Previous article in series – Security Considerations for PaaS When SaaS is consumed from a public cloud service provider, the security options that the customer can control may be only at the application level. In that model, application security is the responsibility of the cloud service provider, but the customer retains responsibility for identity access…
Security Considerations for Platform as a Service (PaaS)
Previous article in the series – IaaS: Cloud Virtual Infrastructure Threats With the PaaS (platform as a service) model the vendor offers a complete development environment in which application developers can create and deploy their code. This avoids the need to build a server environment to run an application and the need to install a…
IaaS: Cloud Virtual Infrastructure Threats
Previous article in series – IaaS: Hypervisor Security Provisioning tools and VM templates are exposed to attacks that attempt to create new, unauthorized VMs or to tamper with the VM templates so that every VM later cloned from a modified template is infected. These new categories of security threats are a result of the new, complex,…
IaaS: Hypervisor Security
Previous article in series – Cloud Computing: Shared Security Model The hypervisor is the abstraction layer that allocates and manages the underlying hardware resources among VMs. Virtual machine attacks: Active VMs are vulnerable to all the traditional attacks that can affect physical servers. Once a VM is compromised, it may be able to attack…
Cloud Computing: Shared Security Model
In cloud computing, security is a shared responsibility between the CSP and the customer. The service model will dictate the general responsibilities, but specifics will also vary based on the actual service being consumed. Security Considerations for Infrastructure as a Service (IaaS) Within IaaS, a key emphasis and focus must be placed on the various…
ISO/IEC 27017: Information Security Controls for Cloud Computing
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing (1) additional implementation guidance for relevant controls specified in ISO/IEC 27002 and (2) additional controls, with implementation guidance, that specifically relate to cloud services. This standard provides enhanced controls for cloud service providers and cloud service customers and should…
The Prevent-Detect-Recover Cycle
The essence of IT governance is in the selection and application of security controls that adequately protect organizational data while simultaneously minimizing operational friction or disruption. The continuum of security controls extends over three classes or categories: Management (administrative) controls: Policies, standards, processes, procedures, and guidelines set by corporate administrative entities (e.g., executive- and/or mid-level…
Governance, Risk Management, and Compliance (GRC)
An approach commonly known as governance, risk management, and compliance (GRC) has evolved to analyze risks and manage mitigation in alignment with business and compliance objectives. Governance ensures the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses…
Cloud Security
Security in the cloud doesn’t change drastically from what we have traditionally done in our own datacenters. We still need to address: Confidentiality: Confidentiality begins when people, in doing their jobs, have a “need to know” in order to gain access to sensitive resources. Confidentiality is usually provided using the principle of least privilege, which means that…
Cloud Economics
Cloud computing is often referred to as a technology or even a commodity. However, it is actually a paradigm shift in the business and economic models for provisioning and consuming information technology that can lead to significant cost savings. These cost savings…