Fr. 86.00

Auditing Cloud Computing - A Security and Privacy Guide

English · Hardback

Shipping usually within 1 to 3 weeks (not available at short notice)

Description

About the author

BEN HALPERT, CISSP, is an information security researcher and practitioner. He has keynoted and presented sessions at numerous conferences and was a contributing author to Readings and Cases in the Management of Information Security and the Encyclopedia of Information Ethics and Security. Halpert writes a monthly security column for Mobile Enterprise magazine as well as an IT blog (www.benhalpert.com). He is also an adjunct instructor and on the advisory board of numerous colleges and universities.

Blurb

AUDITING CLOUD COMPUTING: A Security and Privacy Guide

Companies are increasingly looking to Cloud Computing to improve operational efficiency, reduce head counts, and help with the bottom line. But security and privacy concerns present a strong barrier to entry. In an age when the consequences and potential costs of mistakes could quickly become catastrophic for companies that handle confidential and private customer data, auditors and IT security professionals must develop better ways of evaluating the security and privacy practices of Cloud services.

Auditing Cloud Computing presents a collection of white papers written by renowned thought leaders in the field of auditing Cloud Computing to show you how to audit your company's hosted services. Providing a holistic view to this elastic, on-demand service, Auditing Cloud Computing is your one-stop reference to Cloud Computing and the many questions that may arise during preparation of an audit program or throughout the course of an audit or assessment.

Edited by renowned information security researcher and practitioner Ben Halpert, this volume gathers a team of prominent Cloud experts who have labored to provide insight into many aspects that you and your organization will encounter during your foray into the Cloud.

Written for Cloud consumers, providers, and integrators, Auditing Cloud Computing explores:

The history, relevant definitions, deployment models, and challenges of Cloud computing
What you can expect when creating audit programs for Cloud environments
How the industry efforts of CSA, NIST, ISACA, and ENISA have influenced security and compliance programs
Implementing, extending, and maintaining a governance program for Cloud activities
How to leverage existing lifecycle controls
Cross-cloud deployments
Cloud-based IT delivery and support
How "radical simplification" and "securely shared" concepts apply to all Cloud deployment models, even private Clouds
Architecture considerations for Cloud service delivery and support
The Cloud security continuum
Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
Regulations along with Cloud-specific considerations
Shaping the future of Cloud Computing security and audit

Learn how to conduct a proper audit to ensure the security and privacy of your company's data in the Cloud with the necessary guidance found in Auditing Cloud Computing.

Summary

The auditor's guide to ensuring correct security and privacy practices in a cloud computing environment. Many organizations are reporting or projecting a significant cost savings through the use of cloud computing utilizing shared computing resources to provide ubiquitous access for organizations and end users.

List of contents

Preface xiii

Chapter 1: Introduction to Cloud Computing 1
History 1
Defining Cloud Computing 2
Elasticity 2
Multitenancy 3
Economics 3
Abstraction 3
Cloud Computing Services Layers 4
Infrastructure as a Service 5
Platform as a Service 5
Software as a Service 6
Roles in Cloud Computing 6
Consumer 6
Provider 6
Integrator 7
Cloud Computing Deployment Models 8
Private 8
Community 8
Public 9
Hybrid 9
Challenges 9
Availability 10
Data Residency 10
Multitenancy 11
Performance 11
Data Evacuation 12
Supervisory Access 12
In Summary 13

Chapter 2: Cloud-Based IT Audit Process 15
The Audit Process 16
Control Frameworks for the Cloud 18
ENISA Cloud Risk Assessment 20
FedRAMP 20
Entities Using COBIT 21
CSA Guidance 21
CloudAudit/A6--The Automated Audit, Assertion, Assessment, and Assurance API 22
Recommended Controls 22
Risk Management and Risk Assessment 26
Risk Management 27
Risk Assessment 27
Legal 28
In Summary 29

Chapter 3: Cloud-Based IT Governance 33
Governance in the Cloud 36
Understanding the Cloud 36
Security Issues in the Cloud 37
Abuse and Nefarious Use of Cloud Computing 38
Insecure Application Programming Interfaces 39
Malicious Insiders 39
Shared Technology Vulnerabilities 39
Data Loss/Leakage 40
Account, Service, and Traffic Hijacking 40
Unknown Risk Profile 40
Other Security Issues in the Cloud 41
Governance 41
IT Governance in the Cloud 44
Managing Service Agreements 44
Implementing and Maintaining Governance for Cloud Computing 46
Implementing Governance as a New Concept 46
Preliminary Tasks 46
Adopt a Governance Implementation Methodology 48
Extending IT Governance to the Cloud 49
In Summary 52

Chapter 4: System and Infrastructure Lifecycle Management for the Cloud 57
Every Decision Involves Making a Tradeoff 57
Example: Business Continuity/Disaster Recovery 59
What about Policy and Process Collisions? 60
The System and Management Lifecycle Onion 61
Mapping Control Methodologies onto the Cloud 62
Information Technology Infrastructure Library 63
Control Objectives for Information and Related Technology 64
National Institute of Standards and Technology 65
Cloud Security Alliance 66
Verifying Your Lifecycle Management 67
Always Start with Compliance Governance 67
Verification Method 68
Illustrative Example 70
Risk Tolerance 72
Special Considerations for Cross-Cloud Deployments 73
The Cloud Provider's Perspective 74
Questions That Matter 75
In Summary 76

Chapter 5: Cloud-Based IT Service Delivery and Support 79
Beyond Mere Migration 80
Architected to Share, Securely 80
Single-Tenant Offsite Operations (Managed Service Providers) 81
Isolated-Tenant Application Services (Application Service Providers) 81
Multitenant (Cloud) Applications and Platforms 82
Granular Privilege Assignment 82
Inherent Transaction Visibility 84
Centralized Community Creation 86
 

Report

"To summarize, the book is a good review of the current situation in the field. Every CISO and CIO should be aware of the developments in the cloud regardless of the intention of actually implementing its use." (Blog.itgovernance.co.uk, April 2012)

Product details

Authors Ben Halpert, Halpert Ben
Publisher Wiley, John and Sons Ltd
 
Languages English
Product format Hardback
Released 26.08.2011
 
EAN 9780470874745
ISBN 978-0-470-87474-5
No. of pages 224
Series Wiley Corporate F&A
Subjects Social sciences, law, business > Business > Business administration

Accounting, Auditing, Auditing (business), Business mathematics and systems, COMPUTERS / Distributed Systems / Cloud Computing
