
In this video we will cover:
Cloud Platform and Infrastructure Security
Infrastructure
Virtualization
Hypervisors
In this video you will learn:
This domain is 17% of the test. In this domain, you will need to look at things from both the customer's point of view and the cloud provider's perspective. The key to understanding cloud computing is to look at the common underlying attributes and characteristics of the technologies and concepts described. The more you understand the underlying cloud technology, the better off you are for both the exam and the real world.
The truth is, this is a data center class. It is current data center technology that enables companies like Amazon to sell their web services.
In order to virtualize machines (servers, computers, routers, switches, etc.) we use hypervisors. A Type 1 hypervisor is the operating system that you load directly on the bare-metal device you have just put in an equipment rack in a data center.
Type 2 hypervisors are used mostly on personal equipment. The laptop or desktop computer you are sitting at could have a Type 2 hypervisor. It allows you to load a second or third operating system on top of the native OS. So in Type 1, you have the hardware and you put the hypervisor directly on top of it. In Type 2, your laptop or desktop has a host operating system, which then allows you to build a virtual machine on top of it by adding that Type 2 hypervisor in the middle.
I recommend that you download and look through all of the additional content you will find throughout these videos. Here you also have the Guidance 4.0 from the CSA. It is a good thing to review as this is a CSA exam.
We encourage you to learn more about Intro to Platform & Infrastructure by watching this complete video. See you in the Next Video.
In this video we will cover:
Architecture
Physical
Logical
Service Orchestration — NIST SP 500-292
Abstraction
In this video you will learn:
Let's start with the physical. There must be a data center with racks for the equipment. Then the actual hardware, e.g., routers, switches, and servers, is added.
This breaks down into the four layers of the architecture: applistructure, infrastructure, infostructure, and metastructure.
Infrastructure is the physical structure of the cloud. It is comprised of switches, servers, routers, etc.
Metastructure is where you encounter virtualizing of the physical. Everything from the hypervisor to virtual machines is found here.
Infostructure is the structure of cloud storage. It is where you find SANs or vSANs.
Applistructure refers to the deployed applications and their underlying services, e.g., messaging and queues.
In order to build a cloud, we need three things: storage, compute, and network. These three elements have to be there in order for the cloud to work.
We have also highlighted some more key points in this short video. We encourage you to learn more about Architecture by watching this complete video. See you in the Next Video.
In this video we will cover:
Storage
Compute
Network
Cloud Management Plane
In this video you will learn:
Cloud requires three things, storage, compute, and network capabilities.
We need to have storage to place the data. There are two types of storage, one is block storage and the other one is object storage.
Next is the compute capability. This provides the ability to create VMs.
And, then we need network capability. This allows for virtualized networks to be built within the host servers running a hypervisor.
To log into the physical server we need the management plane. Logging into the hypervisor allows us to build virtual servers, virtual databases, virtual desktops, and virtual networking devices. Since the management plane allows for the monitoring and configuration of cloud resources it must be protected. Choose multi-factor authentication!
We encourage you to learn more about Compute, Storage, and Network by watching this complete video. See you in the Next Video.
In this video we will cover:
Networking
Switch and MAC Address
LAN
In this video you will learn:
Today's businesses rely on their networks. Without them, most businesses barely function. Without a network, we don't have a cloud. As we build the cloud, the provider must still build a traditional network with real switches and routers. For the customer to function, we virtualize the networks and put them inside the servers by using hypervisors.
If you are not familiar with the basics of networking it is essential that you study it. If you already know IP addresses, DHCP servers, and what a router is (among many other pieces) then you could skip this section. But do make sure that you have the basics.
We need to know LANs, WANs, routers, and switches (and more). Switches are the most common device that we probably have in networks today. Switches are used to create LANs.
Switches make forwarding decisions based on MAC addresses that are learned by listening to network traffic.
We have also highlighted some key points related to switches and LAN.
We encourage you to learn more about Intro to Networking and Switches by watching this complete video. See you in the Next Video.
In this video we will cover:
VLAN
In this video you will learn:
A VLAN allows different computers and devices to be connected virtually to each other as if they were in a LAN sharing a single broadcast domain.
VLANs emulate real LANs. Broadcast packets are forwarded within a LAN/VLAN.
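Added example (not code from the course): a small learning switch that does what the last two sections describe. It learns which port each source MAC came from, forwards known unicast frames to that port, and floods broadcasts and unknown destinations only to ports in the same VLAN, so two VLANs on one switch stay separate broadcast domains. The port-to-VLAN map and the MAC addresses are constructed for the demo.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Learns which port each MAC lives on by listening to traffic, per VLAN."""

    def __init__(self, port_vlans):
        # port_vlans: {port_number: vlan_id}; every port here is an access port
        self.port_vlans = dict(port_vlans)
        # Forwarding table learned from source addresses: (vlan, mac) -> port
        self.mac_table = {}

    def receive(self, in_port, src_mac, dst_mac):
        """Handle one frame; return the sorted list of ports it is sent out of."""
        vlan = self.port_vlans[in_port]
        # Learning step: the sender is reachable through the ingress port
        self.mac_table[(vlan, src_mac)] = in_port
        if dst_mac == BROADCAST:
            out_port = None
        else:
            out_port = self.mac_table.get((vlan, dst_mac))
        if out_port is None:
            # Broadcast or unknown unicast: flood, but only within this VLAN's
            # broadcast domain, never to ports that belong to another VLAN
            return sorted(p for p, v in self.port_vlans.items()
                          if v == vlan and p != in_port)
        if out_port == in_port:
            return []  # sender and receiver share the ingress port; nothing to do
        return [out_port]


def demo():
    """Three hosts in VLAN 10 (ports 1-3) and two in VLAN 20 (ports 4-5)."""
    sw = LearningSwitch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    a, b, c = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
    return {
        # A has never been seen, so its broadcast floods VLAN 10 only
        "a_broadcast": sw.receive(1, a, BROADCAST),
        # B replies to A: A was learned on port 1, so this is a unicast forward
        "b_to_a": sw.receive(2, b, a),
        # C in VLAN 20 addresses A's MAC: unknown in VLAN 20, floods port 5 only
        "c_to_a": sw.receive(4, c, a),
    }
```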
We encourage you to learn more about VLAN & Virtualized LAN by watching this complete video. See you in the Next Video.
In this video we will cover:
IP and Routers
DHCP
In this video you will learn:
Routers are the connection point between the LAN and the WAN. A router uses layer 3 IP addresses to make decisions as to where a packet should be sent. At a minimum, they are used to route from a LAN to the Internet or WAN connection. They can also be used to route traffic between subnets within a LAN.
The router determines the best route a packet can take based on knowledge of the network that has been stored in the routing tables. Routing tables are built using routing protocols such as OSPF that enable routers to communicate with other routers to exchange knowledge of the networks.
The Dynamic Host Configuration Protocol (DHCP) is used to dynamically assign IP addresses to devices (virtual or real) on a network (virtual or real).
We encourage you to learn more about IP and Routers by watching this complete video. See you in the Next Video.
In this video we will cover:
Software-Defined Networking
SDN PLANES
In this video you will learn:
SDN is a method of managing switches within a network that differs dramatically from older technology. An SDN relieves the switch of the work of making forwarding decisions and places that burden on a controller node. This effectively divides the switch's work into two planes: the control plane and the data plane.
The control plane allows the switch to request a decision from the controller when a new traffic flow is received. This allows the switch to just forward frames, which is what switches are very good at. The frames are sent along on the data plane.
The controller allows for a single point of control within a network which is useful for management, security, and a host of many other benefits.
SDN is typically found within the physical network (not virtual) at a cloud or service provider today, although it can be used on a virtual network like you would find within Infrastructure as a Service (IaaS).
The data plane allows the switch to just be a switch, meaning it simply forwards your data. The control plane is what allows the switch to talk to the controller.
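Added example, not from the course: a toy model of the two planes. The switch forwards from its own flow table (data plane) and asks the controller only when a flow is new (control plane), so the controller's query count shows it is consulted once per flow, not once per packet. The allow-list policy and host names are constructed for the demo.

```python
class FlowController:
    """Control plane node: holds the policy and is asked only about new flows."""

    def __init__(self, allowed_flows):
        # Constructed allow-list of (src_host, dst_host) pairs; anything else drops
        self.allowed = set(allowed_flows)
        self.queries = 0  # how often a switch had to ask (control-plane load)

    def decide(self, src, dst):
        self.queries += 1
        return "forward" if (src, dst) in self.allowed else "drop"


class SdnSwitch:
    """Data plane element: forwards from its flow table, asks controller on a miss."""

    def __init__(self, controller):
        self.controller = controller
        self.flow_table = {}  # (src, dst) -> action installed by the controller

    def handle(self, src, dst):
        key = (src, dst)
        if key not in self.flow_table:
            # First packet of a flow: ask the control plane, then cache the answer
            self.flow_table[key] = self.controller.decide(src, dst)
        return self.flow_table[key]


def run_traffic(packets, allowed_flows):
    """Push a sequence of (src, dst) packets through one switch.

    Returns (actions, controller_queries): the actions applied to each packet
    and how many times the controller was consulted."""
    ctl = FlowController(allowed_flows)
    sw = SdnSwitch(ctl)
    actions = [sw.handle(src, dst) for src, dst in packets]
    return actions, ctl.queries
```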
We encourage you to learn more about Software-Defined Network by watching this complete video. See you in the Next Video.
In this video we will cover:
Content Distribution Network
In this video you will learn:
In a CDN you have origin servers and edge servers. The perfect example of a Content Distribution Network (CDN) is Netflix. Let's suppose, for the sake of an easier description, that Netflix has one server in California and all the movies are on that one server. If someone in London is watching a specific movie, then it has to have been sent from California to London.
If you are in London and you were to watch the same movie, it would be easier if it were sent to the UK once and then cached on a local edge server. Once cached, anyone who wants to watch it at about the same time can just pull the movie locally. So you can imagine that the 'trending near me' section you see when you log into Netflix is telling you which shows are being watched near you and are currently cached on that edge server.
If Netflix convinces others to watch that same movie, the bandwidth across the US and the Atlantic Ocean is not tied up with multiple streams of the same movie, all because the movie has been cached locally.
If nobody is watching it then it disappears from trending near me and the cache on the edge server.
We encourage you to learn more about the Content Distribution Network by watching this complete video. See you in the Next Video.
In this video we will cover:
Virtual Private Network
In this video you will learn:
A Virtual Private Network (VPN) is described by security professionals as an encrypted tunnel. Tunneling brings with it the idea of authentication. The encryption then protects the traffic flow for confidentiality purposes. The VPN technologies we use today are TLS (formerly SSL), SSH, and IPsec.
We encourage you to learn more about the Virtual Private Network by watching this complete video. See you in the Next Video.
In this video we will cover:
DNS & DNSSEC
In this video you will learn:
How do you get to Netflix? If you are not using the app, you can go to netflix.com. The routers and switches don’t know anything about the domain Netflix.com. The only thing that the network can work on today is IP addresses.
If we are using the IP-based network it has to have an IP address in order to be able to route data to the right destination. So what we need in order to be able to do that is something called Domain Name System (DNS).
DNS will convert the name/URL that the user is attempting to access into an IP address for transmission. DNSSEC (Domain Name System Security Extensions) adds security to DNS: origin authentication of DNS data, data integrity, and authenticated denial of existence.
We encourage you to learn more about DNS & DNSSEC by watching this complete video. See you in the Next Video.
In this video we will cover:
OS Hardening
In this video you will learn:
One good thing you should do with any device plugged into any network anywhere is harden it. We need to take care of servers, especially those that are connected to the outside world.
We need to harden anything that is in the Demilitarized Zone (DMZ). If it's in the DMZ, that means it is accessible from the internet. Operating systems need to be hardened, or secured, to minimize the attack surface.
You also need to make sure that your systems are patched.
You need to remove the default account; if it cannot be deleted, it should be renamed.
Change the default password.
Shut down unnecessary services.
Close unused ports.
We encourage you to learn more about OS Hardening by watching this complete video. See you in the Next Video.
In this video we will cover:
Redundant Servers
Server Clusters
DRS (Distributed Resource Scheduling)
Dynamic Optimization
In this video you will learn:
Another good thing to do in networks is to have redundant servers. A redundant server pair is installed with one server actively processing data and the other passively waiting until it is needed. So the servers are active/passive.
Server clusters are installed with all (or both) servers handling or processing data. So the servers are active/active.
Along with server clusters and redundant servers we have DRS (Distributed Resource Scheduling) and DO (Dynamic Optimization).
DRS - A cloud function that allows resources to be managed dynamically. When a VM is started it can be placed where it best fits by DRS rather than the cloud administrator selecting a location. As resources are used and VMs expand their needs they can be moved dynamically to other servers.
Using Dynamic Optimization (DO) you get the same basic support found with DRS, but here it is used to support server clusters. It is possible to perform a live migration of Virtual Machines (VMs) and Virtual Hard Drives (VHDs) within a host cluster.
We have also highlighted some important points related to Compute Dynamic Optimization and Storage Dynamic Optimization.
We encourage you to learn more about the DRS & DO by watching this complete video. See you in the Next Video.
In this video we will cover:
Network Security Group
Storage Area Network (SAN)
Fibre Channel
World Wide Name (WWN)
iSCSI
In this video you will learn:
A Security Group (SG) or Network Security Group (NSG) is a virtual LAN protected by a firewall. Microsoft uses NSGs to secure traffic flow within the virtual network. It is a little bit of firewall logic and a little bit of VLAN logic combined.
The more data we have, the more we need a SAN. You can think of a SAN as many massive drives attached to a LAN that is dedicated to this purpose. For a Storage Area Network we have two protocols, Fibre Channel and iSCSI.
Fibre Channel uses a different addressing scheme and presents storage as LUNs (Logical Unit Numbers). If necessary, Fibre Channel can be run across Ethernet. iSCSI carries the SCSI (Small Computer System Interface) protocol over TCP/IP. SCSI is a protocol developed by ANSI for attaching something like a printer directly to a computer.
We encourage you to learn more about the NSG and SAN by watching this complete video. See you in the Next Video.
In this video we will cover:
Data Storage
In this video you will learn:
When we talk about storage, there are two fundamental kinds: structured and unstructured. Structured storage vs. unstructured storage is the base logic. Then you can apply different terms to it, like block, volumes, blobs, and so on, depending on the deployment models of SaaS, IaaS, or PaaS.
Be careful with the terms structured and unstructured. They are used both for data storage and for the organization of data itself. They are similar, yet different. Traditionally structured data is a database and unstructured data is big data.
You can match the two - a database (structured) stored in block storage (structured). But it is not a requirement. A database can be saved as a file and stored within a blob (unstructured).
We encourage you to learn more about Data Storage by watching this complete video. See you in the Next Video.
In this video we will cover:
Redundant Array Of Independent Discs (RAID)
Erasure Coding
In this video you will learn:
RAID is a tool that is designed to prevent the loss of data when a server has a hard drive that fails.
RAID 0 stripes data across many drives. It is fast to write, but it does not help when a drive fails.
RAID 1 mirrors the data to a second drive. If a drive fails it will be ok because the data is written to the second drive as well.
RAID 5 stripes data across multiple drives and puts the parity information for each block of data on a different drive. Parity information is created for every block of data written to a drive. If a drive fails, the lost data can be recreated from the parity field.
Now how do we do this in the cloud? Erasure coding emulates RAID in the cloud. Data is chunked (sharded) and then stored across multiple drives. The difference is that the drives are on different servers. Then parity is created and stored separately from the block of data that it represents. If a drive is lost, that chunk of data can be recreated from the associated parity field.
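Added example, not code from the course: RAID 5 style single-parity striping in Python, with the parity chunk rotating across drives, then a whole-drive loss rebuilt from the survivors. The sample text, three data drives and 4-byte chunks are assumed for the demo; erasure coding in the cloud spreads these chunks over different servers (and production codes such as Reed-Solomon tolerate more than one loss), but the rebuild-from-parity idea is the same.

```python
def xor_chunks(chunks):
    """XOR equal-length byte chunks together: the RAID 5 parity operation."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, byte in enumerate(chunk):
            out[i] ^= byte
    return bytes(out)


def encode_raid5(data, data_drives, chunk_size):
    """Split data into stripes of data_drives chunks plus one XOR parity chunk.

    Returns a list of stripes; each stripe lists data_drives + 1 chunks in drive
    order. The parity chunk moves to a different drive on each stripe, as RAID 5
    does, so parity is not concentrated on one drive."""
    stripe_bytes = data_drives * chunk_size
    # Pad so every stripe is full; the true length is kept separately (see decode).
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    stripes = []
    for s in range(len(padded) // stripe_bytes):
        block = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        chunks = [block[i * chunk_size:(i + 1) * chunk_size]
                  for i in range(data_drives)]
        stripe = chunks[:]
        stripe.insert(s % (data_drives + 1), xor_chunks(chunks))
        stripes.append(stripe)
    return stripes


def rebuild_chunk(stripe, lost_drive):
    """Recreate the chunk on lost_drive from every other chunk in the stripe.

    XOR of all surviving chunks gives back the missing one, whether the missing
    chunk held data or the parity itself."""
    return xor_chunks([c for i, c in enumerate(stripe) if i != lost_drive])


def decode_raid5(stripes, data_drives, length):
    """Reassemble the original bytes, dropping each stripe's parity and padding."""
    out = bytearray()
    for s, stripe in enumerate(stripes):
        parity_drive = s % (data_drives + 1)
        out += b"".join(c for i, c in enumerate(stripe) if i != parity_drive)
    return bytes(out[:length])


def simulate_drive_failure(data, data_drives, chunk_size, lost_drive):
    """Encode data, lose one whole drive, rebuild every affected chunk, decode."""
    stripes = encode_raid5(data, data_drives, chunk_size)
    rebuilt = []
    for stripe in stripes:
        degraded = [None if i == lost_drive else c for i, c in enumerate(stripe)]
        degraded[lost_drive] = xor_chunks([c for c in degraded if c is not None])
        rebuilt.append(degraded)
    return decode_raid5(rebuilt, data_drives, len(data))


# Constructed sample data for the demo (43 bytes, so the last stripe is padded).
SAMPLE = b"The quick brown fox jumps over the lazy dog"
```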
We encourage you to learn more about RAID & Erasure Coding by watching this complete video. See you in the Next Video.
In this video we will cover:
Cloud Infrastructure Risks
Egregious 11
In this video you will learn:
There are many cloud issues. There are two documents from the Cloud Security Alliance, and the Egregious 11 is one of them. It is not in the 2022 exam outline, but it is still good to look at. These are significant problems with the cloud today. It is worth your time to look into these and be familiar with them regardless of whether (ISC)2 mentions this document name.
Misconfiguration and Inadequate Change Control are huge problems today. Moving to the cloud usually means that there will be more virtual machines than you had in the physical environment. Configuration issues are rising to the top of the problems that we are seeing. For example, AWS S3 has a default configuration that does not include encryption of the stored data.
When you don't carefully control the configurations of the servers that are in the cloud, like routers, switches, and everything else that is virtualized, it is going to be a problem. That leads us to the third risk, which is Lack of Cloud Security Architecture and Strategy.
We encourage you to learn more about Egregious 11 by watching this complete video. See you in the Next Video.
In this video we will cover:
Egregious 11 6-11
In this video you will learn:
The Egregious 11 continues with some threats that have neither changed nor improved: insider threats and insecure APIs. It is a good idea to be familiar with APIs, but we will address that later.
There are some new threats that have been added (since the Treacherous 12): weak control plane, metastructure and applistructure failures, and limited cloud visibility. The CSA uses the term 'control plane' to refer to what is often called the 'management plane'. You must protect this connection. It is how you, or a hacker, can control your cloud. Again, think multi-factor authentication.
We encourage you to learn about Egregious 11 by watching this complete video. See you in the Next Video.
In this video we will cover:
Treacherous 12
In this video you will learn:
So the Egregious 11 replaced the Treacherous 12. The Egregious 11 is more important than the Treacherous 12 when preparing for this test.
A quick look at these is a good idea though.
We encourage you to learn more about Treacherous 12 by watching this complete video. See you in the Next Video.
In this video we will cover:
Risk Assessments / Analysis
In this video you will learn:
There are so many threats that could be realized. Which threats are ones we really need to prepare for? Which threat is the biggest? What would be the most costly? What is the most likely? To uncover those answers we do risk assessments and work towards the best solutions for our business.
Risk appetite is the first question to address. How much risk is the CEO willing to take on in the pursuit of their business? Are they risk-aggressive or risk-averse?
The risk profile is the amount of risk an organization can tolerate before it would cease to exist.
We have also highlighted some other key points in this short video. We encourage you to learn more about Risk appetite and risk profile by watching this complete video. See you in the Next Video.
In this video we will cover:
Risk Tolerance
In this video you will learn:
There is a tolerance around risk appetite. Risk tolerance can be used as an indicator of the status of risk. There is a level of tolerance that exists above and below what the CEO believes their risk appetite to be. There are times when they will be a little more risk aggressive and times when they are more risk-averse. That variation gives you risk tolerance.
We have also highlighted some other key points in this short video. We encourage you to learn more about Risk Tolerance by watching this complete video. See you in the Next Video.
In this video we will cover:
Basics To Risk
In this video you will learn:
You should definitely be aware of the fundamental terms of risk management.
The first term is an asset. For example my iPhone.
The second thing is a threat. Some kind of harm can happen to the asset. It will impact confidentiality, integrity, and/or availability.
The next thing is the threat source. The threat source is the who or what that causes the threat to be exploited.
The vulnerability is that your phone is small and portable, making it easy to drop.
The impact is the extent of the damage caused by this threat being exploited.
The final point is attack/exploit. This is the actual exploitation. It takes this from a theoretical topic to real.
We encourage you to learn more about Basic Risk Terminology by watching this complete video. See you in the Next Video.
In this video we will cover:
Quantitative Risk Assessment
In this video you will learn:
There are documents on how to do risk assessments. They include ISO 31000 - Risk Assessment and ISO/IEC 27005 - Information Security Risk Management. There are some others highlighted in this video.
There are two risk assessment methods explained, one is Qualitative and the other is Quantitative risk assessment. In the Quantitative Method, the monetary impact of specific threat events is assessed. There are formulas to calculate the monetary impact.
If you are worried about a single loss, e.g., you drop your phone and a car runs over it, your asset value is $1,000 and the exposure factor is 100%. The formula is Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF).
The Annual Rate of Occurrence (ARO) is how often this happens per year. When you multiply the SLE by the ARO you get the Annualized Loss Expectancy (ALE).
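Added example, not from the course: a small risk register that applies SLE = AV * EF and ALE = SLE * ARO, ranks threats by ALE so the most costly one per year comes first, and shows how a control that lowers the impact (EF) or the likelihood (ARO) changes the ALE, which is the idea behind risk reduction later in the course. The phone figures ($1,000 and 100%) are the course's; the ARO of 0.1 and the other two register rows are assumed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one event, 0.0 to 1.0
    annual_rate: float      # ARO: how many times per year the event is expected

    def sle(self):
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized Loss Expectancy = SLE * ARO."""
        return self.sle() * self.annual_rate


def rank_by_ale(threats):
    """Most costly threat per year first: the prioritisation the assessment is for."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def annual_saving(threat, new_exposure_factor=None, new_annual_rate=None):
    """ALE reduction from a control that lowers impact (EF) and/or likelihood (ARO)."""
    changes = {}
    if new_exposure_factor is not None:
        changes["exposure_factor"] = new_exposure_factor
    if new_annual_rate is not None:
        changes["annual_rate"] = new_annual_rate
    mitigated = replace(threat, **changes)
    return threat.ale() - mitigated.ale()


# Constructed register. The phone row uses the course's AV and EF; its ARO of 0.1
# (once in ten years) and the other two rows are assumed for the demo.
REGISTER = [
    Threat("phone dropped and run over", 1_000, 1.0, 0.1),
    Threat("laptop stolen", 2_500, 0.8, 0.08),
    Threat("phishing account takeover", 50_000, 0.2, 0.5),
]
```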
We have also highlighted some key points in this short video. We encourage you to learn more about Quantitative Risk Assessment by watching this complete video. See you in the Next Video.
In this video we will cover:
Qualitative Risk Assessment
In this video you will learn:
Qualitative risk assessments are a little bit easier. This is when you map the likelihood of an event happening to its expected impact. When you map dozens or hundreds of events you can then prioritize the events that you will prepare for.
If we are talking about the phone again and the concern of dropping it and running it over with a car, the questions are how likely that is and what its impact would be. Not likely and not big are the basic answers.
We encourage you to learn more about Qualitative Risk Assessment by watching this complete video. See you in the Next Video.
In this video we will cover:
Risk Reduction/ Mitigation
Risk Transference
Risk Avoidance
Risk Acceptance
In this video you will learn:
After getting through quantitative and qualitative risk assessments the next question to address is “What should we do about it?” There are four choices. Reduce your risk, transfer your risk, avoid your risk and accept your risk.
Let’s start with avoidance. If it’s too risky, don’t do it. When a risk is determined to be too great that activity should not be started. If the business is already engaged, then it should be stopped.
Risk reduction is applying controls to minimize the likelihood or impact. For example, putting on a mask to reduce the chance of getting COVID.
Risk transference is involving someone else in the recovery if the risk is realized, for example, insurance. If you get sick with COVID and you are in hospital, then your insurance should cover those expenses.
The last one is risk acceptance, no matter what else is done in response to risk, there is always at least a chance a risk will occur and there will be an impact felt. That chance must be accepted by the appropriate party.
We have also highlighted some key points in this short video. We encourage you to learn more about Risk Response by watching this complete video. See you in the Next Video.
In this video we will cover:
Identity And Access Management
Identification and Authentication
In this video you will learn:
We will cover the basics of Identity and Access Management (IAM). With that, we have Identification, Authentication, Authorization, and Accountability (IAAA).
Identification- Statement of who you say you are.
Authentication- Verification of claimed identity.
Authorization- Permissions granted or not.
Accountability- Log created so that someone can be held accountable for their actions.
In authentication, there are three factors.
Factor 1 is something you know, e.g., passwords.
Factor 2 is something you have, such as soft or hard tokens.
Factor 3 is something you are. A biometric which would be behavioral or physiological, such as a fingerprint or a vocal print.
We encourage you to learn more about Basic IAAA Introduction by watching this complete video. See you in the Next Video.
In this video we will cover:
Authorization
Accountability
RBAC
In this video you will learn:
The next step is to identify what level of access we should grant. It means granting access and privileges, or not. Decisions could be based on classification/clearance combinations, ACLs, RBAC, etc.
The next important thing is logging. It is critical to decide what level of logging to do. Logs are not automatic within the cloud. Logs are actually a lot of work to make happen: you have to figure out what you are logging, how much you are logging, where to send the logs, and what kind of alerts you need.
Accountability is to create a log to be able to hold users accountable for actions within their accounts.
Role-based access control is an access control methodology that works well in large companies that can easily distinguish roles that contain many users. We have also highlighted more key points in this short video. We encourage you to learn more about Authorization and RBAC by watching this complete video. See you in the Next Video.
In this video we will cover:
Attribute-Based Access Control
In this video you will learn:
The other way to control access is attribute-based. In the early days, we called it Network Access Control (NAC). Access is determined by many different attributes such as patch level, known or unknown device, wired or wireless network access, within or outside of the business VLANs, antimalware status, and firewall status.
We encourage you to learn more about Attribute-based access control by watching this complete video. See you in the Next Video.
In this video we will cover:
Single Sign-On
In this video you will learn:
The next important topic to discuss is you try to add Single Sign-On (SSO) to make things easier for users. Sometimes it makes things easier for bad guys as well. The number of accounts, passwords, tokens and other access mechanisms that we have to try and manage in business today is many per user.
Personally, you can think about your bank account, Amazon account, and many other places to log on that you have a user ID and password. It is a lot to manage.
Most people use a single account to log in; for example, people use Facebook to log in at different places so they don't have to set up more identification and password combinations again and again.
We encourage you to learn more about Single Sign-On by watching this complete video. See you in the Next Video.
In this video we will cover:
SAML
In this video you will learn:
SAML stands for Security Assertion Markup Language. It is considered old because cloud technology evolves very quickly, but SAML is still well supported in the industry today. This is the technology we use to be able to log on with Single Sign-On into the cloud.
SAML is XML based. Let’s take the example of Facebook, when you try to Log on to Facebook in order to access a site you are trying to get to, how is that gonna work? This is a good thing to know.
For example, if you are trying to access a website through Facebook and you see a Facebook button on that website, you click on that button to log in using Facebook, and it redirects you to Facebook. So your computer is connected to Facebook, you log in, and Facebook sends a token through your computer over to that website.
The token is formatted with XML. So the website that the user wants to connect to is the service provider, and Facebook is the identity provider or Identity as a Service (IaaS) provider.
The user's computer is the relaying party. It relays the token from the IaaS provider to the service provider. The service provider is the relying party. They rely on the IaaS provider to authenticate the user.
We encourage you to learn more about SAML by watching this complete video. See you in the Next Video.
In this video we will cover:
OAuth
OpenID
WSFederation
In this video you will learn:
OAuth is Open Authorization, it’s all about the authorization, not authentication. OAuth is really great for mobile, and IoT. It uses JSON rather than XML.
Next is OpenID, which is part of OpenID Connect, which is actually built on the OAuth 2.0 framework. OpenID allows you to use an existing account to sign in to multiple websites without needing to create new passwords.
WS-Federation is an OASIS standard for authentication that results in a security token. It is often associated with Microsoft, but it is an open standard, so it could be used by anybody. It does use SOAP and XML.
We encourage you to learn more about OAuth, OpenID, & WSFederation by watching this complete video. See you in the Next Video.
In this video we will cover:
Cloud Access Security Broker
In this video you will learn:
A CASB is built around trying to see what users are doing. We must know where users are sending data. It monitors what they are looking for and what they actually connect to. If it's an encrypted session, it can do man-in-the-middle monitoring. It can do data loss and leak prevention and inspect DNS queries.
We have also covered some key points from this short video. We encourage you to learn more about CASB by watching this complete video. See you in the Next Video.
In this video we will cover:
Firewall
Firewall Placement
In this video you will learn:
Firewalls are a traditional technology, they are not cloud-specific. Firewalls will block or allow traffic based on its configuration. By default, it should block all traffic. It is good to know how a firewall works. It analyzes incoming packets against a list of rules, which is often called a policy. It compares the incoming packet against each rule in top-down order.
The firewall should be installed between a trusted and untrusted network. That includes between a LAN and a data center.
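Added example, not the course's code: a rule evaluator that does exactly what the section describes, walking a policy top-down, letting the first matching rule decide, and applying an implicit deny when nothing matches. It also flags rules that an earlier, broader rule fully covers, since a mis-ordered allow beneath a catch-all deny never fires. The LAN, data center subnet and the policy itself are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR, or "any"
    dst: str              # destination CIDR, or "any"
    dport: Optional[int]  # destination port, or None for any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dport: int


def _in_net(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(
        cidr, strict=False)


def matches(rule, pkt):
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and _in_net(rule.src, pkt.src_ip)
            and _in_net(rule.dst, pkt.dst_ip)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(policy, pkt):
    """Walk the policy top-down; the first matching rule decides.

    Returns (action, rule_index). A packet that matches nothing gets the
    implicit default of deny, reported with index None."""
    for index, rule in enumerate(policy):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


def _covers(outer, inner):
    """True when every address in `inner` is also in `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(outer, strict=False).supernet_of(
        ipaddress.ip_network(inner, strict=False))


def shadowed_rules(policy):
    """Indexes of rules an earlier rule fully covers, so they can never match."""
    shadowed = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if ((earlier.proto == "any" or earlier.proto == later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(j)
                break
    return shadowed


# Constructed policy for a firewall between a trusted LAN (10.0.0.0/8) and a
# data center subnet (192.168.10.0/24): HTTPS for the whole LAN, SSH only from
# the admin subnet, and an explicit deny-all at the bottom.
POLICY = [
    Rule("allow", "tcp", "10.0.0.0/8", "192.168.10.0/24", 443),
    Rule("allow", "tcp", "10.1.1.0/24", "192.168.10.0/24", 22),
    Rule("deny", "any", "any", "any", None),
]

# The same rules with the SSH allow placed under the deny-all: it is shadowed.
SHADOWED_POLICY = [POLICY[0], POLICY[2], POLICY[1]]
```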
There are visuals in the short video about the Firewall’s placement. We encourage you to learn more about Firewalls by watching this video. See you in the next video.
In this video we will cover:
IDS
IPS
Intrusion Detection Logic
Actions That Are Possible Include
IDS/IPS Placement
In this video you will learn:
An IDS (Intrusion Detection System) is a device or software that monitors and logs network events. An IDS is usually installed on a SPAN port on a switch. This allows it to view traffic by receiving a copy of what was sent through the switch.
It can be installed as a network appliance or on the destination/source host device. When installed on the host it often examines the logs, not the packet.
Meanwhile, the IPS (Intrusion Prevention System) is also a device or software installed on the network or the host. It is inline, for network-based IPS. Traffic must pass through the IPS. By being inline it can actively react to malicious traffic.
The other good question to ask is: how do you know that it is an intrusion? There are two basic ways, signatures and anomalies. We encourage you to learn more about IDS & IPS by watching this complete video. See you in the Next Video.
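Added example (not the course's code) of the two detection approaches named just above, run over a handful of constructed web-server log lines: signature detection matches known-bad patterns in the requested path after URL-decoding it, and anomaly detection flags a source whose requests per minute exceed a multiple of an assumed baseline. The log format, the addresses and the baseline are all constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed log lines: "<epoch_seconds> <source_ip> <method> <path> <status>"
LOG_LINES = """\
1700000000 10.0.0.5 GET /index.html 200
1700000003 10.0.0.5 GET /about.html 200
1700000010 203.0.113.9 GET /search?q=1%20UNION%20SELECT%20password%20FROM%20users 500
1700000011 203.0.113.9 GET /../../etc/passwd 404
1700000012 203.0.113.9 GET /admin 404
1700000013 203.0.113.9 GET /backup 404
1700000014 203.0.113.9 GET /config 404
1700000015 203.0.113.9 GET /login 200
1700000016 203.0.113.9 GET /api 404
1700000017 203.0.113.9 GET /old 404
1700000090 10.0.0.7 GET /index.html 200
""".splitlines()

# Signature detection: known-bad patterns, checked after URL-decoding the path
# so that percent-encoding alone does not hide a match.
SIGNATURES = {
    "sqli-union-select": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def parse_log(lines):
    """Turn each log line into a dict with an integer timestamp and decoded path."""
    events = []
    for line in lines:
        ts, src, method, path, status = line.split()
        events.append({"ts": int(ts), "src": src, "method": method,
                       "path": unquote(path), "status": int(status)})
    return events


def signature_alerts(events):
    """Return (src, signature_name, ts) for every event matching a known pattern."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["path"]):
                alerts.append((ev["src"], name, ev["ts"]))
    return alerts


def anomaly_alerts(events, baseline_per_minute=1.0, factor=5):
    """Flag any source whose requests in one minute exceed factor x baseline.

    The baseline (assumed here) would normally be learned from past traffic;
    returns (src, minute_bucket, count) for each offending bucket."""
    counts = Counter((ev["src"], ev["ts"] // 60) for ev in events)
    threshold = baseline_per_minute * factor
    return [(src, minute, n) for (src, minute), n in sorted(counts.items())
            if n > threshold]
```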
In this video we will cover:
Segmentation
Micro-Segmentation
In this video you will learn:
Segmentation is common with virtualization/hypervisors and virtual LANs. We have new terms with the cloud, such as micro-segmentation. It creates very tiny controlled 'networks'. It is effectively a VLAN with a firewall in front of it. Since everything in the cloud is virtual, we can create small LANs and very carefully control the traffic through the firewall, since we are only allowing access to a single server or even just a single application.
We encourage you to learn more about Micro-Segmentation by watching this complete video. See you in the Next Video.
In this video we will cover:
Hyper-Segmentation
In this video you will learn:
Hyper-segmentation uses the segmentation capability of the hypervisor itself to isolate a workload's traffic from everyone else's.
We encourage you to learn more about Hyper-Segmentation by watching this complete video. See you in the Next Video.
In this video we will cover:
Blast Radius
In this video you will learn:
When you micro-segment, your blast radius becomes very small. The blast radius describes how much damage an attack can cause: once it is understood, you know how many machines and how much data a bad actor's action can impact.
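How micro-segmentation shrinks the blast radius, as an added example covering both the micro-segmentation section and this one (this is not code from the course; the hosts, segments and allowed flows are a constructed environment, and the model assumes an attacker can pivot through any allowed flow):

```python
from collections import deque
from typing import Dict, Set, Tuple

# Constructed environment: six hosts in four micro-segments.
HOSTS: Dict[str, str] = {
    "web1": "web", "web2": "web",
    "app1": "app", "app2": "app",
    "db1": "db",
    "jump1": "mgmt",
}

# Allowed flows as (source segment, destination segment) -> allowed ports.
# Anything not listed is dropped by the firewall in front of each segment.
MICRO_FLOWS: Dict[Tuple[str, str], Set[int]] = {
    ("web", "app"): {8080},
    ("app", "db"): {5432},
    ("mgmt", "web"): {22},
    ("mgmt", "app"): {22},
    ("mgmt", "db"): {22},
}

# A flat network for comparison: one segment, anything talks to anything.
FLAT_HOSTS = {h: "flat" for h in HOSTS}
FLAT_FLOWS = {("flat", "flat"): {0}}  # placeholder port set: any port is allowed


def reachable(hosts: Dict[str, str], flows, start: str) -> Set[str]:
    """Hosts an attacker who owns `start` can reach by pivoting through allowed flows
    (transitively, assuming each reached host can itself be compromised)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for other, seg in hosts.items():
            if other in seen:
                continue
            if flows.get((hosts[cur], seg)):
                seen.add(other)
                queue.append(other)
    seen.discard(start)
    return seen


def blast_radius(hosts: Dict[str, str], flows, start: str) -> float:
    """Fraction of the other hosts exposed by a compromise of `start`."""
    others = len(hosts) - 1
    return len(reachable(hosts, flows, start)) / others if others else 0.0


if __name__ == "__main__":
    for host in HOSTS:
        print(f"{host:>6}: flat {blast_radius(FLAT_HOSTS, FLAT_FLOWS, host):.0%}, "
              f"micro-segmented {blast_radius(HOSTS, MICRO_FLOWS, host):.0%} "
              f"-> {sorted(reachable(HOSTS, MICRO_FLOWS, host))}")
```

Two things worth noticing in the output: a compromised database host reaches nothing because no flow originates in the db segment, while the management jump host still reaches everything, which is why the jump host deserves the strongest controls of all.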
We encourage you to learn more about Blast Radius by watching this complete video. See you in the Next Video.
In this video we will cover:
Activity Monitors
Database Activity Monitor
File Activity Monitor
In this video you will learn:
We have two types of activity monitors: the database activity monitor (DAM) and the file activity monitor (FAM). A database activity monitor watches users' activity on the database. The database's own logs would show that activity, but if those logs are corrupted, lost or tampered with, that knowledge is gone.
The monitored activity includes who logs in, whose login attempts fail, and the actions they perform on the data itself. The monitor's records are stored outside the database, so users and attackers should not be able to access or modify them.
The file activity monitor does the same for activity on a file storage system. We encourage you to learn more about Activity Monitors by watching this complete video. See you in the Next Video.
In this video we will cover:
Data Loss Prevention
DLPaaS
In this video you will learn:
DLP is Data Loss (or Leak) Prevention (or Protection). A leak is an unacceptable transmission of data, usually by a user. A simple example is a user putting a credit card number in an email, thinking the email is secure.
The organization needs to ensure that data is not leaking out of its network.
DLPaaS is DLP delivered as a service by a cloud provider, which uses this technology to monitor and control the loss of information on the customer's behalf.
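The credit-card-in-an-email case above, as an added example of the content check a DLP engine performs before letting a message out (this is not code from the course or from any DLP product; the email text is constructed, the pattern and the Luhn filter are a common technique rather than any specific vendor's, and `dlp_decision` is a hypothetical policy hook):

```python
import re
from typing import List

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real payment card number passes it, while most other
    digit strings of the same length (order numbers, phone numbers) do not.
    Filtering on it is what keeps a DLP rule from blocking every invoice."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace each detected card number with a masked form keeping the last four digits."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "[CARD-" + digits[-4:] + "]"
        return m.group()
    return CARD_CANDIDATE.sub(_mask, text)


def dlp_decision(message: str) -> str:
    """'block' if the outbound message carries a card number, else 'allow'."""
    return "block" if find_card_numbers(message) else "allow"


# Constructed outbound email. 4111 1111 1111 1111 is the widely published Visa test number
# (Luhn-valid); the 16-digit order reference is not Luhn-valid and must not trigger the rule.
SAMPLE_EMAIL = ("Hi, please charge my card 4111 1111 1111 1111, exp 12/27. "
                "Order ref 1234567890123456. Thanks")

if __name__ == "__main__":
    print(dlp_decision(SAMPLE_EMAIL), find_card_numbers(SAMPLE_EMAIL))
    print(redact(SAMPLE_EMAIL))
```

A real deployment would also look at attachments and at encoded or split-up numbers, but the shape is the same: find candidates, validate them, then block, quarantine or redact according to policy.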
We encourage you to learn more about DLP by watching this complete video. See you in the Next Video.
In this video we will cover:
Hot and Cold Aisles
In this video you will learn:
In a hot aisle/cold aisle layout, rows of racks are arranged so that the fronts of the equipment face each other across one aisle and the backs face each other across the next. The equipment pulls cold air in at the front and pushes hot air out at the back.
The aisle between the fronts is the cold aisle, where chilled air is supplied; the aisle between the backs is the hot aisle, where the exhaust collects and is returned to the cooling units.
It is common to put two rows of racks nearly back to back. A person can squeeze into the hot aisle between them, but you do not normally walk there. Because the hot and cold air streams are kept apart (hot air rises and cold air falls), only the cold aisles need to be cooled rather than the whole floor, which is why the layout reduces the cooling load.
We encourage you to learn more about Hot & Cold Air Aisles by watching this complete video. See you in the Next Video.
In this video we will cover:
Data Center Tiers
In this video you will learn:
There are four data center tiers defined by the Uptime Institute. Tier I is the lowest and Tier IV is the highest.
Tier I is basic capacity: a dedicated space with power, cooling, a UPS and a generator, but a single non-redundant path, so planned maintenance or a component failure takes the site down.
Tier II adds redundant capacity components (N+1) for power and cooling.
Tier III is concurrently maintainable: redundant distribution paths let any component be taken out of service for maintenance without an outage.
Tier IV is fault tolerant: multiple independent, physically isolated power and cooling systems mean that a single unplanned failure does not affect the critical load.
We encourage you to learn more about Data Center Tiers by watching this complete video. See you in the Next Video.
In this video we will cover:
Business Continuity Management
Issues
In this video you will learn:
Business Continuity Management (BCM) is a useful umbrella term for all of the plans a business needs to build: business continuity plans, disaster recovery plans, incident response plans, contingency plans, and so on. The term comes from British Standard BS 25999, since superseded by ISO 22301.
ITIL defines an event as a change of state that has significance for the management of a service.
An incident response plan is defined by NIST SP 800-34 as “The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attack against an organization’s information system(s).”
When an incident recurs and the root cause must be found, we turn to problem management (another ITIL process).
A disaster recovery plan is defined by NIST in SP 800-82 as “A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.”
A business continuity plan is defined by NIST in SP 800-34 as “The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.”
We encourage you to learn more about BCM Introduction by watching this complete video. See you in the Next Video.
In this video we will cover:
Plans
Policy
Project Management Initiation
In this video you will learn:
In order to talk about the plans we need for our cloud, we should put them in the context of proper business continuity management, disaster recovery planning and so on. There needs to be a policy on business continuity that states the goals and objectives for each level of issue that can disrupt the business, from a single incident to full business disruption.
We then move on to project management initiation, which is basically the plan to build the plan. There is not much focus on these first two steps in CCSP, but it is crucial that we do not step over them.
We encourage you to learn more about the Beginning of BCP/DRP planning by watching this complete video. See you in the Next Video.
In this video we will cover:
Business Impact Assessment
In this video you will learn:
In Business Impact Analysis (BIA, also called business impact assessment) we start with risk assessment. BIA is risk assessment plus the identification of time frames: how long a function can be offline, how long it will take us to recover functionality, and so on. That is why it is called business impact analysis and not simply a risk assessment.
A quantitative risk assessment calculates the cost of an incident to the business in numbers, typically money.
A qualitative risk assessment ranks and prioritizes incidents, usually by likelihood and impact, in order to determine what must be protected against.
We encourage you to learn more about BIA part 1 Risk Assessments by watching this complete video. See you in the Next Video.
In this video we will cover:
Business Impact Analysis
MTD (Maximum Tolerable Downtime)
RTO (Recovery Time Objective)
In this video you will learn:
What we do with business impact is add time frames. Maximum Tolerable Downtime (MTD) is the maximum amount of time a system or business function can be offline before the damage to the business becomes unacceptable.
The Recovery Time Objective (RTO) is the time the organization allows itself to do the actual work of recovery; it must be shorter than the MTD, or the plan cannot succeed.
The Recovery Point Objective (RPO) is a point in the past when the last known good backup was created. It is expressed as a unit of time and represents the amount of data the business can afford to lose.
We have also highlighted some more key points in this short video.
We encourage you to learn more about BIA part 2 MTD to RTO by watching this complete video. See you in the Next Video.
In this video we will cover:
RTO to RPO
In this video you will learn:
The Recovery Time Objective (RTO) is the window of time dedicated to performing the work of recovery. If you had a server in a data center and it caught fire, then to recover inside the RTO there must be a server (physical or virtual) ready with a patched operating system and patched applications.
The next step is to load the data. When in the past was the last backup performed and completed? The Recovery Point Objective (RPO) is an expression of the data lost: everything from the last completed backup up to the fire (in this example) is gone. It is normally expressed as a unit of time, so the backup interval, plus the time a backup takes to complete, must fit inside the RPO.
We encourage you to learn more about BIA part 3 RTO to RPO by watching this complete video. See you in the Next Video.
In this video we will cover:
BIA part 4 SDO and RSL
In this video you will learn:
The next question is the level of functionality that must be attained at the recovery site: the Service Delivery Objective (SDO) and the Recovery Service Level (RSL). I use the word functional very specifically. It is not the normal level of processing, but it is enough for the business to survive. So the question is what percentage of your production capacity must exist at the recovery site. We are talking about CPU capacity, number of calls processed, number of transactions performed and so on at the recovery site: enough to let the business return to processing, even though it is not at the normal level.
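The consistency checks that tie the MTD/RTO/RPO discussion and the SDO/RSL question together, as an added example (this is not code from the course; the worksheet rows, the field names and the thresholds are constructed for illustration, and the "backup must have completed" rule follows the fire scenario in the RTO-to-RPO section above):

```python
from typing import Dict, List, Tuple

# Constructed BIA worksheet rows. Hours throughout; percentages are of normal production capacity.
BIA_ROWS = [
    {"name": "Order processing", "mtd_h": 24, "rto_h": 8, "rpo_h": 1,
     "backup_interval_h": 1, "backup_duration_h": 0.25,
     "rsl_pct": 60, "recovery_capacity_pct": 75},
    {"name": "Payroll", "mtd_h": 72, "rto_h": 96, "rpo_h": 24,
     "backup_interval_h": 24, "backup_duration_h": 2,
     "rsl_pct": 50, "recovery_capacity_pct": 40},
]


def worst_case_data_loss_h(backup_interval_h: float, backup_duration_h: float) -> float:
    """A backup only counts once it has completed, so the data at risk is the interval
    between backups plus the time a backup takes to finish."""
    return backup_interval_h + backup_duration_h


def assess(row: Dict) -> List[Tuple[str, str]]:
    """Check one BIA row for the three classic inconsistencies. Returns (code, message) findings."""
    findings = []
    if row["rto_h"] >= row["mtd_h"]:
        findings.append(("RTO", f"RTO {row['rto_h']}h is not inside MTD {row['mtd_h']}h; "
                                f"the business fails before recovery finishes"))
    loss = worst_case_data_loss_h(row["backup_interval_h"], row["backup_duration_h"])
    if loss > row["rpo_h"]:
        findings.append(("RPO", f"worst-case data loss {loss}h exceeds RPO {row['rpo_h']}h; "
                                f"back up more often or shorten the backup window"))
    if row["recovery_capacity_pct"] < row["rsl_pct"]:
        findings.append(("RSL", f"recovery site delivers {row['recovery_capacity_pct']}% of capacity "
                                f"but the RSL requires {row['rsl_pct']}%"))
    return findings


def assess_all(rows) -> Dict[str, List[str]]:
    """Map each business function to the codes of its findings (empty list = consistent)."""
    return {r["name"]: [code for code, _ in assess(r)] for r in rows}


if __name__ == "__main__":
    for row in BIA_ROWS:
        print(row["name"])
        for code, msg in assess(row) or [("OK", "consistent")]:
            print(f"  [{code}] {msg}")
```

The order-processing row looks fine at a glance (hourly backups for a one-hour RPO) and still fails, because a backup that takes fifteen minutes to complete means up to 1.25 hours of data can be lost; that is the kind of gap a BIA review exists to catch before the plan is tested.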
We encourage you to learn more about BIA part 4 SDO and RSL by watching this complete video. See you in the Next Video.
In this video we will cover:
Cloud Recovery Strategies
In this video you will learn:
We are going to talk very specifically about where the cloud features in recovery strategies. We are not going to talk about hot, cold or mobile sites, but rather just the three cloud solutions. The first is to fail over from a physical data center into the cloud. The second is to fail over within one provider, from one region to another region. The third is to fail over from one cloud provider to a different cloud provider, for example from AWS to Azure. Each option removes one more single point of failure, but each also costs more and is harder to operate, because the data and the automation to rebuild on it must already exist at the target before the disaster.
We encourage you to learn more about cloud Recovery Strategies by watching this complete video. See you in the Next Video.
In this video we will cover:
Document
In this video you will learn:
The next step is to document everything that we learned in this planning process: the procedural steps that make up the business continuity plans and disaster recovery plans.
There are also five levels of tests. We encourage you to learn more about Documenting and Testing the plan by watching this complete video. See you in the Next Video.
The final step is to embed the plan in the organization. This does not mean that everybody has to know every plan; the entire business does not need the details. Wherever the cloud is used, and wherever a change to the cloud is needed, the people who need to know about the plan must know about it.
In this course we walk through all of the critical concepts within the Cloud Platform & Infrastructure domain. This domain is 17% of the test. I will guide you through all of the concepts that you need to know and advise you on the level of knowledge you need to get comfortable with.
There are over 5 hours of video content plus course notes based on information from my book, Cloud Guardians.
We will take a look at networking. At its core this is a data center class: it is current data center technology that allows companies like Amazon to sell services that live on their network. If you are not comfortable with the basics of how networks work, it is essential to take a look. If you are already familiar with switches, routers, IP and such, I have separated out those video sections so that it is easy to breeze right on by.
We will walk through risk analysis, evaluation and response. We will look at basic risk terms, from asset and threat to risk appetite and tolerance. It is also very good to know what quantitative and qualitative risk assessments are, although you do not need to perform any calculations on the test at this time.
We also take a brief look at the Cloud Security Alliance's Egregious 11 and Treacherous 12 documents. The Treacherous 12 is a fairly basic way to look at problems in the cloud, while the Egregious 11 gets a bit more technical: not to the level of the OWASP Top 10, but still worth a little time. They describe the actual problems (at least some of them) that we have with the cloud today.
We will also look at Business Continuity Management (BCM). It is an abbreviated view, as we do not need to go into things like the difference between a hot site and a cold site. Instead the question is where the cloud fits into BCM. Do make sure that you know your time frames, e.g., MTD, RTO, RPO, etc.