Contents (section title, starting page, length in pages)

Dedication, p. vii
Contents, p. ix
Preface, p. xvii
Acknowledgments, p. xix
About the Authors, p. xxi

Chapter 1, p. 1 (14 pages)
    Public, Private, and Hybrid Clouds, p. 6 (1 page)
    What This Book Will Cover, p. 6 (2 pages)
    Why the Cloud Is Superior Security, p. 13 (1 page)

Chapter 2 We Need a New Model for Security, p. 15 (12 pages)
    Location-Independent Security, p. 17 (5 pages)

Chapter 3 The Basics of IT Security: From Mainframe to Cloud, p. 27 (10 pages)
    The Unchanging Nature of IT Security, p. 28 (2 pages)
    Define What You Need to Secure, p. 30 (2 pages)
    Define What Security Means, p. 32 (3 pages)
    Define What Needs to Be Secured, p. 35 (1 page)
    Determine What "Security" Means, p. 36 (1 page)

Chapter 4 The Basics of Security Failure, p. 37 (12 pages)
    Understand the Causes of Security Failures, p. 44 (1 page)
    Understand the Consequences of Ineffective Security, p. 45 (4 pages)

Chapter 5 The Basics of Fitting Security to Situation, p. 49 (14 pages)
    Understand the Price of Security, p. 49 (1 page)
    Design, Implement, and Manage, p. 50 (2 pages)
    Where Price and Consequence Intersect, p. 58 (2 pages)
    Stay on the Good Side of the Intersection, p. 60 (1 page)

Chapter 6 Defining the Cloud to Protect, p. 63 (10 pages)
    A Very Quick Cloud Primer, p. 63 (3 pages)
    Instance Provisioning Wins, p. 66 (3 pages)
    Survey the Cloud: Understand Protection, p. 69 (2 pages)
    Protection Depends on the Cloud, p. 71 (2 pages)

Chapter 7 Infrastructure as a Service, p. 73 (12 pages)
    Outsourcing Equipment Used to Support Operations, Including Storage, Hardware, Servers, and Networking Components, p. 73 (1 page)
    Utility Model---Pay for Time and Resources Used, p. 74 (1 page)
    The Danger of the Hyperjack, p. 75 (1 page)
    Defense against Hyperjacking, p. 75 (1 page)
    Desktop Virtualization Issues, p. 77 (1 page)
    Desktop Virtualization Defense, p. 77 (1 page)
    Other Infrastructure Types, p. 81 (1 page)
    Unified Communications Clouds, p. 82 (1 page)

Chapter 8 Platform as a Service (PaaS), p. 85 (10 pages)
    A Way to Rent Hardware, Operating Systems, Storage, and Network Capacity Over the Internet, p. 85 (2 pages)
    Systems Can Be Used to Run Service-Provided Software, Packaged Software, or Customer-Developed Software, p. 87 (3 pages)

Chapter 9 Software as a Service, p. 95 (10 pages)
    The Internet Defines SaaS, p. 96 (1 page)
    All Users Work from a Single Software Version, p. 96 (1 page)
    Easy to Upgrade, Manage, and Deploy Software, p. 96 (1 page)
    Shared Responsibility Model, p. 97 (1 page)
    Cloud Access Security Brokers, p. 98 (1 page)
    CASB Spreads Security Across SaaS and On-Prem, p. 101 (1 page)
    Containers Are Developer-Driven SaaS Tools, p. 102 (1 page)

Chapter 10 Virtual Desktop Infrastructure, p. 105 (16 pages)
    Virtual Desktops---The Cloud from the Other End, p. 110 (1 page)
    Much Lower Deployment, Maintenance, and Management Costs, p. 111 (3 pages)
    One Desktop Experience: Many Client Platforms, p. 114 (3 pages)
    Performance in Question for VDI, p. 117 (2 pages)
    The Security/Alteration "Lock Down" from Central Management, p. 119 (2 pages)

Chapter 11 Understand Your Cloud Type, p. 121 (8 pages)
    The Nature of the Cloud Can Have a Huge Impact on Security Possibilities, p. 121 (1 page)
    Clouds Are Bigger Than Organizational Boundaries, p. 122 (1 page)
    Everyone Needs to Agree on the Cloud Under Discussion, p. 123 (5 pages)

Chapter 12, p. 129 (10 pages)
    Classic Clouds Are Public, p. 129 (4 pages)
    Each Cloud Provider Is Unique, p. 133 (1 page)
    The Network Connecting Customer and Cloud Is Key to Both Security and Performance, p. 133 (1 page)
    In Provider Relationships, Service-Level Agreements (SLAs) Rule, p. 134 (1 page)
    Dynamic Provisioning and Capacity Flexibility Must Be Covered in the SLA, p. 135 (1 page)
    Customer Data Security Should Be Governed by the SLA, p. 136 (1 page)
    Data Must Be Secure at Every Point in the Transaction, p. 136 (1 page)
    Cloud Provider Demise Must Be Covered in the SLA, p. 137 (1 page)

Chapter 13, p. 139 (12 pages)
    Private Clouds Start with Virtualization, p. 139 (2 pages)
    Difference between Virtualization and Private Cloud Comes Down to Self-Service Provisioning and Dynamic Capacity Adjustment, p. 141 (2 pages)
    Cloud Implies Geographic Dispersal, but There Are Critical Exceptions, p. 143 (3 pages)
    The Security Issues of Virtualization Apply to Private Clouds, Although They Are Amplified by Self-Service Provisioning and Dynamic Capacity Adjustment, p. 146 (1 page)
    Questions Are Only Now Beginning to Be Resolved around Software Licensing Issues, p. 147 (1 page)
    Some IT Professionals Now Question Whether Virtualization Will Inevitably Evolve Toward the Cloud, p. 148 (1 page)

Chapter 14, p. 151 (12 pages)
    Hybrid Clouds Mix Components of Private and Public Clouds, p. 151 (1 page)
    A Hybrid Cloud Will Often Feature Mostly Private Features with Some Public Functions Added, p. 152 (2 pages)
    Other Hybrid Clouds Will Be Mostly Private, with Public Components Available for Dynamic Capacity Adjustment, p. 154 (1 page)
    Key Security Issue for Hybrid Cloud Is the Point at Which Data Transitions from Private to Public Cloud and Back (the Authentication Weakness), p. 154 (5 pages)
    Depending on Type and Security of Functions, If a Private Cloud Expands into Public Infrastructure Because of Capacity, Requirements May Be Critical, p. 159 (2 pages)
    Private Cloud Means You're Paying for 100% of Your Capacity 100% of the Time, p. 159 (1 page)
    Surge Capacity and the Capacity Rubber Band, p. 160 (1 page)
    Did You Pre-Plan the Trust Relationships and Prepare to Secure the Surge?, p. 160 (1 page)

Chapter 15 Working with Your Cloud Provider, p. 163 (12 pages)
    Security Service-Level Agreements, p. 164 (6 pages)
        A. Define Scope of Agreement (Which Parts of IT Are Covered), p. 167 (1 page)
        C. Define Performance to Be Met, p. 169 (1 page)
        D. Define Remediation, Relief, and Penalties If Performance Targets Are Not Met, p. 169 (1 page)
    Trust Relationships with the Provider, p. 170 (2 pages)
        A. References from Existing Customers, p. 170 (1 page)
        B. Pilot Projects: A Brief Tutorial, p. 171 (1 page)
        C. Expanding the Scope of the Relationship, p. 171 (1 page)
    Assistance with Audits and Compliance, p. 172 (1 page)
        A. Ask the Question: How Much Experience Does the Provider Have with Audits?, p. 172 (1 page)
        B. Know the Reports: They Are Key to Success, p. 173 (1 page)

Chapter 16 Protecting the Perimeter, p. 175 (12 pages)
    Where Does the Organizational Security Zone Stop?, p. 177 (1 page)
    Virtual Private Networks: Have They Become the Backdoor into Your Enterprise?, p. 178 (3 pages)
    Single Sign-On (SSO) and Multifactor Authentication (MFA), p. 181 (1 page)
    Virtual Applications: Compromise for BYOD, p. 182 (3 pages)
    VDI: Will Desktops in the Cloud Give IT Back Control with BYOD Running Rampant?, p. 185 (1 page)

Chapter 17 Protecting the Contents, p. 187 (10 pages)
    Getting the Initial Data into the Cloud, p. 187 (1 page)
    Setting Up and Running Your Cloud Apps, p. 188 (1 page)
    Where and How Are You Connecting to Your App?, p. 188 (2 pages)
    Where and What Are Your Authentication Sources?, p. 190 (1 page)
    Testing Shouldn't Be an Afterthought!, p. 191 (1 page)
    Are You Building a Draft System?, p. 192 (1 page)
    Are You Repeating Your Load and Vulnerability Testing on Each Rev?, p. 193 (1 page)
    Who Has the Keys to the Kingdom?, p. 193 (2 pages)
    Have You Allocated Enough Time to Bring Your Documentation Up to "As Built"?, p. 195 (1 page)

Chapter 18 Protecting the Infrastructure, p. 197 (14 pages)
    Protecting the Physical Cloud Server, p. 197 (4 pages)
    Protecting the Virtual Cloud Server, p. 201 (6 pages)
    Hyperjacking: The Keys to the Kingdom, p. 207 (1 page)
    Protecting the Network Infrastructure (Load Balancers, Accelerators, More Proxies, Managers, and More), p. 208 (1 page)
    Tie a Cloud into Your Security Infrastructure, p. 209 (1 page)

Chapter 19 Tie the Cloud Using an Internal Management Framework, p. 211 (10 pages)
    Understand the APIs Available from Your Cloud Provider, p. 212 (1 page)
    Conversations with Your Vendors: Understand How to Hook into APIs, p. 213 (1 page)
    Using Appliances to Manage Cloud Security, p. 214 (2 pages)
    Using Software to Manage Cloud Security, p. 216 (1 page)
    Test and Confirm Those Vendor Claims, p. 217 (2 pages)
    Stop Doing Work as Administrator, p. 219 (1 page)
    The Single Console: Security Management's Holy Grail, p. 219 (1 page)

Chapter 20 Closing Comments, p. 221 (6 pages)
    Understand the Appliances and Systems Your Cloud Provider Can Control, p. 221 (2 pages)
    Conversations with Your Vendors: Understand How They Hook into APIs, p. 223 (4 pages)
    Who Is Allowed to Use Those APIs and Who Can Manage Them?, p. 224 (1 page)
    What Connection Technologies Does the API Set Provide For?, p. 224 (1 page)
    Where Are Connections Allowed From?, p. 224 (1 page)
    When Are Connections Allowed?, p. 224 (1 page)
    How Does the Change Process Work?, p. 225 (2 pages)

Index, p. 227