1.15 Cloud Computing Standards Roadmap Part 2

Video Transcription
All right, let's start with interoperability. So just like pieces of a jigsaw puzzle fit together, we wanna have devices, services, interfaces that fit together in any environment and not just a specific vendor's environment. Now don't get me wrong.
Vendors will disagree, and some vendors put out very proprietary equipment.
I will tell you that if you're going to be successful with proprietary equipment or processes or systems, you better put out a very, very good system
or be perceived to put out a very, very good system, right? But there's gotta be a real reason that makes me choose your proprietary system over one that will fit in. In part, my preference is standardization. Now vendor lock-in is when
I'm using the services of a cloud service provider
and that CSP stores my data, maybe in a proprietary format, so that when I need to migrate back from the cloud, or excuse me, to migrate to a different service provider, or for any number of reasons I want to remove my information, my files, my transactions, my whatever from the cloud,
it's in a proprietary format that can't be imported into another system easily. That's called vendor lock-in.
So the idea is, if I'll store your data, I'll store it only in such a way that you could use it with me again. The idea is, we'll keep people coming back to us for service. It usually works the opposite way. So vendor lock-in is when a vendor uses a proprietary format or interface
that locks in the customer to only doing business with that vendor.
That's a bad thing. We don't like that, generally. And then there's also something called vendor lock-out, and I would know that term as well. The idea is sort of a similar situation, but the vendor's gone out of business, so you can't get your information. They, you know,
just unexpectedly,
the service provider shuts their doors, puts a padlock out. They've got all your information, you're not able to retrieve it. Obviously, that's a bad thing as well. Well, we're done. Let's see, business continuity planning, those elements should make sure that you have a plan for just whatever should happen. But vendor lock-in,
proprietary; vendor lock-out, the vendor goes out of business;
both ways, you're kind of in trouble if you want to take your material somewhere else, right? We like interoperability,
and that goes with portability. You know, those two are very tightly related, because if your elements are portable, you can take them anywhere. That means they'll interoperate. I don't know if that's a word, but today that's a word: they will operate well together. So I'm gonna be able to take this format,
you know, a specific file format or an application type,
transaction type, whatever, and I want to be able to move it from one location, maybe under my management, under my cloud service provider, and want to be able to go to a different cloud service provider, you know, whatever it is. I want that portability, and portability is a direct result of interoperability.
Availability. Always important. Um, 99.9997%
uptime or seven nines, whatever. You'll hear different standards of availability, but we want a very high degree of uptime in most environments, and that's almost always specified in the service level agreement. So we need to know what our cloud service provider has committed.
I need to know the highlights of how they're gonna provide us with that degree of uptime, and we have to monitor and ensure that they're meeting the word of their service level agreement.
Security. That seems like a good topic, since this is a cloud certified security professional. So,
you know, this is the security professional piece of this exam. We've got to protect the confidentiality, integrity and availability of our information. And when it comes down to it, that's all we're trying to do anyway: we're trying to keep our data protected, we're trying to protect secrets, we're trying to make sure
that our information doesn't get modified, that it's available at the right times at the right place.
So ultimately, what it comes down to is you just don't know about security. You can't count on anything except as it appears in the service level agreement, and that's it. There are no guarantees.
Again, you can't assume that they're more secure than your environment. You have to research. You have to look at your security policy versus the cloud service provider's service level agreement and determine if they meet your needs. Once again, that needs to be monitored. We need to have that assurance, often through third-party audit,
that the cloud service provider is meeting their SLA.
Privacy. Privacy and security go pretty closely hand in hand. But when we're talking about privacy, we look at certain types of information as being private: identifying information, things like personal health care information, personal financial information.
Those generally fall under the category of
types of information that have to be kept private or whose privacy has to be protected.
So the European Union looks at privacy differently than here in the States. And I will tell you, from a testable perspective, I would not be surprised a couple of times for them to hint at the idea that in the States we don't have a lot of very strong privacy laws, not a lot of federal directives
that indicate the degree of privacy
that is required. You know, you may have some regulations, like HIPAA for health care, or Gramm-Leach-Bliley for banking. But even with payment cards, the payment card industry has the Data Security Standard, but that's not a law. That's simply
a set of requirements, because the credit card industry is self-governing.
So there isn't that specific set of laws applying just particularly to privacy in general. So, you know, certain states
may be more active with privacy laws. Certainly nations are much more aggressive, like Canada, the European Union, much more aggressive in protecting individuals' privacy than we are here in the States. So ultimately, there really is a difference between privacy and security.
If you look down at the bottom of the slide, this actually says privacy versus confidentiality, but
privacy versus security. So privacy is gonna indicate that, as the owner, I determine the right to how the information is disclosed, to what information is disclosed and how,
so it's up to me to determine who has access to my health care information and how that information can be shared.
The security element means that my health care provider that collects that information, they have to implement security to protect my privacy.
So security protects privacy. They go hand in hand, but they're not exactly the same, right? Privacy: this is mine, this is mine to disclose. Security: since it's yours to disclose, you will protect it.
All right, resilience. Resilience often goes with availability: high availability, high resilience. Resilience is a little bit more, because the idea with resilience is that it's the ability to withstand, you know, to take a licking and keep on ticking, as the old commercial used to say.
So, ultimately?
Yeah. You know, I never really realized how old I am until I find myself quoting some commercial from the 1980s, and I could just picture 85% of my students going, what is she talking about? What's Timex? What?
So anyway, that used to be their phrase to indicate they could have a large number, a lot of wear and tear, and still survive. And that's what resiliency is. So can we keep going? Do we have failover mechanisms in place? Sometimes files have the capability of self-healing,
seeking out their source and restoring a file from,
you know, its primary location. But being able to withstand, to a degree, a loss or some sort of disruption.
All right, performance. Performance always matters, right? So usually when we're talking about performance, we're talking about speed. How quick, how much, how fast data is transferred across a wire, how quickly a processor can process. What's the backlog
for the hard drive? Those might be ideas,
so we think about those in terms of the basic computing resources like, uh, you know, network bandwidth; usually compute would be processor, memory, storage, of course, could be permanent, could be temporary storage,
and then access to the data. How quickly can it be retrieved? How quickly can I locate
the correct amount of information? All that has to do with performance.
Governance. Really important.
And the governance of an organization is important for my organization, but also, of course, for the cloud service provider's organization as well. Governance is,
you know, the governing body provides oversight, provides a foundation, direction, support for the organization as a whole. So if we don't have strong governance, the organization's not gonna perform in a strong and steady fashion. So,
examples of governance: we might look at policies that exist. We might look at mission statements of the organization. We're gonna look at ideas like, um,
ah, you know, the resiliency of the organization, that's gonna call out, you know, how performance is addressed, how security is addressed, how resiliency, availability and others, how those are addressed. The how is usually done by management.
But the fact that they need to be addressed is by governance, if that makes sense. So governance for an organization
is going to outline what the organization is attempting to do to please their stakeholders.
Um, prioritize. Now, is performance a higher priority than security, or not, you know, vice versa? Those ideas are solved by governance. So you'd be looking at the board of directors. You'd be looking at senior leadership.
Everything flows downhill, right? So if we don't have senior leadership that understands the security function,
that has buy-in, that funds and provides resources for the security function, then we're not gonna have a secure organization.
So governance is important for our cloud service providers. It's important for us. It's in part important for managing relationships with third parties. What are we looking for from our service providers? What are the priorities? How do we select a service provider? How do we monitor, how often do we monitor,
what are the criteria that we're looking for?
And so governance
begins the process. You know, it satisfies what? What are we doing? Are we doing the right thing? Are we doing it right? Are we getting the value?
Those questions are answered by governance.
Management, these are the folks that figure out how. These are your department leaders, right? Your head of IT and down. We figure out how to get 99.9997% availability, or whatever the requirements are. Governance says what we do; management says, here's how.
How your cloud service provider is going to perform, what is that how? It's in their service level agreement.
Cannot stress enough: SLAs. If it's not in the SLA, you cannot take it for granted.
So whether you're concerned about the degree of performance or uptime or business continuity, disaster recovery requirements, or any aspect of your relationship with the cloud service provider and the service they provide, it should be in the SLA.
And again, this just continues a lot of the areas that are talked about in the standards roadmap, um,
should be specified in your SLA. That's what we're looking for.
Regulatory compliance. Always important. Making sure that we understand, this is from earlier: you cannot transfer liability.
You can transfer risk, which means I'm gonna share in the potential for loss.
But as the owner of the data, the custodian, I will always be legally liable. I cannot outsource that liability.
So even if the cloud service provider has a breach
and it's their breach, that doesn't mean we're off the hook, because it's still our data.
Auditability.
Gotta have that third-party assurance of the processes of the organization. Like I said, you know, with clouds you can't just walk up and say, hey, let me in. First of all, think about where would you even go to audit? You know, your services are in the cloud, but
that doesn't lessen the fact that we must have third-party audit. So, as I mentioned earlier, the STAR Registry,
Security, Trust and Assurance Registry, to examine the relationship between cloud service providers, service level agreements and their actual processes that are in place. You gotta have that audit.
All right, so those were the main categories covered by the Cloud Computing Standards Roadmap. Again, 70-some pages, worth a quick read. Sit down with a highlighter and kind of go through those areas, because a lot of the exam comes from this.
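As an added illustration of the lecture's point that an SLA availability commitment has to be monitored rather than assumed (this is example code, not part of the lecture or the standards roadmap): the script below turns an availability target into a downtime budget for a measurement window and checks constructed outage records against it. The 99.9997% figure is the one the lecture quotes; the window dates and outage timestamps are constructed sample values.

```python
"""Check a provider's achieved availability against an SLA target.

Added example, not from the lecture. Outage intervals are clipped to the
measurement window and overlapping outages are merged so a double-reported
incident is not counted twice.
"""
from datetime import datetime, timedelta


def permitted_downtime(target_pct: float, window: timedelta) -> timedelta:
    """Downtime budget implied by an availability percentage over a window."""
    return window * (1 - target_pct / 100.0)


def achieved_availability(window_start: datetime, window_end: datetime,
                          outages: list[tuple[datetime, datetime]]) -> float:
    """Percentage of the window during which no outage was in progress."""
    clipped = []
    for start, end in outages:
        start, end = max(start, window_start), min(end, window_end)
        if end > start:  # drop outages entirely outside the window
            clipped.append((start, end))
    clipped.sort()
    merged: list[tuple[datetime, datetime]] = []
    for start, end in clipped:
        if merged and start <= merged[-1][1]:  # overlaps the previous outage
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    down = sum((end - start for start, end in merged), timedelta())
    return 100.0 * (1 - down / (window_end - window_start))


def sla_met(target_pct: float, window_start: datetime, window_end: datetime,
            outages: list[tuple[datetime, datetime]]) -> bool:
    """True when the achieved availability reaches the committed target."""
    return achieved_availability(window_start, window_end, outages) >= target_pct


# Constructed sample: a 30-day window with three provider outage reports,
# the first two of which overlap (a 20-minute incident reported twice).
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = WINDOW_START + timedelta(days=30)
SAMPLE_OUTAGES = [
    (datetime(2024, 1, 5, 10, 0), datetime(2024, 1, 5, 10, 12)),
    (datetime(2024, 1, 5, 10, 10), datetime(2024, 1, 5, 10, 20)),
    (datetime(2024, 1, 20, 3, 0), datetime(2024, 1, 20, 3, 5)),
]

if __name__ == "__main__":
    budget = permitted_downtime(99.9997, WINDOW_END - WINDOW_START)
    print(f"budget {budget.total_seconds():.3f}s, achieved "
          f"{achieved_availability(WINDOW_START, WINDOW_END, SAMPLE_OUTAGES):.4f}%, "
          f"met: {sla_met(99.9997, WINDOW_START, WINDOW_END, SAMPLE_OUTAGES)}")
```

Twenty-five minutes of outage in the sample window gives about 99.942%, which meets a three-nines commitment but falls far short of the 99.9997% budget of under eight seconds per month.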
Certified Cloud Security Professional (CCSP)

This Certified Cloud Security Professional (CCSP) certification course covers topics across six domains, to ensure the candidate has a wide range of competencies and is capable in the assessment and implementation of cloud service solutions.