
Service(s) analysis

After moving to the cloud, you may want to measure some variables that show how the cloud vendor handles your service(s):

Connection speed: the speed at which you connect to the vendor's cloud.
Datastore delete time: how long it takes to delete the datastore.
Datastore read time: how long it takes to read data.
Deployment latency: the delay between when an application is posted and when it is ready to use.
Lag time: how slowly the system responds overall.
Cloud monitoring tools
Do not wait until minor issues turn into major ones that can come down on your business like a hammer!
Monitoring gives you an idea of how your service(s) perform on the cloud in terms of utilization, performance, application health, etc.
It may also give you insight when something goes wrong (e.g., when AWS went dark in 2021):
https://fortune.com/2021/10/12/amazon-web-services-aws-offline-error/
Cloud monitoring tools
Amazon CloudWatch
Microsoft cloud monitoring
AppDynamics (acquired by Cisco in 2017)
BMC TrueSight Pulse (multi-cloud operations, performance and cost management)
CA Unified Infrastructure Management (optimize all aspects of all cloud models)


Amazon CloudWatch
Pros:
Can be used to set high-resolution alarms and to visualize logs and metrics.
Helps improve applications by troubleshooting issues and automating responses.
Cons:
Dashboard customization needs further enhancement.
The dashboard is clunky.
Alerts and alarms are set manually.
https://docs.aws.amazon.com/en_pv/AmazonCloudWatch/latest/monitoring/cloudwatch_architecture.html
Amazon CloudWatch demonstration - Dashboards & Alarms
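Measuring the variables listed earlier (datastore read time, lag time) only pays off if something alarms on them. The Python below is an added example, not code from the slides or from AWS: it models how a CloudWatch-style alarm judges a metric. Raw per-minute datastore read latencies are reduced to one p99 datapoint per period, then evaluated with the "N out of M datapoints" rule and a missing-data treatment. The sample latencies, the 200 ms threshold and the class and function names are constructed for illustration.

```python
"""CloudWatch-style alarm evaluation over a latency metric, runnable offline."""
import math
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class AlarmSpec:
    """Alarm definition using the same knobs CloudWatch exposes (field names are ours)."""
    name: str
    threshold: float
    evaluation_periods: int         # M: how many recent periods are examined
    datapoints_to_alarm: int        # N: how many of those M must breach
    treat_missing: str = "missing"  # missing | notBreaching | breaching | ignore


def p99(samples_ms: Sequence[float]) -> float:
    """Nearest-rank 99th percentile of per-request latencies in milliseconds."""
    ordered = sorted(samples_ms)
    rank = max(1, math.ceil(0.99 * len(ordered)))
    return ordered[rank - 1]


def evaluate_alarm(spec: AlarmSpec, datapoints: Sequence[Optional[float]],
                   previous_state: str = "OK") -> str:
    """Return ALARM, OK or INSUFFICIENT_DATA for the last M datapoints.

    None marks a period in which the metric was not reported at all. ALARM when at
    least N of the M periods breach; OK when at least M-N+1 are known not to breach;
    otherwise there is not enough data (with treat_missing="ignore" the state is kept).
    """
    window = list(datapoints[-spec.evaluation_periods:])
    if spec.treat_missing == "notBreaching":
        flags = [v is not None and v > spec.threshold for v in window]
    elif spec.treat_missing == "breaching":
        flags = [v is None or v > spec.threshold for v in window]
    else:  # "missing" and "ignore" both evaluate only the periods that have data
        flags = [v > spec.threshold for v in window if v is not None]
    breaching = sum(flags)
    non_breaching = len(flags) - breaching
    if breaching >= spec.datapoints_to_alarm:
        return "ALARM"
    if non_breaching >= spec.evaluation_periods - spec.datapoints_to_alarm + 1:
        return "OK"
    return previous_state if spec.treat_missing == "ignore" else "INSUFFICIENT_DATA"


# Constructed sample: per-minute datastore read latencies (ms). None = no reads that minute.
READ_LATENCY_MS: List[Optional[List[float]]] = [
    [12, 15, 14, 18, 250],
    [11, 13, 12, 15, 16],
    [300, 12, 14, 320, 13],
    None,
    [14, 410, 15, 13, 12],
]

# Constructed alarm: p99 read latency above 200 ms in 3 of the last 5 minutes.
READ_P99_ALARM = AlarmSpec("datastore-read-p99", threshold=200.0,
                           evaluation_periods=5, datapoints_to_alarm=3)


def p99_series(latency_by_period):
    """Reduce raw per-period samples to the single datapoint per period an alarm consumes."""
    return [None if s is None else p99(s) for s in latency_by_period]


def alarm_state(latency_by_period, spec=READ_P99_ALARM, previous_state="OK"):
    return evaluate_alarm(spec, p99_series(latency_by_period), previous_state)


if __name__ == "__main__":
    print("p99 per minute:", p99_series(READ_LATENCY_MS))
    print(READ_P99_ALARM.name, "->", alarm_state(READ_LATENCY_MS))
```

The missing-data setting is the security-relevant knob: with `treat_missing="breaching"` a metric that stops arriving (an agent that died, log delivery that was disabled) raises the alarm, while `"notBreaching"` silently reports OK on the same gap. Pick the former for anything that an attacker could benefit from switching off.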
Best practices for moving to the cloud
Find the right vendor (map out a migration strategy)
Understand the contract (control the budget and predict business growth)
Get a service level agreement in place (monitor cloud usage)
Spread your services (multiple cloud vendors)
Data customization, security and reporting (cloud governance framework)
Move services as needed and automate where possible
Train staff early
Be creative!
Future of Cloud
Future of cloud – Business!
Multi-clouds (federated public clouds)
Industry-specific clouds
Greater competition between public cloud vendors
The growth of application platforms (more cloud services!)
Open source acquisitions (e.g., IBM & Red Hat)
From the customer's side:
Continued cost reduction
More tools, more data control, more insights!
https://blogs-images.forbes.com/louiscolumbus/files/2018/01/Cloud-Workloads.png
Future of cloud – Technology!
• Serverless computing: focus on code while reducing or eliminating the operational concerns of managing compute, network, and storage resources. Amazon's CTO has called serverless computing the "next generation of how we build our systems."
• Edge computing: the Internet of Things together with cloud computing, moving from centralized to distributed data processing.
• MLaaS-based products: Machine Learning as a Service, driven by the growth of artificial intelligence and data mining applications.
• Hybrid clouds: the hybrid cloud is projected to amount to a $100bn industry by 2023.
• Quantum computing: cloud vendors are beginning to offer access to quantum processors as cloud services, extending the processing power reachable through cloud-based tools.
Future of cloud – Technology!
• Automation: reduce human error and ensure security capabilities are applied consistently when migrating to or using the cloud (e.g., Netflix)
• Security: enhanced security frameworks that balance responsibility between customers and cloud vendors to prevent cyber attacks.
• Virtual reality and augmented reality
• 5G & cloud computing?
References
• https://pages.awscloud.com/rs/112-TZM-766/images/Building-Your-Hybrid-Cloud-Strategy-eBook.pdf
• https://phoenixnap.com/blog/cloud-monitoring-tools
• https://www.softwaretestinghelp.com/cloud-monitoring-tools/
• https://aws.amazon.com/cloudwatch/pricing/
• https://www.forbes.com/sites/bernardmarr/2021/10/25/the-5-biggest-cloud-computing-trends-in-2022/?sh=45f53c3e2267
• https://www.zdnet.com/article/single-vendor-approach-to-cloud-computing-is-dead-says-ibm/
Before you start!
Cloud planning.
Business requirements and goals.
Service-level agreements (SLA) (availability, performance, etc.).
Cloud services (IaaS, SaaS, PaaS).
Cloud delivery models (private, public, hybrid).
Estimated budget.
Politics, regulations, standards, and stakeholders.
DO NOT REINVENT THE WHEEL!
Step 1 - Establishing a Private Cloud
Hardware for a private cloud
Networking services
Application stacks
Hardware for a private cloud
Server and network equipment
Data center with adequate space
Cable types, management and organization (e.g., fiber optic solution)
Internet speed (minimum 3 Mbps for a solution, or even more!)
Only one ISP is not enough!
Environmental issues: power, cooling, fire prevention, physical security
Redundancy to prevent single points of failure: disaster recovery, backups, data replication, redundant components (routers and switches)
Network services
Network devices such as routers, switches, network cabling.
Network architecture (e.g., mesh network)
Network IP configuration
Network and security protocols
Application stacks
Cloud management services:
• Virtual machines
• Network storage services
• Cloud management services (clustering groups of services, service catalog and access control lists)
• Tracking usage information for accounting and billing
• Cloud management platform (https://www.redhat.com/en/blog/tag/cloud-management)
Management policies:
• Privileges and limits on the number, types and duration of VMs for each project
• Access control policies for VM and storage allocations
• Backup services
• SLA limitations and cost
• Data retention and destruction policies
Management reporting:
• Server and storage utilization (CPU, memory, storage, jobs)
• Network bandwidth and latency
• Security incident reports (https://www.trendmicro.com/en_ca/business/products/hybrid-cloud/cloud-security.html)
• Service report tickets and service catalog summary description
OpenStack
Application stacks
Step 2 - Migrating Compute & Storage services to a private/public cloud
Cost analysis
• Hardware budget (e.g., servers).
• Software licensing fees, support, and administration: database engines (e.g., Oracle and MS SQL) may not be cheap in a cloud, and pricing depends on the cloud vendor (e.g., Amazon, Microsoft).
• Service-level agreement (SLA): e.g., service availability and capacity.
• Data governance and management: data encryption, retention and redundancy.
• Hidden costs: in a Forbes survey published in 2013, 79% of 468 CIOs said they think a lot about potential hidden costs and what they may mean for the business.
Step 3 - Post-Implementation Checklist
Step 4 - Managing Cloud Services
Service management integration with the cloud
Usage tracking and accounting services
Capacity planning
Configuration management plan: automation is highly recommended! (https://www.ansible.com/use-cases/configuration-management)
Service management integration with the cloud
One of the best practices is to follow the IT Infrastructure Library (ITIL), https://www.axelos.com/best-practice-solutions/itil/what-is-itil
Four main services need attention:
Service catalog management: business services (e.g., customer services) and support services (e.g., ticketing services)
Service level agreement: a contract to ensure a minimum level of service is maintained.
Availability management: the process of ensuring compute and storage resources are available as needed to meet SLAs.
Service validation and release management: procedures for testing and deploying new services to the cloud.
Usage tracking and accounting services
• Collect and maintain detailed information about use; for example, at the user and image level
• Allow user-, project-, or department-level charging
• Feed data directly into financial reporting systems.
• Best practice: https://icclab.github.io/cyclops/
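The management policies listed under Application stacks (limits on VM number, types and duration per project; access control on allocations) and the usage tracking described here are two sides of one ledger: the same record that admits or rejects a VM request is what you later charge back by user, project or department. The Python below is an added example, not from the slides or from any cloud management platform: a per-project quota check that denies by default, followed by chargeback at three levels. The quotas, flavors, prices and requests are constructed.

```python
"""Quota enforcement and chargeback for a private-cloud VM ledger (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed hourly prices per VM flavor.
FLAVOR_PRICE_PER_HOUR = {"small": 0.05, "medium": 0.10, "large": 0.40}


@dataclass(frozen=True)
class ProjectQuota:
    """Per-project limits on how many VMs, of which types, and for how long."""
    max_vms: int
    allowed_flavors: FrozenSet[str]
    max_hours: int


@dataclass(frozen=True)
class VmLease:
    vm_id: str
    user: str
    project: str
    department: str
    flavor: str
    hours: int


class CloudLedger:
    """Admits VM requests against project quotas and records them for billing."""

    def __init__(self, quotas: Dict[str, ProjectQuota]):
        self.quotas = quotas
        self.active: Dict[str, List[VmLease]] = defaultdict(list)

    def request(self, lease: VmLease) -> Tuple[bool, str]:
        """Return (accepted, reason). Projects without a quota are denied by default."""
        quota = self.quotas.get(lease.project)
        if quota is None:
            return False, f"no quota defined for project {lease.project} (default deny)"
        if lease.flavor not in quota.allowed_flavors:
            return False, f"flavor {lease.flavor} not permitted for project {lease.project}"
        if lease.hours > quota.max_hours:
            return False, f"lease of {lease.hours}h exceeds the {quota.max_hours}h limit"
        if len(self.active[lease.project]) >= quota.max_vms:
            return False, f"project {lease.project} already has {quota.max_vms} VMs"
        self.active[lease.project].append(lease)
        return True, "accepted"

    def charges(self, level: str = "project") -> Dict[str, float]:
        """Aggregate VM-hour cost by 'user', 'project' or 'department'."""
        if level not in ("user", "project", "department"):
            raise ValueError(f"unsupported charging level: {level}")
        totals: Dict[str, float] = defaultdict(float)
        for leases in self.active.values():
            for lease in leases:
                totals[getattr(lease, level)] += lease.hours * FLAVOR_PRICE_PER_HOUR[lease.flavor]
        return {key: round(value, 2) for key, value in totals.items()}


# Constructed quotas and requests.
QUOTAS = {
    "web": ProjectQuota(max_vms=2, allowed_flavors=frozenset({"small", "medium"}), max_hours=72),
    "data": ProjectQuota(max_vms=5, allowed_flavors=frozenset({"medium", "large"}), max_hours=24),
}
REQUESTS = [
    VmLease("vm-1", "alice", "web", "marketing", "small", 48),
    VmLease("vm-2", "alice", "web", "marketing", "large", 48),   # flavor not allowed for web
    VmLease("vm-3", "bob", "web", "marketing", "medium", 100),   # lease longer than 72h
    VmLease("vm-4", "bob", "web", "marketing", "medium", 24),
    VmLease("vm-5", "carol", "web", "marketing", "small", 1),    # web already at 2 VMs
    VmLease("vm-6", "dave", "data", "research", "large", 24),
    VmLease("vm-7", "erin", "shadow", "research", "small", 1),   # project has no quota
]


def run_requests(ledger: CloudLedger, requests: List[VmLease]) -> Dict[str, bool]:
    """Submit each request in order; return vm_id -> accepted."""
    return {req.vm_id: ledger.request(req)[0] for req in requests}


if __name__ == "__main__":
    ledger = CloudLedger(QUOTAS)
    print(run_requests(ledger, REQUESTS))
    for level in ("user", "project", "department"):
        print(level, ledger.charges(level))
```

Two design points worth copying: an unknown project is rejected rather than given an implicit quota (the "shadow" request), and the lease duration is capped, which is what actually stops forgotten VMs from accumulating cost and attack surface.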


Capacity planning
Determine the working load on different resources such as CPU and memory.
Analyze the current statistics, predict future demand, and produce the necessary reports.
Ask how many physical servers will be needed to support all SLAs, rather than how many are needed to support each department.
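The slide's question can be turned into arithmetic. The Python below is an added example, not from the slides: it sizes hosts per SLA tier, using a utilization ceiling per tier as a stand-in for the headroom each SLA demands, checks both CPU and memory, adds a spare host per pool (N+1), and projects the count forward by a quarterly growth rate. It also sizes the same workloads per department so the two answers can be compared. Server size, workloads, ceilings and growth rate are constructed.

```python
"""Capacity planning: physical servers per SLA tier, projected by quarter (constructed example)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class ServerSpec:
    vcpus: int
    memory_gb: int


@dataclass(frozen=True)
class Workload:
    name: str
    department: str
    sla_tier: str
    peak_vcpus: float
    peak_memory_gb: float


# Constructed: the stricter the SLA tier, the more headroom each host must keep free.
UTILIZATION_CEILING = {"gold": 0.60, "silver": 0.75, "bronze": 0.85}


def servers_for_pool(workloads: Sequence[Workload], server: ServerSpec,
                     ceiling: float, growth_factor: float = 1.0, spare: int = 1) -> int:
    """Hosts for one pool: neither CPU nor memory may exceed the ceiling, plus spare hosts (N+spare)."""
    cpu = sum(w.peak_vcpus for w in workloads) * growth_factor
    mem = sum(w.peak_memory_gb for w in workloads) * growth_factor
    by_cpu = math.ceil(cpu / (server.vcpus * ceiling))
    by_mem = math.ceil(mem / (server.memory_gb * ceiling))
    return max(by_cpu, by_mem) + spare


def plan_by_sla(workloads, server, quarterly_growth, quarters, spare=1) -> List[int]:
    """Total hosts per quarter (index 0 = now) when pools are formed per SLA tier."""
    plan = []
    for q in range(quarters + 1):
        factor = (1 + quarterly_growth) ** q
        total = 0
        for tier, ceiling in UTILIZATION_CEILING.items():
            pool = [w for w in workloads if w.sla_tier == tier]
            if pool:
                total += servers_for_pool(pool, server, ceiling, factor, spare)
        plan.append(total)
    return plan


def plan_by_department(workloads, server, spare=1) -> Dict[str, int]:
    """Hosts today if each department gets its own pools (one per SLA tier it uses)."""
    result: Dict[str, int] = {}
    for dept in sorted({w.department for w in workloads}):
        total = 0
        for tier, ceiling in UTILIZATION_CEILING.items():
            pool = [w for w in workloads if w.department == dept and w.sla_tier == tier]
            if pool:
                total += servers_for_pool(pool, server, ceiling, 1.0, spare)
        result[dept] = total
    return result


# Constructed inventory: one host model, four workloads across three departments.
SERVER = ServerSpec(vcpus=64, memory_gb=512)
WORKLOADS = [
    Workload("erp", "finance", "gold", 40, 300),
    Workload("payments", "finance", "gold", 30, 200),
    Workload("intranet", "hr", "silver", 20, 100),
    Workload("ci-runners", "engineering", "silver", 60, 120),
]

if __name__ == "__main__":
    print("by SLA tier, next 4 quarters at 15% growth:", plan_by_sla(WORKLOADS, SERVER, 0.15, 4))
    by_dept = plan_by_department(WORKLOADS, SERVER)
    print("by department today:", by_dept, "total", sum(by_dept.values()))
```

With these inputs the SLA-based pools need 6 hosts today against 8 for department-based pools: every extra pool pays for its own spare host, which is the cost the slide is warning about.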
Case study – AWS Outposts
Run AWS Infrastructure On-premises for a Consistent Hybrid Cloud Experience.
AWS Outposts come in two varieties:
1) VMware Cloud on AWS Outposts allows you to use the same VMware control plane and APIs you use to run your infrastructure.
2) The AWS native variant of AWS Outposts allows you to use the exact same APIs and control plane you use in the AWS Cloud, but on premises.
AWS Outposts
References
• https://www.openstack.org/
• https://www.realtimepublishers.com/chapters/1749/dgcc-10.pdf
• https://pages.awscloud.com/rs/112-TZM-766/images/Building-Your-Hybrid-Cloud-Strategy-eBook.pdf
• https://aws.amazon.com/outposts/
• https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/integration-with-aws-cloudformation-and-openstack-heat/chapter-4-cloudformation-provisioning-via-services
• https://www.ansible.com/use-cases/configuration-management
Security IV – Policy Document
Overview (Solutions Spotlight)
Adapted from Microsoft, © 2020 Microsoft Corporation.
Goals
• Today we will continue looking at a very thoroughly put-together document from Microsoft
• Part 2 of 2
• Intended for the enterprise Cloud Architects that make use of their Azure Platform
• Give you more insight into Azure
• Take a systematic approach to security for on-premises and in the cloud
• While Microsoft is committed to the privacy and security of your data and applications in the cloud, customers must take an active role in the security partnership. Ever-evolving cybersecurity threats increase the requirements for security rigor and principles at all layers for both on-premises and cloud assets. Enterprise organizations are better able to manage and address concerns about security in the cloud when they take a systematic approach. Moving workloads to the cloud shifts many security responsibilities and costs to Microsoft, freeing your security resources to focus on the critically important areas of data, identity, strategy, and governance.
Useful links
• https://globalsign.ssllabs.com/
• https://owasp.org/www-project-top-ten/
• https://www.microsoft.com/en-us/securityengineering/sdl/practices
• https://docs.microsoft.com/en-us/azure/service-fabric/
https://aka.ms/MCRA (Microsoft Cybersecurity Reference Architecture diagram; panels visible on the slide: Video Recording Strategies, Office 365, Azure Sentinel – Cloud Native SIEM and SOAR (Preview), Securing Privileged Access, Dynamics 365, Office 365 Security, Rapid Cyberattacks (Wannacrypt/Petya), Data Loss Protection, Data Governance, eDiscovery, SQL Encryption & Data Masking, +Monitor)
Security III – Policy Document
Overview (Solutions Spotlight)
Adapted from Microsoft, © 2017 Microsoft Corporation.
Goals
• Today we will be looking at a very thoroughly put-together document from Microsoft
• Part 1 of 2
• Intended for the enterprise Cloud Architects that make use of their Azure Platform
• Give you more insight into Azure
Responsibilities
NOTE: Responsibilities can be renegotiated, if required.
Keys to success
Enterprise organizations benefit from taking a methodical approach to cloud security. This involves investing in core capabilities within the organization that lead to secure environments.
Governance & Security Policy
• Microsoft recommends developing policies for how to evaluate, adopt, and use cloud services to minimize creation of inconsistencies and vulnerabilities that attackers can exploit. Ensure governance and security policies are updated for cloud services and implemented across the organization:
• Identity policies
• Data policies
• Compliance policies and documentation
Administrative Privilege Management
• Your IT administrators have control over the cloud services and identity management services. Consistent access control policies are a dependency for cloud security. Privileged accounts, credentials, and workstations where the accounts are used must be protected and monitored.
Identity Systems and Identity Management
• Identity services provide the foundation of security systems. Most enterprise organizations use existing identities for cloud services, and these identity systems need to be secured at or above the level of cloud services.
Threat Awareness
• Organizations face a variety of security threats with varying motivations. Evaluate the threats that apply to your organization and put them into context by leveraging resources like threat intelligence and Information Sharing and Analysis Centers (ISACs).
• https://www.it-isac.org/
Data Protection
• You own your data and control how it should be used, shared, updated, and published. You should classify your sensitive data and ensure it is protected and monitored with appropriate access control policies wherever it is stored and while it is in transit.
• Many international, industry, and regional organizations independently certify that Microsoft cloud services and platforms meet rigorous security standards and are trusted. By providing customers with compliant, independently verified cloud services, Microsoft also makes it easier for you to achieve compliance for your infrastructure and applications.
• This section summarizes the top certifications. For a complete list of security certifications and more information, see the Microsoft Trust Center.
• Full Compliance: https://www.microsoft.com/en-us/TrustCenter/Compliance/default.aspx
ISO 27001 - helps organizations keep information assets secure
ISO 27017 - Code of practice for information security controls (cloud-focused)
ISO 27018 - Control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information
SOC - service organization's internal controls for security, availability, processing integrity, confidentiality or privacy
CSA STAR - Cloud Security Alliance Security, Trust & Assurance Registry: an independent third-party assessment of a cloud service provider's security
HIPAA / HITECH - Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act
PCI DSS - Payment Card Industry Data Security Standard, an information security standard for organizations that handle branded credit cards from the major card brands
FERPA - Family Educational Rights and Privacy Act
CDSA - Content Delivery & Security Association (https://www.microsoft.com/en-us/trustcenter/Compliance/CDSA)
• These are extremely helpful for you if you intend to deal in different geographical regions
• If I had to summarize Cloud Security in one concept, it would be "GDPR"
• General Data Protection Regulation
• EU-centric
• Can be applied anywhere
• Deals with how end user data is stored, handled and processed, as well as internal business processes that come in contact with personal data
• Came into effect May 25th, 2018
• Microsoft's in-house testing methodologies on "Assume Breach" tactics
• Allows them to test live environments for maximum security
• https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf
Security in a Cloud Enabled
World
INFO-5112
From the previous slides…
• You should have a fundamental understanding of the basic security principles covered in the previous slides
• We are still in the building blocks of the fundamentals of the course
Security in the cloud is a joint effort
• CSPs (Cloud Service Providers) build clouds not only on a technical level, but on a level of trust and security
• They have your data:
• HR
• Financial
• Private and confidential
• They have to build trust by providing a reliable and secure infrastructure and environment
Your role in security
• You own the data
• The responsibility to protect your data, at the end of the day, is your own
• Even if the CSP says that it does, and things go south, you will still share the blame
• The responsibility to protect yourself from noisy neighbors and threat vectors is on you
• Don't trust the vendor to do everything
• Don't rely on vendor security measures as your end-all-be-all
• Don't discount your on-prem infrastructure
Why is securing on-prem important in a cloud environment
• Your on-prem infrastructure has direct links to the cloud
• It is sometimes forgotten and forlorn, as your new cloud-child takes more time than you have left to address your on-prem resources
• Ignoring the on-prem infrastructure happens with companies with weak policies
• Poorly defined plans
• Or a haphazard effort of cloud migration
• Addressing internal threats might require additional personnel
• Hiring security experts or independent auditors
Common "pillars of trust"
• Cloud providers and customers typically look for the following categories of "principles"
• They act as the "defining pillars of trust" for many CSPs
• They are directly tied to SLAs
• A non-exhaustive, but generally well-utilized list:
• Security
• Privacy
• Control
• Compliance
• Transparency
Pillar: Security
• This is usually defined as the ability to safeguard data and access, and to protect against both internal and external threats
• Built on technologies and policies, such as:
• Encryption
• Data retention standards
• Internal policies
• Antivirus
• Identity management
• Access management
• Logging (monitoring traffic, access, health status, etc.)
Pillar: Privacy
• To ensure that your data is only used for the purposes defined in policies
• To prevent unauthorized use of and access to data
Pillar: Control
• To control the exchange of data
• Flow of data
• Retention of data (from a functionality level)
• Authorization and auditing
Pillar: Compliance
• To ensure compliance with industry standards (further reinforcing trust through audits)
• Broadly applicable standards include:
• ISO 27001: policies and procedures that include all legal, physical and technical controls involved in an organization's information risk management processes
• ISO 27017: gives guidelines for information security controls applicable to the provision and use of cloud services
• ISO 27018: establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information
• SOC 1/2/3: internal controls for security, availability, processing integrity, confidentiality or privacy
• CSA STAR: a rigorous third-party independent assessment of the security of a cloud service provider
Pillar: Transparency
• Considered by many to be the most important pillar
• The provider should be honest, open and accountable about their internal practices
• Describe data safeguards, security measures, and policies on data, security and access
• You need to know how you are protected
• Where the data is stored
• Who has access
• Availability and awareness
• Uptime
Learning
• https://mva.microsoft.com/en-us/training-courses/security-in-a-cloudenabled-world-12725?l=CfLHobAcB_3904300474
• See the above Microsoft page on Security
Varying security standards: SaaS
• CSP responsibilities:
• Secure infrastructure
• Secure OS
• Application layer
• Data secured between CSP and customer
• Customer responsibilities:
• Control data
• Control access
Varying security standards: PaaS
• CSP responsibilities:
• Secure infrastructure
• Secure OS
• Application layer
• Data secured between CSP and customer
• Customer responsibilities:
• Control data
• Control access
• Control all code and development environment settings
Varying security standards: IaaS
• CSP responsibilities:
• Secure infrastructure
• Customer responsibilities:
• Control OS/virtualized infrastructure
• Control data
• Control access
A typical model
Introduction to Encryption in Office 365
Published March 1, 2018

EXECUTIVE SUMMARY
• Encryption can help with data security and data privacy by providing an added layer of defense in depth to protect customer data, but keep in mind that SaaS features require the ability to reason, or compute, against the customer's data.
• Microsoft uses some of the strongest encryption protocols in the industry to provide a barrier against unauthorized access to customer data.
• With Office 365, customer data is encrypted both in transit and at rest by default with no additional licenses or action.
• Native encryption features offered in Office 365 can be added for increased protection.
• Office 365 offers flexible encryption key management options to further help organizations meet their compliance needs as they move to the cloud.
• There are a variety of risks that can be reduced by encryption for Office 365, but good data protection strategies include other capabilities that can be used with encryption.
Table of Contents
0. Introduction
1. Why use encryption
   How encryption works
   Why use encryption
   Key Principle of SaaS Encryption
2. Encryption for Office 365
   Your Office 365 data encrypted by default
   Additional encryption options
3. Encryption Key Options for Office 365
   Cloud First Customers – Microsoft Managed Keys
   Compliance Focused Customers – Customer Managed Keys (in Azure Key Vault)
   Compliance First Customers – Customer Managed Keys (On-Premises/Hybrid)
5. Risks reduced by Encryption for Office 365
6. Other data protection capabilities in Office 365
7. Resources
0. Introduction
The era of digital transformation is here. Business leaders are busy rethinking how they can use technology to drive new customer value and revenue. Driven by a sense of urgency to digitally transform the workplace, organizations of all sizes, across all industries, feel the pressure to embrace digital change. However, change is hard.

As data grows exponentially, managing the risks and complexity of data is challenging: not only must organizations protect their data from growing threats, but they must also maintain compliance with various regulatory, industry and internal requirements related to data security and data privacy.

Encryption is widely considered to be one method that can be used as part of a broader data protection strategy. When customers use Microsoft's enterprise cloud service, their data is protected by a variety of technologies and processes, and various forms of encryption.

When organizations use Office 365, they can expect customer data to be encrypted both in transit and at rest by default. Additional encryption capabilities can be added for increased protection. And for customers who have data security or privacy requirements that are driven by compliance, Office 365 offers flexible encryption key management options to further help organizations meet their compliance needs as they move to the cloud.

To help customers that are beginning their journey on encryption, in this document you will find a high-level view of the encryption capabilities offered in Office 365, and what concerns and risks to customer data each capability may help mitigate. It is not meant to be comprehensive, but it will introduce what encryption can do to protect and control data. For a deeper view on how the encryption capabilities are implemented and managed, we recommend the additional reading material at the end of the document under Resources.

This document and the information in it reflect what we offer as of the date it was published.

1. WHY USE ENCRYPTION

How encryption works
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. It protects against data theft or failures in physical security, as well as against eavesdropping on data in transit.

Most encryption methods use one or more keys. Those keys are what unlock the ability for an authorized party to read the data that has been made unintelligible. Keys can be used to encrypt data, decrypt data, or both. When a key is the means of decrypting data, the ability to use that key means that you are an authorized party: you can read the data.

Why use encryption
There are several benefits to using encryption as one component of your broader data protection strategy. Encryption can help with data security and data privacy by providing an added layer of defense in depth to protect customer data. Encrypting information renders it unreadable to unauthorized persons, even if they break through firewalls, infiltrate a network, get physical access to devices, or bypass the permissions on a local machine. Encryption can help protect against data theft or failures in physical security, as well as against eavesdropping on data in transit. For example, if a malicious attacker got hold of encrypted data and is not authorized to use the key that can decrypt the data, the data would be useless to them. Encryption is also commonly brought into compliance discussions, as it can help meet regulations or internal requirements that look to control or protect the confidentiality of certain data.

For example, the financial services industry is subject to some of the most stringent and complex regulations, stemming from lessons learned from financial failures over the past 10 years. The industry is regulated for anti-money laundering, fraud protection, customer data protection, and much more, with regulations such as MiFID, SEPA, ISAE 3402, and industry standards like PCI DSS.

Key Principle of SaaS Encryption


As you learn about the different encryption capabilities, it’s important to understand a key principle
regarding SaaS and the use of encryption today. SaaS features require the ability to reason, or compute,
against the customer’s data. A very simple example of this is a rule in a cloud email service that instructs
the service to send a copy of any email containing the keyword “legal” to a mailbox for legal hold reasons.
Clearly, if the body of the email is encrypted and the email service cannot use the encryption key to
decrypt the contents, it cannot perform this simple computation. It’s crucial to point out that SaaS is, by
nature, a software application, and software applications provide computational features. So, using
encryption with the intent of making the data unreadable by the cloud service blocks the innovative
features that are presumably the purpose of purchasing SaaS.

2. ENCRYPTION FOR OFFICE 365


Customer data within Microsoft’s enterprise cloud service is protected by a variety of technologies and
processes, including various forms of encryption. Microsoft uses some of the strongest encryption
protocols in the industry to provide a barrier against unauthorized access to customer data. Proper key
management is an essential element in encryption best practices, and Microsoft helps ensure that
encryption keys are properly secured.

Office 365 provides multiple encryption capabilities that protect customer data without impacting the
value-added services that many customers come to the cloud for. Read further to learn about the
encryption offerings provided in Office 365.

Your Office 365 data encrypted by default


Customers can feel confident that their Office 365 data is encrypted both at rest and in transit by default.

For data in transit, Office 365 uses industry standard secure transport protocols, such as Transport Layer
Security (TLS), between our customers’ clients/devices and Microsoft datacenters. All customer-facing servers
negotiate TLS by default with client machines to secure the customer data.

For data at rest, Office 365 uses various technologies. Office 365 servers use BitLocker to encrypt the disk
drives containing customer data at rest at the volume level. In addition to volume-level encryption, Office
365 uses service encryption to encrypt at the application level. Service encryption provides a more granular
layer of encryption for mailboxes and files in Office 365.

Additional customer-managed encryption options


Additional customer-managed encryption options are available to provide a granular layer of protection at
the content level.

Office 365 Message Encryption

For emails, Office 365 Message Encryption is an easy-to-set-up email service that allows you to send
encrypted and rights-protected mail to anyone. Admins can apply automatic policies through transport
rules that encrypt mail if it matches certain criteria. Users can also easily apply protection through
Outlook (web, desktop) and share protected messages sent inside or outside the organization. Office 365
Message Encryption leverages the protection feature in Azure Information Protection without additional
licenses outside of the core Office 365 E3 or E5 offering.

Azure Information Protection for Office 365

The protection feature in Azure Information Protection uses encryption, identity, and authorization
policies that stay with the protected document and email to help you stay in control of your data, even
when it is shared with other people. Customers can also use Azure Information Protection to help classify
and label documents and emails to further manage and control data – the labels can be used to classify
and apply protection, and once content is classified you can track and control how it is used. More information on
this can be found here.

3. ENCRYPTION KEY OPTIONS FOR OFFICE 365


Meeting compliance obligations is important to any organization. Some customers have
compliance requirements that call out certain key arrangements with their cloud service provider. For
these customers we provide several encryption key management options to meet their business needs.

Cloud First Customers – Microsoft Managed Keys


Microsoft managed keys are when the tenant private key(s) are stored and managed by the service
(Microsoft). For cloud-first customers that do not have stringent compliance needs, Microsoft
managed keys are the ideal option.

With Microsoft Managed Keys the Microsoft service manages the encryption keys and takes the burden of
provisioning and managing the keys on behalf of the customer.

Compliance Focused Customers – Customer Managed Keys (in Azure Key Vault)

For some customers, Microsoft Managed Keys may not meet their compliance obligations. Certain
compliance requirements may be driving overall security needs – such as where the keys can go, how the
keys are managed and who can operate on the keys. For example, in some regions customers have
regulatory obligations that state they need to have certain key arrangements with their cloud service
provider. Even more common, certain large organizations have HSM software, hardware and other
processes in place to manage their keys – therefore they may be looking to extend this into the cloud. For
these customers, customer managed keys are offered in Office 365.

Customer Managed keys are when the customer imports or generates keys in the Hardware Security
Module (HSM) in Azure Key Vault – and manages and controls the keys from Azure Key Vault. The
customers’ root keys never leave the HSM boundary.

Office 365 provides customers the option to provide and control their keys in Azure Key Vault, for their
Office 365 data at rest with Customer Key, and for their Office 365 data in transit with Bring Your Own
Key in Azure Information Protection.

With these customer managed key options in Office 365, organizations continue to receive a seamless
experience in Office 365, and the value-added services such as anti-spam/malware, data loss prevention,
eDiscovery, archiving etc., continue to work.

Customer Key in Office 365

Customer Key helps organizations meet compliance requirements that specify key arrangements with the
cloud service provider. With Customer Key, organizations can provide and control their encryption keys for
their Office 365 data at rest at the application level. As a result, customers may exercise their control and
revoke their keys, should they decide to exit the service. By revoking the keys, the data becomes unreadable
to the service, which puts the customer on the path towards data deletion. Lastly, managing and protecting
keys is crucial but can be difficult. Customer Key includes an availability key to protect against data loss.
The availability key is a root key that is provisioned and protected by Microsoft and is functionally
equivalent to the root keys that are supplied by the customer for use with Customer Key. The availability
key provides a strong key escrow model which reduces the risk of all the keys being unintentionally lost or
destroyed. Additionally, to meet our rigorous SLA for service uptime, the availability key is also used for
service availability. Although in our experience service failures are rare, not being able to access Office
365 content due to transient AAD or network issues can be problematic; therefore, if the service cannot
reach the customer’s root keys in Azure Key Vault and we do not receive a response that indicates the
customer has intended to block access to their root keys, we will fall back to the availability key to
complete the operation. The availability key is unique to Customer Key, and should the customer decide to
exit the service, the availability key is purged as part of the data deletion process.

DIAGRAM - Here is a simplified view of customer managed keys managed in Azure Key Vault. The customer provides and manages
their asymmetric private keys in Azure Key Vault. The customers’ private keys do not leave Azure Key Vault’s HSM boundary, and
customers have the control to revoke their private keys to make the data inaccessible to the service and initiate the path towards data
deletion.
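The key hierarchy and the fallback rule described above can be modelled in a few lines. The Go program below is an added example written for this page, not Microsoft’s implementation: it seals content under a per-item data encryption key (DEK), wraps that DEK once under the customer’s root key and once under a service-held availability key, and on decryption distinguishes a root key the customer has revoked (access refused, data on the path to deletion) from one that is merely unreachable (fall back to the availability key). The KeyState values, the RootKey and Envelope types, and the in-process stand-in for a key vault are all assumptions made for the example; in the real service the root keys stay inside Key Vault’s HSM boundary and the wrapping happens there.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyState is what the service observes when it asks the (hypothetical) vault for the customer's root key.
type KeyState int

const (
	KeyAvailable   KeyState = iota // vault answered and released the key
	KeyUnreachable                 // transient directory/network failure, no revocation signal
	KeyRevoked                     // customer deliberately blocked access to the key
)

// RootKey is a 256-bit AES key plus its current reachability state (example model only).
type RootKey struct {
	Key   []byte
	State KeyState
}

// Envelope is one stored item: content sealed under a DEK, with the DEK wrapped under both root keys.
type Envelope struct {
	Ciphertext, WrappedCustomer, WrappedAvail []byte
}

// ErrAccessBlocked is returned once the customer has revoked their root key.
var ErrAccessBlocked = errors.New("customer revoked root key: data inaccessible to the service")

// mustRandom returns n cryptographically random bytes (keys and nonces).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-256-GCM; every key here is 32 bytes, so a failure is a programming error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal encrypts and authenticates plaintext, returning nonce || ciphertext.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a tampered input or the wrong key fails authentication.
func open(key, data []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// Encrypt seals content under a fresh DEK and escrows that DEK under both root keys.
func Encrypt(customer, avail *RootKey, plaintext []byte) *Envelope {
	dek := mustRandom(32)
	return &Envelope{
		Ciphertext:      seal(dek, plaintext),
		WrappedCustomer: seal(customer.Key, dek),
		WrappedAvail:    seal(avail.Key, dek),
	}
}

// Decrypt applies the fallback rule from the text: a revoked key blocks access outright,
// a reachable key is used, and only a silent failure falls back to the availability key.
func Decrypt(customer, avail *RootKey, env *Envelope) ([]byte, error) {
	rootKey, wrapped := customer.Key, env.WrappedCustomer
	switch customer.State {
	case KeyRevoked:
		return nil, ErrAccessBlocked
	case KeyUnreachable:
		rootKey, wrapped = avail.Key, env.WrappedAvail
	}
	dek, err := open(rootKey, wrapped)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

func main() {
	customer, avail := &RootKey{Key: mustRandom(32)}, &RootKey{Key: mustRandom(32)}
	customer.State = KeyUnreachable // vault timed out with no revocation signal
	pt, err := Decrypt(customer, avail, Encrypt(customer, avail, []byte("constructed mailbox item")))
	fmt.Printf("%q %v\n", pt, err)
}
```

The point to take from the model is that revocation and unavailability must be distinguishable signals: if the service treated every vault error as a reason to use the escrowed copy, revoking the root key would not actually cut off access, and if it treated every error as revocation, a transient directory outage would make mailboxes unreadable.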

Bring Your Own Key (BYOK) in Azure Information Protection

With Bring Your Own Key (BYOK) in Azure Information Protection, customers may provide and control
their own encryption keys for their Office 365 data in transit at the content level. For example, for Office
365 Message Encryption, customers may provide and control their own encryption keys for their sensitive
emails. Office 365 Message Encryption leverages the protection features in Azure Information Protection;
therefore Azure Information Protection handles key management and interfacing with Azure Key Vault.
Azure Key Vault performs the encryption operations and the customers’ private root keys remain
protected in the HSM boundary.

Compliance First Customers – Customer Managed Keys (On-Premises/Hybrid)


For a very small subset of highly regulated organizations that have compliance obligations requiring them
to have physical access to and possession of their private keys, so that their most sensitive data is
inaccessible to the Microsoft Cloud Service, Microsoft supports Hold Your Own Key (HYOK) with Azure
Information Protection and S/MIME.

Hold Your Own Key (HYOK) with Azure Information Protection

HYOK is an isolated on-premises Active Directory Rights Management Services (AD RMS) instance that
provides a different private key to secure this data. Because the key is stored and managed in an on-
premises environment, it protects data that remains on-premises and away from all cloud instances. If
the data is shared outside this environment, it is opaque to unauthorized parties, including the cloud service
provider.

HYOK is not for everyone, and it is certainly not intended for every piece of data. HYOK is a special tool,
for a special purpose: data opacity at all costs. Generally, we recommend this to be applied to less than
one percent of data. While Office 365 does support HYOK with Azure Information Protection, Office 365
services will be significantly limited with this configuration. Because the data that is protected will be
opaque to the cloud, many of the most powerful Office 365 experiences will be unavailable: no anti-
malware/spam, Delve, eDiscovery, search, and so forth. Any transport rules and DLP policies will not be
able to look at this data, and any anti-virus services or DLP will need an entirely different environment.

DIAGRAM - Here is an example of an HYOK topology. The customer has on-premises AD, an AD RMS server and an HSM. The customer’s private keys
are managed in the on-premises HSM and used by the on-premises AD RMS server. The customer physically possesses their private
keys and does not share these keys with the Microsoft cloud. The AIP classification labels are bound to the Azure RMS server – so when
an end user applies the specific label, which in this example is ‘Secret’, it will be protected with HYOK.

S/MIME
Office 365 also supports S/MIME. S/MIME is a certificate-based encryption solution that allows you to
both encrypt and digitally sign a message. The public certificates are distributed to an organization’s on-
premises Active Directory and stored in attributes that cannot be replicated to an Office 365 tenant. The
private keys remain on-premises and are never transmitted to Office 365. Therefore, Office 365 services
that need to read and reason over the data will not work.

5. RISKS REDUCED BY ENCRYPTION FOR OFFICE 365


There are a variety of risks that can be reduced by encryption for Office 365. Encryption can help reduce
the risk of data compromise from an attack by a malicious outsider or from an accidental data leak by one
of your users. Encryption can also help reduce the risk of non-compliance from regulations that look to
protect sensitive personal information, or various internal compliance obligations such as customer
contractual agreements or internal security policies, that drive the customers’ overall security decisions.

See below a high-level table and review the definitions to better understand how each encryption
technology can help reduce various risks to customer data.
Technology                     | Attack from malicious outsider | Accidental leak of data (user) | Non-compliance (regulatory/internal) | Offered in
TLS                            | x                              |                                | x                                    | All commercial Office 365 SKUs
BitLocker                      | x                              |                                | x                                    | All commercial Office 365 SKUs
Service Encryption             | x                              |                                | x                                    | All commercial Office 365 SKUs
Office 365 Message Encryption  | x                              | x                              | x                                    | Office 365 E3/E5*
Customer Key                   | x                              |                                | x                                    | Office 365 E5** + Azure Key Vault subscription
BYOK with AIP                  | x                              | x                              | x                                    | Office 365 E3/E5* + Azure Key Vault subscription
HYOK with AIP                  | x                              | x                              | x                                    | EMS E5 or AIP Plan P2 add-on
S/MIME                         | x                              | x                              | x                                    | N/A

*Also offered as an add-on; for the full list go here.
**Also offered as an add-on to Office 365 E3 with the Advanced Compliance SKU.

Definitions

TLS:

Reduces the risk of data compromise due to snooping or man-in-the-middle attacks if information is
intercepted as it travels over the network. TLS doesn’t encrypt the message, just the connection. If your
recipient’s mail servers do not support TLS encryption, then the message will be sent unencrypted.
We suggest that customers add Office 365 Message Encryption to their sensitive emails in this scenario.

BitLocker:

Reduces the risk of data compromise due to lapses in processes or controls (such as access control or
hardware recycling processes) that enable someone to gain physical access to disks containing sensitive
data.

Service Encryption:

Reduces risk of data compromise due to an attack by a malicious outsider. The data cannot be decrypted
without access to keys. Service encryption also provides a granular layer of protection at the application
layer on top of BitLocker for customers’ Office 365 data at-rest.

Service Encryption with Customer Key:

In addition to the benefits of service encryption above, Customer Key can help reduce the risk of non-
compliance due to obligations surrounding how or where the customers’ encryption keys are controlled
or managed, or obligations related to having the explicit control to delete data when exiting the service.

Office 365 Message Encryption:

Reduces the risk of data compromise due to an attack by a malicious outsider, or due to an accidental
data leak by an employee. The new Office 365 Message Encryption includes the protection feature in
Azure Information Protection to encrypt and rights-protect emails. When the new Office 365 Message
Encryption is applied to an email, the email is protected throughout its lifecycle and also gains an added
layer of encryption on top of the default encryption capabilities offered in Office 365
(TLS, BitLocker, Service Encryption).

BYOK with Azure Information Protection for Office 365 Message Encryption:

In addition to the benefits of Office 365 Message Encryption, BYOK with Azure Information Protection can
help reduce the risk of non-compliance due to obligations surrounding how or where the customers’
encryption keys are controlled or managed.

HYOK with Azure Information Protection:

The key is stored and managed in an on-premises environment, so it protects any data that remains on-premises
and away from all cloud instances. If the data is shared outside this environment, it is opaque to unauthorized
parties, including the cloud service provider.

S/MIME:

S/MIME ensures that the email encrypted by S/MIME can only be decrypted by the direct recipient of the
email. The cloud service provider and unauthorized users cannot see the contents of the email. Office 365
supports S/MIME; however, Office 365 services are significantly limited on data that is encrypted with
S/MIME.

6. Other data protection capabilities in Office 365


Encryption can be a useful technology to help customers meet their compliance and data protection
needs; however, it should not be used in isolation. We recommend customers consider additional data
protection capabilities to complement the encryption solutions offered in Office 365. Here are just a few
to consider:

Data Governance

The benefits of implementing a comprehensive data governance strategy are two-fold: reduced cost of
storing data and, perhaps more importantly, reduced risk of keeping data that is no longer relevant but still
needs to be protected. With the data governance capabilities, Office 365 customers are able to use
intelligence to classify, protect and retain data in their environment, and defensibly dispose of data that is
redundant, obsolete or trivial.

Data Loss Prevention

Customers may leverage Office 365 Data Loss Prevention (DLP) to identify, monitor and protect sensitive
information in their organization through content scanning. Not only will DLP detect sensitive information
types such as credit card numbers or national identity numbers, customers can also apply protections such as
blocking access, showing policy notifications or encrypting emails using Exchange Transport Rules.

Access Control

There is no standing access to customer data; access is controlled by our access control system. For
added control, Customer Lockbox lets customers be added to the approval workflow before access is
granted to a Microsoft service engineer during service operations.

7. ADDITIONAL RESOURCES
For customers doing a risk assessment, we recommend reading a deeper encryption whitepaper offered
at https://aka.ms/mcsce. This looks across our encryption capabilities in the Microsoft Cloud.

For all else please refer to the resources below.

Encryption
• Microsoft Cloud Encryption Whitepaper
• Common misconceptions and truths of SaaS encryption

Customer Key in Office 365


1. Customer Key Set Up
2. Customer Key Blog
3. Customer Key FAQ
4. Customer Key Webinars
• Deep Dive on Customer Key

Office 365 Message Encryption


1. Office 365 Message Encryption Blog
2. Setting up Office 365 Message Encryption
3. Office 365 Message Encryption Webinars
• Protect and control your sensitive emails

BYOK and HYOK with AIP


1. Encryption key management strategies for compliance (for Azure Information Protection)
2. Hold Your Own Key with Azure Information Protection Blog
3. Hold your own key (HYOK) requirements and restrictions for AD RMS protection

Access Control
Customer Lockbox
1. Customer Lockbox 2 Min Video
2. Office 365 - Customer Lockbox SOC 1 SSAE 16 Type I Report
3. Customer Lockbox Webinar
• Own your data with next generation access control technology in Office 365

Terms & Conditions

The information contained in this document represents the current view of Microsoft Corporation on the issues
discussed as of the date of publication. Because Microsoft must respond to changing market conditions, this
document should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee
the accuracy of any information presented after the date of publication.

This is for informational purposes only and not for the purpose of providing legal advice. You should contact your
attorney to obtain advice with respect to any particular issue or problem. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.

© 2018 Microsoft Corporation. All rights reserved.


Cloud Security – Best Practices
INFO 5112 – Cloud Services
Introduction

 Cloud Services are less secure than most on-premises solutions.
 Large attack vector
 Big open “face” in public clouds
 A treasure trove of information for hackers
 Sometimes easier to hack
 Is the term “Cloud security” an oxymoron?
 https://www.forbes.com/sites/sungardas/2015/05/20/why-cloud-computing-security-is-no-longer-an-oxymoron/#51e5bcaf75ff

Security…Security!
Why hackers target clouds

 Clouds are a treasure trove of information for hackers
 Remember: most clouds are multi-tenant models
 Credit cards, passwords, etc. for multiple services or vendors (i.e. one platform, multiple services)
 An assortment of varied information (financial, personal, confidential)
 Many clients rely on vendors to secure clouds for them
 Penetrating the cloud potentially results in gaining access to many or all client information databases, etc.
 Usually results in “keys to the kingdom”

Distributed denial of
service attacks

DDoS comes from multiple sources (known and unknown), including individual servers, networks, and, increasingly, IoT devices.
It can consume all of the cloud’s resources, including CPU, memory, and bandwidth.
Reconfiguring firewalls, routers and servers can block any suspicious traffic.
What can you do to defend

 Don’t rely on cloud security measures as an end-all, be-all solution
 Implement encryption of data and
traffic end-to-end
 Don’t store passwords using reversible
encryption
 Ensure the SLA contains all the guidelines
you are looking for
 Transparency
 Security measures
 Defense in Depth
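As an added, defender-side illustration of the “don’t store passwords using reversible encryption” bullet (example code written for this page, not from the slides): a password is stored as a salted, iterated one-way hash, so there is no key anywhere whose theft would reveal the passwords. The block implements PBKDF2-HMAC-SHA256 inline from RFC 8018 so that it needs only the Go standard library; the record format, the 600,000-iteration default and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Stored records look like "pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>" (assumed
// format), so the parameters travel with the record and can be raised for new records later.
const (
	defaultIterations = 600000 // assumed default; a slow KDF is the point
	saltLen           = 16
	keyLen            = 32
)

// pbkdf2SHA256 derives keyLen bytes per RFC 8018 section 5.2 with HMAC-SHA256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	counter := make([]byte, 4)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(counter, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(counter)
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T_block starts as U_1
		for c := 1; c < iterations; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_c = PRF(P, U_{c-1})
			for j := range t {
				t[j] ^= u[j] // T_block = U_1 xor U_2 xor ... xor U_iterations
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HashPassword returns a self-describing record. The salt is fresh per record, so
// identical passwords hash differently and precomputed tables do not apply.
func HashPassword(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, defaultIterations, keyLen)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", defaultIterations,
		base64.RawStdEncoding.EncodeToString(salt),
		base64.RawStdEncoding.EncodeToString(dk)), nil
}

// VerifyPassword recomputes the hash with the record's own parameters and compares
// in constant time. Nothing here can be "decrypted" back into the password.
func VerifyPassword(password, record string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised password record")
	}
	iterations, err := strconv.Atoi(parts[1])
	if err != nil || iterations < 1 {
		return false, errors.New("bad iteration count")
	}
	salt, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := pbkdf2SHA256([]byte(password), salt, iterations, len(want))
	return hmac.Equal(got, want), nil
}

func main() {
	rec, err := HashPassword("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	ok, _ := VerifyPassword("correct horse battery staple", rec)
	bad, _ := VerifyPassword("Tr0ub4dor&3", rec)
	fmt.Println(rec, ok, bad)
}
```

Two design points worth noticing: the comparison uses hmac.Equal rather than ==, so the verification time does not depend on how many leading bytes match, and the iteration count is parsed from the record rather than hard-coded, so older records keep verifying after the default is raised for new ones.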

Defending - Continued

 Don’t store sensitive information in the cloud
 Not always feasible for cloud-only solutions
 Check applications for vulnerabilities
 Exposing vulnerable applications to the world makes a whole new attack vector on a large scale
 Follow industry best practices

SLA Security Model
With great cloud
comes great security
Security at Scale – The Good News

 Security measures are cheaper when implemented on a mass scale
 Patch management, antivirus solutions,
hardening, firewalling
 Cloud providers often hire security
experts and subject matter experts
 They do the “heavy lifting” of security
 Organizations can hire auditors to audit the
cloud and provide baselines and
recommendations or remediation
 Deployment of security updates tends to
be much quicker, as critical patches can
be rolled out to the entire cloud, should
the need arise.
Security at Scale – The Bad News

 There are threats both internal and external
 Cloud providers ultimately focus on securing for the “greater good” – not on individuals
 Easy to get started, meaning that there are lots of ways to get into the system and try to learn about it
 Remember, it’s a multi-tenant model. You share with others!
 Not many questions asked
 More discussed in further slides

How to safeguard ourselves

 Encryption,
 Encryption
 Encryption,
 And did I mention, encryption?
 End – to – end
 Stored Data
Important security safeguards

 Auditing
 Vulnerability testing
 Independent pen-testing
 Defined policies
 Allow users to set own policies (user-level data security)
 VPNs
Compliance / Important Policies

 PCI DSS:
 Ensures that the provider can handle payments
 Stands for “Payment Card Industry Data Security Standard”
 To achieve this certification, a provider has to undergo audits and protect data, including its storage, processing and transmission. This certification encompasses a number of measures such as security management, policies, procedures, network architecture design and software design.
 SOC 2 Type II:
 Ensures data security at the highest level
 Stands for Service Organization Controls
 SOC 1 is for less comprehensive systems.
 SOC 2 is for more comprehensive systems
 Type II involves long-term testing
Planning and Cloud Design –
Basics II
INFO-5112
INTO THE CLOUD
So, what do we need to consider

 You should not ignore the following things:
 The challenge ahead
 Your applications or data
 Costs associated
 Proper research into CSPs (Cloud Service Providers)
 Data Governance and Security
 Your overall strategy
 * This is not an exhaustive list!

The challenges moving to a cloud

 The migration process is not easy
 Do your research ahead of time
 It’s easy to get things wrong the first time
 Do you need IaaS, PaaS, or SaaS? What platform? How to proceed?
 No single way to approach this problem
 The people and process may be in your way
 Sometimes the biggest challenge isn’t the technology – it’s the people and process involved.
 Corporate policies and procedures, especially those based on precedent, can limit and hamper your overall strategy
 Older companies, as a rule of thumb, are more difficult to work with, as they like to be cemented in their ways of doing things. This is compared to new companies and startups, which are by design agile and competitive (in order to compete in this crowded market)
 Procedures and policies, especially of old companies, have long and well-defined change management structures in place that prevent you from being too dynamic.
Challenges don’t end there!

 You should always have your end goal in mind
 Need to work with a well-defined business plan and strategy
 Don’t discount the psychological factor
 You will doubt your decisions
 Is it the right choice? Can I get through this? Is there value added to my cloud migration?
 Sometimes it’s also worrying about the vendor – buyer’s remorse.
 Others may not be on board
 Don’t see your objectives as critical
 And many, many more
 Miscalculated costs
 Poor project plan
 Etc…
Consider: Your application and/or data

 Many people think that a cloud migration is all or nothing. It’s not that simple.
 What do you need to migrate?
 Don’t migrate what you don’t need! Doing so adds complexity, costs, and headaches
 Not all data is suited for the cloud!
 If security is what you are after, consider a private or hybrid cloud
 Some applications won’t work at all for what you want to achieve; consider the costs of making them compatible vs. the gains.

Consider: Costs associated

 Clouds are generally cheaper; however, depending on your budget and/or infrastructure, they can be more expensive. You should consider the following:
 Licensing costs (are usually different for cloud models – i.e. Oracle may not be as cheap in a cloud)
 Hardware requirements vs. cloud migration
 Legacy applications (as discussed, if not cloud compatible)
 Hidden expenses

Consider: Data Governance

 Data governance is one of, if not the most important, aspects!
 Never ignore it
 Your cloud solution should fit in with your data governance framework
 Ignoring it may result in severe civil and/or criminal penalties (which can result in loss of reputation and money)
 Possibly the single most costly mistake…
 Consider:
 How data is stored
 Where is it stored
 How is it accessed
 Who?
 Technical aspects
 Encryption?
 Retention (How long is the data stored for, once deleted)
 Don’t need to consider things like RAID levels or storage types, not a governance aspect…
Consider: Cloud Service Providers

 When choosing a provider, there is more than meets the eye:
 Ensure that your provider is fully committed to understanding your objectives and business
 Especially important in vertical markets (such as Healthcare, Retail, Financial Services, etc.)
 Pure technical boasting may be a red flag
 Listen to what they are saying; if they only talk about technology, this may be a sign of another sales pitch
 Moving to the cloud is about business continuity, not about showing your technical achievements
 …But… can also be a green flag for IaaS solutions or if you are looking to build something yourself.
 Sometimes niche or specialty providers are best
 Need a database only? Why go IaaS – go for a provider that’s hosting a database
 Don’t reinvent the wheel

Questions to ask when looking for a CSP

 What services do you provide?
 Cloud service models: IaaS, SaaS, PaaS?
 Niche services? BaaS (backup), DaaS (DB)
 What is your SLA?
 Downtime history
 Data availability
 Penalties
 In the event of unforeseen circumstances
 How secure is your datacenter?
 Or data in general
 Where is it located?
 What security mechanisms (physical or logical) do you have in place to safeguard my data?
 Customer testimonials
 Especially important when looking for niche CSPs
 What support is available?
 Can your solution meet our needs?
 Resource scaling

SLAs – What are they; what to look for

 What is an SLA?
 ITIL: An agreement between an IT
service provider and a customer.
The SLA describes the IT service,
documents service level targets,
and specifies the responsibilities of
the IT service provider and the
customer
 Formal and legally binding
 Legal action possible if in violation
 Quantitative not Qualitative
 99.999% Uptime v.s high uptime
 Will cover key aspects of your cloud
service
 Key in determining what you will
be getting

Key factors to consider for SLA/CSP

 Availability (when is the service available)
 Security / Privacy
 Deals with data governance
 Physical security (datacenter, access controls)
 Encryption during storage / transmission
 Data retention
 Location of Data
 Another data governance item
 Data falls under a specific jurisdiction, depending where it is stored
 Think of the piracy debate and Sweden/Denmark vs. USA – How can governments get data, and with what ease?
 Disaster Recovery / Backup
 How is data secured from a technical standpoint (e.g. RAID, off-site cold storage tape backups)
 Frequency of backups
 RTO/RPO (Recovery Time Objective / Recovery Point Objective)

Key Factors II

 Access to the Data
 Can you access it
 What format is it stored in
 Useful for data portability
 Relates mostly to PaaS and SaaS
 Data Portability
 How easy is it to migrate your data
 How easy is it to get your data on/off
 Applicable costs
 Performance
 Guaranteed (CPU, RAM, Network, Storage, etc.)
 Burst capability
 Response times

Key Factors III

• Customer Service
  • How are problems resolved?
  • Response times (service-level)
  • What is done to resolve them?
• Change Management Process
  • How are changes handled?
  • How are you notified?
  • How are new services/updates rolled out?
• Dispute mediation strategy
  • How are disputes handled?
  • What are your rights?
• Your expectations
  • What can YOU do on their platform?
  • What you are not allowed to do
• Cloud Service Provider's expectations and onboarding or offboarding/exit strategy
  • How do you migrate onto the cloud?
  • How do you get off the cloud?
  • How does the CSP ensure a smooth transition?
A Snapshot into

Introduction to the MS Azure Platform

• Looking into Azure from the SLA viewpoint:
  • An SLA for each service (https://azure.microsoft.com/en-ca/support/legal/sla/)
  • Uptime
    • Critical services: 99.99% (1 hour downtime / year)
    • Other services: 99.9% (10 hours / year)
• Location of Data: https://azure.microsoft.com/en-ca/regions/
• Security
AWS Academy Cloud Foundations

Compute

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Overview

Topics
• Compute services overview
• Amazon EC2
• Amazon EC2 cost optimization
• Container services
• Introduction to AWS Lambda
• Introduction to AWS Elastic Beanstalk

Activities
• Amazon EC2 versus Managed Service
• Hands-on with AWS Lambda
• Hands-on with AWS Elastic Beanstalk

Demo
• Recorded demonstration of Amazon EC2

Lab
• Introduction to Amazon EC2

Knowledge check
Objectives

After completing this module, you should be able to:

• Provide an overview of different AWS compute services in the cloud
• Demonstrate why to use Amazon Elastic Compute Cloud (Amazon EC2)
• Identify the functionality in the EC2 console
• Perform basic functions in Amazon EC2 to build a virtual computing environment
• Identify Amazon EC2 cost optimization elements

Compute

Section 1: Compute services overview
AWS compute services

Amazon Web Services (AWS) offers many compute services. This module will discuss the highlighted

• Amazon EC2
• Amazon EC2 Auto Scaling
• Amazon Elastic Container Registry (Amazon ECR)
• Amazon Elastic Container Service (Amazon ECS)
• VMware Cloud on AWS
• AWS Elastic Beanstalk
• AWS Lambda
• Amazon Elastic Kubernetes Service (Amazon EKS)
• Amazon Lightsail
• AWS Batch
• AWS Fargate
• AWS Outposts
• AWS Serverless Application Repository
Categorizing compute services

Amazon EC2
  Key concepts: Infrastructure as a service (IaaS); Instance-based; Virtual machines
  Characteristics: Provision virtual machines that you can manage as you choose
  Ease of use: A familiar concept to many IT professionals.

AWS Lambda
  Key concepts: Serverless computing; Function-based; Low-cost; Use when possible (architect for the cloud)
  Characteristics: Write and deploy code that runs on a schedule or that can be triggered by events
  Ease of use: A relatively new concept for many IT staff members, but easy to use after you learn how.

Amazon ECS, Amazon EKS, AWS Fargate, Amazon ECR
  Key concepts: Container-based computing; Instance-based
  Characteristics: Spin up and run jobs more quickly
  Ease of use: AWS Fargate reduces administrative overhead, but you can use options that give you more control.

AWS Elastic Beanstalk
  Key concepts: Platform as a service (PaaS); For web applications
  Characteristics: Focus on your code (building your application); Can easily tie into other services—databases, Domain Name System (DNS), etc.
  Ease of use: Fast and easy to get started.
Choosing the optimal compute service

• The optimal compute service or services that you use will depend on your use case
• Some aspects to consider –
  • What is your application design?
  • What are your usage patterns?
  • Which configuration settings will you want to manage?
• Selecting the wrong compute solution for an architecture can lead to lower performance efficiency
• A good starting place—Understand the available compute options

Compute

Amazon EC2
Amazon Elastic Compute Cloud (Amazon EC2)

Example uses of Amazon EC2 instances
• Application server
• Web server
• Database server
• Game server
• Mail server
• Media server
• Catalog server
• File server
• Computing server
• Proxy server
Amazon EC2 overview

• Amazon Elastic Compute Cloud (Amazon EC2)
  • Provides virtual machines—referred to as EC2 instances—in the cloud.
  • Gives you full control over the guest operating system (Windows or Linux) on each instance.
  • You can launch instances of any size into an Amazon Availability Zone anywhere in the world.
  • Launch instances from Amazon Machine Images (AMIs).
  • Launch instances with a few clicks or a line of code, and they are ready in minutes.
  • You can control traffic to and from
Launching an Amazon EC2 instance

• This section of the module walks through nine key decisions to make when you create an EC2 instance by using the AWS Management Console Launch Instance Wizard.
• Along the way, essential Amazon EC2 concepts will be explored.
1. Select an AMI

Choices made using the Launch Instance Wizard:
1. AMI
2. Instance Type
3. Network settings
4. IAM role
5. User data
6. Storage options
7. Tags
8. Security group
9. Key pair

• Amazon Machine Image (AMI)
  • Is a template that is used to create an EC2 instance (which is a virtual machine, or VM, that runs in the AWS Cloud)
  • Contains a Windows or Linux operating system
  • Often also has some software pre-installed
• AMI choices:
  • Quick Start – Linux and Windows AMIs that are provided by AWS
  • My AMIs – Any AMIs that you created
  • AWS Marketplace – Pre-configured templates from third parties
  • Community AMIs – AMIs shared by others; use at your own risk
Creating a new AMI: Example

1. In Region A, launch an instance from a Quick Start or other existing starter AMI (an unmodified instance).
2. Connect to the instance and manually modify it, or run a script that modifies the instance (for example, upgrade installed software), producing a modified instance.
3. Capture the modified instance as a new AMI (MyAMI).
4. Copy the AMI to any other Regions where you want to use it (for example, Region B).
(Optional) Import a virtual machine.
2. Select an instance type

• Consider your use case
  • How will the EC2 instance you create be used?
• The instance type that you choose determines –
  • Memory (RAM)
  • Processing power (CPU)
  • Disk space and disk type (Storage)
  • Network performance
• Instance type categories –
  • General purpose
  • Compute optimized
  • Memory optimized
  • Storage optimized
  • Accelerated computing
• Instance types offer family, generation, and size
EC2 instance type naming and sizes

Instance type naming
• Example: t3.large
  • T is the family name
  • 3 is the generation number
  • Large is the size

Example instance sizes

Instance Name   vCPU   Memory (GB)   Storage
t3.nano         2      0.5           EBS-Only
t3.micro        2      1             EBS-Only
t3.small        2      2             EBS-Only
t3.medium       2      4             EBS-Only
t3.large        2      8             EBS-Only
t3.xlarge       4      16            EBS-Only
t3.2xlarge      8      32            EBS-Only
Select instance type: Based on use case

Category                Instance Types           Use Case
General Purpose         a1, m4, m5, t2, t3       Broad
Compute Optimized       c4, c5                   High performance
Memory Optimized        r4, r5, x1, z1           In-memory databases
Accelerated Computing   f1, g3, g4, p2, p3       Machine learning
Storage Optimized       d2, h1, i3               Distributed file systems
Instance types: Networking features

• The network bandwidth (Gbps) varies by instance type.
  • See Amazon EC2 Instance Types to compare.
• To maximize networking and bandwidth performance of your instance type:
  • If you have interdependent instances, launch them into a cluster placement group.
  • Enable enhanced networking.
• Enhanced networking types are supported on most instance types.
  • See the Networking and Storage Features documentation for details.
• Enhanced networking types –
  • Elastic Network Adapter (ENA): Supports network speeds of up to 100 Gbps.
  • Intel 82599 Virtual Function interface: Supports network speeds of up to 10 Gbps.
3. Specify network settings

• Where should the instance be deployed?
  • Identify the VPC and optionally the subnet
• Should a public IP address be automatically assigned?
  • To make it internet-accessible

Example (diagram): within the AWS Cloud, a Region contains Availability Zone 1 and Availability Zone 2; a VPC spans them and holds a public subnet and a private subnet. The example specifies deploying the instance into the public subnet.
4. Attach IAM role (optional)

• Will software on the EC2 instance need to interact with other AWS services?
  • If yes, attach an appropriate IAM Role.
• An AWS Identity and Access Management (IAM) role that is attached to an EC2 instance is kept in an instance profile.
• You are not restricted to attaching a role only at instance launch.
  • You can also attach a role to an instance that already exists.

Example (diagram): a role that grants Amazon Simple Storage Service (Amazon S3) bucket access permissions is attached to an instance, so an application on that instance can access the S3 bucket with objects.
5. User data script (optional)

User data (passed to the AMI at launch; the running EC2 instance executes it):

#!/bin/bash
yum update -y
yum install -y wget

• Optionally specify a user data script at instance launch
• Use user data scripts to customize the runtime environment of your instance
  • Script runs the first time the instance starts
• Can be used strategically
  • For example, reduce the number of custom AMIs that you build and maintain
6. Specify storage

• Configure the root volume
  • Where the guest operating system is installed
• Attach additional storage volumes (optional)
  • AMI might already include more than one volume
• For each volume, specify:
  • The size of the disk (in GB)
  • The volume type
    • Different types of solid state drives (SSDs) and hard disk drives (HDDs) are available
  • If the volume will be deleted when the instance is terminated
  • If encryption should be used
Amazon EC2 storage options

• Amazon Elastic Block Store (Amazon EBS) –
  • Durable, block-level storage volumes.
  • You can stop the instance and start it again, and the data will still be there.
• Amazon EC2 Instance Store –
  • Ephemeral storage is provided on disks that are attached to the host computer where the EC2 instance is running.
  • If the instance stops, data stored here is deleted.
• Other options for storage (not for the root volume) –
  • Mount an Amazon Elastic File System (Amazon EFS) file system.
  • Connect to Amazon Simple Storage Service (Amazon S3).
Example storage options

• Instance 1 characteristics –
  • It has an Amazon EBS root volume type for the operating system: a 20-GB Amazon Elastic Block Store (Amazon EBS) volume attached as the root volume, a 500-GB Amazon EBS volume attached as a storage volume, and Instance Store ephemeral volume 1 (on the host computer) attached as a storage volume.
  • What will happen if the instance is stopped and then started again?
• Instance 2 characteristics –
  • It has an Instance Store root volume type for the operating system: Instance Store ephemeral volume 2 (on the host computer) attached as the root volume.
  • What will happen if the instance stops (because of user error or a system malfunction)?
7. Add tags

• A tag is a label that you can assign to an AWS resource.
• Consists of a key and an optional value.
• Tagging is how you can attach metadata to an EC2 instance.
• Potential benefits of tagging—Filtering, automation, cost allocation, and access control.
8. Security group settings

• A security group is a set of firewall rules that control traffic to the instance.
• It exists outside of the instance's guest OS.
• Create rules that specify the source and which ports that network communications can use.
  • Specify the port number and the protocol, such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP).
  • Specify the source (for example, an IP address or another security group) that is allowed to use the rule.
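As an added example that is not part of the AWS course material, the Python below applies the security group semantics described above (allow-only rules matched by protocol, port range and source CIDR) to a constructed record shaped like `aws ec2 describe-security-groups` output, and flags rules that expose administrative ports or all traffic to any source. The group ids and address ranges are placeholders.

```python
"""Security group rule evaluation and risk check (added example, not AWS code).

A security group is an allow-list: a packet is admitted only if some ingress
rule matches its protocol, port and source. The record below mimics the shape
of `describe-security-groups` output but is a constructed sample.
"""
import ipaddress

# Constructed sample: one group with four ingress rules (ids are placeholders).
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},      # RFC 5737 test range
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1",                                # all traffic
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
}

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # ports that should rarely face the world
ANY_SOURCE = ("0.0.0.0/0", "::/0")


def _cidrs(rule):
    """All CIDR sources on a rule (IPv4 and IPv6); group-pair sources are skipped."""
    ranges = rule.get("IpRanges", []) + rule.get("Ipv6Ranges", [])
    return [r.get("CidrIp") or r.get("CidrIpv6") for r in ranges]


def _rule_matches(rule, protocol, port):
    """True if the rule covers this protocol/port. IpProtocol "-1" means all traffic."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != protocol:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def ingress_allowed(sg, protocol, port, source_ip):
    """Would the group admit a packet from source_ip to protocol/port?

    Only CIDR sources are evaluated: a rule whose source is another security
    group cannot be decided without knowing that group's membership.
    """
    src = ipaddress.ip_address(source_ip)
    for rule in sg["IpPermissions"]:
        if not _rule_matches(rule, protocol, port):
            continue
        for cidr in _cidrs(rule):
            net = ipaddress.ip_network(cidr)
            if src.version == net.version and src in net:
                return True
    return False          # no matching allow rule: security groups have no explicit deny


def risky_rules(sg):
    """Flag admin ports reachable from anywhere, and all-traffic rules open to the world."""
    findings = []
    for rule in sg["IpPermissions"]:
        open_world = [c for c in _cidrs(rule) if c in ANY_SOURCE]
        if not open_world:
            continue
        if rule["IpProtocol"] == "-1":
            findings.append((sg["GroupId"], "all traffic", open_world[0]))
            continue
        for port, name in ADMIN_PORTS.items():
            if _rule_matches(rule, "tcp", port):
                findings.append((sg["GroupId"], f"{name}/{port}", open_world[0]))
    return findings


if __name__ == "__main__":
    print(ingress_allowed(SAMPLE_SG, "tcp", 22, "198.51.100.7"))   # False: not in 203.0.113.0/24
    for finding in risky_rules(SAMPLE_SG):
        print("open to the world:", finding)
```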
9. Identify or create the key pair

• At instance launch, you specify an existing key pair or create a new key pair.
• A key pair consists of –
  • A public key that AWS stores.
  • A private key file that you store (for example, mykey.pem).
• It enables secure connections to the instance.
• For Windows AMIs –
  • Use the private key to obtain the administrator password that you need to log in to your instance.
• For Linux AMIs –
  • Use the private key to use SSH to securely connect to your instance.

Amazon EC2 console view of a running EC2 instance
Another option: Launch an EC2 instance with the AWS Command Line Interface

• EC2 instances can also be created programmatically, for example with the AWS Command Line Interface (AWS CLI).
• This example shows how simple the command can be.
  • This command assumes that the key pair and security group already exist.
• More options could be specified. See the AWS CLI Command Reference for details.

Example command:

aws ec2 run-instances \
  --image-id ami-1a2b3c4d \
  --count 1 \
  --instance-type c3.large \
  --key-name MyKeyPair \
  --security-groups MySecurityGroup \
  --region us-east-1
Amazon EC2 instance lifecycle

• Launch: AMI → pending → running
• Reboot: running → rebooting → running
• Stop or Stop-Hibernate (only instances backed by Amazon EBS): running → stopping → stopped
• Start (only instances backed by Amazon EBS): stopped → pending → running
• Terminate: running or stopped → shutting-down → terminated
Consider using an Elastic IP address

• Rebooting an instance will not change any IP addresses or DNS hostnames.
• When an instance is stopped and then started again –
  • The public IPv4 address and external DNS hostname will change.
  • The private IPv4 address and internal DNS hostname do not change.
• If you require a persistent public IP address –
  • Associate an Elastic IP address with the instance.
• Elastic IP address characteristics –
  • Can be associated with instances in the Region as needed.
  • Remains allocated to your account until you choose to release it.
EC2 instance metadata

• Instance metadata is data about your instance.
• While you are connected to the instance, you can view it –
  • In a browser: http://169.254.169.254/latest/meta-data/
  • In a terminal window: curl http://169.254.169.254/latest/meta-data/
• Example retrievable values –
  • Public IP address, private IP address, public hostname, instance ID, security groups, Region, Availability Zone.
• Any user data specified at instance launch can also be accessed at: http://169.254.169.254/latest/user-data/
• It can be used to configure or manage a running instance.
  • For example, author a configuration script that reads the metadata and uses it to configure applications or OS settings.
Amazon CloudWatch for monitoring

• Use Amazon CloudWatch to monitor EC2 instances
  • Provides near-real-time metrics
  • Provides charts in the Amazon EC2 console Monitoring tab that you can view
  • Maintains 15 months of historical data
• Basic monitoring
  • Default, no additional cost
  • Metric data sent to CloudWatch every 5 minutes
• Detailed monitoring
  • Fixed monthly rate for seven pre-selected metrics
  • Metric data delivered every 1 minute
Section 2 key takeaways

• Amazon EC2 enables you to run Windows and Linux virtual machines in the cloud.
• You launch EC2 instances from an AMI template into a VPC in your account.
• You can choose from many instance types. Each instance type offers different combinations of CPU, RAM, storage, and networking capabilities.
• You can configure security groups to control access to instances (specify allowed ports and source).
• User data enables you to specify a script to run the first time that an instance launches.
• Only instances that are backed by Amazon EBS can be stopped.
• You can use Amazon CloudWatch to capture and review metrics on EC2

Compute

Section 3: Amazon EC2 cost optimization
Amazon EC2 pricing models

On-Demand Instances
• Pay by the hour
• No long-term commitments.
• Eligible for the AWS Free Tier.

Reserved Instances
• Full, partial, or no upfront payment for instance you reserve.
• Discount on hourly charge for that instance.
• 1-year or 3-year term.

Spot Instances
• Instances run as long as they are available and your bid is above the Spot Instance price.
• They can be interrupted by AWS with a 2-minute notification.
• Interruption options include terminated, stopped or hibernated.
• Prices can be significantly less expensive compared to On-Demand Instances.
• Good choice when you have flexibility in when your applications can run.

Dedicated Hosts
• A physical server with EC2 instance capacity fully dedicated to your use.

Dedicated Instances
• Instances that run in a VPC on hardware that is dedicated to a single customer.

Scheduled Reserved Instances
• Purchase a capacity reservation that is always available on a recurring schedule you specify.
• 1-year term.

Per second billing available for On-Demand Instances, Reserved Instances, and Spot Instances that run Amazon Linux or Ubuntu.
Amazon EC2 pricing models: Benefits

• On-Demand Instances: Low cost and flexibility
• Spot Instances: Large scale, dynamic workload
• Reserved Instances: Predictability ensures compute capacity is available when needed
• Dedicated Hosts: Save money on licensing costs; help meet compliance and regulatory requirements
Amazon EC2 pricing models: Use cases

On-Demand Instances – Spiky Workloads
• Short-term, spiky, or unpredictable workloads
• Application development or testing
• Users with urgent computing needs for large amounts of additional capacity

Spot Instances – Time-Insensitive Workloads
• Applications with flexible start and end times
• Applications only feasible at very low compute prices

Reserved Instances – Steady-State Workloads
• Steady state or predictable usage workloads
• Applications that require reserved capacity, including disaster recovery
• Users able to make upfront payments to reduce total computing costs even further

Dedicated Hosts – Highly Sensitive Workloads
• Bring your own license (BYOL)
• Compliance and regulatory restrictions
• Usage and licensing tracking
• Control instance placement
The four pillars of cost optimization

Cost Optimization
1. Right size
2. Increase elasticity
3. Optimal pricing model
4. Optimize storage choices
Pillar 1: Right size

• Provision instances to match the need
  • CPU, memory, storage, and network throughput
  • Select appropriate instance types for your use
• Use Amazon CloudWatch metrics
  • How idle are instances? When?
  • Downsize instances
• Best practice: Right size, then reserve
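The instance-type naming scheme and t3 size table from Section 2, and the right-sizing step of Pillar 1, as one added Python example that is not AWS tooling: it parses a type name into family, generation and size, then uses constructed CloudWatch-style CPU and memory samples to suggest the smallest t3 size that still leaves headroom. The 70% headroom threshold, the sample values and the helper names are assumptions.

```python
"""Right-size recommendation for t3 instances (added example, not AWS tooling).

Sizes come from the t3 table in this module (vCPU, memory in GB). CPU samples
are CloudWatch CPUUtilization percentages; memory samples would normally come
from the CloudWatch agent and are constructed here.
"""
import re

# vCPU and memory (GB) per t3 size, in ascending order, as listed in the size table.
T3_SIZES = {
    "nano": (2, 0.5), "micro": (2, 1), "small": (2, 2), "medium": (2, 4),
    "large": (2, 8), "xlarge": (4, 16), "2xlarge": (8, 32),
}
T3_ORDER = list(T3_SIZES)

# family letters, generation digit, optional attribute letters (e.g. the "n" in c5n), size
TYPE_RE = re.compile(r"^([a-z]+)(\d+)([a-z]*)\.(\w+)$")


def parse_instance_type(name):
    """'t3.large' -> {'family': 't', 'generation': 3, 'attributes': '', 'size': 'large'}"""
    m = TYPE_RE.match(name)
    if not m:
        raise ValueError(f"not an instance type name: {name!r}")
    family, gen, attrs, size = m.groups()
    return {"family": family, "generation": int(gen), "attributes": attrs, "size": size}


def recommend_t3_size(current_type, cpu_samples, mem_used_gb_samples, headroom=0.7):
    """Suggest the smallest t3 size whose capacity covers peak usage at `headroom` utilization.

    Returns (recommended_size, reason). Never recommends a size larger than the
    current one: if even the current size is over the threshold, say so.
    """
    parsed = parse_instance_type(current_type)
    if parsed["family"] != "t" or parsed["generation"] != 3 or parsed["size"] not in T3_SIZES:
        raise ValueError("this example only covers the t3 sizes in the table")
    cur_vcpu, _ = T3_SIZES[parsed["size"]]
    # CPUUtilization is a percentage of the current vCPU count; convert the peak to vCPUs needed.
    peak_vcpu = max(cpu_samples) / 100 * cur_vcpu
    peak_mem = max(mem_used_gb_samples)
    cur_idx = T3_ORDER.index(parsed["size"])
    for size in T3_ORDER[:cur_idx + 1]:          # only current size and smaller
        vcpu, mem = T3_SIZES[size]
        if peak_vcpu <= vcpu * headroom and peak_mem <= mem * headroom:
            if size == parsed["size"]:
                return size, "current size is the smallest that fits"
            return size, (f"peak {peak_vcpu:.1f} vCPU / {peak_mem:.1f} GB fits t3.{size} "
                          f"({vcpu} vCPU, {mem} GB) with {int(headroom * 100)}% headroom")
    return parsed["size"], "peak usage exceeds headroom even at the current size; do not downsize"


# Constructed sample: a t3.xlarge that mostly idles (one CPUUtilization sample per 5 minutes).
SAMPLE_CPU = [3.1, 4.0, 2.7, 12.5, 5.2, 3.8]
SAMPLE_MEM_GB = [2.9, 3.1, 3.0, 4.4, 3.2, 3.0]

if __name__ == "__main__":
    print(parse_instance_type("t3.xlarge"))
    print(recommend_t3_size("t3.xlarge", SAMPLE_CPU, SAMPLE_MEM_GB))   # ('large', ...)
```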
Pillar 2: Increase elasticity

• Stop or hibernate Amazon EBS-backed instances that are not actively in use
  • Example: non-production development or test instances
• Use automatic scaling to match needs based on usage
  • Automated and time-based elasticity
Pillar 3: Optimal pricing model

• Leverage the right pricing model for your use case
  • Consider your usage patterns
• Optimize and combine purchase types
  • Examples:
    • Use On-Demand Instances and Spot Instances for variable workloads
    • Use Reserved Instances for predictable workloads
• Consider serverless solutions (AWS Lambda)
Pillar 4: Optimize storage choices

• Reduce costs while maintaining storage performance and availability
  • Resize EBS volumes
  • Change EBS volume types
    • Can you meet performance requirements with less expensive storage?
    • Example: Amazon EBS Throughput Optimized HDD (st1) storage typically costs half as much as the default General Purpose SSD (gp2) storage option.
  • Delete EBS snapshots that are no longer needed
• Identify the most appropriate destination for specific types of data
  • Does the application need the instance to reside on Amazon EBS?
  • Amazon S3 storage options with lifecycle policies can reduce
Measure, monitor, and improve

• Cost optimization is an ongoing process.
• Recommendations –
  • Define and enforce cost allocation tagging.
  • Define metrics, set targets, and review regularly.
  • Encourage teams to architect for cost.
  • Assign the responsibility of optimization to an individual or to a team.
Section 3 key takeaways

• Amazon EC2 pricing models include On-Demand Instances, Reserved Instances, Spot Instances, Dedicated Instances, and Dedicated Hosts.
• Spot Instances can be interrupted with a 2-minute notification. However, they can offer significant cost savings over On-Demand Instances.
• The four pillars of cost optimization are:
  • Right size
  • Increase elasticity
  • Optimal pricing model
  • Optimize storage choices
Thank you

© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior
written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections or feedback on the course, please email
us at: aws-course-feedback@amazon.com. For all other questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the
property of their owners.
Planning and Cloud Design - Basics
INFO-5112

Things are Changing…

• The “Old way” of thinking and design focused on fixed, rigid, and static models
  • Scale up (if insufficient resources)
  • Monolithic (single product, housed in a single place)
  • Stateful (everything was a fixed application that ran constantly, designed for offline applications)
  • Fixed capacity (no way to be elastic or proactive unless you allocated beforehand)
  • Focused on Active/Passive DR (Disaster Recovery) and perimeter security
  • Costs were fixed and constant (hardware, software)
The “New way” of doing things

• The Cloud model focuses on designing dynamic Cloud-Aligned architectures
  • Scale out (not up)
  • Distributed (not monolithic, spread out in different locations, geographical or otherwise)
  • Stateless (single sessions; applications are initialized at runtime or on user request, which means they don’t need to be kept as active resource consumers)
  • Elastic and flexible resource allocation
  • DR (Disaster Recovery) is always active, never an afterthought
  • Costs are on a pay-per-use basis
  • We shift CAPEX to OPEX (Capital to Operational expenditures)
Where do we start?

• Cloud design is a matter of planning
  • Careful decisions shape your cloud migration strategy, the applications you convert, and essentially your whole strategy
• You work from BIG to LITTLE
  • Look at the macro problem so that you can invent a solution to meet the needs of the business first
• Planning determines the outcome
  • Success or failure are determined by your plan and execution
  • You must understand the needs of the business, then map them to your project requirements
  • Ask why, what, how…
Where not to start

• Clouds are not the be-all end-all of a business plan
  • Don’t throw money or technology at your solution first. Doing so will cause you to try to iterate yourself out of it, which will lead to failure
• Don’t start at the LITTLE, working to the BIG
  • Doing so will lead you to redundancy and solutions that are not a best fit
  • You are looking for a solution that will fit your whole business plan, not a solution that meets only individual goals
• The solution should not be thought of, or designed, as heterogeneous
Prioritizing According to Business Drivers

 Increasing productivity
 Reducing time to market in new product
development
 Reducing production costs
 Optimizing product distribution and
delivery
 Increasing market share
 Increasing customer retention

The Definitive Guide to Cloud Computing (Dan Sullivan)


Outcomes of positive design decisions

• Successful implementation of a cloud solution
  • Selection of best service and deployment model
  • Aligning business values with actions (solution-to-business plan)
• Further reduced CAPEX and potentially reduced OPEX
  • Cloud solutions work on shifting CAPEX to OPEX for a better service to consumers
  • Cloud operations provide better services because of the original saving in the CAPEX area
• Lower TCO (total cost of ownership) due to careful planning and delivery
• Better stability
Outcomes of bad design decisions

• A solution that doesn’t make sense
  • Fragmented
  • Unnecessary
  • Overcomplicated
• Higher incurred costs
  • Costs that could be shifted to OPEX
• Less stable
• Less reliable
• Waste of time and resources
• Possibly affecting your reputation
Key outcomes of planning

• Understand your business
• Understand your requirements
  • Learn how to make your solution revolve around your requirements, not the other way around
• The business plan to move forward with
Things to keep in mind

• Things get real complicated, really quickly
  • Architecture, planning, and key decisions, when mapped, get complicated when you have enough of them
  • A system consists of many small bits of architecture and plans, like a puzzle
• Understand your own solution first
  • You need to know how your solution fits in
  • How to manage it and how to scale it
PLANNING YOUR CLOUD STRATEGY


A business case

• Why do we need a business case?
  • Should we even migrate to the cloud?
  • Does our company benefit from a cloud solution?
  • What will it accomplish?
  • Weigh the pros and cons
Example of a Business Case

• Three positive financial aspects of cloud:
  • Greater cost agility with infrastructure as a service — Cloud services have a high degree of cost variability, so expenses can quickly go down if demand for services is reduced.
  • Increased retained cash — By using cloud/on-demand services, CIOs do not have to invest upfront to buy IT infrastructure via regular refresh cycles.
  • Reduced opportunity costs — Opportunity costs are defined as the value foregone by pursuing a certain course of action. By choosing to use cloud/on-demand, a company can free up cash to invest in other parts of the business.
• Three negative financial aspects of cloud solutions:
  • Less cost agility with software as a service (SaaS) — SaaS providers are promising cost agility as one of the benefits; in reality, however, this is only working one way — up. Clients can end up paying more if they use more licenses, but not less if they don’t use as many.
  • Higher subscription fees — The total cost of ownership may be lower over five years, but the subscription fees are more than the perpetual licenses after year three or four; therefore, the savings need to be significant and ongoing to make cost lower after more than five to seven years.
  • High switching costs with SaaS — The cost to get data out and bring it back on-premises is high.

Source: http://www.gartner.com/smarterwithgartner/the-financial-case-for-moving-to-the-cloud/
Your requirements

Always determine your requirements
• You can’t design a cloud solution if you don’t know what you are looking for
• You need end-to-end visibility in your organization
• Determine what to move
• Require the input and assistance of subject matter experts and your C-level personnel
• Requirements can be:
  • Software
  • Hardware
  • Security
  • Compliance
  • Personal preference
Requirement Categories

The Definitive Guide to Cloud Computing (Dan Sullivan)


Additional Requirements

• Using cloud storage to store single copies of data that are accessed by multiple applications rather than duplicating data sets
• Reducing the number of ad hoc reporting tools as users standardize on the “best of breed” tools offered in the cloud’s service catalog
• New applications, such as statistical analysis and data mining of large customer transaction data sets, enabled by on‐demand access to compute and storage resources
Step 3 – See what’s out there (or in here)

Research cloud vendors (CSPs) and brokers (CSBs)
• Weigh pros and cons
• Compare with your requirements
• Determine the best or…
• Maybe roll your own cloud
• Carefully do your research to determine the best solution
• Look at things from different angles
Example of the market

Published Sep 6, 2019


To be continued…

Next Week’s Agenda:
• Continuing cloud planning and design
• Quiz 3
AWS Academy Cloud Foundations

Storage

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Overview

Topics
• Amazon Elastic Block Store (Amazon EBS)
• Amazon Simple Storage Service (Amazon S3)
• Amazon Elastic File System (Amazon EFS)
• Amazon Simple Storage Service Glacier

Demos
• Amazon EBS console
• Amazon S3 console
• Amazon EFS console
• Amazon S3 Glacier console

Lab
• Working with Amazon EBS

Activities
• Storage solution case study

Knowledge check
Objectives

After completing this module, you should be able to:


• Identify the different types of storage
• Explain Amazon S3
• Identify the functionality in Amazon S3
• Explain Amazon EBS
• Identify the functionality in Amazon EBS
• Perform functions in Amazon EBS to build an Amazon EC2 storage solution
• Explain Amazon EFS
• Identify the functionality in Amazon EFS
• Explain Amazon S3 Glacier
• Identify the functionality in Amazon S3 Glacier
• Differentiate between Amazon EBS, Amazon S3, Amazon EFS, and Amazon S3 Glacier
Core AWS services

(Diagram of core AWS services: Amazon Virtual Private Cloud (Amazon VPC); Amazon Elastic Compute Cloud (Amazon EC2); AWS Identity and Access Management (IAM); Storage: Amazon S3, Amazon EBS, Amazon EFS, Amazon S3 Glacier; Database: Amazon Relational Database Service, Amazon DynamoDB.)
Section 1: Amazon Elastic Block Store
(Amazon EBS)

© 2019 Amazon Web Services, Inc. or its Affiliates. All rights


reserved.
Storage

Amazon Elastic Block Store


(Amazon EBS)

© 2019 Amazon Web Services, Inc. or its Affiliates. All rights


6
reserved.
AWS storage options: Block storage versus object storage

What if you want to change one character in a 1-GB file?
• Block storage: change only the one block (piece of the file) that contains the character.
• Object storage: the entire file must be updated.
Amazon EBS

Amazon EBS enables you to create individual storage volumes and attach them to an Amazon EC2 instance:
• Amazon EBS offers block-level storage.
• Volumes are automatically replicated within their Availability Zone.
• Volumes can be backed up automatically to Amazon S3 through snapshots.
• Uses include:
  • Boot volumes and storage for Amazon Elastic Compute Cloud (Amazon EC2) instances
  • Data storage with a file system
  • Database hosts
  • Enterprise applications
Amazon EBS volume types

Amazon EBS volume type use cases
Amazon EBS features

• Snapshots –
  • Point-in-time snapshots
  • Recreate a new volume at any time
• Encryption –
  • Encrypted Amazon EBS volumes
  • No additional cost
• Elasticity –
  • Increase capacity
  • Change to different types
Amazon EBS: Volumes, IOPS, and pricing

1. Volumes –
  • Amazon EBS volumes persist independently from the instance.
  • All volume types are charged by the amount that is provisioned per month.
2. IOPS –
  • General Purpose SSD: charged by the amount that you provision in GB per month until storage is released.
  • Magnetic: charged by the number of requests to the volume.
  • Provisioned IOPS SSD: charged by the amount that you provision in IOPS (multiplied by the percentage of days that you provision for the month).
Amazon EBS: Snapshots and data transfer

3. Snapshots –
  • Added cost of Amazon EBS snapshots to Amazon S3 is per GB-month of data stored.
4. Data transfer –
  • Inbound data transfer is free.
  • Outbound data transfer across Regions incurs charges.
Section 1 key takeaways

Amazon EBS features:
• Persistent and customizable block storage for Amazon EC2
• HDD and SSD types
• Replicated in the same Availability Zone
• Easy and transparent encryption
• Elastic volumes
• Back up by using snapshots
Recorded demo: Amazon Elastic Block Store
Storage
Section 2: Amazon Simple Storage Service (Amazon S3)
Amazon S3 overview

• Data is stored as objects in buckets
• Virtually unlimited storage
• Single object is limited to 5 TB
• Designed for 11 9s of durability
• Granular access to bucket and objects
Amazon S3 storage classes

Amazon S3 offers a range of object-level storage classes that are designed for different use cases:
• Amazon S3 Standard
• Amazon S3 Intelligent-Tiering
• Amazon S3 Standard-Infrequent Access (Amazon S3 Standard-IA)
• Amazon S3 One Zone-Infrequent Access (Amazon S3 One Zone-IA)
• Amazon S3 Glacier
Amazon S3 bucket URLs (two styles)

To upload your data:
1. Create a bucket in an AWS Region.
2. Upload almost any number of objects to the bucket.

Bucket path-style URL endpoint:
https://s3.ap-northeast-1.amazonaws.com/bucket-name
(Region code first, then bucket name)

Bucket virtual hosted-style URL endpoint:
https://bucket-name.s3-ap-northeast-1.amazonaws.com
(Bucket name first, then Region code)

(Diagram: a bucket named bucket-name in the Tokyo Region (ap-northeast-1) holding the object Preview2.mp4.)
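As an added example (not code from the AWS course), the following Python splits both endpoint styles shown above into region, bucket and key, matching the whole host so that a name that merely contains an amazonaws.com label is rejected; that matters when such URLs are checked against an allowlist. The sample URLs are constructed.

```python
"""Recognise the two Amazon S3 endpoint styles from the slide.

Added example; not code from the AWS course. The sample URLs are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# DNS-compatible bucket names: 3-63 characters of lowercase letters,
# digits, dots and hyphens, starting and ending with a letter or digit.
_BUCKET_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9][a-z0-9.-]*[a-z0-9]$")
# Region codes such as ap-northeast-1 or eu-west-2.
_REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")

# Path-style host:           s3.<region>.amazonaws.com (older form: s3-<region>)
_PATH_HOST_RE = re.compile(r"^s3[.-]([a-z0-9-]+)\.amazonaws\.com$")
# Virtual hosted-style host: <bucket>.s3.<region>.amazonaws.com (or s3-<region>)
_VHOST_RE = re.compile(r"^(.+)\.s3[.-]([a-z0-9-]+)\.amazonaws\.com$")


@dataclass
class S3Ref:
    style: str           # "path" or "virtual-hosted"
    region: str
    bucket: str
    key: Optional[str]   # None when the URL names only the bucket


def parse_s3_url(url: str) -> S3Ref:
    """Split an S3 URL into its parts, raising ValueError for anything else.

    The host is matched as a whole, so 'bucket.s3.eu-west-1.amazonaws.com.example'
    is not mistaken for an AWS endpoint.
    """
    u = urlparse(url)
    if u.scheme != "https":
        raise ValueError("only https endpoints are accepted")
    host = u.hostname or ""          # lower-cased, port stripped
    path = u.path.lstrip("/")

    m = _PATH_HOST_RE.match(host)
    if m:
        style, region = "path", m.group(1)
        bucket, _, key = path.partition("/")      # first path label is the bucket
    else:
        m = _VHOST_RE.match(host)
        if not m:
            raise ValueError(f"not an Amazon S3 regional endpoint: {host!r}")
        style, bucket, region = "virtual-hosted", m.group(1), m.group(2)
        key = path                                # whole path is the key

    if not _BUCKET_RE.match(bucket):
        raise ValueError(f"invalid bucket name: {bucket!r}")
    if not _REGION_RE.match(region):
        raise ValueError(f"invalid region code: {region!r}")
    return S3Ref(style, region, bucket, key or None)


if __name__ == "__main__":
    for sample in (
        "https://s3.ap-northeast-1.amazonaws.com/bucket-name/media/welcome.mp4",
        "https://bucket-name.s3-ap-northeast-1.amazonaws.com",
    ):
        print(parse_s3_url(sample))
```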
Data is redundantly stored in the Region

(Diagram: the object media/welcome.mp4 in bucket my-bucket-name is stored in Facility 1, Facility 2, and Facility 3 within the Region.)
Designed for seamless scaling

(Diagram: bucket my-bucket-name holding media/welcome.mp4 and prod2.mp4 through prod12.mp4.)
Access the data anywhere

• AWS Management Console
• AWS Command Line Interface
• SDK
Common use cases

• Storing application assets
• Static web hosting
• Backup and disaster recovery (DR)
• Staging area for big data
• Many more…
Amazon S3 common scenarios

• Backup and storage
• Application hosting
• Media hosting
• Software delivery

(Diagram: a corporate data center and Amazon EC2 instances both using Amazon S3 buckets.)
Amazon S3 pricing

• Pay only for what you use, including –
  • GBs per month
  • Transfer OUT to other Regions
  • PUT, COPY, POST, LIST, and GET requests
• You do not pay for –
  • Transfers IN to Amazon S3
  • Transfers OUT from Amazon S3 to Amazon CloudFront or Amazon EC2 in the same Region
Amazon S3: Storage pricing

To estimate Amazon S3 costs, consider the following:
1. Storage class type –
  • Standard storage is designed for:
    • 11 9s of durability
    • Four 9s of availability
  • S3 Standard-Infrequent Access (S-IA) is designed for:
    • 11 9s of durability
    • Three 9s of availability
2. Amount of storage –
  • The number and size of objects
Amazon S3: Storage pricing (continued)

3. Requests –
  • The number and type of requests (GET, PUT, COPY)
  • Type of requests: different rates for GET requests than for other requests.
4. Data transfer –
  • Pricing is based on the amount of data that is transferred out of the Amazon S3 Region
  • Data transfer in is free, but you incur charges for data that is transferred out.
Section 2 key takeaways

• Amazon S3 is a fully managed cloud storage service.
• You can store a virtually unlimited number of objects.
• You pay for only what you use.
• You can access Amazon S3 at any time from anywhere through a URL.
• Amazon S3 offers rich security controls.
Recorded demo: Amazon Simple Storage Service
Storage
Section 3: Amazon Elastic File System (Amazon EFS)
Amazon EFS features

• File storage in the AWS Cloud
• Works well for big data and analytics, media processing workflows, content management, web serving, and home directories
• Petabyte-scale, low-latency file system
• Shared storage
• Elastic capacity
• Supports Network File System (NFS) versions 4.0 and 4.1 (NFSv4)
• Compatible with all Linux-based AMIs for Amazon EC2
Amazon EFS architecture

(Diagram: a VPC spanning Availability Zone A, Availability Zone B, and Availability Zone C. Each zone has a private subnet containing a network interface that serves as a mount target for the Elastic File System.)
Amazon EFS implementation

1. Create your Amazon EC2 resources and launch your Amazon EC2 instance.
2. Create your Amazon EFS file system.
3. Create your mount targets in the appropriate subnets.
4. Connect your Amazon EC2 instances to the mount targets.
5. Verify the resources and protection of your AWS account.
Amazon EFS resources

File system
• Mount target
  • Subnet ID
  • Security groups
  • One or more per file system
  • Create in a VPC subnet
  • One per Availability Zone
  • Must be in the same VPC
• Tags
  • Key-value pairs
Section 3 key takeaways

• Amazon EFS provides file storage over a network.
• Perfect for big data and analytics, media processing workflows, content management, web serving, and home directories.
• Fully managed service that eliminates storage administration tasks.
• Accessible from the console, an API, or the CLI.
• Scales up or down as files are added or removed, and you pay for what you use.
Recorded demo: Amazon Elastic File System
Storage
Section 4: Amazon S3 Glacier
Amazon S3 Glacier review

Amazon S3 Glacier is a data archiving service that is designed for security, durability, and an extremely low cost.
• Amazon S3 Glacier is designed to provide 11 9s of durability for objects.
• It supports the encryption of data in transit and at rest through Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
• The Vault Lock feature enforces compliance through a policy.
• Extremely low-cost design works well for long-term archiving.
• Provides three options for access to archives—expedited, standard, and bulk—retrieval times range from a few minutes to several hours.
Amazon S3 Glacier

• Storage service for low-cost data archiving and long-term backup
• You can configure lifecycle archiving of Amazon S3 content to Amazon S3 Glacier
• Retrieval options –
  • Standard: 3–5 hours
  • Bulk: 5–12 hours
  • Expedited: 1–5 minutes

(Diagram: an Amazon S3 bucket whose objects are archived to Amazon S3 Glacier after 30 days and deleted after 5 years.)
Amazon S3 Glacier use cases

• Media asset archiving
• Healthcare information archiving
• Regulatory and compliance archiving
• Scientific data archiving
• Digital preservation
• Magnetic tape replacement
Using Amazon S3 Glacier

• RESTful web services
• Java or .NET SDKs
• Amazon S3 with lifecycle policies
Lifecycle policies

Amazon S3 lifecycle policies enable you to delete or move objects based on age.

(Diagram: Preview2.mp4 starts in Amazon S3 Standard, moves to Amazon S3 Standard-Infrequent Access after 30 days, moves to Amazon S3 Glacier after 60 days, and is deleted after 365 days.)
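The 30/60/365-day flow in the diagram above, written as a lifecycle rule and checked offline; this is an added example, not code from the AWS course. The rule uses the dictionary shape that boto3's put_bucket_lifecycle_configuration expects, nothing here contacts AWS, and the rule ID and key prefix are placeholders.

```python
"""Lifecycle rule for the flow on the slide: Standard -> Standard-IA at
30 days -> Glacier at 60 days -> delete at 365 days.

Added example; not code from the AWS course. The rule uses the dictionary
shape boto3's put_bucket_lifecycle_configuration expects, but nothing here
contacts AWS; the prefix and rule ID are constructed placeholders.
"""
from typing import Dict, List

# S3 refuses transitions into the Infrequent Access classes earlier than 30
# days after creation, and objects must then spend 30 days in IA before a
# further transition to Glacier. A rule that breaks either is rejected when
# the configuration is applied, so it is worth checking before deployment.
MIN_DAYS_BEFORE_IA = 30
MIN_DAYS_IN_IA = 30

LIFECYCLE_RULE: Dict = {
    "ID": "archive-previews",          # placeholder rule name
    "Filter": {"Prefix": "media/"},    # placeholder key prefix
    "Status": "Enabled",
    "Transitions": [
        {"Days": 30, "StorageClass": "STANDARD_IA"},
        {"Days": 60, "StorageClass": "GLACIER"},
    ],
    "Expiration": {"Days": 365},
}


def validate_rule(rule: Dict) -> List[str]:
    """Return the constraints this rule violates (empty list when it is sound)."""
    problems: List[str] = []
    transitions = sorted(rule.get("Transitions", []), key=lambda t: t["Days"])
    days = [t["Days"] for t in transitions]
    if len(set(days)) != len(days):
        problems.append("two transitions on the same day")
    for t in transitions:
        if t["StorageClass"] in ("STANDARD_IA", "ONEZONE_IA") and t["Days"] < MIN_DAYS_BEFORE_IA:
            problems.append(f"{t['StorageClass']} transition before day {MIN_DAYS_BEFORE_IA}")
    for earlier, later in zip(transitions, transitions[1:]):
        if earlier["StorageClass"] in ("STANDARD_IA", "ONEZONE_IA") \
                and later["Days"] - earlier["Days"] < MIN_DAYS_IN_IA:
            problems.append(f"less than {MIN_DAYS_IN_IA} days in {earlier['StorageClass']}")
    expiry = rule.get("Expiration", {}).get("Days")
    if expiry is not None and days and expiry <= days[-1]:
        problems.append("expiration is not after the last transition")
    return problems


def storage_class_at(rule: Dict, age_days: int) -> str:
    """Storage class an object of this age is in under the rule; 'EXPIRED' once deleted."""
    expiry = rule.get("Expiration", {}).get("Days")
    if expiry is not None and age_days >= expiry:
        return "EXPIRED"
    current = "STANDARD"                       # class the object was uploaded in
    for t in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
        if age_days >= t["Days"]:
            current = t["StorageClass"]
    return current


if __name__ == "__main__":
    print("problems:", validate_rule(LIFECYCLE_RULE) or "none")
    for age in (0, 30, 59, 60, 364, 365):
        print(f"day {age:>3}: {storage_class_at(LIFECYCLE_RULE, age)}")
```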
Storage comparison

                     Amazon S3                      Amazon S3 Glacier
Data volume          No limit                       No limit
Average latency      ms                             minutes/hours
Item size            5 TB maximum                   40 TB maximum
Cost/GB per month    Higher cost                    Lower cost
Billed requests      PUT, COPY, POST, LIST, and GET UPLOAD and retrieval
Retrieval pricing    ¢ (per request)                ¢¢ (per request and per GB)
Server-side encryption

(Diagram: your applications on Amazon EC2, both in the corporate data center and in the AWS Cloud, send data over HTTPS. Amazon S3 Glacier: data is encrypted by default. Amazon S3: your application must enable server-side encryption.)
Security with Amazon S3 Glacier

• Control access with IAM
• Amazon S3 Glacier encrypts your data with AES-256
• Amazon S3 Glacier manages your keys for you
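The two slides above make the split explicit: Glacier encrypts with AES-256 by default, while for S3 the application has to ask for it. The following added example (not code from the AWS course) shows the put_object argument that sets the encryption header, a bucket policy that denies uploads without it, and a small offline model of that one Deny statement so the two can be checked together; bucket and key names are placeholders, and a real request also needs an Allow from IAM.

```python
"""Making S3 uploads encrypted at rest, as the slide requires of the application.

Added example; not code from the AWS course. PUT_SSE shows the put_object
argument that sets the x-amz-server-side-encryption header; the bucket
policy denies any PutObject without it. policy_allows_put() is a small
offline model of that one Deny statement only. Names are placeholders.
"""
from typing import Dict

BUCKET = "example-bucket"          # placeholder
SSE_HEADER = "x-amz-server-side-encryption"

# Weak: no encryption requested; stored in the clear unless the bucket
# has default encryption configured.
PUT_PLAIN: Dict = {"Bucket": BUCKET, "Key": "media/welcome.mp4", "Body": b"..."}

# Corrected: S3-managed AES-256 keys, the mechanism Glacier applies by default.
PUT_SSE: Dict = dict(PUT_PLAIN, ServerSideEncryption="AES256")

# Guardrail: reject uploads that omit the header, so one forgetful client
# cannot create an unencrypted object.
DENY_UNENCRYPTED_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Null": {f"s3:{SSE_HEADER}": "true"}},
    }],
}


def request_headers(put_args: Dict) -> Dict[str, str]:
    """Headers S3 would see for these put_object arguments."""
    headers: Dict[str, str] = {}
    if "ServerSideEncryption" in put_args:
        headers[SSE_HEADER] = put_args["ServerSideEncryption"]
    return headers


def policy_allows_put(policy: Dict, put_args: Dict) -> bool:
    """False when a Deny statement with a Null condition on the SSE header matches."""
    present = SSE_HEADER in request_headers(put_args)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for cond_key, want_null in stmt.get("Condition", {}).get("Null", {}).items():
            if cond_key == f"s3:{SSE_HEADER}":
                # Null:"true" matches when the key is absent; Null:"false" when present.
                if (not present) == (want_null == "true"):
                    return False
    return True


if __name__ == "__main__":
    for name, args in (("plain", PUT_PLAIN), ("sse", PUT_SSE)):
        verdict = "allowed" if policy_allows_put(DENY_UNENCRYPTED_POLICY, args) else "denied"
        print(f"{name}: {verdict}")
```

S3 has applied SSE-S3 to new objects by default since 2023, so today this policy mainly forces clients to state the encryption they expect; a client that omits the header would still get an encrypted object, but this Deny rejects the request.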
Section 4 key takeaways

• Amazon S3 Glacier is a data archiving service that is designed for security, durability, and an extremely low cost.
• Amazon S3 Glacier pricing is based on Region.
• Its extremely low-cost design works well for long-term archiving.
• The service is designed to provide 11 9s of durability for objects.
Recorded demo: Amazon S3 Glacier
Activity: Storage Case Studies

Photo by panumas nikhomkhai from Pexels. Photo by Pixabay from Pexels.
Storage case study activity

Case 1: A data analytics company for travel sites must store billions of customer events per day. They use the data analytics services that are in the diagram. The following diagram illustrates their architecture.

(Diagram: Amazon API Gateway, Amazon Kinesis, AWS Lambda, Amazon Kinesis Data Firehose, Amazon Elastic Container Service, Amazon Kinesis; Storage: ??)
Storage case study activity

Case 2: A collaboration software company processes email for enterprise customers. They have more than 250 enterprise customers and more than half a million users. They must store petabytes of data for their customers. The following diagram illustrates their architecture.

(Diagram: a corporate data center, Elastic Load Balancing in front of Amazon EC2 instances; Storage: ??)
Storage case study activity

Case 3: A data protection company must be able to ingest and store large amounts of customer data and help their customers meet compliance requirements. They use Amazon EC2 for scalable compute and Amazon DynamoDB for duplicate data and metadata lookups. The following diagram illustrates their architecture.

(Diagram: Clients, Amazon EC2, Amazon DynamoDB; Storage: ??)
Storage
Wrap-up
Module summary

In summary, in this module, you learned how to:
• Identify the different types of storage
• Explain Amazon S3
• Identify the functionality in Amazon S3
• Explain Amazon EBS
• Identify the functionality in Amazon EBS
• Perform functions in Amazon EBS to build an Amazon EC2 storage solution
• Explain Amazon EFS
• Identify the functionality in Amazon EFS
• Explain Amazon S3 Glacier
• Identify the functionality in Amazon S3 Glacier
• Differentiate between Amazon EBS, Amazon S3, Amazon EFS, and Amazon S3 Glacier
Sample exam question

A company wants to store data that is not frequently accessed. What is the best and cost-effective solution that should be considered?

A. AWS Storage Gateway
B. Amazon Simple Storage Service Glacier
C. Amazon Elastic Block Store (Amazon EBS)
D. Amazon Simple Storage Service (Amazon S3)
Additional resources

• AWS Storage page
• Storage Overview
• Recovering files from an Amazon EBS volume backup
• Confused by AWS Storage Options? S3, EFS, EBS Explained
Thank you

© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior
written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections or feedback on the course, please email
us at: aws-course-feedback@amazon.com. For all other questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the
property of their owners.
Lecture 2 – Cloud Basics
Continued
INFO 5112 – CLOUD SERVICES

Copyright, 2020 Fanshawe College


In the last lecture we covered…
What a Cloud is
Why Clouds and Cloud Services Exist
Benefits
Private Clouds (a Cloud Deployment Model)

Copyright, 2018 Fanshawe College


What will be covered this Lecture
Public and Hybrid Clouds (Cloud Deployment Models)
Cloud Service Models
◦ IaaS
◦ SaaS
◦ PaaS

As mentioned, these are only the basic concepts; this course will cover them in depth.

Public Clouds

What is Public Cloud?
A Cloud maintained and operated by a third party
◦ Cloud Service Provider (CSP)
Usually for-profit
◦ “Rented” to many tenants
◦ If you aren’t paying, then you’re the product
Compute and storage are not located on your premises
Pay for what you use (Usage-Based Billing)
◦ Like your hydro bill
A tradeoff between easier management and loss of control
Diverse geographical locations

Examples of Public Clouds

Cloud vendors – Amazon (AWS)
The leader of the public cloud market, released in 2006.
24 Regions (geographic areas) and 77 Availability Zones (data centers) around the globe. Planning to add 9 more Availability Zones.
1000+ different services covering many IT fields such as web, database, networking, IoT, and blockchain.
Characteristics: low cost, agility and instant elasticity, open, flexible, and secure.
AWS itself has never been hacked, but two customers (Aviva and Gemalto) have been affected by attacks that used their AWS infrastructure to mine cryptocurrency!!
Annual revenue in 2019 was $87.4 billion.
https://aws.amazon.com/

Cloud vendors - Microsoft (Azure)
Best vendor for hybrid cloud, released in 2010.
60+ regions with 40+ data centers in 140 countries.
Hundreds of products covering most IT fields, including web, mobile, database, IoT, blockchain, and cognitive services.
Characteristics: intelligent, trusted, secure, and pay less with licensed Microsoft products (5 times less than AWS)!!
Azure users experienced a 300% increase in cyber-attacks in 2016.
https://www.computerweekly.com/news/252489780/Organisations-locked-out-by-Azure-AD-crash
Annual revenue in 2019 was $125 billion.

Cloud vendors - IBM (Bluemix/Watson)
Best fit for private cloud, released in 2014.
6 regions with 18 availability zones containing 60 data centers. No change in their infrastructure in 2020!! (https://www.ibm.com/cloud/data-centers/)
Hundreds of products covering most IT fields, including web, mobile, database, IoT, blockchain, and Watson (AI platform).
Characteristics: better power, bandwidth, and performance; federated data centers; secure; and offers infrastructure built to government specifications.
There is no evidence that Bluemix or Watson has ever been hacked. A few reports also discuss the role of Watson in tracking cybersecurity crimes.
Annual revenue in 2019 was $21.2 billion.

Cloud vendors – Google Cloud Platform
One of the leading vendors in data analytics and advertising, released in 2008.
24 regions with 73 availability zones in 200+ countries and territories.
90+ products or categories covering most IT fields, including compute, storage and databases, networking, and big data.
Characteristics: provides smart and data analytics solutions; fast, scalable, and high performance; and encrypts data on the server side.
It has been subjected to many attacks by hackers in different countries aiming to steal sensitive and financial data.
Annual revenue in 2019 was $8.9 billion.

Cloud vendors – Alibaba
Released in 2009.
21 regions with 63 zones, most of them in Asia and Europe.
150+ products or categories such as e-commerce, big data, and IoT.
Characteristics: record-breaking performance, low latency, and data security and privacy.
It has been subjected to many attacks aimed at stealing user accounts. In 2016, there was an attempt to steal 20 million accounts.
Annual revenue in 2018 was $2.2 billion.
What do you think about Alibaba?

Benefits of a Public Cloud

Elastic on-demand and highly available resources
◦ Dynamically added and subtracted
◦ Seem like limitless resources
◦ Add and subtract on-demand
High availability
◦ Five Nines reliability and beyond, for competitiveness
◦ Near limitless redundancy
◦ Available anywhere, anytime
Benefit to consumers
◦ Client devices not as significant

Which cloud vendor is more reliable?

https://www.networkworld.com/article/3394341/when-it-comes-to-uptime-not-all-cloud-providers-are-created-equal.html

Drawbacks of a Public Cloud
Business relies on external provider (CSP)
◦ When it rains, it pours (CSP problems are your problems)
Data is not your data
◦ Data is not located on-site
◦ You may not be able to offer as granular customization as your clients would need
Limited customization
◦ You give up control for easier administration

Start-up Company!
How can you motivate an online retailer start-up company (e.g., one offering a new smart home cleaning robot) to move their business to a public cloud?
Which cloud vendor would you recommend for it? Why?

Public vs. Private cloud

PUBLIC
◦ Your data is secured, and you’re not alone when defending against attacks
◦ Your hardware is protected from failures
◦ Handle the sudden high peak demand
◦ Scale-up – add more resources
◦ Data traveling on the “wire”
◦ Cost and accessibility

PRIVATE
◦ Full control of the physical resources
◦ You know who can access what, when, and from where
◦ Can isolate data and infrastructure
◦ Scale-out – optimize current resources
◦ Security is your responsibility
◦ Maintenance, management, and expansion plans

Hybrid Clouds

What is a Hybrid Cloud?
Composition of two or more distinct cloud infrastructures (private, community, or
public) that remain unique entities
Are bound by standardized or proprietary technology that enables data and application
portability (for example, cloud bursting for load balancing between clouds.)

Benefits of a Hybrid Cloud

Cloud Bursting
◦ Used to offload resources into the cloud platform in times of heavy demand
◦ Allows for near unlimited resources
◦ Cost-effective and rapid
Application hosting
◦ Organizations pick what to host and where (e.g., website in the cloud, compute resources on-premises)
Package and Deploy applications
◦ Applications can reach a broader audience by being distributed through the Public Cloud
◦ Leverage the CDN (Content Delivery Network)
Application Development and Testing
◦ Utilize additional resources that are not available in-house (compute nodes of AWS, for example)

Drawbacks of a Hybrid Cloud

Cost
◦ Integration of traditional systems may be costly to offload to the Private Cloud (e.g., bursting static content will not work)
◦ Your organization must make sense of what to deploy to the cloud
Offloading mission critical content
◦ You introduce a potential security loophole
◦ Only as reliable as the CSP is
Compatibility
◦ Can your internal infrastructure handle the cloud requirements?
◦ e.g., is your bandwidth sufficient to serve the product hosted on the cloud?

Cloud Service Models

What is a Cloud Service Model
A Cloud Service Model specifies the service and the capabilities provided to consumers
Split into the following three main categories
◦ Infrastructure as a Service (IaaS)
◦ Platform as a Service (PaaS)
◦ Software as a Service (SaaS)

Other services do exist, but are not covered (BaaS – Backup, NaaS – Network, etc.)

IaaS – Infrastructure as a Service

The “Host” – the infrastructure
Designed to replace what’s located in traditional datacenters
The CSP (Cloud Service Provider) does the hosting in their datacenter:
◦ Hardware
◦ Software
◦ Servers
◦ Storage
◦ Networking
Works similar to a traditional timesharing service
Customers provision resources on demand

IaaS – Cont’d
Customers purchase “Virtual bare-metal”
◦ VMs
◦ Storage
◦ Compute
◦ Network Infrastructure (SDN – Software Defined Networking)
Customers have full control of the internal IaaS (such as VMs)
CSPs deploy and manage the underlying infrastructure
Shared as multi-tenant models in a Public/Hybrid cloud
Shared within the organization in a Private cloud
Billed on usage or resources
Most Private clouds are IaaS by nature

IaaS – a Logical View

IaaS Examples

AWS – Dominates the IaaS market; the largest IaaS provider
VMware vCloud Air – a latecomer to the Cloud game, but a big name in virtualization

PaaS
The “Build-on” platform
Designed to replace development tools
Consumer is provided the ability to deploy onto the platform
Applications deployed on the platform:
◦ Web Hosting (e.g., WordPress, WIS (Windows, IIS and SQL) or LAMP (Linux, Apache, MySQL, PHP))
Provider manages all infrastructure, operating system, network, hardware, etc.

PaaS – Cont’d
Can be used to extend a service
◦ Develop a Website
◦ Develop a Web Application
Can be used as a test platform
◦ Test code, applications, etc.

PaaS – A Logical View

PaaS Examples

Azure – Dominates the PaaS development world by providing a myriad of both open source and closed source platforms
Google App Engine – an application development platform as well as a hosting service

SaaS

The “Consume” item
Designed to replace traditional applications (e.g., Microsoft Word)
The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure
The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings
Examples: Web-Based Email

SaaS – A Logical View

SaaS Examples

Salesforce is the largest SaaS provider. Provides CRM, Sales Automation and more
Google Cloud Platform provides a lot of tools such as machine learning, analytics and big data analytics

In a nutshell…

https://azure.microsoft.com/en-ca/overview/what-is-paas/

AWS Academy Cloud Foundations

AWS Global Infrastructure Overview

Overview

Topics
• AWS Global Infrastructure
• AWS service and service category overview

Activities
• AWS Management Console clickthrough

Demo
• AWS Global Infrastructure

Knowledge check
Objectives

After completing this module, you should be able to:
• Identify the difference between AWS Regions, Availability Zones, and edge locations
• Identify AWS service and service categories
AWS Global Infrastructure Overview
Section 1: AWS Global Infrastructure
AWS Global Infrastructure
• The AWS Global Infrastructure is designed and built to deliver a flexible, reliable, scalable, and secure
cloud computing environment with high-quality global network performance.
• This map from https://infrastructure.aws shows the current AWS Regions and more that are coming soon.

AWS Global Infrastructure Details
AWS Regions

• An AWS Region is a geographical area.
• Data replication across Regions is controlled by you.
• Communication between Regions uses AWS backbone network infrastructure.
• Each Region provides full redundancy and connectivity to the network.
• A Region typically consists of two or more Availability Zones.

Example: London Region
Selecting a Region

Determine the right Region for your services, applications, and data based on these factors:
• Data governance, legal requirements
• Proximity to customers (latency)
• Services available within the Region
• Costs (vary by Region)
Availability Zones

• Each Region has multiple Availability Zones.
• Each Availability Zone is a fully isolated partition of the AWS infrastructure.
  • There are currently 69 Availability Zones worldwide
  • Availability Zones consist of discrete data centers
  • They are designed for fault isolation
  • They are interconnected with other Availability Zones by using high-speed private networking
• You choose your Availability Zones.
• AWS recommends replicating data and resources across Availability Zones for resiliency.

Diagram: AWS Cloud > Region eu-west-1 > Availability Zones eu-west-1a, eu-west-1b and eu-west-1c, each containing several data centers.
AWS data centers

• AWS data centers are designed for security.
• Data centers are where the data resides and data processing occurs.
• Each data center has redundant power, networking, and connectivity, and is housed in a separate facility.
• A data center typically has 50,000 to 80,000 physical servers.
Points of Presence

• AWS provides a global network of 187 Points of Presence locations
  • Consists of 176 edge locations and 11 Regional edge caches
• Used with Amazon CloudFront
  • A global Content Delivery Network (CDN) that delivers content to end users with reduced latency
  • Regional edge caches are used for content with infrequent access.
AWS infrastructure features

• Elasticity and scalability
  • Elastic infrastructure; dynamic adaptation of capacity
  • Scalable infrastructure; adapts to accommodate growth
• Fault-tolerance
  • Continues operating properly in the presence of a failure
  • Built-in redundancy of components
• High availability
  • High level of operational performance
  • Minimized downtime
  • No human intervention

Diagram: an AWS Region containing multiple Availability Zones, each made up of physically distinct data centers with backup generators, uninterruptible power supply, network connectivity and cooling equipment.
Key takeaways

• The AWS Global Infrastructure consists of Regions and Availability Zones.
• Your choice of a Region is typically based on compliance requirements or to reduce latency.
• Each Availability Zone is physically separate from other Availability Zones and has redundant power, networking, and connectivity.
• Edge locations and Regional edge caches improve performance by caching content closer to users.
AWS Global Infrastructure Overview

Section 2: AWS services and service category overview
AWS foundational services

Applications: Virtual desktops; Collaboration and sharing

Platform Services:
• Databases: Relational, NoSQL, Caching
• Analytics: Cluster computing, Real-time, Data warehouse, Data workflows
• Application services: Queuing, Orchestration, App Streaming, Transcoding, Email, Search
• Deployment and management: Containers, DevOps tools, Resource templates, Usage tracking, Monitoring and logs
• Mobile Services: Identity, Sync, Mobile Analytics, Notifications

Foundation Services: Compute (virtual, automatic scaling, and load balancing); Networking; Storage (object, block, and archive)

Infrastructure: Regions; Availability Zones; Edge locations
AWS categories of services

• Analytics
• Application Integration
• AR and VR
• Blockchain
• Business Applications
• Compute
• Cost Management
• Customer Engagement
• Database
• Developer Tools
• End User Computing
• Game Tech
• Internet of Things
• Machine Learning
• Management and Governance
• Media Services
• Migration and Transfer
• Mobile
• Networking and Content Delivery
• Robotics
• Satellite
• Security, Identity, and Compliance
• Storage
Storage service category

AWS storage services:
• Amazon Simple Storage Service (Amazon S3)
• Amazon Elastic Block Store (Amazon EBS)
• Amazon Elastic File System (Amazon EFS)
• Amazon Simple Storage Service Glacier

Photo from https://www.pexels.com/photo/black-and-grey-device-159282/
Compute service category

AWS Compute services:
• Amazon EC2
• Amazon EC2 Auto Scaling
• Amazon Elastic Container Service (Amazon ECS)
• Amazon EC2 Container Registry
• AWS Elastic Beanstalk
• AWS Lambda
• Amazon Elastic Kubernetes Service (Amazon EKS)
• AWS Fargate

Photo from https://www.pexels.com/photo/technology-computer-lines-board-50711/
Database service category

AWS Database services:
• Amazon Relational Database Service
• Amazon Aurora
• Amazon Redshift
• Amazon DynamoDB

Photo from https://aws.amazon.com/compliance/data-center/data-centers/
Networking and content delivery service category

AWS networking and content delivery services:
• Amazon VPC
• Elastic Load Balancing
• Amazon CloudFront
• AWS Transit Gateway
• Amazon Route 53
• AWS Direct Connect
• AWS VPN

Photo by Umberto on Unsplash
Security, identity, and compliance service category

AWS security, identity, and compliance services:
• AWS Identity and Access Management (IAM)
• AWS Organizations
• Amazon Cognito
• AWS Artifact
• AWS Key Management Service
• AWS Shield

Photo by Paweł Czerwiński on Unsplash
AWS cost management service category

AWS cost management services:
• AWS Cost and Usage Report
• AWS Budgets
• AWS Cost Explorer

Photo by Alexander Mils on Unsplash
Management and governance service category

AWS management and governance services:
• AWS Management Console
• AWS Config
• Amazon CloudWatch
• AWS Auto Scaling
• AWS Command Line Interface
• AWS Trusted Advisor
• AWS Well-Architected Tool
• AWS CloudTrail

Photo by Marta Branco from Pexels
Activity: AWS Management Console clickthrough

Photo by Pixabay from Pexels.
Hands-on activity: AWS Management Console clickthrough

1. Launch the Sandbox hands-on environment and connect to the AWS Management Console.
2. Explore the AWS Management Console.
A. Click the Services menu.
B. Notice how services are grouped into service categories. For example, the EC2 service appears in the Compute service category.
Question #1: Under which service category does the IAM service appear?
Question #2: Under which service category does the Amazon VPC service appear?
C. Click the Amazon VPC service. Notice that the dropdown menu in the top-right corner displays an AWS Region (for example, it might display N. Virginia).
D. Click the Region menu and switch to a different Region. For example, choose EU (London).
E. Click Subnets (on the left side of the screen). The Region has three subnets in it. Click the box next to one of the subnets. Notice that the bottom half of the screen now displays details about this subnet.
Question #3: Does the subnet you selected exist at the level of the Region or at the level of the Availability Zone?
F. Click Your VPCs. An existing VPC is already selected.
Question #4: Does the VPC exist at the level of the Region or the level of the Availability Zone?
Question #5: Which services are global instead of Regional? Check Amazon EC2, IAM, Lambda, and Route 53.
Activity answer key

• Question #1: Under which service category does the IAM service appear?
• Answer: Security, Identity, & Compliance.

• Question #2: Under which service category does the Amazon VPC service appear?
• Answer: Networking & Content Delivery

• Question #3: Does the subnet that you selected exist at the level of the Region or the level of the
Availability Zone?
• Answer: Subnets exist at the level of the Availability Zone.

• Question #4: Does the VPC exist at the level of the Region or the level of the Availability Zone?
• Answer: VPCs exist at the Region level.

• Question #5: Which of the following services are global instead of Regional? Check Amazon
EC2, IAM, Lambda, and Route 53.
• Answer: IAM and Route 53 are global. Amazon EC2 and Lambda are Regional.
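Added example (not from the AWS Academy slides or the course material) that encodes the structural rules behind questions 3 and 4 and the earlier slide's advice to replicate across Availability Zones: a VPC is a Region-level object, a subnet belongs to exactly one Availability Zone of its VPC's Region, and a deployment should span at least two Availability Zones. The Region/AZ topology and every resource identifier below are constructed sample data, not a live account.

```python
"""Offline consistency check of a deployment plan against the Region /
Availability Zone rules in these slides. Added example, not AWS material;
the topology and identifiers are constructed (eu-west-1a/b/c naming as on
the Availability Zones slide)."""
from dataclasses import dataclass

# Constructed sample topology: Region -> its Availability Zones.
REGIONS = {
    "eu-west-1": {"eu-west-1a", "eu-west-1b", "eu-west-1c"},
    "us-east-1": {"us-east-1a", "us-east-1b"},
}


@dataclass(frozen=True)
class Vpc:
    vpc_id: str
    region: str          # VPCs exist at the Region level (answer key, Q4)


@dataclass(frozen=True)
class Subnet:
    subnet_id: str
    vpc_id: str
    az: str              # subnets exist at the AZ level (answer key, Q3)


@dataclass(frozen=True)
class Instance:
    instance_id: str
    subnet_id: str       # an instance inherits its AZ from its subnet


def check_plan(vpcs, subnets, instances, min_azs=2):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    vpc_by_id = {v.vpc_id: v for v in vpcs}
    subnet_by_id = {s.subnet_id: s for s in subnets}

    for v in vpcs:
        if v.region not in REGIONS:
            findings.append(f"{v.vpc_id}: unknown Region {v.region}")

    for s in subnets:
        vpc = vpc_by_id.get(s.vpc_id)
        if vpc is None:
            findings.append(f"{s.subnet_id}: references unknown VPC {s.vpc_id}")
        elif s.az not in REGIONS.get(vpc.region, set()):
            # An AZ-level object cannot sit outside its VPC's Region.
            findings.append(f"{s.subnet_id}: AZ {s.az} is not in Region {vpc.region}")

    # Resiliency: the instances of each VPC should span at least min_azs AZs.
    azs_used = {}
    for i in instances:
        s = subnet_by_id.get(i.subnet_id)
        if s is None:
            findings.append(f"{i.instance_id}: references unknown subnet {i.subnet_id}")
            continue
        azs_used.setdefault(s.vpc_id, set()).add(s.az)
    for vpc_id, azs in azs_used.items():
        if len(azs) < min_azs:
            findings.append(f"{vpc_id}: instances span {len(azs)} AZ(s), fewer than {min_azs}")
    return findings
```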
Additional resources

• AWS Global Infrastructure

• AWS Global Infrastructure Region Table

• AWS Cloud Products

Thank you

© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission
from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections or feedback on the course, please email us at: aws-course-
feedback@amazon.com. For all other questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.
Lecture 1 – Cloud Basics
INFO 5112 – CLOUD SERVICES

Copyright, 2020 Fanshawe College


Instructor Information
Hany ElYamany
◦ PhD in Software Engineering

◦ Contact: helyamany@fanshaweonline.ca (emails answered within 48 hours maximum)


What are we going to learn?
What’s a Cloud / What’s a Cloud Service

Cloud Management Platforms, tools and services
◦ IaaS – Infrastructure as a Service (e.g., AWS & Microsoft Azure)
◦ SaaS – Software as a Service (e.g., Google apps)
◦ PaaS – Platform as a Service (e.g., Windows Azure)

Types of Clouds/Deployment Models:
◦ Private
◦ Public
◦ Hybrid


Learning Outcomes – Cont’d
Security
◦ Fewer Attack Vectors
◦ Security Policies
◦ Security Operations (Proactive vs. Reactive, methods of defense)

Best Practices – CloudOps

Reasons to move to Cloud (and some not to)
Data Governance


KVH Datacenter – Tokyo, Japan
https://upload.wikimedia.org/wikipedia/commons/3/3c/KVH_Tokyo_Data_Center_2.png



Evaluation

Tests (30%) - Online
◦ Midterm Test: Week 5
◦ Final Test: Week 13
Quizzes (30%) - Online
◦ 8 quizzes (check course plan on FOL for their times) – each is only 20 mins (1:30-1:50).
Labs (20%)
◦ 8 AWS Labs
CIO Project (20%)
◦ A group assignment – each group is 4 students.


What is a Cloud?
All clouds are Datacenters (or more than one!)
Consist of Compute and Storage Resources Connected by a Network
Virtualized into a shared pool of resources
Intelligently and Automatically orchestrated
◦ Arranged to deliver a service
Enable a shared pool of resources to be accessed remotely, efficiently and
enable the end user to take advantage of the orchestration.
Offered by a CSP (Cloud Service Provider) or through CSBs (Cloud Service
Brokerage)



CSP - Cloud Service Providers
Cloud Service Providers provide the underlying service for your cloud:
◦ Compute
◦ Storage
Google Cloud Platform, Microsoft Azure, Amazon Web Services



CSB - Cloud Service Brokerage
An IT role and business model
Negotiates relationships between cloud providers and cloud consumers
Offers integration between the organization and CSPs
◦ Consulting
◦ Integration services (on-site installation)
Can offer packages or standalone services


Why go Cloud?
Quick resource provisioning
◦ On demand, burst, dynamic, flexible
Reduce IT Costs
◦ Up-front infrastructure costs (CAPEX – Capital Expenditure)
◦ Level the playing field (allows small companies to compete)
High availability
◦ High uptime
◦ Fault tolerance
◦ Backups
Flexibility of access



What does Cloud Computing mean to you?
https://upload.wikimedia.org/wikipedia/commons/8/80/Datacenter_Cloudwatt.jpg



NIST (National Institute of Standards and Technology)
Definition
The NIST definition lists five essential characteristics of cloud computing:
◦ on-demand self-service
◦ broad network access
◦ resource pooling
◦ rapid elasticity or expansion
◦ and measured service

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf


On-Demand Self-Service
A consumer can unilaterally provision computing capabilities, such as server time and
network storage, as needed automatically without requiring human interaction with
each service provider

In cloud computing, the consumers have the ability to provision any IT resource that
they require on demand from a cloud, at any time they want. Self-service means that
the consumers themselves carry out all the activities required to provision the cloud
resource.



Broad Network Access
Capabilities are available over the network and accessed through standard mechanisms
that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones,
tablets, laptops, and workstations).
Consumers access cloud services on any client/end-point device from anywhere over a
network, such as the Internet or an organization’s private network.
E.g., a cloud application such as Google Docs is designed so that it is accessed and used
at any time over the Internet. Users can access and edit documents from any Internet-
connected device, eliminating the need to install the application or any specialized client
software on the device.


Resource Pooling
The provider’s computing resources are pooled to serve multiple consumers using a
multi-tenant model, with different physical and virtual resources dynamically assigned
and reassigned according to consumer demand
There is a sense of location independence in that the customer generally has no control
or knowledge over the exact location of the provided resources but may be able to
specify location at a higher level of abstraction (e.g., country, state, or datacenter)
Examples of resources include storage, processing, memory, and network bandwidth.

http://www.informit.com/articles/article.aspx?p=2093407&seqNum=2



Rapid Elasticity
Rapid elasticity refers to the ability for consumers to quickly request, receive, and later
release as many resources as needed
The characteristic of rapid elasticity gives consumers a sense of availability of unlimited
IT resources that can be provisioned at any time.
It enables consumers to adapt to the variations in workloads by quickly and dynamically
expanding (scaling outward) or reducing (scaling inward) IT resources, and to
proportionately maintain the required performance level (e.g., at the launch of a new
service)


Measured Service
Cloud systems automatically control and optimize resource use by leveraging a metering
capability at some level of abstraction appropriate to the type of service (e.g., storage,
processing, bandwidth, and active user accounts). Resource usage can be monitored,
controlled, and reported, providing transparency for both the provider and consumer of
the utilized service.
For Profit
For Reports
Presented to Consumer



Cloud Deployment Models
A cloud deployment model provides a basis for how cloud infrastructure is
built, managed, and accessed
Divided into 4 main groups:
◦ Public cloud
◦ Private cloud
◦ Hybrid cloud
◦ Community cloud (Not discussed)
Each deployment can offer any of the service models (IaaS, PaaS, SaaS)
The different deployment models present a number of benefits, drawbacks
and limitations. We will discuss the advantages and disadvantages of each in
detail



3 Types of Clouds – Cloud Deployment Models
The types of Clouds are known as “Cloud Deployment Models”
Private (The one we will cover today)
◦ Most Secure
◦ On Premises
◦ Single Customer
Public
◦ Elastic
◦ Agile
◦ Accessible
Hybrid
◦ Seamless
◦ Transitionary



Private Cloud
Tend to dwell on-premises
◦ Single tenant
Fully adhere to organizational guidelines and policies
◦ Data Governance
◦ Your policies
Best described as an Infrastructure as a Service for a single client
◦ No resource sharing
Give you full control
Multiple Types:
◦ Software Solutions (i.e. IBM QRadar – a Security Information and Event Management
Product)
◦ Appliances or Pre-integrated solutions (i.e. hardware/software solutions)
◦ Managed Private Clouds – Managed by a 3rd Party (i.e. Dell KACE Appliance)



Examples of Private Clouds
ESXi on-premises, combined with SAN storage to run a service (i.e. Exchange Server, or
SQL Server)
The G1013 Datacenter at Fanshawe
Fanshawe’s Active Directory


Benefits of a Private Cloud
Increased Security
◦ Hardware on-site
◦ Corporate policy/data governance is on-site
◦ Sometimes the only option

Potentially Lower Costs


◦ Depending on requirements

Most Customization
◦ Best fit for your organization
◦ You control what you need

Gain the benefits of cloud architecture without exposing your servers to external factors (Storage,
Compute)
Drawbacks of a Private Cloud
Lower Scalability / Agility
◦ Resources may be limited in a Private Cloud
◦ No room for “Burst resources”

Potentially More Expensive


◦ Depending on the tasks
◦ Application resource consumption is not dynamically allocated
◦ May not offer vast network connectivity

Less reliable
◦ Downtime, Backups, Geographical availability
◦ Backups usually stored on site
