CCSP Domain 1 - Cost Benefit Analysis & Evaluation Criteria MindMap

Transcript

Introduction

Hey, I’m Rob Witcher from Destination Certification, and I’m here to help you pass the CCSP exam. In this video, we’ll be doing a review of the central topics in cost benefit analysis and evaluation criteria in Domain 1. It will help you in your studies by showing you how each of these topics interrelate.

Image of Cost Benefit Analysis & Evaluation Criteria table - Destination Certification

This is the fifth of five videos for Domain 1. I have included links to the other MindMap videos in the description below. These MindMaps are just a fraction of our complete CCSP MasterClass.

Cost Benefit Analysis

As I highlighted in the previous MindMap video, moving to the cloud is very much a business decision. We are now going to walk through a few cost-benefit analysis pieces that are important for the business to consider when deciding whether to move to the cloud.

Pay per usage

Pay-per-usage refers to the fact that cloud services follow a consumption-based pricing model, where users pay only for the resources they consume (for example, computing power, storage, network bandwidth, etc.). This can potentially offer consumers some nice cost efficiencies by eliminating the need for upfront investment in a lot of hardware and systems.

CapEx to OpEx

CapEx to OpEx highlights that moving to the cloud shifts capital expenditures (CapEx), like purchasing hardware and software, to operational expenditures (OpEx), which are ongoing expenses for using cloud services. This can improve cash flow management and flexibility. So, instead of organizations having to pay a bunch of money upfront–capital expenditures–and then amortize those costs over time, they can just pay for whatever cloud services they use each month–OpEx.

Depreciation

Depreciation: In traditional on-premise setups, hardware depreciates over time and must be replaced; cloud computing reduces the need for such capital investments, as cloud providers handle infrastructure upgrades. So, if an organization were to move everything to the public cloud, it wouldn’t have to think about depreciation at all anymore. Of course, if an organization builds its own in-house private cloud with its own hardware, then depreciation is still an important consideration.

Datacenter / utility costs

Next, datacenter and utility costs: Public cloud services eliminate the need for maintaining physical data centers, reducing costs for electricity, cooling, and space, as the cloud provider absorbs these instead. So again, move everything to the public cloud, and now an organization doesn’t have to pay tons of data center and utility costs. They’ll just have a hefty monthly bill from their cloud service provider.

Resource pooling

Resource pooling: Cloud providers take advantage of resource pooling, in which their customers share computing resources like storage and network capacity, reducing per-user costs and increasing efficiency. This can potentially make the core resources (compute, network, and storage) cheaper in the cloud.

Software licensing

Software licensing: Traditional software licensing often requires large upfront costs, whereas cloud-based software services typically follow a subscription model, allowing organizations to scale and pay for only what they need. Watch out, though, as software licensing costs in the cloud can be very different from licensing costs on-premise for the same software. I’ve worked with a few organizations that faced significantly higher licensing costs when they lifted and shifted a system into the cloud.

Personnel & operational costs

Personnel and operational costs: Moving to the cloud reduces the need for large in-house IT teams to manage infrastructure, as cloud providers handle maintenance, updates, and security. This can result in major reductions in personnel and operational costs for an organization. But watch out–it’s a terrible idea to fire all of your in-house subject matter experts if you move to the cloud. This is a problem that has existed with outsourcing for decades. If you outsource a bunch of stuff and then fire all your in-house staff, you lose all your organizational expertise, and you have no one left who can keep an eye on your service provider and challenge them–you have no one to ensure the service provider is providing good services at a reasonable price. So, an organization may end up paying more to their service provider for a lower level of service than they used to have in-house.

Shift in focus

The final one is a shift in focus. By moving to the cloud, companies can shift their focus from managing infrastructure to strategic business functions and innovation, potentially increasing productivity and growth. So, moving systems to the cloud and letting the cloud provider take care of those systems can allow an organization to focus more on its core business, which could be beneficial.

Evaluation Criteria

Alright, let’s now move on to evaluation criteria, which are independent objective evaluation systems for products.

Here’s how this works: a vendor will create a product, and then the vendor will pay an independent testing lab to evaluate their product using one of the evaluation criteria we will discuss in a moment. The independent lab will test the product, give it a rating, and produce a report that the vendor can then hand out to their customers. Customers are going to trust the rating in the report because it was provided by an independent testing lab, not the vendor.

Certification

There are two major steps involved with evaluation criteria. The first is certification, and the second is accreditation. We’ll start with certification, which is the comprehensive technical analysis of a solution or a product to ensure it meets our needs. In other words, the certification step is where the independent testing lab evaluates a product and gives it a rating.

Common Criteria

Let's start with the most commonly used evaluation criteria in the world, the aptly named: Common Criteria for Information Technology Security Evaluation. Everyone just calls it the Common Criteria. It can be used to evaluate all sorts of different devices.

EAL1 – EAL7

After a product has been evaluated, it will be given an evaluation assurance level rating–an EAL rating between 1 and 7. An EAL rating of 7 is the highest and indicates the most secure, and an EAL rating of 1 is the lowest.

FIPS 140-2

Now let’s talk about the other evaluation criteria you need to know about: FIPS - the Federal Information Processing Standard 140-3. Unlike the Common Criteria which can be used to evaluate anything, FIPS 140-3 is focused on evaluating cryptographic modules–like TPMs and HSMs–we’ll talk about them in the fifth MindMap of domain 4.

Levels 1 - 4

FIPS defines four levels. Level 1 is the lowest level and it imposes limited requirements. Components must only be "production-ready". Level 2 adds a requirement for physical tamper evidence and role-based authentication. Level 3 adds physical tamper resistance and identity-based authentication. Finally, level 4 adds robustness against environmental attacks.

Image of table that summarizes the four FIPS levels - Destination Certification

Here’s a table that nicely summarizes the four FIPS levels. Remember that the physical security requirements are Level 2 and above.

Accreditation

Now, the final important part of evaluation criteria: accreditation.

As I discussed, the whole point of evaluation criteria is to help an organization evaluate and compare different products and choose the best solution for their organization.

The final step in selecting a product is to get management’s approval and for them to sign off. This is accreditation–it’s official management signoff for a set period of time to purchase and deploy a product in the organization.

That’s it for our overview of cost benefit analysis and evaluation criteria within Domain 1. We’ve covered the essential topics you need to know for the exam.

If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.

I will provide links to the other MindMap videos in the description below.

Thanks very much for watching! And all the best in your studies!
