Cloud Essentials+ Lesson5.pptx

Full Transcript

Lesson 5 Managing Cloud
Governance
Lesson 5 Managing Cloud Governance

Relate cloud concepts to governance
Apply risk management concepts
Understand compliance and the cloud
Manage policies and procedures for cloud services

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Topic A Relate Cloud Concepts to Governance

Exam Objectives:
1.1 Explain cloud principles.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 3
Governance and the Five Cloud Characteristics

On-demand self-service - policies and change management practices
need to be updated for the self-service nature of the cloud.
Broad network access - businesses will not know what kind of device
is accessing the resources. Risk management must include Internet
vulnerabilities.
Resource pooling - heavily regulated industries may restrict the
storage of sensitive data on public networks.
Rapid elasticity - change management and standard operating
procedures must be current and reflect the rapid changes available
with cloud services.
Measured services - billed on a pay-per-use model so resource and
change management practices must address these measured
services to ensure there are no unexpected charges.
Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 4
Governance and the Three Cloud Service Models

Software as a Service - deployments are governed by change
management, resource management, and access and control
policies.
Platform as a Service - secure development practices should be
adopted and applications should be developed to meet compliance
requirements.
Infrastructure as a Service - standard operating procedures (SOP)
should govern the cloud infrastructure.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 5
Governance and the Three Cloud Service Models

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 6
Governance and the Four Cloud Deployment Models

Private cloud - organizations retain control of data which may be
required due to industry regulations, data sovereignty issues, or risk
assessments.
Public cloud - organizations must take appropriate measures to
manage risk and to control access to resources.
Community cloud - several organizations may have similar security
and management needs that are based on industry regulations.
Hybrid cloud - organizations may choose combinations of the above
models to govern data.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 7
Topic B Apply Risk Management Concepts

Exam Objectives:
4.1 Recognize risk management concepts related to cloud
services.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 8
Risk Assessment

A risk assessment is a careful study to identify and address risks to
your organization, business processes, customers, and systems.
Defines a response based on a likelihood of occurrence and impact.
Risks are documented and classified.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 9
Risk Assessment Steps

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 10
Classification of Risks

Risks are organized into categories:
Likelihood
Impact
Cost
Response

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 11
Asset Inventory

Necessary even for cloud resources.
Documents what resources are deployed so that they can be
managed to mitigate risks.
You can’t protect what you don’t know about.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 12
Data Ownership

Risk: loss of ownership or
control of data to the cloud
service provider.
Example: social media sites
may own data posted to
them.
Many businesses use social
media as part of their
customer interaction
strategies.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 13
Risk Response

Mitigation
Avoidance
Acceptance
Transfer

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 14
Mitigation

Take reasonable precautions
to prevent a particular risk.
Risks can only be managed
and minimized, not
eliminated.
Mitigation examples:
Backups
VPN
Encryption
Multifactor authentication
Geo-redundancy

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 15
Avoidance

Keep the business out of
the position of being
affected by a given risk.
Example: retain highly
sensitive data on-premise
rather than in the cloud
for greater security.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 16
Acceptance

Take no action to mitigate a
risk due to low impact or
low probability.
Example: certain natural
disasters.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 17
Transfer

Transfer the risk
elsewhere.
Example: insurance

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 18
Risk Documentation

Risk register
Vendor lock-in
Data portability

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 19
Risk Register

Tracks identified risks and mitigation efforts.
Common sections:
Risk
Description
Likelihood
Impact
Severity
Mitigation
Status

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 20
Vendor Lock-in

Organization may be dependent on the cloud service provider’s
proprietary services.
Loss of control by not being able to easily move services to another
cloud service provider.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 21
Data Portability

Data portability is the transfer of data between two cloud service
providers.
May be difficult if data is stored in a proprietary manner.
Should be specified in the contract with the cloud service provider.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 22
Guidelines

A risk assessment defines risks that the organization has evaluated
and documented.
Risk assessments include the following steps:
Determine the hazard(s).
Identify who or what could be harmed.
Evaluate risks and develop mitigation strategies.
Document the risk findings and mitigation.
Review the risk assessment regularly.
Data classification helps employees understand the proper use and
security of data.
Conduct a software and operating system inventory; you can’t
manage what you don’t know about.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 23
Guidelines (continued)

Risk responses:
Mitigation
Avoidance
Acceptance
Transfer
Vendor lock-in can be a risk, making it difficult to change cloud
service providers.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 24
Topic C Understand Compliance and the Cloud

Exam Objectives Covered:
4.3 Identify the importance and impacts of compliance in the
cloud.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 25
Compliance and Standards

Data sovereignty
Regulatory concerns and industry-based requirements
International standards
Certifications

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 26
Data Sovereignty

Data is subject to the regulations, laws, and requirements of the
country where it is stored.
Of particular concern for the cloud, where geo-redundancy may
cause data to be stored around the world.
Cloud service providers can help to manage your organization’s data
legally.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 27
Regulatory Concerns and Industry-Based
Requirements

Auditing and
documentation must still
be provided for data
stored in the cloud.
Regulations examples:
Payment Card Industry
(PCI)
Sarbanes-Oxley
HIPAA

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 28
International Standards

Defined by the International Organization for Standards (abbreviated
as ISO in the United States).
Two primary cloud standards define cloud-specific vocabulary and the
cloud service models.
Ensures cloud service providers, governments, and regulatory bodies
operate from a consistent set of terms.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 29
Certifications

Independent auditing of cloud service providers.
Certifies whether the CSP is compliant with various industry or
government requirements.
Assures consumers that an independent agency has verified the
security claims of the CSP.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 30
Topic D Manage Policies and Procedures for Cloud
Services
Exam Objectives Covered:
4.2 Explain policies or procedures.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 31
Standard Operating Procedures (SOP)

Specific step by step procedural documents for standard tasks.
Goal is to provide efficient and consistent instructions that
minimize mistakes during configurations.
May reflect best practices or industry regulations.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 32
Standard Operating Procedures (SOP) (continued)

Template may
include:
Title
Department
Data
Purpose
Actual procedures

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 33
Change Management

Preparing the organization for change.
Support during the change.
Help after the change.

Cloud deployments may represent a significant change for many
employees.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 34
Resource Management

Utilization of tangible resources.
Money, supplies, etc.
Utilization of intangible resources.
Time, skill, people, etc.
Cloud services may introduce many changes to resource
management.
Example: a shift from CapEx to OpEx for the finance department.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 35
Resource Management (continued)

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 36
Policies

CIA Triad
Security policies
Incident response policies
Access and control policies
Communications policies
Department-specific policies

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 37
The CIA Triad

Review the three
components of the CIA
Triad:
Confidentiality
Integrity
Availability

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 38
Security Policy

Every organization should
have a written security policy.
States the company’s
security stance.
How the company views its
data.
What risk levels will be
tolerated.
Rules that govern security for
the company.
Security policy is always
evolving.
Must adapt to changes in
technology and risks.
Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 39
Security Policy (continued)

Security policy will focus on
two factors:
Internal - employees, account
management, permissions,
access controls, etc.
External - hackers, physical
security, power outages, etc.
Employees are often required
to sign the security policy:
Indicates they read it.
Indicates they agree to abide
by it.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 40
Security Policy (continued)

Many online templates for
security policies exist.
Usually contains the following
elements:
Security objectives.
Scope of the policy.
Goals of the policy.
Areas of responsibility.
Industry regulations.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 41
Incident Response Policy

Step by step procedure for
managing specific security
incidents.
What actions will be taken.
Who will take those actions.
When those actions will be
taken.
Example security incidents:
Data breach.
Website attack.
Physical security breach
(burglary, laptop theft).

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 42
Access and Control Policies

Manage the interaction of
users and data.
Creation, modification,
deletion of user accounts.
Password management.
Rotation, use, length,
complexity.
Network access by personal
devices.
Remote access/VPNs.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 43
Communications Policies

Govern all communications
media:
Email
Instant messaging
Texting
Phone calls
Blogs
Social media

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 44
Communications Policies (continued)

Define acceptable use of
communications media.
Email belongs to the
organization, not the user.
Employees must not
represent themselves as
company spokespersons
(unless they actually are).
Communications frequently
puts data at risk.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 45
Department-Specific Policies

Some department may have
unique policy requirements.
Example: finance departments
may be held to different
industry regulations than
marketing departments.
Ensure that each department
is compliant.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 46
Guidelines

Cloud assessment and migration phases are an excellent time to
review and modify policy documents.
Standard operating procedures (SOP) are standard task checklists so
that steps are done efficiently and consistently.
Change management helps organizations more smoothly implement
changes to operating systems, applications, procedures, etc.
A cloud deployment is usually a significant change that requires
careful change management.
Cloud services involve a different kind of resource management so
resource management documents will need to be updated.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 47
Guidelines (continued)

Security policies define the organization’s security stance and
priorities.
Incident response policies provide specific steps toward mitigating a
security incident.
Access and control policies govern user account management,
permissions, network access, and other controls.
Communications policies define how media may be used, including
email, instant messaging, social media, and other tools.
Individual departments in your organization may have unique
requirements that may be documented with department-specific
policies.

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 48
Reflective Questions

1. Does your organization have standard operating procedures for
routine roles?

2. Does your organization use a change management process?

Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 49