Copyright © 2013 cloudbook: The Cloud Computing & SaaS Information Resource. All Rights Reserved.

| Featured Stories |
| How Cloud Computing Paradigm Can Meet the Challenges of Adaptive Security Systems? | |
| by Irina Neaga | |
| The cloud computing model should drive, and potentially be applied to, the design and development of the next generation of adaptive security systems. This essay presents some conceptual ideas and directions based on systems engineering methods and architecting principles. | |
| Making the Cloud Secure for the Enterprise | |
| by Ellen Rubin | |
| Security issues associated with third-party cloud environments continue to prevent organizations from taking advantage of the cost savings and flexibility that the cloud can offer. Today, using a public cloud means moving from an internal environment where a company has complete control of data and processes to an environment where that control belongs to someone else, and is often opaque. Within the cloud, applications run in a multi-tenant environment sharing virtual machines with other customers. Companies considering moving an application to a cloud have legitimate concerns about data being compromised or stolen, including unauthorized access by cloud administrators, exposure in the Internet or rogue employees using the cloud to corrupt or leak sensitive information. | |
| Federated Identity Management in Cloud Computing | ||||
| April 25 2012 |
||||
|
||||
| “Identity” consists of a “set” of information based on context, allied with a definite entity (End User or System). Identity Management should include: Identity Provisioning, De-Provisioning, Identity Information Security, Identity Linking, Identity Mapping, Identity Federation, Identity Attributes Federation, Single Sign On, Authentication and Authorization.
With the adoption of cloud services, the organization’s trust boundary has become dynamic. It has moved beyond the control of IT. Identity & Access Management is a critical requirement, considering that data sensitivity and privacy of information have increasingly become an area of concern in the cloud. |
||||
| Tokenization for Cloud Data Protection | ||||
| January 10 2012 |
||||
|
||||
| This paper offers a high-level overview of tokenization as a data protection and obfuscation technique in the cloud. It also discusses the PCI Data Security Council’s tokenization standards. |
||||
| The Cloud Security Part 1: For Dummies | ||||
| July 17 2011 |
||||
|
||||
| From an attacker’s perspective, cloud providers aggregate access to many victims’ data into a single point of entry. As the cloud environments become more and more popular, they will increasingly become the focus of attacks. Some organizations think that liability can be outsourced, but no, and I hope that we all understand it cannot. The contract with your cloud vendors basically means nothing; the ISVs, or should I say the SaaS providers, still hold the responsibility, so rather than focusing on contracts and limiting liability in cloud services deals, you should focus on controls and auditability. |
||||
| The Cloud Security Part 2: Market Perceptions, Vendors and More | ||||
| July 17 2011 |
||||
|
||||
| From an attacker’s perspective, cloud providers aggregate access to many victims’ data into a single point of entry. As the cloud environments become more and more popular, they will increasingly become the focus of attacks. Some organizations think that liability can be outsourced, but no, and I hope that we all understand it cannot. The contract with your cloud vendors basically means nothing; the ISVs, or should I say the SaaS providers, still hold the responsibility, so rather than focusing on contracts and limiting liability in cloud services deals, you should focus on controls and auditability. |
||||
| Intel Cloud Builders Guide to Cloud Design and Deployment on Intel Platforms | ||||
| May 25 2011 |
||||
|
||||
| Cloud on-boarding with CloudSwitch.
For enterprise IT organizations who are looking to securely utilize public clouds and existing data center infrastructure, the decision to use a cloud for the delivery of IT services is best done by starting with the knowledge and experience gained from previous work.
This reference architecture outlines how to extend the data center into the cloud using CloudSwitch software with Intel Xeon processor 5600 series servers. This paper, which includes detailed scripts and screen shots, should significantly reduce the learning curve for building and operating your first cloud computing infrastructure. |
||||
| A Cloud Security Bill of Rights | ||||
| May 18 2011 |
||||
|
||||
| Cloud Security remains a top concern for enterprise cloud deployments. Unresolved policy and control issues make it difficult to meet the requirements of corporate security and networking teams. As a result, we frequently hear from our customers that they assume they can only put the lowest-risk data and applications into the cloud – or that their cloud projects are on hold till the security issues get resolved. This is a major limitation for cloud adoption, often creating a false belief that the cloud only works for apps “that don’t matter,” or for companies who are willing to take risks. |
||||
|
Domain 10: Guidance for Application Security V2.1 |
||||
| September 22 2010 |
||||
|
||||
| Picking up from the latest Cloud Security Alliance papers, Domain 10: Guidance for Application Security V2.1 explores some of the challenges that organizations have encountered with application security for cloud computing. Domain 10 provides an upfront analysis, covering the traditional aspects of managing information confidentiality, integrity and availability, as it is central to documenting the classification of data handled by the application and will influence many of the design decisions. It also elaborates on situations for existing applications that are migrated to the cloud, as it can serve as an opportunity to address outstanding fundamental problems that have been overlooked or underrepresented during their development. |
||||
| True Isolation Makes the Public Cloud Work Like a Private Cloud | ||||
| March 23 2010 |
||||
|
||||
| Security is always mentioned as a key factor limiting cloud adoption, but what does "security" really mean in the cloud? To understand the potential risks of cloud computing - and how to address them - we need to be more specific. Once we've accurately defined the problems, we can address them with the right technology and processes. Here is a solution to allow applications to run safely in a public cloud. |
||||
| Security vs Compliance in the Cloud | ||||
| January 26 2010 |
||||
|
||||
| Security is always top of mind for CIOs and CSOs when considering a cloud deployment. Here is a look into cloud security and the standards used to determine compliance. |
||||
|
Security Guidance for Critical Areas of Focus in Cloud Computing v2 |
||||
| December 19 2009 |
||||
|
||||
| The Cloud Security Alliance's initial report, outlining areas of concern and guidance for organizations adopting cloud computing. The intention is to provide security practitioners with a comprehensive roadmap for being proactive in developing positive and secure relationships with cloud providers. Much of this guidance is also quite relevant to the cloud provider to improve the quality and security of their service offerings. As with any initial foray, there will certainly be guidance that we could improve upon. We will quite likely modify the number of domains and change the focus of some areas of concern. We seek your help to improve this guidance to make version 2.0 of this document an even better asset to the security practitioner and cloud provider. We will be kicking off numerous online activities and in-person regional events to share our findings and connect with experts to increase our knowledge base. |
||||
| Is Cloud Security Really Different Than Data Center Security? | ||||
| October 30 2009 |
||||
|
||||
| There are good reasons to plan a cloud security strategy, but in a sense, it's no different than planning a security strategy for your company. Before you start worrying about security in the cloud, get your own house in order. If you don't have a well-executed internal security plan, then you're not ready for the cloud. Here are five issues to consider when planning your cloud security strategy. |
||||
| Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26 | ||||
| October 22 2009 |
||||
|
||||
| NIST (National Institute of Standards and Technology) is positioning its working definition of cloud computing that serves as a foundation for its upcoming publication on the topic. Computer scientists at NIST developed this draft definition in collaboration with industry and government. It was developed as the foundation for a NIST special publication that will cover cloud architectures, security, and deployment strategies for the federal government. |
||||
| Virtualization Security Testing | ||||
| September 24 2009 |
||||
|
||||
| Virtualization Security Testing |
||||
| Cloud Security | ||||
| September 21 2009 |
||||
|
||||
| Cloud Security |
||||
| Virtualization Security Roundtable | ||||
| September 10 2009 |
||||
|
||||
| Virtualization Security Roundtable |
||||
| HyTrust Authentication/Authorization | ||||
| August 12 2009 |
||||
|
||||
| HyTrust Authentication/Authorization |
||||
| Does Private Cloud Equal Secure Cloud? | ||||
| August 10 2009 |
||||
|
||||
| Whenever the word "private" is included in the name of technology, many people leap to the conclusion that security is built in. |
||||
| VMsafe Virtual Firewalls | ||||
| July 30 2009 |
||||
|
||||
| VMsafe Virtual Firewalls - Guest: Todd Ignasiak from Altor Networks |
||||
|
Private Virtual Infrastructure for Cloud Computing |
||||
| July 22 2009 |
||||
|
||||
| By F. John Krautheim.
Abstract: Cloud computing places an organization’s sensitive data in the control of a third party, introducing a significant level of risk on the privacy and security of the data. We propose a new management and security model for cloud computing called the Private Virtual Infrastructure (PVI) that shares the responsibility of security in cloud computing between the service provider and client, decreasing the risk exposure to both. The PVI datacenter is under control of the information owner while the cloud fabric is under control of the service provider. A cloud Locator Bot pre-measures the cloud for security properties, securely provisions the datacenter in the cloud, and provides situational awareness through continuous monitoring of the cloud security. PVI and Locator Bot provide the tools that organizations require to maintain control of their information in the cloud and realize the benefits of cloud computing. |
||||
|
The Case for Enterprise Ready Virtual Private Clouds |
||||
| July 22 2009 |
||||
|
||||
| By Timothy Wood and Prashant Shenoy, University of Massachusetts Amherst;
Alexandre Gerber, KK Ramakrishnan, and Jacobus Van der Merwe, AT&T Labs - Research.
Abstract: Cloud computing platforms such as Amazon EC2 provide customers with flexible, on demand resources at low cost. However, while existing offerings are useful for providing basic computation and storage resources, they fail to provide the security and network controls that many customers would like. In this work we argue that cloud computing has a great potential to change how enterprises run and manage their IT systems, but that to achieve this, more comprehensive control over network resources and security need to be provided for users. Towards this goal, we propose CloudNet, a cloud platform architecture which utilizes virtual private networks to securely and seamlessly link cloud and enterprise sites. |
||||
| Cloud Security Deep Dive | ||||
| January 20 2010 |
||||
|
||||
| In this webcast, the three coauthors of "Cloud Security and Privacy" take a deep dive into cloud security issues and focus on three specific aspects: (1) data security; (2) identity management in the cloud; and (3) governance in the cloud (in the context of managing a cloud service provider with respect to security obligations). |
||||
| Cloud Security and Privacy | ||||
| January 20 2010 |
||||
|
||||
| This webcast discusses current issues in cloud computing with regards to security and privacy. The presenters are the three coauthors of a recent published book, "Cloud Security and Privacy." In this webcast, they discuss cloud issues with infrastructure and data security, identity management, security management, privacy considerations, audit and compliance, Security-as-a-Service (cloud-based security solutions), and the impact of cloud computing on traditional IT. |
||||
| Cloud Security & Privacy | ||||
| September 29 2009 |
||||
|
||||
| In this webcast, the authors of "Cloud Security and Privacy" discuss cloud computing's SPI delivery model, and its impact on various aspects of enterprise information security (e.g., infrastructure, data, identity and access management, security management), privacy, and compliance. Security-as-a-Service and the impacts of cloud computing on corporate IT are also discussed. |
||||
| Analyst Take: Infrastructure Protection | ||||
| August 25 2009 |
||||
|
||||
| VP and Distinguished Analyst at Gartner, John Pescatore, discusses ways to validate your Infrastructure Protection Strategies. |
||||
| Security in the Cloud | ||||
| May 22 2009 |
||||
|
||||
| Security in the Cloud |
||||
| RSA Conference: FEA-303: Virtualization Security (Registration Required) | ||||
| April 20 2009 |
||||
|
||||
| This panel discussion and Q&A covers the state and possible future of virtualization security. Panel session with: Andreas Antonopoulos, Sr. Vice President, Nemertes Research; Christofer Hoff, Chief Security Architect, Unisys; Simon Crosby, CTO, Citrix Systems; Stephen Herrod, CTO and VP of R&D, VMware; Michael Berman, CTO, Catbird. |
||||
| Defending Inter-VM Attacks | ||||
| September 15 2008 |
||||
|
||||
| Defending Inter-VM Attacks |
||||
| Improving Vulnerability Management with Penetration Testing | ||||
| September 24 2006 |
||||
|
||||
| John Pescatore, from featured analyst firm Gartner, discusses the overall state of security, including recent attack trends. |
||||
|
Defining a dWAF to Secure Cloud Applications |
||||
| July 17 2009 |
||||
|
||||
| Cloud computing was not designed for security, although organizations such as Cloud Security Alliance (CSA) and Open Web Application Security Project (OWASP) are taking great strides in helping the industry solve the myriad of security problems confronting cloud computing. The benchmark guidelines established by the CSA in their document, Guidance for Critical Areas of Focus in Cloud Computing, is a great first step. This paper is intended to pick up where the CSA guide left off in terms of defining what a distributed web application firewall (dWAF) should look like in order to meet the standards set within the CSA document. It also includes recommendations and practical use-cases. |
||||
| Teleworking in the Cloud: Security Risks and Remedies | ||||
| May 15 2009 |
||||
|
||||
| Companies have many cloud computing choices to make when office applications and servers disappear from the IT department. If security is not built in, incidental costs will outweigh any cost savings. |
||||
| Securing Applications Using WebSphere sMash Applications on Amazon EC2 | ||||
| April 08 2009 |
||||
|
||||
| This article walks users through securing WebSphere sMash applications deployed on the Amazon Elastic Compute Grid. It illustrates how to secure applications using both HTTP basic authentication and Secure Socket Layer (SSL) methods. |
||||
| Cool Vendors in Infrastructure Protection, 2009 | ||||
| March 17 2009 |
||||
|
||||
| Chief Information Security Officers and other security decision makers should be prepared to consider innovative, new infrastructure protection vendors. They won't necessarily be appropriate for every enterprise, but their offerings and business models point to new directions in their market spaces. |
||||
| Cool Vendors in Software-as-a-Service Security, 2009 | ||||
| March 17 2009 |
||||
|
||||
| Gartner's first set of cool vendors in software-as-a-service security addresses the growing demand for agile, responsive, cost effective solutions with highly innovative offerings. Use this research when evaluating technology trends and future needs. |
||||
| Trustworthy Virtual Cloud Computing | ||||
|
||||
| Abstract: Virtual cloud computing is emerging as a promising solution to IT management to both ease the provisioning and administration of complex hardware and software systems and reduce the operational costs. With the industry’s continuous investment (e.g., Amazon Elastic Cloud Computing, IBM Blue Cloud), virtual cloud computing is likely to be a major component of the future IT solution, which will have significant impact on almost all sectors of society. The trustworthiness of virtual cloud computing is thus critical to the well-being of all organizations or individuals that will rely on virtual cloud computing for their IT solutions. This project envisions trustworthy virtual cloud computing and investigates fundamental research issues leading to this vision. Central to this visi .... | ||||
| Cloud security fears outweigh savings, but perhaps not for long | ||||
| July 08 2011 - GCN | ||||
| Gazzang Pushes MySQL Database Encryption, Cloud Security | ||||
| March 02 2011 - eWeek.com | ||||
| RSA Conference: Security Issues from the Cloud to Advanced Persistent Threats | ||||
| February 20 2011 - eWeek | ||||
| RSA conference looks at online vulnerability | ||||
| February 17 2011 - SFGate | ||||
| Virtualization can be key to cloud security, RSA chief says | ||||
| February 15 2011 - ComputerWorld | ||||
| RSA Conference study to reveal cloud frustration | ||||
| February 09 2011 - SC Magazine | ||||
| CloudPassage Launches Itself, New Cloud VM Security Package | ||||
| January 27 2011 - eWeek.com | ||||
| Security Emerges From the Cloud | ||||
| December 31 2010 - The Motley Fool | ||||
| 6 Security 'Must Haves' For Cloud Computing | ||||
| November 22 2010 - CMS Wire | ||||
| Cloud Consortium Releases Security Compliance Tools | ||||
| November 17 2010 - InformationWeek | ||||
| White House Proposes Cloud Security Standards | ||||
| November 04 2010 - information management | ||||