Cloud Essentials+ Lesson 5 PDF
Document Details
Tags
Summary
This document provides a lesson on managing cloud governance, covering cloud concepts, risk management, compliance, and policies. It focuses on topics like data ownership, risk assessment, and standard operating procedures (SOPs) within cloud environments.
Full Transcript
Lesson 5 Managing Cloud Governance Lesson 5 Managing Cloud Governance Relate cloud concepts to governance Apply risk management concepts Understand compliance and the cloud Manage policies and procedures for cloud services Copyright © 2019...
Lesson 5 Managing Cloud Governance Lesson 5 Managing Cloud Governance Relate cloud concepts to governance Apply risk management concepts Understand compliance and the cloud Manage policies and procedures for cloud services Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2 Topic A Relate Cloud Concepts to Governance Exam Objectives: 1.1 Explain cloud principles. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 3 Governance and the Five Cloud Characteristics On-demand self-service - policies and change management practices need to be updated for the self-service nature of the cloud. Broad network access - businesses will not know what kind of device is accessing the resources. Risk management must include Internet vulnerabilities. Resource pooling - heavily regulated industries may restrict the storage of sensitive data on public networks. Rapid elasticity - change management and standard operating procedures must be current and reflect the rapid changes available with cloud services. Measured services - billed on a pay-per-use model so resource and change management practices must address these measured services to ensure there are no unexpected charges. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 4 Governance and the Three Cloud Service Models Software as a Service - deployments are governed by change management, resource management, and access and control policies. Platform as a Service - secure development practices should be adopted and applications should be developed to meet compliance requirements. Infrastructure as a Service - standard operating procedures (SOP) should govern the cloud infrastructure. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 5 Governance and the Three Cloud Service Models Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 6 Governance and the Four Cloud Deployment Models Private cloud - organizations retain control of data which may be required due to industry regulations, data sovereignty issues, or risk assessments. Public cloud - organizations must take appropriate measures to manage risk and to control access to resources. Community cloud - several organizations may have similar security and management needs that are based on industry regulations. Hybrid cloud - organizations may choose combinations of the above models to govern data. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 7 Topic B Apply Risk Management Concepts Exam Objectives: 4.1 Recognize risk management concepts related to cloud services. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 8 Risk Assessment A risk assessment is a careful study to identify and address risks to your organization, business processes, customers, and systems. Defines a response based on a likelihood of occurrence and impact. Risks are documented and classified. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 9 Risk Assessment Steps Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 10 Classification of Risks Risks are organized into categories: Likelihood Impact Cost Response Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 11 Asset Inventory Necessary even for cloud resources. Documents what resources are deployed so that they can be managed to mitigate risks. You can’t protect what you don’t know about. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 12 Data Ownership Risk: loss of ownership or control of data to the cloud service provider. Example: social media sites may own data posted to them. Many businesses use social media as part of their customer interaction strategies. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 13 Risk Response Mitigation Avoidance Acceptance Transfer Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 14 Mitigation Take reasonable precautions to prevent a particular risk. Risks can only be managed and minimized, not eliminated. Mitigation examples: Backups VPN Encryption Multifactor authentication Geo-redundancy Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 15 Avoidance Keep the business out of the position of being affected by a given risk. Example: retain highly sensitive data on-premise rather than in the cloud for greater security. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 16 Acceptance Take no action to mitigate a risk due to low impact or low probability. Example: certain natural disasters. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 17 Transfer Transfer the risk elsewhere. Example: insurance Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 18 Risk Documentation Risk register Vendor lock-in Data portability Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 19 Risk Register Tracks identified risks and mitigation efforts. Common sections: Risk Description Likelihood Impact Severity Mitigation Status Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 20 Vendor Lock-in Organization may be dependent on the cloud service provider’s proprietary services. Loss of control by not being able to easily move services to another cloud service provider. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 21 Data Portability Data portability is the transfer of data between two cloud service providers. May be difficult if data is stored in a proprietary manner. Should be specified in the contract with the cloud service provider. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 22 Guidelines A risk assessment defines risks that the organization has evaluated and documented. Risk assessments include the following steps: Determine the hazard(s). Identify who or what could be harmed. Evaluate risks and develop mitigation strategies. Document the risk findings and mitigation. Review the risk assessment regularly. Data classification helps employees understand the proper use and security of data. Conduct a software and operating system inventory; you can’t manage what you don’t know about. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 23 Guidelines (continued) Risk responses: Mitigation Avoidance Acceptance Transfer Vendor lock-in can be a risk, making it difficult to change cloud service providers. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 24 Topic C Understand Compliance and the Cloud Exam Objectives Covered: 4.3 Identify the importance and impacts of compliance in the cloud. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 25 Compliance and Standards Data sovereignty Regulatory concerns and industry-based requirements International standards Certifications Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 26 Data Sovereignty Data is subject to the regulations, laws, and requirements of the country where it is stored. Of particular concern for the cloud, where geo-redundancy may cause data to be stored around the world. Cloud service providers can help to manage your organization’s data legally. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 27 Regulatory Concerns and Industry-Based Requirements Auditing and documentation must still be provided for data stored in the cloud. Regulations examples: Payment Card Industry (PCI) Sarbanes-Oxley HIPAA Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 28 International Standards Defined by the International Organization for Standards (abbreviated as ISO in the United States). Two primary cloud standards define cloud-specific vocabulary and the cloud service models. Ensures cloud service providers, governments, and regulatory bodies operate from a consistent set of terms. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 29 Certifications Independent auditing of cloud service providers. Certifies whether the CSP is compliant with various industry or government requirements. Assures consumers that an independent agency has verified the security claims of the CSP. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 30 Topic D Manage Policies and Procedures for Cloud Services Exam Objectives Covered: 4.2 Explain policies or procedures. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 31 Standard Operating Procedures (SOP) Specific step by step procedural documents for standard tasks. Goal is to provide efficient and consistent instructions that minimize mistakes during configurations. May reflect best practices or industry regulations. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 32 Standard Operating Procedures (SOP) (continued) Template may include: Title Department Data Purpose Actual procedures Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 33 Change Management Preparing the organization for change. Support during the change. Help after the change. Cloud deployments may represent a significant change for many employees. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 34 Resource Management Utilization of tangible resources. Money, supplies, etc. Utilization of intangible resources. Time, skill, people, etc. Cloud services may introduce many changes to resource management. Example: a shift from CapEx to OpEx for the finance department. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 35 Resource Management (continued) Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 36 Policies CIA Triad Security policies Incident response policies Access and control policies Communications policies Department-specific policies Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 37 The CIA Triad Review the three components of the CIA Triad: Confidentiality Integrity Availability Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 38 Security Policy Every organization should have a written security policy. States the company’s security stance. How the company views its data. What risk levels will be tolerated. Rules that govern security for the company. Security policy is always evolving. Must adapt to changes in technology and risks. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 39 Security Policy (continued) Security policy will focus on two factors: Internal - employees, account management, permissions, access controls, etc. External - hackers, physical security, power outages, etc. Employees are often required to sign the security policy: Indicates they read it. Indicates they agree to abide by it. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 40 Security Policy (continued) Many online templates for security policies exist. Usually contains the following elements: Security objectives. Scope of the policy. Goals of the policy. Areas of responsibility. Industry regulations. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 41 Incident Response Policy Step by step procedure for managing specific security incidents. What actions will be taken. Who will take those actions. When those actions will be taken. Example security incidents: Data breach. Website attack. Physical security breach (burglary, laptop theft). Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 42 Access and Control Policies Manage the interaction of users and data. Creation, modification, deletion of user accounts. Password management. Rotation, use, length, complexity. Network access by personal devices. Remote access/VPNs. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 43 Communications Policies Govern all communications media: Email Instant messaging Texting Phone calls Blogs Social media Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 44 Communications Policies (continued) Define acceptable use of communications media. Email belongs to the organization, not the user. Employees must not represent themselves as company spokespersons (unless they actually are). Communications frequently puts data at risk. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 45 Department-Specific Policies Some department may have unique policy requirements. Example: finance departments may be held to different industry regulations than marketing departments. Ensure that each department is compliant. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 46 Guidelines Cloud assessment and migration phases are an excellent time to review and modify policy documents. Standard operating procedures (SOP) are standard task checklists so that steps are done efficiently and consistently. Change management helps organizations more smoothly implement changes to operating systems, applications, procedures, etc. A cloud deployment is usually a significant change that requires careful change management. Cloud services involve a different kind of resource management so resource management documents will need to be updated. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 47 Guidelines (continued) Security policies define the organization’s security stance and priorities. Incident response policies provide specific steps toward mitigating a security incident. Access and control policies govern user account management, permissions, network access, and other controls. Communications policies define how media may be used, including email, instant messaging, social media, and other tools. Individual departments in your organization may have unique requirements that may be documented with department-specific policies. Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 48 Reflective Questions 1. Does your organization have standard operating procedures for routine roles? 2. Does your organization use a change management process? Copyright © 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 49