The Official (ISC)2 CCSP CBK Reference. Leslie Fife
major CSPs provide orchestration tools. These include IBM Cloud Orchestrator, Microsoft's OMS Management Suite, Oracle Cloud Management Solutions, and AWS CloudFormation. Like all such offerings, they vary considerably in the tools provided and the integration with other vendors' cloud offerings.
DESCRIBE CLOUD REFERENCE ARCHITECTURE
The purpose of a reference architecture (RA) is to allow a wide variety of cloud vendors and services to be interoperable. An RA creates a framework or mapping of cloud computing activities and cloud capabilities to allow the services of different vendors to be mapped and potentially work together more seamlessly. An example of this approach is the seven-layer Open Systems Interconnection (OSI) model of networking, which is used to discuss many networking protocols. As companies engage in a wide variety of cloud solutions from multiple vendors, interoperability is becoming more important, and the reference architecture makes it easier to achieve.
The National Institute of Standards and Technology (NIST) provides a cloud computing reference architecture in SP 500-292, as do other organizations. Some models, such as NIST's, are role based. Other RAs, such as the IBM conceptual reference model, are layer based. The NIST RA is intended to be vendor neutral and defines five roles: cloud consumer, cloud provider, cloud auditor, cloud broker, and cloud carrier.
Cloud Computing Activities
Cloud computing activities in an RA depend on whether the RA is role based or layer based. As an example, the role-based NIST RA will be used to describe cloud computing activities. A similar description could be made for a layer-based model. In a role-based RA, cloud computing activities are the activities of each of the roles. The NIST model includes five roles, with the following types of activities:
Cloud consumer: The procurement and use of cloud services. This involves reviewing available services, requesting services, setting up accounts and executing contracts, and using the service. What the activities consist of depends on the cloud service model. For a SaaS consumer, the activities are typical end-user activities such as email, social networks, and collaboration tools. The activities of a PaaS customer center on development activities, business intelligence, and application deployment. IaaS customers focus on activities such as business continuity and disaster recovery, storage, and compute.
Cloud provider: The entity that makes a service available. These activities include service deployment, orchestration, and management as well as security and privacy.
Cloud auditor: An entity capable of independent examination and evaluation of cloud service controls. These activities are especially important for entities with contractual or regulatory compliance obligations. Audits are usually focused on compliance, security, or privacy.
Cloud broker: This entity is involved in three primary activities: aggregation of services from one or several CSPs, integration with existing infrastructure (cloud and noncloud), and customization of services.
Cloud carrier: The entity that provides the network or telecommunication connectivity that permits the delivery and use of cloud services.
Cloud Service Capabilities
Capability types are another way to look at cloud service models. In this view, we look at the capabilities provided by each model. Our three service models are SaaS, PaaS, and IaaS. Each provides a different level and type of service to the customer. The shared security responsibilities differ for each type as well.
Application Capability Types
Application capabilities include the ability to access an application over the network from multiple devices and from multiple locations. Application access may be made through a web interface, through a thin client, or in some other manner. As the application and data are stored in the cloud, the same data is available to a user from whichever device they connect from. Depending on the end user, the look of the interface may be different.
Users do not have the capability to control or modify the underlying cloud infrastructure, although they may be able to customize their interface to the cloud solution. What the user gets is a positive experience when working on a laptop or phone. The organization does not have to be concerned with the different types of endpoints in use in their organization (as it relates to cloud service access). Supporting all of the different types of devices is the responsibility of the application service provider.
Platform Capability Types
A platform has the capability of developing and deploying solutions through the cloud. These solutions may be developed with available tools, they may be acquired solutions that are delivered through the cloud, or they may be solutions that are acquired and customized prior to delivery. The user of a platform service may modify the solutions they deploy, particularly the ones they develop and customize. However, the user has no capability to modify the underlying infrastructure.
What the user gets in a platform service are tools that are specifically tailored to the cloud environment. In addition, the user can experiment with a variety of platform tools, methods, and approaches to determine what is best for a particular organization or development environment without the expense of acquiring all those tools and the underlying infrastructure costs. It provides a development sandbox at a lower cost than doing it all in house.
Infrastructure Capability Types
An infrastructure customer cannot control the underlying hardware but has control over the operating system, installed tools, solutions installed, and provisioning of infrastructure compute, storage, network, and other computing resources.
This capability provides the customer with the ability to spin up an environment quickly. The environment may be needed for only hours or days. The parent organization does not have to purchase the hardware or physical space for this infrastructure or pay for its setup and continuing maintenance for usage spikes, temporary needs, or even regular cycles of use.
Cloud Service Categories
There are three primary cloud service categories: SaaS, PaaS, and IaaS. In addition, other service categories are sometimes suggested, such as storage as a service (STaaS), database as a service (DBaaS), and even everything as a service (XaaS). However, these can be described in terms of the three basic types and have not caught on in common usage. They are most often used in marketing.
Security of systems and data is a shared responsibility between the customer and service provider. The point at which responsibilities of the service provider end and the responsibilities of the customer begin depends on the service category.
When talking about SaaS, PaaS, or IaaS solutions, we must know which service model is being discussed. Each is discussed in some detail next. Which model you are referring to is in part determined by where in the process you are.
If you are an end user, you are likely using a SaaS solution. If you are a developer, you may be offering a SaaS solution you developed in-house or through the use of a PaaS development environment. It is possible that the cloud service you provide is a development environment, so you offer a PaaS service you built on an IaaS service. Some customers work at all three levels. They use an IaaS service to build a development environment to create a SaaS solution. In each case, the security responsibilities are shared, as described elsewhere, by the customer and the CSP. However, that shared responsibility can become rather complex if the customer uses multiple services at differing service levels.
Software as a Service
SaaS is the most common cloud service that most people have experience with. This is where we find the end user, which at times is each of us. If you have shared a file through Google Docs, stored a file on Dropbox,