
Cloud computing unit 3 and 4

SLA Management in cloud computing

Service level agreements (SLAs) are a list of objectives, services, and
responsibilities a customer can expect suppliers or managed services providers
(MSPs) to provide. SLAs also include metrics for measuring the accuracy and extent
to which MSPs provide those services, as well as potential penalties if the levels of
service specified by the agreement aren't maintained. While SLAs are typically
negotiated between customers and service providers, it's not unheard of for
departments within the same company to create their own service agreements.

What Is SLA Management?


Broadly defined, SLA management is the ongoing process of ensuring all provided
services and processes, including the underlying contracts, are in alignment with
the agreed-upon service level targets stipulated by the contract. From the creation of
help desk tickets to retrospective reporting and regular customer feedback, SLA
monitoring helps to protect your business and ensure your customers are satisfied.

Because strong SLAs will specify the measurement criteria for the agreed upon
services and responsibilities, proper SLA management also involves remaining
attentive to those metrics.

What Are the Three Types of SLAs?


SLAs are broadly categorized according to three tiers:

 Customer-based SLA: These agreements are between service providers and
individual customer groups, and apply to all the services the customer group uses.
For instance, if the finance department of a company constitutes a customer group,
a customer-based SLA could require the service provider to be responsible for
managing the financial software as well as the billing, payroll, and procurement systems.

 Service-based SLA: These agreements are between service providers and
customers, and are based on specific services that the service provider offers. This
can include providing email systems for customers, or routine maintenance as part
of a service package.

 Multi-level SLA: These agreements are split into three sub-levels, each addressing
a different set of customers for the same services within one SLA.

o Corporate-level SLA. This covers every user across the customer organization.
Many of the issues this level deals with are not critical, so SLA performance
reviews and updates are usually required less frequently.

o Customer-level SLA. This covers a specific customer group, but applies to all
services provided or in use.

o Service-level SLA. This covers specific services as provided to a specific
customer group.

Why Are SLAs Important?


SLAs provide several valuable benefits for both customers and service providers.
MSPs rely on SLAs to manage customer expectations and to define the situations in
which customers can’t hold them liable for service outages or issues related to
performance. SLAs are also essential for establishing performance targets and
benchmarks to set a standard for MSPs to meet.

For MSPs, SLAs tend to be one of the two foundational contracts established with
their customers. In addition to the service agreement, many service providers will
enter into a master services agreement with customers that lays out the broad
overview of terms and conditions under which they agree to provide services. The
master services agreement will often incorporate the conditions of the SLA, which
allows for more specificity regarding the services MSPs will provide and the metrics
they will use to measure the effectiveness of those services.

For customers, some of the benefits SLAs provide include a means of describing the
performance characteristics of the services they are receiving—which they can use
to compare or generate leverage when assessing other service providers’ SLAs.
The service agreements will also offer means for seeking redress for breaches of
contract via service credits or other forms of compensation and remediation.

SLA reporting is another important means of ensuring MSPs are meeting service
targets. Many MSPs choose to make their performance statistics available
online so customers can easily confirm that the SLA has not been breached.

Policy-based automation

Cloud automation refers to all processes and tools that reduce or eliminate human
intervention when managing cloud computing workloads and services. Tasks include
automatically provisioning infrastructure and organizing compute resources, workflow
version control, and performing backups.

Policy-based automation separates your business and operational policies from the
mechanics of actually performing the automation according to those policies: the
policy states what should be true, and the automation engine (Automation Control,
in the product described here) is responsible for implementing it.

Automation Control's policy-based automation takes resource information, groups of
resources, and relationships into account in its decision-making before acting.
Resource information defines the resource class and name, as well as how to start,
stop, and monitor the resource. Resources can be members of system-wide groups and
relationships.

The power of a policy

 You are able to define automation requirements easily:

In a policy, you can define which resources belong together and are managed as
one (business entity). For example, a DB2® System consists of many
resources. With Automation Control, you can group and aggregate resources to
more meaningful manageable entities, for example, My-HumanResource-
Application and so forth. You can monitor on this level, issue commands on
this level, and manage at the business level rather than at the single IT resource
level.

 In policies, you can specify how resources are dependent and related to each
other. For example, which of the other resources must be available before a
certain resource can be started. In another example, my database must be up
and running before my application is started.
 Policy definitions can be reused, copied, and cloned for similar applications
elsewhere in the enterprise.
 Because the underlying technology is responsible for the detailed actions,
these actions are performed consistently and reliably. With traditional
scripted solutions, testing abnormal conditions is difficult and prone to be
incomplete, yet the behaviour of the automation under exactly those abnormal
conditions is critical to the entire automation solution.

What are service level objectives?

A Service Level Objective (SLO) serves as a benchmark for indicators,
parameters, or metrics defined with specific service level targets. The
objectives may be an optimal range or a specific value for each service
function or process that constitutes a cloud service.
SLOs can also be described as the measurable characteristics of an SLA,
such as Quality of Service (QoS) aspects that are achievable, measurable,
meaningful, and acceptable for both service providers and customers. An
SLO is agreed within the SLA as an obligation, valid under specific
conditions (such as a time period), and is expressed within the SLA document.

SLO best practices

Put simply, Service Level Objectives describe how good the service
reliability was during a specific duration of time, based on the measurements
of specific service level indicators.

The following best practices can help you achieve these goals:

 Identify the right metrics and indicators to accurately describe system
reliability as perceived, expected, and required by your organization and
end-users.
 Make sure the right people understand the SLOs. An SLO should be well
understood by the technical team and by organizational leaders.
Organizations should devise SLOs based on the business requirements as
well as the technical capacity and expertise available to them.
 Align the technical team and business stakeholders on SLO targets. If
engineers cannot deliver on the SLO targets, the organization risks failing
to comply with its SLAs to customers.
 Use an independent SLO for each logical component of the system. Every
component may impact or contribute to the overall system differently, so
define an appropriate SLO for each component based on cost, complexity and
the other business and technical constraints involved.
 Measure several service level indicators collectively to evaluate a single
SLO target. For instance, latency, error rate and other QoS metrics may all
be needed to judge overall system performance against one objective.
 Document and communicate SLOs to all stakeholders. This information is
often critical for technical teams and business leaders when making decisions.
 Prioritize SLOs for certain customers. Paying customers with stringent
availability requirements may require a higher SLO baseline than freemium
users.
 Treat SLOs as an ongoing commitment to deliver optimum system performance
across the various service level indicators. SLOs evolve over time and
cannot be treated as static targets: IT workloads and end-user expectations
change continually, and an SLO designed for today's workload may not be
valid for its future performance requirements.
 Keep SLOs simple, few and realistic. Avoid absolute numbers that are
unrealistic (100% availability is never achievable). It is common to set an
internal SLO that is stricter than the target agreed with end-users, so that
the gap acts as a safety margin, or error budget, before the external
commitment is breached.

What is cloud security?

Cloud security is the set of control-based safeguards and technology
protections designed to protect resources stored online from leakage, theft,
and data loss. It covers the data, the cloud infrastructure and the applications,
and defends them against threats. Security tooling itself is often delivered in
the same way as SaaS (Software as a Service).

How to manage security in the cloud?


Cloud service providers and their customers use several methods to protect data.

A firewall is a central part of cloud architecture. It protects the network
perimeter and end-users, and it also controls traffic between the various
applications hosted in the cloud.

Access control protects data by letting you define access lists for each asset.
For example, you can allow specific employees to use an application while
restricting others. The rule is that employees can access only the resources they
require; strict access control keeps essential documents from being taken by
malicious insiders or external attackers.

Data protection methods include Virtual Private Networks (VPNs), encryption, and
data masking. A VPN allows remote employees, including those on tablets and
smartphones, to connect to the network over an encrypted channel. Data masking
keeps identifiable information private while preserving the usefulness of the
data; a medical company can share masked data without violating HIPAA.

Threat intelligence identifies security threats and ranks them in order of
importance, which helps to protect mission-critical assets. Disaster recovery is
vital for security because it makes it possible to recover lost or stolen data.

Benefits of Cloud Security System


Understanding how cloud security operates helps you find the ways it can benefit
your business.

Cloud-based security systems benefit the business by:

o Protecting the business from external threats
o Protecting against internal threats
o Preventing data loss
o Blocking malware and ransomware attacks

Malware poses a severe threat to businesses. More than 90% of malware arrives via
email, and employees frequently download it without recognizing it. Once
downloaded, the malicious software installs itself on the network to steal files
or damage content.

Ransomware is malware that encrypts or hijacks a system's data and demands a
financial ransom. Companies are tempted to pay because they want their data back.

Data redundancy removes the need to pay: with current backups you can restore the
data that was encrypted or stolen with minimal service interruption.

Many cloud data protection solutions identify malware and ransomware, and email
security filtering keeps malicious messages out of the inbox.

Difference between Cloud Security and Traditional IT Security

Cloud security                   | Traditional IT security
---------------------------------|--------------------------
Quick to scale                   | Slow to scale
Efficient resource utilization   | Lower efficiency
Usage-based cost                 | Higher fixed cost
Third-party data centres         | In-house data centres
Reduced time to market           | Longer time to market
Low upfront infrastructure cost  | High upfront cost

Cloud Security Challenges


Security becomes more challenging when adopting modern cloud approaches such as
automated cloud integration and continuous deployment (CI/CD) methods,
distributed serverless architectures, and short-lived assets such as functions
as a service and containers.

Some of the advanced cloud-native security challenges and the many layers of risk
faced by today's cloud-oriented organizations are described below:

1. Expanded attack surface

Public cloud environments have become a large and highly attractive attack
surface; attackers probe them to disrupt workloads and steal data. Malware,
zero-day exploits, account takeover and many other threats grow more dangerous
day by day.

2. Lack of visibility and tracking

In the IaaS model, cloud providers have complete control over the infrastructure
layer and do not expose it to their customers. The lack of visibility and control
is greater still in the PaaS and SaaS models. Cloud customers are often unable to
inventory their cloud assets or visualize their cloud environments effectively.

3. Ever-changing workloads

Cloud assets are provisioned and decommissioned dynamically, at scale and with
velocity. Traditional security tools cannot enforce protection policies in such a
flexible and dynamic environment with an ever-changing, short-lived workload.

4. DevOps, DevSecOps and automation

Organizations adopting an automated DevOps CI/CD culture must ensure that the
appropriate security controls are identified and embedded in the development
cycle, in code and in templates. Security-related changes implemented after a
workload has been deployed to production weaken the organization's security
posture and lengthen the time to market.

5. Granular privilege and key management

At the application level, poorly configured keys and privileges expose sessions
to security risks. Cloud user roles are often loosely configured, granting broad
privileges beyond what the job requires. A typical example is allowing untrained
users, or users with no business need to add or remove database assets, to write
to or delete databases.
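Loosely configured roles of the kind just described are easy to catch mechanically. The following is an added example, not from the notes: it scans two constructed policy documents written in the general Effect/Action/Resource shape of AWS IAM JSON policies and reports wildcard actions, wildcard resources and destructive verbs. The finding codes and the list of destructive verbs are this example's own choices, not part of any cloud provider's tooling.

```python
"""Scan IAM-style policy documents for over-broad privileges.

Added example, not from the notes. The two policies are constructed and
follow the general Effect/Action/Resource shape of AWS IAM JSON policies;
the checks themselves are generic (wildcard actions, wildcard resources,
destructive verbs) and the finding codes are this example's own.
"""
import json

# Verbs that add or remove assets; granting them needs a business reason.
DESTRUCTIVE_VERBS = ("delete", "drop", "terminate", "purge")

# Constructed: a role for staff who only need to read billing reports.
LOOSE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Reports", "Effect": "Allow",
         "Action": "s3:*", "Resource": "*"},
        {"Sid": "Billing", "Effect": "Allow",
         "Action": ["dynamodb:Scan", "dynamodb:DeleteTable"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Billing"},
        {"Sid": "NoIam", "Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
})

# Constructed: the same role scoped to what the job actually requires.
TIGHT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Reports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::billing-reports",
                      "arn:aws:s3:::billing-reports/*"]},
        {"Sid": "Billing", "Effect": "Allow", "Action": "dynamodb:Scan",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Billing"},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_findings(stmt):
    """Findings for one statement as (code, detail) tuples. Deny statements
    only remove privileges, so they never produce a finding."""
    out = []
    if stmt.get("Effect") != "Allow":
        return out
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    for action in actions:
        if action in ("*", "*:*"):
            out.append(("FULL_ADMIN", action))
            continue
        _service, _, verb = action.partition(":")
        if verb == "*":
            out.append(("SERVICE_WILDCARD", action))
        elif verb.lower().startswith(DESTRUCTIVE_VERBS):
            out.append(("DESTRUCTIVE_ACTION", action))
    if "*" in resources:
        out.append(("WILDCARD_RESOURCE", ", ".join(actions)))
    return out


def scan_policy(policy_json):
    """Return [(sid, code, detail), ...] for every over-broad grant."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        sid = stmt.get("Sid", "<no sid>")
        findings.extend((sid, code, detail)
                        for code, detail in statement_findings(stmt))
    return findings


if __name__ == "__main__":
    for finding in scan_policy(LOOSE_POLICY):
        print("loose:", finding)
    print("tight:", scan_policy(TIGHT_POLICY))
```

The loose policy produces three findings (a service-wide wildcard, a wildcard resource, and a DeleteTable grant on a billing table for a read-only role); the tightened version of the same role produces none. In practice a check like this belongs in the CI pipeline that deploys the templates, which is the DevSecOps point made under challenge 4.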

6. Complex environments

Managing security consistently across hybrid and multi-cloud environments calls
for methods and tools that work seamlessly across public cloud providers, private
clouds and on-premises deployments, including branch-office edge security for
geographically distributed organizations.

7. Cloud compliance and governance

All the leading cloud providers have aligned themselves with well-known
accreditation programs such as PCI DSS 3.2, NIST 800-53, HIPAA and GDPR. The
customer, however, remains responsible for ensuring that its own workloads and
data processes are compliant. Given the poor visibility and the dynamics of cloud
environments, the compliance audit process becomes close to mission impossible
unless tools are used to run continuous compliance checks and issue real-time
alerts.

Brokered cloud storage access

A cloud broker is an entity that manages the use, performance and delivery of
cloud services, and negotiates relationships between cloud providers and cloud
consumers.

Data stored in the cloud is held in the cloud service provider's systems, and
the same systems receive and send that data; there is no physical system on the
customer's side that serves this purpose. One way to protect cloud storage is to
isolate the data from direct client access. In this scheme two services are
created: a broker with full access to storage but no access to the client, and a
proxy with no access to storage but access to both the client and the broker.
These two services sit in the direct data path between the client and the data
stored in the cloud. Under this system, when a client makes a request for data,
here's what happens:

1. The request goes to the external service interface of the proxy.
2. The proxy, using its internal interface, forwards the request to the broker.
3. The broker requests the data from the cloud storage system.
4. The storage system returns the results to the broker.
5. The broker returns the results to the proxy.
6. The proxy completes the response by sending the requested data to the
client.
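The six-step exchange above, as an added example that is not part of the notes: three in-process Python classes stand in for the storage system, the broker and the proxy, and the separation of access is enforced by object references rather than by configuration, so the proxy literally has no handle through which it could reach storage. The tenant names, object keys and the ownership check in the broker are constructed for the example.

```python
"""Proxy/broker layering in front of cloud storage.

Added example, not from the notes. Three in-process classes stand in for the
storage system, the broker and the proxy. Capabilities are enforced by object
references: the proxy is built without a storage handle and the broker has no
client-facing interface, so the only path to data is client -> proxy ->
broker -> storage. The tenant names, object keys and the ownership check are
constructed for the example.
"""


class StorageSystem:
    """The storage zone. Only the broker ever holds a reference to it."""

    def __init__(self):
        self._objects = {}

    def put(self, key, data):
        self._objects[key] = data

    def get(self, key):
        return self._objects[key]


class Broker:
    """Full access to storage, no access to the client. It decides whether
    the request is allowed and keeps the audit trail."""

    def __init__(self, storage):
        self._storage = storage
        self.audit_log = []

    def fetch(self, tenant, key):
        # Ownership check: a tenant may only read under its own prefix.
        allowed = key.startswith(f"{tenant}/")
        self.audit_log.append((tenant, key, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise PermissionError(f"{tenant} may not read {key}")
        return self._storage.get(key)           # steps 3 and 4


class Proxy:
    """Client-facing service. Holds a broker reference but no storage
    reference, so a compromised proxy still cannot reach the storage zone."""

    def __init__(self, broker):
        self._broker = broker

    def handle_request(self, session, key):      # step 1: external interface
        tenant = session["tenant"]               # identity the proxy vouches for
        data = self._broker.fetch(tenant, key)   # step 2: proxy -> broker
        return {"key": key, "size": len(data), "data": data}   # step 6


def build_system():
    """Wire the three services; returns only the proxy, the sole client entry."""
    storage = StorageSystem()
    storage.put("acme/q1-report.pdf", b"%PDF-1.4 constructed sample")
    storage.put("globex/payroll.csv", b"name,salary\nconstructed,1")
    return Proxy(Broker(storage))


def demo():
    proxy = build_system()
    own = proxy.handle_request({"tenant": "acme"}, "acme/q1-report.pdf")
    try:
        proxy.handle_request({"tenant": "acme"}, "globex/payroll.csv")
        cross_tenant_blocked = False
    except PermissionError:
        cross_tenant_blocked = True
    # The proxy object has no attribute through which storage is reachable.
    proxy_has_storage = hasattr(proxy, "_storage")
    return own["data"], cross_tenant_blocked, proxy_has_storage


if __name__ == "__main__":
    print(demo())
```

The design point is that authorization happens in the broker, the one component the client can never talk to directly, and every decision is logged there; the proxy's job is only to establish who is asking and to relay the answer.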
[Figure: storage zone with encrypted keys]


Cloud brokers provide services in three categories:

Aggregation: A cloud broker combines and integrates multiple services into one or
more new services.

Arbitrage: This is similar to service aggregation, except that the services being
aggregated are not fixed; the broker has the flexibility to choose services from
multiple providers.

Intermediation: The cloud broker enhances a given service by improving some
specific capability and providing value-added services to cloud consumers. The
improvement can be managing access to cloud services, identity management,
performance reporting, enhanced security, and so on.

Benefits of using a cloud broker


Benefits of using a cloud broker for a business or technical purpose include the
following:

 Cloud interoperability: integration between several clouds
 Cloud portability: moving applications between different clouds
 Increased business continuity by reducing dependency on a single cloud
 Cost savings

Storage location and tenancy


Cloud service providers, under their service level agreements, are contractually
required to store and process data in predetermined locations. A commitment to a
specific storage site matters where the cloud vendor is under contract to conform
to local privacy laws.

Because data in the cloud is usually stored alongside that of multiple tenants,
each vendor has its own method for segregating one customer's data from
another's. It's important to understand how a specific service provider maintains
that segregation, and who at the provider has privileged access to storage. Most
cloud service providers store data in encrypted form as part of their security
mechanisms, so that it cannot be read by unauthorized users; note that encryption
at rest only protects against parties who do not hold the keys.

It is also important to know what happens to stored data if a disaster or
interruption occurs. Even though data is stored across multiple sites, it may not
be possible to recover it in a timely manner.

What is Cloud Encryption?

Cloud encryption is the process of transforming data from its original plaintext
form into unreadable ciphertext before it is transferred to and stored in the
cloud.

As with any form of data encryption, cloud encryption renders the information
indecipherable, and therefore useless, to anyone without the encryption keys. This
holds even if the data is lost, stolen or shared with an unauthorized user.

Encryption is regarded as one of the most effective components of an
organization's cybersecurity strategy. In addition to protecting the data itself
from misuse, cloud encryption also addresses other important security issues,
including:

 Compliance with regulatory standards regarding data privacy and protection
 Enhanced protection against unauthorized data access by other public cloud tenants
 In select cases, and depending on the jurisdiction, relieving the organization of
the obligation to disclose breaches or other security events

How Does Cloud Encryption Work?

Encryption uses well-studied algorithms to encode the data, making it
meaningless to anyone who does not have the key. Authorized users apply the key
to decode the data, transforming it back into a readable form. Keys are generated
and shared only with trusted parties whose identity has been established and
authenticated.

Cloud encryption is meant to protect data as it moves to and from cloud-based
applications, as well as when it is stored on the cloud provider's systems. These
are known as data in transit and data at rest, respectively.

Encrypting data in transit

A significant portion of data in motion is encrypted automatically by HTTPS,
which runs the standard HTTP protocol over TLS (Transport Layer Security, the
successor to SSL). TLS encrypts the whole session, so that if an unauthorized
party intercepts data transmitted during the session, the content is meaningless
to them. The session keys used for this are negotiated between the client and
the server during the TLS handshake, and the server proves its identity with a
certificate.

Encrypting data at rest


Data encryption for information stored in the cloud ensures that even if the
data is lost, stolen or mistakenly shared, the contents are virtually useless
without the encryption key. Again, keys are only made available to authorized
users. As with data in transit, encryption and decryption of data at rest is
managed by the software application or by the storage service itself.

Encryption Algorithms

There are two basic kinds of encryption algorithm for cloud-based data:

Symmetric encryption: The encryption and decryption keys are the same. This
method is most commonly used for bulk data encryption. Implementation is
generally simpler and faster than the asymmetric option, but anyone who obtains
the single key can decrypt the data, so the difficulty lies in distributing and
protecting that key.

Asymmetric encryption: Uses two mathematically linked keys, a public key and a
private key, to encode and decode data. The public key can be shared freely and
is used to encrypt; only the holder of the matching private key can decrypt.
This removes the need to share a secret in advance, which is why asymmetric
encryption is typically used to exchange or wrap the symmetric keys that do the
bulk encryption.

The benefits of cloud encryption

Encryption is one of the primary defenses organizations can take to secure their
data, intellectual property (IP) and other sensitive information, as well as their
customers' data. It also serves to address privacy and protection standards and
regulations.

Benefits of cloud encryption include:

 Security: Encryption offers end-to-end protection of sensitive information,
including customer data, while it is in motion or at rest, across any device or
between users.
 Compliance: Data privacy and protection regulations such as HIPAA (the Health
Insurance Portability and Accountability Act of 1996) require organizations to
protect sensitive customer data, and standards such as FIPS 140 define the
requirements that the cryptographic modules used for this must meet.
 Integrity: Encryption by itself does not stop a malicious actor from altering
ciphertext, and with some modes the change is not detectable. Pairing encryption
with a message authentication code, or using an authenticated mode such as
AES-GCM, lets authorized users detect any tampering when they decrypt.
 Reduced risk: In select cases, organizations may be exempt from disclosing a
data breach if the data was encrypted, which significantly reduces the risk of
reputational harm and of lawsuits or other legal action associated with a
security event.
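The integrity point above, and the symmetric encryption described under "Encryption Algorithms", are shown concretely in the following added example, which is not from the notes. The same symmetric stream cipher is used twice: once on its own, where an attacker who knows part of the plaintext rewrites it by flipping ciphertext bits without any key, and once with a message authentication code (encrypt-then-MAC), where the same flip is rejected. The keystream is HMAC-SHA256 in counter mode, a toy construction chosen only because it needs nothing beyond the Python standard library; a real system should use a vetted authenticated mode such as AES-GCM. The keys, nonce and message are constructed.

```python
"""Encryption alone does not give integrity: a malleable stream cipher next
to the same cipher with a message authentication code (encrypt-then-MAC).

Added example, not from the notes. The keystream is HMAC-SHA256 run in
counter mode, a toy construction chosen only because it needs nothing beyond
the Python standard library; in a real system use a vetted authenticated
mode such as AES-GCM. Keys, nonce and the sample message are constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key, nonce, length):
    """PRF-based counter-mode keystream: HMAC(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_stream(key, nonce, data):
    """Symmetric: XOR with the keystream both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def derive_keys(master):
    """Separate keys for confidentiality and integrity from one master key."""
    enc_key = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(master, plaintext, nonce=None):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master)
    ciphertext = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(master, blob):
    """Verify the tag in constant time before decrypting anything."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: modified or wrong key")
    return xor_stream(enc_key, nonce, ciphertext)


def demo(master=b"\x11" * 32, nonce=b"\x00" * NONCE_LEN):
    """Show a bit-flip forgery succeeding without a MAC and failing with one."""
    plaintext = b"transfer $0100 to account 42"
    enc_key, _ = derive_keys(master)

    # 1. Unauthenticated: an attacker who knows a '0' sits at this offset
    #    turns it into '9' in the ciphertext without knowing any key.
    offset = plaintext.index(b"0100")
    ciphertext = bytearray(xor_stream(enc_key, nonce, plaintext))
    ciphertext[offset] ^= ord("0") ^ ord("9")
    forged = xor_stream(enc_key, nonce, bytes(ciphertext))

    # 2. Authenticated: the same flip is caught by the tag check.
    blob = bytearray(seal(master, plaintext, nonce))
    blob[NONCE_LEN + offset] ^= ord("0") ^ ord("9")
    try:
        unseal(master, bytes(blob))
        detected = False
    except ValueError:
        detected = True
    return forged, detected


if __name__ == "__main__":
    print(demo())
```

Two details carry the security argument: the tag is checked with `hmac.compare_digest` before any decryption happens, so a forged blob never reaches application code, and the MAC key is derived separately from the encryption key so that a weakness in one use does not leak the other.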

Cloud encryption challenges

Cloud encryption is a relatively simple but highly effective security technique.
Unfortunately, many organizations overlook this part of their cybersecurity
strategy, often because they are unaware of the shared responsibility model of
the public cloud. Under that model, the cloud provider is responsible for the
security of the cloud infrastructure, while the customer is responsible for
securing the data and assets it stores in the cloud and for ensuring their safe
transmission to and from the cloud.

Additional challenges may include:


Time and cost: Encryption is an added step, and therefore an added cost for
organizations. Those wishing to encrypt their data must not only obtain an
encryption tool, but also ensure that their existing assets, such as computers
and servers, can handle the added processing load. Encryption takes time, so the
organization may experience increased latency.

Data loss: Encrypted data is virtually useless without the key. If the
organization loses or destroys the key, the data cannot be recovered.

Key management: No cloud security measure is foolproof, and encryption is no
exception. Adversaries can recover a weak key, particularly if the program allows
the key to be chosen by the user, since a key derived from a human-chosen
password can be guessed. Keys should be generated randomly, stored separately
from the data they protect (for example in a key management service or hardware
security module), rotated, and backed up so that the loss of a single copy does
not mean the loss of the data.

Cloud Security Audits:

What is a Cloud Security Audit?

A cloud audit is a test of a cloud environment, typically conducted by an
independent third party. During an audit, the auditor gathers evidence via
physical inspection, inquiry, observation, re-performance, or analytics.

Cloud security audits commonly focus on an organization's security controls:
the operational, procedural, or technical protections an organization uses to
safeguard the integrity and confidentiality of its information systems. In the
cloud, an auditor may evaluate which security controls exist, whether they are
implemented correctly, whether they are working as expected, and how effective
they are at mitigating threats.

In addition, a cloud security audit typically verifies that cloud systems are
aligned with the specific requirements of regulations, industry standards, or
security benchmarks.

What is a cloud audit?


A cloud audit is a periodic examination an organization does to assess and
document its cloud vendor's performance. The goal of such an audit is to see how
well a cloud vendor is doing in meeting a set of established controls and best
practices.

The Cloud Security Alliance (CSA) provides audit documents, guidance and controls
that an IT organization can use to examine its cloud vendors. Third-party
auditors can also use CSA audit materials. CSA resources are widely considered
the primary tools for performing and optimizing a comprehensive cloud audit.

The term CloudAudit refers to a specification, started in 2010 and later adopted
by the CSA, for presenting information about how a cloud service provider
addresses control frameworks. The goal of CloudAudit was to give cloud service
providers a way to make their performance and security data readily available to
potential customers.

Benefits of Cloud Security Audits

Here are a few ways in which security audits can improve the security
of your cloud environment:

 Overseeing access control: employees join and leave the organization and
personnel move to new roles and departments. A security audit can ensure that
access control is managed responsibly, for example that access is revoked when
employees leave, and that new employees are granted minimal privileges.
 Secure access to the cloud: a cloud security audit can help verify that
employees and other users access cloud systems in a secure manner, for example
over a VPN or another encrypted channel.
 Security of APIs and third-party tools: most cloud environments use a large
variety of APIs and third-party technologies. Every API or third-party tool is a
potential security risk. Audits can identify security weaknesses in APIs and
tools and help the organization remediate them.
 Verifying backup strategies: the cloud makes it easy to perform backups.
However, this is only effective if the organization's cloud platform is
configured to carry out the backups regularly. An audit can ensure that the
organization is performing backups for all critical systems, and adopting
security measures to safeguard those backups.
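The first item above, checking that access is revoked when people leave, is the kind of review an auditor can run directly against exported data. The following is an added example, not from the notes: it reconciles a constructed identity-provider export against a constructed HR roster and flags enabled accounts of terminated staff, accounts with no owner on record, long-idle accounts, stale access keys and privileged group membership. The field names and the 90-day thresholds are assumptions about what such exports and policies contain.

```python
"""Access-review check an auditor can run: reconcile identity-provider
accounts against the HR roster and flag accounts that should have gone
when people left, stale credentials, and privileged group membership.

Added example, not from the notes. The account export and HR roster are
constructed, and their field names are assumptions about what an IAM and
HR export would contain.
"""
from datetime import date

MAX_IDLE_DAYS = 90       # assumed policy: disable accounts idle longer than this
MAX_KEY_AGE_DAYS = 90    # assumed policy: rotate access keys at least quarterly
PRIVILEGED_GROUPS = {"admins"}

# Constructed HR roster: who is currently employed.
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active"}

# Constructed identity-provider export.
ACCOUNTS = [
    {"user": "alice", "last_login": "2024-05-20", "key_age_days": 40,
     "groups": ["developers"]},
    {"user": "bob", "last_login": "2024-03-01", "key_age_days": 200,
     "groups": ["admins"]},
    {"user": "carol", "last_login": "2023-11-02", "key_age_days": 400,
     "groups": ["developers", "admins"]},
    {"user": "svc-backup", "last_login": None, "key_age_days": 10,
     "groups": ["backup"]},
]


def review_account(acct, roster, today):
    """Return (code, detail) findings for one account."""
    findings = []
    status = roster.get(acct["user"])
    if status is None:
        findings.append(("NOT_IN_HR_ROSTER", "no owner on record"))
    elif status != "active":
        findings.append(("TERMINATED_BUT_ENABLED", f"HR status is {status}"))
    if acct["last_login"]:
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > MAX_IDLE_DAYS:
            findings.append(("INACTIVE", f"{idle} days since last login"))
    if acct["key_age_days"] > MAX_KEY_AGE_DAYS:
        findings.append(("STALE_ACCESS_KEY", f"{acct['key_age_days']} days old"))
    privileged = PRIVILEGED_GROUPS.intersection(acct["groups"])
    if privileged:
        # Not a violation by itself, but every privileged member needs a
        # documented justification in the review.
        findings.append(("PRIVILEGED_MEMBER", ", ".join(sorted(privileged))))
    return findings


def access_review(accounts, roster, today):
    """Return {user: [(code, detail), ...]} for accounts with any finding."""
    report = {}
    for acct in accounts:
        found = review_account(acct, roster, today)
        if found:
            report[acct["user"]] = found
    return report


def default_review():
    """The constructed data evaluated as of 2024-06-01."""
    return access_review(ACCOUNTS, HR_ROSTER, date(2024, 6, 1))


if __name__ == "__main__":
    for user, found in default_review().items():
        print(user, found)
```

Service accounts such as `svc-backup` show up as having no owner in HR, which is the expected outcome: the review forces someone to claim responsibility for them rather than letting them persist unnoticed.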

Cloud Security Auditing Challenges

Here are a few key challenges that can make cloud security audits
more difficult, and how to overcome them.

Transparency

In a cloud environment, cloud providers control most of the operational and
forensic data. This data is critical for auditing purposes. Auditors must have a
comprehensive inventory of cloud resources and data, access to security policies,
and direct access to relevant forensic data. This requires coordination with cloud
providers and the organization's IT operations staff.

Encryption

There are two main options for encrypting data in the cloud:

 You can encrypt data on-premises and then send it to the cloud, but this
runs the risk of rogue insiders abusing their privileges.
 You can leave encryption to the cloud provider, but then you will be at
risk of breaches within the cloud provider's environment.

From an auditing perspective, it is almost always better to encrypt data
on-premises and manage encryption keys in-house. Auditing can be extremely
difficult, even impossible in some cases, if encryption keys are managed by the
cloud provider. The PCI DSS Cloud Special Interest Group encourages organizations
to store and manage encryption keys independently from the cloud provider.

Colocation

In a cloud environment, it is very common for several customers' environments to
share the same physical systems. This creates security issues and makes it more
difficult to audit the physical environment. If it is not possible to run services
on physically separate devices, the cloud provider must provide proof that its
isolation prevents any tenant of the shared system from gaining administrative
control of the underlying machine.

Scale, Scope, and Complexity

In a traditional data center, there was a finite number of servers, which
auditors could review and report on. In a cloud environment, there can be
exponential growth in the number of audited entities, which may include physical
hosts, virtual machines (VMs), managed databases, containers, and serverless
functions. It can be very difficult to audit all these entities, especially
considering that new entities are added and removed on a daily basis.

The key to making a cloud environment auditable is to standardize workloads. For
example, if containers are only created from a limited, controlled set of images,
auditors can focus their testing on those approved container images. Similarly,
VMs should be created from a limited pool of machine images that can be reviewed
by auditors.

How do you conduct a cloud audit?


An audit of a cloud environment is similar to an IT audit. Both examine a variety
of operational, administrative, security and performance controls. Cloud audit
controls are also similar to IT audit controls but with a focus on the nuances of
cloud environments.

Cloud vendors offer several on-demand, as-a-service resources, such as software as
a service and platform as a service. Audits help assure these offerings are delivered
with the appropriate attention to specific controls, especially those involving
security policies and risk management. Audits of cloud computing services look
for evidence that a cloud vendor is using best practices, complies with appropriate
standards and meets certain benchmarks in delivering its services.

When performing a cloud audit, take the following basic steps:

1. Gather evidence. Collect relevant documents and other evidence, such as
screenshots.

2. Interview. Ask cloud vendor personnel how the provider operates and
delivers its services. CSA has cloud audit questions and checklists that can be
useful to both external and internal auditors. CSA has partnered with ISACA to
define what constitutes relevant cloud audit knowledge and provide
accreditation resources for cloud audit professionals.

3. Analyze. Look at how well the vendor's processes align with CSA and ISACA
controls.

4. Compile results. Combine analysis with the evidence from documentation and
interviews into work papers that are used to prepare a final report and
recommendations.

5. Prepare final report. Submit it to the organization's management, usually
during a formal audit briefing.

6. Take action. Management sets dates for responses to the recommended
actions and assigns a team to respond to the audit report.

Cloud audit tools

CSA provides tools and guidance auditors need to perform a cloud audit. The table
below lists these items and their availability.

Resource                                      Description
Cloud Controls Matrix (CCM) v4                Cybersecurity control framework for cloud
                                              computing aligned to CSA best practices
Security, Trust, Assurance and Risk (STAR)    Checklist tool to ask cloud vendors about
security questionnaire                        security controls
STAR Registry                                 List of cloud vendors' security and regulatory
                                              compliance postures
CSA best practices                            Guidance on cloud security, performance and
                                              auditing

Cloud audit professional credentials

The CSA and ISACA jointly offer the following cloud audit credentials:

 Certificate of Cloud Security Knowledge is a body of knowledge in cloud
technology areas, including cloud processing and security. It is a first step in
preparation for the companion certification in cloud auditing knowledge.

 Certificate of Cloud Auditing Knowledge trains candidates in how to audit
cloud platforms and security.

Both certificates complement ISACA credentials. They provide evidence of an
auditor's knowledge of cloud infrastructure and systems, security and
vulnerabilities, and they show that the auditor knows how to conduct a cloud audit.

What Does Cloud Compliance Mean?

Cloud compliance is the general principle that cloud-delivered systems must be
compliant with standards that the cloud customers face. This is a very important issue
with new cloud computing services, and it is something that lots of IT professionals
look at very closely.

The term ‘cloud compliance’ can relate to many different industry standards and
regulations that cloud customers need to comply with.

For example, in the healthcare industry, a set of laws called HIPAA make stringent
guidelines and security protocols mandatory for certain kinds of patient health data.
Another example is new financial privacy regulations that have stemmed from
changes in the finance world over the last couple of decades.

Essentially, cloud customers need to look at the effective security provisions of their
vendors the same way they would look at their own internal security. They will need
to figure out whether their cloud vendor services match the compliance that they need.
There are several ways to go about this. In some cases, companies can just look for
vendors that certify compliance, and choose their services without any further input.
However, sometimes clients may need to actually get involved in assessing the cloud
vendor’s security, to make sure that it complies with the industry standards and
regulations.

In assessing cloud security, experts suggest that cloud customers ask certain kinds of
questions, such as: where is the data going to be stored, and who will be able to
access it? In addition, companies are choosing between public, private and hybrid
cloud computing services. This is also relevant to security, in that private cloud
solutions can sometimes be more secure than public cloud solutions. In public cloud
services, clients essentially share the same data platforms, and that means that in some
cases, there is a concern about data crossover or unauthorized access.

One way to think about this is in an analogy to housing, where private cloud systems
would resemble gated mansions and public systems resemble connected apartments.
There will be more security issues in a set of connected apartment units, where there’s
less separation between different tenants. Cloud compliance will remain an issue as
engineers and designers work on how to provide the most secure and best options for
customers.

Challenges of Cloud Compliance

A new and different type of computing environment presents different compliance
challenges. The following are just a few of many such examples.

Certifications and Attestations

To satisfy the requirements of applicable standards and regulations, both you and
your public cloud vendor will need to demonstrate compliance.

So, in addition to your own set of responsibilities, you’ll need to make sure your
cloud platform also has the appropriate certifications or attestations.

Moreover, you’ll need to monitor validation, as data protection laws change, new
regulations come into force, and cloud providers can lose their compliance status at
any time.

Data Residency

As most data protection laws only allow you to host personal data within permitted
territories, you’ll need to make careful choices about which cloud regions you intend
to use.

This may be particularly challenging if your organization is subject to a significant
number of different regulations. In such cases, you may need to adopt a multi-
cloud strategy to ensure you have the right mix of regions to cover all regulated
data.

Cloud Complexity

You cannot protect what you don’t know you have. However, the cloud is a much
more complex environment with lots of moving parts. This presents challenges to
visibility and control over the data you need to protect.

Furthermore, this complexity makes it more difficult to assess the risk to your data
so you can formulate an informed strategy to suitably protect it.

Different Approach to Security

Most compliance requirements for security are very general in nature and merely
state you should take appropriate technical and organizational measures to
protect personal data.

But traditional security tools are simply not up to the job, as they’re designed for
static environments and difficult to adapt to the cloud. You’ll therefore need security
solutions specifically designed for cloud-based infrastructure, where IP addresses
frequently change and resources are routinely launching and closing down. This will
mean a different approach to security with more focus on configuration
management and individual workload protection.

Google App Engine is a Platform-as-a-Service (PaaS) offering by Google
Cloud that allows developers to build and deploy web applications and APIs.
The architecture of Google App Engine is designed to abstract away much of
the infrastructure management and scaling concerns, enabling developers to
focus on building and deploying their applications. Here's an overview of the
architecture:

1. User Interface: This is where users interact with your application. It can be a
web browser, mobile app, or any other client that sends requests to your
application.
2. Client Library: Google provides client libraries for various programming
languages to make it easy for developers to interact with App Engine services.
This library helps developers send requests and receive responses from the
App Engine services.
3. App Engine Application: This is your custom application code. It can be
written in multiple languages like Python, Java, Go, or Node.js. You write your
code to handle incoming requests, process data, and produce responses.
4. Runtime Environment: App Engine provides a runtime environment for your
application. This environment includes libraries, services, and tools that help
run your code, manage HTTP requests, and handle various tasks like
authentication, logging, and more.
5. Scaling Service: One of the key features of App Engine is its automatic
scaling. It can handle spikes in traffic by creating new instances of your
application when needed and scaling down when traffic decreases. The scaling
service takes care of this automatically.
6. Request Routing: Incoming HTTP requests are routed to the appropriate
instances of your application. Google's load balancers manage this process,
distributing requests to available instances.
7. Data Storage: Google Cloud Datastore (NoSQL database) or Google Cloud
SQL (relational database) are often used for data storage in App Engine
applications. These services are fully managed and scalable, which simplifies
data management.
8. Caching: Google Cloud provides services like Cloud Memorystore for in-
memory caching to improve the performance of your application by reducing
the need to retrieve data from your primary data store.
9. File Storage: Google Cloud Storage can be used to store and serve static files
like images, videos, and other assets in your application.
10. Task Queues: App Engine provides task queues for handling background
tasks, such as sending emails or processing data asynchronously. These
queues are used to manage and distribute tasks across instances of your
application.
11. Services and APIs: App Engine can make use of other Google Cloud services
and APIs, such as Cloud Pub/Sub, BigQuery, or Cloud Machine Learning
Engine, to extend your application's capabilities.
12. Service Modules: App Engine allows you to break your application into
multiple service modules, each with its own version and scaling settings. This
can be useful for microservices architecture or separating components of your
application.
13. Security and Authentication: Google provides built-in security features, such
as Identity-Aware Proxy (IAP) for controlling access to your application and
Firebase Authentication for user authentication.
14. Monitoring and Logging: You can use Google Cloud's Stackdriver suite to
monitor, log, and trace the behavior and performance of your application.
15. Deployment: Google provides tools for deploying your application code,
managing versions, and rolling back to previous versions if needed.
16. Global Distribution: App Engine can serve your application from multiple
geographical regions to reduce latency and improve reliability. This is known
as the App Engine Standard environment (multi-region) or the App Engine
Flexible environment (which can be deployed in multiple regions).

Runtime lifecycle

The App Engine flexible environment runtimes use open source components
that are maintained by their respective communities. The runtimes are
identified by their language version, for example, Java 17, Python 3.10, and
so forth.
Google provides support for a runtime during General availability (GA). During
this support window:

 Runtime components are regularly updated with security and bug fixes.

 To maintain stability, App Engine avoids implementing breaking features or
changes into the runtime. Breaking changes will be announced in advance on
the runtime-specific

 When a language version is no longer actively maintained by the respective
community, App Engine will also stop providing maintenance and support for
that language runtime. Before a runtime reaches the end of support phase as
described in the runtimes support schedule, Google will provide a notification
to customers.

Google may make changes to any runtime's support schedule or lifecycle in
accordance with the terms of your agreement for the use of Google Cloud
platform services.

Runtime lifecycle

                               GA-level support    End of Support         Deprecated             Decommissioned
Creation & redeployment        Yes                 No                     No                     No
Project Configuration Updates  Yes                 Yes                    No                     No
Running existing workloads     Yes                 Yes                    Yes                    No
UI & CLI Warnings              Yes                 Yes                    No                     No
Language patches               Automatic updates   No automatic updates   No automatic updates   No automatic updates
Patching APIs & SDKs           Automatic updates   No automatic updates   No automatic updates   No automatic updates
Customer Support               GA-level support    No runtime support     No runtime support     No runtime support

Notification period

App Engine will begin issuing in-app notifications 90 days before the
application reaches end of support. Upon notification, you should prepare to
upgrade your application to a newer runtime that is supported in the flexible
environment.

End of support

When runtime components reach the end of support date:

 Google will no longer apply security updates or patches to components of the
runtime environment.
 Your application will continue to run and receive traffic.
 You will no longer be able to create and/or update the application on the
unsupported runtime.
 Issues arising from the use of an unsupported runtime will not be eligible for
technical support.

We strongly encourage you to upgrade your application to a supported
runtime version as soon as it becomes available to continue receiving security
updates and being eligible for technical support.

Alternatively, you can redeploy your application using a custom runtime.

Deprecated

If Google allowed your Organization to re-enable deployments in an
unsupported runtime, Google will remove that ability once the runtime is
deprecated.

Where practicable, we will make reasonable efforts to notify you in advance of
the deprecation by in-app notifications or other means. In certain instances,
including in circumstances involving critical security vulnerabilities or similar
high severity issues, advance notice may not be practicable.

Decommissioned

Applications that continue to use a decommissioned runtime may be disabled
without further notice. You must choose a more up-to-date runtime to deploy
your application.

Advantages of Google App Engine

The Google App Engine has a lot of benefits that can help you advance
your app ideas. These include:
1. Infrastructure for Security: The Internet infrastructure that Google
uses is arguably the safest in the entire world. Since the application
data and code are hosted on extremely secure servers, there has
rarely been any kind of illegal access to date.
2. Faster Time to Market: For every organization, getting a product or
service to market quickly is crucial. When it comes to quickly releasing
the product, encouraging the development and maintenance of an app
is essential. A firm can grow swiftly with Google Cloud App Engine’s
assistance.
3. Quick to Start: You don’t need to spend a lot of time prototyping or
deploying the app to users because there is no hardware or product to
buy and maintain.
4. Easy to Use: The tools that you need to create, test, launch, and
update the applications are included in Google App Engine (GAE).
5. Rich set of APIs & Services: A number of built-in APIs and services
in Google App Engine enable developers to create strong, feature-rich
apps.
6. Scalability: This is one of the deciding variables for the success of
any software. When using the Google app engine to construct apps,
you may access technologies like GFS, Big Table, and others that
Google uses to build its own apps.
7. Performance and Reliability: Among international brands, Google
ranks among the top ones. Therefore, you must bear that in mind
while talking about performance and reliability.
8. Cost Savings: To administer your servers, you don’t need to employ
engineers or even do it yourself. The money you save might be put
toward developing other areas of your company.
9. Platform Independence: Since the app engine platform only has a
few dependencies, you can easily relocate all of your data to another
environment.
Features of App Engine

Runtimes and Languages

To create an application for App Engine, you can use Go, Java, PHP,
or Python. You can develop and test an app locally using the SDK’s
deployment toolkit. Each language’s SDK and runtime are unique. Your
program is run in a:
 Java Run Time Environment version 7
 Python Run Time environment version 2.7
 PHP runtime’s PHP 5.4 environment
 Go runtime 1.2 environment