- A
- ABAC (attribute-based access control), 94
- ABC (Alice's Blob Cloud), 75
- access, unauthorized, 50
- access control
- ABAC (attribute-based access control), 94
- administrative, 28
- IAM, 28–29
- logging system access, 29
- logical design and, 96
- physical, 28
- RBAC (role-based access control), 94
- remote access, 166–168
- technical, 28
- accountability, 81–84
- AES (Advanced Encryption Standard), 53
- AI (artificial intelligence), 23, 24
- AICPA (American Institute of CPAs), 253
- algorithms, 52
- anonymization, 61
- APEC (Asia Pacific Economic Cooperation Privacy Framework), 231–232
- application architecture, 135
- API Gateway, 138
- application virtualization, 139–140
- cryptography, 138
- DAM (database activity monitoring), 136–137
- event-driven, 136
- sandboxing, 139
- WAF (web application firewall), 136
- XML (Extensible Markup Language), 137
- application security
- APIs, 132–133
- awareness, 117–120
- as business objective, 118
- business requirements, 121
- culture, 118
- by design, 118
- development and, 118
- functional testing, 130–131
- open-source software, 134–135
- pitfalls, 118–119
- SDLC (software development lifecycle), 120–123
- shared responsibility, 118
- software assurance, 129–132
- testing methodologies, 131–132
- third-party software, 134
- training, 117–120
- verification, 132–135
- vulnerabilities, 119–120
- application virtualization, 139–140
- architecture, application. See application architecture
- archive phase of cloud data lifecycle, 46
- audit mechanisms, 106–107
- audit process, 251–265
- auditability, 81–84
- AUP (acceptable use policy), 277
- availability management, 195–196
- AWS (Amazon Web Services), 3
- AWS CloudFormation, 11
- AWS CloudTrail, 36
- AWS VPC Traffic Monitoring, 107
- Azure, Hyper-V hypervisor, 91
- B
- bare-metal hypervisors, 91
- BC (business continuity), 7, 107–116
- BCP (business continuity plan), 33–34
- BCP/DRP (business continuity plan/disaster recovery plan), 111–116
- BIOS (basic input output system), 146
- blob (binary large object) storage, 49
- blockchain, 24–25
- C
- capacity management, 196–197
- capacity monitoring, 172–173
- CAPEX (capital expense), 108
- CASB (Cloud Access Security Broker), 26, 142–143
- CC (Common Criteria), 40–41
- CCSM (Cloud Certification Schemes Metaframework), 276
- CDE (cardholder data environment), 70
- CDNs (content delivery networks), 50
- Center for Internet Security, 23
- chain of custody, 84
- change management, 180–182
- cheat sheets, 81
- CI/CD (continuous integration/continuous deployment), 181
- CIA (confidentiality, integrity, availability), 50, 163
- CIS (Center for Internet Security), benchmarks, 162
- CISO Mind Map, 211
- Citrix XenServer, 31
- cloud auditors, 12
- cloud brokers, 13
- cloud carriers, 13
- cloud computing
- application capabilities, 13
- auditability, 22
- availability, 19
- cost-benefit analysis, 34–35
- CSB (cloud service broker), 5
- CSC (cloud service customer), 4
- CSP (cloud service partner), 5
- CSP (cloud service provider), 4
- databases, 11
- definition, 2
- deployment models, 3
- Dropbox, 2
- elasticity, 7–8
- file storage, 2
- governance, 20–21
- IaaS (infrastructure as a service), 2
- infrastructure capabilities, 14
- interoperability, 18
- key characteristics, 5–9
- maintenance, 21
- measured service, 9
- multitenancy, 7
- network access, 6–7
- networking, 10–11
- on-demand self-service, 6
- orchestration, 11
- PaaS (platform as a service), 2
- performance, 20
- platform capabilities, 13–14
- portability, 18
- privacy, 19–20
- regulatory, 22–23
- resiliency, 20
- resource pooling, 8
- reversibility, 18
- roles, 4–5
- SaaS (software as a service), 2
- scalability, 7–8
- security, 19
- service models, 2–3
- SLAs (service level agreements), 22
- storage, 10
- versioning, 21
- virtualization, 9–10
- cloud computing policies, 261–262
- cloud consumers, 12
- cloud environment, risks, 108
- cloud gateways, 30
- cloud providers, 12
- cloud secure data lifecycle, 33, 44–47
- Cloud Security Alliance, 23
- CloudWatch, 105
- clustered hosts, 162–164
- CM (configuration management), 192–194
- CMDB (configuration management database), 129, 168, 192–193
- collisions, 56
- communication management, 204–210
- communication protection, 103–104
- communications, 89–90
- community cloud, 3, 16–17
- compute resources, 90–91
- containerization orchestration, 139–140
- containers, 25–26, 32
- content and file storage, 50
- contextual-based security, 30–31
- continual service improvement management, 185–186
- continuity management, 182–183
- contracts, 241, 276–282
- contractual private data, 239–242
- contractual requirements, 235–236
- correlation, 83
- cost-benefit analysis, 34–35
- countermeasures, 102
- create phase of cloud data lifecycle, 44–45
- crypto-shredding, 29, 78
- cryptographic erasure, 78
- cryptography, 27–28. See also encryption
- application architecture, 138
- data archiving and, 79
- erasure, 29
- Kerckhoffs's principle, 53
- keys, crypto-shredding, 29
- Rijndael, 53
- CSA (Cloud Security Alliance), 118, 255
- threats to cloud computing, 119
- CSB (cloud service broker), 5
- CSC (cloud service customer), 4
- CSP (cloud security practitioner), 87, 91–92
- CSP (cloud service partner), 5
- CSP (cloud service provider), 4
- elasticity, 7–8
- evaluating, 38–41
- scalability, 7–8
- customer communication, 206
- D
- DAC (discretionary access control) model, 73
- DAM (database activity monitoring), 136–137
- DAST (Dynamic Application Security Testing), 132
- data archiving, 74, 79–80
- data categorization, 66–67
- data center design, 95–99
- data classification, 66–67
- data corruption, 50
- data deletion, 77–79
- data destruction, 50
- data discovery, 62–66
- data dispersion, 47
- data events, 81–83
- data integrity, 83
- data labeling, 68–69
- data labels, 65
- data lake, 62–63
- data lifecycle, cloud secure data lifecycle, 33
- data mapping, 68
- data mart, 63
- data mining, 63
- data model, 64
- data retention, 70, 74–77, 80
- data sanitization, 29–30. See also sanitization
- data schema, 64
- data storage architectures, 48–52
- data warehouse, 62–63
- database storage, 49
- databases, 11
- DDoS (distributed denial of service), 50
- de-identification, 61–62
- defensible destruction, 77–78
- degaussing, 78
- deletion, 60
- deployment management, 191–192
- deployment models, 3, 15–17
- deployment stage of SDLC, 122
- design stage of SDLC, 122
- destroy phase of cloud data lifecycle, 46–47
- development stage of SDLC, 122–124
- DevOps, QA and, 127
- DevSecOps, 117
- digital forensics, 197–204
- direct identifiers, 61
- DISA (Defense Information Systems Agency), 161
- disaster recovery, 33–34
- disk storage, 49
- disposal, improper, 51
- DLP (data loss prevention), 33, 57–60
- DoS (denial-of-service), 50, 103
- DR (disaster recovery), 7, 107–116
- DRM (digital rights management), 71–73
- Dropbox, 2
- DRP (disaster recovery plan), 33–34, 111
- DRS (Distributed Resource Scheduler), 164
- E
- eDiscovery, 236–237
- egress monitoring, 31
- elasticity, 7–8
- encryption, 52–55. See also cryptography
- AES (Advanced Encryption Standard), 53
- application-level, 55
- data-in-motion, 138
- database-level, 55
- file-level, 54
- hashing, 55–56
- homomorphic, 60
- obfuscation, 60
- object-level, 54
- one-way, 55
- remote access, 167
- storage-level, 54
- volume-level, 54
- ENISA (European Network and Information Security Agency), 271
- ENISA cloud certification, 275–276
- environmental design, data center, 98–99
- environmental protection, 103
- ephemeral storage, 48
- Equifax data breach, 172
- erasure coding, 47
- ETL (extract, transform, load), 63
- event-driven architecture, 136
- expenses
- CAPEX (capital expense), 108
- OPEX (operational expense), 108
- F
- FaaS (firewall as a service), 138
- federated identity, 140–141
- FIPS (Federal Information Processing Standards), 39
- FIPS 140-2, 41
- firewalls, 175–177
- FISMA (Federal Information Security Management Act), 39
- forensics, 238
- FTP (File Transfer Protocol), 7
- functional policies, 261
- functional security requirements, 35–36
- functional testing, 130–131
- G
- gap analysis, 256–257
- GLBA (Gramm-Leach-Bliley Act), 234
- GDPR (General Data Protection Regulation), 123, 232–233
- data retention and, 76
- transparency and, 269
- GLBA (Gramm-Leach-Bliley Act), 22
- Google, 3
- GRC (governance, risk management, and compliance), 36
- guest OS, 165–166
- H
- HA (high availability), 163–164
- hardware, 147–149
- hashing, 55–56, 66, 79
- HIPAA (Health Insurance Portability and Accountability Act), 22, 76, 234
- homomorphic encryption, 60
- honeynets, 178
- honeypots, 178
- hosted hypervisors, 91
- hosts
- clustered, 162–164
- stand-alone, 162
- HTTP (Hypertext Transfer Protocol), 7
- HTTPS (HTTP Secure), 7
- HVAC, data center design, 98–99
- hybrid cloud, 17
- hybrid cloud deployment, 3
- Hyper-V, 31
- Hyper-V hypervisor, 91
- hypervisor security, 31–32
- hypervisors, 91–92
- I
- IaaS (infrastructure as a service), 2, 15
- security, 38
- storage, 48–49
- IAM (identity and access management) system, 28–29
- CASB (cloud access security broker), 142–143
- design solutions, 140–143
- federated identity, 140–141
- identity providers, 141
- infrastructure and, 105–106
- MFA (multifactor authentication), 142
- remote access, 168
- SSO (single sign-on), 141–142
- IAST (Interactive Application Security Testing), 132
- IBM Cloud, 3
- IBM Cloud Orchestrator, 11
- ICS (Industrial Control Systems), 121
- IDaaS (identity as a service), 97
- IDS/IPS (intrusion detection/intrusion prevention systems), 177–178
- immutable infrastructure, 192
- incident management, 186–189, 212–213, 220–226
- indirect identifiers, 61
- information storage and management, 50
- infrastructure
- access control, 153–155, 166–168
- audit mechanisms, 106–107
- backup and restore configuration, 174–175
- baseline compliance, 168–169
- BC (business continuity) planning, 107–116
- capacity monitoring, 172–173
- communication protection, 103–104
- communications, 89–90
- compute resources, 90–91
- countermeasure strategies, 102
- DHCP (Dynamic Host Configuration Protocol), 157
- DNS (domain name system), 157–158
- DR (disaster recovery) planning, 107–116
- guest OS, 165–166
- hardware monitoring, 173–174
- hosts, 162–164
- IAM (system), 105–106
- immutable, 192
- logical environment, 145–152
- management plane, 93–95
- network, 89–90
- management plane, 179–180
- security controls, 175–179
- VLANs, 155–156
- OS hardening, 160–162
- patch management, 169–172
- performance monitoring, 172–173
- physical environment, 88–89, 145–152
- remediation, 168–169
- risk analysis/assessment, 100–102
- SDP (software-defined perimeter), 159–160
- security controls, 102–107
- storage, 93
- storage clusters, 165
- system protection, 103–104
- TLS (Transport Layer Security), 156–157
- virtualization, 91–92
- VPN (virtual private network), 158–159
- infrastructure as code, 194
- infrastructure capability types, 14
- ingress monitoring, 31
- integration testing, 130
- interoperability, security and, 36
- IoT (Internet of Things), 25
- IP-based networks, 10
- IRM (information rights management), 71–73
- ISMS (information security management system), 184–185, 258–259
- ISO (International Organization for Standardization), 23
- ISO/IEC 27017 (Cloud Security), 101
- ISO/IEC 27018 (Privacy), 101
- ISO/IEC (International Organization for Standardization/International Electrotechnical Commission), 39
- IT, shadow IT, 6
- ITIL (Information Technology Infrastructure Library), 180
- ITSM (IT service management) frameworks, 180
- J–K
- jurisdictional issues, 50
- Kerckhoffs's principle, 53
- KMS (key management service), 27–28, 52–55, 138
- L
- labeling data, 68–69
- legal frameworks, 229–236
- legal hold, data retention and, 80
- legal requirements
- Australia, 243
- CCPA (California Consumer Privacy Act), 246–247
- contracts, 241
- contractual requirements, 235–236
- GDPR (General Data Protection Regulation), 243
- Gramm-Leach-Bliley Act, 246
- international, 228–229
- Privacy Shield, 245–246
- regulatory requirements, 235
- SCA (Stored Communications Act), 246
- statutory requirements, 235
- United States, 244
- legal risks, 229
- lexical analysis, 66
- logging, 82–83, 106
- log management, 218–219
- SIEM tools, 217–218
- logical design, data center, 95–97
- logical infrastructure, 145–152
- long-term storage, 48
- LUN (logical unit number), 48
- M
- MAC (mandatory access control), 73
- malware, 51
- management plane, 93–95, 179–180
- masking, 56
- MCM (Microsoft Cloud Monitoring), 105
- measured service, 9
- media loss, 51
- media sanitization, categories, 78
- media sanitization, 29–30. See also sanitization
- metadata, 65
- MFA (multifactor authentication), 7, 94, 142
- microsegmentation, 177
- ML (machine learning), 23
- ML/AI training data, 63–64
- MPP (management plane protection) tool, 94
- multivendor pathway connectivity, 99
- N
- NAS (network-attached storage), 10
- NDA (nondisclosure agreement), 22
- network, 89–90
- firewalls, 175–177
- honeynets, 178
- honeypots, 178
- IDS/IPS, 177–178
- IP-based networks, 10
- management plane, 179–180
- vulnerability assessments, 178–179
- network access, cloud computing and, 6–7
- network security, 30–31
- NGFW (next-generation firewalls), 177
- NGO (Non-Governmental Organizations), 24
- NICs (network interface cards), 148
- NIDS/NIPS (network-based intrusion detection system/intrusion prevention system), 177
- NIST (National Institute of Standards and Technology), 12
- NIST RA, 12
- NIST SSDF (Secure Software Development Framework). See SSDF (Secure Software Development Framework)
- nonrepudiation, 84
- normalization, 63
- NSGs (network security groups), 30, 176
- nullification, 60
- O
- O&M (operations and maintenance) stage of SDLC, 122
- obfuscation, 60–61
- object storage, 49
- OECD (Organization for Economic Cooperation and Development), 230–231
- OLAP (online analytic processing), 63
- OMS Management Suite, 11
- open-source software, 134
- OPEX (operational expense), 108
- Oracle Cloud Management Solutions, 11
- Oracle VM VirtualBox, 91
- orchestration, 11, 139–140
- organizational policies, 261
- OS (operating system), guest OS, 165–166
- OSI (Open Systems Interconnection), 12
- outsourcing, 276–282
- overwriting, 29
- OWASP (Open Web Application Security Project), 81–82, 120–121
- P
- P&P (policies and procedures), 103
- PaaS (platform as a service), 2, 15
- packet capture, 107
- PAN (primary account number), 56–57
- password policies, 94
- patch management, 169–172
- pattern matching, 65–66
- PCI (Payment Card Industry), 123
- PCI DSS (Payment Card Industry Data Security Standard), 23, 40, 234
- performance monitoring, 172–173
- PHI (protected health information), 70, 239
- physical design, data center, 97–98
- physical environment, 88–89
- physical infrastructure, 145–152
- physical protection, 103
- PII (personally identifiable information), 70, 239
- platform capability types, 13–14
- policies, 261–262
- portability, security and, 36
- privacy issues
- contractual, 239–242
- GAPP (Generally Accepted Privacy Principles), 248–249
- GDPR (General Data Protection Regulation), 249–250
- jurisdictions, 247
- regulated, 239–242
- standard requirements, 248–250
- private cloud, 16
- private cloud deployment, 3
- problem management, 189–190
- product certification, 40–41
- provisioning, unauthorized, 50
- pseudo-anonymization, 60
- public cloud, 15–16
- public cloud deployment, 3
- Q
- QA (quality assurance), 127
- quantum computing, 26
- R
- RA (reference architecture), 12–23
- ransomware, 51
- RASP (Runtime Application Self-Protection), 132
- raw storage, 48
- RBAC (role-based access control), 94
- RDM (raw device mapping), 48
- records retention, 74
- regulated private data, 239–242
- regulator communication, 208–209
- regulatory noncompliance, 50
- regulatory requirements, 235
- release management, 190
- remote access, 167–168
- requirements stage of SDLC, 122
- resource pooling, 8
- Rijndael, 53
- risk assessment/analysis, 100–102
- risk management
- assessing programs, 266–268
- data custodian/processor, 268–269
- data owner/controller, 268–269
- framework, 267
- metrics, 272–273
- regulatory transparency, 269–270
- risk environment, 273–276
- risk frameworks, 270–272
- risk register, 273
- risk treatment, 270
- RPOs (recovery point objectives), 107
- RTOs (recovery time objectives), 107
- S
- SaaS (software as a service)
- eDiscovery, 237
- storage, 49
- SaaS (software as a service), 2, 14–15
- SaaS IAM (SaaS-provided IAM), 97, 100
- SAFECode (Software Assurance Forum for Excellence in Code), 117
- SAMM (Software Assurance Maturity Model), 121
- sandboxing, 139
- sanitization, 29–30
- SANs (storage area networks), 10
- SAST (Static Application Security Testing), 131
- SC (System and Communications Protection), 103–104
- scalability, 7–8
- SCM (software configuration management), 128–129
- SDLC (software development lifecycle), 120–122
- SDN (software-defined network), 148
- security
- access control, 28–29
- cryptography, 27–28
- data sanitization, 29–30
- DLP (data loss prevention), 33
- functional security requirements, 35–36
- IaaS (infrastructure as a service), 38
- interoperability, 36
- key management, 27–28
- media sanitization, 29–30
- network security, 30–31
- PaaS (platform as a service), 38
- portability, 35
- SaaS (software as a service), 37–38
- Shared Responsibility Model, 37
- threats, 32
- vendor lock-in, 36
- virtualization security, 31–32
- security controls
- environmental protection, 103
- monitoring, 215–216
- physical protection, 103
- semantics, 65
- sensitive data, 69–71
- serverless environments, 136
- service level management, 194–195
- service models in cloud computing, 2–3
- SFTP (Secure FTP), 7
- SHA (Secure Hash Algorithm), 56
- shadow IT, 6
- share phase of cloud data lifecycle, 45–46
- shared responsibility model, 37, 206–208
- SHS (Secure Hash Standard), 56
- shuffling, 60
- SIEM (security information and event management), 64
- SLAs (service level agreements), 277–278
- SOC (security operations center), 6, 210–215
- SOC-2 report, 101
- SOC-3 report, 101
- software assurance, 129–132
- SOX (Sarbanes-Oxley Act), 22, 234, 269
- SPAN (switched port analyzer), 148
- SSDF (Secure Software Development Framework), 120–121
- SSDLC (secure software development lifecycle), 117, 121, 123–129
- SSO (single sign-on), 141–142, 168
- federated identity, 140–141
- stakeholder communication, 209–210
- stakeholders, policies and, 262–264
- STAR (Security, Trust, and Assurance Registry), 274
- statutory requirements, 235
- STIGs (Security Technical Implementation Guides), 161
- storage, 10, 93
- blob (binary large object), 49
- CDNs (content delivery networks), 50
- content and file storage, 50
- costs, 75
- databases, 49
- disk, 49
- ephemeral, 48
- IaaS (Infrastructure as a Service), 48–49
- information storage and management, 50
- infrastructure, 93
- long-term, 48
- NAS (network-attached storage), 10
- PaaS (Platform as a Service), 49
- raw, 48
- SaaS (Software as a Service), 50
- SANs (storage area networks), 10
- threats, 50–52
- store phase of cloud data lifecycle, 45
- STRIDE model, 128
- structured data, data discovery and, 64–65
- supply chain management, 133, 281–282
- system protection, 103–104
- T
- tenant partitioning, 96
- tenants, 19
- testing
- testing stage of SDLC, 122
- theft, 51
- third-party software, 134
- threat detection, 211–212
- threat modeling, 127–128
- threats, 32
- TLS (Transport Layer Security), 96
- tokenization, 56–57
- TPM (Trusted Platform Module), 147
- traceability, 81–84
- transformative technologies, 23–26
- Type-1 hypervisors, 91–92
- U
- unit testing, 130
- unstructured data, data discovery and, 65–66
- usability testing, 130
- use phase of cloud data lifecycle, 45
- V
- value variance, 60
- vendor communication, 205–206
- relationship management, 278–279
- vendor lock-in, 36
- virtual hardware, 150–152
- virtualization, 9–10, 91–92
- application virtualization, 139–140
- containers, 25–26
- management tools, 149–150
- risks, 101–102
- systems protection, 104–105
- VMware, 19
- virtualization security, 31–32
- VM (virtual machine), 19
- VM sprawl, 102
- VMM (Virtual Machine Manager), 164
- VMO (vendor management office), 6
- VMware, 19
- VMware ESXi, 31
- VMware vSphere, 91
- VMware Workstation Pro/VMware Fusion, 91
- volume storage, 49
- VPC (virtual private cloud), 92, 149
- VPNs (virtual private networks), 7
- vSphere, 31
- vulnerabilities, 119–120
- vulnerability assessments, 178–179
- W
- WAF (web application firewall), 136, 176
- Windows Virtual PC, 91
- WORM (write once, read many) media, 80
- X–Y–Z
- Xen hypervisor, 91
- XML (Extensible Markup Language), 137