Certified Cloud Security Professional – CCSP [Part 1]

For Section 1 of the CCSP Exam – Cloud concepts, Architecture, and Design, we will be covering various topics ranging from Different types of Deployment and Service Models of the Cloud, Cloud Resources, IAM, Storage, and Threats to Virtualized Infrastructures. For advanced learning, I am covering references from Azure and AWS cloud while discussing cloud concepts.

1.1 Understand Cloud Computing Concepts

1.1.1 Cloud Computing Characteristics

Cloud, as we all know, is just another person’s computer. We access servers deployed in the data centers of Amazon or Microsoft remotely, over the internet, from our web browser. The cloud gives clients access to high-performing, scalable, and highly available compute, network, and storage resources, and users pay only for what they use. So, if I want an Ubuntu machine with 4 CPUs, 8 GB RAM, and 200 GB disk storage for 4 hours? No problem: I can create a virtual machine from any of my cloud service provider’s consoles and pay only for those resources for that 4-hour period. Cloud computing moves customers from a Capex to an Opex-based model, where companies pay only for the usage and maintenance of their virtualized workloads. Based on the above example, the cloud characteristics are,

  • Measured Services, or Pay what you use
  • Elasticity, or adding/removing resources based on real-time usage
  • On-Demand Self-Service, or provisioning new workloads as per user requirement by the customer itself
  • Broad Network Access, or availability over the internet around the globe
  • Shared Pool of Resources, or use of shared but segmented cloud infrastructure
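To make two of these characteristics concrete, here is a small simulation added for this write-up (it is not code from the original post or from any cloud provider): an autoscaler that adds or removes instances from hourly load (Elasticity) and a meter that bills only the instance-hours that actually ran (Measured Service), set against the Capex alternative of owning hardware sized for the peak. The thresholds, cooldown, price, and the hourly load samples are constructed assumptions.

```python
# Added example, not from the original post: toy simulation of two characteristics
# listed above, Elasticity (scale out/in on real-time load) and Measured Service
# (bill only instance-hours actually run). Thresholds, cooldown, price and the
# hourly load samples are constructed assumptions.
from typing import Dict, List

class Autoscaler:
    """Adds or removes instances based on hourly average CPU utilization."""

    def __init__(self, min_instances: int = 1, max_instances: int = 10,
                 scale_out_above: float = 0.70, scale_in_below: float = 0.30,
                 cooldown_hours: int = 1) -> None:
        self.min_instances = min_instances
        self.max_instances = max_instances
        self.scale_out_above = scale_out_above
        self.scale_in_below = scale_in_below
        self.cooldown_hours = cooldown_hours
        self.instances = min_instances
        self._hours_since_change = cooldown_hours  # allow an immediate change

    def step(self, avg_cpu: float) -> int:
        """Decide the instance count for the next hour from this hour's load."""
        if self._hours_since_change < self.cooldown_hours:
            self._hours_since_change += 1      # still cooling down: no change
            return self.instances
        if avg_cpu > self.scale_out_above and self.instances < self.max_instances:
            self.instances += 1                # scale out
            self._hours_since_change = 0
        elif avg_cpu < self.scale_in_below and self.instances > self.min_instances:
            self.instances -= 1                # scale in
            self._hours_since_change = 0
        else:
            self._hours_since_change += 1
        return self.instances

def meter(hourly_cpu: List[float], price_per_instance_hour: float) -> Dict[str, float]:
    """Measured service: bill only what ran, and compare with owning peak capacity."""
    scaler = Autoscaler()
    instance_hours, peak = 0, 0
    for avg_cpu in hourly_cpu:
        running = scaler.instances           # instances billed for this hour
        instance_hours += running
        peak = max(peak, running)
        scaler.step(avg_cpu)                 # adjust capacity for the next hour
    return {"instance_hours": instance_hours, "peak_instances": peak,
            "opex_cost": round(instance_hours * price_per_instance_hour, 2),
            "capex_equivalent_hours": peak * len(hourly_cpu)}  # sized for the peak

# Constructed load profile: quiet start, busy afternoon, idle evening.
SAMPLE_LOAD = [0.20, 0.50, 0.90, 0.95, 0.80, 0.40, 0.10, 0.10]
```

Running `meter(SAMPLE_LOAD, 0.10)` bills 15 instance-hours against the 24 that hardware sized for the peak of 3 instances would have cost, which is the Capex-to-Opex point in numbers.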

Before moving to the various deployment models and types of cloud, we need to understand that although cloud providers like Amazon and Azure offer many unique services and solutions to customers, the most basic and commonly used services are,

  1. Compute – For compute, Amazon provides EC2 or Elastic Compute service and Azure provides the Virtual Machines service. For cloud-native applications, we now also have Amazon’s EKS or Elastic Kubernetes Service and Azure’s AKS or Azure Kubernetes Service. All these services give end users access to the processing power to run their applications.
  2. Network – For networking, Amazon provides VPC or Virtual Private Cloud with its own segmented private subnets and public Elastic IPs. Azure provides VNet or Azure Virtual Network with its own private subnets and public IPs. Additionally, Amazon provides multiple ways to connect with outside networks, like Amazon Direct Connect, NAT Gateway, Transit Gateway, etc. Azure has similar services like Azure ExpressRoute, Azure Virtual Network NAT gateway, Azure VPN Gateway, etc.
  3. Storage – For storage, Amazon provides EBS or Elastic Block Storage for block storage, S3 for object storage, and EFS or Elastic File Storage for file system storage. Azure provides Azure Disks for block storage, Azure Blob for object storage, and Azure Files for file system storage.

All these services are chargeable, and the cost varies with the customization chosen when requesting services from CSPs or Cloud Service Providers. For example, block storage may be offered on cheaper but slower HDDs (Hard Disk Drives) or on SSDs (Solid-State Drives).

1.1.2 Cloud Computing Roles

Cloud deployment strategy is a big task and requires people with different skill sets to work together for the solution to go live in production. These cloud computing roles can be technical or managerial, depending on which aspect of the strategy they are engaged in. Let us get a brief idea of all these roles,

  • Cloud Admin – Person administering the cloud deployment, including activities like scale-in or scale-out, new region creation, etc.
  • Cloud Architect – Person responsible for designing the whole deployment, with planning strategies for high availability, expenditures, etc.
  • Cloud Operator – Person managing day-to-day activities like health checks of systems, alarm monitoring, etc.
  • Cloud Developer – Person who develops cloud solution software, like enhancing features of an existing cloud solution and releasing them as part of the next major or minor release.
  • Cloud Application Architect – Person who creates deployment strategies for application workloads built on top of the cloud infra, based on requirements like high availability, auto-scaling groups, port security groups, etc.
  • Cloud Service Manager – Person who works mainly on policy design, pricing, business agreements, SLAs, etc. for the cloud solution, working continuously with vendors and cloud architects.
  • Cloud Storage Admin – Similar to the Cloud Admin, the Cloud Storage Admin administers the activities related to cloud storage: creating new block storage volumes, managing object storage, data lakes, etc.
  • Cloud Data Architect – Similar to the Cloud Architect, the Cloud Data Architect plans and designs the implementation of storage solutions, retention policies, RTO, RPO, etc.

1.2 Describe Cloud Reference Architecture

1.2.1 Cloud Service Categories and Deployment Models

Let us talk about the responsible parties in a Cloud reference architecture before moving to Cloud Deployment models and the types of service offered. These parties are,

  • Cloud Service Providers, or owners of Cloud Infrastructure and Inventory
  • Cloud Customers, or end-users of the cloud services
  • Cloud Service Partners / Cloud Service Brokers, or third-party organizations that manage cloud deployments on behalf of either customers or service providers.
  • Cloud Service Auditors, or third-party organizations responsible for verifying the cloud service provider’s compliance with standards.

The Cloud Deployment model defines how cloud services are deployed and made available to customers. We have five types of deployment models,

  1. Public Cloud – Public cloud is deployed by cloud service providers at remote locations on their own premises and made available to customers via the Internet. Amazon Web Services, Microsoft Azure, and Google Cloud Platform are a few widely recognized Public Cloud Service Providers.
  2. Private Cloud – Private cloud is deployed in-house by an organization, as part of its IT data center. As the whole infra is part of the company’s intranet, it is considered more secure but needs a skilled team of system admins to manage the stack.
  3. Hybrid Cloud – Hybrid Cloud brings a mix of benefits from both public and private clouds. Organization-critical data can be kept inside a private cloud to ensure security, while web applications can be run on a public cloud for a cheaper cost.
  4. Community Cloud – The community cloud is created as part of a collaboration exercise between two or more organizations, where they combine their resources to enhance their cloud capabilities.
  5. Multi-Cloud – Cloud service providers offer a wide range of services to customers, yet sometimes customers may look to go beyond the service stack offered by a single provider. This creates a multi-cloud scenario, where a customer looks to utilize services from multiple cloud service providers.

Those are the ways the cloud can be deployed. However, each cloud may offer different kinds of services to its customers. Broadly, these services are categorized as,

  • SaaS or Software as a Service – In SaaS, customers use services like a web application or a database from their own devices, such as a laptop or mobile phone, while the CSP owns deploying the software, running it on servers, and managing the whole backend. For example, Gmail, Dropbox, etc.
  • PaaS or Platform as a Service – In PaaS, customers get access to a platform with some dependencies already installed, and they have the right to modify it, add more libraries, or run any software on it using their own code. It is mostly used by developers looking to test their applications. For example, AWS Elastic Beanstalk.
  • IaaS or Infrastructure as a Service – In IaaS, customers can provision their own virtual machines, add or remove storage disks, change networking, etc., because infrastructure itself is the service offering, allowing them to use it as their requirements dictate. For example, AWS, Rackspace, etc. Do note that even in this offering, customers still do not have access to the provider’s underlying physical infrastructure and servers.

This ends Part 1 of Domain 1 of the CCSP Exam. In Part 2, we will proceed to the remaining topics of Domain 1.
