Ben Halpert
Auditing Cloud Computing
- Hardcover
The auditor's guide to ensuring correct security and privacy practices in a cloud computing environment
Many organizations are reporting or projecting significant cost savings through the use of cloud computing, that is, shared computing resources that provide ubiquitous access for organizations and end users. Just as many organizations, however, are expressing concern about security and privacy issues for their data in the "cloud." Auditing Cloud Computing provides the guidance needed to build a proper audit that ensures operational integrity, customer data protection, and other aspects are addressed for cloud-based resources.
Provides the guidance auditors need to address the security and privacy aspects that, through a proper audit, can provide a specified level of assurance for an organization's resources
Reveals effective methods for evaluating the security and privacy practices of cloud services
A cloud computing reference for auditors and IT security professionals, as well as those preparing for certification credentials such as Certified Information Systems Auditor (CISA)
Timely and practical, Auditing Cloud Computing provides the information needed to prepare for an audit addressing cloud computing security and privacy, for both businesses and cloud-based service providers.
Product details
- Series: Wiley Corporate F&A
- Publisher: Wiley & Sons
- Publisher's item no.: 14587474000
- 1st edition
- Pages: 224
- Publication date: 9 August 2011
- Language: English
- Dimensions: 235mm x 157mm x 17mm
- Weight: 408g
- ISBN-13: 9780470874745
- ISBN-10: 0470874740
- Item no.: 33255050
BEN HALPERT, CISSP, is an information security researcher and practitioner. He has keynoted and presented sessions at numerous conferences and was a contributing author to Readings and Cases in the Management of Information Security and the Encyclopedia of Information Ethics and Security. Halpert writes a monthly security column for Mobile Enterprise magazine as well as an IT blog (www.benhalpert.com). He is also an adjunct instructor and on the advisory board of numerous colleges and universities.
Table of contents
- Preface (xiii)
- Chapter 1: Introduction to Cloud Computing (1)
  - History 1; Defining Cloud Computing 2; Elasticity 2; Multitenancy 3; Economics 3; Abstraction 3; Cloud Computing Services Layers 4; Infrastructure as a Service 5; Platform as a Service 5; Software as a Service 6; Roles in Cloud Computing 6; Consumer 6; Provider 6; Integrator 7; Cloud Computing Deployment Models 8; Private 8; Community 8; Public 9; Hybrid 9; Challenges 9; Availability 10; Data Residency 10; Multitenancy 11; Performance 11; Data Evacuation 12; Supervisory Access 12; In Summary 13
- Chapter 2: Cloud-Based IT Audit Process (15)
  - The Audit Process 16; Control Frameworks for the Cloud 18; ENISA Cloud Risk Assessment 20; FedRAMP 20; Entities Using COBIT 21; CSA Guidance 21; CloudAudit/A6--The Automated Audit, Assertion, Assessment, and Assurance API 22; Recommended Controls 22; Risk Management and Risk Assessment 26; Risk Management 27; Risk Assessment 27; Legal 28; In Summary 29
- Chapter 3: Cloud-Based IT Governance (33)
  - Governance in the Cloud 36; Understanding the Cloud 36; Security Issues in the Cloud 37; Abuse and Nefarious Use of Cloud Computing 38; Insecure Application Programming Interfaces 39; Malicious Insiders 39; Shared Technology Vulnerabilities 39; Data Loss/Leakage 40; Account, Service, and Traffic Hijacking 40; Unknown Risk Profile 40; Other Security Issues in the Cloud 41; Governance 41; IT Governance in the Cloud 44; Managing Service Agreements 44; Implementing and Maintaining Governance for Cloud Computing 46; Implementing Governance as a New Concept 46; Preliminary Tasks 46; Adopt a Governance Implementation Methodology 48; Extending IT Governance to the Cloud 49; In Summary 52
- Chapter 4: System and Infrastructure Lifecycle Management for the Cloud (57)
  - Every Decision Involves Making a Tradeoff 57; Example: Business Continuity/Disaster Recovery 59; What about Policy and Process Collisions? 60; The System and Management Lifecycle Onion 61; Mapping Control Methodologies onto the Cloud 62; Information Technology Infrastructure Library 63; Control Objectives for Information and Related Technology 64; National Institute of Standards and Technology 65; Cloud Security Alliance 66; Verifying Your Lifecycle Management 67; Always Start with Compliance Governance 67; Verification Method 68; Illustrative Example 70; Risk Tolerance 72; Special Considerations for Cross-Cloud Deployments 73; The Cloud Provider's Perspective 74; Questions That Matter 75; In Summary 76
- Chapter 5: Cloud-Based IT Service Delivery and Support (79)
  - Beyond Mere Migration 80; Architected to Share, Securely 80; Single-Tenant Offsite Operations (Managed Service Providers) 81; Isolated-Tenant Application Services (Application Service Providers) 81; Multitenant (Cloud) Applications and Platforms 82; Granular Privilege Assignment 82; Inherent Transaction Visibility 84; Centralized Community Creation 86; Coherent Customization 88; The Question of Location 90; Designed and Delivered for Trust 91; Fewer Points of Failure 91; Visibility and Transparency 93; In Summary 93
- Chapter 6: Protection and Privacy of Information Assets in the Cloud (97)
  - The Three Usage Scenarios 99; What Is a Cloud? Establishing the Context--Defining Cloud Solutions and their Characteristics 100; What Makes a Cloud Solution? 101; Understanding the Characteristics 104; Service Based 104; On-Demand Self-Service 104; Broad Network Access 104; Scalable and Elastic 105; Unpredictable Demand 105; Demand Servicing 105; Resource Pooling 105; Managed Shared Service 105; Auditability 105; Service Termination and Rollback 106; Charge by Quality of Service and Use 106; Capability to Monitor and Quantify Use 106; Monitor and Enforce Service Policies 107; Compensation for Location Independence 107; Multitenancy 107; Authentication and Authorization 108; Confidentiality 108; Integrity 108; Authenticity 108; Availability 108; Accounting and Control 109; Collaboration Oriented Architecture 109; Federated Access and ID Management 109; The Cloud Security Continuum and a Cloud Security Reference Model 110; Cloud Characteristics, Data Classification, and Information Lifecycle Management 113; Cloud Characteristics and Privacy and the Protection of Information Assets 113; Information Asset Lifecycle and Cloud Models 114; Data Privacy in the Cloud 118; Data Classification in the Context of the Cloud 119; Regulatory and Compliance Implications 119; A Cloud Information Asset Protection and Privacy Playbook 121; In Summary 124
- Chapter 7: Business Continuity and Disaster Recovery (129)
  - Business Continuity Planning and Disaster Recovery Planning Overview 129; Problem Statement 130; The Planning Process 131; The Auditor's Role 133; Augmenting Traditional Disaster Recovery with Cloud Services 135; Cloud Computing and Disaster Recovery: New Issues to Consider 136; Cloud Computing Continuity 136; Audit Points to Emphasize 138; In Summary 139
- Chapter 8: Global Regulation and Cloud Computing (143)
  - What is Regulation? 144; Federal Information Security Management Act 146; Sarbanes-Oxley Law 146; Health Information Privacy Accountability Act 146; Graham/Leach/Bliley Act 147; Privacy Laws 147; Why Do Regulations Occur? 148; Some Key Takeaways 149; The Real World--A Mixing Bowl 149; Some Key Takeaways 151; The Regulation Story 151; Privacy 153; International Export Law and Interoperable Compliance 154; Effective Audit 155; Identifying Risk 156; In Summary 156
- Chapter 9: Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit (161)
  - Where Is the Data? 162; A Shift in Thinking 164; Cloud Security Alliance 165; CloudAudit 1.0 166; Cloud Morphing Strategies 166; Virtual Security 167; Data in the Cloud 168; Cloud Storage 169; Database Classes in the Cloud 171; Perimeter Security 171; Cryptographic Protection of the Data 172; In Summary 173
- Appendix: Cloud Computing Audit Checklist (175)
- About the Editor (181)
- About the Contributors (183)
- Index (191)