legacy environment into the
cloud. Which cloud service model should she most likely consider for
her company’s purposes?
A. Platform as a service (PaaS)
B. Software as a service (SaaS)
C. Backup as a service (Baas)
D. Information as a service (IaaS)

THE END

SECURITY SOLUTIONS

