book

Cloud Security and Privacy

by Tim Mather, Subra Kumaraswamy, Shahed Latif

September 2009

Intermediate to advanced

338 pages

11h 12m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Cloud Security and Privacy
SPECIAL OFFER: Upgrade this ebook with O’Reilly
Preface
Who Should Read This BookWhat’s in This BookConventions Used in This BookUsing Code ExamplesSafari® Books OnlineHow to Contact UsAcknowledgmentsFrom Tim MatherFrom Subra KumaraswamyFrom Shahed Latif
1. Introduction
“Mind the Gap”The Evolution of Cloud ComputingSummary
2. What Is Cloud Computing?
Cloud Computing DefinedThe SPI Framework for Cloud ComputingRelevant Technologies in Cloud ComputingCloud access devicesBrowsers and thin clientsHigh-speed broadband accessData centers and server farmsStorage devicesVirtualization technologiesAPIsThe Traditional Software ModelThe Cloud Services Delivery ModelThe Software-As-a-Service ModelThe Platform-As-a-Service ModelThe Infrastructure-As-a-Service ModelCloud Deployment ModelsPublic CloudsPrivate CloudsHybrid CloudsKey Drivers to Adopting the CloudSmall Initial Investment and Low Ongoing CostsEconomies of ScaleOpen StandardsSustainabilityThe Impact of Cloud Computing on UsersIndividual ConsumersIndividual BusinessesStart-upsSmall and Medium-Size Businesses (SMBs)Enterprise BusinessesGovernance in the CloudBarriers to Cloud Computing Adoption in the EnterpriseSecurityPrivacyConnectivity and Open AccessReliabilityInteroperabilityIndependence from CSPsEconomic ValueIT GovernanceChanges in the IT OrganizationPolitical Issues Due to Global BoundariesSummary
3. Infrastructure Security
Infrastructure Security: The Network LevelEnsuring Data Confidentiality and IntegrityEnsuring Proper Access ControlEnsuring the Availability of Internet-Facing ResourcesReplacing the Established Model of Network Zones and Tiers with DomainsNetwork-Level MitigationInfrastructure Security: The Host LevelSaaS and PaaS Host SecurityIaaS Host SecurityVirtualization Software SecurityThreats to the hypervisorVirtual Server SecuritySecuring virtual serversInfrastructure Security: The Application LevelApplication-Level Security ThreatsDoS and EDoSEnd User SecurityWho Is Responsible for Web Application Security in the Cloud?SaaS Application SecurityPaaS Application SecurityPaaS application containerCustomer-Deployed Application SecurityIaaS Application SecurityPublic Cloud Security LimitationsSummary
4. Data Security and Storage
Aspects of Data SecurityData Security MitigationProvider Data and Its SecurityStorageConfidentialityIntegrityAvailabilitySummary
5. Identity and Access Management
Trust Boundaries and IAMWhy IAM?IAM ChallengesIAM DefinitionsIAM Architecture and PracticeGetting Ready for the CloudRelevant IAM Standards and Protocols for Cloud ServicesIAM Standards and Specifications for OrganizationsSecurity Assertion Markup Language (SAML)Service Provisioning Markup Language (SPML)eXensible Access Control Markup Language (XACML)Open Authentication (OAuth)IAM Standards, Protocols, and Specifications for ConsumersOpenIDInformation cardsOpen Authentication (OATH)Open Authentication API (OpenAuth)Comparison of Enterprise and Consumer Authentication Standards and ProtocolsIAM Practices in the CloudCloud Identity AdministrationFederated Identity (SSO)Enterprise identity providerIdentity management-as-a-serviceCloud Authorization ManagementIAM Support for Compliance ManagementCloud Service Provider IAM PracticeSaaSCustomer responsibilitiesCSP responsibilitiesPaaSIaaSGuidanceSummary
6. Security Management in the Cloud
Security Management StandardsITILISO 27001/27002Security Management in the CloudAvailability ManagementFactors Impacting AvailabilitySaaS Availability ManagementCustomer ResponsibilitySaaS Health MonitoringPaaS Availability ManagementCustomer ResponsibilityPaaS Health MonitoringIaaS Availability ManagementIaaS Health MonitoringAccess ControlAccess Control in the CloudAccess Control: SaaSAccess Control: PaaSAccess Control: IaaSCSP infrastructure access controlCustomer virtual infrastructure access controlAccess Control SummarySecurity Vulnerability, Patch, and Configuration ManagementSecurity Vulnerability ManagementSecurity Patch ManagementSecurity Configuration ManagementSaaS VPC ManagementSaaS provider responsibilitiesSaaS customer responsibilitiesPaaS VPC ManagementPaaS provider responsibilitiesPaaS customer responsibilitiesIaaS VPC ManagementIaaS provider responsibilitiesIaaS customer responsibilitiesIntrusion Detection and Incident ResponseCustomer Versus CSP ResponsibilitiesCaveatsSummary
7. Privacy
What Is Privacy?What Is the Data Life Cycle?What Are the Key Privacy Concerns in the Cloud?Who Is Responsible for Protecting Privacy?Changes to Privacy Risk Management and Compliance in Relation to Cloud ComputingCollection Limitation PrincipleUse Limitation PrincipleSecurity PrincipleRetention and Destruction PrincipleTransfer PrincipleAccountability PrincipleLegal and Regulatory ImplicationsU.S. Laws and RegulationsFederal Rules of Civil ProcedureUSA Patriot ActElectronic Communications Privacy ActFISMAGLBAHIPAAHITECH ActInternational Laws and RegulationsEU DirectiveAPEC Privacy FrameworkSummary

8. Audit and Compliance
Internal Policy ComplianceGovernance, Risk, and Compliance (GRC)Benefits of GRC for CSPsGRC Program ImplementationIllustrative Control Objectives for Cloud ComputingA.5 Security policyA.6 Organization of information securityA.7 Asset managementA.8 Human resources securityA.9 Physical and environmental securityA.10 Communications and operations managementA.11 Access controlA.12 Information systems acquisition, development, and maintenanceA.13 Information security incident managementA.14 Business continuity managementA.15 ComplianceIncremental CSP-Specific Control ObjectivesAsset management, access controlInformation systems acquisition, development, and maintenanceCommunications and operations managementAccess controlComplianceAdditional Key Management Control ObjectivesKey managementControl Considerations for CSP UsersAccess controlInformation systems acquisition, development, and maintenanceOrganization of information securityRegulatory/External ComplianceSarbanes-Oxley ActCloud computing impact of SOXPCI DSSCloud computing impact of PCI DSSHIPAAAdministrative safeguardsAssigned security responsibilityPhysical safeguardsTechnical safeguardsSummary of HIPAA privacy standardsCloud computing impact of HIPAAOther RequirementsThe Control Objectives for Information and Related Technology (COBIT)Cloud computing impact of COBITCloud Security AllianceAuditing the Cloud for ComplianceInternal Audit PerspectiveExternal Audit PerspectiveAudit frameworkSAS 70SysTrustWebTrustISO 27001 certificationComparison of ApproachesSummary
9. Examples of Cloud Service Providers
Amazon Web Services (IaaS)Google (SaaS, PaaS)Microsoft Azure Services Platform (PaaS)Proofpoint (SaaS, IaaS)RightScale (IaaS)Salesforce.com (SaaS, PaaS)Sun Open Cloud PlatformWorkday (SaaS)Summary
10. Security-As-a-[Cloud] Service
OriginsToday’s OfferingsEmail FilteringWeb Content FilteringVulnerability ManagementIdentity Management-As-a-ServiceSummary
11. The Impact of Cloud Computing on the Role of Corporate IT
Why Cloud Computing Will Be Popular with Business UnitsLow-Cost SolutionResponsiveness/FlexibilityIT Expense Matches Transaction VolumeBusiness Users Are in Direct Control of Technology DecisionsThe Line Between Home Computing Applications and Enterprise Applications Will BlurPotential Threats of Using CSPsVested Interest of Cloud ProvidersLoss of Control Over the Use of TechnologiesPerceived High Risk of Using Cloud ComputingPortability and Lock-in to Proprietary Systems for CSPsLack of Integration and ComponentizationERP Vendors Offer SaaSA Case Study Illustrating Potential Changes in the IT Profession Caused by Cloud ComputingGovernance Factors to Consider When Using Cloud ComputingSummary
12. Conclusion, and the Future of the Cloud
Analyst PredictionsSurvey Says?Security in Cloud ComputingInfrastructure SecurityData Security and StorageIdentity and Access ManagementSecurity ManagementPrivacyAudit and ComplianceSecurity-As-a-[Cloud]-ServiceImpact of Cloud Computing on the Role of Corporate ITProgram Guidance for CSP CustomersSecurity LeadershipSecurity GovernanceSecurity AssuranceSecurity ManagementUser ManagementTechnology ControlsTechnology Protection and ContinuityOverall GuidanceThe Future of Security in Cloud ComputingInfrastructure SecurityData Security and StorageIdentity and Access ManagementSecurity ManagementPrivacyAudit and ComplianceImpact of Cloud Computing on the Role of Corporate ITSummary
A. SAS 70 Report Content Example
Section I: Service Auditor’s OpinionSection II: Description of ControlsSection III: Control Objectives, Related Controls, and Tests of Operating EffectivenessSection IV: Additional Information Provided by the Service Organization
B. SysTrust Report Content Example
SysTrust Auditor’s OpinionSysTrust Management AssertionSysTrust System DescriptionSysTrust Schedule of Controls
C. Open Security Architecture for Cloud Computing
LegendDescriptionKey Control AreasExamplesAssumptionsTypical ChallengesIndicationsContraindicationsResistance Against ThreatsReferencesControl Details
Glossary
Index
About the Authors
Colophon
SPECIAL OFFER: Upgrade this ebook with O’Reilly
Copyright

Content preview from Cloud Security and Privacy

Chapter 4. Data Security and Storage

In today’s world of (network-, host-, and application-level) infrastructure security, data security becomes more important when using cloud computing at all “levels”: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS). This chapter describes several aspects of data security, including:

Data-in-transit
Data-at-rest
Processing of data, including multitenancy
Data lineage
Data provenance
Data remanence

The objective of this chapter is to help users evaluate their data security scenarios and make informed judgments regarding risk for their organizations. As with other aspects of cloud computing and security, not all of these data security facets are of equal importance in all topologies (e.g., the use of a public cloud versus a private cloud, or non-sensitive data versus sensitive data).

Aspects of Data Security

With regard to data-in-transit, the primary risk is in not using a vetted encryption algorithm. Although this is obvious to information security professionals, it is not common for others to understand this requirement when using a public cloud, regardless of whether it is IaaS, PaaS, or SaaS. It is also important to ensure that a protocol provides confidentiality as well as integrity (e.g., FTP over SSL [FTPS], Hypertext Transfer Protocol Secure [HTTPS], and Secure Copy Program [SCP])—particularly if the protocol is used for transferring data across the Internet. Merely encrypting data and using a non-secured ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780596806453Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Cloud Security and Privacy

by Tim Mather, Subra Kumaraswamy, Shahed Latif

Chapter 4. Data Security and Storage

Aspects of Data Security

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.