1

I'm preparing for the CCSP exam and another test question is throwing me off.

The question reads:

In all cloud models, security controls are driven by which of the following:

A. Virtualization engine
B. Hypervisor
C. SLAs
D. Business Requirements

I chose C. SLAs because:

  • Virtualization and hypervisor answers are too technical and not in scope for the context of this question.
  • The cloud provider may not necessarily have the same business objectives as the customer so a business requirement for the customer may not align with the goals or security objectives of the cloud provider.
  • The SLA is a mutual contractually-binding document describing the extent of service reliability and the scope of overall liability for both parties in the cloud.

Example: if the cloud provider decides to sell all customer information to a customer's competitor, that would be in breach (hopefully) of the security and disclosure terms outlined in the SLA... right?

Obviously, though, I'm wrong according to the test prep material. Could someone please elaborate?

The test prep material considers "D. Business Requirements" the correct answer.

Mike B
  • 3,336
  • 4
  • 29
  • 39

2 Answers

1

The SLA is in place to mandate that service levels are achieved in order to meet Business Requirements. Business Requirements trump everything else. I get your reasoning above, but SLAs are not standalone and sit between the security controls and the business requirements. The SLA may be used to measure the security controls, but they're in place to meet business requirements rather than just for the sake of it.

AndyMac
  • 3,149
  • 12
  • 21
1

Business Requirements mandate everything. Even insecure, expensive, outdated or even illegal options. Business defines the SLA, defines the architecture, defines what they will disclose and what they won't. It defines which taxes they will pay, and which they will evade.

If the business states that the new infrastructure needs to run on MS-DOS, Netware and Ethernet 10base2, what will you do? Refuse to work, try to change the minds of the directors, or go to eBay to buy a bag of BNC connectors?

Security usually is not implemented because the business wants it, but because they are forced to. Security is seen as a money sink. You don't directly earn anything from spending on security, so management usually spends more on people, marketing and servers. It's an area that does not show anything when things are going well, but gets grilled when things don't go well.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142