WEBVTT

1
00:00:00.000 --> 00:00:01.620
In this lesson,

2
00:00:01.620 --> 00:00:04.440
we will learn about Cloud Management.

3
00:00:04.440 --> 00:00:07.170
Cloud management involves overseeing

4
00:00:07.170 --> 00:00:09.660
and securing cloud resources

5
00:00:09.660 --> 00:00:13.890
and services while ensuring that cloud provider

6
00:00:13.890 --> 00:00:17.760
and customer responsibilities are clearly defined

7
00:00:17.760 --> 00:00:20.010
and properly executed.

8
00:00:20.010 --> 00:00:22.500
Cloud management concepts include

9
00:00:22.500 --> 00:00:25.170
the shared responsibility model

10
00:00:25.170 --> 00:00:28.410
as well as the management of encryption keys

11
00:00:28.410 --> 00:00:31.140
and licenses in both cloud

12
00:00:31.140 --> 00:00:34.110
and customer managed environments.

13
00:00:34.110 --> 00:00:37.860
The shared responsibility model outlines the division

14
00:00:37.860 --> 00:00:40.290
of security responsibilities

15
00:00:40.290 --> 00:00:44.490
between the cloud service provider and the customer.

16
00:00:44.490 --> 00:00:48.420
Let's learn more about the shared responsibility model

17
00:00:48.420 --> 00:00:53.420
as well as cloud versus customer managed resources.

18
00:00:53.490 --> 00:00:57.870
First, we have the shared responsibility model.

19
00:00:57.870 --> 00:01:02.262
A shared responsibility model defines which security tasks

20
00:01:02.262 --> 00:01:05.400
are handled by the cloud provider

21
00:01:05.400 --> 00:01:07.770
and which are handled by the client.

22
00:01:07.770 --> 00:01:11.440
If you are using services like Amazon Web Services

23
00:01:11.440 --> 00:01:15.240
or AWS, Microsoft Azure,

24
00:01:15.240 --> 00:01:16.860
or Google Cloud,

25
00:01:16.860 --> 00:01:21.390
certain roles like maintaining the physical infrastructure,

26
00:01:21.390 --> 00:01:23.250
security of the hardware,

27
00:01:23.250 --> 00:01:27.030
and environmental controls will be handled

28
00:01:27.030 --> 00:01:30.060
by the cloud service provider.

29
00:01:30.060 --> 00:01:31.650
On the other hand,

30
00:01:31.650 --> 00:01:36.650
tasks such as configuring data encryption, managing access,

31
00:01:36.960 --> 00:01:41.460
and setting up security permissions fall on the client.

32
00:01:41.460 --> 00:01:44.550
There are three types of controls

33
00:01:44.550 --> 00:01:47.940
under this shared responsibility model:

34
00:01:47.940 --> 00:01:52.440
inherited, shared, and customer specific.

35
00:01:52.440 --> 00:01:57.150
Inherited controls are fully managed by the cloud provider,

36
00:01:57.150 --> 00:02:00.810
such as ensuring data centers have the right

37
00:02:00.810 --> 00:02:03.120
environmental conditions.

38
00:02:03.120 --> 00:02:06.660
Shared controls are responsibilities shared

39
00:02:06.660 --> 00:02:10.020
between the cloud provider and the client,

40
00:02:10.020 --> 00:02:11.535
like patch management,

41
00:02:11.535 --> 00:02:14.697
where the provider patches the infrastructure

42
00:02:14.697 --> 00:02:19.020
and the client patches the operating systems they manage

43
00:02:19.020 --> 00:02:20.550
and are using.

44
00:02:20.550 --> 00:02:24.570
Last, customer specific controls are solely

45
00:02:24.570 --> 00:02:28.410
the responsibility of the customer or client,

46
00:02:28.410 --> 00:02:31.620
and include configuring security zones

47
00:02:31.620 --> 00:02:34.860
or setting up proper communication protocols

48
00:02:34.860 --> 00:02:37.290
for their applications.

49
00:02:37.290 --> 00:02:39.270
So to sum it up,

50
00:02:39.270 --> 00:02:42.870
the more you move up the technology stack

51
00:02:42.870 --> 00:02:46.830
from infrastructure to user-facing applications,

52
00:02:46.830 --> 00:02:51.060
the more responsibilities typically fall on the client.

53
00:02:51.060 --> 00:02:55.470
The cloud service provider handles the physical hardware,

54
00:02:55.470 --> 00:03:00.120
regions, availability zones, and core services like compute

55
00:03:00.120 --> 00:03:01.740
and storage,

56
00:03:01.740 --> 00:03:06.360
while the client is responsible to protect their own data,

57
00:03:06.360 --> 00:03:10.440
install, patch, and configure their systems,

58
00:03:10.440 --> 00:03:12.540
as well as manage identity

59
00:03:12.540 --> 00:03:15.480
and access permissions in the cloud.

60
00:03:15.480 --> 00:03:18.316
In this way, both the cloud provider

61
00:03:18.316 --> 00:03:21.630
and the client work together to ensure

62
00:03:21.630 --> 00:03:25.410
a secure and reliable cloud environment.

63
00:03:25.410 --> 00:03:29.911
Second, we have cloud versus customer managed resources.

64
00:03:29.911 --> 00:03:32.130
In the cloud environment,

65
00:03:32.130 --> 00:03:34.260
as we just discussed,

66
00:03:34.260 --> 00:03:38.400
many of the core infrastructure responsibilities fall

67
00:03:38.400 --> 00:03:40.980
to the cloud service provider.

68
00:03:40.980 --> 00:03:44.970
This includes the physical hardware, networking,

69
00:03:44.970 --> 00:03:48.900
and general maintenance of the underlying systems

70
00:03:48.900 --> 00:03:50.610
and infrastructure.

71
00:03:50.610 --> 00:03:52.560
However, when it comes

72
00:03:52.560 --> 00:03:56.100
to critical resources like encryption keys

73
00:03:56.100 --> 00:03:58.230
and software licenses,

74
00:03:58.230 --> 00:04:02.250
the responsibility often shifts to the customer.

75
00:04:02.250 --> 00:04:05.970
In a cloud environment, the provider is responsible

76
00:04:05.970 --> 00:04:09.300
for maintaining the infrastructure that stores

77
00:04:09.300 --> 00:04:12.120
and protects encryption keys,

78
00:04:12.120 --> 00:04:17.120
ensuring the underlying platform is secure and reliable.

79
00:04:17.160 --> 00:04:22.160
Services like AWS Key Management Service or KMS

80
00:04:22.587 --> 00:04:26.760
or Azure Key Vault even help manage

81
00:04:26.760 --> 00:04:29.490
and store keys securely.

82
00:04:29.490 --> 00:04:33.810
However, it is still the customer's responsibility

83
00:04:33.810 --> 00:04:38.810
to generate, manage, and rotate the keys properly.

84
00:04:38.820 --> 00:04:43.193
So if a customer mismanages their encryption keys

85
00:04:43.193 --> 00:04:46.263
by failing to rotate them regularly

86
00:04:46.263 --> 00:04:49.920
or improperly configuring access,

87
00:04:49.920 --> 00:04:52.890
sensitive data could be exposed

88
00:04:52.890 --> 00:04:57.890
despite the cloud service provider's secure infrastructure.

89
00:04:57.990 --> 00:04:59.955
Licensing is another area

90
00:04:59.955 --> 00:05:02.370
where the difference between cloud

91
00:05:02.370 --> 00:05:06.150
and customer managed environments becomes clear.

92
00:05:06.150 --> 00:05:09.600
In cloud environments, licenses for software

93
00:05:09.600 --> 00:05:13.214
or services are often bundled with the platform

94
00:05:13.214 --> 00:05:16.080
as part of a subscription.

95
00:05:16.080 --> 00:05:18.900
For instance, if you are using a service

96
00:05:18.900 --> 00:05:22.560
like Microsoft Azure or AWS,

97
00:05:22.560 --> 00:05:25.794
certain licenses for tools like Microsoft Office

98
00:05:25.794 --> 00:05:30.794
or database solutions might be included automatically,

99
00:05:31.200 --> 00:05:35.250
reducing the administrative overhead for customers.

100
00:05:35.250 --> 00:05:38.880
In this case, the cloud provider takes care

101
00:05:38.880 --> 00:05:40.287
of licensing renewals

102
00:05:40.287 --> 00:05:43.920
and ensures that the licenses stay compliant

103
00:05:43.920 --> 00:05:46.350
with the provider's terms.

104
00:05:46.350 --> 00:05:50.100
In contrast, in customer managed environments,

105
00:05:50.100 --> 00:05:54.165
the organization is solely responsible for tracking,

106
00:05:54.165 --> 00:05:59.165
renewing, and maintaining compliance with licensing agreements.

107
00:05:59.400 --> 00:06:04.050
This can involve managing multiple software licenses

108
00:06:04.050 --> 00:06:07.560
for various products and services,

109
00:06:07.560 --> 00:06:10.620
often requiring dedicated staff

110
00:06:10.620 --> 00:06:13.734
to ensure that no licenses expire

111
00:06:13.734 --> 00:06:18.734
and that the organization remains within legal compliance.

112
00:06:19.020 --> 00:06:22.394
So when using cloud-based services,

113
00:06:22.394 --> 00:06:25.410
understanding the balance of cloud

114
00:06:25.410 --> 00:06:29.010
and client responsibility is a must.

115
00:06:29.010 --> 00:06:33.300
In a cloud environment, many aspects like key storage

116
00:06:33.300 --> 00:06:37.260
and licensing may be managed by the provider,

117
00:06:37.260 --> 00:06:41.280
but the customer must still ensure proper usage

118
00:06:41.280 --> 00:06:44.760
and security of those resources.

119
00:06:44.760 --> 00:06:47.130
In a customer managed environment

120
00:06:47.130 --> 00:06:51.570
in the cloud, the organization has greater control,

121
00:06:51.570 --> 00:06:55.564
but this also means taking on the full responsibility

122
00:06:55.564 --> 00:07:00.564
for managing security, licensing and compliance.

123
00:07:00.600 --> 00:07:02.730
The distinction between cloud

124
00:07:02.730 --> 00:07:05.880
and customer managed resources highlights

125
00:07:05.880 --> 00:07:09.960
the importance of carefully managing encryption keys

126
00:07:09.960 --> 00:07:14.670
and licenses regardless of who is responsible

127
00:07:14.670 --> 00:07:17.490
for the underlying infrastructure.

128
00:07:17.490 --> 00:07:22.470
So remember, cloud management involves overseeing

129
00:07:22.470 --> 00:07:26.610
and securing cloud resources while clearly defining

130
00:07:26.610 --> 00:07:30.030
responsibilities between the cloud provider

131
00:07:30.030 --> 00:07:31.770
and the customer.

132
00:07:31.770 --> 00:07:35.070
The shared responsibility model outlines

133
00:07:35.070 --> 00:07:37.513
which security tasks are handled

134
00:07:37.513 --> 00:07:40.080
by the cloud service provider,

135
00:07:40.080 --> 00:07:43.057
like maintaining the physical infrastructure,

136
00:07:43.057 --> 00:07:46.086
and which are managed by the customer,

137
00:07:46.086 --> 00:07:51.086
such as configuring data encryption and access.

138
00:07:51.390 --> 00:07:53.160
In cloud environments,

139
00:07:53.160 --> 00:07:57.030
services like AWS Key Management Service

140
00:07:57.030 --> 00:08:01.650
or Azure Key Vault help manage encryption keys,

141
00:08:01.650 --> 00:08:05.860
but customers are still responsible for properly handling

142
00:08:05.860 --> 00:08:08.910
and rotating those keys.

143
00:08:08.910 --> 00:08:13.440
Furthermore, licensing in the cloud is often bundled

144
00:08:13.440 --> 00:08:15.759
into platform subscriptions,

145
00:08:15.759 --> 00:08:18.720
reducing the customer's workloads,

146
00:08:18.720 --> 00:08:22.320
but organizations must still track, renew,

147
00:08:22.320 --> 00:08:25.440
and maintain compliance themselves.

148
00:08:25.440 --> 00:08:28.920
Understanding the division of responsibilities

149
00:08:28.920 --> 00:08:30.420
for encryption keys

150
00:08:30.420 --> 00:08:34.440
and licenses is crucial to maintaining security

151
00:08:34.440 --> 00:08:37.863
and compliance in any cloud environment.

