Lecture 10 - Cloud Future (16 Files Merged)
After moving to the cloud, you may want to measure some variables that show how the cloud vendor handles your service(s) on the cloud:
Connection speed: the speed at which you connect to the vendor’s cloud.
Datastore delete time: how long it takes to delete the datastore.
Datastore read time: how long it takes to read data.
Deployment latency: the time between when an application is posted and when it is ready to use.
Lag time: how slow the system is.
Cloud monitoring tools
Do not wait until minor issues turn into major ones that come down on your business like a hammer!!
Monitoring gives you an idea of how your service(s) perform on the cloud in terms of utilization, performance, application health, etc.!
It may also give you insights when something goes wrong (e.g., AWS went dark in 2021):
https://fortune.com/2021/10/12/amazon-web-services-aws-offline-error/
Cloud monitoring tools
Amazon Cloudwatch
Microsoft cloud monitoring
AppDynamics (Cisco acquired it in 2017)
BMC TrueSight Pulse (for multi-cloud operations performance and cost management)
CA Unified Infrastructure Management
Future of cloud – Technology!
• Serverless computing: focusing more on coding while reducing or eliminating operational concerns around compute, network, and storage resources. Amazon’s CTO has called serverless computing the “next generation of how we build our systems.”
• Edge computing: Internet of Things along with cloud computing – from centralized to distributed data processing!
• MLaaS-based products: Machine Learning as a Service – the growth of artificial intelligence and data mining applications.
• Hybrid clouds: the hybrid cloud will amount to a $100bn industry by 2023.
• Quantum computing: all cloud vendors use quantum physics to increase the processing power of computers and leverage the best cloud-based tools.
Future of cloud – Technology!
• https://phoenixnap.com/blog/cloud-monitoring-tools
• https://www.softwaretestinghelp.com/cloud-monitoring-tools/
• https://aws.amazon.com/cloudwatch/pricing/
• https://www.forbes.com/sites/bernardmarr/2021/10/25/the-5-biggest-cloud-computing-trends-in-2022/?sh=45f53c3e2267
• https://www.zdnet.com/article/single-vendor-approach-to-cloud-computing-is-dead-says-ibm/
Before you start!
Cloud planning.
Business requirements and goals.
Service-level agreements (SLA) (availability, performance, etc.).
Cloud Services (IaaS, SaaS, PaaS).
Cloud Delivery models (Private, Public, Hybrid).
Estimated budget.
Politics, regulations, standards, and stakeholders.
DO NOT REINVENT THE WHEEL!
Step 1 - Establishing a Private Cloud
Hardware for a private cloud
Networking services
Application stacks
Hardware for a private cloud
Server and network equipment
Data center with adequate space
Cable types, management and organization (e.g., a fiber optic solution)
Internet speed (minimum 3 Mbps for a solution, or even more!)
Only one ISP is not enough!
Environmental issues: power, cooling, fire prevention, physical security
Redundancy to prevent single points of failure: disaster recovery, backups, data replication, redundant components (routers and switches)
Network services
Network devices such as routers and switches, and network cabling.
Management policies
• Privileges and limits on the VM number, types and duration for each project
• Access control policies for VM and storage allocations
• Backup services
• SLA limitation and cost
• Data retention and destruction policies
Capacity planning
Availability management: the process of ensuring compute and storage resources are available as needed to meet SLAs.
Service validation and release management: procedures for testing and deploying new services to the cloud.
Usage tracking and accounting services
• Collect and maintain detailed information about use; for example, at the user and image level
• Analyze the current statistics, predict the future, and produce the necessary reports.
How many physical servers will be needed to support all SLAs (rather than to support each department)?
Case study – AWS Outposts
Run AWS infrastructure on-premises for a consistent hybrid cloud experience.
AWS Outposts come in two varieties:
1) VMware Cloud on AWS Outposts allows you to use the same VMware control plane and APIs you use to run your infrastructure.
2) The AWS native variant of AWS Outposts allows you to use the exact same APIs and control plane you use in the AWS Cloud, but on premises.
References
• https://www.openstack.org/
• https://www.realtimepublishers.com/chapters/1749/dgcc-10.pdf
• https://pages.awscloud.com/rs/112-TZM-766/images/Building-Your-Hybrid-Cloud-Strategy-eBook.pdf
• https://aws.amazon.com/outposts/
• https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/integration-with-aws-cloudformation-and-openstack-heat/chapter-4-cloudformation-provisioning-via-services
• https://www.ansible.com/use-cases/configuration-management
Security IV – Policy Document
Overview (Solutions Spotlight)
Adapted from Microsoft, © 2020 Microsoft Corporation.
Goals
https://globalsign.ssllabs.com/
https://owasp.org/www-project-top-ten/
https://www.microsoft.com/en-us/securityengineering/sdl/practices
https://docs.microsoft.com/en-us/azure/service-fabric/
https://aka.ms/MCRA Video Recording Strategies
Office 365
Azure Sentinel – Cloud Native SIEM and SOAR (Preview)
+Monitor
Security III – Policy Document
Overview (Solutions Spotlight)
Adapted from Microsoft, © 2017 Microsoft Corporation.
Goals
Microsoft recommends developing policies for how to evaluate, adopt, and use cloud
services to minimize creation of inconsistencies and vulnerabilities that attackers can
exploit. Ensure governance and security policies are updated for cloud services and
implemented across the organization:
Identity policies
Data policies
Compliance policies and documentation
Administrative Privilege Management
Your IT administrators have control over the cloud services and identity management
services. Consistent access control policies are a dependency for cloud security.
Privileged accounts, credentials, and workstations where the accounts are used must be
protected and monitored.
Identity Systems and Identity Management
Identity services provide the foundation of security systems. Most enterprise organizations
use existing identities for cloud services, and these identity systems need to be secured at
or above the level of cloud services.
Threat Awareness
Organizations face a variety of security threats with varying motivations. Evaluate the
threats that apply to your organization and put them into context by leveraging resources
like threat intelligence and Information Sharing and Analysis Centers (ISACs).
https://www.it-isac.org/
Data Protection
You own your data and control how it should be used, shared, updated, and published.
You should classify your sensitive data and ensure it is protected and monitored with
appropriate access control policies wherever it is stored and while it is in transit.
Many international, industry, and regional organizations independently certify that
Microsoft cloud services and platforms meet rigorous security standards and are trusted.
By providing customers with compliant, independently verified cloud services, Microsoft
also makes it easier for you to achieve compliance for your infrastructure and
applications.
This section summarizes the top certifications. For a complete list of security certifications
and more information, see the Microsoft Trust Center.
Full Compliance https://www.microsoft.com/en-us/TrustCenter/Compliance/default.aspx
ISO 27001 - helps organizations keep information assets secure
ISO 27017 - Code of practice for information security controls (Cloud-focused)
ISO 27018 - Control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information
SOC - service organization's internal controls for security, availability, processing integrity, confidentiality or privacy
HIPAA / HITECH - Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act
PCI DSS - Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major cards
FERPA - Family Educational Rights and Privacy Act
CDSA - Content Delivery & Security Association (https://www.microsoft.com/en-us/trustcenter/Compliance/CDSA)
CSA STAR - service organization's internal controls for security, availability, processing integrity, confidentiality or privacy
These are extremely helpful for you if you intend to deal in different geographical regions.
If I had to summarize Cloud Security in one concept – it would be “GDPR”
General Data Protection Regulation
EU-centric
Can be applied anywhere
Deals with how end user data is stored, handled and processed, as well as internal business processes that come in contact with personal data
Came into effect May 25th, 2018
Microsoft’s in-house testing methodologies based on “Assume Breach” tactics
These allow them to test live environments for maximum security
https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf
Security in a Cloud Enabled World (INFO-5112)
From the previous slides…
You should have a fundamental understanding of the basic security principles covered in the previous slides
We are still in the building blocks of the fundamentals of the course
Security in the cloud is a joint effort
CSPs (Cloud Service Providers) build clouds not only on a technical level, but on a level of trust and security
They have your data:
HR
Financial
Private and Confidential
They have to build trust by providing a reliable and secure infrastructure and environment
Your role in security
Cloud providers and customers typically look for the following categories of “principles”, which act as the “defining pillars of trust” for many CSPs and are directly tied to SLAs
A non-exhaustive, but generally well-utilized list:
Security
Privacy
Control
Compliance
Transparency
Pillar: Security
This usually is defined as the ability to safeguard data, access, and protect against both
internal and external threats
Built on technologies and policies
Such as encryption
Data retention standards
Internal Policies
Antivirus
Identity Management
Access Management
Logging (monitoring traffic, access, health status, etc.)
Pillar: Privacy
To ensure that your data is only used for the purposes defined in policies
To prevent unauthorized use and access of data
Pillar: Control
To ensure compliance with industry standards (further reinforcing trust through audits)
Policies such as (broadly applicable):
ISO 27001: policies and procedures that include all legal, physical and technical controls involved in an organization's information risk management processes
ISO 27017: gives guidelines for information security controls applicable to the provision and use of cloud services
ISO 27018: establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information
SOC 1/2/3: internal controls for security, availability, processing integrity, confidentiality or privacy
CSA STAR: a rigorous third-party independent assessment of the security of a cloud service provider
Pillar: Transparency
https://mva.microsoft.com/en-us/training-courses/security-in-a-cloudenabled-world-12725?l=CfLHobAcB_3904300474
See the above Microsoft page on Security
Varying security standards: SaaS
CSP Responsibilities:
Secure Infrastructure
Secure OS
Application Layer
Data secure between CSP and customer
Customer responsibility:
Control data
Control access
Varying security standards: PaaS
CSP Responsibilities:
Secure Infrastructure
Secure OS
Application Layer
Data secure between CSP and customer
Customer responsibility:
Control data
Control access
Control all code and development environment settings
Varying security standards: IaaS
CSP Responsibilities:
Secure Infrastructure
Customer responsibility:
Control OS/Virtualized infrastructure
Control data
Control access
A typical model
Introduction to Encryption in Office 365
Published March 1, 2018
EXECUTIVE SUMMARY
• Encryption can help with data security and data privacy by providing an added layer of defense in
depth to protect customer data, but keep in mind that SaaS features require the ability to reason, or
• Microsoft uses some of the strongest encryption protocols in the industry to provide a barrier against
unauthorized access to customer data.
• With Office 365, customer data is encrypted both in transit and at rest by default with no additional
licenses or action.
• Native encryption features offered in Office 365 can be added for increased protection.
• Office 365 offers flexible encryption key management options to further help organizations meet their
• There are a variety of risks that can be reduced by encryption for Office 365, but good data protection strategies include other capabilities that can be used alongside encryption.
Table of Contents
0. Introduction
1. Why use encryption
   How encryption works
   Why use encryption
   Key Principle of SaaS Encryption
2. Encryption for Office 365
   Your Office 365 data encrypted by default
   Additional encryption options
3. Encryption Key Options for Office 365
   Cloud First Customers – Microsoft Managed Keys
   Compliance Focused Customers – Customer Managed Keys (in Azure Key Vault)
   Compliance First Customers – Customer Managed Keys (On-Premises/Hybrid)
5. Risks reduced by Encryption for Office 365
6. Other data protection capabilities in Office 365
7. Resources
0. Introduction
The era of digital transformation is here. Business leaders are busy rethinking how they can use
technology to drive new customer value and revenue. Driven by a sense of urgency to digitally transform
the workplace, organizations of all sizes—and across all industries—feel the pressure to embrace digital
change. However, change is hard.
As data grows exponentially, managing the risks and complexity of data is challenging: not only must
organizations protect their data from growing threats, but they must also maintain compliance with
various regulatory, industry and internal requirements related to data security and data privacy.
Encryption is widely considered to be one method that can be used as part of a broader data
protection strategy. When customers use Microsoft’s enterprise cloud services, their data is protected
by a variety of technologies and processes, and various forms of encryption.
When organizations use Office 365, they can expect customer data to be encrypted both in transit and at
rest by default. Additional encryption capabilities can be added for increased protection. And for
customers who have data security or privacy requirements that are driven by compliance, Office 365 offers
flexible encryption key management options to further help organizations meet their compliance needs as
they move to the cloud.
To help customers that are beginning their journey on encryption, in this document you will find a high-
level view of the encryption capabilities offered in Office 365, and what concerns and risks to customer
data each capability may help mitigate. It’s not meant to be comprehensive, but it will introduce what
encryption can do to protect and control data. For a deeper view on how the encryption capabilities are
implemented and managed, we recommend the additional reading material at the end of the document
under resources.
This document and the information in it reflect what we offered as of the date it was published.
Most encryption methods use one or more keys. Those keys are what can unlock the ability for an
authorized party to read the data that’s been made unintelligible. Keys can be used to encrypt data,
decrypt data, or both. When a key is the means of decrypting data, the ability to use that key means that
you are an authorized party – you can read the data.
For example, the financial services industry is subject to some of the most stringent and complex
regulations, stemming from lessons learned from financial failures over the past 10 years. The industry is
regulated for anti-money laundering, fraud protection, customer data protection, and much more with
regulations such as MiFID, SEPA, ISAE3402, and industry standards like PCI-DSS.
Office 365 provides multiple encryption capabilities that protect customer data without impacting the
value-added services that many customers come to the cloud for. Read further to learn about the
encryption offerings provided in Office 365.
For data in transit, Office 365 uses industry-standard secure transport protocols, such as Transport Layer
Security (TLS), between our customers’ clients/devices and Microsoft datacenters. All customer-facing servers
negotiate TLS by default with client machines to secure the customer data.
For data at rest, Office 365 uses various technologies. Office 365 servers use BitLocker to encrypt the disk
drives containing customer data at rest at the volume level. In addition to volume-level encryption, Office
365 uses service encryption to encrypt at the application level. Service encryption provides a more granular
layer of encryption for mailboxes and files in Office 365.
For emails, Office 365 Message Encryption is an easy-to-set-up email service that allows you to send
encrypted and rights-protected mail to anyone. Admins can apply automatic policies through transport
rules that encrypt mail if it matches certain criteria. Users can also easily apply protection through
Outlook (web, desktop) and share protected messages inside or outside the organization. Office 365
Message Encryption leverages the protection feature in Azure Information Protection without additional
licenses outside of the core Office 365 E3 or E5 offering.
The protection feature in Azure Information Protection uses encryption, identity, and authorization
policies that stay with the protected document and email to help you stay in control of your data, even
when it is shared with other people. Customers can also use Azure Information Protection to help classify
and label documents and emails to further manage and control data – the labels can be used to classify
and apply protection, and once classified you can track and control how the data is used. More information on
this can be found here.
Cloud First Customers – Microsoft Managed Keys
With Microsoft Managed Keys, the Microsoft service manages the encryption keys and takes on the burden of
provisioning and managing the keys on behalf of the customer.
Compliance Focused Customers – Customer Managed Keys (in Azure Key Vault)
For some customers, Microsoft Managed Keys may not meet their compliance obligations. Certain
compliance requirements may be driving overall security needs – such as where the keys can go, how the
keys are managed and who can operate on the keys. For example, in some regions customers have
regulatory obligations that state they need to have certain key arrangements with their cloud service
provider. Even more commonly, certain large organizations have HSM software, hardware and other
processes in place to manage their keys – therefore they may be looking to extend this into the cloud. For
these customers, customer managed keys are offered in Office 365.
Customer Managed keys are when the customer imports or generates keys in the Hardware Security
Module (HSM) in Azure Key Vault – and manages and controls the keys from Azure Key Vault. The
customers’ root keys never leave the HSM boundary.
Office 365 provides customers the option to provide and control their keys in Azure Key Vault, for their
Office 365 data at-rest with Customer Key, and for their Office 365 data in-transit with Bring Your Own
Key in Azure Information Protection.
With these customer managed key options in Office 365, organizations continue to receive a seamless
experience in Office 365, and the value-added services such as anti-spam/malware, data loss prevention,
eDiscovery, archiving, etc., continue to work.
Customer Key helps organizations meet compliance requirements that specify key arrangements with the
cloud service provider. With Customer Key, organizations can provide and control their encryption keys for
their Office 365 data at rest at the application level. As a result, customers may exercise their control and
revoke their keys, should they decide to exit the service. Revoking the keys makes the data unreadable to
the service and puts the customer on the path towards data deletion. Lastly, managing and protecting keys
is crucial but can be difficult. Customer Key includes an availability key to protect against data loss. The
availability key is a root key that is provisioned and protected by Microsoft and is functionally equivalent
to the root keys that are supplied by the customer for use with Customer Key. The availability key provides
a strong key escrow model which reduces the risk of all the keys being unintentionally lost or destroyed.
Additionally, to meet our rigorous SLA for service uptime, the availability key is also used for service
availability. Although in our experience service failures are rare, not being able to access Office 365
content because of transient AAD or network issues can be problematic; therefore, if the service cannot
reach the customer’s root keys in Azure Key Vault and we do not receive a response indicating that the
customer intended to block access to their root keys, we fall back to the availability key to complete the
operation. The availability key is unique to Customer Key, and should the customer decide to exit the
service, the availability key is purged as part of the data deletion process.
DIAGRAM - Here is a simplified view of customer managed keys in Azure Key Vault. The customer provides and manages
their asymmetric private keys in Azure Key Vault. The customers’ private keys do not leave Azure Key Vault’s HSM boundary, and
customers have the control to revoke their private keys to make the data inaccessible to the service and initiate the path towards data
deletion.
With Bring Your Own Key (BYOK) in Azure Information Protection, customers may provide and control
their own encryption keys for their Office 365 data in transit at the content level. For example, for Office
365 Message Encryption, customers may provide and control their own encryption keys for their sensitive
emails. Office 365 Message Encryption leverages the protection features in Azure Information Protection;
therefore Azure Information Protection handles key management and interfacing with Azure Key Vault.
Azure Key Vault performs the encryption operations, and the customers’ private root keys remain
protected in the HSM boundary.
Compliance First Customers – Customer Managed Keys (On-Premises/Hybrid)
HYOK (Hold Your Own Key) is an isolated on-premises Active Directory Rights Management Services (AD RMS) instance that
provides a different private key to secure this data. Because the key is stored and managed in an on-
premises environment, it protects data that remains on-premises and away from all cloud instances. If
shared outside of this environment, the data would be opaque to unauthorized parties, including the cloud service
provider.
HYOK is not for everyone, and it is certainly not intended for every piece of data. HYOK is a special tool,
for a special purpose: data opacity at all costs. Generally, we recommend this to be applied to less than
one percent of data. While Office 365 does support HYOK with Azure Information Protection, Office 365
services will be significantly limited with this configuration. Because the data that is protected will be
opaque to the cloud, many of the most powerful Office 365 experiences will be unavailable: no anti-
malware/spam, Delve, eDiscovery, search, and so forth. Any transport rules and DLP policies will not be
able to look at this data, and any anti-virus services or DLP will need an entirely different environment.
DIAGRAM - Here is an example of an HYOK topology. The customer has on-premises AD, an AD RMS server and an HSM. The customer’s private keys
are managed in the on-premises HSM and used by the on-premises AD RMS server. The customer physically possesses their private
keys and does not share these keys with the Microsoft cloud. The AIP classification labels are bound to the Azure RMS server – so when
an end user applies the specific label, which in this example is ‘Secret’, the content is protected with HYOK.
S/MIME
Office 365 also supports S/MIME. S/MIME is a certificate-based encryption solution that allows you to
both encrypt and digitally sign a message. The public certificates are distributed to an organization’s on-
premises Active Directory and stored in attributes that cannot be replicated to an Office 365 tenant. The
private keys remain on-premises and are never transmitted to Office 365. Therefore, Office 365 services
that need to read and reason over the data will not work.
See below a high-level table and review the definitions to better understand how each encryption
technology can help reduce various risks to customer data.
| Risk Area | TLS | BitLocker | Service Encryption | Office 365 Message Encryption | Customer Key | BYOK with AIP | HYOK with AIP | S/MIME |
|---|---|---|---|---|---|---|---|---|
| Attack from malicious outsider | x | x | x | x | x | x | x | x |
| Accidental leak of data (user) | | | | x | | x | x | x |
| Non-Compliance (Regulatory/Internal) | x | x | x | x | x | x | x | x |
| Offered in | All commercial Office 365 SKUs | All commercial Office 365 SKUs | All commercial Office 365 SKUs | Office 365 E3/E5* | Office 365 E5** + Azure Key Vault Subscription | Office 365 E3/E5* + Azure Key Vault Subscription | EMS E5 or AIP Plan P2 Add-On | N/A |

*Also offered as an add-on; for the full list go here.
**Also offered as an add-on to Office 365 E3 with the Advanced Compliance SKU.
Definitions
TLS:
BitLocker:
Reduces the risk of data compromise due to lapses in processes or controls (such as access control or
hardware recycling processes) that enable someone to gain physical access to disks containing sensitive
data.
Service Encryption:
Reduces risk of data compromise due to an attack by a malicious outsider. The data cannot be decrypted
without access to keys. Service encryption also provides a granular layer of protection at the application
layer on top of BitLocker for customers’ Office 365 data at-rest.
Customer Key:
In addition to the benefits of service encryption above, Customer Key can help reduce the risk of non-
compliance due to obligations surrounding how or where the customers’ encryption keys are controlled
or managed, or obligations related to having the explicit control to delete data when exiting the service.
Office 365 Message Encryption:
Reduces the risk of data compromise due to an attack by a malicious outsider, or due to an accidental
data leak by an employee. The new Office 365 Message Encryption includes the protection feature in
Azure Information Protection to encrypt and rights-protect emails. When the new Office 365 Message
Encryption is applied to emails, the email is not only protected throughout its lifecycle but
also receives an added layer of encryption on top of the default encryption capabilities offered in Office 365
(TLS, BitLocker, Service Encryption).
BYOK with Azure Information Protection for Office 365 Message Encryption:
In addition to benefits of Office 365 Message Encryption, BYOK with Azure Information protection can
help reduce the risk of non-compliance due to obligations surrounding how or where the customers’
encryption keys are controlled or managed.
HYOK with Azure Information Protection:
The key is stored and managed in an on-premises environment, so it protects any data that remains on-premises
and away from all cloud instances. If shared outside of this environment, the data would be opaque to unauthorized
parties, including the cloud service provider.
S/MIME:
S/MIME ensures that an email encrypted with S/MIME can only be decrypted by the direct recipient of the email. The cloud service provider and unauthorized users cannot see the contents of the email. Office 365 supports S/MIME; however, Office 365 services are significantly limited in what they can do with data that is encrypted with S/MIME.
Data Governance
The benefits of implementing a comprehensive data governance strategy are two-fold: reduced cost of storing data and, perhaps more importantly, reduced risk from keeping data that is no longer relevant but still needs to be protected. With the data governance capabilities, Office 365 customers are able to use intelligence to classify, protect and retain data in their environment, and defensibly dispose of data that is redundant, obsolete or trivial.
Customers may leverage Office 365 Data Loss Prevention (DLP) to identify, monitor and protect sensitive information in their organization through content scanning. Not only will DLP detect sensitive information types such as credit card numbers or national identity numbers, customers can also apply protections such as blocking access, showing policy notifications or encrypting emails using Exchange Transport Rules.
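As an added illustration of the content-scanning step just described (example code, not Microsoft's DLP engine, with hypothetical policy thresholds), the following Python scans outbound message bodies for card-like numbers, confirms candidates with the Luhn checksum that card-number detectors use to cut false positives, and maps the result to a notify, encrypt or block action of the kind a transport rule would apply:

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Candidate card number: 13-19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; a 13-19 digit string that fails it is not a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class DlpPolicy:
    """Hypothetical thresholds; a real policy is tuned per organization."""
    block_threshold: int = 5        # many numbers in one message looks like a bulk leak
    encrypt_external: bool = True   # encrypt when the message leaves the organization


def evaluate_message(body: str, external_recipient: bool,
                     policy: Optional[DlpPolicy] = None) -> tuple[str, list[str]]:
    """Decide the DLP action for one outbound email.

    Returns (action, matches); action is "allow", "notify", "encrypt" or "block".
    """
    policy = policy or DlpPolicy()
    matches = find_card_numbers(body)
    if not matches:
        return "allow", matches
    if len(matches) >= policy.block_threshold:
        return "block", matches
    if external_recipient and policy.encrypt_external:
        return "encrypt", matches
    return "notify", matches        # show a policy tip, let the message through


# Constructed sample messages; the numbers are industry test numbers, not real accounts.
SAMPLES = [
    ("Order 1234567890123 shipped, tracking 9999-0000-1111", False),
    ("Hi finance, the corporate card ends 4111 1111 1111 1111, please update.", False),
    ("Hi vendor, bill card 4111-1111-1111-1111 for the invoice.", True),
    ("Export: 4111111111111111, 5500000000000004, 340000000000009, "
     "6011000000000004, 4012888888881881", True),
]

if __name__ == "__main__":
    for body, external in SAMPLES:
        action, found = evaluate_message(body, external)
        print(f"{action:8} matches={len(found)} external={external}")
```

The first sample shows why the checksum matters: a 13-digit order number matches the pattern but fails Luhn, so no policy tip is raised.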
Access Control
While there is no standing access to customer data (access is controlled by our access control system), Customer Lockbox gives customers added control: they can be added to the approval workflow before access is granted to a Microsoft service engineer during service operations.
7. ADDITIONAL RESOURCES
For customers doing a risk assessment, we recommend reading a deeper encryption whitepaper offered
at https://aka.ms/mcsce. This looks across our encryption capabilities in the Microsoft Cloud.
Encryption
• Microsoft Cloud Encryption Whitepaper
• Common misconceptions and truths of SaaS encryption
Access Control
Customer Lockbox
1. Customer Lockbox 2 Min Video
2. Office 365 - Customer Lockbox SOC 1 SSAE 16 Type I Report
3. Customer Lockbox Webinar
◦ Own your data with next generation access control technology in Office 365
The information contained in this document represents the current view of Microsoft Corporation on the issues
discussed as of the date of publication. Because Microsoft must respond to changing market conditions, this
document should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee
the accuracy of any information presented after the date of publication.
This is for informational purposes only and not for the purpose of providing legal advice. You should contact your
attorney to obtain advice with respect to any particular issue or problem. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
Security…Security!
Why hackers target clouds
Distributed denial of service attacks
Defending - Continued
SLA Security Model
With great cloud comes great security
Security at Scale – The Good News
How to safeguard ourselves
Encryption, Encryption, Encryption, And did I mention, encryption?
End-to-end
Stored Data
Important security safeguards
Auditing
Vulnerability testing
Independent pen-testing
Defined policies
Allow users to set own policies (user-level data security)
VPNs
Compliance / Important Policies
PCI DSS:
Ensures that the provider can handle payments
Stands for “Payment Card Industry Data Security Standard”
To achieve this certification, a provider has to undergo audits and protect data, including its storage, processing and transmission. This certification encompasses a number of measures such as security management, policies, procedures, network architecture design and software design.
SOC 2 Type II:
Ensures data security at the highest level
Stands for Service Organization Controls
SOC 1 is for less comprehensive systems.
SOC 2 is for more comprehensive systems
Type II involves long-term testing
Planning and Cloud Design –
Basics II
INFO-5112
INTO THE CLOUD
https://i.ytimg.com/vi/MH4wGvAzOAU/maxresdefault.jpg
So, what do we need to consider
http://bensjoberg.org/wp-content/uploads/2017/05/3-Reasons-a-Career-in-Engineering-is-Worth-Considering.jpg
The challenges moving to a cloud
https://image.slidesharecdn.com/bigdatareal-timeapplications-120620170837-phpapp02/95/big-data-real-time-applications-1-728.jpg?cb=1340212830
Consider: Costs associated
https://www.neat-legal.co.uk/wp-content/uploads/2016/09/neat-1-1024x576.jpg
Consider: Data Governance
http://secondlineblog.org/wp-content/uploads/2016/11/choice-a-colorful-coffee-cup-picture-id475046942-11.jpg
Questions to ask when looking for a CSP
https://plsadaptive.s3.amazonaws.com/gmedia/_oNBkWquestions.jpg
https://www.opservices.com.br/wp-content/uploads/2017/06/SLA_Service_Level_Agreement-1.png
SLAs – What are they; what to look for
What is an SLA?
ITIL: An agreement between an IT service provider and a customer. The SLA describes the IT service, documents service level targets, and specifies the responsibilities of the IT service provider and the customer.
Formal and legally binding
Legal action possible if in violation
Quantitative not Qualitative
99.999% uptime vs. “high uptime”
Will cover key aspects of your cloud service
Key in determining what you will be getting
Key factors to consider for SLA/CSP
Key Factors II
Key Factors III
Customer Service
How are problems resolved
Response times (Service-level)
What is done to resolve them
Change Management Process
How are changes handled
How are you notified
How are new services/updates rolled out
Dispute mediation strategy
How are disputes handled
What are your rights
Your expectations
What can YOU do on their platform?
What you are not allowed to do
Cloud Service Provider’s expectations
Onboarding and offboarding/exit strategy
How do you migrate onto the cloud
How do you get off the cloud
How does the CSP ensure a smooth transition
A Snapshot into
Introduction to the MS Azure Platform
https://azure.microsoft.com/en-ca/regions/
Security
AWS Academy Cloud Foundations
Compute
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Overview
Topics:
• Compute services overview
• Amazon EC2
• Amazon EC2 cost optimization
• Container services
• Introduction to AWS Lambda
• Introduction to AWS Elastic Beanstalk
Activities:
• Amazon EC2 versus Managed Service
• Hands-on with AWS Lambda
• Hands-on with AWS Elastic Beanstalk
Demo:
• Recorded demonstration of Amazon EC2
Lab:
• Introduction to Amazon EC2
Knowledge check
Objectives
Services covered: Amazon EC2, Amazon EC2 Auto Scaling, Amazon Elastic Container Registry (Amazon ECR), Amazon Elastic Container Service (Amazon ECS), VMware Cloud on AWS
Amazon EC2
Photo by panumas nikhomkhai from Pexels
Amazon EC2 overview
Instance type   vCPUs   Memory (GiB)   Instance storage
t3.large        2       8              EBS-Only
t3.xlarge       4       16             EBS-Only
t3.2xlarge      8       32             EBS-Only
Choices made by using the Launch Instance Wizard:
1. AMI
2. Instance Type
3. Network settings
4. IAM role
5. User data
6. Storage options
7. Tags
8. Security group
9. Key pair
IAM role (step 4):
• Will software on the EC2 instance need to interact with other AWS services?
• If yes, attach an appropriate IAM role.
• An AWS Identity and Access Management (IAM) role that is attached to an EC2 instance is kept in an instance profile.
• You are not restricted to attaching a role only at instance launch.
• You can also attach a role to an instance that already exists.
Example: an application on the instance can access an Amazon Simple Storage Service (Amazon S3) bucket with objects, through a role that grants S3 bucket access permissions.
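As an added example (not AWS course material), the following Python builds the two policy documents behind the instance-role pattern above, a trust policy that lets only the EC2 service assume the role and a permissions policy scoped to one S3 bucket, and checks either document for the wildcards that would give the instance far more than it needs. The bucket, prefix, role and profile names are assumptions; the aws CLI commands returned at the end are the standard ones for attaching the profile to an instance that already exists, as the slide notes is possible.

```python
from __future__ import annotations

import json

POLICY_VERSION = "2012-10-17"


def ec2_trust_policy() -> dict:
    """Trust policy: only the EC2 service may assume the role.

    This is what the instance profile hands to the instance; a broader
    Principal (for example "*") lets parties other than your instances
    obtain the role's credentials.
    """
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_read_policy(bucket: str, prefix: str = "") -> dict:
    """Permissions policy scoped to one bucket and, optionally, one key prefix.

    ListBucket applies to the bucket ARN and GetObject to the object ARNs,
    so they are separate statements with different Resource values.
    """
    list_stmt = {"Effect": "Allow", "Action": "s3:ListBucket",
                 "Resource": f"arn:aws:s3:::{bucket}"}
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    get_stmt = {"Effect": "Allow", "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"}
    return {"Version": POLICY_VERSION, "Statement": [list_stmt, get_stmt]}


def _as_list(value) -> list:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def policy_findings(policy: dict) -> list[str]:
    """Flag Allow statements an instance role should not carry.

    Checks: wildcard actions ("*" or "service:*"), wildcard resources, and a
    trust statement that lets any principal assume the role.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        principal = stmt.get("Principal")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: wildcard resource")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append(f"statement {i}: any principal may assume this role")
    return findings


def attach_commands(role: str, profile: str, instance_id: str) -> list[str]:
    """aws CLI steps: create role and profile, then attach to a running instance.

    Assumes the two documents above were saved as trust.json and s3-read.json.
    """
    return [
        f"aws iam create-role --role-name {role} --assume-role-policy-document file://trust.json",
        f"aws iam put-role-policy --role-name {role} --policy-name s3-read --policy-document file://s3-read.json",
        f"aws iam create-instance-profile --instance-profile-name {profile}",
        f"aws iam add-role-to-instance-profile --instance-profile-name {profile} --role-name {role}",
        f"aws ec2 associate-iam-instance-profile --instance-id {instance_id} --iam-instance-profile Name={profile}",
    ]


if __name__ == "__main__":
    # Constructed names; i-0123456789abcdef0 is a placeholder instance ID.
    scoped = s3_read_policy("app-assets", "config/")
    broad = {"Version": POLICY_VERSION,
             "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print(json.dumps(scoped, indent=2))
    print("scoped findings:", policy_findings(scoped))
    print("broad findings:", policy_findings(broad))
    for cmd in attach_commands("AppAssetsReadRole", "AppAssetsProfile", "i-0123456789abcdef0"):
        print(cmd)
```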
5. User data script (optional)
Storage options (step 6) example:
Diagram: Amazon Elastic Block Store (Amazon EBS) provides a 20-GB volume (attached as the root volume of Instance 1) and a 500-GB volume (attached as a storage volume); Instance Store provides ephemeral volume 1 (attached as a storage volume of Instance 1) and ephemeral volume 2 (attached as the root volume of Instance 2).
• Instance 1 characteristics
  – It has an Amazon EBS root volume type for the operating system.
  – What will happen if the instance is stopped and then started again?
• Instance 2 characteristics
  – It has an Instance Store root volume type for the operating system.
  – What will happen if the instance stops (because of user error or a system malfunction)?
7. Add tags
Instance lifecycle (states and transitions from the diagram):
• Launch: AMI → pending → running
• Reboot: running → rebooting → running
• Stop: running → stopping → stopped
• Stop-Hibernate: running → stopping → stopped
• Start: stopped → pending → running
• Terminate: running → shutting-down → terminated (a stopped instance can also be terminated)
Elastic IP Address
EC2 instance metadata
Monitoring:
• Basic monitoring
  – Default, no additional cost
  – Metric data sent to CloudWatch every 5 minutes
• Detailed monitoring
  – Fixed monthly rate for seven pre-selected metrics
  – Metric data delivered every 1 minute
Section 2 key takeaways
• Amazon EC2 enables you to run Windows and Linux virtual machines in the cloud.
• You launch EC2 instances from an AMI template into a VPC in your account.
• You can choose from many instance types. Each instance type offers different combinations of CPU, RAM, storage, and networking capabilities.
• You can configure security groups to control access to instances (specify allowed ports and source).
• User data enables you to specify a script to run the first time that an instance launches.
• Only instances that are backed by Amazon EBS can be stopped.
• You can use Amazon CloudWatch to capture and review metrics on EC2.
Compute
Benefits of each pricing option:
• On-Demand Instances: Low cost and flexibility
• Spot Instances: Large scale, dynamic workload
• Reserved Instances: Predictability ensures compute capacity is available when needed
• Dedicated Hosts: Save money on licensing costs; help meet compliance and regulatory requirements
Use cases for each pricing option:
• On-Demand Instances: Short-term, spiky, or unpredictable workloads; application development or testing
• Spot Instances: Applications with flexible start and end times; applications only feasible at very low compute prices; users with urgent computing needs for large amounts of additional capacity
• Reserved Instances: Steady state or predictable usage workloads; applications that require reserved capacity, including disaster recovery; users able to make upfront payments to reduce total computing costs even further
• Dedicated Hosts: Bring your own license (BYOL); compliance and regulatory restrictions; usage and licensing tracking; control instance placement
The four pillars of cost optimization
Cost Optimization
Examples:
• Use On-Demand Instances and Spot Instances for variable workloads
• Consider serverless solutions (AWS Lambda)
Pillar 4: Optimize storage choices
• Recommendations –
• Define and enforce cost allocation tagging.
© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior
written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections or feedback on the course, please email
us at: aws-course-feedback@amazon.com. For all other questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the
property of their owners.
Planning and Cloud Design -
Basics
INFO-5112
Things are Changing…
The “Old way” of thinking and design focused on fixed, rigid, and static models
Scale up (if insufficient resources)
Monolithic (single product, housed in a single place)
Stateful (everything was a fixed application that ran
constantly, designed for offline applications)
Fixed capacity (no way to be elastic or proactive
unless you allocated beforehand)
Focused on Active/Passive DR (Disaster Recovery)
and perimeter security
Costs were fixed and constant (hardware, software)
The “New way” of doing things
Where do we start?
Increasing productivity
Reducing time to market in new product
development
Reducing production costs
Optimizing product distribution and
delivery
Increasing market share
Increasing customer retention
Outcomes of bad design decisions
Key outcomes of planning
Things to keep in mind
Example of a Business Case
Source: http://www.gartner.com/smarterwithgartner/the-financial-case-for-moving-to-the-cloud/
Your requirements
Using cloud storage to store single copies of data that are accessed by multiple
applications rather than duplicating data sets
Reducing the number of ad hoc reporting tools as users standardized on the “best of the
breed” tools offered in the cloud’s service catalog
New applications, such as statistical analysis and data mining of large customer
transaction data sets enabled by on‐demand access to compute and storage resources
Step 3 – See what’s out there (or in here)
Example of the market
Storage
Overview
Topics:
• Amazon Elastic Block Store (Amazon EBS)
• Amazon Simple Storage Service (Amazon S3)
• Amazon Elastic File System (Amazon EFS)
• Amazon Simple Storage Service Glacier
Demos:
• Amazon EBS console
• Amazon S3 console
• Amazon EFS console
• Amazon S3 Glacier console
Lab:
• Working with Amazon EBS
Activities:
• Storage solution case study
Knowledge check
Objectives
Services covered: Amazon S3, Amazon EBS, Amazon EFS, Amazon S3 Glacier
Related services (diagram): Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Compute Cloud (Amazon EC2), AWS Identity and Access Management (IAM), Amazon Relational Database Service, Amazon DynamoDB; categories: Storage, Database
Section 1: Amazon Elastic Block Store (Amazon EBS)
• Snapshots –
• Point-in-time snapshots
• Recreate a new volume at any time
• Encryption –
• Encrypted Amazon EBS volumes
• No additional cost
• Elasticity –
• Increase capacity
• Change to different types
4. Data transfer –
• Inbound data transfer is free.
• Outbound data transfer across Regions incurs charges.
Diagram: my-bucket-name spans Facility 1, Facility 2 and Facility 3 within a Region.
Designed for seamless scaling
Access to my-bucket-name: AWS Management Console, AWS Command Line Interface, SDK
• Software delivery (diagram: corporate data center and Amazon EC2 instances)
Amazon S3 pricing
3. Requests –
• The number and type of requests (GET, PUT, COPY)
• Type of requests:
• Different rates for GET requests than other requests.
4. Data transfer –
• Pricing is based on the amount of data that is transferred
out of the Amazon S3 Region
• Data transfer in is free, but you incur charges for data that is
transferred out.
Diagram: a VPC with a private subnet containing mount targets, each with its own network interface.
1. Create your Amazon EC2 resources and launch your Amazon EC2 instance.
2. Create your Amazon EFS file system.
3. Create your mount targets in the appropriate subnets.
4. Connect your Amazon EC2 instances to the mount targets.
Amazon EFS resources:
• File system
  – Mount target
    · Subnet ID
    · Security groups
    · One or more per file system
    · Create in a VPC subnet
    · One per Availability Zone
    · Must be in the same VPC
  – Tags
    · Key-value pairs
Section 3 key takeaways
• Amazon EFS provides file storage over a network.
• Perfect for big data and analytics, media processing workflows, content management, web serving, and home directories.
• Fully managed service that eliminates storage administration tasks.
• Accessible from the console, an API, or the CLI.
• Scales up or down as files are added or removed and you pay for what you use.
Recorded demo: Amazon Elastic File System
Amazon S3 Glacier
Digital preservation
Access options: RESTful web services; Java or .NET SDKs; Amazon S3 with lifecycle policies (diagram: transitions at 30 days, 60 days and 365 days)
Security (diagram, AWS Cloud): Amazon S3 Glacier encrypts your data with AES-256; Amazon S3 Glacier manages your keys for you
Section 4 key takeaways
• Amazon S3 Glacier is a data archiving service that is designed for security, durability, and an extremely low cost.
• Amazon S3 Glacier pricing is based on Region.
• Its extremely low-cost design works well for long-term archiving.
• The service is designed to provide 11 9s of durability for objects.
Recorded demo: Amazon S3 Glacier
Case 1: A data analytics company for travel sites must store billions of customer events per day. They use the data analytics services that are in the diagram. The following diagram illustrates their architecture.
Diagram: Amazon Kinesis Data Firehose → Storage ??
Case 2: A collaboration software company processes email for enterprise customers. They have more than 250 enterprise customers and more than half a million users. They must store petabytes of data for their customers. The following diagram illustrates their architecture.
Diagram: Storage ??
Case 3: A data protection company must be able to ingest and store large amounts of customer data and help their customers meet compliance requirements. They use Amazon EC2 for scalable compute and Amazon DynamoDB for duplicate data and metadata lookups. The following diagram illustrates their architecture.
Diagram: Clients → Amazon EC2, Amazon DynamoDB → Storage ??
Wrap-up
A company wants to store data that is not frequently accessed. What is the
best and cost-effective solution that should be considered?
Additional resources
• Storage Overview
Lecture 2 – Cloud Basics Continued
INFO 5112 – CLOUD SERVICES
As mentioned, these are only the basic concepts; this course will focus on in-depth
https://www.networkworld.com/article/3394341/when-it-comes-to-uptime-not-all-cloud-providers-are-created-equal.html
Copyright, 2018 Fanshawe College
Drawbacks of a Public Cloud
Business relies on external provider (CSP)
◦ When it rains, it pours (CSP problems are your problems)
Data is not your data
◦ Data is not located on-site
◦ You may not be able to offer as granular customization as your clients would need
Limited customization
◦ You give up control for easier administration
Public Cloud
◦ Your data is secured, and you’re not alone when defending against attacks
◦ Your hardware is protected from failures
◦ Handle the sudden high peak demand
◦ Scale-up – add more resources. Scale-out – optimize current resources.
◦ Data traveling on the “wire”
◦ Cost and accessibility
Private Cloud
◦ Full control of the physical resources
◦ You know who can access what and when from where
◦ Can isolate data and infrastructure
◦ Security is your responsibility
◦ Maintenance, management, and expansion plans
Cloud Bursting
◦ Used to offload resources into the cloud platform in times of heavy demand
◦ Allows for near unlimited resources
◦ Cost-effective and rapid
Application hosting
◦ Organizations pick what to host and where (i.e. website in the cloud, compute resources
on-premises)
Package and Deploy applications
◦ Applications can reach a broader audience by being distributed through the Public Cloud
◦ Leverage the CDN (Content Delivery Network)
Application Development and Testing
◦ Utilize additional resources that are not available (Compute nodes of AWS for example)
Cost
◦ Integration of traditional systems may be costly to offload to the Private
Cloud (i.e. bursting static content will not work)
◦ Your organization must make sense of what to deploy to the cloud
Offloading mission critical content
◦ You introduce a potential security loophole
◦ Only as reliable as the CSP is
Compatibility
◦ Can your internal infrastructure handle the cloud requirements?
◦ i.e. is your bandwidth sufficient to serve the product hosted on the
cloud?
Cloud Service
Models
What is a Cloud Service Model
A Cloud Service Model specifies the service and the capabilities provided to consumers
Split into the following three main categories
◦ Infrastructure as a Service (IaaS)
◦ Platform as a Service (PaaS)
◦ Software as a Service (SaaS)
Other services do exist, but are not covered (BaaS – Backup, NaaS – Network, etc)
Overview
Topics:
• AWS Global Infrastructure
• AWS service and service category overview
Activities:
• AWS Management Console clickthrough
Knowledge check
Demo:
• AWS Global Infrastructure
AWS Regions
Determine the right Region for your services, applications, and data based on these factors:
• Data governance, legal requirements
• Proximity to customers (latency)
• Services available within the Region
• Costs (vary by Region)
Availability Zones
• Built-in redundancy of components
• High availability
(Diagram: data centers with network connectivity; failure isolation.)
Foundation Services (diagram): Compute (virtual, automatic scaling, and load balancing); Networking; Storage (object, block, and archive)
Amazon Simple Storage Service Glacier
Compute service category
Amazon DynamoDB
Photo from https://aws.amazon.com/compliance/data-center/data-centers/
AWS networking and content delivery services
Hands-on activity: AWS Management
Console clickthrough
1. Launch the Sandbox hands-on environment and connect to the AWS Management Console.
2. Explore the AWS Management Console.
A. Click the Services menu.
B. Notice how services are grouped into service categories. For example, the EC2 service appears in the Compute
service category.
Question #1: Under which service category does the IAM service appear?
Question #2: Under which service category does the Amazon VPC service appear?
C. Click the Amazon VPC service. Notice that the dropdown menu in the top-right corner displays an AWS Region (for
example, it might display N. Virginia).
D. Click the Region menu and switch to a different Region. For example, choose EU (London).
E. Click Subnets (on the left side of the screen). The Region has three subnets in it. Click the box next to one of the
subnets. Notice that the bottom half of the screen now displays details about this subnet.
Question #3: Does the subnet you selected exist at the level of the Region or at the level of the Availability Zone?
F. Click Your VPCs. An existing VPC is already selected.
Question #4: Does the VPC exist at the level of the Region or the level of the Availability Zone?
Question #5: Which services are global instead of Regional? Check Amazon EC2, IAM, Lambda, and Route 53.
• Question #1: Under which service category does the IAM service appear?
• Answer: Security, Identity, & Compliance.
• Question #2: Under which service category does the Amazon VPC service appear?
• Answer: Networking & Content Delivery
• Question #3: Does the subnet that you selected exist at the level of the Region or the level of the
Availability Zone?
• Answer: Subnets exist at the level of the Availability Zone.
• Question #4: Does the VPC exist at the level of the Region or the level of the Availability Zone?
• Answer: VPCs exist at the Region level.
• Question #5: Which of the following services are global instead of Regional? Check Amazon
EC2, IAM, Lambda, and Route 53.
• Answer: IAM and Route 53 are global. Amazon EC2 and Lambda are Regional.
Additional resources
Lecture 1 – Cloud Basics
INFO 5112 – CLOUD SERVICES
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
In cloud computing, the consumers have the ability to provision any IT resource that
they require on demand from a cloud, at any time they want. Self-service means that
the consumers themselves carry out all the activities required to provision the cloud
resource.
http://www.informit.com/articles/article.aspx?p=2093407&seqNum=2
Most Customization
◦ Best fit for your organization
◦ You control what you need
Gain the benefits of cloud architecture without exposing your servers to external factors (Storage,
Compute)
Drawbacks of a Private Cloud
Lower Scalability / Agility
◦ Resources may be limited in a Private Cloud
◦ No room for “Burst resources”
Less reliable
◦ Downtime, Backups, Geographical availability
◦ Backups usually stored on site