From the course: ISC2 Certified Cloud Security Professional (CCSP) Cert Prep

Cloud shared considerations

- [Instructor] Welcome to this lesson on cloud shared considerations. In this lesson, there are four key learning objectives. The first one is some key terminology that we'll use to set the stage for future lessons. Next step, we'll talk a little bit about security and privacy, which are probably terms you're already familiar with, but we're going to dive a little bit into how they affect cloud specifically. Next step, we'll talk about some governance and compliance topics, and then finally, some service management. So getting into it, starting with terminology, the first term we're going to go over is interoperability. This is a system's ability to integrate and communicate with other diverse systems. So most modern applications today communicate using something called APIs, or application programming interfaces, and that's essentially an application's way of sending and receiving data from other systems. So the more interactive a system or an application is able to be with other applications, the more interoperable it is. Next step, we have portability, and this is the ability of a system or an application to be transferred, both between CSPs and even back and forth between the cloud and on-premises systems, without significant disruption to the application's ability to operate. Next up, we have reversibility, which is similar to portability, but very specifically focusing on the ability of an application or a system to move from the cloud back to on-premises without disruption. Next up, we have availability, which is a term you might already be familiar with, but in this case, the CCSP exam guide specifically wants you to understand availability as being a CSP's responsibility to ensure reliable access to infrastructure, which is typically outlined in something called a service level agreement, or an SLA.
Next up, we have resiliency, which, once again, is a common term, but in this case, you should specifically focus on it as being a CSP's ability to enable business continuity and disaster recovery, and this is especially capable with CSPs that have multiple regions and zones that are geographically dispersed, which maximize an organization's ability to create robust infrastructure. Next up is performance, and in most cases, major CSPs have pretty high performance because they have a lot of excess capacity and redundancy built into their systems. However, there are certain limitations, such as network issues, that influence this design, because ultimately there are many scenarios in which cloud customers are still traversing public infrastructure that is managed by major telecom companies and that is going to have a finite amount of bandwidth that you can send through those networks. Finally, we have maintenance and versioning, and this is the process of updating, patching, and managing the software versions of systems and software running inside the cloud environment. And the responsible party for updating the systems does vary based on the service. So thinking back to the shared responsibility model, in some cases, it's either the cloud service provider's or even the cloud service customer's responsibility to update and patch those software solutions. Moving on to security and privacy, once again, these are probably terms you're familiar with. Security is the protection against unauthorized access, and privacy is safeguarding users' personal data and information. However, specifically when it comes to the cloud, it's important to understand how to identify where your data is when using a CSP. CSPs make significant efforts to make their environment secure, but at the end of the day, the data security is always the customer's responsibility.
And complex cloud solutions also make the cloud much more susceptible to security issues such as misconfigurations, which is one of the common vulnerabilities that we see in the OWASP Top 10. When it comes to privacy, the involvement of third-party providers is always going to be complex. Some important terms that we'll go over throughout the course are going to be related to the GDPR regulation, which are terms like data owner, custodian, and subject, that are all going to be related to privacy. Okay, jumping into governance and compliance, these are some key terms that will be important to understand for the exam. The first one is that governance is specifically relating to the development and enforcement of policies, procedures, controls, and oversight of a cloud environment. Next up, we have regulation, or regulatory compliance, which is a requirement to adhere to both federal and contractual regulations. So you might be familiar with HIPAA, GLBA, or SOX requirements, all of which we will go over later in the course. But regulation also covers contractual requirements, where organizations are required to adhere to agreements that they have made with other organizations. Finally, we have auditability, and this is the concept of ensuring that a CSP meets security standards via external evaluations. So some common ones you might hear of are going to be SOC or FedRAMP. In fact, most major, if not all major, CSPs should have a SOC 3 report published for public consumption to ensure that the CSP itself is meeting certain requirements. Finally, we have service management, and the first term to go over in this category is going to be the service level agreement, or SLA, and this is referring to a contract between organizations where you establish a required performance metric of a solution or a service provided.
So ones that you might be familiar with hearing are going to be availability, so you might have a requirement of, let's say, 99% availability of a SaaS application, and in the event that this SLA requirement is not met, then either the service provider of that SaaS application would owe some damages to the organization that was impacted by that loss of availability, or in some cases, the customer of that service provider may be within their rights to terminate a contract. And then finally, we have the concept of outsourcing, which once again is not a term that's unique to the cloud, but in this case, we're talking about contracting with an external party to provide a system or service. However, there are certainly complications when it comes to compliance in the cloud, because there may be certain regulatory requirements that require that customer data is only handled within certain geographical locations, such as a country. So when it comes to outsourcing in the cloud, it's certainly important to consider the advantages and risks of outsourcing when developing business strategies. In this lesson, we talked about some key terminology that will be important for the CCSP exam. Following that, we talked about some additional terminology in the categories of security and privacy, governance and compliance, and finally, service management. Thanks for watching, I'll see you in the next lesson.