Auditing Cloud Computing

A Security and Privacy Guide
Wiley Corporate F&A, Volume 21, 1st edition

by: Ben Halpert

41,99 €

Publisher: Wiley
Format: PDF
Published: 05.07.2011
ISBN/EAN: 9781118116029
Language: English
Number of pages: 224

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Descriptions

The auditor's guide to ensuring correct security and privacy practices in a cloud computing environment

Many organizations are reporting or projecting a significant cost savings through the use of cloud computing: utilizing shared computing resources to provide ubiquitous access for organizations and end users. Just as many organizations, however, are expressing concern with security and privacy issues for their organization's data in the "cloud." Auditing Cloud Computing provides necessary guidance to build a proper audit to ensure operational integrity and customer data protection, among other aspects, are addressed for cloud-based resources.

- Provides necessary guidance to ensure auditors address security and privacy aspects that, through a proper audit, can provide a specified level of assurance for an organization's resources
- Reveals effective methods for evaluating the security and privacy practices of cloud services
- A cloud computing reference for auditors and IT security professionals, as well as those preparing for certification credentials, such as Certified Information Systems Auditor (CISA)

Timely and practical, Auditing Cloud Computing expertly provides information to assist in preparing for an audit addressing cloud computing security and privacy for both businesses and cloud-based service providers.

Preface xiii
Chapter 1: Introduction to Cloud Computing 1
  History 1
  Defining Cloud Computing 2
  Elasticity 2
  Multitenancy 3
  Economics 3
  Abstraction 3
  Cloud Computing Services Layers 4
  Infrastructure as a Service 5
  Platform as a Service 5
  Software as a Service 6
  Roles in Cloud Computing 6
  Consumer 6
  Provider 6
  Integrator 7
  Cloud Computing Deployment Models 8
  Private 8
  Community 8
  Public 9
  Hybrid 9
  Challenges 9
  Availability 10
  Data Residency 10
  Multitenancy 11
  Performance 11
  Data Evacuation 12
  Supervisory Access 12
  In Summary 13
Chapter 2: Cloud-Based IT Audit Process 15
  The Audit Process 16
  Control Frameworks for the Cloud 18
  ENISA Cloud Risk Assessment 20
  FedRAMP 20
  Entities Using COBIT 21
  CSA Guidance 21
  CloudAudit/A6—The Automated Audit, Assertion, Assessment, and Assurance API 22
  Recommended Controls 22
  Risk Management and Risk Assessment 26
  Risk Management 27
  Risk Assessment 27
  Legal 28
  In Summary 29
Chapter 3: Cloud-Based IT Governance 33
  Governance in the Cloud 36
  Understanding the Cloud 36
  Security Issues in the Cloud 37
  Abuse and Nefarious Use of Cloud Computing 38
  Insecure Application Programming Interfaces 39
  Malicious Insiders 39
  Shared Technology Vulnerabilities 39
  Data Loss/Leakage 40
  Account, Service, and Traffic Hijacking 40
  Unknown Risk Profile 40
  Other Security Issues in the Cloud 41
  Governance 41
  IT Governance in the Cloud 44
  Managing Service Agreements 44
  Implementing and Maintaining Governance for Cloud Computing 46
  Implementing Governance as a New Concept 46
  Preliminary Tasks 46
  Adopt a Governance Implementation Methodology 48
  Extending IT Governance to the Cloud 49
  In Summary 52
Chapter 4: System and Infrastructure Lifecycle Management for the Cloud 57
  Every Decision Involves Making a Tradeoff 57
  Example: Business Continuity/Disaster Recovery 59
  What about Policy and Process Collisions? 60
  The System and Management Lifecycle Onion 61
  Mapping Control Methodologies onto the Cloud 62
  Information Technology Infrastructure Library 63
  Control Objectives for Information and Related Technology 64
  National Institute of Standards and Technology 65
  Cloud Security Alliance 66
  Verifying Your Lifecycle Management 67
  Always Start with Compliance Governance 67
  Verification Method 68
  Illustrative Example 70
  Risk Tolerance 72
  Special Considerations for Cross-Cloud Deployments 73
  The Cloud Provider's Perspective 74
  Questions That Matter 75
  In Summary 76
Chapter 5: Cloud-Based IT Service Delivery and Support 79
  Beyond Mere Migration 80
  Architected to Share, Securely 80
  Single-Tenant Offsite Operations (Managed Service Providers) 81
  Isolated-Tenant Application Services (Application Service Providers) 81
  Multitenant (Cloud) Applications and Platforms 82
  Granular Privilege Assignment 82
  Inherent Transaction Visibility 84
  Centralized Community Creation 86
  Coherent Customization 88
  The Question of Location 90
  Designed and Delivered for Trust 91
  Fewer Points of Failure 91
  Visibility and Transparency 93
  In Summary 93
Chapter 6: Protection and Privacy of Information Assets in the Cloud 97
  The Three Usage Scenarios 99
  What Is a Cloud? Establishing the Context—Defining Cloud Solutions and their Characteristics 100
  What Makes a Cloud Solution? 101
  Understanding the Characteristics 104
  Service Based 104
  On-Demand Self-Service 104
  Broad Network Access 104
  Scalable and Elastic 105
  Unpredictable Demand 105
  Demand Servicing 105
  Resource Pooling 105
  Managed Shared Service 105
  Auditability 105
  Service Termination and Rollback 106
  Charge by Quality of Service and Use 106
  Capability to Monitor and Quantify Use 106
  Monitor and Enforce Service Policies 107
  Compensation for Location Independence 107
  Multitenancy 107
  Authentication and Authorization 108
  Confidentiality 108
  Integrity 108
  Authenticity 108
  Availability 108
  Accounting and Control 109
  Collaboration Oriented Architecture 109
  Federated Access and ID Management 109
  The Cloud Security Continuum and a Cloud Security Reference Model 110
  Cloud Characteristics, Data Classification, and Information Lifecycle Management 113
  Cloud Characteristics and Privacy and the Protection of Information Assets 113
  Information Asset Lifecycle and Cloud Models 114
  Data Privacy in the Cloud 118
  Data Classification in the Context of the Cloud 119
  Regulatory and Compliance Implications 119
  A Cloud Information Asset Protection and Privacy Playbook 121
  In Summary 124
Chapter 7: Business Continuity and Disaster Recovery 129
  Business Continuity Planning and Disaster Recovery Planning Overview 129
  Problem Statement 130
  The Planning Process 131
  The Auditor's Role 133
  Augmenting Traditional Disaster Recovery with Cloud Services 135
  Cloud Computing and Disaster Recovery: New Issues to Consider 136
  Cloud Computing Continuity 136
  Audit Points to Emphasize 138
  In Summary 139
Chapter 8: Global Regulation and Cloud Computing 143
  What is Regulation? 144
  Federal Information Security Management Act 146
  Sarbanes-Oxley Law 146
  Health Information Privacy Accountability Act 146
  Graham/Leach/Bliley Act 147
  Privacy Laws 147
  Why Do Regulations Occur? 148
  Some Key Takeaways 149
  The Real World—A Mixing Bowl 149
  Some Key Takeaways 151
  The Regulation Story 151
  Privacy 153
  International Export Law and Interoperable Compliance 154
  Effective Audit 155
  Identifying Risk 156
  In Summary 156
Chapter 9: Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit 161
  Where Is the Data? 162
  A Shift in Thinking 164
  Cloud Security Alliance 165
  CloudAudit 1.0 166
  Cloud Morphing Strategies 166
  Virtual Security 167
  Data in the Cloud 168
  Cloud Storage 169
  Database Classes in the Cloud 171
  Perimeter Security 171
  Cryptographic Protection of the Data 172
  In Summary 173
Appendix: Cloud Computing Audit Checklist 175
About the Editor 181
About the Contributors 183
Index 191
"To summarize, the book is a good review of the current situation in the field. Every CISO and CIO should be aware of the developments in the cloud regardless of the intention of actually implementing its use." (Blog.itgovernance.co.uk, April 2012)
BEN HALPERT, CISSP, is an information security researcher and practitioner. He has keynoted and presented sessions at numerous conferences and was a contributing author to Readings and Cases in the Management of Information Security and the Encyclopedia of Information Ethics and Security. Halpert writes a monthly security column for Mobile Enterprise magazine as well as an IT blog (www.benhalpert.com). He is also an adjunct instructor and on the advisory board of numerous colleges and universities.

AUDITING CLOUD COMPUTING
A Security and Privacy Guide

Companies are increasingly looking to Cloud Computing to improve operational efficiency, reduce head counts, and help with the bottom line. But security and privacy concerns present a strong barrier to entry. In an age when the consequences and potential costs of mistakes could quickly become catastrophic for companies that handle confidential and private customer data, auditors and IT security professionals must develop better ways of evaluating the security and privacy practices of Cloud services. Auditing Cloud Computing presents a collection of white papers written by renowned thought leaders in the field of auditing Cloud Computing to show you how to audit your company's hosted services.

Providing a holistic view of this elastic, on-demand service, Auditing Cloud Computing is your one-stop reference to Cloud Computing and the many questions that may arise during preparation of an audit program or throughout the course of an audit or assessment. Edited by renowned information security researcher and practitioner Ben Halpert, this volume gathers a team of prominent Cloud experts who have labored to provide insight into many aspects that you and your organization will encounter during your foray into the Cloud.

Written for Cloud consumers, providers, and integrators, Auditing Cloud Computing explores:

- The history, relevant definitions, deployment models, and challenges of Cloud computing
- What you can expect when creating audit programs for Cloud environments
- How the industry efforts of CSA, NIST, ISACA, and ENISA have influenced security and compliance programs
- Implementing, extending, and maintaining a governance program for Cloud activities
- How to leverage existing lifecycle controls
- Cross-cloud deployments
- Cloud-based IT delivery and support
- How "radical simplification" and "securely shared" concepts apply to all Cloud deployment models, even private Clouds
- Architecture considerations for Cloud service delivery and support
- The Cloud security continuum
- Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
- Regulations along with Cloud-specific considerations
- Shaping the future of Cloud Computing security and audit

Learn how to conduct a proper audit to ensure the security and privacy of your company's data in the Cloud with the necessary guidance found in Auditing Cloud Computing.
