Platinum - Unit 41 - Cloud Based Systems and Security

Relevant LINKS


Handbook home page


The candidate can analyse the key aspects of a cloud based system.  They will look at and describe the main technologies deployed.  They will describe and assess the data management needs and equipment available.  They will look in detail at the security problems and possible silutions for cloud based systems. 
A work activity will typically be ‘non-routine or unfamiliar’ because the task or context is likely to require some preparation, clarification or research to separate the components and to identify what factors need to be considered. For example, time available, audience needs, accessibility of source, types of content, message and meaning, before an approach can be planned; and the techniques required will involve a number of steps and at times be non-routine or unfamiliar. 
Example of context – candidates can investigate and generate a detailed report to assist in the migraiton of a local company or charity to cloud based services and applications.

Activities supporting the assessment of this unit

Example of work at this level

Assessor's guide to interpreting the criteria

General Information

RQF general description for Level 3 qualifications

  • Achievement at RQF level 3 (EQF Level 4) reflects the ability to identify and use relevant understanding, methods and skills to complete tasks and address problems that, while well defined, have a measure of complexity. It includes taking responsibility for initiating and completing tasks and procedures as well as exercising autonomy and judgment within limited parameters. It also reflects awareness of different perspectives or approaches within an area of study or work.
  • Use factual, procedural and theoretical understanding to complete tasks and address problems that, while well defined, may be complex and non-routine.

  • Address problems that, while well defined, may be complex and non-routine.  Identify, select and use appropriate skills, methods and procedures.  Use appropriate investigation to inform actions.  Review how effective methods and actions have been.

  • Take responsibility for initiating and completing tasks and procedures, including, where relevant, responsibility for supervising or guiding others.  Exercise autonomy and judgement within limited parameters information and ideas


  • Standards must be confirmed by a trained Platinum Level Assessor or higher

  • Assessors must at a minimum record assessment judgements as entries in the on-line mark book on the certification site.

  • Routine evidence of work used for judging assessment outcomes in the candidates' records of their day to day work will be available from their e-portfolios and on-line work. Assessors should ensure that relevant web pages and files are available to their Account Manager on request by supply of the URL.

  • When the candidate provides evidence of matching all the criteria to the specification subject to the guidance below, the assessor can request the award using the link on the certification site. The Account Manager will request a random sample of evidence from candidates' work that verifies the assessor's judgement.

  • When the Account Manager is satisfied that the evidence is sufficient to safely make an award, the candidate's success will be confirmed and the unit certificate will be printable from the web site.

  • This unit should take an average level 3 learner 55 hours TQT to complete.

Assessment Method

Assessors can  score each of the criteria N, L, S or H. N indicates no evidence. L indicates some capability but some help still required. S indicates that the candidate can match the criterion to its required specification. H indicates performance that goes beyond the expected in at least some aspects. Candidates are required to achieve at least a S on all the criteria to achieve the full award.

Expansion of the assessment criteria

1. Candidates will analyse and describe the key elements of cloud based systems.

1.1 I can describe and compare the main hypervisors used to deliver cloud computing

Candidates should be able to describe the key features of hypervisors.
Evidence: will be provided directly from student portfolios and assessor feedback.
Additional information and guidance
Candidates need to describe the main hypervisors on the market and compare some of their features. They need to define what a hypervisor does and what it needs to do. This will then determine some of its features. Most hypervisors are management systems which take a host machine and create spaces inside the machine to allow it to run other
machines. Students can explore how this works by installing the hosted hypervisor software VirtualBox and running a guest system on it. If their main machine is windows, they can get a Linux OS disk and run the entire Linux system inside their windows machine. As far as the guest system is concerned, it has access to all of the host machine’s resources.
Some useful eBooks can be downloaded here: or here

1.2 I can describe the main systems and hardware used for cloud based use and explain their main features

Candidates should be able to describe the purpose of their work and why using IT adds value to it in some way or ways.
Evidence: will be provided directly from the presentation of work in web pages that has clear purpose and describes the purpose of the work.
Additional information and guidance
Candidates might describe the audience at which they are targeting their work and any aspects of the work that makes it particularly suitable for the audience e.g. "I presented a science investigation using a web page with links to references so that a future employer can see the quality of my work simply by knowing the URL". "I used a public web page to collaborate with my friends in producing an information page about the local environment because it enabled us to work together effectively. It also made it easy for other people to contribute and made the results easy to link to other similar sites". They should be able to fully explain the key characteristics of writing formally on a web page to present part of an e-portfolio as opposed to the style used for chat and instant messaging of friends. The candidate will show evidence of understanding relevance in relation to purpose. Information that is irrelevant to a task will not support its purpose and inaccurate or biased information could be against the purpose. The main difference between
Level 3 and Level 2 is that in Level 3, the quality of explanation needs to be explicit and clarity of understanding, whereas in Level 2 Gold it is enough to describe the purpose e.g. from a list of options or other supporting structures. Their documented web pages, blogs and/or files should contain detailed explanations in keeping with the guidance here.

1.3 I can analyse the features of the main cloud based systems and services

Candidates should be able to show a detailed understanding, through research, of the main features of cloud based systems.

Evidence: will be provided directly from student portfolios and assessor feedback.

Additional information and guidance

Candidates need to explore and comment on the services that are available for cloud based systems. It would be useful to have a table or report like format where they identify the main elements and give some detailed descriptions of what they do and why they are included in any package. Features will include things such as the amount of support
available, the types of services in terms of range so that they can be compared and contrasted across providers. What sorts of policies and procedures back up their offerings. What is the overall scope of the features and what would a service be like without them. How quickly can the system scale and contract for needs. How much can the user do on their own and how much requires an intervention from the company that runs the service. Candidates can download and analyse a company’s SLA (Service Level Agreement) and see what level of quality they can expect.

1.4 I can assess the strengths of the cloud based services on offer and give clear examples to illustrate my conclusions

Candidates should be able to draw clear conclusions from their research and analysis.

Evidence: will be provided directly from student portfolios and assessor or client feedback.

Additional information and guidance

Candidates should be able to use the information they gather to make informed decisions. If they are working with a client to recommend cloud based services to them, for example to replace an office based server with a cloud one for email, they need to be able to give clear justifications backed with evidence. Much of the material provided will be marketing material which is sometimes exaggerated in order to make sales. If they read around the topic enough they should be able to separate some of these myths from reality to make good choices. What is a strength and how might it be measured? What reference points do they need to use to assess these strengths?

1.5 I can assess the weaknesses of the cloud based services on offer and indicate ways to minimise the impact of these problems

Candidates should be able to document and comment on the aspects of cloud computing which are not quite fit for purpose.

Evidence: will be provided directly from student portfolios and assessor feedback.
Additional information and guidance
As with all things in life, nothing is entirely a perfect match for your needs. Cloud computing has many strengths, but also has some weaknesses, though this really depends on your perspective. A weakness does not always mean that the service is not right and it could be that a work- around is required. Candidates need to show that they understand the nature of the services on offer to such an extent that they can recommend their use with some caveats. It might mean that they recommend a compromise which has most of the benefits of a cloud based solution, but the user has to accept a few issues that can’t be overcome. An example here might be that the client has huge data storage needs, but little in terms of traffic and processing power. It might be that the candidate will recommend that the user has to download and archive data regularly in order to benefit from the other services, without incurring extra charges for their data storage, assuming it can be archived without disruption to what the company offers. It may be that the best service on offer is US based and because of EU restrictions, the client needs to keep personal data on a local server while still using the cloud services for their main needs.

1.6 I can evaluate cloud based services and systems against desktop based systems

Candidates should be able to offer clear and detailed examples of a side by side comparison of some key services of cloud versus local.

Evidence: will be provided directly from student portfolios and assessor feedback.
Additional information and guidance
In most cases, cloud based servers are virtual machines that are hosted in data centres around the world. Companies that offer cloud systems have large physical servers themselves, but the resources of these systems are pooled and combined across multiple data centres to offer flexibility and scalability. Therefore, if you purchase a cloud based server, it should be the same as having one in the office next door. What then are the differences? Is there a way to compare like for like between the two systems? One example might be in terms of storage. If you have your own local server, adding storage and extra memory is relatively easy as you can physically add them. With cloud services you only really pay for what you use, so you would only need to pay for this when required. Having said that, the cost of storage and memory might be relatively high in comparison. A basic Cloud Server from most providers would cost (in February 2016) as little as £8 per month for a 1 CPU, 2GB RAM, 25GB storage device. To double all of these resources would be only £16 and £30 for quadruple. To buy a server yourself would be expensive if you bought a proper system and not just a desktop PC with lots of RAM and drive space. However, adding a 1TB of storage to your own server would be less than adding 50GB to the cloud server. The other issue is even with fast broadband, you will not get the access speed of a proper Tier 1 data centre.
A table or report comparing these features and giving some examples will be required for this criterion.

2. Candidates will describe and assess the data management needs for cloud based systems.

2.1 I can evaluate the key hardware and software required for big data solutions and describe how it is used

Candidates will need to list and evaluate in detail the main components of a system with reference to the needs for big data.

Evidence: will be provided directly from student portfolios and assessor feedback.
Additional information and guidance
Candidates should at first define what big data is in order to set the scene for how the needs of it can be achieved. As an example of the scope of big data, in 2012 alone 2.5 exabytes of data were created every day.  That is 2,5,000,000,000,000,000,000. Every single device around us is Internet aware and capturing and transferring data. The idea with big data is that if this can be analysed, companies and governments can determine trends and act on them. This volume of data, however, requires massive computing power, storage and transfer capabilities and other aspects which are beyond most traditional servers. In most cases, it can only be fully managed by using parallel processing, so pooling the resources of 100s or 1000s of computers together.
Candidates at this level should be able to define the hardware and evaluate how effective it might be, as well as looking at some aspects of the software involved. They do not need to have an in depth understanding of the more detailed aspects of functionality. They should be able to give some detailed examples to illustrate their findings however
and there are plenty of examples around such as weather predictions or epidemiological studies of health trends etc.

2.2 I can analyse the data requirements of different situations​

Candidates should be able to describe the requirements of a range of situations.

Evidence: will be provided directly from student portfolios and client feedback.
Additional information and guidance
Candidates should be able to work with different organisations and be able to take some details from them about overall usage and from this determine their data needs. The key determinants will be traffic requirements and data storage needs. An email server requires hardly any processing power, though it may require a great deal of data storage
capacity if the email needs to be kept for a long time. Schools offer real challenges in terms of cloud based services as they have 100s of logins at peak times which requires processing power. If a school has a web based system that all staff and students need to use, they will have very high levels of concurrency. At certain times of the day, i.e. the first lesson in the morning and afternoon, virtually every computer will be trying to login to the system. The web software and database that manage this system will be dealing with all of these people wanting the same resources at the same time. The server will be in overdrive to cope. In contrast, a system such as a social media site may have
millions of users, but they will not all be active at the same time so the server needs will be very different. candidates need to give examples such as these to illustrate data needs in order to process and manage data in different circumstances and for different purposes.

2.3 I can describe how the data needs of different companies and usage will affect the data solutions

Candidates should be able to describe the range of uses of data.
Evidence: will be provided directly from student portfolios and assessor feedback.
Additional information and guidance
Candidates need to expand on 2.1 and add some extra details about specific usage of data. Is the data need for a great deal of analytics, therefore the data has to be processed regularly and reports generated, or is the data just required to be stored and backed up regularly for archival reasons. These different data needs will determine the types of systems and services needed for the job. Candidates should be comfortable enough to make basic recommendations of system solutions based on some data needs as this will drive the required solution given.

2.4 I can describe the different types of data management system available

Candidates should be able to describe a range of data management tools.
Evidence: will be provided directly from student portfolios and client feedback.
Additional information and guidance
Some common examples of data management systems will help to illustrate the range of ways that data is used. For example, many companies that are sales based use a CRM (Customer Relationship Management) system which tracks all of the details and interactions of possible customers (leads) and actual customers. Most candidates will
be familiar with school and college based MIS (Management Information System). These are used to store personal information about students and also information about their time-tables and upcoming examinations.
There are many other examples and candidates just need to describe some of their main features and give examples of their use, especially focussing on what they are designed to do with data.

2.5 I can assess the strengths of data management systems and recommend the best in terms of effectiveness and efficiency

Candidates should be able to give examples from different systems and rate these in terms of fitness for purpose and expectations.

Evidence: will be provided directly from student portfolios and assessor feedback.
Additional information and guidance
Candidates can explore different data management systems and look at their main strengths. Do they deliver on what they say? A good resource here is the open source software testing site:
Candidates can log in and test these systems as an administrator and as a user and see their features.
What makes a system effective and efficient?
Most cloud based systems, for example Facebook, Amazon and eBay, run on Linux servers. Candidates should be familiar with the LAMP stack (Linux, Apache, MySQL, PHP) or similar for these types of services.
One of the world’s biggest companies that not many people know about is Oracle who make large scale databases. Some of these organisations need to be investigated and evaluated.

2.6 I can evaluate data management and attempt to predict future trends

Candidates should be able to make an informed judgement from their studies about data management.

Evidence: will be provided by blogs or reflective journal entries.
Additional information and guidance
Candidates have explored the current trends in data management and looked at the issues such as big data. In their opinion, backed with some examples, where do they see the industry heading in the next 5 or 10 years. This is the sort of information that is important for when they work with clients. Should their clients use cloud computing now, or should they wait and see. Are some of the problems with security and ownership such that it is never worth the effort?

2.7 I can analyse the legal implications of cloud based data storage and retrieval

Candidates should be able to write in detail some of the legal considerations around cloud services.

Evidence: will be provided by reports and assessor feedback.
Additional information and guidance
One key strength of cloud computing is also a relative weakness in some ways. One of the main concerns that companies have, particularly companies dealing with very private data, is who actually owns it?
Recent issues have being aired in Europe where all of the cloud based companies, at least the larger ones, are US based. The European government accepted that their servers were safe enough to manage European citizen data, but no longer. If a company you use for cloud services goes bankrupt and closes down in a short space of time, how do you get your data back? These are some of the issues of this situation and candidates need to reference some of the laws and frameworks which currently govern data storage and retrieval.

3. Candidates critically evaluate the security aspects of cloud based systems.

3.1 I can analyse and research the main threats to cloud based systems

The candidate should be able to demonstrate a good level of understanding of security issues.
Evidence: will be provided by a report or portfolio.
Additional information and guidance
The cloud is an always on and always accessible service and now has some of the biggest, and therefore most valuable, data in the world. It therefore is a natural target for organised crime and disaffected people with computing skills. In a way, the threats are no different to your own home threats, but the sheer scale of the problem is different and the reward for hackers huge. Recent articles in the media highlight the scale of issues where companies such as telephone companies can lose millions overnight due to the lack of confidence in their security.
Problems experienced by TalkTalk in late 2015 turned out to be not as bad, scale wise, as first predicted, but the damage financially through lack of confidence in the company as a result of the leak was irreversible. other potential threats in terms of finance could be in the compromise of systems such as the stock exchange systems. if people managed to hack into the London Stock Exchange system, they could cause billions of pounds in damage. If people hack into cloud based systems used by something like hospitals of airlines, they could cause mass deaths and panic. The high stakes involved in cloud based systems and services means that the threats are constantly monitored. Just recently a security flaw was found in some Linux code. Since Linux systems run 80% of the Internet and most mobile phones this is a large scale problem. The key point about open source is that these problems are found and then fixed, in proprietary systems, you rarely find out.
The threats to systems are generally: physical, hardware or software based.
  1. Physical - most damage to systems is caused by internal personnel. They may be disgruntled or have other issues with the company and cause damage or disruption from the inside. Most companies, such as ISPs, have high levels of checks on personnel and even clients who use the centres need to go through very thorough checks before they can enter the centre to work on their own servers. If possible, it would be useful for schools or colleges to organise a visit to an ISP or large company to see the security on offer.
  2. Hardware - hardware protection can be physical, in terms of locking servers in rooms or chaining their sides shut to prevent tampering, but also can be machine based such as physical firewalls or putting servers into demilitarized zones which prevent hackers getting past. Servers can also be used as decoys or “honeypots” to trick hackers into hacking the wrong devices.
  3. Software - Software protection will come from systems such as intrusion detection software or rootkit detectors. It will also be anti-virus and malware software.

3.2 I can describe the threats to cloud based systems and give examples

The candidate should be able to describe in detail the main threats they find in their research.

Evidence: will be provided directly from student portfolios and assessor feedback.
Additional information and guidance
Candidates need to detail and give examples of the main threats. Some of these include: data breaches, data loss, hijacking of accounts or services, poor quality middle man data files (APIs, libraries), Denial of Service attacks, disgruntled employees, abus (using the cloud servers as a large scale attack device), poor customer understanding and shared problems (since many services share the same underlying machine, if that is compromised, a large scale problem will occur).

3.3 I can describe and recommend ways to minimise threats to cloud based systems

The candidate should be able to describe the processes and procedures which will help to reduce the items identified in 3.2.
Evidence: will be provided directly from a report or portfolio.
Additional information and guidance
Candidates might describe how the items they identified in 3.2 can be minimised or avoided and tie these two criteria together. Useful reports exist on the Internet as guides and most cloud based services will have support materials as guidance.

3.4 I can describe the laws which affect cloud based services​

The candidate should be able to describe the main laws and legislation which currently affects services in the cloud.
Evidence: will be provided directly from student portfolios and assessor feedback.
Additional information and guidance
Candidates need to give a detailed overview of the law as it currently stands and give their view on the usefulness. Many commentators show that the evolution of the Internet and cloud based services is moving too fast for the slow moving legal system to react effectively.
The above document shows that the laws apply to different levels and services in cloud based computing and are not always straight-forward.
As long as candidates can show a good appreciation of the legal issues and some reasoned conclusion, this will cover the criterion.
The other key aspect of the cloud is that it crosses borders and what might be acceptable practice in one country is not in another, but who is responsible? What is a company's legal responsibility for data and information?
3.5 I can describe the licenses and their impact on cloud based services
The candidate should be able to describe the different kinds of licenses that help cloud service work. They can give examples of open source and proprietary ones.
Evidence: will be provided directly by their portfolio work and general reports.
Additional information and guidance
The vast majority of cloud based services run on free and open source hardware and software and the Internet itself has grown exponentially as it adheres to open standard and protocols. Candidates should describe and reflect on some of these licences and give examples of what part they play in the growth of cloud based services. The Linux operating system allows companies to quickly and cheaply deploy many servers and then offer cloud based hosting, though they still need some of the peripheral software and hardware, some of which may require proprietary licenses. Some of the control panel software in free and open source, but some isn’t. What advantages does this offer for the growth and longevity of cloud systems?
3.6 I can evaluate the impact of laws and licenses on the development of cloud based services
The candidate should be able to reflect and comment on the various laws and licensing issues that help or hinder cloud systems.
Evidence: will be provided directly by their portfolio work and general reports.
Additional information and guidance
Candidates can summarise much of their findings in this section by saying what the current situation of cloud systems is in regard to laws and licenses and what possible future impacts there might be. If some of the main software used were to become proprietary and therefore expensive, would this help or hinder growth? Is the growth so fast now that
customers will accept the extra charges associated with paid for software? Will it be dictated by the quality of the offering, regardless of price? The current battle between the European courts and US companies has an impact on the use and uptake of some services and could greatly hinder cloud systems. If laws become much stricter on the responsibility of cloud companies for the data they have, i.e. they become legally liable for any terrorist activities that take place on their servers, will this limit the expansion of so many providers?

The assessor should keep a record of assessment judgements made for each candidate and make notes of any significant issues for any candidate. They must be prepared to enter into dialog with their Account Manager and provide their assessment records to the Account Manager through the on-line mark book. They should be prepared to provide evidence as a basis for their judgements through reference to candidate e-portfolios and through signed witness statements associated with the criteria matching marks in the on-line markbook. Before authorizing certification, the Account Manager must be satisfied that the assessors judgements are sound.