Cloud Computing Concepts & Definitions: CCSP Exam Guide, Exams of Computer Networks

A comprehensive overview of key cloud computing concepts and definitions, essential for understanding the ISC2 CCSP exam syllabus. It covers various aspects of cloud computing, including deployment models, service categories, capabilities types, and security risks. Particularly useful for individuals preparing for the ISC2 CCSP exam, offering a structured and detailed explanation of fundamental cloud computing principles.

Typology: Exams

2023/2024

Available from 11/14/2024

Uploaded by: expertee

ISC2 CCSP Exam 282 Questions and Answers - Latest Update 2024.

ISO/IEC 17788 - > ISO/IEC standard that provides an overview and vocabulary for cloud computing.

Application Capabilities Type - > Cloud capabilities type in which the cloud service customer can use the cloud service provider's applications.

Cloud Application Portability - > Ability to migrate an application from one cloud service to another cloud service.

Cloud Auditor - > Cloud service partner with the responsibility to conduct an audit of the provision and use of cloud services.

Cloud Capabilities Type - > Classification of the functionality provided by a cloud service to the cloud service customer, based on resources used. The cloud capabilities types are application capabilities type, infrastructure capabilities type and platform capabilities type.

Cloud Computing - > Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand. Examples of resources include servers, operating systems, networks, software, applications, and storage equipment.

Cloud Data Portability - > Data portability from one cloud service to another cloud service.

Cloud Deployment Model - > Way in which cloud computing can be organized based on the control and sharing of physical or virtual resources. The cloud deployment models include community cloud, hybrid cloud, private cloud and public cloud.

Cloud Service - > One or more capabilities offered via cloud computing, invoked using a defined interface.

Cloud Service Broker - > Cloud service partner that negotiates relationships between cloud service customers and cloud service providers.

Cloud Service Category - > Group of cloud services that possess some common set of qualities. A cloud service category can include capabilities from one or more cloud capabilities types.

Cloud Service Customer - > Party which is in a business relationship for the purpose of using cloud services. A business relationship does not necessarily imply financial agreements.

Cloud Service Customer Data - > Class of data objects under the control, by legal (i.e. copyright) or other reasons, of the cloud service customer that were input to the cloud service, or resulted from exercising the capabilities of the cloud service by or on behalf of the cloud service customer via the published interface of the cloud service. It may be that the cloud service contains or operates on data that is not cloud service customer data; this might be data made available by the cloud service providers, or obtained from another source, or it might be publicly available data. However, any output data produced by the actions of the cloud service customer using the capabilities of the cloud service on this data is likely to be cloud service customer data, following the general principles of copyright, unless there are specific provisions in the cloud service agreement to the contrary.

Cloud Service Derived Data - > Class of data objects under cloud service provider control that are derived as a result of interaction with the cloud service by the cloud service customer. Cloud service derived data includes log data containing records of who used the service, at what times, which functions, types of data involved and so on. It can also include information about the numbers of authorized users and their identities. It can also include any configuration or customization data, where the cloud service has such configuration and customization capabilities.

Data Storage as a Service (DSaaS) - > Cloud service category in which the capability provided to the cloud service customer is the provision and use of data storage and related capabilities. DSaaS can provide any of the three cloud capabilities types.

Hybrid Cloud - > Cloud deployment model using at least two different cloud deployment models.

Infrastructure as a Service (IaaS) - > Cloud service category in which the cloud capabilities type provided to the cloud service customer is an infrastructure capabilities type. The cloud service customer does not manage or control the underlying physical and virtual resources, but does have control over operating systems, storage, and deployed applications that use the physical and virtual resources. The cloud service customer may also have limited ability to control certain networking components (e.g., host firewalls).

Infrastructure Capabilities Type - > Cloud capabilities type in which the cloud service customer can provision and use processing, storage or networking resources.

Measured Service - > Metered delivery of cloud services such that usage can be monitored, controlled, reported and billed.

Multi-Tenancy - > Allocation of physical or virtual resources such that multiple tenants and their computations and data are isolated from and inaccessible to one another.

Network as a Service (NaaS) - > Cloud service category in which the capability provided to the cloud service customer is transport connectivity and related network capabilities. NaaS can provide any of the three cloud capabilities types.

On-Demand Self Service - > Feature where a cloud service customer can provision computing capabilities, as needed, automatically or with minimal interaction with the cloud service provider.

Platform as a Service (PaaS) - > Cloud service category in which the cloud capabilities type provided to the cloud service customer is a platform capabilities type.

Platform Capabilities Type - > Cloud capabilities type in which the cloud service customer can deploy, manage and run customer-created or customer-acquired applications using one or more programming languages and one or more execution environments supported by the cloud service provider.

Resource Pooling - > Aggregation of a cloud service provider's physical or virtual resources to serve one or more cloud service customers.

Public Cloud - > Cloud deployment model where cloud services are potentially available to any cloud service customer and resources are controlled by the cloud service provider.

Private Cloud - > Serves only one customer or organization.

Reversibility - > Process for cloud service customers to retrieve their cloud service customer data and application artefacts and for the cloud service provider to delete all cloud service customer data as well as contractually specified cloud service derived data after an agreed period.

Software as a Service (SaaS) - > Cloud service category in which the cloud capabilities type provided to the cloud service customer is an application capabilities type.

Tenant - > One or more cloud service users sharing access to a set of physical and virtual resources.

Broad Network Access - > Feature where the physical and virtual resources are available over a network and accessed through standard mechanisms that promote use by heterogeneous client platforms.

Rapid Elasticity & Scalability - > Feature where physical and virtual resources can be rapidly and elastically adjusted, in some cases automatically, to increase or decrease resources.

CSA Egregious Eleven (As of 2019) - > Eleven top threats to cloud computing:

  1. Data Breaches
  2. Misconfiguration and inadequate change control
  3. System vulnerabilities
  4. Account hijacking
  5. Malicious insiders
  6. APTs (Advanced Persistent Threats)
  7. Data loss
  8. Insufficient due diligence
  9. Abuse and nefarious use of cloud services
  10. DoS (Denial of Service)
  11. Shared technology vulnerabilities

On-Demand Self-Service - > Cloud services can be requested, provisioned, and put into use by the customer through automated means without the need to interact with a person.

Cloud Service Business Manager - > Oversees business and billing administration, purchases the cloud services, and requests audit reports as necessary.

Cloud Service Integrator - > Connects and integrates existing systems and services to the cloud.

Cloud Services Administrator - > Tests cloud services, monitors services, administers security of services, provides usage reports on cloud services, and addresses problem reports.

Cloud Service Operations Manager - > Prepares systems for the cloud, administers services, monitors services, provides audit data when requested or required, and manages inventory and assets.

Cloud Service Deployment Manager - > Gathers metrics on cloud services, manages deployment steps and processes, and defines the environment and processes.

Cloud Service Manager - > Delivers, provisions, and manages the cloud services.

Inter-Cloud Provider - > Responsible for peering with other cloud services and providers as well as overseeing and managing federations and federated services.

Cloud Service Developer - > Develops cloud components and services and performs the testing and validation of services.

Blockchain - > A digital ledger in which transactions made in cryptocurrency are recorded chronologically and publicly. This ledger is distributed and decentralized across many systems depending on the application (hundreds to millions), avoiding a single point of failure/compromise and verifying integrity.

Container - > A digital wrapper that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside a single unit. This can then be rapidly deployed throughout host environments without the need for specific server configurations or underlying OSes or hardware.

Quantum Computing - > Involves the use of quantum phenomena, such as the interactions between atoms or wave movements, to aid in computation. The most prominent use of this for cloud computing is cryptography. Quantum computing can break current PKI systems based on prime number factorization.

Type 1 Hypervisor (Bare Metal) - > VM manager installed directly onto the computer that manages access to the host hardware without going through a host OS. Harder to inject malicious code into than a type 2 hypervisor because it runs directly on the hardware.

Unstructured Data - > Data that does not exist in a fixed location/format and can include text documents, PDFs, voice messages, emails, pictures, and videos.

Structured Data - > Data that is typically numeric or categorical, can be organized and formatted in a way that is easy for computers to read, organize, and understand, and can be inserted into a database in a seamless fashion.

Network Segmentation - > The process of separating different parts of the network and/or restricting access to certain areas of the network. Can be done using physical separation methods or software/virtual separation methods.

SDLC: Analysis - > Requirements of the project are put into a project plan, which will outline specifications for the features and functionality of the software or application to be created. At the end of this phase there will be formal requirements and specifications ready.

What should be used to secure API communication? - > TLS (Transport Layer Security) should be used to secure API communications.

Dynamic Optimization - > The process in which cloud environments are constantly monitored and maintained to ensure that the resources are available when needed and that nodes share the load equally so that one node doesn't become overloaded.

Cloud Controls Matrix (CCM) - > Outlines a detailed approach for handling controls in a cloud environment. Developed and published by the Cloud Security Alliance (CSA).

Windows Server Update Service (WSUS) - > A tool that allows client machines to receive updates from local servers and gives administrators an opportunity to approve the updates before they get deployed.

Microsoft Deployment Toolkit (MDT) - > Collection of tools to help automate the deployment of Windows server and desktop operating systems.

ISO/IEC 27001 - > Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system. With the newest update, 27001:2013, it's now considered the gold standard in regard to the security of information systems and their data.

Common Criteria: Evaluation Assurance Levels (EAL) - >
  EAL 1: Functionally tested
  EAL 2: Structurally tested
  EAL 3: Methodically tested and checked
  EAL 4: Methodically designed, tested, and reviewed
  EAL 5: Semi-formally designed and tested
  EAL 6: Semi-formally verified design and tested
  EAL 7: Formally verified design and tested

Simple Object Access Protocol (SOAP) - > An XML-based communication protocol used for sending messages between applications via the Internet.

TLS Handshake and Record Protocols - >
  Handshake Protocol: The TLS connection between two parties is negotiated and established (SYN, SYN/ACK, ACK).
  Record Protocol: The actual secure communications method for transmitting data occurs.

Business Continuity/Disaster Recovery (BCDR) Plan Steps - >

  1. Define Scope
  2. Gather Requirements
  3. Analyze
  4. Assess Risk
  5. Design
  6. Implement
  7. Test
  8. Report
  9. Revise

Representational State Transfer (REST) - > A relatively simple and fast protocol for communicating JSON or XML data between web service applications and the operating system using HTTP. Created to guide the design and development of the architecture for the World Wide Web. Employed throughout the software industry and is a widely accepted set of guidelines for creating stateless, reliable web APIs. Allows for caching, which increases performance and scalability.

American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) - > Recommends that data centers have a moisture level of 40 - 60% relative humidity. Any more can cause condensation and damage systems, while any less can cause excess electrostatic discharge, damaging systems. Also recommends that data centers should have a temperature of between 64.4 and 80. degrees Fahrenheit.

PaaS Security - > Platform security is a responsibility for both the cloud service provider and the cloud customer.

Framing Risk - > The first stage of the risk management process. Refers to determining what risk and levels are to be evaluated.

Data Discovery - > Business intelligence operation and user-driven process to look for patterns or specific attributes within data.

Data Dispersion - > The concept that data can be distributed across many data centers in different geographical locations. This is a key benefit in cloud environments because it provides disaster recovery and natural avoidance of downtime due to natural disasters.

vSphere Update Manager (VUM) - > Utility which is built into VMware. Able to automate patching of both the vSphere hosts as well as the virtual machines running under them. Also provides a dashboard which gives administrators a glimpse into their patching status across the environment.

STRIDE Threat Model - > Derived from an acronym for the following six threat categories:

  1. Spoofing identity
  2. Tampering with data
  3. Repudiation
  4. Information disclosure
  5. Denial of service
  6. Elevation of privilege

DREAD Model - > Derived from an acronym for the following five vulnerability details:

  1. Damage Potential
  2. Reproducibility
  3. Exploitability
  4. Affected Users
  5. Discoverability

Uptime Institute Data Center Tiers/Topologies - >
  Tier I: Basic Capacity
  Tier II: Redundant Capacity Components
  Tier III: Concurrently Maintainable
  Tier IV: Fault Tolerance

NIST SP 800-145 Definition of Cloud Computing - > A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computer resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

OAuth - > Framework used for authorization. Enables a third-party application to obtain limited access to an HTTP service.

VMware ESXi - > Type 1 hypervisor used to create and manage virtual servers.

ISO/IEC 27050 - > Consists of six major components across the eDiscovery phase of a lawsuit, with an emphasis on the discovery of electronically stored information (ESI):

  1. Identification
  2. Preservation
  3. Collection
  4. Processing
  5. Review
  6. Analysis

ISO/IEC 27018 - > International standard for security and privacy in cloud computing. Five key principles are:

  1. Communication
  2. Consent
  3. Control
  4. Transparency
  5. Independent and Annual Audits

Dynamic Host Configuration Protocol (DHCP) - > Runs on a centralized server and is able to dynamically assign network configurations such as IP address, DNS server address, and other settings to systems on the network. This removes the need for administrators to go around to each computer and statically assign network information.

Capacity Management - > Concerned with having and providing the required system resources to meet SLA requirements of customers in a cost-effective and efficient manner. It's important to ensure that systems are not under-provisioned, leading to service and performance issues, but also not over-provisioned, leading to higher costs to the organization.

Generally Accepted Privacy Principles (GAPP) - > A set of principles determined jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). The ten principles are based on commonly accepted privacy standards for protecting personal information:

  1. Management
  2. Notice
  3. Choice and Consent
  4. Collection
  5. Use, retention, and disposal
  6. Access
  7. Disclosure to third parties
  8. Security for privacy
  9. Quality
  10. Monitoring and enforcement

Operational Level Agreements (OLA) - > Agreement between two units within the same organization on what tasks will be performed by the agreed-upon parties.

Runtime Application Self-Protection (RASP) - > Security mechanism that allows an application to protect itself by responding and reacting to ongoing events and threats in real time.

Open Web Application Security Project (OWASP) Top 10 - >

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities
  5. Broken Access Control
  6. Security Misconfigurations
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using components with known vulnerabilities
  10. Insufficient Logging and Monitoring

Evidence Management - > Maintaining the chain of custody in a forensics investigation.

Humanized AI - > Artificial intelligence that incorporates emotional intelligence, cognitive learning and responses, and also expands to include social intelligence.

Federated Identity Management - > Should be implemented whenever users outside the organization will need to authenticate and access data. Works by establishing trust between systems within the federation. Members of a federation can share authentication tokens, access shared authentication servers, or otherwise behave as though they're part of a unified security system.

Federation - > Set of base policies and technologies which allow systems to accept credentials without requiring an established user base to be present. This works by establishing policies and guidelines that each member of the federation must adhere to.

Public Key Infrastructure (PKI) - > System for creating public and private keys using a certificate authority (CA) and digital certificates for authentication. Data is encrypted with a symmetric key; this symmetric key is then encrypted with the receiver's public key. This ensures that only the receiver can decrypt the data.

Session Key - > A unique symmetric encryption key chosen for a single secure session in a specific timeframe. In the context of Kerberos authentication, a key issued to both the client and the server by the authentication service that uniquely identifies their session.

Kerberos - > An authentication system developed by MIT and used to verify the identity of networked users. Allows for mutual authentication between a client/user/service and a server/service. Key Distribution Center (KDC) = Authentication Server and Ticket Granting Server.

  1. Client sends access request to authentication server and gets a ticket granting ticket (TGT).
  2. Client sends TGT to Ticket Granting Server (TGS), and gets a service ticket.
  3. Service ticket is sent to the service, which then provides the client with a symmetric service session key.

Management Plane - > Allows cloud service providers to manage all the hosts from a centralized location instead of needing to log into each individual server to perform tasks. Typically hosted on its own dedicated server. Typically accessible through APIs and GUIs.

Homomorphic Encryption - > Allows users to manipulate encrypted data without taking it out of an encrypted state.

Whole Instance Encryption - > Encrypts an entire instance (virtualized snapshot of a desktop or server environment) at rest. Used with virtualized environments.

Data Obfuscation/Masking - > Hiding data with useless characters (i.e. *). Can also use nulls, randomization, and shuffling (different entries within the same data set are used to replace other data; not ideal because real data is still used, e.g. swapping the salaries associated with different employees).

Ephemeral Storage/Disks - > Storage used for VM instances. Used for VM booting and ceases to exist once their task is complete.

Raw Disk Storage - > Non-allocated disk space.

Persistent Disks - > Virtual block storage. Data is broken into different segments or "blocks." The blocks can then be distributed to multiple repositories.

Storage Bucket - > Object storage where data and metadata are stored as "objects." This data is kept in a single repository.

Data Labeling - > Applying tags to data to aid in searches and analytics. Can be predefined and then applied as data is created. Should meet the business needs of the organization (i.e. name, age, cost, location, structure, etc.).

Data Mapping - > Matching two datasets to one another. Involves identifying relationships and creating a path from one label to another. Transforms data to allow two datasets to interact.

A data leak is most likely to occur during which phase of the cloud data lifecycle? - > Use. Due to the nature of data being actively used, viewed, and processed in the use phase, it's more likely to be leaked in this phase than in others.

Artificial Intelligence (AI) - > The ability of devices to perform human-like analysis. Operates by consuming a large amount of data and recognizing patterns and trends in the data.

Payment Card Industry Data Security Standard (PCI DSS) - > InfoSec standard for organizations that handle branded credit cards from the major card schemes. The standard is mandated by the card brands but administered by the PCI Security Standards Council. Created to reduce credit card fraud.