The document outlines the preparation for deploying cloud solutions, covering the interaction of cloud and non-cloud components, evaluation of existing services, and automation and orchestration options. It highlights the benefits of cloud computing, identifies major cloud service providers, and discusses the evaluation criteria for systems and applications suitable for cloud deployment. Additionally, it provides guidelines for selecting systems, automation techniques, and orchestration methods to ensure successful cloud implementation.


Module 1 Preparing to Deploy Cloud Solutions

Describe Interaction of Cloud Components and Services

• Describe Interaction of Cloud Components and Services
• Describe Interaction of Non-cloud Components and Services
• Evaluate Existing Components and Services for Cloud Deployment
• Evaluate Automation and Orchestration Options
• Prepare for Cloud Deployment

Topic 1 Describe Interaction of Cloud Components and Services

Exam Objectives Covered:


• 1.1 Given a scenario, analyze system requirements to ensure successful
system deployment.
• 1.5 Given a scenario, analyze sizing, subnetting, and basic routing for a
provided deployment of the virtual network.

Technical Benefits of Cloud Computing

• Resource pooling
• On-demand self service
• Rapid elasticity
• Measured services
• Broad network access

Business Benefits of Cloud Computing

• Move IT expenses from capital expenditure (CapEx) to operational expenditure (OpEx)
• Improves service quality
• Brings new technologies within reach of organizations of all sizes

Common Types of Cloud Services

Cloud Service Providers

The "Big 4" Cloud Service Providers

• Amazon Web Services (AWS): Offers SaaS, PaaS, IaaS, and many other cloud services at global scale.
• Microsoft Azure: Offers SaaS, PaaS, IaaS, and many other cloud services at global scale.
• Google Cloud Platform (GCP): Offers SaaS, PaaS, IaaS, and many other cloud services at global scale.
• IBM Cloud: Offers SaaS, PaaS, IaaS, and many other cloud services at global scale.
Cloud Service Providers (Cont.)

Smaller and "Niche" Cloud Service Providers

• Heroku: A large provider of PaaS services, including app development, management, deployment, and scaling.
• Digital Ocean: Another large provider of PaaS services, including app development, management, deployment, and scaling.
• GitHub: A large version control repository service used for collaborative app development.
• QuickBooks Online: Provides a cloud-based SaaS version of QuickBooks accounting software.
• BackBlaze: Provides cloud-based data backup and data recovery for personal and business uses.
• ClearData: Provides cloud-related services and solutions specific to the highly regulated healthcare industry.
Core Cloud Solution Components

• Compute: Processor and memory.
• Virtual servers and machines: Logically separated compute resources.
• Containers: Lightweight, standalone executable that holds everything necessary to run a piece of software.
• Storage: HDDs or SSDs for saving files and data.
• Database: SQL or NoSQL databases for storing and retrieving data.
• Network and content delivery: Bandwidth for accessing cloud services and infrastructure for deploying cloud apps.
• Security, identity, and compliance: Authentication, access control, and regulatory assurance for solutions and processes.
• Application services: Services for building and deploying cloud apps.
• Developer tools: Software to create cloud apps.
Additional Cloud Solution Components

• Analytics: Tools for monitoring and measuring cloud solution performance.
• Migration: Services to help move data and apps to the cloud.
• Management tools: Tools for managing cloud apps and solutions.
• Artificial intelligence: Software that can perform analysis and critical decision making normally done by humans.
• Mobile services: Tools and components that allow mobile devices to access cloud solutions.
• Messaging: Services that enable app-to-app communications.
• Business productivity: Software for common business tasks.
• Desktop and streaming: Solutions that allow users to work from a virtual computer "desktop."
• Software development and publishing: Online stores and other tools to publish and monetize software.
• Internet of Things: Cloud-connected devices that can communicate.
Common Cloud Deployments

• Public cloud: a cloud service provider's cloud data center, with multiple, different cloud clients connected to it.
• Private cloud: a corporate cloud data center, with the corporate offices connected to the private cloud.

Common Cloud Deployments (Cont.)

• Hybrid cloud: a cloud service provider's cloud data center together with one or more locations with corporate data centers.
• Community cloud: a cloud service provider's cloud data center serving multiple cloud clients with similar needs.
Further Deployment Differentiation

Cloud deployments may be further categorized in the following ways:


• Single server
• Single cloud architecture
• Multi-cloud architecture

SLAs

Cloud Component Interaction

(Diagram: hosts with CPUs, VMs running on the hosts, apps running on the VMs, the network, and a database, showing how the cloud components interact.)
Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Guidelines for Describing Cloud Component Interaction

• When justifying your cloud project to management and key stakeholders, remember
to map cloud benefits to organizational goals, increased organizational capabilities,
and cost savings.
• Research common cloud architectures used by other organizations that have
deployed cloud projects similar to those your organization is considering. Review the
pros and cons of each architecture to help decide which is best for you.
• Consider calling cloud administrators who have implemented cloud projects similar
to those you're considering, to see if they are happy with their architectural decisions
or if they would make changes or additions based on their experience.
• When planning a cloud project or moving into a cloud deployment, map out all cloud
components and how they will interact. Documenting this will help you identify
possible problem areas, troubleshoot issues that might arise, and recognize the need
for additional services or configuration.
• When considering cloud services, compare master service agreements (MSAs) and
service level agreements (SLAs) from multiple vendors.
Activity: Describing Networking Component Interactions
Compare options for Microsoft Azure and Google Cloud.
a) Open a browser and navigate to https://azure.microsoft.com.
b) In your browser, open a new tab, and navigate to https://cloud.google.com.
c) Review and search both sites to help you answer the following questions.

1. Do both solutions provide data center high availability and multi-region high
availability? If so, what are the costs for each?

2. What are the advantages and disadvantages for using one CSP versus two CSPs?

Activity: Describing Networking Component Interactions
1. Do both solutions provide data center high availability and multi-region high
availability? If so, what are the costs for each?
Azure Storage and Google Cloud Storage both provide high availability within the
same data center and across multiple regions. The price difference varies based on
the type of storage, but multi-regional high availability tends to be 1.25 to 2 times
more than a single region.

2. What are the advantages and disadvantages for using one CSP versus two CSPs?
Answers may include potential for cloud vendor lock-in, not getting the opportunity
to get full hands-on experience with more than one vendor as you’re considering
moving more services to the cloud, and (if you don’t migrate the app to Google),
losing in-house experience with Google APIs and needing to rewrite that code using
Azure APIs.

Module 1 Preparing to Deploy Cloud Solutions

Describe Interaction of Non-cloud Components and Services
Topic 2 Describe Interaction of Non-cloud Components and Services

Exam Objectives Covered:

• 1.1 Given a scenario, analyze system requirements to ensure successful
system deployment.
Non-cloud Network Resources

(Diagram: the on-premises network linked to the cloud through network communications.)

Non-cloud Security Apparatus

(Diagram: the same network communications between the on-premises network and the cloud, now protected by encryption.)

On-premises Computing Services

(Diagram: the encrypted network communications to the cloud, with an on-premises database, an app running on a server, and a file server added.)

Authentication

(Diagram: the previous on-premises components, with authentication and identity management added.)

Other Non-cloud Services

(Diagram: the previous on-premises components, with monitoring software, logging software, etc. added.)

User Interaction Components

(Diagram: the previous on-premises components, with user interaction components added.)
Module 1 Preparing to Deploy Cloud Solutions

Evaluate Existing Components and Services for Cloud Deployment
Topic 3 Evaluate Existing Components and Services for Cloud Deployment

Exam Objectives Covered:

• 1.1 Given a scenario, analyze system requirements to ensure successful
system deployment.
Systems and Platforms

• When looking at which systems may be a good fit to move to the cloud, evaluate
both the operating system and the platform the operating system is running on.
• Specially built legacy systems may offer features or capabilities that aren't available
on cloud-based systems.
• The systems you wish to move to the cloud have to work with the systems and
architectures offered by your provider of choice.

Applications

When evaluating applications, look for these issues that may indicate the apps are not a
good choice for the cloud:
• Applications that require direct access to hardware.
• Applications that use or require hard-coded IP addresses.
• Latency sensitive apps.
• Apps that transfer very large files.
• Apps that use outdated APIs or APIs that are not supported by the CSP.

Cloud Elements and Target Objects

(Diagram: cloud services.)
Other Components and Services

Verify that these other components and services are available when the deployment is
scheduled to occur:
• Authentication.
• Security.
• Compliance.
• Monitoring.
• Logging.
• Reporting.
• Integration.

Guidelines for Selecting Systems and Applications for Cloud Deployment

• Look for systems, platforms, and apps that are compatible with the x86-64 chipset
architecture, as most providers offer compute resources for that architecture.
• Whenever you're considering moving a system or application to the cloud, have a
fallback plan in case cloud deployment fails.
• When evaluating which applications to deploy to the cloud, examine the business
goals that are driving consideration of the application.
• While your evaluation of systems, platforms, and apps for cloud deployment should
tell you which cloud services you must purchase, some providers break out services
in unexpected ways.
• When preparing for a cloud deployment, it's often a good idea to review the full list
of cloud services available from the CSP and note any that you think may be required
to make your project successful.
Activity: Selecting Systems and Applications for Migration to the Cloud
One of the members of your organization's Executive Steering committee has come to
you asking about an in-house application the Finance department uses extensively. He
wants to know if this app is a good fit to move to the cloud.
• The application was developed 16 years ago using a now out-of-date language, and
runs on a legacy operating system.
• The developer who wrote the application is no longer with the company.
• The application provides a key service for the finance department, and the app data
is stored within the application, not in a database.

1. Can the finance app be moved to the cloud as is with minimal code changes? Why
or why not?

2. Should the finance app be moved to the cloud with more extensive code changes?
Why or why not?
Activity: Selecting Systems and Applications for Migration to the Cloud

1. Can the finance app be moved to the cloud as is with minimal code changes? Why
or why not?
Answers may include: the finance app will most likely not function properly or at all
because the out-of-date language will not be supported by any of the OSes available
in the cloud, and the unsupported language may not support the APIs used by the
cloud.

2. Should the finance app be moved to the cloud with more extensive code changes?
Why or why not?
Answers may include: the app will need to be moved to a current programming
language. The developer who wrote the app is not available to modify the
application, which means that retrofitting the application to make it work in the
cloud will require more effort. Even with the original developer, it may require a large
amount of effort to update the app for the cloud.

Module 1 Preparing to Deploy Cloud Solutions

Evaluate Automation and Orchestration Options
Topic 4 Evaluate Automation and Orchestration Options

Exam Objectives Covered:


• 1.1 Given a scenario, analyze system requirements to ensure successful
system deployment.
• 1.2 Given a scenario, execute a provided deployment plan.
• 2.1 Given a scenario, apply security configurations and compliance controls
to meet given cloud infrastructure requirements.

APIs

(Diagram: APIs used to administer, manage, and monitor cloud services.)
Automation vs. Orchestration

(Diagram: automation covers single tasks such as "Deploy New VM" and "Install Application on VM"; orchestration chains those tasks into a workflow: deploy a new VM, install the application on the VM, then add the VM to the web farm.)
Cloud Automation Options

• Command Line Interface (CLI) commands: Provides administration from the command line, where specific commands and their parameters can be executed to perform administrative tasks from provisioning to configuration and monitoring.
• Web and graphical user interface (GUI) tools: Provide a graphical interface that is often easier to use for manual administration and configuration tasks.
• Cloud portal tools: Many CSPs provide one or more portals, which are central management and configuration tools.
• Third-party tools: Third-party solutions that integrate with cloud services to provide features, capabilities, or an enhanced management experience. May also provide GUI or command-line management tools.
Orchestration Techniques

The common uses for cloud orchestration are:


• Resource orchestration to provision and allocate resources to cloud environments or
solutions.
• Workload orchestration for management of apps and other cloud workloads and the
components essential to those workloads.
• Service orchestration to deploy services in cloud environments.

Orchestration for DevOps (Infrastructure as Code)

(Diagram: Development, QA, and Operations brought together as DevOps.)
Custom Programming Options

(Diagram: customer code using CSP APIs or CMP APIs.)
Third-Party Tools for Orchestration

Guidelines for Evaluating Automation and Orchestration

• It's best to create simple and standardized automation routines.
• When evaluating automation and orchestration options for cloud service vendors,
look for vendors that support the tools, languages, and scripting architectures your
system operations staff is familiar with.
• Commit to a DevOps implementation to realize the full advantage of cloud
computing.
• Closely document security processes and process steps related to automation and
orchestration, and put procedures in place to update automated and orchestrated
processes when security processes change.
• Refine processes before considering them for automation.
Activity: Evaluating Automation Processes
Research automation and orchestration options for Microsoft Azure and
Google Cloud.
a) In your browser, open a new tab, and navigate to
https://docs.microsoft.com/en-us/azure/automation/automation-intro.
b) In your browser, open a new tab, and navigate to https://www.chef.io/chef/.
c) In your browser, open a new tab, and navigate to https://puppet.com.
d) Review and search the three sites to help you answer the following questions.

1. What are the differences in the languages between Azure Automation, Chef, and
Puppet?

2. Do Chef, Azure Automation, and Puppet all have marketplaces that provide sample
code?

Activity: Evaluating Automation Processes
1. What are the differences in the languages between Azure Automation, Chef, and
Puppet?
Azure Automation uses runbooks, which are based on Windows PowerShell. The
runbooks can do anything that Windows PowerShell can do. Puppet uses Ruby but it
also has its own declarative language that bundles together all of the installation
requirements into packages. Chef is written in Ruby and Erlang, with the
specifications or extensions written in Ruby.

2. Do Chef, Azure Automation, and Puppet all have marketplaces that provide sample
code?
The marketplaces for Chef and Puppet provide many code samples and the ability to
browse and search them. Because Azure Automation uses PowerShell, you can
simply use the TechNet Script Center to find many different code samples and other
add-ins.

Module 1 Preparing to Deploy Cloud Solutions

Prepare for Cloud Deployment
Topic 5 Prepare for Cloud Deployment

Exam Objectives Covered:


• 1.1 Given a scenario, analyze system requirements to ensure successful
system deployment.

Cloud Deployment Plans

Items to be addressed:

• Business goals and milestones: This should state both the six- to twelve-month and the one- to three-year vision and goals for the project.
• Key stakeholders and personnel: This includes executive sponsors and parties with a vested financial interest in the success of the project, which are critical in pre-deployment stages to state project value.
• Cloud deployment workflow: This may start at a very high level and drill down into specific steps, including specific commands to be executed.
• Dependencies: Dependencies are the relationships for preceding steps to succeeding tasks.
• Risks and problems: Risks can derail a project, and many are based on dependencies.
• Resources: Identify all resources needed for the project.
• Communications: Make sure everyone on the team knows the plan.
Performance Measurement and Baselines

Cloud Structure Requirements

The cloud structure should be based on:

• Network requirements such as bandwidth, load balancing, high availability, regional
access, and other requirements.
• Security and compliance requirements such as the need for encrypted connections
between clients, apps, and data sources, authentication and access controls, and
other security mechanisms.
• App architecture such as two-tier, where clients (client tier) access the data directly
(database tier), or three-tier, where an app running business logic sits between the
client and the data to perform additional processing (client tier, business tier, and
data tier).
Target Hosts and Commands

• You must identify target hosts provided by the CSP where guest VMs or containers
will be installed.
• The VMs and containers will have configuration specifications defining resource
requirements such as compute, memory, storage, and so forth.
• You should be able to identify the requirements for the CSP resource systems or
systems that will host the VMs and containers.
• Document any task steps or commands needed to provision hosts, VMs, containers,
or other CSP resources.
Migration Tools

Benefits of DevOps Approach

A DevOps approach has many benefits, including:


• Fast implementation times, which can mean faster time to market and reduced ROI.
• More stable and reliable operations environments.
• Early detection and more rapid correction of issues (code or infrastructure).
• Improved collaboration between business, development, and operations, thus
improving business agility.
• Continuous release, deployment, testing, and monitoring of apps, thus facilitating
faster implementation and business agility.

Guidelines for Preparing for a Cloud Deployment

• Consider using an agile methodology in your project execution plan.
• For shorter deployments of one to four weeks in length, use a more rigid and less
flexible project execution plan.
• For longer running deployments, those taking longer than four weeks, make the plan
flexible.
• Take baseline measurements of key performance metrics, both front-end and
back-end, to use for comparison once solutions are deployed to the cloud.
• If a problem materializes, be sure to assess the real impact of the problem on project
milestones and goals.
• When taking baseline measurements, work with end users and service or app
experts to determine the key back-end actions of common tasks that should be
measured to establish the baseline for a service or app.
• Document CSP task steps, including GUI and command-line steps, thoroughly, and
cross-train cloud team members so that multiple people are able to provision and
configure CSP resources.
• Refer to CSP checklists and best practice guides when provisioning resources.
• Evaluate the benefits of a DevOps approach to cloud deployment and management.
Activity: Preparing for Cloud Deployment
Compare migration tools for Microsoft Azure and Google Cloud.
a) In your browser, review and search both sites to help you answer the following
questions.

1. What cloud migration tools does Microsoft Azure provide?

2. What cloud migration tools does Google Cloud provide?

3. Use the Microsoft Azure Total Cost of Ownership Calculator.

• Add a server workload using Windows, with 10 servers, 1 processor per server, 8 cores
per processor, and 16 GB of RAM.
• Add a physical server environment with the following settings: Linux, 10 servers, 1
processor per server, 8 cores, 16 GB RAM.
• Add storage with the following settings: Local Disk/SAN, HDD disk type, 1 TB capacity.
• In the networking section, enter 6 GB in the Outbound bandwidth (GB)/Month field.
• Review the different options on the Adjust assumptions page and set the Software
Assurance Coverage toggle to off.
• Review the TCO calculator results.
Activity: Preparing for Cloud Deployment

1. What cloud migration tools does Microsoft Azure provide?


Microsoft Azure provides an assessment tool that calculates costs for migration and
generates a validation plan for making the transition. It then provides the tools to
make the migration.

2. What cloud migration tools does Google Cloud provide?


Google Cloud has the Cloud Data Transfer tool for moving data to the cloud, and a
free virtual machine migration tool.

3. Use the Microsoft Azure Total Cost of Ownership Calculator.

What were your results in the TCO calculator?
Reflective Questions

1. Have you participated in deploying apps or services to the cloud already, or
are you in the process of evaluating the cloud for potential deployment?

2. What business or technical benefits could your organization see from
moving some apps or services to the cloud? Be as specific as possible.
Module 2 Deploying a Pilot Project

Manage Change in a Pilot Project

• Manage Change in a Pilot Project
• Execute Cloud Deployment Workflow
• Complete Post-Deployment Configuration
Topic 1 Manage Change in a Pilot Project

Exam Objectives Covered:


• 1.2 Given a scenario, execute a provided deployment plan.

Overview of Change Management Processes

At minimum, a change management process should involve:


• Identifying the change or developing a solution to address a problem (which then
becomes the change).
• Recording the change.
• Assessing the impact of the change.
• Notifying stakeholders of the change or requesting approval to make changes.
• Scheduling implementation of changes.
• Monitoring the impact of the change.
• Rolling back changes if required to address issues that arise from the changes.

Approvals

(Diagram: the parties involved in approval: Cloud Project Lead, Key Stakeholder, and Executive.)
Scope of Changes

The cloud team should include the following in their assessment of the impact of
changes:
• Impact to project schedule (both current phase and any cascading implications that
will impact deadlines).
• Impact on project dependencies.
• Impact to project goals.
• Impact on project costs.
• Impact to projected project ROI.

Schedules

There are multiple factors that should be taken into consideration to determine the best
schedule for implementing changes:
• What steps are dependent upon the change?
• Who will implement the change, what's their availability, and how will that impact
other cloud deployment tasks?
• What verification steps are needed to ensure the change is properly implemented?

CMDB (Configuration Management Database)

• Stores information about IT installations, including:
  • Authorized configurations
  • Relationships to other IT assets
• Used to manage:
  • Software builds
  • Hardware builds
  • Impact analysis
  • Incident response
Guidelines for Managing Change in a Cloud Pilot Project

• At minimum, a change management process should take the following actions into
account: identification of issues requiring a change, development of a solution to deal
with the changes, assessment of the impact of the changes, request for approval for
changes, and scheduling implementation of changes.
• When a change is made, notify key stakeholders and other parties impacted by the
change.
• When assessing the impact of a change, be sure to look at the following: impact to
project schedule (both current phase and any cascading implications that will impact
deadlines), impact on project dependencies, impact to project goals, impact on project
costs, and impact to projected project ROI.
• When seeking approvals, be sure to justify any changes using the project's original
business goals.
• Schedule changes to minimize impact on the overall project schedule.
• When scheduling changes, determine the following: What steps in the cloud
deployment are dependent on the change being implemented? Who will implement
the change, and what is the cascading impact on other cloud deployment tasks? What
verification steps are needed to ensure the change has been properly implemented?
Activity: Managing Changes as Part of Deployment

1. What actions should be taken when developing a solution to deal with the
changes?

2. What actions should be taken when assessing the impact of the changes?

Activity: Managing Changes as Part of Deployment

1. What actions should be taken when developing a solution to deal with the
changes?
Answers may include finding the best solution to the issue. This phase should be
focused on addressing the issue. If there are multiple options for addressing the
issue, then those should be included.

2. What actions should be taken when assessing the impact of the changes?
Answers may include impact to project schedule, impact on project dependencies,
impact to project goals, impact on project costs, impact to projected project ROI, etc.

Module 2 Deploying a Pilot Project

Execute Cloud Deployment Workflow
Topic 2 Execute Cloud Deployment Workflow

Exam Objectives Covered:


• 1.2 Given a scenario, execute a provided deployment plan.

Cloud Deployment Workflow

1. Provision the cloud environment

2. Install and configure applications

3. Secure the production environment

4. Perform a trial migration

5. Perform full migration and cutover

Sample Cloud Deployment Workflows

Migration from On-Premises Storage to Cloud Storage

1. Provision cloud storage at desired capacity.
2. Verify access and use scripts to create a test folder structure.
3. Perform a trial migration using a limited subset of data.
4. Perform a full migration after confirming the deployment schedule with all users.
5. Perform access checks and instruct users to verify access to their files.

Migration of On-Premises App to the Cloud

1. Provision cloud hosts and other supporting services required by the app to be migrated, such as databases.
2. Install and configure the app and any supporting apps and middleware needed.
3. Secure the new cloud environment, including the hosts, VMs, containers, and services.
4. Perform a trial migration by migrating a subset of data. Test the app using the migrated data.
5. Perform a full migration after confirming the deployment schedule with all users.
CSP Recommendations

CSP recommendations, best practice guides, and checklists

Deployment Documentation Requirements

There should be three major sets of documentation:


• Pre-deployment documentation should record all activities and preparation taken
ahead of deployment, the order they were taken in, and any results.
• Deployment documentation records the steps taken during deployment and their
results.
• Post-deployment documentation records all post-deployment steps taken in
sequence.

Guidelines for Executing Deployment Workflows

• You will start using more CSP resources and incur more costs.
• The trial migration should have sufficient time in the schedule between the trial
migration date and the full migration and cutover to the cloud so that any problems
identified during the trial migration can be resolved before the full migration and
without changing the scheduled date of the full migration.
• If you're deploying a new service or capability, perform a trial launch and let a subset
of users test the new service.
• When deploying a new service or capability, select users to test the new service who
are willing to go back to their departments and act as departmental support staff
after launch and provide training and assistance to colleagues who will be using the
service for the first time.
• Refer to CSP documentation and follow guidelines and best practices.
• Use CSP migration and deployment guides as well as best practice guides to
cross-check your own deployment plan and verify that no steps have been omitted.
• Store documentation in a central location that can be accessed by cloud team
members and anyone else who may be called upon to help with the deployment, or
troubleshoot issues after deployment.
Questions

1. List the steps in the cloud deployment workflow.

2. What resources should be used to cross-check your own deployment plan and
verify that no steps have been omitted?

3. What deployment documentation should you have?

9
Answers

1. List the steps in the cloud deployment workflow.


1. Provision the cloud environment
2. Install and configure applications
3. Secure the production environment
4. Perform a trial migration
5. Perform full migration and cutover

2. What resources should be used to cross-check your own deployment plan and
verify that no steps have been omitted?
CSP checklists and best practice guides

3. What deployment documentation should you have?


Pre-deployment, deployment, and post-deployment records

10
Module 2 Deploying a Pilot Project
Complete Post-Deployment Configuration
Module 2 Deploying a Pilot Project

• Manage Change in a Pilot Project


• Execute Cloud Deployment Workflow
• Complete Post-Deployment Configuration

2
Topic 3 Complete Post-Deployment Configuration

Exam Objectives Covered:


• 1.2 Given a scenario, execute a provided deployment plan.

3
Post-Deployment Cloud Configuration Tasks

These are some general post-deployment configuration tasks that cloud administrators
may need to perform:
• Test and validate that the solution is functional and performing well.
• Set up user roles and access.
• Configure integration components.
• Configure data connections.
• Configure system or data backup.

4
Cloud Management Options

Most CSPs provide multiple options for managing cloud services, which usually include:
• Management portal. This is usually a graphical user interface (GUI) that allows users
to configure and manage resources, provision new resources, monitor resources,
view activity, and even check their billing statements.
• Command-line management. Most CSPs offer some form of management from the
command line, which enables the use of scripts to complete more complex or
repetitive tasks.
• API management. Many CSPs publish APIs to allow external tools to manage
resources.

5
Windows Azure Automation Features

6
DSC

• A PowerShell 4.0 and later feature that supports declarative patterns to describe a
system or service configuration.
• Three primary components:
    • Configuration: Defines and persists the desired configuration of instances and resources.
    • Resources: Contain properties described in a schema, plus PowerShell script functions that the
    Local Configuration Manager invokes to implement and persist the configuration.
    • Local Configuration Manager (LCM): Facilitates interaction between resources and
    configurations on behalf of DSC. Queries the system at regular intervals to see if the system
    has drifted out of the desired state, and puts it back in state if it has.
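As an added example (not from the CompTIA slides), the following PowerShell shows the three DSC components above working together: a Configuration that declares a security baseline for a web host using built-in Resources, and an LCM meta-configuration that makes the node re-check and correct drift on a schedule. The node name WebServer01, the chosen baseline settings, and the output paths are assumptions.

```powershell
# Added example, not from the slides. Requires Windows PowerShell 5.x with the
# built-in PSDesiredStateConfiguration module; run from an elevated session.
# 'WebServer01' and the baseline settings below are assumptions for illustration.

# --- Component 1: Configuration (declarative description of the desired state) ---
Configuration WebHostBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'WebServer01' {
        # --- Component 2: Resources (each has a schema and get/set/test logic) ---

        # The IIS role must be present on a web host
        WindowsFeature WebServer {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        # A service this host does not need stays stopped and disabled;
        # if someone re-enables it, the LCM will turn it back off
        Service RemoteRegistry {
            Name        = 'RemoteRegistry'
            State       = 'Stopped'
            StartupType = 'Disabled'
        }

        # Disable the SMBv1 server via the documented LanmanServer registry value
        Registry DisableSmb1 {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueData = '0'
            ValueType = 'DWord'
            Ensure    = 'Present'
        }
    }
}

# --- Component 3: Local Configuration Manager meta-configuration ---
# ApplyAndAutoCorrect makes the LCM re-test the node every
# ConfigurationModeFrequencyMins and reapply anything that has drifted.
[DSCLocalConfigurationManager()]
Configuration WebHostLcm {
    Node 'WebServer01' {
        Settings {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile both configurations into MOF documents (assumed output folders)
WebHostBaseline -OutputPath .\Baseline
WebHostLcm      -OutputPath .\Lcm

# Apply the LCM settings first, push the baseline, then verify the node is in state
Set-DscLocalConfigurationManager -Path .\Lcm -Verbose
Start-DscConfiguration -Path .\Baseline -Wait -Verbose
Test-DscConfiguration -Detailed
```

Test-DscConfiguration reports each resource as in or out of the desired state, which is the same check the LCM performs on its 30-minute schedule.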

7
Google Cloud Platform Automation Features

8
Guidelines for Completing Post-Deployment Configuration

• Begin license, application, and database monitoring for the production cloud
environment.
• Review and compare automation and orchestration options for CSPs you're
considering.
• Automation usually involves scripting. See what scripting languages are required and
if any members of your cloud team know those languages.
• Compare CSP orchestration services, and prices if fee-based, to third-party
management services and prices.
• Third-party management services may also help prevent cloud service vendor lock-in
by making it easier to move from one cloud service to another while preserving
automation and orchestration.

9
Reflective Questions

1. Have you participated in any IT migrations from one data center to another?
If so, what type of documentation did you keep during the migration
process?

2. What types of IT automation have you implemented in your own on-premises
or cloud IT environments?

10
Module 3 Testing Pilot Project Deployments
Identify Cloud Service Components for Testing
Module 3 Testing Pilot Project Deployments

• Identify Cloud Service Components for Testing


• Test for High Availability and Accessibility
• Perform Deployment Load Testing
• Analyze Test Results

2
Topic 1 Identify Cloud Service Components for Testing

Exam Objectives Covered:


• 1.3 Given a scenario, analyze system requirements to determine if a given
testing plan is appropriate.

3
Test Plans and Test Cases

Test Plan: a collection of test cases.

Each Test Case records:
• Data to be tested
• Procedures or inputs
• Scenarios and descriptions
• Expected results
• Actual results

4
Shared Component Testing

Test for shared components:


• Sizing. To ensure the VMs have been assigned the correct number and size of
processors and memory, and that storage is sized correctly to handle the apps and
services.
• Connectivity. To ensure that all shared services that must communicate with each
other can do so, and that the required number of network connections is present.
• Resource allocation. To ensure that resources and components are properly
allocated and assigned within the solution.
• Security. To ensure that resources that should not be able to access each other
can't.
• Performance. To ensure that resources perform at expected levels.

5
Cloud Deployment Environments

• Development cloud
• QA or Testing cloud
• Production cloud

6
Test for Goals of Cloud Deployment Plan

• Cloud projects are green-lighted in order to achieve specific business goals.


• The goals are usually business objectives tied to key cloud computing benefits such
as accessibility, rapid-scalability, and so forth.
• When testing cloud services and apps, you will be testing discrete pieces of
functionality, but you should always have the overall goals of the cloud project in
mind.
• Any issues that may put achieving project goals in jeopardy should be surfaced as a
priority to be resolved.

7
Connectivity Testing

Typically, the two most important issues tested and measured are:
• Latency. Latency describes the amount of time data takes to traverse the network.
From an end-user perspective, latency describes how long they have to wait for an
app or service to respond to an input.
• Performance. Performance testing seeks to answer the question, "Does the solution
perform at a level that will be acceptable to users?" If a service or app is slower once
moved to the cloud, users will almost certainly be unhappy.
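As an added example (not from the slides), the following PowerShell turns the Connectivity and Security checks from Shared Component Testing, plus the latency measurement above, into formal test cases of the kind described under Test Plans and Test Cases: each case records the input, expected result, actual result, and measured connect time. The host names, ports, and expectations are constructed assumptions, and Invoke-Command assumes WinRM access to the source hosts.

```powershell
# Added example, not from the slides. Host names, ports and expectations below
# are constructed for illustration; replace them with your deployment's tiers.
# Each probe runs ON the source host, so the result reflects that host's own
# firewall, security-group and routing rules rather than the tester's workstation.

$TestCases = @(
    [pscustomobject]@{ Scenario='Web tier reaches app tier';            Source='web01'; Target='app01';       Port=8080; Expected='Allowed' }
    [pscustomobject]@{ Scenario='App tier reaches database';            Source='app01'; Target='db01';        Port=1433; Expected='Allowed' }
    [pscustomobject]@{ Scenario='Web tier must NOT reach the database'; Source='web01'; Target='db01';        Port=1433; Expected='Denied'  }
    [pscustomobject]@{ Scenario='Database must NOT reach the internet'; Source='db01';  Target='example.com'; Port=443;  Expected='Denied'  }
)

function Invoke-ConnectivityTestPlan {
    param([Parameter(Mandatory)] [object[]] $TestCases)

    foreach ($case in $TestCases) {
        try {
            # Test-NetConnection -Port performs a TCP connect; time it for a latency figure
            $probe = Invoke-Command -ComputerName $case.Source -ArgumentList $case.Target, $case.Port -ScriptBlock {
                param($Target, $Port)
                $sw = [System.Diagnostics.Stopwatch]::StartNew()
                $r  = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
                $sw.Stop()
                [pscustomobject]@{ Succeeded = [bool]$r.TcpTestSucceeded; Ms = $sw.ElapsedMilliseconds }
            }
            $actual    = if ($probe.Succeeded) { 'Allowed' } else { 'Denied' }
            $latencyMs = $probe.Ms
        }
        catch {
            # Could not run the probe on the source host; record it rather than guess
            $actual    = "Error: $($_.Exception.Message)"
            $latencyMs = $null
        }

        # One test-case record: input, expected result, actual result, pass/fail
        [pscustomobject]@{
            Scenario  = $case.Scenario
            Input     = "$($case.Source) -> $($case.Target):$($case.Port)"
            Expected  = $case.Expected
            Actual    = $actual
            LatencyMs = $latencyMs
            Result    = if ($actual -eq $case.Expected) { 'PASS' } else { 'FAIL' }
        }
    }
}

$results = Invoke-ConnectivityTestPlan -TestCases $TestCases
$results | Format-Table -AutoSize

# A FAIL on a 'Denied' case means two components that should be isolated can talk;
# surface those before the full migration, not after
$results | Where-Object Result -eq 'FAIL' | Export-Csv .\connectivity-failures.csv -NoTypeInformation
```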

8
Data Integrity Testing

Data integrity testing involves:

• Validating that each value is successfully saved to the database.
• Ensuring data compatibility with old hardware or old versions of operating
systems and browsers.
• Verifying that the data can be modified and deleted.
• Verifying the size and number of files present.
• Checking whether or not a blank value or default value can be retrieved from the
database.

9
Proper Function Testing

Functional testing often includes:


• Identification of functions that a service or app is expected to perform.
• Use of input data based on function specifications.
• Examination of output based on the function specifications.
• Execution of the test case.
• Comparison of expected and actual outcomes.
• Checks against whether the service or app works as needed.

10
Accessibility Testing

• Ensures cloud-based solutions can be connected to and that populations with
different levels of abilities can use cloud services effectively.
• Defined by several guidelines published by the World Wide Web Consortium (W3C).
• Web Content Accessibility Guidelines (WCAG) are currently documented as WCAG
2.0.
• Section 508, government standards for accessibility, define design criteria to make
web-based and computer apps accessible to people with different abilities.

11
Guidelines for Identifying Components to Be Tested

• Create formal test plans with test cases to validate cloud deployments.
• It's a good idea to perform load tests on VMs to test memory usage, app
performance, and network speed after resources are provisioned and configured,
prior to full deployment.
• When initial tests are run, it's also a good time to set up any CSP or third-party
monitoring software that will track key system and app usage metrics and allow
cloud administrators to track performance and issues on an ongoing basis.
• If budget is available or if moving to an infrastructure as code/DevOps environment,
set up development, QA, and production clouds to speed deployment of updates.
• Compare performance test results taken after deployment to baselines taken before
deployment.

12
Activity: Identifying Components to Be Tested

Research testing options for Microsoft Azure and Google Cloud.


a) In your browser, open a new tab, and navigate to https://azure.microsoft.com.
b) In your browser, open a new tab, and navigate to https://cloud.google.com.
c) Review and search both sites to help you answer the following questions.

1. What are some of the components you will need to test?

2. What are some of the solutions for testing Microsoft Azure components?

3. What are some other ways to test storage on Microsoft Azure?

13
Activity: Identifying Components to Be Tested

1. What are some of the components you will need to test?


Answers may include: Azure File storage, Azure authentication, Google Cloud VM
Instances, Apps running on Google Cloud VM instances, Google Cloud authentication,
etc.

2. What are some of the solutions for testing Microsoft Azure components?
Answers may include: use Azure Diagnostics to collect statistics, use Visual Studio
profiler to perform analysis, use Visual Studio with the Team Foundation Service, etc.

3. What are some other ways to test storage on Microsoft Azure?


Answers may include: use file transfer software and then time the transfers, do file
searches and time the searches, have a pilot group of users use storage for a few
days and see if they "feel" storage is faster or slower, etc.

14
Module 3 Testing Pilot Project Deployments
Test for High Availability and Accessibility
Module 3 Testing Pilot Project Deployments

• Identify Cloud Service Components for Testing


• Test for High Availability and Accessibility
• Perform Deployment Load Testing
• Analyze Test Results

2
Topic 2 Test for High Availability and Accessibility

Exam Objectives Covered:


• 1.3 Given a scenario, analyze system requirements to determine if a given
testing plan is appropriate.

3
Cloud Solution High Availability and Accessibility Requirements

4
High Availability Options

• Replication
• Load Balancing
• Multi-region deployments

Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 5
Load Balancing Tests


6
Replication Tests

To test replication, you should do the following:


• Confirm replication configuration. There are many different replication technologies,
which may be affected by the type of database in use, the CSP, and other factors.
• Test that replication is working. Verify that replication is working to and from all
locations by performing changes, additions, and deletions.
• Test that replication is working under load. Once you've confirmed replication is
working, put the systems under load and use monitoring, test tools, and manual tests
to confirm that replication is working under load.
• Test performance under load. Increase load on the service or app to simulate peak
load, and test response times to ensure that replication occurs within acceptable
parameters under peak load.
• Test failure and reentry of database nodes. Database nodes that are part of a
replicated deployment are usually part of an HA deployment as well.

7
Cloud Regions

Benefits of cloud regions and their descriptions:

• Provides access to cloud resources close to end-users. This speeds access to cloud
resources, and reduces issues caused by network latency.
• Allows for multi-region HA. You can have load balanced server farms and replicated
databases within a single cloud data center.
• Allows for multi-region disaster recovery and business continuity. The same issue
exists for HA deployments designed to provide disaster recovery and business
continuity.
• Allows organizations to provide data driven services in countries or regions with
different laws governing data access. Some types of regulated data, such as financial,
security, health care, and privacy information, are governed by different laws in
different countries and regions.

8
Multi-region Performance Testing

• Load Balancing Testing
• Replication Testing
• Test Regional Failures

Guidelines for Testing High Availability and Accessibility Options

• If users will be accessing cloud resources from other continents or even across
continents, consider deploying services and apps to multiple regions to reduce
latency and address any compliance issues.
• Perform at least some manual testing while performing peak load, failover, and
reentry testing to ensure that user experience remains acceptable.
• Notify your CSP when you will be performing testing and verify they have no
activities planned for those times that will impact or skew tests.
• Notify your CSP when you will be performing peak load testing so that they don't see
it as a Denial of Service attack and terminate traffic from load testing tools.

10
Activity: Documenting Testing for High Availability
Research high availability options for Microsoft Azure and Google Cloud.
a) In your browser, open a new tab, and navigate to https://azure.microsoft.com.
b) In your browser, open a new tab, and navigate to https://cloud.google.com.
c) Review and search both sites to help you answer the following questions.

1. What features does Microsoft Azure have to provide high availability?

2. What features does Google Cloud have to provide high availability?

3. What should you consider when assessing the impact of the changes?

11
Activity: Documenting Testing for High Availability
1. What features does Microsoft Azure have to provide high availability?
Answers may include fabric controller for Azure compute instances, Azure Storage
maintains replicas of data in same regions and some in other regions, load balancer,
etc.

2. What features does Google Cloud have to provide high availability?


Answers may include auto-scaling for adding more compute instances, high
availability mode for compute instances, cloud storage maintains replicas of data in
same and different regions, load balancer, etc.

3. What should you consider when assessing the impact of the changes?
Answers may include impact to project schedule, impact on project dependencies,
impact to project goals, impact on project costs, impact to projected project ROI, etc.

12
Module 3 Testing Pilot Project Deployments
Perform Deployment Load Testing
Module 3 Testing Pilot Project Deployments

• Identify Cloud Service Components for Testing


• Test for High Availability and Accessibility
• Perform Deployment Load Testing
• Analyze Test Results

2
Topic 3 Perform Deployment Load Testing

Exam Objectives Covered:


• 1.3 Given a scenario, analyze system requirements to determine if a given
testing plan is appropriate.

3
Load Testing Options

Performed by load testing tools:


• Microsoft Azure: Allows for load testing through the Azure Portal or with Visual
Studio.
• Google Cloud Platform: Offers page speed insights and some distributed load testing
tools.
• There are also third party load testing tools that specialize in testing different types
of services and apps.
• Many CSPs also have preferred third party load testing vendors that they work with.

4
Vulnerability Scanning and Penetration Testing Options

Test types and descriptions:

• White box. Testers have full background and device information to simulate an attack
from a knowledgeable insider.
• Gray box. Testers have some knowledge about how system components interact but
do not have any detailed knowledge about internal program operations.
• Black box. Testers have little or no information provided except the company name
to simulate an attack from outside.

5
Activity: Evaluating Load Testing Options
Research load testing options for Microsoft Azure and Google Cloud.
a) In your browser, open a new tab, and navigate to
https://www.visualstudio.com/team-services/cloudload-testing/.
b) In your browser, open a new tab, and navigate to
https://cloud.google.com/solutions/distributedload-testing-using-kubernetes.
c) Review and search both articles to help you answer the following questions.

1. What advantages does the Visual Studio Team Services solution have?

2. What preparation is required in order to perform load testing with Visual Studio
Team Services?

3. What advantages does the Load Testing using Kubernetes solution have?

6
Activity: Evaluating Load Testing Options
1. What advantages does the Visual Studio Team Services solution have?
Answers will vary, but may include it is customizable, can scale up to hundreds of
thousands of users, can generate load from multiple regions, provides analysis of
tests, etc.

2. What preparation is required in order to perform load testing with Visual Studio
Team Services?
Answers will vary, but may include download and install Visual Studio Enterprise,
create a team services account, create or download a load test project.

3. What advantages does the Load Testing using Kubernetes solution have?
Answers will vary, but may include infrastructure elasticity that makes it easy to test
applications and services with large numbers of simulated clients with each
generating traffic patterned after users or devices, can scale to simulate high loads,
etc.

7
Module 3 Testing Pilot Project Deployments
Analyze Test Results
Module 3 Testing Pilot Project Deployments

• Identify Cloud Service Components for Testing


• Test for High Availability and Accessibility
• Perform Deployment Load Testing
• Analyze Test Results

2
Topic 4 Analyze Test Results

Exam Objectives Covered:


• 1.4 Given a scenario, analyze testing results to determine if the testing was
successful in relation to given system requirements.

3
Success Factors for Testing

Common success factors and the questions each is designed to answer:


• Functionality: Does the solution function as required per specification on the front-
end and back-end?
• Sizing: Is the solution sized to meet current usage demands (or peak usage demands
if that is what the project goal called for)?
• Automation and orchestration: Do required automation steps and orchestrated tasks
execute and complete successfully and achieve the results designed?
• Scaling: Can the solution be scaled manually, or through orchestrated operations, to
meet growing utilization?
• Performance: Does the solution perform at an acceptable level for both users and
operations that take place on the back end?
• SLA guarantees: Are provider solution components and services performing at the
level specified in the SLA?
• Security: Does the solution meet security requirements as specified?
• Compliance: Does the solution meet compliance requirements as specified?

4
Test Result Analysis

Cloud Performance Fluctuation Variables

Performance factors and their descriptions:

• Devices used to access the solution. Mobile and desktop devices may have a different
experience when connecting to the solution.
• Service and app design. Put simply, services and apps can be poorly designed.
• Application components. If a service or app depends on a process, API, or component
that is slow or bottlenecked due to over-utilization, the cascading impact could
negatively impact performance of the entire solution.
• WAN resources. Slow connections between offices where the employees of a cloud
client must work and the cloud data center may make an otherwise high-performing
app slow and difficult to use.
• Peak usage. During times of peak usage, one or more components of a solution may
become bottlenecked, causing the entire solution to suffer negative performance.
• Cyberattacks. CSPs, or some of their big clients, can be the target of cyberattacks.

6
Cloud Performance Optimizations and Tradeoffs

Ways organizations can improve performance:


• Consolidate in the cloud. If a cloud solution must access other software components,
services, or data on-premises, this could create a bottleneck.
• Scale up. VMs and containers can be moved to more powerful hosts, and given more
resources, including processors, memory, storage and network cards.
• Scale out. Instead of giving VMs more resources, you can add or move VMs running
the same code and load balance requests.
• Improve network bandwidth. Network bandwidth is a common issue, especially
when transitioning on-premises services and apps to the cloud.
• Rewrite app code. In some cases, apps or their components must be rewritten so
that they can take advantage of cloud services and APIs, or communicate more
effectively.

7
Guidelines for Analyzing Test Results

• Get signoff from key stakeholders as to what the key success factors are for testing.
• Make sure your team is using clear, well written, formal test plans and test cases.
• Consider using bug tracking software as a central repository for test plans, test cases,
and defect tracking.
• Communicate with your CSP to stay abreast of any activities that may create
performance fluctuations.
• Ask CSP support staff about any unusual or unexpected performance numbers and
request that they help cross-check cloud service component configuration settings.
• All performance optimizations come with cost tradeoffs. If costs increase, be sure
to update long-term cost, budget, and ROI figures based on the new expenses, and
reflect them in reports to stakeholders.

8
Activity: Analyzing Test Results to Determine Success

1. What actions should you take while analyzing test results?

9
Activity: Analyzing Test Results to Determine Success

1. What actions should you take while analyzing test results?


Answers may include investigate any warnings or errors, report results to key
stakeholders, cross-check any unusual or unexpected performance numbers with
service providers, document changes to address failures, discuss results with key
stakeholders to talk about impact and schedule changes, etc.

10
Reflective Questions

1. Have you ever tested any IT apps, services, or components as part of a
migration, deployment, or upgrade, and what tools did you use to do the
testing?

2. What types of fluctuations, such as network or device-based fluctuations, have
impacted app performance in your IT infrastructure either on-premises or in
the cloud?

11
Module 4 Designing a Secure and Compliant Cloud Infrastructure
Design Cloud Infrastructure for Security
Module 4 Designing a Secure and Compliant Cloud Infrastructure

• Design Cloud Infrastructure for Security


• Determine Organizational Compliance Needs

2
Topic 1 Design Cloud Infrastructure for Security

Exam Objectives Covered:


• 2.1 Given a scenario, apply security configurations and compliance controls
to meet given cloud infrastructure requirements.

3
Responsible Parties in Cloud Environments

On-premises Environment: infrastructure and security services are managed by you.

Cloud Environment: infrastructure and security services are split between those
managed by you and those managed by the CSP.

4
Corporate Security Policies

The security policy might include the following:


• Goals or mission statement for cloud services: One or two sentences that clearly
state the goals for using cloud services.
• Data classification: This is a complex but essential component of a security policy.
Data can be classified a number of ways, but some common classifications are:
• Sensitive corporate data (corporate secrets).
• Data that is protected by law such as personally identifiable information (PII), sensitive
personal information (SPI), and HIPAA-related information.
• Operational data that is used in performance of day-to-day operations.
• Scope: This defines who and what the policy applies to.
• Responsibilities: This section lists, by role and current role-holder name, who is
responsible for key activities.
• Policy statements: These are the specific, discrete statements that make up the
policy.

5
Questions to Ask When Developing Security Policies
• What services, apps, and data should be put in the cloud? Why?
• What services, apps, and data should not be put in the cloud? Why?
• Is there already a corporate data classification policy that can be leveraged?
• Are there any other applicable policies that can be leveraged?
• How are industry peers handling their policies and making their choices?
• What do standards bodies such as ISO, NIST, or the CSA recommend for security and
data handling policies related to your industry?
• Who should have authority to approve agreements with CSPs, and what type of
approval change is required for CSP contracts?
• Where can services and data be physically located?
• What are our options for moving services, apps, and data from one provider to
another, to a private cloud, or back to on-premises?
• Can the CSPs protect corporate sensitive data to the standards defined by the
corporate policy?
• Who can make changes to configuration settings for infrastructure, services, and
apps?

6
Goals of Securing Cloud Solution Components

Goals and their descriptions:

• Abuse and unallowed use of cloud resources. Prevent malicious users, either internal
or external, from using your cloud resources for illicit, illegal, or unauthorized
activities.
• Breaches and exploitation of shared resources. Cloud technologies may not have been
designed to offer strong isolation in multi-tenant environments.
• Breaches and exploitation of cloud apps. This includes credential theft or gaining
access to integrated services and APIs.
• Access to resources by malicious insiders. Cloud solutions must be protected from bad
actors within your organization and the CSP.
• Data theft, loss, and leakage. Data theft, loss, or leakage risk is common for both cloud
and on-premises deployments.
• Account, service, and traffic hijacking. Exploitation of service or app vulnerabilities
can lead to accounts being compromised.
• Unknown risk profile. Since cloud environments are controlled by CSPs, visibility may
be reduced, making it difficult to calculate a risk profile and activate proper
remediation techniques.

7
Need for a Holistic Security Approach

Security issues and prevention measures:

• Abuse and unallowed use of cloud resources. Consult with your CSP on how they
mitigate these threats.
• Breaches and exploitation of shared resources. Talk with your CSP and ask how each
client is isolated from the others in the CSP’s multi-tenant shared infrastructure.
• Breaches and exploitation of cloud apps. Analyze and implement highly secure models
for cloud service interfaces, such as using strong authentication methods combined
with encryption of transmitted data.
• Attacks from malicious insiders. Perform an assessment of your CSP’s hiring practices
and policies.
• Data theft, loss, and leakage. You should encrypt data to and from the CSP network to
end-users.
• Account hijacking. Prohibit the sharing of account credentials among users and across
services, both by policy and by design.
• Unknown risk profile. Seek to reduce unknowns by working with your CSP.

8
Encryption and Decryption

9
Apply Security to Achieve Defense-In-Depth

• To achieve true defense-in-depth, you must consider all components in use and any
points of vulnerability.
• Implement strong, policy-based management.
• Monitor network activity and review security logs of the system, app, or service and
those of any network security devices in the path of connectivity to it.
• You should also perform, or have a third party perform, occasional vulnerability
scanning and penetration testing.

10
Guidelines for Planning a Secure Cloud Infrastructure

• Consider all components in use and any points of vulnerability.
• Encrypt data while it is in transit using network encryption such as IPSec, SSL/TLS, PKI, or
other technologies.
• Encrypt data that is being backed up.
• Encrypt data while at rest using disk encryption, file encryption, database encryption, and
other technologies.
• Consider encrypting virtual machines.
• Use high bit-strength encryption for PKI and other encryption technologies for extra
security.
• Consider data movement when planning security.
• Disable unneeded ports and services on infrastructure components.
• Create and enforce strict account management policies that include timely account
cleanup and deletion as well as account audits.
• Use host-based, VM-based, and container-based software firewalls as appropriate.
• Install antivirus and anti-malware on VMs and containers.
• Make sure patching is done rapidly after appropriate validation, following security
guidelines.

11
Activity: Planning a Secure Cloud Infrastructure for Deployment

Research security options for Microsoft Azure and Google Cloud.


a) In your browser, open a new tab, and navigate to https://azure.microsoft.com.
b) In your browser, open a new tab, and navigate to https://cloud.google.com.
c) Review and search both sites to help you answer the following questions.

1. What features does Microsoft Azure have to provide security for cloud
applications?

2. What features does Microsoft Azure have to provide security for cloud storage?

3. What features does Google Cloud have to provide security for cloud applications?

12
Activity: Planning a Secure Cloud Infrastructure for Deployment
1. What features does Microsoft Azure have to provide security for cloud
applications?
Answers may include Web Application vulnerability scanning to test for
vulnerabilities, Web Application firewall to protect from common web-based attacks,
Layered Security Architecture to provide differing levels of network access for each
application tier, etc.

2. What features does Microsoft Azure have to provide security for cloud storage?
Answers may include Role-Based Access Control to restrict access based on user roles,
Shared Access Signature to grant limited access to resources, encryption in transit to
protect data when it is transmitted across networks, encryption at rest to protect
data in the cloud, etc.

3. What features does Google Cloud have to provide security for cloud applications?
Answers may include up-to-date security patches for operating systems and
applications, User and Credential Management to limit access by user role, using
identical servers in their stack so security footprint is smaller, security scanner to
discover vulnerabilities, etc.

13
Module 4 Designing a Secure and Compliant Cloud Infrastructure
Determine Organizational Compliance Needs
Module 4 Designing a Secure and Compliant Cloud Infrastructure

• Design Cloud Infrastructure for Security


• Determine Organizational Compliance Needs

2
Topic 2 Determine Organizational Compliance Needs

Exam Objectives Covered:


• 2.1 Given a scenario, apply security configurations and compliance controls
to meet given cloud infrastructure requirements.

3
Need for a Compliant Cloud Design

Compliance requirements:
• Health care data: HIPAA (Health Insurance Portability and Accountability Act).
• Education: FERPA (Federal Education Rights and Privacy Act).
• Email and cloud content: SCA (Stored Communications Act).
• Consumer credit history: FCRA (Fair Credit Reporting Act).
• Children's data and images: COPPA (Children’s Online Privacy Protection Act).
• Internal financial records of public companies: SOX (Sarbanes-Oxley).
• Protection of public data held by federal agencies: FISMA (Federal Information
Security Management Act).
• Payment card data: PCI DSS (Payment Card Industry Data Security Standard).

4
Governance

Control Objectives for Information and Related Technology (COBIT) includes:
• A framework for implementation and for linking governance to business requirements.
• Process descriptions for planning, building, running, and monitoring IT processes.
• Control objectives, which are requirements that are considered necessary for management of IT services.
• Maturity models that allow processes to develop, evolve, and be refined.
• Guidelines for management to help assign responsibilities, measure performance, and define objectives.
Compliance Responsibility

Who is ultimately responsible for meeting regulatory compliance for your cloud: the CSP, or you?

(Figure: the answer is you. The CSP shares operational duties, but the regulatory obligation stays with the organization that owns the data.)
Cloud Compliance and Governance Issues

Compliance-related issues that must be governed in most regulated industries include:
• CSP compliance with data handling requirements set out by specific regulations such as PCI DSS or HIPAA.
• Location, recoverability, and retention of data stored in the cloud. You must be able to locate regulated data, often down to the physical device(s) it is stored on.
• Physical and digital security. Data centers where regulated data is stored must meet physical security requirements.
• Support and procedures for cross-border investigations. Multinational regulated organizations must comply with the differing regulations of each jurisdiction they serve or store data in, such as the United States and the European Union.
Compliance Audit Requirements

(Figure: compliance requirements.)
Audit and Compliance Requirements

To meet audit and compliance requirements, an organization will need to follow a process with steps like these:
• Identify compliance requirements such as corporate policies and standards, laws and regulations, SLAs, etc.
• Implement policies, procedures, processes, and systems to satisfy those compliance requirements.
• Monitor whether these policies, procedures, and processes are followed diligently.
Guidelines for Determining Organizational
Compliance Needs for Deployment
• Evaluate CSPs for certifications in the areas where your organization must be compliant.
• Remember that the onus of meeting compliance requirements is on the client.
• Make sure cloud providers offer transparency of their infrastructure to customers.
• Ask CSPs for audit results on their compliant storage practices and security ratings.
• Ask CSPs to share recent compliance certification reports or audit reports for your review.
• Consider asking businesses in your field or industry that are using cloud services about their experience maintaining compliance in the cloud.
• When considering compliance needs, ask about and research the following:
  • Scope of compliance needs.
  • CSP compliance certifications.
  • CSP SLAs.
  • Provider solvency and the well-being of their business.
  • Data retention period for regulated data.
  • Incident management.
Activity: Determining Organizational Compliance Needs for Deployment

1. When evaluating your cloud providers for compliance information, what should you look for?
Answers may include certifications in the areas where your organization must be compliant, audit results on their compliant storage practices and security ratings, etc.

2. What might you ask the cloud provider to do in order to help you determine if they will meet your compliance needs?
Answers may include asking them to offer transparency of their infrastructure to you, requesting audit results from them, asking them to share recent compliance certification reports or audits for your review, etc.
Reflective Questions

1. How have IT networks and assets you've worked with been designed to be secure?

2. How have systems or data you've worked with had to meet compliance needs?
Module 5 Designing and Implementing a Secure Cloud Environment
Topic 1 Design a Virtual Network for Cloud Deployment

• Design Virtual Network for Cloud Deployment
• Determine Network Access Requirements
• Secure Networks for Cloud Interaction
• Manage Cloud Component Security
• Implement Security Technologies

Exam Objectives Covered:
• 1.5 Given a scenario, analyze sizing, subnetting, and basic routing for a provided deployment of the virtual network.
Virtual Network Connectivity to Cloud Resources

• Isolation. You can isolate virtual networks from each other to create secure networks, and separate networks such as development, QA, and production cloud networks.
• Internet connectivity. Each virtual network can access the Internet if so desired.
• Connection to other CSP services. You can configure other CSP services, such as queuing, messaging, and others, to connect to virtual networks.
• Connection to other virtual networks. This allows you to provide the access required between virtual networks while retaining control over connections.
• Connection to on-premises. This allows you to connect your virtual networks to on-premises systems.
• Traffic filtering. This allows you to filter incoming and outgoing traffic for virtual networks.
Virtual Network Components

• Virtual switch. Similar to a physical network switch, a virtual switch allows you to create network segments by connecting networking components together.
• Virtual bridge. A bridge connects your VM directly to the LAN used by your host computer.
• Virtual host adapter. The host virtual adapter allows your VMs to communicate with the host they are running on.
• NAT. A NAT device allows you to connect your VMs to an external network when you have only one IP address assigned to the NIC and that address is used by the host computer.
• DHCP server. The DHCP server provides IP addresses to virtual machines in configurations that are not bridged to the NIC, such as host-only and NAT configurations.
• Ethernet adapter. Any physical adapter installed on the host that connects it to the network.
SDN

The following key technologies enable software-defined networking (SDN):
• Functional separation of traffic based on software-defined configuration.
• Network virtualization through configuration of routes, protocols, and other networking properties.
• Automation through programmability, allowing adaptive routing based on network topology.
Network Component Configuration Options

To create and use virtual networks, you must also configure the following network components:
• Subnets. You must add TCP/IP subnets to your virtual networks to designate the addresses used on those networks.
• Routers or routing tables. You must configure routing tables, associated with the subnets of the virtual network (or with the VMs on it), so that packets are routed appropriately to and from the virtual network; the most specific matching route wins.
• DNS. You can provide DNS server addresses or use CSP-provided DNS services.
• CSP regions or zones. If you're creating virtual networks in different CSP regions, you need to specify which region each virtual network is in.
• Traffic filters. Configure filters between subnets using inbound and outbound security rules that filter traffic by source and destination IP address, port, and protocol.
Guidelines for Designing a Virtual
Network for Cloud Deployment

• Compare virtual network services from cloud providers as they may be the only way
you can create virtual networks, or may be more functional and much easier to
configure and manage than VM-based virtual networks configured on hosted VMs.
• If planning to filter traffic to virtual networks, add testing steps to your deployment
planning to make sure all necessary traffic is getting through.
• Work with CSP personnel to help configure virtual networks and network components like routing tables, network virtual appliances, and subnets.
Activity: Designing the Virtual Network for Connecting to Cloud Services

Create a virtual network in Azure.

a) On the Microsoft Azure browser tab, in the Navigation pane, select Virtual networks.
b) In the Virtual networks pane, select Create virtual network.
c) In the Create virtual network pane, in the Name box, type CloudAccess
d) In the Address space box, type 192.168.0.0/16
e) From the Resource Group drop-down list, select GenStorage.
f) Under Subnet, in the Address range box, type 192.168.0.0/24
g) Select Create.
h) In the Virtual networks pane, select the Refresh button until the new virtual network appears.
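The sizing and routing checks behind the activity above, as an added worked example (it is not part of the course notes or of any CSP tooling). It carves the activity's 192.168.0.0/16 address space into three constructed subnets, verifies they fit and do not overlap, and resolves next hops with longest-prefix match, which is how a VM's effective route table behaves. The five reserved addresses per subnet are Azure's documented behaviour; the route entries and the network virtual appliance at 192.168.0.4 are assumptions made up for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Azure reserves five addresses in every subnet (network address, default
# gateway, two for Azure DNS, broadcast), so a /24 yields 251 usable hosts.
# Other CSPs reserve a similar handful; adjust the constant for your provider.
RESERVED_PER_SUBNET = 5


def plan_subnets(address_space: str, subnets: Dict[str, str]) -> Tuple[List[str], Dict[str, int]]:
    """Check that every subnet fits inside the virtual network's address space
    and that no two subnets overlap. Returns (problems, usable_hosts_by_name)."""
    space = ipaddress.ip_network(address_space)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(space):
            problems.append(f"{name} {net} is outside address space {space}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    usable = {name: net.num_addresses - RESERVED_PER_SUBNET for name, net in nets.items()}
    return problems, usable


def next_hop(route_table: List[Tuple[str, str]], destination: str) -> Optional[str]:
    """Longest-prefix match: the most specific prefix that contains the
    destination wins, regardless of the order the routes were entered."""
    dest = ipaddress.ip_address(destination)
    best_net = None
    best_hop = None
    for prefix, hop in route_table:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


# Constructed sample: the activity's address space split into three tiers, and
# a route table with a default route to the Internet, the system route for the
# VNet, a route to on-premises via a VPN gateway, and a user-defined route that
# steers database-tier traffic through a hypothetical NVA at 192.168.0.4.
SUBNETS = {"web": "192.168.0.0/24", "app": "192.168.1.0/24", "db": "192.168.2.0/26"}
ROUTES = [
    ("0.0.0.0/0", "Internet"),
    ("192.168.0.0/16", "VirtualNetwork"),
    ("10.0.0.0/8", "VirtualNetworkGateway"),
    ("192.168.2.0/26", "NVA 192.168.0.4"),
]

if __name__ == "__main__":
    problems, usable = plan_subnets("192.168.0.0/16", SUBNETS)
    print("problems:", problems or "none")
    for name, hosts in usable.items():
        print(f"{name}: {SUBNETS[name]} -> {hosts} usable addresses")
    for dst in ("192.168.2.10", "192.168.1.7", "10.20.30.40", "8.8.8.8"):
        print(f"{dst} -> {next_hop(ROUTES, dst)}")
```

Run the checks before creating the subnets in the portal: an overlap or an out-of-range subnet is rejected by the CSP anyway, but catching it in the plan is cheaper, and the route lookup shows why a user-defined /26 route silently overrides the VNet system route for that tier.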
Module 5 Designing and Implementing a Secure Cloud Environment
Topic 2 Determine Network Access Requirements

• Design Virtual Network for Cloud Deployment
• Determine Network Access Requirements
• Secure Networks for Cloud Interaction
• Manage Cloud Component Security
• Implement Security Technologies

Exam Objectives Covered:
• 1.5 Given a scenario, analyze sizing, subnetting, and basic routing for a provided deployment of the virtual network.
Ports and Protocols

• Well-known ports (0 to 1,023). Assigned to specific, widely deployed services (FTP, SSH, HTTP, and so on), so they are the most common targets of attack.
• Registered ports (1,024 to 49,151). Assigned to specific applications; less predictable targets, but attackers scan this range for open ports.
• Dynamic or private ports (49,152 to 65,535). Ephemeral ports assigned on demand; they cannot be targeted by number in advance, but attackers still scan this range for open ports.
Ports and Protocols (Cont.)

• 21: FTP (File Transfer Protocol)
• 22: SSH (Secure Shell)
• 25: SMTP (Simple Mail Transfer Protocol)
• 53: DNS (Domain Name System)
• 80: HTTP (Hypertext Transfer Protocol)
• 110: POP3 (Post Office Protocol)
• 139: NetBIOS Session Service
• 143: IMAP (Internet Message Access Protocol)
• 443: HTTPS (Hypertext Transfer Protocol Secure)
• 3389: RDP (Remote Desktop Protocol)
Types of Access Required for Cloud Services

(Figure: a cloud application and an on-premises application both require the same ports, 80 (HTTP) and 443 (HTTPS).)
Port and Protocol Security When Deploying to Cloud

To help you determine which ports and protocols you need to configure access for, and
which networks need to pass specific traffic, look for guidance from these sources:
• Application and service configuration guides.
• CSP security and deployments guides.
• Deployment guides from third party sources or consultancies that implement
solutions similar to the solutions you're implementing.
• Your own documentation, firewall, and routing information.
• If you're uncertain what ports and protocols are used by a legacy, on-premises app you'd like to move to the cloud, use tools like a port scanner or protocol analyzer to determine which ports are used.
Guidelines for Determining Network Access Requirements

• Don't assume you know all ports used to access, or used on the back-end of an app
or service. Many administrators assume common web ports such as 80 and 443
(HTTP and HTTPS) are used, and may fail to consider ports needed for database
access or use by other services.
• If you're uncertain what ports and protocols are used by a legacy, on-premises app
you'd like to move to the cloud, and don't have clear documentation, use tools like a
port scanner or protocol analyzer to determine which ports are used.
• Use CSP and app deployment guides as the basis for designing port and protocol
access to services and apps.
• When creating inbound and outbound rules for network access, be mindful of the direction of traffic flow: a rule allowing a port inbound to a subnet does not allow the subnet to initiate connections outbound on that port.
Questions

1. You want to disallow unsecure file transfers on your virtual network. What port do you block?
21 (the FTP control port; FTP also uses port 20 in active mode or a server-chosen passive-mode port for data, but no data session can be set up without the control connection).

2. True or False: A cloud-based web app will use the same ports and protocols as an on-premises web app.
True

3. When designing port and protocol access to services and apps, what guides should you use?
CSP and app deployment guides
Module 5 Designing and Implementing a Secure Cloud Environment
Topic 3 Secure Networks for Cloud Interaction

• Design Virtual Network for Cloud Deployment
• Determine Network Access Requirements
• Secure Networks for Cloud Interaction
• Manage Cloud Component Security
• Implement Security Technologies

Exam Objectives Covered:
• 1.5 Given a scenario, analyze sizing, subnetting, and basic routing for a provided deployment of the virtual network.
• 2.1 Given a scenario, apply security configurations and compliance controls to meet given cloud infrastructure requirements.
• 2.3 Given a cloud service model, implement defined security technologies to meet given security requirements.
Ciphers

• A cipher is an algorithm used to encrypt or decrypt data.
• Enciphering: the process of translating plaintext to ciphertext.
• Deciphering: the process of translating ciphertext to plaintext.
• Ciphers alter individual letters or bits to scramble a message.
• Codes alter words or phrases, or resemble a secret language.
• The science of breaking codes and ciphers is called cryptanalysis.

(Figure: original information passes through the cipher and comes out as encrypted information.)
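All three ideas on the slide in one place, as an added example that is not from the course notes: a shift cipher that enciphers and deciphers letter by letter, and a cryptanalysis routine that breaks it without the key by trying every shift and scoring each candidate plaintext against English letter frequencies. The message is constructed for the example; the frequency table is the usual published approximation for English.

```python
import string
from typing import Tuple

ALPHABET = string.ascii_lowercase

# Relative frequency (%) of letters a-z in English text.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def encipher(plaintext: str, shift: int) -> str:
    """Shift cipher: each letter is replaced by the letter `shift` places
    further along the alphabet; non-letters pass through unchanged."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            base = "a" if ch.islower() else "A"
            out.append(chr((ord(ch) - ord(base) + shift) % 26 + ord(base)))
        else:
            out.append(ch)
    return "".join(out)


def decipher(ciphertext: str, shift: int) -> str:
    return encipher(ciphertext, -shift)


def chi_squared(text: str) -> float:
    """Distance between the letter distribution of `text` and English;
    lower means the text looks more like English."""
    letters = [c for c in text.lower() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for i, letter in enumerate(ALPHABET):
        observed = letters.count(letter)
        expected = ENGLISH_FREQ[i] / 100 * n
        score += (observed - expected) ** 2 / expected
    return score


def crack_shift(ciphertext: str) -> Tuple[int, str]:
    """Cryptanalysis: try all 26 keys and keep the one whose plaintext is
    closest to English. A 26-key space is the whole weakness of this cipher."""
    candidates = ((chi_squared(decipher(ciphertext, k)), k) for k in range(26))
    _, best = min(candidates)
    return best, decipher(ciphertext, best)


# Constructed sample message (long enough for frequency analysis to work).
MESSAGE = ("attack the cloud network at dawn and retrieve the data "
           "before the audit team arrives at the site")

if __name__ == "__main__":
    ct = encipher(MESSAGE, 7)
    print("ciphertext:", ct)
    key, pt = crack_shift(ct)
    print(f"recovered key {key}: {pt}")
```

The same frequency-scoring idea is what makes any cipher that preserves letter statistics breakable; modern ciphers are designed so that ciphertext statistics reveal nothing about the plaintext.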
Network Security Options

• Flood guards. A tool used by network administrators and security professionals to protect resources from flooding attacks, such as SYN floods and Distributed Denial of Service (DDoS) attacks.
• Loop protection. Network loops can occur when more than one pathway exists between endpoints in a network and frames get forwarded over and over again; protocols such as Spanning Tree Protocol (STP) block the redundant paths.
• Port security. On switches, limiting which MAC addresses may use a physical port and disabling unused ports; on hosts, disabling unnecessary services and closing unused TCP/UDP ports.
• Secure router configuration. Ensuring that all routers on the network are properly secured protects your network from attacks and can also prevent routing loops, which are caused by a routing algorithm error that creates a looping pattern.
Network Security Options (Cont.)

• Network separation. Splitting your network into two or more logically separated networks separates critical network functions from lower-priority functions so that security can be managed on a critical versus non-critical basis.
• VLAN management. With proper management procedures in place, security measures can be implemented and managed quickly.
• Implicit deny. Use the principle of implicit deny when granting access to network resources: anything not explicitly allowed is blocked.
• Log analysis. Regular monitoring and analysis of security logs helps detect unauthorized intrusion attempts on the network.
Network Encryption Technologies

• IPsec. A set of open, non-proprietary standards that you can use to secure data as it travels across the network or the Internet.
• PPTP. A Microsoft Layer 2 VPN protocol that tunnels PPP packets and adds encryption (MPPE). Its MS-CHAPv2 authentication and RC4-based encryption are broken; treat it as legacy and do not deploy it for new connections.
• L2TP. An Internet-standard tunneling protocol that combines features of PPTP and L2F and carries PPP sessions across a variety of networks, such as IP, Frame Relay, or ATM. L2TP itself provides no encryption, so it is normally run inside IPsec (L2TP/IPsec).
• SSH. A protocol used for secure remote login and secure transfer of data.
Network Encryption Technologies (Cont.)

• PKI. A system composed of a CA, certificates, software, services, and other cryptographic components, for the purpose of enabling authenticity and validation of data and entities.
• Digital certificate. An electronic document that binds an identity (credentials) to a public key, signed by a CA.
• HTTPS. A secure version of HTTP that protects web traffic by running HTTP over a TLS connection between a web browser and a server.
• TLS and SSL. Security protocols that combine digital certificates for authentication with public key cryptography to establish encrypted sessions. All versions of SSL, and TLS 1.0 and 1.1, are deprecated; use TLS 1.2 or 1.3.
VPNs

(Figure: a VPN tunnel carries encrypted traffic between the private network and the cloud across the Internet.)
Network Segmentation and Security

Some common network segmentation implementations related to cloud deployments include the following:
• De-Militarized Zone (DMZ)
• Virtual Extensible LAN (VXLAN)
• Segmentation
• Micro-segmentation
DMZ

(Figure: the web server sits in the DMZ between the Internet and the private cloud network.)
VXLAN

• The VLAN ID is a 12-bit field, so the specification only allows for 4,096 network IDs (4,094 usable, since 0 and 4,095 are reserved) at any given time, which might not be enough segments for a large multi-tenant cloud computing environment.
• The goal of VXLAN is to extend the VLAN address space to support about 16 million segments: it carries a 24-bit VXLAN Network Identifier (VNI) in an 8-byte header and tunnels the original Layer 2 frame inside UDP (destination port 4789) across the Layer 3 underlay.
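The VXLAN header itself, as an added example that is not from the course notes: the 8-byte layout from RFC 7348 built and parsed with `struct`, which makes the 24-bit VNI (and so the 16 million segment limit) concrete. The inner Ethernet frame in the demo is a constructed placeholder; outer IP and UDP headers are left to the host's network stack.

```python
import struct

VXLAN_UDP_PORT = 4789             # IANA-assigned destination port for VXLAN
VXLAN_FLAG_I = 0x08               # "I" flag: the VNI field is valid
VLAN_ID_BITS, VNI_BITS = 12, 24
VLAN_ID_MAX = (1 << VLAN_ID_BITS) - 1   # 4,095 (0 and 4,095 are reserved)
VNI_MAX = (1 << VNI_BITS) - 1           # 16,777,215


def build_vxlan_header(vni: int) -> bytes:
    """Build the 8-byte VXLAN header from RFC 7348:
    flags(8) | reserved(24) | VNI(24) | reserved(8), all big-endian."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in {VNI_BITS} bits")
    first_word = VXLAN_FLAG_I << 24        # flags in the top byte, reserved bits zero
    second_word = vni << 8                 # VNI in the top three bytes, reserved byte zero
    return struct.pack("!II", first_word, second_word)


def parse_vxlan_header(data: bytes) -> int:
    """Return the VNI from a VXLAN header, rejecting short input and headers
    whose I flag is clear (the VNI is then meaningless)."""
    if len(data) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    first_word, second_word = struct.unpack("!II", data[:8])
    flags = first_word >> 24
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    return (second_word >> 8) & VNI_MAX


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the VXLAN header to an inner Ethernet frame; the result is the
    UDP payload a VTEP sends to port 4789."""
    return build_vxlan_header(vni) + inner_frame


def decapsulate(payload: bytes):
    """Split a received UDP payload into (vni, inner_frame)."""
    return parse_vxlan_header(payload), payload[8:]


if __name__ == "__main__":
    # Constructed inner frame: a placeholder 14-byte Ethernet header only.
    frame = bytes.fromhex("0250563a1b2c" "02505601aabb" "0800")
    segment = encapsulate(5001, frame)
    print(segment.hex())
    print(decapsulate(segment))
    print(f"VLAN IDs: {VLAN_ID_MAX + 1:,}  VXLAN VNIs: {VNI_MAX + 1:,}")
```

Note the security-relevant caveat the header makes obvious: nothing in VXLAN authenticates or encrypts the inner frame, so tenant isolation rests entirely on the underlay and the VTEPs, and traffic between VTEPs that crosses an untrusted network needs IPsec or similar underneath it.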
Segmentation Options

The first type of segmentation isolates different types of network traffic. The following three types of network traffic should be segmented:
• Management traffic. Most enterprise virtualization platforms provide a special virtual network connection for management traffic, such as the VMware management (formerly service console) network used to connect hypervisors to management tools such as VMware vCenter.
• Operations traffic. Traffic associated with live migration of running VMs (VMware vMotion, for example) and with storage operations.
• Virtual machine production traffic. The traffic to and from VMs generated by the services and apps running on those VMs, and the requests and responses from clients.
Micro-segmentation Options

(Figure: Normal segmentation puts a perimeter firewall in front of a DMZ/Web VLAN, an App VLAN, a DB VLAN, and a Services/Management VLAN, with an inside firewall between tiers; HR, Finance, App, DB, Services, and Management VMs share each VLAN. Micro-segmentation keeps the perimeter firewall but applies policy per VM, grouping the same VMs into an HR group, a Finance group, and a Services/Management group so each group is isolated from the others regardless of VLAN.)
Guidelines for Securing Deployments with Segmentation

• Use virtual DMZs to isolate publicly accessible cloud resources from those that aren't.
• Provide some form of network security and encryption to protect data in transit between corporate data sources, corporate cloud resources, and corporate users.
• Consider micro-segmentation to provide granular, persistent protection for your in-cloud deployment.
Activity: Creating a Secure Network Design with Segmentation

You have an app that you would like to add to the cloud. It has a front end for the user interface and a database on the back end.

You create a segmented network that has a subnet for resources that are accessed publicly and another subnet for resources that are strictly private.

On which subnet would the app front end reside, and which would contain the database?

The front end would be in the public subnet since it is accessed by users, and the database would be in the private subnet because it is accessed only by the app and by administrators.
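The traffic filters that make the public/private split above real, as an added example that is not from the course notes or any CSP SDK. It models security rules the way Azure NSGs evaluate them (ascending priority, first match wins, implicit deny when nothing matches) and applies them to the activity's two subnets. It also covers the direction point from the earlier guidelines: the web subnet's inbound rules say nothing about what it may initiate outbound. The subnet ranges, the corporate VPN range, and the database port are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

PortSpec = Union[int, Tuple[int, int], str]   # single port, (low, high) range, or "*"


@dataclass(frozen=True)
class Rule:
    priority: int       # lower number is evaluated first, as in Azure NSGs
    direction: str      # "inbound" or "outbound", relative to the protected subnet
    action: str         # "allow" or "deny"
    protocol: str       # "tcp", "udp" or "*"
    source: str         # CIDR or "*"
    destination: str    # CIDR or "*"
    dest_port: PortSpec


def _cidr_match(pattern: str, addr: str) -> bool:
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def _port_match(pattern: PortSpec, port: int) -> bool:
    if pattern == "*":
        return True
    if isinstance(pattern, tuple):
        return pattern[0] <= port <= pattern[1]
    return pattern == port


def evaluate(rules: List[Rule], direction: str, protocol: str,
             src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, Optional[Rule]]:
    """Return ("allow"|"deny", matching rule). The first rule that matches in
    ascending priority order decides; a flow that matches nothing falls
    through to implicit deny, returned with rule None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", protocol):
            continue
        if not (_cidr_match(rule.source, src_ip) and _cidr_match(rule.destination, dst_ip)):
            continue
        if not _port_match(rule.dest_port, dst_port):
            continue
        return rule.action, rule
    return "deny", None


# Constructed sample: the two-subnet design from the activity. The rule sets
# are stateful in the NSG sense (replies to an allowed connection are
# permitted), so only connection initiations need rules.
WEB_SUBNET = "192.168.0.0/24"
DB_SUBNET = "192.168.1.0/24"
CORP_VPN = "10.50.0.0/16"          # assumed on-premises admin range arriving over VPN
POSTGRES = 5432

WEB_RULES = [
    Rule(100, "inbound", "allow", "tcp", "*", "*", 443),          # public HTTPS front end
    Rule(110, "inbound", "allow", "tcp", CORP_VPN, "*", 22),      # SSH only from corporate VPN
    Rule(100, "outbound", "allow", "tcp", "*", DB_SUBNET, POSTGRES),
    Rule(4000, "outbound", "deny", "*", "*", "*", "*"),           # web tier initiates nothing else
]
DB_RULES = [
    Rule(100, "inbound", "allow", "tcp", WEB_SUBNET, "*", POSTGRES),  # only the web tier reaches the DB
    Rule(110, "inbound", "allow", "tcp", CORP_VPN, "*", 22),
    # no inbound catch-all: the implicit deny covers everything else
]


def explain(rules, direction, protocol, src_ip, dst_ip, dst_port) -> str:
    action, rule = evaluate(rules, direction, protocol, src_ip, dst_ip, dst_port)
    why = f"rule priority {rule.priority}" if rule else "implicit deny"
    return f"{direction} {protocol} {src_ip} -> {dst_ip}:{dst_port}: {action} ({why})"


if __name__ == "__main__":
    print(explain(WEB_RULES, "inbound", "tcp", "203.0.113.7", "192.168.0.10", 443))
    print(explain(WEB_RULES, "inbound", "tcp", "203.0.113.7", "192.168.0.10", 22))
    print(explain(WEB_RULES, "outbound", "tcp", "192.168.0.10", "192.168.1.5", POSTGRES))
    print(explain(WEB_RULES, "outbound", "tcp", "192.168.0.10", "203.0.113.9", 443))
    print(explain(DB_RULES, "inbound", "tcp", "192.168.0.10", "192.168.1.5", POSTGRES))
    print(explain(DB_RULES, "inbound", "tcp", "203.0.113.7", "192.168.1.5", POSTGRES))
```

Running the planned rule set through cases like these before deployment is the "testing step" the earlier guidelines call for: the database answers only to the web subnet, SSH only to the VPN range, and everything else lands on implicit deny rather than on a rule someone forgot to write.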
Module 5 Designing and Implementing a Secure Cloud Environment
Topic 4 Manage Cloud Component Security

• Design Virtual Network for Cloud Deployment
• Determine Network Access Requirements
• Secure Networks for Cloud Interaction
• Manage Cloud Component Security
• Implement Security Technologies

Exam Objectives Covered:
• 1.5 Given a scenario, analyze sizing, subnetting, and basic routing for a provided deployment of the virtual network.
• 1.9 Given a scenario, apply elements required to extend the infrastructure into a given cloud solution.
• 2.1 Given a scenario, apply security configurations and compliance controls to meet given cloud infrastructure requirements.
• 2.4 Given a cloud service model, apply the appropriate security automation technique to the target system.
Network Security Software and Devices

• IDS. An intrusion detection system (ID​S) is a detective control that scans, audits, and monitors the security infrastructure for signs of attacks in progress.
• NIDS. A network intrusion detection system (NIDS) is a type of IDS that primarily uses passive sensors (fed from a SPAN port or network tap) to monitor traffic on a specific segment of the network.
• WIDS. A wireless IDS (WIDS) is a type of NIDS that scans the radio frequency spectrum for possible threats to the wireless network, primarily rogue access points.
• IPS. An intrusion prevention system (IPS) has the monitoring capability of an IDS but sits inline and actively blocks detected threats.
Network Security Software and Devices (Cont.)

• NIPS. A network intrusion prevention system (NIPS) monitors suspicious network and system traffic and reacts in real time to block it.
• WIPS. A wireless IPS (WIPS) is a type of NIPS that scans the radio frequency spectrum for possible threats to the wireless network, primarily rogue access points, and can actively block this malicious traffic.
• Web security gateways. A web security gateway is primarily used to block internal users' Internet access to a predefined list of websites or categories of websites; many also inspect the permitted traffic for malware.
Types of Network Monitoring

• Signature-based monitoring. Uses a predefined set of rules, provided by a software vendor or by security personnel, to identify events that are known to be unacceptable. Precise for known attacks; blind to anything without a signature.
• Anomaly-based monitoring. Starts from a definition of the expected outcome or pattern of events, then identifies any events that do not follow that pattern.
• Behavior-based monitoring. Learns the way an entity normally acts, then reviews future behavior to see whether it deviates from that norm.
• Heuristic monitoring. Observes the way an entity acts in a specific environment and makes decisions about the nature of the entity based on that.
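The first two monitoring types side by side, as an added example that is not from the course notes: a signature detector with three fixed rules and an anomaly detector that learns a per-source request baseline and flags sources that exceed it, both run over constructed web-server log lines. The two catch different things on the same data: the probing client trips signatures but is not anomalous by volume, while the scraper requesting forty innocuous pages trips no signature and is caught only by the anomaly rule. Log lines, addresses, and the 3-sigma threshold are all constructed for the example.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Combined-log-format style line: ip ident user [ts] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Signature-based: a fixed rule set. Anything that matches no rule is
# invisible to this detector, which is its weakness as well as its precision.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),
    "sensitive-file": re.compile(r"/etc/passwd"),
}


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source_ip, signature_name, decoded_path) for every line whose
    URL-decoded path matches a signature. Decoding first matters: the SQLi
    sample below is percent-encoded and would slip past a raw-string match."""
    alerts = []
    for rec in map(parse_line, lines):
        if not rec:
            continue
        path = unquote(rec["path"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((rec["ip"], name, path))
    return alerts


def requests_per_source(lines: List[str]) -> Dict[str, int]:
    return Counter(rec["ip"] for rec in map(parse_line, lines) if rec)


def anomaly_alerts(baseline_lines: List[str], window_lines: List[str],
                   sigma: float = 3.0) -> List[Tuple[str, int, float]]:
    """Anomaly-based: learn the expected requests-per-source from a baseline
    window, then flag any source in the new window above mean + sigma * stdev.
    No knowledge of attack content is needed."""
    counts = list(requests_per_source(baseline_lines).values())
    if len(counts) < 2:
        return []
    threshold = statistics.mean(counts) + sigma * statistics.pstdev(counts)
    return [(ip, n, threshold) for ip, n in requests_per_source(window_lines).items() if n > threshold]


def make_line(ip: str, path: str, status: int = 200) -> str:
    """Constructed sample log line in combined log format."""
    return f'{ip} - - [10/Mar/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed baseline: ten internal clients making one to three requests each.
_BASELINE_COUNTS = {"10.0.0.1": 2, "10.0.0.2": 1, "10.0.0.3": 3, "10.0.0.4": 2, "10.0.0.5": 1,
                    "10.0.0.6": 2, "10.0.0.7": 3, "10.0.0.8": 1, "10.0.0.9": 2, "10.0.0.10": 2}
BASELINE_LINES = [make_line(ip, "/index.html") for ip, n in _BASELINE_COUNTS.items() for _ in range(n)]

# Constructed detection window: normal traffic, one source scraping 40 pages
# with innocuous-looking requests, and one source probing with known payloads.
WINDOW_LINES = (
    [make_line("10.0.0.3", "/index.html")] * 3
    + [make_line("10.0.0.7", "/about")] * 2
    + [make_line("198.51.100.9", f"/item?id={i}") for i in range(40)]
    + [make_line("203.0.113.5", "/download?file=../../etc/passwd", 404),
       make_line("203.0.113.5", "/login?user=admin'%20OR%201=1--")]
)

if __name__ == "__main__":
    for alert in signature_alerts(WINDOW_LINES):
        print("signature:", alert)
    for alert in anomaly_alerts(BASELINE_LINES, WINDOW_LINES):
        print("anomaly:", alert)
```

The URL decoding before matching is the detail worth copying: attackers routinely encode payloads precisely because naive signature engines compare raw bytes, and a detector that normalizes input the same way the application does closes that gap.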
Antivirus and Anti-Malware Software

• Antivirus software. An application that scans files for executable code matching patterns (signatures) known to be common to viruses.
• Anti-spyware. Software specifically designed to protect systems against spyware.
• Host-based firewalls. Software installed on a single system to guard that system against network attacks.
Agent-based vs. Agent-less Cloud Security

• Agent-based and agent-less security services use two different approaches to monitor, collect information from, and control the systems, apps, and services they protect.
• Agent-based security products install a small piece of software, the agent, on each monitored component.
• The agent collects information and sends it back to designated security administration software.
• Agent-less services use the cloud provider's API to communicate with the cloud platform, both to get updates about monitored components and to pass instructions to them to control security.
• Because they talk to the provider's platform, they are often transparent to the services and applications running on server instances and components.
Pros and Cons of Agent-based vs. Agent-less Cloud Security

Some experts endorse agent-based monitoring for several reasons, including:
• Agents can connect more deeply into components to gather more data and perform more complex configuration.
• Agents don't require a lot of network bandwidth.
• Agents can be custom designed for systems and components to collect specific data or perform specific configuration tasks, whereas agent-less systems tend to collect the same high-level data about all the systems and components they monitor.
Pros and Cons of Agent-based vs. Agent-less Cloud Security (Cont.)

Some experts endorse agent-less monitoring for several reasons, most of them drawbacks of agents:
• Overhead of installation and maintenance, since agents must be installed on every cloud instance and kept up to date.
• Some cloud environments don't allow agent installation on many or all of their services.
• Many agent-based solutions are not aware of cloud-native services such as CSP-provided load balancing or databases, so you may not be able to model these services in security policies, forcing the use of overly permissive configurations.
• Third parties that offer security management across multiple cloud providers use the APIs of each provider, essentially leveraging agent-less security management to provide visibility and control in a multi-cloud environment.
• There is a small processor utilization "tax" on every instance that runs an agent.
Firewalls

(Figure: a firewall in front of the private network passes approved traffic and drops unapproved traffic.)
SLA Security Considerations

Security SLAs and provisions often address three common areas of risk:
• Ownership. Agreements need to address who owns digital assets, including data,
especially who maintains custody and control of data, and how data will be
controlled.
• Availability of services. These provisions include details about monitoring and
response times.
• Baseline services. These are often regulatory or common-practice guarantees, such as performing intrusion detection monitoring or firewalling cloud network access as part of security due diligence.
Chain of Custody Guarantees

(Figure: chain of custody stages: collection, analysis and storage, presentation in court, disposal.)
Patches and Maintenance for Network Security

You can do the following to help facilitate patching and maintenance in your
organization:
• Take a detailed inventory and keep it up to date.
• Standardize systems as much as possible.
• Make a list and map of security software and devices in place.
• Put in place a reliable system for collecting vulnerability alerts.
• When alerts come out, compare them to inventory to quickly identify systems that
may be impacted.
• Assess the risk based on the alert, the degree to which the solution is mission critical,
security apparatus already in place, and so forth.
• Create a priority system for quickly deploying patches to affected systems.
• Update all affected documentation.
Managed Cloud Services
Guidelines for Securing Networks for Cloud Interaction

• Work with CSPs during on-boarding to learn their security and response processes
and to learn their recommendations for their clients.
• Since CSP resources, staff, and response procedures will effectively become part of
your security and response process, review and update your security and response
processes to incorporate CSP notifications, responsibilities, escalations, and
timelines.
• Consider the tradeoffs in agent versus agent-less security options and evaluate the
benefits of software for those solutions.
• Consider agent-less security management for cloud environments or agent-based
solutions that are specifically designed for cloud environments.
• Review CSP SLAs per the recommendations in this topic.
Module 5 Designing and Implementing a Secure Cloud Environment
Topic 5 Implement Security Technologies

• Design Virtual Network for Cloud Deployment
• Determine Network Access Requirements
• Secure Networks for Cloud Interaction
• Manage Cloud Component Security
• Implement Security Technologies

Exam Objectives Covered:
• 2.1 Given a scenario, apply security configurations and compliance controls to meet given cloud infrastructure requirements.
• 2.4 Given a cloud service model, apply the appropriate security automation technique to the target system.
Impact of Security Tools on Systems and Services

The need for security is not lost on businesses and organizations. Still, the impact of this need is far reaching and includes:
• The need for security software of all types to manage, monitor, and secure systems.
• The need to hire skilled security staff.
• The need to provide continuing education for skilled security staff.
• The need to invest in automation and DevOps practices to automate patching and other security processes.
• The need to invest in software, training, or consulting to federate identity management, allowing single sign-on and tight access controls across diverse multi-cloud and hybrid cloud environments.
Microsoft Azure Security Features

Google Cloud Platform Security Features
Guidelines for Implementing Security Technologies

• Consider the impact the use of security technologies will have on the use of systems and apps.
• The CSP patches the hypervisor and physical hosts, but in IaaS you are responsible for patching and verifying the security configuration of the guest OS in your VMs and of the images in your containers; in PaaS the CSP also patches the platform runtime, leaving your code and configuration to you.
• Consider ways to use automation and orchestration to automate updates so that patching and security update roll-outs can be done quickly and efficiently.
• Review any security tools provided by your CSP to see what capabilities they provide that you can leverage to secure, manage, and monitor your network.
Reflective Questions

1. What types of virtual or physical network layouts does your organization use
to secure communications and isolate mission critical apps and services?

2. What types of network monitoring are in use in your organization, and which have you interacted with the most?
Module 6 Planning Identity and Access Management for Cloud Deployments
Topic 1 Determine Identity Management and Authentication Technologies

• Determine Identity Management and Authentication Technologies
• Plan Account Management Policies for the Network and Systems
• Control Access to Cloud Objects
• Provision Accounts

Exam Objectives Covered:
• 1.9 Given a scenario, apply elements required to extend the infrastructure into a given cloud solution.
• 2.2 Given a scenario, apply the appropriate ACL to the target objects to meet access requirements according to a security template.
• 4.4 Given a scenario, implement account provisioning techniques in a cloud environment to meet security and policy requirements.
Identification

Authentication

Identity and Access Management
Authentication Factors

Most authentication schemes are based on the use of one or more authentication
factors:
• Something you are, including physical characteristics, such as fingerprints or a retina
pattern.
• Something you have, such as a token or access card.
• Something you know, such as a password.
• Somewhere you are or are not, such as an approved IP address or GPS location.
• Something you do, such as established keystroke patterns or tracing over a Windows 8 or 10 picture password.
Authentication Protocols

• Password Authentication Protocol (PAP). A password-based point-to-point protocol; the password is sent in the clear. Used in cloud environments: No.
• Challenge-Handshake Authentication Protocol (CHAP). Provides better security than PAP: the authenticator sends a random challenge and the peer returns a one-way hash of the challenge combined with a shared secret such as a password, so the secret itself is never transmitted. Used in cloud environments: Not commonly.
• Extensible Authentication Protocol (EAP). EAP has more than 40 variants and is widely used for authentication in wireless and point-to-point network connections. Used in cloud environments: Yes, for system-to-system and client-to-server authentication.
• TACACS family (TACACS, XTACACS, TACACS+). Authentication, authorization, and accounting (AAA) protocols. The original TACACS dates to 1984 and is obsolete; TACACS+, Cisco's later redesign, is still widely used for network device administration. Used in cloud environments: No.
Authentication Protocols (Cont.)

Used in Cloud
Protocol Description
Environments
Remote Authentication RADIUS provides a central database that allows policy Yes
Dial-in User Services driven authentication and authorization of remote
(RADIUS) (often dial-in users).
DIAMETER Diameter was design to overcome the shortcomings Yes
of RADIUS, and to take advantage of the higher speed
digital communications in use today.
Kerberos Kerberos uses symmetric key cryptography and tickets Yes
to allow users and network nodes to verify each
other's identity.

9
Authorization

Federation and SSO

Guidelines for Determining IAM Technologies for Cloud Deployment

• Review your existing identity and access management technologies for on-premises
systems and use that as a starting point for determining technologies to use in cloud
deployments.
• Select cloud services and technologies that will work in conjunction with on-premises
technologies and services as that will make policy enforcement easier across on-
premises and cloud systems.
• Consider federation requirements when selecting technologies so that choices you
make when designing IAM solutions will allow you to more easily implement
federation later on.
• Determine the authentication factors you need, and any multi-factor authentication
you'd like to implement.
• Remember that cloud solutions reside inside the CSP’s data center so you don't have
control of physical access; therefore, any technologies you choose to pursue must
work over network connections.

Activity: Determining IAM Technologies for Cloud Deployment
Research IAM options for Microsoft Azure and Google Cloud.
a) In your browser, open a new tab, and navigate to https://azure.microsoft.com.
b) In your browser, open a new tab, and navigate to https://cloud.google.com.
c) Review and search both sites to help you answer the following questions.

1. What is the main method Google Cloud uses to control user access?

2. What is the main method Microsoft Azure uses to control user access?

3. What features does Google Cloud provide to help with identity and access
management?

4. Would you be able to implement an SSO solution without a third-party service?

Activity: Determining IAM Technologies for Cloud Deployment
1. What is the main method Google Cloud uses to control user access?
User roles are used to allow users to access projects and resources.

2. What is the main method Microsoft Azure uses to control user access?
Azure Active Directory is used to manage users and access by assigning permissions
to the user or through security groups.

3. What features does Google Cloud provide to help with identity and access
management?
Answers may include single sign-on (SSO) to prevent users from having to provide a
password when they move from different applications or other resources, multi-
factor authentication, built-in auditing to ease compliance processes, etc.

4. Would you be able to implement an SSO solution without a third-party service?
Yes; with Azure Active Directory and Google Cloud Directory Sync, you can effectively
have all three environments in sync.

Module 6 Planning Identity and Access Management for Cloud Deployments
Plan Account Management Policies for the Network and Systems

Topic 2 Plan Account Management Policies for the Network and Systems

Exam Objectives Covered:

• 2.2 Given a scenario, apply the appropriate ACL to the target objects to meet access requirements according to a security template.
• 4.4 Given a scenario, implement account provisioning techniques in a cloud environment to meet security and policy requirements.

Account Management

Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 4
Principle of Least Privilege

Account Policy Considerations

Some common policy statements include:

• Who can approve account creation.
• Who is allowed to use a resource.
• Whether or not users can share accounts or have multiple accounts.
• When and how an account should be disabled or modified after a user access review.
• When and if a user account should expire after a period of non-use.
• When to enforce general account prohibition.
• What rules should be enforced for password history, password strength, and
password reuse.
• When to lock out an account in the event of a suspected incident or hijacking
attempt.
• When and how to recover an account after it has been compromised or deleted.

Account Management Policies in Cloud Deployments

• Types of accounts that will be allowed: These might include user accounts, privileged accounts, administrator accounts, guest accounts, and app and service accounts.
• Account privilege guidelines: Account privileges are permissions granted to users that allow them to perform various actions.
• User ID and password requirements: User IDs and passwords should be implemented and managed with a number of strict guidelines.
• Account access restrictions: Account access guidelines should be documented for each type of account used within an organization.
• Account management guidelines: Account management can include a number of different tasks.
• Multiple account guidelines: There can be many issues revolving around multiple user accounts.
• Continuous monitoring: Account management should be considered an ongoing practice with regard to security.

Account Life Cycle Options

Account Creation → Account Management → Account Deprovisioning

Guidelines for Planning Account Management Policy Requirements for Deployment
• Implement the principle of least privilege when assigning user and group account
access.
• Draft an account policy and include all account policy requirements.
• Verify that account request and approval procedures exist and are enforced.
• Verify that account modification procedures exist and are enforced.
• Draft a password policy and include requirements to ensure that passwords are
resistant to cracking attempts.
• Limit the use of multiple and shared accounts to protect them from abuse.
• Implement account management security controls like maintenance, auditing, and
location/time-based restrictions.
• Store user names and passwords in encrypted databases with credential
management software.
• Implement a group policy for wider access control.
• Consider implementing an identity federation system to streamline user access
between systems.
• Consider how a federated identity may be a single point of failure for access to
different systems.
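The password history, strength, and reuse rules called for above can be enforced in code. The following is an added example, not part of the course materials: the thresholds (12 characters, 3 character classes, a history of 5) and the PBKDF2 work factor are assumptions chosen for illustration, and the history is kept as salted hashes so that old passwords are never stored in the clear.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Policy thresholds are constructed for this example; a real policy sets its own values.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3     # out of: lowercase, uppercase, digit, symbol
HISTORY_DEPTH = 5             # previous passwords that may not be reused
PBKDF2_ITERATIONS = 100_000   # work factor for the stored hash


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless the caller
    supplies one, which it does only to re-check a candidate against an old entry."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password draws from."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(checks)


@dataclass
class AccountPasswordState:
    """Per-account history of (salt, digest) pairs, oldest first. Plaintext is never kept."""
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def was_used_recently(self, candidate: str) -> bool:
        # Re-derive the candidate under each stored salt and compare in constant time.
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            _, probe = hash_password(candidate, salt)
            if secrets.compare_digest(probe, digest):
                return True
        return False

    def change_password(self, candidate: str) -> List[str]:
        """Apply the policy. Returns the list of violations; an empty list means the
        change was accepted and the new hash was appended to the history."""
        violations: List[str] = []
        if len(candidate) < MIN_LENGTH:
            violations.append(f"shorter than {MIN_LENGTH} characters")
        if character_classes(candidate) < MIN_CHARACTER_CLASSES:
            violations.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
        if self.was_used_recently(candidate):
            violations.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if not violations:
            self.history.append(hash_password(candidate))
        return violations
```

Each candidate is re-derived under every remembered salt, so the history check costs one PBKDF2 run per remembered password; that is the price of never storing the old passwords themselves.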

Activity: Planning Account Management Policy Requirements for Deployment

1. Who is allowed to use a resource?

2. When and how should an account be disabled or modified after a user access
review?

3. What rules should be enforced for password history and password strength?

4. Search the Internet for sample account management policies and look for items
that you think would be beneficial to your organization’s account management
policy.

Activity: Planning Account Management Policy Requirements for Deployment
1. Who is allowed to use a resource?
Users are limited to resources that are required to perform their jobs.

2. When and how should an account be disabled or modified after a user access
review?
Answers may include if a user is found to have improper access, it can be changed
immediately. Accounts should be disabled for any employees who leave the
organization. Users should be granted different access if they change roles in the
organization, etc.

3. What rules should be enforced for password history and password strength?
Answers may include you can set the number of unique passwords that have to be
used before the employee can begin repeating them. You can set the minimum
password strength, which is a combination of the characters used and the length, etc.

4. Search the Internet for sample account management policies and look for items
that you think would be beneficial to your organization’s account management
policy.
You should have collected and compared several different policies.

Module 6 Planning Identity and Access Management for Cloud Deployments
Control Access to Cloud Objects

Topic 3 Control Access to Cloud Objects

Exam Objectives Covered:

• 2.2 Given a scenario, apply the appropriate ACL to the target objects to meet access requirements according to a security template.
• 2.3 Given a cloud service model, implement defined security technologies to meet given security requirements.

Data Classification

Data classification may categorize data in the following ways:

• The sensitivity of the data.
• Business impact of data if exposed, lost, or breached.
• Regulatory or compliance rules, including applicable regulations, access requirements, and retention requirements.

Accessed Components

Similar to on-premises IT systems, users, groups, and processes in use by apps and
services may need to access the following types of cloud components:
• Compute resources such as VMs or containers
• Apps
• Storage
• File shares
• Databases
• Virtual networks
• Other cloud services

Access Control Methods

There are four main types of access control:

• Mandatory Access Control (MAC): This is the strictest form of access control and is primarily used by the government.
• Discretionary Access Control (DAC): DAC allows each user to control access to their own data.
• Role Based Access Control: Sometimes called Non-discretionary Access Control, Role Based Access Control structures access based on a user's job function within the organization.
• Rule Based Access Control: With this method, access is allowed or denied to resources based on rules defined by the system administrator.

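To make the difference between the models concrete, here is an added example (not from the course) that evaluates a request on a cloud object against an administrator-defined rule first, then role-based permissions, then a discretionary grant made by the object's owner. The users, roles, object, and the corporate network range 10.0.0.0/8 are constructed; mandatory access control is left out because its labels are assigned by the system rather than by owners or roles.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed sample data: roles are job functions, and each role carries a set of actions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "storage-reader": {"read"},
    "storage-admin": {"read", "write", "delete"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"storage-admin"},
    "bob": {"storage-reader"},
    "carol": set(),
}

# Rule-based control: an administrator-defined rule that applies regardless of role.
CORPORATE_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # constructed address space


@dataclass
class CloudObject:
    """A storage object with an owner and the DAC grants that owner maintains."""
    name: str
    owner: str
    dac_grants: Dict[str, Set[str]] = field(default_factory=dict)  # grantee -> actions

    def grant(self, grantor: str, grantee: str, action: str) -> None:
        # DAC: only the data owner may hand out access to their own object.
        if grantor != self.owner:
            raise PermissionError(f"{grantor} does not own {self.name}")
        self.dac_grants.setdefault(grantee, set()).add(action)


def rule_allows(action: str, source_ip: str) -> bool:
    """Constructed rule: destructive actions are only permitted from the corporate network."""
    if action == "delete":
        return ipaddress.ip_address(source_ip) in CORPORATE_NETWORK
    return True


def role_allows(user: str, action: str) -> bool:
    """Role-based: the user holds some role whose permission set includes the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in USER_ROLES.get(user, set()))


def dac_allows(user: str, action: str, obj: CloudObject) -> bool:
    """Discretionary: the owner always has access; others need an owner grant."""
    return user == obj.owner or action in obj.dac_grants.get(user, set())


def decide(user: str, action: str, obj: CloudObject, source_ip: str) -> str:
    """Evaluate the rule first (a deny there is final), then roles, then owner grants.
    Returns an explained decision suitable for an audit log."""
    if not rule_allows(action, source_ip):
        return f"deny: rule blocks {action} from {source_ip}"
    if role_allows(user, action):
        return f"allow: role of {user} permits {action}"
    if dac_allows(user, action, obj):
        return f"allow: owner grant on {obj.name} permits {action}"
    return f"deny: {user} has no role or owner grant for {action} on {obj.name}"
```

Ordering matters: the rule is checked before any role or grant, so even the object's owner is refused a delete from outside the corporate range, which is what makes rule-based control a backstop rather than just another permission source.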
Effect of Cloud Service Models on Security Implementations

• SaaS: In this model, security manages access to cloud-based apps, and to the features and capabilities available to end users.
• PaaS: Consider resource access and utilization from multiple perspectives, including access control, load-balancing, failover, privacy, and protection of the organization for one and across multiple providers in the event of an outage.
• IaaS: The security focus with IaaS is managing virtual machines and containers.

Effect of Cloud Deployment Models on Security Implementations

• Public cloud: Public cloud providers are much larger targets for hackers than private clouds and are often hardened by continual hacking attempts.
• Private cloud: Private clouds have the same security concerns as public clouds as well as managing the security of their host platforms, hypervisors, and automation management platforms.
• Hybrid cloud: Since hybrid clouds essentially mix public cloud and private cloud, organizations managing hybrid clouds have some of the management concerns of both of those deployment models.

Guidelines for Controlling Access to Cloud Objects

• Protect private information before sending it to the cloud with encryption.
• Don't duplicate IDs; use single sign-on. Having more accounts to manage, monitor, and control increases security risk and the chance of exposure and stolen accounts.
• Audit usage of cloud services. CSPs frequently provide this information, but in the case of a dispute, it is important to have an independent audit trail.
• Consider using a Cloud Service Broker (CSB) solution as a means to create an independent audit trail of cloud service consumption.
• Consider implementing your own cloud service governance framework to provide independent control, especially in organizations with multiple SaaS providers.
• Put systems in place to protect API keys. APIs are used to access cloud services and components, and they can present vulnerabilities that can be exploited.

Activity: Controlling Access to a Cloud Object

1. What is the difference between Discretionary Access Control (DAC) and Mandatory
Access Control (MAC)?

2. What is the difference between Rule Based Access Control and Role Based Access
Control?

Activity: Controlling Access to a Cloud Object

1. What is the difference between Discretionary Access Control (DAC) and Mandatory
Access Control (MAC)?
DAC allows each user to control access to their own data, while MAC is the strictest
form of access control and is defined by the system administrator.

2. What is the difference between Rule Based Access Control and Role Based Access
Control?
In Rule Based Access Control access is allowed or denied to resources based on rules
defined by the system administrator, while Role Based Access Control structures
access based on a user's job function within the organization.

Module 6 Planning Identity and Access Management for Cloud Deployments
Provision Accounts

Topic 4 Provision Accounts

Exam Objectives Covered:

• 4.4 Given a scenario, implement account provisioning techniques in a cloud environment to meet security and policy requirements.

Identity Management Plans

• Assess your current identity management approach. Questions to ask:
  • What users and groups must be authenticated to access cloud resources?
  • What is the process for provisioning user accounts to access cloud resources?
  • What are the costs, current and projected, of managing identity and access both on-premises and in the cloud?
• Evaluate IAM approaches and tools: Research IAM solutions and tools.
• Develop your IAM implementation strategy. Plan the following:
  • Directory integration with existing identity management systems that will continue to be used.
  • Single sign-on capability.
  • Multi-factor authentication as a general requirement to provide additional security or for access to sensitive systems.
  • Provisioning.

User Account Provisioning Methods

• Discretionary account provisioning
• Self-service account provisioning
• Workflow-based account provisioning
• Automated account provisioning

User Account Lifecycle Management

Diagram: five-phase user account lifecycle (Phase 1 through Phase 5) with these labels recovered:
• Processes to identify accounts as inactive, suspended, or marked for deletion
• Processes to delete unneeded accounts after a pre-determined length of time
• Processes to monitor user privileges
• Keep a list of all past user identities to prevent an accidental reactivation of an account

Account Automation and Orchestration Activities

Guidelines for Provisioning Accounts

• Use the process described in this topic to develop an identity management plan.
• Automate and orchestrate provisioning and deprovisioning to reduce errors and
improve timeliness of execution.
• Where feasible and in accordance with security policies, automate self-provisioning
to offload provisioning from administrative staff.
• Automate security search processes to identify stale and abandoned accounts.
• Automate security search processes to identify accounts that may have incorrect or
elevated rights or group assignments.
• Track administrative tasks used in provisioning and use the tracked steps to design
orchestration for provisioning.
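An added example (not from the course) of the automated searches these guidelines call for: it reviews a constructed directory export, disables accounts past an inactivity threshold, deletes accounts that have been disabled long enough (disable first, delete later, as the activity below recommends), flags privileged group memberships that no access review approved, and keeps a list of deleted identities so they cannot be reactivated by accident. The thresholds (90 days inactive, 30 days disabled), group names, dates, and account records are all assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Constructed policy values; a real account policy states its own thresholds.
INACTIVE_DAYS = 90             # no sign-in for this long -> disable (expire after non-use)
DISABLED_RETENTION_DAYS = 30   # disabled this long -> delete (disable first, delete later)
PRIVILEGED_GROUPS = {"cloud-admins", "billing-admins"}
# Privileged groups each user is approved to hold, as recorded by an access review (constructed).
APPROVED_PRIVILEGE = {"alice": {"cloud-admins"}}
TODAY = date(2024, 1, 15)      # constructed review date


@dataclass
class Account:
    name: str
    created: date
    status: str                      # "active" or "disabled"
    groups: Set[str]
    last_login: Optional[date] = None
    disabled_on: Optional[date] = None


@dataclass
class ReviewResult:
    to_disable: List[str] = field(default_factory=list)
    to_delete: List[str] = field(default_factory=list)
    elevated: List[str] = field(default_factory=list)


def review(accounts: List[Account], today: date) -> ReviewResult:
    """Identify what each account needs without changing anything yet."""
    result = ReviewResult()
    for acct in accounts:
        # Privileged membership that no access review approved for this user.
        unapproved = (acct.groups & PRIVILEGED_GROUPS) - APPROVED_PRIVILEGE.get(acct.name, set())
        if unapproved:
            result.elevated.append(acct.name)
        if acct.status == "active":
            last_seen = acct.last_login or acct.created   # never logged in: measure from creation
            if today - last_seen >= timedelta(days=INACTIVE_DAYS):
                result.to_disable.append(acct.name)
        elif acct.status == "disabled" and acct.disabled_on is not None:
            if today - acct.disabled_on >= timedelta(days=DISABLED_RETENTION_DAYS):
                result.to_delete.append(acct.name)
    return result


def apply(accounts: List[Account], result: ReviewResult, today: date, tombstones: Set[str]) -> List[Account]:
    """Disable stale accounts, delete expired ones, and record deleted identities so they
    cannot be reactivated by accident. Returns the surviving account list."""
    survivors = []
    for acct in accounts:
        if acct.name in result.to_delete:
            tombstones.add(acct.name)
            continue
        if acct.name in result.to_disable:
            acct.status = "disabled"
            acct.disabled_on = today
        survivors.append(acct)
    return survivors


def may_provision(name: str, tombstones: Set[str]) -> bool:
    """Refuse to recreate or reactivate an identity that was previously deleted."""
    return name not in tombstones


def sample_accounts(today: date) -> List[Account]:
    """Constructed directory export for the example."""
    def days_ago(n: int) -> date:
        return today - timedelta(days=n)
    return [
        Account("alice", created=days_ago(400), status="active", groups={"cloud-admins"}, last_login=days_ago(3)),
        Account("bob", created=days_ago(300), status="active", groups={"developers"}, last_login=days_ago(120)),
        Account("carol", created=days_ago(200), status="active", groups={"developers", "billing-admins"}),
        Account("dave", created=days_ago(500), status="disabled", groups=set(), last_login=days_ago(200), disabled_on=days_ago(45)),
        Account("erin", created=days_ago(500), status="disabled", groups=set(), last_login=days_ago(100), disabled_on=days_ago(10)),
    ]
```

Keeping review and apply separate lets the review output be logged or ticketed for approval before anything is changed, which is the workflow-based variant of the same automation.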

Activity: Provisioning Cloud Accounts

1. In cloud environments, which account provisioning method can significantly save time and reduce risk?

2. Why is it a good practice to disable accounts before they’re deleted?

Activity: Provisioning Cloud Accounts

1. In cloud environments, which account provisioning method can significantly save time and reduce risk?
Automated account provisioning

2. Why is it a good practice to disable accounts before they’re deleted?
To help in audit protection and compliance, and to make it easier and less time-consuming to reestablish credentials.

Reflective Questions

1. What identity management and access technologies do you use in your current IT environment?

2. In your IT environment, what policies are in place to ensure that accounts are managed through their entire life cycle?

Module 7 Determining CPU and Memory Sizing for Cloud Deployments
Determine CPU Size for Cloud Deployment
Module 7 Determining CPU and Memory Sizing for Cloud Deployments

• Determine CPU Size for Cloud Deployment
• Determine Memory Size for Cloud Deployment

Topic 1 Determine CPU Size for Cloud Deployment

Exam Objectives Covered:

• 1.6 Given a scenario, analyze CPU and memory sizing for a provided deployment.

CPU Performance Considerations

CPU Energy Savings Considerations

Benefits to considering energy usage in CPU sizing:

• In public and hybrid cloud deployments, right-sizing CPUs, rather than paying for more processor than you need, will help keep costs and energy use down.
• In private cloud deployments, selecting energy-efficient CPUs with better energy management features will translate into energy cost savings as CPUs can be shut down when not needed.
• Focusing on energy savings can be part of your organization’s overall plan to be more “green.” This allows you to publicize and promote your efforts to save energy in the IT space.

CPU Technologies

• Hyper-Threading or HT Technology is Intel's proprietary simultaneous multithreading (SMT) implementation used to improve parallelization of computations performed on x86 microprocessors.
• Intel VT (Virtualization Technology) is hardware assistance for processors running virtualization. The key benefits include:
  • Reduction in Virtual Machine Manager (VMM) complexity; closes hardware “virtualization holes” and reduces the need for device-specific knowledge in VMM.
  • Enhanced reliability, security, and protection by providing better control over device DMA and interrupts.
  • Improved functionality by thorough support for older guest OSes and enabling pass-through access to I/O devices (where appropriate).
  • Improved performance by eliminating unnecessary transitions to the VMM.

Virtualization vs. Containerization

Diagram: the Virtual Machines stack (App 1 and App 2, each with its own Bins/Libs on a Guest OS, over the Host OS and Server) beside the Containers stack (App 1 and App 2 with Bins/Libs on a Container Engine, over the Host OS and Server).

Dedicated vs. Shared Compute Environments

Diagram: Dedicated Compute Environment beside Shared Compute Environment.

CPU Overcommit

VMware has published guidelines for overcommit ratio (vCPUs to physical CPUs) calculations:

• 1:1 to 3:1 is no problem
• 3:1 to 5:1 may begin to cause performance degradation
• 6:1 or greater is often going to cause a problem

Optimize Commit vs. Overcommit

Diagram: Optimize Commit beside Overcommit, each showing VMs placed on a host.

CPU Sizing Considerations in Virtual Environments

Guidelines for Determining CPU Size for Cloud Deployment

• Moving VMs from one processor architecture to another can be problematic.
• Consider dedicated hosting for I/O intensive apps such as big data apps.
• Use peak usage information and other public information on overcommit ratios to assign vCPUs to physical CPUs.
• If using CPU overcommit, test by simulating peak usage across multiple VMs.
• Whenever evaluating processors, always consider future growth as well as current usage.
• Have at least one more core than the maximum number of vCPUs that will be assigned to a single VM so that the hypervisor's CPU scheduler can always find a core available when it needs to schedule a request.
• To plan CPU sizing and VM density well, you should analyze CPU usage and app performance in your current environment or test deployment environment as a basis for your planning.
• Consider containers for development environments due to their benefits of high density per host and rapid deployment.

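An added example (not from the course or from VMware) that turns the overcommit bands quoted earlier, the peak-usage guideline, and the scheduler headroom guideline into one sizing check. The VM names, vCPU counts, peak utilization figures, and host core counts are constructed; the only assumption beyond the page's figures is that a ratio between 5:1 and 6:1, which the quoted bands do not cover, is treated as a problem.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class VM:
    name: str
    vcpus: int
    peak_utilization: float   # fraction of its vCPUs busy at the observed peak (0.0 to 1.0)


@dataclass
class Host:
    name: str
    cores: int


def overcommit_ratio(vms: List[VM], host: Host) -> float:
    """vCPUs assigned across all VMs divided by physical cores on the host."""
    return sum(vm.vcpus for vm in vms) / host.cores


def classify_ratio(ratio: float) -> str:
    """Bands as quoted in the course from VMware's guidance. The guidance says nothing
    between 5:1 and 6:1; this example treats anything above 5:1 as a problem (assumption)."""
    if ratio <= 3.0:
        return "no problem"
    if ratio <= 5.0:
        return "may begin to cause performance degradation"
    return "often going to cause a problem"


def peak_core_demand(vms: List[VM]) -> float:
    """Cores actually needed if every VM hits its observed peak at the same time."""
    return sum(vm.vcpus * vm.peak_utilization for vm in vms)


def size_check(vms: List[VM], host: Host) -> List[str]:
    """Return findings a planner would act on; an empty list means the host passes."""
    findings: List[str] = []
    ratio = overcommit_ratio(vms, host)
    verdict = classify_ratio(ratio)
    if verdict != "no problem":
        findings.append(f"{host.name}: overcommit ratio {ratio:.1f}:1 {verdict}")
    # Scheduler headroom: at least one more core than the largest VM's vCPU count.
    largest = max(vm.vcpus for vm in vms)
    if host.cores <= largest:
        findings.append(
            f"{host.name}: {host.cores} cores leaves no headroom for the largest VM "
            f"({largest} vCPUs); need at least {largest + 1} cores"
        )
    # Simulated simultaneous peak, the test the guidelines ask for before overcommitting.
    demand = peak_core_demand(vms)
    if demand > host.cores:
        findings.append(f"{host.name}: simultaneous peak needs {demand:.1f} cores but only {host.cores} exist")
    return findings
```

A ratio that falls in the "no problem" band can still fail the peak-demand check, which is why the guidelines ask for measured peak usage rather than the ratio alone.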
Activity: Determining CPU Size for Cloud Deployment
Estimate the cost of a VM instance on the Google Cloud Platform that would be used to
run an app. The VM instance will run with 6 CPU cores on Windows Server.

1. Open the Google Cloud Platform Pricing Calculator: https://cloud.google.com/products/calculator/.
a) In the Instances section, in the Number of instances box, type 10
b) In the What are these instances for? box, type Windows Servers
c) From the Operating System / Software drop-down menu, select Paid: Windows
Server 2008r2, Windows Server 2012r2, Windows Server 2016, Windows Core.
d) From the Machine type drop-down menu, select Custom Machine Type.
e) For vCPUs, move the slider until the number of cores is 6.
f) At the end of the Instances section, select ADD TO ESTIMATE.
g) Review the estimate information.

Try this exercise with other operating systems to compare costs.

Module 7 Determining CPU and Memory Sizing for Cloud Deployments
Determine Memory Size for Cloud Deployment

Topic 2 Determine Memory Size for Cloud Deployment

Exam Objectives Covered:

• 1.6 Given a scenario, analyze CPU and memory sizing for a provided deployment.

Memory Performance In Virtual Environments

Memory Bursting, Ballooning, and Overcommit

• Burst mode is a generic term which refers to any time a device transmits data
repeatedly without going through all the communication initialization steps required
to transmit each piece of data separately.
• Apps on a VM using burst mode can consume a large amount of virtual memory, and
then release it back to the host. This is called ballooning.

Memory Overcommitment Ratio

10:1 up to a 20:1 ratio of guest VM to host allocation

Memory Usage in Container Environments

• Containers are being deployed side-by-side with VMs.
• This introduces more complications in memory management considering how densely containers can be packed.
• The memory footprint of containers is smaller, reducing the problem.
• But containers may still use burst mode and balloon memory, creating contention issues for the hypervisor and administrators to solve.

Guidelines for Determining Memory Size for Cloud Deployment

• Start tracking memory usage on your apps and services before you move them to the
cloud so that you have good data to base sizing considerations on.
• Anticipate any growth in usage when planning for memory allocation during peak
load times.
• After pilot deployment, perform tests against multiple VMs on the same host to try
to force overcommit issues to see the results.
• If testing memory overcommit, use manual testing to determine the impact on user
experience when VMs are in overcommitted states.
• Deploy fewer VMs per host, and allocate both virtual and physical memory more
liberally.
• Monitor VMs and apps to determine how frequently and when swapping is occurring
and adjust virtual memory settings, or redeploy VMs to new hosts as needed.
• Closely monitor apps for performance after updates are rolled out.
• Reassess memory allocation for VMs and memory requirements on the physical host periodically.

Activity: Determining Memory Size for Cloud Deployment
Return to the Google Cloud Platform Pricing Calculator you used in the last activity for
Module 7.1.

Change memory allocation for Windows Servers.

a) In the Estimate section, under Compute Engine, for 10 x Windows Servers, select the Edit button.
b) In the Instances section, for Memory, move the slider until the amount of memory is 8.
Note: You will need to be at the top of the page to see the Instances section.
c) At the end of the Instances section, select ADD TO ESTIMATE.

Change the memory size in any other estimates you created for comparison.

Reflective Questions

1. How have you chosen CPU size for systems, apps, or services in your IT career?

2. How have you determined the memory requirements for apps or services
running on your systems?

Module 8 Determining Storage Requirements for Cloud Deployments
Determine Storage Technology Requirements
Module 8 Determining Storage Requirements for Cloud Deployments

• Determine Storage Technology Requirements
• Select Storage Options for Deployment
• Determine Storage Access and Provisioning Requirements
• Determine Storage Security Options

Topic 1 Determine Storage Technology Requirements

Exam Objectives Covered:

• 1.7 Given a scenario, analyze the appropriate storage type and protection capability for a provided deployment.

IOPS and Read/Write Throughput

Diagram: IOPS compared for HDD, SSD, and SAN storage.

Storage Protection Options

Many CSPs give you the option to choose from the following replication options:
• Local replication. This replicates your data within a single data center in the region
where you created your storage account.
• Regional replication (also called zone-redundant storage). Replicates your data
across multiple data centers within one or two regions.
• Geo-redundant storage (GRS). Replicates your data to a secondary region that is
distant from the primary region.

Asynchronous and Synchronous Replicated Storage

Synchronous Replication: data is written to primary storage and to the replication target simultaneously.
Asynchronous Replication: data is written to primary storage first and then to the replication target.

Storage Mirroring

Diagram: Primary Cloud mirrored to Secondary Cloud.

Snapshots and Clones

• A storage snapshot takes an original, initial data picture, and then takes subsequent
pictures, storing the differences from the original.
• Cloning makes a complete copy of a VM, or storage environment.
• Clones tend to be used for configuration backup and rapid deployment.
• Snapshots tend to be used more in roll-back and roll-forward scenarios, often during
app development.

Guidelines for Determining Storage Technology Requirements

• Review IOPS ratings for storage you are considering from CSPs.
• Always review any high availability or regional protection that the CSP gives you by
default.
• If using asynchronous replication, test for issues related to the lag in replication.
• To determine performance and replication, analyze each application based on the
need and usages of storage within the app.
• Plan how you will use cloning and snapshotting in support of system backup and
recovery, and as deployment aids.

Activity: Comparing Types of Storage and Prices
Your organization currently needs 3 TB of storage for end-user data and anticipates that growing to 4 TB over the next 12 months; if it also decides to move an app database to the cloud, that database will be another 2 TB.

Compare how much it would cost to store the organization’s data with Microsoft Azure and Google Cloud.

1. Use cloud storage options calculators on both Azure and Google to calculate the
storage costs in each Cloud Service Provider.
a) In your browser, open a new tab, and navigate to
https://azure.microsoft.com/en-us/pricing/calculator/.
b) On the Pricing calculator page, select Storage.
c) In your browser, open a new tab, and navigate to
https://cloud.google.com/products/calculator/.
d) On the Pricing calculator page, select Cloud Storage.
e) For both calculators, use the default settings and only change the amount of
storage you want to price, or the type of storage.

Module 8 Determining Storage Requirements for Cloud Deployments
Select Storage Options for Deployment

Topic 2 Select Storage Options for Deployment

Exam Objectives Covered:

• 1.7 Given a scenario, analyze the appropriate storage type and protection capability for a provided deployment.

Network Storage Types

• Object storage (also known as blob storage): For Representational State Transfer (REST)-based object storage for unstructured binary data in the cloud. Object storage is primarily used for unstructured data such as images, videos, audio, documents, and more.
• File storage: Provides file shares that are accessible over common connection protocols by end users.
• Table storage: Tables are NoSQL tables and are used mainly for big data applications.
• Queue storage: Message queuing is an application service offered by many CSPs. Queues provide storage for app messages waiting for delivery.
• High-performance storage: Some CSPs also provide high-performance storage options for I/O intensive applications.

Storage Compression Technologies

• File compression: File system compression transparently compresses each file as it is written to disk to reduce file size.
• Storage array compression: Some vendors, such as Sun, have implemented storage array compression, but since this must be implemented at the block level below the file system, it is technically problematic. Many storage vendors do not offer this type of compression.
• Backup storage compression: Backup compression usually doesn't slow down the backup process, and can achieve good compression ratios.

Data Deduplication

Data deduplication works by comparing objects (such as files or blocks) and removing
copies that already exist in the data set. The process consists of four steps:
1. Segment data into blocks or some other discrete portion.
2. Create a hash for each block.
3. Compare the hash to existing hashes to determine if the data is already stored in a
different block.
4. Add a pointer to the existing object already stored in the database in place of the
duplicate data.
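The four steps above as working code, added here and not taken from the course or from any storage product. The 4096-byte block size and the sample files are constructed; SHA-256 is used as the block hash, and a hash hit is also byte-compared so that an (astronomically unlikely) collision fails loudly instead of silently aliasing one block's data to another.

```python
import hashlib
from typing import Dict, List, Tuple

BLOCK_SIZE = 4096   # constructed segment size for the example


class DedupStore:
    """Block-level deduplication: each file becomes a list of pointers (block hashes)
    into a single pool of unique blocks."""

    def __init__(self) -> None:
        self.blocks: Dict[str, bytes] = {}        # hash -> block content, stored once
        self.files: Dict[str, List[str]] = {}     # file name -> ordered block hashes

    def store(self, name: str, data: bytes) -> Tuple[int, int]:
        """Segment, hash, compare, and pointer-replace.
        Returns (blocks_seen, blocks_newly_stored)."""
        pointers: List[str] = []
        newly_stored = 0
        for offset in range(0, len(data), BLOCK_SIZE):           # step 1: segment
            block = data[offset:offset + BLOCK_SIZE]
            digest = hashlib.sha256(block).hexdigest()           # step 2: hash
            existing = self.blocks.get(digest)                   # step 3: compare
            if existing is None:
                self.blocks[digest] = block
                newly_stored += 1
            elif existing != block:
                # Same hash, different bytes: a SHA-256 collision. Refusing to alias
                # is the safe failure mode; silently corrupting a file is not.
                raise RuntimeError("hash collision detected; refusing to alias block")
            pointers.append(digest)                              # step 4: pointer, not a copy
        self.files[name] = pointers
        return len(pointers), newly_stored

    def read(self, name: str) -> bytes:
        """Rehydrate a file by following its pointers."""
        return b"".join(self.blocks[h] for h in self.files[name])

    def logical_bytes(self) -> int:
        """What the files would occupy without deduplication."""
        return sum(len(self.blocks[h]) for ptrs in self.files.values() for h in ptrs)

    def physical_bytes(self) -> int:
        """What is actually held in the block pool."""
        return sum(len(b) for b in self.blocks.values())

    def dedup_ratio(self) -> float:
        return self.logical_bytes() / self.physical_bytes()
```

Because the pointer list is per file, two files that share most of their blocks cost only the differing blocks in extra space, and a block repeated within one file is likewise stored once; the ratio method shows the saving directly.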

Storage Tiers

• Hot storage for frequently accessed data or data used on a day-to-day basis
• Warm storage for less frequently accessed data such as data used a few times a month
• Cold storage for rarely accessed data

Guidelines for Selecting Storage Options for Deployment

• Select the type of storage that is best for the application or use case required. CSPs
can help you make this selection.
• Categorize your data by how frequently it is accessed and buy cloud storage tiers that
match as that will save money over time.
• When evaluating compression technologies, measure the impact on performance. It
might be better to buy more storage than to suffer the performance penalty.
• When implementing databases, look at deduplication processes and technologies to
reduce storage, and save bandwidth during data transfers and backups.
• Work with CSPs and app designers to select the type of storage you need for your
apps and services.

Activity: Selecting Storage Options for Deployment

Compare storage options for Microsoft Azure and Google Cloud.

a) In your browser, review and search both sites to help you answer the following questions.

1. What is the cost to store 4 TB of data in cold storage in each CSP?

2. What would it cost to retrieve data from cold storage in each CSP?

*Document your answers for your own benefit. Since prices change over time, there is no answer key for these questions.

Module 8 Determining Storage Requirements for Cloud Deployments
Determine Storage Access and Provisioning Requirements

Topic 3 Determine Storage Access and Provisioning Requirements

Exam Objectives Covered:


• 1.7 Given a scenario, analyze the appropriate storage type and protection
capability for a provided deployment.
Storage Access Protocols

• Small Computer System Interface (SCSI): SCSI is the most heavily used block-level
access method for disks in the data center.
• Fibre Channel (FC): Fibre Channel was designed to extend the functionality of SCSI to
allow for longer connection distances and to consolidate storage.
• Internet Small Computer System Interface (iSCSI): iSCSI encapsulates SCSI data and
commands inside the payload of IP packets, allowing for data transfer across existing
IP infrastructures, which can be cost effective.
• Fibre Channel over Ethernet (FCoE): FCoE provides functionality for moving native
Fibre Channel traffic across consolidated Ethernet networks.
• Common Internet File System (CIFS): CIFS is a shared storage protocol typically used
in Microsoft environments for file sharing and is based on Server Message Block (SMB).
• Network File System (NFS): NFS is another file-based storage protocol, traditionally
used in Linux and Unix environments.
• HTTP and others: When you need to support thousands of customers with multiple
terabytes each, traditional storage protocols may not suffice because of their
scalability limits and resource administration overhead.
Storage Management Considerations

Storage management takes all of the following into consideration:

• Virtualization
• Replication
• RAID and mirroring
• Security
• Compression
• Traffic analysis
• Process automation
• Storage provisioning
• Data movement between hot, warm, and cold storage
Storage Provisioning Models

[Figure: two provisioning models. Fat/thick provisioning allocates the full capacity
up front (used space versus allocated capacity). Thin provisioning allocates only the
used space and provisions more capacity as needed.]
Encryption Requirements

[Figure: encryption requirements diagram; no text is recoverable from the page.]

Copyright (c) 2019 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Tokenization

• In data security, tokenization replaces sensitive data with a placeholder called a
token.
• The token itself carries no meaning and cannot be exploited.
• The token references the sensitive data, which can be retrieved only through the
tokenization system. Apps that must access the data request it from that system by
presenting the token.
• Tokenization systems should be isolated and segmented from data processing
systems and applications.
• Tokenization is used to safeguard sensitive data such as:
  • Credit card processing
  • Banking records
  • Medical records
  • Voter registrations
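Tokenization as described above, shown as an added example that is not from the course or from any vendor product: a small vault keeps the only copy of the sensitive value, hands applications a random token, and releases the original value only to an authorized role. The AUTHORIZED_ROLES policy, the tok_ token format and the test card number are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Roles allowed to recover the original value; everything else works with tokens only.
# (Constructed example policy, not a product setting.)
AUTHORIZED_ROLES = {"payment-processor"}


class TokenVault:
    """Minimal tokenization vault (illustration, not a vendor API).

    The vault is the only component that ever stores the sensitive value.
    In a real deployment it runs as an isolated, segmented service, and the
    application systems talk to it only through tokenize/detokenize calls.
    """

    def __init__(self):
        self._by_token = {}   # token -> sensitive value (the only copy)
        self._by_value = {}   # keyed fingerprint of value -> token
        # Random per-vault key, so the fingerprint index reveals nothing about the data.
        self._index_key = secrets.token_bytes(32)

    def _fingerprint(self, value):
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        """Return a token for a card number; the same PAN always maps to the same token."""
        fp = self._fingerprint(pan)
        if fp in self._by_value:
            return self._by_value[fp]
        # The token is random, so it carries no information about the PAN itself.
        # Only the last four digits are kept, as receipts and support tools need them.
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._by_token[token] = pan
        self._by_value[fp] = token
        return token

    def detokenize(self, token, caller_role):
        """Recover the original value; refused unless the caller has an authorized role."""
        if caller_role not in AUTHORIZED_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._by_token[token]


def process_order(vault, pan, amount):
    """What an application system stores: the order record holds a token, never the PAN."""
    return {"amount": amount, "card_token": vault.tokenize(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    order = process_order(vault, "4111111111111111", 42.50)   # constructed test PAN
    print(order)
    print(vault.detokenize(order["card_token"], "payment-processor"))
```

The application tier only ever sees and stores the token, which is why the vault must sit in its own segment: a compromise of the order database yields tokens that are useless without a detokenize call the vault will refuse.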
Guidelines for Determining Storage Access and Provisioning Requirements

• When choosing thick or thin provisioning, factor in how quickly storage needs are
likely to grow and how long it will take you to add storage.
• If using thin provisioning, orchestrate storage utilization monitoring and provisioning
to ensure new storage is brought online as quickly as needed.
• Use storage encryption for any data that is mandated to be safeguarded by
regulation or corporate policy.
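Added example (not part of the course materials) of the thin-provisioning monitoring the guidelines call for. It models an oversubscribed thin pool, shows the failure mode where a volume still has room but the pool does not, and works out how much physical capacity to order given how long it takes to bring storage online. ThinPool, the thresholds and the growth figures are constructed for the example.

```python
from dataclasses import dataclass, field
from math import ceil


@dataclass
class ThinPool:
    """Model of a thin-provisioned pool (constructed illustration, not a vendor API).

    Volumes are handed out at their logical size, but physical capacity is consumed
    only as data is written. The pool can therefore be oversubscribed, and if writes
    outrun the physical capacity every volume on it fails at once.
    """
    physical_gb: int
    volumes: dict = field(default_factory=dict)   # name -> logical (provisioned) GB
    used: dict = field(default_factory=dict)      # name -> GB actually written

    def provision(self, name, logical_gb):
        # Thin: no physical capacity is consumed at provisioning time.
        self.volumes[name] = logical_gb
        self.used[name] = 0

    def physical_used(self):
        return sum(self.used.values())

    def logical_provisioned(self):
        return sum(self.volumes.values())

    def oversubscription(self):
        return self.logical_provisioned() / self.physical_gb

    def write(self, name, gb):
        if self.used[name] + gb > self.volumes[name]:
            raise ValueError(f"{name}: volume is full")
        # The dangerous case: the volume has room but the pool does not.
        if self.physical_used() + gb > self.physical_gb:
            raise RuntimeError("thin pool exhausted; writes fail until capacity is added")
        self.used[name] += gb


def pool_status(pool, warn_pct=70, critical_pct=85):
    """Utilization check that an orchestration job would run on a schedule."""
    pct = 100 * pool.physical_used() / pool.physical_gb
    if pct >= critical_pct:
        return "CRITICAL"
    if pct >= warn_pct:
        return "WARNING"
    return "OK"


def capacity_to_order(pool, daily_growth_gb, lead_time_days, headroom_pct=15):
    """GB to add now so the pool stays under (100 - headroom_pct)% utilization for the
    whole time it takes to bring new storage online."""
    projected = pool.physical_used() + daily_growth_gb * lead_time_days
    target_physical = projected / (1 - headroom_pct / 100)
    return max(0, ceil(target_physical - pool.physical_gb))


if __name__ == "__main__":
    pool = ThinPool(physical_gb=1000)
    for name in ("vol-a", "vol-b", "vol-c"):
        pool.provision(name, 800)          # 2400 GB promised on 1000 GB of disk
    pool.write("vol-a", 300)
    pool.write("vol-b", 300)
    pool.write("vol-c", 150)
    print(pool.oversubscription(), pool_status(pool), capacity_to_order(pool, 20, 10))
```

The `write` check is the point: a consumer of vol-c sees 350 GB free on its volume while the pool can take only 250 GB more, so the monitoring job, not the volume's own free-space counter, is what keeps the pool out of the exhausted state.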
Activity: Comparing Storage Access and Provisioning Options

Compare storage access and provisioning options for Microsoft Azure and
Google Cloud.
a) In your browser, open a new tab, and navigate to https://azure.microsoft.com/.
b) In your browser, open a new tab, and navigate to https://cloud.google.com/.
c) Review and search both sites to help you answer the following questions.

1. What are the different methods for accessing your cloud storage?

2. Do Azure or Google Cloud use thin or thick provisioning by default?

Activity: Comparing Storage Access and Provisioning Options

1. What are the different methods for accessing your cloud storage?
Answers may include: cloud storage can be accessed from anywhere with an Internet
connection, it can be accessed from inside or outside the cloud, it can be accessed by
users or applications on any kind of device, a diverse set of operating systems and
programming languages can be used, and it is also accessible through REST APIs.

2. Do Azure or Google Cloud use thin or thick provisioning by default?
They both use thin provisioning by default. You are only billed for what you use.
Module 8 Determining Storage Requirements for Cloud Deployments
Determine Storage Security Options

Module 8 Determining Storage Requirements for Cloud Deployments

• Determine Storage Technology Requirements
• Select Storage Options for Deployment
• Determine Storage Access and Provisioning Requirements
• Determine Storage Security Options

Topic 4 Determine Storage Security Options

Exam Objectives Covered:

• 1.7 Given a scenario, analyze the appropriate storage type and protection
capability for a provided deployment.
Security Considerations for Data

• At rest: Data at rest refers to data in storage, whether in a database, on a disk, or on
another storage medium.
• In transit: Data in transit refers to data that is moving across a network, including
data for web applications, mobile device apps, and instant messaging. Data is
considered to be in transit from when it leaves the storage medium or database until
it is saved again or delivered to its destination.
• In use: Data in use refers to any data that is not at rest and not in transit. This
includes data being generated, changed, erased, or viewed at exactly one network
node.
ACLs

[Figure: access control lists (ACLs) control access to network resources.]
Data Obfuscation

[Figure: data obfuscation workflow. (1) Production source data is (2) classified, (3)
sensitive data is masked, and (4) the resulting non-production data is loaded into a
staging database and distributed to the Dev, QA, and BI environments.]
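The classify-then-mask workflow in the figure, as an added Python example that is not from the course: a masking policy drives field-by-field masking of a constructed production sample, pseudonyms are keyed so that the same person masks the same way in every row (joins in Dev and QA keep working), and a final check refuses to release a copy in which any classified source value survives. MASKING_POLICY, MASK_KEY and the sample rows are constructed for the illustration.

```python
import hashlib
import hmac

# Classification step: which fields are sensitive and how each one is masked.
# (Constructed policy for the example; real policies come from the data owner.)
MASKING_POLICY = {
    "name":   "pseudonymize",   # stable fake value; the same person masks the same way
    "email":  "pseudonymize",
    "ssn":    "redact",         # fixed pattern, value unrecoverable
    "card":   "partial",        # keep last four digits for support/testing realism
    "salary": "bucket",         # coarse range keeps distributions usable for BI
}

# Key for the pseudonym HMAC. Constructed for the example; in practice it lives in a
# secrets store and is never copied to the non-production environment.
MASK_KEY = b"constructed-demo-key-not-for-production"


def _pseudonym(field, value):
    digest = hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:10]
    if field == "email":
        return f"user_{digest}@example.test"
    return f"{field}_{digest}"


def mask_record(rec):
    out = {}
    for key, value in rec.items():
        rule = MASKING_POLICY.get(key)
        if rule is None:                      # not classified as sensitive
            out[key] = value
        elif rule == "redact":
            out[key] = "***-**-****"
        elif rule == "partial":
            out[key] = "*" * (len(value) - 4) + value[-4:]
        elif rule == "bucket":
            low = (value // 10000) * 10000
            out[key] = f"{low}-{low + 9999}"
        elif rule == "pseudonymize":
            out[key] = _pseudonym(key, str(value))
    return out


def build_nonprod_copy(records):
    """Produce the staging copy that Dev, QA and BI receive."""
    return [mask_record(r) for r in records]


def leaks_source_value(masked, original):
    """Release gate: no classified source value may survive anywhere in the masked row."""
    blob = repr(masked)
    return any(str(original[k]) in blob for k in MASKING_POLICY if k in original)


# Constructed production sample (fictional people, well-known test card numbers).
PRODUCTION_SAMPLE = [
    {"id": 1, "name": "Alice Smith", "email": "alice@example.com",
     "ssn": "123-45-6789", "card": "4111111111111111", "salary": 85000},
    {"id": 2, "name": "Bob Jones", "email": "bob@example.com",
     "ssn": "987-65-4321", "card": "5500000000000004", "salary": 42000},
    {"id": 3, "name": "Alice Smith", "email": "alice@example.com",
     "ssn": "123-45-6789", "card": "4111111111111111", "salary": 85000},
]

if __name__ == "__main__":
    for row in build_nonprod_copy(PRODUCTION_SAMPLE):
        print(row)
```

Keeping the last four card digits is a deliberate trade-off: it makes test data realistic but is itself a partial identifier, so whether a "partial" rule is acceptable is a classification decision, not a technical one.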
Zoning

There are two types of zoning:

• Hard zoning, where devices are assigned a permanent zone.
• Soft zoning, where device assignments can be changed by administrators.
User and Host Authentication and Authorization

• One of the most fundamental ways to protect data is through the use of strong and
consistent host and user authentication.
• When properly implemented, no host or user can access data unless credentials
supplied are correct and current.

Guidelines for Determining Storage Security Options

• Always use a well-implemented, well-managed, policy-driven authentication and
authorization process for hosts and users.
• Protect data at rest, in transit, and in use.
• Use data obfuscation (DO) techniques to remove PII and other identifying
information from data used for testing.
• Use zoning on SANs to protect data in highly secure environments.
Activity: Determining Storage
Security Options for Deployment

Compare storage encryption options for Microsoft Azure and Google Cloud.
a) In your browser, open a new tab, and navigate to https://azure.microsoft.com/.
b) In your browser, open a new tab, and navigate to https://cloud.google.com/.
c) Review and search both sites to help you answer the following questions.

1. When should data in the cloud be encrypted to ensure it is secure?

2. Does either cloud provider enable encryption by default?

3. What is used by each cloud provider to provide encryption in transit?

4. Does encrypted data remain encrypted when it is backed up for both CSPs?

5. Will you be able to access your encrypted data if you lose the encryption key?

Activity: Determining Storage Security Options for Deployment

1. When should data in the cloud be encrypted to ensure it is secure?
At rest and in transit.

2. Does either cloud provider enable encryption by default?
Google Cloud storage enables encryption at rest by default. Microsoft Azure
encryption is not enabled by default.

3. What is used by each cloud provider to provide encryption in transit?
For Google Cloud Storage, you will use their Cloud Interconnect feature and VPNs to
create encrypted channels between your private IP environment on-premises and
the cloud network. For Microsoft Azure Storage, you will use Client-Side Encryption,
HTTPS, or SMB 3.0.

4. Does encrypted data remain encrypted when it is backed up for both CSPs?
Yes, both CSPs encrypt data through the entire backup process. If the data was
originally encrypted, it remains so, and the backup file itself is also encrypted.
Reflective Questions

1. What storage technologies do you use in your IT environment?

2. For the highly secure data managed by your organization, what storage
security options do you employ?

Module 9 Analyzing Workload Characteristics to Ensure Successful Migration
Determine the Type of Cloud Deployment to Perform

Module 9 Analyzing Workload Characteristics to Ensure Successful Migration

• Determine the Type of Cloud Deployment to Perform
• Manage Virtual Machine and Container Migration
• Manage Network, Storage, and Data Migration

Topic 1 Determine the Type of Cloud Deployment to Perform

Exam Objectives Covered:

• 1.8 Given a scenario, analyze characteristics of the workload (storage,
network, compute) to ensure a successful migration.
VMware vs. Hyper-V

Feature / Capability        vSphere                                                    Hyper-V
Max cluster size            64 nodes with 800 VMs per cluster                          64 nodes with 800 VMs per cluster
Max cores per CPU           Unlimited                                                  Unlimited
Max CPUs per host           576 logical processors                                     512 logical processors
Max memory per host         12 TB                                                      24 TB
Max RAM per VM              6 TB                                                       12 TB
Max vCPU per VM             128                                                        240
Max disk size               62 TB for VMDK, RDM, and snapshots                         64 TB (VHDX), 2 TB (VHD), 256 TB+ (raw)
Max VMs or vCPUs per host   1024 VMs                                                   1024 VMs
or logical CPU
Pricing                     Generally considered less expensive                        Generally considered more expensive
Container support           Yes (vSphere Integrated Containers)                        Yes (Windows containers)
Guest OS support            Very comprehensive                                         Many Windows OSes and some Linux
Hardware compatibility      Considered very compatible                                 Less compatible, but growing
OVF support                 Yes                                                        Yes (OVF import and export)
Hot add capability          CPU, memory, disk, NIC, PCIe SSD                           Same except CPU (must reboot to add vCPU)
Automated live migration    Yes                                                        Yes
Ease of use                 Easier, especially for complex configuration tasks         Harder; the Hyper-V UI is in need of updating
Ecosystem                   Growing, but some ecosystem components come from           Large ecosystem of Microsoft products and
                            third parties                                              Azure services

Source: https://go.heroix.com
P2V Deployments

[Figure: physical-to-virtual (P2V) deployment diagram; no text is recoverable from the page.]

V2V Deployments

[Figure: virtual-to-virtual (V2V) deployment diagram; no text is recoverable from the page.]

V2P Deployments

[Figure: virtual-to-physical (V2P) deployment diagram; no text is recoverable from the page.]

P2P Deployments

[Figure: physical-to-physical (P2P) deployment diagram; no text is recoverable from the page.]
Online vs. Offline Migrations

• Online migrations happen while a data service is in use and online.
• Online migrations make it easier for users, partners, and customers to continue
accessing their data without disruption while the migration is occurring.
• They are more difficult to plan and implement, as administrators must ensure data is
moved in sync with all changes and updates in both locations prior to cutting over
access to the new storage location.
• In an offline migration, access to the data source is removed prior to migration,
usually as part of planned and scheduled downtime.
• Once access is turned back on, users access their data in the new location without
noticing that anything has changed.
• Offline migrations are easier for administrators to manage but are not always a viable
option due to the size of the data that must be moved.
Storage Migrations

[Figure: on-premises environment connected to the cloud; bandwidth constrictions
make moving data to the cloud over the network unfeasible.]
Guidelines for Determining the Type of Cloud Deployment to Perform

• Evaluate workloads running on physical servers as directed in this topic to see if they
may be a good fit for a P2V migration.
• Investigate and try virtual migration tools. Start with the tools offered by the virtual
platform you'll be deploying, such as VMware.
• Perform V2V migrations to move VMs to different VM platforms or environments.
• As a best practice, when performing V2V migrations, migrate to platforms using the
same chip vendor technology (Intel or AMD).
• If it turns out that an app cannot run or isn't supported in a virtual environment,
perform a V2P migration.
• Look for CSP and third-party migration options that can shorten data migrations.
Activity: Determining the Type of
Cloud Deployment to Perform

1. Your organization has several virtual servers hosting multiple virtual machines.
Which cloud deployment type would you recommend using to migrate the virtual
machines to the cloud?

2. Your organization also has physical servers, which run applications, perform
directory services, host databases, and more. Which cloud deployment type would
you recommend using to migrate these physical servers to the cloud?

Activity: Determining the Type of Cloud Deployment to Perform

1. Your organization has several virtual servers hosting multiple virtual machines.
Which cloud deployment type would you recommend using to migrate the virtual
machines to the cloud?
A Virtual-to-Virtual (V2V) deployment will allow you to efficiently and quickly migrate
the virtual machines to the cloud.

2. Your organization also has physical servers, which run applications, perform
directory services, host databases, and more. Which cloud deployment type would
you recommend using to migrate these physical servers to the cloud?
You may want to keep some servers on-premises, such as legacy servers that aren't
ready to be replaced yet. Otherwise, you should use a Physical-to-Virtual (P2V)
deployment to migrate the physical servers to virtual servers in the cloud. This
reduces the cost of running and maintaining those physical servers.
Module 9 Analyzing Workload Characteristics to Ensure Successful Migration
Manage Virtual Machine and Container Migration

Module 9 Analyzing Workload Characteristics to Ensure Successful Migration

• Determine the Type of Cloud Deployment to Perform
• Manage Virtual Machine and Container Migration
• Manage Network, Storage, and Data Migration

Topic 2 Manage Virtual Machine and Container Migration

Exam Objectives Covered:

• 1.8 Given a scenario, analyze characteristics of the workload (storage,
network, compute) to ensure a successful migration.
OVF

• Open Virtualization Format (OVF) is an initiative supported by the DMTF as an
open-source standard for packaging and distributing software applications for VMs.
• An OVF package contains the software files and an Extensible Markup Language
(XML) OVF descriptor file in a single folder.
• Numerous vendors use OVF in their virtualization products.
• Selecting VM software providers that support OVF can help ensure VMs are portable
between virtualization platforms, cloud vendors, and on-premises deployments.
Workloads

The following list describes some common cloud workloads:

• Analytic workloads are used to holistically analyze large amounts of data from
websites, cloud systems, and data warehouses.
• Database workloads are a very common type of workload used in public, hybrid, and
private cloud environments.
• High-performance workloads have special processing or technical requirements
requiring large amounts of compute resources.
• Transactional workloads include automated business processes such as billing and
order processing.
App Portability

• Application portability (also called cloud portability) is the ability to move
applications and data from one data center, either on-premises or in the cloud, to
another with minimal disruption.
• Applications that are portable can be moved from on-premises to the cloud, from
one CSP to another CSP, or from public to private clouds.
• Portability allows customers to more easily move CSPs in the event the current CSP
cannot or will not provide the services a customer requires.
• For example, a key service may be set to be discontinued, or prices may increase.
Portability helps avoid being locked into a single CSP.
App Components

• Remember that when you're migrating an app to the cloud, or from one CSP to
another, all the app components must be moved or reconfigured.
• For example, a data-driven storefront web app might:
  • Have app code that runs on the front end of the app.
  • Have a database that runs on the back end of the app.
  • Use custom services written for the app.
• Each of these app components must be migrated with the app to the new cloud
environment, or reconfigured to connect to and use services across cloud providers,
or between cloud and on-premises components.
Container Migration Considerations

Beyond the fundamentals, you must also do the following:

• Decompose the app. Decomposition, also called destructuring, is the act of taking a
large monolithic app and modularizing it.
• Find base images to base new containers on (or use a migration tool such as
Image2Docker).
• Configure the containerized app. This might include specifying connection
credentials, security information, app settings, logging levels, environment variables,
and so forth.
• Create the container images.
• Run the containers and test.
Virtual Machine Migration Issues

• VHD and VHDX migration: Azure supports only generation 1 VMs that are in the VHD
file format and have a fixed-size disk that is a maximum of 1,023 GB. So if you have
Hyper-V VMs on-premises or running on systems at a different CSP, you will have to
convert your virtual disks.
• Processor architecture: The Intel and AMD processor architectures and supporting
chipsets are slightly different. It's possible that moving VMs from a host running on
one architecture to a host running chips with a different architecture can cause issues
that will prevent VMs from working.
• Hypervisor-to-hypervisor migration: It's possible that migrating from one virtual
environment to another will necessitate moving to a new hypervisor, which could
cause issues for existing VMs.
SOP for Workload Migration

• Lift and shift: Sometimes called rehosting, this approach minimizes new development
or extending legacy apps to take advantage of cloud-native capabilities.
• Lift, tinker, and shift: Sometimes called replatforming, this is similar to lift and shift,
but a few cloud-related optimizations are made to workload components to achieve
tangible, defined benefits.
• Repurchasing: The organization chooses to replace their in-house service with a cloud
service or cloud-native service.
• Refactoring: Also called re-architecting, this reimagines how the app should work and
function in a modern and cloud-native way.
• Retirement: In some cases, organizations have looked at the workloads running in
their environment and found some of their IT portfolio is no longer needed.
• Revisit: Also called retain, this option simply means to do nothing in the near term
but to re-evaluate later.
Guidelines for Virtual Machine and Container Migration

• Be aware of how your virtualization platform recognizes and uses the OVF format, as
that may provide additional cross-compatibility and more options when migrating to
or from a given virtualization vendor.
• Evaluate workloads to make sure they are a good fit to move to the cloud.
• Evaluate CSP app portability options to see what tools and services they can provide
to assist in app migrations.
• Be sure to include all app components in both the evaluation and planning stages
when migrating an app to or between clouds.
• Be aware of the container migration considerations presented in this topic.
• Be aware of the virtual machine migration issues presented in this topic.
Activity: Determining Source and Destination Workload Format for Migration

Research the Google VM Migration Service.

a) In your browser, open a new tab, and search for the Google VM Migration
Service.
b) Review and search the results to help you answer the following questions.

1. What virtual machine formats does the Google VM Migration Service support?

2. How much do you estimate it will cost to migrate VMs to Google Cloud?

3. Will there be any service disruption while migrating the VMs to the cloud?

Activity: Determining Source and Destination Workload Format for Migration

1. What virtual machine formats does the Google VM Migration Service support?
The Google VM Migration Service connects to an operating system that is up and
running and migrates the files and settings from that server to the cloud. Because it
migrates a running server, it does not matter which virtual machine format the VM is
in, or even if it is a physical server.

2. How much do you estimate it will cost to migrate VMs to Google Cloud?
The actual migration is free. Once the VMs have been imported into Compute
Engine, you will be billed as you would for any other VM instance you created.

3. Will there be any service disruption while migrating the VMs to the cloud?
There is no service disruption because the VMs are replicated at the block level to the
cloud, so the source and target machines are never turned off or disconnected.
Module 9 Analyzing Workload Characteristics to Ensure Successful Migration
Manage Network, Storage, and Data Migration

Module 9 Analyzing Workload Characteristics to Ensure Successful Migration

• Determine the Type of Cloud Deployment to Perform
• Manage Virtual Machine and Container Migration
• Manage Network, Storage, and Data Migration

Topic 3 Manage Network, Storage, and Data Migration

Exam Objectives Covered:

• 1.8 Given a scenario, analyze characteristics of the workload (storage,
network, compute) to ensure a successful migration.
Bandwidth Considerations

At the time of migration, additional bandwidth may be needed for the following reasons:

• Migration of VMs (or app code) to the CSP. Depending on the solution being
deployed, more VMs may need to be transferred to the CSP.
• Migration of data to the CSP. This is perhaps the biggest concern, as data-driven apps
may use very large data stores.
• Synchronization of data prior to or after cutover to the CSP solution. If you've used
a copy-and-ship method to move data to a CSP data center, then data changes after
the ship date will need to be synchronized.
• Cloud solution testing. Testing your cloud solution prior to cutover may involve
putting various amounts of load or stress on the solution.
• Backup of VMs, apps, and data prior to the actual migration. As a best practice, you
should back up any solution components and data prior to cloud migration, and also
prior to cutover if doing a multi-phase migration.
• Backup of VMs, apps, and data after successful launch in the cloud. Once a solution
is successfully deployed to the cloud, it should be backed up immediately, and
regularly thereafter.
Data and Network Portability

Data challenges:
• Determining the data and databases to be moved.
• Determining any proprietary data-related services or components that must be
refactored or replaced at the destination.
• Locating the data (or all copies of it) in a CSP data center or data centers.
• Finding an efficient, cost-effective way to move the data with little or no service
disruption.
• Moving to a new database system (as is sometimes required when moving between
CSPs).

Networking challenges:
• Duplicating virtual networking and virtual private network configurations.
• Connecting virtual networks across cloud platforms.
• Duplicating or replacing proprietary network filtering or routing configurations from
the source cloud or data center on the destination.
Data Transfer Options

To overcome data transfer challenges, consider the following options:

• Apply data footprint reduction technologies. Reduce the data size by deduplicating
and compressing data.
• Pre-ship static data. Providers often provide a way to ship large data sets. Services
such as Amazon Snowball and Azure Import/Export allow you to ship data directly to
the CSP.
• Pre-ship data, then synchronize changes. If the data to be moved is not static and is
used frequently, another option is to pre-ship data and, once it's online in the cloud,
synchronize the changes that have taken place since the original data was shipped.
• Buy a high-speed direct connection to the CSP. This is an option some CSPs provide in
conjunction with ISPs they work with.
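Added example (not code from the course or from any CSP tool) of the first and third options working together: chunk-level deduplication plus compression shrinks what is shipped, and after the ship date only the chunks the CSP does not already hold are synchronized. Fixed-size chunks, the constructed dataset and the post-shipment edits are assumptions for the illustration; production tools use content-defined chunking, which survives inserts that shift data.

```python
import hashlib
import zlib

CHUNK = 4096  # fixed-size chunks for clarity; production tools use content-defined chunking


def split(data):
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]


def build_manifest(data):
    """Return (chunk order, {sha256: compressed chunk}); a duplicate chunk is stored once."""
    order, store = [], {}
    for c in split(data):
        h = hashlib.sha256(c).hexdigest()
        order.append(h)
        if h not in store:
            store[h] = zlib.compress(c)
    return order, store


def reduce_footprint(data):
    """Option 1: deduplicate and compress before anything is copied to the shipping device."""
    order, store = build_manifest(data)
    return {
        "raw_bytes": len(data),
        "chunks": len(order),
        "unique_chunks": len(store),
        "shipped_bytes": sum(len(v) for v in store.values()),
        "order": order,
        "store": store,
    }


def delta_since_shipment(shipped_store, current):
    """Option 3: after the ship date, send the new chunk order plus only the chunks the
    CSP does not already hold. This is all that has to cross the network."""
    order, store = build_manifest(current)
    missing = {h: v for h, v in store.items() if h not in shipped_store}
    return order, missing


def restore(order, store):
    return b"".join(zlib.decompress(store[h]) for h in order)


# ---- constructed sample data (not from any real system) ----
def make_dataset(n_pages, n_distinct):
    # page i and page i + n_distinct are identical, like repeated blocks in backups/copies
    return b"".join(f"page {i % n_distinct:05d} ".encode().ljust(CHUNK, b"\0")
                    for i in range(n_pages))


BASELINE = make_dataset(400, 50)   # what was copied to the device and shipped


def after_ship_changes(data):
    """Edits made to the live data while the device was in transit."""
    pages = split(data)
    pages[3] = b"page 00003 UPDATED ".ljust(CHUNK, b"\0")                          # one page rewritten
    pages += [f"new page {i} ".encode().ljust(CHUNK, b"\0") for i in range(10)]    # ten new pages
    return b"".join(pages)


def run_migration():
    shipped = reduce_footprint(BASELINE)
    current = after_ship_changes(BASELINE)
    order, delta = delta_since_shipment(shipped["store"], current)
    csp_store = {**shipped["store"], **delta}          # what the CSP holds after the sync
    return {
        "shipped": shipped,
        "delta_chunks": len(delta),
        "delta_bytes": sum(len(v) for v in delta.values()),
        "restored_ok": restore(order, csp_store) == current,
    }


if __name__ == "__main__":
    result = run_migration()
    print({k: v for k, v in result["shipped"].items() if k not in ("order", "store")})
    print("delta chunks:", result["delta_chunks"], "bytes:", result["delta_bytes"])
    print("restored matches live data:", result["restored_ok"])
```

The manifest (the `order` list) is the part that must be protected in transit and at rest alongside the chunks: without it the CSP cannot reassemble the data, and with a forged one it reassembles the wrong data, so it should travel with an integrity check of its own.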
Downtime Impact

[Figure: on-premises environment; downtime has a cost both in IT resources and in
lost productivity.]
Environmental Considerations

• Working hours restrictions: If users have working hours restrictions during which they
are not allowed to access network services, those hours may be a natural fit for
performing migration activities that require downtime.
• Peak time frame constraints: Peak times may be times of day such as early afternoon,
which might be peak data entry time, or just after closing, when all transactions are
processed for reporting.
• Legal restrictions: If you store or access regulated data and are a global company,
there may be regulations governing what data can be moved across national
boundaries.
• Time zone constraints: If you have geographically distributed workloads, migration
becomes even more complex.
Guidelines for Network, Storage, and Data Migration

• Take the bandwidth considerations covered in this topic into account when planning
network, storage, and data migration.
• Take the data and network portability issues covered in this topic into account when
planning data migrations.
• Consider pre-shipping large data sets to CSPs.
• Always discuss with your CSP what options you have to extract data and move to a
different CSP. Get details in an SLA or other contract if possible.
• Calculate the cost of planned downtime. Include those costs in planning and in
reporting before, during, and post migration.
• Use projected downtime costs to justify tools and services that may be able to
reduce overall downtime.
• Consider the environmental factors discussed in this topic when planning migrations.

Activity: Determining If Any Environmental Constraints Will Impact Migration

1. How would you plan the best time to migrate?

2. You need to migrate 3 TB of data to Azure, which will not complete during the least
usage time on the weekend. What alternative methods could you use to get that
data in the cloud and avoid downtime?

3. Are there any legal regulatory restrictions or entities for dealing with employee
data that might impact migration?

Activity: Determining If Any Environmental Constraints Will Impact Migration

1. How would you plan the best time to migrate?
Answers may include: avoid times of peak usage, use bandwidth when it is least
utilized, etc.

2. You need to migrate 3 TB of data to Azure, which will not complete during the least
usage time on the weekend. What alternative methods could you use to get that
data in the cloud and avoid downtime?
Answers may include: break the data into smaller sizes and upload a piece each
weekend, use a portable drive option to copy the data and ship it to Azure, etc.

3. Are there any legal regulatory restrictions or entities for dealing with employee
data that might impact migration?
Answers may include: privacy laws in the United States and United Kingdom that need
to be considered, etc.
Reflective Questions

1. What type of IT system migrations have you performed?

2. When you have migrated apps that have large databases, how have you
moved the data?

Module 10 Maintaining Cloud Systems
Patch Cloud Systems

Module 10 Maintaining Cloud Systems

• Patch Cloud Systems
• Design and Implement Automation and Orchestration for Maintenance

Topic 1 Patch Cloud Systems

Exam Objectives Covered:

• 1.3 Given a scenario, analyze system requirements to determine if a given
testing plan is appropriate.
• 3.1 Given a cloud service model, determine the appropriate methodology to
apply given patches.
Scope of Components to be Patched

The components you should look to patch are:

• Hypervisors
• Virtual machines/operating systems
• Virtual appliances
• Networking components
• Applications
• Storage components
• Clusters
Production vs. Development vs. QA Patching

[Figure: patches move from the Development environment to QA (patching/test) and
then to Production.]
Rolling Updates

• A rolling update is a patching strategy that staggers deployment across multiple
phases.
• This helps reduce downtime and issues from the update.
• Instead of updating all of the servers or tiers at the same time, the update is installed
on one server or subset of servers at a time.
• This can be done for any group of cloud components, not just servers or VMs.
• You want to consider peak usage times for the organization and schedule any updates
when they will have the least impact.
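A rolling update in code, added here as an example and not part of the course: servers are drained and patched one batch at a time, a batch that fails its health check is rolled back and the rollout halts, and the batch size is capped so that a minimum number of servers stays in service. The Fleet simulation (including a server that the new build breaks) and the peak-hours window are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Fleet:
    """Stand-in for a pool of servers behind a load balancer (constructed, not a real API)."""
    versions: dict                                     # server -> installed version
    breaks_on_patch: set = field(default_factory=set)  # servers the new build breaks (simulated bad update)
    in_service: set = field(init=False)
    original: dict = field(init=False)
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.in_service = set(self.versions)
        self.original = dict(self.versions)

    def drain(self, server):            # take out of rotation before touching it
        self.in_service.discard(server)
        self.log.append(f"drain {server}")

    def install(self, server, version):
        self.versions[server] = version
        self.log.append(f"install {version} on {server}")

    def restore(self, server):          # put back into rotation
        self.in_service.add(server)
        self.log.append(f"restore {server}")

    def healthy(self, server):
        # Simulated health check: a "breaks_on_patch" server is healthy only on its original build.
        return server not in self.breaks_on_patch or self.versions[server] == self.original[server]


def off_peak(hour, peak_start=8, peak_end=18):
    """Schedule batches outside the organization's peak hours."""
    return not (peak_start <= hour < peak_end)


def max_batch_size(fleet, min_in_service):
    return len(fleet.versions) - min_in_service


def rolling_update(fleet, new_version, batch_size, min_in_service):
    """Patch one subset at a time. A batch that fails its health check is rolled back and
    the roll-out halts, so a bad update never reaches the whole fleet."""
    if batch_size > max_batch_size(fleet, min_in_service):
        raise ValueError("batch size would drop capacity below the minimum in service")
    servers = sorted(fleet.versions)
    patched = []
    for start in range(0, len(servers), batch_size):
        batch = servers[start:start + batch_size]
        for s in batch:
            fleet.drain(s)
            fleet.install(s, new_version)
        failed = [s for s in batch if not fleet.healthy(s)]
        for s in failed:                       # roll back only the servers that broke
            fleet.install(s, fleet.original[s])
        for s in batch:                        # everything goes back into rotation
            fleet.restore(s)
        if failed:
            return {"status": "halted", "patched": patched, "failed": failed,
                    "remaining": servers[start + batch_size:]}
        patched.extend(batch)
    return {"status": "complete", "patched": patched, "failed": [], "remaining": []}


if __name__ == "__main__":
    fleet = Fleet({"web-1": "1.0", "web-2": "1.0", "web-3": "1.0", "web-4": "1.0",
                   "app-1": "1.0", "app-2": "1.0"}, breaks_on_patch={"web-3"})
    print(rolling_update(fleet, "1.1", batch_size=2, min_in_service=4))
    print("\n".join(fleet.log))
```

Draining before installing is what makes the update invisible to users; the health check after installing is what turns a bad patch into one failed batch rather than a fleet-wide outage.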
Blue/Green Deployment Patching

[Figure: blue/green deployment. A router directs users to either the old version or the
new version of the system, so traffic can be switched between the two.]
Hotfixes

• Designed to fix serious or critical flaws or security vulnerabilities.
• Designed to be deployed quickly to solve a specific issue.
Failover Cluster Patching

• You may want to apply only the critical security patches that address severe
vulnerabilities.
• You may instead plan regular outages to perform patching.
• Or you may want to stay as up to date as possible and schedule downtime to install
all patches.
• Cluster-Aware Updating (CAU) is a feature in Windows Server 2012 and later that
updates all servers in a failover cluster without impacting the availability of the cluster.
Patching Order of Operations

Here are the steps to help you create your own process:
Step 1: Do an inventory of all components in your environment, documenting the type of
each component, version, IP addresses, physical location, and function.
Step 2: Try to standardize components of the same type to all use the same version of
their software, firmware, etc.
Step 3: Inventory the security controls you have in place (routers, firewalls, IDSes,
anti-malware, etc.) and their configurations (i.e., firewall rules, etc.).
Step 4: Compare any reported vulnerabilities against your inventory and security
control list.
Step 5: Once you know the vulnerabilities that apply to your environment, assess each
one for how critical the vulnerability itself is, and how critical the systems it affects are.
Step 6: Deploy patches without disrupting uptime or production.
Step 7: Finally, monitor your patched systems for any issues and be prepared to roll back
patches in the event they create problems in your environment.
Patching Dependency Considerations

• Some software packages have dependencies on specific versions of other software
packages.
• This can create a problem if you update one software package and another software
package requires the previous version.
• The dependent package will throw an error or not function properly, forcing you to
roll back the update.
• As part of your inventory, determine whether you have any software dependencies,
and if they require specific versions of other software.
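Steps 1 to 5 of the patching order of operations and the dependency check, together as one added example that is not from the course: a constructed inventory is matched against reported vulnerabilities, each match is prioritized by severity, system criticality and exposure (a compensating control lowers the priority but never removes it), drifted versions are reported for standardization, and any package that pins the vulnerable version is flagged as a blocker before the patch is scheduled. All hosts, versions, advisory IDs (ADV-EXAMPLE-*) and scoring weights are constructed placeholders, not real systems or advisories.

```python
import operator
import re

# Step 1: inventory (constructed example data; ids, versions and hosts are fictional)
INVENTORY = [
    {"id": "db-01",  "software": "postgres", "version": "12.4",   "criticality": 5, "exposure": "internal"},
    {"id": "web-01", "software": "nginx",    "version": "1.18.0", "criticality": 4, "exposure": "internet"},
    {"id": "web-02", "software": "nginx",    "version": "1.18.0", "criticality": 3, "exposure": "internet"},
    {"id": "app-01", "software": "openssl",  "version": "1.1.1g", "criticality": 4, "exposure": "internet"},
    {"id": "lab-01", "software": "nginx",    "version": "1.16.1", "criticality": 1, "exposure": "internal"},
]

# Step 3: security controls in place per host (here, a WAF in front of the web tier)
CONTROLS = {"web-01": ["waf"], "web-02": ["waf"]}

# Step 4 input: reported vulnerabilities. The IDs are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "software": "nginx",    "affected_below": "1.20.0", "fixed_in": "1.20.0", "severity": 9.1},
    {"id": "ADV-EXAMPLE-002", "software": "openssl",  "affected_below": "1.1.1k", "fixed_in": "1.1.1k", "severity": 7.5},
    {"id": "ADV-EXAMPLE-003", "software": "postgres", "affected_below": "12.0",   "fixed_in": "12.0",   "severity": 8.0},
]

# Dependency considerations: packages that pin a version of something else (constructed)
DEPENDENCIES = [
    {"host": "app-01", "package": "legacy-agent", "requires": ("openssl", "<", "1.1.1k")},
]

OPS = {"<": operator.lt, "<=": operator.le, ">=": operator.ge, "==": operator.eq}


def vkey(version):
    """Sortable key for versions like 1.18.0 or 1.1.1g (digit runs compare numerically)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-z]+", version))


def satisfies(version, requirement):
    _, op, bound = requirement
    return OPS[op](vkey(version), vkey(bound))


def version_drift(inventory):
    """Step 2: software running more than one version (candidates for standardizing)."""
    seen = {}
    for item in inventory:
        seen.setdefault(item["software"], set()).add(item["version"])
    return {sw: versions for sw, versions in seen.items() if len(versions) > 1}


def applicable(inventory, advisories):
    """Step 4: match advisories against the inventory."""
    for item in inventory:
        for adv in advisories:
            if item["software"] == adv["software"] and vkey(item["version"]) < vkey(adv["affected_below"]):
                yield item, adv


def priority(item, adv, controls):
    """Step 5: weight severity by how critical and how exposed the affected system is.
    A compensating control lowers the score; it never removes the need to patch."""
    exposure = 1.0 if item["exposure"] == "internet" else 0.6
    if "waf" in controls.get(item["id"], []):
        exposure *= 0.8
    return round(adv["severity"] * item["criticality"] * exposure, 1)


def build_patch_plan(inventory, advisories, controls, dependencies):
    plan = []
    for item, adv in applicable(inventory, advisories):
        # Dependency check: would the fixed version break a package pinned on this host?
        blockers = [d["package"] for d in dependencies
                    if d["host"] == item["id"] and d["requires"][0] == adv["software"]
                    and not satisfies(adv["fixed_in"], d["requires"])]
        plan.append({"host": item["id"], "advisory": adv["id"], "upgrade_to": adv["fixed_in"],
                     "priority": priority(item, adv, controls), "blocked_by": blockers})
    return sorted(plan, key=lambda p: p["priority"], reverse=True)


if __name__ == "__main__":
    print("version drift:", version_drift(INVENTORY))
    for entry in build_patch_plan(INVENTORY, ADVISORIES, CONTROLS, DEPENDENCIES):
        print(entry)
```

A "blocked_by" entry is not a reason to skip the patch; it is the input to Step 6, where the blocking package is upgraded first or the host is scheduled for a rollback-ready maintenance window.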
Guidelines for Patching Cloud Systems

• Review all of the different types of components that need to be patched.
• If you can, use a test environment to test patches before applying them to your
production environment.
• At the very least, use pilot systems to test patches on first.
• Consider peak usage times for the organization and schedule any updates when they
will have the least impact.
• Consider following a patching order of operations to ensure you roll out updates in
the least disruptive and most comprehensive manner.
• Investigate possible dependencies among your systems that could be broken by
patching.
Activity: Creating a Patching SOP
1. What should be the first step in creating a patching SOP?

2. What versioning technique can you employ to make patching related OS types and
applications easier?

3. How will you know what vulnerabilities exist and which systems or applications to
patch?

13
Activity: Creating a Patching SOP
1. What should be the first step in creating a patching SOP?
The first step is taking inventory of all production systems (including OS types and
versions, IP addresses, physical location, and function), applications (including
version number and which system(s) it is installed on), and other devices that may
require updates. You cannot properly manage patching without first knowing what
may need to be patched.

2. What versioning technique can you employ to make patching related OS types and
applications easier?
Standardize related applications and OS types to use the same version number. This
will reduce the amount of variables when installing new patches because all related
applications or systems will be installing the same patches.

3. How will you know what vulnerabilities exist and which systems or applications to
patch?
You will need a tool such as a vulnerability scanner, patch management system, etc.,
that can detect what vulnerabilities exist in your environment and what patches are
available. You then need to compare those vulnerabilities to your inventory and see
which apply to your systems.
Module 10 Maintaining Cloud Systems
Design and Implement Automation and Orchestration for
Maintenance
Module 10 Maintaining Cloud Systems

• Patch Cloud Systems
• Design and Implement Automation and Orchestration for Maintenance

Topic 2 Design and Implement Automation and Orchestration for
Maintenance

Exam Objectives Covered:
• 2.1 Given a scenario, apply security configurations and compliance controls to meet given cloud infrastructure requirements.
• 3.2 Given a scenario, apply the appropriate automation tools to update cloud elements.
• 3.6 Given a scenario, apply the appropriate maintenance automation technique to the target objects.

Platform Automation and Orchestration Options

• Automation and orchestration can aid your patch maintenance efforts by allowing
you to automate the installation of patches, creating test environments, rebooting
patched systems, etc.

Types of Updates

• Physical Hardware Checks
• Backup and Restore
• Software Updates and Licensing
• Event Logs and Services
• Disk Management
• Anti-Virus
• Security
• Active Directory
• Microsoft Exchange Mail System
• Network Performance
• Miscellaneous

Maintenance Activities to Automate
Here are some maintenance activities you might consider automating:
• Snapshot VMs
• Cloning VMs
• Patching systems
• Restart/Shutdown VMs
• Maintenance Mode
• Enabling/disabling alerts
• Clearing logs and archiving logs
• Compressing drives
• Removing inactive accounts
• Removing stale DNS entries
• Removing orphaned resources
• Removing outdated rules from firewall
• Removing outdated rules from security
• Resource reclamation
• Maintain ACLs for the target object

Automation Workflows

• In addition to using automation and orchestration, there are also automation workflows you can employ.
• Automation workflows are either managed or unmanaged automation solutions that have prebuilt automation workflows related to the cloud.
• Many CSPs offer their own versions of these tailored to work with their environment.
  • AWS has the Amazon Simple Workflow Service (SWF).
  • Microsoft Azure has Azure Automation.

Maintenance Schedules

Automation scripts run on a regular basis on different schedules.

Guidelines for Designing and Implementing
Maintenance Automation and Orchestration

• Consider using automation and orchestration to aid your maintenance efforts.
• Consider all your maintenance tasks and which ones would be best to automate.
• Consider using an automation workflow, either through your CSP or a third-party tool, to aid your automation efforts.
• Schedule your maintenance tasks to ensure they are performed on a regular basis.

Activity: Designing Maintenance
Automation and Orchestration

1. What criteria would you use to validate whether a task or action should be
automated?

2. When would you consider using a CSP-specific automation tool over a third-party
tool, or vice versa?

Activity: Designing Maintenance
Automation and Orchestration

1. What criteria would you use to validate whether a task or action should be
automated?
Answers may include the time it takes to automate a task should be shorter than
performing the task manually, the task is performed at a high frequency and over
time the time it takes to automate the process will be recouped, etc.

2. When would you consider using a CSP-specific automation tool over a third-party
tool, or vice versa?
A CSP-specific tool will typically have better integration with that cloud service and
provide more control and more options. That CSP-specific tool won't work with
another cloud service, whereas a third-party automation tool should work with both
CSPs and more. The third-party tool may not have as good an integration as the CSP-
specific tool.

Reflective Questions

1. How have your IT teams patched systems in the organizations you've worked for?

2. In the current IT environment, what maintenance activities would be good choices for automation?

Module 11 Implementing Backup,
Restore, Disaster Recovery, and Business
Continuity Measures
Back Up and Restore Cloud Data
Module 11 Implementing Backup, Restore, Disaster Recovery,
and Business Continuity Measures

• Back Up and Restore Cloud Data
• Implement Disaster Recovery Plans
• Implement Business Continuity Plans

Topic 1 Back Up and Restore Cloud Data

Exam Objectives Covered:
• 3.3 Given a scenario, apply an appropriate backup or restore method.

Cloud Storage Options

• CSPs provide different storage options based on performance needs and how often
data is accessed.

Backup Scenarios

• There are many different factors that can cause data loss or the need to restore a
backup.
• Many of these factors are impossible to predict and are out of your control.
• Data loss will cost you time in recreating what you lost or can financially cripple your
business and bring productivity to a halt.
• At a minimum, you need to back up critical and important data.
• Ideally you will back up any data that is useful to your organization.
• Be aware of retention requirements.
• Be aware of data residency/sovereignty laws that may have restrictions on moving
certain data outside the country of origin.
• Having data replicated or backed up to multiple regions or even other clouds can
improve your data recovery because not all of your data is in one service or one
region.

SLAs for Backup and Restore

• The SLA for cloud backup and restore and data replication should detail how quickly
the CSP responds in case of an incident and how they handle trouble tickets.
• It should also address items such as who to call in case of an emergency or what the
CSP's own disaster recovery plan is if they go down.
• If your organization has special needs or services for backup or restore and data
replication, then tell the CSP in advance and put it in writing.

Backup Types

Backup type | Description
Full backup | A full copy of your entire data set.
Incremental backup | Backs up the data that has changed since the previous backup was performed.
Differential backup | Contains all of the data that has changed since the last full backup.
Copy-on-write snapshot | Stores metadata about the location of the original data without copying it when the snapshot is created.
Clone or split-mirror snapshot | References all the data on a set of mirrored drives.
Redirect-on-write storage snapshot | Writes only changed data, which is redirected to storage that is provisioned for snapshots.
Incremental snapshot | Creates timestamps that enable a user to go back to any of those points in time.
Change block/delta tracking | Compares disk sectors against the last backup file and locates the blocks that have been modified. These modified blocks are backed up instead of the entire disk sector.

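Full, incremental and differential backups, with change block tracking deciding which blocks to copy, modelled in Python as an added example that is not part of the course material. The "disk" is a constructed list of fixed-size blocks; the point to notice is how many blocks each type copies and which pieces of the chain a restore needs.

```python
"""Full, incremental, differential and changed-block backups of a block device."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class Backup:
    kind: str                  # "full", "incremental" or "differential"
    blocks: dict[int, bytes]   # block index -> contents captured by this backup


def block_hashes(disk: list[bytes]) -> list[str]:
    """Change block tracking state: one digest per block, kept from the last run."""
    return [hashlib.sha256(block).hexdigest() for block in disk]


def changed_blocks(disk: list[bytes], previous: list[str] | None) -> set[int]:
    """Indices whose digest differs from the recorded state (every block if no state)."""
    if previous is None:
        return set(range(len(disk)))
    current = block_hashes(disk)
    # The disk is fixed-size in this model, so a positional comparison is enough.
    return {i for i, (now, then) in enumerate(zip(current, previous)) if now != then}


class BackupSet:
    """A backup chain plus the tracking state each backup type compares against."""

    def __init__(self) -> None:
        self.chain: list[Backup] = []
        self.hashes_at_last_full: list[str] | None = None
        self.hashes_at_last_backup: list[str] | None = None

    def run(self, disk: list[bytes], kind: str) -> Backup:
        if kind == "full":
            indices = set(range(len(disk)))
        elif kind == "incremental":      # changed since the previous backup of any kind
            indices = changed_blocks(disk, self.hashes_at_last_backup)
        elif kind == "differential":     # changed since the last full backup
            indices = changed_blocks(disk, self.hashes_at_last_full)
        else:
            raise ValueError(f"unknown backup type: {kind}")
        backup = Backup(kind, {i: disk[i] for i in sorted(indices)})
        self.chain.append(backup)
        self.hashes_at_last_backup = block_hashes(disk)
        if kind == "full":
            self.hashes_at_last_full = self.hashes_at_last_backup
        return backup

    def restore(self) -> list[bytes]:
        """Rebuild the disk: last full backup, then whatever reaches the latest backup."""
        last_full = max(i for i, b in enumerate(self.chain) if b.kind == "full")
        latest = self.chain[-1]
        if latest.kind == "differential":
            replay = [self.chain[last_full], latest]    # only two pieces needed
        else:
            replay = self.chain[last_full:]             # full plus every later backup
        disk = [replay[0].blocks[i] for i in range(len(replay[0].blocks))]
        for backup in replay[1:]:
            for i, data in backup.blocks.items():
                disk[i] = data
        return disk


def demo() -> tuple[list[bytes], dict[str, int]]:
    """Constructed sample: a 4-block disk modified between backups of each type."""
    disk = [b"boot", b"os  ", b"data", b"logs"]
    backups = BackupSet()
    sizes = {}
    sizes["full"] = len(backups.run(disk, "full").blocks)                  # all 4 blocks
    disk[2] = b"DATA"
    sizes["incremental-1"] = len(backups.run(disk, "incremental").blocks)  # 1 block
    disk[3] = b"LOGS"
    sizes["incremental-2"] = len(backups.run(disk, "incremental").blocks)  # 1 block
    sizes["differential"] = len(backups.run(disk, "differential").blocks)  # 2 blocks since full
    return backups.restore(), sizes


if __name__ == "__main__":
    restored, sizes = demo()
    print(sizes, restored)
```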
Backup Targets

Backup Target | Description
Tape | Tapes are still used for backups. Tape manufacturers have improved the capacity and performance speeds of tape media and tape drives. It is one of a number of local backup targets.
Direct-attached storage (DAS) | Digital storage device directly attached to a computer.
Network-attached storage (NAS) | Digital storage device that connects to the local network.
Storage-area network (SAN) | Dedicated high-speed network that interconnects shared pools of storage devices to multiple servers.
Integrated backup appliances | Integrated backup appliances offer backup software and storage.
Cloud | You can back up data to the cloud from your on-premises environment. If your data is already in the cloud, then you can replicate it to another region or regions.

Backup Schedules

Back up data on a regular basis.

Backup Considerations

There are additional considerations when planning backups.
• What files need to be backed up? In an ideal situation, you would back up all objects in your environment.
• Are there any dependencies that need to be accounted for? Are there any dependencies for the objects that you are backing up that need to be backed up as well?
• Are there any configurations that need to be backed up? Any configuration files that would be important to back up.
• Where are the objects that need to be backed up? Where are the objects located and can they be reached by your backup solution?
• Who is responsible for running backups? Assign the task to the person or persons who will run backups.

Online/Offline Backups

• An online backup is where data from a system is regularly backed up on a remote server or the cloud without taking the data offline.
• Offline backup, also known as a cold backup, is a database backup performed when the database is offline.

Guidelines for Backing Up and Restoring Cloud Data

• Accept that there are many different factors that can cause data loss that are
impossible to predict and are out of your control.
• At a minimum, you need to back up critical and important data. Ideally you will back
up any data that is useful to your organization.
• Consider possible retention requirements that may affect how you retain and back
up data.
• Consider sending your backup, restore, and data replication requirements to your CSP in writing before you sign up, to clarify what you expect to receive.
• Select a backup target that fits your needs and provides the recoverability you require.
• Implement a backup schedule to ensure that backups are done in a consistent and timely manner.

Activity: Creating a Backup and Restoring It
Back up Google Cloud VM with a snapshot.
a) On the Google Cloud browser tab, on the Compute Engine page, in the
Navigation pane, select Snapshots.
b) In the Snapshots pane, select Create snapshot.
c) In the Create a snapshot pane, in the Name box, type snapshot-1-pilot
d) From the Source disk drop-down list, select wordpress-1-vm.
e) For Encryption type, observe that the snapshot will be encrypted by Google.
f) Select Create.
Note: It may take up to 4 minutes for this to complete.
Restore a VM instance snapshot.
a) On the Google Cloud browser tab, on the Compute Engine page, in the
Snapshots pane, select snapshot-1-pilot.
b) In the Snapshot details pane, observe the snapshot information.
c) On the top bar, select CREATE INSTANCE.
d) In the Create an instance pane, in the Name box, type instance-1-restored
Note: You will restore the snapshot to a new VM instance.
e) Under Machine configuration, from the Machine type drop-down list, select f1-micro.
f) Select Create.
Module 11 Implementing Backup,
Restore, Disaster Recovery, and Business
Continuity Measures
Implement Disaster Recovery Plans
Module 11 Implementing Backup, Restore, Disaster Recovery,
and Business Continuity Measures

• Back Up and Restore Cloud Data
• Implement Disaster Recovery Plans
• Implement Business Continuity Plans

Topic 2 Implement Disaster Recovery Plans

Exam Objectives Covered:
• 3.4 Given a cloud-based scenario, apply appropriate disaster recovery methods.

DR

• Recovery Point Objective (RPO): This is the point to which you hope to be able to recover following a disaster.
• Recovery Time Objective (RTO): This is the length of time it takes to restore data to achieve the RPO.

DR Capabilities of Cloud Service Providers

• Backup to and restore from the cloud
• Back up to and restore to the cloud
• Replication to virtual machines in the cloud
• Managed applications and managed DR in the cloud
• File transfer
• Archiving
• Third party sites

SLAs for DR

1. Ask your CSP for a risk assessment and analysis for known threats at the location(s)
from which DR is being served.
2. Ask your CSP for help choosing the correct deployment model that meets business
goals and requirements of availability, confidentiality, and integrity.
3. Identify all mission-critical applications and data.
4. Determine technologies required for different types of backup and storage.
5. Ensure that the SLA is economical; will provide the appropriate level of service; and
will not breach any of the security, privacy, and compliance obligations.
6. Thoroughly test the implementation to ensure compatibility with steps one and two.
7. Make sure the DR plan and policies are in place to meet security, privacy, and
compliance requirements.
8. Get the approval of all the stakeholders involved.

Corporate DR Procedures

• Each organization will have similar basic requirements when it comes to DR.
• Each organization may also have unique requirements.
• You need to discuss and review the requirements and criteria for what disaster recovery means for your organization.
• What are the minimum requirements for your organization, and what are the goals you would like to exceed?
• What processes do you need internally to meet these?

Cloud Service Provider DR Procedures

• What does your CSP consider a successful DR to be?
• What procedures do they employ for their DR?
• Does that match with what your requirements are?
• You need to talk with your CSP about their requirements for DR versus yours and see what they can do to ensure your needs are met, or whether they cannot be met.

Bandwidth or ISP DR Limitations

• One key problem with Disaster Recovery and Disaster Recovery-as-a-Service (DRaaS)
is lack of bandwidth.
• Bandwidth speeds offered by DRaaS providers are typically designed to handle day-
to-day operations, not the bulk data transfer that is needed in the event of a large
recovery.
• DRaaS providers assume that they will only need to perform a limited number of
recovery operations, so they may not have the bandwidth to accommodate several
large scale recoveries simultaneously.
• It is also likely that the DRaaS client organization connects to an ISP whose bandwidth is also limited.
• ISPs and DRaaS providers may also have policies in place that reduce bandwidth once certain usage thresholds are met.
• All of these limits need to be understood, analyzed, discussed, and factored into disaster recovery plans and recovery goal timelines.

Guidelines for Implementing Disaster Recovery Plans

• Create a DRP document that details every component of the disaster recovery plan.
• Assemble a DR team responsible for developing, executing, and testing the DR plan.
• Train and test your IT staff in the disaster recovery plan to ensure it gets executed
correctly.
• Work with your CSP to create SLAs for your DR requirements.

Activity: Planning for Disaster Recovery

1. You have services with two different CSPs and data is being used each day by users
and customers. Which one is more important to have recovery for?

2. What would help make both services more redundant?

Activity: Planning for Disaster Recovery

1. You have services with two different CSPs and data is being used each day by users
and customers. Which one is more important to have recovery for?
You don’t know. Usually client-facing services are more important, but both will
impact users being able to do their jobs.

2. What would help make both services more redundant?
Using multi-region locations to avoid failures in a single location.

Module 11 Implementing Backup,
Restore, Disaster Recovery, and Business
Continuity Measures
Implement Business Continuity Plans
Module 11 Implementing Backup, Restore, Disaster Recovery,
and Business Continuity Measures

• Back Up and Restore Cloud Data
• Implement Disaster Recovery Plans
• Implement Business Continuity Plans

Topic 3 Implement Business Continuity Plans

Exam Objectives Covered:
• 3.5 Given a cloud-based scenario, apply the appropriate steps to ensure business continuity.

Business Continuity

A BCP should contain the following items:
• Initial data, including important contact information, located at the beginning of the plan
• Revision management process that describes change management procedures
• Purpose and scope
• How to use the plan, including guidelines as to when the plan will be initiated
• Policy information
• Emergency response and management
• Step-by-step procedures
• Checklists and flow diagrams
• Schedule for reviewing, testing, and updating the plan

Alternate Sites

• The physical location of the site.
• The comfort of employees during a crisis.
• Will it be able to support the needed technology?
• Does it have amenities such as day care, kitchen, restrooms, etc.?

Continuity of Operations

• Essential Functions (EFs)
• Orders of Succession
• Delegations of Authority
• Continuity Facilities
• Continuity Communications
• Vital Records Management
• Human Capital
• Tests, Training, and Exercises (TT&E)
• Devolution of Control and Direction
• Reconstitution

Connectivity Issues

Your organization uses different connectivity technologies and you need to plan for each
one.
• Phone Systems: You might rely heavily on mobile phones but chances are your
company still uses traditional phones and some of your devices may as well.
• Internet/Network Connectivity: In today's world, the Internet is a critical connection
to your business services.
• Bandwidth Capacity: Having an Internet connection is important, but having one with
very limited bandwidth may not be of much use.

Edge Sites

• Edge sites use Internet of Things (IoT) edge devices that collect data, process some of it locally, and send only the results of that processing to a data center or cloud for further processing.
• The data can also be sent to other edge devices, some of which may be hardened data centers for distribution or more processing.
• Edge computing may still be able to provide some amount of data collection and processing even when your services are otherwise down.

Guidelines for Planning for Business Continuity

• Consider creating a Business Continuity Plan to help your organization know what to
do in the event of an outage.
• Consider what partners or third parties you will work with to achieve business
continuity.
• Carefully consider the requirements of an alternate site before selecting one.
• Review the continuity of operations guidelines and address the requirements.
• Ensure that you have continuity built into your connectivity technologies such as
phones, WAN, LAN, and bandwidth.

Activity: Planning for Business Continuity

You have been asked to create a business continuity plan. Your organization currently
has two office locations in different cities. Each office has local servers, desktops, and a
router connecting them to the Internet. Both rely on outside vendors for Internet
access and computer and network repair. Both are in the process of moving data to the
cloud.

1. If one office experiences a disaster and goes down, how could you have business
continuity?

2. What single points of failure exist?

3. What are the critical outsourced relationships and dependencies?

Activity: Planning for Business Continuity

1. If one office experiences a disaster and goes down, how could you have business
continuity?
You could have one office cover for the other. Phones and other communications
would need to be routed to the second office. If they have not moved all of their data
to the cloud, then they may not be able to get access to that.

2. What single points of failure exist?
Each office having a single router with no backup devices is a single point of failure.

3. What are the critical outsourced relationships and dependencies?
Both offices rely on outside vendors for some of their services like Internet connection, and computer and network repair.

Reflective Questions

1. In your organization, how do you perform backups and where is data backed up to?

2. What type of disaster recovery or business continuity plan does your organization have in place for IT services?

Module 12 Analyzing Cloud Systems
for Performance
Monitor Cloud Systems to Measure Requirements
Module 12 Analyzing Cloud Systems for Performance

• Monitor Cloud Systems to Measure Requirements
• Optimize Cloud Systems to Meet Performance Criteria

Topic 1 Monitor Cloud Systems to Measure Requirements

Exam Objectives Covered:
• 4.5 Given a scenario, analyze deployment results to confirm they meet the baseline.

Benefits of Monitoring Cloud Systems

• Monitoring can help you identify potential issues before they become problems or
disruptions in service.
• You can also monitor to see how your environment is performing.
• Monitoring can also help you plan and budget for IT upgrades.

Synthetic vs. Real-Time Monitoring

There are two methods of monitoring: synthetic and real-time.
• Synthetic monitoring creates artificial traffic by simulating users, which it uses to monitor applications.
• Real-time monitoring, on the other hand, monitors real end-user activity on applications and continuously observes system availability, functionality, and responsiveness.

Monitoring Tool Options

• Microsoft Azure monitoring solution:
  • Azure Monitor
  • Application Insights
  • Log Analytics
  • Microsoft Operations Management Suite (OMS)
• Google Stackdriver
• Amazon CloudWatch
• Rackspace Cloud Monitoring

Cost Analysis Tools

• A cost analysis tool is designed to help organizations analyze and minimize the cost of
their operations.
• They collect data on the number of servers or VMs running at any given time,
processor utilization, memory usage, and other metrics.
• They can analyze this data to report on cost and utilization information.

KPIs

• A key performance indicator (KPI) is a quantifiable measure a company uses to determine how well it meets the set operational and strategic goals.
• These can be simple goals such as zero defects or no failures, or they can relate to more specific goals such as meeting a specified level of performance or not exceeding a certain level of cost.
• KPIs will be different from organization to organization and even department to department since their goals will be different.

Cloud Components to Monitor

What to Monitor | Description
Baselines | A baseline attempts to define the normal utilization of the resources in your environment. It gives you values to compare against when monitoring performance.
CPU utilization | The amount of CPU time used by a VM instance.
Memory utilization | The amount of memory used by a VM instance.
Storage utilization | The amount of storage used and available in the environment.
Network utilization | The number of bytes sent and received on the VM instance network interface.
Versions | Monitor the versions of applications and OSes (patches).

Compliance Monitoring

• Organizations have different levels of compliance that they need to conform to depending on the types of data and activities they use.
• Compliance monitoring tools are specialized monitoring tools that help you analyze your environment and compare against the compliance requirements you need to follow to determine if there are any compliance issues.

Guidelines for Monitoring Systems to Meet Requirements

• Consider reviewing CSP-provided monitoring tools and third-party tools to find the best solution for your organization.
• Consider how monitoring can help you identify potential issues before they become problems or disruptions in service.
• Consider monitoring the performance of your environment to discover areas that need improvement.
• Consider using a cost analysis tool to analyze and minimize the cost of your cloud operations.
• Employ KPIs to set goals, and use your monitoring data to determine whether you have reached them.
• Consider using compliance monitoring tools to help you determine if your environment meets your compliance requirements.

Activity: Researching and Comparing
Cloud Monitoring Tools and Options

Research monitoring options for Microsoft Azure.
a) In your browser, open a new tab, and navigate to https://azure.microsoft.com.

1. What features does Microsoft Azure have to provide monitoring for their cloud?

2. What features of Azure Monitor would help you diagnose an issue with one of your cloud applications?

Activity: Researching and Comparing
Cloud Monitoring Tools and Options

1. What features does Microsoft Azure have to provide monitoring for their cloud?
Answers may include Azure Monitor for monitoring services running on Azure,
Application Insights for more complex monitoring needs, Log Analytics to help tune
performance and plan maintenance on applications running in production, and
Operations Management Suite (OMS) for managing and monitoring large cloud
installations.

2. What features of Azure Monitor would help you diagnose an issue with one of your
cloud applications?
Answers may include the activity log can be used to see what operations were performed and at what time and by whom, metrics provide you with data on how the application is performing, and diagnostics logs provide diagnostic information about particular resources.

Module 12 Analyzing Cloud Systems
for Performance
Optimize Cloud Systems to Meet Performance Criteria
Module 12 Analyzing Cloud Systems for Performance

• Monitor Cloud Systems to Measure Requirements
• Optimize Cloud Systems to Meet Performance Criteria

Topic 2 Optimize Cloud Systems to Meet Performance Criteria

Exam Objectives Covered:
• 4.6 Given a specific environment and related data (e.g., performance, capacity, trends), apply appropriate changes to meet expected criteria.

Performance Trends

[Chart: performance trend plotted against the Baseline]

Performance to Baselines Comparison

[Chart: Current Performance compared with the Baseline]

Performance to SLA Comparison

[Chart: SLA Guarantees compared with the Baseline]

Tuning and Optimization Options for Cloud Target Objects

• For compute, you can add or remove CPU cores, increase or decrease memory, add or remove VM instances from an instance group or cluster, etc.
• For network, you can adjust your bandwidth, isolate cloud objects into different subnets, etc.
• For storage, you can change the performance level of the storage used, increase or decrease the allocated storage capacity, relocate storage, etc.

Performance and Capacity Optimization Options

• Scale Out/In
• Scale Up/Down

Guidelines for Optimizing Cloud
Systems to Meet Performance Criteria

• Analyze performance data for trends to help you anticipate future needs and improve performance, or save resources at times when they aren't needed.
• Create a performance baseline against which to compare future performance, so you can measure whether performance is what it should be.
• Compare your performance data against the performance guarantees in the SLAs to determine if the service did in fact meet those guarantees.
• Once you have analyzed your performance data, reassign service and application resources to optimize performance.
• Consider how you will meet performance and capacity optimization goals.

Activity: Optimizing Cloud Systems

You have reviewed the data you collected from monitoring your cloud services and
have found some instances where you can optimize performance.

1. One VM instance that hosts a simple calculator app is often at 90% memory
utilization. What should you do to optimize performance?

2. Another VM instance that hosts WordPress is often at 80% CPU utilization with
spikes that reach 100%. What should you do to optimize performance?

Activity: Optimizing Cloud Systems

You have reviewed the data you collected from monitoring your cloud services and
have found some instances where you can optimize performance.

1. One VM instance that hosts a simple calculator app is often at 90% memory
utilization. What should you do to optimize performance?
Scale-up by adding more memory to the instance.

2. Another VM instance that hosts WordPress is often at 80% CPU utilization with
spikes that reach 100%. What should you do to optimize performance?
Scale-out by adding more VMs to the instance.

Reflective Questions

1. What types of monitoring tools do you use in your current environment to measure performance?

2. How have systems, apps, and services in environments you work in been optimized to improve performance?

Module 13 Analyzing Cloud Systems
for Anomalies and Growth Forecasting
Monitor for Anomalies and Resource Needs
Module 13 Analyzing Cloud Systems for Anomalies and Growth
Forecasting

• Monitor for Anomalies and Resource Needs
• Plan for Capacity
• Create Reports for Cloud System Metrics

Topic 1 Monitor for Anomalies and Resource Needs

Exam Objectives Covered:
• 4.1 Given a scenario, analyze defined metrics to determine the presence of an abnormality and/or forecast future needed cloud resources.

Monitor Utilization and Anomalies

• Monitoring for utilization is similar to monitoring for performance but the intent is
not to adjust performance. The intent is to know what is being utilized and how
much.
• It can also involve looking for anomalies, which are anything outside of the normal
experience, or different from the baseline.
• Monitoring for anomalies can help you detect issues before they become problems.
• There are utilization and anomaly monitoring tools that you can use.

Common Cloud Monitor Alert Methods and Messages

• Monitoring alerts have similarities across different tools and CSPs, but each will have its own methods and messages.
• In general, an alert is a defined set of criteria; the alert fires when those criteria are met.
• The alert will contain information on what the issue is, the severity, the time of the alert, and sometimes possible resolution steps and more.
• There are typically two kinds of alerts:
  • Metric alerts trigger when the specified metric crosses a predetermined threshold.
  • Activity or event alerts trigger when a specific event occurs.

Alert Based on Deviation from Baseline

[Chart: Current values plotted against the Baseline; the alert is triggered where the current value deviates from the baseline]

Event Collection and Correlation

Event correlation follows these five steps:
1. Event filtering: This consists of filtering out events that are irrelevant based on the criteria specified for the correlation.
2. Event aggregation: This is a technique where similar, but not necessarily identical, events are combined into an aggregate.
3. Event de-duplication: In this step, events that are exact duplicates are merged together.
4. Event masking: Events that are downstream of a failed system are ignored.
5. Root cause analysis: This step consists of analyzing the dependencies between the events to detect whether some events are related to or caused by other events.

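The five correlation steps above, run over a constructed batch of events in Python as an added example that is not part of the course material. The component names, the dependency map and the severity ranking are assumptions; the batch models a switch failure that cascades into timeouts on the systems behind it.

```python
"""Event filtering, aggregation, de-duplication, masking and root cause analysis."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since the start of the collection window
    source: str      # component that raised the event
    kind: str        # e.g. "link_down", "timeout", "heartbeat"
    severity: str    # "info", "warning" or "critical"


# Constructed dependency map (hypothetical names): component -> what it depends on.
DEPENDS_ON = {
    "web-1": {"db-1", "switch-A"},
    "web-2": {"db-1", "switch-A"},
    "db-1": {"switch-A"},
    "switch-A": set(),
}


def filter_events(events: list[Event], min_severity: str = "warning") -> list[Event]:
    """Step 1: drop events below the severity the correlation cares about."""
    rank = {"info": 0, "warning": 1, "critical": 2}
    return [e for e in events if rank[e.severity] >= rank[min_severity]]


def aggregate(events: list[Event], window: int = 60) -> dict[tuple, list[Event]]:
    """Step 2: group similar events (same source and kind) inside a time window."""
    groups: dict[tuple, list[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        groups.setdefault((e.source, e.kind, e.ts // window), []).append(e)
    return groups


def deduplicate(events: list[Event]) -> list[tuple[Event, int]]:
    """Step 3: collapse exact duplicates, keeping the first copy and a count."""
    counts = Counter(events)
    return [(e, counts[e]) for e in dict.fromkeys(events)]


def failed_components(events: list[Event]) -> set[str]:
    """Components that reported their own failure (not merely slowness)."""
    return {e.source for e in events if e.kind in ("link_down", "crash")}


def mask(events: list[Event], failed: set[str]) -> list[Event]:
    """Step 4: ignore events from components that depend on a failed component."""
    def downstream(source: str) -> bool:
        return any(dep in failed for dep in DEPENDS_ON.get(source, ()))
    return [e for e in events if e.source in failed or not downstream(e.source)]


def root_causes(failed: set[str]) -> set[str]:
    """Step 5: a failed component whose own dependencies are healthy is a root cause."""
    return {c for c in failed if not (DEPENDS_ON.get(c, set()) & failed)}


def correlate(events: list[Event]) -> dict:
    kept = filter_events(events)
    kept = [e for e, _count in deduplicate(kept)]
    failed = failed_components(kept)
    kept = mask(kept, failed)
    return {
        "aggregated": {key: len(group) for key, group in aggregate(kept).items()},
        "root_causes": root_causes(failed),
        "remaining": kept,
    }


# Constructed sample batch: a switch failure cascades into timeouts upstream of it.
SAMPLE = [
    Event(1, "switch-A", "link_down", "critical"),
    Event(1, "switch-A", "link_down", "critical"),    # exact duplicate, merged in step 3
    Event(3, "db-1", "timeout", "warning"),           # downstream of switch-A, masked
    Event(4, "web-1", "timeout", "warning"),          # downstream, masked
    Event(5, "web-2", "timeout", "warning"),          # downstream, masked
    Event(6, "web-2", "heartbeat", "info"),           # below severity, filtered in step 1
    Event(9, "backup-1", "disk_full", "warning"),     # unrelated, survives correlation
]

if __name__ == "__main__":
    result = correlate(SAMPLE)
    print("root causes:", result["root_causes"])
    for e in result["remaining"]:
        print(f"t={e.ts:>2} {e.source:<9} {e.kind} ({e.severity})")
```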
Policies in Support of Event Collection and Alerting

Policy Type | Description
Activity policy | Pertains to monitoring specific activities carried out by users or other activities.
Anomaly detection policy | Pertains to monitoring for anomalies that are different from either the baseline of your organization or from regular activity.
App discovery policy | Pertains to monitoring for new apps within your organization.
File policy | Pertains to scanning for files and other data and applying governance actions to the files.

Resource Capacity Forecasting

• With enough monitoring data, you can spot trends in your environment and begin to
forecast your resource needs in the future.
• The data may show a steady increase of usage for a specific service, which will eventually
exceed the capacity of the resources you have assigned to it.
• You might also forecast a decrease for another service and can remove resources
accordingly to save cost on resources you don’t need.

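A metric alert based on deviation from a baseline, together with the trend-based capacity forecast described above, in Python as an added example that is not part of the course material. The baseline is taken to be the mean and standard deviation of a metric's history, the alert threshold is a number of standard deviations, and the forecast is a least-squares line through the samples; all sample values are constructed.

```python
"""Baseline-deviation metric alerts and linear capacity forecasting (added example)."""
from __future__ import annotations

import statistics
from dataclasses import dataclass


@dataclass
class Baseline:
    mean: float
    stdev: float

    @classmethod
    def from_history(cls, samples: list[float]) -> "Baseline":
        """Assumed baseline definition: mean and population stdev of past samples."""
        return cls(statistics.fmean(samples), statistics.pstdev(samples))


@dataclass
class Alert:
    metric: str
    value: float
    severity: str
    message: str


def metric_alert(metric: str, value: float, base: Baseline, sigma: float = 3.0) -> Alert | None:
    """Metric alert: fire when `value` is more than `sigma` stdevs away from the baseline."""
    if base.stdev == 0:
        deviation = 0.0 if value == base.mean else float("inf")
    else:
        deviation = abs(value - base.mean) / base.stdev
    if deviation <= sigma:
        return None
    severity = "critical" if deviation > 2 * sigma else "warning"
    return Alert(metric, value, severity,
                 f"{metric}={value:.1f} is {deviation:.1f} stdev from baseline {base.mean:.1f}")


def linear_trend(samples: list[float]) -> tuple[float, float]:
    """Least-squares fit y = slope*x + intercept, with x = 0, 1, 2, ... (sample index)."""
    n = len(samples)
    xs = range(n)
    x_mean = (n - 1) / 2
    y_mean = statistics.fmean(samples)
    sxx = sum((x - x_mean) ** 2 for x in xs)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, samples))
    slope = sxy / sxx
    return slope, y_mean - slope * x_mean


def periods_until_capacity(samples: list[float], capacity: float) -> float | None:
    """Periods after the last sample until the trend reaches `capacity`; None if not growing."""
    slope, intercept = linear_trend(samples)
    if slope <= 0:
        return None
    projected_now = slope * (len(samples) - 1) + intercept
    if projected_now >= capacity:
        return 0.0
    return (capacity - projected_now) / slope


# Constructed samples: steady CPU history, and storage growing 10 GB per day.
CPU_HISTORY = [40.0, 42.0, 41.0, 43.0, 42.0, 44.0, 43.0, 45.0]   # percent utilization
STORAGE_GB = [100.0, 110.0, 120.0, 130.0, 140.0]                   # one sample per day
STORAGE_CAPACITY_GB = 200.0

if __name__ == "__main__":
    base = Baseline.from_history(CPU_HISTORY)
    for value in (44.0, 75.0):
        print(value, metric_alert("cpu_pct", value, base))
    print("days until storage is full:", periods_until_capacity(STORAGE_GB, STORAGE_CAPACITY_GB))
```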
Guidelines for Monitoring for Anomalies and Resource Needs

• Monitor for anomalies to help detect issues before they become problems.
• Familiarize yourself with your monitoring tool to understand how alerts work and to configure your own.
• Configure alerts to notify you when there is a deviation from the baseline in your environment.
• Consider using event collection and correlation to find relationships between different events that might reveal dependencies that can be addressed.
• Consider using your monitoring data to spot trends in your environment and begin to forecast your resource needs in the future.
Activity: Monitoring Systems to Identify Anomalies and Forecast Resource Needs

1. How can you detect issues before they become a problem?
Monitor for anomalies.

2. Some users have reported issues trying to access the WordPress site. You want to ensure that it is always up and running. What should you do?
Monitor HTTP uptime and set an alert.

3. What does event masking do?
Event masking ignores events from systems that depend on failed equipment, since the failed equipment is the reason for their failure.
Module 13 Analyzing Cloud Systems for Anomalies and Growth Forecasting

• Monitor for Anomalies and Resource Needs
• Plan for Capacity
• Create Reports for Cloud System Metrics

Topic 2 Plan for Capacity

Exam Objectives Covered:

• 4.2 Given a scenario, determine the appropriate allocation of cloud resources.
• 4.3 Given a scenario, determine when to provision/deprovision cloud resources.
Capacity Planning Considerations

• Business need change: mergers, acquisitions, divestitures, changes to cloud service requirements, changes in regulation and law, vendor lock-in.
• Application lifecycle: application deployment, upgrade, retirement, replacement, migration, and increases or decreases in application feature use.
Resource Requirements Based on Cloud Deployment Models

• Public cloud: the CSP makes the resources available and you decide what to purchase. You can add or remove resources easily to meet future demand.
• Private cloud: resources can be added and removed easily, as with the public cloud, but your organization controls the resource capacity of the cloud. If you reach that limit, you will have to add more physical resources to the cloud.
• Hybrid cloud: you have both the CSP-controlled resources of the public cloud and the resources controlled by your organization, as with the private cloud.
• Community cloud: resources are most likely managed by a CSP, but any changes to resource allocation will have to be approved or initiated by the entities who run the community cloud.
Capacity Relationship to Elasticity in Cloud Environment

• Capacity calculation changes when you have an infrastructure that can expand on demand.
• Although there is a physical limit, capacity is essentially limited only by budget.
• Be careful to avoid unintended or uncontrolled scaling up or scaling out. If scaling is not monitored and bounded (for example, by a maximum instance count on the autoscaling group), you can incur a large cost.
• Regularly check that you don't over-allocate resources and pay for what you are not using.
Cloud Bursting Techniques

[Figure: Cloud bursting. Workloads run in the on-premises environment and, when local capacity is exhausted, burst to the cloud for the additional capacity.]
Capacity Planning Tools

• Microsoft Azure: Azure provides capacity planners broken out by service, such as the Azure Site Recovery capacity planner and the Azure Cosmos DB capacity planner.
• Google Cloud: Google does not offer a dedicated capacity planning tool; most capacity planning is handled for you by the platform's managed and autoscaled services.
• AWS: third-party capacity planners are available in the AWS Marketplace.
Change Management Control

1. Analyze: need for change, type of change, organizational culture.
2. Plan: change roles, change duties, address resistance.
3. Implement: manage the transition phase, confirm adoption of the change, conduct a post-project review.
Guidelines for Monitoring for Resource Capacity Needs

• Consider the different factors that will affect your capacity needs when planning for
capacity.
• Consider your type of cloud deployment model and how that will affect your
resource management.
• Be careful when scaling up or out that you don't use more resources than you want
to pay for.
• Consider using cloud bursting in your on-premises environment to increase
computing power when the demand for computing capacity spikes.
• Consider using a change management process to assess the change and get approval
to ensure better stability.

Activity: Planning Future Resource Allocation

Your organization has planned for resource allocation in the past with its on-premises environment. Now that it is moving to the cloud, it will need to update how it plans for future resource allocation.
Currently each user stores 13 GB of data on average, for a total of 3 TB for all users. User data has been increasing by 10% each year. You have been asked to investigate how to approach future resource allocation planning for cloud services.

1. Based on the current data usage and rate of growth, how much space will your organization need for user data in 6 months?
Half a year at 10% per year is about 5%, so your organization will need roughly an additional 150 GB, for a total of about 3,150 GB (3.15 TB). Treating the growth as compounding gives 3 TB x 1.1^0.5, about 3,146 GB; the difference is negligible at this horizon.

2. How much will that cost for Multi-Regional Storage? Research pricing for Google Cloud.
a) In your browser, open a new tab, and navigate to https://cloud.google.com/products/calculator/.
As prices change over time, you should estimate the cost yourself.
Module 13 Analyzing Cloud Systems for Anomalies and Growth Forecasting
Topic 3 Create Reports for Cloud System Metrics

Exam Objectives Covered:

• 4.7 Given SLA requirements, determine the appropriate metrics to report.
Types of Reports

• Dashboards are pages or panes inside the tools or CSP interface that display
monitoring data.
• This may be a list of events or graphs that display information on different metrics.
• They provide a great way to get a quick glance on the status of your environment.
Dashboards can contain almost any data that is monitored or recorded in the cloud.
• There are the more traditional reports as well.
• Typically you can set different criteria that control what is included in the report.
• You can usually configure reports to be sent to your users on a scheduled basis.
• Report content can range from cloud objects and metric data to billing reports.

Chargeback and Showback Models

• With the chargeback model, an internal bill for any costs related to IT, such as licenses, training, data transfer, infrastructure use, etc., is generated for each department, and the cost of those items is deducted from that department's budget.
• The showback model follows the same process as the chargeback model, except that a department does not have to pay its "bill" out of its budget.
• Showback is the more common way to track usage of IT resources and map it to specific applications, business units, and end users.
• Both models depend on resources being tagged (by department, application, or cost center) when they are provisioned; untagged resources cannot be attributed and end up as unallocated spend.
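An added example (not course code) of the allocation step behind both models: cost line items tagged by department are rolled up into per-department bills, shared services are split, and untagged spend is reported rather than hidden. Chargeback deducts the bill from each budget; showback only presents each department's share. The line items, tags and budgets are constructed.

```python
"""Allocate cloud spend to departments from resource tags: the mechanics
behind chargeback and showback reports. Added example; the line items,
tags and budgets are constructed."""
from collections import defaultdict

# Constructed billing export lines: (resource, department tag, cost in USD).
LINE_ITEMS = [
    ("vm-web-1", "sales", 120.0),
    ("vm-web-2", "sales", 120.0),
    ("db-1", "finance", 300.0),
    ("bucket-media", "marketing", 45.0),
    ("vm-orphan", None, 60.0),      # untagged: cannot be attributed to anyone
    ("vpn-gw", "shared", 200.0),    # shared service: split across departments
]
BUDGETS = {"sales": 500.0, "finance": 400.0, "marketing": 100.0}


def allocate(items, departments, shared_tag="shared"):
    """Per-department totals. Shared costs are split evenly across the given
    departments; untagged spend is returned separately so it stays visible
    instead of being silently absorbed (the usual source of 'mystery' bills)."""
    direct, shared, untagged = defaultdict(float), 0.0, 0.0
    for _, dept, cost in items:
        if dept is None:
            untagged += cost
        elif dept == shared_tag:
            shared += cost
        else:
            direct[dept] += cost
    share = shared / len(departments) if departments else 0.0
    bills = {d: round(direct.get(d, 0.0) + share, 2) for d in departments}
    return bills, round(untagged, 2)


def chargeback(items, budgets):
    """Chargeback: each department's bill is deducted from its budget."""
    bills, untagged = allocate(items, list(budgets))
    remaining = {d: round(budgets[d] - bills[d], 2) for d in budgets}
    return bills, remaining, untagged


def showback(items, budgets):
    """Showback: the same allocation, presented as each department's share
    of total attributed spend, with nothing deducted from any budget."""
    bills, untagged = allocate(items, list(budgets))
    total = sum(bills.values())
    shares = {d: round(100.0 * bills[d] / total, 1) for d in bills}
    return shares, untagged


if __name__ == "__main__":
    bills, remaining, untagged = chargeback(LINE_ITEMS, BUDGETS)
    for d in bills:
        print("%-10s bill %8.2f  budget left %8.2f" % (d, bills[d], remaining[d]))
    print("unattributed (untagged):", untagged)
    print("showback shares (%):", showback(LINE_ITEMS, BUDGETS)[0])
```

Even splitting of shared services is the simplest policy; splitting by measured consumption (requests, bytes, seats) is fairer but needs the usage metrics the monitoring lessons above collect.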
Reports Based on Organization Policy

• As you learned earlier in this lesson, organizations may have policies that relate to
monitoring and alerting.
• In order to demonstrate that those policies are being followed, or to verify if they are
working as intended, you may need to create reports for those policies.
• You will need the details of the policies so that you can create the reports with the
correct criteria.

Reports Based on SLAs

• As with organization policies, you can report on SLAs as well.
• You can create reports for the metrics specified in your SLAs and run them for the specified time interval.
• You can then use these reports to show whether your CSP is meeting the SLAs or not.
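An added example (not course code) of an SLA report computed from uptime-check results: availability for the period, the outages behind it, the error budget the SLA allows, and how much of that budget was used. The probes are constructed (one per minute over a 30-day month, with two outages injected); the SLA targets are assumptions.

```python
"""Monthly SLA report from uptime-check results: availability, error budget,
and outages. Added example; the probe results are constructed."""


def constructed_probes(failed_minutes, days=30):
    """One HTTP uptime probe per minute for `days`, as (minute, ok) pairs.
    Every probe succeeds except those in `failed_minutes`."""
    return [(m, m not in failed_minutes) for m in range(days * 24 * 60)]


def availability_pct(probes):
    ok = sum(1 for _, good in probes if good)
    return 100.0 * ok / len(probes)


def incidents(probes):
    """Group consecutive failed probes into outages: list of (start, minutes)."""
    out, start = [], None
    for minute, ok in probes:
        if not ok and start is None:
            start = minute
        elif ok and start is not None:
            out.append((start, minute - start))
            start = None
    if start is not None:                       # outage still open at period end
        out.append((start, probes[-1][0] - start + 1))
    return out


def error_budget(probes, sla_pct):
    """Downtime minutes the SLA allows for the period, minutes used, remainder."""
    allowed = len(probes) * (100.0 - sla_pct) / 100.0
    used = sum(minutes for _, minutes in incidents(probes))
    return allowed, used, allowed - used


def sla_report(probes, sla_pct):
    """The figures a monthly SLA review would show, as one dict."""
    avail = availability_pct(probes)
    allowed, used, left = error_budget(probes, sla_pct)
    outages = incidents(probes)
    return {
        "availability_pct": round(avail, 3),
        "sla_pct": sla_pct,
        "met": avail >= sla_pct,
        "downtime_min": used,
        "outages": len(outages),
        "longest_outage_min": max((m for _, m in outages), default=0),
        "budget_min": round(allowed, 1),
        "budget_left_min": round(left, 1),
    }


# Constructed month: a 50-minute outage and a 10-minute outage.
SAMPLE_MONTH = constructed_probes(set(range(1000, 1050)) | set(range(20000, 20010)))

if __name__ == "__main__":
    for target in (99.5, 99.9, 99.99):
        print(sla_report(SAMPLE_MONTH, target))
```

Read the CSP's SLA definition before building the report: many exclude scheduled maintenance, measure per region or per resource rather than per service, and require the claim to be filed within a fixed window, so the report should use the same period, exclusions and probe points the SLA does.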
Common Reports

• Utilization: usage of different resources in your cloud environment, such as CPU, memory, and network utilization.
• Elasticity coverage: how well your scaling settings are covering demand; these should show whether your upper limits are too low and whether your lower limits are too high.
• Connectivity: the connectivity of your cloud, including any instances where connectivity was down or otherwise had issues.
• Costs: the usage of your cloud objects and the associated costs, either CSP billing reports or cost reports you run for your own reporting.
• Others: you can create reports on just about anything that is in your cloud.
Guidelines for Creating Reports for Cloud System Metrics

• Create dashboards to give you quick insight into the status of your environment.
• Consider using the showback model to help business unit leads and executives better understand the costs of their IT usage, on-premises and in the cloud.
• Create reports for company monitoring policies to demonstrate that those policies are being followed, or to verify that they are working as intended.
• Create reports for SLAs to document whether the CSP is meeting the SLAs or not.
Activity: Preparing Cloud System Reports
Enable Google Compute Engine usage reports.
a) On the Google Cloud browser tab, on the Compute Engine page, in the Navigation pane, select Settings.
b) In the Settings pane, check the Enable usage report check box.
c) For Cloud Storage bucket, select Browse.
d) In the Select bucket pane, select the New bucket button.
e) In the Bucket name box, type ce-usage-<your user id from email address>
Note: For example, ce-usage-peterl091619.
f) Select CONTINUE.
g) For Location type, select Regional.
h) At the bottom of the pane, select Create.
Note: You will use the default values in the remaining sections.
i) In the Select bucket pane, at the bottom of the page, select Select.
j) In the Settings pane, in the Report prefix box, type ce-usage
k) Scroll down and select Save.
Note: If you get an error when you select Save, you will need to type the bucket name manually and then select Save again.
Note: Reports are generated in 24 hour intervals, so your first usage report won't be available until 24 hours from now.
Reflective Questions

1. What type of capacity planning is done for IT systems in your organization, and how often do you do it?

2. What types of reports on system utilization have you created or discussed with management?
Module 14 Troubleshooting Deployment, Capacity, Automation, and Orchestration Issues

• Troubleshoot Deployment Issues
• Troubleshoot Capacity Issues
• Troubleshoot Automation and Orchestration Issues

Topic 1 Troubleshoot Deployment Issues

Exam Objectives Covered:

• 5.1 Given a scenario, troubleshoot a deployment issue.
• 5.6 Given a scenario, explain the troubleshooting methodology.
Troubleshooting Steps

The CompTIA troubleshooting theory has six steps:


• Identify the problem – Question the user and identify user changes to the computer
and perform backups before making changes.
• Establish a theory of probable cause – Question the obvious. If necessary, conduct
internal or external research based on symptoms.
• Test the theory to determine cause – Once the theory is confirmed, determine the
next steps to resolve the problem. If the theory is not confirmed, establish a new
theory or escalate.
• Act – Establish a plan of action to resolve the problem and implement the solution.
• Test and prevent – Verify full system functionality and, if applicable, implement
preventative measures.
• Report – Document findings, actions, and outcomes.

Integration Issues Related to Different Cloud Platforms

Two of the biggest issues relate to:

• Management: managing user accounts across multiple environments creates overhead, and SaaS applications shift maintenance and upgrades to the provider, so you lose control over when changes land.
• Security: integration adds more to secure, because each additional connection between your environments is a potential attack vector that must be authenticated, encrypted, and monitored.
Resource Contention Issues

Connectivity Issues

You need to ask questions along these lines:


• Will the service be in a public or in a private network?
• Is the service only accessible through a load balancer?
• Should the service be globally reachable or only to a particular CIDR?

Cloud Service Provider Outage

License Issues

• In a traditional on-premises environment, you license your software and operating systems either per user or per device, or use enterprise licensing.
• Scaling up in the cloud could violate existing licensing.
• Purchasing additional licenses for peak demand periods may not be cost effective.
• Many CSPs include licensing in the cost of their supported operating systems.
• Consider open source applications and operating systems that don't have these licensing issues.
Template Misconfiguration

Time Synchronization Issues

Language Support

• CSP may not support the development language you use for your service.
• You will have two choices: either find a CSP that does support the languages you
want to use, or transition to a different language.
• The choice will depend on a variety of factors such as:
• The amount of investment you have in this language
• Skill set of your devs
• The amount of investment you have in the CSP

Deployment-Related Automation Issues

• Automation issues in deployment can be misconfigurations that cause your deployment to function improperly or not at all.
• They can also be larger, such as deploying 1000 VMs instead of 10 or 100, which can be a costly mistake.
• With any automation, you should test it beforehand to make sure it works as you intended.
• Even a tested automation can have issues if the objects it manipulates are somehow changed.
• In this case, you need to determine whether there were any changes to those objects since the last time you ran that automation.
Guidelines for Troubleshooting Deployment Issues

• Follow the six troubleshooting steps when you investigate an issue.
• Determine what connectivity requirements you need before deployment.
• Be prepared for CSP outages by having redundant services and replicated data in another region and/or with a different CSP.
• Consider running workload benchmark testing using the type of implementation you are planning when evaluating a provider.
Activity: Troubleshooting Deployment Issues

1. You have migrated your accounting software (which includes sales and purchasing) to the cloud. Before the migration, access to the software was limited to a certain number of users. Now that it is in the cloud, your manager decides to open up access to more users so that they can perform information lookups to help them do their jobs. Now users are reporting issues at random times when they cannot get the application to load. You investigate the app and it does not seem to be a performance or connectivity issue. What might the issue be and how would it be resolved?
Answers may include: the user licensing limit is being exceeded, and once the limit is reached anyone else who accesses the app is denied access. Check the application's license usage against its entitlement, then either purchase additional licenses or limit concurrent access.

2. The manager of the Purchasing department decided they wanted to move their app to the cloud and moved forward without properly vetting it to ensure it is a good candidate for the cloud. Now they have moved the app to the cloud but are experiencing issues trying to get the app to run properly. What would you do to address these issues?
Answers may include: pause the migration and reassess the app to see whether requirements or dependencies in the app are causing it not to run properly in the cloud. This will allow you to find a possible issue to address, or discover that the app may not be a good candidate for the cloud.
Module 14 Troubleshooting Deployment, Capacity, Automation, and Orchestration Issues
Topic 2 Troubleshoot Capacity Issues

Exam Objectives Covered:

• 5.2 Given a scenario, troubleshoot common capacity issues.
Exceeded Cloud Capacity Boundaries

• Compute
• Storage
• Networking
• IP address limitations
• Bandwidth limitations
• Licensing
• Variance in number of users
• API request limit
• Batch job scheduling issues

Unplanned Expansions

• Many organizations have a growth strategy, or at the very least an expectation of what growth should be.
• Having unplanned expansions, or deviations from a baseline, can be an indicator of an issue or a miscalculation of needed resources.
• The result may be that the performance of your services suffers, or that you expand to meet the unexpected growth but your costs are now over what was planned for.
Guidelines for Troubleshooting Capacity Issues

• Research potential capacity boundaries of your CSP that you may not have considered, such as API request limits, IP address limitations, licensing, etc.
• Employ a growth strategy to mitigate the effect of unplanned expansions.
Activity: Troubleshooting Capacity Issues

1. Users are complaining that the cloud services are slower than they had been previously. You have managed services with your CSP where they are supposed to maintain a minimum level of performance. What would your next step be and why?
Answers may include: review the SLAs you have with the CSP and determine whether the service you are receiving is within the SLA. If not, contact the CSP and discuss why your needs are not being met. If the level of service is within your SLA, you may need to redefine the level of service that you need.

2. You are using the cloud to host your catalog of high definition photos and videos, and the files are especially large. You make weekly uploads as new photos and videos are created. This week you can't complete the upload. It starts, but fails partway through. You have verified that connectivity is good. What might be the issue?
Answers may include: most likely a file being uploaded is pushing the data past the storage capacity or quota of your account, or a single file exceeds the per-object size limit of the service. You will need to either move some of the existing files, increase the capacity of your storage account, or split the upload.
Module 14 Troubleshooting Deployment, Capacity, Automation, and Orchestration Issues
Topic 3 Troubleshoot Automation and Orchestration Issues

Exam Objectives Covered:

• 5.3 Given a scenario, troubleshoot automation/orchestration issues.
Determine Automation and Orchestration Issues

Breakdowns in the Workflow

• When an orchestrated task breaks, the workflow can provide critical clues to the
underlying issue.
• Orchestrated tasks will have a sequence, execution history, or some other monitoring
or output report that allows you to view the result of individual steps in the
workflow.
• With more rudimentary orchestration tools, you can review the task steps and
commands, and compare them to step results to find which steps threw errors.
• More robust orchestration tools may allow you to view steps in real time, step
through orchestrated steps, and even roll-forward or roll-back task steps.
• Some reporting tools may highlight or otherwise surface errors as well.

Account Mismatch Issues

Account mismatch issues can occur under any of the following (and other)
circumstances:
• If an automated task attempts to gain access to a resource or configuration object it
does not have access to.
• If credentials used by the automated task have expired (due to password expiration,
logon hours restrictions, or some other security restriction).
• If the automation or orchestration service is configured to use an incorrect account
such as one that does not have access to the required scripts, or does not have
administrative permissions.
• If the automation service fails to log in properly, which may happen after service restarts or when using an account that requires multi-factor authentication.
Change Management Failure

• If changes aren't well managed, then those changes may break scripts used in
automation and orchestration tasks.
• Script execution logs and orchestration reports should be reviewed regularly.
• As with other automation troubleshooting, administrators may wish to manually step
through script execution to isolate specific steps that are broken, and troubleshoot
those steps to resolve the issue.

Server Name and IP Address Changes

• A server name or IP address changes, but the reference embedded in the script is not updated, so the script targets a host that no longer exists or, worse, a different host that has since taken over the address.
Location Changes

Version and Feature Mismatch

• New extensions, features, and add-ons may not work with older versions of software
or operating systems.
• When an incompatible version of an app or operating system is encountered when
attempting to add new features, a version or feature mismatch occurs.
• This essentially means that the patch, new feature, or extension is not compatible
with the installed app or operating system, usually because the installed software is
too old.

Automation Tool Incompatibility

Job Validation Issues

The following types of job validation issues can arise:

• Validation at time of creation. Some tools check sequencing, account access, environment configuration, and other data to ensure that the workflow constructed can execute without issue.
• Validation at time of execution. Once the workflow is constructed, validators, depending on the tasks being executed and the automation tool, may check the compute environment to ensure the workflow can execute, and may terminate execution of the workflow if the environment is not determined to be correct.
• Validation errors. In some cases, environmental validators may incorrectly flag non-fatal issues and prevent workflows from executing.
Guidelines for Troubleshooting Automation and Orchestration Issues

• Build error capture into scripts and have scripts output errors and other messages to
report files to make it easier to troubleshoot issues.
• Thoroughly document all scripts and workflows, including the goal and intent, the
commands used, parameters, resources touched, and any third party or custom
components used.
• Make sure automated and orchestrated tasks are considered as part of change
management processes.
• To troubleshoot automated scripts, step through individual script steps from the
command line and monitor execution as well as any errors or warnings that occur.
• Check event log and activity files on systems being managed for clues to why
automated or orchestrated tasks may be failing.
• When troubleshooting automation and orchestration issues, take into account any
recent changes to impacted systems or the cloud environment as a whole.

Activity: Troubleshooting Automation and Orchestration Issues

1. When using your automation tool, you receive an error message when trying to establish a connection. You have verified that you have connectivity to the cloud service. What could cause this?
Answers may include: the credential asset name is not valid, or the username and password used to set up the automation credential asset are not valid. Some authentication controls on the account, such as MFA, can prevent a non-interactive automation tool from connecting; in that case use a certificate-based or service-account credential intended for automation instead of a user account with MFA. Special characters in the automation credential asset name may also cause the issue, so remove them. The account may not be set up properly and may need to be updated.

2. You receive an error that a command is not recognized or is invalid. You know it is a legitimate command, but you receive the error each time. What could cause this?
Answers may include: the command is part of an add-on or module that has not been installed. Install the add-on or module to add the command to the automation tool, and check that the module version installed where the automation runs is one that provides that command.
Reflective Questions

1. What types of capacity issues have you had to troubleshoot? How did you find the problem, and how did you resolve it?

2. What types of automation or orchestration issues have you had to troubleshoot? How did you find the problem, and how did you resolve it?
Module 15 Troubleshooting Connectivity Issues

• Identify Connectivity Issues
• Troubleshoot Connectivity Issues

Topic 1 Identify Connectivity Issues

Exam Objectives Covered:

• 5.4 Given a scenario, troubleshoot connectivity issues.
Logical Issues

• Incorrect interface/interface misconfiguration
• Wrong default gateway address
• Misconfigured routing
• Misconfigured DNS
• Duplicate IP address
• Bad/missing IP routes
• Loss of Internet connectivity
• Router configurations
• Cloud service cannot be reached
QoS Issues

• Quality of Service (QoS), in this context, is the level of service in performance, availability, and reliability that you receive from a CSP; on the network, the same term refers to the mechanisms that prioritize one class of traffic over another.
• If the level of service you receive from your CSP does not meet the SLA, you will need to contact them and bring it to their attention, with the monitoring data that shows the shortfall.
• If the service that you provide through your cloud services has issues, you will need to investigate where the issues lie.
Misconfigured VLAN/VXLAN

• Misconfigured VLANs and VXLANs can cause communication issues in your cloud.
• If two cloud objects have no connectivity between them, they may be on different VLANs (or VXLAN segments). Hosts on different VLANs are in separate broadcast domains and cannot reach each other unless a router or layer-3 gateway is configured to route between the VLANs.
• Either reconfigure the objects to use the same VLAN, or configure routing between the VLANs; check the VLAN assignment of each object and reassign as needed.
• With VXLAN, remember that the encapsulation adds overhead (50 bytes in the usual IPv4 configuration), so an MTU that works on the underlay can be too large for the overlay.
Misconfigured Firewall Rules

• The first step you typically take in troubleshooting a firewall problem is to view which
rules are currently being applied to the object.
• In the cloud, you can set firewall rules at different levels such as for the entire cloud,
a VLAN, and even a single VM in some cases.
• You will need to view the different rules being applied to the object and the priority
level to see which rules overrule others.

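To see which of several overlapping rules wins for a given packet, the following added example (not course code) evaluates a constructed rule set by priority and reports which rules each decision overrules. It assumes a "lowest number wins" priority convention, as in GCP VPC firewall rules, and an implicit deny when nothing matches; the rule names, scopes and addresses are invented for illustration.

```python
"""Which firewall rule wins? Evaluate overlapping rules by priority.
Added example; rules, names and addresses are constructed. The priority
convention (lower number wins, implicit deny if nothing matches) follows
GCP VPC firewall rules and is an assumption of this example."""
import ipaddress

# Constructed rule set spanning network, subnet and VM scope.
RULES = [
    {"name": "deny-all-ingress", "scope": "network", "priority": 65535,
     "direction": "ingress", "action": "deny", "src": "0.0.0.0/0", "ports": None},
    {"name": "allow-internal", "scope": "network", "priority": 1000,
     "direction": "ingress", "action": "allow", "src": "10.0.0.0/8", "ports": None},
    {"name": "allow-https-lb", "scope": "subnet", "priority": 500,
     "direction": "ingress", "action": "allow", "src": "0.0.0.0/0", "ports": [443]},
    {"name": "deny-ssh", "scope": "vm", "priority": 100,
     "direction": "ingress", "action": "deny", "src": "0.0.0.0/0", "ports": [22]},
    {"name": "allow-ssh-bastion", "scope": "vm", "priority": 50,
     "direction": "ingress", "action": "allow", "src": "10.1.2.3/32", "ports": [22]},
]


def matches(rule, direction, src_ip, port):
    """True if the rule applies to this flow (direction, source, port)."""
    if rule["direction"] != direction:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["src"]):
        return False
    return rule["ports"] is None or port in rule["ports"]


def effective_rules(rules, direction, src_ip, port):
    """All matching rules, highest priority (lowest number) first."""
    hits = [r for r in rules if matches(r, direction, src_ip, port)]
    return sorted(hits, key=lambda r: r["priority"])


def decide(rules, direction, src_ip, port):
    """Return (action, winning rule, rules it overrules for this flow)."""
    hits = effective_rules(rules, direction, src_ip, port)
    if not hits:
        return "deny", None, []          # implicit deny
    return hits[0]["action"], hits[0]["name"], [r["name"] for r in hits[1:]]


def shadowed_rules(rules, probes):
    """Rules that never win for any probed flow: a hint that a rule is dead
    or that a broader, higher-priority rule is overruling it."""
    winners = {decide(rules, *p)[1] for p in probes}
    return sorted(r["name"] for r in rules if r["name"] not in winners)


if __name__ == "__main__":
    flows = [("ingress", "203.0.113.5", 22), ("ingress", "10.1.2.3", 22),
             ("ingress", "10.5.5.5", 22), ("ingress", "198.51.100.9", 443),
             ("ingress", "10.5.5.5", 3306), ("egress", "10.0.0.1", 80)]
    for f in flows:
        print(f, "->", decide(RULES, *f))
    print("never winning for these flows:", shadowed_rules(RULES, flows))
```

The flow from 10.5.5.5 to port 22 is the instructive one: the network-level allow-internal rule matches, but the VM-level deny-ssh rule has a better priority and wins, which is exactly the kind of cross-scope interaction the bullets above tell you to look for.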
Insufficient Bandwidth

• You may be able to add all the resources you need for good performance in your
cloud, but you can still have bandwidth issues that affect performance.
• Bandwidth can be a problem for anyone as more people and organizations are
utilizing the cloud than ever before.
• This can cause issues with performance, response time, latency, slow transfer times,
etc.
• If you experience bandwidth issues, you can get better and faster WAN connections.
• If you have a private or hybrid cloud, then you should have a dedicated connection at
a level to support your bandwidth needs.

Latency

• Latency in the cloud is the delay between a client request and a cloud service
provider’s response.
• Latency in a cloud environment is less predictable and more complicated to measure
than in an on-premises environment.
• Cloud service data centers can be located anywhere in the world, and a greater
physical distance can add to latency.
• Data exchanges between different cloud services can also contribute to latency.

MTUs and MSS

• A Maximum Transmission Unit (MTU) mismatch along the path (for example, a host with a 1500-byte MTU sending through a VXLAN or VPN tunnel whose effective MTU is smaller) does not usually stop a connection from being established, because the small TCP handshake packets fit; it is the larger data packets that get dropped.
• If the router that has to drop them cannot send back an ICMP "fragmentation needed" message, or a firewall filters it, the sender never learns the path MTU: the session opens and then hangs or fails intermittently on large transfers. This is the classic path-MTU black hole.
• Fix it by lowering the MTU on the sending interface to the path's effective MTU, clamping the TCP Maximum Segment Size (MSS) on the tunnel or gateway, or allowing the relevant ICMP through the firewall. Confirm the diagnosis with a ping that sets the don't-fragment flag and a payload size just under and just over the suspected limit.
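An added example (not course code) that puts numbers on the points above: the in"ner MTU and MSS left after VXLAN or GRE encapsulation, the value an MSS-clamping gateway would rewrite the SYN's MSS option to, and a small simulation of why the handshake succeeds while bulk data hangs. The header sizes are the standard ones; the path scenario is constructed.

```python
"""Inner MTU, MSS clamp, and the path-MTU black hole.
Added example; the overhead figures are standard header sizes, the path
scenario is constructed."""
IP_HEADER = {4: 20, 6: 40}
TCP_HEADER = 20            # without options
# Bytes each encapsulation adds to every packet (IPv4 outer header assumed):
# VXLAN = outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8; GRE = IPv4 20 + GRE 4.
ENCAP_OVERHEAD = {"vxlan": 50, "gre": 24}


def inner_mtu(underlay_mtu, encapsulations=()):
    """MTU left for the workload after the tunnel headers are subtracted."""
    return underlay_mtu - sum(ENCAP_OVERHEAD[e] for e in encapsulations)


def max_mss(mtu, ip_version=4):
    """Largest TCP payload per segment that fits in one packet of this MTU."""
    return mtu - IP_HEADER[ip_version] - TCP_HEADER


def clamp_mss(advertised_mss, path_mtu, ip_version=4):
    """What an MSS-clamping gateway rewrites the SYN's MSS option to."""
    return min(advertised_mss, max_mss(path_mtu, ip_version))


def deliver(payload_bytes, path_mtu, ip_version=4, df=True, icmp_reaches_sender=True):
    """Simulate one TCP segment crossing a hop whose MTU is `path_mtu`.
    IPv6 never fragments in flight, so it behaves as if DF were always set."""
    packet = payload_bytes + IP_HEADER[ip_version] + TCP_HEADER
    if packet <= path_mtu:
        return "delivered"
    if not df and ip_version == 4:
        return "fragmented"
    if icmp_reaches_sender:
        return "dropped, sender learns path MTU %d and retries smaller" % path_mtu
    return "dropped silently: PMTU black hole"


def session(path_mtu, sender_mtu=1500, icmp_reaches_sender=False):
    """Why a mismatch looks like a hang: the 0-byte SYN fits, the first full
    data segment does not."""
    syn = deliver(0, path_mtu, icmp_reaches_sender=icmp_reaches_sender)
    data = deliver(max_mss(sender_mtu), path_mtu, icmp_reaches_sender=icmp_reaches_sender)
    return syn, data


if __name__ == "__main__":
    print("VXLAN overlay on a 1500 underlay:", inner_mtu(1500, ["vxlan"]), "bytes")
    print("MSS to clamp to:", max_mss(inner_mtu(1500, ["vxlan"])))
    print("handshake / bulk data with ICMP filtered:", session(path_mtu=1450))
    print("same path with ICMP allowed:", session(path_mtu=1450, icmp_reaches_sender=True))
```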
Guidelines for Identifying Connectivity Issues

• Follow standard troubleshooting steps for IP address-related logical configuration issues.
• Contact your CSP if you experience QoS issues with your cloud service that are outside of their SLAs.
• Be aware of factors that contribute to latency and design your cloud implementation to mitigate some of these.
• Ensure you have a WAN connection sufficient for your needs to reduce bandwidth issues.
Activity: Identifying Connectivity Issues
1. A user complains of no longer being able to access the cloud services from their
workstation. After some initial investigation, you decide the issue may be because
of a firewall. What troubleshooting steps would you take to confirm this?

2. Your on-premises location has experienced a brief power outage that has affected
some of the systems and devices in your environment. All of the local servers and
workstations are up and running, but are unable to reach your cloud services. What
steps should you take to identify the issue?

12
Activity: Identifying Connectivity Issues
1. A user complains of no longer being able to access the cloud services from their
workstation. After some initial investigation, you decide the issue may be because
of a firewall. What troubleshooting steps would you take to confirm this?
Answers may include: first, have other users try to reach the cloud services and
establish whether the problem resides with one device or several. If multiple users
have the same issue, then check that the firewall rules are not blocking the traffic
the users are trying to send. If only a single user has an issue, then check his or her
device for connectivity in general and also check whether he or she has a local
firewall running that may be blocking traffic.

2. Your on-premises location has experienced a brief power outage that has affected
some of the systems and devices in your environment. All of the local servers and
workstations are up and running, but are unable to reach your cloud services. What
steps should you take to identify the issue?
Answers may include: determine what other connectivity you do have, such as whether
users can reach internal devices or other external locations such as the Internet. If
they can reach other internal devices but not the Internet, then the router may be
either powered off or in need of a reset/reconfiguration. If they can reach the Internet,
then perhaps there is a coincidental issue with your cloud services. You should try to
reach the cloud services from a different network.
13
Module 15 Troubleshooting Connectivity
Issues
Troubleshoot Connectivity Issues
Module 15 Troubleshooting Connectivity Issues

• Identify Connectivity Issues
• Troubleshoot Connectivity Issues

2
Topic 2 Troubleshoot Connectivity Issues

Exam Objectives Covered:

• 5.4 Given a scenario, troubleshoot connectivity issues.

3
Network Connectivity Tools

• ping
• traceroute/tracert
• arp
• netstat
• nslookup
• ipconfig/ifconfig
• route
• ssh
• tcpdump
• telnet

4
Remote Access Tools for Troubleshooting

5
Guidelines for Troubleshooting Connectivity Issues

• Employ network connectivity tools when troubleshooting network connectivity
issues to save you time locating the issue.
• Consider becoming familiar with the command-line tools and their outputs to help
you troubleshoot issues.
• Consider using remote access tools to log into Cloud VMs to troubleshoot issues.

6
Activity: Troubleshooting Connectivity Issues
1. You have two users who are reporting that they are unable to connect to cloud
services. You investigate and find that they are not able to connect to anything.
What are some of your first troubleshooting steps?

2. You have a user who can't connect to the company intranet site or your cloud
services. You are able to connect to both with no difficulty. You check your IP
configuration against the user’s and find that you are configured with different DNS
server addresses. You do not have DNS administrative utilities installed on your
workstation. What can you do to diagnose the DNS problem?

7
Activity: Troubleshooting Connectivity Issues
1. You have two users who are reporting that they are unable to connect to cloud
services. You investigate and find that they are not able to connect to anything.
What are some of your first troubleshooting steps?
Answers may include verify that the machines are connected, either with a physical
network cable or wireless adapter. Then verify that the host's IP addressing
information is correct. Use ipconfig or ifconfig, as appropriate, to determine if the
host is configured for static or dynamic IP addressing and if it has a valid IP address.

2. You have a user who can't connect to the company intranet site or your cloud
services. You are able to connect to both with no difficulty. You check your IP
configuration against the user’s and find that you are configured with different DNS
server addresses. You do not have DNS administrative utilities installed on your
workstation. What can you do to diagnose the DNS problem?
Answers may include use the nslookup command to see if the user’s server can
resolve the name address and to examine the entries on both DNS servers.

8
Reflective Questions

1. What type of connectivity issues have you found in your own environment?
How did you identify them?

2. What types of network connectivity tools have you used to troubleshoot
connectivity issues?

9
Module 16 Troubleshooting Security
Issues
Troubleshoot Identity and Access Issues
Module 16 Troubleshooting Security Issues

• Troubleshoot Identity and Access Issues
• Troubleshoot Attacks
• Troubleshoot Other Security Issues

2
Topic 1 Troubleshoot Identity and Access Issues

Exam Objectives Covered:

• 5.5 Given a scenario, troubleshoot security issues.

3
Authentication Issues

• First determine if the problem is truly authentication and not some other problem
with the cloud network, the device, or the application.
• See if someone else can authenticate.
• If no one can authenticate by using one method, then see if users can authenticate
by using some other method.
• Also try, if available, a different authentication protocol, such as Kerberos, NTLM,
smart card/token, MS-CHAP v2 (for remote access), and more.
• Check the Event Viewer logs or error messages to see if there is any indication of the
problem.
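The last two bullets (see whether anyone else can authenticate, then read the logs) can be turned into a quick triage of logon events. This is an added example, not course material: the sub-status codes are the ones Windows reports in Security event 4625, but the `key=value;` line format is a constructed rendering of the events rather than an actual export format.

```python
"""Triage logon failures from Windows Security event 4625/4624 records, as
the slide suggests when checking Event Viewer: tell a single locked-out or
expired account apart from a broad failure that points at the network, the
device or the application rather than at authentication itself. Added
example; not course material. The 'key=value;' line format is constructed."""
from collections import defaultdict

# Sub-status codes that Windows reports in event 4625 (logon failure).
SUBSTATUS_REASON = {
    "0xC000006A": "wrong password",
    "0xC0000234": "account locked out",
    "0xC0000071": "password expired",
    "0xC0000072": "account disabled",
    "0xC0000064": "user name does not exist",
    "0xC000006F": "outside permitted logon hours",
}


def parse_event(line: str) -> dict:
    """Turn 'id=4625;user=alice;substatus=0xC0000234' into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split(";") if "=" in part)


def triage(lines, broad_threshold: int = 3) -> dict:
    """Return the last failure reason per user plus a scope verdict.
    Mirrors the slide's first steps: if others still authenticate (4624),
    the problem is account-specific; if several users fail and nobody
    succeeds, suspect something other than authentication."""
    last_reason, attempts, successes = {}, defaultdict(int), set()
    for line in lines:
        ev = parse_event(line)
        if ev.get("id") == "4624":
            successes.add(ev["user"])
        elif ev.get("id") == "4625":
            code = ev.get("substatus", "")
            last_reason[ev["user"]] = SUBSTATUS_REASON.get(code, "unknown " + code)
            attempts[ev["user"]] += 1
    failing_only = sorted(set(last_reason) - successes)   # never succeeded
    if len(failing_only) >= broad_threshold and not successes:
        scope = "broad: nobody authenticates; check network, device or application first"
    elif failing_only:
        scope = "single-account: others authenticate; check the listed accounts"
    else:
        scope = "none: no account is persistently failing"
    return {"scope": scope,
            "findings": {u: f"{last_reason[u]} ({attempts[u]} failed attempts)"
                         for u in failing_only},
            "succeeding": sorted(successes)}


# Constructed sample: alice is locked out after bad passwords, carol's
# password expired, bob mistypes once then succeeds, dave logs on normally.
SAMPLE_EVENTS = [
    "id=4625;user=alice;source=WS01;substatus=0xC000006A",
    "id=4625;user=alice;source=WS01;substatus=0xC000006A",
    "id=4625;user=alice;source=WS01;substatus=0xC0000234",
    "id=4625;user=bob;source=WS02;substatus=0xC000006A",
    "id=4624;user=bob;source=WS02",
    "id=4625;user=carol;source=WS07;substatus=0xC0000071",
    "id=4624;user=dave;source=WS03",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```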

4
Authorization Issues

5
Federation and SSO Issues

There are some potential issues with SSO and federation that you need to consider
before implementing these systems.
• How the system will provision and de-provision user accounts.
• How a user is allowed to reset their passwords.

6
Certificate Issues

Unencrypted credentials: Credentials are sent over the network unencrypted, or they
are stored in cleartext form.
Certificate issues: Digital certificates are invalid, insecure, or non-functional.
Key management issues: Encryption keys are inaccessible to authorized personnel or
accessible to unauthorized personnel.

7
Incorrect Identity and Access Hardening Settings

• Personnel: The most common use for IAM is to define identities for organizational
employees. Likewise, personnel identities are among the most popular attack
vectors.
• Endpoints: The devices that people use to gain legitimate access to your network are
varied and often difficult to account for in an IAM system. This is especially true of
mobile devices like smartphones, tablets, and laptops.
• Software: Like servers, applications and services can be uniquely identified in the
organization through digital certificates. One unique issue with applications is how to
determine which other entities are allowed to run certain apps.
• Roles: Roles support the identities of various assets by defining the resources an
asset has permission to access based on the function that asset fulfills. Role-based
identity can have poorly defined roles that can lead to privilege creep.

8
Guidelines for Troubleshooting Identity and Access Issues

• When users experience authentication issues, first try to determine if the issue is
related to something else instead.
• When an issue occurs, determine if it affects other users or just one.
• Consider how the system will provision and de-provision user accounts when using
SSO and federation before implementing these systems.
• Consider how users will reset their passwords when using SSO before implementing
these systems.
• Consider how non-user assets in your organization fit into your IAM scheme.

9
Activity: Troubleshooting Identity and Access Issues

1. A user comes to you and says that he is no longer able to log in to the network. He
says that yesterday he was able to log in just fine. What troubleshooting steps
would you take?

2. A user who recently moved from one department to a new department is unable to
access the cloud services for the new department. What troubleshooting steps
would you take?

10
Activity: Troubleshooting Identity and Access Issues

1. A user comes to you and says that he is no longer able to log in to the network. He
says that yesterday he was able to log in just fine. What troubleshooting steps
would you take?
Answers may include: check the user account to verify that it hasn't been locked out;
check whether the user's password has expired.

2. A user who recently moved from one department to a new department is unable to
access the cloud services for the new department. What troubleshooting steps
would you take?
Answers may include check to see if other users in that department have the same
issue, verify that the user was moved from the domain group of her former
department and added to the domain group for the new department, verify that the
user has the proper cloud role or other cloud permissions for the new department in
the cloud.

11
Module 16 Troubleshooting Security
Issues
Troubleshoot Attacks
Module 16 Troubleshooting Security Issues

• Troubleshoot Identity and Access Issues
• Troubleshoot Attacks
• Troubleshoot Other Security Issues

2
Topic 2 Troubleshoot Attacks

Exam Objectives Covered:

• 5.5 Given a scenario, troubleshoot security issues.

3
External Attacks

[Diagram: stages of an external attack that abuses cloud resources]
1. Attacker executes automated signup script on cloud provider
2. Virtual resources provisioned to individual accounts
3. Attacker consolidates control over virtual environments
4. Distributed cloud resources overload target server
4
Internal Attacks

Policy violation: Personnel violate your organization's policy and engage in
unacceptable use of systems, data, and the network.
Social media and personal messaging use: Personnel use social media and personal
messaging accounts in ways that bring risk to the organization.
Social engineering: Personnel fall victim to social engineering attacks and divulge
sensitive information or give access to unauthorized users.
Insider threat: Disgruntled or otherwise malicious personnel use their unique
knowledge of the organization to exploit it for personal gain.

5
Privilege Escalation

• Vertical
• User can perform functions not normally assigned to their role or explicitly permitted.
• Example: Normal user gains access to admin rights.
• Horizontal
• User can access or modify specific resources they are not entitled to.
• Example: Normal user gains access to other users’ private data.

[Diagram: vertical escalation from User up to Admin; horizontal escalation from
User A across to User B]
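Catching both patterns in an audit means re-evaluating each recorded request against the intended policy with two separate checks, a role check for vertical escalation and an ownership/department check for horizontal escalation, which also covers the sales-user scenario in the activity that follows. This is an added example, not course material; the role policy, principals, resources and access records are all constructed.

```python
"""Re-check recorded access requests against the intended policy to spot the
two escalation patterns on the slide: vertical (an action the role does not
grant) and horizontal (a resource owned by another user or department).
Added example; the policy, principals and log records are constructed."""
from collections import Counter
from dataclasses import dataclass

ROLE_ACTIONS = {                       # hypothetical role policy
    "user": {"read", "write"},
    "admin": {"read", "write", "delete", "manage_users"},
}

@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    department: str

@dataclass(frozen=True)
class Resource:
    owner: str
    department: str

def classify(actor: Principal, action: str, resource: Resource) -> str:
    """'vertical' if the role does not grant the action; 'horizontal' if a
    non-admin touches a resource outside their ownership and department.
    A role check alone misses the second case, an ownership check alone the first."""
    if action not in ROLE_ACTIONS.get(actor.role, set()):
        return "vertical"
    if actor.role != "admin" and not (
            resource.owner == actor.name or resource.department == actor.department):
        return "horizontal"
    return "ok"

def audit(log_lines, principals, resources):
    """Evaluate 'actor;action;resource' records; return escalation findings
    and a per-actor count so one account probing widely stands out."""
    findings, per_actor = [], Counter()
    for line in log_lines:
        actor_name, action, path = line.split(";")
        actor, res = principals.get(actor_name), resources.get(path)
        verdict = "unknown" if actor is None or res is None else classify(actor, action, res)
        if verdict != "ok":
            findings.append((actor_name, action, path, verdict))
            per_actor[actor_name] += 1
    return findings, per_actor

# Constructed directory and access log (the sales user from the activity)
PRINCIPALS = {
    "sam": Principal("sam", "user", "sales"),
    "fay": Principal("fay", "user", "finance"),
    "root": Principal("root", "admin", "it"),
}
RESOURCES = {
    "/sales/pipeline": Resource("sam", "sales"),
    "/finance/q3-forecast": Resource("fay", "finance"),
    "/finance/payroll": Resource("fay", "finance"),
}
ACCESS_LOG = [
    "sam;read;/sales/pipeline",          # own resource: ok
    "sam;read;/finance/q3-forecast",     # other department: horizontal
    "sam;manage_users;/sales/pipeline",  # admin-only action: vertical
    "root;read;/finance/payroll",        # admin: ok
    "fay;read;/finance/payroll",         # own department: ok
]
```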

6
Attack Vectors Related to Configuration

Although the paths that attackers take are diverse, there are three general elements that
can contribute to an attack vector:
• Vulnerabilities: Attackers will almost always search for holes within your systems and
networks.
• Exploits: These almost always depend on vulnerabilities to be effective. When the
gap in security is identified, the attacker can launch a tool or utility to take advantage
of that gap.
• Techniques: An attack's technique provides more detail about the path it takes, as
well as how it operates. It can also help categorize the effects of an exploit payload.

7
Guidelines for Troubleshooting Attacks

• Consider familiarizing yourself with different types of attacks on clouds so that you
will be better prepared to recognize and troubleshoot them.
• Remember that attacks don't come from outside your organization only; they can
come from inside your organization as well.
• User accounts can be a source of multiple attacks, so ensure you have good user
management in place to mitigate this.
• Understand the vectors that attackers take; this is a crucial step in security
because it helps the practitioner identify the "how" of an attack.

8
Activity: Troubleshooting Attacks
1. It has been discovered that a user in the sales department is able to access
resources in the finance department. It is suspected that the user is disgruntled and
may be trying to find sensitive information. What troubleshooting steps would you
take?

2. Users and customers are complaining that your company cloud app is not
responding. You check and the cloud app is up and running. What troubleshooting
steps would you take?

9
Activity: Troubleshooting Attacks
1. It has been discovered that a user in the sales department is able to access
resources in the finance department. It is suspected that the user is disgruntled and
may be trying to find sensitive information. What troubleshooting steps would you
take?
Answers may include check the user's group membership to verify that they don’t
have this kind of access; implement tighter group security to limit the user's access;
monitor and audit the user's network activity, and if the user is using another
account, then lock down that account or simply change the password. If this user is
found to be malicious, then HR or a manager will need to be notified so that they can
determine what steps to take.

2. Users and customers are complaining that your company cloud app is not
responding. You check and the cloud app is up and running. What troubleshooting
steps would you take?
Answers may include query the routers for congestion on their interfaces to see if
they are being flooded; use a network monitoring tool to check traffic to the cloud
app; try to filter the offending traffic on upstream routers; wait for the DoS attack to
stop.

10
Module 16 Troubleshooting Security
Issues
Troubleshoot Other Security Issues
Module 16 Troubleshooting Security Issues

• Troubleshoot Identity and Access Issues
• Troubleshoot Attacks
• Troubleshoot Other Security Issues

2
Topic 3 Troubleshoot Other Security Issues

Exam Objectives Covered:

• 5.5 Given a scenario, troubleshoot security issues.

3
Unencrypted Communication

Some steps to help encrypt communications are:
• Ensure that you are using secure remote protocols like SSH.
• Ensure that you are using SSL/TLS to secure web-based communications.
• Ensure that users know not to store passwords in unencrypted text, spreadsheet, or
database files.
• Ensure that any custom apps you develop employ encryption for data at rest, in
transit, and in use.

4
Unauthorized Physical Access

Building and grounds
• Location
• Physical access control
Devices
• Servers
• Laptops and tablets
• Mobile phones
• Other wireless devices
Communications
• Telecommunications
• Service providers
• Wireless cells

5
Unencrypted Data

Unencrypted data is vulnerable regardless of where it is located.

6
Weak or Obsolete Security Technologies

• Securing your environment is a good accomplishment but only if it is done well and
maintained.
• When implementing security, ensure that you are following best practices and using
settings that provide adequate security.
• Even when you implement good security, you may still not maintain the level of
protection you want.
• You need to periodically review your security settings and also review new
vulnerabilities so that you can then implement changes to keep your environment
safe.

7
Insufficient Security Controls and Processes

• Having insufficient security controls can leave your environment open to attacks.
• These can range from physical controls such as locks, to technical controls such as
anti-malware or firewalls.
• Having insufficient security processes can leave your environment open to attacks
even if you have good security controls in place.
• Security processes include items such as security governance, policy management,
awareness and education, identity and access management, vulnerability
management, and incident response.

8
Tunneling or Encryption Issues

• Tunneling with a protocol such as SSH, or using a VPN, can provide access to your
cloud from another network.
• While these provide a useful service they can also create potential issues.
• Tunneling can be used to "sneak through" a firewall by wrapping a protocol that the
firewall would normally block inside a protocol that the firewall does not block.

9
Security Device Failure

Access point: Access points are incorrectly authenticating users or are
non-functional.
Firewall: Firewalls fail to prevent unwanted traffic from entering or leaving the
network, or block legitimate traffic from entering or leaving the network.
Content filter: The content filter blocks legitimate content, or fails to block
undesirable content.
Intrusion detection system (IDS): The IDS frequently encounters false positives and
false negatives.

10
Guidelines for Troubleshooting Other Security Issues

• Always encrypt your communications to prevent attackers from gaining important
information like account passwords.
• Remember that your physical security is as important as your virtual security as it will
keep intruders from gaining access to your organization and your staff.
• Remember that unencrypted data is vulnerable regardless of where it is located.
• Ensure you are implementing adequate security settings when you secure your
environment so that you have the level of security you require.
• Review your security settings and newly published vulnerabilities on a periodic
basis to discover new attack vectors, then implement controls against them.
• Ensure that your security controls are adequate for your environment to avoid
additional security issues.
• Ensure that you implement adequate security controls to further protect your
organization and avoid security or potential legal issues.

11
Activity: Troubleshooting Other Security Issues

1. You configured security settings 18 months ago when you integrated your on-
premises and cloud networks. You were just informed that the connection between
the on-premises network and your cloud may have been hacked. What steps should
you take to help prevent more potential hacking?

2. What are some examples of physical security vulnerabilities?

12
Activity: Troubleshooting Other Security Issues

1. You configured security settings 18 months ago when you integrated your on-
premises and cloud networks. You were just informed that the connection between
the on-premises network and your cloud may have been hacked. What steps should
you take to help prevent more potential hacking?
Answers may include although your security was adequate 18 months ago, you need
to keep it up-to-date. Technology is always advancing and new threats and attacks
emerge. You should review your security configuration and make updates as
necessary. Then schedule regular reviews to assess and update your security.

2. What are some examples of physical security vulnerabilities?
Answers may include disgruntled employees performing some sort of physical
sabotage, weather-related problems such as floods, an external power failure, and
workers accidentally digging up fiber optic cables.

13
Reflective Questions

1. What types of attacks have you had to deal with in your environment? How
did you detect them and stop them?

2. What other security issues have you identified in your environment?

14
