BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
The cloud is typically associated with three key characteristics: scalability, simplicity and elasticity. In this video, expert Adam Gordon, author of The Official (ISC)2 Guide to the CCSP CBK, Second Edition, explains the importance of building cloud services with a fourth characteristic in mind -- security. Service providers need to ensure that a robust cloud computing security architecture remains at the center of everything they do.
The following is a full transcript of Adam Gordon's video.
CCSP® is a registered mark of (ISC)²
Transcript - Time to get real about cloud computing security architecture
Hello and welcome to the Architectural Concepts and Design Requirements Domain of the CCSP. In domain one, we'll be discussing the various things and features that make up the cloud overall in trying to go through and better understand the overarching concepts that allow us to engage cloud computing but also talk about securities and overlay within the cloud. If you look on the screen in front of you, the domain objectives are discussed, and you'll see them. Defining the various roles, characteristics, and technologies as they relate to cloud computing concepts, be one of the first things that we engaged in doing. Describe in cloud computing concepts as it relates to cloud computing activities, capabilities, categories, models, and cross-cutting aspects. As well, we'll identify the design principles necessary for cloud computing security architecture.
We'll take a look at defining the various design principles, the different types of cloud categories. We'll talk about describing those design principles that make up secured cloud computing. We'll identify criteria specific to national, international, and industry-related verticals for certifying trusted cloud services. We'll identify criteria specified for the system and subsystem product certifications around cloud computing. Within the domain itself, those are the overall objectives, the agenda for the domain specifically is made up of five modules, you'll see them on the screen.
Understanding cloud computing concepts, describing cloud reference architectures, what are they, why are they important, how do we understand them. Understanding security concepts relevant to cloud computing, understanding design principles of cloud computing security architecture, and identifying trusted cloud services, these will be the five topical areas in the domain that we'll move through one after the other during our discussions.
Defining cloud computing
Let's begin by looking at how to understand cloud computing concepts, what they are at a high level and the language, if you will, that helps us to make up and understand how to have a discussion about the cloud. Within this module, we'll take a look at cloud computing definitions, cloud computing roles, the key cloud computing characteristics, and the building block technologies that allow us to discuss and talk about the cloud. We'll begin with an introduction. The idea overall is really to set the tone, set the pace if you will, for our discussions of cloud computing.
You'll see that we've quoted the initial discussion or setup the initial discussion from an introductory perspective with a quote from NIST and NIST definition of cloud computing. The cloud computing, as you could see on the screen in front of you, cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources. Examples include the four things we traditionally look at and monitor, if you will, and could track of, networks, servers, storage, both applications and services and the compute resources to make them up. That could be rapidly provisioned to release with minimal management effort or service provider interaction.
Now, this definition frames the discussion for us from the perspective of cloud computing security architecture but also more broadly from a cloud computing perspective. Because what NIST has done in the initial setup of the definition of cloud computing with their document is to broadly layout for the cloud security professional, the cloud computing professional, the end-user customer of cloud services, the cloud service provider, and everybody in between the broad parameters of what cloud computing is made up of, the broad parameters of the supporting elements of cloud computing, and the broad parameters of the thought process required to understand how to engage cloud computing today.
You know, the NIST documentation on cloud computing is certainly well-known, hopefully well-known to you as a person that is either interested in cloud computing, to understand more while becoming a CCSP, perhaps a current either cloud service provider or cloud costumer, or perhaps one or the other and both within a private enterprise today, if you work with NIST in a global enterprise solution or small and medium size business, and you are providing some form of cloud services to the enterprise and to customers within the enterprise, then the definitions of cloud computing that NIST provides and the building block elements we will begin to discuss about them, become very important because effectively they let us not only frame the discussion, but also have a common reference point and a common vocabulary that we can use as providers, as customers, and as industry professionals to discuss cloud computing.
You may work in a part of the world geographically where NIST and NIST-related documentation is very prevalent. North America, for instance, NIST is very well known. A lot of the NIST standards are often referenced in architecture and in the implementation guidance. You may be working in a part of the world where NIST is not so well-known, and that's perfectly fine as well. But I would encourage you as a consumer of cloud services, as an IT professional, ultimately somebody who may be looking to become a CCSP, to become more familiar with NIST not because it is the only option available for you in the cloud security and cloud services conversation, but because it is a fairly straightforward one, it is a fairly standardized one, and one that is, for the most part, recognized worldwide as being a good beginning point on your journey to understanding things like the definitional criteria and the requirements that help us to understand or to have the cloud conversation both from a provider as well as from a customer perspective.
If you have to go out and find the NIST documentation, you certainly can use any search engines today on the internet, but point yourself to nist.gov, be able to find that information on the NIST websites. NIST is a North American-centric organization, but you will be able to find freely available the documentation that NIST provides across a broad spectrum of areas not just related to cloud computing, and we will refer to various NIST documents throughout our discussions in the modules of the course, so it's definitely something for you to at least be aware of going into our discussions and also have general comfort with and knowledge of. So I encourage you to think about that and take a look at that as you're able to.
Understanding cloud requirements
The drivers for cloud computing. You'll see on the screen in front of you, we have three arrows. One representing elasticity, one representing simplicity, one representing expandability, and some different sub-bullet points under one or more of those. The ideas that these three areas, together, the idea of elasticity, the idea of simplicity, the idea of expandability are really the key underlying thought processes, the concepts, if you will, that help us to make up cloud computing today. Cloud computing is imminently scalable, right? So we can scale up as well as scaling out, and that idea of expandability from a scalability perspective becomes very important.
We talk about elasticity, being able to scale quickly upwards but also, if the necessary, pull back on that scalability so that way we are paying as we go, paying for what we use, if you will. But as a result of that on/off ability very quickly being able to spin up, if you will, demand when it is required for us to be able to use a lot of resources, we can quickly do so when it is not required because maybe we have a low-end activity or we're no longer necessarily spending a lot of money or need to spend a lot of money in order to be able to service a customer's need. We can spin down certain infrastructure in order to be able to better align our provider capabilities with our customer's demand, and the elasticity thought process helps us to do that.
Simplicity allows us, as you can see, to be able to control cost. We pay as we go. We pay for what we consume typically on in as needed basis, and when we pair that with elasticity and expandability, what we find is a model that allows the cloud customer to make a request for services, the cloud provider to be able to then broker that conversation and set up and provide those services almost, if not immediately, then certainly with a very little bit of time delay on demand. And as a result, customers get what they need. Providers are able to use infrastructure that they have brought online more efficiently, more effectively. Customer pays for what they are consuming, doesn't pay for additional infrastructure they may not need, and everybody ultimately is able to consume in their forthright way with an understanding of what their responsibilities, their requirements, but also their capabilities are within the cloud.
What we're not seeing on this particular slide in front of you and in this initial part of the conversation is where cloud computing security architecture comes in. Although we do mention risk reduction under simplicity, we're not seeing the security piece, so to speak, built into the conversation. It is there. We do need to think about it. It is a key driver, a key requirement around cloud computing. The ability to build this scalable platforms and consume on-demand is great but if we don't have an idea of how to do that securely, and we don't really think about that from a security perspective from the initial moments that we start to envision what cloud computing may be able to do for our enterprise, as customer also as an internal consumer and provider, we may actually, unfortunately, get to a point where we're consuming ahead of our ability to secure. And this becomes a very big risk for us in cloud computing, a very big liability for the enterprise, and it is incumbent on us, as the cloud security professionals, to really focus the conversation around cloud computing security architecture in that platform and our use of it from the very beginning of the dialogue.
When the initial discussions around computing are recurring in the business, we have to be thinking about from a cloud computing security architecture perspective what that may mean, what are the risks associated with cloud computing, what are the threats that potentially we may face, using a cloud security cloud computing platform. What are the vulnerabilities that cloud computing infrastructure may be subjected to? Are there denial of service attacks that may be launched? And the answer is, of course, yes, there are. Are there threats that maybe be coming either from an internal malicious bad actor? And the answer is yes, there maybe, if we're not careful about how we set up and control access and indicate both the logical as well as the physical controls that may be required to do so in a forthright way. We document them, we go through and we analyze these controls, making sure we understand what they are and we make sure we are auditing the application of those controls consistently within the enterprise and within the cloud space in particular.
All the things that we know and that we think of as a cloud security professional about what must happen to secure the platform are going to be relevant to any conversation about security. The initial discussions, in other words, about cloud computing security architecture should really be not that much different than the traditional security conversations we have in non-cloud environments. We have to think about defense in depth, we have to think about the ability to have auditability and traceability, we have to have good documentation, we have to have separation of duties and good documentation of role-based assignment of access.
Security is an enabler, not a barrier
So in other words a user that is assigned a contributor role versus a user that may be assigned a provider role of those roles we choose to define, what are the responsibilities associated with those roles, and what do they mean from our perspective as a security practitioner, a security professional that has to oversee the access in authentication control mechanisms for those roles? A lot of those conversations are very similar to what happens in the physical world outside of cloud infrastructure. But cloud brings its own unique challenges with it.
And so, as we look at drivers for cloud computing we have to also be thinking consistently about the driver that's not on this list, but is very important, which is the need to make sure we are securing the infrastructure and doing so in such a way that we allow for usability. We leverage, in other words, the great abilities that cloud computing brings to the table for customers which is the scalability, the ability to have elasticity, ubiquitousness, broad network access, and on-demand computing. All those things are very important, and security can be overlaid in and among and on the top of those requirements in order to ensure that we consume in the proper way.
But if we're not careful, as is the case in traditional discussions, cloud computing security architecture may get in the way of those things so we have to make sure we understand that it's not just about locking down a frontend access point or some sort of access control mechanism that needs to be applied. But what it has to be is a thought process that holistically apply to security throughout a life cycle of service provisioning, service consumption and, ultimately, service management. And if we do so in a way that's going to allow us to be able to focus, as a security professional, on that thought process we will have good cloud computing security architectures, good secure environments for our customers to consume in, and for our providers to provide value-add services through, but we will hopefully minimize and mitigate as many of the risks associated with cloud computing as possible.
You can never get rid of all of them, by the way. And just like in the physical world, we always try to strive for a zero-risk solution. We always try to mitigate and minimize as much risk as we can once those risks have been properly identified and properly validated. But there's always unknown risks in our discussion. We will talk significantly about those risks in various ways but there's always going to be an element of unknown risks and it's always going to be an element of risk that we're not able to 100% completely eradicate or mitigate or in any way minimize inside the infrastructure. So we are going to strive to make it as safe as possible for our consumers, our customers of cloud services if we are a cloud service provider.
Understanding customer needs
If we are a consumer, a customer of cloud services, we want to be able to consume as securely as possible. The cloud security professional is going to sit between those two audiences, if you will, or those two particular providers and customers and the thought process between and among them. We're going to broker that conversation, sit on the fence and really think about how to service both parties, both audiences, because the discussion about cloud computing security architecture from a provider perspective is going to be very different than the discussion about cloud computing security architecture from the consumer or customer perspective. Both have very valid and legitimate needs and concerns about security, but also both are going to have a different approach, a different advantage point or context around what security means for them, and blending those two together and providing the right level of guidance and direction around how to achieve the desired end results for security for both audiences is one of the key primary jobs that the cloud security professional has to engage in today.
So to begin our discussions, when we think about the drivers for cloud computing, please make sure you're thinking about that, please make sure you understand that, and most importantly, as we begin, let me challenge you with an assumption which is think about the ways in which if you are indeed involved in cloud security today, using cloud computing environments either as a customer or providing them as a provider or perhaps both, as I indicated maybe the case inside of an enterprise, if you are using private cloud services and providing them, think about the ways in which you approach cloud computing security architecture today. It could be something as simple as you deciding that you will or will not engage with a vendor that uses online services through the cloud to provide the appropriate interface for you to be able to check your account, if it's an online banking solution for instance or perhaps pay a bill if it's a utility company or a vendor of some sort that gives you an online interface to do so.
You may use an online ticketing system to submit information or make a request for services. You may book an airline ticket or perhaps a train ticket or a ticket on a cruise ship or something like that in the travel industry through an online interactive environment today whether it's through Expedia or whether it's through Kayak or whatever vendor you may be comfortable using. The idea is that as individual consumers, we all use cloud services probably on a very regular basis. Most of us may have smartphones and mobile devices that allow us to interact with the cloud as well. You'll think about how you, as an individual, share and consume cloud-based information today. Do you do so securely? What is your definition of cloud computing security architecture? And what is that bar for security in terms of a pain or risk threshold for you as an individual? Take that next step and then challenge yourself to think about what it is inside the business. How does the business consume cloud services? How does your enterprise be able to or how are they able to consume those cloud services? Are they able to do so securely? And if so, what is that threshold? What is that risk solution or that ability to manage risk look like?
These are the things we have to really be thinking about as cloud security professionals today. And as we think about drivers for cloud computing, I want you to start thinking about the security interactions that we have although they're not listed specifically here under the three drivers, they interact with or interwoven around, and are interspersed among every conversation we have in every one of these areas.