CSA Guide to Cloud Computing
Implementing Cloud Privacy and Security
Raj Samani
Brian Honan
Jim Reavis
Vladimir Jirasek
Technical Editor
Copyright
Acquiring Editor: Chris Katsaropoulos
Editorial Project Manager: Benjamin Rearick
Project Manager: Punithavathy Govindaradjane
Designer: Mark Rogers
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
Copyright 2015 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Samani, Raj, author.
CSA guide to cloud computing: implementing cloud privacy and security / Raj Samani, Brian Honan, Jim Reavis; Vladimir Jirasek, technical editor.
pages cm
ISBN 978-0-12-420125-5 (paperback)
1. Cloud computing. 2. Cloud computing--Security measures. 3. Computer security. I. Honan, Brian, author. II. Reavis, Jim, author. III. Jirasek, Vladimir, editor. IV. CSA (Organization) V. Title. VI. Title: Cloud Security Alliance guide to cloud computing.
QA76.585.S376 2014
004.6782dc23
2014031206
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
ISBN: 978-0-12-420125-5
For information on all Syngress publications, visit our website at store.elsevier.com/Syngress
Forewords
Our dependency on technology has grown almost as fast as new acronyms and buzzwords are introduced to the industry. Cloud computing equally represents a remarkable illustration of this dependency. While the term cloud security is new, the basic concept has been around for many years. Almost every Internet user is now leveraging some form of cloud computing and in certain cases not even realizing that they are using the cloud, or more importantly understanding their dependency on cloud services. This, of course, represents a wonderful opportunity to all of us, the ability to leverage incredible technical resources without the burden of having to buy, set up, secure, and maintain systems. Add to this that we only have to pay for the resources we need, and there is no question that cloud computing not only acts as a wonderful resource to support our technical lives, but is also a great driver for innovation and economic growth.
There are many excellent examples of the economic benefits of cloud computing for individuals, small businesses, large enterprises, and the public sector alike. However, as our dependency on cloud computing grows so do the increased risks around security and privacy. With such a concentration of system resources and customers, the impact of a major outage will have greater ramifications than ever before. An outage affecting only one organization means that the impact will affect only that organization and their stakeholders. With cloud computing however, an outage or major incident will not only affect one customer, but potentially an entire industry.
Herein lies the risk; as our dependency on cloud computing grows so does the potential impact of any incident. These risks go beyond cyber of course, with natural disasters, bankruptcy, and even law enforcement action against providers that do not undertake appropriate due diligence on what their customers do. Without the requisite transparency, end customers for cloud computing may be completely unaware of such risks until it is too late. Indeed many examples exist where customers realize something is wrong only when they can no longer gain access to their resources.
This book is critical in building the necessary levels of assurance required to protect such valuable resources. Of course the level of assurance will vary, but having the necessary tools is imperative. The Cloud Security Alliance and the authors of this book have provided a comprehensive view of the salient points required to protect assets with cloud service providers with appropriate references to external sources for more detail. Such measures are imperative as we have seen with the advent of the US FedRAMP, but also a multitude of other certification schemes established to build the confidence we all expect when using the cloud.
Cloud computing is here to stay. It promises tremendous opportunities that benefit each and every one of us. This is not lost on cyber criminals, and the need for protecting, or the benefits of, such critical assets has never been so great.
By Honorable Howard A. Schmidt, Partner, Ridge Schmidt Cyber, Former Cyber Security Advisor for Presidents George W. Bush and Barack Obama
Throughout history, great inventions and innovations have been underestimated and even ridiculed, only to exceed all expectations and change the world. The Internet clearly falls into the category of wildly successful innovations, a research network that languished in obscurity for years, only to burst onto the scene in the 1990s and become a pervasive part of business and society. At the same time, many contemporaneous technology trends have failed to fulfill their promise. With the hype that has surrounded cloud computing over the past several years, it is easy to fall into the same complacent thinking: Is not cloud just a new characterization of preexisting computing technologies, such as the mainframe and the World Wide Web?
Cloud computing indeed has a heritage in many familiar computing concepts. Like many transformational technologies, timing is everything. Cloud is transforming computing into a utility, the most powerful utility yet conceived. The idea that any person on Earth, rather than a privileged few, can have access to an unlimited amount of computing power, on demand, is startling in its possibilities. The idea that sophisticated new software-driven businesses can be built in the cloud in days rather than years is mind boggling. With each passing day, Cloud Security Alliance (CSA) receives new evidence that the cloud revolution is upon us. Global enterprises tell us that they are "all in" with the cloud. Financial institutions tell us they have opened their last internal data center. Software companies tell us that in the future, all of their products will exist in the cloud. Entrepreneurs are challenging every existing industry and dreaming up new ones, powered by the cloud. The time for cloud is now. Many of humanity's most difficult and pressing problems will someday be solved by the power of cloud computing, if we can trust it.