Cloud Security: a Comprehensive Guide to Secure Cloud Computing
Total Page:16
File Type:pdf, Size:1020Kb
ffirs.indd ii 6/24/2010 2:47:19 PM Contents at a Glance Foreword xxi Introduction xxiii Chapter 1 Cloud Computing Fundamentals 1 Chapter 2 Cloud Computing Architecture 33 Chapter 3 Cloud Computing Software Security Fundamentals 61 Chapter 4 Cloud Computing Risk Issues 125 Chapter 5 Cloud Computing Security Challenges 153 Chapter 6 Cloud Computing Security Architecture 177 Chapter 7 Cloud Computing Life Cycle Issues 217 Chapter 8 Useful Next Steps and Approaches 259 Glossary of Terms and Acronyms 279 References 345 Index 349 i ffirs.indd i 6/24/2010 2:47:18 PM ffirs.indd ii 6/24/2010 2:47:19 PM Cloud Security ffirs.indd iii 6/24/2010 2:47:19 PM ffirs.indd iv 6/24/2010 2:47:19 PM Cloud Security A Comprehensive Guide to Secure Cloud Computing Ronald L. Krutz Russell Dean Vines ffirs.indd v 6/24/2010 2:47:19 PM Cloud Security: A Comprehensive Guide to Secure Cloud Computing Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2010 by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-0-470-58987-8 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or autho- rization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifi cally disclaim all warranties, including without limitation warranties of fi tness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disap- peared between when this work was written and when it is read. For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be avail- able in electronic books. Library of Congress Control Number: 2010930374 Trademarks: Wiley, the Wiley logo, Wrox, the Wrox logo, Programmer to Programmer, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affi liates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book. ffirs.indd vi 6/24/2010 2:47:19 PM I thank God for His greatest gift of all—my family. — Ronald L. Krutz Dedicated to Elzy, for now and forever. — Russell Dean Vines ffirs.indd vii 6/24/2010 2:47:19 PM ffirs.indd ii 6/24/2010 2:47:19 PM ffirs.indd viii 6/24/2010 2:47:19 PM About the Authors Ronald L. Krutz is a senior information system security consultant. He has over 30 years of experience in distributed computing systems, computer architectures, real-time systems, information assurance methodologies, and information security training. He holds B.S., M.S., and Ph.D. degrees in Electrical and Computer Engineering and is the author of best selling texts in the area of information system security. He co-authored the CISSP Prep Guide for John Wiley and Sons and is co-author of the Wiley Advanced CISSP Prep Guide, the CISSP Prep Guide, Gold Edition, the Security+Certifi cation Guide, the CISM Prep Guide, the CISSP Prep Guide, 2nd Edition: Mastering CISSP and ISSEP, the Network Security Bible, the CISSP and CAP Prep Guide, Platinum Edition: Mastering CISSP and CAP, the Certifi ed Ethical Hacker (CEH) Prep Guide, and the Certifi ed Secure Software Lifecycle Prep Guide. He is also the author of Securing SCADA Systems and of three textbooks in the areas of microcomputer system design, computer interfacing, and computer architecture. Dr. Krutz has seven patents in the area of digital systems and has published over 40 technical papers. Dr. Krutz also serves as consulting Editor for John Wiley and Sons Information Security Certifi cation Series, is a Distinguished Visiting Lecturer in the University of New Haven Henry C. Lee College of Criminal Justice and Forensic Sciences, and is an Adjunct Professor in Midway College, Kentucky. Dr. Krutz is a Registered Professional Engineer in Pennsylvania. ix ffirs.indd ix 6/24/2010 2:47:19 PM x About the Authors Russell Dean Vines has been in the information systems industry for over 20 years, and has a unique ability to disseminate complex security issues to a wider audience, from CEOs to home Internet surfers. He is also the author or co-author of 10 previous books, including the CISSP Prep Guide, which reached #25 on Amazon’s best-sellers list. He co-authored the Advanced CISSP Prep Guide, the CISSP Prep Guide, Gold Edition, the Security+Certifi cation Guide, the CISM Prep Guide, the CISSP Prep Guide, 2nd Edition: Mastering CISSP and ISSEP, the CISSP and CAP Prep Guide, Platinum Edition: Mastering CISSP and CAP, and the Certifi ed Ethical Hacker (CEH) Prep Guide. He is also the author of Wireless Security Essentials, and Composing Digital Music for Dummies. In addition to being a Certifi ed Information Systems Security Professional (CISSP), Mr. Vines is a Certified Information Systems Manager (CISM), a Certifi ed Ethical Hacker (CEH), certifi ed in CompTIA’s Security+ program, and is a Payment Card Industry (PCI) Qualifi ed Security Assessor (QSA). Russ also has vendor security certifi cations from RSA, Websense, McAfee, Citrix, VMware, Microsoft, and Novell, and has been trained in the NSA’s Information Assurance Methodology (IAM). Mr. Vines is a frequent contributor to Web and trade publications; dis- cusses Information Security Threats and Countermeasures as a member of SearchSecurityChannel.com’s Ask the Experts panel, frequently speaks at industry events such as Comdex and Networld+Interop, and teaches CISSP, CEH, and Websense classes. ffirs.indd x 6/24/2010 2:47:19 PM Credits Executive Editor Vice President and Executive Carol Long Publisher Barry Pruett Project Editor Ed Connor Associate Publisher Jim Minatel Technical Editor David Chapa Project Coordinator, Cover Production Editor Lynsey Stanford Daniel Scribner Proofreader Editorial Director Nancy Bell Robyn B. Siesky Indexer Editorial Manager Robert Swanson Mary Beth Wakefi eld Cover Designer Marketing Manager Ryan Sneed David Mayhew Cover Image Production Manager © istockphoto.com/ Tim Tate GodfriedEdelman Vice President and Executive Group Publisher Richard Swadley xi ffirs.indd xi 6/24/2010 2:47:20 PM Acknowledgments I want to thank my wife, Hilda, for her support and encouragement during the writing of this text. — Ronald L. Krutz I’d like to give a big shout-out to the gang at Gotham Technology Group, in particular Ken Phelan, Joe Jessen, and Nancy Rand, for their assistance during this project. I’d also like to thank doctors Paul M. Pellicci and Lawrence Levin for the rare gift of health. But my greatest thanks is reserved for my wife, Elzy, for her continuous and unwavering support throughout my life. — Russell Dean Vines Both authors would like to express their gratitude to Carol Long and Ed Connor of John Wiley and Sons for their support and assistance in developing this text. xii ffirs.indd xii 6/24/2010 2:47:20 PM Contents Foreword xxi Introduction xxiii Chapter 1 Cloud Computing Fundamentals 1 What Cloud Computing Isn’t 7 Alternative Views 8 Essential Characteristics 9 On-Demand Self-Service 9 BroadNetwork Access 10 Location-Independent Resource Pooling 10 Rapid Elasticity 10 Measured Service 11 Architectural Infl uences 11 High-Performance Computing 11 Utility and Enterprise Grid Computing 14 Autonomic Computing 15 Service Consolidation 16 Horizontal Scaling 16 Web Services 17 High-Scalability Architecture 18 Technological Infl uences 18 Universal Connectivity 18 Commoditization 19 Excess Capacity 20 Open-Source Software 21 Virtualization 22 Operational Infl uences 23 Consolidation 23 xiii ffirs.indd xiii 6/24/2010 8:00:45 AM xiv Contents Outsourcing 26 Outsourcing Legal Issues 26 Business Process Outsourcing (BPO) Issues 28 IT Service Management 30 Automation 31 Summary 31 Chapter 2 Cloud Computing Architecture 33 Cloud Delivery Models 34 The SPI Framework 34 SPI Evolution 34 The SPI Framework vs.