Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance by Tim Mather, Subra Kumaraswamy, Shahed Latif

Preface xi

1 Introduction 1

"Mind the Gap" 1

The Evolution of Cloud Computing 2

Summary 2

2 What Is Cloud Computing? 7

Cloud Computing Defined 7

The SPI Framework for Cloud Computing 11

The Traditional Software Model 17

The Cloud Services Delivery Model 17

Cloud Deployment Models 22

Key Drivers to Adopting the Cloud 26

The Impact of Cloud Computing on Users 27

Governance in the Cloud 30

Barriers to Cloud Computing Adoption in the Enterprise 30

Summary 34

3 Infrastructure Security 35

Infrastructure Security: The Network Level 36

Infrastructure Security: The Host Level 44

Infrastructure Security: The Application Level 49

Summary 59

4 Data Security and Storage 61

Aspects of Data Security 61

Data Security Mitigation 65

Provider Data and Its Security 66

Summary 71

5 Identity and Access Management 73

Trust Boundaries and IAM 73

Why IAM? 74

IAM Challenges 76

IAM Definitions 76

IAM Architecture and Practice 77

Getting Ready for the Cloud 80

Relevant IAM Standards and Protocols for Cloud Services 82

IAM Practices in the Cloud 92

Cloud Authorization Management 98

Cloud Service Provider IAM Practice 99

Guidance 104

Summary 107

6 Security Management In The Cloud 109

Security Management Standards 112

Security Management in the Cloud 113

Availability Management 115

SaaS Availability Management 117

PaaS Availability Management 120

IaaS Availability Management 122

Access Control 124

Security Vulnerability, Patch, and Configuration Management 130

Summary 141

7 Privacy 145

What is Privacy? 146

What Is the Data Life Cycle? 146

What Are the Key Privacy Concerns in the Cloud? 149

Who IsResponsible for Protecting Privacy? 150

Changes to Privacy Risk Management and Compliance in Relation to Cloud Computing 151

Legal and Regulatory Implications 155

U.S. Laws and Regulations 155

International Laws and Regulations 162

Summary 164

8 Audit and Compliance 167

Internal Policy Compliance 168

Governance, Risk, and Compliance (GRC) 170

Illustrative Control Objectives for Cloud Computing 174

Incremental CSP-Specific Control Objectives 179

Additional Key Management Control Objectives 180

Control Considerations for CSP Users 181

Regulatory/External Compliance 182

Other Requirements 192

Cloud Security Alliance 192

Auditing the Cloud for Compliance 194

Summary 202

9 Examples Of Cloud Service Providers 203

Amazon Web Services (laaS) 203

Google (SaaS, PaaS) 205

Microsoft Azure Services Platform (PaaS) 206

Proofpoint (SaaS, laaS) 207

RighiScale (laaS) 208

Salesforce.com (SaaS, PaaS) 210

Sun Open Cloud Platform 211

Workday (SaaS) 213

Summary 213

10 Security-As-A-[Cloud] Service 217

Origins 218

Today's Offerings 220

Summary 223

11 The Impact of Cloud Computing on The Role of Corporate It 225

Why Cloud Computing Wilt Be Popular with Business Units 226

Potential Threats of Using CSPs 228

A Case Study Illustrating Potential Changes in the IT Profession Caused by Cloud Computing 230

Governance Factors to Consider When Using Cloud Computing 235

Summary 236

12 Conclusion and The Future of The Cloud 239

Analyst Predictions 240

Survey Says? 242

Security in Cloud Computing 245

Program Guidance for CSP Customers 257

The Future of Security in Cloud Computing 260

Summary 265

A Sas 70 Report Content Example 267

B Systrust Report Content Example 273

C Open Security Architecture for Cloud Computing 279

Glossary 293

Index 299