The Official (ISC)2 CCSP CBK Reference. Leslie Fife

Read The Official (ISC)2 CCSP CBK Reference by Leslie Fife online, page 12

they may have accounts with multiple CSPs, such as AWS, IBM Cloud Foundry, and Microsoft Azure. In addition, they may be using public, private, and community clouds.

      This complexity could lead to data being out of sync, processes being broken, and the workforce unable to keep track of all the parts. Like the conductor of an orchestra, cloud orchestration tools keep all of these pieces working together, including data, processes, and application services. Orchestration is the glue that ties all of the pieces together through programming and automation. Orchestration is valuable whether an organization runs a single cloud environment or a multicloud environment.

      This is more than simply automating a task here and a task there. Rather, the cloud orchestration service uses automation to create one seemingly seamless organizational cloud environment. In addition to hiding much of the complexity of an organization's cloud environment, cloud orchestration can reduce costs, improve efficiency, and support the overall workforce.

      The major CSPs provide orchestration tools. These include IBM Cloud Orchestrator, Microsoft Operations Management Suite (OMS), Oracle Cloud Management Solutions, and AWS CloudFormation. Like all such offerings, they vary considerably in the tools provided and in their integration with other vendors' cloud offerings, so a tool that orchestrates one provider's services well may not reach across a multicloud environment.
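      As an added example of what orchestration "through programming and automation" looks like in practice, the following is a minimal AWS CloudFormation template written for this page (it is not from the book or from any vendor's documentation). It declares two pieces, a storage bucket and a role that may read it, and wires them together so that the role's policy is generated from whatever name the bucket receives when the stack is created. The security settings (encryption at rest, public access blocked, read-only permissions scoped to that one bucket) are codified in the template rather than applied by hand afterwards. The logical names DataBucket and ReaderRole, and the choice of a Lambda function as the role's principal, are assumptions made for the example.

```yaml
# Added example template (not from the book): orchestrating two related
# resources with their security settings declared up front.
AWSTemplateFormatVersion: "2010-09-09"
Description: Private encrypted bucket plus a least-privilege reader role (example)

Resources:
  # The data store. Encryption at rest and a full public-access block are
  # part of the definition, so every stack built from this template gets them.
  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled

  # A role that can only read from the bucket above. The bucket ARN is
  # resolved by CloudFormation at deploy time, which also makes the role
  # depend on the bucket, so the two are created in the right order.
  ReaderRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com   # assumed consumer of the role
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadDataBucketOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "${DataBucket.Arn}/*"
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !GetAtt DataBucket.Arn

Outputs:
  BucketName:
    Description: Name of the bucket created by this stack
    Value: !Ref DataBucket
  ReaderRoleArn:
    Description: ARN of the read-only role
    Value: !GetAtt ReaderRole.Arn
```

      The template is deployed with the AWS CLI, for example `aws cloudformation deploy --template-file example.yaml --stack-name example --capabilities CAPABILITY_IAM` (the capability flag is required because the stack creates an IAM role). Deleting the stack removes both resources together, which is the other half of orchestration: the pieces are managed as one unit. Note that this orchestrates resources within a single provider only; tying AWS resources to, say, Azure or IBM Cloud resources in the same workflow needs a vendor-neutral tool, which is exactly the integration gap the preceding paragraph warns about.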

      The purpose of a reference architecture (RA) is to allow a wide variety of cloud vendors and services to be interoperable. An RA creates a framework or mapping of cloud computing activities and cloud capabilities that allows the services of different vendors to be mapped to one another and potentially work together more seamlessly. An analogous approach is the seven-layer Open Systems Interconnection (OSI) model of networking, which is used to discuss many networking protocols in common terms. As companies engage with a wide variety of cloud solutions from multiple vendors, interoperability is becoming more important, and a reference architecture helps make it happen more easily.

      The National Institute of Standards and Technology (NIST) provides a cloud computing reference architecture in SP 500-292, as do other organizations. Some models, such as NIST's, are role based. Other RAs, such as the IBM conceptual reference model, are layer based. The NIST RA is intended to be vendor neutral and defines five roles: cloud consumer, cloud provider, cloud auditor, cloud broker, and cloud carrier.

      Cloud Computing Activities

      Cloud computing activities in an RA depend on whether the RA is role based or layer based. As an example, the role-based NIST RA will be used to describe cloud computing activities. A similar description could be made for a layer-based model. In a role-based RA, cloud computing activities are the activities of each of the roles. The NIST model includes five roles, with the following types of activities:

       Cloud consumer: The procurement and use of cloud services. This involves reviewing available services, requesting services, setting up accounts and executing contracts, and using the service. What the activities consist of depends on the cloud service model. For a SaaS consumer, the activities are typical end-user activities such as email, social networks, and collaboration tools. The activities of a PaaS customer center on development, business intelligence, and application deployment. IaaS customers focus on activities such as business continuity and disaster recovery, storage, and compute.

       Cloud provider: The entity that makes a service available. Its activities include service deployment, orchestration, and management, as well as security and privacy.

       Cloud auditor: An entity capable of independent examination and evaluation of cloud service controls. Its activities are especially important for entities with contractual or regulatory compliance obligations. Audits are usually focused on compliance, security, or privacy.

       Cloud broker: This entity is involved in three primary activities: aggregation of services from one or several CSPs, integration with existing infrastructure (cloud and noncloud), and customization of services.

       Cloud carrier: The entity that provides the network or telecommunication connectivity that permits the delivery and use of cloud services.

      Cloud Service Capabilities

      Capability types are another way to look at cloud service models. In this view, we look at the capabilities provided by each model. The three service models are SaaS, PaaS, and IaaS. Each provides a different level and type of service to the customer. The shared security responsibilities differ for each type as well: the customer's share of the security work is smallest with SaaS and grows through PaaS to IaaS, where the customer controls everything from the operating system up.

      Application Capability Types

      Application capabilities include the ability to access an application over the network from multiple devices and from multiple locations. Application access may be made through a web interface, through a thin client, or in some other manner. As the application and data are stored in the cloud, the same data is available to a user from whichever device they connect from. Depending on the end user's device, the interface may look different.

      Users do not have the capability to control or modify the underlying cloud infrastructure, although they may be able to customize their interface to the cloud solution. What the user gets is a consistent experience whether working on a laptop or a phone. The organization does not have to be concerned with the different types of endpoints in use in the organization (as it relates to cloud service access). Supporting all of the different types of devices is the responsibility of the application service provider.

      Platform Capability Types

      A platform provides the capability to develop and deploy solutions through the cloud. These solutions may be developed with the available tools, they may be acquired solutions that are delivered through the cloud, or they may be solutions that are acquired and customized prior to delivery. The user of a platform service may modify the solutions they deploy, particularly the ones they develop and customize. However, the user has no capability to modify the underlying infrastructure.

      Infrastructure Capability Types

      An infrastructure customer cannot control the underlying hardware or the provider's virtualization layer, but has control over the operating system, the installed tools, the solutions installed, and the provisioning of compute, storage, network, and other computing resources.

      This capability provides the customer with the ability to spin up an environment quickly. The environment may be needed for only hours or days. The parent organization does not have to purchase the hardware or physical space for this infrastructure, or pay for its setup and continuing maintenance, whether the need is a usage spike, a temporary project, or a regular cycle of use.

      Cloud Service Categories

      There are three primary cloud service categories: SaaS, PaaS, and IaaS. In addition, other service categories are sometimes suggested, such as storage as a service (STaaS), database as a service (DBaaS), and even everything as a service (XaaS). However, these can be described in terms of the three basic types and have not caught on in common usage. They are most often used