A look at Cloud Concepts and Models for CompTIA’s Cloud+
The CompTIA Cloud+ certification is an entry-level certification intended to authenticate the knowledge of IT administrators/practitioners working with cloud-based technologies. The ideal candidate will have two-to-three years’ experience and know a little bit about a lot of different topics. The exam (number CV0-001) consists of 100 questions that need to be answered in 90 minutes, and the passing score is 750 on a scale that ranges from 100 to 900.
This month, my focus will be on the first of the seven domains that make up the exam. It is appropriately titled Cloud Concepts and Models and it focuses heavily on definitions of topics that appear repeatedly in other domains. By itself, it makes up just 12 percent of the exam questions but if you don’t understand the subjects that appear here, the odds are strong that you will struggle with the other areas.
The domain is divided into four main topics: Compare and contrast cloud services; Compare and contrast cloud delivery models and services; Summarize cloud characteristics and terms; Explain object storage concepts. Each of these is examined in order below.
It is important to note that “(according to NIST)” appears with each service model listed in the objectives. Given that cloud computing is such a hot topic today and yet there is great disparity between what it means when one vendor or another mentions it, there is a need for standardization. CompTIA, rightfully so, has chosen to use the NIST (National Institute of Standards and Technology) definitions so it is only fitting to start with what their definition of cloud computing is.
They define it as “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Building from that, cloud providers market and sell everything “as a Service” and the type of service you subscribe to is always named for the highest level of technology that may be provided. For example, if computing and storage is the highest level, the client will purchase Infrastructure as a Service (IaaS) but if applications are involved, then it will be Software as a Service (SaaS). The three most common types of services offered by cloud providers are:
Infrastructure as a Service
If a company needs extra network capacity — including processing power, storage, and networking services like firewalls — but lacks the funds to buy more network hardware, it can purchase IaaS instead. Infrastructure as a Service works much like a utility in that the client pays for what they use. Of the three most popular implementations, IaaS requires the most network management expertise from the client since the client provides and manages the software.
IaaS is defined by NIST as providing capability to the consumer to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
Platform as a Service
The Platform as a Service (PaaS) adds a layer to IaaS that includes software development tools such as runtime environments. Because of this, it can be helpful for software developers since the vendor manages the various hardware platforms freeing up the developer to focus on building and scaling applications. The best PaaS solutions allow the client to export developed programs and run them in environments other than where they were developed. Examples of PaaS include Google App Engine, and Microsoft Azure.
PaaS is defined by NIST as providing capability to the consumer to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
Software as a Service (SaaS)
Of the three most common levels of service, Software as a Service (SaaS) is the highest. It handles the task of managing software and its deployment, and it includes the platform and infrastructure as well. This is the model used by Google Docs and Microsoft Office 365, among many others. The advantage of this model is to cut costs for software ownership and management; clients typically sign up for subscriptions to use the software and can renew as needed.
SaaS is defined by NIST as providing capability to the consumer to use the provider’s applications running on a cloud infrastructure.
In addition to the primary three, CompTIA wants you to know four others for the exam. The first three are defined by NIST in Special Publication 800-145. These other four are not as commonly implemented and often overlap one with another:
Communications as a Service (CaaS): provides things like Voice over IP (VoIP), instant messaging, and video collaboration
Data as a Service (DaaS): provides for multiple sources of data in a mash-up
Business Processes as a Service (BPaaS): used to provide business services such as payroll, IT help desk, or other services.
Anything/Everything as a Service (XaaS): a hybrid combination of everything else.
Accountability and Responsibility
The level of responsibility between the provider and the client is specified in the contract. It needs to be very clear which party has responsibility for specific elements should anything go wrong.
Cloud Delivery Models
Regardless of the service model selection, there are essentially four models for cloud delivery that can be chosen: private, public, community, and hybrid. If a company purchases virtualization software and sets up their own cloud, it is known as a private cloud and this essentially eliminates most of the features (such as scalability) that companies often turn to the cloud for but gives them the ability to control their own security.
The NIST definition of a private cloud is: “The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and may exist on or off premises.”
A public cloud is usually what most people think of when picturing cloud computing and it is one operated by a third-party. Traditionally, these clouds offer scalability, reliability, flexibility, geographical independence, and cost effectiveness. The client pays for what they use and as they need more of any one resource, they simply get charged (and pay) more.
The NIST definition of a public cloud is: “The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.”
When organizations with common interests combine to create a cloud, it is known as a community cloud. In essence, it can be thought of as a public cloud with better security. The clients on it know each other and – in theory – trust one another more than they would trust strangers on a public cloud. While the economies of scale and flexibility may not be as great as with a public cloud, the trade-off is better security.
The NIST definition of a community cloud is: “The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.”
The fourth model is a combination of public and private clouds into a hybrid cloud. As the name implies, this includes the best features of a public cloud while simultaneously allowing for the storage of more sensitive information on the private cloud and can be thought of as the best of both worlds.
The NIST definition of a hybrid cloud is: “The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).”
On or Off-Premise Hosting
Depending on the model deployed, the cloud system may reside on the premises of the cloud customer or be hosted by a third party. Different deployments come with tradeoffs in how customers have access to resources and costs of maintaining the datacenter. It is possible for a cloud provider to have access to large quantities of other parties’ resources and that can raise security concerns.
Accountability and Responsibility
Just as accountability and responsibility issues apply with the cloud service model, so too do they apply with the delivery models. The key issues are: visibility, security/privacy, and responsibility. Per NIST’s SP800-144, “The main issue centers on the risks associated with moving important applications or data from within the confines of the organization’s computing center to that of another organization (i.e., a public cloud), which is readily available for use by the general public.”
The main thing to acknowledge is that the responsibilities of both the organization and the cloud provider vary depending on the service model. Reducing costs and increasing efficiency are primary motivations for moving towards a public cloud, but relinquishing responsibility should never be. Ultimately, the organization itself is accountable for the choice of a cloud model and the security and privacy of the outsourced service.
Several security issues that vary between models are:
Multitenancy issues: workloads from different clients can be on the same system and a flaw in implementation could compromise security
Data segregation: VPN routing and forwarding can help mitigate these risks
Network isolation: efficiency can replace isolation
Laws and regulations: the consumer retains the ultimate responsibility for compliance
A service level agreement (SLA) will define terms related to functionality and performance validation based on the chosen delivery method. High availability and minimal downtimes are always desired and any model chosen needs to fit the business process for which it is being implemented.
Service orchestration, per SP500-292, is “the composition of system components that support the cloud provider’s activities in arrangement, coordination, and management of computing resources, in order to provide secure cloud services to cloud consumers.”
Cloud Characteristics and Terms
There are a number of reasons why businesses turn to cloud solutions and every one of these is expanded upon in later domains. For this section, though, it is important to know the terms:
Elasticity: this is the ability to scale up resources as needed. In most cases, clients can get more resources instantly without needing to purchase, install, and configure new hardware. Elasticity can also work backwards; if fewer resources are required, the client may be able to scale down and pay less without needing to sell hardware.
NIST lists rapid elasticity as one of the five essential characteristics of the cloud and defines it as: “Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.”
On-demand self serve/just in time service: With an on-demand model, users can access additional storage, processing, and capabilities automatically without requiring intervention from the service provider. The true key is that human interaction from the service provider should not be needed.
Pay-as-you-grow: subscriptions with built-in elasticity are referred to as pay-as-you-grow models. A key to them is that they should not require upfront costs; services are paid for as they are used.
Chargeback: almost everyone has had the misfortune of working for an organization where all expenses are unfairly charged to one account and chargeback is the exact opposite of that. It decentralizes IT costs and allocates them to those incurring them.
Ubiquitous access: This means that cloud capabilities are accessible over the network by different types of clients, such as workstations, laptops, and mobile phones, using common access software such as web browsers. It offers the ability for users to get the data they want, when they want, and how they want it and the same level of access should be given regardless of access location.
Metering/resource pooling: closely linked with virtualization, with resource pooling the provider’s resources are seen as one large pool that can be divided up among clients as needed. Typically, clients have no control or knowledge over the exact physical location of the provided resources but should be able to access additional resources as needed.
Typical pooled resources include network bandwidth, storage, processing power, and memory. Most cloud providers meter clients’ usage and then charge them for the services used (known as measured service). Resource usage is monitored by the provider and reported to the client in a transparent fashion.
Multitenancy: as was mentioned earlier, workloads from different clients can be on the same system and a flaw in implementation could compromise security. The “multi-tenant” nature of the cloud means that security incidents could originate with another customer at that cloud provider. Data needs to be protected from other cloud consumers AND from the cloud provider as well.
Cloud bursting: the premise behind cloud bursting is that when the demand becomes too great for a private cloud, some of the load can be shifted to a public cloud seamlessly.
Rapid deployment: this is one of the principal promises of cloud computing (along with scalability, cost savings, and empowerment). The deployment models are those already mentioned: public, private, community, and hybrid.
Automation: since the absence of human interaction on the part of the provider is so important, there are five key areas where automation comes into play: automated provisioning of computing and storage resources, automated deployment of related components, automated tools, automated reporting of problems and outages, and automated vulnerability monitoring tools.
Object Storage Concepts
The last topic beneath this domain is that of storage concepts. The key is to know the definitions only, since each of the topics is expounded upon further in other domains. The seven object storage terms/concepts to know are:
Object ID: an object ID exists as a unique identifier for every set of data and the metadata that make up an object.
Metadata: this is descriptions of the data and can be thought of as attributes or “data about data”.
Data/blob: a “Binary Large Object” is known as a “BLOb” or “BLOB” and is a collection of binary data stored as a single entity.
Extended metadata: just like metadata, these are descriptions of the data but often used for proprietary features. It is based on the entity being described – identity provider, service provider, etc.
Policies: these work much like metadata but are associated with security.
Replicas: the two primary purposes for using replicas are to increase availability and to decrease risk.
Access control: more commonly known as Identity and Access Control, this is one of the most important security components and should always be based on the functional requirement.
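As an added illustration (not from the article, CompTIA, or NIST), a small Python model that ties the object storage terms above to the multitenancy point made earlier: an object ID derived from the data plus its metadata, a policy enforced as access control between tenants, and a replica count tracked for availability. The class and method names, and the ID scheme, are my own constructions.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass
class StoredObject:
    blob: bytes      # the binary data itself (the "BLOB")
    metadata: dict   # data about the data, e.g. content type
    policy: dict     # security-related metadata: owner and permitted readers
    replicas: int    # copies currently held; more copies, higher availability


def object_id(blob: bytes, metadata: dict) -> str:
    # Constructed scheme: hash canonical metadata and data together so the ID is
    # unique to this exact data/metadata pair (real stores differ in detail).
    canonical = json.dumps(metadata, sort_keys=True).encode()
    return hashlib.sha256(canonical + b"\0" + blob).hexdigest()


class ObjectStore:
    """Toy multi-tenant object store: policies drive access, replicas drive availability."""

    def __init__(self, target_replicas: int = 2):
        self.target_replicas = target_replicas
        self._objects: dict[str, StoredObject] = {}

    def put(self, tenant: str, blob: bytes, metadata: dict, readers=()) -> str:
        oid = object_id(blob, metadata)
        policy = {"owner": tenant, "readers": set(readers) | {tenant}}
        self._objects[oid] = StoredObject(blob, metadata, policy, self.target_replicas)
        return oid

    def get(self, tenant: str, oid: str) -> bytes:
        obj = self._objects.get(oid)
        # Same failure for "missing" and "not yours": a co-tenant cannot use the
        # error to learn whether another tenant's object ID exists.
        if obj is None or tenant not in obj.policy["readers"]:
            raise PermissionError("object not accessible to this tenant")
        if obj.replicas == 0:
            raise RuntimeError("no replica available")
        return obj.blob

    def lose_replica(self, oid: str) -> int:
        obj = self._objects[oid]
        obj.replicas = max(0, obj.replicas - 1)   # simulate a failed copy
        return obj.replicas

    def repair(self, oid: str) -> int:
        obj = self._objects[oid]
        obj.replicas = self.target_replicas       # re-replicate to the target count
        return obj.replicas
```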
Summing it Up
There are seven domains on the CompTIA Cloud+ certification exam (CV0-001) and this month we walked through the topics covered by the first one. Next month, the focus will move to the second domain, Virtualization, and what you should know about it as you prepare to sit for the exam.