E-book, English, 236 pages
Samani / Honan / Reavis: CSA Guide to Cloud Computing
Implementing Cloud Privacy and Security
1st edition 2014
ISBN: 978-0-12-420185-9
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark
CSA Guide to Cloud Computing brings you the most current and comprehensive understanding of cloud security issues and deployment techniques from industry thought leaders at the Cloud Security Alliance (CSA). For many years the CSA has been at the forefront of research and analysis into the most pressing security and privacy related issues associated with cloud computing. CSA Guide to Cloud Computing provides you with a one-stop source for industry-leading content, as well as a roadmap into the future considerations that the cloud presents. The authors of CSA Guide to Cloud Computing provide a wealth of industry expertise you won't find anywhere else. Author Raj Samani is the Chief Technical Officer for McAfee EMEA; author Jim Reavis is the Executive Director of CSA; and author Brian Honan is recognized as an industry leader in the ISO27001 standard. They will walk you through everything you need to understand to implement a secure cloud computing structure for your enterprise or organization.
- Your one-stop source for comprehensive understanding of cloud security from the foremost thought leaders in the industry
- Insight into the most current research on cloud privacy and security, compiling information from CSA's global membership
- Analysis of future security and privacy issues that will impact any enterprise that uses cloud computing
Raj Samani is an active member of the Information Security industry, through involvement with numerous initiatives to improve the awareness and application of security in business and society. He is currently working as the VP, Chief Technical Officer for McAfee EMEA, having previously worked as the Chief Information Security Officer for a large public sector organisation in the UK, and was recently inducted into the Infosecurity Europe Hall of Fame (2012). He previously worked across numerous public sector organisations, in many cyber security and research orientated working groups across Europe. Examples include the midata Interoperability Board, as well as representing DIGITALEUROPE on the Smart Grids Reference Group established by the European Commission in support of the Smart Grid Mandate. In addition, Raj is currently the Cloud Security Alliance's Strategic Advisor for EMEA, having previously served as the Vice President for Communications in the ISSA UK Chapter, where he presided over the award of Chapter Communications Programme of the Year in 2008 and 2009, having previously established the UK mentoring programme. He is also on the advisory council for the Infosecurity Europe show and Infosecurity Magazine, an expert on both searchsecurity.co.uk and the Infosec portal, and a regular columnist for Computer Weekly. He has had numerous security papers published, and has appeared on television (ITV and More4) commenting on computer security issues. He also provided assistance in the 2006 RSA Wireless Security Survey and was part of the consultation committee for the RIPA Bill (Part 3).
Further information & material
1 Front Cover
2 CSA Guide to Cloud Computing: Implementing Cloud Privacy and Security
3 Copyright
4 Contents
5 Forewords
  5.1 Partner, Ridge Schmidt Cyber
6 About the Authors
  6.1 RAJ SAMANI
  6.2 BRIAN HONAN
  6.3 JIM REAVIS
7 About the Cloud Security Alliance
  7.1 HISTORY
8 Acknowledgments
9 CSA Guide to Cloud Computing—Introduction
  9.1 HOW THIS BOOK IS STRUCTURED
10 Chapter 1 - Cloud Computing, What is it and What’s the Big Deal?
  10.1 DEFINING CLOUD COMPUTING
  10.2 ECONOMIC OPPORTUNITIES FOR CLOUD COMPUTING
  10.3 THE CLOUD IS “NOT” SECURE
  10.4 END NOTES
11 Chapter 2 - Selecting and Engaging with a Cloud Service Provider
  11.1 SECURITY, TRUST AND ASSURANCE REPOSITORY INITIATIVE
  11.2 ENGAGING WITH THE CLOUD SERVICE PROVIDER
  11.3 END NOTES
12 Chapter 3 - The Cloud Threat Landscape
  12.1 THE CLOUD THREAT LANDSCAPE
  12.2 NOTORIOUS NINE
  12.3 ADDITIONAL CLOUD THREATS
  12.4 END NOTES
13 Chapter 4 - Secure Cloud for Mobile Computing
  13.1 MOBILE TOP THREATS: EVIL 8.0
  13.2 ADDRESSING THE THREAT: MOBILE COMPONENTS
  13.3 END NOTES
14 Chapter 5 - Making the Move into the Cloud
  14.1 CLOUD COMPUTING CHECKLIST
  14.2 SECURITY FOR THE CLOUD
  14.3 END NOTES
15 Chapter 6 - Certification for Cloud Service Providers
  15.1 Certification for Cloud Service Providers
  15.2 END NOTES
16 Chapter 7 - The Privacy Imperative
  16.1 DOES CLOUD COMPUTING MAKE MY DATA ANY LESS PRIVATE?
  16.2 PRIVACY LEVEL AGREEMENT
  16.3 DATA PROTECTION CERTIFICATION
  16.4 END NOTES
17 Chapter 8 - Cloud Security Alliance Research
  17.1 BIG DATA WORKING GROUP
  17.2 CLOUD DATA GOVERNANCE
  17.3 CLOUDCERT
  17.4 CLOUDTRUST PROTOCOL
  17.5 ENTERPRISE ARCHITECTURE WORKING GROUP
  17.6 INCIDENT MANAGEMENT AND FORENSICS
  17.7 INNOVATION INITIATIVE
  17.8 SECURITY AS A SERVICE
  17.9 SECURITY GUIDANCE FOR CRITICAL AREAS OF FOCUS
  17.10 SOFTWARE DEFINED PERIMETER
  17.11 END NOTES
18 Chapter 9 - Dark Clouds, What to Do In The Event of a Security Incident
  18.1 BUILDING A SECURITY INCIDENT RESPONSE TEAM
  18.2 INCIDENT RESPONSE CHALLENGES IN THE CLOUD
  18.3 THE FUTURE
  18.4 END NOTES
19 Chapter 10 - The Future Cloud
  19.1 MORE, MORE, AND MORE
  19.2 CLOUD COMPUTING FOR CRITICAL INFRASTRUCTURE
  19.3 DEFINING THE SECURITY REQUIREMENTS FOR TOMORROW’S CLOUD
  19.4 END NOTES
20 Appendix
  20.1 AUTHENTICATION BYPASS
21 Index
Chapter 2 Selecting and Engaging with a Cloud Service Provider
Abstract
Selecting a cloud service provider will need to consider a number of key criteria, price being only one of these. This chapter will consider the available mechanisms to measure the security deployed by prospective providers.

Keywords
Assessment; Continuous monitoring; STAR initiative; Service level agreement

- The worst case scenario
- Security, Trust and Assurance Repository (STAR) initiative
- Engaging with the cloud service provider

The worst case scenario

The cloud service provider that you selected has just gone out of business. A letter has arrived at your door from the administrators of the provider warning you that unless you provide a large upfront cash payment by close of business today, the data center will close; oh, and by the way, if you do not want to pay and simply want your data back, it will probably take up to four months! This may sound like a hypothetical worst case scenario, but it is exactly the position customers of 2e2 recently found themselves in [1]. Administrators were hoping to raise a total of £960,000, with smaller users expected to contribute £5000 each. Failure to meet the required total would likely prove devastating to many if not all customers:

"We have received a number of requests from customers seeking to gain access to their data immediately. Unfortunately, the levels of data held in the companies’ datacentres are such that this process could take up to 16 weeks and we will need to ensure that the integrity of third-party data and security is maintained."

Consider the impact this type of scenario can have not only on your business, but also on your career and credibility within your place of employment. After all, you did undergo appropriate due diligence, did you not? There is no suggestion that 2e2 customers failed to undertake appropriate due diligence; indeed, the cause of the issue was financial and not the result of a security-related incident. However, it is presented as a warning that selecting and engaging with a cloud provider demands due diligence to satisfy not only the appropriate regulatory bodies (where applicable), but also the internal organization and, in a worst case scenario, the media and irate customers.

This due diligence will likely include not only the security maturity of the provider, but also their financial viability (wherever possible), possible analysis of the directors of the company, etc. One option would be to adopt a modified version of the Know Your Customer (KYC) principle used by financial institutions. The KYC controls typically include the following [2]:
- Collection and analysis of basic identity information.
- Name matching against lists of known parties.
- Determination of the customer’s risk in terms of propensity to commit money laundering, terrorist finance, or identity theft.
- Creation of an expectation of a customer’s transactional behavior.
- Monitoring of a customer’s transactions against their expected behavior and recorded profile as well as that of the customer’s peers.

While a like-for-like approach is unrealistic, as this application is so very different from selecting a cloud provider, a comprehensive assessment is advisable, as recommended by the Federal Financial Information Examination Council [3]. In their 2012 statement, they stated that “Cloud computing may require more robust controls due to the nature of the service. When evaluating the feasibility of outsourcing to a cloud computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessments of elements specific to that service.” [3]

Some of the steps that should be considered under the Know Your Cloud Service Provider process include the following, according to a paper by Peak the Cloud entitled “Tips for Selecting Your Cloud Provider” [4]:
- Solid reputation: This will involve checking for references from the provider’s existing clients, and whether these implementations relate to the service prospective clients are considering. This should also include whether their implementations align with the relevant industry/geography.
- Best of breed technology partnerships: It is advised to determine whether the prospective provider has the appropriate partnerships with technology providers that align with the potential service.
- Financial stability and growth: This measure will determine the financial viability of the provider, and will ultimately depend on the willingness of the provider to discuss their financial state. This may be feasible if the accounts are publicly accessible, and will allow potential customers to determine whether the provider has a history of stability and growth.
- Enterprise-grade data centers and state-of-the-art equipment: Where possible the potential customer should ensure that the infrastructure is capable of supporting the overall business. This will be a difficult measure to ascertain, as the right to audit is generally unavailable.
- Compliance, availability, and performance: These measures will be covered in further detail later in this chapter.

Many of these tips address business viability and as such are out of scope of this book, with security and privacy considerations the focus of this publication. Further, dependent on the service sought, not all of these measures will be required, as the level of due diligence should be commensurate with the level of risk the organization is willing to tolerate. For example, where a provider is sought to host commercially sensitive data, the level of due diligence should be higher than if noncommercially sensitive data are being hosted. There is no magic formula with regards to the level of due diligence that should be undertaken, nor is there any specific methodology that must be followed, although certain frameworks for regulated data may either be advisable or required (for example, the Privacy Impact Assessment for personal data).

Determining these factors will be entirely subjective; therefore, the following should be used as guidance and tailored according to the business (and business function).

Security, Trust and Assurance Repository Initiative

One option afforded to potential end customers is to engage with each and every potential cloud service provider to determine the security controls implemented. In fact, in discussions with many providers today, this appears to be the default method used by potential customers. Although such a method is likely to receive a response, it is an incredibly inefficient method for both provider and customer. For this reason, the Cloud Security Alliance launched the Security, Trust and Assurance Repository (STAR) in 2011. As discussed in Chapter 1, one of the greatest challenges associated with cloud computing is the lack of transparency regarding the level of security deployed by the provider. In an effort to address this issue, STAR was launched to provide a central repository that potential customers can freely access to determine the level of security deployed by providers. This provides a level of transparency that historically would most likely have required multiple e-mails/calls to each and every provider under consideration. Now potential customers not only have a single place to go to understand the security employed by multiple providers, but can also compare providers, thereby improving assurance in the cloud.

The registry itself is based on three layers:
1. Self-assessment: The first layer publishes the result of the Consensus Assessment Initiative Questionnaire (CAIQ) and/or the Cloud Controls Matrix (CCM). As the name suggests, this particular layer has been filled out and completed by the provider. Therefore, entries on this layer provide less assurance and transparency than subsequent layers. Please note that from March 2014, providers were given the option of using either CCM v1.4 or CCM v3. The opportunity to use both standards will remain until February 2015, whereupon all providers will be assessed against CCM v3.
2. Third-party assessment-based certification: The second layer publishes the results of an assessment undertaken by a third party on the cloud service provider against the CCM and International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 (please refer to Chapter 6 for more details on ISO/IEC standards), or American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) 2. Results within this layer provide a greater level of assurance, in that they are verified by a third party.
3. Continuous monitoring-based certification: Results within this layer are published in a continuous fashion. While the previous layers update the registry based on the audit or certification cycle (usually annually) of the provider, continuous monitoring leverages the Cloud Trust Protocol (CTP) to update, as the name suggests, continuously! As the results are provided even outside of annual audits, end customers are given the greatest transparency and assurance regarding the security maturity of the provider. Please refer to Chapter 6 for...