A
- abuse case testing, 164–165
- access control, 34–36, 115, 188–189, 201–202
- access control list (ACL), 24, 88
- accountability, 96, 128
- Active Directory (AD), 127, 174, 175–176, 202
- administrative access control, 34, 35
- Adobe, 157
- Advanced Encryption Standard (AES), 55, 68
- advocate training and awareness, 140–144
- agent-based DLP, 76
- Agile Manifesto, 147
- Agile methodology/software development, 147, 221, 222
- AICPA service organization control (SOC) reports, 285
- AICPA SOC 2, 217
- Akamai, 171
- algorithm, 68
- Amazon API Gateway, 171
- Amazon Web Services (AWS)
- CloudFormation, 14
- cloud orchestration with, 13
- CloudShark, 130
- CloudTrail, 124
- CloudWatch, 124
- as defining regions, 44
- Identity and Access Management (IAM), 127, 175
- Inspector, 124
- Lambda, 47, 187
- Management Console, 113, 190
- in multi-cloud deployment, 21
- as offering ability to use their infrastructure in an isolated VPC, 105
- as offering GDPR-compliant services, 11
- as providing quantum computing service, 31
- Relational Database Service (RDS), 64
- as running data centers all over the world, 113
- Service Health Dashboard, 243
- shared responsibility model of, 7, 237
- Simple Storage Service (S3), 65, 91
- VPC Traffic Mirroring, 130
- Well-Architected Framework of, 50
- Xen hypervisor, 108
- American Institute of CPAs (AICPA), 217, 285
- analysis, 45, 81, 99–100, 120–122, 163–164, 245–247, 289
- Apache, 167
- API gateway, 169, 171
- Apple FileVault, 94
- application capability types, 16
- application programming interfaces (APIs), 21, 47, 62, 65, 165–166
- Application Security Verification Standard (ASVS) (OWASP), 157
- application testing, 161–162
- application virtualization and orchestration, 173
- application-level encryption, 69
- Architecture, Threats, Attack surfaces, Mitigations (ATASM), 155–156
- archive phase controls, 60
- artificial intelligence (AI), 28, 29, 79
- Asia-Pacific Economic Cooperation (APEC) Privacy Framework, 260, 264
- assessment, 119–120, 131, 135, 211, 214–215, 280–281, 307–308, 309
- assurance, of cloud software, 158–165
- at-rest data monitoring, 76
- attribute-based access control (ABAC), 112
- AU-3, 129
- audit controls, internal and external, 282–283
- audit mechanisms, 128–130
- audit planning, 290–291
- audit process, 281–299
- audit reports, 285
- audit requirements, 283–284
- audit scope restrictions, 288
- audit scope statements, 288–289
- auditability, 26, 96
- Australian Privacy Act, 273
- authentication, 127, 177
- authorization, in cloud environments, 127
- authorization to operate (ATO), 290
- autoscaling, 187
- availability management, 226–227
- availability zones, 44
- AWS (Amazon Web Services). See Amazon Web Services (AWS)
- Azure. See Microsoft Azure
B
- backup and restoration functions, 207–208
- bare-metal hypervisor, 108
- baselines/baselining, 42, 195–196
- binary large object (blob) storage, 65
- black-box testing, 161
- blockchain, 29–30
- blocks, 29
- breach notification, 302
- bring-your-own-device (BYOD) environment, 174, 178
- building block technologies, 11–14
- Bundesdatenschutzgesetz, 263
- business continuity and disaster recovery (BCDR), 215
- business continuity (BC), 9, 131–138
- business continuity plan (BCP), 44, 131–132, 134–138
- business impact analysis (BIA), 45
- business impact assessment (BIA), 131, 135, 214–215, 280
- Business Operation Support Services (BOSS), 51
C
- cache poisoning, 193
- California Consumer Privacy Act (CCPA), 274, 277
- capacity management, 227–228
- capital expenditures (CapEx), 3, 11
- CAPTCHA authentication, 28
- cardholder data environment (CDE), 84
- Carnegie Mellon University Software Engineering Institute (SEI), Incident Management Capability Assessment, 253
- categorization, 83
- Center for Internet Security (CIS), 26, 185–186, 196, 264
- certificates, 77
- chain of custody, 100, 230
- change advisory board (CAB), 213
- change control board (CCB), 213
- change management, 213–214
- cheat sheets (OWASP), 97–98, 129, 157
- Cisco, 113
- CISO Mind Map, 240
- Citrix XenServer, 39
- Clarifying Lawful Overseas Use of Data Act (U.S. CLOUD Act), 233, 258, 274
- cloud access security broker (CASB), 31, 127, 175, 178–179
- cloud application architecture, 168–174
- cloud application security, 140–144
- cloud attacks, 122–123
- cloud auditor, 15
- cloud broker, 15
- cloud carrier, 15
- cloud computing, roles and responsibilities, 3–7
- cloud computing
- activities of, 14–15
- CSA's top threats to, 142
- defined, 2–3
- key characteristics of, 7–11
- other threats to, 41
- security concepts relevant to, 33–36
- service and deployment models in, 3
- cloud consumer, activities related to role of, 15
- Cloud Controls Matrix (CCM) (CSA), 54, 143, 264, 281, 287, 293, 308
- cloud data concepts, 58–63
- cloud data lifecycle phases, 58–61
- cloud data storage architectures, 63–67
- cloud design patterns, 49–51
- cloud development, basics of, 140–141
- cloud gateways, 37
- cloud infrastructure, 104–113, 119–124
- cloud orchestration, 13, 173
- cloud platforms, analyzing risks associated with, 119–124
- cloud reference architecture, 14–18
- cloud secure data lifecycle, 43–44, 59–61
- Cloud Security Alliance (CSA), 14, 26, 41, 49, 54, 123, 140, 142, 149, 229, 264, 266, 267, 281, 287, 293. See also Cloud Controls Matrix (CCM) (CSA); CSA Enterprise Architecture (CSA EA); CSA Security, Trust, Assurance, and Risk (STAR) registry; CSA Top Threats Working Group; Egregious 11 (CSA)
- cloud security, common pitfalls of, 141–142
- cloud security operations
- building and implementing physical and logical infrastructure for cloud environment, 182–188
- digital forensics, 228–234
- implementation of operational controls and standards, 212–228
- management of, 239–253
- management of communication with relevant parties, 234–239
- management of physical and logical infrastructure for cloud environment, 200–212
- operation of physical and logical infrastructure for cloud environment, 188–200
- cloud service broker, 4–5
- cloud service categories, 17–18
- cloud service customer (CSC), 4
- cloud service partner, 4
- cloud service provider (CSP), 4, 15, 51–56
- cloud shared responsibilities, 21–27
- cloud software, assurance and validation of, 158–165
- cloud threats, 122–123
- cloud vulnerabilities, 122–123, 142–144
- Cloudflare, 171
- cloud-native organizations, 14
- cloud-specific incident management, 252
- cluster management agent, 197
- clustered hosts, 197
- code peer reviews, 162
- code review, 162
- collision, use of term, 70
- command-line interface (CLI), 188, 190
- Common Criteria (CC), 54–55, 308
- Common Vulnerabilities and Exposures (CVEs), 218
- communications, 106–107, 125–126, 234–239
- community cloud, 3, 20, 105
- compliance, 122, 297–298
- computer-based training (CBT), 142
- confidential computing, 32
- Confidential Computing Consortium, 32
- confidentiality, integrity, and availability (CIA), 66, 143, 149, 216
- configuration item (CI), 224
- configuration management (CM), 224–225
- configuration management database (CMDB), 158, 202, 224
- conformance assessment body (CAB), 309
- Consensus Assessments Initiative Questionnaire (CAIQ), 54
- consumer-grade IRM (DRM), 87
- container orchestration, 173
- container security, 39–40
- containerized application, 12
- containers, 173, 223
- containers/containerization, 30–31, 39, 223
- content analysis, 81
- content and file storage, 65
- content delivery network (CDN), 65
- continual service improvement management, 217–218
- continuity management, 214–216
- continuity of operations plan (COOP), 131
- continuous audit trail, 88
- continuous deployment (CD), 222
- continuous integration/continuous deployment (CI/CD), 213, 222
- continuous monitoring, 244
- contract clauses, 312–313
- contract design, 309–316
- contract management, 312–313
- contracts, components of, 271–272
- contractual private data, 268–271
- contractual requirements, 264
- control frameworks, 292–293
- controls, use of term, 303
- correlation, 99, 129–130, 246
- cost-benefit analysis, 45
- countermeasures, 303
- create phase controls, 59
- Critical Security Controls (CSC), 264
- cross-site scripting (XSS), 143, 169, 170
- cryptographic coprocessor, 183
- cryptographic erase/cryptographic erasure, 37, 94
- cryptographic key establishment and management, 126
- cryptography, 33–34, 171–172
- cryptoshredding, 12, 37, 61, 94
- CSA Enterprise Architecture (CSA EA), 50–51
- CSA Security, Trust, Assurance, and Risk (STAR) registry, 54, 113, 287, 300, 308
- CSA Top Threats Working Group, 142
- cyber hygiene, 41
- cyber risk insurance, 313–314
- cyber-physical systems (CPS), 145
- Cybersecurity Framework (CSF) (NIST), 217, 289, 293
D
- data anonymization, 73
- data archiving, 89, 94–95
- data center, 113–119
- data classification, 82–87
- data controller, 261, 301
- data corruption, 67
- data custodian/processor, 301–302
- data de-identification, 73
- data deletion, 89, 93–94
- data destruction, 67
- data discovery, 78–82
- data dispersion, 61–62
- data disposal, 90
- data events, 96–101
- data flow diagram (DFD), 62
- data flows, 62–63
- data formats, 92–93
- data labels, 80–81, 86
- data lake, 78
- data leakage prevention (DLP), 74
- data location, 82
- data loss prevention (DLP), 60, 74–76
- data mapping, 85–86
- data mart, 79
- data masking, 72
- data mining, 79
- data model, 80
- data obfuscation, 71–72
- data owner/controller, 301–302
- data privacy, jurisdictional differences in, 277
- data processor, 261, 301
- data retention, 89–93, 95–96
- data sanitization, 36–37
- data science, 27–28
- data security, as distinct from privacy, 261
- Data Security Standard (PCI Council), 53
- data security strategy, 293–294
- data security technologies and strategies, 67–78
- data subject, 261, 301
- data type, 83
- data warehouse, 78
- data-at-rest encryption, 171
- database activity monitoring (DAM), 170
- database as a service (DBaaS), 17
- database management system (DBMS), 70
- database-level encryption, 69–70
- databases, 13, 64
- data-in-motion encryption, 171, 172
- Defense Information Systems Agency (DISA), 186
- defensible destruction, 93
- deletion, as obfuscation method, 71
- denial of service, 66
- denial-of-service protection, 126
- dependencies, 163
- deployment management, 222–223
- deployment models, 3, 18–21
- design principles (of secure cloud computing), 43–51
- destroy phase controls, 61
- DevOps, DevSecOps as evolution of, 32
- DevOps security, 51
- DevSecOps, 32–33
- Diffie-Hellman, 194
- digital evidence, collection, acquisition, and preservation of, 231–232
- digital forensics, 228–234, 267
- digital rights management (DRM), 87
- direct identifiers, 73
- disaster recovery (DR), 9, 131–138
- disaster recovery plan (DRP), 44–45, 132, 134–138
- discretionary access control (DAC), 89
- disk storage, 64
- disposal, improper, 67
- distributed information technology model, 298–299
- Distributed Resource Scheduler (DRS), 198–199
- DNS attacks, 193
- DNS security extensions (DNSSEC), 193
- DNS spoofing, 193
- Docker, 12, 39, 168
- domain name system (DNS), and DNS security extensions, 193
- downtime, 122
- DREAD mnemonic, 154
- Dropbox, 3, 9, 17, 75, 127, 295
- Dynamic Application Security Testing (DAST), 161–162
- Dynamic Host Configuration Protocol (DHCP), 192
- dynamic policy control, 88
E
- EA Working Group, 51
- edge computing, 31–32
- eDiscovery, 265–266
- Egregious 11 (CSA), 41, 123, 142, 149, 150, 156
- egress monitoring, 38–39
- elasticity, rapid, 9–10
- Electronic Communications Privacy Act, Title II, 276
- emojis, 163
- encryption, 55, 67–70, 72, 171, 172
- encryption-based transmission, 8
- endpoint, 76
- enterprise risk management, 299–309
- enterprise-grade IRM, 87
- environmental design (of data center), 117–118
- ephemeral computing, 40
- ephemeral storage, 63–64
- Equifax data breach (2017), 205
- erasure coding, 61
- EUCS, 309
- European Convention on Human Rights (ECHR), 273
- European Economic Area (EEA), 275
- European Network and Information Security Agency (ENISA), 305–306, 309
- European Union General Data Protection Regulation (EU GDPR). See General Data Protection Regulation (GDPR) (EU)
- event attribution, 97–98
- event sources, 97–98
- events, as distinct from incidents, 218
- everything as a service (XaaS), 17
- evidence collection, 232, 233
- evidence management, 230–234
- evidence preservation, 233–234
- Extensible Markup Language (XML) firewalls, 170–171
- Extensible Markup Language (XML), 170
- Extensible Stylesheet Language Transformation (XSLT), 170
- extract, transform, load (ETL), 78
F
- Family Educational Rights and Privacy Act (FERPA) (US), 263
- Federal Information Processing Standards (FIPS), 52, 55–56, 68, 71
- Federal Information Security Modernization Act (FISMA) (US), 264
- Federal Risk and Authorization Management Program (FedRAMP), 52, 54, 264, 290, 300
- Federal Trade Commission (FTC) (US), 274
- federated identity, 175
- federated identity management (FIM), 175
- Fibre Channel/Fibre Channel over Ethernet (FCoE), 184
- file integrity monitoring, 70
- File Transfer Protocol (FTP), 8
- file-level encryption, 69
- Financial Privacy Rule (US), 276
- firewalls, 209–210
- forensic data collection methodologies, 228–230
- forensic requirements, 267
- fully qualified domain name (FQDN), 193
- functional security requirements, 46–48
- functional testing, 159–160
G
- gap analysis, 289
- Gartner, 115
- gateway-to-gateway VPNs, 194
- G-Cloud (UK), 54
- General Data Protection Regulation (GDPR) (EU), 11, 23, 26, 28, 52, 61–62, 73, 92, 170, 238, 256–257, 258, 261–262, 263, 264, 268, 272–273, 279–280, 302, 303
- Generally Accepted Privacy Principles (GAPP), 264, 278–279
- GitHub, 13
- global user ID (GUID), 80
- Google Cloud Console, 190
- Google Cloud Identity and Access Management, 175
- Google Cloud Platform, 7, 11, 13, 105, 171
- Google Cloud Status Dashboard, 243
- Google Docs, 17
- Google Drive, 75
- Google Workspace, 13, 88, 115, 127
- governance, as cloud shared consideration, 24
- governance, risk management, and compliance (GRC), 47
- government cloud standards, 53–54
- Gramm-Leach-Bliley Act (GLBA), 5, 26, 274, 276, 302
- gray-box testing, 161
- guest operating systems (OSs), 188, 199–200
- Guidance for Organisations Engaging Cloud Service Providers (Irish Data Protection Commission), 6
- Guidance on HIPAA & Cloud Computing (U.S. Department of Health and Human Services), 6
- Guidance on the use of cloud computing (UK Information Commissioner's Office), 5
- Guidelines for Media Sanitization (NIST), 61
H
- handling, use of term, 43, 60
- hardening, 182, 195–196
- hardware monitoring, 206–207
- hardware security modules (HSMs), 34, 68, 69, 183–184
- hardware-specific security configuration requirements, 182–185
- hash functions, 70
- hashing, 70–71, 81
- Health Information Technology for Economic and Clinical Health (HITECH) Act, 298, 302
- Health Insurance Portability and Accountability Act (HIPAA), 23–24, 26, 73, 92, 122, 170, 216, 262, 263, 264, 269, 274, 276, 298, 302
- heating, ventilation, and air conditioning (HVAC), 117
- high availability (HA), 9, 198
- homomorphic encryption, 72
- honeynets/honeypots, 211
- host-based intrusion detection system/intrusion prevention system (HIDS/HIPS), 211
- hosted hypervisor, 108
- HTTP Secure (HTTPS), 8
- hybrid cloud, 3, 20
- Hypertext Transfer Protocol (HTTP), 8
- Hyper-V, 39, 108
- hypervisor, 12, 30, 108–109, 186
- hypervisor security, 39
I
- IBM
- as providing quantum cloud computing, 31
- as running data centers all over the world, 113
- IBM Cloud, 50
- IBM Cloud Computing Reference Architecture (CCRA), 14
- IBM Cloud Orchestrator, 14
- IBM Lotus Notes, 47
- identification, authentication, authorization, and accountability (IAAA), 127
- identification, in cloud environments, 127
- identity, 34
- identity and access management (IAM) system, 35, 114, 115, 121, 127, 128, 174–179
- identity as a service (IDaaS), 115, 127, 201–202
- identity provider (IdP), 175–176
- IEEE 802.1Q, 191
- immutable architecture, 42, 223–224
- improper disposal, as threat to storage type, 67
- incident, 248, 249
- incident management, 218–219, 248–249, 252
- incident management plan, 248
- incident management standards, 252–253
- incident response phases, 249–251
- incident response plan (IRP), 248
- incident response team (IRT), 219, 248–249
- incidents, events as distinct from, 218
- indirect identifiers, 73
- industrial control system (ICS), 32, 145, 248
- information rights management (IRM), 60, 69, 87–89
- information security management, 216–217
- information security management system (ISMS), 52, 216, 291–292
- information storage and management, 65
- infrastructure, as code, 225
- infrastructure as a service (IaaS), 3, 15, 17, 18, 49, 63–65, 107, 108
- infrastructure as code (IAC), 42, 187
- infrastructure capability types, 16–17
- ingress monitoring, 38–39
- in-motion data monitoring, 75–76
- instant-message tools, 75
- instructor-led training (ILT), 142
- integration testing, 159
- Interactive Application Security Testing (IAST), 162, 168
- internal information security controls system, 292–293
- International Auditing and Assurance Standards Board, 287
- International Electrotechnical Commission (IEC), 52
- international legislation, as conflicting, 256–257, 258
- International Organization for Standardization (ISO)
- ISO 15408-1:2009, 308
- ISO 18788, 240
- ISO 20000-1, 213
- ISO 22301:2019, 216
- ISO 27000, 215, 315
- ISO 27000:2022, 300
- ISO 27001, 26, 52, 54, 121, 166, 216, 278, 287, 288, 291, 293, 300, 304
- ISO 27002, 52, 215, 289, 293
- ISO 27017, 52, 122, 216
- ISO 27018, 52–53, 122, 217, 278
- ISO 27035, 219, 253
- ISO 27036, 316
- ISO 27036:2021, 315
- ISO 27050, 228–229, 266
- ISO 27701, 217
- ISO 31000:2018, 300, 305, 306
- as standards body, 26
- International Standard on Assurance Engagement (ISAE), 287
- Internet Key Exchange v2, 194
- Internet of Things (IoT), 30, 145
- Internet service provider (ISP), role of cloud carrier as often performed by, 15
- interoperability, 21, 47, 88
- interruption, use of term, 251
- intrusion detection system (IDS), 210, 244
- intrusion detection system/intrusion prevention system (IDS/IPS), 244
- intrusion prevention system (IPS), 210
- in-use data monitoring, 76
- IP security (IPSec), 123–124, 194
- Irish Data Protection Commission, 6
- iSCSI, 184
- ISO/IEC 11889, 183
- ISO/IEC 27001:2013, 292
- ISO/IEC 27036-1:2021, 315
- ISO/IEC 27036-2:2014, 315
- ISO/IEC 27036-3:2013, 315
- ISO/IEC 27036-4:2016, 315
- ISO/IEC 27037:2012, 267
- ISO/IEC 27041:2015, 267
- ISO/IEC 27042:2015, 267
- ISO/IEC 27043:2015, 267
- ISO/IEC 31000:2018, 120
- IT Operations & Support (ITOSS), as CSA EA domain, 51
- IT service management (ITSM), 212, 225, 227
- ITIL (formerly Information Technology Infrastructure Library), 213, 219, 221
J
- Java Virtual Machine, 31
- Jira ticket, 17
K
- Keyboard, Video, Mouse (KVM), 189–190
- Kerckhoffs, Auguste (cryptographer), 68
- Kerckhoffs' principle, 68
- key management, 33–34
- key management encryption, 171
- key management service (KMS), 34, 171
- key performance indicators (KPIs), 218
- Kubernetes (K8s), 14, 21, 168, 173
L
- laws and regulations, compliance requirements of, 263–265
- legal, risk, and compliance, 256–316
- legal constraints, 83
- legal frameworks and guidelines, 258–263
- legal hold, 95–96, 229
- legal requirements, 256–267
- lexical analysis, 81
- Lightweight Directory Access Protocol (LDAP), 174
- live migration, 197
- log capture and analysis, 245–247
- log centralizations, 130
- log collection, 129
- log management, 247–248
- logging, 97–100, 129
- logical design (of data center), 114–115
- logical unit number (LUN), 64
- long-term storage, 64
- loosely coupled storage, 199
- LXC, 39
M
- machine learning (ML), 27, 28, 79
- malware, 67
- management console, 212
- management plane, 111–113, 212
- management plane protection (MPP), 113
- mandatory access control (MAC), 89
- manual testing, 163
- masking, 72
- master services agreement (MSA), 25, 309, 310
- maximum tolerable downtime (MTD), 133
- mean time to contain (MTTC), 307
- mean time to detect (MTTD), 307
- media sanitization, 36–37
- metadata, 80
- microsegmentation, 210
- Microsoft
- as running data centers all over the world, 113
- as SAFECode partner, 157
- Microsoft Azure
- Active Directory (Azure AD), 127, 175–176, 202
- API Management, 171
- Blob Storage, 65, 91
- as CSP, 4, 13
- Databases, 64
- as defining regions, 44
- Functions, 47, 187
- Hyper-V hypervisor, 108
- in multi-cloud deployment, 21
- Network Watcher, 130
- as offering ability to use their infrastructure in an isolated VPC, 105
- as offering GDPR-compliant services, 11
- Portal, 190
- as providing quantum computing service, 31
- as publishing security reference architectures, 113
- Sentinel, 241
- shared responsibility model for, 7, 237
- status, 243
- Well-Architected Framework of, 50
- Microsoft BitLocker, 94
- Microsoft Corp. v. United States, 233
- Microsoft Exchange, 47
- Microsoft Hyper-V, 284
- Microsoft Office, 88
- Microsoft Operations Management Suite (OMS), 14
- Microsoft SQL Server, 64
- Microsoft Virtual Machine Manager (VMM), 199
- ML/AI training data, 79
- mobile device management (MDM), 174
- monitoring, 75–76, 205–206, 206–207
- multi-cloud deployment strategy, 3, 20–21
- multifactor authentication (MFA), 9, 15, 36, 127, 135, 176–177, 201
- multiregion plans, 44
- multitenancy, 9
- multivendor pathway connectivity, 118–119
- Mundie, Craig, 257
N
- National Institute of Standards and Technology (NIST)
- configuration checklists, 196
- Cybersecurity Framework (CSF), 217, 289, 293
- incident response lifecycle phases, 220
- NISTIR 8006, 266
- Risk Management Framework (RMF), 215, 217, 244, 306
- Secure Software Development Framework (SSDF), 144, 145
- SP 500-292, 14, 50
- SP 500-299, 50
- SP 800-37, 120, 217, 244, 305, 306
- SP 800-53, 125–126, 129, 217, 293
- SP 800-61, 219, 253
- SP 800-88, 61, 93, 94
- SP 800-92, 245, 247
- SP 800-122, 268
- SP 800-125A Rev 1, 39
- SP 800-145, 2, 7, 17, 18
- SP 800-146, 305, 306
- SP 800-207, 38
- as standards body, 26
- national vulnerability database (NVD), 144
- network, in cloud infrastructure, 106–107
- network configuration, 184–185
- network interface card (NIC), 37–38, 184
- network security, 37–39
- network security controls, 208–211
- network security groups (NSGs), 37–38, 209–210
- network-attached storage (NAS), 12
- network-based intrusion detection system/intrusion prevention system (NIDS/NIPS), 210–211
- networking, as building block technology, 13
- New York Department of Financial Services (NY DFS), 264
- next-generation firewalls (NGFW), 210
- nondisclosure agreement (NDA), 26, 117–118
- non-functional testing, 160
- nonrepudiation, 100–101
- normalization, 78
- North American Electric Reliability Corporation Critical Infrastructure Protection (NERC/CIP), 298
- nullification, 71
O
- OAuth2, 174
- object storage, 64
- object-level encryption, 69
- Okta, 127
- OMB Cloud Working Group, 312
- OneDrive, 9
- one-way encryption, 70
- online analytic processing (OLAP), 79
- Open Systems Interconnection (OSI), 14
- Open Web Application Security Project® (OWASP), 97, 129, 142, 144, 145, 153, 156, 157. See also OWASP Top 10
- open-source software (OSS), 163, 167–168, 315
- OpenSSL, 167
- operating expenditures (OpEx), 3, 11
- operating system baseline compliance monitoring and remediation, 202–203
- operational controls and standards, implementation of, 212–218
- operations and maintenance (O&M), 144
- Oracle databases, 64
- Oracle VM, 108
- Oracle VM VirtualBox, 108
- orchestration, as building block technology, 13
- Organisation for Economic Co-operation and Development (OECD), 259
- outsourcing, 27, 309–316
- overwriting, 37
- OWASP Top 10, 143, 150, 156, 163, 170
- ownership, as way to drive data classification levels and schemes, 83
P
- P score, 221
- packet capture (pcap), 130
- Parallels Desktop, 108
- PASTA (Process for Attack Simulation and Threat Analysis), 154–155
- patch management, 203–205
- patching, 42, 186
- pattern matching, as method of content analysis, 81
- Payment Card Industry Data Security Standard (PCI DSS), 23–24, 26, 52, 53, 74, 84, 170, 216, 262–263, 269, 298
- penetration testing as a service (PTaaS), 17
- penetration tests, 26
- performance, as cloud shared consideration, 24
- performance and capacity monitoring, 205–206
- persistence, as ideal attribute of IRM system, 88
- Personal Information Protection Act (PIPA) (British Columbia), 263
- Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), 5, 52, 263, 302
- personally identifiable information (PII), 52, 84, 217, 268–269, 272, 274
- physical access control, 34, 35
- physical and logical infrastructure for cloud environment, 182–212
- physical design (of data center), 116–117
- physical environment, 104–105
- platform as a service (PaaS), 3, 15, 16, 17–18, 49, 64–65, 107, 108
- platform capability types, 16
- platform components, 104–113
- point of presence (POP), 184
- policies, 125, 293–296
- portability, 22, 46–47
- precedent, defined, 258
- primary account number (PAN), 73–74
- privacy, 23, 261, 268
- privacy impact assessment (PIA), 280–281
- privacy information management system (PIMS), 217
- privacy issues, 267–281
- privacy laws, 5, 23, 34, 83, 94, 219, 242, 250, 256, 257, 259, 263, 268, 269, 272, 273, 274, 275, 277, 280, 302. See also Australian Privacy Act; Clarifying Lawful Overseas Use of Data Act (U.S. CLOUD Act); General Data Protection Regulation (GDPR) (EU); Gramm-Leach-Bliley Act (GLBA); Privacy Shield; Stop Hacks and Improve Electronic Data Security (SHIELD) Act (New York); Stored Communication Act (SCA) of 1986
- privacy requirements, 278
- Privacy Shield, 263, 275
- private cloud, 3, 19, 105
- private data, 269–276
- privilege access control, 35–36
- privileged access management (PAM), 35, 179
- problem management, 221
- product certifications, system/subsystem, 54–56
- protected health information (PHI), 84, 269, 274, 276, 277
- Protection Profiles (PP), 308
- proxies, 37
- pseudo-anonymization/pseudonymization, 73
- public cloud, 3, 18–19, 105
- public key infrastructure (PKI), 77
Q
- quality assurance (QA), 164
- quantum computing, 31
R
- random access memory (RAM), 63–64
- ransomware, 67
- raw device mapping (RDM), 64
- real-world scenarios, $16 USD: The Price of Cracking SMS MFA, 111–112
- records retention, 90
- recovery point objective (RPO), 133–134, 135
- recovery service level (RSL), 133, 134
- recovery time objective (RTO), 133, 135
- FedRAMP packages, 26
- redundant array of independent disks (RAID), 61
- reference architecture (RA), 14
- regression testing, 160
- regulated private data, 268–271
- regulators, 5–6, 238–239
- regulatory, as cloud shared consideration, 26
- regulatory noncompliance, 66
- regulatory requirements, 264, 302–303
- Rehman, Rafeeq (author), 240
- related technologies, impact of, 27–33
- release management, 221–222
- Remote Desktop Protocol (RDP), 189, 201
- Representational State Transfer (REST), 169
- reservations, use of term, 197
- resiliency, 23–24, 44
- resilient designs (of data center), 118–119
- resolving, 193
- resource pooling, 10
- return on investment (ROI), 46
- reversibility, 22
- RFC 7348, 191
- Rijndael, 68
- risk appetite, 301
- risk assessment, 119–120, 307–308
- risk frameworks, 304–305
- risk management, 300, 307
- risk management frameworks (RMFs), 215, 217, 244, 253, 304, 306
- risk mitigation strategies, 123–124
- risk profile, defined, 300–301
- risk treatment, 303–304
- risks, 120, 122, 149–153, 256–267, 258
- role-based access control (RBAC), 112
- Runtime Application Self-Protection (RASP), 162
S
- SaaS IAM/SaaS-provided IAM, 115, 121, 127
- Safe Harbor, 263
- SAFECode, 140, 157
- safeguards, 303
- Safeguards Rule (US), 276
- Salesforce, 13, 127
- sandboxing, 172–173
- SANS CWE Top 25, 143–144
- SANS Institute, 142
- SANS security principles, 50
- Sarbanes-Oxley Act (SOX), 26, 263, 274, 302–303
- schema, 80
- scoping, 293
- secrets, 77, 77–78
- secure by design principle, 43
- secure coding, 156–157
- Secure Coding Practices, 157
- Secure Control Framework (SCF), 281, 293
- secure data lifecycle, 59
- Secure FTP (SFTP), 8
- secure network configuration, 190–199
- secure SDLC (SSDLC), 144, 145–147, 149–158
- Secure Shell (SSH), 59, 188–189, 201
- Secure Sockets Layer (SSL), 191
- security, 23, 48–49
- Security and Risk Management, 51
- Security Assertion Markup Language (SAML), 174
- Security Association (SA), 194
- security controls, 124–130, 244–245
- security development lifecycle (SDL), 144, 145–148
- security function isolation, 125
- security groups, 187
- security hygiene, 41–42
- security information and event management (SIEM), 80, 99, 130, 219–221, 245–246
- security operations, 239–253
- security operations center (SOC), 240–245
- Security Technical Implementation Guides (STIGs), 186, 196
- security testing, 160–161
- semantics, 80
- semi-structured data, 81–82
- sensitive data, 84–85
- serverless computing/ technology, 40–41, 187
- service access, 36
- service catalog, 213
- service level management, 225–226
- service level requirements (SLRs), 310
- service models, 3, 15
- Service Organization Controls (SOC), 264
- Service Organization Controls (SOC) 2 framework, 217
- Service Organization Controls (SOC) 2, Type II report, 166
- service-level agreement (SLA), 19, 22, 25, 26, 122, 226, 229, 310–311
- shadow IT, 9
- share, as step/phase of cloud secure data lifecycle, 43, 59, 60
- share phase controls, 60
- shared responsibility model, 6, 48, 49, 236–237
- shared security model, 126
- SharePoint, 9, 75, 295
- shuffling, 71
- single point of failure (SPOF), 31, 118, 185, 186
- single sign-on (SSO), 135, 175, 176, 202
- site-to-site VPNs, 194
- Slack, 75
- SMS MFA code, price of cracking, 111–112
- SOC 1, 285, 286
- SOC 2, 52, 278, 285, 286, 287, 288, 300
- SOC 2 Type I report/audit, 286
- SOC 2 Type II report/audit, 52, 113, 117, 121, 283, 286, 290
- SOC 3, 285, 286, 287
- SOC reports, 26
- software as a service (SaaS), 3, 15, 17, 48–49, 65, 107, 108
- Software Assurance Maturity Model (SAMM), 144, 145
- software bill of materials (SBOM), 164, 168
- Software Composition Analysis (SCA), 163–164
- software configuration management (SCM), 157–158
- software development lifecycle (SDLC), 144–148
- Software Engineering Institute (SEI) (Carnegie Mellon University), Incident Management Capability Assessment, 253
- software-defined network (SDN), 184
- software-defined perimeter (SDP), 194–195, 209
- SolarWinds, attack against (2020), 315
- solid-state drive (SSD), 59, 63
- Spanning Tree Protocol (STP), 191
- SSL VPN, 194
- stakeholders, 239, 296–297
- stand-alone hosts, 196
- statement of work (SOW), 310
- Statement on Standards for Attestation Engagements (SSAE), 287
- Static Application Security Testing (SAST), 161, 168
- statutory requirements, 263
- Stop Hacks and Improve Electronic Data Security (SHIELD) Act (New York), 263, 277
- storage, 12, 110–111
- storage area network (SAN), 12, 75, 184
- storage as a service (STaaS), 17
- storage clusters, 199
- storage controllers, 184
- storage types, 63–67
- storage-level encryption, 69
- store phase controls, 59–60
- Stored Communications Act (SCA) of 1986, 276
- STRIDE mnemonic, 153–154
- substitution, as obfuscation method, 71
- supplemental security components, 169–171
- supply chain management, 314–315
- supply chain risk management (SCRM), 121, 166, 300
- switched port analyzer (SPAN), 185
- system inventory tool, 47
- systems development lifecycle (SDLC), 58
- system/subsystem product certifications, 54–56
T
- tailoring, 293
- Target, attack against (2013), 314
- Target of Evaluation (ToE), 308
- technical access control, 34
- Technology Solution Services (TSS), 51
- tenant partitioning, 114–115
- tenants, use of term, 11
- theft, as threat to storage type, 67
- third-party software management, 166–167
- threat modeling, 153
- threats, 41, 66–67, 122–123, 142
- tightly coupled cluster, 199
- Title II of the Electronic Communications Privacy Act, 276
- tokenization, 73–74
- traceability (of data events), 96
- training, 79, 140–144, 215
- transformative technologies, 27–33
- transparency requirements, 302–303
- Transport Layer Security (TLS), 59, 114, 191–192
- Treacherous 12, 142
- Trust Service Criteria (TSC), 217
- Trusted Computing Group, 183
- trusted execution environment (TEE), 32, 36
- Trusted Platform Module (TPM), 182–183
- two-factor authentication (2FA), 176
- Type 1 (authentication factor), 177
- type 1 hypervisor, 39, 108
- Type 2 (authentication factor), 177
- type 2 hypervisor, 108
- Type 3 (authentication factor), 177
U
- UK Information Commissioner's Office, 5
- unit testing, 159
- United States, data privacy law in, 273–277. See also Clarifying Lawful Overseas Use of Data Act (U.S. CLOUD Act); Gramm-Leach-Bliley Act (GLBA); Health Insurance Portability and Accountability Act (HIPAA)
- unstructured data, 80–81
- Uptime Institute, 198
- U.S. Defense Information Systems Agency (DISA), 196
- U.S. Department of Commerce, 239
- U.S. Department of Health and Human Services, 6
- U.S. Privacy Shield framework, 239
- usability testing, 159
- use phase controls, 60
- user access, 35
- user interface (UI), 190
V
- validated open-source software, 167–168
- validation, of cloud software, 158–165
- value variance, 71
- vendor lock-in, 47–48
- vendor management, 311–312
- vendor management office (VMO), 165–166
- Veracode, 157
- verification against criteria, 52–54
- verified secure software, 165–168
- versioning, 24–25
- virtual extensible LAN (VXLAN), 191
- virtual hardware-specific security configuration requirements, 186–187
- virtual local area network (VLAN), 110, 185, 191
- virtual machines (VMs), 11, 30, 39, 204
- virtual network computing (VNC), 189
- virtual private cloud (VPC), 105, 173, 182, 187
- virtual private networks (VPNs), 9, 37, 59, 193–194
- VirtualBox, 39
- virtualization, 11–12, 30, 64, 108–110, 284
- virtualization management tools, installation and configuration of, 185–186
- virtualization security, 39–41
- VM escape, 39, 109
- VMware, 157, 196, 284
- VMware ESXi, 39, 198
- VMware vSphere, 39, 108, 185
- VMware Workstation Pro/VMware Fusion, 108
- VMware's DRS, 199
- volume storage, 64
- volume-level encryption, 69
- vulnerability assessments, 211
- vulnerability scans, 26, 156
W
- waterfall methodology, 147
- web application firewall (WAF), 162, 169, 171, 209, 244
- Well-Architected Framework, 50
- white-box testing, 161
- Windows Server, 16
- Windows Server Update Services (WSUS), 203
- Windows Virtual PC, 108
- workaround, 221
- write once, read many (WORM) media, 95
Z
- zero trust architecture (ZTA), 37
- zero trust network, 38
- zero trust network architecture (ZTNA), 112
- zone transfers, 193
- Zoom, 277