Identifying Cloud Service Models: Newoutlook - It

Uploaded by hal522776

support an IT workload.
Self-service means cloud users can provision and
deprovision cloud resources using a GUI,
command-line tools, or programmatically through
API calls.
Broad network access allows a multitude of device
types to access cloud services over a network.
Pay-as-you-go means cloud consumers pay only
for the cloud resources they use.
Availability ensures that cloud-based IT systems
and data are always available. The cloud SLA
provides uptime guarantees.

Identifying Cloud Service Models


Software as a Service (SaaS) refers to software
solution rentals where the software is accessed
and used over a network.
Infrastructure as a Service (IaaS) refers to the
underlying items such as storage, networking, and
virtual machines that support cloud-based
software solutions.
Platform as a Service (PaaS) refers to managed
database and developer cloud services that do not
require cloud users to configure the underlying
supporting infrastructure.

NEWOUTLOOK.IT
Technet24
||||||||||||||||||||
||||||||||||||||||||

Identifying Cloud Deployment Models


Public clouds are owned and managed by CSPs.
The cloud services are available to anybody with
Internet access.
Private clouds are owned, managed, and used by a
single organization.
Hybrid clouds are composed of an on-premises
network linked to a cloud virtual network.
Community clouds address organizations with the
same computing needs, often within the same
industry.

Understanding Cloud Shared Responsibility


With SaaS, the management of settings and data is
the responsibility of the cloud customer. The CSP
is responsible for managing the underlying
infrastructure that supports the software solution.
With IaaS, the cloud customer is responsible for
all management aspects of storage, network
configuration, and virtual machines. The CSP is
responsible for the underlying hardware,
including routers, switches, storage arrays, and
physical servers.
With PaaS, the cloud customer is responsible for
the details regarding the PaaS solution, such as
database settings and data. The CSP is responsible for the underlying infrastructure, such as storage and virtual machines that support the PaaS solution.

SELF TEST
The following questions will help you measure your
understanding of the material presented in this chapter.
As indicated, some questions may have more than one
correct answer, so be sure to read all the answer choices
carefully.

Identifying Cloud Computing Characteristics


1. Which cloud computing characteristic is most
closely related to OPEX?
A. Broad network access
B. Elasticity
C. Pay-as-you-go
D. Self-service
2. Your manager has asked you to review the storage
SLA for a public cloud provider to determine the
potential amount of annual downtime. Which of
the following cloud characteristics is most closely
related to this scenario?
A. Broad network access
B. Pay-as-you-go
C. Scalability
D. Availability
3. Your cloud-hosted public website experiences more
traffic during the holiday season. You need to
design a configuration that responds to application
requests to add or remove back-end virtual
machines as required. The maximum number of
VMs should never exceed four. Which cloud
characteristic does this most closely relate to?
A. Metered use
B. Scalability
C. Broad network access
D. Availability
4. Users in your company use their work-issued
laptops and personal smartphones to access web
apps hosted on a company’s private cloud
infrastructure. Which term best describes this
scenario?
A. Broad network access
B. Scalability
C. Elasticity
D. Availability

Identifying Cloud Service Models


5. Which of the following cloud resource deployments
is an example of IaaS?
A. Web e-mail
B. Instant messaging
C. Managed database
D. Virtual machines
6. You have decided to deploy your own cloud-based
virtual machines hosting a Microsoft SQL Server
database. Which type of cloud service model is this?
A. CaaS
B. PaaS
C. IaaS
D. SaaS
7. What type of cloud computing service model does
cloud-based storage apply to?
A. SaaS
B. IaaS
C. PaaS
D. CaaS

Identifying Cloud Deployment Models


8. What makes private clouds different from public
clouds? (Choose two.)
A. Service availability
B. Limited user base
C. Security of data at rest
D. Responsibility for infrastructure
9. Your on-premises network is linked to a cloud-
based virtual network through a VPN tunnel. What
type of cloud deployment model is this?
A. Hybrid
B. Private
C. Public
D. Extended
10. Which of the following is a true statement?
A. Anybody with Internet access can potentially
access public cloud services.
B. Anybody with Internet access can potentially
access private cloud services.
C. Private clouds are available to any user with a
paid subscription.
D. Public clouds are used by a single organization.

Understanding Cloud Shared Responsibility


11. Which term best describes deploying a cloud-based
database without having to configure the
underlying virtual machine?
A. Horizontal scaling
B. Managed service
C. Vertical scaling
D. Infrastructure as a Service
12. You have manually deployed an Ubuntu Linux
virtual machine in the public cloud. Who is
responsible for applying Linux operating system
updates to the VM?
A. Cloud service provider
B. Cloud tenant
C. Ubuntu
D. Cloud service provider and cloud tenant
13. Which type of hypervisor requires an existing
operating system?
A. Type 1
B. Type 2
C. Type 3
D. Type 4
14. Which statements regarding cloud computing are
correct? (Choose two.)
A. Virtualization relies on cloud computing.
B. Cloud-hosted virtual machines normally run on
type 2 hypervisors.
C. Cloud computing relies on virtualization.
D. Cloud-hosted virtual machines normally run on type 1 hypervisors.
15. Which of the following is considered a “bare metal”
type of hypervisor?
A. Type 1
B. Type 2
C. Type 3
D. Type 4

SELF TEST ANSWERS


Identifying Cloud Computing Characteristics
1. C. Operating expenses (OPEX) relate to paying
for cloud resource usage, such as on a monthly
basis, as opposed to hosting the same IT services on
premises, which requires a capital investment in
hardware, software, licensing, and technician fees.
A, B, and D are incorrect. They are not as
closely related to OPEX as the pay-as-you-go cloud
computing characteristic.
2. D. One of the details in a service level
agreement (SLA) is the expected uptime
(availability) for the cloud service.
A, B, and C are incorrect. They are cloud characteristics that do not relate to downtime.
3. B. Scalability refers to achieving elasticity
through scalability configurations, such as the
maximum number of virtual machines.
A, C, and D are incorrect. Metered use, also
referred to as “pay as you go,” charges cloud
customers based on their use of cloud resources.
Broad network access does not involve adding or
removing resources to improve resource
performance. Availability ensures that cloud-based
IT systems and data are available when needed and
is normally addressed through backups and IT
system and data redundancy.
4. A. Broad network access relates to the use of
different types of devices to access cloud-based IT
services over a network.
B, C, and D are incorrect. Scalability refers to
the long-term design of constraints, such as the
maximum number of virtual machines. Elasticity is
the dynamic response to resource requirements.
Availability ensures that cloud-based IT systems
and data are available when needed and is normally
addressed through backups and IT system and data
redundancy.

Identifying Cloud Service Models


5. D. Virtual machines are considered
Infrastructure as a Service (IaaS).
A, B, and C are incorrect. A and B are incorrect
because they are considered Software as a Service
(SaaS). C is incorrect because managed databases
are considered Platform as a Service (PaaS).
6. C. If virtual machines are manually configured
with software such as Microsoft SQL Server, this is
considered Infrastructure as a Service (IaaS).
A, B, and D are incorrect. Communications as a
Service (CaaS) relates to cloud-based services such
as instant messaging. Platform as a Service (PaaS)
provides services such as developer tools and
databases without having to manually configure the
underlying infrastructure. Software as a Service
(SaaS) refers to a software solution available over a
network, such as web e-mail provided over the
Internet by a cloud service provider.
7. B. In the cloud, storage is considered
Infrastructure as a Service (IaaS).
A, C, and D are incorrect. None of these cloud
service models is considered IaaS.

Identifying Cloud Deployment Models


8. B and D. Private clouds are the responsibility of and used by a single organization, but still adhere
to cloud computing characteristics such as self-
service and elasticity.
A and C are incorrect. Service availability and
security of data at rest are items that apply to
private and public clouds.
9. A. Hybrid cloud solutions combine on-premises
and cloud solutions, such as linking an on-premises
network to a cloud network via a VPN tunnel.
B, C, and D are incorrect. Private clouds are the
responsibility of and used by a single organization,
whereas public clouds are potentially available to
anybody over the Internet. “Extended” is not a valid
cloud deployment model.
10. A. Private clouds are the responsibility of and
used by a single organization, whereas public clouds
are potentially available to anybody over the
Internet.
B, C, and D are incorrect. Private clouds are
owned and used by a single organization. Public
clouds are available to all Internet users.

Understanding Cloud Shared Responsibility


11. B. In the cloud, a managed service provides a
solution, such as deploying a database, without having to deal with the underlying virtual machine, network, and storage configuration details.
A, C, and D are incorrect. Horizontal scaling
adds or removes virtual machines to support an
application. Vertical scaling increases or decreases
virtual machine power through items such as the
number of virtual CPUs and the amount of RAM.
Infrastructure as a Service (IaaS) requires the
detailed configuration of resources such as virtual
machines, storage, and networking.
12. B. Cloud tenants are cloud customers, and as
such are responsible for applying updates to
manually deployed virtual machines.
A, C, and D are incorrect. These entities are not
responsible for applying updates to a manually
deployed virtual machine.
13. B. Type 2 hypervisors require an existing
operating system since they run as an app in the
operating system.
A, C, and D are incorrect. A type 1 hypervisor
installs directly on hardware; it is the operating
system. Type 3 and type 4 are invalid hypervisor
categories.
14. C and D. Virtualization in the form of virtual
machines makes cloud computing possible.
A and B are incorrect. Virtualization can be used outside of a cloud environment. Cloud-hosted
virtual machines run on type 1 hypervisors (bare
metal) in the cloud.
15. A. Type 1 hypervisors run directly on hardware
(bare metal) and do not need an existing operating
system. They are often referred to as a bare metal
hypervisor.
B, C, and D are incorrect. Type 2 hypervisors
run as an app and require an existing operating
system. Type 3 and type 4 hypervisors do not exist.

Chapter 2
The Business Side of Cloud
Computing

CERTIFICATION OBJECTIVES

2.01 The Business Case for Cloud Computing

2.02 Service Level Agreements

2.03 Managing Cloud Costs

Two-Minute Drill

Q&A Self Test

Despite its many benefits, cloud computing isn’t for
everyone, whether an individual or an organization. In
some cases data privacy laws and regulations limit the
use of cloud computing. This chapter introduces you to
cost factors to consider when adopting or managing
existing cloud resources.
We’ll start by identifying the benefits of cloud
computing compared to provisioning the same
computing resources on premises. This will lead into a
discussion of the business side of cloud computing in
terms of ensuring cloud solutions address business
needs while minimizing costs.
Next, we’ll dive into cloud service–specific service
level agreements (SLAs) and how they relate to IT
system and data availability. Finally, we’ll talk about
managing cloud costs using a variety of strategies.

CERTIFICATION OBJECTIVE 2.01

THE BUSINESS CASE FOR CLOUD COMPUTING

Cloud computing has become wildly popular.
Individuals and organizations benefit from using
computing services running on somebody else’s
equipment for a small usage fee—small, at least, in
comparison to running those same services on your own
equipment in your own facility that you must also
manage. But the cost really is about more than just the
direct fees. For example, are IT services deployed more
efficiently? Is customer service improved? Answering
such questions is described as proof of value (PoV).
Cloud adoption begins with mapping available cloud
services to computing needs and conducting proof of
concept (PoC) pilots to ensure chosen cloud services
work as expected. This can include software developers
using automated testing for quality assurance (QA)
purposes in the cloud or using cloud-based file share
folders to address file access needs. Instead of manually
provisioning cloud resources, such as virtual machines
and databases, cloud users can also use templates
(essentially blueprints) to quickly create or even
manage cloud resources over and over again.
Cloud computing is a collection of IT solutions that is
of interest not only to the organization’s chief
technology officer (CTO) but also to the chief financial
officer (CFO) since there is a potential reduction in up-
front, large IT investments.


Ongoing Operating Expenses (OPEX)


As discussed in Chapter 1, the pay-as-you-go cloud
computing characteristic represents the fact that most
cloud computing pricing models charge customers only
for the cloud resources that they use. This ongoing
variable monthly expense is called an operating expense
(OPEX).

You might hear other IT technicians refer to metered usage when it comes to paying only for cloud resources that are used. In the context of cloud computing characteristics, this is synonymous with pay-as-you-go.

An organization that deploys IT services on premises using its own hardware, software, and licenses incurs a
much larger up-front, fixed cost, which is called a capital
expense (CAPEX). This doesn’t mean that cloud
computing costs are always cheaper than on-premises
computing costs; many factors feed into a return on
investment (ROI) analysis, such as a reduced time to
market, which can save money in other areas and
provide organizations with a competitive advantage. To
illustrate this, consider the following example:

Your company requires a back-end database server to process customer transactions for a public-facing website. Following is a comparison of the steps for provisioning the server on premises and the steps for provisioning the server via the cloud:

Clearly, the cloud deployment option requires less work and allows technicians to focus on the business
problem instead of the underlying technology. Using
this type of comparison when presenting to
management makes a great business case for cloud
computing and, over time, can reduce the total cost of
ownership (TCO) of the IT solution.

You can expect to be tested on OPEX and CAPEX. Remember that OPEX does not always mean IT costs are less expensive than CAPEX; it depends on the specific IT solution and the time over which that solution will be used.

Information Technology Infrastructure Library (ITIL) and the Cloud
ITIL originally was an acronym for Information
Technology Infrastructure Library—and it is still
identified as such in the Cloud Essentials+ Acronyms
list—but the official name of the framework was
changed to ITIL by its owner, AXELOS, more than five
years ago.
In a nutshell, ITIL is an IT service framework with
the goal of providing IT services as efficiently and cost-
effectively as possible. This framework relates to cloud
computing characteristics such as self-service
provisioning, as well as to promoting professional
development through providing proper training for
technicians (human capital) who will manage cloud
services. From cloud technicians to cloud end users, the
framework is all about IT service management
continuous improvement.
Let’s say your organization wants to run important IT
services in the cloud such as

Customer relationship management (CRM)
Enterprise resource planning (ERP)
Digital marketing campaigns, including e-mail campaigns
Social media feed analytics

Part of ITIL relates to supplier management. The cloud service provider (CSP) is the supplier in this case, and
your organization must take care to ensure these listed
items are available from the CSP at a reasonable cost
over time. Using these cloud services provides
customers with the benefit of quick and easy
deployment. For example, executing e-mail marketing
campaigns in the cloud doesn’t even require the
installation of or permission to use an SMTP e-mail
server, whereas this might be required on premises.
Careful planning and ongoing monitoring are the key
to the efficient and effective use of cloud computing
services, given that the success criteria have been
defined. This could include smaller website deployment
times for testing purposes in the cloud. Cloud
computing allows for a faster pace and larger scale of
data generation and consumption than was previously
possible, and this must be managed carefully for
organizations to derive as much business value for as
little cost as possible.

CERTIFICATION OBJECTIVE 2.02

SERVICE LEVEL AGREEMENTS

A service level agreement (SLA) is a contract between a CSP and a cloud customer. An SLA is specific to a cloud
service. For example, Figure 2-1 shows an excerpt from
an SLA for a cloud storage solution. These terms will
differ from the terms in an SLA for virtual machines,
websites, and so on.

FIGURE 2-1 Excerpt from Amazon Web Services (AWS) S3 cloud storage SLA

SLAs focus on cloud service performance, availability, and technical support. A statement of work (SOW)
provides details about deliverables that result from a
contract, such as an SLA. If the SLA does not mention
these items, you can submit a request for information
(RFI) to the CSP to receive further details.
To determine acceptable performance and availability
values, you must first establish a baseline of normal
acceptable performance and availability for the use of IT
services. Let’s say an SLA specifies monthly cloud
storage uptime of 99.9 percent, which represents the
industry standard benchmark for cloud storage availability. How much downtime is possible given this value? Potentially, cloud storage could be unavailable
for 43 minutes and 12 seconds per month, as shown in
Figure 2-2 (using the SLA Uptime Calculator at
www.slatools.com/sla-uptime-calculator). If the CSP
fails to meet the SLA obligations, cloud service credits
are applied to the customer’s cloud computing charges.

FIGURE 2-2 Determining cloud service uptime from the SLA monthly uptime percentage

In some cases the details in the SLA can be modified or negotiated. This is especially true with larger organizations or government agencies.

Chargeback
SLAs define not only cloud service availability but also
the related pricing structure. In some organizations, this
even applies to a private cloud. The IT department
provides the private cloud services, and each department
within the organization is charged for its use of private
cloud resources (departmental chargeback).
Tracking cloud resources based on details such as
department or project is easily accomplished with
resource tagging, which means adding metadata to
further define that resource. For example, deploying
storage, virtual machines, and websites in the cloud
means deploying numerous cloud resources, each of
which might be tagged with a “Project” tag with a value
of “Project ABC,” as shown in Figure 2-3. This way, all
cloud resources related to “Project ABC” can be listed
together to facilitate management and billing allocation.

FIGURE 2-3 Tag names and values for a Microsoft Azure virtual machine
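The tag-based chargeback described above, as an added example that is not from the book: it allocates each resource's monthly cost to the value of its "Project" tag (as in Figure 2-3), lists everything tagged for one project, flags resources that cannot be charged back because the tag is missing, and reports which projects have reached a budget amount. The inventory, the costs, the "Dept" tag and the 300 budget figure (borrowed from Exercise 2-2) are constructed assumptions.

```python
"""Departmental chargeback from cloud resource tags."""
from collections import defaultdict

ALLOCATION_TAG = "Project"  # tag name used in the chapter's example

# Constructed inventory: (resource id, resource type, tags, monthly cost in USD).
SAMPLE_RESOURCES = [
    ("vm-web-01", "virtualMachine", {"Project": "Project ABC", "Dept": "Sales"}, 120.50),
    ("st-webdata", "storageAccount", {"project": "Project ABC"}, 18.20),
    ("sql-orders", "sqlDatabase", {"Project": "Project ABC"}, 245.00),
    ("vm-build-07", "virtualMachine", {"Project": "Project XYZ"}, 96.00),
    ("vm-test-legacy", "virtualMachine", {}, 64.75),  # untagged: cannot be allocated
]


def tag_value(tags, name):
    """Look up a tag by name, ignoring the case of the tag name.

    Azure treats tag names case-insensitively (values stay case-sensitive), so
    "project" and "Project" must land in the same bucket. Returns None when the
    tag is absent or blank."""
    for key, value in tags.items():
        if key.lower() == name.lower():
            return value.strip() or None
    return None


def chargeback(resources, tag=ALLOCATION_TAG):
    """Return (cost per tag value, unallocated cost, ids of untagged resources)."""
    totals = defaultdict(float)
    untagged, unallocated = [], 0.0
    for rid, _rtype, tags, cost in resources:
        value = tag_value(tags, tag)
        if value is None:
            untagged.append(rid)
            unallocated = round(unallocated + cost, 2)
        else:
            totals[value] = round(totals[value] + cost, 2)
    return dict(totals), unallocated, untagged


def resources_for(resources, value, tag=ALLOCATION_TAG):
    """Ids of every resource carrying the given tag value, e.g. "Project ABC"."""
    return [rid for rid, _rtype, tags, _cost in resources if tag_value(tags, tag) == value]


def over_budget(totals, budget):
    """Tag values whose allocated spend has reached the budget amount."""
    return sorted(value for value, cost in totals.items() if cost >= budget)


if __name__ == "__main__":
    totals, unallocated, untagged = chargeback(SAMPLE_RESOURCES)
    for project, cost in sorted(totals.items()):
        members = ", ".join(resources_for(SAMPLE_RESOURCES, project))
        print(f"{project:<12} {cost:>8.2f}  resources: {members}")
    print(f"unallocated {unallocated:.2f} from untagged resources: {', '.join(untagged)}")
    print("budget alert (300):", ", ".join(over_budget(totals, 300)) or "none")
```

The unallocated line is the practical check: any cost that lands there is spend no department will own, so untagged resources are the first thing to chase when a chargeback report does not add up to the bill.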

CERTIFICATION OBJECTIVE 2.03

MANAGING CLOUD COSTS


Even though cloud computing costs are monthly
recurring operating costs, that doesn’t make it any less
important to plan and track cloud computing charges.
For example, leaving a cloud database or virtual
machine deployment running for months when it is
only needed for a single day could result in large cloud
computing bills that could have been easily avoided.
Cloud-based policies and permissions can be used to
limit which cloud users can deploy specific cloud
services. There are options to automate actions, such as
virtual machine auto-shutdown, as shown in Figure 2-4.

FIGURE 2-4 Microsoft Azure virtual machine auto-shutdown options

Reserved and Spot Instances


Most CSPs allow you to reserve compute capacity
(virtual machine usage) ahead of time for an extended
period of time, such as up to three years. This is referred
to as a reserved instance. If you know you will need
compute capacity in the cloud for that period of time,
you can cut cloud costs by doing this because the CSP offers discounts for reserved instance configurations.
Another cost-saving measure is to use spot instances.
This refers to virtual machine compute capacity that is
currently unused and can be used at a minimal cost, but
there is no guarantee it will always be available to you.
If you want to use cloud-based VMs for testing or
noncritical IT workloads at a minimal cost, using spot
instances fits this need.

Common cost-reduction settings, such as scheduling VM auto-shutdown, show up on the exam even though not all public CSPs support all such settings.

Cloud Subscription Types


Cloud subscriptions define a billing and management
boundary. You could have a single public CSP account
with multiple subscriptions.
The subscription is where payment information, such
as credit card details, is specified along with billing e-
mail and physical addresses. You can beef up
subscriptions with additional cloud features, enhanced
technical support, and so on, at an increased cost. Some CSPs such as Microsoft Azure provide different types of subscriptions; for example:

Free Trial (30 days or use of $260 credit)
Pay-As-You-Go
Pay-As-You-Go Dev/Test (for developers)

Licensing
Most open-source software does not require users to
pay for licenses. Open source means the source code is
freely available to anyone on the Internet, and any
modifications to the source code must be made freely
available to all users on the Internet. Examples of
popular open-source software include the Ubuntu Linux
operating system and the LibreOffice productivity suite.
The opposite of open-source software is proprietary
software. An example is Microsoft Windows; Microsoft
owns the Windows OS source code and does not make it
freely available for modifications. Also, most proprietary
software requires a fee for licensing the software.
Most CSPs offer a bring your own license (BYOL)
option when deploying resources such as virtual
machines or databases, as shown in Figure 2-5. If your
organization has already paid licensing fees, you can
continue to use them in the cloud to reduce costs. When
configuring an OS and supplying license information,
you’ll normally have to accept the End User Licensing Agreement (EULA) before continuing.

FIGURE 2-5 Microsoft Azure virtual machine BYOL option

EXERCISE 2-1

Microsoft Azure Pricing Calculator


In this exercise, you will determine the approximate
monthly cost of deploying IT services in the Microsoft
Azure public cloud using the Microsoft Azure Pricing
Calculator. The following instructions depend on having
completed Exercise 1-1 in Chapter 1.

1. Use your web browser to navigate to https://azure.microsoft.com/en-ca/pricing/calculator.
2. Click the Virtual Machines tile, and then scroll
down to the Virtual Machines section of the web
page.
3. From the Instance drop-down list, choose the D4 instance type.
4. Scroll down and enter 40 in the Hours field.
5. Scroll back up to the very top of the web page and
click the Storage Accounts tile. Scroll down to the
Storage Accounts section and review the default
settings, but do not change any of the Storage
Account settings.
6. Scroll back up to the very top of the web page and
click the Azure SQL Database tile.
8. From the Backup Storage Tier drop-down list,
choose RA-GRS.
9. Scroll down to the very bottom of the web page to
view the estimated monthly cost for all the
selected cloud products.

EXERCISE 2-2

Microsoft Azure Budgets and Alerts


In this exercise, you will configure an Azure budget and
alert. The following instructions depend on having
completed Exercise 1-1 in Chapter 1.

1. Sign in to https://portal.azure.com.
2. From the search field at the top center of the Azure portal, type Subscriptions and click the search result of the same name.
a. Click your subscription name.
b. In the left-hand navigator, click Budgets.
3. Click the Add button:
a. Name the budget Budget1.
b. Type 300 in the Amount field.
c. Enable the check box for the Alert Recipients
(Email) section, then type in a fictitious group
e-mail address such as [email protected].
d. Click Create.

INSIDE THE EXAM


Match Requirements to Cloud Service Configurations
In some cases the CompTIA Cloud
Essentials+ CLO-002 exam might ask what the best
cloud solution is given a business requirement. An
example might look like this:
Your organization needs a software sandbox
testing environment for website
development. The environment needs the
ability to spin up rapidly at a minimal cost.

One possible solution is

Create resource deployment templates for the required testing resources and ensure spot-instance virtual machines are used.

CERTIFICATION SUMMARY
This chapter discussed how to bridge the gap between
the business side of computing and the details related to
cloud computing service delivery.
You have been exposed to the difference between
CAPEX and OPEX and how cloud managed services
allow cloud technicians to focus on the business
problem instead of the underlying IT complexities.
You also learned how ITIL relates to the cloud and
how SLAs define expected cloud service levels and
pricing structures. This chapter covered how cloud
resource tagging facilitates organizing cloud resources
for billing purposes.
Saving money is always important; strategies such as
virtual machine auto-shutdown and the use of spot
instances can help achieve this. Finally, you learned
about cloud subscriptions and licensing options.

TWO-MINUTE DRILL

The Business Case for Cloud Computing


Operating expenses (OPEX) map to monthly
recurring cloud computing charges.
Capital expenditures (CAPEX) map to purchasing,
configuring, and managing IT infrastructure
onsite.
ITIL is an IT service framework that strives to
increase the quality and efficiencies related to IT
service delivery while reducing costs.

Service Level Agreements


A service level agreement (SLA) is a contract
between a cloud provider and cloud customer
specifying uptime and cloud usage charges.
Chargeback is used to track cloud service usage by
a specific group or user for billing purposes.
Tagging cloud resources means adding metadata to
further describe the resource, normally to
facilitate management and billing.

Managing Cloud Costs


Reserved instances offer preplanned compute
capacity over time at a discount.
Spot instances offer the use of available cloud
compute resources at a discount, but the
availability can change at any time.
Cloud subscriptions determine which cloud features are available.
Bring your own license (BYOL) allows the use of
existing software licenses in a cloud computing
environment.

SELF TEST
The following questions will help you measure your
understanding of the material presented in this chapter.
As indicated, some questions may have more than one
correct answer, so be sure to read all the answer choices
carefully.

The Business Case for Cloud Computing


1. Which term is most closely related to ensuring that
cloud solutions improve the customer experience
and increase efficiencies?
A. Proof of concept (PoC)
B. Return on investment (ROI)
C. Proof of value (PoV)
D. Total cost of ownership (TCO)
2. Which term is synonymous with metered usage?
A. Elasticity
B. Pay-as-you-go
C. CAPEX
D. Managed service
3. Which two terms are the most closely related to
ITIL?
A. Service delivery
B. Supplier management
C. Service level agreement
D. Managed service
4. From the cloud customer’s perspective, to which
business role does the CSP apply?
A. Cloud tenant
B. Regulator
C. Supplier
D. Enforcer

Service Level Agreements


5. Which of the following two items are commonly
found in a cloud SLA?
A. Data retention options
B. Expected uptime
C. Subscription limits
D. Service credits
6. You are evaluating cloud service SLAs. What is required to determine if the SLA performance guarantees are suitable for a specific IT workload?
A. Template
B. Baseline
C. Pricing calculator
D. Migration toolkit
7. Your organization runs a private cloud. Cloud usage
is tracked by department for monthly billing
purposes. Which term best describes this model?
A. Service level agreement
B. Chargeback
C. IaaS
D. SaaS

Managing Cloud Costs


8. You need to minimize cost when periodically
testing new OS updates in cloud-based Windows
virtual machines. What should you do?
A. Use spot instances
B. Use reserved instances
C. View the virtual machine SLA
D. Deploy the virtual machine using a template
9. Your on-premises, mission-critical Windows server
is already licensed. You plan to migrate the server
to a cloud-based virtual machine. What should you
do to reduce costs?
A. Use the BYOL option when creating the cloud
virtual machine
B. Deploy the server as a spot instance
C. Increase the virtual machine compute power
D. Switch to an open-source OS
10. Which term is associated with agreeing to licensing
terms?
A. BYOL
B. EULA
C. SLA
D. TCO
11. Developers in your company have been leaving
cloud-based virtual machines running long after
they are needed. What should you configure to
reduce costs?
A. Auto-shutdown
B. Spot instances
C. Reserved instances
D. Virtual machine templates
12. You want to be made aware of cloud computing
charges when a certain dollar amount is reached.
What should you configure?
A. Reserved instances
B. Cloud pricing calculator
C. Cloud templates
D. Billing alerts
13. What should you configure to control which types
of virtual machines can be deployed in the cloud?
A. Cloud policies
B. Cloud template
C. Cloud SLA
D. Cloud subscription
14. Your company has a three-year military contract
that will require the use of many virtual machines
that must be left running all the time. You need to
minimize cloud computing costs. Which cloud
virtual machine option should you consider?
A. Spot instances
B. Reserved instances
C. Auto-shutdown
D. Template deployment
15. Which type of software does not normally charge
users for licensing?
A. CAPEX
B. Open source
C. Proprietary
D. BYOL

SELF TEST ANSWERS


The Business Case for Cloud Computing
1. C. In a cloud computing context, proof of value
(PoV) identifies the business value of cloud
computing.
A, B, and D are incorrect. Proof of concept
(PoC) provides assurances that a plan will function
correctly. Return on investment (ROI) is used to
determine if an expenditure has increased or
decreased in value over time. Total cost of
ownership (TCO) identifies costs associated with
using a product or service, including ongoing
management and maintenance costs, over time.
2. B. Metered usage is synonymous with pay-as-
you-go; cloud usage is tracked and billed
accordingly.
A, C, and D are incorrect. Elasticity refers to the
ability to quickly provision or deprovision cloud
resources on demand. Capital expenditures
(CAPEX) refer to large investments in equipment.
Managed services in the cloud take care of the
underlying infrastructure configurations required
to support a higher-level service such as a database.
3. A and B. The ITIL framework strives to provide
efficient IT services with a minimum of cost. Part of
this framework relates to service delivery and
supplier management.
C and D are incorrect. Service level agreements
(SLAs) are contracts between cloud providers and
cloud customers. Managed services in the cloud
take care of the underlying infrastructure
configurations required to support a higher-level
service such as a database.
4. C. Cloud service providers (CSPs) are suppliers
from the cloud customer’s perspective.
A, B, and D are incorrect. Cloud tenants are
cloud customers. Regulators set policy to control
industry through regulations. Enforcer is not a
common cloud role.

Service Level Agreements


5. B and D. Service level agreements (SLAs)
include details about cloud service uptime and
service credits for cloud customers if SLA metrics
are not honored.
A and C are incorrect. SLAs do not reference
data retention policies or cloud subscription limits.
6. B. Baselines set a standard for performance
under normal load conditions. Without baselines,
determining if details such as network bandwidth
or monthly uptime percentages fulfill business
requirements is difficult.
A, C, and D are incorrect. Templates define
cloud resources to be created or managed in some
way. Pricing calculators and migration toolkits are
not related to SLAs.
7. B. Chargeback refers to tracking usage for a
group or department and then billing it accordingly.
A, C, and D are incorrect. Service level
agreements (SLAs) include details about cloud
service uptime and service credits for cloud
customers if SLA metrics are not honored.
Infrastructure as a Service (IaaS) and Software as a
Service (SaaS) are cloud service models.

Managing Cloud Costs


8. A. Spot instances are extra compute capacity
that can be “rented” when needed, but uptime is not
guaranteed, so for testing OS updates, this would be
acceptable.
B, C, and D are incorrect. Reserved instances
require a long-term commitment for compute
services at a discount. SLAs for VMs do not provide
a method for minimizing costs, nor does deploying
a VM using a template.
9. A. Bring your own license (BYOL) allows cloud
customers to use their existing software licenses
with cloud deployments such as virtual machines.
B, C, and D are incorrect. Mission-critical
servers should not be deployed as spot instances
because uptime is not guaranteed. Increasing VM
compute power increases costs. Switching to an
open-source OS does not reduce costs from the
perspective that a Windows server license has
already been acquired.
10. B. The End User License Agreement (EULA) is
normally accompanied by a check box that users
must check after having read a software licensing
agreement.
A, C, and D are incorrect. Bring your own
license (BYOL) allows cloud customers to use their
existing software licenses with cloud deployments
such as VMs. Service level agreements (SLAs)
include details about cloud service uptime and
service credits for cloud customers if SLA metrics
are not honored. Total cost of ownership (TCO)
specifies the direct cost of an item or service plus
the management costs over time.
11. A. Enabling auto-shutdown allows you to
schedule when virtual machines are automatically
turned off.
B, C, and D are incorrect. Spot instances are
extra compute capacity that can be “rented” when
needed, but uptime is not guaranteed. Reserved
instances require a long-term commitment for
compute services at a discount. Virtual machine
templates contain instructions on deploying VMs
and can accept parameters for unique values such
as the VM name or OS image.
12. D. Billing alerts are configured to notify
administrators when monthly cloud charges reach a
specified amount.
A, B, and C are incorrect. Reserved instances
require a long-term commitment for compute
services at a discount. Cloud pricing calculators
allow users to add the anticipated usage of specific
cloud services to get a sense of how much cloud
services might cost. Cloud templates are used to
facilitate the deployment and management of cloud
resources.
13. A. Cloud policies not only control which
administrators can deploy and manage virtual
machines but also control granular resource details
such as which type of VMs can be deployed.
B, C, and D are incorrect. Cloud templates are
used to facilitate the deployment and management
of cloud resources. Service level agreements (SLAs)
include details about cloud service uptime and
service credits for cloud customers if SLA metrics
are not honored. Cloud subscriptions serve as a
billing and features boundary for cloud computing.
A single cloud account can contain multiple
subscriptions.
14. B. Reserved instances require a long-term
commitment for compute services at a discount.
A, C, and D are incorrect. Spot instances are
extra compute capacity that can be “rented” when
needed, but uptime is not guaranteed. Enabling
auto-shutdown allows you to schedule when VMs
are automatically turned off. Cloud templates are
used to facilitate the deployment and management
of cloud resources.
15. B. Open-source software means the source
code is freely available to everybody over the
Internet, and normally license fees do not apply to
use the software.
A, C, and D are incorrect. Capital expenditures
(CAPEX) refer to large investments in equipment.
Proprietary software does not make source code
freely available over the Internet, and normally
license fees are required to use the software. Bring
your own license (BYOL) allows cloud customers to
use their existing software licenses with cloud
deployments such as VMs.


Part II
Cloud Design Requirements

CHAPTERS

3 Cloud Planning

4 Compliance and the Cloud


Chapter 3
Cloud Planning

CERTIFICATION OBJECTIVES

3.01 Cloud Feasibility

3.02 Solving Business Problems with the Cloud


3.03 Cloud Migration Strategies

Two-Minute Drill

Q&A Self Test

This chapter emphasizes the importance of planning the
use of cloud computing services. New companies can
adopt cloud computing with relative ease, while
organizations already using on-premises solutions have
more to consider.
In this chapter, we explore how to determine whether
or not cloud services address business needs, how to
choose the correct cloud services, and how to plan a
cloud migration strategy.

CERTIFICATION OBJECTIVE 3.01

CLOUD FEASIBILITY
Like all business endeavors, the adoption of cloud
computing requires careful analysis, planning, and
testing. Formulating a solid business plan and
identifying how business needs are addressed by
technology play important roles in a successful cloud
adoption strategy. When assessing the feasibility of
extending IT services beyond existing on-premises
solutions, an organization needs to identify the potential
benefits that cloud computing offers. Some of these
benefits might include

Less up-front capital costs
Quicker deployment of IT services
More time to focus on using IT to solve business
problems, instead of focusing on configuring the
technology
Quicker time to market for products and services

The current and future needs of the organization
must be factored in, such as the capability to add users
to e-mail systems, the capability to deploy more virtual
machines, the capacity to increase cloud storage—this
cloud scalability fits in well with capacity planning. A
technical gap analysis is used to identify whether
current IT solutions properly address business needs,
such as determining that cloud-stored data must reside
in data centers within national boundaries. If not, the
analysis results can identify what needs to be changed,
such as moving cloud storage within national
boundaries or switching to a cloud service provider
(CSP) that supports this option. In this example, a
business gap analysis is also applicable since the IT
cloud solutions map to business process requirements.
A point of contact needs to be established when
reporting to stakeholders as cloud adoption progresses.
Affected stakeholders can include end users of cloud
services, IT teams supporting cloud services, and
management.
As an example, let’s say current on-premises file
server data will be migrated to a cloud-based file sharing
system. Affected users must be notified of this change to
ensure their continued file access, and a method of
reporting on the status of the migration must be
established. CSPs provide audit and log functionality for
all aspects of cloud resource management, including the
migration of data to the cloud.

Feasibility Study
A feasibility study factors in items such as technical
constraints, regulatory compliance, and cost to
determine whether a proposed solution has a realistic
chance at succeeding.
Documentation can aid in determining how realistic
and practical (feasible) a proposed cloud computing
solution will be in addressing business needs. As
discussed in Chapter 1, CSP service level agreements
(SLAs) define expected uptime for specific cloud
services. CSP compliance web pages show which
security and data privacy standards the CSP supports.
Network and data flow diagrams are important in
showing how IT systems and data will interact with one
another, such as using a site-to-site VPN tunnel to link
on-premises IT services to a public CSP service. Other
relevant documentation types include

Change management
Resource management
Configuration management
Standard operating procedures

For instance, automating the management of storage
resources in the cloud might now be done using
command-line tools such as Microsoft PowerShell using
scripts or templates, where previously this task was
handled using on-premises proprietary storage solution
tools. The various types of documentation and diagrams
are useful not only during a feasibility study but also
during solution implementation and future
troubleshooting.

Cloud Pilot Program


Whereas a cloud feasibility study addresses general
questions such as “Can our organization use cloud
computing to more efficiently use technology to serve
business needs,” a pilot program actually implements a
cloud service on a small scale for purposes of evaluating
the service.
Think of pilot programs as being more specific to how
feasibility can be measured. For example, a pilot
program could consist of five users (a control group)
from a department using cloud services to do their jobs
for a period of time while others continue to use on-
premises IT services. The results of conducting pilot
programs are then reported to relevant stakeholders to
determine the feasibility of implementing the cloud
services on a larger scale.

Make sure you know the difference between
a feasibility study and a pilot program.

Pilot programs can be used as a “proof of
concept” tool to test the migration of on-
premises IT systems and data to the cloud
and then the use of those systems and data in
the cloud.

CERTIFICATION OBJECTIVE 3.02

SOLVING BUSINESS PROBLEMS WITH
THE CLOUD

Organizations don’t use technology because the gadgets
are cool. They use technology to solve business
problems and to save money. Money can be saved with
right-sizing, which strives to use IT infrastructure
efficiently, such as reducing the number of virtual
machines supporting an application when requests slow
down, otherwise known as scaling in (see Chapter 1).

Map Computing Requirements to Cloud Services


Planning for the use of cloud computing means looking
at the organization’s current and future anticipated IT
needs and then finding services in the cloud that fulfill
those needs. For example, if your organization needs to
quickly test custom software application changes,
deploying application containers in the cloud might be
faster and cheaper than deploying virtual machines.
This is true because an application container, unlike a
VM, does not contain an entire operating system;
instead, it simply uses an underlying operating system
that is already running.
Table 3-1 shows a sample of common IT needs and
corresponding cloud solutions.

TABLE 3-1 Common Computing Needs and Cloud
Solutions

Using cloud services is one thing, but logging and
monitoring usage is also crucial for continuous
improvement over time. You can configure alerts so that
you are notified, for example, if the average CPU
utilization of a virtual machine exceeds a given
percentage value within a specific time frame, as shown
in Figure 3-1.

FIGURE 3-1 Configuring a Microsoft Azure alert
rule
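
The alert rule in Figure 3-1 can be reasoned about as a trailing-window average compared against a threshold at each evaluation tick. The following Python is an added example, not code from the book or from Azure: the rule fields, the evaluation frequency, the VM's CPU samples, and the timestamps are all constructed here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AlertRule:
    """Metric alert in the style of Figure 3-1: fire when the average of
    `metric` over the trailing `window` exceeds `threshold`. The rule is
    evaluated once every `frequency` (an assumption modelled here)."""
    metric: str
    threshold: float
    window: timedelta
    frequency: timedelta


def window_average(samples: List[Tuple[datetime, float]],
                   end: datetime, window: timedelta) -> Optional[float]:
    """Average of the samples whose timestamp lies in (end - window, end].
    Returns None when no sample falls inside the window."""
    values = [v for t, v in samples if end - window < t <= end]
    return sum(values) / len(values) if values else None


def evaluate(rule: AlertRule, samples: List[Tuple[datetime, float]],
             start: datetime, end: datetime) -> List[Tuple[datetime, float]]:
    """Evaluate `rule` at every frequency tick from start to end inclusive.
    Returns (tick, window average) for each firing. A firing is recorded only
    on the transition from healthy to breached, so one sustained CPU spike
    yields one notification instead of one per tick."""
    firings = []
    breached_before = False
    tick = start
    while tick <= end:
        avg = window_average(samples, tick, rule.window)
        breached = avg is not None and avg > rule.threshold
        if breached and not breached_before:
            firings.append((tick, round(avg, 2)))
        breached_before = breached
        tick += rule.frequency
    return firings


# Constructed data: one-minute "Percentage CPU" samples for a VM over 30
# minutes. The VM idles at 20% except for a spike to 95% in minutes 10-17.
T0 = datetime(2024, 1, 1, 9, 0)  # constructed start time
CPU_SAMPLES = [(T0 + timedelta(minutes=i), 95.0 if 10 <= i <= 17 else 20.0)
               for i in range(30)]

HIGH_CPU = AlertRule(metric="Percentage CPU", threshold=80.0,
                     window=timedelta(minutes=5),
                     frequency=timedelta(minutes=1))


def firing_minutes(rule: AlertRule = HIGH_CPU) -> List[Tuple[int, float]]:
    """Minutes after T0 at which the rule fires, with the window average."""
    return [(int((t - T0).total_seconds() // 60), avg)
            for t, avg in evaluate(rule, CPU_SAMPLES, T0,
                                   T0 + timedelta(minutes=29))]


if __name__ == "__main__":
    # A 5-minute window needs all five samples above 80 before the average
    # crosses the threshold, so the first (and only) firing is at minute 14.
    print(firing_minutes())
```

Widening the window to ten minutes makes this rule miss the eight-minute spike entirely (the average peaks at exactly 80), which is the noise-versus-sensitivity trade-off the time frame setting controls.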

Data Sovereignty and Privacy


Cloud computing services run on physical hardware that
exists somewhere in a data center. The location of that
data center can play a crucial role in determining if a
specific CSP or cloud service should be used.
Upon creation, cloud services generally let the creator
specify a location (or region) into which a cloud
resource will be deployed, as shown in Figure 3-2.
Organizations may need to ensure sensitive data resides
in data centers within national boundaries for legal or
regulatory compliance. Data sovereignty refers to
keeping sensitive data within national boundaries to
control jurisdictional rule of law related to data.

FIGURE 3-2 Deploying a Microsoft Azure
storage account in the Canada East
region
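
Data sovereignty, the resource tagging described in the previous chapter's drill, and the cloud policies that restrict which VM types may be deployed can all be enforced mechanically before a deployment is accepted. This Python is an added example, not the book's or any CSP's policy engine: the inventory, the `dataClass` tag convention, and the region and VM size names (modelled on Azure's naming) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Resource:
    """A deployed or proposed cloud resource as an inventory or deployment
    request would describe it. Region and VM size names are modelled on
    Azure's naming but are constructed for this example."""
    name: str
    kind: str                 # "storageAccount", "database", "virtualMachine", ...
    region: str               # e.g. "canadaeast"
    tags: Dict[str, str] = field(default_factory=dict)
    vm_size: str = ""         # only meaningful when kind == "virtualMachine"


@dataclass(frozen=True)
class Policy:
    """Two guardrails from this chapter: data sovereignty (sensitive data
    stays in regions inside the national boundary) and a cloud policy that
    restricts which VM sizes may be deployed. The `dataClass` tag is an
    assumed tagging convention, not a CSP built-in."""
    sovereign_regions: FrozenSet[str]
    allowed_vm_sizes: FrozenSet[str] = frozenset()
    sensitive_tag: str = "dataClass"
    sensitive_values: FrozenSet[str] = frozenset({"PII", "PHI", "PCI"})


def violations(res: Resource, policy: Policy) -> List[str]:
    """Return human-readable policy violations for one resource."""
    problems = []
    data_class = res.tags.get(policy.sensitive_tag)
    stores_data = res.kind in ("storageAccount", "database")

    if stores_data and data_class is None:
        # Without the classification tag the sovereignty rule cannot be
        # evaluated, so the resource is flagged rather than silently passed.
        problems.append(f"{res.name}: missing '{policy.sensitive_tag}' tag; "
                        "data sovereignty cannot be assessed")
    elif data_class in policy.sensitive_values \
            and res.region not in policy.sovereign_regions:
        problems.append(f"{res.name}: {data_class} data deployed to "
                        f"'{res.region}', outside sovereign regions "
                        f"{sorted(policy.sovereign_regions)}")

    if res.kind == "virtualMachine" and policy.allowed_vm_sizes \
            and res.vm_size not in policy.allowed_vm_sizes:
        problems.append(f"{res.name}: VM size '{res.vm_size}' is not on the "
                        "approved list")
    return problems


def audit(inventory: List[Resource], policy: Policy) -> Dict[str, List[str]]:
    """Usable both as a deploy-time gate (one proposed resource) and as a
    periodic audit over the whole inventory. Compliant resources are omitted."""
    report = {}
    for res in inventory:
        found = violations(res, policy)
        if found:
            report[res.name] = found
    return report


# Constructed policy for an organization that must keep personal data in Canada.
CANADA_POLICY = Policy(
    sovereign_regions=frozenset({"canadacentral", "canadaeast"}),
    allowed_vm_sizes=frozenset({"Standard_B2s", "Standard_D2s_v3"}),
)

# Constructed inventory mixing compliant and non-compliant resources.
INVENTORY = [
    Resource("hr-records-sa", "storageAccount", "canadaeast", {"dataClass": "PII"}),
    Resource("hr-backup-sa", "storageAccount", "eastus", {"dataClass": "PII"}),
    Resource("web-vm-1", "virtualMachine", "canadacentral",
             {"dataClass": "public"}, vm_size="Standard_B2s"),
    Resource("gpu-vm", "virtualMachine", "canadaeast",
             {"dataClass": "public"}, vm_size="Standard_NC6"),
    Resource("logs-sa", "storageAccount", "canadaeast"),
]


if __name__ == "__main__":
    for name, problems in audit(INVENTORY, CANADA_POLICY).items():
        for problem in problems:
            print(problem)
```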

Data privacy has become a global issue due to the
global nature of the Internet. Personally identifiable
information (PII) refers to any piece of information or
combination of pieces of information that can uniquely
identify an individual. Examples of PII include

Social Security number
E-mail address
IP address
Street address
Mother’s maiden name

Protected health information (PHI) refers to any
piece of medically related information about an
individual. Protection of PII and PHI normally requires
encryption to provide data confidentiality. Examples of
PHI include

Blood type
Prescribed medications
Past medical procedures
Health insurance coverage
Medical procedure payment history

PII and PHI, as well as payment card information,
must be protected both on premises and in the cloud.
The following discussion provides further details on a
few data privacy standards that might affect an
organization’s decision regarding whether it should
engage the services of a particular CSP.

General Data Protection Regulation (GDPR)


Because data privacy is such a common theme,
lawmakers around the world have been scrambling to
create a framework of rules to protect the collection,
retention, use, and sharing of private data. The GDPR is
a legislative act of the European Union (EU) that is
intended to put control of PII into the data owner’s
hands.
The GDPR states that individuals are entitled to clear
communication and consent regarding how their
personal data will be collected and used. Individuals also
have the right to access their collected data and to
ensure its accuracy.
The GDPR applies to organizations within the EU
that collect and process personal data, and it applies to
any entity located outside the EU that processes
personal data of EU citizens.

Health Insurance Portability and Accountability Act
(HIPAA)
In the United States, HIPAA is designed to keep
individuals’ health information protected from
unauthorized access and use. American healthcare
providers and health plans must comply with HIPAA
regulations using methods such as

Strong user and device authentication
Data encryption
Data integrity checking to detect tampering
Ongoing monitoring to detect potential security
breaches

Like all rules, there are exceptions. Consider the
example of people participating in a medical study in
which each person consents to having activity-
monitoring devices attached to their body. If the
collected data from multiple users is analyzed and
summarized, then HIPAA may not apply. Any medically
related information that can be traced back to an
American citizen could be subject to HIPAA.

Payment Card Industry Data Security Standard (PCI
DSS)
Merchants dealing with payment cards such as debit
and credit cards must adhere to the PCI DSS framework.
Unlike some other data privacy standards, such as
GDPR and HIPAA, PCI DSS is not limited to a country
or group of countries; it is international.
Protecting cardholder data could require securing the
transmission and storage of that information, if it is
being stored at all. Much of PCI DSS consists of general
recommendations; it’s up to IT security experts to
determine the best security control to mitigate risks.
The other thing to consider is that compliance details
vary from one card type to the next (Visa, MasterCard,
American Express). Table 3-2 provides a subset of PCI
DSS security requirements and solutions.

TABLE 3-2 PCI DSS Requirements and Suggested
Security Controls

From a security analyst standpoint, auditing IT
environments for PCI DSS can include

Identifying cardholder data
Assessing existing security controls
Remediation through reconfiguration or the use of
new security controls
Reporting on Compliance (RoC) for PCI DSS
audits
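
The first audit step, identifying cardholder data, is in practice a discovery scan over files, logs, and databases. This Python is an added example rather than anything from the book or a PCI DSS assessment tool: the candidate pattern, the Luhn check, the masking rule, and the sample records are constructed here, and the card numbers are Luhn-valid sample values, not real accounts.

```python
import re
from typing import Dict, List

# Candidate primary account numbers (PANs): 13 to 19 digits, optionally
# separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers. It weeds out most
    random digit strings (order ids, timestamps) that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form permitted by PCI DSS: at most the first six and last four
    digits visible, so the audit report itself does not become cardholder data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Distinct Luhn-valid PANs (digits only) in `text`, in order found."""
    found: List[str] = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def scan_records(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each location that contains cardholder data to its masked PANs.
    Locations with no hits are omitted, so the result is the list of places
    that fall into PCI DSS scope."""
    report: Dict[str, List[str]] = {}
    for location, body in records.items():
        pans = find_pans(body)
        if pans:
            report[location] = [mask_pan(p) for p in pans]
    return report


# Constructed sample files. The card numbers are Luhn-valid sample values,
# not real accounts; the "ticket" number fails the checksum on purpose.
RECORDS = {
    "crm/notes.txt": "Order 20240115 paid with 4111 1111 1111 1111, exp 12/26.",
    "support/ticket-88.log": "Ticket 4111111111111112 opened by agent 7.",
    "finance/refunds.csv": "ref,amount,card\nR1,19.99,3782-822463-10005\n"
                           "R2,5.00,4111111111111111",
    "hr/phone.txt": "Reach the on-call engineer at +1 555 0100 2000.",
}


if __name__ == "__main__":
    for location, masked in scan_records(RECORDS).items():
        print(location, masked)
```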

CERTIFICATION OBJECTIVE 3.03

CLOUD MIGRATION STRATEGIES


After an organization has completed a feasibility study,
followed by pilot programs to test specific cloud solution
viability, and has determined that, yes, moving IT
services from on premises to the cloud does make sense,
it can focus on cloud migration strategies. An important
consideration when choosing a migration strategy is
that it can also help fulfill disaster recovery and
business continuity planning by replicating data to the
cloud in various regions so that a disaster does not
destroy all copies of the data.
Remember, with cloud computing, depending on the
services you deploy, there is a shared responsibility
between you, the cloud customer, and the CSP. For
instance, if you deploy virtual machines in the cloud, it’s
up to you to manage them, including patching the OS,
but the underlying physical hypervisor hardware,
storage, and network infrastructure on which the virtual
machines run is the responsibility of the CSP, who, in
this context, can also be referred to as a managed service
provider (MSP).
Most cloud migrations use a phased approach. In
simple terms, it could consist of the following phases:

1. Evaluate on-premises candidates for cloud
migration.
2. Place IT systems and data in the cloud.
3. Synchronize data between on premises and the
cloud.
4. After a period of time during which cloud
adoption is successful, decommission the on-
premises IT systems and data.

Of course, you might never decommission the on-
premises components, which results in running a
hybrid cloud solution.

Lift and Shift


While some customized IT solutions may need to be
redesigned to work in the cloud, other solutions can be
moved from the on-premises IT configurations into the
cloud with little to no modification. Commercial off-the-
shelf (COTS) software often lends itself to a lift and
shift migration strategy from on premises to the cloud,
whereas customized, resource-intensive solutions
typically do not. Lift and shift migrations are often
referred to as rehosting migrations. Rebuilding IT
systems to work in the cloud is referred to as
refactoring, which is central to the rip and replace
migration strategy discussed in the next section.

Be prepared to answer exam questions that
test your knowledge of the difference between
lift and shift migrations versus refactoring.

Large Datasets
If you have large on-premises datasets, your cloud
migration strategy might include employing CSP large
data transfer services such as AWS Snowball. With AWS
Snowball, a secured storage device is sent to your
location, your data is copied (with 256-bit encryption) to
the device, and the device is shipped back to AWS,
where the data is then copied into the AWS cloud.
Transferring very large amounts of data (think
petabytes) over the Internet sometimes is not feasible,
even with the fastest Internet connections, because it
would take too long. It might also be too expensive or
not sufficiently secure.

Physical to Virtual (P2V)


Physical on-premises servers can be migrated into the
cloud as virtual machines. This process is referred to as
physical to virtual (P2V) migration and normally occurs
through an agent installed on the physical server that
communicates with a management console. The agent
analyzes the hardware and OS configuration so that the
virtualized environment is configured accordingly. The
opposite, meaning migrating a virtual machine to a
physical host, is referred to as virtual to physical (V2P).
You might also consider a P2V migration if you want
to run a private cloud on your own equipment by
virtualizing existing physical servers. The free VMware
Converter tool can be used to perform P2V migrations
for physical Windows and Linux hosts.

Virtual to Virtual (V2V)


This one is interesting; most folks assume that V2V
means migrating on-premises VMs to the cloud, which
is correct. This can be much quicker than deploying a
brand-new VM in the cloud and configuring it to meet
your needs.
But V2V can also mean migrating cloud-based VMs
back to the premises when required. For example,
Microsoft Azure VMs use virtual hard disks (VHDs).
You can download VHDs from Azure, as shown in
Figure 3-3, and then create on-premises VMs using the
downloaded VHDs.

FIGURE 3-3 Downloading a Microsoft Azure VM
VHD file

Rip and Replace

The previous section discussed the notion of refactoring
IT solutions—essentially, rebuilding an IT solution to
suit a cloud environment. That’s precisely what the rip
and replace migration strategy entails, and it’s often
used to migrate customized, complex IT solutions for
which there is no functional equivalent service available
in the cloud.
CSPs offer a wide variety of infrastructure and
development solutions to facilitate rip and replace
migrations, including

Cloud-based server-less programmatic functions
that don’t require setting up the underlying
infrastructure
Web application deployment slots to swap out
testing and production versions of a web
application
Message queues to allow software components to
communicate even if they are not running at the
same time
Integration with software developer tools such as
Microsoft Visual Studio
Templates to quickly deploy load-balanced app-
testing environments

EXERCISE 3-1

Run an On-Premises Cloud Migration
Assessment for Microsoft SQL Server

In this exercise, you will download, install, and run the
Microsoft Data Migration Assistant. This exercise relies
on having an on-premises Microsoft SQL Server
reachable over the network.

1. Download the free Microsoft Data Migration
Assistant tool from
https://www.microsoft.com/en-us/download/details.aspx?id=53595.
2. Run the MSI installer and accept all installation
defaults. On the last installation screen, shown in
Figure 3-4, check the Launch Microsoft Data
Migration Assistant check box and click Finish.

FIGURE 3-4 Launch the Microsoft Data
Migration Assistant after installation

3. In the left-hand navigation pane of the Data
Migration Assistant, click the + sign to create a
new migration assessment (see Figure 3-5).

FIGURE 3-5 Create a new assessment or
migration

4. With the Assessment radio button selected (the
default), name the project HfxProj1.
5. Ensure that the Source Server Type field is set to
SQL Server and the Target Server Type field is set
to Azure SQL Database, and then click Create and
click Next. (Note that after the assessment
indicates success, you could come back here and
choose the Migration radio button to actually
perform a SQL Server data migration.)
6. Specify the name of your on-premises SQL Server
and the appropriate authentication type. If
somebody else set up the SQL Server, get this
information from that person.
7. Click Connect and select one or more databases
to run the assessment against. Click Add.
8. Click the Start Assessment button in the bottom
right of the screen.
9. After the assessment concludes, review the
results to determine if the on-premises SQL
database can be easily migrated to Azure.

INSIDE THE EXAM


Databases
Although not listed in the official exam objectives, the
CompTIA Cloud Essentials+ CLO-002 exam expects
you to be familiar with basic database terminology.
Most CSPs support the managed deployment of
SQL databases such as MySQL, Oracle SQL Database,
and Microsoft SQL Server. Remember, managed
services take care of the underlying virtual machines
and storage for you. This is often referred to as
Database as a Service (DBaaS).
Most CSPs also support a variety of NoSQL
database types. Unlike SQL, NoSQL does not use a
rigid database schema, or blueprint, of exactly what
type of data can be stored.


CERTIFICATION SUMMARY
This chapter discussed factors to consider when
planning the adoption of cloud computing services.
You have been exposed to the importance of ensuring
that CSP service offerings address business needs. A
business gap analysis assesses the current state of a
business process and the desired state. A technical gap
analysis identifies the current technical configuration of
a current solution compared to the desired
configuration to efficiently support business processes.
If a feasibility study determines that a proposed cloud
solution can realistically succeed in meeting business
needs, then further detailed testing is done on a small
scale via pilot programs, which test exactly how feasible
proposed cloud solutions are.
You learned how planning the use of cloud services
includes determining how deployed cloud solutions will
be monitored to ensure the best performance and
security possible. Alerts can be configured so that
notifications of detected anomalies are sent to cloud
administrators.
You also learned about sensitive individual data and
data privacy in the cloud and how related laws and
regulations can influence the use and configuration of
cloud services. You learned that personally identifiable
information (PII) refers to any individual or
combination of details that can uniquely identify an
individual, such as street address or Social Security
number. Protected health information (PHI) is similar
to PII but differs in that the details are medically
related.
You have been exposed to data privacy standards such
as the European Union’s General Data Protection
Regulation (GDPR), the American Health Insurance
Portability and Accountability Act (HIPAA), and the
international Payment Card Industry Data Security
Standard (PCI DSS).
Finally, you learned about cloud migration strategies,
including lift and shift versus rip and replace. You also
learned about migrating virtual machines to physical
nodes (V2P) and migrating physical nodes to virtual
machines (P2V).

TWO-MINUTE DRILL
Cloud Feasibility
A cloud feasibility study determines whether or
not cloud computing can address business needs.
Cloud pilot programs implement proposed cloud
solutions on a small scale; results must be
analyzed to determine success or failure before
deploying on a larger scale.

Solving Business Problems with the Cloud
Current and future computing needs must be
accounted for in the cloud.
Right-sizing uses cloud resources efficiently while
reducing costs.
Scaling in refers to the removal of virtual
machines supporting an application, normally due
to reduced application requests.
Mapping computing needs to cloud services
requires a thorough understanding of CSP service
offerings.
Organizations in certain industries and some
government agencies might be bound by data
privacy standards, laws, and regulations such as
GDPR, HIPAA, or PCI DSS.
Data sovereignty refers to keeping sensitive data
within national boundaries to control
jurisdictional rule of law related to data.
Personally identifiable information (PII) is any
combination of sensitive data that can be traced
back to an individual.
Protected health information (PHI) is any
combination of medically related data that can be
traced back to an individual.

Cloud Migration Strategies
Lift and shift cloud migrations involve moving IT
systems and data from on premises to the cloud
with little or no changes.
Commercial off-the-shelf (COTS) solutions lend
themselves to the lift and shift strategy.
Rip and replace cloud migrations involve
refactoring or redesigning IT solutions to suit the
cloud environment.
You can migrate physical nodes to virtual
machines using a physical to virtual (P2V)
migration.
You can migrate virtual machines to physical
nodes using a virtual to physical (V2P) migration.

SELF TEST
The following questions will help you measure your
understanding of the material presented in this chapter.
As indicated, some questions may have more than one
correct answer, so be sure to read all the answer choices
carefully.

Cloud Feasibility
1. You need to perform a general analysis to
determine if cloud computing will address business
needs. What should you perform?
A. Pilot program
B. Feasibility study
C. Phased cloud migration
D. Disaster recovery planning
2. Which term best relates to analyzing test results to
identify shortfalls where cloud solutions might not
address specific computing requirements?
A. Pilot program
B. Feasibility study
C. Disaster recovery planning
D. Gap analysis
3. You would like to automate the deployment of a
cloud-based software testing environment. What
should you use? (Choose two.)
A. Command-line scripting
B. Gap analysis
C. GUI deployment tools
D. Templates
4. Which activity determines whether an
implemented cloud solution will address business
requirements?
A. Pilot program
B. Feasibility study
C. Gap analysis
D. Cloud migration

Solving Business Problems with the Cloud
5. What makes the use of application containers more
desirable to developers than virtual machines?
A. Quicker startup time
B. Better security
C. More network options
D. Support for MFA
6. When scaling in for a cloud-based web application,
what are you doing?
A. Decreasing the compute power
B. Increasing the compute power
C. Removing virtual machine instances
D. Adding virtual machine instances
7. You need a dedicated network circuit to link your
on-premises network to the cloud. Which of the
following options provide this capability? (Choose
two.)
A. Microsoft Azure ExpressRoute
B. AWS DirectConnect
C. Microsoft Azure Virtual Network Gateway
D. AWS Snowball
8. Which of the following is most closely related to
sensitive medical information?
A. PHI
B. PII
C. COTS
D. SLA
9. Which data privacy standard is a legislative act of
the European Union?
A. HIPAA
B. PCI DSS
C. GDPR
D. COTS
10. Your manager instructs you to deploy cloud-stored
data only within Canada. Which term best describes
this scenario?
A. Disaster recovery planning
B. Load balancing
C. Service level agreement
D. Data sovereignty

Cloud Migration Strategies
11. What is the first phase of a cloud migration?
A. Migrate data to the cloud
B. Perform an on-premises cloud readiness
assessment
C. Synchronize on-premises and cloud data
D. Decommission on-premises IT systems
12. Which cloud migration strategy is best suited for
commercial off-the-shelf software?
A. Rip and replace
B. On-premises assessment
C. Lift and shift
D. Rip and shift
13. What is another term commonly used to describe
the rip and replace migration strategy?
A. Refactoring
B. Migrating
C. Replication
D. Reproducing
14. Which AWS service is designed to allow physical
storage appliances to transfer large volumes of on-
premises data to the cloud?
A. AWS Direct Connect
B. AWS Snowball
C. Amazon S3
D. Amazon EC2
15. Which type of migration converts a physical server
to a virtual machine?
A. V2V
B. V2P
C. P2P
D. P2V

SELF TEST ANSWERS

Cloud Feasibility
1. B. A feasibility analysis is the first type of
analysis to determine, in general terms, whether or
not a cloud solution is realistic and practical.
A, C, and D are incorrect. Pilot programs are
focused on whether an implemented solution
solves business problems on a small scale and can
also identify shortcomings. A phased cloud
migration uses a structured approach to assess on-
premises cloud readiness before migrating IT
systems and data. Disaster recovery planning in the
context of cloud computing normally refers to
replicating data to various geographical locations.
2. D. A gap analysis identifies shortcomings
between a requirement and a proposed solution.
A, B, and C are incorrect. Pilot programs are
focused on how a solution solves business
problems and can also identify shortcomings. A
feasibility study is the first type of analysis to
determine, in general terms, whether or not a cloud
solution is realistic and practical. Disaster recovery
in the cloud normally refers to running additional
systems and replicating storage to alternative
geographical locations.
3. A and D. Command-line scripting using tools
such as Microsoft PowerShell can be used to
automate cloud resource deployment and
management, as can templates. Both options
remove the need for cloud technicians to manually
deploy cloud resources.
B and C are incorrect. A gap analysis identifies
shortcomings between a requirement and a
proposed solution. GUI deployment tools do not
lend themselves to automation since they require
user interaction.
4. A. Pilot programs are focused on whether an
implemented solution solves business problems
and can also identify shortcomings.
B, C, and D are incorrect. A feasibility study is
the first type of analysis to determine, in general
terms, whether or not a solution is realistic and
practical. A gap analysis identifies shortcomings
between a requirement and a proposed solution.
Cloud migrations are actions that take place after
ensuring cloud solutions will address business
requirements.

Solving Business Problems with the Cloud
5. A. Application containers use the underlying
operating system that is already running, whereas a
VM contains an entire OS that must be started.
Starting a container means starting application
software only and not the OS.
B, C, and D are incorrect. Application
containers do not provide more security or options
than virtual machines do. Multifactor
authentication (MFA) is not an application
container feature.
6. C. With horizontal scaling, scaling in means
removing virtual machine instances in response to
a decline in application requests.
A, B, and D are incorrect. Vertical scaling
encompasses increasing and decreasing virtual
machine compute power. Adding virtual machines
is referred to as scaling out.
7. A and B. Microsoft Azure ExpressRoute and
AWS Direct Connect are cloud service offerings that
allow customers to link their on-premises networks
to the cloud using a dedicated private network
circuit that does not traverse the Internet.
C and D are incorrect. The Microsoft Azure
Virtual Network Gateway can be used to link
Microsoft Azure ExpressRoute circuits or standard
site-to-site IPSec VPN devices together. AWS
Snowball is a large-scale data transfer service that
can be used when network transmission is not
feasible.
8. A. Protected health information (PHI) is
medically sensitive private information.
B, C, and D are incorrect. Personally
identifiable information (PII) is any combination of
personal data that can be traced back to an
individual. Commercial off-the-shelf (COTS)
software refers to standard software solutions
available to anybody. Service level agreements
(SLAs) are contracts between cloud customers and
CSPs that detail items such as expected service
uptime.
9. C. The General Data Protection Regulation
(GDPR) is a data privacy legislative act of the
European Union.
A, B, and D are incorrect. The Health Insurance
Portability and Accountability Act is a U.S. data
privacy act related to medical information. Payment
Card Industry Data Security Standard (PCI DSS) is a
security framework designed to harden the use of
cardholder data. Commercial off-the-shelf (COTS)
software refers to standard software solutions
available to anybody.
10. D. Data sovereignty refers to keeping data
within geographical boundaries so that specific laws
and regulations are applicable.
A, B, and C are incorrect. Disaster recovery in
the cloud normally refers to running additional
systems and replicating storage to alternative
geographical locations. Load balancing is used to
funnel incoming client app requests to the load
balancer, which then redirects the request to the
least-busy back-end VM that supports the app.
Service level agreements (SLAs) are contracts
between cloud customers and CSPs detailing items
such as expected service uptime.

Cloud Migration Strategies
11. B. When performing a cloud migration, the first
task is to conduct an on-premises cloud readiness
assessment.
A, C, and D are incorrect. Data migration,
synchronization, and the decommissioning of on-premises systems should take place after having a
performance and on-premises assessment.
12. C. A lift and shift migration essentially moves
IT solutions to the cloud with little to no
modification, which makes it the best strategy for
migrating COTS software because it doesn’t require
refactoring.
A, B, and D are incorrect. Rip and replace
migrations require refactoring an IT solution so
that it will work in the cloud, and COTS software
doesn’t require refactoring. When performing a
cloud migration, the first task is to conduct an on-
premises cloud readiness assessment. Rip and shift
is not a valid cloud migration strategy.
13. A. Rip and replace migrations require
refactoring an IT solution so that it will work in the
cloud.
B, C, and D are incorrect. These terms do not
describe rip and replace migrations.
14. B. AWS Snowball is a large-scale data transfer
service that can be used when network
transmission is not feasible.
A, C, and D are incorrect. AWS Direct Connect
is a cloud service offering that allows customers to
link their on-premises networks to the cloud using
a dedicated private network circuit that does not
traverse the Internet. Amazon S3 is a cloud storage
solution. Amazon EC2 is a cloud-based virtual
machine solution.
15. D. Physical to virtual (P2V) refers to the
process of using a software agent installed on a
physical host to convert it to a virtual machine.
A, B, and C are incorrect. Virtual to virtual
(V2V) converts a virtual machine from one
virtualization format to another. Virtual to physical
(V2P) converts a virtual machine to a physical
server. Peer to peer (P2P), in a networking context,
refers to a network where each device can act as
both a client and a server.

Chapter 4
Compliance and the Cloud

CERTIFICATION OBJECTIVES

4.01 Laws, Regulations, and Security Standards

4.02 Cloud Service Provider Compliance

4.03 Business Requirements and Cloud Solutions

Two-Minute Drill

Q&A Self Test

This chapter focuses on why organizations need to
evaluate how well potential cloud service providers
(CSPs) comply with laws, regulations, and security
standards. This factor can have enormous influence on
the selection of a CSP and the use of specific cloud
services.
We start by discussing how laws and regulations are
similar yet different and why CSP and cloud customer
compliance with laws, regulations, and security
standards is important. Next, we focus on the meaning
of common security standards that apply to specific
industries and government agencies. Finally, we address
how to determine whether offered CSP solutions are
compliant with laws and regulations relevant to the
cloud customer.

CERTIFICATION OBJECTIVE 4.01

LAWS, REGULATIONS, AND SECURITY STANDARDS
The adoption of cloud computing is a form of
outsourcing; you, the cloud customer, depend on IT
services running on cloud service provider equipment in
a data center at some undisclosed location. But as an
organization, how can you trust that the CSP has done
its due diligence in protecting sensitive IT systems and
data in the cloud?
That’s where proof of CSP adherence to laws and
regulations such as HIPAA (protection of sensitive
patient health information in the United States) comes
in. The physical location of IT systems and data can be
crucial—data collected, stored, and used in a foreign
country normally falls under acts of legislation of that
country (data sovereignty), and that could prove
problematic in some cases. Some industry-based
security standards, such as the Payment Card Industry
Data Security Standard (PCI DSS), apply to cardholder
data regardless of local laws and regulations.

Legal and Regulatory Compliance
Laws and regulations are not quite the same thing. Laws
are created by government bodies, whereas regulations
focus on the implementation details as to how laws are
enforced. Several factors determine whether an
organization is subject to specific laws and regulations
applicable to cloud computing:

Type of industry
Physical location of the organization
Citizenship of clients
Location of physical compute equipment
Location of transmitted and stored data

Both the breaking of laws and a lack of regulatory
compliance can in some cases result in fines or
imprisonment, or both. All of the listed items must be
considered to ensure legal and regulatory compliance
when using cloud computing. One way to do this is to
refer to any compliance details listed on a CSP’s website,
such as the AWS Compliance Programs web page shown
in Figure 4-1.

FIGURE 4-1 Amazon Web Services (AWS) Compliance Programs web page

CSPs do not publicly disclose the specific addresses of
their data centers, although maps providing addresses
have been made available, such as through WikiLeaks.
CSP employees and contractors need to know where to
show up for work, but that’s about it. The fewer people
who know where IT systems and data are physically
housed, the more secure those items are.
While CSP compliance with security standards is
important, as discussed, bear in mind that the bad guys
always use good things in bad ways. For example,
providing massive compute power in the cloud at a
minimal cost is one way that malicious users can attack
cryptographic security measures that were once
considered nearly impenetrable. Cloud service providers
can monitor the frequent deployment and use of high-
powered compute resources in an attempt to detect the
criminal use of cloud computing environments, even
when not required by laws or regulations.
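As an added illustration of the monitoring just described (example code written for this page, not from the book or from any CSP), the following Python detector scans constructed provisioning log lines and raises one alert for an account whose compute capacity launched within a short window exceeds a threshold. The log format, account ids, instance sizes, window and threshold are all assumptions a provider would tune to its own baseline.

```python
"""Burst detector for high-capacity instance launches (added example).

Sample events and the line format are constructed for this page; the
window and threshold are assumptions, not values from the book.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed provisioning log: "<ISO timestamp> <account> <instance size> <vCPUs>"
SAMPLE_LOG = """\
2024-05-01T10:00:00Z acct-1001 std.2 2
2024-05-01T10:00:04Z acct-2002 gpu.64 64
2024-05-01T10:00:09Z acct-2002 gpu.64 64
2024-05-01T10:00:15Z acct-1001 std.4 4
2024-05-01T10:00:21Z acct-2002 gpu.64 64
2024-05-01T10:05:00Z acct-3003 gpu.64 64
2024-05-01T10:30:00Z acct-3003 gpu.64 64
"""


def parse_event(line: str) -> tuple[datetime, str, str, int]:
    """Parse one constructed log line into (timestamp, account, size, vcpus)."""
    ts, account, size, vcpus = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, account, size, int(vcpus)


def find_bursts(log: str, window_s: int = 60, vcpu_threshold: int = 128) -> list[dict]:
    """Return one alert per account the first time the vCPUs it launched
    within any `window_s`-second window exceed `vcpu_threshold`.

    A sliding window is kept per account: events older than the window are
    evicted before the running total is compared with the threshold.
    """
    recent: dict[str, deque[tuple[datetime, int]]] = defaultdict(deque)
    totals: dict[str, int] = defaultdict(int)
    alerted: set[str] = set()
    alerts: list[dict] = []

    for line in log.splitlines():
        if not line.strip():
            continue
        when, account, _size, vcpus = parse_event(line)
        q = recent[account]
        q.append((when, vcpus))
        totals[account] += vcpus
        # Evict launches that fell out of the window.
        while q and (when - q[0][0]).total_seconds() > window_s:
            _old_when, old_vcpus = q.popleft()
            totals[account] -= old_vcpus
        if totals[account] > vcpu_threshold and account not in alerted:
            alerted.add(account)
            alerts.append({
                "account": account,
                "at": when.isoformat(),
                "vcpus_in_window": totals[account],
                "launches_in_window": len(q),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(alert)
```

With the constructed log, only acct-2002 is flagged: three 64-vCPU launches inside one minute, while acct-3003 spreads the same instance size over 25 minutes and stays under the window threshold.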

CERTIFICATION OBJECTIVE 4.02

CLOUD SERVICE PROVIDER COMPLIANCE
For many organizations, the selection of a CSP hinges
on two things:

The CSP’s cloud services meet business computing
requirements.
The CSP is in compliance with security and
auditing standards relevant to the organization.

The following discussion covers only a handful of
security standards and regulations that might be
applicable during CSP selection.

NIST SP 800-53
In the United States, the National Institute of Standards
and Technology (NIST) has published an extensive
series of Special Publications (SPs) covering computer
security, one of which is SP 800-53, “Security and
Privacy Controls for Federal Information Systems and
Organizations.” Section 2.5 of this document (“External
Service Providers”) discusses how organizations using
cloud computing services share the security
responsibility with the CSP. CSPs must be able to
demonstrate their compliance with security standards
through independent audits and security accreditations.
The chain of trust becomes more complex when CSPs
themselves depend on other external entities such as IT
consultants and hardware and software vendors.
There will always be risks associated with cloud
computing. An organization’s risk appetite determines if
and how cloud computing services are used. A security
control mitigates a threat against an asset. An example
of this is cloud customers using their own encryption
keys and Public Key Infrastructure (PKI) certificates to
protect data in transit and data at rest, as opposed to
using CSP-generated encryption keys and PKI
certificates. Both are valid technical solutions, but laws
or regulations might require keys and certificates to
remain under the control of the data owner. Figure 4-2
shows an example of the use of customer-managed
encryption keys for cloud storage.

FIGURE 4-2 Microsoft Azure customer-managed key configuration for a storage account

ISO/IEC 27017:2015
The International Standards Organization (ISO) and
International Electrotechnical Commission (IEC)
standard 27017:2015 is titled “Information Technology –
Security Techniques – Code of Practice for Information
Security Controls Based on ISO/IEC 27002 for Cloud
Services.” That’s a long title, but why is it relevant?
ISO/IEC 27017:2015 is relevant because it focuses on
the use of effective security controls to mitigate cloud
computing risk. Your chosen CSP should be certified by
an ISO certifying agent for the proper use of CSP
security controls. But remember the notion of shared
responsibility? You, as the cloud customer, also bear
some responsibility for security. Just because your
organization uses an ISO-certified CSP, it doesn’t mean
by extension that your organization is ISO certified.
Figure 4-3 shows AWS ISO compliance details.

FIGURE 4-3 AWS ISO Compliance web page

FedRAMP
The Federal Risk and Authorization Management
Program (FedRAMP) applies primarily to U.S. federal
government agencies that use, or will use, cloud
computing services.
Outsourcing IT services to cloud service providers
implies a level of trust and it introduces risk. FedRAMP
is designed to ensure that CSPs adhere to NIST SP 800-
53 security standards. When researching CSPs,
government agencies can refer to the FedRAMP
MarketPlace, as shown in Figure 4-4, to find FedRAMP-
approved CSPs.

FIGURE 4-4 FedRAMP MarketPlace web page

The FedRAMP MarketPlace is not only for
U.S. federal government agencies. Any
organization can access this reference list to
find FedRAMP-compliant CSPs. This
provides assurances about the security
posture of CSPs and their service offerings.

Sarbanes-Oxley Act
Financial scandals related to companies such as
WorldCom and Enron received extensive media
coverage in the early 2000s. These types of questionable
accounting practices and falsification of financial
documents led to the creation of the Sarbanes-Oxley
(SOX) Act in 2002.
SOX requires public organizations to follow strict
rules for accounting and financial document reporting.
What does this have to do with the cloud? Organizations
affected by SOX who use cloud services must use a CSP
that adheres to the Statement on Standards for
Attestation Engagements (SSAE) No. 16. SSAE No. 16 is
an auditing standard that deals with reporting on
security controls within service organizations such as
CSPs and their data centers.

Regulatory compliance allows for a wide
variety of technical solutions. You might see
some exam questions that ask for the best
solution for compliance, where there is not a
perfect solution. Read the question text
carefully!

CERTIFICATION OBJECTIVE 4.03

BUSINESS REQUIREMENTS AND CLOUD SOLUTIONS
Aside from looking at a CSP’s compliance with laws and
regulations, other factors such as matching cloud
services with IT functional requirements also influence
how cloud services will be used. If specific details about
a CSP are unavailable on the Web, such as how
customer data is permanently deleted, you should
contact the CSP to get this information.

Data Artifacts
Deleted data, even from on-premises disks, is often
retrievable using freely available tools, especially if the
data was deleted using standard operating system
functions. For compliance reasons, your organization
might need to ensure that sensitive data is permanently
removed.
Media sanitization is the process of rendering data so
that it is irretrievable using a reasonable amount of
effort and time. It’s important to think beyond literal
storage devices; what about the data or app
configuration settings on a smartphone that could allow
access to an IT system containing sensitive data? Media
sanitization also applies to device storage for devices
that connect to the cloud.

Software Data Removal
Using only an operating system to delete files, format
disks, or even repartition disks is not sufficient to
ensure that data cannot be recovered. There are plenty
of tools that can recover deleted partitions with relative
ease, such as EaseUS Partition Master and Acronis Disk
Director. If you delete files within a cloud virtual
machine using standard operating system methods,
malicious users who compromise that virtual machine
could potentially retrieve that deleted data.
Sanitizing storage media essentially means
overwriting data with random new data. Multiple passes
of random data writes reduce the likelihood of data
retrieval. Figure 4-5 shows an example of scrub
(overwrite) types.

FIGURE 4-5 Disk Scrubber tool
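To make the distinction above concrete, here is an added Python model (written for this page, not taken from the book or from any disk-scrubbing tool) of a tiny disk image: a plain delete removes only the directory entry, so a raw scan of the blocks still finds the data, and only overwriting the blocks (zeros, then ones, then random, mirroring the scrub types shown in Figure 4-5) removes it. The block size, file names and sample record are constructed.

```python
"""Why OS deletion is not media sanitization (added example).

A tiny in-memory "disk image" with a directory table and a block-addressed
data area. Block size, file names and the sample record are constructed.
Note: this models rotating-disk blocks. On SSDs and on CSP-managed block
storage, an overwrite issued from inside a VM is not guaranteed to reach
the physical cells, which is why CSP disposal procedures still matter.
"""
from __future__ import annotations

import secrets

BLOCK = 64  # constructed block size in bytes


def blocks_for(length: int) -> int:
    """Number of blocks a payload of `length` bytes occupies (at least one)."""
    return max(1, -(-length // BLOCK))


class ToyDisk:
    def __init__(self, blocks: int) -> None:
        self.data = bytearray(blocks * BLOCK)
        self.directory: dict[str, tuple[int, int]] = {}  # name -> (first block, length)
        self.free = [True] * blocks

    def _allocate(self, nblocks: int) -> int:
        """First-fit search for a contiguous run of free blocks."""
        run = 0
        for i, is_free in enumerate(self.free):
            run = run + 1 if is_free else 0
            if run == nblocks:
                start = i - nblocks + 1
                for b in range(start, start + nblocks):
                    self.free[b] = False
                return start
        raise OSError("disk full")

    def write_file(self, name: str, payload: bytes) -> None:
        start = self._allocate(blocks_for(len(payload)))
        off = start * BLOCK
        self.data[off:off + len(payload)] = payload
        self.directory[name] = (start, len(payload))

    def delete_file(self, name: str) -> None:
        """Standard delete: drop the directory entry and mark the blocks free.
        The payload bytes stay on the media, exactly as real file systems do."""
        start, length = self.directory.pop(name)
        for b in range(start, start + blocks_for(length)):
            self.free[b] = True

    def carve(self, needle: bytes) -> list[int]:
        """What a recovery tool does: ignore the directory, scan the raw blocks."""
        hits, pos = [], self.data.find(needle)
        while pos != -1:
            hits.append(pos)
            pos = self.data.find(needle, pos + 1)
        return hits

    def _scrub_block(self, block: int, passes: int) -> int:
        """Overwrite one block `passes` times: zeros, ones, random, repeating."""
        off = block * BLOCK
        for p in range(passes):
            if p % 3 == 0:
                fill = b"\x00" * BLOCK
            elif p % 3 == 1:
                fill = b"\xff" * BLOCK
            else:
                fill = secrets.token_bytes(BLOCK)
            self.data[off:off + BLOCK] = fill
        return passes * BLOCK

    def sanitize_file(self, name: str, passes: int = 3) -> int:
        """Overwrite a file's blocks, then delete it; returns bytes written."""
        start, length = self.directory[name]
        written = sum(self._scrub_block(b, passes)
                      for b in range(start, start + blocks_for(length)))
        self.delete_file(name)
        return written

    def scrub_free_space(self, passes: int = 3) -> int:
        """Overwrite every free block, i.e. data left behind by plain deletes."""
        return sum(self._scrub_block(b, passes)
                   for b, is_free in enumerate(self.free) if is_free)


def demo() -> tuple[bool, bool]:
    """Returns (recoverable after plain delete, recoverable after scrub)."""
    disk = ToyDisk(blocks=16)
    record = b"PATIENT=Jane Doe;SSN=000-00-0000"  # constructed PHI-like sample
    disk.write_file("record.txt", record)
    disk.delete_file("record.txt")          # what an OS "delete" does
    after_delete = bool(disk.carve(b"SSN="))
    disk.scrub_free_space(passes=3)         # the sanitization step
    after_scrub = bool(disk.carve(b"SSN="))
    return after_delete, after_scrub


if __name__ == "__main__":
    print(demo())  # (True, False)
```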

Storage Media Destruction
One way to make sure sensitive data cannot be retrieved
is to physically destroy the media or data, whether it is a
hard disk or backup tapes. There are a few ways in
which this can be done:

Drill holes into storage media such as hard disk
platters
Physically shred storage media
Degaussing
Data is removed when the storage media is
near a strong magnetic field
Not applicable to optical storage media or solid
state drives (SSDs)

Depending on your organization, the method of
storage media destruction might need to comply with
specific rules. CSPs can also provide details as to how
they dispose of their physical storage media. The U.S.
National Security Agency (NSA) has published a list of
approved storage media degaussing tools, “Degausser
Evaluated Products List,” an excerpt of which is shown
in Figure 4-6.

FIGURE 4-6 NSA-approved electromagnetic degausser equipment list

Cloud Service Provider Security Control Implementation
Evaluating which CSP is the best fit for an organization
or government agency can be facilitated by creating a
questionnaire that can be used for internal evaluation
purposes or, in some cases, when negotiating with a
CSP.
In the case of Amazon Web Services, the AWS
Artifact tool provides AWS compliance information,
including access to security reports. These reports can
provide valuable details that help with creating a CSP
security compliance document, shown in Table 4-1.

TABLE 4-1 Sample CSP Security Compliance Document

The exam will cover a variety of cloud-related document types. Make sure you know
when to refer to a service level agreement
versus a security compliance document. SLAs
are focused on availability and performance
and not on how security is implemented.

EXERCISE 4-1

Review Amazon Web Services Regulatory Compliance
In this exercise, you will use the AWS Compliance
Center to get details regarding the use of AWS cloud
computing services for financial institutions.

1. Using a web browser, navigate to
https://www.atlas.aws.
2. Click the Get Started button.
3. Select your country or region from the drop-down
list or make a selection on the map.
4. Click the Download PDF button and save the file
to your device.
5. Open the downloaded PDF to read about AWS
compliance in your region for financial
institutions, as shown in Figure 4-7.

FIGURE 4-7 AWS Canadian country profile for financial institution cloud usage

INSIDE THE EXAM
Security Standards
While CompTIA does not expect you to be a legal
expert or a regulatory analyst for the CLO-002 exam,
you should be aware of a few common standards such
as PCI DSS, HIPAA, GDPR, SOX, FedRAMP, and
ISO/IEC 27017:2015. You don’t need to memorize the
details of each of these standards, but you should have
the ability to determine if specific CSP accreditations
meet organizational requirements for legal and
regulatory compliance.

CERTIFICATION SUMMARY
This chapter focused on ensuring that your organization
remains compliant with related laws and regulations
when using cloud services. When depending on a CSP,
an organization should perform due diligence to ensure
that the CSP adheres to relevant laws, regulations, and
security standards.
The discussion began with a review of how laws and
regulations such as HIPAA and PCI DSS can apply to
CSPs and cloud customers. An example is where
sensitive data is collected, stored, and used. Next, we
discussed how laws define general rules, but regulations
focus on the details, including how the law is
implemented and enforced.
Next, security standards frameworks such as NIST SP
800-53 and FedRAMP were discussed in the context of
cloud computing, both from the CSP and cloud
customer perspectives.

Finally, you learned about using questionnaires to
determine if a CSP adequately meets business needs,
including legal and regulatory compliance.

TWO-MINUTE DRILL
Laws, Regulations, and Security Standards
Laws are general guidelines for controlling
behavior.
In the business world, regulations provide the
implementation and enforcement details for laws.
The physical location of servers and data can
determine which laws are applicable.
HIPAA is an American law protecting sensitive
patient medical information.
PCI DSS is not a law, but rather an industry-based
security standard designed to protect cardholder
data.

Cloud Service Provider Compliance
NIST SP 800-53 details how CSPs must
demonstrate security standards compliance
through independent assessments.
ISO/IEC 27017:2015 focuses on how security
controls reduce the risks associated with cloud
computing.
FedRAMP provides security guidelines for U.S.
government agency use of cloud computing.
The Sarbanes-Oxley Act imposes accounting and
financial reporting requirements for publicly
traded U.S. companies, the purpose of which is to
mitigate financial reporting falsehoods to protect
the public, including investors.

Business Requirements and Cloud Solutions
Media sanitization techniques are designed to
prevent the retrieval of sensitive data from storage
media.
Storage media physical destruction techniques
include drilling, shredding, and magnetic
degaussing.
Questionnaires are useful in determining whether
CSPs meet specific security and regulatory
standards that can factor into CSP selection.

SELF TEST
The following questions will help you measure your
understanding of the material presented in this chapter.
As indicated, some questions may have more than one
correct answer, so be sure to read all the answer choices
carefully.

Laws, Regulations, and Security Standards
1. Which of the following statements regarding laws
and regulations is accurate?
A. Regulations provide implementation and
enforcement details.
B. Laws provide implementation and enforcement
details.
C. Breaking laws can result in fines; this is not true
for a lack of regulatory compliance.
D. A lack of regulatory compliance can result in
fines, but not imprisonment.
2. Which term refers to the applicable laws based on
the location of where data is collected, stored, and
used?
A. Special Publication
B. Security control
C. Data sovereignty
D. PKI
3. You are evaluating CSPs because your organization
has decided to adopt cloud computing for some of
its IT service needs. What is the quickest way to
determine which security standards the CSP is
compliant with?
A. Send an e-mail message to the CSP inquiring
about compliance.
B. Call the CSP to inquire about compliance.
C. View government legislative bill details.
D. View the CSP’s compliance web page.
4. Which factor has the most influence on which
regulations apply to your organization?
A. Operating system used for cloud virtual
machines
B. Type of industry
C. Cloud storage encryption strength
D. Type of cloud media sanitization in use
5. You want to know the specific physical addresses of
a CSP’s data centers. What should you do?
A. Run a DNS domain name lookup for the CSP
domain suffix.
B. Send an information request to the CSP.
C. Review the CSP service level agreement.
D. Nothing. CSPs do not voluntarily disclose data
center physical addresses.

Cloud Service Provider Compliance
6. Which U.S. federal government security standard is
most closely related to cloud security?
A. HIPAA
B. ISO/IEC 27017:2015
C. FedRAMP
D. Sarbanes-Oxley Act
7. Which U.S. regulation is designed to mitigate
financial document reporting fraud?
A. HIPAA
B. ISO/IEC 27017:2015
C. FedRAMP
D. Sarbanes-Oxley Act
8. Why is a CSP’s security standards compliance
important? (Choose two.)
A. It provides a level of assurance to cloud
customers that the CSP has taken effective
steps to mitigate risk.
B. A CSP’s security standards compliance means
its cloud customers are also compliant.
C. It proves that the CSP cannot be hacked.
D. The CSP security posture is accredited by third
parties.
9. Which risk is the most prevalent when adopting
cloud computing?
A. The use of deprecated encryption algorithms
B. Cloud tenant centralized data storage
C. Lack of cloud tenant isolation
D. Trust placed in outsourcing
10. What kind of standard is SSAE No. 16?
A. Auditing
B. Encryption
C. Risk management
D. Authentication

Business Requirements and Cloud Solutions
11. Which statements regarding a CSP’s legal and
regulatory compliance are correct? (Choose two.)
A. All security responsibilities fall upon the CSP.
B. A CSP’s service level agreements list
independent third-party auditors.
C. A CSP provides documentation about its
security standards compliance.
D. Cloud customers also bear some responsibility
in securing their use of cloud computing.
12. You are reviewing a CSP’s media destruction
procedures. Your organization requires that hard
disk data is removed magnetically. Which technique
does this?
A. Drilling
B. Shredding
C. Hammering
D. Degaussing
13. Compared to vulnerability assessments, which
word is most closely associated with penetration
testing?
A. Documentation
B. Authentication
C. Active
D. Passive
14. To prevent future sensitive data retrieval of cloud-
replicated data, you have repartitioned a hard disk
within a laptop computer. The computer was
running a Windows client operating system at the
time of the repartitioning. Which statement
regarding this scenario is correct?
A. A Windows server operating system should
have been used.
B. Deleted partitions are easily recovered.
C. A Linux server operating system should have
been used.
D. The operating system cannot be running when
disk partitions are removed.
15. Which type of security testing identifies
weaknesses but does not attempt to exploit them?
A. Penetration test
B. Regression test
C. Load test
D. Vulnerability test

SELF TEST ANSWERS
Laws, Regulations, and Security Standards
1. A. Regulations are the implementation and
enforcement side of laws.
B, C, and D are incorrect. Laws are statements,
or rules, that should not be broken, but do not
provide enforcement or implementation details.
Since regulations are the implementation and
enforcement of laws, breaking laws or failing to
comply with regulations can result in fines or
imprisonment.
2. C. Data sovereignty is related to where
sensitive data is collected, stored, and used and
which laws apply to the privacy of that data.
A, B, and D are incorrect. A Special Publication
(SP) is a formal document published by the
National Institute of Standards and Technology
(NIST). Security controls are implemented to
mitigate the risk related to a business asset. Public
Key Infrastructure (PKI) is a hierarchy of digital
certificates used to secure IT computing
environments.
3. D. Most CSPs provide a web page that lists their
security standards compliance details.
A, B, and C are incorrect. Sending the CSP an e-
mail or calling the CSP will most likely not be the
quickest way to determine CSP compliance.
Legislative bills are not specific to a CSP.
4. B. Regulations are normally specific to a type of
industry, such as financial or medical.
A, C, and D are incorrect. Operating system
types, encryption strength, and media sanitization
methods do not influence which regulations apply
to your organization.
5. D. For security reasons, CSPs do not disclose
physical data center addresses.
A, B, and C are incorrect. DNS domain name
registrant searches will not show physical data
center addresses, nor will CSP information requests
or reviewing SLAs.

Cloud Service Provider Compliance
6. C. The Federal Risk and Authorization
Management Program (FedRAMP) is a U.S.
government standard focused on how government
agencies can securely use cloud computing.
A, B, and D are incorrect. The Health Insurance
Portability and Accountability Act (HIPAA) applies
to medical and health insurance providers and is
designed to protect sensitive medical information.
ISO/IEC 27017:2015 is an international standard
based on the use of effective security controls to
mitigate cloud computing risk. The Sarbanes-Oxley
Act is designed to mitigate fraudulent accounting
practices and misleading financial document
reporting.
7. D. The Sarbanes-Oxley Act is designed to
mitigate fraudulent accounting practices and
misleading financial document reporting.
Organizations regulated by SOX who use cloud
services must use only CSPs that adhere to SSAE
No. 16.
A, B, and C are incorrect. HIPAA applies to
medical and health insurance providers and is
designed to protect sensitive medical information.
ISO/IEC 27017:2015 is an international standard
based on the use of effective security controls to
mitigate cloud computing risk. FedRAMP is a U.S.
government standard focused on how government
agencies can securely use cloud computing.
8. A and D. CSP compliance provides its cloud
customers verification from reliable, independent
third parties that the CSP has appropriate security
controls in place.
B and C are incorrect. A CSP’s compliance with
a specific security standard does not automatically
extend to cloud customers. While security
standards compliance reduces the risk of hacking, it
does not completely eliminate the risk.
9. D. Cloud computing adoption means placing
trust in the CSP that it is competent in ensuring IT
systems and data are available and kept secure.
A, B, and C are incorrect. CSPs normally keep
up with the latest security options for their
customers; doing otherwise is bad for business and
exposes the CSP to liability. Cloud tenant
centralized data storage itself does not present
enormous risk. CSPs have strict security guidelines
and third-party security audits to ensure this (most
private companies cannot afford to implement this
kind of security scrutiny). CSPs keep cloud tenant
configurations and data isolated from one another.
10. A. SSAE No. 16 is an auditing standard that
applies to service organizations such as CSPs.
Organizations regulated by SOX who use cloud
services must use only CSPs that adhere to SSAE
No. 16.
B, C, and D are incorrect. SSAE No. 16 is not a
standard directly related to encryption, risk
management, or authentication.

Business Requirements and Cloud Solutions
11. C and D. CSPs provide security standard
compliance documentation, normally in the form of
web pages. Just because a CSP is compliant with a
security standard such as PCI DSS, that does not
automatically mean its cloud customers are also
compliant.
A and B are incorrect. Security responsibilities
fall upon the CSP and the cloud customer. The
degree of responsibility depends on the specific
cloud service being used. Cloud SLAs do not provide
details about third-party auditors.
12. D. Degaussing applies a strong magnetic field
to magnetic storage such as hard disks and backup
tapes.
A, B, and C are incorrect. Drilling, shredding,
and hammering do not remove data magnetically.
13. C. Penetration tests (pen tests) are considered
active since they attempt to exploit discovered
vulnerabilities.
A, B, and D are incorrect. Documentation and
authentication are not terms closely associated with
penetration testing. Pen tests are active, not
passive, as vulnerability tests are.
14. B. Many data recovery tools, including free
ones, provide the option of recovering deleted
partitions.
A, C, and D are incorrect. The operating system
type does not affect the success or failure of
removing disk partitions. As long as the removed
partition is not the OS partition, the OS can remain
running in most cases.
15. D. Vulnerability tests identify weaknesses but
do not attempt to exploit them.
A, B, and C are incorrect. Regression testing is
used to ensure that new changes, such as to
software code, have not caused problems in
unrelated areas. Load testing is used to identify the
performance of a solution under a busy workload.
Penetration tests (pen tests) are considered active
since they attempt to exploit discovered
vulnerabilities.

TWO-MINUTE DRILL
Storage Media
HDD-based cloud storage is slower than SSD-
based cloud storage but is less expensive.
SSD-based cloud storage is best suited for
intensive disk I/O usage.
Disk IOPS is a measurement of disk throughput; a
higher value means better performance.

Cloud Storage Configuration
Managed disks remove the need for cloud
customers to provision storage for cloud VM
disks.
CSP file-based solutions are similar to on-premises
shared folders.
Accessing Microsoft Azure Files shared folders
occurs over TCP port 445.
CSP object-based storage is flat compared to file
system hierarchies.
Network access to cloud-based storage is normally
done over HTTP using the REST API.
Common file types such as text and media
documents are stored as block blobs.
Virtual machine disk files are commonly stored as
page blobs.
Hot storage should be used for data that will be
accessed frequently.
Cold storage should be used for data that will be
accessed infrequently.
Cloud storage replication creates additional copies
of data for increased resiliency to failure.
Cloud customers can use custom encryption keys
to secure data at rest.

Databases in the Cloud
On-premises databases should be assessed for
cloud readiness with a tool such as Microsoft Data
Migration Assistant and then be migrated to the
cloud.
Managed databases remove the underlying
infrastructure complexity from the cloud
customer; this is often referred to as Database as a
Service (DBaaS).
SQL-compliant databases use a structured data
schema and are best suited to store related data
stored in separate tables.
NoSQL-compliant databases are designed to
accommodate vast amounts of unstructured data.
Microsoft SQL Server access occurs over TCP port
1433.
Access to NoSQL databases such as MongoDB
occurs over TCP port 27017.
Database Transaction Units (DTUs) are a
performance unit consisting of vCPUs, amount of
RAM, and disk IOPS.

Content Delivery Networks
CDNs copy (cache) data to different geographical
locations near users to improve the user
experience.
CDN Time To Live (TTL) values determine how
long before the source data is checked for
changes.
DNS CNAME (alias) records point to other DNS
records.

SELF TEST
The following questions will help you measure your
understanding of the material presented in this chapter.
As indicated, some questions may have more than one
correct answer, so be sure to read all the answer choices
carefully.

Storage Media
1. You are planning how cloud storage will address
business needs. Which cloud storage option will
have the largest positive impact on performance?
A. Capacity
B. Storage media brand
C. Solid state drives
D. FTP access
2. Which data storage characteristic is the most
closely related to minimizing data redundancy?
A. IOPS
B. Replication
C. Deduplication
D. RAID
3. Which RAID configuration improves disk I/O
performance but does not include fault tolerance?
A. RAID 0
B. RAID 1
C. RAID 5
D. RAID deduplication
4. Which solution protects stored data even if
physical storage devices are stolen?
A. Deduplication
B. RAID 1
C. RAID 5
D. Encryption of data at rest

Cloud Storage Configuration
5. Your organization is configuring cloud backup for
on-premises servers. Which cloud backup storage
configuration should be used to minimize costs?
A. Increased IOPS
B. Cool access tier
C. Storage replication
D. Hot access tier
6. Developers are planning to write on-premises code
that programmatically accesses cloud storage. You
are configuring on-premises firewall rules to allow
this storage access. Which type of outbound traffic
will you most likely allow in this scenario?
A. FTPS
B. SMB
C. NFS
D. HTTPS
7. In the event of a regional disaster, you would like
cloud-stored data available elsewhere. What should
you configure?
A. RAID 0
B. Geo-redundant storage
C. Deduplication
D. RAID 1

Databases in the Cloud
8. Which type of database solution uses a rigid
schema?
A. NoSQL
B. SQL
C. Managed
D. Replicated
9. Which TCP port is normally used to connect to
Microsoft SQL Server?
A. 80
B. 443
C. 1433
D. 3389
10. What is another term for DBaaS?
A. Unmanaged database
B. NoSQL
C. Managed database
D. SQL

Content Delivery Networks
11. What is the primary benefit of using a CDN?
A. Regulatory compliance
B. Adherence to standards
C. Improved performance
D. Enhanced security
12. Which CDN configuration determines how long
before the source of cached data is checked for
changes?
A. TTL
B. Replication
C. Path
D. SSL
13. You need to create a DNS record that redirects a
custom domain name for a CDN configuration.
What type of record should you create?
A. MX
B. A
C. PTR
D. CNAME
14. What is the primary benefit of deploying a CDN?
A. Enhanced security
B. Improved performance
C. Reduced costs
D. Regulatory compliance
15. You are configuring a CDN that will be used to
serve media files to users. What should you
configure to use the CDN most efficiently?
A. Increased TTL
B. Reduced TTL
C. Wildcard path for media files
D. Custom encryption keys

SELF TEST ANSWERS
Storage Media
1. C. Solid state drives (SSDs) provide better
performance than traditional hard disk drives
(HDDs). Naturally, CSPs charge more for the
performance improvement, so choosing SSDs over
HDDs also increases cloud costs.
A, B, and D are incorrect. Storage capacity, the
brand of storage media, and accessing cloud storage
through FTP will not positively impact performance
as much as the use of SSDs will.
2. C. Deduplication removes duplicate disk blocks
and replaces duplicates with pointers to reduce disk
space consumption.
A, B, and D are incorrect. Disk IOPS is a disk
I/O throughput measurement. Replication creates
copies of data for increased resiliency to failure at a
primary location. Redundant Array of Independent
Disks (RAID) organizes multiple disk storage
devices together in various ways to improve disk
performance and/or to provide fault tolerance.
3. A. RAID 0, disk striping, uses multiple physical
disks working as one to improve performance, but
the failure of a single disk renders the entire disk
array unavailable.
B, C, and D are incorrect. RAID 1 (disk
mirroring) and RAID 5 (disk striping with
distributed parity) both provide fault tolerance.
RAID deduplication is not a function specifically
related to RAID; deduplication is a method of
reducing disk space consumption.
4. D. Encrypting data at rest protects stored data.
The correct decryption key is required to read
information that is encrypted.
A, B, and C are incorrect. Deduplication is a
method of reducing disk space consumption. RAID
1 (disk mirroring) and RAID 5 (disk striping with
distributed parity) both provide disk fault tolerance.

Cloud Storage Configuration
5. B. Cool or cold cloud storage is best suited for
data that is accessed infrequently, such as backups,
and is less expensive than hot cloud storage.
A, C, and D are incorrect. Increasing disk IOPS
and enabling storage replication increase cloud
computing charges. Hot access tiers are best suited
for data that is frequently accessed, because hot
access provides higher performance for quicker data
access, but is more expensive than cold access.
6. D. Accessing cloud storage programmatically
normally occurs through the REST API, which
relies on HTTP and HTTPS.
A, B, and C are incorrect. These network file
access protocols are not used for cloud storage
access as often as HTTPS is.
7. B. Geo-redundant storage keeps copies of data
in different regions, which is resilient against a
regional disaster.
A, C, and D are incorrect. RAID 0 (disk
striping) uses multiple physical disks working as
one to increase disk I/O performance.
Deduplication is a method of reducing disk space
consumption. RAID 1 (mirroring) copies data to a
secondary disk when it is written to the primary
disk.

Databases in the Cloud
8. B. SQL databases use a structured, or rigid,
schema that defines what type of data will be
stored.
A, C, and D are incorrect. NoSQL databases do
not use a structured schema; many different types
of data can be stored without a definition of how
that data will be stored. Managed SQL and NoSQL
cloud databases hide the underlying infrastructure
complexities related to hosting databases from
cloud customers. Database replication is not
determined by a structured or unstructured
schema.
9. C. By default, Microsoft SQL Server is
accessible over TCP port 1433.
A, B, and D are incorrect. Port 80 is used for
HTTP, port 443 is used for HTTPS, and port 3389 is
used for Remote Desktop Protocol (RDP; covered in
Chapter 6).
10. C. Database as a Service (DBaaS) is a managed
database service, which means the CSP takes care of
the underlying infrastructure to host the database.
A, B, and D are incorrect. Unmanaged
databases require cloud customers to install and
configure the underlying infrastructure to support
the database. NoSQL and SQL databases are
available as managed and nonmanaged services.

Content Delivery Networks
11. C. A content delivery network (CDN) improves
the performance of users’ access to content by
placing a copy of that content geographically near
users, which reduces network latency.
A, B, and D are incorrect. A CDN does not
specifically address regulatory compliance,
standards adherence, or improved security.
12. A. The Time To Live (TTL) value determines
how long before the CDN cache checks the source
data for changes.
B, C, and D are incorrect. CDN configuration
settings for replication, path, and Secure Sockets
Layer (SSL) do not determine when cached source
data has changed.
13. D. DNS CNAME records are alias records that
point to other DNS records.
A, B, and C are incorrect. MX records are mail
exchange records used for e-mail transfer; A records
use names to point to IPv4 addresses; and PTR
records are reverse lookup records that, given an IP
address, return a DNS name.
14. B. A CDN is configured to place data near the
users who request it, which improves performance
by reducing network latency.
A, C, and D are incorrect. CDNs do not enhance
security, reduce costs, or help with regulatory
compliance.
15. C. Wildcard paths are used to specify which
files should be included in the CDN.
A, B, and D are incorrect. Modifying the TTL
value or using custom encryption keys for cloud
data will not improve efficiency as much as a
correctly configured wildcard path that copies
only the required files.

DNS, that are used on premises are also used in a cloud
computing environment for the same purposes.
The chapter wrapped up by explaining how load
balancers can be implemented to provide quick and
efficient access to cloud-hosted applications. Client
requests to the app are directed to the load balancer,
which then routes the requests to the least-busy
responsive back-end server. The load-balanced solution
can also be autoscaled to adjust the number of back-end
virtual machines serving the application.

TWO-MINUTE DRILL
Cloud Network Components
Cloud customers can connect to public CSPs over
the Internet or through a private dedicated
network circuit.
Redundant Internet cloud connections should be
used in case one connection fails.
Dedicated network circuits provide predictable
bandwidth on a private network link.
Microsoft Azure dedicated network links are called
ExpressRoute circuits.
Amazon Web Services dedicated network links are
called Direct Connect dedicated connections.
VPNs create an encrypted tunnel between two
endpoints over an untrusted network.
Branch office networks can be connected using a
site-to-site VPN. If one branch office has VPN
connectivity to the cloud, other branch offices
could be configured to also have cloud access
through the VPN.
On-premises networks can be securely connected
to the public cloud via a site-to-site VPN.
Site-to-site VPNs require an on-premises VPN
appliance with a public IP address.
Individual user devices can be securely connected
to the public cloud using a client-to-site VPN.
Client-to-site VPNs do not require an on-premises
VPN appliance.
Software-defined networking (SDN) spares cloud
customers from needing detailed network
hardware configuration knowledge when
configuring cloud network components.
Cloud virtual networks contain subnets and are
configured with a specific IP address space.
Microsoft Azure cloud-based virtual networks are
called VNets.
Amazon Web Services cloud-based virtual
networks are called VPCs.

Network Protocols
Traditional on-premises network protocols are also
used in the cloud.
SSH uses TCP port 22 for network device, Unix,
and Linux remote management.
RDP uses TCP port 3389 for Windows host remote
management.
Cloud services are primarily accessible over HTTP
(TCP port 80) and HTTPS (TCP port 443).
LDAP uses TCP port 389 when connecting to a
network configuration database.
SNMP uses UDP port 161 when monitoring
network devices.
DNS uses UDP port 53 for client requests.
DNS uses TCP port 53 for server-to-server
communication.

Cloud Load Balancing
Client connectivity to an application goes through
a load balancer.
Load-balanced applications perform better and are
resilient to server failures.
Load balancers can serve internal or public-facing
applications.
Load balancing uses back-end server pools
consisting of VMs running the same application.
App requests are routed to the least-busy back-end
server.
App requests are not routed to unresponsive back-
end servers.

SELF TEST
The following questions will help you measure your
understanding of the material presented in this chapter.
As indicated, some questions may have more than one
correct answer, so be sure to read all the answer choices
carefully.

Cloud Network Components
1. Which term refers to configuring cloud networking
without directly having to configure underlying
network hardware?
A. Load balancing
B. Software-defined networking
C. Cloud-based routing
D. Cloud-based virtualization
2. Your company uses a dedicated network circuit for
public cloud connectivity. You need to ensure that
on-premises–to–public cloud connections are not
exposed to other Internet users. What should you
do?
A. Configure a site-to-site VPN
B. Nothing
C. Configure a client-to-site VPN
D. Enable HTTPS
3. What must be configured within a cloud-based
network to allow cloud resources to communicate
on the network?
A. Public IP address
B. VPN
C. Load balancer
D. Subnet
4. Which type of IP addressing notation uses a slash
followed by the number of subnet mask bits?
A. SDN
B. CIDR
C. VPN
D. QoS
5. Which word is the most closely related to using a
VPN?
A. Performance
B. Encryption
C. Anonymous
D. Updates
6. Which type of VPN links two networks together
over the Internet?
A. Point-to-site
B. Branch-to-branch
C. Client-to-site
D. Site-to-site
7. Which common VPN type links a single device to a
private network over the Internet?
A. Point-to-site
B. Branch-to-branch
C. Client-to-site
D. Site-to-site

Network Protocols
8. You need to configure your on-premises perimeter
firewall to allow outbound Linux remote
management. Which port should you open?
A. TCP 80
B. UDP 161
C. TCP 22
D. TCP 3389
9. Your Microsoft Azure virtual machine has been
deployed into an Azure VNet that uses default DNS
settings. You are unable to connect to www.site.com
from within the VM. What is the most likely
problem?
A. The VNet is configured with custom DNS
servers.
B. Outbound TCP port 22 traffic is blocked.
C. www.site.com is down.
D. Azure virtual machines do not support Internet
name resolution.
10. You are configuring your on-premises perimeter
firewall to allow outbound Windows server remote
management. Which port should you open?
A. 3389
B. 443
C. 445
D. 389

Cloud Load Balancing
11. Which of the following words are most closely
related to load balancing? (Choose two.)
A. Security
B. Performance
C. Archiving
D. Resiliency
12. Which cloud feature automatically adds or removes
virtual machines based on how busy an application
is?
A. Load balancing
B. Elasticity
C. Autoscaling
D. Monitoring
13. Which term describes adding virtual machines to
support a busy application?
A. Scaling in horizontally
B. Scaling out horizontally
C. Scaling down vertically
D. Scaling up horizontally
14. After a load balancer is put in place, users report
that they can no longer access a web application.
What is the most likely cause of the problem?
A. The load balancer DNS name is not resolving to
the website name.
B. The website DNS name is not resolving to the
load balancer.
C. TCP port 3389 is blocked in the cloud.
D. TCP port 389 is blocked in the cloud.
15. What normally occurs when a load balancer back-
end server is unresponsive?
A. The load balancer deletes and re-creates the
failed server.
B. The load balancer uses vertical scaling to add
servers.
C. The load balancer does not route client requests
to the unresponsive server.
D. The load balancer prevents client connections
to the app.

SELF TEST ANSWERS
Cloud Network Components
1. B. Software-defined networking (SDN) hides
the underlying complexities of network device
configuration from the cloud user.
A, C, and D are incorrect. Load balancing
distributes incoming client app requests among a
pool of back-end servers supporting the app. Cloud-
based routing is used to direct network traffic flow.
Cloud-based virtualization allows VMs to run on
CSP equipment.
2. B. Nothing needs to be done; dedicated
network circuits are completely separate from
Internet connections.
A, C, and D are incorrect. None of the options
are correct because nothing needs to be done.
3. D. A subnet is created within a cloud-based
virtual network to allow cloud resources to
communicate on the network. The subnet IP
address range must fall within the cloud-based
virtual network address space.
A, B, and C are incorrect. A public IP address is
used to provide connectivity to cloud resources over
the Internet. VPNs provide encrypted tunnels
between two endpoints over an untrusted network
such as the Internet. Load balancing distributes
incoming client app requests among a pool of back-
end servers supporting the app.
4. B. Classless Inter-Domain Routing (CIDR)
notation uses an IP network address prefix followed
by a slash and the number of bits in the subnet
mask.
A, C, and D are incorrect. Software-defined
networking (SDN) hides the underlying
complexities of network device configuration from
the cloud user. VPNs provide encrypted tunnels
between two endpoints over an untrusted network
such as the Internet. Quality of service (QoS)
provides a reasonable guaranteed level of network
throughput with minimal packet loss for time-
sensitive applications such as Voice over IP (VoIP).
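Answers 3 and 4 together describe the planning check a cloud network design should pass: every subnet, written in CIDR notation, must fall inside the virtual network address space, and subnets must not overlap. The following is an added example, not code from this book; the 10.1.0.0/16 address space and the subnet list are constructed sample values.

```python
"""Validate a planned cloud virtual network layout expressed in CIDR notation.

Added example (not from the book). The address space and subnets below are
constructed sample values. Two checks a virtual network plan should pass:
  1. every subnet lies inside the virtual network address space, and
  2. no two subnets overlap each other.
"""
import ipaddress
from itertools import combinations


def parse_cidr(text):
    """Parse 'prefix/bits' CIDR text into an IP network, rejecting host bits.

    strict=True makes '10.1.1.5/24' an error instead of silently becoming
    10.1.1.0/24, which surfaces typos in a network plan early.
    """
    return ipaddress.ip_network(text, strict=True)


def validate_layout(address_space, subnets):
    """Return a list of problems found in the plan (an empty list means valid)."""
    problems = []
    vnet = parse_cidr(address_space)
    parsed = []
    for cidr in subnets:
        try:
            net = parse_cidr(cidr)
        except ValueError as exc:
            problems.append(f"{cidr}: invalid CIDR ({exc})")
            continue
        # Check 1: the subnet must sit within the virtual network address space.
        if not net.subnet_of(vnet):
            problems.append(f"{cidr}: not within address space {vnet}")
        parsed.append(net)
    # Check 2: no pair of subnets may share addresses.
    for a, b in combinations(parsed, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    return problems


def usable_hosts(cidr):
    """Usable host addresses in a subnet, excluding the network and broadcast addresses."""
    net = parse_cidr(cidr)
    return max(net.num_addresses - 2, 0)


# Constructed sample plan: a /16 address space with two valid subnets,
# one subnet outside the address space, and one overlapping the first.
SAMPLE_ADDRESS_SPACE = "10.1.0.0/16"
SAMPLE_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24", "10.2.0.0/24", "10.1.0.128/25"]

if __name__ == "__main__":
    for problem in validate_layout(SAMPLE_ADDRESS_SPACE, SAMPLE_SUBNETS):
        print("PROBLEM:", problem)
    print("Usable hosts in 10.1.0.0/24:", usable_hosts("10.1.0.0/24"))
```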
5. B. Virtual private networks (VPNs) create an
encrypted tunnel between two endpoints for the
secure transmission of data.
A, C, and D are incorrect. The terms
performance, anonymous, and updates are not
closely related to VPNs.
6. D. Site-to-site VPNs can be used to connect
different networks together over the Internet.
A, B, and C are incorrect. Point-to-site (P2S)
VPN links allow individual client connectivity to a
remote network, such as Microsoft Azure client-to-
site VPN configurations. Branch-to-branch is not a
common VPN term.
7. C. Client-to-site VPNs link individual devices to
a VPN endpoint through an encrypted tunnel.
A, B, and D are incorrect. Point-to-site (P2S)
VPN links allow individual client connectivity to a
remote network, such as Microsoft Azure client-to-
site VPN configurations. Branch-to-branch is not a
common VPN term. Site-to-site VPNs can be used
to connect different networks together over the
Internet.

Network Protocols
8. C. Remote management of Linux hosts is
normally performed using Secure Shell (SSH) over
TCP port 22.
A, B, and D are incorrect. TCP port 80 is used
by HTTP, UDP port 161 is used by SNMP, and TCP
port 3389 is used for Windows host remote
management using RDP.
9. C. The most likely culprit of the listed items is
that www.site.com is down.
A, B, and D are incorrect. Custom DNS server
references are not part of Azure VNet default
settings. Connecting to a website uses TCP port 80
or 443, not TCP port 22, which is used for SSH.
Azure virtual machines can resolve Internet names
if the configuration allows it.
10. A. Windows host remote management occurs
over TCP port 3389.
B, C, and D are incorrect. HTTPS uses TCP port
443, the Server Message Block (SMB) file-sharing
protocol uses TCP port 445, and LDAP uses TCP
port 389.

Cloud Load Balancing
11. B and D. Load balancing distributes client app
requests to a pool of back-end servers to improve
application performance and resiliency against
server failures.
A and C are incorrect. Security and archiving are
not closely related to load balancing.
12. C. Autoscaling (also called horizontal scaling)
can be configured to add or remove virtual
machines when application utilization is above or
below configured thresholds.
A, B, and D are incorrect. Load balancing
distributes client app requests to a pool of back-end
servers to improve application performance and
resiliency against server failures. Elasticity is a
cloud computing characteristic that defines the
rapid provisioning and deprovisioning of cloud
resources. Monitoring is a passive activity that is
not related to adding or removing VMs for busy
applications.
13. B. Scaling out horizontally means adding
virtual machines in response to how busy an
application is.
A, C, and D are incorrect. Scaling in means
removing virtual machines, not adding VMs.
Vertical scaling is related to individual VM
resources such as vCPUs and RAM. Scaling up is
vertical, not horizontal.
14. B. The DNS name used for web app
connectivity most likely points to a now-defunct
server IP address. The name must resolve to the
load balancer’s IP address.
A, C, and D are incorrect. DNS names must, in
the end, resolve to an IP address to be resolved
correctly. Port 3389 is used for RDP and port 389 is
used for LDAP; neither of these is used to access a
web application.
15. C. Unresponsive back-end servers no longer
receive client requests through the load balancer.
A, B, and D are incorrect. Unresponsive back-
end servers are not re-created by a load balancer.
Adding servers is horizontal, not vertical, scaling.
Just because one back-end server is unresponsive,
it does not mean other servers cannot still fulfill
client app requests.
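The following Python script is an added illustration of the behaviour answers 11 through 15 describe; it is not code from the book or from any cloud provider. A balancer hands requests round-robin to the back-end pool and skips any server whose health check fails (answer 15), and an autoscaler adds or removes VMs when average utilization crosses configured thresholds while staying within a minimum and maximum pool size (answer 12). The server names, capacities and request counts are constructed sample values; no cloud API is called.

```python
"""Load balancer and autoscaler simulation (added example, not from the book)."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, List


@dataclass
class Backend:
    name: str
    healthy: bool = True          # flipped to False to simulate an outage
    requests_served: int = 0

    def health_check(self) -> bool:
        # Stand-in for the periodic TCP/HTTP probe a real balancer sends.
        return self.healthy


class LoadBalancer:
    def __init__(self, backends: List[Backend]):
        self.backends = list(backends)
        self._turn = count()      # round-robin cursor

    def healthy_pool(self) -> List[Backend]:
        return [b for b in self.backends if b.health_check()]

    def route(self) -> str:
        """Send one client request to the next healthy server; return its name."""
        pool = self.healthy_pool()
        if not pool:
            raise RuntimeError("no healthy back-end servers")
        target = pool[next(self._turn) % len(pool)]
        target.requests_served += 1
        return target.name

    def distribution(self) -> Dict[str, int]:
        return {b.name: b.requests_served for b in self.backends}


class Autoscaler:
    """Horizontal scaling driven by average utilization of the healthy pool."""

    def __init__(self, lb: LoadBalancer, capacity_per_vm: int,
                 scale_out_above: float, scale_in_below: float,
                 min_vms: int, max_vms: int):
        self.lb = lb
        self.capacity_per_vm = capacity_per_vm
        self.scale_out_above = scale_out_above
        self.scale_in_below = scale_in_below
        self.min_vms = min_vms
        self.max_vms = max_vms
        self._next_id = count(len(lb.backends) + 1)   # names for added VMs

    def utilization(self, in_flight: int) -> float:
        pool = self.lb.healthy_pool()
        if not pool:
            return float("inf")          # no capacity at all: always scale out
        return in_flight / (len(pool) * self.capacity_per_vm)

    def evaluate(self, in_flight: int) -> str:
        """Apply one scaling decision; returns 'scale_out', 'scale_in' or 'no_change'."""
        util = self.utilization(in_flight)
        size = len(self.lb.backends)
        if util > self.scale_out_above and size < self.max_vms:
            self.lb.backends.append(Backend(f"web{next(self._next_id)}"))
            return "scale_out"
        if util < self.scale_in_below and size > self.min_vms:
            self.lb.backends.pop()       # retire the most recently added VM
            return "scale_in"
        return "no_change"


def failover_demo() -> Dict[str, int]:
    """Six requests across three servers, then web2 fails and four more arrive."""
    lb = LoadBalancer([Backend("web1"), Backend("web2"), Backend("web3")])
    for _ in range(6):
        lb.route()
    lb.backends[1].healthy = False       # web2 stops answering health checks
    for _ in range(4):
        lb.route()
    return lb.distribution()             # {'web1': 4, 'web2': 2, 'web3': 4}


def autoscale_demo() -> List[str]:
    """Utilization swings above 70% then below 30%; pool stays within 2..5 VMs."""
    lb = LoadBalancer([Backend("web1"), Backend("web2")])
    scaler = Autoscaler(lb, capacity_per_vm=100, scale_out_above=0.7,
                        scale_in_below=0.3, min_vms=2, max_vms=5)
    # ['scale_out', 'no_change', 'scale_in', 'no_change']
    return [scaler.evaluate(180), scaler.evaluate(180),
            scaler.evaluate(30), scaler.evaluate(30)]


if __name__ == "__main__":
    print(failover_demo())
    print(autoscale_demo())
```

The failed server keeps its earlier request count but receives nothing new while its health check fails, and it is never re-created by the balancer; the autoscaler is what changes pool size, and it only does so within its configured bounds.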

operating system virtualization possible and how you
should select the appropriate virtual machine sizing
based on VM workloads.
You have been exposed to how both Windows and
Linux virtual machine images can be deployed and how
to manage them over RDP and SSH, respectively,
through public IP addresses or a jump box. Cloud-based
virtual machines are related to other cloud resources
such as virtual network interfaces and custom route
tables.
You also learned how autoscaling addresses
application performance by scaling out (adding VMs)
when the application is busy and scaling in (removing
VMs) when demand for the application quiets down.
Finally, you learned how high-performance
computing (HPC) can be used to perform large-scale,
complex computing tasks across a cluster of VM nodes
working together in parallel.

TWO-MINUTE DRILL
Virtualization in the Cloud
Hypervisors run virtual machines.
Virtual desktop infrastructure (VDI) provides user
desktops over a network from a central
virtualization server.
Virtual machine sizing determines virtual
hardware resources such as number of vCPUs,
amount of RAM, and disk and network
throughput.
The virtual machine “size” is also referred to as
“instance type.”
Existing virtual machines can be resized to address
compute requirements.
Resizing an existing virtual machine requires
restarting the VM after resizing.

Cloud Virtual Machine Components
Virtual machines are based on operating system
images.
OS images can contain only OS files for Windows
or Linux.
OS images can also contain specific OS settings
and additional software beyond the OS software.
Cloud customers can create custom images that
are used to deploy virtual machines.
Linux virtual machines are remotely managed
using SSH over TCP port 22.
Windows virtual machines are remotely managed
using RDP over TCP port 3389.
For remote management, each virtual machine can
have a public IP address, but this is not
recommended for security reasons.
A jump box is a virtual machine with a public IP
address through which technicians can then
access the private IP addresses of cloud virtual
machines.
Windows virtual machines are normally
configured to use username and password
authentication.
Linux SSH public key authentication stores a
public key with the virtual machine in the cloud;
the related private key is stored on a user device.
Virtual machines can be grouped together for
autoscaling purposes to add and remove VMs in
response to application requests.
Cloud virtual machines can be associated with one
or more virtual network interfaces.
A virtual network interface can have multiple IP
configurations using public and private IP
addresses.
Custom routes are used to control network traffic
flow.

High-Performance Computing
HPC is also referred to as big compute and parallel
processing.
HPC uses a cluster of virtual machine nodes
working together to process complex jobs.
HPC cluster head nodes receive job instructions
and coordinate them among cluster worker nodes.

SELF TEST
The following questions will help you measure your
understanding of the material presented in this chapter.
As indicated, some questions may have more than one
correct answer, so be sure to read all the answer choices
carefully.

Virtualization in the Cloud
1. Which term is used to describe the physical host
running guests?
A. Virtualizor
B. Scale set
C. Cluster
D. Hypervisor
2. Which virtualization solution provides user
desktops from a centralized virtualization host?
A. SDN
B. CDN
C. VDI
D. VLAN
3. Which type of hypervisor is also called a bare metal
hypervisor?
A. Type 1
B. Type 2
C. Type 3
D. Type 4
4. Which virtual machine characteristic determines
the amount of compute power?
A. Autoscaling
B. Load balancer
C. Sizing
D. Tagging

Cloud Virtual Machine Components
5. You need to vertically scale a cloud virtual machine
to accommodate an increased workload. Which two
items should be adjusted?
A. Public IP address
B. RAM
C. vCPU
D. Load balancer
6. You have deployed a Linux virtual machine named
LINUX1 in the cloud. Over time, you realize that
LINUX1 does not need the amount of hardware
resources that it was originally allocated. What
should you do to reduce cloud costs?
A. Resize LINUX1
B. Delete and re-create LINUX1 with the correct
resources
C. Add LINUX1 to an autoscaling group
D. Add LINUX1 to a load balancer back-end server
pool
7. After deploying a Windows virtual machine named
WINDOWS1 in the cloud, you cannot connect to it
over RDP from your on-premises headquarters
network. Other office locations can connect to
WINDOWS1 over RDP. What is the most likely
cause of the problem?
A. Cloud firewall rules are preventing incoming
port 3389 traffic.
B. Cloud firewall rules are preventing incoming
port 389 traffic.
C. Headquarters network firewall rules are
preventing outbound port 3389 traffic.
D. Headquarters network firewall rules are
preventing outbound port 389 traffic.
8. Which statements regarding Linux SSH public key
authentication are correct? (Choose two.)
A. The public key is stored on the connecting
device.
B. The public key is stored in the cloud.
C. The private key is stored in the cloud.
D. The private key is stored on the connecting
device.
9. You have deployed numerous Linux and Windows
virtual machines in the cloud. None of the VMs
have a public IP address. You need to be able to
manage all VMs from your on-premises network
while minimizing exposure to network security
threats. Which options should you consider?
(Choose two.)
A. Assign a public IP address to each virtual
machine
B. Deploy a jump box
C. Configure a virtual machine autoscaling group
D. Configure a VPN to the cloud
10. You need to configure an existing Linux virtual
machine named FIREWALL1 in the cloud so that it
can run as a firewall appliance between two virtual
network subnets. What should you do? (Choose
two.)
A. Switch the operating system image in
FIREWALL1 from Linux to Windows
B. Resize FIREWALL1 to include more vCPUs
C. Add a cloud routing table entry
D. Create a virtual network interface and associate
it with FIREWALL1

High-Performance Computing
11. You are the cloud technician for a pharmaceutical
research company. Currently, researchers are
analyzing vast datasets on premises, but the
analysis results are taking too long to generate.
What should you propose to speed up analysis
results while minimizing IT costs?
A. CSP
B. CDN
C. HPC
D. SDN
12. Which word is the most closely related to HPC in
the cloud?
A. Security
B. Clustering
C. NoSQL
D. Template
13. You plan on configuring a cloud HPC cluster to
analyze terabytes of climate modeling data. What is
the first thing you should do?
A. Deploy an HPC cluster
B. Deploy a load balancer
C. Move data into the cloud
D. Configure virtual machine autoscaling
14. Which type of virtual disk configuration should
HPC nodes use?
A. SDN
B. IOPS
C. HDD
D. SSD
15. You are using an Amazon Web Services (AWS)
HPC cluster to analyze medical data. Which AWS
option should you configure to monitor HPC cluster
performance?
A. Direct Connect
B. ExpressRoute
C. CloudWatch
D. CDN

SELF TEST ANSWERS

Virtualization in the Cloud
1. D. A hypervisor runs software designed to host
guests.
A, B, and C are incorrect. Virtualizor is not a
valid term. A scale set groups VMs together for
autoscaling purposes. A cluster is a group of VM
nodes working together for a single purpose, such
as for application high availability or running
complex computations.
2. C. Virtual desktop infrastructure (VDI) uses a
centralized server to host multiple user desktop
environments.
A, B, and D are incorrect. Software-defined
networking (SDN) provides a layer between user
interfaces that configures underlying network
devices, thus hiding those complexities from the
cloud user. A content delivery network (CDN)
caches content geographically near users that will
request that content. A virtual local area network
(VLAN) is a logical subdivision of a physical
network to reduce network congestion or provide
network isolation and security for critical IT
systems.
3. A. Type 1 hypervisors run directly on hardware
(“bare metal”) to support the running of multiple
guests.
B, C, and D are incorrect. Type 2 hypervisors
run as an application within an existing operating
system. Type 3 and 4 hypervisors are invalid types.
4. C. Virtual machine sizing determines the
virtual machine compute power.
A, B, and D are incorrect. Autoscaling adds or
removes virtual machines in response to how busy
an application is. Load balancing takes incoming
client app requests and directs them to the least-
busy back-end server. Tagging adds metadata to
cloud resources to facilitate searching, filtering, and
cost management.

Cloud Virtual Machine Components
5. B and C. Increasing the amount of memory, or
RAM, and the number of virtual CPUs (vCPUs) is
referred to as “scaling up”—this is vertical scaling.
A and D are incorrect. IP addressing and load
balancing are not directly related to VM vertical
scaling.
6. A. Resizing a virtual machine either increases
or decreases its compute power. Decreasing it
reduces cloud costs.
B, C, and D are incorrect. Resizing a VM is a
more efficient method of adjusting the required
compute power than deleting and re-creating the
VM. Autoscaling and load balancing are not directly
related to compute power hardware resources.
7. C. Because other offices can successfully
connect using RDP, the firewall rules at the
headquarters location must be blocking port 3389
RDP traffic.
A, B, and D are incorrect. Cloud firewall rules
are not the problem; other offices can successfully
connect using RDP. RDP uses port 3389, not 389.
8. B and D. Secure Shell (SSH) public key
authentication in the cloud stores public keys with
the virtual machine in the cloud. The related private
key is stored on the user device.
A and C are incorrect. Public keys are not stored
on the connecting device. Private keys are not
stored in the cloud.
9. B and D. A jump box provides the public
connectivity point for remotely managing cloud
virtual machines without exposing each VM directly
to the Internet. Configuring a VPN to the cloud uses
a single public connectivity point through which
VM remote management can be securely
conducted.
A and C are incorrect. Virtual machines should
not be directly exposed to the Internet, when
possible. Autoscaling does not address remote
management or security exposure issues.
10. C and D. Custom network routes control
network traffic flow, such as to a firewall appliance,
which normally has at least two virtual network
interfaces.
A and B are incorrect. Switching the operating
system image and resizing the virtual machine will
not enable a firewall appliance.

High-Performance Computing
11. C. High-performance computing uses groups of
virtual machine nodes to run complex tasks for
large datasets.
A, B, and D are incorrect. A cloud service
provider (CSP), content delivery network (CDN), or
software-defined networking (SDN) does not
provide the means to analyze large datasets.
12. B. High-performance computing (HPC) uses a
cluster of virtual machines to process complex tasks
in parallel.
A, C, and D are incorrect. Security, NoSQL, and
templates are not as closely related to HPC as the
term “cluster” is.
13. C. Before an HPC cluster can process vast
datasets in the cloud, the data must first be made
available in the cloud.
A, B, and D are incorrect. Deploying the HPC
cluster should occur after the relevant data is in the
cloud. HPC clusters do not use load balancers. HPC
clusters do autoscale as required, but VM
autoscaling is configured after moving the target
data into the cloud.
14. D. Solid-state drives (SSDs) provide the best
disk performance.
A, B, and C are incorrect. Software-defined
networking (SDN) is not related to disk
performance. Input/output operations per second
(IOPS) is not a cloud disk configuration; instead,
IOPS increases when SSD is selected. Hard disk
drives (HDDs) are slower than SSDs.
15. C. The AWS CloudWatch service is used for
cloud resource monitoring.
A, B, and D are incorrect. Direct Connect is the
AWS dedicated private network circuit solution;
ExpressRoute is Microsoft Azure’s solution. A
content delivery network (CDN) caches content
near users geographically.

and can be written in any language.
Applications can consist of many microservices
working together.
Microservices can be updated, tested, and scaled
independently of one another.
Messages are often passed over the network
between microservices using HTTP with message
handling through REST or SOAP.
A content management system (CMS) allows
nontechnical users to create and manage website
content without writing code.

Blockchain
A blockchain is a publicly transparent digital ledger
of transactions (a collection of blocks) that cannot
be modified.
Each block (list of transactions) contains details
such as date and time stamps, financial values, the
current block’s unique hash, and the previous
block’s unique hash.
A blockchain is decentralized, meaning it is stored
across many computers.
A smart contract is added to the blockchain and
can automate the execution of contract details,
such as payments to intellectual property owners.
The blockchain is chronological and updated every
ten minutes.
Blockchain updates occur only after a consensus
has been reached among blockchain nodes about
the validity of the blocks.
Cryptocurrency refers to digital assets consisting
of any commodity that has value, such as Bitcoins,
intellectual property, or contracts.
Cryptocurrency miners are computers or groups of
computers with a large amount of compute power
that are used to validate blockchain transactions.
Cryptocurrency is not controlled by governments
or financial institutions.

Application Containers
Images contain application files and settings.
Images do not contain operating system files.
Images are contained in either private or public
repositories where new images can be uploaded
and existing images can be downloaded,
depending on permissions.
Images are portable, meaning they can easily be
moved to other hosts running application
containerization software such as Docker.
Containers are run-time instances of images.
Containers start up very quickly because they use
the host operating system that is already running.
Microservices are often created to run in their own
containers.
Most cloud service providers can host image
repositories.

Big Data Analytics
Big data refers to vast datasets that can come from
a variety of different sources, including Internet of
Things (IoT) devices.
IoT refers to devices that communicate over the
Internet, such as home environmental controls or
smart car data such as GPS location or car speed
statistics.
Most cloud service providers offer an IoT
repository where registered IoT devices can send
their data for further processing.
NoSQL databases are designed to store massive
amounts of unstructured data.
Big data analytics uses clusters of virtual machines
working together to analyze large amounts of
data.
Virtual to physical (V2P) refers to converting a VM
to an OS configuration that runs on physical
hardware. This is sometimes necessary when all
of the compute power of a physical host must be
allocated to a single task.
Artificial intelligence (AI) refers to software
behaving in a manner similar to human beings.
Machine learning (ML) takes AI further by
allowing technicians to “teach” software to make
decisions and predictions based on big data.

SELF TEST
The following questions will help you measure your
understanding of the material presented in this chapter.
As indicated, some questions may have more than one
correct answer, so be sure to read all the answer choices
carefully.

Service-Oriented Architecture
1. Which of the following terms is most closely
associated with the term “microservice”?
A. Encryption
B. Machine learning
C. Modular
D. Blockchain
2. You have developed a microservice that can pass
messages to other microservices even if they are
not running. Which term best encompasses this
configuration?
A. Loose coupling
B. Monolithic
C. Machine learning
D. Blockchain
3. Which of the following benefits is most likely to be
derived from the use of microservices in application
development?
A. Encryption using HTTPS
B. Facilitated cloud service provider exit strategy
C. Ability to add to a blockchain
D. Ability to test one component while others
remain running
4. Which of the following identifies a network
resource, but not how to access the resource?
A. URI
B. REST
C. SOAP
D. URL

Blockchain
5. Which blockchain characteristic prevents the
modification of past transactions?
A. Hashing
B. Encryption
C. Immutability
D. Decentralization
6. Which piece of data uniquely identifies a
blockchain block?
A. Block size
B. Miner node name
C. Date and time stamp
D. Hash
7. How often is a blockchain on the Internet updated?
A. Every minute
B. Every five minutes
C. Every ten minutes
D. Every hour

Application Containers
8. Which of the following is designed to run
application containers?
A. CMS
B. Docker
C. Blockchain
D. Machine learning
9. How are container images and containers related?
A. The terms are synonymous.
B. Images are run-time instances of containers.
C. Containers are run-time instances of images.
D. Images contain operating system files, whereas
containers do not.
10. Why do application containers start very quickly?
A. They use SSD storage.
B. They contain a small optimized version of the
operating system.
C. They use the underlying host operating system.
D. They are cached in memory.

Big Data Analytics
11. Which type of storage is designed for big data?
A. SQL
B. NoSQL
C. Message queue
D. Image registry
12. When working with big data analytics clusters,
what is required before determining whether
performance is acceptable or not?
A. Metric alerts
B. Image registry
C. Baseline
D. Message queue
13. Your company has vast amounts of medical
research data that needs to be analyzed to predict
future health patterns. Which cloud solution should
you implement?
A. Machine learning
B. Artificial intelligence
C. Blockchain
D. Internet of Things
14. Which of the following terms is the most closely
associated with machine learning?
A. Blockchain
B. Application container
C. Image registry
D. Training model
15. Which of the following are benefits derived from
the use of machine learning? (Choose two.)
A. Establishing baselines
B. Predicting outcomes
C. Deploying VMs
D. Recognizing patterns

SELF TEST ANSWERS

Service-Oriented Architecture
1. C. Microservices are a module-based approach
to software development, where each microservice
performs a specific function. An application can
consist of many microservices.
A, B, and D are incorrect. Encryption scrambles
data so that only authorized users with the correct
key can decrypt it. Machine learning means training
machines to analyze large datasets to make
informed decisions and to identify patterns to
predict future trends. On the Internet, a blockchain
is a decentralized, verified public ledger of
transactions that cannot be modified.
2. A. Loose coupling refers to using microservices
that can exchange messages even if they are not
running simultaneously, by using message queues.
B, C, and D are incorrect. Monolithic apps are
those that unify all app functionality instead of
dividing the app into functionally specific
components, or microservices. Machine learning
analyzes large datasets to make informed decisions
and to identify patterns to predict future trends. A
blockchain is a decentralized, verified public ledger
of transactions that cannot be modified.
3. D. Applications can consist of multiple
microservices, which are modular software
components that can each be tested independently
of others.
A, B, and C are incorrect. Encryption using
HTTPS secures HTTP-based network
communications but is not directly related to
microservices. CSP exit strategies are used to plan
to cease the use of a specific CSP. Microservices are
not necessarily related to adding blockchain
transactions.
4. A. A Uniform Resource Identifier (URI)
specifies a network resource, but not exactly how to
access it, such as using HTTP, HTTPS, or FTP, as
does a URL.
B, C, and D are incorrect. Representational
State Transfer (REST) is a style of extracting data
from a network resource such as a web service.
Simple Object Access Protocol (SOAP) is a
standardized protocol used to extract data over a
network using XML as the data format.

Blockchain
5. C. When something is immutable, it cannot be
modified. Past blockchain transactions are
immutable; they cannot be tampered with.
A, B, and D are incorrect. Hashing generates a
unique value that can be used to determine if
modifications have taken place, but it does not
prevent modification. Encryption scrambles data so
that only authorized parties with the correct key can
decrypt the data. Decentralization means that a
blockchain is spread across many computers; this
does not prevent the modification of past
transactions.
6. D. A hash results from feeding data into a one-
way hashing algorithm. It uniquely represents the
blockchain block.
A, B, and C are incorrect. A blockchain
transaction is not uniquely identified by the block
size, miner node name, or date and time stamp.
7. C. New blockchain transactions are added once
every ten minutes.
A, B, and D are incorrect. These do not
represent the blockchain update interval.
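The hash chain that the Blockchain drill bullets describe (each block stores its own hash and the previous block's hash) and that answers 5 and 6 rely on is shown below as an added Python example; it is not code from the book and is a teaching model, not any real blockchain's format. The ledger contents, timestamps and the `GENESIS_PREVIOUS_HASH` convention are constructed for the example.

```python
"""Hash-chained ledger demo (added example, not from the book)."""
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Block:
    index: int
    timestamp: str               # ISO-8601 text; sample values are constructed
    transactions: List[dict]
    previous_hash: str
    block_hash: str = ""         # filled in by compute_hash()

    def compute_hash(self) -> str:
        # Hash every field except block_hash; sort_keys and fixed separators
        # make the JSON canonical so equal content always hashes equal.
        payload = {"index": self.index, "timestamp": self.timestamp,
                   "transactions": self.transactions,
                   "previous_hash": self.previous_hash}
        encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(encoded).hexdigest()


GENESIS_PREVIOUS_HASH = "0" * 64   # convention for "no predecessor" (assumed)

SAMPLE_BLOCKS = [  # constructed sample ledger: (timestamp, transactions)
    ("2024-01-01T00:00:00Z", [{"from": "alice", "to": "bob", "amount": 5}]),
    ("2024-01-01T00:10:00Z", [{"from": "bob", "to": "carol", "amount": 2}]),
    ("2024-01-01T00:20:00Z", [{"from": "carol", "to": "alice", "amount": 1}]),
]


def build_chain(blocks_data) -> List[Block]:
    """Link (timestamp, transactions) tuples into a chain, newest last."""
    chain, prev = [], GENESIS_PREVIOUS_HASH
    for i, (ts, txs) in enumerate(blocks_data):
        blk = Block(index=i, timestamp=ts, transactions=copy.deepcopy(txs),
                    previous_hash=prev)
        blk.block_hash = blk.compute_hash()
        chain.append(blk)
        prev = blk.block_hash
    return chain


def verify_chain(chain: List[Block]) -> Tuple[bool, int]:
    """Return (ok, index of first bad block or -1).

    A block is bad if its stored hash no longer matches its contents, or if
    its previous_hash does not equal the hash of the block before it.
    """
    prev = GENESIS_PREVIOUS_HASH
    for blk in chain:
        if blk.previous_hash != prev or blk.block_hash != blk.compute_hash():
            return False, blk.index
        prev = blk.block_hash
    return True, -1


def tamper_demo() -> Tuple[bool, bool, int]:
    """Rewrite a past transaction; the edited block itself now fails."""
    chain = build_chain(SAMPLE_BLOCKS)
    ok_before, _ = verify_chain(chain)
    chain[1].transactions[0]["amount"] = 200     # history rewritten in block 1
    ok_after, bad_index = verify_chain(chain)
    return ok_before, ok_after, bad_index        # (True, False, 1)


def tamper_and_rehash_demo() -> int:
    """Even if block 1's hash is recomputed after the edit, block 2's link breaks."""
    chain = build_chain(SAMPLE_BLOCKS)
    chain[1].transactions[0]["amount"] = 200
    chain[1].block_hash = chain[1].compute_hash()
    _, bad_index = verify_chain(chain)
    return bad_index                              # 2


if __name__ == "__main__":
    print(tamper_demo())
    print(tamper_and_rehash_demo())
```

This is the distinction answer 5 draws: hashing lets any holder of the ledger detect that a past block changed, but it does not by itself prevent the change. Someone holding a single copy could recompute every later hash too, and that copy would then verify internally; it would simply disagree with the copies held by the other nodes, which is why the drill pairs the hash chain with decentralization and consensus.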

Application Containers
8. B. Docker is software running on a Windows-
based or Linux-based host that can run and manage
application images and containers.
A, C, and D are incorrect. A content
management system (CMS) enables a person to
create and manage website content without
requiring detailed technical knowledge or coding
skills. A blockchain is a decentralized, verified
public ledger of transactions that cannot be
modified. Machine learning analyzes large datasets
to make informed decisions and to identify patterns
to predict future trends.
9. C. Application containers are launched from
application images. A container is a run-time
instance of an image.
A, B, and D are incorrect. Application images
contain app files and settings; when the image is
running, it is called a container. Neither images nor
containers contain operating system files.
10. C. Application containers start quickly because
they use the host operating system that is already
running.
A, B, and D are incorrect. Solid-state drive
(SSD) storage is not the reason application
containers start quickly. Application containers do
not contain an operating system, nor are they
cached in memory.

Big Data Analytics
11. B. NoSQL allows unstructured data storage,
which means each row could store completely
different types of data.
A, C, and D are incorrect. SQL databases use a
rigid schema, or blueprint, of what is allowed to be
stored. Message queues are used to temporarily
store messages passed between software
components, not big data. Image registries, which
can be private or public, store application images.
12. C. A baseline is a measure of normal activity,
which helps to identify outliers from that normal
performance.
A, B, and D are incorrect. Metric alerts feed
into establishing a baseline, but do not by
themselves help determine if performance is
acceptable or not. Image registries, which can be
private or public, store application images, but are
not related to performance. Message queues are
used to temporarily store messages passed between
software components.
13. A. Machine learning (ML) analyzes large
datasets and can be “trained” to make informed
decisions and to identify patterns to predict future
trends.
B, C, and D are incorrect. Artificial intelligence
(AI) is a broad term that relates to software
mimicking human behavior. ML is an
implementation of AI. A blockchain is a
decentralized, verified public ledger of transactions
that cannot be modified. Internet of Things (IoT)
refers to devices that can communicate over the
Internet.
14. D. Machine learning analyzes large datasets
and can be “trained” to make informed decisions
and to identify patterns to predict future trends.
A, B, and C are incorrect. A blockchain is a
decentralized, verified public ledger of transactions
that cannot be modified. Application containers
contain application files and settings. Image
registries, which can be private or public, store
application images, but are not related to
performance.
15. B and D. Machine learning (ML) analyzes
datasets and can be “trained” to make decisions or
future predictions, as well as to identify patterns.
A and C are incorrect. Baselines and
deployment are not directly related to machine
learning.

exchange data over HTTP/S or SMTP using XML or
JSON formats.
You also learned about sandboxing to isolate
development and testing from the production
environment. Sandboxing is possible at the network,
virtual machine, and container levels. We covered
software testing types such as load testing, which
simulates above-average workloads, and regression
testing, which ensures existing application functionality
is not adversely affected by code changes.
Next, you learned how CI/CD ensures the automated
and timely delivery of software solutions. Developers
create and work with code through centralized code
repositories. Code that is checked out cannot be
modified by other developers.
Finally, you learned about a variety of cloud
automation techniques, including command-line tools
and templates. You also learned that cloud orchestration
brings together multiple automation tasks in a single
workflow.

TWO-MINUTE DRILL
Software Development in the Cloud
DevOps combines software development and IT
operations to deliver high-quality solutions as
efficiently as possible.
The use of software development solutions in the
cloud falls under the PaaS cloud service model.
Application programming interfaces (APIs) are
collections of functions for a hardware device or a
software solution.
Software developers can call upon APIs to execute
hardware or software functions defined in the
API.
Software developers can create and host APIs in
the cloud.
Software components communicate over common
protocols such as HTTP/S and SMTP.
Extensible Markup Language (XML) is a common
data exchange format that uses tags to describe
data.
JavaScript Object Notation (JSON) uses key–value
pairs to define data.

Software Testing
Sandboxing is used in the IT world to isolate
development and testing environments from
production environments.
There are various sandboxing solutions, such as
network isolation, VMs with limited network
connectivity, and application containers.
Functional testing is used to ensure that IT
solutions meet design requirements.
Unit testing applies to a specific code function, or
microservice.
Regression testing ensures that software changes
have not adversely affected other, unrelated areas
of that software.
Load testing simulates above-average workloads to
determine if application response is acceptable.
Fuzz testing feeds unexpected data to an
application. Behavior is observed in order to
improve application stability and prevent the
disclosure of sensitive information.
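As an added illustration of the fuzz testing bullet above (not code from the book), the Python script below feeds mutated inputs to a deliberately fragile key=value parser and to a hardened rewrite, and records every input that makes a parser raise an exception it did not plan for. The two parsers, the seed input and the mutation alphabet are constructed for this example; the fixed random seed keeps the run reproducible.

```python
"""Minimal fuzz harness (added example, not from the book)."""
import random
from typing import Dict, List


class MalformedInput(ValueError):
    """Raised on purpose for bad input; the fuzzer treats this as expected."""


def parse_kv_fragile(text: str) -> Dict[str, str]:
    # Assumes every item is exactly 'key=value'; anything else escapes as an
    # uncontrolled ValueError, the kind of stability defect fuzzing surfaces.
    pairs = {}
    for item in text.split(";"):
        key, value = item.split("=")
        pairs[key] = value
    return pairs


def parse_kv_hardened(text: str) -> Dict[str, str]:
    # Same format, but every malformed shape is rejected explicitly.
    pairs = {}
    for item in text.split(";"):
        if item == "":
            continue                      # tolerate trailing or doubled ';'
        key, sep, value = item.partition("=")
        if not sep or key == "":
            raise MalformedInput(f"bad pair: {item!r}")
        pairs[key] = value
    return pairs


def mutate(seed: str, rng: random.Random) -> str:
    """Apply 1-3 random edits using characters the format itself uses."""
    alphabet = "abc123=;\x00 "
    s = list(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("insert", "delete", "replace"))
        if op == "insert" or not s:
            s.insert(rng.randint(0, len(s)), rng.choice(alphabet))
        elif op == "delete":
            del s[rng.randrange(len(s))]
        else:
            s[rng.randrange(len(s))] = rng.choice(alphabet)
    return "".join(s)


def fuzz(parser, seed: str = "host=db;port=5432",
         iterations: int = 300, rng_seed: int = 7) -> List[str]:
    """Return the inputs that made `parser` raise something unexpected."""
    rng = random.Random(rng_seed)        # fixed seed: reproducible findings
    crashes = []
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            parser(candidate)
        except MalformedInput:
            pass                         # controlled rejection is the goal
        except Exception:                # any other exception is a finding
            crashes.append(candidate)
    return crashes


if __name__ == "__main__":
    print(len(fuzz(parse_kv_fragile)), "crashes in fragile parser")
    print(len(fuzz(parse_kv_hardened)), "crashes in hardened parser")
```

The harness does not judge correctness of the parsed result, only whether the program stays in control of its own failure modes; a real fuzz run would also watch for the second concern the drill names, output that echoes data the caller should not see, for example a traceback that reveals internal paths or secrets.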

Continuous Integration and Delivery
Continuous integration and continuous delivery
(CI/CD) is the DevOps practice of delivering
efficient and high-quality IT solutions in a timely
and automated fashion.
Code repositories are centralized collections of
software code.
Developers can check out code from a repository
when updates are required. Checked-out code
cannot be modified by other developers.
CI/CD can use triggers such as code check-in to
automate code builds, testing, packaging, and
deployment.

Cloud Resource Deployment
Cloud automation can be achieved through cloud-
based command-line tools, scripts, templates, and
batch jobs.
Infrastructure as code (IaC) comes in the form of
cloud automation templates, which normally use
the JavaScript Object Notation (JSON) file format.
Cloud automation can use triggers such as the
receipt of an HTTP message or the presence of a
message in a message queue.
Cloud orchestration brings cloud automation tasks
together in a single workflow.
Runbooks are often used with cloud orchestration
to execute a series of automation tasks.

SELF TEST
The following questions will help you measure your
understanding of the material presented in this chapter.
As indicated, some questions may have more than one
correct answer, so be sure to read all the answer choices
carefully.

Software Development in the Cloud
1. Software developers in your organization have
begun creating, testing, and deploying code for
custom software applications in the cloud without
manually deploying cloud resources. To which type
of cloud computing model does this example best
apply?
A. PaaS
B. IaaS
C. SaaS
D. STaaS
2. You are using the cloud to develop a microservice.
Your solution must have the ability to scale and be
tested independently of other microservices. What
should you use for your microservices?
A. Metal as a Service
B. Virtual machine
C. Container
D. Code repository
3. Which of the following represents a standard data
exchange format over a network?
A. PDF
B. PKI
C. XML
D. HTML
4. You are planning the creation of a custom line of
business software that will be hosted in the cloud.
You plan on using the Java programming language
to code the solution. Using which of the following
will most greatly facilitate this endeavor?
A. API
B. XML
C. SDK
D. PKI

Software Testing
5. Which type of software testing applies an above-
average workload to an application?
A. Vulnerability
B. Penetration
C. Load
D. Compliance
6. You have configured automated cloud-based code
builds and testing. One configured test ensures that
new code changes have not adversely affected other
code modules. What type of testing is this?
A. Fuzz
B. Vulnerability
C. Regression
D. Penetration
7. A custom application consists of multiple
microservices. You need to test code changes made
to one microservice. Which of the following
presents the fastest and most efficient sandboxing
solution?
A. VMs
B. APIs
C. Containers
D. Fuzzing

Continuous Integration and Delivery


8. Which term describes a central location where
developers create, modify, check in, check out, and
test software solutions?
A. API
B. CI/CD
C. DevOps
D. Code repository
9. What benefit is derived when software developers
check out code from a repository?
A. Other developers cannot modify the checked-
out code.
B. Other developers can modify the checked-out
code.
C. Automated testing against the checked-out code begins.
D. Automated deployment of the checked-out code
begins.
10. Which actions are common examples of
automatically triggered tasks that execute when
developers check code into a code repository?
(Choose two.)
A. Virtual machine deployment
B. Code building
C. Testing
D. Template creation

Cloud Resource Deployment


11. Which of the following terms is the most closely
related to infrastructure as code?
A. CI/CD
B. Template
C. Code repository
D. Container
12. How does cloud orchestration differ from cloud
automation?
A. It doesn’t; the terms are synonymous.
B. Only cloud automation coordinates a collection
of tasks.
C. Only cloud orchestration coordinates a collection of tasks.
D. Cloud automation uses command-line tools,
whereas cloud orchestration uses GUI tools.
13. Which of the following is the most common cloud
resource template file format?
A. JSON
B. CSV
C. TXT
D. HTML
14. Which of the following items is most commonly
considered a cloud orchestration component as
opposed to a cloud automation component?
A. Script
B. Cloud resource template
C. Runbook
D. Code repository
15. Which term is described as organizing multiple
automation tasks into a single workflow?
A. Script
B. Cloud resource template
C. Runbook
D. Orchestration

SELF TEST ANSWERS


Software Development in the Cloud
1. A. Platform as a Service (PaaS) is a cloud
service model that hides the underlying resource
provisioning from the cloud customer. PaaS is often
used by software developers.
B, C, and D are incorrect. Infrastructure as a
Service (IaaS) is a cloud service model that allows
cloud customers to deploy infrastructure
components, such as storage, networks, and virtual
machines, in the cloud. Software as a Service (SaaS)
refers to a software solution available over a
network, such as web e-mail service provided over
the Internet by a cloud service provider. Storage as
a Service (STaaS) is a specific subset of IaaS focused
on cloud storage, such as for cloud backup and
archive storage.
2. C. Application containers consist of the files
necessary to run an app, along with settings and app
tools. Each app container can be scaled and tested independently.
A, B, and D are incorrect. Metal as
a Service (MaaS) provides cloud customers with a
dedicated hypervisor to run virtual machines. Using
virtual machines to host a single microservice is
less efficient than using an application container.
Code repositories are not required when developing
microservices.
3. C. Extensible Markup Language (XML) is a file
type that uses tags to describe data rather than
defining the formatting of data. XML is a common
data format used to exchange data between
dissimilar systems.
A, B, and D are incorrect. Portable Document
Format (PDF) is a standard document file format.
Public Key Infrastructure (PKI) is a hierarchy of
digital security certificates. Hypertext Markup
Language (HTML) is a file type that uses tags to
define data formatting.
4. C. A software development kit (SDK) provides
developer tools for a specific software platform,
such as Java. SDKs are composed of many APIs.
A, B, and D are incorrect. An application
programming interface (API) is a collection of
related functions that can be called upon, or hooked
into, by other software components. SDKs contain
many APIs. Extensible Markup Language (XML) is
a file type that uses tags to describe data rather than
defining the formatting of data. XML is a common
data format used to exchange data between
dissimilar systems. Public Key Infrastructure (PKI)
is a hierarchy of digital security certificates.

Software Testing
5. C. Load testing applies an above-average
workload to an application in order to determine
application security and stability.
A, B, and D are incorrect. Vulnerability testing
identifies security weaknesses. Penetration testing
identifies and attempts to exploit discovered
weaknesses. Compliance testing is used to ensure
compliance with standards, laws, or regulations.
6. C. Regression testing ensures that changes
have not adversely affected other components or
functionality not related to the change.
A, B, and D are incorrect. Fuzz testing provides
random and unanticipated data to an application.
Application behavior is then observed to determine
its security and stability. Vulnerability testing
identifies security weaknesses. Penetration testing
identifies and attempts to exploit discovered
weaknesses.
7. C. Application containers consist of application
files and settings. Each microservice comprising a
larger application can run within its own container.
This allows container code updates, testing, and
scaling independently of other containers.
A, B, and D are incorrect. Virtual machines
(VMs) are slower to start and stop than application
containers because they contain an entire operating
system. An application programming interface
(API) is a collection of related functions that can be
called upon, or hooked into, by other software
components. Fuzz testing provides random and
unanticipated data to an application.

Continuous Integration and Delivery


8. D. A code repository is a central location where
developers create, modify, check in, check out, and
test software solutions. Code can be checked out so
that it cannot be modified by other developers until
it is checked back in. Private code repositories can
be configured, or public repositories can be used.
A, B, and C are incorrect. An application
programming interface (API) is a collection of
related functions that can be called upon, or hooked
into, by other software components. Continuous
integration and continuous delivery (CI/CD)
ensures the timely delivery of software solutions,
ideally in an automated fashion, over the Internet.
Development and operations (DevOps) is a term
that refers to developing software solutions and
continuously deploying related updates efficiently
and securely.
9. A. Checking out code from a code repository
prevents other software developers from modifying
that checked-out code.
B, C, and D are incorrect. The listed statements
regarding checked-out code are not correct.
10. B and C. Automation can be configured with
some code repositories, such as automatically
building and testing code when it is checked in.
A and D are incorrect. Virtual machine
deployment and template creation are not common
examples of code repository check-in actions.

Cloud Resource Deployment


11. B. Infrastructure as code refers to using syntax
statements to create and manage cloud resources,
such as through template files.
A, C, and D are incorrect. Continuous
integration and continuous delivery (CI/CD)
ensures the timely delivery of software solutions,
ideally in an automated fashion over the Internet. A
code repository is a centralized storage location for
programming code. Application containers consist
of application files and settings. Containers are
isolated and portable and can be moved to different
hosts.
12. C. Cloud orchestration involves coordinating
multiple related automation tasks.
A, B, and D are incorrect. Cloud automation
and cloud orchestration are not the same.
Orchestration coordinates multiple automation
tasks. Orchestration is not exclusive to GUI tools.
13. A. The JavaScript Object Notation (JSON)
format is a commonly used file syntax for cloud
resource templates.
B, C, and D are incorrect. Comma-separated
value (CSV) is a text file format that uses commas
as a delimiter to separate values. TXT is a standard
text file format. Hypertext Markup Language
(HTML) is a file format that uses tags to format the
display of content.
14. C. A runbook is a cloud orchestration
component used to run a series of tasks.
A, B, and D are incorrect. While scripts,
templates, and code repositories are related to cloud
orchestration, runbooks are the most closely
related.
15. D. Cloud orchestration involves coordinating
multiple related automation tasks.
A, B, and C are incorrect. Scripts, templates,
and runbooks are related to cloud orchestration, but
orchestration itself coordinates multiple
automation tasks.

be centralized and trusted by third parties (aka identity
federation). You learned how multifactor authentication
enhances sign-in security, and finally, you learned how
single sign-on removes the need for users to re-
authenticate (after initial authentication) to each
additional app they want to access.

TWO-MINUTE DRILL
Confidentiality
Confidentiality protects sensitive data from
unauthorized users.
PKI certificates can be used to implement
confidentiality and can be issued to users, devices,
and software.
PKI certificates contain public–private key pairs.
Data confidentiality security controls can apply to
data storage and network communications.
Data encryption feeds data into an encryption
algorithm along with an encryption key.
More bits in an encryption key generally mean
better encryption strength.
Unencrypted data is referred to as plain text, and
encrypted data is referred to as ciphertext.
Symmetric encryption uses the same key for
encryption and decryption.
Asymmetric encryption uses a public key for
encryption and a mathematically related private
key for decryption.
RC4, Blowfish, and AES are examples of
symmetric encryption algorithms.
RSA, ECC, and ElGamal are examples of
asymmetric encryption algorithms.
Transport Layer Security (TLS) is a network
security protocol that supersedes SSL.
TLS requires a server-side PKI certificate to
support HTTPS connections over port 443.
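The symmetric and asymmetric points in this drill, as an added example that is not from the book: AES-GCM stands in for the symmetric algorithms and RSA-OAEP for the asymmetric ones, the sample data is constructed, and the key-size check illustrates why an algorithm only accepts keys of its defined lengths.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// NewSymmetricKey returns n random bytes. AES accepts only 16, 24 or 32 bytes
// (128, 192 or 256 bits); any other length is rejected by aes.NewCipher.
func NewSymmetricKey(n int) ([]byte, error) {
	key := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SymmetricEncrypt seals plaintext with AES-GCM. The output is
// nonce || ciphertext || tag, and the same key is required to open it.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // returns KeySizeError for bad lengths
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt opens AES-GCM output. A different key, or any modified
// byte, fails the authentication tag check and no plaintext is returned.
func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

// NewAsymmetricKeyPair generates an RSA private key; its PublicKey field is
// the half that can be shared freely.
func NewAsymmetricKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// AsymmetricEncrypt uses the recipient's public key (RSA-OAEP); only the
// mathematically related private key can decrypt the result.
func AsymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// AsymmetricDecrypt recovers the plaintext with the private key.
func AsymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	secret := []byte("customer export, do not share") // constructed sample data

	// Symmetric: the same 256-bit key encrypts and decrypts.
	key, _ := NewSymmetricKey(32)
	sealed, _ := SymmetricEncrypt(key, secret)
	out, err := SymmetricDecrypt(key, sealed)
	fmt.Printf("same key decrypts:  %q err=%v\n", out, err)
	otherKey, _ := NewSymmetricKey(32)
	_, err = SymmetricDecrypt(otherKey, sealed)
	fmt.Println("other key decrypts: err =", err)
	_, err = SymmetricEncrypt([]byte("short"), secret)
	fmt.Println("5-byte key accepted? err =", err)

	// Asymmetric: public key encrypts, related private key decrypts.
	priv, _ := NewAsymmetricKeyPair(2048)
	ct, _ := AsymmetricEncrypt(&priv.PublicKey, secret)
	pt, err := AsymmetricDecrypt(priv, ct)
	fmt.Printf("private key decrypts: %q err=%v\n", pt, err)
	stranger, _ := NewAsymmetricKeyPair(2048)
	_, err = AsymmetricDecrypt(stranger, ct)
	fmt.Println("unrelated private key decrypts: err =", err)
}
```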

Data Integrity and Message Authentication


Integrity security controls are used to ensure that
data has not been modified by unauthorized users.
Hashing applies an algorithm to data that results
in a unique value called a hash or message digest.
Hash generation determines data validity; if a
current hash of a file matches a past hash of the
same file, the file has not been modified.
MD5 and SHA-256 are examples of hashing
algorithms.
Digital signing is used to ensure that a message
came from the user or device it says it came from.
Private keys are used to create digital signatures;
public keys are used to verify digital signatures.

Availability
Availability security controls ensure that IT
services and data are continuously accessible.
Cloud service level agreements (SLAs) include
details about service availability.
Network attacks such as DoS and DDoS attempt to
render systems unavailable for legitimate use.
IT system and data availability can be achieved
through data backups, replication, and
redundancy.

Identity and Access Management


Identity and access management begins with
security principals (users, devices, software).
Security principals are stored with identity
providers.
Centralized identity providers trusted by third
parties define identity federation.
Identity providers can use their private key to
digitally sign authentication tokens, which are
verified by apps using the related public key.
Single sign-on (SSO) removes the need for
repeated user authentication for apps after initial
authentication.
Multifactor authentication (MFA) combines
authentication categories such as “something you
know” and “something you have.”
Data labeling can be used to further control
(authorize) access to sensitive data.
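Added example, not from the book, covering both the hash-comparison and digital-signature points in the Data Integrity and Message Authentication drill and the signed-token point in this drill: a hypothetical identity provider signs a constructed token with its Ed25519 private key, and a hypothetical web app that holds only the public key accepts the genuine token but rejects altered claims and tokens from an issuer it was not configured to trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// FileHash returns the SHA-256 message digest of data as hex. Any change to
// the input, however small, yields a different digest.
func FileHash(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// IntegrityIntact recomputes the hash of the current contents and compares it
// with the hash recorded earlier; a match means the data was not modified.
func IntegrityIntact(recordedHash string, current []byte) bool {
	return subtle.ConstantTimeCompare([]byte(FileHash(current)), []byte(recordedHash)) == 1
}

// IdentityProvider is a hypothetical IdP holding an Ed25519 key pair. Only the
// private key ever signs; the public key is what relying apps are configured
// to trust.
type IdentityProvider struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentityProvider() (*IdentityProvider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{pub: pub, priv: priv}, nil
}

// PublicKey is the only key material the IdP shares with federated apps.
func (idp *IdentityProvider) PublicKey() ed25519.PublicKey { return idp.pub }

// SignedToken is a constructed stand-in for a security token: the claims the
// app will act on plus the IdP's signature over exactly those bytes.
type SignedToken struct {
	Claims    []byte
	Signature []byte
}

// IssueToken is what the IdP does after a successful user authentication.
func (idp *IdentityProvider) IssueToken(claims string) SignedToken {
	return SignedToken{Claims: []byte(claims), Signature: ed25519.Sign(idp.priv, []byte(claims))}
}

// AppVerifies models the web app: it holds only the trusted IdP public key and
// accepts a token only if the signature matches the claim bytes it received.
func AppVerifies(trustedIdP ed25519.PublicKey, tok SignedToken) bool {
	return ed25519.Verify(trustedIdP, tok.Claims, tok.Signature)
}

func main() {
	// Constructed sample file contents and a recorded hash from an earlier run.
	original := []byte("invoice-2024-03.csv: total=1280.00")
	recorded := FileHash(original)
	fmt.Println("recorded hash:", recorded)
	fmt.Println("unchanged file intact:", IntegrityIntact(recorded, original))
	fmt.Println("edited file intact:   ", IntegrityIntact(recorded, []byte("invoice-2024-03.csv: total=12800.00")))

	idp, err := NewIdentityProvider()
	if err != nil {
		panic(err)
	}
	tok := idp.IssueToken(`{"sub":"alice","role":"reader"}`)
	fmt.Println("genuine token accepted:", AppVerifies(idp.PublicKey(), tok))

	// Claims changed after signing: the signature no longer matches.
	altered := SignedToken{Claims: []byte(`{"sub":"alice","role":"admin"}`), Signature: tok.Signature}
	fmt.Println("altered claims accepted:", AppVerifies(idp.PublicKey(), altered))

	// Token from an IdP the app was never configured to trust.
	otherIdP, _ := NewIdentityProvider()
	fmt.Println("untrusted issuer accepted:", AppVerifies(idp.PublicKey(), otherIdP.IssueToken(`{"sub":"alice"}`)))
}
```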

SELF TEST
The following questions will help you measure your
understanding of the material presented in this chapter.
As indicated, some questions may have more than one
correct answer, so be sure to read all the answer choices
carefully.

Confidentiality
1. Which of the following is the most closely related
to data confidentiality?
A. Hashing
B. Digital signature
C. Encryption
D. Authentication
2. You need to secure a cloud-hosted web application
using HTTPS. What is required to accomplish this?
A. PKI certificate
B. SSL certificate
C. TLS certificate
D. IPSec certificate
3. You have decided to use your own key to encrypt
and decrypt data stored in the cloud. Which type of
encryption is this?
A. PKI
B. Symmetric
C. Asymmetric
D. TLS

Data Integrity and Message Authentication


4. Hashing is an example of providing data:
A. Integrity
B. Availability
C. Confidentiality
D. Authentication
5. You have generated file hashes for files stored in
the cloud. How does this provide integrity?
A. It creates a digital signature.
B. Future hashes are compared with older hashes;
if they match, the data has been modified.
C. It encrypts files stored in the cloud.
D. Current hashes are compared with older
hashes; if they match, the data has not been
modified.
6. You are configuring a cloud-hosted web application
in a federated identity environment. What is
required for the web application to trust digitally
signed security tokens from the identity provider?
A. Identity provider private key
B. Web app private key
C. Web app public key
D. Identity provider public key
7. How do digital signatures and hashing differ, if at
all?
A. They are the same thing.
B. Unlike digital signatures, hashing proves
message sender authenticity.
C. Unlike hashing, digital signatures prove
message sender authenticity.
D. Hashing encrypts, while digital signatures do
not.

Availability
8. Which of the following is the most closely related
to data availability?
A. Encryption
B. Backups
C. Digital signatures
D. Authentication
9. A malicious attacker uses a compromised host to
attack a web server virtual machine, causing it to
crash. Which type of attack is this?
A. Ransomware
B. Directory traversal
C. DoS
D. DDoS
10. A malicious attacker uses a network of
compromised hosts to attack a web server virtual
machine, causing it to crash. Which type of attack is
this?
A. Ransomware
B. Directory traversal
C. DoS
D. DDoS

Identity and Access Management


11. What do web apps use to establish trust from
identity providers?
A. Encrypted identity provider tokens
B. Encrypted web app tokens
C. Digitally signed web app tokens
D. Digitally signed identity provider tokens
12. Which of the following best describes identity
federation?
A. Exporting user accounts from one directory
service to other directory services
B. Copying user accounts from one directory to
other directories
C. Configuring applications to trust a central
identity provider
D. Disburdening users from having to enter
credentials for each app they access
13. Which of the following best describes SSO?
A. Exporting user accounts from one directory
service to other directory services
B. Copying user accounts from one directory to
other directories
C. Configuring applications to trust a central
identity provider
D. Disburdening users from having to enter
credentials for each app they access
14. Which of the following are examples of multifactor
authentication? (Choose two.)
A. Username and password
B. Username, password, and authentication server
IP address
C. Username, password, and PIN sent to a phone
D. Username, password, and smartcard
15. Your organization requires cloud resources in the
Eastern U.S. region to be labeled with a default
Project ID and Project Manager. The solution must
be implemented with the least possible amount of
administrative effort. What should you configure?
A. Template
B. Custom API
C. Role-based access control
D. Resource tagging policy

SELF TEST ANSWERS


Confidentiality
1. C. Encryption is a form of confidentiality.
A, B, and D are incorrect. Hashing ensures that
data has not been tampered with or corrupted.
Digital signatures are used to verify message
authenticity. Authentication is the proving of one’s
identity.
2. A. A PKI certificate is required before enabling
an HTTPS binding for a web application.
B, C, and D are incorrect. PKI certificates can
be used with SSL, TLS, or IPSec, which are all
network security protocols; however, technically,
they are not types of certificates.
3. B. A symmetric key is one that is used for both
encryption and decryption.
A, C, and D are incorrect. Public Key
Infrastructure (PKI) is a hierarchy of digital
security certificates, not an encryption type.
Asymmetric encryption uses two keys; a public key
for encryption and a private key for decryption.
Transport Layer Security (TLS) is a network
security protocol that supersedes Secure Sockets
Layer (SSL).

Data Integrity and Message Authentication


4. A. Hashing is used to detect modifications
made to data.
B, C, and D are incorrect. Availability ensures
that IT systems and data are continuously
accessible. Confidentiality protects sensitive data
from unauthorized users. Authentication is the
proving of one’s identity.
5. D. File hashes are unique values. If the file is
modified in any way, when a hash is generated
again, a different unique value will result.
A, B, and C are incorrect. Hashes do not create
digital signatures. Hashing does not encrypt files.
6. D. The identity provider public key can be used
to verify security tokens digitally signed by the
identity provider’s private key.
A, B, and C are incorrect. The identity provider
private key is used to create digital signatures. Web
app keys are not involved in this scenario.
7. C. Digital signatures use the sender’s public key
to authenticate the message, which was signed
using the sender’s private key.
A, B, and D are incorrect. Hashing and digital
signatures are not the same thing. Hashing is used
to detect data modifications, and digital signatures
are used to authenticate messages. Neither hashing
nor digital signatures encrypt data.

Availability
8. B. Data backups are related to availability.
A, C, and D are incorrect. Encryption is a form
of confidentiality that protects sensitive data from
unauthorized users. Digital signatures are used to
ensure message authenticity. Authentication is the
proving of one’s identity.
9. C. A denial of service (DoS) attack involves an
attacker using (normally) a single attacking system
to render a victim system unusable for legitimate
users.
A, B, and D are incorrect. Ransomware is
malware that encrypts files and demands a ransom
payment to potentially receive decryption keys.
Directory traversal is a type of web server attack
that traverses the web server file system hierarchy.
A distributed DoS (DDoS) attack consists of an
attacker using multiple compromised hosts to
attack a victim network or host, such as flooding a
network with useless traffic.
10. D. A distributed denial of service (DDoS) attack
consists of an attacker using multiple compromised
hosts to attack a victim network or host, such as
flooding a network with useless traffic.
A, B, and C are incorrect. Ransomware is
malware that encrypts files and demands a ransom
payment to potentially receive decryption keys.
Directory traversal is a type of web server attack
that traverses the web server file system hierarchy.
A denial of service (DoS) attack involves an attacker
using (normally) a single attacking system to
render a victim system unusable for legitimate
users.

Identity and Access Management


11. D. Identity providers digitally sign tokens upon
successful user authentication. Apps are configured
to trust the signature of the identity provider.
A, B, and C are incorrect. Encryption is not
used to establish trust from identity providers. Web
apps do not generate security tokens; identity
providers do.
12. C. Identity federation uses a central identity
provider that is trusted by third parties.
A, B, and D are incorrect. Exporting, importing,
and copying user accounts between directory
services does not centralize identities, which is a
core concept of identity federation. Disburdening
users from having to enter credentials for each app
they access is the purpose of single sign-on (SSO).
13. D. Single sign-on (SSO) relieves users from
having to enter credentials for every app they
access.
A, B, and C are incorrect. Exporting, importing,
and copying user accounts between directory
services does not centralize identities, which is a
core concept of identity federation. Identity
federation uses a central identity provider that is
trusted by third parties.
14. C and D. Multifactor authentication combines
two or more authentication categories such as
“something you know” (username, password) and
“something you have” (PIN from phone or a
smartcard).
A and B are incorrect. Username, password, and
server IP address all fall under the category of
“something you know.”
15. D. Cloud policies can apply default tags to a
subset of cloud resources, including within a region,
if none are specified upon resource creation.
A, B, and C are incorrect. While a template can
apply tags to cloud resources, policies are more
automated since nothing must be invoked;
templates must be invoked in some manner. A
custom application programming interface (API) is
a collection of programming functions, and while
an API could be used for tagging, it requires more
effort than configuring a cloud policy. Role-based
access control is not related to automated resource
tagging.

TWO-MINUTE DRILL
Risk Management
An organization that is planning to adopt cloud
computing can engage the professional services of
IT consulting firms to create a Request for
Proposal (RFP) aligning cloud services with
business needs.
The use of cloud services introduces business
dependencies on the CSP and ISP.
Risk assessments begin with identifying assets,
followed by assigning asset owners, asset labeling
and sorting by value, threat identification and
prioritization, security control efficacy review, and
security control modification or implementation.
Security controls require periodic reviews to ensure
they continue to be effective against constantly
evolving threats.
A risk register is a central list of organizational
assets and related threats, with a threat likelihood
rating value.
Risk acceptance means engaging in an activity and
acknowledging related risks while not mitigating
those risks.
Risk transfer shifts some or all risk to a third
party, such as an insurance provider.
Risk avoidance means not partaking in an activity
due to the unacceptably high level of associated
risk.
Risk mitigation involves implementing security
controls to reduce the impact of realized threats.

Assets and Threats


Standard operating procedures (SOPs) provide
guidance for the deployment and management of
cloud resources under normal circumstances.
Cloud policies can limit cloud technician
administrative capabilities.
Digital asset discovery can be automated or
conducted manually, including cloud resource
tagging.
Threats are related to assets; assets must be
identified before threats are identified.
A risk register is a centralized list of assets, related
threats, and threat likelihood rating values.

Threat Mitigation
Security controls are used to mitigate threats.
Standard operating procedures (SOPs) ensure the
consistent management of cloud resources.
Security policies define how an organization uses
IT solutions in a secure manner.
Access and control policies define which
permissions specific users, devices, or software
components should have to cloud resources.
Communications policies define how resources
are securely accessed over the network.
Department-specific policies define how a specific
business unit executes business processes and
uses technology securely.
Control objectives are requirements for securing
assets, such as “network connections must be
encrypted.”
Security controls reduce the likelihood of realized
threats, such as by using PKI certificates to secure
network connections over HTTPS.
Network security groups (NSGs) contain firewall
rule sets that allow or deny network traffic in the
cloud.
An incident response plan (IRP) specifies
immediate actions to be taken when a negative
incident occurs.
A disaster recovery plan (DRP) is more detailed
than an IRP and specifies how a business process,
IT system, or data is recovered in the event of a
disaster.
The recovery time objective (RTO) specifies the
maximum allowable downtime; the recovery point
objective (RPO) specifies the maximum tolerable
amount of data loss.
The mean time to repair (MTTR) specifies the
average amount of time it takes to recover a
service or component after a failure.
Security information and event management
(SIEM) tools provide a centralized way to collect,
analyze, correlate, and report on suspected
security incidents.
SIEM needs to be configured for the specific
environment in which it is running.

Security Testing and Auditing


Vulnerability scanning identifies weaknesses.
Penetration testing attempts to exploit discovered
weaknesses, after receiving permission.
Fuzzing submits random unanticipated data to an
application in order to observe the application’s
behavior and enhance application stability and
security.

SELF TEST
The following questions will help you measure your
understanding of the material presented in this chapter.
As indicated, some questions may have more than one
correct answer, so be sure to read all the answer choices
carefully.

Risk Management
1. What is the first step in a risk assessment?
A. Threat identification
B. Threat prioritization
C. Asset identification
D. Vulnerability scanning
2. Which type of risk treatment acknowledges the risk
associated with an activity and takes no corrective
action?
A. Acceptance
B. Transfer
C. Avoidance
D. Mitigation
3. Which type of risk treatment spreads the risk out
to a third party, such as a cloud service provider?
A. Acceptance
B. Transfer
C. Avoidance
D. Mitigation
4. Your company backs up on-premises files to the
cloud to ensure data availability. To which risk
treatment is this scenario most closely related?
A. Acceptance
B. Transfer
C. Avoidance
D. Mitigation

Assets and Threats


5. Which type of documentation provides guidance
for normal cloud management activities?
A. SLA
B. DRP
C. SOP
D. IRP
6. Which risk management activity must take place
before threats can be identified?
A. Vulnerability assessment
B. Penetration test
C. Risk register creation
D. Asset inventory
7. Which cloud activity adds metadata to cloud
resources, which can be helpful in organizing cloud
assets?
A. Logging
B. Tagging
C. Auditing
D. Vulnerability scanning

Threat Mitigation
8. You need to address security concerns related to
how your organization stores sensitive data.
Current data protection measures have been
deemed inadequate. What should you consult to list
current data protection controls?
A. Risk register
B. SIEM
C. SLA
D. Audit file
9. Which term is used to describe general security
requirements related to asset security?
A. Security control
B. Control objective
C. Risk register
D. SIEM
10. Which disaster recovery term refers to the average
amount of time required to recover a failed
component or service?
A. SLA
B. DRP
C. IRP
D. MTTR

Security Testing and Auditing


11. Users requiring cloud VM administrative access are
granted full global access to all types of cloud
resources. Which security term is the most closely
related to this scenario?
A. SIEM
B. Control objective
C. Vulnerability assessment
D. Principle of least privilege
12. Which term is used to describe securing an IT
solution by reducing the attack surface?
A. Penetration testing
B. Hardening
C. Vulnerability testing
D. Fuzzing
13. Which type of testing submits random unexpected
data to a web application?
A. Penetration
B. Fuzz
C. Vulnerability
D. Regression
14. Which type of testing only identifies security
weaknesses?
A. Penetration
B. Fuzz
C. Vulnerability
D. Regression
15. Which type of testing actively exploits discovered
weaknesses?
A. Penetration
B. Fuzz
C. Vulnerability
D. Regression

SELF TEST ANSWERS


Risk Management
1. C. Assets must be identified before identifying
threats or running vulnerability scans.
A, B, and D are incorrect. Threats relate to
assets; assets must be identified first. Vulnerability
scans should be conducted periodically after assets
and threats have been identified.
2. A. Risk acceptance acknowledges the risk
associated with an activity but takes no steps to
mitigate the risk, usually because the risk impact is
minimal.
B, C, and D are incorrect. Risk transfer
describes shifting some risk to an outside party
such as an insurance provider or a cloud service
provider. Risk avoidance means not partaking in an
activity due to the unacceptably high level of
associated risk. Risk mitigation involves applying
security controls to eliminate or reduce the impact
of realized threats.
3. B. Risk transfer shifts some risk to an outside
party such as an insurance provider or a cloud
service provider.
A, C, and D are incorrect. Risk acceptance
acknowledges the risk associated with an activity
but takes no steps to mitigate the risk, usually
because the risk impact is minimal. Risk avoidance
means not partaking in an activity due to the
unacceptably high level of associated risk. Risk
mitigation involves applying security controls to
eliminate or reduce the impact of realized threats.

4. D. Risk mitigation involves applying security
controls to eliminate or reduce the impact of
realized threats.
A, B, and C are incorrect. Risk acceptance
acknowledges the risk associated with an activity
while taking no steps to mitigate the risk, usually
because the risk impact is minimal. Risk transfer
describes shifting some risk to an outside party,
such as an insurance provider or a cloud service
provider. Risk avoidance means not partaking in an
activity due to the unacceptably high level of
associated risk. Risk mitigation involves applying
security controls to eliminate or reduce the impact
of realized threats.

Assets and Threats


5. C. Standard operating procedures (SOPs)
provide guidance on how to conduct an activity
under normal circumstances, such as deploying
cloud resources.
A, B, and D are incorrect. Service level
agreements (SLAs) are contracts between cloud
customers and cloud service providers that outline
guaranteed cloud service uptime as well as the
consequences if uptime is not met. Disaster
recovery plans (DRPs) provide details regarding
how to quickly recover a failed business process, IT
system, or data with as little disruption as possible.
Incident response plans (IRPs) specify immediate
actions to take when a negative incident occurs,
such as isolating the security breach and
communicating with the organization’s information
technology security officer about the incident.
6. D. Threats are related to assets. An asset
inventory must be compiled first.
A, B, and C are incorrect. Vulnerability
assessments identify weaknesses, and penetration
tests exploit discovered weaknesses; these are
methods of identifying threats, not precursors to
identifying threats. A risk register is a centralized
list of assets, threats, and controls and thus is
created after the asset inventory.
7. B. Tagging adds custom metadata to cloud
resources. This can be used to organize resources
for the purposes of securing assets.
A, C, and D are incorrect. Logging, auditing,
and vulnerability scanning do not add metadata to
cloud resources.

Threat Mitigation
8. A. A risk register is a centralized list of assets,
threats, and controls.
B, C, and D are incorrect. Security information
and event management (SIEM) tools provide a
centralized way to collect, analyze, correlate, and
report on suspected security incidents. A service
level agreement (SLA) is a contract between a cloud
service provider and customer defining cloud
service details such as expected uptime. While audit
files could be related to security controls, they do
not list data protection controls.
9. B. A control objective provides requirements
that must be satisfied by a security control to
safeguard an asset.
A, C, and D are incorrect. Security controls are
put in place to protect assets, such as the encryption
of cloud-stored data. A risk register is a centralized
list of assets, threats, and controls. Security
information and event management (SIEM) tools
provide a centralized way to collect, analyze,
correlate, and report on suspected security
incidents.
10. D. The mean time to repair (MTTR) is an
important availability metric that specifies the
average amount of time it takes to recover a service
or component after a failure.
A, B, and C are incorrect. Service level
agreements (SLAs) are contracts between cloud
customers and cloud service providers that outline
guaranteed cloud service uptime as well as the
consequences if uptime is not met. Disaster
recovery plans (DRPs) provide details regarding
how to quickly recover a failed business process, IT
system, or data with as little disruption as possible.
Incident response plans (IRPs) specify immediate
actions to take when a negative incident occurs,
such as isolating the security breach and
communicating with the organization’s information
technology security officer about the incident.

Security Testing and Auditing


11. D. The principle of least privilege states that
only the required permissions to perform a task
should be granted.
A, B, and C are incorrect. Security information
and event management (SIEM) tools provide a
centralized way to collect, analyze, correlate, and
report on suspected security incidents. A control
objective provides requirements that must be
satisfied by a security control to safeguard an asset.
Vulnerability assessments identify weaknesses but
do not attempt to exploit them as penetration tests
do.
12. B. Hardening refers to securing an asset, which
includes reducing the attack surface.
A, C, and D are incorrect. Vulnerability
assessments identify weaknesses but do not
attempt to exploit them as penetration tests do.
Fuzzing submits random unanticipated data to an
application in order to observe the application’s
behavior and enhance application stability and
security.
13. B. Fuzzing submits random unanticipated data
to an application in order to observe the
application’s behavior and enhance application
stability and security.
A, C, and D are incorrect. Vulnerability
assessments identify weaknesses but do not
attempt to exploit them as penetration tests do.
Regression testing ensures that one change has not
adversely affected other, unrelated areas of an
application.
14. C. Vulnerability assessments identify
weaknesses but do not attempt to exploit them as
penetration tests do.
A, B, and D are incorrect. Penetration tests
attempt to exploit discovered vulnerabilities.
Fuzzing submits random unanticipated data to an
application in order to observe the application’s
behavior and enhance application stability and
security. Regression testing ensures that one
change has not adversely affected other, unrelated
areas of an application.
15. A. Penetration tests attempt to exploit
discovered vulnerabilities.
B, C, and D are incorrect. Fuzzing submits
random unanticipated data to an application in
order to observe the application’s behavior and
enhance application stability and security.
Vulnerability assessments identify weaknesses but
do not attempt to exploit them as penetration tests
do. Regression testing ensures that one change has
not adversely affected other, unrelated areas of an
application.
