
DATA SECURITY IN CLOUD COMPUTING, VOLUME II

GIULIO D’AGOSTINO
Data Security in Cloud Computing, Volume II
Copyright © Momentum Press®, LLC, 2019.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopy, recording, or any other—except for brief quotations, not to exceed 250 words, without the prior permission of the publisher.

First published in 2019 by
Momentum Press®, LLC
222 East 46th Street, New York, NY 10017
www.momentumpress.net

ISBN-13: 978-1-94944-923-5 (print)
ISBN-13: 978-1-94944-924-2 (e-book)

Momentum Press Computer Engineering Foundations, Currents, and Trajectories Collection

Cover and interior design by S4Carlisle Publishing Services Private Ltd., Chennai, India

First edition: 2019

10 9 8 7 6 5 4 3 2 1

Printed in the United States of America

Dedication

To my wife Eimear for standing beside me throughout my career and writing this book.
Abstract

Cloud computing has already been adopted by many organizations and people because of its advantages of economy, reliability, scalability, and guaranteed quality of service, among others. Readers will learn specifics about software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), server and desktop virtualization, and much more.

This book covers not only information protection in cloud computing security and risk management, but also the planning, management, and in-depth implementation details needed to migrate existing applications to the cloud. Readers will gain a greater comprehension of cloud engineering and the actions required to rapidly reap its benefits while at the same time lowering IT implementation risk. The book’s content is ideal for users wanting to migrate to the cloud, IT professionals seeking an overview of cloud fundamentals, and computer science students who will build cloud solutions for testing purposes.

KEYWORDS

Amazon Web Services; API; Azure; BaaS; cloud computing; computer engineering and science; Google Cloud; Java; MySQL; Node.js; SaaS; SQL
Contents

List of Figures xi
List of Tables xiii
List of Abbreviations xv
Acknowledgments xvii
Introduction xix
Chapter 7 Secure Cloud Architecture 1
7.1. Governance and Comprehensive Risk Analysis 4
Chapter 8 Risk and Trust Assessment 11
Chapter 9 Managing Risk in the Cloud 25
Chapter 10 Cloud Security Access Control 37
10.1.  Improvements 44
10.2.  Multilevel Authentication 45
10.3.  Encryption 46
10.4.  Password Administration 46
10.5.  Distributed Servers 46
Chapter 11 Cloud Security Risk Management 49
11.1.  Risk in the Cloud 49
11.2.  Indirect Measurements and Metrics 51
11.3.  Definitions of Risk 52
11.4.  Risk and Cloud 55
11.4.1.   Security Risks Not Particular to Cloud Computing 55
11.4.2.   Cloud-specific Hazards 57
11.4.3.   Safety SLA for Cloud Services 61
Chapter 12 Infrastructure-as-a-Service (IaaS) 71
12.1.  Considerations 71
12.2.  Network 73
12.3.  Security Implications 73
12.4.  Storage 74
12.5.  Databases 75
12.6.  Control 75
Chapter 13 Cryptographic Key Management for Data Protection 77
13.1.  Key Management System Design Choices 80
13.2.  Cloud Key Management Challenges 82
13.3.  Cloud Key Management Strategies 83
13.3.1.   Establish Trust in Crypto Module 83
13.3.2.   Use Key Splitting Techniques 84
Chapter 14 Managing Legal Compliance Risk and Personal Data Protection 85
14.1.  Digital Agenda for Europe 2015 87
14.2.  Addressing Legal Compliance 89
14.2.1.    Precontractual phase 89
14.2.2.    Step 1: Precontractual Phase 90
14.2.3.    Risks and Opportunities for Your Cloud Service Client 90
14.2.4.    Outsourcing Cloud Services 90
14.2.5.    Step 2: Major Issues in Entering a Cloud Service Contract 91
14.2.6.    Jurisdiction and Applicable Law 91
14.2.7.    Privacy Roles 93
14.2.8.    Amendments to the Contract 94
14.2.9.    Data Location and Transfers of Data 94
14.2.10. Processing of Personal Data by Subcontractors 95
14.2.11.  Data Subjects’ Rights (Intervenability) 96
14.2.12. Step 3: Exiting a Cloud Service Contract: Major Issues 96
14.2.13.  Lock-in and Interoperability 96
14.2.14.  Service-level Agreements 96
14.2.15.  Termination of the Contract 97
Chapter 15 Future Directions in Cloud Computing Security 101
15.1.  Categories 102
About the Author 105
Index 107
List of Figures

Figure 7.1. Cloud computing structure 2
Figure 7.2. Just how secure is your cloud? 2
Figure 7.3. Four safety elements 4
Figure 7.4. The role performed by a safety agent 4
Figure 7.5. Cloud user and Service Provider 5
Figure 7.6. Example of compliance architecture 7
Figure 7.7. Schematic diagram of an internal LAN security infrastructure of a cloud computing supplier 10
Figure 8.1. Risk control strategy 15
Figure 8.2. Cloud hazard assessment models 16
Figure 8.3. Risk matrix using a scale between 0 and 8 17
Figure 8.4. Relation among the elements of a threat 18
Figure 8.5. The matrix that depicts the amount of risk for every emphasized event 20
Figure 9.1. The RMF procedure recorded in Table 9.1 and NIST SP 800-37 Rev. 1 29
Figure 9.2. The RMF procedure recorded in Table 9.1 and NIST SP 800-37 Rev. 1 32
Figure 10.1. Layers of safety 38
Figure 10.2. The three-tier structure database structure 40
Figure 10.3. Shows a few of the most popular server operating systems such as Windows and Linux 41
Figure 10.4. Cloud computing sophistication and accessibility points 43
Figure 13.1. Cryptographic keys possess a lifespan cycle that contains some or all of the following states 79
Figure 13.2. Notional decision flowchart for a cloud platform 81
List of Tables

Table 7.1. Risk assessment matrix 8
Table 9.1. NIST SP 800-37 Rev. 1 28
Table 9.2. Risk management framework—cloud consumer’s perspective 34
Table 14.1. Internal due diligence checklist 90
Table 14.2. External due diligence checklist 91
Table 14.3. Jurisdiction and applicable law 92
Table 14.4. Privacy role aspects for the cloud customer to consider 93
Table 14.5. Amendments to the contract checklist 93
Table 14.6. Subprocessors and subcontractors 95
Table 14.7. Lock-in and interoperability checklist 96
Table 14.8. Suggestions: Termination of the contract 97
Table 15.1. Known attacks against cloud computing 102
Table 15.2. Cloud security categories 103
List of Abbreviations

API Application Programming Interface
BYOT Bring Your Own Technology
CAIQ Cloud Evaluation Initiative Questionnaire
CCs Cloud Clients
CIO Chief Information Officer
CSA Cloud Security Alliance
CSP Cloud Service Provider
DDoS Distributed Denial of Service
DoS Denial of Service
DR Disaster Recovery
ENISA European Network and Information Security Agency
EU European Union
FSI Financial Services Institutions
IaaS Infrastructure-as-a-Service
ISP Internet Service Providers
IT Information Technology
MAC Media Access Control
NAT Network Address Translation
NFS Network File Systems
NIST National Institute of Science and Technology
PaaS Platform-as-a-Service
PII Personally Identifiable Information
PocT Policy as a Trust Management Technique
PrdT Prediction as a Trust Management Technique
RecT Recommendation as a Trust Management Technique
RepT Reputation as a Trust Management Technique
RMF Risk Management Frame
SA Support Arrangement
SaaS Software-as-a-Service
SLA Service Level Agreement
SNMP Simple Network Management Protocol
VM Virtual Machine
Acknowledgments

First and foremost, I would like to thank my family and friends for always
standing by me. I also thank Nigel Wyatt, Michael Weiss (Griffith College
Dublin), Gabriel Grecco (photography), and the Momentum Press team for
the support and inspiration.
Introduction

This second volume of my series of works dedicated to Data Security in Cloud Computing acts as a professional benchmark, as well as a practitioner’s guide to today’s most complete and concise view of cloud computing security. It offers coverage of cloud computing security concepts, technology, and practice as they relate to based technologies and to recent advancements. It investigates practical answers to a wide assortment of cloud computing protection issues.

The primary audience for this book consists of engineers and students interested in monitoring and analyzing specific, measurable cloud computing protection environments, which may include infrastructure or transportation systems, mechanical systems, seismic events, and underwater environments. This book will also be useful for safety and related professionals interested in tactical surveillance and mobile cloud computing protection target classification and monitoring. This thorough reference and practitioner’s short book is also of significance to students in upper-division undergraduate and graduate-level classes in cloud computing security.
CHAPTER 10

Cloud Security Access Control

Cloud security access control can be an overwhelming job. Having tens of thousands of consumers accessing systems from around the globe, from many different devices, demands a great deal of planning and thought. The many layers at which security risks can arise are also a ripe target for attackers. Large conglomerates all around the world host virtual servers. Employees and consumers are in one part of the world while the systems are in another. Sometimes servers are moved from one data center to another depending on the time of day or a rise in demand from another region; therefore, we have to secure these “moving targets.” Consider Netflix: when a popular film or a new show is released, they move that content to the location nearest to the clients watching it. In addition, there is the notion of BYOT (bring your own technology), which makes the data security professional’s job much harder. One of the most effective ways to look at security controls is to examine the layers where problems can occur. Every segment of the system has challenges that must be dealt with. Occasionally those challenges are easy to address, but generally a comprehensive examination must be undertaken to prevent unauthorized access.

The first and most exposed layer is the device layer. As shown in Figure 10.1, to think about security we begin with the user and continue through every stage. The user layer is generally the primary user interface device. Most often a computer, a tablet, or a mobile phone is used to get into the cloud system. Each phone vendor may ship its own browser, which may or may not comply with your company’s security standards. A browser that works well on one make of phone may lead to security problems on another. The application layer comes next; it requires careful implementation of precisely what the program is supposed to do, but it also ought to prevent things the app is not supposed to do. The next layer is the host operating system. There are only a few specialists producing operating systems compared to the number of application developers. Finally, we analyze the network hardware and infrastructure. As shown in Figure 10.1, the layers of security begin with the user and end with the network; all must be considered. Simple Network Management Protocol (SNMP)–based management provides management options for applications, systems, complex devices, and environmental management systems. Douglas Mauro and Kevin Schmidt wrote a technician’s guide to SNMP in a book titled “Essential SNMP,” in which they explain that using the standard allows for monitoring of many different kinds of devices and the health of your system. Some devices are designed to report temperature information. Warnings can be automated, and other equipment (think fans) can be set to turn on automatically.

Figure 10.1. Layers of safety (User, Application, Server, Network)

Internet browsers dominate the user interface for many reasons. The most straightforward reason is that most users don’t care what platform they’re using. Phones, tablets, notebooks, laptops, and high-end workstations all have access to an Internet browser. There are also a couple of web browsers that have versions for each of the platforms. Firefox and Chrome are two that lead the market (Net Marketshare n.d.). The front end for most cloud programs is the Internet browser. Connect to a browser-based application, and you’re in the cloud using the resources of a host in a data center somewhere on Earth. Embedding security in the front-end program, rather than allowing other applications to interfere with the connection between the host and the system, gives a higher degree of protection than many web browser implementations. The security bubble of the front end first checks the internal application to ensure that the version of the front end is legitimate and has not been tampered with. This can occasionally cause a longer login interval for these kinds of devices. If the front-end application doesn’t match the expected front-end version, the program denies access to that user.

Most commercial cloud applications and services need many users to join their systems. This places many more challenges on the security employee. To maintain a protected internal system, many businesses have limited access to additional programs. There are programs that can be set up on tablets and phones to restrict which applications a user can run. Allowing users to make requests only through your own front end helps keep critical applications or invalid information requests away from attacks. This becomes harder when an employee is permitted to bring their own device. If a person accesses cloud resources, administrators want to know who they are and to restrict the user’s capabilities. There is a great deal of malware and there are many viruses; the ability to have a front end that functions as a firewall against intrusion is vital. The front-end check is essential to securing the cloud and network servers before somebody gets in.

When creating applications to run in the cloud, software engineers have many programming languages to pick from. Lower-level languages are preferred by many on account of their ability to make direct use of the computer hardware and their high-speed processing. Because of advances in processor capabilities in the previous 10 years, higher-level languages like Java and Ruby are increasingly popular for application development. Securing the software layer is quite complicated. The developer must avoid stack overflows, wait for code identification, and consider all the possible things an individual or application on the user’s computer may be capable of doing. The developer has to be aware of abuse of the granted access and prevent unauthorized access to information. Applications have to be made to check for invalid requests in addition to valid ones. Preventing authorized users from doing illegal activities must always be in the minds of the developer.

One technique used by program developers is to trap errors and merely send back a generic message to the user when unauthorized tables or requests are being queried. Rather than returning the code and the developer’s error message, the user gets a general warning that they have done something wrong. Keeping detailed error messages from the user keeps particulars of the system from reaching the user, who could otherwise start looking for vulnerabilities in that release and system. If the application programmer keeps that data from the user, their application is a lot safer. Another way to secure your program is to produce tiers.
In Figure 10.2, the three-tier structure communicates via a central application, ensuring greater protection for your database and revealing how information flows through the intermediary, or middleware, in order to insulate the database. The three-tier structure was developed by a company named Open Environment Corporation, which was purchased by Borland in 1996. This system examines the program from three distinct tiers. The middle piece of software understands the right format, design, business rules, and access control necessary to pass along a transaction to the backend server.

Figure 10.2. The three-tier database structure (Front-end user interface, Middleware, Database server)

The backend database server only responds to requests from the middleware, and only in the appropriate format with the right credentials. Any discrepancy between the request from the middleware and what the database expects returns nothing. This sort of programming requires layers of hardware to match the three tiers. With the decreased prices for virtual servers, including many segments of equipment has become increasingly commonplace. It raises the number of points of failure; therefore, most program development businesses don’t want too many layers, but if the app is written appropriately, creating several instances of the middleware may result in improved response times of the system. Take an example where every server can handle 200 users. When your community grows beyond 200, adding a different front-end host to the system would make sense rather than adding more memory or processing power to a single server. Employing the three-tier architecture also produces the capacity to separate function access for the developers. You might have six programmers working on a job. Having them specify and create the rules and the way the interfaces will operate provides them with the physical separation to deal with their portion of the undertaking. One advantage of the three-tier structure is that it insulates the database from the users. This is particularly true when your primary aim is to maintain a secure database.
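The middleware tier described above, combined with the generic-error technique from the previous section, as an added Python example that is not part of the book; the sample schema, the shared service token, and the column allow-list are constructed for this example (a real deployment would use a database account or mTLS between the tiers):

```python
import hmac
import logging
import sqlite3
import uuid

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("middleware")

# Constructed secret shared only by the middleware and the backend tier
# (assumption for this example; it stands in for a database credential).
SERVICE_TOKEN = "constructed-middleware-token"

# Tables and columns the middleware is allowed to expose; anything else is refused.
ALLOWED = {"orders": {"id", "owner", "total"}}


class BackendDatabase:
    """Tier 3: answers only callers that present the service token."""

    def __init__(self):
        # In-memory database with constructed sample rows.
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
        self.conn.executemany(
            "INSERT INTO orders (owner, total) VALUES (?, ?)",
            [("alice", 19.99), ("bob", 42.50), ("alice", 7.25)])

    def query(self, token, sql, params):
        if not hmac.compare_digest(token, SERVICE_TOKEN):
            raise PermissionError("backend refuses callers without the service token")
        return self.conn.execute(sql, params).fetchall()


class Middleware:
    """Tier 2: enforces format and access control, then queries on the user's behalf."""

    def __init__(self, backend):
        self.backend = backend

    def fetch(self, user, table, columns):
        # Format check: table and column names must be on the allow-list, so user
        # input never becomes part of the SQL text; values go in as parameters.
        if table not in ALLOWED or not set(columns) <= ALLOWED[table]:
            raise ValueError(f"request outside the allowed schema: {table} {columns}")
        # Access control: a user may read only the rows they own.
        sql = f"SELECT {', '.join(columns)} FROM {table} WHERE owner = ?"
        return self.backend.query(SERVICE_TOKEN, sql, (user,))


def handle_request(mw, user, table, columns):
    """Tier 1 boundary: trap every error, log the detail, return a generic message."""
    try:
        return {"ok": True, "rows": mw.fetch(user, table, columns)}
    except Exception as exc:  # ValueError, PermissionError, sqlite3 errors, ...
        ref = uuid.uuid4().hex[:8]  # correlation id so an operator can find the log line
        log.warning("request %s from %s failed: %r", ref, user, exc)
        return {"ok": False, "message": f"Request could not be processed (ref {ref})."}
```

The user only ever sees the correlation id; the table name, column name and driver error stay in the server log.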
The majority of the World Wide Web runs on Linux and all its “flavors,” as well as Microsoft Windows Server and all its variations. The application development platform selected by the project manager, developer, and administrator will frequently force the choice of the server operating system. There are numerous essential facets of server operating systems that need to be taken into consideration when deciding on application development.

Figure 10.3. Shows a few of the most popular server operating systems such as Windows and Linux

The costs of the hosting and software can be a problem. Figure 10.3 shows a few of the most popular server operating systems, such as Windows and Linux. When choosing a server vendor, a whole slew of questions must be addressed, not the least of which is whether there is access to your own server and the hardware that will be running it. Routine upkeep of your host is also critical. Security upgrades are important to keep up with on your server platform, so inquire who is performing the software upgrades. Besides software, hardware maintenance is done to keep the machine operating for a longer and healthier life. Disk drives can fail and have to be replaced. Besides maintenance, there are lots of server monitoring programs that can warn you of issues with your host. These vary from checking disk space to high memory usage. In fact, if the system is in use and there’s unusually heavy network traffic, a number of the host monitors will raise an error. More specific monitors can reveal the information coming from any particular machine.

An alarm can be sent to the host administrators, or the device may take immediate corrective action to block the source that’s causing the warning. Among the best tactics to keep the operating system secured is to restrict physical access to the host to a few individuals. Most hosting facilities have a tracking log of every individual entering and departing.

• Windows
• Linux
• VMWare
• Microsoft Azure
• OpenVMS
• OS/390
• Solaris
• macOS

There is also a significant push for biometric access. Some server rooms use hand geometry while others use fingerprint technologies. Each biometric has its weaknesses and strengths, and the simple point is to assess what your vendor is using and determine if it is sufficient for your program. Using encryption, long, complicated passwords, and customized user IDs that track access as well as the upgrades every administrator makes provides a good audit trail. Knowing when programs are brought down and up and whether applications are installed are also central monitoring tasks that need to be done to ensure administrators are following the rules.

Selecting infrastructure hardware is essential. The physical safety of your systems is critical for keeping out unwanted hackers and users. With physical access, someone can pull power cords and network cables, plug in drives, reboot servers from a thumb drive, or steal the entire server. Many hosting companies have secure doors on server racks in addition to security measures to monitor and admit only authorized personnel to the computer room. Most data center facilities have 24-hour video surveillance too.
In Figure 10.4, cloud computing sophistication and accessibility points provide you with a glimpse of the targets on your system. Along with securing the host hardware, the network hardware also needs to be secured.

Figure 10.4. Cloud computing sophistication and accessibility points

A secured computer room or telephone closet is the most frequent approach to protect the network hardware. When an intruder has physical access to the system, they could install devices that capture the information being transmitted. Good physical security is merely the beginning. The next part of network security is actively managing the devices and allowing requests only from trusted devices. This can be accomplished through the use of programs and the physical Media Access Control (MAC) addresses in the network cards. Actively managed switches allow every port to be assigned to a MAC address, so when another device connects to the switch, it won’t be permitted entry to the computer system. Many businesses will have many network connections in a workplace. Each ought to be managed and only physically linked to the switch if it’s in use.

Creating a physical barrier in the system is about the safest way to stop unwanted interlopers. The next element is protecting the network from online intruders. Using network address translation (NAT) and suitable firewall configurations can restrict the dangers from external hackers. Additionally, it is possible to limit which portions of the world are allowed to reach your hosted solution. This becomes harder once you have users who travel and are expected to look at their e-mail or Internet systems, but it’s an alternative for the most security-conscious businesses. There are solutions you can buy for your firewall to block specific sites such as social websites. These kinds of providers can also be blocked. Many firewalls have blocks for X-rated material. Some will block stock trading and banking sites so that nobody has access to commercial websites from their network. Consequently, if somebody gains unauthorized access, they still won’t be able to access financial institutions.

Your customers could become infected with a virus that turns their computer into a robot for a different user. These BOTs can subsequently be used by hackers to monitor what you’re doing and let malicious code out from the internal system. The real key to protecting from the inside is to have good spyware and antivirus practices. Additionally, updating your operating system and application software with the latest patches is crucial. Moreover, this includes routers and switches, which many IT staff cannot patch at fixed intervals. A 6-month inspection of infrastructure ought to be done to create a report that confirms gear is up-to-date and functioning correctly. A new kind of virus was created and deployed across the Web in 2013. Often referred to as ransomware, the app would encrypt all your photos or all your files. A warning screen would appear and ask that you pay via bitcoin or another money transfer such as Western Union, or your documents would not be recoverable. Ransomware remained widespread until 2015 and will most likely be with us for a long time. It’s a challenging kind of virus to block since users have access to their documents and an increasing number of people are using encryption. The distinction is that the “keys” are in the user’s hands rather than the criminals’.

10.1. IMPROVEMENTS

There are just a few drawbacks to the cloud. Among the greatest is that you give up control over the physical hardware that’s running your operation. If you use Gmail from Google, then you’re already outsourcing your e-mail to the cloud and actually don’t have any idea where all your information is being stored. Additionally, with all the free providers, the provider is getting something, right? The provider gets to read and decode all your e-mails and images in order to market to you better. People are paying Google to run advertisements that target exactly what you would like and where you would like it. Another danger of the cloud is if the service provider goes bankrupt. Where does this leave you and your information? Make sure all your cloud information is backed up to another vendor’s service or your local backup drive. There are some good solutions that will make it possible for you to do so in several scenarios. The cloud is quite dynamic in regard to how it functions. Not only will companies have smaller IT departments, but they’ll also have less real onsite hardware. There is no requirement for a computer room except to manage the network and connect to the cloud. “For both small and midsize businesses, the ability to outsource IT applications and services not only gives the capability to reduce overall costs but can also reduce the barriers to entry for several processing-intensive activities, because it removes the requirement for upfront funding investment and the requirement of keeping dedicated infrastructure” (International Telecommunications Union 2009). The cloud allows for outsourcing local servers and workstations to more efficient virtual computers.

The cloud, being hosted in highest-security data centers, coupled with 256-bit encryption algorithms, is among, if not the most, protected alternatives for storing information. Nations such as China or India, unlike the United States, don’t have a vast IT infrastructure. The cloud could open new markets and alternatives to international users, allowing it to be valuable and innovative for people around the world. Cloud computing can decrease the cost of IT and also make quick expansion or contraction less painful. Also, it is going to interconnect people in a way never seen or imagined before.

10.2.  MULTILEVEL AUTHENTICATION

There are many forms of multilevel authentication an administrator may use to stop unwanted access to sensitive cloud information. At this time, there’s a big range of authentication criteria for getting into any cloud-based server. Some have images that go together with your password as another confirmation. You need to know both the text and the picture that’s associated with your account. A remedy for this problem is to employ multilevel authentication using three or more layers of complicated passwords. The second level of authentication is a group-level password.

For some programs, there’s a general password to enter a system; however, to make adjustments or overwrite current information another password is demanded. This sort of management-level authentication is observed in retail. A clerk may create a new transaction but isn’t able to clear a product or provide a refund without a supervisor-level password.
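The clerk/supervisor scheme above, as an added Python example that is not from the book; the user store, the password hashing (salted PBKDF2, an assumption since the text names no scheme), and the level numbers are constructed for this example:

```python
import hashlib
import hmac
import os


def _hash(password, salt):
    # Salted PBKDF2-HMAC-SHA256; an assumption for the example, not the book's choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password, level):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "level": level}


# Constructed user store. Level 1 = general system password, level 2 = supervisor.
USERS = {
    "clerk": make_user("clerk-pass-constructed", 1),
    "supervisor": make_user("super-pass-constructed", 2),
}


def check_password(username, password):
    """Constant-time verification; unknown users cost the same as a wrong password."""
    user = USERS.get(username)
    if user is None:
        _hash(password, b"\0" * 16)
        return False
    return hmac.compare_digest(_hash(password, user["salt"]), user["hash"])


class Register:
    """A till: level-1 login allows sales; a refund needs a level-2 override."""

    def __init__(self):
        self.session = None  # username after a successful level-1 login
        self.ledger = []     # audit trail of who did what, and who authorized it

    def login(self, username, password):
        if check_password(username, password):
            self.session = username
            return True
        return False

    def sale(self, amount):
        if self.session is None:
            raise PermissionError("login required")
        self.ledger.append(("sale", self.session, amount))

    def refund(self, amount, override_user, override_password):
        # Second level: the clerk stays logged in, but the refund is only recorded
        # when a supervisor-level credential is presented as well.
        if self.session is None:
            raise PermissionError("login required")
        if (not check_password(override_user, override_password)
                or USERS[override_user]["level"] < 2):
            raise PermissionError("supervisor password required for refunds")
        self.ledger.append(("refund", self.session, amount, override_user))
```

The ledger records both the clerk who acted and the supervisor who authorized the override, which is the audit trail the chapter asks for.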

10.3. ENCRYPTION

When a user uses one machine to access the cloud, the keys for end-to-end encryption can be stored by an application on that device. With users able to access the cloud on multiple devices such as smartphones and tablets, it may be difficult to share these keys safely between devices. AES-256 is suggested for end-to-end encryption. Encryption keys must be controlled and preserved by the end user. The domain manager (DM) handles the domain, preventing access by unregistered users before they get into the computer system. The client side will encrypt the data and send it to the domain, eliminating the direct connection from users in the cloud to the domain. This may be referred to as border security, and there are lots of vendors to help protect your IT assets. Check Point Software Technologies Ltd. is a large vendor that addresses the challenges of system security through firewalls and threat prevention software.

10.4.  PASSWORD ADMINISTRATION

There are various ways a user may use password management to their benefit in the cloud. These programs also provide robust encryption algorithms that can encrypt with keys of up to 256 bits. The great thing about the cloud is the capability to recover passwords remotely from anywhere on the planet. Password management applications can have drawbacks, though. The remedy for this is to host the password managers in the cloud using the same online encryption criteria. The secret is to have a good password and thwart any burglar at the door. Another choice is to use changing tokens, which combine a partial password from the user with a random number generated on the token. The token is usually the size of a tiny USB drive. Along with the physical token, vendors also offer a software token that can run on your smartphone. The benefit is you don’t have to carry an extra device around.

10.5.  DISTRIBUTED SERVERS

Over time, large web service providers such as Google, Microsoft, and
Amazon have moved from dispersed server facilities to enormous, sprawling
data centers. The appeal of cloud-hosted data centers has allowed
businesses and ordinary users alike to save time and money. Distributed
cloud servers allow remote access to information from anywhere in the
world over an Internet connection. Whether the hosting business is large
or small, the security needs of your company ought to be met.

One important consideration when choosing a hosting firm is whether you
will be sharing resources with other sites, obtaining a virtual server on
a physical machine, or obtaining a whole server for your applications.
From a security standpoint, having your own hardware is most likely the
safest. Unfortunately, most firms do not wish to spend $500 or more for a
dedicated server. A virtual machine can provide you excellent security
while still maintaining excellent cost control. For a public-facing site
with static information or links to your social media, a shared host
running WordPress ought to be safe enough.
Many systems demand only a simple user-chosen password to gain access,
while others are somewhat more robust. Consider the demands of your
application, what laws on data breaches may apply to you, and attempt to
mitigate your risk through proper security methods. SNMP, encryption,
antivirus, and strong passwords are required to monitor and protect
almost any cloud system from attack efficiently. Individual negligence of
security is arguably the most significant contributor to both network and
cloud intrusion. Poor password choice, stolen laptops, sharing the same
password among different sites, and leaving computers unlocked for
convenience are all top dangers.
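Two of the dangers listed above, weak passwords and the same password shared across sites, are easy to audit from a password manager export without ever writing the passwords into a report. The following is an added example, not code from the book: it reads a constructed JSON export (sites, users and passwords are invented), fingerprints each password with a keyed hash so the report cannot be reversed without the key, and flags reuse and passwords below a length threshold.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed sample export from a hypothetical password manager.
# Every site, user and password here is invented for this example.
SAMPLE_VAULT = """[
  {"site": "mail.example.com",  "user": "alice", "password": "Winter2019!"},
  {"site": "shop.example.net",  "user": "alice", "password": "Winter2019!"},
  {"site": "bank.example.org",  "user": "alice", "password": "c7&Qz9#pLm2v!RwE"},
  {"site": "forum.example.com", "user": "alice", "password": "alice123"}
]"""

MIN_LENGTH = 12   # assumption: policy threshold chosen for the example


def fingerprint(password: str, key: bytes) -> str:
    """Keyed SHA-256 (HMAC) of the password, truncated. Equal passwords give
    equal fingerprints, so reuse is detectable, but a leaked report cannot
    be brute-forced offline without the audit key."""
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()[:16]


def audit_vault(export_json: str, key: bytes) -> dict:
    """Return which sites share a password and which passwords are too short.
    The returned structure contains fingerprints and site names only."""
    entries = json.loads(export_json)
    sites_by_fp = defaultdict(list)
    short = []
    for entry in entries:
        pw = entry["password"]
        sites_by_fp[fingerprint(pw, key)].append(entry["site"])
        if len(pw) < MIN_LENGTH:
            short.append(entry["site"])
    reused = {fp: sites for fp, sites in sites_by_fp.items() if len(sites) > 1}
    return {"total": len(entries), "reused": reused, "short": short}


def format_report(report: dict) -> list:
    """Human-readable findings, one line per issue (no secrets included)."""
    lines = [f"{report['total']} entries audited"]
    for fp, sites in report["reused"].items():
        lines.append(f"password {fp} reused on: {', '.join(sites)}")
    for site in report["short"]:
        lines.append(f"password shorter than {MIN_LENGTH} characters: {site}")
    return lines


if __name__ == "__main__":
    # The audit key is a constructed value; generate a random one per audit run
    for line in format_report(audit_vault(SAMPLE_VAULT, b"constructed-audit-key")):
        print(line)
```

Run against a real export, the audit key should be generated fresh and discarded afterwards, so the report keeps its value for the people remediating reuse while the fingerprints in it stay useless to anyone else.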

Index

A
Addressing legal compliance, 89
    amendments to the contract, 93–94
    data location and transfers of data, 94–95
    data subjects' rights (intervenability), 96
    exiting cloud service contract, 96
    jurisdiction and applicable law, 91–93
    lock-in and interoperability, 96
    major issues in entering a cloud service contract, 91
    outsourcing cloud services, 90–91
    precontractual phase, 89–90
    privacy roles, 93
    processing of personal data by subcontractors, 95
    risks and opportunities for your cloud service client, 90
    service-level agreements, 96–97
    termination of contract, 97–99
AES-256, 46
Aleatory, 13–14
Amazon, 46
Application programming interface (API), 76
Article 29 Working Party Opinion 5/2012, 98–99
Asia Cloud Computing Association, 85
Asset, 12

B
Biometric, 42
BOTs, 44
Broad network accessibility, 64
BYOT, 37

C
CERT (Computer Emergency Response Team), 60
Check Point Software Technologies Ltd., 46
Chief information officer (CIO), 6
Chrome, 38
Ciphertext, 83
Cloud computing
    public, service, 1
    security
        categories, 102–103
        future directions in, 101–102
        risks not particular to, 55–57
Cloud embraced hazard assessment model (CARAM), 13, 21–22
Cloud hosting support providers (CSPs), 11
Cloud key management
    challenges, 82–83
    strategies, 83–84
Cloud managing, risk in, 25–36
Cloud security
    access control
        distributed servers, 46–47
        encryption, 46
        improvements, 44–45
        multilevel authentication, 45
        overview, 37–44
        password administration, 46
    risk management, 49
        definitions of risk, 52–55
        indirect measurements and metrics, 51–52
        risk and cloud, 55–67
        risk in cloud, 49–51
Cloud Security Alliance (CSA), 13, 88
Cloud service
    client, risks and opportunities for, 90
    contract, major issues in entering, 91
    kind, 81
    outsourcing, 90–91
Cloud shipping model, 81
Cloud SLA, 62
Cloud Tracking Service, 64
CloudWATCH, 88
CNIL's methodology, 18–19
Common threat and trust version (JRTM), 13
Consensus assessment initiative questionnaire (CAIQ), 16–17
Contract
    amendments to, 93–94
    termination of, 97–99
Contractual obligations, 51
Crypto module, establish trust in, 83–84
Cryptographic key management
    cloud key management
        challenges, 82–83
        strategies, 83–84
    for data protection, 77–79
    key management system design choices, 80–82
CUMULUS, 66

D
Data protection
    cryptographic key management for. See Cryptographic key management
    managing legal compliance risk and personal, 85–87
        addressing legal compliance, 89–99
        digital agenda for Europe 2015, 87–89
Data Protection Directive 95/46/EC, 91, 96
Data security risks, 51
Data structure shops, 74
Data subject, 12
Data systems risk management, 26
Databases, 75
Digital agenda for Europe 2015, 87–89
Digital Agenda's e-commerce Directive, 86–87
Dimension Data, 63
Distributed denial of service (DDoS), 58
Distributed servers, 46–47
Document-oriented databases, 74
Domain manager (DM), 46
Dreaded event, 18

E
800-144 Guidelines on Practice and Security in Public Cloud Computing, 58
E-privacy Directive 2002/58/EC, 92
Encryption, 46, 83
European Cloud Partnership, 87
European Data Protection Regulation, 87, 90
European Union Agency for Network and Information Security (ENISA), 57
Event, 12
Event tree analysis, 14

F
Fault tree analysis, 14
Federal Information Processing, 32
Firefox, 38
FSI Regulations Impacting Cloud in Asia-Pacific Markets, 85

G
Google, 44, 46
Graph databases, 75

H
Hardware versus software cryptography, 82
Hazard, definition of, 52
Higher level languages, 39

I
Incident, 12
Infrastructure as a service (IaaS)
    considerations, 71–72
    control, 75–76
    databases, 75
    network, 73
    security implications, 73
    storage, 74–75
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), 53
Internet, 1
Internet browsers, 38
Internet service providers (ISPs), 1

J
Java, 39
JRTM, 21–22

K
Key management system design choices, 80–82
Key splitting techniques, 84
Key-value databases, 75
Knowledge Management Plan (KMP), 80
Knowledge Management Practices Statement (KMPS), 80

L
Lawmakers, recommendations for, 85–86
Linux, 41
Lock-in and interoperability, 96

M
Media Access Control (MAC) addresses, 43
Microsoft, 46, 61
Microsoft Windows, 41
Multilevel authentication, 45
Multitenancy, 67, 82
Mutual auditability, 59

N
National Institute of Standards and Technology (NIST), 53
Netflix, 37
Network address translation (NAT), 43
NIST SP 800-37 Rev. 1, 27, 28

O
OECD, 88
On-demand adaptive provision, 67
On-demand self-evident, 63
Open Environment Corporation, 40
Open Group, 54–55

P
Password administration, 46
PLA V2, 97–98
Precontractual phase, 89–90
Privileged customers, multiple layers of, 82
Programming languages, 39
Public cloud computing service, 1

Q
QUIRC, 53

R
Ransomware, 44
Reflexive algorithm, 6
Relative risk, 14
Reliability trust, 21
Remote users, authentication of, 82
Renewal, 79
Resource pooling, 64
Revocation, 79
Risk and cloud
    cloud-specific hazards, 57–61
    safety SLA for cloud services, 61–67
    security risks not particular to cloud computing, 55–57
Risk and trust assessment, 11–22
Risk avoidance, 15
Risk-based method of handling data systems, 27
Risk evaluation, 15
Risk management, 15, 25
    framework, 34–35
Risk management frame (RMF), 26, 28
RMF4CE, 29
Ruby, 39

S
Safety incident, 12
Safety SLA, 62
SDLC (System Development Life Cycle) procedures, 27
Secure cloud architecture, 1–3
    governance and comprehensive risk analysis, 4–10
Security, Trust & Assurance Registry (STAR) database, 17
Service level agreements (SLAs), 1, 49, 59, 88, 96–97
    for cloud services, 61–67
Simple Network Management Protocol (SNMP), 38
Social networks, 75
Solitude incident, 13
Storage, 74–75
Subcontractors, processing of personal data by, 95
Support arrangement (SA), 33

T
Three-tier structure, 40–41

U
Uncertainty, 51–52
US Federal Government, 85
User-facing front-end program, 75

V
Von Neumann and Morgenstern's Model of Expected Utility, 52
Vulnerability, 12, 66

W
WordPress, 47
World Wide Web, 41

FORTHCOMING TITLES FROM OUR COMPUTER
ENGINEERING FOUNDATIONS, CURRENTS, AND
TRAJECTORIES COLLECTION
Lisa McLean, Editor
• Data Security in Cloud Computing, Volume I by Giulio D’Agostino
• Advanced Selenium Web Accessibility Testing: Software Automation Testing Secrets
Revealed by Narayanan Palani

Momentum Press is one of the leading book publishers in the field of engineering,
mathematics, health, and applied sciences. Momentum Press offers over 30 collections,
including Aerospace, Biomedical, Civil, Environmental, Nanomaterials, Geotechnical,
and many others.

Momentum Press is actively seeking collection editors as well as authors. For more
information about becoming an MP author or collection editor, please visit
http://www.momentumpress.net/contact

Announcing Digital Content Crafted by Librarians

Concise e-books business students need for classroom and research

Momentum Press offers digital content as authoritative treatments of advanced engineering
topics by leaders in their field. Hosted on ebrary, MP provides practitioners, researchers,
faculty, and students in engineering, science, and industry with innovative electronic content
in sensors and controls engineering, advanced energy engineering, manufacturing, and
materials science.

Momentum Press offers library-friendly terms:

• perpetual access for a one-time fee
• no subscriptions or access fees required
• unlimited concurrent usage permitted
• downloadable PDFs provided
• free MARC records included
• free trials

The Momentum Press digital library is very affordable, with no obligation to buy in future years.

For more information, please visit www.momentumpress.net/library or to set up a trial in the
US, please contact [email protected].
