Securing Cloud Services

Securing Cloud Services: A pragmatic approach to security architecture in the Cloud

LEE NEWCOMBE
Copyright Date: 2012
Published by: IT Governance Publishing
Pages: 329
https://www.jstor.org/stable/j.ctt5hh6g0
    Book Description:

    This book provides an overview of security architecture processes and explains how they may be used to derive an appropriate set of security controls to manage the risks associated with working in the Cloud. Part 1 introduces Cloud Computing and describes the main service models (IaaS, PaaS and SaaS) and deployment models (public, private, community and hybrid) as defined by NIST. It outlines the common benefits, and describes some of the potential pitfalls of, and threats associated with, Cloud Computing. Part 2 outlines security architecture concepts and describes how they relate to Cloud Computing. It uses a conceptual security reference model (SRM) to define a set of common security services and explains how they can be delivered across the various service models in order to secure a Cloud service. Part 3 provides summary conclusions, and speculates on the future of Cloud Computing and its associated market.

    eISBN: 978-1-84928-397-7
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. PREFACE
    (pp. 5-5)
  3. ABOUT THE AUTHOR
    (pp. 6-6)
  4. ACKNOWLEDGEMENTS
    (pp. 7-8)
  5. Table of Contents
    (pp. 9-10)
  6. Part One: Introduction
    • CHAPTER 1: INTRODUCTION TO CLOUD COMPUTING
      (pp. 12-16)

      Cloud Computing: one of the more evocative labels for an IT delivery model – certainly more so than the “utility computing” label, to which Cloud owes much of its heritage. However, like its rain-bearing namesake, Cloud Computing can be difficult to describe, with many observers having their own perspective on what is, and what isn’t, Cloud. Many people use Cloud services without realising that they are doing so; iTunes, Hotmail, Facebook and Twitter are all examples of Cloud services. However, these are consumer Cloud services, which are aimed at individual users; the security of such consumer services is not discussed...

    • CHAPTER 2: OVERVIEW OF EXISTING CLOUD TAXONOMIES AND MODELS
      (pp. 17-31)

      Chapter 1 provided an informal introduction to the main concepts underlying the Cloud Computing model. This chapter provides a more formal set of definitions and introduces common terminology to enable a shared understanding of what is meant when I use such terms as “Infrastructure as a Service”, “Community Clouds” and “deployment models”.

      There are a number of different definitions of Cloud Computing, but the most widely accepted is probably that produced by NIST². The NIST definition describes Cloud Computing as being:

      … a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g....

    • CHAPTER 3: THE SECURITY BALANCE
      (pp. 32-50)

      This chapter aims to give a pragmatic overview of some of the potential security benefits and potential pitfalls of working in the Cloud. From the security perspective, working in the Cloud typically tends to be neither intrinsically better nor worse than working on-premise – just different.

      Like beauty, security is very much in the eye of the beholder. This is a slightly pretentious way of saying that “good” security is (or at least should be) dependent on the context of your organisation in terms of the nature of your business, the threats and vulnerabilities to which your business is exposed...

    • CHAPTER 4: SECURITY THREATS ASSOCIATED WITH CLOUD COMPUTING
      (pp. 51-62)

      The previous chapter illustrated some of the potential benefits and pitfalls associated with the security of Cloud Computing. It is worth pointing out that, in the PwC 2012 Global State of Information Security Survey²², PwC report that the majority of those organisations that have implemented Cloud solutions believe that their move to the Cloud has improved their security.

      This chapter highlights some of the threat actors that may be in a position to attack a Cloud-based service. Some of the threat actors discussed in this chapter are taken from the NIST list of important actors for Public Clouds, which is...

    • CHAPTER 5: PRIVACY AND DATA SECURITY CONCERNS
      (pp. 63-72)

      Alongside security, compliance with legislative and regulatory requirements ranks as one of the most commonly cited concerns for those considering a move to Cloud Computing.

      This chapter provides a brief overview of the data privacy concerns impacting the adoption of Cloud services, primarily those imposed by the European Union through the Data Protection Directive. There is also a brief discussion of mechanisms to achieve compliance with the Payment Card Industry Data Security Standard (PCI-DSS) when operating in the Cloud.

      This chapter is not intended to provide comprehensive advice on the legality or compliance status of any particular Cloud solution –...

  7. Part Two: Pragmatic Cloud Security
    • CHAPTER 6: INTRODUCTION TO SECURITY ARCHITECTURE
      (pp. 74-86)

      Chapter 6 introduces the concepts of security architecture, drawing on well-established enterprise architecture methodologies to derive logical services that deliver consistent levels of security, regardless of the technologies used to implement those services. One of the main advantages of adopting this approach is the complete traceability from business requirement to technical component. This allows the business to understand how their risks are managed and to understand the consequences of any move to Cloud-based services.

      The international software architecture standard ISO/IEC 42010³⁷ defines architecture as, “The fundamental organization of a system, embodied in its components, their relationships to each other and...

    • CHAPTER 7: APPLICATION OF SECURITY ARCHITECTURE TO CLOUD COMPUTING
      (pp. 87-114)

      Chapter 6 introduced some fundamental concepts of security architecture. In this chapter, we begin to apply some of these concepts to the area of Cloud Computing. The use of a security architecture methodology allows organisations to approach Cloud-based deliveries with the confidence that their security concerns have been identified and appropriately managed. Rather than acting as a blocker, security can act as a mechanism for enabling organisations to take advantage of the undoubted benefits of Cloud Computing.

      I shall use a security reference model that I have used elsewhere to act as a framework for the discussion of approaches to...

    • CHAPTER 8: SECURITY AND THE CLOUD
      (pp. 115-142)

      This chapter begins with a brief overview of the existing guidance available to those with an interest in Cloud security. I then propose mechanisms for delivering the generic security services within the security reference model (SRM), i.e. those that are common to all three Cloud service models and where the delivery of the service is not overly impacted by the choice of IaaS, PaaS or SaaS.

      Finally, this chapter also discusses the relative merits of the different Cloud deployment models from a security point of view.

      Cloud Computing has been billed as the next major advance in IT provisions for...

    • CHAPTER 9: SECURITY AND INFRASTRUCTURE AS A SERVICE
      (pp. 143-218)

      In this chapter, I describe how the security services defined within the security reference model (SRM) – shown in Figure 7 – can be delivered by those implementing an application upon an Infrastructure as a Service Cloud.

      There are many IaaS providers offering a variety of different types of service. The OpenCrowd Cloud taxonomy, found at http://cloudtaxonomy.opencrowd.com/taxonomy/infrastructure-as-a-service/, suggests the following categories of IaaS services:

      Backup and recovery

      Compute

      Content delivery networks

      Multi-Cloud management

      Services management, and

      Storage.

      Personally, I would add Virtual Desktop Infrastructure (VDI) to this list. A number of Public Cloud providers offer VDI services, while the use...

    • CHAPTER 10: SECURITY AND PLATFORM AS A SERVICE
      (pp. 219-269)

      This chapter describes how the security services defined within the security reference model (SRM) shown in Figure 7 may be delivered by consumers implementing an application upon a Platform as a Service Cloud.

      Whilst I may occasionally provide examples of the security services offered by PaaS providers, it is not my intention to provide a comprehensive overview of any particular PaaS platform. Similarly, I am not attempting to provide an exhaustive catalogue of available PaaS solutions. As with the rest of this book, my aim is to help you to adopt a way of working that enables you to find...

    • CHAPTER 11: SECURITY AND SOFTWARE AS A SERVICE
      (pp. 270-293)

      In this chapter, I describe how the security services defined within the security reference model (SRM) – shown in Figure 7 – may be delivered by consumers implementing a service using a Software as a Service (SaaS) Cloud.

      The OpenCrowd taxonomy¹²⁴ of Cloud services splits SaaS CSPs into a number of different categories:

      Billing

      CRM

      Collaboration

      Content management

      Document management

      ERP

      Environmental health & safety

      Financials

      Health and wellness

      Human resources

      IT Services management

      Personal productivity

      Project management

      Sales

      Security

      Social networks.

      Examples of SaaS providers include:

      Salesforce.com (www.salesforce.com)

      FinancialForce.com (www.financialforce.com)

      Sage (www.sageone.com)

      Intuit (www.intuit.com)

      Netsuite (www.netsuite.com/portal/home.shtml)

      SuccessFactors (www.successfactors.com)

      RightNow (www.rightnow.com/cx-suite.php)...

  8. Part Three: Conclusion
    • CHAPTER 12: LOOKING AHEAD
      (pp. 295-302)

      This book primarily concerns the current state of Cloud Computing. I believe an appropriate way to finish is to engage in a look to the near future of Cloud Computing and the attendant security implications. This chapter is purely my personal opinion on the likely evolution of Cloud Computing – you may well have different opinions!

      I believe that Cloud Computing is here to stay; the agility and flexibility that Cloud offers cannot be matched by traditional delivery models. The increasing adoption of Cloud Computing by their clients will force the big systems integration companies to embrace the Cloud model....

    • CHAPTER 13: CONCLUSION AND SUMMARY
      (pp. 303-306)

      The purpose of this book has been to act as a guide to the possibilities open to those looking to adopt Cloud Computing in a risk-managed manner. In order to do so, I’ve adopted a fairly standard format: an introduction to the problem space, a review of past work, a suggested approach, and then examples of how that approach can be implemented.

      I have not tried to be exhaustive, overly comprehensive or dictatorial in tone. My aim has been to suggest an approach and a set of controls for your consideration; only you, your business stakeholders and security subject matter...

  9. APPENDIX A: SRM SECURITY SERVICE ASSIGNMENTS
    (pp. 307-325)
  10. ITG RESOURCES
    (pp. 326-329)