Rights Contact Login For More Details
- Wiley
More About This Title Cloud Security: A Comprehensive Guide to Secure Cloud Computing
- English
English
Cloud computing allows for both large and small organizations to have the opportunity to use Internet-based services so that they can reduce start-up costs, lower capital expenditures, use services on a pay-as-you-use basis, access applications only as needed, and quickly reduce or increase capacities. However, these benefits are accompanied by a myriad of security issues, and this valuable book tackles the most common security challenges that cloud computing faces.
The authors offer you years of unparalleled expertise and knowledge as they discuss the extremely challenging topics of data ownership, privacy protections, data mobility, quality of service and service levels, bandwidth costs, data protection, and support.
As the most current and complete guide to helping you find your way through a maze of security minefields, this book is mandatory reading if you are involved in any aspect of cloud computing.
Coverage Includes:
Cloud Computing FundamentalsCloud Computing ArchitectureCloud Computing Software Security FundamentalsCloud Computing Risks IssuesCloud Computing Security ChallengesCloud Computing Security ArchitectureCloud Computing Life Cycle IssuesUseful Next Steps and Approaches- English
English
Russell Dean Vines is Chief Security Advisor for Gotham Technology Group, LLC, and has been an information systems security expert for over 25 years. They coauthored the bestselling CISSP Prep Guide.
- English
English
Foreword xxi
Introduction xxiii
Chapter 1 Cloud Computing Fundamentals 1
What Cloud Computing Isn’t 7
Alternative Views 8
Essential Characteristics 9
On-Demand Self-Service 9
Broad Network Access 10
Location-Independent Resource Pooling 10
Rapid Elasticity 10
Measured Service 11
Architectural Influences 11
High-Performance Computing 11
Utility and Enterprise Grid Computing 14
Autonomic Computing 15
Service Consolidation 16
Horizontal Scaling 16
Web Services 17
High-Scalability Architecture 18
Technological Influences 18
Universal Connectivity 18
Commoditization 19
Excess Capacity 20
Open-Source Software 21
Virtualization 22
Operational Influences 23
Consolidation 23
Outsourcing 26
Outsourcing Legal Issues 26
Business Process Outsourcing (BPO) Issues 28
IT Service Management 30
Automation 31
Summary 31
Chapter 2 Cloud Computing Architecture 33
Cloud Delivery Models 34
The SPI Framework 34
SPI Evolution 34
The SPI Framework vs. the Traditional IT Model 35
Cloud Software as a Service (SaaS) 37
Benefits of the SaaS Model 38
Cloud Platform as a Service (PaaS) 39
Cloud Infrastructure as a Service (IaaS) 41
Cloud Deployment Models 43
Public Clouds 44
Community Clouds 46
Private Clouds 48
Hybrid Clouds 49
Alternative Deployment Models 50
The Linthicum Model 50
The Jericho Cloud Cube Model 51
Expected Benefits 55
Flexibility and Resiliency 56
Reduced Costs 57
Centralization of Data Storage 58
Reduced Time to Deployment 58
Scalability 58
Summary 59
Chapter 3 Cloud Computing Software Security Fundamentals 61
Cloud Information Security Objectives 62
Confidentiality, Integrity, and Availability 63
Confidentiality 63
Integrity 64
Availability 64
Cloud Security Services 64
Authentication 64
Authorization 64
Auditing 65
Accountability 66
Relevant Cloud Security Design Principles 66
Least Privilege 67
Separation of Duties 67
Defense in Depth 67
Fail Safe 68
Economy of Mechanism 68
Complete Mediation 68
Open Design 69
Least Common Mechanism 69
Psychological Acceptability 69
Weakest Link 70
Leveraging Existing Components 70
Secure Cloud Software Requirements 70
Secure Development Practices 71
Handling Data 71
Code Practices 72
Language Options 73
Input Validation and Content Injection 73
Physical Security of the System 73
Approaches to Cloud Software Requirements Engineering 74
A Resource Perspective on Cloud Software Security Requirements 75
Goal-Oriented Software Security Requirements 76
Monitoring Internal and External Requirements 77
Cloud Security Policy Implementation and Decomposition 78
Implementation Issues 79
Decomposing Critical Security Issues into Secure Cloud Software Requirements 81
NIST 33 Security Principles 85
Secure Cloud Software Testing 86
Testing for Security Quality Assurance 87
Conformance Testing 89
Functional Testing 90
Performance Testing 92
Security Testing 94
Cloud Penetration Testing 99
Legal and Ethical Implications 100
The Three Pre-Test Phases 103
Penetration Testing Tools and Techniques 105
Regression Testing 111
Cloud Computing and Business Continuity Planning/Disaster
Recovery 113
Definitions 113
General Principles and Practices 114
Disaster Recovery Planning 114
Business Continuity Planning 117
Using the Cloud for BCP/DRP 119
Redundancy Provided by the Cloud 119
Secure Remote Access 120
Integration into Normal Business Processes 120
Summary 120
Chapter 4 Cloud Computing Risk Issues 125
The CIA Triad 125
Confidentiality 125
Integrity 126
Availability 126
Other Important Concepts 127
Privacy and Compliance Risks 127
The Payment Card Industry Data Security Standard (PCI DSS) 128
Information Privacy and Privacy Laws 130
Threats to Infrastructure, Data, and Access Control 141
Common Threats and Vulnerabilities 141
Logon Abuse 143
Inappropriate System Use 143
Eavesdropping 143
Network Intrusion 144
Denial-of-Service (DoS) Attacks 144
Session Hijacking Attacks 144
Fragmentation Attacks 145
Cloud Access Control Issues 145
Database Integrity Issues 146
Cloud Service Provider Risks 147
Back-Door 148
Spoofing 148
Man-in-the-Middle 148
Replay 148
TCP Hijacking 149
Social Engineering 149
Dumpster Diving 149
Password Guessing 150
Trojan Horses and Malware 150
Summary 151
Chapter 5 Cloud Computing Security Challenges 153
Security Policy Implementation 154
Policy Types 154
Senior Management Statement of Policy 155
Regulatory Policies 155
Advisory Policies 155
Informative Policies 155
Computer Security Incident Response Team (CSIRT) 156
Virtualization Security Management 157
Virtual Threats 158
Hypervisor Risks 163
Increased Denial of Service Risk 164
VM Security Recommendations 165
Best Practice Security Techniques 165
VM-Specific Security Techniques 169
Hardening the Virtual Machine 169
Securing VM Remote Access 172
Summary 173
Chapter 6 Cloud Computing Security Architecture 177
Architectural Considerations 178
General Issues 178
Compliance 178
Security Management 179
Information Classification 181
Employee Termination 185
Security Awareness, Training, and Education 186
Trusted Cloud Computing 188
Trusted Computing Characteristics 188
Secure Execution Environments and Communications 191
Secure Execution Environment 191
Secure Communications 191
Microarchitectures 203
Identity Management and Access Control 204
Identity Management 205
Passwords 205
Tokens 206
Memory Cards 207
Smart Cards 207
Biometrics 207
Implementing Identity Management 209
Access Control 210
Controls 210
Models for Controlling Access 211
Single Sign-On (SSO) 212
Autonomic Security 213
Autonomic Systems 213
Autonomic Protection 215
Autonomic Self-Healing 215
Summary 216
Chapter 7 Cloud Computing Life Cycle Issues 217
Standards 218
Jericho Forum 218
The Distributed Management Task Force (DMTF) 219
The DMTF Open Virtualization Format (OVF) 219
The DMTF Open Cloud Standards Incubator 220
The International Organization for Standardization (ISO) 220
ISO 27001 220
ISO 27002 222
ISO 27003 222
ISO 27004 223
ISO 27005 223
ISO 27006 224
International Organization for Standardization/International Electrotechnical Commission ISO/IEC 29361, ISO/IEC 29362, and ISO/IEC 29363 Standards 224
Distributed Application Platforms and Services 225
The European Telecommunications Standards Institute (ETSI) 226
The Organization for the Advancement of Structured Information Standards (OASIS) 226
Storage Networking Industry Association (SNIA) 226
Open Grid Forum (OGF) 227
The Open Web Application Security Project (OWASP) 227
OWASP Top Ten Project 227
OWASP Development Guide 228
OWASP Code Review Guide 229
OWASP Testing Guide 230
Incident Response 231
NIST Special Publication 800-61 231
Preparation 232
Detection and Analysis 232
Containment, Eradication, and Recovery 233
Post-Incident Activity 234
NIST Incident-Handling Summary 234
Internet Engineering Task Force Incident-Handling Guidelines 234
Layered Security and IDS 236
Intrusion Detection 236
IDS Issues 240
Computer Security and Incident Response Teams 241
CERT/CC 242
FedCIRC 242
Forum of Incident Response and Security Teams 243
Security Incident Notification Process 243
Automated Notice and Recovery Mechanisms 244
Encryption and Key Management 246
VM Architecture 246
Key Protection Countermeasures 247
Hardware Protection 248
Software-Based Protection 249
Data Deduplication 250
Hashing 251
Retirement 252
VM Life Cycle 252
Overwriting 253
Degaussing 254
Destruction 254
Record Retention 255
Data Remanence 255
Due Care and Due Diligence 255
Documentation Control 256
Summary 256
Chapter 8 Useful Next Steps and Approaches 259
Getting Answers 259
What Services Should Be Moved to the Cloud? 260
What Questions Should You Ask Your Cloud Provider? 261
When Should You Use a Public, Private, or Hybrid Cloud? 262
Getting Help 264
Cloud Security Alliance 264
Cloud Computing Google Groups 265
Cloud Computing Interoperability Forum 266
Open Cloud Consortium 266
Getting Started 267
Top Ten List 267
1. Assess Your Data’s Sensitivity 268
2. Analyze the Risks vs. Benefits of Cloud Computing 271
3. Define Business Objectives 273
4. Understand the Underlying Structure of Your Network 273
5. Implement Traditional Best Practice Security Solutions 274
6. Employ Virtualization Best Practices 274
7. Prevent Data Loss with Backups 275
8. Monitor and Audit 275
9. Seek Out Advice 276
10. Employ Deception 277
Parting Words 277
Glossary of Terms and Acronyms 279
References 345
Index 349
- English