CCSP Domain 1 - Cloud Shared Considerations & Frameworks MindMap
Transcript
Introduction
Hey, I’m Rob Witcher from Destination Certification, and I’m here to help you pass the CCSP exam. We are going to go through a review of the major topics related to cloud shared considerations and frameworks in Domain 1. By the end of this video, you’ll have a better idea of how the concepts relate to one another, which should make your studies simpler.
This is the fourth of five videos for Domain 1. I have included links to the other MindMap videos in the description below. These MindMaps are a small part of our complete CCSP MasterClass.
Cloud Shared Considerations
Alright let’s start with the obvious: what the heck does cloud shared considerations mean? It’s in the exam outline so you need to know it for the exam. Cloud shared considerations are the aspects of cloud computing that involve shared responsibility and shared resources between the cloud service provider and the cloud customer. Put another way, this is important stuff you should be thinking about before you move something to the cloud.
Let me re-emphasize that–this is important stuff to think about before you start moving data and systems to the cloud. You definitely don’t want to start thinking about these things after you already have a bunch of stuff in the cloud.
You’ll understand what I mean shortly.
Cloud must be a business decision
Before we get into the specific considerations, it’s worth emphasizing that, ultimately, moving to the cloud needs to be a business decision, not just an IT decision. Moving to the cloud has big impacts on the business, so the business owner of a system or data set should be the one who decides whether or not it moves to the cloud. The business owner should be thinking about these cloud shared considerations as part of that decision. And if the final decision is to move to the cloud, the same considerations become the criteria for selecting the cloud service provider that will best meet the needs of the business.
All right, let’s finally dive into them!
Interoperability
Interoperability refers to the ability of two cloud systems to talk to one another–to exchange messages and information in a way that both can understand. You want high interoperability. You want to make sure that whatever cloud service you're looking at using will play nicely and talk to other cloud services that you might want to integrate it with.
Data Portability
Data portability is the ability to move data (files, documents, database tables, etc.) from one cloud system to another, and have that data usable in the other system. Again, you want high data portability. You want it to be easy to move data from one cloud service to another. Otherwise you risk vendor lock-in–being stuck in a cloud service and not being able to easily get your data out. You really don’t want vendor lock-in.
Application Portability
Application portability is the ability to move executable software from one cloud system to another, and be able to run it correctly in the destination system. You guessed it: you want high application portability. You want it to be easy to move your application from one cloud service to another. Otherwise, again, you risk vendor lock-in.
Reversibility
Reversibility is the ability of a cloud consumer to easily remove their applications or data from a cloud environment, and to have all traces of those applications and data securely removed by the provider per a predefined agreement. Put another way, reversibility is the ability of a customer to reverse the decision to move to the cloud: how easily can data or a system be brought back on premises (or moved to another provider) after it has been migrated, and can you get assurance that nothing is left behind? Cloud providers usually make it very easy for you to move to the cloud; they may not make it so easy to reverse that decision. You really want to look at this, including the provider’s data deletion commitments, before you move anything to the cloud.
Availability
The next few items I’ll breeze through, because they aren’t unique to the cloud and you are likely very familiar with them already.
Availability is focused on ensuring that data and systems are accessible when they are needed, so that the business can operate and make decisions. In the cloud this depends on the provider as well as on your own architecture, which is why it shows up again under SLAs.
Security
Security refers to the protection of systems, networks, and data from unauthorized access, attacks, damage, or theft–ensuring confidentiality, integrity, and availability, etc. We definitely need to consider the security of systems and data in the cloud!
Privacy
Privacy, in its everyday sense, is the state of being free from observation or interference by others. In the cloud context it is more specifically about how personal data is collected, used, stored, and shared, and who can see it. We need to ensure we are in compliance with the relevant privacy laws and regulations when using the cloud, which includes knowing in which jurisdictions the provider stores and processes the data. This is often a major consideration when deciding to move to the cloud, or not.
Resiliency
Resilience is the ability of cloud infrastructure to maintain its operations and availability in the face of unexpected events, such as hardware or software failures, cyber-attacks, or natural disasters.
Performance
Performance refers to the efficiency and speed at which cloud services and applications respond to user requests, manage resources, and handle workloads, typically measured by latency, throughput, scalability, and uptime.
Governance
Governance refers to the frameworks and processes that ensure effective management, control, and compliance of cloud resources and services, aligning with organizational goals and objectives and policies.
Service-Level Agreements (SLAs)
Service-level agreements (SLAs) are part of formal contracts between cloud consumers and providers that define the expected level of service, including uptime, performance metrics, and penalties if these service levels are not met.
Auditability
Auditability refers to the ability to track, log, and review cloud activities and processes to ensure compliance, security, and transparency, enabling detailed examination of actions for accountability and regulatory purposes. You need visibility to ensure you are in compliance with policies, laws, etc.
Regulatory
Regulatory refers to adherence to the industry-specific laws, guidelines, and standards that govern the use, storage, and protection of data within cloud environments, ensuring compliance with legal and security requirements. If you are moving to the cloud you need to make sure you remain in compliance with whatever laws and regulations apply to your organization, and that the provider supports the evidence you will need to prove it. This is often not easy to do, because many laws and regulations were not written with cloud in mind and say nothing about how their requirements map onto a shared, provider-operated environment.
Frameworks
All right, let’s now move on to the next big section: frameworks. Frameworks are super useful, as they provide a structured set of guidelines, best practices, and tools that form a foundation for developing and managing processes, systems, or software in a consistent, scalable, and efficient manner.
Provide comprehensive guidance
You can use frameworks to help guide you in establishing robust security at an organization, or in building a risk management function. Frameworks are essentially compendiums of best practices, written by experts. They are very useful in guiding the creation of new functions and practices within an organization, so you don’t have to invent everything from scratch.
You may also need to demonstrate compliance with certain frameworks.
Security Control Frameworks
All right, let’s dive into the first category of frameworks: General security frameworks.
ISO 27001
And there is only one framework that you need to know about in this category: ISO 27001. It is one of the most widely adopted security standards in the world. ISO 27001 specifies the requirements for an ISMS, an information security management system, and in its Annex A it lists the controls you should have in place for a well-run security program. It starts from the top with security governance and security policies, then moves down through HR onboarding, asset management, access control, cryptography, physical security, and network security, all the way to having a compliance function. It is important to remember that ISO 27001 defines the controls, and that an organization can be certified against ISO 27001. Remember that: cloud service providers, especially in Europe, get ISO 27001 certified as a way of demonstrating to their customers that they have good security controls in place.
ISO 27002
ISO 27002 is a companion document to 27001. 27002 provides implementation guidance for the controls listed in 27001, with lots of detail on how to put each control into practice. So, can an organization be certified against ISO 27002? No. It’s just a guidance document; certification is against 27001.
Cloud Security Control Frameworks
Next category: security control frameworks that are focused on the cloud.
CSA Cloud Controls Matrix (CCM)
The Cloud Controls Matrix, the CCM, is a cybersecurity control framework from the Cloud Security Alliance (CSA) that is specifically designed for cloud computing. It organizes controls into domains, maps them to other standards such as ISO 27001 and NIST, and is used both to guide cloud vendors in building their security programs and to help prospective cloud customers assess the overall security risk of a cloud service. The CSA’s STAR registry, where providers publish their self-assessments and audits, is built on the CCM.
ISO 27017
ISO 27017 is another companion document to ISO 27001. 27017 provides guidelines for information security controls applicable to the provision and use of cloud services. In other words, 27017 is mostly additional guidance on how to implement the 27001 controls in the cloud, for both the provider and the customer, plus a small number of cloud-specific controls, such as defining the shared roles and responsibilities between the two.
ISO 27018
ISO 27018 is different. 27018 defines new controls specifically focused on protecting personal data (PII) in public clouds, from the perspective of the cloud provider acting as a processor of that data on the customer’s behalf.
Cloud Design Patterns
The next category is cloud design patterns. These are reusable solutions to common challenges and architectural problems in cloud applications. Cloud design patterns provide best practices for achieving scalability, reliability, and security in cloud-based environments.
SANS security principles
The SANS security principles provide a set of guidelines that focus on protecting systems and data through core security practices like defense in depth, least privilege, and continuous monitoring, aiming to strengthen cybersecurity defenses.
Well-Architected Framework
The Well-Architected Framework, which both AWS and Microsoft Azure publish in their own versions, provides best practices for designing and running cloud workloads. It is organized around five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization (AWS has since added a sixth, sustainability). The security pillar is the one most relevant to us, as it covers identity, detection, infrastructure protection, data protection, and incident response.
CSA Enterprise Architecture
The CSA (Cloud Security Alliance) Enterprise Architecture outlines a framework to help secure cloud services, integrating key cloud security domains such as governance, compliance, data security, and risk management for enterprise-level cloud operations.
So, again, you can use these design patterns to help you design and implement better cloud solutions.
Risk Frameworks
Barreling on to the final category: risk frameworks. The risk frameworks can be used to provide a structured approach to identifying, assessing, and managing risks within cloud environments.
ISO 31000
ISO 31000 is an international standard for risk management that provides principles and guidelines for identifying, assessing, and managing risks across any organizational structure, including cloud environments.
ENISA
The ENISA–the European Union Agency for Cybersecurity–cloud security risk framework provides recommendations and guidelines for managing cloud-related risks in compliance with European cybersecurity regulations.
CSA
The Cloud Security Alliance (CSA) risk management guidance focuses on providing best practices, tools, and standards, most notably the Cloud Controls Matrix (CCM), to help organizations identify, assess, and manage cloud security risks.
NIST
The NIST (National Institute of Standards and Technology) Risk Management Framework (RMF), defined in NIST SP 800-37, is a lifecycle approach to managing risk and ensuring security in information systems, including cloud services. It walks through seven steps: prepare, categorize, select, implement, assess, authorize, and monitor.
Microsoft
Microsoft’s cloud risk management framework includes a set of tools, guidelines, and best practices integrated into the Azure Security Benchmark (now called the Microsoft cloud security benchmark) and the Azure Well-Architected Framework to help organizations identify and mitigate risks in cloud deployments.
That’s it for our overview of cloud shared considerations and frameworks within Domain 1, covering some of the key topics you need to know for the exam.
If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.
I will provide links to the other MindMap videos in the description below.
Thanks very much for watching! And all the best in your studies!