Part Three: Security in the Cloud

In this course, we take a look at company culture and how to make it focus on security. We look at how to close the gap between current state and desired state and how to build security in your environments. You'll also learn about security in the cloud before moving on to look at the various metrics available for assessing security in your workflows.


Learning Objectives

  • Learn how to create a security-aware culture in your organization
  • Understand how to close the gap between current state and desired state
  • Learn how to build security into your IT architecture
  • Learn about security in the Cloud in relation to PaaS, SaaS, and IaaS
  • Understand how to use metrics to measure the performance of our infrastructure

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way that allows the information to be absorbed by everyone, regardless of experience within the security field.

As we did with our on-premises systems, we have to assess our risk in the cloud environment in a contextually accurate manner. Using the previous matrix, we can develop a risk matrix associated with the service models, which run along the upper left-hand boundary of the grid from infrastructure-as-a-service at the bottom to software-as-a-service at the top.

Along the bottom of the grid, we show the deployment models, from left to right: private, community, hybrid, and finally public. The blocks change as we move up and to the right, and the upper right-hand corner shows that risk has increased dramatically by the time we move from the lower left (private infrastructure-as-a-service) to the upper right (public software-as-a-service).

Different kinds of tools have been developed to enable us to judge accurately where our risk lies. One comes from the Cloud Security Alliance itself, in the form of the Cloud Controls Matrix. Another comes from the Jericho Forum, in the form of a self-assessment scheme.

Referring back to NIST Special Publication 800-145 and the Cloud Security Alliance, both organizations recognize five essential characteristics that distinguish the cloud from on-premises computing: on-demand self-service, access over a broad high-speed network, pooled resources, on-demand elasticity, and measured service.

Simply defined, these permit the following. As requirements or demands change, the customer is able to service their own account for new capacities and capabilities. Accessibility over a high-speed network is the only way clouds work, so high-speed bandwidth is essential. Pooling of resources provides economies of scale that on-premises systems cannot match. Expansion or contraction of capabilities and capacities occurs as and when the customer requires it. And, reflecting those economies of scale, the customer pays only for what they consume rather than paying, for example, 100% of the carrying cost of a capability while consuming only 20% of it.

These key characteristics enable, in a sense, a do-it-yourself arrangement in which you, the customer, have more control over how your infrastructure is provisioned, how it operates, and how it supplies the needed capability. Similarly, by being able to adjust these capacities and capabilities yourself, you can account for their cost as operational expenses rather than accruing them as capital expenses.

One of the great benefits of cloud computing is its ability to change its capacity and capability on demand. Whether expansion or contraction is required, changes in these capacities and capabilities happen within minutes once the customer requests them. This compares very favorably with having to wait days, weeks, or even months for the same changes in a more traditional setting, with charges continuing to accrue during the waiting period.

The associated benefit is that when capacity changes, the charges change with it. When capacity is added, charges begin as soon as the added capacity is in place; when capacity is stopped or removed, the charges stop as well. As I said, this happens within minutes rather than days, weeks, or months.

In this graphic, we review the layers found in the cloud computing service models. At the lowest level, we have infrastructure-as-a-service. At this layer, with the attributes shown, the customer is operating what is in fact a virtual environment, as though running on its own platform in its own shop.

The cloud service provider supplies the platform onto which the customer loads the operating system environment and the end-user applications it would normally run on its own systems on its own premises. Platform-as-a-service has an infrastructure-as-a-service layer underneath it, which provides the ability to expand or contract as needed to support operations.

Platform-as-a-service was originally defined as a development environment in the cloud that facilitates cost-effective development and eases the porting of developed applications or modules to an operational environment running on the infrastructure-as-a-service layer.

Unlike the other two environments, a customer using software-as-a-service typically acts as an end-user consumer. A common example is the Microsoft product Office 365, which provides a Microsoft Office-like environment in the cloud. This too rests on an underlying infrastructure-as-a-service layer and will expand or contract as resource requirements dictate.

Here we have a more detailed description of what infrastructure-as-a-service includes. As if operating a computing complex in its own shop, the customer is able to rapidly provision services and other resources as required to support operations. These include all aspects of a data center, such as storage, hardware, servers, and all the relevant networking components.

The primary benefits include being able to provision, expand, or contract as conditions dictate, without waiting days, weeks, or months for new capacity to be turned on or off. This flexibility and scalability allows the enterprise to control its costs, as long as it has proper procedures in place to ensure that these traits are not abused or mishandled.

As mentioned, platform-as-a-service was originally intended to act as an on-demand development platform, replacing the classic isolated or standalone systems used strictly for development and never allowed to function as an additional resource for operational use.

The primary benefits of platform-as-a-service include the ability to configure and reconfigure it as frequently as development efforts require, something that in a traditional setting would be very costly and would produce substantial delays and cumbersome operations.

One key benefit of platform-as-a-service is that development efforts can now be carried out on a global basis, using the cloud platform as a collaboration environment that serves all needs at all times. In the software-as-a-service distributed model, the software being served behaves like a desktop application, of the kind we customarily see in the form of Microsoft Office.

Key benefits here include a much reduced maintenance requirement, since all users use the cloud-based version rather than an in-house installed one. Another benefit is that whenever anyone signs in to the cloud-based application, what they are using is frequently, if not always, the most current version, because the software provider maintains the software for all end users as part of its service arrangement with the customer.

An associated benefit of being a software-as-a-service user is that patching and upgrading efforts are offloaded from the customer to the service provider. So far, you have seen that there are three service models, four deployment models, and five characteristics that define cloud computing.

In the software-as-a-service area there are many variations, including security as a service, disaster recovery as a service, identity management as a service, data storage and analytics as a service, cloud access security brokers, information as a service, integration platform as a service, and forensics as a service.

It is important to bear in mind that while these offerings are all valid and their product names are accurate as their vendors use them, they are all called "as a service" simply to denote that they are offered in the cloud. The same NIST publication describes the service models and the deployment models, and treats these offerings as derivatives of software-as-a-service.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.