Chapter 6. Security Management in the Cloud

With the adoption of public cloud services, a large part of your network, system, applications, and data will move under third-party provider control. The cloud services delivery model will create islands (clouds) of virtual perimeters as well as a security model with responsibilities shared between the customer and the cloud service provider (CSP). This shared responsibility model will bring new security management challenges to the organization’s IT operations staff. With that in mind, the first question a chief information security officer (CISO) must answer is whether she has adequate transparency from cloud services to manage the governance (shared responsibilities) and implementation of security management processes (preventive and detective controls) to assure the business that the data in the cloud is appropriately protected. The answer to this question has two parts: what security controls must the customer provide over and above the controls inherent in the cloud platform, and how must an enterprise’s security management tools and processes adapt to manage security in the cloud. Both answers must be continually reevaluated based on the sensitivity of the data and the service-level changes over time.

As a customer of the cloud, you should start with the exercise of understanding the trust boundary of your services in the cloud. You should understand all the layers you own, touch, or interface with in the cloud service—network, ...

Get Cloud Security and Privacy now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.