- •Cloud Computing
- •Foreword
- •Preface
- •Introduction
- •Expected Audience
- •Book Overview
- •Part 1: Cloud Base
- •Part 2: Cloud Seeding
- •Part 3: Cloud Breaks
- •Part 4: Cloud Feedback
- •Contents
- •1.1 Introduction
- •1.1.1 Cloud Services and Enabling Technologies
- •1.2 Virtualization Technology
- •1.2.1 Virtual Machines
- •1.2.2 Virtualization Platforms
- •1.2.3 Virtual Infrastructure Management
- •1.2.4 Cloud Infrastructure Manager
- •1.3 The MapReduce System
- •1.3.1 Hadoop MapReduce Overview
- •1.4 Web Services
- •1.4.1 RPC (Remote Procedure Call)
- •1.4.2 SOA (Service-Oriented Architecture)
- •1.4.3 REST (Representative State Transfer)
- •1.4.4 Mashup
- •1.4.5 Web Services in Practice
- •1.5 Conclusions
- •References
- •2.1 Introduction
- •2.2 Background and Related Work
- •2.3 Taxonomy of Cloud Computing
- •2.3.1 Cloud Architecture
- •2.3.1.1 Services and Modes of Cloud Computing
- •Software-as-a-Service (SaaS)
- •Platform-as-a-Service (PaaS)
- •Hardware-as-a-Service (HaaS)
- •Infrastructure-as-a-Service (IaaS)
- •2.3.2 Virtualization Management
- •2.3.3 Core Services
- •2.3.3.1 Discovery and Replication
- •2.3.3.2 Load Balancing
- •2.3.3.3 Resource Management
- •2.3.4 Data Governance
- •2.3.4.1 Interoperability
- •2.3.4.2 Data Migration
- •2.3.5 Management Services
- •2.3.5.1 Deployment and Configuration
- •2.3.5.2 Monitoring and Reporting
- •2.3.5.3 Service-Level Agreements (SLAs) Management
- •2.3.5.4 Metering and Billing
- •2.3.5.5 Provisioning
- •2.3.6 Security
- •2.3.6.1 Encryption/Decryption
- •2.3.6.2 Privacy and Federated Identity
- •2.3.6.3 Authorization and Authentication
- •2.3.7 Fault Tolerance
- •2.4 Classification and Comparison between Cloud Computing Ecosystems
- •2.5 Findings
- •2.5.2 Cloud Computing PaaS and SaaS Provider
- •2.5.3 Open Source Based Cloud Computing Services
- •2.6 Comments on Issues and Opportunities
- •2.7 Conclusions
- •References
- •3.1 Introduction
- •3.2 Scientific Workflows and e-Science
- •3.2.1 Scientific Workflows
- •3.2.2 Scientific Workflow Management Systems
- •3.2.3 Important Aspects of In Silico Experiments
- •3.3 A Taxonomy for Cloud Computing
- •3.3.1 Business Model
- •3.3.2 Privacy
- •3.3.3 Pricing
- •3.3.4 Architecture
- •3.3.5 Technology Infrastructure
- •3.3.6 Access
- •3.3.7 Standards
- •3.3.8 Orientation
- •3.5 Taxonomies for Cloud Computing
- •3.6 Conclusions and Final Remarks
- •References
- •4.1 Introduction
- •4.2 Cloud and Grid: A Comparison
- •4.2.1 A Retrospective View
- •4.2.2 Comparison from the Viewpoint of System
- •4.2.3 Comparison from the Viewpoint of Users
- •4.2.4 A Summary
- •4.3 Examining Cloud Computing from the CSCW Perspective
- •4.3.1 CSCW Findings
- •4.3.2 The Anatomy of Cloud Computing
- •4.3.2.1 Security and Privacy
- •4.3.2.2 Data and/or Vendor Lock-In
- •4.3.2.3 Service Availability/Reliability
- •4.4 Conclusions
- •References
- •5.1 Overview – Cloud Standards – What and Why?
- •5.2 Deep Dive: Interoperability Standards
- •5.2.1 Purpose, Expectations and Challenges
- •5.2.2 Initiatives – Focus, Sponsors and Status
- •5.2.3 Market Adoption
- •5.2.4 Gaps/Areas of Improvement
- •5.3 Deep Dive: Security Standards
- •5.3.1 Purpose, Expectations and Challenges
- •5.3.2 Initiatives – Focus, Sponsors and Status
- •5.3.3 Market Adoption
- •5.3.4 Gaps/Areas of Improvement
- •5.4 Deep Dive: Portability Standards
- •5.4.1 Purpose, Expectations and Challenges
- •5.4.2 Initiatives – Focus, Sponsors and Status
- •5.4.3 Market Adoption
- •5.4.4 Gaps/Areas of Improvement
- •5.5.1 Purpose, Expectations and Challenges
- •5.5.2 Initiatives – Focus, Sponsors and Status
- •5.5.3 Market Adoption
- •5.5.4 Gaps/Areas of Improvement
- •5.6 Deep Dive: Other Key Standards
- •5.6.1 Initiatives – Focus, Sponsors and Status
- •5.7 Closing Notes
- •References
- •6.1 Introduction and Motivation
- •6.2 Cloud@Home Overview
- •6.2.1 Issues, Challenges, and Open Problems
- •6.2.2 Basic Architecture
- •6.2.2.1 Software Environment
- •6.2.2.2 Software Infrastructure
- •6.2.2.3 Software Kernel
- •6.2.2.4 Firmware/Hardware
- •6.2.3 Application Scenarios
- •6.3 Cloud@Home Core Structure
- •6.3.1 Management Subsystem
- •6.3.2 Resource Subsystem
- •6.4 Conclusions
- •References
- •7.1 Introduction
- •7.2 MapReduce
- •7.3 P2P-MapReduce
- •7.3.1 Architecture
- •7.3.2 Implementation
- •7.3.2.1 Basic Mechanisms
- •Resource Discovery
- •Network Maintenance
- •Job Submission and Failure Recovery
- •7.3.2.2 State Diagram and Software Modules
- •7.3.3 Evaluation
- •7.4 Conclusions
- •References
- •8.1 Introduction
- •8.2 The Cloud Evolution
- •8.3 Improved Network Support for Cloud Computing
- •8.3.1 Why the Internet is Not Enough?
- •8.3.2 Transparent Optical Networks for Cloud Applications: The Dedicated Bandwidth Paradigm
- •8.4 Architecture and Implementation Details
- •8.4.1 Traffic Management and Control Plane Facilities
- •8.4.2 Service Plane and Interfaces
- •8.4.2.1 Providing Network Services to Cloud-Computing Infrastructures
- •8.4.2.2 The Cloud Operating System–Network Interface
- •8.5.1 The Prototype Details
- •8.5.1.1 The Underlying Network Infrastructure
- •8.5.1.2 The Prototype Cloud Network Control Logic and its Services
- •8.5.2 Performance Evaluation and Results Discussion
- •8.6 Related Work
- •8.7 Conclusions
- •References
- •9.1 Introduction
- •9.2 Overview of YML
- •9.3 Design and Implementation of YML-PC
- •9.3.1 Concept Stack of Cloud Platform
- •9.3.2 Design of YML-PC
- •9.3.3 Core Design and Implementation of YML-PC
- •9.4 Primary Experiments on YML-PC
- •9.4.1 YML-PC Can Be Scaled Up Very Easily
- •9.4.2 Data Persistence in YML-PC
- •9.4.3 Schedule Mechanism in YML-PC
- •9.5 Conclusion and Future Work
- •References
- •10.1 Introduction
- •10.2 Related Work
- •10.2.1 General View of Cloud Computing frameworks
- •10.2.2 Cloud Computing Middleware
- •10.3 Deploying Applications in the Cloud
- •10.3.1 Benchmarking the Cloud
- •10.3.2 The ProActive GCM Deployment
- •10.3.3 Technical Solutions for Deployment over Heterogeneous Infrastructures
- •10.3.3.1 Virtual Private Network (VPN)
- •10.3.3.2 Amazon Virtual Private Cloud (VPC)
- •10.3.3.3 Message Forwarding and Tunneling
- •10.3.4 Conclusion and Motivation for Mixing
- •10.4 Moving HPC Applications from Grids to Clouds
- •10.4.1 HPC on Heterogeneous Multi-Domain Platforms
- •10.4.2 The Hierarchical SPMD Concept and Multi-level Partitioning of Numerical Meshes
- •10.4.3 The GCM/ProActive-Based Lightweight Framework
- •10.4.4 Performance Evaluation
- •10.5 Dynamic Mixing of Clusters, Grids, and Clouds
- •10.5.1 The ProActive Resource Manager
- •10.5.2 Cloud Bursting: Managing Spike Demand
- •10.5.3 Cloud Seeding: Dealing with Heterogeneous Hardware and Private Data
- •10.6 Conclusion
- •References
- •11.1 Introduction
- •11.2 Background
- •11.2.1 ASKALON
- •11.2.2 Cloud Computing
- •11.3 Resource Management Architecture
- •11.3.1 Cloud Management
- •11.3.2 Image Catalog
- •11.3.3 Security
- •11.4 Evaluation
- •11.5 Related Work
- •11.6 Conclusions and Future Work
- •References
- •12.1 Introduction
- •12.2 Layered Peer-to-Peer Cloud Provisioning Architecture
- •12.4.1 Distributed Hash Tables
- •12.4.2 Designing Complex Services over DHTs
- •12.5 Cloud Peer Software Fabric: Design and Implementation
- •12.5.1 Overlay Construction
- •12.5.2 Multidimensional Query Indexing
- •12.5.3 Multidimensional Query Routing
- •12.6 Experiments and Evaluation
- •12.6.1 Cloud Peer Details
- •12.6.3 Test Application
- •12.6.4 Deployment of Test Services on Amazon EC2 Platform
- •12.7 Results and Discussions
- •12.8 Conclusions and Path Forward
- •References
- •13.1 Introduction
- •13.2 High-Throughput Science with the Nimrod Tools
- •13.2.1 The Nimrod Tool Family
- •13.2.2 Nimrod and the Grid
- •13.2.3 Scheduling in Nimrod
- •13.3 Extensions to Support Amazon’s Elastic Compute Cloud
- •13.3.1 The Nimrod Architecture
- •13.3.2 The EC2 Actuator
- •13.3.3 Additions to the Schedulers
- •13.4.1 Introduction and Background
- •13.4.2 Computational Requirements
- •13.4.3 The Experiment
- •13.4.4 Computational and Economic Results
- •13.4.5 Scientific Results
- •13.5 Conclusions
- •References
- •14.1 Using the Cloud
- •14.1.1 Overview
- •14.1.2 Background
- •14.1.3 Requirements and Obligations
- •14.1.3.1 Regional Laws
- •14.1.3.2 Industry Regulations
- •14.2 Cloud Compliance
- •14.2.1 Information Security Organization
- •14.2.2 Data Classification
- •14.2.2.1 Classifying Data and Systems
- •14.2.2.2 Specific Type of Data of Concern
- •14.2.2.3 Labeling
- •14.2.3 Access Control and Connectivity
- •14.2.3.1 Authentication and Authorization
- •14.2.3.2 Accounting and Auditing
- •14.2.3.3 Encrypting Data in Motion
- •14.2.3.4 Encrypting Data at Rest
- •14.2.4 Risk Assessments
- •14.2.4.1 Threat and Risk Assessments
- •14.2.4.2 Business Impact Assessments
- •14.2.4.3 Privacy Impact Assessments
- •14.2.5 Due Diligence and Provider Contract Requirements
- •14.2.5.1 ISO Certification
- •14.2.5.2 SAS 70 Type II
- •14.2.5.3 PCI PA DSS or Service Provider
- •14.2.5.4 Portability and Interoperability
- •14.2.5.5 Right to Audit
- •14.2.5.6 Service Level Agreements
- •14.2.6 Other Considerations
- •14.2.6.1 Disaster Recovery/Business Continuity
- •14.2.6.2 Governance Structure
- •14.2.6.3 Incident Response Plan
- •14.3 Conclusion
- •Bibliography
- •15.1.1 Location of Cloud Data and Applicable Laws
- •15.1.2 Data Concerns Within a European Context
- •15.1.3 Government Data
- •15.1.4 Trust
- •15.1.5 Interoperability and Standardization in Cloud Computing
- •15.1.6 Open Grid Forum’s (OGF) Production Grid Interoperability Working Group (PGI-WG) Charter
- •15.1.7.1 What will OCCI Provide?
- •15.1.7.2 Cloud Data Management Interface (CDMI)
- •15.1.7.3 How it Works
- •15.1.8 SDOs and their Involvement with Clouds
- •15.1.10 A Microsoft Cloud Interoperability Scenario
- •15.1.11 Opportunities for Public Authorities
- •15.1.12 Future Market Drivers and Challenges
- •15.1.13 Priorities Moving Forward
- •15.2 Conclusions
- •References
- •16.1 Introduction
- •16.2 Cloud Computing (‘The Cloud’)
- •16.3 Understanding Risks to Cloud Computing
- •16.3.1 Privacy Issues
- •16.3.2 Data Ownership and Content Disclosure Issues
- •16.3.3 Data Confidentiality
- •16.3.4 Data Location
- •16.3.5 Control Issues
- •16.3.6 Regulatory and Legislative Compliance
- •16.3.7 Forensic Evidence Issues
- •16.3.8 Auditing Issues
- •16.3.9 Business Continuity and Disaster Recovery Issues
- •16.3.10 Trust Issues
- •16.3.11 Security Policy Issues
- •16.3.12 Emerging Threats to Cloud Computing
- •16.4 Cloud Security Relationship Framework
- •16.4.1 Security Requirements in the Clouds
- •16.5 Conclusion
- •References
- •17.1 Introduction
- •17.1.1 What Is Security?
- •17.2 ISO 27002 Gap Analyses
- •17.2.1 Asset Management
- •17.2.2 Communications and Operations Management
- •17.2.4 Information Security Incident Management
- •17.2.5 Compliance
- •17.3 Security Recommendations
- •17.4 Case Studies
- •17.4.1 Private Cloud: Fortune 100 Company
- •17.4.2 Public Cloud: Amazon.com
- •17.5 Summary and Conclusion
- •References
- •18.1 Introduction
- •18.2 Decoupling Policy from Applications
- •18.2.1 Overlap of Concerns Between the PEP and PDP
- •18.2.2 Patterns for Binding PEPs to Services
- •18.2.3 Agents
- •18.2.4 Intermediaries
- •18.3 PEP Deployment Patterns in the Cloud
- •18.3.1 Software-as-a-Service Deployment
- •18.3.2 Platform-as-a-Service Deployment
- •18.3.3 Infrastructure-as-a-Service Deployment
- •18.3.4 Alternative Approaches to IaaS Policy Enforcement
- •18.3.5 Basic Web Application Security
- •18.3.6 VPN-Based Solutions
- •18.4 Challenges to Deploying PEPs in the Cloud
- •18.4.1 Performance Challenges in the Cloud
- •18.4.2 Strategies for Fault Tolerance
- •18.4.3 Strategies for Scalability
- •18.4.4 Clustering
- •18.4.5 Acceleration Strategies
- •18.4.5.1 Accelerating Message Processing
- •18.4.5.2 Acceleration of Cryptographic Operations
- •18.4.6 Transport Content Coding
- •18.4.7 Security Challenges in the Cloud
- •18.4.9 Binding PEPs and Applications
- •18.4.9.1 Intermediary Isolation
- •18.4.9.2 The Protected Application Stack
- •18.4.10 Authentication and Authorization
- •18.4.11 Clock Synchronization
- •18.4.12 Management Challenges in the Cloud
- •18.4.13 Audit, Logging, and Metrics
- •18.4.14 Repositories
- •18.4.15 Provisioning and Distribution
- •18.4.16 Policy Synchronization and Views
- •18.5 Conclusion
- •References
- •19.1 Introduction and Background
- •19.2 A Media Service Cloud for Traditional Broadcasting
- •19.2.1 Gridcast the PRISM Cloud 0.12
- •19.3 An On-demand Digital Media Cloud
- •19.4 PRISM Cloud Implementation
- •19.4.1 Cloud Resources
- •19.4.2 Cloud Service Deployment and Management
- •19.5 The PRISM Deployment
- •19.6 Summary
- •19.7 Content Note
- •References
- •20.1 Cloud Computing Reference Model
- •20.2 Cloud Economics
- •20.2.1 Economic Context
- •20.2.2 Economic Benefits
- •20.2.3 Economic Costs
- •20.2.5 The Economics of Green Clouds
- •20.3 Quality of Experience in the Cloud
- •20.4 Monetization Models in the Cloud
- •20.5 Charging in the Cloud
- •20.5.1 Existing Models of Charging
- •20.5.1.1 On-Demand IaaS Instances
- •20.5.1.2 Reserved IaaS Instances
- •20.5.1.3 PaaS Charging
- •20.5.1.4 Cloud Vendor Pricing Model
- •20.5.1.5 Interprovider Charging
- •20.6 Taxation in the Cloud
- •References
- •21.1 Introduction
- •21.2 Background
- •21.3 Experiment
- •21.3.1 Target Application: Value at Risk
- •21.3.2 Target Systems
- •21.3.2.1 Condor
- •21.3.2.2 Amazon EC2
- •21.3.2.3 Eucalyptus
- •21.3.3 Results
- •21.3.4 Job Completion
- •21.3.5 Cost
- •21.4 Conclusions and Future Work
- •References
- •Index
286 |
C. Onwubiko |
16.4.1 Security Requirements in the Clouds
A private (localised) cloud is a solely owned cloud, operated and used by an enterprise. It may be regulated and governed like other clouds, and most importantly, it is for ‘restricted’ users only. Private clouds are more secure than public clouds, and therefore, private clouds are most suitable for transmitting classified information, such as confidential and/or proprietary information. Information assets with lesser security requirements, such as personal information may still use a private cloud (see Fig. 16.4). It is pertinent to note that the use of a private cloud offers no guarantee as to the security or privacy of the information assets that it stores or transports. For example, the use of Microsoft Azure on-premise cloud platform does not provide any guarantee to the security and compliance of information that is stored or transported using this cloud. We recommend that organisations seeking to use the cloud for classified information or regulated transactions should use a private cloud, but must do so bearing in mind that the necessary security requirements of that information asset are constantly assessed and reviewed. Furthermore, private clouds come with a prize; for instance, the cost to rent, deploy or operate a private cloud is comparably and considerably higher than a public cloud.
A public cloud is an open cloud maintained by a cloud vendor for the general use of everyone including cybercriminals. A public cloud is most probably the most currently used cloud, such as Salesforce, Amazon EC2 and Amazon web services (see Fig. 16.2, [4]). A public cloud is relatively safe and offers a wide range of capability at reduced cost.
Agency clouds, like private clouds, are perceived to be secure and reliable because they are privately owned by the military or defence agencies. Hence, rigorous and complex security requirements are thought to be applied. Defence agency cloud may require separate legal, regulatory and security compliance measures different from those of public clouds. For example, the DISA cloud is subject to government legislation, while UK government clouds would be subject to CESG information assurance compliance and protective handling.
A community cloud is governed by the regulatory controls of that community,for example, health and financial institutions clouds. Integrated (hybrid) clouds combine a set of requirements from two or more co-joining clouds. These requirements are bound to vary depending on the specific requirements of the co-joining clouds. It is an illusion to think that hybrid clouds provide ‘high’ security. Each cloud must be assessed in its own right to determine its privacy, security and regulatory policies and practices.
16.5 Conclusion
Cloud computing is an emerging technology that offers unparalleled distributed computing resources at affordable infrastructure and operating costs. The cloud requires conscientious and diligent attention from both users and providers due to the inherent risks associated with its operating paradigm, such as ubiquitous network access, multi-tenancy service delivery, location independence, homogeneity and openness.
16 Security Issues to Cloud Computing |
287 |
In this chapter, cloud computing has been explained. Three of the widely used cloud services, namely, software computing, platform computing and infrastructure computing, and five of the deployment models, namely, private (localised), public, community, agency and hybrid clouds have been discussed.
Cloud computing, like existing utility services such as electricity, water and telephone, can be secure, safe and reliable; however, this can be achieved when security issues that exist with traditional IT services are evaluated in relation to cloud computing. Unfortunately, cloud computing offers varying levels of security and privacy based on the cloud model being deployed.
The proposed cloud security framework to assess cloud offerings provides a systematic assessment of cloud computing services based on cost, capability and security. It has been shown that the three cloud service models offered unique security requirements. Similarly, the capability of the deployment models (public, community, agency, private and hybrid) has been found to be unique and varied.
As organisations use the framework and information classification model proposed in this chapter to evaluate cloud services and information requirement respectively, we recommend that they do so by knowing that not all information assets should be migrated to the cloud.
About the Author
Dr. Cyril Onwubiko is a CLAS Consultant at Cable and Wireless, where he is responsible for providing information assurance to information assets of varying business impact levels (ILs) in accordance with the HMG security policy framework. Cyril is also currently the chair of the Security and Information Assurance Committee, E-Security Group at Research Series.
Prior to C&W, Cyril was an Information Security Consultant at British Telecom (BT), providing strategic information security undertakings. Earlier, Cyril worked at COLT Telecommunications Group for 8 years, participating in several projects, while helping COLT develop their IP VPN service – IP Corporate, a Pan-European IP VPN service for managed customers. Cyril also assisted COLT to roll out their enterprise-MPLS VPN core and was a focal engineer supporting SWIFT. He is experienced in VPN Security, Security Information and Event Management (SIEM), Data Fusion, IDS and Computer Network Security, and knowledgeable in Information Assurance, HMG Security Policy Framework (SPF) and Risk Assessment and Management.
Cyril holds a Ph.D. in Computer Network Security from Kingston University, London, UK, a Masters of Science degree (M.Sc.) in Internet Engineering from the University of East London, London, UK and a Bachelors of Science and Technology degree (B.Sc.), first class honours, in Computer Science and Mathematics from Federal University of Technology, Owerri. He is the author of two books, ‘Security Framework for Attack Detection in Computer Networks’ and ‘Concepts in Numerical Methods’.
288 |
C. Onwubiko |
References
1.Mell P, Grance T (2009) Draft NIST working definition of cloud computing. http://csrc.nist. gov/groups/SNS/cloud-computing/index.html. Accessed 16 Sept 2009
2.Mell P, Grance T (2009, August 12) Effectively and securely using the cloud computing paradigm, NIST
3.Kaufman LM (2009 July/August) Data security in the world of cloud computing. IEEE Sec Priv 7(4):61–64
4.Greenfield T (2009) Cloud computing in a military context – Beyond the Hype, Defense Information Systems Agency (DISA), DISA Office of the CTO. http://www.govinfosecurity. com/regulations.php?reg_id = 1432. Accessed 20 Sept 2009
5.NBC Federal Cloud Playbook (2009) National business center, Department of the Interior, Washington DC. http://cloud.nbc.gov/PDF/NBC%20Cloud%20White%20Paper%20 Final%20(Web%20Res).pdf. Accessed 23 Sept 2009
6.Microsoft Azure Services, http://www.microsoft.com/azure/services.mspx. Accessed 23 Sept 2009
7.Gellman R (2009) Privacy in the clouds: risks to privacy and confidentiality from cloud computing. http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf. Accessed 17 Sept 2009
8.Claburn T (2009) Google Apps contract in LA hits security Headwind, http://www.informationweek.com/news/showArticle.jhtml?articleID=218501443. InformationWeek. Accessed 20 July 2009
9.Onwubiko C, Lenaghan A (2009, March) Challenges and complexities of managing information security. Int J Elect Sec Digit Forensic IJESDF 3(2). ISSN (Online): 1751-9128 – ISSN (Print): 1751-911X
10. Safe Harbour (1998) European commission’s directive on data privacy and protection legislation, http://www.export.gov/safeharbor/SafeHarborInfo.htm. Accessed 17 Sept 2009
11. Onwubiko C (2008) Security framework for attack detection in computer networks. VDM Verlag, Germany
12. Cloud Security Alliance (2009), http://www.cloudsecurityalliance.org/. Accessed 19 Sept 2009 13. Cloud Computing Interoperability Forum (2009), http://www.cloudforum.org/. Accessed 17
Sept 2009
14. SB-1386, The California Security Breach Information Act (2002) SB1386 amending civil codes 1798.29, 1798.82 and 1798.84. http://en.wikipedia.org/wiki/SB_1386. Accessed 20 Sept 2009
15. Onwubiko C (2009), A security audit framework for security management in the enterprise. Commun Inform Sci 45:9–17, Springer. ISSN 1865-0929 (Print) 1865-0937 (Online)
16. Chaput SR (2009) Compliance and audit, security guidance for critical areas of focus in cloud computing, Cloud Security Alliance
17. Cohen R (2009) Lightning knocks out amazon’s compute cloud. Cloud Comput J. http:// cloudcomputing.sys-con.com/node/998582. Accessed 11 June 2009
18. Viega J (August 2009) Cloud computing and the common man. IEEE Comput 42(8):106–108
19. Ristenpart T, Tromer E, Shacham H, Savage S (2009) Hay, you, get off of my cloud: exploring information leakage in third-party compute clouds. ACM Computer Communications Security Conference CCS’09, November 2009
20. Cheesbrough P (2008, Dec) Into the cloud, lessons from the early adopters of cloud computing. Information Age
21. Youseff L et al. (2009) Toward a unified ontology of cloud computing. http://www.cs.ucsb. edu/~lyouseff/CCOntology/CloudOntology.pdf Accessed 15 Sept 2009
22. OpenCrowd (2009) The OpenCrowd cloud taxonomy. http://www.opencrowd.com/views/ cloud.php. Accessed 26 Sept 2009
23. Pfleeger SL (May/June 2009) Useful cybersecurity metrics. IEE IT Pro J 11(3):38–45
Chapter 17
Securing the Cloud
James P. Durbano, Derek Rustvold, George Saylor, and John Studarus
Abstract Despite the excitement surrounding the cloud, a relatively small percentage of organizations have actually begun incorporating cloud computing into their technology portfolios. Of the many obstacles to adopting the cloud model of delivery and consumption of computing resources, the number one concern, from users to CIOs/CTOs, is security. The lack of strong security controls can resonate through the cloud, opening all of the applications and services that are running across the cloud to exploitation. In this chapter, we examine cloud security, focusing our discussion on gaps within the existing ISO 27002 security controls when applied to cloud computing. These gaps are used to build a list of potential security concerns that may not be addressed by traditional (non-cloud) data center policy and procedures. Using the results of this gap analysis, a set of recommendations on how to incorporate security into the cloud is provided. Additionally, case studies of both publicand private-cloud provider security mechanisms are presented.
Abbreviations |
|
||
AWS |
Amazon Web Services |
|
|
CIO |
Chief Information Officer |
|
|
CTO |
Chief Technical Officer |
|
|
EC2 |
Elastic Compute Cloud (Amazon EC2) |
|
|
FIMSA |
Federal Information Security Management Act |
|
|
GLBA |
Gramm–Leach–Bliley Act |
|
|
HIPAA |
Health Information Portability and Accountability Act |
|
|
ISO |
International Organization for Standardization |
|
|
IT |
Information Technology |
|
|
NIST |
National Institute of Standards and Technology |
|
|
RAM |
Random Access Memory |
|
|
|
|
|
|
J.P. Durbano (*) |
|
||
Northrop Grumman 1840 Century Park East Los Angeles, CA 90067-2199, USA |
|
||
e-mail: james.durbano@ngc.com |
|
||
N. Antonopoulos and L. Gillam (eds.), Cloud Computing: Principles, |
289 |
||
Systems and Applications, Computer Communications and Networks, |
|
||
DOI 10.1007/978-1-84996-241-4_17, © Springer-Verlag London Limited 2010 |
|
||