Cloud Security

A Comprehensive Guide to Secure Cloud Computing
1st edition

by: Ronald L. Krutz, Russell Dean Vines

34,99 €

Publisher: Wiley
Format: EPUB
Published: 31.08.2010
ISBN/EAN: 9780470938942
Language: English
Number of pages: 384

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Description

Well-known security experts decipher the most challenging aspect of cloud computing: security.

Cloud computing allows both large and small organizations to use Internet-based services so that they can reduce start-up costs, lower capital expenditures, use services on a pay-as-you-use basis, access applications only as needed, and quickly reduce or increase capacities. However, these benefits are accompanied by a myriad of security issues, and this valuable book tackles the most common security challenges that cloud computing faces.

The authors offer you years of unparalleled expertise and knowledge as they discuss the extremely challenging topics of data ownership, privacy protections, data mobility, quality of service and service levels, bandwidth costs, data protection, and support.

As the most current and complete guide to helping you find your way through a maze of security minefields, this book is mandatory reading if you are involved in any aspect of cloud computing.

Coverage includes:

- Cloud Computing Fundamentals
- Cloud Computing Architecture
- Cloud Computing Software Security Fundamentals
- Cloud Computing Risks Issues
- Cloud Computing Security Challenges
- Cloud Computing Security Architecture
- Cloud Computing Life Cycle Issues
- Useful Next Steps and Approaches
Contents

Foreword xxi
Introduction xxiii

Chapter 1 Cloud Computing Fundamentals 1
  What Cloud Computing Isn't 7
  Alternative Views 8
  Essential Characteristics 9
  On-Demand Self-Service 9
  Broad Network Access 10
  Location-Independent Resource Pooling 10
  Rapid Elasticity 10
  Measured Service 11
  Architectural Influences 11
  High-Performance Computing 11
  Utility and Enterprise Grid Computing 14
  Autonomic Computing 15
  Service Consolidation 16
  Horizontal Scaling 16
  Web Services 17
  High-Scalability Architecture 18
  Technological Influences 18
  Universal Connectivity 18
  Commoditization 19
  Excess Capacity 20
  Open-Source Software 21
  Virtualization 22
  Operational Influences 23
  Consolidation 23
  Outsourcing 26
  Outsourcing Legal Issues 26
  Business Process Outsourcing (BPO) Issues 28
  IT Service Management 30
  Automation 31
  Summary 31

Chapter 2 Cloud Computing Architecture 33
  Cloud Delivery Models 34
  The SPI Framework 34
  SPI Evolution 34
  The SPI Framework vs. the Traditional IT Model 35
  Cloud Software as a Service (SaaS) 37
  Benefits of the SaaS Model 38
  Cloud Platform as a Service (PaaS) 39
  Cloud Infrastructure as a Service (IaaS) 41
  Cloud Deployment Models 43
  Public Clouds 44
  Community Clouds 46
  Private Clouds 48
  Hybrid Clouds 49
  Alternative Deployment Models 50
  The Linthicum Model 50
  The Jericho Cloud Cube Model 51
  Expected Benefits 55
  Flexibility and Resiliency 56
  Reduced Costs 57
  Centralization of Data Storage 58
  Reduced Time to Deployment 58
  Scalability 58
  Summary 59

Chapter 3 Cloud Computing Software Security Fundamentals 61
  Cloud Information Security Objectives 62
  Confidentiality, Integrity, and Availability 63
  Confidentiality 63
  Integrity 64
  Availability 64
  Cloud Security Services 64
  Authentication 64
  Authorization 64
  Auditing 65
  Accountability 66
  Relevant Cloud Security Design Principles 66
  Least Privilege 67
  Separation of Duties 67
  Defense in Depth 67
  Fail Safe 68
  Economy of Mechanism 68
  Complete Mediation 68
  Open Design 69
  Least Common Mechanism 69
  Psychological Acceptability 69
  Weakest Link 70
  Leveraging Existing Components 70
  Secure Cloud Software Requirements 70
  Secure Development Practices 71
  Handling Data 71
  Code Practices 72
  Language Options 73
  Input Validation and Content Injection 73
  Physical Security of the System 73
  Approaches to Cloud Software Requirements Engineering 74
  A Resource Perspective on Cloud Software Security Requirements 75
  Goal-Oriented Software Security Requirements 76
  Monitoring Internal and External Requirements 77
  Cloud Security Policy Implementation and Decomposition 78
  Implementation Issues 79
  Decomposing Critical Security Issues into Secure Cloud Software Requirements 81
  NIST 33 Security Principles 85
  Secure Cloud Software Testing 86
  Testing for Security Quality Assurance 87
  Conformance Testing 89
  Functional Testing 90
  Performance Testing 92
  Security Testing 94
  Cloud Penetration Testing 99
  Legal and Ethical Implications 100
  The Three Pre-Test Phases 103
  Penetration Testing Tools and Techniques 105
  Regression Testing 111
  Cloud Computing and Business Continuity Planning/Disaster Recovery 113
  Definitions 113
  General Principles and Practices 114
  Disaster Recovery Planning 114
  Business Continuity Planning 117
  Using the Cloud for BCP/DRP 119
  Redundancy Provided by the Cloud 119
  Secure Remote Access 120
  Integration into Normal Business Processes 120
  Summary 120

Chapter 4 Cloud Computing Risk Issues 125
  The CIA Triad 125
  Confidentiality 125
  Integrity 126
  Availability 126
  Other Important Concepts 127
  Privacy and Compliance Risks 127
  The Payment Card Industry Data Security Standard (PCI DSS) 128
  Information Privacy and Privacy Laws 130
  Threats to Infrastructure, Data, and Access Control 141
  Common Threats and Vulnerabilities 141
  Logon Abuse 143
  Inappropriate System Use 143
  Eavesdropping 143
  Network Intrusion 144
  Denial-of-Service (DoS) Attacks 144
  Session Hijacking Attacks 144
  Fragmentation Attacks 145
  Cloud Access Control Issues 145
  Database Integrity Issues 146
  Cloud Service Provider Risks 147
  Back-Door 148
  Spoofing 148
  Man-in-the-Middle 148
  Replay 148
  TCP Hijacking 149
  Social Engineering 149
  Dumpster Diving 149
  Password Guessing 150
  Trojan Horses and Malware 150
  Summary 151

Chapter 5 Cloud Computing Security Challenges 153
  Security Policy Implementation 154
  Policy Types 154
  Senior Management Statement of Policy 155
  Regulatory Policies 155
  Advisory Policies 155
  Informative Policies 155
  Computer Security Incident Response Team (CSIRT) 156
  Virtualization Security Management 157
  Virtual Threats 158
  Hypervisor Risks 163
  Increased Denial of Service Risk 164
  VM Security Recommendations 165
  Best Practice Security Techniques 165
  VM-Specific Security Techniques 169
  Hardening the Virtual Machine 169
  Securing VM Remote Access 172
  Summary 173

Chapter 6 Cloud Computing Security Architecture 177
  Architectural Considerations 178
  General Issues 178
  Compliance 178
  Security Management 179
  Information Classification 181
  Employee Termination 185
  Security Awareness, Training, and Education 186
  Trusted Cloud Computing 188
  Trusted Computing Characteristics 188
  Secure Execution Environments and Communications 191
  Secure Execution Environment 191
  Secure Communications 191
  Microarchitectures 203
  Identity Management and Access Control 204
  Identity Management 205
  Passwords 205
  Tokens 206
  Memory Cards 207
  Smart Cards 207
  Biometrics 207
  Implementing Identity Management 209
  Access Control 210
  Controls 210
  Models for Controlling Access 211
  Single Sign-On (SSO) 212
  Autonomic Security 213
  Autonomic Systems 213
  Autonomic Protection 215
  Autonomic Self-Healing 215
  Summary 216

Chapter 7 Cloud Computing Life Cycle Issues 217
  Standards 218
  Jericho Forum 218
  The Distributed Management Task Force (DMTF) 219
  The DMTF Open Virtualization Format (OVF) 219
  The DMTF Open Cloud Standards Incubator 220
  The International Organization for Standardization (ISO) 220
  ISO 27001 220
  ISO 27002 222
  ISO 27003 222
  ISO 27004 223
  ISO 27005 223
  ISO 27006 224
  International Organization for Standardization/International Electrotechnical Commission ISO/IEC 29361, ISO/IEC 29362, and ISO/IEC 29363 Standards 224
  Distributed Application Platforms and Services 225
  The European Telecommunications Standards Institute (ETSI) 226
  The Organization for the Advancement of Structured Information Standards (OASIS) 226
  Storage Networking Industry Association (SNIA) 226
  Open Grid Forum (OGF) 227
  The Open Web Application Security Project (OWASP) 227
  OWASP Top Ten Project 227
  OWASP Development Guide 228
  OWASP Code Review Guide 229
  OWASP Testing Guide 230
  Incident Response 231
  NIST Special Publication 800-61 231
  Preparation 232
  Detection and Analysis 232
  Containment, Eradication, and Recovery 233
  Post-Incident Activity 234
  NIST Incident-Handling Summary 234
  Internet Engineering Task Force Incident-Handling Guidelines 234
  Layered Security and IDS 236
  Intrusion Detection 236
  IDS Issues 240
  Computer Security and Incident Response Teams 241
  CERT/CC 242
  FedCIRC 242
  Forum of Incident Response and Security Teams 243
  Security Incident Notification Process 243
  Automated Notice and Recovery Mechanisms 244
  Encryption and Key Management 246
  VM Architecture 246
  Key Protection Countermeasures 247
  Hardware Protection 248
  Software-Based Protection 249
  Data Deduplication 250
  Hashing 251
  Retirement 252
  VM Life Cycle 252
  Overwriting 253
  Degaussing 254
  Destruction 254
  Record Retention 255
  Data Remanence 255
  Due Care and Due Diligence 255
  Documentation Control 256
  Summary 256

Chapter 8 Useful Next Steps and Approaches 259
  Getting Answers 259
  What Services Should Be Moved to the Cloud? 260
  What Questions Should You Ask Your Cloud Provider? 261
  When Should You Use a Public, Private, or Hybrid Cloud? 262
  Getting Help 264
  Cloud Security Alliance 264
  Cloud Computing Google Groups 265
  Cloud Computing Interoperability Forum 266
  Open Cloud Consortium 266
  Getting Started 267
  Top Ten List 267
  1. Assess Your Data's Sensitivity 268
  2. Analyze the Risks vs. Benefits of Cloud Computing 271
  3. Define Business Objectives 273
  4. Understand the Underlying Structure of Your Network 273
  5. Implement Traditional Best Practice Security Solutions 274
  6. Employ Virtualization Best Practices 274
  7. Prevent Data Loss with Backups 275
  8. Monitor and Audit 275
  9. Seek Out Advice 276
  10. Employ Deception 277
  Parting Words 277

Glossary of Terms and Acronyms 279
References 345
Index 349
"This worthwhile addition to the growing library of cloud security books contains very helpful prescriptions for security policies and practices." (Computing Reviews, January 2011)

About the authors

Ronald L. Krutz, PhD, is a senior information systems security consultant with more than 30 years of experience. He founded the CMRI Cybersecurity Center at Carnegie Mellon University.

Russell Dean Vines is Chief Security Advisor for Gotham Technology Group, LLC, and has been an information systems security expert for over 25 years. They coauthored the bestselling CISSP Prep Guide.

Secure your cloud to maximize its value

Cloud computing is flexible, efficient, and cost-effective, but not without risks. To maximize its potential, you need to fully understand its vulnerabilities and how to offset them.

This guide thoroughly examines cloud fundamentals, architecture, risks, and security principles. Two leading security experts detail critical approaches and solutions, helping you achieve the maximum return on cloud investments without compromising the safety of your information.

- Avoid leakage and unauthorized data access among virtual machines running on the same server
- Properly handle sensitive information
- Prevent release of critical data to law enforcement or government agencies without approval by the client
- Follow compliance and regulatory requirements
- Deal with system crashes or failures
- Protect against hacker invasions into client applications hosted on the cloud
- Implement solid, robust security protection
- Manage interoperability that allows a client to easily move applications among different cloud providers and avoid "lock-in"
