Cloud Security Technology (1) What is Cloud Computing

For security professionals working in cloud environments, much of the knowledge and many of the best practices gained from the traditional data center model still apply. Even so, an in-depth understanding of cloud computing concepts, the different cloud models and the cloud service categories is critical to successfully implementing and overseeing security policies and compliance.

What is cloud computing

1.1 Cloud computing definitions

The official definition of "cloud computing" given by NIST is: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

The definition given by ISO/IEC is very similar to the NIST definition: cloud computing is a paradigm for enabling network access to a scalable, elastic pool of shareable physical or virtual resources, with self-service provisioning and administration on demand.

1.2 Cloud Computing Terminology and Basic Concepts


Cloud Application : An application that does not reside or run on the user's device, but is accessed over the network

Cloud Application Portability : The ability to migrate cloud applications from one cloud provider to another

Cloud Computing : A platform, accessed over the network, that provides services from a large pool of scalable system resources without relying on dedicated physical hardware or static parameter configuration

Cloud Data Portability : The ability to move data between cloud providers

Cloud Deployment Model : A way of implementing cloud computing through a specific configuration and set of characteristics of a group of virtual resources. Cloud deployment models include public cloud, private cloud, hybrid cloud and community cloud (industry cloud)

Cloud Service : The capability provided by a cloud provider and accessed by customers

Cloud Service Category : A group of cloud services with the same characteristics or quality

Community Cloud : A cloud service model in which membership is limited to tenants that have shared needs and associations, and at least one community member maintains or controls the cloud platform

Data Portability : The ability to move data from one system to another without having to re-enter it

Hybrid Cloud : A cloud service model that combines two other types of cloud deployment model

Infrastructure as a Service (IaaS) : One of the cloud service categories, in which the Cloud Service Provider provides infrastructure-level services (such as processing, storage and networking)

Measured Service : Cloud services are delivered and billed in a metered manner

Multitenancy : A technology that allows multiple cloud customers and applications to run in the same cloud environment; the tenants share the same resources but are isolated from each other and usually invisible to each other

On-demand self-service : Cloud customers can obtain services through automatic resource allocation whenever they need them, without the involvement of the cloud provider

Platform as a Service (PaaS) : One of the cloud service categories, in which the cloud provider supplies platform services (such as Azure and AWS) to cloud customers; the cloud service provider is responsible for the underlying systems and for the services up to the application level

Private Cloud : One of the cloud service models, in which the cloud computing environment is owned and controlled by a single entity and used to achieve that entity's own business goals.

Public Cloud : One of the cloud service models, in which the cloud computing environment is maintained and controlled by the cloud provider, and the cloud service is available to any potential cloud customer (Cloud Customer).

Resource Pooling : A collection of resources allocated by the cloud provider to cloud customers.

Reversibility : The ability of cloud customers to retrieve (migrate) all of their data and applications from the cloud provider's platform, have all of that data completely deleted from the cloud provider's environment, and move to a new environment with minimal business impact.

Software as a Service (SaaS) : One of the cloud service categories, in which cloud customers are provided with a complete set of applications and the cloud provider is responsible for maintaining the entire infrastructure, platform and applications.

Tenant : One or more cloud customers sharing access to a resource pool

1.3 Cloud computing roles and responsibilities


Cloud Service Provider (CSP) : A provider of cloud computing services. A CSP owns data centers, hires staff, owns and manages (hardware and software) resources, provides services and security, and helps manage cloud customers and their data and processing needs; examples include AWS, Rackspace and Microsoft Azure.

Cloud Customer and Cloud User : A cloud customer is anyone who purchases cloud services, whether an individual or a company. A cloud user is simply someone who uses a cloud service; this may be an employee of the company that is the cloud customer, or just an individual.

Cloud Access Security Broker (CASB) : A third-party entity that usually acts as an intermediary, providing independent Identity and Access Management (IAM) services for cloud service providers and cloud customers. A CASB can take a variety of service forms, including single sign-on (SSO), certificate management and cryptographic key escrow.

Regulator : Ensures that the organization follows the applicable regulatory framework. Regulators can be government agencies, certification bodies or parties to a contract.

Data Owner : The organization that collects or creates data. Within an organization, a specific data set (Dataset) is usually assigned to a data owner, an individual with rights over and responsibility for that data; this person is usually the department head or business unit manager who creates or collects the data set. From the cloud computing perspective, the cloud customer is usually the data owner. Many international treaties and frameworks treat the data owner as the data controller.

Data Custodian : Any organization or person who operates, stores or moves data on behalf of the data owner. Within an organization, the data custodian might be the database administrator; in a cloud environment, the data custodian is usually the cloud service provider. In international practice, the data custodian is also called the data processor (Data Processor).

1.4 Key cloud computing characteristics


Broad network access means that there should never be network bandwidth bottlenecks. This is usually achieved with advanced routing techniques, load balancing, multisite hosting (Multisite Hosting) and other techniques.

On-demand self-service refers to a model that allows cloud customers and cloud service providers to scale computing and/or storage as needed. The service takes effect in real time.

Resource pooling allows cloud service providers to meet the varied resource demands of cloud customers while remaining economically viable. The cloud service provider makes a capital investment (Capital Investment) that far exceeds what any single cloud customer could fund on its own; it can then allocate these resources on demand, so that resources are neither underutilized (which means wasted investment) nor overused (which means a drop in service level).

Measurable/metered service, in short, means that cloud customers pay only for the resources they actually use; the service is billed much as a water or electric company bills customers for their monthly utility usage.

Elasticity : A kind of flexibility. When resources are needed immediately, they can be allocated on demand rather than purchased according to other factors.

The ISO/IEC standard not only includes the above characteristics but also adds multi-tenancy (Multitenancy). Although multi-tenancy is a component of most cloud service offerings, it is not an inevitable feature of cloud computing services. Some cloud service models do not include multi-tenancy, because cloud customers can purchase or rent/lease fully dedicated resources.

1.5 Building block technologies

In addition to CPU, memory/RAM, storage, network, databases and applications, the building blocks of cloud computing also include technologies such as virtualization and orchestration.


Origin blog.csdn.net/qq_64973687/article/details/131271028