The Official (ISC)2 CCSP CBK Reference. Leslie Fife
of hardware, network and storage, and the virtualization software. The remainder of the maintenance and versioning is the responsibility of the customer.
What this means in practical terms is that updates and patches in a SaaS or PaaS environment may occur without the knowledge of the customer. If properly tested before being deployed, it will also be unnoticed by the customer. There remains the potential for something to break when an update or patch occurs, as it is impossible to test every possible variation that may exist in the cloud environment of the customers. This is true in a traditional on-premise environment as well. In an IaaS environment, the customer has much more control over patch and update testing and deployment.
On the positive side, there will not be the endpoints that exist in every organization that never get updated and have older, insecure versions of potentially unlicensed software. When connecting to the cloud service, the customer will always be using the newest, most secure version of the solution in a SaaS solution.
In a PaaS or IaaS, the customer is responsible for some of the maintenance and versioning. However, each customer that connects to the PaaS and IaaS environment will be accessing the most current version provided. The maintenance and versioning are simplified by restricting the maintenance and versioning to the cloud environment. It is not necessary to update each endpoint running a particular piece of software. Everyone connecting to the cloud is running the same version, even if it is old and has not been updated.
Service Levels and Service Level Agreements
Contractually, an SLA specifies the required performance parameters of a solution. This negotiation will impact the price, as more stringent requirements can be more expensive. For example, if you need 24-hour support, this will be less expensive than 4-hour support.
Some CSPs will provide a predefined set of SLAs, and customers choose the level of service they need. The customer can be an individual or an organization. For the customer contracting with a CSP, this is a straightforward approach. The CSP publishes their performance options and the price of each, and the customer selects the one that best suits their needs and resources.
In other cases, a customer specifies their requirements, and the CSP will provide the price. If the CSP cannot deliver services at the level specified or if the price is more than the customer is willing to pay, the negotiation continues. Once agreed upon, the SLA becomes part of the contract. This is generally true only for large customers. The cost of negotiating and customizing an SLA and the associated environment is not generally cost effective for smaller contracts and individuals.
Auditability
A cloud solution needs to be auditable. This is an independent examination of the cloud services controls, with the expression of an opinion on their function with respect to their purpose. Are the controls properly implemented? Are the controls functioning and achieving their goal? These are the questions of an auditor.
A CSP will rarely allow a customer to perform on audit on their controls. Instead, independent third parties will perform assessments that are provided to the customer. Some assessments require a nondisclosure agreement (NDA), and others are publicly available. These include SOC reports, vulnerability scans, and penetration tests.
Regulatory
Proper oversight and auditing of a CSP makes regulatory compliance more manageable. A regulatory environment is one where a principle or rule controls or manages an organization. Governance of the regulatory environment is the implementation of policies, procedures, and controls that assist an organization in meeting regulatory requirements.
One form of regulations are those governmental requirements that have the force of law. The Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX) in the United States, and GDPR in the European Union are examples of laws that are implemented through regulations and have the force of law. If any of these apply to an organization, governance will put a framework in place to ensure compliance with these regulations.
Another form of regulations is those put in place through contractual requirements. An SLA takes the form of a contractual obligation as do the rules associated with credit and debit cards through the Payment Card Industry Data Security Standard (PCI DSS). Enforcement of contractual rules can be through the civil courts governing contracts. Governance must again put in place the framework to ensure compliance.
A third form of regulations is found through standards bodies like International Organization for Standardization (ISO) and NIST as well as nongovernmental groups such as the Cloud Security Alliance and the Center for Internet Security. These organizations make recommendations and provide best practices in the governance of security and risk. These support improved security and risk management. While this form of regulation does not usually have the force of law, an organization or industry may voluntarily choose to be regulated by a specific set of guidelines. For example, U.S. federal agencies are required to follow NIST requirements. If an organization or industry chooses to follow a set of guidelines under ISO, NIST, or other group, they must put the governance framework in place to ensure compliance. While often voluntary, once an organization chooses to follow these guidelines, the governance process ensures the organization complies with these regulations.
Impact of Related Technologies
The technologies in this section may be termed transformative technologies. Without them, the cloud computing still works and retains its benefits. These transformative technologies either improves your capabilities in the cloud or expands the capabilities and benefits of cloud computing. In the following sections, the specific use cases for the technology will be described.
Machine Learning
Machine learning (ML) is a key component of artificial intelligence (AI) and is becoming more widely used in the cloud. Machine learning creates the ability for a solution to learn and improve without the use of additional programming. Many of the CSPs provide ML tools. There is some concern and regulatory movement when ML makes decisions about individuals without the involvement of a person in the process.
The availability of large amounts of inexpensive data storage coupled with vast amounts of computing power increases the effectiveness of ML. A data warehouse, or even a data lake, can hold amounts of data that could not be easily approached before. ML tools can mine this data for answers to questions that could not be asked before because of the computing power required. This capability has the potential to transform how we use data and the answers we can extract from our data.
The security concern has to do with both the data and the processing. If all of your data is available in one large data lake, access to the data must be tightly controlled. If your data store is breached, all of your data is at risk. Controls to protect the data at rest and access to this data are crucial to make this capability safe for use.
The other concern is with how the data is used. More specifically, how will it impact the privacy of the individuals whose data is in the data store? Will questions be asked where the answers can be used to discriminate against groups of people with costly characteristics? Might insurance companies refuse to cover individuals when the health history of their entire family tree suggests they are an even greater risk than would be traditionally believed?
Governmental bodies and Non-Governmental Organizations (NGOs) are addressing these concerns to some degree. For example, Article 22 of the EU GDPR has a prohibition on automated decision-making, which often involves ML, when that decision is made without human intervention if the decision has a significant impact on the individual. For example, a decision on a mortgage loan could involve ML. The final loan decision cannot be made by the ML solution. A human must review the information and make the final decision.
Artificial Intelligence
Machine learning is not the