Index

  • A
  • ABAC (attribute-based access control), 94
  • ABC (Alice's Blob Cloud), 75
  • access, unauthorized, 50
  • access control
    • ABAC (attribute-based access control), 94
    • administrative, 28
    • IAM, 28–29
    • logging system access, 29
    • logical design and, 96
    • physical, 28
    • RBAC (role-based access control), 94
    • remote access, 166–168
    • technical, 28
  • accountability, 81–84
  • AES (Advanced Encryption Standard), 53
  • AI (artificial intelligence), 23, 24
  • AICPA (American Institute of CPAs), 253
  • algorithms, 52
  • anonymization, 61
  • APEC (Asia Pacific Economic Cooperation Privacy Framework), 231–232
  • application architecture, 135
    • API Gateway, 138
    • application virtualization, 139–140
    • cryptography, 138
    • DAM (database activity monitoring), 136–137
    • event-driven, 136
    • sandboxing, 139
    • WAF (web application firewall), 136
    • XML (Extensible Markup Language), 137
  • application security
    • APIs, 132–133
    • awareness, 117–120
    • as business objective, 118
    • business requirements, 121
    • culture, 118
    • by design, 118
    • development and, 118
    • functional testing, 130–131
    • open-source software, 134–135
    • pitfalls, 118–119
    • SDLC (software development lifecycle), 120–123
    • shared responsibility, 118
    • software assurance, 129–132
    • testing methodologies, 131–132
    • third-party software, 134
    • training, 117–120
    • verification, 132–135
    • vulnerabilities, 119–120
  • application virtualization, 139–140
  • architecture, application. See application architecture
  • archive phase of cloud data lifecycle, 46
  • audit mechanisms, 106–107
  • audit process, 251–265
  • auditability, 81–84
  • AUP (acceptable use policy), 277
  • availability management, 195–196
  • AWS (Amazon Web Services), 3
    • Xen hypervisor, 91
  • AWS Cloud Formation, 11
  • AWS CloudTrail, 36
  • AWS VPC Traffic Monitoring, 107
  • Azure, Hyper-V hypervisor, 91
  • B
  • bare-metal hypervisors, 91
  • BC (business continuity), 7, 107–116
  • BCP (business continuity plan), 33–34
  • BCP/DRP (business continuity plan/disaster recovery plan), 111–116
  • BIOS (basic input output system), 146
  • blob (binary large object) storage, 49
  • blockchain, 24–25
  • C
  • capacity management, 196–197
  • capacity monitoring, 172–173
  • CAPEX (capital expense), 108
  • CASB (Cloud Access Security Broker), 26, 142–143
  • CC (Common Criteria), 40–41
  • CCSM (Cloud Certification Schemes Metaframework), 276
  • CDE (cardholder data environment), 70
  • CDNs (content delivery networks), 50
  • Center for Internet Security, 23
  • chain of custody, 84
  • change management, 180–182
  • cheat sheets, 81
  • CI/CD (continuous integration/continuous deployment), 181
  • CIA (confidentiality, integrity, availability), 50, 163
  • CIS (Center for Internet Security), benchmarks, 162
  • CISO Mind Map, 211
  • Citrix XenServer, 31
  • cloud auditors, 12
  • cloud brokers, 13
  • cloud carriers, 13
  • cloud computing
    • application capabilities, 13
    • auditability, 22
    • availability, 19
    • cost-benefit analysis, 34–35
    • CSB (cloud service broker), 5
    • CSC (cloud service customer), 4
    • CSP (cloud service partner), 5
    • CSP (cloud service provider), 4
    • databases, 11
    • definition, 2
    • deployment models, 3
    • Dropbox, 2
    • elasticity, 7–8
    • file storage, 2
    • governance, 20–21
    • IaaS (infrastructure as a service), 2
    • infrastructure capabilities, 14
    • interoperability, 18
    • key characteristics, 5–9
    • maintenance, 21
    • measured service, 9
    • multitenancy, 7
    • network access, 6–7
    • networking, 10–11
    • on-demand self-service, 6
    • orchestration, 11
    • PaaS (platform as a service), 2
    • performance, 20
    • platform capabilities, 13–14
    • portability, 18
    • privacy, 19–20
    • regulatory, 22–23
    • resiliency, 20
    • resource pooling, 8
    • reversibility, 18
    • roles, 4–5
    • SaaS (software as a service), 2
    • scalability, 7–8
    • security, 19
    • service models, 2–3
    • SLAs (service level agreements), 22
    • storage, 10
    • versioning, 21
    • virtualization, 9–10
  • cloud computing policies, 261–262
  • cloud consumers, 12
  • cloud environment, risks, 108
  • cloud gateways, 30
  • cloud providers, 12
  • cloud secure data lifecycle, 33, 44–47
  • Cloud Security Alliance, 23
  • CloudWatch, 105
  • clustered hosts, 162–164
  • CM (configuration management), 192–194
  • CMDB (configuration management database), 129, 168, 192–193
  • collisions, 56
  • communication management, 204–210
  • communication protection, 103–104
  • communications, 89–90
  • community cloud, 3, 16–17
  • compute resources, 90–91
  • containerization orchestration, 139–140
  • containers, 25–26, 32
  • content and file storage, 50
  • contextual-based security, 30–31
  • continual service improvement management, 185–186
  • continuity management, 182–183
  • contracts, 241, 276–282
  • contractual private data, 239–242
  • contractual requirements, 235–236
  • correlation, 83
  • cost-benefit analysis, 34–35
  • countermeasures, 102
  • create phase of cloud data lifecycle, 44–45
  • crypto-shredding, 29, 78
  • cryptographic erasure, 78
  • cryptography, 27–28. See also encryption
    • application architecture, 138
    • data archiving and, 79
    • erasure, 29
    • Kerckhoffs's principle, 53
    • keys, crypto-shredding, 29
    • Rijndael, 53
  • CSA (Cloud Security Alliance), 118, 255
    • threats to cloud computing, 119
  • CSB (cloud service broker), 5
  • CSC (cloud service customer), 4
  • CSP (cloud security practitioner), 87, 91–92
  • CSP (cloud service partner), 5
  • CSP (cloud service provider), 4
    • elasticity, 7–8
    • evaluating, 38–41
    • scalability, 7–8
  • customer communication, 206
  • D
  • DAC (discretionary access control) model, 73
  • DAM (database activity monitoring), 136–137
  • DAST (Dynamic Application Security Testing), 132
  • data archiving, 74, 79–80
  • data categorization, 66–67
  • data center design, 95–99
  • data classification, 66–67
  • data corruption, 50
  • data deletion, 77–79
  • data destruction, 50
  • data discovery, 62–66
  • data dispersion, 47
  • data events, 81–83
  • data integrity, 83
  • data labeling, 68–69
  • data labels, 65
  • data lake, 62–63
  • data lifecycle, cloud secure data lifecycle, 33
  • data mapping, 68
  • data mart, 63
  • data mining, 63
  • data model, 64
  • data retention, 70, 74–77, 80
  • data sanitization, 29–30. See also sanitization
  • data schema, 64
  • data storage architectures, 48–52
  • data warehouse, 62–63
  • database storage, 49
  • databases, 11
  • DDoS (distributed denial of service), 50
  • de-identification, 61–62
  • defensible destruction, 77–78
  • degaussing, 78
  • deletion, 60
  • deployment management, 191–192
  • deployment models, 3, 15–17
  • deployment stage of SDLC, 122
  • design stage of SDLC, 122
  • destroy phase of cloud data lifecycle, 46–47
  • development stage of SDLC, 122–124
  • DevOps, QA and, 127
  • DevSecOps, 117
  • digital forensics, 197–204
  • direct identifiers, 61
  • DISA (Defense Information Systems Agency), 161
  • disaster recovery, 33–34
  • disk storage, 49
  • disposal, improper, 51
  • DLP (data loss prevention), 33, 57–60
  • DoS (denial-of-service), 50, 103
  • DR (disaster recovery), 7, 107–116
  • DRM (digital rights management), 71–73
  • Dropbox, 2
  • DRP (disaster recovery plan), 33–34, 111
  • DRS (Distributed Resource Scheduling), 164
  • E
  • eDiscovery, 236–237
  • egress monitoring, 31
  • elasticity, 7–8
  • encryption, 52–55. See also cryptography
    • AES (Advanced Encryption Standard), 53
    • application-level, 55
    • data-in-motion, 138
    • database-level, 55
    • file-level, 54
    • hashing, 55–56
    • homomorphic, 60
    • obfuscation, 60
    • object-level, 54
    • one-way, 55
    • remote access, 167
    • storage-level, 54
    • volume-level, 54
  • ENISA (European Network and Information Security Agency), 271
  • ENISA cloud certification, 275–276
  • environmental design, data center, 98–99
  • environmental protection, 103
  • ephemeral storage, 48
  • Equifax data breach, 172
  • erasure coding, 47
  • ETL (extract, transform, load), 63
  • event-driven architecture, 136
  • expenses
    • CAPEX (capital expense), 108
    • OPEX (operational expense), 108
  • F
  • FaaS (firewall as a service), 138
  • federated identity, 140–141
  • FIPS (Federal Information Processing Standards), 39
  • FIPS 140-2, 41
  • firewalls, 175–177
  • FISMA (Federal Information Security Management Act), 39
  • forensics, 238
  • FTP (File Transfer Protocol), 7
  • functional policies, 261
  • functional security requirements, 35–36
  • functional testing, 130–131
  • G
  • gap analysis, 256–257
  • GDPR (General Data Protection Regulation), 123, 232–233
    • data retention and, 76
    • transparency and, 269
  • GLBA (Gramm-Leach-Bliley Act), 22, 234
  • Google, 3
  • GRC (governance, risk management, and compliance), 36
  • guest OS, 165–166
  • H
  • HA (high availability), 163–164
  • hardware, 147–149
  • hashing, 55–56, 66, 79
  • HIPAA (Health Insurance Portability and Accountability Act), 22, 76, 234
  • homomorphic encryption, 60
  • honeynets, 178
  • honeypots, 178
  • hosted hypervisors, 91
  • hosts
    • clustered, 162–164
    • stand-alone, 162
  • HTTP (Hypertext Transfer Protocol), 7
  • HTTPS (HTTP Secure), 7
  • HVAC, data center design, 98–99
  • hybrid cloud, 17
  • hybrid cloud deployment, 3
  • Hyper-V, 31
  • Hyper-V hypervisor, 91
  • hypervisor security, 31–32
  • hypervisors, 91–92
  • I
  • IaaS (infrastructure as a service), 2, 15
    • security, 38
    • storage, 48–49
  • IAM (identity and access management) system, 28–29
    • CASB (cloud access security broker), 142–143
    • design solutions, 140–143
    • federated identity, 140–141
    • identity providers, 141
    • infrastructure and, 105–106
    • MFA (multifactor authentication), 142
    • remote access, 168
    • SSO (single sign-on), 141–142
  • IAST (Interactive Application Security Testing), 132
  • IBM Cloud, 3
  • IBM Cloud Orchestrator, 11
  • ICS (Industrial Control Systems), 121
  • IDaaS (identity as a service), 97
  • IDS/IPS (intrusion detection/intrusion prevention systems), 177–178
  • immutable infrastructure, 192
  • incident management, 186–189, 212–213, 220–226
  • indirect identifiers, 61
  • information storage and management, 50
  • infrastructure
    • access control, 153–155, 166–168
    • audit mechanisms, 106–107
    • backup and restore configuration, 174–175
    • baseline compliance, 168–169
    • BC (business continuity) planning, 107–116
    • capacity monitoring, 172–173
    • communication protection, 103–104
    • communications, 89–90
    • compute resources, 90–91
    • countermeasure strategies, 102
    • DHCP (Dynamic Host Configuration Protocol), 157
    • DNS (domain name system), 157–158
    • DR (disaster recovery) planning, 107–116
    • guest OS, 165–166
    • hardware monitoring, 173–174
    • hosts, 162–164
    • IAM (system), 105–106
    • immutable, 192
    • logical environment, 145–152
    • management plane, 93–95
    • network, 89–90
      • management plane, 179–180
      • security controls, 175–179
      • VLANs, 155–156
    • OS hardening, 160–162
    • patch management, 169–172
    • performance monitoring, 172–173
    • physical environment, 88–89, 145–152
    • remediation, 168–169
    • risk analysis/assessment, 100–102
    • SDP (software-defined perimeter), 159–160
    • security controls, 102–107
    • storage, 93
    • storage clusters, 165
    • system protection, 103–104
    • TLS (Transport Layer Security), 156–157
    • virtualization, 91–92
    • VPN (virtual private network), 158–159
  • infrastructure as code, 194
  • infrastructure capability types, 14
  • ingress monitoring, 31
  • integration testing, 130
  • interoperability, security and, 36
  • IoT (Internet of Things), 25
  • IP-based networks, 10
  • IRM (information rights management), 71–73
  • ISMS (information security management system), 184–185, 258–259
  • ISO (International Organization for Standardization), 23
  • ISO 27017 (Cloud Security), 101
  • ISO 27018 (Privacy), 101
  • ISO/IEC (International Organization for Standardization/International Electrotechnical Commission), 39
  • IT, shadow IT, 6
  • ITIL (Information Technology Infrastructure Library), 180
  • ITSM (IT service management) frameworks, 180
  • J–K
  • jurisdictional issues, 50
  • Kerckhoffs's principle, 53
  • KMS (key management service), 27–28, 52–55, 138
  • L
  • labeling data, 68–69
  • legal frameworks, 229–236
  • legal hold, data retention and, 80
  • legal requirements
    • Australia, 243
    • CCPA (California Consumer Privacy Act), 246–247
    • contracts, 241
    • contractual requirements, 235–236
    • GDPR (General Data Protection Regulation), 243
    • Gramm-Leach-Bliley Act, 246
    • international, 228–229
    • Privacy Shield, 245–246
    • regulatory requirements, 235
    • SCA (Stored Communication Act), 246
    • statutory requirements, 235
    • United States, 244
  • legal risks, 229
  • lexical analysis, 66
  • logging, 82–83, 106
    • log management, 218–219
    • SIEM tools, 217–218
  • logical design, data center, 95–97
  • logical infrastructure, 145–152
  • long-term storage, 48
  • LUN (logical unit number), 48
  • M
  • MAC (mandatory access control), 73
  • malware, 51
  • management plane, 93–95, 179–180
  • masking, 56
  • MCM (Microsoft Cloud Monitoring), 105
  • measured service, 9
  • media loss, 51
  • media sanitization, categories, 78
  • media sanitization, 29–30. See also sanitization
  • metadata, 65
  • MFA (multifactor authentication), 7, 94, 142
  • microsegmentation, 177
  • ML (machine learning), 23
  • ML/AI training data, 63–64
  • MPP (management plane protection) tool, 94
  • multivendor pathway connectivity, 99
  • N
  • NAS (network-attached storage), 10
  • NDA (nondisclosure agreement), 22
  • network, 89–90
    • firewalls, 175–177
    • honeynets, 178
    • honeypots, 178
    • IDS/IPS, 177–178
    • IP-based networks, 10
    • management plane, 179–180
    • vulnerability assessments, 178–179
  • network access, cloud computing and, 6–7
  • network security, 30–31
  • NGFW (next-generation firewalls), 177
  • NGO (Non-Governmental Organizations), 24
  • NICs (network interface cards), 148
  • NIDS/NIPS (network-based intrusion detection system/intrusion prevention system), 177
  • NIST (National Institute of Standards and Technology), 12
  • NIST RA, 12
  • NIST SSDF (Secure Software Development Framework). See SSDF (Secure Software Development Framework)
  • nonrepudiation, 84
  • normalization, 63
  • NSGs (network security groups), 30, 176
  • nullification, 60
  • O
  • O&M (operations and maintenance) stage of SDLC, 122
  • obfuscation, 60–61
  • object storage, 49
  • OECD (Organization for Economic Cooperation and Development), 230–231
  • OLAP (online analytic processing), 63
  • OMS Management Suite, 11
  • open-source software, 134
  • OPEX (operational expense), 108
  • Oracle Cloud Management Solutions, 11
  • Oracle VM VirtualBox, 91
  • orchestration, 11, 139–140
  • organizational policies, 261
  • OS (operating system), guest OS, 165–166
  • OSI (Open Systems Interconnection), 12
  • outsourcing, 276–282
  • overwriting, 29
  • OWASP (Open Web Application Security Project), 81–82, 120–121
  • P
  • P&P (policies and procedures), 103
  • PaaS (platform as a service), 2, 15
    • security, 38
    • storage, 49
  • packet capture, 107
  • PAN (primary account number), 56–57
  • password policies, 94
  • patch management, 169–172
  • pattern matching, 65–66
  • PCI (Payment Card Industry), 123
  • PCI DSS (Payment Card Industry Data Security Standard), 23, 40, 234
  • performance monitoring, 172–173
  • PHI (protected health information), 70, 239
  • physical design, data center, 97–98
  • physical environment, 88–89
  • physical infrastructure, 145–152
  • physical protection, 103
  • PII (personally identifiable information), 70, 239
  • platform capability types, 13–14
  • policies, 261–262
  • portability, security and, 36
  • privacy issues
    • contractual, 239–242
    • GAPP (Generally Accepted Privacy Principles), 248–249
    • GDPR (General Data Protection Regulation), 249–250
    • jurisdictions, 247
    • regulated, 239–242
    • standard requirements, 248–250
  • private cloud, 16
  • private cloud deployment, 3
  • problem management, 189–190
  • product certification, 40–41
  • provisioning, unauthorized, 50
  • pseudo-anonymization, 60
  • public cloud, 15–16
  • public cloud deployment, 3
  • Q
  • QA (quality assurance), 127
  • quantum computing, 26
  • R
  • RA (reference architecture), 12–23
  • ransomware, 51
  • RASP (Runtime Application Self-Protection), 132
  • raw storage, 48
  • RBAC (role-based access control), 94
  • RDM (raw device mapping), 48
  • records retention, 74
  • regulated private data, 239–242
  • regulator communication, 208–209
  • regulatory noncompliance, 50
  • regulatory requirements, 235
  • release management, 190
  • remote access, 167–168
  • requirements stage of SDLC, 122
  • resource pooling, 8
  • Rijndael, 53
  • risk assessment/analysis, 100–102
  • risk management
    • assessing programs, 266–268
    • data custodian/processor, 268–269
    • data owner/controller, 268–269
    • framework, 267
    • metrics, 272–273
    • regulatory transparency, 269–270
    • risk environment, 273–276
    • risk frameworks, 270–272
    • risk register, 273
    • risk treatment, 270
  • RPOs (recovery point objectives), 107
  • RTOs (recovery time objectives), 107
  • S
  • SaaS (software as a service), 2, 14–15
    • eDiscovery, 237
    • security, 37–38
    • storage, 49
  • SaaS IAM (SaaS-provided IAM), 97, 100
  • SAFECode (Software Assurance Forum for Excellence in Code), 117
  • SAMM (Software Assurance Security Model), 121
  • sandboxing, 139
  • sanitization, 29–30
  • SANs (storage area networks), 10
  • SAST (Static Application Security Testing), 131
  • SC (System and Communications Protection), 103–104
  • scalability, 7–8
  • SCM (software configuration management), 128–129
  • SDLC (software development lifecycle), 120–122
  • SDN (software-defined network), 148
  • security
    • access control, 28–29
    • cryptography, 27–28
    • data sanitization, 29–30
    • DLP (data loss prevention), 33
    • functional security requirements, 35–36
    • IaaS (infrastructure as a service), 38
    • interoperability, 36
    • key management, 27–28
    • media sanitization, 29–30
    • network security, 30–31
    • PaaS (platform as a service), 38
    • portability, 35
    • SaaS (software as a service), 37–38
    • Shared Responsibility Model, 37
    • threats, 32
    • vendor lock-in, 36
    • virtualization security, 31–32
  • security controls
    • environmental protection, 103
    • monitoring, 215–216
    • physical protection, 103
  • semantics, 65
  • sensitive data, 69–71
  • serverless environments, 136
  • service level management, 194–195
  • service models in cloud computing, 2–3
  • SFTP (Secure FTP), 7
  • SHA (Secure Hash Algorithm), 56
  • shadow IT, 6
  • share phase of cloud data lifecycle, 45–46
  • shared responsibility model, 37, 206–208
  • SHS (Secure Hash Standard), 56
  • shuffling, 60
  • SIEM (security information and event management), 64
    • tools, 82–83
  • SLAs (service level agreements), 277–278
  • SOC (security operations center), 6, 210–215
  • SOC-2 report, 101
  • SOC-3 report, 101
  • software assurance, 129–132
  • SOX (Sarbanes-Oxley Act), 22, 234, 269
  • SPAN (switched port analyzer), 148
  • SSDF (Secure Software Development Framework), 120–121
  • SSDLC (secure software development lifecycle), 117, 121, 123–129
  • SSO (single sign-on), 141–142, 168
    • federated identity, 140–141
  • stakeholder communication, 209–210
  • stakeholders, policies and, 262–264
  • STAR (Security, Trust, and Assurance Registry), 274
  • statutory requirements, 235
  • STIGs (Security Technical Implementation Guides), 161
  • storage, 10, 93
    • blob (binary large object), 49
    • CDNs (content delivery networks), 50
    • content and file storage, 50
    • costs, 75
    • databases, 49
    • disk, 49
    • ephemeral, 48
    • IaaS (Infrastructure as a Service), 48–49
    • information storage and management, 50
    • infrastructure, 93
    • long-term, 48
    • NAS (network-attached storage), 10
    • PaaS (Platform as a Service), 49
    • raw, 48
    • SaaS (Software as a Service), 50
    • SANs (storage area networks), 10
    • threats, 50–52
  • store phase of cloud data lifecycle, 45
  • STRIDE model, 128
  • structured data, data discovery and, 64–65
  • supply chain management, 133, 281–282
  • system protection, 103–104
  • T
  • tenant partitioning, 96
  • tenants, 19
  • testing
    • black-box, 131
    • DAST, 132
    • functional testing, 130–131
    • gray-box, 131
    • IAST, 132
    • methodologies, 131–132
    • RASP, 132
    • SAST, 131
    • white-box, 131
  • testing stage of SDLC, 122
  • theft, 51
  • third-party software, 134
  • threat detection, 211–212
  • threat modeling, 127–128
  • threats, 32
    • to storage, 50–52
  • TLS (Transport Layer Security), 96
  • tokenization, 56–57
  • TPM (Trusted Platform Module), 147
  • traceability, 81–84
  • transformative technologies, 23–26
  • Type-1 hypervisors, 91–92
  • U
  • unit testing, 130
  • unstructured data, data discovery and, 65–66
  • usability testing, 130
  • use phase of cloud data lifecycle, 45
  • V
  • value variance, 60
  • vendor communication, 205–206
    • relationship management, 278–279
  • vendor lock-in, 36
  • virtual hardware, 150–152
  • virtualization, 9–10, 91–92
    • application virtualization, 139–140
    • containers, 25–26
    • management tools, 149–150
    • risks, 101–102
    • systems protection, 104–105
    • VMware, 19
  • virtualization security, 31–32
  • VM (virtual machine), 19
    • management, 91–92
  • VM sprawl, 102
  • VMM (Virtual Machine Manager), 164
  • VMO (vendor management office), 6
  • VMware, 19
  • VMware ESXi, 31
  • VMware vSphere, 91
  • VMware Workstation Pro/VMware Fusion, 91
  • volume storage, 49
  • VPC (virtual private cloud), 92, 149
  • VPNs (virtual private networks), 7
  • vSphere, 31
  • vulnerabilities, 119–120
  • vulnerability assessments, 178–179
  • W
  • WAF (web application firewall), 136, 176
  • Windows Virtual PC, 91
  • WORM (write once, read many) media, 80
  • X–Y–Z
  • Xen hypervisor, 91
  • XML (Extensible Markup Language), 137