Security Management in the Cloud

12/4/2010 3:23:46 PM

1. Security Management Standards

Based on the authors’ assessment, the standards that are relevant to security management practices in the cloud are ITIL and ISO/IEC 27001 and 27002.

1.1. ITIL

The Information Technology Infrastructure Library (ITIL) is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. ITIL can be applied across almost every type of IT environment including cloud operating environment. ITIL seeks to ensure that effective information security measures are taken at strategic, tactical, and operational levels. Information security is considered an iterative process that must be controlled, planned, implemented, evaluated, and maintained.

ITIL breaks information security down into:

  • Policies: the overall objectives an organization is attempting to achieve

  • Processes: what has to happen to achieve the objectives

  • Procedures: who does what and when to achieve the objectives

  • Work instructions: instructions for taking specific actions

The ITIL security management process is based on the code of practice for information security management, also known as ISO/IEC 17799:2005. The ITIL security management process has relationships with almost all other ITIL processes. However, the most obvious relationships are with the service-level management, incident management, and change management processes, since they greatly influence the state of security in the system (server, network, or application). ITIL is also related to ISO/IEC 20000, the first international standard for IT Service Management (ITSM). ISO/IEC 20000 is based on and is intended to supersede the earlier British standard, BS 15000.

Organizations and management systems cannot be certified as “ITIL-compliant.” An organization that has implemented ITIL guidance in ITSM can, however, achieve compliance with and seek certification under ISO/IEC 20000.

1.2. ISO 27001/27002

ISO/IEC 27001 formally defines the mandatory requirements for an Information Security Management System (ISMS). It is also a certification standard and uses ISO/IEC 27002 to indicate suitable information security controls within the ISMS. However, since ISO/IEC 27002 is merely a code of practice/guideline rather than a certification standard, organizations are free to select and implement controls as they see fit.

Given the current trend of organizations moving toward ISO/IEC 27001 for information security management, there is a general consensus among information security practitioners to revise the ITIL security management best practices with the goal of strengthening the application and logical security in the Information and Communication Technology (ICT) infrastructure domain.

Essentially, the ITIL, ISO/IEC 20000, and ISO/IEC 27001/27002 frameworks help IT organizations internalize and respond to basic questions such as:

  • How do I ensure that the current security levels are appropriate for my needs?

  • How do I apply a security baseline throughout my operation?

To that end, they help you to respond to the question: how do I ensure that my services are secure?

2. Security Management in the Cloud

After analyzing the management process disciplines across the ITIL and ISO frameworks, we (the authors) identified the following relevant processes as the recommended security management focus areas for securing services in the cloud:

  • Availability management (ITIL)

  • Access control (ISO/IEC 27002, ITIL)

  • Vulnerability management (ISO/IEC 27002)

  • Patch management (ITIL)

  • Configuration management (ITIL)

  • Incident response (ISO/IEC 27002)

  • System use and access monitoring (ISO/IEC 27002)

Other ITIL management domains, such as problem management and service continuity management, may be more relevant to your business in the context of security management, but the focus of this chapter is limited to the subset of domains with the highest impact on organizations in managing security and operational risk. In subsequent sections, we will discuss the security management processes that are relevant to cloud services. We have also attempted to highlight the current state of cloud service support for security management processes in the context of the SPI delivery model and deployment models (private, public, and hybrid). Clearly, this is an evolving area, and we recommend that you periodically reexamine cloud service capabilities and fine-tune your security management processes accordingly.

Table 1 highlights the relevance of various security management functions available to you for each of the SPI cloud delivery models in the context of deployment models (private and public). As you can see from the table, security management practice cuts across the delivery and deployment models. These functions need to be factored into your cloud security operations model.

Table 1. Relevant security management functions for SPI cloud delivery models in the context of deployment models (private, public)

Software-as-a-service (SaaS), public clouds:

  • Access control (partial)

  • Monitoring system use and access (partial)

  • Incident response

Private clouds. The following functions are typically managed by your IT department or by managed services:

  • Availability management

  • Access control

  • Vulnerability management

  • Patch management

  • Configuration management

  • Incident response

  • Monitoring system use and access

Platform-as-a-service (PaaS), public clouds. The following are limited to customer applications deployed in PaaS (the CSP is responsible for the PaaS platform):

  • Availability management

  • Access control

  • Vulnerability management

  • Patch management

  • Configuration management

  • Incident response

  • Monitoring system use and access

Infrastructure-as-a-service (IaaS), public clouds:

  • Availability management (virtual instances)

  • Access control (user and limited network)

  • Vulnerability management (operating system and applications)

  • Patch management (operating system and applications)

  • Configuration management (operating system and applications)

  • Incident response

  • Monitoring system use and access (operating system and applications)

Hence, organizations looking to augment the public cloud for certain use cases can leverage and extend their internal security management practices and processes developed for their internal private cloud services.
