Cover image for Cloud Security and Privacy

Book description

You may regard cloud computing as an ideal way for your company to control IT costs, but do you know how private and secure this service really is? Not many people do. With Cloud Security and Privacy, you'll learn what's at stake when you trust your data to the cloud, and what you can do to keep your virtual infrastructure and web applications secure. Ideal for IT staffers, information security and privacy practitioners, business managers, service providers, and investors alike, this book offers you sound advice from three well-known authorities in the tech security world. You'll learn detailed information on cloud computing security that-until now-has been sorely lacking.

  • Review the current state of data security and storage in the cloud, including confidentiality, integrity, and availability

  • Learn about the identity and access management (IAM) practice for authentication, authorization, and auditing of the users accessing cloud services

  • Discover which security management frameworks and standards are relevant for the cloud

  • Understand the privacy aspects you need to consider in the cloud, including how they compare with traditional computing models

  • Learn the importance of audit and compliance functions within the cloud, and the various standards and frameworks to consider

  • Examine security delivered as a service-a different facet of cloud security

Table of Contents

  1. Cloud Security and Privacy
  2. SPECIAL OFFER: Upgrade this ebook with O’Reilly
  3. Preface
    1. Who Should Read This Book
    2. What’s in This Book
    3. Conventions Used in This Book
    4. Using Code Examples
    5. Safari® Books Online
    6. How to Contact Us
    7. Acknowledgments
      1. From Tim Mather
      2. From Subra Kumaraswamy
      3. From Shahed Latif
  4. 1. Introduction
    1. “Mind the Gap”
    2. The Evolution of Cloud Computing
    3. Summary
  5. 2. What Is Cloud Computing?
    1. Cloud Computing Defined
    2. The SPI Framework for Cloud Computing
      1. Relevant Technologies in Cloud Computing
        1. Cloud access devices
        2. Browsers and thin clients
        3. High-speed broadband access
        4. Data centers and server farms
        5. Storage devices
        6. Virtualization technologies
        7. APIs
    3. The Traditional Software Model
    4. The Cloud Services Delivery Model
      1. The Software-As-a-Service Model
      2. The Platform-As-a-Service Model
      3. The Infrastructure-As-a-Service Model
    5. Cloud Deployment Models
      1. Public Clouds
      2. Private Clouds
      3. Hybrid Clouds
    6. Key Drivers to Adopting the Cloud
      1. Small Initial Investment and Low Ongoing Costs
      2. Economies of Scale
      3. Open Standards
      4. Sustainability
    7. The Impact of Cloud Computing on Users
      1. Individual Consumers
      2. Individual Businesses
      3. Start-ups
      4. Small and Medium-Size Businesses (SMBs)
      5. Enterprise Businesses
    8. Governance in the Cloud
    9. Barriers to Cloud Computing Adoption in the Enterprise
      1. Security
      2. Privacy
      3. Connectivity and Open Access
      4. Reliability
      5. Interoperability
      6. Independence from CSPs
      7. Economic Value
      8. IT Governance
      9. Changes in the IT Organization
      10. Political Issues Due to Global Boundaries
    10. Summary
  6. 3. Infrastructure Security
    1. Infrastructure Security: The Network Level
      1. Ensuring Data Confidentiality and Integrity
      2. Ensuring Proper Access Control
      3. Ensuring the Availability of Internet-Facing Resources
      4. Replacing the Established Model of Network Zones and Tiers with Domains
      5. Network-Level Mitigation
    2. Infrastructure Security: The Host Level
      1. SaaS and PaaS Host Security
      2. IaaS Host Security
      3. Virtualization Software Security
        1. Threats to the hypervisor
      4. Virtual Server Security
        1. Securing virtual servers
    3. Infrastructure Security: The Application Level
      1. Application-Level Security Threats
      2. DoS and EDoS
      3. End User Security
      4. Who Is Responsible for Web Application Security in the Cloud?
      5. SaaS Application Security
      6. PaaS Application Security
        1. PaaS application container
      7. Customer-Deployed Application Security
      8. IaaS Application Security
      9. Public Cloud Security Limitations
    4. Summary
  7. 4. Data Security and Storage
    1. Aspects of Data Security
    2. Data Security Mitigation
    3. Provider Data and Its Security
      1. Storage
        1. Confidentiality
        2. Integrity
        3. Availability
    4. Summary
  8. 5. Identity and Access Management
    1. Trust Boundaries and IAM
    2. Why IAM?
    3. IAM Challenges
    4. IAM Definitions
    5. IAM Architecture and Practice
    6. Getting Ready for the Cloud
    7. Relevant IAM Standards and Protocols for Cloud Services
      1. IAM Standards and Specifications for Organizations
        1. Security Assertion Markup Language (SAML)
        2. Service Provisioning Markup Language (SPML)
        3. eXensible Access Control Markup Language (XACML)
        4. Open Authentication (OAuth)
      2. IAM Standards, Protocols, and Specifications for Consumers
        1. OpenID
        2. Information cards
        3. Open Authentication (OATH)
        4. Open Authentication API (OpenAuth)
      3. Comparison of Enterprise and Consumer Authentication Standards and Protocols
    8. IAM Practices in the Cloud
      1. Cloud Identity Administration
      2. Federated Identity (SSO)
        1. Enterprise identity provider
        2. Identity management-as-a-service
    9. Cloud Authorization Management
      1. IAM Support for Compliance Management
    10. Cloud Service Provider IAM Practice
      1. SaaS
        1. Customer responsibilities
        2. CSP responsibilities
      2. PaaS
      3. IaaS
    11. Guidance
    12. Summary
  9. 6. Security Management in the Cloud
    1. Security Management Standards
      1. ITIL
      2. ISO 27001/27002
    2. Security Management in the Cloud
    3. Availability Management
      1. Factors Impacting Availability
    4. SaaS Availability Management
      1. Customer Responsibility
      2. SaaS Health Monitoring
    5. PaaS Availability Management
      1. Customer Responsibility
      2. PaaS Health Monitoring
    6. IaaS Availability Management
      1. IaaS Health Monitoring
    7. Access Control
      1. Access Control in the Cloud
      2. Access Control: SaaS
      3. Access Control: PaaS
      4. Access Control: IaaS
        1. CSP infrastructure access control
        2. Customer virtual infrastructure access control
      5. Access Control Summary
    8. Security Vulnerability, Patch, and Configuration Management
      1. Security Vulnerability Management
      2. Security Patch Management
      3. Security Configuration Management
      4. SaaS VPC Management
        1. SaaS provider responsibilities
        2. SaaS customer responsibilities
      5. PaaS VPC Management
        1. PaaS provider responsibilities
        2. PaaS customer responsibilities
      6. IaaS VPC Management
        1. IaaS provider responsibilities
        2. IaaS customer responsibilities
      7. Intrusion Detection and Incident Response
      8. Customer Versus CSP Responsibilities
      9. Caveats
    9. Summary
  10. 7. Privacy
    1. What Is Privacy?
    2. What Is the Data Life Cycle?
    3. What Are the Key Privacy Concerns in the Cloud?
    4. Who Is Responsible for Protecting Privacy?
    5. Changes to Privacy Risk Management and Compliance in Relation to Cloud Computing
      1. Collection Limitation Principle
      2. Use Limitation Principle
      3. Security Principle
      4. Retention and Destruction Principle
      5. Transfer Principle
      6. Accountability Principle
    6. Legal and Regulatory Implications
    7. U.S. Laws and Regulations
      1. Federal Rules of Civil Procedure
      2. USA Patriot Act
      3. Electronic Communications Privacy Act
      4. FISMA
      5. GLBA
      6. HIPAA
      7. HITECH Act
    8. International Laws and Regulations
      1. EU Directive
      2. APEC Privacy Framework
    9. Summary
  11. 8. Audit and Compliance
    1. Internal Policy Compliance
    2. Governance, Risk, and Compliance (GRC)
      1. Benefits of GRC for CSPs
      2. GRC Program Implementation
    3. Illustrative Control Objectives for Cloud Computing
      1. A.5 Security policy
      2. A.6 Organization of information security
      3. A.7 Asset management
      4. A.8 Human resources security
      5. A.9 Physical and environmental security
      6. A.10 Communications and operations management
      7. A.11 Access control
      8. A.12 Information systems acquisition, development, and maintenance
      9. A.13 Information security incident management
      10. A.14 Business continuity management
      11. A.15 Compliance
    4. Incremental CSP-Specific Control Objectives
      1. Asset management, access control
      2. Information systems acquisition, development, and maintenance
      3. Communications and operations management
      4. Access control
      5. Compliance
    5. Additional Key Management Control Objectives
      1. Key management
    6. Control Considerations for CSP Users
      1. Access control
      2. Information systems acquisition, development, and maintenance
      3. Organization of information security
    7. Regulatory/External Compliance
      1. Sarbanes-Oxley Act
        1. Cloud computing impact of SOX
      2. PCI DSS
        1. Cloud computing impact of PCI DSS
      3. HIPAA
        1. Administrative safeguards
        2. Assigned security responsibility
        3. Physical safeguards
        4. Technical safeguards
        5. Summary of HIPAA privacy standards
        6. Cloud computing impact of HIPAA
    8. Other Requirements
      1. The Control Objectives for Information and Related Technology (COBIT)
        1. Cloud computing impact of COBIT
    9. Cloud Security Alliance
    10. Auditing the Cloud for Compliance
      1. Internal Audit Perspective
      2. External Audit Perspective
        1. Audit framework
        2. SAS 70
        3. SysTrust
        4. WebTrust
        5. ISO 27001 certification
      3. Comparison of Approaches
    11. Summary
  12. 9. Examples of Cloud Service Providers
    1. Amazon Web Services (IaaS)
    2. Google (SaaS, PaaS)
    3. Microsoft Azure Services Platform (PaaS)
    4. Proofpoint (SaaS, IaaS)
    5. RightScale (IaaS)
    6. Salesforce.com (SaaS, PaaS)
    7. Sun Open Cloud Platform
    8. Workday (SaaS)
    9. Summary
  13. 10. Security-As-a-[Cloud] Service
    1. Origins
    2. Today’s Offerings
      1. Email Filtering
      2. Web Content Filtering
      3. Vulnerability Management
      4. Identity Management-As-a-Service
    3. Summary
  14. 11. The Impact of Cloud Computing on the Role of Corporate IT
    1. Why Cloud Computing Will Be Popular with Business Units
      1. Low-Cost Solution
      2. Responsiveness/Flexibility
      3. IT Expense Matches Transaction Volume
      4. Business Users Are in Direct Control of Technology Decisions
      5. The Line Between Home Computing Applications and Enterprise Applications Will Blur
    2. Potential Threats of Using CSPs
      1. Vested Interest of Cloud Providers
      2. Loss of Control Over the Use of Technologies
      3. Perceived High Risk of Using Cloud Computing
      4. Portability and Lock-in to Proprietary Systems for CSPs
      5. Lack of Integration and Componentization
      6. ERP Vendors Offer SaaS
    3. A Case Study Illustrating Potential Changes in the IT Profession Caused by Cloud Computing
    4. Governance Factors to Consider When Using Cloud Computing
    5. Summary
  15. 12. Conclusion, and the Future of the Cloud
    1. Analyst Predictions
    2. Survey Says?
    3. Security in Cloud Computing
      1. Infrastructure Security
      2. Data Security and Storage
      3. Identity and Access Management
      4. Security Management
      5. Privacy
      6. Audit and Compliance
      7. Security-As-a-[Cloud]-Service
      8. Impact of Cloud Computing on the Role of Corporate IT
    4. Program Guidance for CSP Customers
      1. Security Leadership
      2. Security Governance
      3. Security Assurance
      4. Security Management
      5. User Management
      6. Technology Controls
      7. Technology Protection and Continuity
      8. Overall Guidance
    5. The Future of Security in Cloud Computing
      1. Infrastructure Security
      2. Data Security and Storage
      3. Identity and Access Management
      4. Security Management
      5. Privacy
      6. Audit and Compliance
      7. Impact of Cloud Computing on the Role of Corporate IT
    6. Summary
  16. A. SAS 70 Report Content Example
    1. Section I: Service Auditor’s Opinion
    2. Section II: Description of Controls
    3. Section III: Control Objectives, Related Controls, and Tests of Operating Effectiveness
    4. Section IV: Additional Information Provided by the Service Organization
  17. B. SysTrust Report Content Example
    1. SysTrust Auditor’s Opinion
    2. SysTrust Management Assertion
    3. SysTrust System Description
    4. SysTrust Schedule of Controls
  18. C. Open Security Architecture for Cloud Computing
    1. Legend
    2. Description
    3. Key Control Areas
    4. Examples
    5. Assumptions
    6. Typical Challenges
    7. Indications
    8. Contraindications
    9. Resistance Against Threats
    10. References
    11. Control Details
  19. Glossary
  20. Index
  21. About the Authors
  22. Colophon
  23. SPECIAL OFFER: Upgrade this ebook with O’Reilly
  24. Copyright