INDEX

Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.

A

acceptable use policy, 34, 104–105

access controls, 220–221, 238

access keys, 121

accounting, 238

Act on the Protection of Personal Information (Japan), 55

Active Directory, 242–243

Active Directory Federation Services (ADFS), 242

ADFS. See Active Directory Federation Services (ADFS)

AICPA, 36, 85

Amazon, 115, 128, 206

Amazon Elastic Container Service (Amazon ECS), 172

Amazon S3, 5, 216, 235

Amazon Web Services (AWS), 118, 235

American Institute of Certified Public Accountants. See AICPA

Anglo-American model, 31

Apache Software Foundation, 269

API gateway, 118, 207

API lock-in, 288

API Mandate, 115, 206

APIs, 2, 10

background, 115–118

external, 115–116

internal, 115–116

open, 115–116

private, 115–116

REST APIs, 2, 10, 13, 116–118

SOAP APIs, 2, 13, 116, 118

application design and architectures, how the cloud impacts, 205–207

application plane, 139–140

application programming interfaces. See APIs

application security, 195

DevOps and continuous integration/continuous deployment, 196, 207–209

how the cloud impacts application design and architectures, 196, 205–207

secure software development lifecycle (SSDLC), 196–204

Application Stack Maps, 185

application-level controls, 221

application/platform storage, 217

applistructure, 6, 127, 227

“Architectural Styles and the Design of Network-based Software Architectures” (Fielding), 117

attestations, 65, 88

attribute-based access control (ABAC), 251, 252

attributes, 237

audit management

in the cloud, 83–84

how the cloud changes audits, 88–90

auditors, 37

requirements, 90

audits

background, 82

computer-assisted audit techniques, 81

continuous monitoring vs. continuous auditing, 80–81

defined, 82

and ENISA, 285, 286

first-party, 78

how the cloud changes audits, 88–90

pass-through, 80

right to audit, 78, 89

scope, 89–90

third-party, 65, 78

Australian Consumer Law of 2010, 54

Australian Privacy Principles (APPs), 54

authentication, 69, 237, 251

authenticity, vs. integrity, 59

authoritative sources, 238

authorization, 238

availability, 170

B

bastion virtual networks, 146–147

benefits of cloud computing, 3

Bezos, Jeff, 115, 206

BIA. See business impact analysis (BIA)

big data, 267–272

biometrics, 251

black swan vulnerability, 148

blob storage, 216

blue-green deployment approach, 208

Boto3 Software Development Kit (SDK), 118

Breach Notification Law, 61

business continuity planning (BCP), 113, 122

architecting for failure, 125

background, 123–125

chaos engineering, 127

for loss of the cloud provider, 128

for private cloud and providers, 128

and SecaaS, 263

site recovery options, 124

within the cloud provider, 126–127

business impact analysis (BIA), 123–124

C

caching services, 217

Cafarella, Mike, 269

CASB, 217–219, 260

categorization, vs. classification, 99

certification, 88

chaos engineering, 127

Children’s Online Privacy Protection Act of 1998 (COPPA), 60

CIA Triad, 59

CI/CD, 196, 207–209

CISA Certified Information Systems Auditor All-in-One Exam Guide, Fourth Edition (Gregory), 82

Cisco, 137

Clarifying Lawful Overseas Use of Data Act. See CLOUD Act

classification

vs. categorization, 99

See also information classification

click-through/click-wrap agreements, 65

cloud, defined, 6–7

cloud access security broker. See CASB

CLOUD Act, 53–54

cloud bursting, 15–16

cloud computing, 2–4

“Cloud Computing Risk Assessment” (ENISA document), 43

Cloud Controls Matrix (CCM), 19–20

and incident response preparation, 186–187

cloud customers

managing identities, 248

responsibilities in compute virtualization, 164–165

responsibilities in network virtualization, 166–167

cloud jump kit, 185

cloud management plane. See management plane

cloud overlay networks, 167

cloud service providers (CSPs), 2

assessments, 34–35, 43–44

entitlements and access management, 252

and incident response preparation, 184–185

key managers, 225

major considerations for application security, 207

managing identities, 248

responsibilities in compute virtualization, 163

responsibilities in network virtualization, 166

risk concerns of a cloud provider being acquired, 292–293

security, 146

cloud services, essential characteristics, 7–8

COBIT, 30, 35

Core Model, 32

code review, 201

Code Spaces, 5, 190

cold sites, 124

Common Criteria, 85–86

Common Vulnerabilities and Exposures (CVE) database, 148

community cloud deployment model, 15

risk management, 42

Complementary User Entity Controls (CUEC), 86

compliance

artifacts of, 89

background, 77–78

continuous, 80–82

inheritance, 76, 79–80

items to consider, 76

with laws and regulations, 78–79

reporting, 35–37

risks, 289

testing, 82

compute abstraction technologies, 147–150

compute virtualization, 162–165

See also virtualization

computer security incident response team (CSIRT), 59, 181

conceptual models, 22

confidentiality, 291

configuration items (CIs), 181

Consensus Assessments Initiative Questionnaire (CAIQ), 20–21

and incident response preparation, 186–187

container runtime, 171

containers, 148–150

components, 171

definitions files, 172

overview, 170–172

security recommendations, 172–173

content delivery networks (CDNs), 217

continuous compliance, 80–82

continuous integration/continuous deployment. See CI/CD

contracts, 33–34

impact of the cloud on, 78–79

negotiations, 65

and provider selection, 62–63

Control Objectives for Information and Related Technology. See COBIT

control plane, 139, 140

controls, defined, 287

controls models, 22

converged network adapters (CNAs), 168

converged networks, 169

cost savings, 3

countermeasures, defined, 287

credentials, 251

cross-border data transfers, restrictions to, 53, 57

crypto shredding, 105–106

CSA Guidance document, 1

CSA tools

Cloud Controls Matrix (CCM), 19–20

Consensus Assessments Initiative Questionnaire (CAIQ), 20–21

overview, 19

STAR registry, 21–22

CSPs. See cloud service providers

custodian/controller, 50–51

customer relationship management (CRM) systems, 217

customer-managed encryption keys, 225–226

Cutting, Doug, 269

Cyber Security Law (China), 55

cyberinsurance, 39

D

DAST, 201

data, ownership of, 78

data collection, 271

data controllers, 293

data deletion, 289

data dispersion, 170

data governance. See information governance

data lock-in, 288

data loss prevention (DLP), 218, 228

data masking, 229

data migrations to the cloud, 217–220

data plane, 139, 140

data processors, 293

data protection and privacy, 289, 290

legal frameworks, 50–52

Data Protection Directive (Directive 95/46/EC), 50

data security, 215

architecture, 226–227

cloud data storage types, 216–217

cloud platform/provider-specific controls, 227–228

controls, 216

data loss prevention (DLP), 218, 228

data masking, 229

data migrations to the cloud, 217–220

enforcing lifecycle management security, 229–230

enterprise rights management (ERM), 228–229

key management, 225–226

monitoring, auditing, and alerting, 227

securing data in the cloud, 220–226

test data generation, 229

data security lifecycle

enforcing lifecycle management security, 229–230

functions, actors, and controls, 107–109

locations and entitlements, 106–107

overview, 105–106

data storage types, 216–217

database activity monitors (DAMs), 217

database storage, 216

delegated authorization, 245

See also OAuth

demilitarized zones. See DMZ

Deming, W. Edwards, 77

Deming cycle, 77

deployment models, 14

blue-green deployment approach, 208

community cloud, 15

hybrid cloud, 15–16

private cloud, 14–15

public cloud, 14

risk management, 41–42

deployment pipeline security, 202–203

design patterns, 22

DevOps, 207–209

DevSecOps, 209

digital service providers (DSPs), 58, 59

disaster recovery (DR), 113, 122

architecting for failure, 125

background, 123–125

chaos engineering, 127

and SecaaS, 263

See also business continuity planning (BCP)

discovery. See electronic discovery

distributed data collection, 268, 269

distributed denial of service (DDoS) attacks, 262

protection from, 263

distributed processing, 268

distributed storage, 268

DMZ, 144

Docker Engine, 149, 171

Docker Hub, 171

Docker Swarm, 171

due diligence

external, 64–65

internal, 63

dynamic application security testing (DAST), 201

dynamic data masking, 229

E

e-commerce-based analytics, 269

economic denial of service, 292

edge networks, 284

Elastic Compute Cloud (EC2), 118

elasticity, 8

electronic discovery, 66

authentication, 69

cooperation between provider and client, 69–70

data collection, 68

data retention laws and recordkeeping obligations, 67–68

direct access, 69

forensics, 68

native production, 69

possession, custody, and control, 66

preservation, 67

reasonable integrity, 69

relevant cloud applications and environment, 67

response to subpoena or search warrant, 70

searchability and e-discovery tools, 67

electronically stored information (ESI), 66

encryption, 221–223

application layer, 224

client-side, 224

database, 224

externally managed, 223

format-preserving encryption (FPE), 222

IaaS, 223–224

instance-managed, 223

PaaS, 224

proxy, 224

SaaS, 224

and SecaaS, 263

server-side, 224

end user/data subject, 51

ENISA, 43, 170, 283–284

API lock-in, 288

audit and evidence gathering, 285

benefits of resource concentration, 286

compliance risks, 289

confidentiality, 291

data controllers vs. data processors, 293

data lock-in, 288

data protection, 289, 290

economic denial of service, 292

guest system monitoring, 293

insecure or incomplete data deletion, 289

intellectual property, 291

isolation failure, 289

IT risk concepts, 286–287

licensing risks, 292

lock-in, 287–288

loss of governance, 287

malicious insiders, 290

management interface compromise, 289

marketing, 285

Open Virtualization Format (OVF), 288, 292

outsourcing service and changes in control, 291

professional negligence, 291

risk concerns of a cloud provider being acquired, 292–293

risk management, 286

risks and underlying vulnerabilities, 295–298

runtime lock-in, 288

scaling of resources, 285

security and the benefits of scale, 284–285

security risks, 286–290

standardized interfaces for managed security services, 285

underlying vulnerability in loss of governance, 294–295

updates and defaults, 285

user provisioning vulnerability, 293–294

VM hopping, 292

enterprise rights management (ERM), 228–229

enterprise risk management (ERM), 29

entities, 237

entitlements, 107, 238

and access management, 252

ERM. See enterprise rights management (ERM); enterprise risk management (ERM)

European Network and Information Security Agency. See ENISA

European Telecommunications Standards Institute (ETSI), 141

EU-US Privacy Shield, 53

event-driven security, 205

events

defined, 181

See also incident response (IR)

eXtensible Access Control Markup Language. See XACML

F

FaaS. See Function as a Service (FaaS)

Facebook, 61

Federal Information Processing Standards. See FIPS standards

Federal Risk and Authorization Management Program. See FedRAMP

Federal Rules of Civil Procedure (FRCP), 66, 67, 68

Federal Trade Commission (FTC), 61

federated identity, 235–236

See also federation

federated identity management, 238

federation, 235–236

authentication and credentials, 251

background, 241–243

and IAM, 236–237, 239–240

FedRAMP, 35

Fibre Channel, 168

FIDO Alliance, 251

Fielding, Roy, 117

file activity monitors (FAMs), 217

File Transfer Protocol (FTP), 219

FIPS standards, 98, 99, 104

first-party audits, 78

format-preserving encryption (FPE), 222

Function as a Service (FaaS), vs. serverless computing, 276

functional testing, 201

G

General Data Protection Regulation (GDPR), 50, 57–58, 100

Google, 128

Google Cloud Storage service, 216

Google File System, 268, 269

governance, 29, 77

background, 30–32

cloud provider assessments, 34–35

compliance reporting, 35–37

components of IT governance, 32

contracts, 33–34

corporate governance framework, 31

and incident response preparation, 184

loss of, 287, 294–295

overview, 32–33

tools, 33–37

See also information governance

governance, risk, and compliance (GRC), 43

Gramm-Leach-Bliley Act (GLBA), 60

Gregory, Peter, 82

guest system monitoring, 293

H

Hadoop Common, 271

Hadoop Distributed File System (HDFS), 216, 268, 269–271

hard tokens, 251

hard zoning, 169

hardware security modules (HSMs), key managers, 225

Health Insurance Portability and Accountability Act. See HIPAA

HIPAA, 36, 60, 100

host bus adapters (HBAs), 168

host-based view, 202

hosted private cloud, 41

hot sites, 124

hybrid cloud deployment model, 15–16

risk management, 42

security, 146–147

hybrid key managers, 225

hypervisors, 10, 147

I

IAM. See identity and access management (IAM)

ICANN vs. EPAG, 58

identifiers, 237

identities, 237

identity and access management (IAM), 235

authentication and credentials, 251

and big data, 272

entitlements and access management, 252

free-form model, 248–249

how IAM works in the cloud, 236–237

hub-and-spoke (hybrid) model, 248, 249

managing users and identities for cloud computing, 247–251

privileged user management, 252

standards, 238–241

terms, 237–238

identity providers, 238, 241

IEEE 802.1aq standard, 137

IEEE 802.1Q standard, 137

IM. See information management

image registry, 171

image repository, 171

immutable workloads, 150–152, 185, 203–204

See also workloads

incident notification, 79

incident response (IR), 179

and the Cloud Controls Matrix (CCM), 186–187

and Consensus Assessment Initiative Questionnaire (CAIQ), 186–187

containment, eradication, and recovery phase, 183, 190

detection and analysis phase, 182, 188–189

events definition, 181

five whys, 183

how the cloud impacts incident response, 184–190

incidents definition, 181

lifecycle overview, 180

post-incident activity phase, 183, 190

preparation phase, 181–182, 184–187

incidents

defined, 181

See also incident response (IR)

information classification, 96

background, 97–101

vs. categorization, 99

content-based, 100

context-based, 100

user-based, 100

information governance

authorizations, 97

cloud information governance domains, 96–97

contractual controls, 97

defined, 96

information classification, 96

information management policies, 96–97

location and jurisdiction policies, 97

ownership and custodianship, 96

security controls, 97

information management

acceptable use policy for cloud services, 104–105

background, 101

lifecycle, 101–103

policies, 96–97, 103–104

information risk management (IRM), 30

information security, 30

Information Security Continuous Monitoring (ISCM), 80

infostructure, 6, 126

infrastructure, 4, 126

Infrastructure as a Service (IaaS), 10–12, 125

encryption, 223–224

guest system monitoring, 293

lock-in, 288

risk management, 40

security responsibility for, 17–18

infrastructure as code (IaC), 125, 202, 203–204

instances, 147

integrity

vs. authenticity, 59

reasonable integrity, 69

intellectual property, 291

internal identities, 240

International Safe Harbor Privacy Principles, 53

International Standards Organization. See ISO/IEC standards

Internet of Things (IoT), 273

interoperability, 128

intrusion detection systems (IDSs), 262

intrusion prevention systems (IPSs), 262

ISACA (Information Systems Audit and Control Association), 80–81

ISO/IEC certification, 35

ISO/IEC standards, 84

17789, 1, 9

17888, 7, 8

27001, 87, 88

27002, 87

27005, 87

27014:2013, 30

27017, 35, 87

27018, 87

27034, 196

27035, 179

38500:2015, 30

background, 86–88

isolation, 137, 143, 148, 166

failure, 289, 292

ITIL, 180, 181

J

Java Virtual Machine (JVM), 163

See also virtualization

JSON Web Tokens (JWTs), 246

K

Kerberos, 242

key management, 225–226, 263, 272

Kubernetes, 171

L

Law on the Protection of Personal Information Held by Administrative Organs (Japan), 55

least privilege, 95, 114–115

and MFA, 120–121

legal frameworks, 50–52

Australia, 54–55

Central and South America, 62

China, 55

CLOUD Act, 53–54

European Union and European Economic Area, 56–59

external due diligence, 64–65

federal and state agencies, 61

internal due diligence, 63

Japan, 55–56

regional examples, 54–62

required security measures, 52–53

restrictions to cross-border data transfers, 53

Russia, 56

security breach disclosure laws, 61

treaties, 53

US federal laws, 60

US state laws, 60

See also contracts

liabilities, 79

licensing risks, 292

lock-in, 128, 287–288

logical model, 4–6

logical unit numbers (LUNs), 169–170

LUN masking, 169–170

M

macro layers, 134

malicious insiders, 290

managed security services (MSS), 285

management plane, 6, 11, 113–115, 139

access controls, 220

access keys, 121

accessing, 118–119

authorization and entitlements, 122

and containers, 173

customer authentication, 122

internal authentication and credential passing, 122

least privilege, 120–121

logging, monitoring and alerting, 122

master account, 119

MFA, 119–122

perimeter security, 122

securing, 119–122

time-based one-time password (TOTP), 119, 120

Universal 2nd Factor (U2F), 119, 121

in a virtual network, 166

MapReduce, 270

master account, 119

measured service, 8

Meltdown vulnerability, 148, 292

metastructure, 4–6, 113, 126, 227

MFA, 119–122, 238

and least privilege, 120–121

microsegmentation, 144–145

microservices, 205–207

Microsoft, and the CLOUD Act, 54

Microsoft Azure, 128

Microsoft Azure Agreement, 34

Microsoft Azure Block binary large objects (blobs), 216

Microsoft Security Development Lifecycle, 196

Microsoft Threat Modeling Tool, 199

migrating servers, 3

mobile computing, 274

monitoring systems, 64

continuous monitoring vs. continuous auditing, 80–81

Information Security Continuous Monitoring (ISCM), 80

multifactor authentication. See MFA

multitenancy, 7, 8

N

native production, 69

negligence, 291

Netflix, 127

network access, 8

network functions virtualization (NFV), 141–142

Network Information Security Directive (NIS Directive), 56–57, 58–59

network resource pools, 134

network security, 142

challenges of virtual appliances, 142–143

network segmentation, 136–137

Network Time Protocol (NTP), 13

network virtualization, 165–167

See also virtualization

networking planes, 139

NIST Risk Management Framework (RMF), 98

NIST standards

500-292, 1, 9, 22, 23

800-37, 98

800-53, 35

800-60, 98

800-61, 179

800-64, 196

800-81r1, 106

800-137, 81

800-145, 1, 8

nondisclosure agreements (NDAs), 88

NoSQL, 216, 268

O

OAuth, 239

background, 245–247

object storage, 216

omnibus privacy laws, 52–53

on-demand self-service, 8

Open Networking Foundation (ONF), 140

Open Virtualization Format (OVF), 288, 292

Open Web Application Security Project (S-SDLC), 196, 198, 274

OpenDaylight Project, 141

OpenFlow, 140–141

OpenID, 239

background, 247

OpenID Connect (OIDC), 247

Operators of Essential Services (OES), 58

orchestration and scheduling controller, 171

Organization for Economic Cooperation and Development (OECD), Privacy Guidelines, 50

OSI reference model, 135–136

out-of-band passwords, 251

outsourcing, 291

overlay network, 138

OWASP, 196, 198, 274

Threat Dragon, 199, 200

ownership of data, 78

P

packet sniffing, 166

pass-through audits, 80

patient health information (PHI), 61

Payment Card Industry. See PCI

PCI, 35

penetration testing, 202

persona, 237

Personal Information Protection and Electronic Documents Act (Canada), 55

personally identifiable information (PII), 61, 217

pipeline security, 202–203

Platform as a Service (PaaS), 12–13, 125

and big data, 272

encryption, 224

lock-in, 288

risk management, 40

security responsibility for, 17

portability, 15, 128

privacy

and big data, 271

See also data protection and privacy

Privacy Act of 1988 (Australia), 54

Privacy Shield, 53

private cloud deployment model, 14–15

risk management, 41–42

security, 146

See also multitenancy

privileged user management, 252

professional negligence, 291

Project Floodlight, 141

provider/processor, 50

See also cloud service providers

public cloud deployment model, 14

risk management, 41

Q

qualitative risk assessment, 38

quality levels, 79

quantitative risk assessment, 38

R

RAID, 167

recovery and resiliency planning. See business continuity planning (BCP); disaster recovery (DR)

recovery point objective (RPO), 123–124

recovery time objective (RTO), 123–124

reference architectures, 22, 23

regression testing, 201

relying parties, 238, 241

residual risk, 38

resiliency, 170, 217

resource pooling, 7–8

responsibilities, shared, 3

See also shared responsibility model

REST (Representational State Transfer), 116

REST APIs, 2, 10, 13, 116–118

RESTful APIs. See REST APIs

RFC 6749, 245

RFC 6750, 245

RFC 7348, 139

RFC 7426, 140

RFC 8252, 245

right to audit, 78, 89

risk assessment, 38

risk framing, 38

risk management, 37–39

defined, 38

deployment model effects, 41–42

overview, 39

service model effects, 40

trade-offs, 42

See also enterprise risk management (ERM); information risk management (IRM)

risk monitoring, 39

risk response, 38–39

risk tolerance, 261

risks and underlying vulnerabilities, 295–298

role-based access control (RBAC), 236, 252

roles, 237

root account, 119

Roskomnadzor, 56

rugged DevOps, 209

runtime lock-in, 288

S

Safe Harbor agreement, 53

Sarbanes-Oxley (SOX) Act, 63

SAST, 201

scaling, 8

SCIM, 239

SDI. See software defined infrastructure

SecaaS. See Security as a Service (SecaaS)

SecDevOps, 209

sectoral privacy laws, 52–53

Secure File Transfer Protocol (SFTP), 219

secure software development lifecycle (SSDLC), 196–197

defining standards, 198

design phase, 198

development phase, 200

secure deployment, 196, 201–204

secure design and development, 196, 197–201

secure operations, 196, 204

testing, 201

threat modeling, 198–200

training, 197–198

security

and the benefits of scale, 284–285

benefits of the cloud, 284–286

and big data, 271

big data and security capabilities, 272

cloud data transfers, 219–220

and cloud networking, 142–147

and containers, 172–173

deployment pipeline security, 202–203

and DevOps, 208–209

event-driven security, 205

as a market differentiator, 285

software-defined security, 205

and storage virtualization, 170

and workloads, 150–154

See also application security; data security

Security as a Service (SecaaS), 257

changing providers, 259

Cloud Access Security Broker (CASB), 260

cloud-computing benefits, 258

data leakage, 259

deployment flexibility, 258

distributed denial of service (DDoS) attacks, 262, 263

e-mail security, 261

encryption and key management, 263

handling of regulated data, 259

identity, entitlement, and access management services, 259–260

insulation of clients, 258

intelligence sharing, 258

intrusion detection/prevention, 262

lack of visibility, 258–259

migration to, 259

regulation differences, 259

scaling and cost, 258

security assessments, 261

Security Information and Event Management (SIEM), 262

security management, 263

staffing and experience, 258

web application firewall (WAF), 262

web security gateway, 260–261

Security Assertion Markup Language (SAML), 239

background, 243–245

security assessments, 261

Security Information and Event Management (SIEM), 262

security management, 263

security measures, 52–53

security policies, 303

centralized example, 303–304

classification example, 303, 305–306

conformance to, 78

security process model, 22–24

security scope, 16–18

security SLAs, 78

Security Software as a Service. See Security as a Service (SecaaS)

segregation, 148, 166

serverless computing, 150, 274–276

vs. Function as a Service (FaaS), 276

service level agreements (SLAs), 34

and incident response preparation, 184

security SLAs, 78

service levels, 79

service models

Infrastructure as a Service (IaaS), 10–12

overview, 9–10

Platform as a Service (PaaS), 12–13

risk management, 40

security responsibility for, 16–18

Software as a Service (SaaS), 13–14

Service Organization Control. See SOC

shared responsibility model, 16–18

See also responsibilities, shared

sharing controls, 220

SIEM. See Security Information and Event Management (SIEM)

Simple Object Access Protocol. See SOAP

Simple Storage Service (Amazon S3), 5, 216, 235

single-sign-on (SSO), 238

site recovery options, 124

SOAP, 118

SOAP APIs, 2, 13, 116, 118

SOC, 36

background, 84–86

SOC 2 vs. ISO/IEC 27001, 88

soft tokens, 251

soft zoning, 169

Software as a Service (SaaS), 13–14, 125, 217

app vs. web site, 219

encryption, 224

lock-in, 287–288

risk management, 40

security responsibility for, 17

software defined infrastructure (SDI), 12, 126, 167

software defined networking (SDN), 139–141

benefits of SDN security, 143–144

deny by default, 144

firewalls, 143–144

identification tags, 144

network attacks, 144

service groups, 143–144

Software Defined Perimeter (SDP), 144–145

software-defined security, 205

Sony, 123

Spark, 270

Special Publication number, 1

Spectre vulnerability, 148, 292

SPI stacks/tiers, 9–10

SQOOP, 270

SSDLC. See secure software development lifecycle (SSDLC)

STAR Continuous program, 81–82

STAR registry, 21–22, 64

static application security testing (SAST), 201

static data masking, 229

storage area networks (SANs), 167–169

storage virtualization, 167–170

STRIDE threat model, 199–200

subscription clauses, 34

substantive testing, 82

System and Organization Controls. See SOC

System for Cross-domain Identity Management. See SCIM

T

termination terms, 79

terms and conditions, 34, 65

test data generation, 229

testing

code review, 201

dynamic application security testing (DAST), 201

functional testing, 201

and incident response preparation, 184–185

penetration testing, 202

regression testing, 201

static application security testing (SAST), 201

systems, 64

unit testing, 201

See also vulnerability assessments

third-party audits, 65, 78

threat modeling, 185, 198–200

Three Vs, 268

time-based one-time password (TOTP), 119, 120

tokenization, 221–223

TOTP. See time-based one-time password (TOTP)

traffic analytics, 269

training, 197–198

transit virtual networks, 146–147

Transport Layer Security (TLS), 220

treaties, 53

Trust Services Criteria (TSC), 84, 85

U

underlay network, 138

unit testing, 201

Universal 2nd Factor (U2F), 119, 121, 251

updating systems, 64

URL filtering, 218

user provisioning vulnerability, 293–294

utility computing, 8

V

VAs. See vulnerability assessments

vendor lock-in, 125

virtual appliances, 142–143

key managers, 225

Virtual Extensible LANs. See VXLANs

virtual firewalls, 190

virtual local area networks. See VLANs

virtual machine managers, 147

virtual machines, 10, 147–148, 217

Virtual Private Networks (VPNs), 220

virtualization, 133–135, 161–162

categories, 162–170

compute virtualization, 162–165

network virtualization, 165–167

storage virtualization, 167–170

See also OSI reference model

VLANs, 136–137

microsegmentation and the Software Defined Perimeter, 144–145

VM hopping, 292

VMs. See virtual machines

VMware, 10, 137

volatile memory, 163

volume storage, 216

vulnerabilities

defined, 286

Meltdown, 148, 292

risks and underlying vulnerabilities identified by ENISA, 295–298

Spectre, 148, 292

underlying vulnerability in loss of governance, 294–295

user provisioning, 293–294

vulnerability assessments, 154–155

cloud impacts on, 202

See also testing

VXLAN network identifiers (VNIs), 138

VXLAN Tunnel End Points (VTEPs), 138

VXLANs, 137–139, 167

W

WANs, 146

warm sites, 124

web application firewall (WAF), 262

wide area networks. See WANs

workloads

changes to workload security monitoring and logging, 153–154

defined, 147

how the cloud changes workload security, 150

immutable, 150–152, 185, 203–204

impact of the cloud on standard workload security controls, 153

platform-based, 150

X

XACML, 239

Y

YARN, 271

Z

zoning, 169
