Domain 2 Knowledge Recap

Video Transcription
A lot of the material we discussed in this module may seem like common sense. It really should. But it is very important that you understand the thought process, both during the exam and when dealing with the flurry of day-to-day work.
We started out looking at governance. This is the culture that corporate governance establishes, and it drives the risk tolerance of an organization and its stance on enterprise risk management.
Then we talked about tools of governance. Remember that contracts define the relationship between providers and customers, and those contracts are the primary tool for customers to extend governance to those cloud providers.
Audits and assessments play a complementary role to the contract, as do ongoing compliance reports.
Knowing that you have minimal room to negotiate public cloud provider contracts, you then need to consider methods to mitigate, transfer, accept or avoid the residual risks.
We then reviewed different cloud service models and cloud deployment models to understand how they each affect risk management, and concluded it is very similar to the shared responsibility model used in effective security management that we discussed in the very first module of this course.
We then took a detour and explored the CCM, CAIQ and STAR to see practical methods that the CSA provides you to aid in evaluating a provider, identifying controls you need based on adhering to the different regulations required by your company,
and that can ultimately be used to identify those gaps between the provider and yourself.
Finally, we reviewed the trade-offs and concluded that you need to spend more time managing the relationship with your cloud providers.
The cloud assessment process is a good starting point to establish structure around how you evaluate and then reevaluate the cloud providers.
So with that quick recap of this entire domain, let's have a few questions.
Question number one.
When dealing with the public cloud provider, what aspect most commonly impacts how you can manage risk?
Co-tenants wanna hack your space, economies of scale,
standard contracts that cannot be customized, and changes to external regulations. I'll give you a second.
So, co-tenants may wanna hack your space,
but that is not the most common aspect impacting your risk. Economies of scale, that's gonna actually help drive down prices, but again, it's not something that's impacting how you manage risk.
However, standard contracts that can't be customized: these are the boilerplate contracts, especially large providers want to have them in place so that they can control and have common operations for all the tenants.
That's an area that's going to impact how you manage risk, because you don't have the additional flexibility to put the onus on the cloud provider to mitigate certain risks that may be a concern for you but aren't taken into account in their common contract.
And then finally, changes to external regulations, something you need to be aware of.
But again, when it comes to public cloud providers, that is not the most common area of impact when it comes to risk management;
the regulations are going to change no matter what, but it's just not the most common impact. So, very important: you understand this question and the answer, because you're probably going to get this question or one very similar on the actual exam.
Moving along.
That's question number two.
What is a key consideration when evaluating private cloud governance?
The entity that owns and/or manages the private cloud, the hypervisor technology used, control plane authentication methods, or public cloud governance?
Well, the answer is A: the entity that owns or manages the private cloud is the key consideration you want to look at. If you own it and you manage it,
the considerations or the concerns of risk management aren't as much there. But if you are outsourcing it to a third party, you have to take care of really making sure that the contracts between yourself and the third party who is managing the private cloud (maybe they're just managing it, they don't own the equipment, but they are managing it)
are comprehensive and they allow for things. And if you don't remember some of the specifics, feel free to hop back to earlier videos in this module. The hypervisor technology used,
that really is not a major impact on private cloud governance. Control plane authentication methods, very important for security, but again, not governance and risk management. And finally, public cloud governance, that's not gonna have a huge impact on private cloud governance because
there's a lot of different factors, the biggest being it is a private cloud, so you are the only tenant in the cloud.
Moreover, you have more control and leeway on negotiating that contract with a third party, and certainly if it's internal, in house, you have a whole lot of leeway on that contract.
So that wraps it up for this module as a whole. I look forward to seeing you in the next module.