Security Management in the Cloud

12/4/2010 3:23:46 PM
1. Security Management Standards

Based on the authors’ assessment, the standards that are relevant to security management practices in the cloud are ITIL and ISO/IEC 27001 and 27002.

1.1. ITIL

The Information Technology Infrastructure Library (ITIL) is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. ITIL can be applied across almost every type of IT environment, including cloud operating environments. ITIL seeks to ensure that effective information security measures are taken at the strategic, tactical, and operational levels. Information security is treated as an iterative process that must be controlled, planned, implemented, evaluated, and maintained.

ITIL breaks information security down into:

  • Policies: the overall objectives an organization is attempting to achieve

  • Processes: what has to happen to achieve the objectives

  • Procedures: who does what, and when, to achieve the objectives

  • Work instructions: instructions for taking specific actions

The ITIL security management process is based on the code of practice for information security management, ISO/IEC 17799:2005 (renumbered ISO/IEC 27002 in 2007). The ITIL security management process has relationships with almost all other ITIL processes; the most obvious are with the service-level management, incident management, and change management processes, since these greatly influence the state of security in the system (server, network, or application). ITIL is also related to ISO/IEC 20000, the first international standard for IT Service Management (ITSM), which is based on, and intended to supersede, the earlier British standard BS 15000.

Organizations and management systems cannot be certified as “ITIL-compliant.” An organization that has implemented ITIL guidance in ITSM can, however, achieve compliance with and seek certification under ISO/IEC 20000.

1.2. ISO 27001/27002

ISO/IEC 27001 formally defines the mandatory requirements for an Information Security Management System (ISMS). It is also a certification standard and uses ISO/IEC 27002 to indicate suitable information security controls within the ISMS. However, since ISO/IEC 27002 is merely a code of practice/guideline rather than a certification standard, organizations are free to select and implement controls as they see fit.

Given the current trend of organizations moving toward ISO/IEC 27001 for information security management, there is a general consensus among information security practitioners that the ITIL security management best practices should be revised to strengthen application and logical security in the Information and Communication Technology (ICT) infrastructure domain.

Essentially, the ITIL, ISO/IEC 20000, and ISO/IEC 27001/27002 frameworks help IT organizations internalize and respond to basic questions such as:

  • How do I ensure that the current security levels are appropriate for my needs?

  • How do I apply a security baseline throughout my operation?

Together, they help you answer the broader question: how do I ensure that my services are secure?

2. Security Management in the Cloud

After analyzing the management process disciplines across the ITIL and ISO frameworks, we (the authors) identified the following relevant processes as the recommended security management focus areas for securing services in the cloud:

  • Availability management (ITIL)

  • Access control (ISO/IEC 27002, ITIL)

  • Vulnerability management (ISO/IEC 27002)

  • Patch management (ITIL)

  • Configuration management (ITIL)

  • Incident response (ISO/IEC 27002)

  • System use and access monitoring (ISO/IEC 27002)

Other ITIL management domains, such as problem management and service continuity management, may be more relevant to your business in the context of security management, but the focus of this chapter is limited to the subset of domains with the highest impact on organizations in managing security and operational risk. In subsequent sections, we will discuss the security management processes that are relevant to cloud services. We have also attempted to highlight the current state of cloud service support for security management processes in the context of the SPI delivery models (SaaS, PaaS, and IaaS) and deployment models (private, public, and hybrid). Clearly, this is an evolving area, and we recommend that you periodically reexamine cloud service capabilities and fine-tune your security management processes accordingly.

Table 1 highlights the relevance of various security management functions available to you for each of the SPI cloud delivery models in the context of deployment models (private and public). As you can see from the table, security management practice cuts across the delivery and deployment models. These functions need to be factored into your cloud security operations model.

Table 1. Relevant security management functions for SPI cloud delivery models in the context of deployment models (private, public)

Public clouds

Software-as-a-service (SaaS):

  • Access control (partial)

  • Monitoring system use and access (partial)

  • Incident response

Platform-as-a-service (PaaS), limited to the customer applications deployed on the PaaS (the CSP is responsible for the PaaS platform itself):

  • Availability management

  • Access control

  • Vulnerability management

  • Patch management

  • Configuration management

  • Incident response

  • Monitoring system use and access

Infrastructure-as-a-service (IaaS):

  • Availability management (virtual instances)

  • Access control (user and limited network)

  • Vulnerability management (operating system and applications)

  • Patch management (operating system and applications)

  • Configuration management (operating system and applications)

  • Incident response

  • Monitoring system use and access (operating system and applications)

Private clouds (SaaS, PaaS, and IaaS)

The following functions are typically managed by your IT department or a managed services provider:

  • Availability management

  • Access control

  • Vulnerability management

  • Patch management

  • Configuration management

  • Incident response

  • Monitoring system use and access


Hence, organizations looking to adopt the public cloud for certain use cases can leverage and extend the internal security management practices and processes they developed for their private cloud services.
