What are the two basic states of data within the cloud architecture?

Introduction: While an enterprise, as a data owner, has responsibility for ensuring that their data is properly protected, when data is stored with a Cloud Service Provider (CSP), the CSP assumes at least partial responsibility, if not full responsibility, in the role of data custodian. Even with divided responsibilities for data ownership and data custodianship, the data owner does not give up the need for diligence in ensuring that data is properly protected by the custodian.

Question [8 points]: Briefly describe the relationship between the enterprise or cloud consumer, as data owner, and the CSP, as data custodian, regarding data control and responsibility, within each of the three cloud service offerings: IaaS, PaaS, and SaaS. [Your answer must contain at least 150 words. Cite any references that you use.]
Introduction: Risks to data security in clouds are posed to data in two basic states. The security triad (confidentiality, integrity, and availability), along with risk tolerance, determines the nature of data protection mechanisms, procedures, and processes used within the cloud for data security. The key issue is risk exposure to that data within those two states.

Question [4 points]: What are the two basic states of data within the cloud architecture? [Select the best answer.]
Data in motion and data encrypted
Data at rest and data in motion
Data in storage and data at risk
Data in motion and data in transit
Introduction: Several questions about adopting public clouds have to do with what might happen when an external cloud becomes business-critical for the organization. One of these questions involves concern over cloud lock-in.

Question [8 points]: Define cloud lock-in and briefly describe cloud lock-in impacts to business operations and cybersecurity. Describe trends in the cloud industry that address cloud lock-in. [Your answer must contain at least 150 words. Cite any references that you use.]

Introduction: Security controls are countermeasures or safeguards to prevent, avoid, counteract, detect, or otherwise respond to security risks. They can be technical mechanisms, manual practices, or procedures.
Question [8 points]: Briefly describe NIST-defined security controls in general, the NIST security control structure of classes and families, and the use of NIST security controls within the risk management process. [Your answer must contain at least 150 words. Cite any references that you use.]

Introduction: Key strategies and best practices for security in cloud computing can form a foundation for security practice within the broader cloud community. Traditional security best practices apply to cloud computing, but CSPs and cloud consumers may be challenged in adopting such practices when they are more general rather than specific to the cloud space.
Question [8 points]: Briefly describe a cloud security best practice in two (2) of the following areas: policy, risk management, configuration management / change control, auditing, vulnerability scanning, or segregation of duties. [Your answer must contain at least 150 words. Cite any references that you use.]
Introduction: When security controls manage software, system, or network vulnerabilities, this should be done without introducing new vulnerabilities. Implementing security controls with poorly designed applications or systems only guarantees greater complexity. Good security exhibits several qualities, and one of them is a tendency toward simplicity rather than complexity.

Question [4 points]: Is the following statement True or False?
A goal for cloud security is ease of use and easy adoption of security controls. Security controls must be appropriate, effective, and easy to comprehend and navigate by users and administrators.
True
False

Introduction: In multi-tenant cloud computing, security monitoring has importance beyond serving as a means for infrastructure control. By the very nature of a multi-tenant infrastructure, monitoring is necessary on an ongoing basis for near-real-time verification of security. Security monitoring is a key cloud security strategy with important purposes for CSPs and cloud tenants.

Question [4 points]: What are five primary purposes of security monitoring in clouds? [Select the best answer.]
Threat detection; security control configuration; bug exposure; legal activity record; enabling forensics
Threat detection; security control verification; bug exposure; legal activity record; data encryption
Threat detection; security control verification; bug exposure; legal activity record; enabling forensics
Threat detection; security control verification; event data collection; legal activity record; enabling forensics
Event correlation and analysis; security control verification; bug exposure; legal activity record; enabling forensics
Introduction: Organizations implement private clouds for several reasons. One important reason is to gain greater control over cloud implementation. A second important reason is to provide a degree of flexibility and customization to the IT infrastructure of the organization. A private cloud can be more flexible than a public cloud in delivering customized cloud services to groups in the enterprise. Cloud infrastructure deviations can support needs of internal customers and fall into several broad categories.

Question [8 points]: Briefly describe cloud infrastructure deviations in two (2) of the following broad categories. Include a discussion of benefits, challenges, cost impact, etc. Cloud infrastructure deviation categories include [choose two categories about which to write]: hardware platform deviation; network deviation; software platform deviation; or allocation boundaries. [Your answer must contain at least 150 words. Cite any references that you use.]
Introduction: Private cloud users may access the cloud through the Internet or the internal enterprise. When presenting network connectivity toward enterprise and public Internet users, it is critical that you do not present an opportunity for a non-enterprise user to gain access to enterprise data or to the enterprise.

Question [4 points]: Is the following statement True or False?
When private cloud Internet and enterprise users are segregated in a defense-in-depth manner, user data should not be encrypted.
True
False
Introduction: The physical location of the private cloud and its supporting infrastructure in a data center is important to consider for security. Failures of physical security or of parts of the infrastructure can lead to security breaches or denial-of-service. Some important considerations are 1) acts of nature; 2) business continuity and disaster recovery; 3) physical security and access; 4) security cameras and environmental sensors; 5) fire suppression; and 6) reliable power and data center cooling.
Question [8 points]: Briefly describe the significance and impact of two (2) data center considerations when planning an enterprise data center. Write about two (2) of the five considerations listed in the introduction to this question. [Your answer must contain at least 150 words. Cite any references that you use.]
Introduction: When enterprises adopt public clouds, they usually are unable to directly evaluate the security of CSP vendors, and CSPs do not want to repeatedly incur the cost of answering potential customers’ detailed security questions. Often a CSP may state that they are SAS70 or ISO 27002 compliant, but simply stating that a CSP is compliant amounts to self-certification.

Question [4 points]: Is the following statement True or False?
An increase in third party audits by some CSPs is a positive trend, but these audits are not always performed against common test sets, and therefore may have limited value.
True
False

Introduction: Selecting a public CSP should entail an assessment of the risk to which a customer and the customer’s data are subject. The nature and level of risk will vary according to many factors. Among these risk factors are the CSP cloud architecture and security measures. Overall, risk can be broadly classified into several categories.
Question [4 points]: What are three broad categories of risk a potential CSP customer should consider when selecting a public CSP? [Select the best answer.]
Lock-in risks; policy and legal risks; and data exposure risks
Technical risks; policy and legal risks; and operational risks
Technical risks; governance loss risks; and social engineering risks
Introduction: When selecting a public CSP, an enterprise must consider the overall viability of the CSP. A CSP may fail as a business or be subject to adverse circumstances, any of which could be a risk for a customer who comes to rely on a cloud service. The CSP's ability and interest to operate have much to do with its profitability. Since public CSPs are for-profit businesses, if the CSP cannot manage the business, then the cloud service is in jeopardy.

Question [8 points]: Briefly describe important considerations that would affect the viability of a CSP, including financial, human resource, technical, and general business considerations. [Your answer must contain at least 150 words. Cite any references that you use.]
Introduction: In addition to risk factors, an enterprise should consider many security criteria when selecting a public CSP. Some selection criteria specific to security include 1) security policies; 2) security staff; 3) change management; 4) upgrade and patch management; 5) scans; 6) forensics; 7) incident management; and 8) business continuity.

Question [8 points]: Briefly describe two (2) security related selection criteria used during selection of a public CSP. Write about two (2) of the eight security related selection criteria listed in the introduction to this question. [Your answer must contain at least 150 words. Cite any references that you use.]
Introduction: The goal of operating a cloud is to deliver cloud services in an efficient, reliable, cost-effective, and secure manner. This can be very difficult to achieve and depends on many supporting activities. Architecture drives implementation and ongoing costs, including operational security costs. Efficient and secure operation is predicated on thorough and rigorous planning.
Question [4 points]: Is the following statement True or False?
Enterprises commonly spend appropriate attention and financial and time resources on planning and architecture activities to build the proper foundation for future cloud operations, including security operations.
True
False
Introduction: Your CEO found out that you have taken a class in Cloud Security. He is very curious as to what you have learned and wishes to have a discussion with you. You prepare a list of both Pros and Cons of Cloud Computing prior to your meeting.
Question [8 points]: List and briefly describe the Pros and Cons you wish to explain to your boss. [Your answer must contain at least 150 words. Cite any references that you use.]
