Cloud Security and Privacy. An Enterprise Perspective on Risks and Compliance

Spis treści książki

• Cloud Security and Privacy
• SPECIAL OFFER: Upgrade this ebook with OReilly
• Preface
  • Who Should Read This Book
  • Whats in This Book
  • Conventions Used in This Book
  • Using Code Examples
  • Safari Books Online
  • How to Contact Us
  • Acknowledgments
    • From Tim Mather
    • From Subra Kumaraswamy
    • From Shahed Latif
• 1. Introduction
  • Mind the Gap
  • The Evolution of Cloud Computing
  • Summary
• 2. What Is Cloud Computing?
  • Cloud Computing Defined
  • The SPI Framework for Cloud Computing
    • Relevant Technologies in Cloud Computing
      • Cloud access devices
      • Browsers and thin clients
      • High-speed broadband access
      • Data centers and server farms
      • Storage devices
      • Virtualization technologies
      • APIs
  • The Traditional Software Model
  • The Cloud Services Delivery Model
    • The Software-As-a-Service Model
    • The Platform-As-a-Service Model
    • The Infrastructure-As-a-Service Model
  • Cloud Deployment Models
    • Public Clouds
    • Private Clouds
    • Hybrid Clouds
  • Key Drivers to Adopting the Cloud
    • Small Initial Investment and Low Ongoing Costs
    • Economies of Scale
    • Open Standards
    • Sustainability
  • The Impact of Cloud Computing on Users
    • Individual Consumers
    • Individual Businesses
    • Start-ups
    • Small and Medium-Size Businesses (SMBs)
    • Enterprise Businesses
  • Governance in the Cloud
  • Barriers to Cloud Computing Adoption in the Enterprise
    • Security
    • Privacy
    • Connectivity and Open Access
    • Reliability
    • Interoperability
    • Independence from CSPs
    • Economic Value
    • IT Governance
    • Changes in the IT Organization
    • Political Issues Due to Global Boundaries
  • Summary
• 3. Infrastructure Security
  • Infrastructure Security: The Network Level
    • Ensuring Data Confidentiality and Integrity
    • Ensuring Proper Access Control
    • Ensuring the Availability of Internet-Facing Resources
    • Replacing the Established Model of Network Zones and Tiers with Domains
    • Network-Level Mitigation
  • Infrastructure Security: The Host Level
    • SaaS and PaaS Host Security
    • IaaS Host Security
    • Virtualization Software Security
      • Threats to the hypervisor
    • Virtual Server Security
      • Securing virtual servers
  • Infrastructure Security: The Application Level
    • Application-Level Security Threats
    • DoS and EDoS
    • End User Security
    • Who Is Responsible for Web Application Security in the Cloud?
    • SaaS Application Security
    • PaaS Application Security
      • PaaS application container
    • Customer-Deployed Application Security
    • IaaS Application Security
    • Public Cloud Security Limitations
  • Summary
• 4. Data Security and Storage
  • Aspects of Data Security
  • Data Security Mitigation
  • Provider Data and Its Security
    • Storage
      • Confidentiality
      • Integrity
      • Availability
  • Summary
• 5. Identity and Access Management
  • Trust Boundaries and IAM
  • Why IAM?
  • IAM Challenges
  • IAM Definitions
  • IAM Architecture and Practice
  • Getting Ready for the Cloud
  • Relevant IAM Standards and Protocols for Cloud Services
    • IAM Standards and Specifications for Organizations
      • Security Assertion Markup Language (SAML)
      • Service Provisioning Markup Language (SPML)
      • eXensible Access Control Markup Language (XACML)
      • Open Authentication (OAuth)
    • IAM Standards, Protocols, and Specifications for Consumers
      • OpenID
      • Information cards
      • Open Authentication (OATH)
      • Open Authentication API (OpenAuth)
    • Comparison of Enterprise and Consumer Authentication Standards and Protocols
  • IAM Practices in the Cloud
    • Cloud Identity Administration
    • Federated Identity (SSO)
      • Enterprise identity provider
      • Identity management-as-a-service
  • Cloud Authorization Management
    • IAM Support for Compliance Management
  • Cloud Service Provider IAM Practice
    • SaaS
      • Customer responsibilities
      • CSP responsibilities
    • PaaS
    • IaaS
  • Guidance
  • Summary
• 6. Security Management in the Cloud
  • Security Management Standards
    • ITIL
    • ISO 27001/27002
  • Security Management in the Cloud
  • Availability Management
    • Factors Impacting Availability
  • SaaS Availability Management
    • Customer Responsibility
    • SaaS Health Monitoring
  • PaaS Availability Management
    • Customer Responsibility
    • PaaS Health Monitoring
  • IaaS Availability Management
    • IaaS Health Monitoring
  • Access Control
    • Access Control in the Cloud
    • Access Control: SaaS
    • Access Control: PaaS
    • Access Control: IaaS
      • CSP infrastructure access control
      • Customer virtual infrastructure access control
    • Access Control Summary
  • Security Vulnerability, Patch, and Configuration Management
    • Security Vulnerability Management
    • Security Patch Management
    • Security Configuration Management
    • SaaS VPC Management
      • SaaS provider responsibilities
      • SaaS customer responsibilities
    • PaaS VPC Management
      • PaaS provider responsibilities
      • PaaS customer responsibilities
    • IaaS VPC Management
      • IaaS provider responsibilities
      • IaaS customer responsibilities
    • Intrusion Detection and Incident Response
    • Customer Versus CSP Responsibilities
    • Caveats
  • Summary
• 7. Privacy
  • What Is Privacy?
  • What Is the Data Life Cycle?
  • What Are the Key Privacy Concerns in the Cloud?
  • Who Is Responsible for Protecting Privacy?
  • Changes to Privacy Risk Management and Compliance in Relation to Cloud Computing
    • Collection Limitation Principle
    • Use Limitation Principle
    • Security Principle
    • Retention and Destruction Principle
    • Transfer Principle
    • Accountability Principle
  • Legal and Regulatory Implications
  • U.S. Laws and Regulations
    • Federal Rules of Civil Procedure
    • USA Patriot Act
    • Electronic Communications Privacy Act
    • FISMA
    • GLBA
    • HIPAA
    • HITECH Act
  • International Laws and Regulations
    • EU Directive
    • APEC Privacy Framework
  • Summary
• 8. Audit and Compliance
  • Internal Policy Compliance
  • Governance, Risk, and Compliance (GRC)
    • Benefits of GRC for CSPs
    • GRC Program Implementation
  • Illustrative Control Objectives for Cloud Computing
    • A.5 Security policy
    • A.6 Organization of information security
    • A.7 Asset management
    • A.8 Human resources security
    • A.9 Physical and environmental security
    • A.10 Communications and operations management
    • A.11 Access control
    • A.12 Information systems acquisition, development, and maintenance
    • A.13 Information security incident management
    • A.14 Business continuity management
    • A.15 Compliance
  • Incremental CSP-Specific Control Objectives
    • Asset management, access control
    • Information systems acquisition, development, and maintenance
    • Communications and operations management
    • Access control
    • Compliance
  • Additional Key Management Control Objectives
    • Key management
  • Control Considerations for CSP Users
    • Access control
    • Information systems acquisition, development, and maintenance
    • Organization of information security
  • Regulatory/External Compliance
    • Sarbanes-Oxley Act
      • Cloud computing impact of SOX
    • PCI DSS
      • Cloud computing impact of PCI DSS
    • HIPAA
      • Administrative safeguards
      • Assigned security responsibility
      • Physical safeguards
      • Technical safeguards
      • Summary of HIPAA privacy standards
      • Cloud computing impact of HIPAA
  • Other Requirements
    • The Control Objectives for Information and Related Technology (COBIT)
      • Cloud computing impact of COBIT
  • Cloud Security Alliance
  • Auditing the Cloud for Compliance
    • Internal Audit Perspective
    • External Audit Perspective
      • Audit framework
      • SAS 70
      • SysTrust
      • WebTrust
      • ISO 27001 certification
    • Comparison of Approaches
  • Summary
• 9. Examples of Cloud Service Providers
  • Amazon Web Services (IaaS)
  • Google (SaaS, PaaS)
  • Microsoft Azure Services Platform (PaaS)
  • Proofpoint (SaaS, IaaS)
  • RightScale (IaaS)
  • Salesforce.com (SaaS, PaaS)
  • Sun Open Cloud Platform
  • Workday (SaaS)
  • Summary
• 10. Security-As-a-[Cloud] Service
  • Origins
  • Todays Offerings
    • Email Filtering
    • Web Content Filtering
    • Vulnerability Management
    • Identity Management-As-a-Service
  • Summary
• 11. The Impact of Cloud Computing on the Role of Corporate IT
  • Why Cloud Computing Will Be Popular with Business Units
    • Low-Cost Solution
    • Responsiveness/Flexibility
    • IT Expense Matches Transaction Volume
    • Business Users Are in Direct Control of Technology Decisions
    • The Line Between Home Computing Applications and Enterprise Applications Will Blur
  • Potential Threats of Using CSPs
    • Vested Interest of Cloud Providers
    • Loss of Control Over the Use of Technologies
    • Perceived High Risk of Using Cloud Computing
    • Portability and Lock-in to Proprietary Systems for CSPs
    • Lack of Integration and Componentization
    • ERP Vendors Offer SaaS
  • A Case Study Illustrating Potential Changes in the IT Profession Caused by Cloud Computing
  • Governance Factors to Consider When Using Cloud Computing
  • Summary
• 12. Conclusion, and the Future of the Cloud
  • Analyst Predictions
  • Survey Says?
  • Security in Cloud Computing
    • Infrastructure Security
    • Data Security and Storage
    • Identity and Access Management
    • Security Management
    • Privacy
    • Audit and Compliance
    • Security-As-a-[Cloud]-Service
    • Impact of Cloud Computing on the Role of Corporate IT
  • Program Guidance for CSP Customers
    • Security Leadership
    • Security Governance
    • Security Assurance
    • Security Management
    • User Management
    • Technology Controls
    • Technology Protection and Continuity
    • Overall Guidance
  • The Future of Security in Cloud Computing
    • Infrastructure Security
    • Data Security and Storage
    • Identity and Access Management
    • Security Management
    • Privacy
    • Audit and Compliance
    • Impact of Cloud Computing on the Role of Corporate IT
  • Summary
• A. SAS 70 Report Content Example
  • Section I: Service Auditors Opinion
  • Section II: Description of Controls
  • Section III: Control Objectives, Related Controls, and Tests of Operating Effectiveness
  • Section IV: Additional Information Provided by the Service Organization
• B. SysTrust Report Content Example
  • SysTrust Auditors Opinion
  • SysTrust Management Assertion
  • SysTrust System Description
  • SysTrust Schedule of Controls
• C. Open Security Architecture for Cloud Computing
  • Legend
  • Description
  • Key Control Areas
  • Examples
  • Assumptions
  • Typical Challenges
  • Indications
  • Contraindications
  • Resistance Against Threats
  • References
  • Control Details
• Glossary
• Index
• About the Authors
• Colophon
• SPECIAL OFFER: Upgrade this ebook with OReilly
• Copyright

pokaż cały spis treści

ukryj recenzje