Securing Cloud Services
A pragmatic guide
Second edition
LEE NEWCOMBE, PH.D
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:
IT Governance Publishing Ltd
Unit 3, Clive Court
Bartholomews Walk
Cambridgeshire Business Park
Ely
Cambridgeshire
CB7 4EA
United Kingdom
www.itgovernancepublishing.co.uk
Lee Newcombe 2012, 2020.
The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.
First published in the United Kingdom in 2012 by IT Governance Publishing.
ISBN 978-1-84928-398-4
Second edition published in the United Kingdom in 2020 by IT Governance Publishing.
ISBN 978-1-78778-207-5
PREFACE
Cloud computing represented a major change to the IT services landscape. For the first time, enterprise grade computing power was made available to all without the need to invest in the associated hosting environments, operations staff or complicated procurement activities. Unfortunately, this flexibility did not come without compromise or risk.
Security remains one of the major concerns of chief information officers (CIOs) considering a move to Cloud-based services. The aim of this book is to provide pragmatic guidance on how organisations can achieve a consistent and cohesive security posture across their IT services regardless of whether those services are hosted on-premises, on Cloud services or using a combination of both.
This book provides an overview of security architecture processes and how these may be used to derive an appropriate set of security controls to manage the risks associated with working 'in the Cloud'. This guidance is provided through the application of a Security Reference Model to the different Cloud delivery models of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). It also considers the required changes in approach to work securely with the newer Function as a Service (FaaS) model.
Please note that this book is not a hands-on technical reference manual; those looking for code snippets or detailed designs should look elsewhere.
ABOUT THE AUTHOR
Lee Newcombe is an experienced and well qualified security architect. During his career, he has been employed by a major retail bank, two of the Big 4 consultancies and a global systems integrator (twice). His roles have included penetration testing, security audit, security architecture, security design, security implementation, business continuity, disaster recovery, forensics, identity and access management, security monitoring and many other facets of information assurance. He has worked across various sectors, including financial services, retail, utilities and government, from the very earliest days of the UK government G-Cloud programme through to his current role helping FTSE100 companies succeed with their Cloud First strategies. He currently leads the Cloud Security capability in Northern Europe for a global systems integrator.
He is a TOGAF 9-certified enterprise architect and holds numerous security certifications including CISSP, CCSK, full membership of the Institute of Information Security Professionals and is a CESG Certified Senior Information Risk Advisor, having previously been a long-term member of the CESG Listed Advisor Scheme. Lee acted as the chair of the UK Chapter of the Cloud Security Alliance from 2017 to 2019 and has been writing about, presenting on and working with Cloud technologies since 2008.
ACKNOWLEDGEMENTS
Cloud computing, and the enterprise appetite for Cloud adoption, have both matured since I completed the first edition of this book back in 2012. Cloud years are apparently like dog years; that being the case, this second edition has required substantial updates to bring the content up to date. I am extremely grateful to a number of peers for their review comments on the revised manuscript, including:
Ian Bramhill, John Sorzano, Paul Ward, Koby Kulater, Nasir Razzaq, James Relph, Alex Stezycki, Simon Hill, John Ward and Kevin Watkins.
I am also grateful to my ever (almost) patient wife Lynne for her review of the text from a general readability perspective, as well as the expert editing offered by IT Governance Publishing.
Despite the efforts of all of the above, there is always the chance that I have erred in this document any such technical errors are purely my own!
Finally, many thanks to you, the reader. Books would be very lonely places if left all by themselves; I hope you find something of value within these pages.
CONTENTS
Part 1: Securing Cloud services setting the scene
INTRODUCTION
provides the foundation for the rest of this book as it introduces the concepts embodied within Cloud computing, describes the associated security threats and lists a few of the existing industry initiatives dedicated to improving the security of Cloud services.
introduces a number of security architecture concepts and a conceptual Security Reference Model. This model is then applied to the different Cloud service models Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Function as a Service (FaaS) to show how the conceptual security services within the reference model can be delivered for each Cloud service model.
If you are already familiar with Cloud computing models, terminologies and associated risks then you could go straight to a useful refresher.
Throughout this book, I have italicised the names of the security services defined within the Security Reference Model (SRM). This is to distinguish between the name of a service such as identity management and the wider topic of identity management.
CHAPTER 1: INTRODUCTION TO CLOUD COMPUTING
Cloud computing
One of the more evocative labels for an IT delivery model certainly more so than the utility computing label to which Cloud owes much of its heritage. However, like its rain-carrying namesake, Cloud computing can be difficult to describe, with many observers having their own perspective on what is, and what is not, Cloud. Many people use Cloud services without realising that they are doing so iTunes, Facebook and Twitter are all examples of Cloud services. However, these are consumer Cloud services, aimed at individual users, and the security of such consumer services is not discussed within this book.