If you are able to access the cloud service and obtain access to your data anywhere in the world, so can others. The requirement for identification and authentication becomes more important in this public-facing environment. The security of accessing your cloud services over the Internet can be improved in a number of ways, including stronger passwords, multifactor authentication (MFA), virtual private networks (VPNs), etc. The increased security needs of a system available over the network, where security is shared between the CSP and the customer, make these additional steps more important.
One way to get the improved efficiencies of cloud computing is through the sharing of infrastructure. A server may have more than one company purchasing access to its resources. These resources are shared by the tenants. Like an apartment building, these tenants share resources and services but have their own dedicated space. Virtualization allows the appearance of single tenancy in a multitenancy situation. Each tenant's data remains private and secure in the same way that your belongings (data) in an apartment building remain secure and isolated from the belongings (data) of your neighbor.
However, as the building is shared, it is still the responsibility of each tenant to exercise care to maintain the integrity and confidentiality of their own data. If the door is left unsecured, a neighbor could easily enter and take your things. It is also necessary to consider the availability of the data as the actions of another tenant could make your data inaccessible for a time due to no fault of your own. In our example, if another tenant is involved in illegal activity, the entire building could be shut down. Or, if another tenant damaged the building, your access might be reduced or eliminated. A multitenancy environment increases the importance of disaster recovery (DR) and business continuity (BC) planning.
Rapid Elasticity and Scalability
In a traditional computing model, a company would need to buy the infrastructure needed for any future, potential, or anticipated growth. If they estimate poorly, they either will have a lot of excess capacity or will run out of room. Neither situation is optimal. In a cloud solution, the space needed grows and shrinks as necessary to support the customer. If there is a peak in usage or resource needs, the service grows with the needs. When the needs are gone, the resources used decrease. This supports a pay-as-you-go model, where a customer pays only for the resources needed and used.
For the CSP, this presents a challenge. The CSP must have the excess capacity to serve all their customers without having to incur the cost of the total possible resource usage. They must, in effect, estimate how much excess capacity they must have to serve all of their customers. If they estimate poorly, the customer will suffer and the CSP's customer base could decrease.
However, there is a cost to maintaining this excess capacity. The cost must be built into the cost model. In this way, all customers share in the cost of the CSP maintaining some level of excess capacity. In the banking world, a bank must keep cash reserves of a certain percentage so that it can meet the withdrawal needs of its customers. But if every customer wanted all of their money at the same time, the bank would run out of cash on hand. In the same way, if every customer's potential peak usage occurred at the same time, the CSP would run out of resources, and the customers would be constrained (and unhappy).
The customer must also take care in setting internal limits on resource use. The ease of expanding resource use can make it easy to consume more resources than are truly necessary. Rather than cleaning up and returning resources no longer needed, it is easy to just spin up more resources. If care is not taken to set limits, a customer can find themselves with a large and unnecessary bill for resources “used.”
In many ways, this is the core of cloud computing. Multiple customers share a set of resources including servers, storage, application services, etc. They do not each have to buy the infrastructure necessary to provide their IT needs. Instead, they share these resources with each other through the orchestration of the CSP. Everyone pays for what they need and use. The goal is that resources are used efficiently by the group of customers.
This resource pooling presents some challenges for the cybersecurity professional. When resources are pooled, it can lead to multitenancy. A competitor or a rival can be sharing the same physical hardware. If the system, especially the hypervisor, is compromised, sensitive data could be exposed.
Resource pooling also implies that resources are allocated and deallocated as needed. The inability to ensure data erasure can mean that remnants of sensitive files could exist on storage allocated to another user. This increases the importance of data encryption and key management.
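The following added example (not from the book) models the remanence problem just described and the encryption-based mitigation: one block of a constructed storage pool is written by tenant A, released without being wiped, and then handed to tenant B. Stored in plaintext, the remnant is readable by B; stored under a per-tenant AES-256-GCM key, the remnant is opaque, and once A's key is destroyed (crypto-shredding) even the leftover ciphertext cannot be decrypted. The record, the pool and the key-handling are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// aead builds AES-256-GCM for a 32-byte tenant key; neither call can fail for
// a valid AES key, so the errors are dropped for brevity.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Remanence models one block of a shared storage pool: tenant A writes a record,
// releases the block without it being wiped, and tenant B is allocated the same
// block. It reports whether B can read A's plaintext from the remnant and whether
// the remnant is still decryptable once A's key is destroyed (crypto-shredding).
func Remanence(encrypt bool) (leaked, recoverable bool) {
	secret := []byte("tenant-A: account 4111 balance 9000") // constructed record
	keyA := make([]byte, 32)
	rand.Read(keyA)
	block := make([]byte, 256) // the pooled block, never zeroed on release
	data := secret
	if encrypt {
		gcm := aead(keyA)
		nonce := make([]byte, gcm.NonceSize())
		rand.Read(nonce)
		data = gcm.Seal(nonce, nonce, secret, nil) // nonce||ciphertext
	}
	copy(block, data)
	for i := range keyA { // tenant A deallocates: key destroyed, bytes remain
		keyA[i] = 0
	}
	leaked = bytes.Contains(block, secret) // tenant B scans the remnant
	if !encrypt {
		return leaked, leaked
	}
	gcm := aead(keyA) // only the zeroed key survives; GCM rejects the tag
	n := gcm.NonceSize()
	_, err := gcm.Open(nil, block[:n], block[n:len(data)], nil)
	return leaked, err == nil
}
```

Calling Remanence(false) returns (true, true): the plaintext remnant is fully exposed. Calling Remanence(true) returns (false, false): the ciphertext reveals nothing, and with the key gone it can no longer be opened, which is why key management, not just encryption, decides whether deallocated storage is safe.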
Metering service usage allows a CSP to charge for the resources used. In a private cloud, this can allow an organization to charge each department based on their usage of the cloud. For a public cloud, it allows each customer to pay for the resources used or consumed. With a measured service, everyone pays their share of the costs.
The cloud is especially advantageous for organizations with peaks in their resource needs or cycles of usage. For example, a tax preparer uses more resources in the United States in the beginning of the year, peaking on April 15. Many industries have sales dates: Memorial Day, President's Day, Black Friday, Cyber Monday, Arbor Day, etc. Okay, maybe not Arbor Day. Resource needs peak at these times. A company can pay for the metered service for these peak times rather than maintaining the maximum resource level throughout the year. Maintaining the maximum resources in-house would be expensive and a waste of resources.
Building Block Technologies
These technologies are the elements that make cloud computing possible. Without virtualization, there would be no resource pooling. Advances in networking allow for ubiquitous access. Improvements in storage and databases allow remote virtual storage in a shared resource pool. Orchestration puts all the pieces together. The combination of these technologies allows better resource utilization and improves the cost structure of technology. Providing the same resources on-premise can also be accomplished by these technologies, but with lower resource utilization and at a higher cost in many situations. Where costs are not decreased by cloud computing, a case for on-premise resources can be made.
Virtualization allows the sharing of servers. Virtualization is not unique to cloud computing and can be used to share corporate resources among multiple processes and services. For example, a server can have VMware installed and run a mail server on one virtual machine (VM) and a web server on another VM, both using the same physical hardware. This is resource sharing.
Cloud computing takes this idea and expands it beyond what most companies are capable of doing. The CSP shares resources among a large number of services and customers (also called tenants). Each tenant has full use of their environment without knowledge of the other tenants. This increases the efficient use of the resources significantly.
In addition, a CSP may have multiple locations. This allows services and data to move seamlessly between locations, improving resource use by the CSP. Services and data can easily be in multiple locations, improving business continuity and fault tolerance. The CSP can use the ease with which virtualization allows the movement of data and services to take advantage of available space and excess capacity, wherever it may be located.