Cloud Security and Privacy. An Enterprise Perspective on Risks and Compliance Tim Mather, Subra Kumaraswamy, Shahed Latif

Dostępność produktu

Produkt nie został jeszcze oceniony pod kątem ułatwień dostępu lub nie podano żadnych informacji o ułatwieniach dostępu lub są one niewystarczające. Prawdopodobnie Wydawca/Dostawca jeszcze nie umożliwił dokonania walidacji produktu lub nie przekazał odpowiednich informacji na temat jego dostępności.

Spis treści książki

• Cloud Security and Privacy
• SPECIAL OFFER: Upgrade this ebook with OReilly
• Preface
  • Who Should Read This Book
  • Whats in This Book
  • Conventions Used in This Book
  • Using Code Examples
  • Safari Books Online
  • How to Contact Us
  • Acknowledgments
    • From Tim Mather
    • From Subra Kumaraswamy
    • From Shahed Latif
• 1. Introduction
  • Mind the Gap
  • The Evolution of Cloud Computing
  • Summary
• 2. What Is Cloud Computing?
  • Cloud Computing Defined
  • The SPI Framework for Cloud Computing
    • Relevant Technologies in Cloud Computing
      • Cloud access devices
      • Browsers and thin clients
      • High-speed broadband access
      • Data centers and server farms
      • Storage devices
      • Virtualization technologies
      • APIs
  • The Traditional Software Model
  • The Cloud Services Delivery Model
    • The Software-As-a-Service Model
    • The Platform-As-a-Service Model
    • The Infrastructure-As-a-Service Model
  • Cloud Deployment Models
    • Public Clouds
    • Private Clouds
    • Hybrid Clouds
  • Key Drivers to Adopting the Cloud
    • Small Initial Investment and Low Ongoing Costs
    • Economies of Scale
    • Open Standards
    • Sustainability
  • The Impact of Cloud Computing on Users
    • Individual Consumers
    • Individual Businesses
    • Start-ups
    • Small and Medium-Size Businesses (SMBs)
    • Enterprise Businesses
  • Governance in the Cloud
  • Barriers to Cloud Computing Adoption in the Enterprise
    • Security
    • Privacy
    • Connectivity and Open Access
    • Reliability
    • Interoperability
    • Independence from CSPs
    • Economic Value
    • IT Governance
    • Changes in the IT Organization
    • Political Issues Due to Global Boundaries
  • Summary
• 3. Infrastructure Security
  • Infrastructure Security: The Network Level
    • Ensuring Data Confidentiality and Integrity
    • Ensuring Proper Access Control
    • Ensuring the Availability of Internet-Facing Resources
    • Replacing the Established Model of Network Zones and Tiers with Domains
    • Network-Level Mitigation
  • Infrastructure Security: The Host Level
    • SaaS and PaaS Host Security
    • IaaS Host Security
    • Virtualization Software Security
      • Threats to the hypervisor
    • Virtual Server Security
      • Securing virtual servers
  • Infrastructure Security: The Application Level
    • Application-Level Security Threats
    • DoS and EDoS
    • End User Security
    • Who Is Responsible for Web Application Security in the Cloud?
    • SaaS Application Security
    • PaaS Application Security
      • PaaS application container
    • Customer-Deployed Application Security
    • IaaS Application Security
    • Public Cloud Security Limitations
  • Summary
• 4. Data Security and Storage
  • Aspects of Data Security
  • Data Security Mitigation
  • Provider Data and Its Security
    • Storage
      • Confidentiality
      • Integrity
      • Availability
  • Summary
• 5. Identity and Access Management
  • Trust Boundaries and IAM
  • Why IAM?
  • IAM Challenges
  • IAM Definitions
  • IAM Architecture and Practice
  • Getting Ready for the Cloud
  • Relevant IAM Standards and Protocols for Cloud Services
    • IAM Standards and Specifications for Organizations
      • Security Assertion Markup Language (SAML)
      • Service Provisioning Markup Language (SPML)
      • eXensible Access Control Markup Language (XACML)
      • Open Authentication (OAuth)
    • IAM Standards, Protocols, and Specifications for Consumers
      • OpenID
      • Information cards
      • Open Authentication (OATH)
      • Open Authentication API (OpenAuth)
    • Comparison of Enterprise and Consumer Authentication Standards and Protocols
  • IAM Practices in the Cloud
    • Cloud Identity Administration
    • Federated Identity (SSO)
      • Enterprise identity provider
      • Identity management-as-a-service
  • Cloud Authorization Management
    • IAM Support for Compliance Management
  • Cloud Service Provider IAM Practice
    • SaaS
      • Customer responsibilities
      • CSP responsibilities
    • PaaS
    • IaaS
  • Guidance
  • Summary
• 6. Security Management in the Cloud
  • Security Management Standards
    • ITIL
    • ISO 27001/27002
  • Security Management in the Cloud
  • Availability Management
    • Factors Impacting Availability
  • SaaS Availability Management
    • Customer Responsibility
    • SaaS Health Monitoring
  • PaaS Availability Management
    • Customer Responsibility
    • PaaS Health Monitoring
  • IaaS Availability Management
    • IaaS Health Monitoring
  • Access Control
    • Access Control in the Cloud
    • Access Control: SaaS
    • Access Control: PaaS
    • Access Control: IaaS
      • CSP infrastructure access control
      • Customer virtual infrastructure access control
    • Access Control Summary
  • Security Vulnerability, Patch, and Configuration Management
    • Security Vulnerability Management
    • Security Patch Management
    • Security Configuration Management
    • SaaS VPC Management
      • SaaS provider responsibilities
      • SaaS customer responsibilities
    • PaaS VPC Management
      • PaaS provider responsibilities
      • PaaS customer responsibilities
    • IaaS VPC Management
      • IaaS provider responsibilities
      • IaaS customer responsibilities
    • Intrusion Detection and Incident Response
    • Customer Versus CSP Responsibilities
    • Caveats
  • Summary
• 7. Privacy
  • What Is Privacy?
  • What Is the Data Life Cycle?
  • What Are the Key Privacy Concerns in the Cloud?
  • Who Is Responsible for Protecting Privacy?
  • Changes to Privacy Risk Management and Compliance in Relation to Cloud Computing
    • Collection Limitation Principle
    • Use Limitation Principle
    • Security Principle
    • Retention and Destruction Principle
    • Transfer Principle
    • Accountability Principle
  • Legal and Regulatory Implications
  • U.S. Laws and Regulations
    • Federal Rules of Civil Procedure
    • USA Patriot Act
    • Electronic Communications Privacy Act
    • FISMA
    • GLBA
    • HIPAA
    • HITECH Act
  • International Laws and Regulations
    • EU Directive
    • APEC Privacy Framework
  • Summary
• 8. Audit and Compliance
  • Internal Policy Compliance
  • Governance, Risk, and Compliance (GRC)
    • Benefits of GRC for CSPs
    • GRC Program Implementation
  • Illustrative Control Objectives for Cloud Computing
    • A.5 Security policy
    • A.6 Organization of information security
    • A.7 Asset management
    • A.8 Human resources security
    • A.9 Physical and environmental security
    • A.10 Communications and operations management
    • A.11 Access control
    • A.12 Information systems acquisition, development, and maintenance
    • A.13 Information security incident management
    • A.14 Business continuity management
    • A.15 Compliance
  • Incremental CSP-Specific Control Objectives
    • Asset management, access control
    • Information systems acquisition, development, and maintenance
    • Communications and operations management
    • Access control
    • Compliance
  • Additional Key Management Control Objectives
    • Key management
  • Control Considerations for CSP Users
    • Access control
    • Information systems acquisition, development, and maintenance
    • Organization of information security
  • Regulatory/External Compliance
    • Sarbanes-Oxley Act
      • Cloud computing impact of SOX
    • PCI DSS
      • Cloud computing impact of PCI DSS
    • HIPAA
      • Administrative safeguards
      • Assigned security responsibility
      • Physical safeguards
      • Technical safeguards
      • Summary of HIPAA privacy standards
      • Cloud computing impact of HIPAA
  • Other Requirements
    • The Control Objectives for Information and Related Technology (COBIT)
      • Cloud computing impact of COBIT
  • Cloud Security Alliance
  • Auditing the Cloud for Compliance
    • Internal Audit Perspective
    • External Audit Perspective
      • Audit framework
      • SAS 70
      • SysTrust
      • WebTrust
      • ISO 27001 certification
    • Comparison of Approaches
  • Summary
• 9. Examples of Cloud Service Providers
  • Amazon Web Services (IaaS)
  • Google (SaaS, PaaS)
  • Microsoft Azure Services Platform (PaaS)
  • Proofpoint (SaaS, IaaS)
  • RightScale (IaaS)
  • Salesforce.com (SaaS, PaaS)
  • Sun Open Cloud Platform
  • Workday (SaaS)
  • Summary
• 10. Security-As-a-[Cloud] Service
  • Origins
  • Todays Offerings
    • Email Filtering
    • Web Content Filtering
    • Vulnerability Management
    • Identity Management-As-a-Service
  • Summary
• 11. The Impact of Cloud Computing on the Role of Corporate IT
  • Why Cloud Computing Will Be Popular with Business Units
    • Low-Cost Solution
    • Responsiveness/Flexibility
    • IT Expense Matches Transaction Volume
    • Business Users Are in Direct Control of Technology Decisions
    • The Line Between Home Computing Applications and Enterprise Applications Will Blur
  • Potential Threats of Using CSPs
    • Vested Interest of Cloud Providers
    • Loss of Control Over the Use of Technologies
    • Perceived High Risk of Using Cloud Computing
    • Portability and Lock-in to Proprietary Systems for CSPs
    • Lack of Integration and Componentization
    • ERP Vendors Offer SaaS
  • A Case Study Illustrating Potential Changes in the IT Profession Caused by Cloud Computing
  • Governance Factors to Consider When Using Cloud Computing
  • Summary
• 12. Conclusion, and the Future of the Cloud
  • Analyst Predictions
  • Survey Says?
  • Security in Cloud Computing
    • Infrastructure Security
    • Data Security and Storage
    • Identity and Access Management
    • Security Management
    • Privacy
    • Audit and Compliance
    • Security-As-a-[Cloud]-Service
    • Impact of Cloud Computing on the Role of Corporate IT
  • Program Guidance for CSP Customers
    • Security Leadership
    • Security Governance
    • Security Assurance
    • Security Management
    • User Management
    • Technology Controls
    • Technology Protection and Continuity
    • Overall Guidance
  • The Future of Security in Cloud Computing
    • Infrastructure Security
    • Data Security and Storage
    • Identity and Access Management
    • Security Management
    • Privacy
    • Audit and Compliance
    • Impact of Cloud Computing on the Role of Corporate IT
  • Summary
• A. SAS 70 Report Content Example
  • Section I: Service Auditors Opinion
  • Section II: Description of Controls
  • Section III: Control Objectives, Related Controls, and Tests of Operating Effectiveness
  • Section IV: Additional Information Provided by the Service Organization
• B. SysTrust Report Content Example
  • SysTrust Auditors Opinion
  • SysTrust Management Assertion
  • SysTrust System Description
  • SysTrust Schedule of Controls
• C. Open Security Architecture for Cloud Computing
  • Legend
  • Description
  • Key Control Areas
  • Examples
  • Assumptions
  • Typical Challenges
  • Indications
  • Contraindications
  • Resistance Against Threats
  • References
  • Control Details
• Glossary
• Index
• About the Authors
• Colophon
• SPECIAL OFFER: Upgrade this ebook with OReilly
• Copyright

pokaż cały spis treści

ukryj recenzje