



































A comprehensive overview of key cloud computing concepts and definitions, essential for understanding the ISC2 CCSP exam syllabus. It covers various aspects of cloud computing, including deployment models, service categories, capabilities types, and security risks. Particularly useful for individuals preparing for the ISC2 CCSP exam, offering a structured and detailed explanation of fundamental cloud computing principles.
Typology: Exams




































ISO/IEC 17788 - > ISO/IEC standard that provides an overview and vocabulary for cloud computing.
Application Capabilities Type - > Cloud capabilities type in which the cloud service customer can use the cloud service provider's applications.
Cloud Application Portability - > Ability to migrate an application from one cloud service to another cloud service.
Cloud Auditor - > Cloud service partner with the responsibility to conduct an audit of the provision and use of cloud services.
Cloud Capabilities Type - > Classification of the functionality provided by a cloud service to the cloud service customer, based on resources used. The cloud capabilities types are application capabilities type, infrastructure capabilities type and platform capabilities type.
Cloud Computing - > Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand. Examples of resources include servers, operating systems, networks, software, applications, and storage equipment.
Cloud Data Portability - > Data portability from one cloud service to another cloud service.
Cloud Deployment Model - > Way in which cloud computing can be organized based on the control and sharing of physical or virtual resources. The cloud deployment models include community cloud, hybrid cloud, private cloud and public cloud.
Cloud Service - > One or more capabilities offered via cloud computing, invoked using a defined interface.
Cloud Service Broker - > Cloud service partner that negotiates relationships between cloud service customers and cloud service providers.
Cloud Service Category - > Group of cloud services that possess some common set of qualities. A cloud service category can include capabilities from one or more cloud capabilities types.
Cloud Service Customer - > Party which is in a business relationship for the purpose of using cloud services. A business relationship does not necessarily imply financial agreements.
Cloud Service Customer Data - > Class of data objects under the control, by legal (i.e. copyright) or other reasons, of the cloud service customer that were input to the cloud service, or resulted from exercising the capabilities of the cloud service by or on behalf of the cloud service customer via the published interface of the cloud service. It may be that the cloud service contains or operates on data that is not cloud service customer data; this might be data made available by the cloud service provider, or obtained from another source, or it might be publicly available data. However, any output data produced by the actions of the cloud service customer using the capabilities of the cloud service on this data is likely to be cloud service customer data, following the general principles of copyright, unless there are specific provisions in the cloud service agreement to the contrary.
Cloud Service Derived Data - > Class of data objects under cloud service provider control that are derived as a result of interaction with the cloud service by the cloud service customer. Cloud service derived data includes log data containing records of who used the service, at what times, which functions, types of data involved and so on. It can also include information about the numbers of authorized users and their identities. It can also include any configuration or customization data, where the cloud service has such configuration and customization capabilities.
Data Storage as a Service (DSaaS) - > Cloud service category in which the capability provided to the cloud service customer is the provision and use of data storage and related capabilities. DSaaS can provide any of the three cloud capabilities types.
Hybrid Cloud - > Cloud deployment model using at least two different cloud deployment models.
Infrastructure as a Service (IaaS) - > Cloud service category in which the cloud capabilities type provided to the cloud service customer is an infrastructure capabilities type. The cloud service customer does not manage or control the underlying physical and virtual resources, but does have control over operating systems, storage, and deployed applications that use the physical and virtual resources. The cloud service customer may also have limited ability to control certain networking components (e.g., host firewalls).
Infrastructure Capabilities Type - > Cloud capabilities type in which the cloud service customer can provision and use processing, storage or networking resources.
Measured Service - > Metered delivery of cloud services such that usage can be monitored, controlled, reported and billed.
Multi-Tenancy - > Allocation of physical or virtual resources such that multiple tenants and their computations and data are isolated from and inaccessible to one another.
Network as a Service (NaaS) - > Cloud service category in which the capability provided to the cloud service customer is transport connectivity and related network capabilities. NaaS can provide any of the three cloud capabilities types.
On-Demand Self Service - > Feature where a cloud service customer can provision computing capabilities, as needed, automatically or with minimal interaction with the cloud service provider.
Platform as a Service (PaaS) - > Cloud service category in which the cloud capabilities type provided to the cloud service customer is a platform capabilities type.
Platform Capabilities Type - > Cloud capabilities type in which the cloud service customer can deploy, manage and run customer-created or customer-acquired applications using one or more programming languages and one or more execution environments supported by the cloud service provider.
Resource Pooling - > Aggregation of a cloud service provider's physical or virtual resources to serve one or more cloud service customers.
Public Cloud - > Cloud deployment model where cloud services are potentially available to any cloud service customer and resources are controlled by the cloud service provider.
Private Cloud - > Serves only one customer or organization.
Reversibility - > Process for cloud service customers to retrieve their cloud service customer data and application artefacts, and for the cloud service provider to delete all cloud service customer data as well as contractually specified cloud service derived data after an agreed period.
Software as a Service (SaaS) - > Cloud service category in which the cloud capabilities type provided to the cloud service customer is an application capabilities type.
Tenant - > One or more cloud service users sharing access to a set of physical and virtual resources.
Broad Network Access - > Feature where the physical and virtual resources are available over a network and accessed through standard mechanisms that promote use by heterogeneous client platforms.
Rapid Elasticity & Scalability - > Feature where physical and virtual resources can be rapidly and elastically adjusted, in some cases automatically, to increase or decrease resources.
CSA Egregious Eleven (as of 2019) - > Eleven top threats to cloud computing.
On-Demand Self-Service - > Cloud services can be requested, provisioned, and put into use by the customer through automated means without the need to interact with a person.
Cloud Service Business Manager - > Oversees business and billing administration, purchases the cloud services, and requests audit reports as necessary.
Cloud Service Integrator - > Connects and integrates existing systems and services to the cloud.
Cloud Services Administrator - > Tests cloud services, monitors services, administers security of services, provides usage reports on cloud services, and addresses problem reports.
Cloud Service Operations Manager - > Prepares systems for the cloud, administers services, monitors services, provides audit data when requested or required, and manages inventory and assets.
Cloud Service Deployment Manager - > Gathers metrics on cloud services, manages deployment steps and processes, and defines the environment and processes.
Cloud Service Manager - > Delivers, provisions, and manages the cloud services.
Inter-Cloud Provider - > Responsible for peering with other cloud services and providers, as well as overseeing and managing federations and federated services.
Cloud Service Developer - > Develops cloud components and services and performs the testing and validation of services.
Blockchain - > A digital ledger in which transactions made in cryptocurrency are recorded chronologically and publicly. This ledger is distributed and decentralized across many systems depending on the application (hundreds to millions), avoiding a single point of failure/compromise and verifying integrity.
Container - > A digital wrapper that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside a single unit. This can then be rapidly deployed throughout host environments without the need for specific server configurations or underlying OSes or hardware.
Quantum Computing - > Involves the use of quantum phenomena, such as the interactions between atoms or wave movements, to aid in computation. The most prominent use of this for cloud computing is cryptography. Quantum computing can break current PKI systems based on prime number factorization.
Type 1 Hypervisor (Bare Metal) - > VM manager installed directly onto the computer that manages access to the host hardware without going through a host OS. Harder to inject malicious code into than a type 2 hypervisor because it runs directly on the hardware.
Unstructured Data - > Data that does not exist in a fixed location/format and can include text documents, PDFs, voice messages, emails, pictures, and videos.
Structured Data - > Data that is typically numeric or categorical, can be organized and formatted in a way that is easy for computers to read, organize, and understand, and can be inserted into a database in a seamless fashion.
Network Segmentation - > The process of separating different parts of the network and/or restricting access to certain areas of the network. Can be done using physical separation methods or software/virtual separation methods.
SDLC: Analysis - > Requirements of the project are put into a project plan, which will outline specifications for the features and functionality of the software or application to be created. At the end of this phase there will be formal requirements and specifications ready.
What should be used to secure API communication? - > TLS (Transport Layer Security) should be used to secure API communications.
Dynamic Optimization - > The process in which cloud environments are constantly monitored and maintained to ensure that the resources are available when needed and that nodes share the load equally so that one node doesn't become overloaded.
Cloud Controls Matrix (CCM) - > Outlines a detailed approach for handling controls in a cloud environment. Developed and published by the Cloud Security Alliance (CSA).
Windows Server Update Services (WSUS) - > A tool that allows client machines to receive updates from local servers and gives administrators an opportunity to approve the updates before they get deployed.
Microsoft Deployment Toolkit (MDT) - > Collection of tools to help automate the deployment of Windows server and desktop operating systems.
ISO/IEC 27001 - > Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system. With the newest update, 27001:2013, it's now considered the gold standard in regard to the security of information systems and their data.
Common Criteria: Evaluation Assurance Levels (EAL) - >
    EAL 1: Functionally tested
    EAL 2: Structurally tested
    EAL 3: Methodically tested and checked
    EAL 4: Methodically designed, tested, and reviewed
    EAL 5: Semi-formally designed and tested
    EAL 6: Semi-formally verified design and tested
    EAL 7: Formally verified design and tested
Simple Object Access Protocol (SOAP) - > An XML-based communication protocol used for sending messages between applications via the Internet.
TLS Handshake and Record Protocols - >
    Handshake Protocol: The TLS connection between two parties is negotiated and established (SYN, SYN/ACK, ACK).
    Record Protocol: The actual secure communications method for transmitting data occurs.
Business Continuity/Disaster Recovery (BCDR) Plan Steps - > 1. Define Scope
Data Discovery - > Business intelligence operation and user-driven process to look for patterns or specific attributes within data.
Data Dispersion - > The concept that data can be distributed across many data centers in different geographical locations. This is a key benefit in cloud environments because it provides disaster recovery and natural avoidance of downtime due to natural disasters.
vSphere Update Manager (VUM) - > Utility which is built into VMware. Able to automate patching of both the vSphere hosts and the virtual machines running under them. Also provides a dashboard which gives administrators a glimpse into their patching status across the environment.
STRIDE Threat Model - > Derived from an acronym for the following six threat categories:
NIST SP 800-145 Definition of Cloud Computing - > A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
OAuth - > Framework used for authorization. Enables a third-party application to obtain limited access to an HTTP service.
VMware ESXi - > Type 1 hypervisor used to create and manage virtual servers.
ISO/IEC 27050 - > Consists of six major components across the eDiscovery phase of a lawsuit, with an emphasis on the discovery of electronically stored information (ESI).
Public Key Infrastructure (PKI) - > System for creating public and private keys using a certificate authority (CA) and digital certificates for authentication. Data is encrypted with a symmetric key; this symmetric key is then encrypted with the receiver's public key. This ensures that only the receiver can decrypt the data.
Session Key - > A unique symmetric encryption key chosen for a single secure session in a specific timeframe. In the context of Kerberos authentication, a key issued to both the client and the server by the authentication service that uniquely identifies their session.
Kerberos - > An authentication system developed by MIT and used to verify the identity of networked users. Allows for mutual authentication between a client/user/service and a server/service. Key Distribution Center (KDC) = Authentication Server and Ticket Granting Server.
Data Obfuscation/Masking - > Hiding data with useless characters (e.g. *). Can also use nulls, randomization, and shuffling (different entries within the same data set are used to replace other data, e.g. changing up the salaries associated with different employees; not ideal because real data is still used).
Ephemeral Storage/Disks - > Storage used for VM instances. Used for VM booting and ceases to exist once its task is complete.
Raw Disk Storage - > Non-allocated disk space.
Persistent Disks - > Virtual block storage. Data is broken into different segments or "blocks." The blocks can then be distributed to multiple repositories.
Storage Bucket - > Object storage where data and metadata are stored as "objects." This data is kept in a single repository.
Data Labeling - > Applying tags to data to aid in searches and analytics. Can be predefined and then applied as data is created. Should meet the business needs of the organization (e.g. name, age, cost, location, structure, etc.).
Data Mapping - > Matching two datasets to one another. Involves identifying relationships and creating a path from one label to another. Transforms data to allow two datasets to interact.
A data leak is most likely to occur during which phase of the cloud data lifecycle? - > Use. Due to the nature of data being actively used, viewed, and processed in the use phase, it's more likely to be leaked in this phase than in others.
Artificial Intelligence (AI) - > The ability of devices to perform human-like analysis. Operates by consuming a large amount of data and recognizing patterns and trends in the data.
Payment Card Industry Data Security Standard (PCI DSS) - > InfoSec standard for organizations that handle branded credit cards from the major card schemes. The standard is mandated by the card brands but administered by the PCI Security Standards Council. Created to reduce credit card fraud.