Category Archives: CCIE SP

CCIE Evolving Technologies – Cloud Security and Privacy

Cloud Security and Privacy Overview

Here is another post to help you with the new Evolving Technologies section of the written exams for CCIE. This is from the Cloud section, and specifically addresses the Security and Privacy sub-bullet.

The Top Concerns

What should be your topmost concerns in this area? Here they are:

  • Secure data transfers – ensuring data travels over IPsec, TLS, or similarly protected channels is critical as information moves from your users to private, public, or hybrid clouds; public and hybrid clouds present more risk because the Internet is often the transport medium.
  • Secure software interfaces – the APIs you and your provider use to manage and consume cloud services are themselves an attack surface, so they must authenticate callers, authorize each request, and protect data in transit, not just expose functionality.
  • Secure stored data – for storage in the cloud ecosystem, is your data receiving the security and privacy it requires (encryption at rest, key management, integrity protection), and how does the cloud provider dispose of data and media once you delete it?
  • User access control – who has access to your data in the cloud? This is especially critical if your data is maintained by a public provider whose staff and other customers fall outside your corporate scope.
  • Data separation – if you are using cloud services in a multi-tenant environment, what techniques are in use to prevent one tenant's data from leaking to another tenant?
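The following is an added example, not code from the original post, showing one concrete way to address the data separation and user access control concerns listed above: every tenant gets its own data key derived from a single master key with HKDF (RFC 5869, implemented here with the standard library's hmac module), and the store checks ownership before releasing any object. The master key, tenant names and objects are constructed for illustration; a real deployment would keep the master key in the provider's KMS or an HSM and would encrypt the payload with an authenticated cipher rather than only tagging it with an HMAC as done here.

```python
"""Tenant data separation: per-tenant keys from one master key, plus an
ownership check before any stored object is released.

Added example; not from the original post. MASTER_KEY and the tenants below
are constructed for illustration only.
"""
import hashlib
import hmac

# Constructed master key. In production this lives in a KMS/HSM, never in code.
MASTER_KEY = bytes(range(32))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 can output at most 8160 bytes")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tenant_key(master_key: bytes, tenant_id: str) -> bytes:
    """Derive a 256-bit data key bound to one tenant.

    The tenant ID is mixed in as HKDF 'info', so tenant A's key is unrelated
    to tenant B's even though both derive from the same master key.
    """
    return hkdf_sha256(master_key, salt=b"tenant-dek-v1", info=tenant_id.encode(), length=32)


class TenantStore:
    """Object store that records the owner of every object, tags it under the
    owner's tenant key, and refuses cross-tenant reads."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._objects = {}  # object_id -> (owner_tenant, payload, tag)

    def put(self, tenant_id: str, object_id: str, payload: bytes) -> None:
        tag = hmac.new(tenant_key(self._master, tenant_id), payload, hashlib.sha256).digest()
        self._objects[object_id] = (tenant_id, payload, tag)

    def get(self, requesting_tenant: str, object_id: str) -> bytes:
        entry = self._objects.get(object_id)
        # Unknown object and foreign object produce the same error, so a tenant
        # cannot use the error message to enumerate other tenants' object IDs.
        if entry is None or entry[0] != requesting_tenant:
            raise PermissionError("object not found")
        owner, payload, tag = entry
        expected = hmac.new(tenant_key(self._master, owner), payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        return payload


if __name__ == "__main__":
    store = TenantStore(MASTER_KEY)
    store.put("acme", "invoice-1", b"acme confidential")
    print(store.get("acme", "invoice-1"))
    try:
        store.get("globex", "invoice-1")
    except PermissionError as e:
        print("cross-tenant read refused:", e)
```

The HKDF routine is checked against the first RFC 5869 test vector, so the derivation itself, not just the access check, is verified.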

Cloud Security Controls

These tend to fall into these categories:

  • Deterrent controls – intended to reduce attacks on a cloud system. Much like a warning sign on a fence or a property, deterrent controls typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed.
  • Preventive controls – strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities. Strong authentication of cloud users, for instance, makes it less likely that unauthorized users can access cloud systems, and more likely that legitimate cloud users are positively identified.
  • Detective controls – intended to detect and react appropriately to any incidents that occur. In the event of an attack, a detective control signals the preventive or corrective controls to address the issue. System and network security monitoring, including intrusion detection and prevention arrangements, is typically employed to detect attacks on cloud systems and the supporting communications infrastructure.
  • Corrective controls – reduce the consequences of an incident, normally by limiting the damage. They come into effect during or after an incident. Restoring system backups in order to rebuild a compromised system is an example of a corrective control.
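To make the hand-off from a detective control to a corrective control concrete, here is an added example (not code from the original post) that runs a sliding-window failed-login detector over audit records and turns each finding into a response plan. The log lines are constructed for illustration in a simple comma-separated shape (timestamp, event, principal, source IP, outcome) and do not follow any specific provider's audit-log format; the action names in the response plan are likewise illustrative rather than a real provider API.

```python
"""Detective control feeding a corrective control over cloud audit logs.

Added example; not from the original post. LOG_LINES are constructed and
the corrective actions are an illustrative plan, not real API calls.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample audit records: alice mistypes twice and then succeeds,
# mallory fails four times in 30 s, bob fails three times but minutes apart.
LOG_LINES = [
    "2024-05-01T10:00:01Z,ConsoleLogin,alice,203.0.113.5,FAIL",
    "2024-05-01T10:00:05Z,ConsoleLogin,alice,203.0.113.5,FAIL",
    "2024-05-01T10:00:20Z,ConsoleLogin,alice,203.0.113.5,SUCCESS",
    "2024-05-01T10:01:00Z,ConsoleLogin,mallory,198.51.100.7,FAIL",
    "2024-05-01T10:01:10Z,ConsoleLogin,mallory,198.51.100.7,FAIL",
    "2024-05-01T10:01:20Z,ConsoleLogin,mallory,198.51.100.7,FAIL",
    "2024-05-01T10:01:30Z,ConsoleLogin,mallory,198.51.100.7,FAIL",
    "2024-05-01T10:05:00Z,ConsoleLogin,bob,192.0.2.9,FAIL",
    "2024-05-01T10:08:00Z,ConsoleLogin,bob,192.0.2.9,FAIL",
    "2024-05-01T10:11:00Z,ConsoleLogin,bob,192.0.2.9,FAIL",
]


def parse(line: str) -> dict:
    """Split one constructed audit line into a record with a UTC timestamp."""
    ts, event, principal, src_ip, outcome = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event": event, "principal": principal, "src_ip": src_ip, "outcome": outcome,
    }


def detect_auth_failures(lines, threshold=3, window_s=60):
    """Detective control: flag a principal with >= threshold failed logins
    inside a sliding window of window_s seconds.

    Returns {principal: timestamp of the failure that crossed the threshold}.
    Each principal is reported once, at first detection.
    """
    recent = defaultdict(deque)  # principal -> timestamps of recent failures
    findings = {}
    for rec in map(parse, lines):
        if rec["event"] != "ConsoleLogin" or rec["outcome"] != "FAIL":
            continue
        q = recent[rec["principal"]]
        q.append(rec["ts"])
        # Drop failures that have aged out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and rec["principal"] not in findings:
            findings[rec["principal"]] = rec["ts"]
    return findings


def corrective_actions(findings):
    """Corrective control: the response plan an automated responder would
    issue for each flagged principal. Returned as data rather than executed
    because the real calls are provider-specific."""
    return {
        p: ["disable_access_keys", "terminate_active_sessions", "force_password_reset"]
        for p in sorted(findings)
    }


if __name__ == "__main__":
    found = detect_auth_failures(LOG_LINES)
    for principal, actions in corrective_actions(found).items():
        print(principal, "->", ", ".join(actions))
```

Tuning matters: with the default 60-second window only mallory is flagged, while widening the window to ten minutes also catches bob's slow, spaced-out attempts. Alice's two failures followed by a success stay below the threshold either way.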

CCIE Evolving Technologies – Cloud Performance and Reliability

Here is my latest installment in the complimentary CCIE Evolving Technologies training that all candidates must master for any CCIE written exam.

CCIE Evolving Technologies – Cloud Performance

Cloud technologies can greatly enhance the performance of your enterprise IT, or they can cause nightmares. Understand that because resources are virtualized and shared, contention for cloud resources that is not properly managed (especially in multitenant environments) can make performance unacceptable.

There are numerous public cloud providers who sell cloud server instances, typically by the hour and priced based on the memory (DRAM) size of the instance. In such an environment, an 8 Gbyte instance might cost roughly eight times as much as a 1 Gbyte instance. Other resources, such as CPUs, are scaled and priced according to the memory size.

The result can be a consistent price/performance ratio, with some discounts to encourage the use of larger systems. Some providers allow you to pay a premium for a larger allotment of CPU resources (a “high-CPU instance”). Other resource usage may also be monetized, such as network throughput and storage.

Cloud technologies provide the unique ability for dynamic capacity allocation. Companies can increase server instances as needed, in reaction to real load. This can also be done automatically via the cloud API, based on metrics from performance monitoring software. A small business or start-up can grow from a single small instance to thousands without the detailed capacity planning study that would be expected in enterprise environments.
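As an added example (not code from the original post) of the automatic, metric-driven capacity allocation described above, the following is a target-tracking scaling policy: it computes the instance count needed to bring average CPU back to a target, scales out immediately, scales in gradually, clamps to a minimum and maximum, and honours a cooldown so that one noisy measurement does not thrash the fleet. The actual provider API calls that would create or terminate instances are not part of the example; the class only decides the desired count, and the parameter values are assumptions chosen for illustration.

```python
"""Target-tracking autoscaling decision logic.

Added example; not from the original post. CPU is expressed as an integer
percentage so the arithmetic is exact. Thresholds are illustrative.
"""
from dataclasses import dataclass


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


@dataclass
class Autoscaler:
    target_cpu_pct: int = 60      # keep average CPU near this level
    min_n: int = 2                # never go below this many instances
    max_n: int = 50               # budget / quota ceiling
    cooldown_s: int = 300         # no further change until this much time has passed
    max_scale_in_frac: float = 0.25  # remove at most this fraction per evaluation
    last_change: float = float("-inf")

    def desired(self, current: int, avg_cpu_pct: int) -> int:
        """Instances needed so that the same total load lands at target CPU,
        clamped to [min_n, max_n]."""
        raw = ceil_div(current * avg_cpu_pct, self.target_cpu_pct)
        return max(self.min_n, min(self.max_n, raw))

    def evaluate(self, current: int, avg_cpu_pct: int, now: float) -> int:
        """Return the instance count to run after this evaluation."""
        if now - self.last_change < self.cooldown_s:
            return current  # still in cooldown; let the last change settle
        want = self.desired(current, avg_cpu_pct)
        if want > current:
            new = want  # scale out to the full need at once
        elif want < current:
            # Scale in cautiously: a load dip may be transient.
            step = max(1, int(current * self.max_scale_in_frac))
            new = max(want, current - step)
        else:
            return current
        self.last_change = now
        return new


if __name__ == "__main__":
    a = Autoscaler()
    n = 4
    for now, cpu in [(0, 90), (100, 95), (400, 95), (1000, 20), (1400, 20)]:
        n = a.evaluate(n, cpu, now)
        print(f"t={now:5d}s cpu={cpu:3d}% -> {n} instances")
```

Scale-in is deliberately asymmetric: a burst of load costs only money if you over-provision, whereas removing too many instances at once turns a brief lull into an outage when traffic returns.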

Storage in the cloud can be an area of concern since when compared to local disk, performance can vary considerably. As a result, some storage services allow an IOPS rate to be purchased when reliable performance is desired.

Virtualization can also improve performance. A virtualized Windows guest provisioned with only the bare minimum of required RAM is often seen to outperform a traditional installation on hardware with dramatically more RAM. This is an excellent aspect of cloud computing.

CCIE Evolving Technologies – Cloud Reliability

While cloud performance is tricky and can be either a risk or a great reward, reliability in the cloud tends to be a much more consistently rewarding proposition.

Contingency planning efforts for continuity of operations and disaster recovery are concerned with designing and implementing cloud architectures that provide run-time reliability, operational resiliency, and automated recovery when interruptions are encountered, regardless of origin.

Technologies featured in IT clouds today that help ensure this include:

  • Resource Pooling
  • Resource Reservation
  • Hypervisor Clustering
  • Redundant Storage

While these technologies address basic failover and availability demands, more specialized and complex approaches include:

  • Dynamic Failure Detection and Recovery
  • Zero Downtime

These help establish resilient cloud architectures that act as pillars for enterprise cloud solutions.
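Here is an added example (not code from the original post) of the dynamic failure detection and recovery approach named above, reduced to its decision logic: each probe round records which members answered, a member is only declared failed after several consecutive misses (so one dropped probe does not trigger a needless replacement), and a failed member is replaced from a standby pool automatically. The member names, standby pool and threshold are assumptions for illustration; the probes themselves and the provider calls that launch replacements are outside the example.

```python
"""Dynamic failure detection with automated recovery from a standby pool.

Added example; not from the original post. Member names and the
miss threshold are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    misses: int = 0  # consecutive probe rounds with no response


class FailureDetector:
    def __init__(self, members, standby, miss_threshold: int = 3):
        self.desired = len(members)
        self.members = {n: Member(n) for n in members}
        self.standby = list(standby)
        self.threshold = miss_threshold
        self.replaced = []  # (failed_member, replacement or None)

    def probe_round(self, responded) -> list:
        """Apply one round of health probes. `responded` is the set of member
        names that answered. Returns the names newly declared failed."""
        responded = set(responded)
        newly_failed = []
        for m in list(self.members.values()):
            if m.name in responded:
                m.misses = 0  # a single good probe clears the streak
            else:
                m.misses += 1
                if m.misses >= self.threshold:
                    newly_failed.append(m.name)
        for name in newly_failed:
            self._recover(name)
        return newly_failed

    def _recover(self, failed: str) -> None:
        """Remove the failed member and bring in a standby if one is available."""
        del self.members[failed]
        replacement = self.standby.pop(0) if self.standby else None
        if replacement is not None:
            self.members[replacement] = Member(replacement)
        self.replaced.append((failed, replacement))

    def active(self) -> list:
        return sorted(self.members)

    def capacity_shortfall(self) -> int:
        """How many members short of the desired count the pool currently is."""
        return self.desired - len(self.members)


if __name__ == "__main__":
    fd = FailureDetector(["web-1", "web-2", "web-3"], standby=["web-4"])
    for r in range(3):
        print("round", r, "failed:", fd.probe_round({"web-1", "web-3"}))
    print("active:", fd.active(), "replaced:", fd.replaced)
```

The consecutive-miss threshold is the important design choice: a detector that reacts to a single missed probe produces flapping and unnecessary replacements under transient network loss, while too high a threshold lengthens the outage before recovery starts.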
