Yeluri, Raghuram.

Building the Infrastructure for Cloud Security : A Solutions View. - 1 online resource (240 pages)

Intro -- Contents at a Glance -- Contents -- About the Authors -- About the Technical Reviewers -- Acknowledgments -- Foreword -- Introduction -- Chapter 1: Cloud Computing Basics -- Defining the Cloud -- The Cloud's Essential Characteristics -- The Cloud Service Models -- The Cloud Deployment Models -- The Cloud Value Proposition -- Historical Context -- Traditional Three-Tier Architecture -- Software Evolution: From Stovepipes to Service Networks -- The Cloud as the New Way of Doing IT -- Security as a Service -- New Enterprise Security Boundaries -- A Roadmap for Security in the Cloud -- Summary -- Chapter 2: The Trusted Cloud: Addressing Security and Compliance -- Security Considerations for the Cloud -- Cloud Security, Trust, and Assurance -- Trends Affecting Data Center Security -- Security and Compliance Challenges -- Trusted Clouds -- Trusted Computing Infrastructure -- Trusted Cloud Usage Models -- The Boot Integrity Usage Model -- Understanding the Value of Platform Boot Integrity -- The Trusted Virtual Machine Launch Usage Model -- The Data Protection Usage Model -- The Run-time Integrity and Attestation Usage Model -- Trusted Cloud Value Proposition for Cloud Tenants -- The Advantages of Cloud Services on a Trusted Computing Chain -- Summary -- Chapter 3: Platform Boot Integrity: Foundation for Trusted Compute Pools -- The Building blocks for Trusted Clouds -- Platform Boot Integrity -- Roots of Trust -RTM, RTR, and RTS in the Intel TXT Platform -- Measured Boot Process -- Attestation -- Trusted Compute Pools -- TCP Principles of Operation -- Pool Creation -- Workload Placement -- Workload Migration -- Compliance Reporting for a Workload/Cloud Service -- Solution Reference Architecture for the TCP -- Hardware Layer -- Operating System / Hypervisor Layer -- Virtualization/Cloud Management and Verification/Attestation Layer. Security Management Layer -- VM/Workload Policy Management -- GRC Tools-Compliance in the Cloud -- Reference Implementation: The Taiwan Stock Exchange Case Study -- Solution Architecture for TWSE -- Trusted Compute Pool Use Case Instantiation -- Remote Attestation with HyTrust -- Use Case Example: Creating Trusted Compute Pools and Workload Migration -- Integrated and Extended Security and Platform Trust with McAfee ePO -- Summary -- Chapter 4: Attestation: Proving Trustability -- Attestation -- Integrity Measurement Architecture -- Policy Reduced Integrity Measurement Architecture -- Semantic Remote Attestation -- The Attestation Process -- Remote Attestation Protocol -- Flow for Integrity Measurement -- A First Commercial Attestation Implementation: The Intel Trust Attestation Platform -- Mt. Wilson Platform -- Mt. Wilson Architecture -- The Mt. Wilson Attestation Process -- Attestation Identity Key Provisioning -- Host Registration and Attestation Identity Key Certificate Provisioning -- Requesting Platform Trust -- Security of Mt. Wilson -- Mt. Wilson Trust, Whitelisting, and Management APIs -- Mt. Wilson APIs -- The API Request Specification -- API Response -- Mt. Wilson API Usage -- Deploying Mt. Wilson -- Mt. Wilson Programming Examples -- API Client Registration Process -- Whitelisting and Host Registration -- Verify Trust: Trust Attestation -- Summary -- Chapter 5: Boundary Control in the Cloud: Geo-Tagging and Asset Tagging -- Geolocation -- Geo-fencing -- Asset Tagging -- Trusted Compute Pools Usage with Geo-Tagging -- Stage 1: Platform Attestation and Safe Hypervisor Launch -- Stage 2: Trust-Based Secure Migration -- Stage 3: Trust- and Geolocation-Based Secure Migration -- Adding Geo-Tagging to the Trusted Compute Pools Solution -- Hardware Layer (Servers) -- Hypervisor and Operating System Layer. Virtualization, Cloud Management, and the Verification and Attestation Layer -- Security Management Layer -- Provisioning and Lifecycle Management for Geo-Tags -- Geo-Tag Workflow and Lifecycle -- Tag Creation -- Tag Whitelisting -- Tag Provisioning -- Tag selection -- Tag deployment -- Validation and Invalidation of Asset Tags and Geo-Tags -- Attestation of Geo-Tags -- Architecture for Geo-Tag Provisioning -- Tag Provisioning Service -- Tag Provisioning Agent -- Tag Management Service and Management Tool -- Attestation Service -- Geo-Tag Provisioning Process -- Push Model -- Pull Model -- Reference Implementation -- Step 1 -- Step 2 -- Step 3 -- Step 4 -- Summary -- Chapter 6: Network Security in the Cloud -- The Cloud Network -- Network Security Components -- Load Balancers -- Intrusion Detection Devices -- Application Delivery Controllers -- End-to-End Security in a Cloud -- Network security: End-to-End security: Firewalls -- Network security: End-to-End security: VLANs -- End-to-End Security for Site-to-Site VPN s -- Network security:End-to-End security: Hypervisors and Virtual Machines -- Hypervisor Security -- Virtual Machine Guest Security -- Software-Defined Security in the Cloud -- OpenStack -- OpenStack Network Security -- Network Security Capabilities and Examples -- Summary -- Chapter 7: Identity Management and Control for Clouds -- Identity Challenges -- Identity Usages -- Identity Modification -- Identity Revocation -- Identity Management System Requirements -- Basic User Control Properties -- Key Requirements for an Identity Management Solution -- Accountability -- Notification -- Anonymity -- Data Minimization -- Attribute Security -- Attribute Privacy -- Identity Representations and Case Studies -- PKI Certificates -- Security and Privacy Discussion -- Limitations -- Identity Federation -- Single Sign-On. Intel Identity Technologies -- Hardware Support -- Virtualization Technology (VT) -- Intel Identity Protection Technology (IPT) -- Intel Security Engine -- Cloud Identity Solutions -- Summary -- Chapter 8: Trusted Virtual Machines: Ensuring the Integrity of Virtual Machines in the Cloud -- Requirements for Trusted Virtual Machines -- Virtual Machine Images -- The Open Virtualization Format (OVF) -- A Conceptual Architecture for Trusted Virtual Machines -- Mystery Hill (MH) Client -- Mystery Hill Key Management and Policy Server (KMS) -- Mystery Hill Plug-in -- Trust Attestation Server -- Workflows for Trusted Virtual Machines -- Deploying Trusted Virtual Machines with OpenStack -- Summary -- Chapter 9: A Reference Design for Secure Cloud Bursting -- Cloud Bursting Usage Models -- An Explanation of Cloud Bursting -- Architectural Considerations for Cloud Bursting -- Data Center Deployment Models -- Trusted Hybrid Clouds -- Cloud Bursting Reference Architecture -- Secure Environment Built Around Best Practices -- Cloud Management -- Cloud Identity and Access Management -- Separation of Cloud Resources, Traffic, and Data -- Vulnerability and Patch Management -- Compliance -- Network Topology and Considerations -- Security Design Considerations -- Hypervisor Hardening -- Firewalls and Network separation -- Management Network Firewalling -- Virtual Networking -- Anti-Virus Software -- Cloud Management Security -- Security Controls -- Governance, Risk, and Compliance (GRC) -- Practical Considerations for Virtual Machine Migration -- Summary -- Index.

9781430261469


Electronic books.

QA75.5-76.95