Securing the Cloud. Cloud Computer Security Techniques and Tactics. Vic (J.R.) Winkler. Technical Editor Bill Meine ELSEVIER

Title page: Syngress is an imprint of Elsevier (Amsterdam, Boston, Heidelberg, London, New York, Oxford, Paris, San Diego, San Francisco, Singapore, Sydney, Tokyo).

Contents
  Acknowledgments  xiii
  About the Author  xv
  About the Technical Editor  xvii
  Introduction  xix

CHAPTER 1  Introduction to Cloud Computing and Security  1
  Understanding Cloud Computing  1
  Cloud Scale, Patterns, and Operational Efficiency  2
  A Synergistic Trick  3
  Elasticity, Shape Shifting, and Security  3
  The IT Foundation for Cloud  4
  Cloud Computing as Foundation for Cloud Services  5
  Cloud Computing Qualities  7
  The Bottom Line  8
  An Historical View: Roots of Cloud Computing  10
  Decentralization and Proliferation  10
  Networking, the Internet, and the Web  11
  Virtualization  12
  A Brief Primer on Security: From 50,000 ft  13
  Terminology and Principles  14
  Risk Management  17
  Security Must Become a Business Enabler  17
  A Brief Primer on Architecture  18
  Systems Engineering  19
  IT Architecture  20
  Security Architecture: A Brief Discussion  20
  Defense in Depth  23
  Cloud Is Driving Broad Changes  23
  Cloud Works Today  24
  Valid Concerns  25
  Summary  26
  Endnotes  26

CHAPTER 2  Cloud Computing Architecture  29
  Cloud Reference Architecture  29
  Revisiting Essential Characteristics  30
  Cloud Service Models  33
  Cloud Deployment Models  35
  Control over Security in the Cloud Model  37
  Cloud Application Programming Interfaces  39
  Making Sense of Cloud Deployment  39
  Public Clouds  40
  Private Clouds  40
  Community Clouds  41
  Hybrid Clouds  41
  Making Sense of Services Models  43
  Cloud Software-as-a-Service  43
  Cloud Platform-as-a-Service  43
  Cloud Infrastructure-as-a-Service  43
  How Clouds Are Formed and Key Examples  44
  Using Virtualization to Form Clouds  45
  Using Applications or Services to Form Clouds  48
  Real-world Cloud Usage Scenarios  49
  Virtualization Formed Clouds  49
  Application/Service Formed Clouds  51
  Hybrid Cloud Models  52
  Summary  52
  Endnotes  52

CHAPTER 3  Security Concerns, Risk Issues, and Legal Aspects  55
  Cloud Computing: Security Concerns  56
  A Closer Examination: Virtualization  57
  A Closer Examination: Provisioning  62
  A Closer Examination: Cloud Storage  64
  A Closer Examination: Cloud Operation, Security, and Networking  66
  Assessing Your Risk Tolerance in Cloud Computing  67
  Assessing the Risk  68
  Information Assets and Risk  69
  Privacy and Confidentiality Concerns  70
  Data Ownership and Locale Concerns  71
  Auditing and Forensics  72
  Emerging Threats  73
  So, Is It Safe?  73
  Legal and Regulatory Issues  74
  Third Parties  75
  Data Privacy  79
  Litigation  84
  Summary  85
  Endnotes  87

CHAPTER 4  Securing the Cloud: Architecture  89
  Security Requirements for the Architecture  91
  Physical Security  91
  Cloud Security Standards and Policies  93
  Cloud Security Requirements  94
  Security Patterns and Architectural Elements  102
  Defense In-depth  102
  Honeypots  104
  Sandboxes  104
  Network Patterns  104
  The Importance of a CMDB  107
  Cabling Patterns  109
  Resilience and Grace  110
  Planning for Change  111
  Cloud Security Architecture  111
  Cloud Maturity and How It Relates to Security  112
  Jericho Forum  113
  Representative Commercial Cloud Architectures  114
  Representative Cloud Security Architectures  115
  Planning Key Strategies for Secure Operation  121
  Classifying Data and Systems  121
  Define Valid Roles for Cloud Personnel and Customers  122
  Summary  123
  Endnotes  123

CHAPTER 5  Securing the Cloud: Data Security  125
  Overview of Data Security in Cloud Computing  125
  Control over Data and Public Cloud Economics  126
  Organizational Responsibility: Ownership and Custodianship  127
  Data at Rest  128
  Data in Motion  130
  Common Risks with Cloud Data Security  130
  Data Encryption: Applications and Limits  132
  Overview of Cryptographic Techniques  133
  Common Mistakes or Errors with Data Encryption  135
  Cloud Data Security: Sensitive Data Categorization  137
  Authentication and Identity  137
  Access Control Techniques  138
  Data Categorization and the Use of Data Labels  140
  Application of Encryption for Data at Rest  141
  Application of Encryption for Data in Motion  142
  Impediments to Encryption in the Cloud  143
  Deletion of Data  143
  Data Masking  144
  Cloud Data Storage  145
  Cloud Lock-in (the Roach Motel Syndrome)  146
  Metadata  148
  Avoiding Cloud Lock-in (the Roach Motel Syndrome)  149
  Summary  150
  Endnotes  151

CHAPTER 6  Securing the Cloud: Key Strategies and Best Practices  153
  Overall Strategy: Effectively Managing Risk  154
  Risk Management: Stages and Activities  154
  Overview of Security Controls  156
  Cloud Security Controls Must Meet Your Needs  156
  NIST Definitions for Security Controls  157
  Unclassified Models  158
  Classified Model  160
  The Cloud Security Alliance Approach  161
  The Limits of Security Controls  162
  Security Exposure Will Vary over Time  164
  Exploits Don't Play Fair  164
  Best Practices  165
  Best Practices for Cloud Computing: First Principals  165
  Best Practices across the Cloud Community  170
  Other Best Practices for Cloud Computing: Cloud Service Consumers  172
  Other Best Practices for Cloud Computing: Cloud Service Providers  173
  Security Monitoring  174
  The Purpose of Security Monitoring  176
  Transforming an Event Stream  177
  The Need for C.I.A. in Security Monitoring  183
  The Opportunity for MaaS  184
  Summary  184
  Endnotes  185

CHAPTER 7  Security Criteria: Building an Internal Cloud  187
  Private Clouds: Motivation and Overview  187
  Security Implications: Shared versus Dedicated Resources  189
  Considerations for Achieving Cost Savings  190
  Private Clouds: The Castle Keep?  193
  Analysis to Support Architecture Decisions  194
  Security Criteria for Ensuring a Private Cloud  195
  Network Considerations  196
  Data Center Considerations  202
  Operational Security Considerations  206
  Regulation  208
  Summary  209
  Endnotes  210

CHAPTER 8  Security Criteria: Selecting an External Cloud Provider  211
  Selecting a CSP: Overview of Assurance  211
  Vendor Claims and Independent Verification  212
  Selecting a CSP: Vendor Transparency  215
  Selecting a CSP: Overview of Risks  217
  Risk Will Vary by Customer and by CSP  217
  Assessing Risk Factors  218
  Selecting a CSP: Security Criteria  224
  Security Criteria: Revisiting Defense-in-depth  225
  Security Criteria: Other Considerations  227
  Additional Security-relevant Criteria  229
  Summary  232
  Endnotes  232

CHAPTER 9  Evaluating Cloud Security: An Information Security Framework  233
  Evaluating Cloud Security  234
  Existing Work on Cloud Security Guidance or Frameworks  235
  Checklists for Evaluating Cloud Security  237
  Foundational Security  238
  Business Considerations  240
  Defense-in-depth  242
  Operational Security  246
  Metrics for the Checklists  249
  Summary  249
  Endnotes  250

CHAPTER 10  Operating a Cloud  253
  From Architecture to Efficient and Secure Operations  255
  The Scope of Planning  255
  Physical Access, Security, and Ongoing Costs  256
  Logical and Virtual Access  257
  Personnel Security  257
  From the Physical Environment to the Logical  259
  Bootstrapping Secure Operations  260
  The Refinement of Procedures and Processes over Time  260
  Efficiency and Cost  260
  Security Operations Activities  262
  Server Builds  263
  Business Continuity, Backup, and Recovery  265
  Managing Changes in Operational Environments  266
  Information Security Management  269
  Vulnerability and Penetration Testing  270
  Security Monitoring and Response  271
  Best Practices  274
  Resilience in Operations  275
  Summary  275
  Endnotes  277

Index  279