Page 1 of 336
DOCUMENT INFORMATION
Structure
Table of Contents
Preface
Who Should Read This Book
What’s in This Book
Conventions Used in This Book
Using Code Examples
Safari® Books Online
How to Contact Us
Acknowledgments
From Tim Mather
From Subra Kumaraswamy
From Shahed Latif
Chapter 1. Introduction
“Mind the Gap”
The Evolution of Cloud Computing
Summary
Chapter 2. What Is Cloud Computing?
Cloud Computing Defined
The SPI Framework for Cloud Computing
Relevant Technologies in Cloud Computing
Cloud access devices
Browsers and thin clients
High-speed broadband access
Data centers and server farms
Storage devices
Virtualization technologies
APIs
The Traditional Software Model
The Cloud Services Delivery Model
The Software-As-a-Service Model
The Platform-As-a-Service Model
The Infrastructure-As-a-Service Model
Cloud Deployment Models
Public Clouds
Private Clouds
Hybrid Clouds
Key Drivers to Adopting the Cloud
Small Initial Investment and Low Ongoing Costs
Economies of Scale
Open Standards
Sustainability
The Impact of Cloud Computing on Users
Individual Consumers
Individual Businesses
Start-ups
Small and Medium-Size Businesses (SMBs)
Enterprise Businesses
Governance in the Cloud
Barriers to Cloud Computing Adoption in the Enterprise
Security
Privacy
Connectivity and Open Access
Reliability
Interoperability
Independence from CSPs
Economic Value
IT Governance
Changes in the IT Organization
Political Issues Due to Global Boundaries
Summary
Chapter 3. Infrastructure Security
Infrastructure Security: The Network Level
Ensuring Data Confidentiality and Integrity
Ensuring Proper Access Control
Ensuring the Availability of Internet-Facing Resources
Replacing the Established Model of Network Zones and Tiers with Domains
Network-Level Mitigation
Infrastructure Security: The Host Level
SaaS and PaaS Host Security
IaaS Host Security
Virtualization Software Security
Threats to the hypervisor
Virtual Server Security
Securing virtual servers
Infrastructure Security: The Application Level
Application-Level Security Threats
DoS and EDoS
End User Security
Who Is Responsible for Web Application Security in the Cloud?
SaaS Application Security
PaaS Application Security
PaaS application container
Customer-Deployed Application Security
IaaS Application Security
Public Cloud Security Limitations
Summary
Chapter 4. Data Security and Storage
Aspects of Data Security
Data Security Mitigation
Provider Data and Its Security
Storage
Confidentiality
Integrity
Availability
Summary
Chapter 5. Identity and Access Management
Trust Boundaries and IAM
Why IAM?
IAM Challenges
IAM Definitions
IAM Architecture and Practice
Getting Ready for the Cloud
Relevant IAM Standards and Protocols for Cloud Services
IAM Standards and Specifications for Organizations
Security Assertion Markup Language (SAML)
Service Provisioning Markup Language (SPML)
eXtensible Access Control Markup Language (XACML)
Open Authentication (OAuth)
IAM Standards, Protocols, and Specifications for Consumers
OpenID
Information cards
Open Authentication (OATH)
Open Authentication API (OpenAuth)
Comparison of Enterprise and Consumer Authentication Standards and Protocols
IAM Practices in the Cloud
Cloud Identity Administration
Federated Identity (SSO)
Enterprise identity provider
Identity management-as-a-service
Cloud Authorization Management
IAM Support for Compliance Management
Cloud Service Provider IAM Practice
SaaS
Customer responsibilities
CSP responsibilities
PaaS
IaaS
Guidance
Summary
Chapter 6. Security Management in the Cloud
Security Management Standards
ITIL
ISO 27001/27002
Security Management in the Cloud
Availability Management
Factors Impacting Availability
SaaS Availability Management
Customer Responsibility
SaaS Health Monitoring
PaaS Availability Management
Customer Responsibility
PaaS Health Monitoring
IaaS Availability Management
IaaS Health Monitoring
Access Control
Access Control in the Cloud
Access Control: SaaS
Access Control: PaaS
Access Control: IaaS
CSP infrastructure access control
Customer virtual infrastructure access control
Access Control Summary
Security Vulnerability, Patch, and Configuration Management
Security Vulnerability Management
Security Patch Management
Security Configuration Management
SaaS VPC Management
SaaS provider responsibilities
SaaS customer responsibilities
PaaS VPC Management
PaaS provider responsibilities
PaaS customer responsibilities
IaaS VPC Management
IaaS provider responsibilities
IaaS customer responsibilities
Intrusion Detection and Incident Response
Customer Versus CSP Responsibilities
Caveats
Summary
Chapter 7. Privacy
What Is Privacy?
What Is the Data Life Cycle?
What Are the Key Privacy Concerns in the Cloud?
Who Is Responsible for Protecting Privacy?
Changes to Privacy Risk Management and Compliance in Relation to Cloud Computing
Collection Limitation Principle
Use Limitation Principle
Security Principle
Retention and Destruction Principle
Transfer Principle
Accountability Principle
Legal and Regulatory Implications
U.S. Laws and Regulations
Federal Rules of Civil Procedure
USA Patriot Act
Electronic Communications Privacy Act
FISMA
GLBA
HIPAA
HITECH Act
International Laws and Regulations
EU Directive
APEC Privacy Framework
Summary
Chapter 8. Audit and Compliance
Internal Policy Compliance
Governance, Risk, and Compliance (GRC)
Benefits of GRC for CSPs
GRC Program Implementation
Illustrative Control Objectives for Cloud Computing
A.5 Security policy
A.6 Organization of information security
A.7 Asset management
A.8 Human resources security
A.9 Physical and environmental security
A.10 Communications and operations management
A.11 Access control
A.12 Information systems acquisition, development, and maintenance
A.13 Information security incident management
A.14 Business continuity management
A.15 Compliance
Incremental CSP-Specific Control Objectives
Asset management, access control
Information systems acquisition, development, and maintenance
Communications and operations management
Access control
Compliance
Additional Key Management Control Objectives
Key management
Control Considerations for CSP Users
Access control
Information systems acquisition, development, and maintenance
Organization of information security
Regulatory/External Compliance
Sarbanes-Oxley Act
Cloud computing impact of SOX
PCI DSS
Cloud computing impact of PCI DSS
HIPAA
Administrative safeguards
Assigned security responsibility
Physical safeguards
Technical safeguards
Summary of HIPAA privacy standards
Cloud computing impact of HIPAA
Other Requirements
The Control Objectives for Information and Related Technology (COBIT)
Cloud computing impact of COBIT
Cloud Security Alliance
Auditing the Cloud for Compliance
Internal Audit Perspective
External Audit Perspective
Audit framework
SAS 70
SysTrust
WebTrust
ISO 27001 certification
Comparison of Approaches
Summary
Chapter 9. Examples of Cloud Service Providers
Amazon Web Services (IaaS)
Google (SaaS, PaaS)
Microsoft Azure Services Platform (PaaS)
Proofpoint (SaaS, IaaS)
RightScale (IaaS)
Salesforce.com (SaaS, PaaS)
Sun Open Cloud Platform
Workday (SaaS)
Summary
Chapter 10. Security-As-a-[Cloud] Service
Origins
Today’s Offerings
Email Filtering
Web Content Filtering
Vulnerability Management
Identity Management-As-a-Service
Summary
Chapter 11. The Impact of Cloud Computing on the Role of Corporate IT
Why Cloud Computing Will Be Popular with Business Units
Low-Cost Solution
Responsiveness/Flexibility
IT Expense Matches Transaction Volume
Business Users Are in Direct Control of Technology Decisions
The Line Between Home Computing Applications and Enterprise Applications Will Blur
Potential Threats of Using CSPs
Vested Interest of Cloud Providers
Loss of Control Over the Use of Technologies
Perceived High Risk of Using Cloud Computing
Portability and Lock-in to Proprietary Systems for CSPs
Lack of Integration and Componentization
ERP Vendors Offer SaaS
A Case Study Illustrating Potential Changes in the IT Profession Caused by Cloud Computing
Governance Factors to Consider When Using Cloud Computing
Summary
Chapter 12. Conclusion, and the Future of the Cloud
Analyst Predictions
Survey Says?
Security in Cloud Computing
Infrastructure Security
Data Security and Storage
Identity and Access Management
Security Management
Privacy
Audit and Compliance
Security-As-a-[Cloud]-Service
Impact of Cloud Computing on the Role of Corporate IT
Program Guidance for CSP Customers
Security Leadership
Security Governance
Security Assurance
Security Management
User Management
Technology Controls
Technology Protection and Continuity
Overall Guidance
The Future of Security in Cloud Computing
Infrastructure Security
Data Security and Storage
Identity and Access Management
Security Management
Privacy
Audit and Compliance
Impact of Cloud Computing on the Role of Corporate IT
Summary
Appendix A. SAS 70 Report Content Example
Section I: Service Auditor’s Opinion
Section II: Description of Controls
Section III: Control Objectives, Related Controls, and Tests of Operating Effectiveness
Section IV: Additional Information Provided by the Service Organization
Appendix B. SysTrust Report Content Example
SysTrust Auditor’s Opinion
* American Institute of Certified Public Accountants (AICPA), Trust Services Principles, Criteria and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (Including WebTrust® and SysTrust®), 2006. Available at http://www.webtrust.org. [Trust Services Principles]
SysTrust Management Assertion
SysTrust System Description
SysTrust Schedule of Controls
Appendix C. Open Security Architecture for Cloud Computing
Legend
Description
Key Control Areas
Examples
Assumptions
Typical Challenges
Indications
Contraindications
Resistance Against Threats
References
Control Details
Glossary
Index
Contents
[...] availability.

Chapter 5, Identity and Access Management
Explains the identity and access management (IAM) practice and support capabilities for authentication, authorization, and auditing of users who access cloud services.

Chapter 6, Security Management in the Cloud
Depicts security management frameworks and the standards that are relevant for the cloud.

Chapter 7, Privacy
Introduces privacy aspects to consider [...]

[...] facet of cloud computing. Some of these groups are established (e.g., the National Institute of Standards and Technology efforts to promote standardization in cloud computing), and some of them are brand new, having emerged only with the appearance of this new computing model (e.g., the Cloud Security Alliance’s promotion of security in cloud computing, or the Open Cloud Manifesto’s promotion of cloud [...]

[...] consider within the context of cloud computing, and analyzes the similarities and differences with traditional computing models. Additionally, in this chapter we highlight legal and regulatory implications related to privacy in the cloud.

Chapter 8, Audit and Compliance
Reveals the importance of audit and compliance functions within the cloud, and the various standards and frameworks to consider.

* Vaquero, [...]

[...] Security-As-a-[Cloud] Service
Looks at a different facet of cloud computing security: security delivered as a service unto itself through the cloud. This security-as-a-[cloud] service (SaaS) is also an emerging space, and in this chapter we look at what some of those cloud security services are.

Chapter 11, The Impact of Cloud Computing on the Role of Corporate IT
Looks at the impact of cloud computing [...]

[...] Infrastructure Security
Describes the IT infrastructure security capabilities that cloud services generally offer. IT infrastructure security refers to the established security capabilities at the network, host, and application levels.

Chapter 4, Data Security and Storage
Examines the current state of data security and the storage of data in the cloud, including aspects of confidentiality, integrity, and availability [...]

[...] auditing, and compliance for both the cloud service provider (CSP) and the customer.

Is security in cloud computing a bad thing? The answer depends on what you use cloud computing for, and your expectations. If you are a large organization with significant resources to devote to a sophisticated information security program, you need to overcome a number of security, privacy, and [...]

[...] chant “cloud computing good” while at the same time saying “cloud security bad.” But what does that really mean? Exactly what is wrong with security in cloud computing? The purpose of this book is to answer those questions through a systematic investigation of what constitutes cloud computing and what security it offers. As such, this book also explores the implications of cloud computing security on privacy, [...]

[...] elasticity. Cloud computing has generated significant interest in the marketplace and is forecasted for high growth, as illustrated in Figure 2-2, which highlights the recent notable cloud launches and the current and projected revenues for cloud-based services.

FIGURE 2-2. Recent notable cloud launches (top) and spending on cloud-based services (bottom)

Cloud [...]

[...] enterprise and the cloud.

Data centers and server farms
Cloud-based services require large computing capacity and are hosted in data centers and server farms. These distributed data centers and server farms span multiple locations and can be linked via internetworks providing distributed computing and service delivery capabilities. A number of examples today illustrate the flexibility and scalability of cloud [...]

[...] potential of cloud computing and mask the complexity involved in extending existing IT management processes and practices to cloud services. APIs offered by IaaS cloud service providers (CSPs) such as Amazon EC2, Sun Cloud, and GoGrid allow users to create and manage cloud resources, including compute, storage, and networking components. In this case, use of the API is via HTTP. The GET, POST, PUT, and DELETE [...]

[...] risks yet to be discovered and managed. Cloud Security and Privacy is a book for everyone who is interested in understanding the risks and rewards of cloud computing and for those who seek to [...]

Cloud Security and Privacy
Tim Mather, Subra Kumaraswamy, and Shahed Latif
Beijing • Cambridge • Farnham • Köln • Sebastopol • Taipei • Tokyo