# CCSP Exam Cram - DOMAIN 3 (2023)

https://www.youtube.com/watch?v=s99QazL9Smo

[00:01] welcome to domain three of the ccsp exam.
[00:03] cram series 2023 Edition covering every topic mentioned in the official exam syllabus for domain three of the ccsp exam.
[00:12] as a cyber security strategist in a VC so for Regional Bank I can tell you firsthand you're going to use the skills that you learn in the ccsp exam prep series every day of your cyber security career and more importantly last year I helped hundreds of thousands achieve cyber security certifications like Security Plus cissp and now I'm bringing that same formula to the ccsp exam.
[00:36] this installment represents the third video in the series of six one for each domain of the ccsp exam.
[00:45] when we wrap the series I'll release a Consolidated full course video.
[00:51] domain 3 focuses on cloud platform and infrastructure security and as always I recommend the ccsp offici exam study guide from Cybex which includes a
[01:03] practice questions a couple of practice exams and some flashcards to help in your study and you can find the link to the least expensive version out on amazon.com in the video description.
[01:19] and to help in your preparation a PDF copy of this presentation is available in the video description.
[01:23] I've also included a clickable table of content in the video description so you can jump forward and back in the video as you need so let's get into domain three Cloud platform and infrastructure security.
[01:38] as always I will cover every topic mentioned in the official exam syllabus.
[01:43] I'll also provide examples of Concepts wherever I can to give you some additional context and as in domain 2 I'll also do a bit of showand tell in a real Cloud environment.
[01:51] again the ccsp is CSP agnostic it doesn't focus on any onecloud platform but I do find a bit of showand tell in a real environment gives you some context for those areas where maybe you don't
[02:04] Have any experience in your work life?
[02:07] Yet, so let's have a look at a few exam essentials applicable to domain three.
[02:10] Those areas the official study guide promises will factor significantly on exam day.
[02:13] We have risks associated with each type of cloud computing.
[02:15] Essentially, more services generally equals more risk.
[02:21] And more control over your environment means more risks you are responsible for mitigating.
[02:25] Goes back to that shared responsibility model we first talked about in domain one and we'll touch on here again in this session in multiple respects.
[02:33] Explain key business continuity terms like RTO, RPO, and RSL.
[02:38] If you are not familiar with these acronyms, you will be by the time we're done with this session.
[02:41] These are key concepts that help set the bar for your business continuity plan and disaster recovery plan requirements.
[02:44] Responsibility sharing between customer and provider.
[02:53] So essentially, who is responsible, customer or CSP, in each area of cloud?
[03:06] infrastructure we'll talk about design and description of a secure data center.
[03:12] we'll look at the build versus buy decision physical and environment design considerations and the pros and cons in each area.
[03:18] business continuity and Disaster Recovery in the cloud that's similar to on premises but there's certainly more complexity in the agreements between the cloud customer and the cloud service provider.
[03:31] I will add that these exam Essentials are my rough mapping from the official study guide because the fact that the matter is the exam Essentials and the book chapters themselves in the official study guide do not map one to one to exam domains.
[03:43] you'll notice there are more than six chapters in the book because some domains are covered in part across each of multiple chapters.
[03:50] so let's jump into 3.1 comprehend Cloud infrastructure and platform component.
[03:59] we'll touch on several areas of infrastructure and platform here including physical environment Network and Communications compute.
[04:07] virtualization storage and the management plane.
[04:09] Now in the shared responsibility model customer and CSP share security responsibilities.
[04:16] So in each area we will review responsibilities and security controls and who owns them.
[04:23] So you can imagine in a cloud scenario we'll talk a bit less about the physical environment.
[04:28] Because that physical data center is entirely the domain of the cloud service provider.
[04:33] We will talk about how you can do your due diligence on ensuring that your cloud service provider is designing and managing that data center effectively.
[04:43] So let's start with a talk about the physical environment.
[04:47] So there are infrastructure components that are common to all cloud service delivery models.
[04:51] Most of those components are physically located with the CSP but many are also accessible via the network.
[04:59] So the CSP is is taking on customer data center facilities infrastructure and management responsibilities.
[05:03] They are responsible for the physical by and
[05:07] large in the shared responsibility model.
[05:09] though we know some elements of operation are shared by the CSP and the customer.
[05:13] just a reminder for the exam.
[05:15] you want to know who owns Which roles.
[05:17] who is responsible for What from that shared responsibility model.
[05:22] so if we think about it from a physical perspective the CSP owns all aspects of physical security in their data centers.
[05:29] they own it down to the wire the facilities the equipment the environment and the Personnel that care for that physical infrastructure.
[05:39] but the csps utilize common controls to address these risks.
[05:43] so for physical security standard measures like locks security Personnel lights fences and visitor check-in procedures just as we do in our own data center.
[05:53] logical access controls like identity and access management single sign on multiactor authentic ation and logging.
[06:00] so they have an audit Trail and controls for data confidentiality and integrity just as any Cloud customer would but with much broader controls so
[06:09] let's look at what I mean by broader controls in the form of an example so
[06:13] for example ensuring that communication lines are not physically compromised by locating telecommunications equipment inside a controlled area of the csp's building or campus so
[06:23] physical security that would be broader control it protects data integrity and and service and resource availability for that matter so
[06:32] let's move on to network and communication we'll start with IAS where we know the customer is responsible for configuring VMS the virtual Network and guest OS security but the CSP is responsible for the physical host physical storage and the physical Network
[06:49] moving into platform as a service the CSP is responsible for the physical components the internal Network and the tools it's cheaper for the customer but the customer has less control if you remember that diagram in the SAS model the customer remains responsible for configuring access to the cloud service for their users as
[07:10] well as shared responsibility for data recovery.
[07:13] the CSP owns physical infrastructure as well as Network and communication security.
[07:19] so let's break it down another way.
[07:22] so if we just look at those three models we'll look at is first where we know that the customer is responsible for configuring the VMS the virtual Network and the guest OS security as if the systems were on premises.
[07:35] the CSP provides the tooling to secure the VM but the customer must configure those tools.
[07:44] and the CSP is responsible for configuring the security of the network the storage and the software for the physical host.
[07:50] the CSP owns all physical security.
[07:55] here moving into PA where we know that the CSP is responsible for everything from the is model all the physical components.
[08:02] they are also responsible for internal Network and tooling.
[08:07] the customer is responsible for configuring the application and data.
[08:11] access security any additional customer control is generally provided through service SKS or service tiers.
[08:19] and what I mean by that for example in a path web application uh context for example you'll find some service tiers may give a customer their own physical host or access to greater compute capacity.
[08:33] but they have to spend to get that greater control in the form of a different service tier within that past service.
[08:39] so moving on to software as a service where the customer remains responsible for configuring use access to the service they are configuring access control for their users.
[08:50] the customer also has shared responsibility for data recovery.
[08:55] now what do I mean by that well the CSP May provide tools for recovery but the customer may need to perform recovery themselves in some cases.
[09:05] perfect example in Office 365 users have access to hundreds of previous versions of a document.
[09:13] available for selfservice Recovery right there from within Microsoft Word or PowerPoint
[09:17] but the user must perform that recovery themselves
[09:21] next we have compute the infrastructure components that deliver compute resources like our VMS disk process memory and network resources for customers
[09:31] so how does the CSP manage compute capacity
[09:34] well reservation is one way a minimum resource that's guaranteed to a customer you'll see that in the form of a VM skew for example
[09:44] limits maximum utilization of compute Resources by a customer that's handled through a VM skew
[09:48] we can set a minimum and a maximum limits are allowed to change dynamically based on current conditions and consumption remembering that a CSP is going to over subscribe their infrastructure by Design
[10:03] and shares a waiting given to a particular VM used to calculate percentage based access to pooled resources where there's contention and you'll even see VM SKS that allow us to select a lesser skew at
[10:16] a lesser price for non-production workloads where we know we're going to be deprioritized in times of contention.
[10:22] but we pay less for that resource over the course of the month as we're paying for that subscription.
[10:27] in in case of a shortage though host scoring will determine who gets capacity generally speaking.
[10:33] but what we see in those VM SKS is that we can choose inexpensive SKS that get deprioritized and have low resource limits or expensive VM SKS that give us very high resource guarantees.
[10:46] so in each delivery and service model the CSP remains responsible for the maintenance and the security of the physical components of compute.
[10:54] they are dealing with that physical host and that physical storage and that physical Network.
[11:00] the customer remains largely responsible for their data and their users.
[11:04] but between the physical component there can be quite an array of software and other components.
[11:09] so who is responsible for each of these remaining parts varies by service and delivery model and sometimes by the CSP.
[11:19] detail should be spelled out in the contract and you want to be familiar before you enter into a production workload scenario the CSP also deals with the challenge of multi-tenant and we could argue that customers deal with multi-tenancy in their own private clouds but those multi-tenant customers are all internal customers generally speaking where the CSP is dealing with external customers with signed contracts so it's certainly a stickier situation.
[11:45] let's shift gears and talk about virtualization responsibilities and risks.
[11:49] so the security of the hypervisor is always the responsibility of the CSP.
[11:53] the virtual Network and the virtual machine may be the responsibility of either the CSP or the customer.
[12:00] it depends on the cloud service model and there are risks associated with virtualization you should be familiar with a flawed hypervisor for example can facilitate inter VM attacks.
[12:14] Network traffic between VMS is not necessarily visible.
[12:16] So Bad actors posing as customers could certainly carry out
[12:21] attacks of their own if we don't have the right network controls in place.
[12:26] resource availability for VMS can be impacted.
[12:28] now we talked about how the CSP can prioritize resource allocation but we still have that lingering worry about noisy neighbors.
[12:37] those neighbors that are sharing our physical infrastructure and always consuming maximum capacity and VMS and their dis images are simply files they can be portable and movable.
[12:48] so if the CSP doesn't have the right controls in place we could fall prey to a different sort of malicious Insider attack.
[12:56] if they don't have their own separation of Duties and act controls in place to limit access to those files.
[13:05] so let's talk through security recommendations for the hypervisor.
[13:09] installing updates to the hypervisor as they're released by the vendor of course.
[13:13] restricting administrative access to the management interfaces of the hypervisor capabilities to monitor the security of activity occurring between
[13:23] guest operating systems the VMS essentially and then security recommendation for the guest OS.
[13:30] so again installing all updates to the guest OS promptly backing up virtual drives used by the guest OS on a regular basis.
[13:38] those hypervisor recommendations are all the responsibility of the CSP.
[13:45] the security recommendations for the guest os are customer responsibility though the CSP May provide tools to facilitate ease of patching and backups.
[13:53] so the csp's hypervisor security includes preventing physical access to the servers.
[14:00] limiting both local and remote access to the hypervisor and the virtual Network between the hypervisor and the VM is also a potential attack surface.
[14:11] responsibility for security in this layer is often shared between the CSP and the customer.
[14:17] these components include the virtual Network virtual switches virtual firewalls virtual IP addresses the responsibility is going to
[14:23] vary by model whether it's IAS Pas or SAS.
[14:27] and when I say hypervisor in this case just to make sure we're Crystal Clear.
[14:29] we talked in domain one about the hypervisor types.
[14:33] we have the type one which is the bare metal hypervisor.
[14:34] that's VMware esxi Microsoft hyperv KVM dedicated host no operating system in the middle.
[14:43] whereas a type two hypervisor is hosted on a guest operating system.
[14:49] that would be VMware Workstation Oracle virtual box.
[14:51] so type one is that production scenario hypervisor.
[14:54] type two is much more common in development and test scenarios.
[15:00] so we're always talking about a type one hypervisor in this case.
[15:05] and again the CSP is always responsible for security of that physical host and the hypervisor running there.
[15:11] now there is a virtualization focused attack called out in both the official study guide and the common body of knowledge I wanted to mention.
[15:18] and that's VM escape.
[15:21] this is where an attacker gains access to a VM and then attacks either the host.
[15:25] machine that holds all the VMS the hypervisor or any of the other VMS or a malicious user breaks the isolation between VMS running on a hypervisor by gaining access outside their VM.
[15:36] Now VM Escape is generally preventable.
[15:40] One protection would be ensuring patches on the hypervisor and VMS are always up to date.
[15:46] We do know that the CSP is responsible for patching that hypervisor.
[15:48] Who's responsible for the VM depends on the model.
[15:52] We know that the customer is responsible in the IS model for patching and backing up their VM.
[16:00] The CSP can also ensure guest privileges are low.
[16:02] They have server level redundancy in place as well as host-based intrusion prevention and detection.
[16:09] So let's shift gears and talk about storage.
[16:12] So cloud storage has a number of potential security issues.
[16:17] Various types of cloud storage are discussed in domain one.
[16:18] We're going to touch on some of the highlights here in terms of risk.
[16:21] So data spends most of its life at rest.
[16:24] So understanding who is
[16:26] responsible for securing cloud storage.
[16:29] is very important now CSP.
[16:31] responsibilities include physical protection of data centers and the storage infrastructure they contain.
[16:37] security patches and maintenance of the underlying data storage Technologies and other data services they provide on the customer side.
[16:44] properly configuring and using the storage tools.
[16:50] we know that sometimes the CSP is responsible for giving us tools potentially but the customer must configure and use those tools and then logical security and privacy of data they store in the CSP's environment.
[17:03] so I want to unpack customer responsibilities a bit further.
[17:07] I mentioned CSPs often provide a set of controls and configuration options customers can use to secure the use of their storage platforms but they may need to make some specific configurations beyond the default.
[17:21] so the customer is going to be responsible for assessing the adequacy of these controls and properly configuring and using the.
[17:27] available controls ACC over public internet VPN or internal networks.
[17:32] for example as I actually showed you in domain 2 in the world of cloud storage.
[17:38] when we're looking at a storage account.
[17:43] your CSPS often give you the ability to block internet access altogether to force TLS security for data in transit and to limit access from internal networks.
[17:53] but you have to use those controls as a customer ensuring adequate protection for data at rest in motion is based on the the capabilities offered by the CSP feature configuration.
[18:04] Key Management would even be a customer concern if the the customer is managing their own keys and configuring secure access whether that's private or public.
[18:15] at the end of the day when you're looking at a cloud service provider's storage account they've issued to you the data is generally going to be encrypted at the account level at rest.
[18:25] but you have a number of additional configuration options to restrict access.
[18:28] but the bottom line here is in the cloud
[18:30] the customer loses some control over storage
[18:33] they lose control of the physical medium where the data is stored
[18:36] but they retain responsibility for data security and privacy
[18:39] so how can customers deal with their challenges and responsibilities without control of the physical storage medium
[18:46] because after all the inability to securely wipe physical storage and the possibility of another tenant being allocated the same previously allocated physical storage space is a definite concern
[18:58] our logical storage account sits on a physical storage medium somewhere and the customer retains responsibility for secure deletion in spite of that lack of control over the physical medium
[19:09] and that's where compensating controls come into play
[19:14] for example only storing data in an encrypted format as we saw in domain 2 in some of our show Andel the cloud storage account was encrypted by default
[19:26] we had the option to add another
[19:30] layer of encryption called double encryption and a customer can choose to retain control of the keys needed to decrypt the data so not allowing the cloud service provider to hold those keys together.
[19:42] these permit crypto shredding when data is no longer needed rendering any recoverable fragments useless so let's talk about the management plane.
[19:53] so what is the management plane exactly well it provides the tools the web interface and the apis necessary to configure Monitor and control your Cloud environment.
[20:05] it provides virtual management options equivalent to the physical Administration options a legacy data center would provide so we can power VMS on and off provision new VM resources migrate VMS just as a few examples.
[20:19] you interact with the management plane through tools including the csps cloud portal Powershell or other command line or even client sdks now this is is separate from and it works with the control plane and the
[20:31] data plane so let's talk about these two
[20:33] for just a moment the control plane is
[20:36] what you're calling when you create top
[20:38] level cloud resources such as with arm
[20:41] or bicep and Azure cloud formation and
[20:44] AWS or even terraform infrastructur is
[20:47] code is what I'm talking about here and
[20:49] the data plane performs operations on
[20:51] resources created through that control
[20:53] plane essentially management plane
[20:56] control equals environment control so
[20:58] let's talk talk about securing the
[20:59] management plane so the key interfaces
[21:02] we're worried about include the cloud
[21:04] portal the main web interface for the
[21:06] CSP platform the Azure portal AWS
[21:09] Management console the Google Cloud
[21:11] console from a scheduling perspective
[21:13] our ability to stop or start resources
[21:15] at a scheduled time we have tools
[21:18] available like the instant scheduler or
[21:20] Lambda in AWS Azure automation or Azure
[21:23] functions on the Microsoft platform and
[21:26] then orchestration automating processes
[21:28] to manage resources services workloads
[21:31] and infrastructure as code deployments
[21:33] cloud formation in AWS as your Dev Ops
[21:37] on the Microsoft platform Cloud build in
[21:40] Google Cloud platform and then we have
[21:43] our maintenance functions updating
[21:45] upgrading security patching Etc we can
[21:47] secure all of the above in the same
[21:49] fashion across these platforms we secure
[21:52] management plane interfaces with
[21:54] multiactor authentication ro-based
[21:56] access control and rooll manag agement
[21:59] next up is 3.2 design a secure data
[22:02] center here we'll talk through logical
[22:05] Design Elements like tenant partitioning
[22:07] and access control physical Design
[22:10] Elements like location selection and the
[22:12] build or buy decision environmental
[22:15] design heating ventilation and air
[22:17] conditioning and multivendor pathway and
[22:20] then what the syllabus calls design
[22:22] resilient so building resiliency into
[22:24] design and since the CSP is responsible
[22:27] for design of of the physical data
[22:29] center we'll talk about how customers
[22:32] can do their due diligence to ensure
[22:34] that the csp's physical data center
[22:37] design decisions are
[22:39] adequate so we'll start with logical
[22:41] design where I expect more Focus will be
[22:43] given on the exam and The Logical design
[22:46] of a data center is an abstraction in
[22:49] the now Legacy collocation scenario
[22:51] customers were separated at the server
[22:54] Rack or cage level so it's a physical
[22:56] isolation in a logic iCal data center
[22:59] designed in the cloud customers utilize
[23:01] software and services provided by the
[23:05] CSP and The Logical design of the cloud
[23:08] infrastructure should create tenant
[23:10] partitioning or isolation limit and
[23:12] secure remote
[23:13] access monitor the cloud infrastructure
[23:17] and allow for the patching and updating
[23:19] of systems the ccsp exam focuses largely
[23:22] on tenant partitioning and access
[23:24] control which are called out in the
[23:25] syllabus so we'll take a look at both of
[23:28] those
[23:30] so in the cloud logical isolation and
[23:32] CSP multi- teny makes cloud computing
[23:34] more affordable but it creates some
[23:36] security and privacy concerns in the
[23:38] process if isolation between tenants is
[23:40] breached customer data is at
[23:43] risk multi-tenancy is a concept that was
[23:46] developed decades ago though business
[23:48] centers physically housed multiple
[23:50] tenants collocation data centers
[23:52] supported multiple customers but their
[23:55] isolation was in many respects physical
[23:58] and the risk in these scenarios is
[23:59] largely physical it's a server Rack or
[24:02] cage isolation and the public Cloud
[24:04] tenant partitioning is largely logical
[24:07] customers are sharing capacity across
[24:09] the CSP data center including the
[24:11] physical components CSP and tenant share
[24:14] responsibility for implementing and
[24:16] enforcing controls that address the
[24:18] unique multi-tenant risks of the public
[24:20] cloud in this scenario access control is
[24:23] a primary if not the primary concern a
[24:27] single point of access certainly makes
[24:29] Access Control simpler it facilitates
[24:31] monitoring through an audit Trail but
[24:34] any single point can become a failure
[24:36] Point as well in the hybrid Cloud which
[24:38] is very common in large organizations a
[24:41] single login for on premises and Cloud
[24:44] can simplify identity and access
[24:46] management a very common identity model
[24:48] one method of Access Control is to
[24:50] Federate a customer's existing identity
[24:52] and access management system with their
[24:55] CSP tenant another method is to
[24:57] facilitate ident ID and access
[24:59] management between cloud and on premises
[25:01] using identity as a service a couple of
[25:05] examples of identity as a service would
[25:06] be Azure active directory used in Office
[25:09] 365 or Google's Cloud identity used with
[25:12] Google
[25:13] workspace there are multiple local and
[25:16] remote access controls available
[25:18] including remote desktop protocol the
[25:20] native access protocol for Windows
[25:22] operating systems as well as secure
[25:24] shell which is the native remote access
[25:26] protocol for Linux and Unix operating
[25:28] systems and very common for Remote
[25:30] Management of network devices as well
[25:33] and RDP and SSH both support encryption
[25:36] and MFA in their modern versions now
[25:38] secure terminal or console-based access
[25:40] is a system for secure local access in
[25:44] the Legacy collocation scenario we would
[25:47] commonly see a keyboard video mouse or
[25:49] KVM system with access controls to limit
[25:53] console access in a scenario where
[25:55] multiple customers have physical servers
[25:57] in a sing single shared rack you could
[25:59] actually rent rack space without
[26:01] committing to a full rack and that would
[26:04] be coupled with oversight from the Colo
[26:07] data center staff to ensure that one
[26:08] customer didn't touch another customer's
[26:11] physical server in that rack jump boxes
[26:15] a Bastion host at the boundary of lower
[26:17] and higher security zones your csps
[26:20] offer this as a service in some cases we
[26:22] have Azure Bastion and AWS Transit
[26:25] Gateway as a couple of very popular
[26:27] examples virtual clients software tools
[26:29] that allow remote connection to a VM for
[26:31] use as if it is your local machine
[26:34] virtual desktop infrastructure or vdi
[26:36] for contractors is very common in this
[26:40] scenario so let's take a look at
[26:42] physical design starting with the build
[26:44] versus buy decision building your own
[26:46] data center from scratch and buying an
[26:48] existing facility each have their
[26:50] advantages and disadvantages so let's
[26:52] compare build versus buy build requires
[26:55] significant investment to build a robust
[26:58] day data center that has the resiliency
[26:59] we need buying that capability is
[27:02] generally a lower cost of Entry
[27:04] especially in a shared scenario the
[27:07] build option offers the most control
[27:09] over data center design so buy has less
[27:12] flexibility and service design because
[27:14] it's limited to what the provider offers
[27:17] the build option requires knowledge and
[27:19] skill to match the quality of the buy
[27:22] option in the buy scenario we know
[27:24] someone with a high level of skill
[27:27] generally speaking is designing that
[27:28] data center shared Data Centers do come
[27:31] though with additional security
[27:33] challenges the fact of the matter is
[27:35] csps offer many advantages of the build
[27:38] option at a Buy price tag customers can
[27:40] leverage the csp's experience to get
[27:43] that build level quality and near build
[27:45] level flexibility but at a buy cost of
[27:48] Entry so in physical design location
[27:51] selection is one of the first decisions
[27:53] so availability of affordable stable
[27:55] resilient electricity is important
[27:58] natural disaster exposure needs to be
[28:00] considered are we exposed to flood
[28:02] hurricane tornadoes availability of
[28:05] high-speed redundant internet
[28:06] connectivity as well as other utilities
[28:09] add say propane natural gas and Diesel
[28:13] to run your
[28:14] generators physical sight security so
[28:17] securing against vehicular approaches
[28:19] ballards Gates
[28:22] visibility location relative to existing
[28:24] customer data centers so business
[28:26] continuity disaster recovery
[28:28] considerations and geographic location
[28:31] relative to customers and when you move
[28:34] to the public Cloud most of these are
[28:35] CSP decisions a customer just chooses
[28:39] which CSP Regions they're going to
[28:41] reside
[28:42] in and you need to know the challenges
[28:45] of physical security belong to the
[28:47] CSP a strong fence line of sufficient
[28:50] height and construction lighting of
[28:53] facility perimeter and entrances video
[28:55] monitoring and alerting electronic monit
[28:58] in for
[28:59] tampering visitor access procedures so
[29:01] guest access for example with controlled
[29:04] entry points interior access controls
[29:07] badges key codes secured doors fire
[29:09] detection and prevention protection of
[29:12] sensitive asset Systems wiring closets
[29:16] Etc due to its Cloud Focus the ccsp exam
[29:19] spends little time on physical security
[29:22] but focuses more on the aspects of
[29:24] logical security and design it is a fact
[29:28] that there is no security without
[29:30] physical security but in the cloud this
[29:33] is a CSP responsibility I will a bit
[29:36] later in this session though show you
[29:38] how you can verify that your CSP has
[29:41] taken the appropriate steps to build
[29:44] excellent physical security into their
[29:46] data center
[29:48] design now you may see questions on the
[29:50] exam around the data center tier
[29:52] standard which lays out a four tier
[29:54] standard for data center availability
[29:57] and uptime
[29:58] and redundancy so availability and
[30:01] uptime are often used interchangeably
[30:03] there is actually a difference uptime
[30:05] simply measures the amount of time a
[30:07] system is running availability
[30:09] encompasses availability of the
[30:10] infrastructure the applications and the
[30:13] services that are hosted it's generally
[30:15] expressed as a number of NES such as 59
[30:19] 99.999% availability it should be
[30:22] measured by the cloud customer to ensure
[30:25] the CSP is meeting their SLA obligations
[30:28] these tiers come from a company called
[30:31] The uptime Institute this is an
[30:33] organization that publishes
[30:34] specifications for physical and
[30:36] environmental redundancy expressed in
[30:38] these four tiers that organizations can
[30:40] Implement to achieve High availability
[30:43] so let's take a look at each of these
[30:45] tiers starting with tier one which is
[30:47] basic site infrastructure this involves
[30:50] no redundancy and the most amount of
[30:52] downtime in the event of unplanned
[30:53] maintenance or an interruption it must
[30:56] have a UPS and uninterruptible power
[30:59] supply that can handle brief power
[31:00] outages as well as sags and spikes in
[31:03] power it must have dedicated cooling
[31:06] equipment that can run 24/7 and a
[31:08] generator to handle extended power
[31:11] outages the expected availability of
[31:14] Tier 1 is
[31:16] 99.67 1% moving into tier two we have
[31:19] redundant sight infrastructure this
[31:21] provides partial redundancy meaning an
[31:23] unplanned Interruption will not
[31:25] necessarily cause an outage it add adds
[31:28] redundant components for important
[31:29] Cooling and Power Systems facilities
[31:32] must also have the ability to store
[31:34] additional fuel to support the generator
[31:37] and it's expected to provide
[31:40] 99.74%
[31:42] availability tier three concurrently
[31:44] maintainable site infrastructure adds
[31:47] even more redundant components it has a
[31:49] major advantage in that it never needs
[31:51] to be shut down for maintenance enough
[31:54] redundant components that any component
[31:56] can be taken offline for maintenance and
[31:59] the data center continues to run it's
[32:02] expected to provide
[32:03] 99.98 2% availability and then finally
[32:07] we have tier four fault tolerance site
[32:09] infrastructure which can withstand
[32:11] either planned or unplanned activity
[32:14] without affecting availability this is
[32:16] achieved by eliminating all single
[32:18] points of failure and it requires fully
[32:21] redundant infrastructure including dual
[32:23] commercial power feeds dual backup
[32:25] generators and is expected to provide
[32:30] 99.995%
[32:31] availability heating ventilation and air
[32:34] conditioning or HVAC is also a concern
[32:36] because an HVAC failure can reduce
[32:38] availability of computing resources just
[32:40] like a power failure customer reviews of
[32:43] a CSP should include review of the
[32:45] adequacy and redundancy of their HVAC
[32:49] systems now I mentioned that the
[32:52] physical aspects of security and the
[32:54] physical aspects of data center design
[32:56] belong to the CSP but also that I'd show
[32:59] you a way that as a customer on behalf
[33:01] of your customers you can validate you
[33:04] can do some due diligence to ensure that
[33:06] CSP has made good decisions in their
[33:08] data center design and one of those
[33:11] documents is the sock 2 type 2 report
[33:16] now because of the confidential
[33:17] information in a sock 2 type 2 report
[33:20] some csps will require a non-disclosure
[33:23] agreement prior to sharing or at least
[33:25] that you are a customer
[33:27] and a routine review of the most current
[33:30] sock 2 report is a critical part of a
[33:32] customer's due diligence in evaluating
[33:35] csps so let's unpack that sock 2 type 2
[33:38] report what is that
[33:40] exactly it is part of the statements on
[33:43] standards for attestation engagements
[33:45] which is a set of auditing standards
[33:48] issued by the American Institute of
[33:49] certified public
[33:52] accountants and ssa1 18 is an audit
[33:55] standard that enhances the quality and
[33:57] the useful of system and organization
[33:59] control or sock reports so they're
[34:02] designed for larger organizations like
[34:04] Cloud providers because the cost of a
[34:06] type two report can run $30,000 or more
[34:08] they're not
[34:10] inexpensive now the sock type 1 report
[34:13] assesses the design of a security
[34:15] process at a specific point in time so
[34:17] it's looking at your processes at a
[34:19] point in time a snapshot sock type two
[34:22] on the other hand assesses how effective
[34:23] those controls are over time by
[34:26] observing operations
[34:28] for 6 months and it is that type two
[34:31] report that we're interested in so what
[34:33] I'd like to do now just to give you some
[34:34] context is show you how to retrieve a
[34:37] sock 2 type 2 report from a
[34:40] CSP and we'll start with Microsoft I'm
[34:43] here at servic trust. microsoft.com
[34:46] their servic trust portal and you'll
[34:48] notice here under certifications
[34:50] regulations and standards they show us
[34:53] some of the certifications with which
[34:56] Microsoft Azure and other cloud services
[34:58] Microsoft offers comply I'll click on
[35:01] all documents which takes me to the list
[35:05] of documents that I can retrieve related
[35:08] to certifications and if I go down the
[35:10] list way down here under sock I will
[35:13] find a number of sock type two reports
[35:17] so you see there is a sock one here's a
[35:20] sock two type one sock 2 type two and if
[35:25] I just click on one of these what you'll
[35:26] find I mentioned these
[35:28] are available but often considered
[35:31] sensitive if I click this to download
[35:34] you notice here I'm prompted to
[35:36] authenticate you must be a customer and
[35:38] incidentally if you sign in and go a
[35:40] couple of steps further you'll be
[35:41] prompted to agree to an NDA now I've
[35:44] pulled up one of these reports just so
[35:47] you can see what you get it's a PDF that
[35:49] goes line by line through the sock
[35:53] requirements with those details so out
[35:55] of respect for that NDA I'll stop there
[35:58] and I'm going to just mention that AWS
[36:01] similar path to get that sock 2 type 2
[36:04] report you'll see here they post on
[36:06] their blog when those reports are
[36:08] available and it mentions we can go to
[36:11] the AWS customer uh portal the AWS
[36:14] artifact in the AWS Management console
[36:19] and in fact that will prompt us for
[36:21] authentication and we'll get to those
[36:24] reports so fairly similar and and
[36:27] another area we need to be concerned
[36:30] with is multivendor
[36:32] pathway
[36:34] connectivity as another element of
[36:36] environment design so connectivity to
[36:39] data center locations from more than one
[36:41] internet service provider is what we
[36:43] call multivendor Pathway connectivity
[36:45] using multiple vendors as a proactive
[36:47] way for csps to mitigate the risk of
[36:49] losing network connectivity and a best
[36:52] practice for csps or data centers is
[36:54] dual entry dual provider for high
[36:57] availab ility that means two providers
[36:59] entering the building from separate
[37:02] locations and likewise customers should
[37:04] consider multiple paths for
[37:05] communicating with their Cloud vendor so
[37:07] if a customer has sight tosite
[37:09] connectivity with a VPN building some
[37:11] redundancy into that
[37:13] connectivity in the end this protects
[37:16] availability whether we're talking about
[37:18] the CSP and their two providers two
[37:20] paths or that customer to CSP
[37:23] connectivity and finishing out 3.2
[37:26] design resilient so resilient designs
[37:28] are engineered to respond positively to
[37:31] changes or disturbances like natural
[37:33] disasters or even madade disturbances
[37:36] for that
[37:37] matter a few examples of resilient
[37:39] design High availability firewalls
[37:42] whether that's active passive or active
[37:44] active multivendor pathway connectivity
[37:47] that we just spoke about a web server
[37:49] Farm behind redundant load balancers a
[37:51] database cluster like a Windows or a
[37:53] Linux cluster feature service level
[37:56] resiliency requires a identifying single
[37:58] points of failure throughout a service
[38:00] chain so if we're thinking about an iner
[38:03] application resilient design means we're
[38:05] looking at the application layer any
[38:08] middleware at the data tier on the back
[38:11] end and thinking about resiliency in the
[38:14] systems and Facilities that surround
[38:16] that application's service
[38:19] chain and that brings us to section 3.3
[38:22] analyze risks associated with Cloud
[38:24] infrastructure and platforms here we'll
[38:27] talk about risk assessment identifying
[38:29] and analyzing
[38:30] risks Cloud vulnerabilities threats and
[38:33] attacks and we'll finish up section 3.3
[38:35] with a look at risk mitigation
[38:38] strategies so risk management on the
[38:41] whole is so important because it's the
[38:43] practice of mitigating and managing the
[38:45] risks to our sensitive data and to our
[38:49] business critical systems careful
[38:51] selection of csps as important as is
[38:54] development of service level agreements
[38:56] and our contractual agreement so when we
[38:58] look at the cloud the service level slas
[39:02] are pretty well established we do have a
[39:03] responsibility as a customer to make
[39:06] sure that we Monitor and hold our CSP to
[39:10] account but slas can also Factor when we
[39:12] think about vendors in our supply chain
[39:15] for example organizations can balance
[39:18] cost savings with Risk by building a
[39:20] system on top of IAS or PAs rather than
[39:22] utilizing a SAS
[39:24] solution bearing in mind that if we go
[39:27] that iaz route as a customer IAS means
[39:30] more control more responsibilities and
[39:32] ultimately more risks that are our
[39:34] responsibility to mitigate and
[39:37] manage customers need to be proactive in
[39:40] addressing their responsibilities under
[39:42] the shared responsibility model and
[39:44] making sure that their CSP does the same
[39:47] and that last point is important because
[39:49] even when a CSP cloud service of one
[39:52] form or another doesn't meet its
[39:55] mandated contractual SLA at doesn't mean
[39:57] every CSP is going to proactively give
[39:59] you a partial Credit in response to that
[40:03] SLA breach I've seen csps that have a
[40:06] major outage and they come back and
[40:07] provide a partial credit to customers
[40:09] due to the SLA failure I've seen others
[40:11] that definitely do not identifying risks
[40:15] is the first step in the risk management
[40:18] process and to identify risks we first
[40:21] need to identify the organization's
[40:23] valuable assets once we have identified
[40:26] our assets then we can ident identify
[40:27] potential causes of disruption to those
[40:30] assets there are actually some risk
[40:32] Frameworks that can provide us with
[40:36] processes and procedures and give us a
[40:38] more systematic and consistent approach
[40:42] one of those is ISO I
[40:44] 31,000 risk management guidelines
[40:46] another comes from nist SP 800-37 which
[40:50] is a guide for applying the risk
[40:52] management framework to federal
[40:54] information systems and while nist
[40:56] guidance is applicable to government
[40:58] Information Systems you're definitely
[41:00] going to find guidance in there that's
[41:01] equally applicable in commercial
[41:04] businesses I want to talk about another
[41:06] aspect of risk assessment called out in
[41:08] the official study guide and that is
[41:09] quantitative risk assessment which
[41:11] assigns a dollar value to evaluate the
[41:14] effectiveness of counter measures
[41:16] quantitative risk assessment is
[41:18] objective it ensures our controls are
[41:20] cost effective in other words that our
[41:22] counter measures are not more expensive
[41:24] than the impacts themselves and risks
[41:28] specific to Cloud environment should be
[41:30] identified when we're making a decision
[41:31] to use a cloud service we should assess
[41:33] that risk before we take that step into
[41:37] that cloud
[41:38] service and Analysis is our next step
[41:41] analyzing risks continues the
[41:42] conversation we started by asking what
[41:44] could go wrong and it seeks to answer
[41:47] two primary questions what will the
[41:49] impact be if that situation occurs if
[41:53] the potential impact is realized and
[41:57] that's what we call the single loss
[41:59] expectancy in quantitative risk
[42:01] assessments that's expressed as a dollar
[42:03] value and How likely is that impact to
[42:07] happen that's what we call our
[42:09] annualized rate of occurrence so how
[42:12] frequently is it going to occur that
[42:14] would be expressed as a decimal so for
[42:16] example an impact that happens twice a
[42:19] year has an annualized rate of
[42:20] occurrence of two an impact that happens
[42:23] once every two years has an annualized
[42:26] rate of occurrence of 0.5 and an impact
[42:30] that happens once every 5 years is
[42:34] 0.2 so by those numbers you can guess
[42:37] that a risk that happens once a year
[42:39] would have an annualized rate of
[42:41] occurrence of
[42:44] 1.0 and with these two figures with
[42:46] single loss expectancy and the
[42:48] annualized rate of occurrence we can
[42:50] calculate our annualized loss expectancy
[42:54] annualized loss expectancy is the
[42:56] possible yearly cost of all instances of
[42:58] a specific realized threat against a
[43:02] specific asset so I'd like to look at
[43:04] this with you in the form of a simple
[43:08] example and we'll at that point
[43:11] calculate our annualized loss expectancy
[43:15] the formula is single loss expectancy
[43:18] times annualized rate of occurrence
[43:21] equals annualized loss expectancy so
[43:25] let's just step through an example we
[43:26] have a scenario a tornado May strike one
[43:29] of our Branch offices once every 5 years
[43:31] causing a 30% loss to a $1 million
[43:35] building so we'll Begin by calculating
[43:38] the cost of a single occurrence so what
[43:42] will be the impact if that goes wrong
[43:44] well the single loss expectancy we
[43:46] express as a dollar value how
[43:50] significant will the loss be that's our
[43:54] exposure Factor we express that as a
[43:56] percentage
[43:57] the formula for that single loss
[43:59] expectancy is the asset value times the
[44:03] exposure
[44:05] Factor so doing the math if we have a
[44:08] million doll building we have an
[44:10] exposure factor of 30% that means we
[44:13] expect a
[44:15] $300,000 loss in a single incident so
[44:19] that's our percentage loss that exposure
[44:22] Factor so 1 million time 30%
[44:25] or3 when Express as a decimal is a
[44:29] $300,000 single loss expectancy every
[44:32] time a tornado hits that
[44:35] building now let's calculate our
[44:38] annualized cost our annualized loss
[44:40] expectancy we said our single loss
[44:42] expectancy is
[44:44] $300,000 our annualized rate of
[44:46] occurrence once every 5 years is
[44:48] expressed as a decimal as
[44:51] 0.2 so let's calculate our annualized
[44:55] loss expectancy we have the three 00,000
[44:57] single loss
[44:59] expectancy we take that times our
[45:01] annualized rate of occurrence
[45:03] 0.2 equals an annualized loss expectancy
[45:07] of $60,000 that's that 300,000 single
[45:11] loss expectancy spread across the five
[45:15] years for every single
[45:18] occurrence and that is a simple example
[45:20] I won't try to tell you that that simple
[45:23] example is really simple but you now
[45:25] have the PDF that you download with this
[45:27] video so you can watch this video over
[45:30] and again and look at those formulas and
[45:33] commit these to memory I'm not certain
[45:35] you're going to see a lot of
[45:36] quantitative risk assessment on the exam
[45:39] but since it's called out in the
[45:40] official study guide I want to make sure
[45:42] that you are prepared for exam
[45:45] day so analyzing our CSP risks so when
[45:49] we're analyzing a CSP or a Cloud
[45:51] solution in the associated risk it's
[45:53] going to involve many departments and
[45:56] focus areas our business units will
[45:58] likely get involved vendor management
[46:01] our supply chain
[46:03] potentially our
[46:05] privacy Specialists when we're dealing
[46:08] with risks that involve data breach or
[46:11] data
[46:12] leaks and our information security
[46:14] department the folks responsible for
[46:16] securing our Cloud
[46:19] infrastructure and CSP operation should
[46:22] also be considered but most major csps
[46:24] are audited for ISO IEC
[46:27] 271
[46:29] 2717 and
[46:32] 2718 now what are those exactly do you
[46:34] ask well these are standards to guide
[46:37] csps in their preparation or for
[46:40] customers evaluating potential
[46:43] csps so ISO I 271 is a framework for
[46:49] policies and procedures that include
[46:50] legal physical and Technical controls
[46:53] involved in an organization's
[46:55] riskmanagement
[46:58] processes but the focus is on policies
[47:01] and procedures then we have ISO IEC
[47:04] 27017 which is a standard developed for
[47:07] cloud service providers and users to
[47:09] make a safer cloud-based environment and
[47:12] reduce the risk of security problems
[47:15] then ISO I 2718 which is the first
[47:18] International standard about the privacy
[47:20] in Cloud Computing Services now we
[47:23] actually covered ISO I 271 7 in depth in
[47:28] domain 1 in section
[47:30] 1.5 we will cover ISO
[47:34] 27018 a bit later in this series in
[47:38] domain 6 in section
[47:41] 6.2 repetition is good for memorization
[47:44] I'm going to call these out in various
[47:46] facets throughout the series so you'll
[47:48] be ready on game day and csps like
[47:52] Microsoft and Amazon do provide
[47:55] resources that demonstrate their
[47:57] compliance with standards like ISO 271
[48:01] as well as the 2717 and8 standards so
[48:05] we're going to revisit in the Microsoft
[48:08] example here the service trust portal at
[48:10] servic trust.
[48:12] microsoft.com and I will search for
[48:15] 2717 and what I'll find here are
[48:18] documents demonstrating compliant for
[48:22] various Microsoft cloud services with
[48:24] ISO 271 1 2718 and 2717 all in a single
[48:30] document in the example of that cloud
[48:33] service and you'll find similar
[48:35] resources in the AWS Management console
[48:38] again a cloud agnostic exam but I just
[48:41] want you to understand what your
[48:42] recourse is as a customer or a
[48:45] consultant to customers when you want to
[48:48] verify that your CSP or prospective CSP
[48:52] meet your Quality Bar when it comes to
[48:54] compliance with well-known security
[48:59] standards continuing with risk analysis
[49:02] let's look at a couple of CSP risks and
[49:04] risks with a Cloud solution are mainly
[49:07] associated with data privacy and
[49:08] information security there's
[49:10] authentication risk so does the CSP
[49:13] provide a solution or is this a customer
[49:15] responsibility we talked about
[49:18] Federation versus identity as a service
[49:21] a bit earlier in this session so if it's
[49:23] customer managed we have more control of
[49:25] it's CSP managed we're transferring some
[49:28] of that risk over to our cloud service
[49:31] provider then data security how a vendor
[49:34] and crypts data at rest the strength of
[49:36] the cryptography and the access controls
[49:38] that prevent unauthorized access by
[49:41] cloud service personnel and other
[49:43] tenants so some controls may be on by
[49:46] default but the customer may have to
[49:48] enable others we saw this in domain 2
[49:51] when we looked at cloud storage where we
[49:53] saw encryption at rest enabled by
[49:55] default we saw that forcing encryption
[49:59] in transit so TLS encryption was a
[50:01] feature we needed to turn on as was
[50:04] double encryption which would facilitate
[50:06] crypto shredding down the
[50:09] road supply chain risk management so
[50:12] evaluating vendor security policies and
[50:15] processes now most csps don't allow
[50:17] direct auditing of their operations do
[50:20] in part to the sheer number of customers
[50:22] they support instead they provide
[50:24] standardized reports and assurance
[50:26] material regarding their security
[50:29] practices such as AOC 2 report ISO 271
[50:34] certification and specialized reports
[50:37] for regulated
[50:39] data like Hippa fed ramp and ISO 27017
[50:44] and 18 and you saw exactly how we
[50:47] retriev those standardized reports in
[50:49] one example demonstrated earlier in this
[50:52] session so let's shift gears and talk
[50:54] about common Cloud risk risks now one
[50:57] risk that's been discussed is the
[50:58] organization losing ownership and full
[51:01] control over system Hardware asset
[51:05] careful selection of csps and the
[51:06] development of slas and other
[51:08] contractual Agreements are critical to
[51:11] limiting risk organizations can balance
[51:14] cost savings with Risk by building a
[51:16] system on top of is or PAs rather than
[51:19] utilizing a SAS solution remember the
[51:23] service model affects the level of
[51:25] control but but regardless of which
[51:28] deployment or service model is used some
[51:30] risks are common to all cloud computing
[51:37] environments so Geographic dispersion of
[51:39] CSP data centers if the cloud services
[51:42] properly architected the disruption at
[51:44] one data center should not cause a
[51:46] complete outage but customers must
[51:48] verify the resilience and continuity
[51:50] controls in place at the
[51:53] CSP downtime resilience for Network
[51:57] disruptions can be built in multiple
[51:58] ways such as multivendor connectivity
[52:00] zones and regions we discussed these
[52:03] earlier in this session as well as in
[52:05] Cloud shared considerations in domain
[52:08] one compliance compliance data and some
[52:11] jurisdictions cannot be transferred to
[52:14] other countries so data dispersion is
[52:17] inappropriate now your major csps have
[52:20] compliance focused service offering so
[52:22] you'll have some mitigations enabling
[52:25] you to Control Data residency then
[52:28] there's General technology risk so Cloud
[52:31] systems are not immune to Standard
[52:33] Security issues like cyber attacks and
[52:35] CSP defenses should be documented and
[52:37] tested and customers should be aware of
[52:39] their configuration responsibilities
[52:42] remembering that some security features
[52:44] are enabled by default and others must
[52:47] be configured by the customer and it's
[52:49] customer responsibility to know which
[52:52] and to be aware of
[52:54] which let's shift to risk type so we
[52:56] have external risks different threat
[52:58] actors ranging from competitors and
[53:00] script kites to criminal syndicates and
[53:03] state
[53:04] actors capabilities will depend on their
[53:06] tools their experience and certainly
[53:08] their
[53:09] funding other external environmental
[53:11] threats like fire and floods and
[53:13] man-made threats such as accidental
[53:16] deletion of data or users internal
[53:20] threats a malicious Insider a threat
[53:21] actor who may be a dissatisfied employee
[53:24] like someone overlooked for a
[53:27] motion another internal thread is Human
[53:30] air which is when data is accidentally
[53:34] deleted csps also face these risks and
[53:37] customers have to verify their CSP as
[53:39] address them or provided tools to help
[53:41] customers address them but customers
[53:43] should know who is responsible for
[53:45] configuration that's going to be a
[53:47] recurring theme when it comes to
[53:49] security feature
[53:52] configuration so let's shift gears and
[53:55] talk about Cloud vulnerability ities
[53:56] threats and attacks the primary
[53:59] vulnerability in the cloud is that it is
[54:01] an internet-based model organizations
[54:03] could be at risk if the csp's public
[54:06] facing infrastructure comes under attack
[54:08] any attack on your CSP or Cloud vendor
[54:11] may be unrelated to you as an
[54:14] organization threat actors may be
[54:16] targeting the CSP or another tenant of
[54:18] the CSP risks can come from other
[54:21] tenants as well customers may be
[54:25] collateral damage of an attack on the
[54:30] CSP now I want to talk about Cloud
[54:33] specific risks the cloud security
[54:35] Alliance details the top Cloud specific
[54:38] security threats in their list titled
[54:41] the CSA agreus
[54:43] 11 and they cover the top 11 threats
[54:47] from year to year so a recent list
[54:51] included data breaches misconfiguration
[54:53] and inadequate Change Control lack of
[54:56] cloud security architecture and strategy
[54:59] insufficient identity credential access
[55:02] and key management account hijacking
[55:06] Insider threat insecure interfaces and
[55:10] apis weak control plane meta structure
[55:14] and appla structure failures we'll talk
[55:16] about those two terms if you're not
[55:18] familiar limited Cloud usage visibility
[55:22] and abuse and nefarious use of cloud
[55:25] services so let's break break these 11
[55:27] down a bit
[55:28] further first we have data breaches
[55:31] which are loss of sensitive data due to
[55:33] a security breach now an unintentional
[55:35] loss or oversharing is a data leak a
[55:38] data breach is loss due to a security
[55:40] breach you'll want to know the
[55:41] difference for exam day misconfiguration
[55:45] and inadequate Change Control software
[55:47] can offer the most secure configuration
[55:49] options but if it's not properly set up
[55:52] then the resulting system will have
[55:54] security issues the same is true of of
[55:56] any cloud service we can remediate this
[55:59] risk through change in configuration
[56:01] management a deliberate written plan
[56:03] that goes through a review process to
[56:06] reduce errors lack of cloud security
[56:09] architecture and strategy as
[56:11] organizations migrate to the cloud some
[56:13] Overlook security or they fail to
[56:15] consider their obligations in the shared
[56:17] responsibility
[56:18] model insufficient identity credential
[56:22] access and Key Management it's important
[56:24] to remember that the public Cloud offers
[56:27] benefits over Legacy on premise
[56:29] environments but it can also bring
[56:31] additional complexities identity and
[56:34] access management encryption and secret
[56:36] and Key Management are different than on
[56:39] Prem and
[56:41] essential in the cloud but we need to
[56:44] spend time in architecting those
[56:47] solutions to make sure we're following
[56:49] best practices for the cloud so we
[56:51] modernize our approach to these areas as
[56:54] we modernize our approach to compute and
[56:57] Service delivery account hijacking
[56:59] credential theft abuse and or elevation
[57:02] to carry out an attack fishing is
[57:05] actually the most common approach to
[57:06] account hijacking Insider threat
[57:09] disgruntled employees employee mistakes
[57:11] and unintentional oversharing job
[57:14] rotation privileged access management
[57:17] auditing and security training are all
[57:20] potential
[57:22] mitigations insecure interfaces and apis
[57:25] customers face in to secure access to
[57:27] systems gated by apis web consoles and
[57:30] the like controls like multiactor
[57:33] authentication role-based access control
[57:36] and key based API access are all
[57:39] controls that can help mitigate these
[57:41] threats next we have weak control plane
[57:44] issues weaknesses in the elements of a
[57:46] cloud system that enable Cloud
[57:48] environment configuration and management
[57:50] this would be our web console our
[57:52] command line interfaces and our apis the
[57:55] good news is most PPS offer reference
[57:57] architectures to ensure customers secure
[57:59] and isolate their Dev test and prod
[58:02] environments as well as their production
[58:06] data so now let's take a quick look at
[58:09] Insider threat protections offered by
[58:12] csps and again I'm just going to show
[58:15] you one example here of Insider threat
[58:18] protections available with a CSP just
[58:20] for
[58:22] context so I'll switch to a browser and
[58:24] I'm going to browse to compliance .
[58:26] microsoft.com which is home a Microsoft
[58:28] purview which includes an array of
[58:31] compliant Solutions and here I see The
[58:33] Insider risk management solution and
[58:36] when I go to the policies tab here I can
[58:39] create a policy to Define what types of
[58:42] behavior I'd like to monitor for and
[58:43] you'll see there are templates here that
[58:45] allow me to monitor for malicious
[58:47] behaviors like Data Theft but also
[58:49] unintentional leakage data leaks by my
[58:52] higher priority users or my habitually
[58:55] risky users I see security policy
[58:57] violations even misuse of health records
[59:01] so a number of templates that get me off
[59:04] to a good start if I'm not quite sure
[59:07] what sorts of behaviors I want to
[59:08] monitor for now I'll quickly create a
[59:10] policy here just so we can look at the
[59:13] types of behaviors these policies will
[59:16] monitor for a bit more
[59:18] specifically and when we get into the
[59:22] details here I see I can look at the
[59:24] indicator so for all office indicators I
[59:27] can look at sharing behaviors I can look
[59:30] at deleting of SharePoint files as I
[59:34] scroll down here I see adding users from
[59:37] outside the organization I see removing
[59:40] sensitivity labels and when I look at
[59:43] the casby solution I see unusual Mass
[59:47] deletion another great example of
[59:49] tooling provided by the CSP that
[59:51] requires customer
[59:54] configuration continuing with the the
[59:56] CSA egregious 11 we have meta structure
[59:59] and appla structure failures these are
[01:00:01] vulnerabilities in the operational
[01:00:03] capabilities that csps make available
[01:00:06] like apis for accessing various cloud
[01:00:08] services now if the CSP has inadequately
[01:00:12] secure these interfaces any resulting
[01:00:14] Solutions built on top of those services
[01:00:17] will inherit these weaknesses now let's
[01:00:20] break these down just a bit further The
[01:00:22] Meta structure is the protocols and
[01:00:25] mechanism M that provide the interface
[01:00:27] between the cloud layers enabling
[01:00:29] management and
[01:00:31] configuration and appla structure are
[01:00:33] applications deployed in the cloud and
[01:00:36] the underlying application Services used
[01:00:38] to build
[01:00:40] them that would include P features like
[01:00:42] message cues functions and message
[01:00:46] services so who's responsible and how do
[01:00:48] we mitigate well mitigating risks in
[01:00:50] this area is the responsibility of the
[01:00:52] CSP so customers should verify the CSP
[01:00:56] has implemented their own secure
[01:00:57] software development life cycle to
[01:00:59] ensure service
[01:01:02] continuity and remembering that your
[01:01:05] csps generally don't allow direct audit
[01:01:07] that's where we're going back to read
[01:01:09] Assurance
[01:01:11] materials in which the csps tell us
[01:01:14] about their compliance with various
[01:01:16] audit standards and compliance
[01:01:20] standards and rounding out the list
[01:01:23] limited Cloud usage visibility which
[01:01:25] refers first to when organizations
[01:01:27] experience a significant reduction in
[01:01:29] visibility over their information
[01:01:32] technology stack as a whole now this is
[01:01:34] because in some models the CSP owns the
[01:01:36] stack so visibility is limited by Design
[01:01:39] and by
[01:01:40] responsibility and finally abuse and
[01:01:42] nefarious use of cloud services now
[01:01:45] while lowcost and high scale of compute
[01:01:47] in the cloud is an advantage to
[01:01:49] Enterprises it's also an opportunity for
[01:01:51] attackers to execute disruptive attacks
[01:01:54] at scale this makes executing dos and
[01:01:57] fishing attacks easier so csps have to
[01:02:00] implement mitigating security controls
[01:02:02] to address these
[01:02:03] risks remember csps are dealing with
[01:02:07] multi-tenancy at higher scale and with a
[01:02:10] more varied customer base than we are in
[01:02:12] a private cloud in a corporate
[01:02:13] environment there are several approaches
[01:02:15] to risk mitigation in Cloud environment
[01:02:17] and the first of those is selecting a
[01:02:19] qualified
[01:02:20] zsp the next is designing and
[01:02:23] architecting with security in mind
[01:02:26] security should be considered at every
[01:02:27] step and that starts with the design
[01:02:30] process the next risk mitigation tool is
[01:02:32] encryption and data should be encrypted
[01:02:34] at rest and in transit so that means
[01:02:37] storage and database encryption at rest
[01:02:40] TLS and VPN for data and Transit and
[01:02:43] finally ongoing monitoring and
[01:02:45] management to maintain security posture
[01:02:48] major csps generally provide tools to
[01:02:51] manage and monitor configuration
[01:02:53] security and to monitor changes to Cloud
[01:02:56] services and to track their
[01:02:58] usage so let's take a quick look at an
[01:03:01] example of this in a live Cloud
[01:03:03] environment ongoing monitoring and
[01:03:05] management to maintain security
[01:03:08] posture in fact we call this capability
[01:03:11] Cloud security posture management and
[01:03:14] Cloud workload protection so I'm going
[01:03:16] to look on the Microsoft platform and
[01:03:18] Microsoft Azure at Defender for cloud
[01:03:22] which gives us that security posture
[01:03:24] management aw and Google Cloud platform
[01:03:27] absolutely have equivalent tools so here
[01:03:30] I can see my security posture I can see
[01:03:34] recommendations coming from the CSP and
[01:03:37] it even goes a bit further than that so
[01:03:39] when I drill down into these
[01:03:41] recommendations for example uh
[01:03:43] encrypting data at rest I see here it
[01:03:46] tells me I have a VM and a database now
[01:03:50] it tells me the status is completed so
[01:03:52] if I had a regression if somebody were
[01:03:53] to reverse a secure configuration that
[01:03:57] would appear here as well and a
[01:03:59] recommendation would be provided and you
[01:04:02] can see that it's even been gamified to
[01:04:04] a certain degree there's a score here in
[01:04:07] addition to that recommendation so I'll
[01:04:09] go to security alerts any alerts that
[01:04:13] require my attention any configuration
[01:04:16] recommendations come up here and going
[01:04:18] down the list under Cloud security I see
[01:04:21] that security posture I see regulatory
[01:04:25] compl compliance so this is going to
[01:04:27] show me some default configurations now
[01:04:30] this tool has dozens of compliance
[01:04:32] templates I can apply but you see here
[01:04:34] sock and ISO
[01:04:36] 271 right out of the box here's that
[01:04:39] cloud workload protection so any of my
[01:04:42] specific workloads are going to be
[01:04:43] surfaced here so I can thumb through my
[01:04:47] VMS and then my P Services right here in
[01:04:50] one place but just a quick look so know
[01:04:54] that your cloud service providers have
[01:04:57] that capability baked in for
[01:04:59] you that brings us to section 3.4 design
[01:05:02] and plan security controls here we'll
[01:05:05] cover physical and Environmental
[01:05:07] Protection this would include on
[01:05:09] premises for private and hybrid Cloud
[01:05:11] scenarios system storage and
[01:05:13] communication
[01:05:15] protection identification authentication
[01:05:17] and authorization in Cloud environments
[01:05:20] and audit mechanisms functions like log
[01:05:23] collection correlation which would be a
[01:05:25] M function and packet capture we're
[01:05:29] going to touch on a few concepts related
[01:05:30] to physical and Environmental Protection
[01:05:32] and in some cases revisit Concepts we've
[01:05:35] touched on previously but the primary
[01:05:36] consideration is site location is that
[01:05:39] will have an impact on both physical and
[01:05:41] Environmental Protections your cloud
[01:05:43] data centers share many requirements
[01:05:45] with traditional collocation providers
[01:05:47] or individual corporate data centers
[01:05:50] including the need to restrict physical
[01:05:52] access at multiple points
[01:05:56] ensuring a clean and stable power supply
[01:05:59] adequate utilities like water and sewer
[01:06:01] adequate Workforce remember for the exam
[01:06:04] that these considerations are a customer
[01:06:06] responsibility in on premises or private
[01:06:09] cloud data centers and a CSP
[01:06:11] responsibility in the public Cloud I do
[01:06:14] expect overall to see less exam focus on
[01:06:17] physical considerations since it's a CSP
[01:06:19] area of responsibility for public Cloud
[01:06:22] we saw how to track down those CSP
[01:06:26] assertion documents that articulate the
[01:06:30] csp's compliance with various Regulatory
[01:06:34] and audit standards and
[01:06:36] Frameworks so site selection and
[01:06:39] facility design the key elements in site
[01:06:42] selection and facility design include
[01:06:44] visibility composition of the
[01:06:46] surrounding area
[01:06:48] accessibility effects of natural
[01:06:50] disasters we don't want to build a data
[01:06:52] center in a site that's not easily
[01:06:54] accessible automobile for example or
[01:06:57] that would have undue exposure to
[01:06:59] natural disasters you know for example I
[01:07:01] I might not build a data center on the
[01:07:04] coast now these are all problems for the
[01:07:06] CSP and the public Cloud again customers
[01:07:08] need to focus on selecting CSP data
[01:07:10] center locations to meet their disaster
[01:07:13] recovery and data residency
[01:07:15] requirements remember csp's Auto Select
[01:07:18] region pairs for redundancy something to
[01:07:20] just bear in mind so if we revisit the
[01:07:23] region pairs concept we talked about in
[01:07:26] a previous installment in the series for
[01:07:28] example we have East usest as a primary
[01:07:32] data center region the CSP will pair a
[01:07:36] secondary region to serve as the backup
[01:07:38] and that's generally 300 plus miles away
[01:07:41] chosen by the CSP so in my example
[01:07:43] Microsoft uses West us as the region
[01:07:47] pair for East us moving on to system
[01:07:50] storage and communication protection
[01:07:52] we'll touch on a few Concepts you've
[01:07:54] seen at least once before
[01:07:56] we want to make sure that we encrypt and
[01:07:57] protect data at rest in transit and in
[01:08:00] use and protect systems and services
[01:08:04] from disruptive attacks at scale like
[01:08:06] denial of service and distributed denial
[01:08:08] of service certainly made easier in the
[01:08:10] cloud boundary protections for Ingress
[01:08:13] and egress firewalls intrusion detection
[01:08:15] and prevention and Key Management so
[01:08:18] protecting secrets of all kinds
[01:08:20] passwords Keys certificates
[01:08:23] Etc that's really the technology half of
[01:08:26] the equation and security practices
[01:08:29] automation of configuration think
[01:08:30] infrastructure is code responsibilities
[01:08:33] for protecting Cloud systems and
[01:08:35] services should be well defined
[01:08:37] monitoring and maintenance in place this
[01:08:40] is a little more people and process
[01:08:42] focused and remembering that customer
[01:08:44] and CSP roles in all of these areas are
[01:08:46] going to vary based on the shared
[01:08:47] responsibility model so your
[01:08:49] responsibilities as a customer vary from
[01:08:52] is to P to and SAS and we need to make
[01:08:55] sure you know the difference on exam day
[01:08:58] and properly securing Information
[01:09:00] Systems can be a difficult task due to
[01:09:02] the sheer number of elements that make
[01:09:04] up a system it can actually help to
[01:09:06] break these systems down into components
[01:09:08] and then apply security controls to make
[01:09:10] the overall task a bit more manageable
[01:09:13] to kind of piece it out now one source
[01:09:15] of controls is nist special publication
[01:09:19] 800-53 security and privacy controls for
[01:09:22] information systems and organizations
[01:09:24] which contains a family of controls
[01:09:27] specific to systems and Communications
[01:09:29] in fact that control family includes
[01:09:31] more than 50 controls many of which are
[01:09:34] relevant to system storage and
[01:09:37] communication now to get a bit more
[01:09:39] specific we'll break this down into
[01:09:42] policy and procedures separation of
[01:09:45] system and user functionality security
[01:09:47] function isolation denial of service
[01:09:50] protection boundary protection and
[01:09:53] cryptographic key establishment and
[01:09:57] management so starting with policy and
[01:09:59] procedures we establish requirements for
[01:10:01] system protection and Define the purpose
[01:10:04] scope roles and responsibilities needed
[01:10:06] to achieve it separation of system and
[01:10:09] user functionality essentially no single
[01:10:11] person can control all of the elements
[01:10:14] of a critical function or
[01:10:16] system and separating user and admin
[01:10:19] functions can also prevent users from
[01:10:21] altering processes or misconfigured
[01:10:24] systems sometimes
[01:10:26] unintentionally security function
[01:10:28] isolation separating security specific
[01:10:30] functions from other roles is just
[01:10:32] another flavor of separation of Duties
[01:10:35] really configuring data security
[01:10:37] controls like encryption and logging
[01:10:40] configuration would be perfect examples
[01:10:43] of that security function
[01:10:45] isolation denial a service protection so
[01:10:48] denial a service is a disruptive attack
[01:10:50] at scale it's definitely more difficult
[01:10:52] for smaller organizations to combat
[01:10:54] effectively but most of your csps offer
[01:10:57] denial a service or DDOS mitigation as a
[01:11:00] service and there are also dedicated
[01:11:03] thirdparty providers like aamay and
[01:11:05] cloudflare that offer DDOS mitigation
[01:11:08] protections now in the big three we have
[01:11:11] Azure DDOS AWS shield and Google Cloud
[01:11:15] armor which are all DDOS mitigation as a
[01:11:19] service features and on at least a
[01:11:21] couple of those platforms they offer a
[01:11:23] basic tier of that service at no charge
[01:11:25] and requiring no real
[01:11:27] configuration then we have boundary
[01:11:29] protection which deals with both Ingress
[01:11:31] and egress protections including
[01:11:34] preventing malicious traffic from
[01:11:36] entering the network preventing
[01:11:38] malicious traffic from leaving the
[01:11:39] network protecting against data loss so
[01:11:42] data exfiltration and configuring rules
[01:11:45] and policies in your routers gateways or
[01:11:48] firewalls and your large csps generally
[01:11:50] have a policy engine that allows you to
[01:11:52] configure centralized policies to apply
[01:11:54] to your network networ virtual
[01:11:55] appliances your virtual firewalls and
[01:11:57] gateways as you bring those devices or
[01:11:59] new regions online so you don't have to
[01:12:01] configure those individual devices
[01:12:04] manually so you're really codifying your
[01:12:06] configuration in infrastructure as code
[01:12:10] and finally cryptographic key
[01:12:12] establishment and
[01:12:14] management the cryptography provides a
[01:12:16] number of security functions including
[01:12:18] confidentiality integrity and
[01:12:20] non-repudiation and it helps to match
[01:12:23] these functions to the predictions that
[01:12:25] offer so encryption tools like TLS or a
[01:12:27] VPN can be used to provide
[01:12:30] confidentiality hashing can be
[01:12:32] implemented to detect unintentional data
[01:12:35] modifications that's really an Integrity
[01:12:37] function so if I Hash a file I calculate
[01:12:40] a hash I send you the file you calculate
[01:12:42] the hash on the file you receive if the
[01:12:45] hash is match we know the file has
[01:12:48] reached you intact its Integrity remains
[01:12:51] intact and additional security measures
[01:12:54] like digital signature or hash based
[01:12:56] message authentication code or hmac can
[01:12:59] be used to detect intentional tampering
[01:13:03] so hmac can simultaneously verify both
[01:13:06] data integrity and message authenticity
[01:13:09] so that's really a non-repudiation
[01:13:12] function let's move on to identification
[01:13:16] authentication and
[01:13:18] authorization authentication sometimes
[01:13:20] abbreviated as auen is the process of
[01:13:23] proving that you are who you say you are
[01:13:25] are that's identity authorization
[01:13:29] sometimes abbreviated off Z is the act
[01:13:31] of granting an authenticated party
[01:13:33] permission to do something that's
[01:13:37] access so permissions rights and
[01:13:39] privileges are granted to users based on
[01:13:41] their proven identity for resources to
[01:13:44] which they have been assigned access and
[01:13:48] users should be granted minimum
[01:13:49] necessary permissions this is called the
[01:13:52] principle of lease
[01:13:54] privilege I want to touch on
[01:13:56] accountability which is a challenge with
[01:13:58] Cloud identity users who perform
[01:14:00] activities on a system need to be held
[01:14:02] accountable for following policies and
[01:14:05] procedures accountability is typically
[01:14:07] enforced with adequate logging and
[01:14:09] monitoring of system activity now Cloud
[01:14:12] brings with it some challenges in
[01:14:14] enforcing accountability for example SAS
[01:14:16] apps used as users travel make
[01:14:18] identifying anomalous or malicious
[01:14:20] behavior much more difficult bad
[01:14:23] password practices with our
[01:14:26] users specifically users reusing
[01:14:28] passwords across Services as a problem
[01:14:31] and the use of personal devices in BYOD
[01:14:34] or bring your own device
[01:14:36] scenarios now modern identity is a
[01:14:39] service tools in the cloud provide
[01:14:41] solutions for these challenges which
[01:14:43] we'll talk through and I'll show you a
[01:14:44] bit in just a moment so let's start with
[01:14:47] multiactor authentication which works by
[01:14:50] requiring two or more of the following
[01:14:52] authentication methods something you
[01:14:55] know like a pin or a password something
[01:14:57] you have like a trusted device or
[01:15:00] something you are a biometric
[01:15:02] authentication that second Factor can be
[01:15:05] authenticator apps like the Microsoft
[01:15:07] authenticator or Google
[01:15:09] Authenticator a voice call an SMS or
[01:15:13] text message though SMS is considered a
[01:15:15] very weak second factor and
[01:15:17] organizations like the cloud security
[01:15:19] Alliance have been recommending against
[01:15:21] that for some time we have the oath
[01:15:24] Hardware token which provides a
[01:15:27] time-based onetime password and if that
[01:15:30] onetime password concept isn't Crystal
[01:15:33] Clear think about any authenticator app
[01:15:35] you use Microsoft Google One login any
[01:15:39] third party they also generally serve as
[01:15:41] a software oath providing that
[01:15:43] time-based onetime password in the form
[01:15:46] of a numeric sequence that changes every
[01:15:48] couple of
[01:15:50] minutes continuing with multiactor
[01:15:52] authentication so two or more authentic
[01:15:55] ation factors obviously more secure than
[01:15:57] a single authentication Factor if you
[01:15:59] talk to some of the identity as a
[01:16:01] service providers you might be surprised
[01:16:03] to learn that in the opinion of many
[01:16:05] experts passwords are the weakest form
[01:16:07] of authentication now password policies
[01:16:10] help increase their security by
[01:16:12] enforcing complexity and history
[01:16:15] requirements smart cards are a good
[01:16:17] option which include a micr processor
[01:16:19] and cryptographic
[01:16:20] certificates oath tokens are a stronger
[01:16:23] second Factor option creating a one-time
[01:16:26] password whether that's a hardware token
[01:16:28] or a software token like the
[01:16:29] authenticator app on your
[01:16:32] phone biometric methods identifying
[01:16:34] users based on a fingerprint or facial
[01:16:37] recognition every modern iPhone features
[01:16:40] facial recognition your Android phones
[01:16:43] that don't offer facial ID do have
[01:16:45] fingerprint generally speaking so lots
[01:16:48] of options to go beyond a simple text
[01:16:50] message for that second Factor now let's
[01:16:52] shift gears and talk about conditional
[01:16:54] authentic ication policies this
[01:16:56] capability is increasingly common in
[01:16:59] identity as a service platforms uh we've
[01:17:01] seen this in Azure active directory used
[01:17:03] with Office 365 for a lot of years now
[01:17:06] so a conditional authentication policy
[01:17:10] will typically look at the signals
[01:17:11] around the authentication attempt the
[01:17:13] user in their location the device
[01:17:16] they're authenticating from is it a
[01:17:17] known device is it compliant with our
[01:17:19] security policies is the application An
[01:17:22] approved application what is is the
[01:17:25] real-time risk rating of this user and
[01:17:27] typically that risk rating comes from
[01:17:31] machine learning and AI processing data
[01:17:33] from that user's past behaviors
[01:17:35] potentially some user entity behavioral
[01:17:37] analysis that tell us if conditions are
[01:17:40] unusual if risk is medium or high
[01:17:42] potentially these signals will be
[01:17:44] processed together and then the platform
[01:17:46] will allow access block access or
[01:17:49] potentially require multiactor
[01:17:52] authentication we can throw an
[01:17:53] additional prompt at that user if the
[01:17:56] conditions tell us that there's
[01:17:57] something a bit unusual and if they meet
[01:18:01] the bar then they are granted access to
[01:18:05] our data and resources and this
[01:18:08] functionality Works seamlessly with the
[01:18:10] authenticator app on our mobile device
[01:18:12] that's ubiquitous today the
[01:18:13] authentication application it's also
[01:18:16] called so it's a software-based
[01:18:17] authenticator it implements two-step
[01:18:20] verification services using the
[01:18:22] time-based onetime password algorithm an
[01:18:25] hmac based onetime password algorithm
[01:18:28] for authenticating users of software
[01:18:31] applications that's the authenticator
[01:18:33] app and we know Microsoft authenticator
[01:18:36] and Google Authenticator are really just
[01:18:37] two of many but the authenticator apps
[01:18:40] from companies like Microsoft and Google
[01:18:42] generate one-time passcodes using these
[01:18:45] Open Standards that are developed by the
[01:18:47] initiative for open authentication so
[01:18:49] oath you'll hear hmac and top tokens
[01:18:53] called oath tokens with some of these
[01:18:55] providers just different names for the
[01:18:57] same functionality we have push
[01:19:00] notifications where the server is
[01:19:01] pushing down the authentication
[01:19:03] information to your mobile device so you
[01:19:06] have notifications enabled on your phone
[01:19:09] and really there's a finer grain of
[01:19:10] notifications it's time sensitive
[01:19:12] notifications so that push notification
[01:19:14] will push a notification from your
[01:19:16] authenticator app directly to you on
[01:19:19] your phone right away when you need to
[01:19:21] respond to that second Factor but the
[01:19:23] identity platform is using the mobile
[01:19:25] device app to be able to push that
[01:19:27] message to you in real time or near real
[01:19:30] time so you can respond to that second
[01:19:31] Factor on your phone now I'd like to
[01:19:33] take just a minute and show you
[01:19:36] conditional authentication policies in
[01:19:38] an identity as a service platform just
[01:19:40] to give you some real world context for
[01:19:42] how that
[01:19:43] functionality increases the security
[01:19:46] around identity and access management in
[01:19:48] the
[01:19:49] cloud so I'll switch to a browser here
[01:19:52] and I'm looking at the Azure active
[01:19:53] directory ad Center so this is
[01:19:55] Microsoft's identity as a service
[01:19:58] platform so if you've not used this with
[01:19:59] Microsoft Azure maybe you used an Azure
[01:20:02] ad account with Office 365 this is the
[01:20:04] platform that supports Office 365 for
[01:20:08] identity now I'm going to scroll down
[01:20:10] and look at the security features of
[01:20:13] azure active directory and conditional
[01:20:15] access is what Microsoft calls their
[01:20:17] conditional authentication functionality
[01:20:20] that I was describing in the
[01:20:22] presentation now I'm going to look at an
[01:20:24] exist in policy here exchange online
[01:20:26] requires compliant device so I can see
[01:20:29] it's already configured to look at some
[01:20:31] of the signals as part of that user's
[01:20:33] authentication attempt so I can apply
[01:20:36] this policy to all users or specific
[01:20:39] groups of users even guests and external
[01:20:42] users I can apply this to specific
[01:20:45] applications I can drill down to a
[01:20:47] specific app or apply it to all apps now
[01:20:49] let's look at conditions so I see here I
[01:20:53] can act based on the user's location and
[01:20:57] in fact I can exclude certain locations
[01:20:59] so I might not want to apply additional
[01:21:01] factors of authentication to trusted
[01:21:03] location so it's certainly possible that
[01:21:06] when someone is on a compliant device in
[01:21:09] a trusted location we're going to skip
[01:21:11] this policy and I'll just exclude them
[01:21:15] and I can look at device platform so I
[01:21:17] can apply this to specific types of
[01:21:19] devices Windows Mac OS iOS Android Etc
[01:21:40] none or low maybe I want to apply these
[01:21:44] additional authentication conditions now
[01:21:47] I'll look at user risk so this is the
[01:21:49] risk level for the user itself for that
[01:21:52] identity and again giving me the option
[01:21:55] to configure my tolerance there now I'll
[01:21:58] scroll down a bit and look at my access
[01:22:00] controls here so I can configure some
[01:22:03] conditions around access so I can choose
[01:22:05] to Grant or block access now blocking
[01:22:08] access is a pretty straightforward
[01:22:10] decision I'm just checking block but
[01:22:11] under Grant what you'll notice here is I
[01:22:13] can require MFA I can require specific
[01:22:16] authentication strength a compliant
[01:22:19] device a device that's hybrid Azure ad
[01:22:23] join so join to my on premises active
[01:22:25] directory and synced to my identity
[01:22:28] provider in the cloud in Azure ad I can
[01:22:31] require an approved Client
[01:22:34] app and an app protection policy which
[01:22:38] would be something we'd set up in our
[01:22:39] mobile device management platform and
[01:22:41] then you'll notice down here I can
[01:22:43] require one of these controls or all of
[01:22:45] these controls so I have a lot of
[01:22:47] flexibility in the functionality and on
[01:22:49] this platform they actually offer the
[01:22:51] option to straight up enable that policy
[01:22:54] or to put it into reporton mode which
[01:22:57] can be handy because we can assess what
[01:23:01] the impact of the policy would be before
[01:23:03] we roll it out to live users so again
[01:23:07] just a quick look hope that gives you
[01:23:08] some context so back to our presentation
[01:23:12] let's talk about Federation which is a
[01:23:15] collection of domains that have an
[01:23:17] established trust so the level of trust
[01:23:20] may vary it typically includes
[01:23:22] authentication and almost always
[01:23:24] includes authorization we're typically
[01:23:26] using this for identity and access
[01:23:28] management it often includes a number of
[01:23:31] organizations that have established
[01:23:32] trust for shared access to a set of
[01:23:36] resources for example you can Federate
[01:23:38] your on premises environment with your
[01:23:40] Azure active directory and use this
[01:23:41] Federation for authentication and
[01:23:44] authorization this signin method ensures
[01:23:47] that all user authentication occurs on
[01:23:49] premises we are federating to our on
[01:23:51] premises directory it allows administrat
[01:23:54] traders to implement more rigorous
[01:23:56] levels of access control so historically
[01:23:59] we would use Federation so we could
[01:24:01] leverage certificate authentication or a
[01:24:03] key fob or a card
[01:24:06] token some of these methods are making
[01:24:08] their way into the identity as a service
[01:24:10] platform so Federation has become less
[01:24:13] necessary in some circumstances I'd like
[01:24:15] to talk through a quick identity
[01:24:17] Federation example I think might
[01:24:19] resonate with you so I have a website
[01:24:21] let's say it's hosted in Microsoft Azure
[01:24:23] that's my CSP so that's going to use
[01:24:25] Azure active directory as its identity
[01:24:27] as a service that's identity provider a
[01:24:29] IDPA that's identity provider a I have a
[01:24:32] user who wants to authenticate with
[01:24:36] identity provider B let's say they're a
[01:24:38] Facebook user so they don't have an
[01:24:40] Azure active directory account and I
[01:24:42] want to facilitate easy authentication
[01:24:45] of Facebook users to my website without
[01:24:47] requiring everyone to have an Azure ad
[01:24:49] account so what I can do is configure
[01:24:51] Federation I can configure Azure active
[01:24:53] directory to trust Facebook as an
[01:24:56] identity provider so identity provider a
[01:24:59] Azure ad trust identity provider B
[01:25:02] Facebook and that way my user can
[01:25:06] authenticate with their Facebook account
[01:25:08] and then they are granted shared
[01:25:10] access then this may be cloud or it may
[01:25:12] be on premises we definitely see
[01:25:14] identity Federation happening between
[01:25:17] identity providers in the cloud and on
[01:25:19] premises like active directory on
[01:25:21] premise quite common and trust is not
[01:25:23] always by Direction as in this example
[01:25:25] trust only happens in One Direction and
[01:25:27] incidentally configuring Facebook as an
[01:25:30] identity provider in Azure active
[01:25:32] directory is not that difficult in fact
[01:25:35] I'm just going to go back to the portal
[01:25:37] quickly and I'll click on external
[01:25:39] identities here just to show you all
[01:25:41] identity providers and you'll notice
[01:25:43] Facebook is right there so many of your
[01:25:46] identity as a service platforms are
[01:25:47] going to have similar functionality to
[01:25:49] allow Facebook Google Twitter as
[01:25:52] potential ident ID
[01:25:55] providers and with identity and access
[01:25:57] management audit mechanisms are top of
[01:26:00] mind we need to collect logs so we have
[01:26:02] an audit Trail and your cloud services
[01:26:04] will offer different controls over what
[01:26:06] information is logged what they will
[01:26:08] have in common is they collect a minimum
[01:26:11] level of security relevant events like
[01:26:13] the use of privileged accounts or
[01:26:15] changes to privileged
[01:26:17] accounts and a log aggregator like a
[01:26:20] security information event management
[01:26:22] system or sem can inject logs from all
[01:26:25] of your on premises and Cloud resources
[01:26:27] for review and
[01:26:30] correlation so nist SP
[01:26:33] 800-53 and the oasp logging cheat sheet
[01:26:36] both offer guidance on specific
[01:26:38] information to capture in audit records
[01:26:42] and good news there we covered both of
[01:26:43] these in domain two of this
[01:26:46] series so correlation that I just
[01:26:48] mentioned refers to the ability to
[01:26:51] discover relationships between two or
[01:26:53] more events across
[01:26:54] logs this capability is commonly
[01:26:57] associated with a sim a security
[01:26:59] information event management system
[01:27:01] which correlates events and logs from
[01:27:04] many sources this is very important in
[01:27:07] investigation and Incident Management
[01:27:10] security incidents because we can
[01:27:12] correlate activities across a broad
[01:27:13] variety of sources to provide a more
[01:27:16] comprehensive picture of the actors
[01:27:18] activities in our environment we touched
[01:27:21] on some of the core tenants of aim in do
[01:27:24] main 2 and we'll talk about Sims in
[01:27:26] Greater depth later in this series and
[01:27:29] to round out 3.4 we'll touch on packet
[01:27:31] capture and replay so packet capture
[01:27:33] tools are also called protocol analyzers
[01:27:36] and in the cloud Some Cloud environments
[01:27:39] may not provide any facility for
[01:27:41] capturing packets particularly in SAS
[01:27:43] scenarios where the customer is not
[01:27:44] responsible for anything related to the
[01:27:47] environment certainly you'll see that
[01:27:49] your csps offer some facilities for IAS
[01:27:53] and other foundational scenarios now wi
[01:27:55] shark is a free open- source protocol
[01:27:58] analyzer it has CLI and guey versions
[01:28:01] windows and Linux versions it is really
[01:28:03] ubiquitous this is the deao standard for
[01:28:06] packet capture now some of your csps
[01:28:09] support wire shark directly others have
[01:28:12] specialized services to perform packet
[01:28:14] capture on Virtual networks so two good
[01:28:17] examples in Microsoft Azure there is
[01:28:19] Network Watcher which is a specialized
[01:28:22] packet capture medium AWS supports wire
[01:28:25] shark directly incidentally Network
[01:28:27] Watcher in Azure produces pcap output
[01:28:31] that we can open in wi shark so your CSP
[01:28:33] protocol analyzers can actually save the
[01:28:36] data that they collect to a wire shark
[01:28:39] compatible packet capture file or pcap
[01:28:42] which is the case in Azure and a couple
[01:28:44] of other platforms that come immediately
[01:28:47] to mind and that brings us to section
[01:28:50] 3.5 plan disaster recovery and business
[01:28:54] continuity so here we'll touch on
[01:28:56] business continuity and Disaster
[01:28:58] Recovery strategy business requirements
[01:29:01] we're going to touch on three key
[01:29:04] acronyms recovery time objective
[01:29:07] recovery Point objective and Recovery
[01:29:09] Service
[01:29:10] level and creation implementation and
[01:29:14] testing of our business continuity and
[01:29:17] Disaster Recovery plans a good place to
[01:29:20] start is by identifying the difference
[01:29:22] between a business continuity plan and a
[01:29:25] disaster recovery plan so the BCP
[01:29:28] focuses more on the whole business where
[01:29:30] the disaster recovery plan focuses more
[01:29:32] on the technical aspects of
[01:29:35] recovery the business continuity plan
[01:29:37] will cover Communications and process
[01:29:39] more broadly another way to think about
[01:29:41] that is the business continuity plan is
[01:29:43] an umbrella policy and the disaster
[01:29:46] recovery plan is part of it so what are
[01:29:48] the goals of DRP and
[01:29:51] BCP well it's all about minimizing the
[01:29:54] effects of a disaster by improving
[01:29:56] responsiveness by the employees in
[01:29:58] different situations erasing Confusion
[01:30:00] by providing written procedures and
[01:30:03] participation in drills to ensure folks
[01:30:06] know what they are doing in the event of
[01:30:08] an actual disaster ultimately helping
[01:30:11] your important users executing the plan
[01:30:14] to make logical decisions during a
[01:30:17] crisis there are a few core definitions
[01:30:20] related to business continuity planning
[01:30:23] that are worth knowing for exam day so
[01:30:25] the business resumption plan this is the
[01:30:28] plan to move from the disaster recovery
[01:30:30] site back to your business environment
[01:30:32] or back to normal operations in other
[01:30:34] words meantime between failures that's a
[01:30:37] determination of how long a piece of it
[01:30:40] infrastructure will continue to work
[01:30:42] before it fails meantime to repair or
[01:30:46] sometimes meantime to recovery a Time
[01:30:48] determination for how long it will take
[01:30:50] to get a piece of Hardware or software
[01:30:52] repaired and back
[01:30:55] online max tolerable downtime the amount
[01:30:58] of time we can be without the asset that
[01:31:01] is unavailable before we must declare a
[01:31:04] disaster and initiate our Disaster
[01:31:08] Recovery
[01:31:10] plan so let's shift and talk about
[01:31:13] business continuity and Disaster
[01:31:15] Recovery
[01:31:18] strategy I wanted to provide just a
[01:31:21] couple of definitions here that may come
[01:31:22] in handy on EX exam day so the business
[01:31:24] continuity plan is the overall
[01:31:26] organizational plan for how to continue
[01:31:29] business after an event has
[01:31:32] occurred it's a proactive risk
[01:31:35] mitigation strategy that contains likely
[01:31:37] scenarios that could affect the
[01:31:38] organization and guidance on how the
[01:31:41] organization should respond in other
[01:31:43] words the business continuity plan is
[01:31:45] going to focus on the most likely
[01:31:49] scenarios this plan is sometimes called
[01:31:52] a continuity of operation plan now
[01:31:55] depending on the sources you look at
[01:31:57] some sources will Define a difference
[01:32:00] call out a subtle difference between a
[01:32:01] business continuity plan and a
[01:32:03] continuity of operations plan if you
[01:32:06] look at the common body of knowledge for
[01:32:08] the ccsp exam these two are considered
[01:32:12] one and the same and then the disaster
[01:32:15] recovery plan again is the plan for
[01:32:16] recovering from an IT disaster and
[01:32:19] having the it infrastructure back in
[01:32:21] operation one is business focus the
[01:32:24] other is more Tech
[01:32:26] focused and the business impact
[01:32:29] assessment which we talked about earlier
[01:32:31] in this series is used to determine
[01:32:33] which processes are critical and which
[01:32:35] are
[01:32:36] not it measures the impact of specific
[01:32:40] systems and processes and any that are
[01:32:42] deemed critical to the organization's
[01:32:45] functioning must be prioritized in an
[01:32:47] emergency
[01:32:48] situation the business impact assessment
[01:32:51] contains typically a cost benefit
[01:32:54] analysis and a calculation of the return
[01:32:57] on
[01:32:57] investment and just pivoting to look at
[01:33:01] business continuity and disaster
[01:33:02] recovery from a CSP perspective a cloud
[01:33:05] data center that's affected by a natural
[01:33:07] disaster will likely activate multiple
[01:33:09] BCPS and drps a CSP will activate both
[01:33:13] plans to deal with the interruption to
[01:33:15] their service now one key element of the
[01:33:18] BCP is communicating incident status to
[01:33:21] relevant parties
[01:33:24] now the customer is responsible for
[01:33:26] determining how to recover in the case
[01:33:28] of a disaster in the cloud so recovery
[01:33:31] of our applications is not necessarily
[01:33:33] going to be automatic and a customer may
[01:33:35] choose to implement backups or utilize
[01:33:37] multiple availability zones load
[01:33:39] balancers or other techniques in other
[01:33:42] words the CSP is going to give us the
[01:33:44] tools but they're not necessarily going
[01:33:46] to do all of that design and
[01:33:47] implementation work for us we have to
[01:33:50] use the tools we're given csps can
[01:33:53] further protect customers by not
[01:33:55] allowing two availability zones within a
[01:33:58] single physical data center within a
[01:34:01] cloud region now we talked about
[01:34:03] availability zones all the way back in
[01:34:05] domain one so let's just briefly revisit
[01:34:09] the concept of availability zones in a
[01:34:11] cloud data center to refresh your memory
[01:34:13] here so availability zones are unique
[01:34:16] physical locations within a region with
[01:34:18] independent power Network and Cooling
[01:34:22] and they're comprised of one or more
[01:34:23] data data centers if we look at a region
[01:34:25] for a cloud service provider Like Us
[01:34:28] East for example that region is going to
[01:34:31] consist of multiple data centers in
[01:34:33] fairly close proximity and availability
[01:34:36] zones will provide a way for us to
[01:34:39] spread our infrastructure within that
[01:34:43] region within those data centers to
[01:34:45] tolerate data center failures via
[01:34:47] redundancy and isolation the focus there
[01:34:50] is really on providing redundancy Within
[01:34:54] that data center region so if I put a
[01:34:56] load balancer in place with multiple web
[01:34:59] application instances I would hope to
[01:35:02] spread those throughout the data centers
[01:35:04] in that region across availability zones
[01:35:07] so I make my load balancer Zone
[01:35:09] redundant in other words but the focus
[01:35:11] again is on data center failures within
[01:35:13] a region so our hope is that our CSP
[01:35:17] doesn't provide availability zones that
[01:35:19] leave us stuck in a single Data
[01:35:22] Center and major csps have multiple data
[01:35:25] centers within a region so it can be
[01:35:27] safely assumed this is
[01:35:29] true so let's talk about the
[01:35:31] communication plan the plan that details
[01:35:33] how relevant stakeholders will be
[01:35:35] informed in the event of an incident
[01:35:37] like a security breach it would include
[01:35:40] a plan to maintain confidentiality such
[01:35:43] as encryption to ensure that the event
[01:35:45] does not become public knowledge at
[01:35:48] least before we're ready the contact
[01:35:51] list should be maintained that includes
[01:35:52] stakeholders from government police
[01:35:55] customers suppliers and internal staff
[01:35:58] now compliance regulations like gdpr
[01:36:01] include notification requirements
[01:36:03] relevant parties and timelines for
[01:36:05] example gdpr has a
[01:36:08] 72-hour time limit on the point by which
[01:36:12] certain notifications must go out but
[01:36:15] confidentiality amongst internal
[01:36:17] stakeholders is desirable so external
[01:36:20] stakeholders can be informed in
[01:36:22] accordance with the plan you want to be
[01:36:24] the one as an organization informing
[01:36:26] your stakeholders not allowing them to
[01:36:29] get that information from a News
[01:36:32] Bulletin so when we have an incident
[01:36:35] there are multiple groups of relevant
[01:36:37] stakeholders that we need to inform and
[01:36:38] manage and they may include internal
[01:36:41] stakeholders a cyber insurance provider
[01:36:43] business partners customers law
[01:36:46] enforcement a stakeholder in this case
[01:36:49] is a party with an interest in an
[01:36:51] Enterprise corporate stakeholders
[01:36:53] include investors employees customers
[01:36:56] suppliers uh regulated Industries like
[01:36:59] Banking and Healthcare will have
[01:37:01] requirements driven by the regulations
[01:37:03] governing their Industries so
[01:37:06] stakeholder management and communication
[01:37:08] plans will certainly be influenced by
[01:37:11] the industry that your organization
[01:37:13] Works
[01:37:14] in so let's talk business requirements
[01:37:17] these are the three acronyms called out
[01:37:19] in the exam syllabus there's the
[01:37:22] recovery point objetive Ive that's the
[01:37:24] age of data that must be recovered from
[01:37:26] backup storage for normal operations to
[01:37:29] resume if a system or a network goes
[01:37:32] down next we have the recovery time
[01:37:35] objective or rtoo which is the duration
[01:37:37] of time and a service level within which
[01:37:39] a business process must be restored
[01:37:41] after a disaster in order to avoid
[01:37:44] unacceptable consequences associated
[01:37:47] with a break in
[01:37:48] continuity slas between a company and
[01:37:51] its customers will definitely influence
[01:37:53] the RPO and the RTO in fact they will be
[01:37:55] determined based on contractual slas
[01:37:59] between a company and its customers or
[01:38:01] operating level agreements or OAS
[01:38:04] between the IT department and other
[01:38:07] departments within the organization and
[01:38:09] finally we have the recovery service
[01:38:11] level which measures the compute
[01:38:14] resources needed to keep production
[01:38:16] environments running during a disaster
[01:38:19] it is a percentage measure zero of 100
[01:38:22] of how much computing power you will
[01:38:24] need during a disaster and based upon a
[01:38:28] percentage of computing used by
[01:38:30] production environments versus other
[01:38:32] environments like development test and
[01:38:34] QA so for example if I have a 10 web
[01:38:37] server environment and eight of those
[01:38:39] servers are used for Dev test and QA I'd
[01:38:43] only need to bring the two production
[01:38:45] servers into my Dr environment I'm only
[01:38:48] going to migrate what I need to keep the
[01:38:51] production trains running so to speak
[01:38:53] but that Recovery Service level answers
[01:38:55] the question what needs to be migrated
[01:38:58] to keep production
[01:39:01] running and another quick real world
[01:39:05] look this time at data backup and
[01:39:07] retention features in platform as a
[01:39:10] service
[01:39:11] offerings this will only take a minute
[01:39:14] but it'll be a good reminder of the pros
[01:39:15] and cons the tradeoffs in platform as a
[01:39:19] service so I'm going to look at Azure
[01:39:22] SQL so Microsoft P offering for SQL
[01:39:25] Server so I'm looking at a SQL instance
[01:39:28] here and I'll go down under data
[01:39:30] management to backups and what I see
[01:39:32] down here are my available backups but
[01:39:34] I'm going to look at my retention
[01:39:36] policies and what I want to show you
[01:39:37] here is when I look at the retention
[01:39:40] policies for This Server uh we'll notice
[01:39:43] here that for pitr which is point in
[01:39:46] time restore backups I only have so many
[01:39:50] days that I can select there there's a
[01:39:52] sliding scale that gives me 1 to 7 days
[01:39:55] and I can then look at my differential
[01:39:57] backup frequencies I have a drop down
[01:39:59] that gives me a limited number of
[01:40:01] options I have a little more control in
[01:40:03] my long-term retention you'll see here
[01:40:05] it mentions that I can keep my long-term
[01:40:08] backups for up to 10 years so I
[01:40:11] have that long-term retention
[01:40:14] flexibility but less flexibility in some
[01:40:17] of the short-term point and time
[01:40:19] recovery options so the upside is
[01:40:22] configuration is very simp simple it's
[01:40:23] just a few clicks the downside is I have
[01:40:25] to accept the limitations that come with
[01:40:28] that platform as a service
[01:40:31] offering next up is bcdr business
[01:40:34] continuity and Disaster Recovery plan
[01:40:36] creation implementation and testing and
[01:40:38] I'd like to talk through the process
[01:40:40] with you beginning with the design phase
[01:40:43] we design our bcdr plans based on
[01:40:46] priorities from the business impact
[01:40:48] analysis and FEMA and infragard are
[01:40:51] organizations that can also advise us on
[01:40:53] like disastrous for a region so we
[01:40:55] prioritize our planning around the most
[01:40:57] probable impact then we Implement our
[01:41:00] plan to protect critical business
[01:41:03] functions again we're always focused on
[01:41:06] valuable assets so when we're designing
[01:41:09] plans to recover business operations and
[01:41:12] infrastructure we're focused on critical
[01:41:13] business functions first we also need to
[01:41:17] identify key personnel as they will be
[01:41:20] the ones carrying out these BCD or
[01:41:23] plans now in the testing process we're
[01:41:26] testing to make sure our plans function
[01:41:28] as expected and that the people involved
[01:41:32] know their roles and responsibilities
[01:41:34] and that the plans actually work testing
[01:41:37] both BCP and and DRP plans is essential
[01:41:40] and disaster recovery and business
[01:41:42] continuity plans that are not tested
[01:41:44] seldom work as expected in Live use if
[01:41:48] we haven't tested and refined them first
[01:41:51] and when we conduct these test test we
[01:41:53] then report and revise so our business
[01:41:56] continuity and Disaster Recovery plan
[01:41:58] should be revised as necessary based on
[01:42:01] test results and test will definitely
[01:42:04] identify need for revision because our
[01:42:07] business evolves and so these plans must
[01:42:09] evolve and be refined over time to
[01:42:12] continue to align with our critical
[01:42:14] business functions and
[01:42:17] processes so let's talk through a few
[01:42:20] Disaster Recovery test scenarios we need
[01:42:23] to test our business continuity and
[01:42:25] Disaster Recovery plans at least
[01:42:26] annually most organizations will test
[01:42:29] them in part in various forms more than
[01:42:31] once a year common disaster scenarios
[01:42:35] would include data breach data loss
[01:42:38] power outage or other utilities Network
[01:42:41] failure so notice that not every impact
[01:42:43] is the most significant impact we want
[01:42:45] to test a range of impacts natural
[01:42:48] disasters civil unrest or terrorism
[01:42:51] we're getting more serious now and P
[01:42:53] pmics and the plans should also test the
[01:42:56] most likely scenarios first but can also
[01:42:59] be tested in a number of ways there are
[01:43:01] different types of tests we can carry
[01:43:03] out so for example tabletop testing
[01:43:06] members of the disaster recovery team
[01:43:08] Gather in a large conference room and
[01:43:10] roleplay a disaster scenario usually the
[01:43:14] exact scenario is known only to the test
[01:43:16] moderator Who present the details to the
[01:43:18] team at the meeting so they are
[01:43:20] responding in the moment the team
[01:43:23] members refer to the document and
[01:43:24] discuss the appropriate responses to
[01:43:27] that particular type of disaster so a
[01:43:30] couple of benefits to this type of
[01:43:33] testing is that a tabletop test is
[01:43:34] roleplay only so it's minimal impact on
[01:43:37] productivity and it's also a great way
[01:43:39] in your early revisions to identify
[01:43:42] revisions to the plan
[01:43:46] steps when you write out that first
[01:43:48] draft of a disaster recovery or business
[01:43:51] continuity plan nobody's going to get it
[01:43:52] perfect on the first draft so the
[01:43:54] tabletop testing can help us refine the
[01:43:56] plan so we are ready for a real impact
[01:44:01] then there's a dry run in this test some
[01:44:02] of the response measures are tested on
[01:44:05] non-critical function so there's a bit
[01:44:06] of doing in this case then we have a
[01:44:09] full test which involves actually
[01:44:11] shutting down operations at the primary
[01:44:12] site and shifting them to the disaster
[01:44:15] recovery site when the entire
[01:44:17] organization takes part in an
[01:44:19] unscheduled unannounced practice
[01:44:21] scenario of full business continuity and
[01:44:23] Disaster Recovery
[01:44:27] activities and just a couple of notes on
[01:44:30] plan implementation so implementing
[01:44:32] business continuity or Disaster Recovery
[01:44:34] processes May necessitate utilizing
[01:44:37] cloud computing for critical services so
[01:44:39] customers can take advantage of the
[01:44:40] Cloud's High availability features like
[01:44:43] multiple availability zones automatic
[01:44:46] failover to backup regions direct
[01:44:49] connection to a cloud service provider
[01:44:54] and most of these choices come with
[01:44:56] costs that have to be considered even if
[01:44:57] we're talking about intra region
[01:45:01] features like availability zones
[01:45:03] protecting us against a data center
[01:45:04] failure or if it's automatic fail over
[01:45:06] to a backup region when we're
[01:45:08] implementing that type of redundancy
[01:45:10] there's going to be some infrastructure
[01:45:12] involved that has a subscription cost
[01:45:15] but the cost of high availability in the
[01:45:17] cloud is generally less than a company
[01:45:19] trying to achieve High availability on
[01:45:22] their own but it needs to be cost
[01:45:23] effective at the end of the day the cost
[01:45:26] of building resiliency should be less
[01:45:28] than the cost of business
[01:45:32] Interruption and congratulations you've
[01:45:34] made it to the end of domain three of
[01:45:37] the ccsp exam cram series as always I
[01:45:40] hope you're getting value from the
[01:45:41] series if you have any questions feel
[01:45:43] free to leave those in the comments
[01:45:46] section below this video or reach out on
[01:45:48] LinkedIn in a private chat and I'll look
[01:45:51] forward to seeing you in domain four so
[01:45:53] until next time take care and stay safe
[01:45:57] [Music]