Leslie Fife - The Official (ISC)2 CCSP CBK Reference

This can create some security and compliance concerns, when data cannot move freely across borders or jurisdictional issues exist. These issues are best handled during contract negotiation. Another concern is if the hypervisor is compromised, as it controls all VMs on a machine. If the hypervisor is compromised, all data can be compromised. The security of the hypervisor is the responsibility of the CSP.

A variety of storage solutions allow cloud computing to work. Two of these are storage area networks (SANs) and network-attached storage (NAS). These and other advances in storage allow a CSP to offer flexible and scalable storage capabilities.

A SAN provides secure storage among multiple computers within a specific customer's domain. A SAN appears like a single disk to the customer, while the storage is spread across multiple locations. This is one type of shared storage that works across a network.

Another type of networked storage is the NAS. This network storage solution uses TCP/IP and allows file-level access. A NAS appears to the customer as a single file system. This is a solution that works well in a cloud computing environment.

The responsibility for choosing the storage technology lies with the CSP and will change over time as new technologies are introduced. These changes should be transparent to the customer. The CSP is responsible for the security of the shared storage resource.

Shared storage can create security challenges if file fragments remain on a disk after it has been deallocated from one customer and allocated to another. A customer has no way to securely wipe the drives in use, as the customer does not control the physical hardware. However, the use of crypto-shredding can make these fragments unusable if recovered.

As all resources in a cloud environment are accessed through the network, a robust, available network is an essential element. The Internet is the network used by public and community clouds, as well as many private clouds. This network has proven to be widely available with broad capabilities. The Internet has become ubiquitous in society, allowing for the expansion of cloud-based services.

An IP-based network is only part of what is needed for cloud computing. Low latency, high bandwidth, and relatively error-free transmissions make cloud computing possible. The use of public networks also creates some security concerns. If access to cloud resources is via a public network, like the Internet, the traffic can be intercepted. If transmitted in the clear, the data can be read. The use of encryption and secure transport keeps the data in motion secure and cloud computing safer.

Databases allow for the organization of customer data. By using a database in a cloud environment, the administration of the underlying database becomes the responsibility of the CSP. They become responsible for patching, tuning, and other database administrator services. The exception is IaaS, where the user is responsible for whatever database they install.

The other advantage of databases offered through a cloud service is the number of different database types and options that can be used together. While traditional relational databases are available, so are other types. By using traditional databases and other data storage tools as well as large amounts of data resources, data warehouses, data lakes, and other data storage strategies can be implemented.

Cloud orchestration is the use of technology to manage the cloud infrastructure. In a modern organization, there is a great deal of complexity. This has been called the multicloud. An organization may contract through the VMO with multiple SaaS services. In addition, they may have accounts with multiple CSPs, such as AWS, IBM Cloud Foundry, and Microsoft Azure. In addition, they may be using public, private, and community clouds.

This complexity could lead to data being out of sync, processes being broken, and the workforce unable to keep track of all the part. Like the conductor of an orchestra, cloud orchestration partners keep all of these pieces working together including data, processes, and application services. Orchestration is the glue that ties all of the pieces together through programming and automation. Orchestration is valuable whether an organization runs a single cloud environment or a multicloud environment.

This is more than simply automating a task here and a task there. However, automation is used by the cloud orchestration service to create one seemingly seamless organizational cloud environment. In addition to hiding much of the complexity of an organization's cloud environment, cloud orchestration can reduce costs, improve efficiency, and support the overall workforce.

The major CSPs provide orchestration tools. These include IBM Cloud Orchestrator, Microsoft's OMS Management Suite, Oracle Cloud Management Solutions, and AWS Cloud Formation. Like all such offerings, they vary considerably in the tools provided and the integration with other vendors' cloud offerings.

The purpose of a reference architecture (RA) is to allow a wide variety of cloud vendors and services to be interoperable. An RA creates a framework or mapping of cloud computing activities and cloud capabilities to allow the services of different vendors to be mapped and potentially work together more seamlessly. An example of this approach is the seven-layer Open Systems Interconnection (OSI) model of networking, which is used to discuss many networking protocols. As companies are engaging in a wide variety of cloud solutions from multiple vendors, interoperability is becoming more important, and the reference architecture helps make that more easily occur.

The National Institute of Standards and Technology (NIST) provides a cloud computing reference architecture in SP 500-292 as do other organizations. Some models, such as NIST are role based. Other RAs, such as the IBM conceptual reference model, are layer based. The NIST RA is intended to be vendor neutral and defines five roles: cloud consumer, cloud provider, cloud auditor, cloud broker, and cloud carrier.

Cloud computing activities in an RA depend on whether the RA is role based or layer based. As an example, the role-based NIST RA will be used to describe cloud computing activities. A similar description could be made for a layer-based model. In a role-based RA, cloud computing activities are the activities of each of the roles. The NIST model includes five roles, with the following types of activities:

Cloud consumer: The procurement and use of cloud services. This involves reviewing available services, requesting services, setting up accounts and executing contracts, and using the service. What the activities consist of depends on the cloud service model. For a SaaS consumer, the activities are typical end-user activities such as email, social networks, and collaboration tools. The activities with a PaaS customer center around development activities, business intelligence, and application deployment. IaaS customers focus on activities such as business continuity and disaster recovery, storage, and compute.

Cloud provider: The entity that makes a service available. These activities include service deployment, orchestration, and management as well as security and privacy.

Cloud auditor: An entity capable of independent examination and evaluation of cloud service controls. These activities are especially important for entities with contractual or regulatory compliance obligations. Audits are usually focused on compliance, security, or privacy.