Edition:
Authors: Ryan Ko, Raymond Choo
Series:
ISBN: 9780128015957, 0128015950
Publisher: Syngress
Year of publication: 2015
Number of pages: 571
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on user request)
File size: 4 MB
Drawing upon the expertise of world-renowned researchers and experts, The Cloud Security Ecosystem comprehensively discusses a range of cloud security topics from multi-disciplinary and international perspectives, aligning technical security implementations with the most recent developments in business, legal, and international environments. The book holistically discusses key research and policy advances in cloud security, putting technical and management issues together with an in-depth treatise on a multi-disciplinary and international subject. The book features contributions from key thought leaders and top researchers in the technical, legal, and business and management aspects of cloud security. The authors present the leading edge of cloud security research, covering the relationships between differing disciplines and discussing implementation and legal challenges in planning, executing, and using cloud security.
Front Cover; The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues; Copyright; Dedication; Contents; Contributors; Foreword; Preface; How to Read This Book; About the Authors; List of Reviewers; Acknowledgments

Chapter 1: Cloud security ecosystem
1. How It All Started—The Story of an Online Bookstore 2. Consolidation of Terminologies and Perspectives 2.1. Perspective 1: Essential Characteristics 2.2. Perspective 2: Layers and Scope 3. The Achilles' Heel—Depending on a Trust Relationship 3.1. Case Study 1: Breach of Trust by a Public Cloud System Administrator 3.2. Case Study 2: Liability of a Liquidated Cloud Business 3.3. Gatekeepers—Governments Versus Technology Creators 4. Top Threats and Vulnerabilities of Cloud Security 4.1. Cloud Security Alliance's Top Threats to Cloud Computing Research 4.2. Statistics of Common Vulnerabilities Faced by Cloud Service Providers 5. Managing Cloud Security Risks with the Deming Cycle 6. Plan—Threats, Risk, and Requirements Landscape 7. Do—Cloud Security Approaches and Challenges 8. Check—Forensics and Incident Response 9. Act—Governance and Auditing 10. Summary References

Part 1: Plan: Threats, risk, and requirements landscape

Chapter 2: Cybercrime in cloud: Risks and responses in Hong Kong, Singapore
1. Introduction 1.1. Definition of Cloud Computing 1.2. Growth in Cloud Computing: Hong Kong and Singapore 2. Key factors shaping "Response": Hong Kong, Singapore 2.1. Hong Kong 2.1.1. Economy 2.1.2. Cultural factors 2.1.3. Political structure 2.1.4. Criminal justice and legal systems 2.2. Singapore 2.2.1. Economy 2.2.2. Cultural factors 2.2.3. Political structure 2.2.4. Criminal justice and legal systems 3. Discussion References

Chapter 3: CATRA: Conceptual cloud attack taxonomy and risk assessment framework
1. Introduction 2. Taxonomies: A literature survey 2.1. Taxonomy Characteristics 2.2. Attack Taxonomy Classifiers 2.3. Attack Taxonomies 2.3.1. Cyber attack taxonomies 2.3.2. Countermeasures taxonomies 2.3.3. Network attack and countermeasure tools taxonomy 2.3.4. Distributed denial of service taxonomies 2.3.5. Protocol vulnerability taxonomies 2.3.6. Botnets and malware taxonomies 2.3.7. Web service attacks 2.3.8. Cloud security and attack taxonomies 2.4. Literature Gaps 3. Cloud attacks literature review 3.1. Vulnerabilities and Threat Vectors 3.1.1. People, process, and physical vulnerabilities 3.1.2. Technical vulnerabilities and vectors 3.1.2.1. Distributed denial of service 3.1.2.2. Cross-VM attacks 3.1.2.3. The malware vector and virtualization vulnerabilities 3.1.2.4. Phishing 3.1.2.5. Web services 3.1.2.6. Browser 3.1.2.7. Management console 3.1.2.8. Cryptography 3.1.2.9. Network protocols 3.1.2.10. Expanded network attack surface 3.2. Threat Actors 3.2.1. Financially motivated 3.2.2. Ideologically motivated 3.2.3. State and corporate backed 3.2.4. Insiders 3.2.5. Script kiddies 3.3. Countermeasures 3.3.1. Responsibility 3.3.2. Prevention 3.3.2.1. People, process, and physical vulnerabilities 3.3.2.2. Cross-VM attacks 3.3.2.3. Web services and applications 3.3.2.4. Management console 3.3.2.5. Cryptography and network protocols 3.3.3. Detection 3.3.3.1. Cloud intrusion detection systems 3.3.3.2. HVM malware 3.3.3.3. Phishing 3.3.4. Containment, recovery, and restoration 3.3.4.1. DDoS defense mechanisms 3.3.4.2. Backups 3.3.4.3. Utilizing virtualization 3.3.4.4. Expanded network attack surface 3.4. Cloud Attack Targets 3.5. Impact of Cloud Attacks 3.6. Literature Gaps 4. Conceptual cloud attack taxonomy and risk assessment framework 4.1. Source Dimension 4.2. Vector Dimension 4.3. Vulnerability Dimension 4.4. Target Dimension 4.5. Impact Dimension 4.6. Defense Dimension 5. Example scenario: extortion by DDoS and account hijacking 5.1. Parameters 5.2. Risk Assessment Method 5.3. Analysis 5.3.1. Source 5.3.2. Vectors 5.3.3. Vulnerabilities 5.3.4. Defenses 5.3.5. Targets 5.3.6. Impacts 5.3.7. Risk rating 5.4. Limitations 6. Conclusion and future work References

Chapter 4: Multitiered cloud security model
1. Introduction 2. The Problem 3. Holistic approach 3.1. Awareness 3.2. Classification 3.3. Technology 3.4. Policy and Regulation 3.5. Certification 3.6. Standards 4. Why Develop Cloud Security Standards and Guidelines 5. Related Work 6. Design considerations of multitiered cloud security 7. Benefits to Stakeholders 8. MTCS standards 9. Self-Disclosure 10. Certification Scheme 11. Status 12. Deployment 13. Harmonization 14. Future Work 15. Conclusion Acknowledgements References

Part 2: Do: Cloud security approaches and challenges

Chapter 5: A guide to homomorphic encryption
1. Introduction 2. Current industry work-arounds and their gaps 3. History and Related Work 4. Overview of partial homomorphic encryption schemes 4.1. Public Key Encryption 4.2. El Gamal 4.3. Paillier Cryptosystem 5. Fully homomorphic encryption 5.1. Lattices 5.2. Lattice Problems 5.3. Learning With Errors 5.4. Approximate Eigenvector Algorithm Key Generation 5.4.1. Encryption and Decryption Proof for Homomorphic Addition and Multiplication Example 6. Homomorphic Encryption in the Cloud 7. Future of Homomorphic Encryption and Open Issues 8. Alternatives to homomorphic encryption 9. Summary References

Chapter 6: Protection through isolation: Virtues and pitfalls
1. Introduction 2. Hypervisors 2.1. General Architectures 2.2. Practical Realization 3. Shared networking architecture 3.1. Packet Scheduling 3.2. Traffic Shaping 4. Isolation-based attack surface 5. Inventory of known attacks 6. Protection strategies 7. Conclusion References

Chapter 7: Protecting digital identity in the cloud
1. Introduction 2. The rise of digital identity 2.1. Composition and Functions of Digital Identity 3. The rise of cloud computing 3.1. The Impact of Cloud Computing and Cross-Border Data 4. Protecting digital identity in the era of cloud computing 5. Conclusion

Chapter 8: Provenance for cloud data accountability
1. Introduction 1.1. Background 1.2. Provenance Reconstruction 2. Related Work 3. Data Provenance Model for Data Accountability 3.1. A Case for Provenance 3.2. Elements of the Data Provenance Model 3.2.1. Artifact 3.2.2. Entity 3.2.3. Actions 3.2.4. Context 3.2.5. Time 3.3. Rules for Data Provenance Model 4. Reconstructing the Data Provenance 5. Challenges 6. Future Work and Concluding Remarks References

Chapter 9: Security as a service (SecaaS)—An overview
1. Introduction 1.1. History Repeating Itself 1.2. The Growth of Cloud Computing Services 1.3. Defining Security as a Service 1.4. Motivation for This Chapter 2. Background 2.1. Security as a Service 2.2. Outsourcing Model 3. Traditional Security 3.1. On-Premise 3.2. Managed Security Services 4. SecaaS Categories of Service 4.1. System Security 4.2. Network Security 4.2.1. Service scanning 4.2.2. Intrusion detection 4.2.3. Real-time configuration and alerts 4.3. Web Security 4.3.1. Reduce cost and complexity 4.3.2. Provide real-time protection 4.3.3. Web filtering 4.3.4. Granular Web application controls 4.4. Data Security 5. Gaps Identified After SecaaS Classification 5.1. Gaps in SecaaS Web Technologies 5.2. Lack Of True Risk Evaluation 5.3. Lack of a Data-centric Approach 5.4. No Real Classification for Mapping Legitimate Communicating Services 6. Future Work 7. Concluding Remarks References

Chapter 10: Secure migration to the cloud-In and out
1. Introduction 2. Who Are Cloud Consumer and CSP? 3. IT-Service of a small lawyer office migrates into the cloud 4. Requirements for cloud migration 4.1. Security Policy 4.2. Policy Development 4.3. Security and Privacy 4.4. Detecting and Preventing Sensitive Data Migration to the Cloud 4.5. Protecting Data Moving to the Cloud 4.6. Protecting Data in the Cloud 4.7. IT-Knowledge 4.8. Control and Visibility 4.9. Costs 4.10. Interoperability and Portability 4.11. Performance 5. Rollback Scenarios 5.1. Vendor Lock-In 6. Legal aspects 7. Challenges in cloud migration 7.1. Latency 7.2. Security 7.3. Interoperability 7.4. Internet Speed 7.5. Cloud Integration 8. Migration phases 8.1. Planning 8.2. Contracts 8.3. Migration 8.4. Operation 8.5. Termination 9. Auditing 10. Summary References

Chapter 11: Keeping users empowered in a cloudy Internet of Things
1. Introduction 2. Problem Space Assumptions 2.1. Physical Limitations of Smart Objects 2.2. Security Objectives 2.3. Authentication-Related Tasks 2.4. Authorization-Related Tasks 2.5. Implications of Device Constraints for Authenticated Authorization 3. Delegated Authenticated Authorization 3.1. Constrained Level 3.2. Principal Level 3.3. Less-Constrained Level 3.4. Authorization to Authorize: Choosing the Authorization Managers 3.4.1. Estimating the amount of control 3.4.2. Delegated key management 3.4.3. Implementation 4. Usage Example 5. Conclusion References

Chapter 12: Cloud as infrastructure for managing complex scalable business networks, privacy perspective
1. Introduction 2. Knowledge management 2.1. Definitions and Concepts 2.2. Social Networks in Business Environment 2.3. Technology as KM Enabler 2.4. Security and Privacy in KM Context 3. Cloud computing overview 3.1. Cloud Computing Concepts 3.2. Knowledge as a Service 3.3. Privacy and Security Issue in Cloud Computing 4. Strategies toward successful KM system 4.1. Modeling Knowledge Organizations and Groups 4.2. Modeling Knowledge Activities and Allocations 5. Modeling scalability and privacy 6. Concluding summary References

Chapter 13: Psychology and security: Utilizing psychological and communication theories to promote safer cloud security b...
1. Introduction 2. Communication Theories 2.1. CPM Theory 2.2. Hyperpersonal Communication 3. Cognitive psychology 4. Other relevant theories 4.1. Learning Theories 4.2. Protection Motivation Theory 5. Overcoming Inhibitions to Safer Security Behaviors 6. Conclusion Suggested Further Readings References

Part 3: Check: Forensics and incident response

Chapter 14: Conceptual evidence collection and analysis methodology for Android devices
1. Introduction 2. Related Work 2.1. Background 2.2. Existing Literature 3. An Evidence Collection and Analysis Methodology for Android Devices 3.1. Identify Device and Preserve Evidence 3.2. Collect Evidence 3.2.1. Setup bootloader for live OS 3.2.2. Boot the live OS in memory 3.2.3. Collect the physical image of the device partitions 3.3. Examination and Analysis 3.3.1. Examine app files in private storage 3.3.2. Examine app files on external storage 3.3.3. Examine app databases 3.3.4. Examine and analyze accounts data 3.3.5. Analyze apps 3.4. Reporting and Presentation 4. Conclusion References

Chapter 15: Mobile cloud forensics: An analysis of seven popular Android apps
1. Introduction 2. Android cloud apps 2.1. Dropbox 2.1.1. Examine app files in private storage (Dropbox) 2.1.2. Examine app files on external storage (Dropbox) 2.1.3. Examine app databases (Dropbox) 2.1.4. Examine and analyze accounts data (Dropbox) 2.2. Box 2.2.1. Examine app files in private storage (Box) 2.2.2. Examine app files on external storage (Box) 2.2.3. Examine app databases (Box) 2.2.4. Examine and analyze accounts data (Box) 2.3. OneDrive 2.3.1. Examine app files in private storage (OneDrive) 2.3.2. Examine app files on external storage (OneDrive) 2.3.3. Examine app databases (OneDrive) 2.3.4. Examine and analyze accounts data (OneDrive) 2.4. ownCloud 2.4.1. Examine app files in private storage (ownCloud) 2.4.2. Examine app files on external storage (ownCloud) 2.4.3. Examine app databases (ownCloud) 2.4.4. Examine and analyze accounts data (ownCloud) 2.5. Evernote 2.5.1. Examine app files in private storage (Evernote) 2.5.2. Examine app files on external storage (Evernote) 2.5.3. Examine app databases (Evernote) 2.5.4. Examine and analyze accounts data (Evernote) 2.6. OneNote 2.6.1. Examine app files in private storage (OneNote) 2.6.2. Examine app files on external storage (OneNote) 2.6.3. Examine app databases (OneNote) 2.6.4. Examine and analyze accounts data (OneNote) 2.7. Universal Password Manager 2.7.1. Examine app files in private storage (UPM) 2.7.2. Examine app files on external storage (UPM) 2.7.3. Examine app databases (UPM) 2.7.4. Examine and analyze accounts data (UPM) 2.8. Further App Analysis 2.8.1. Dropbox analysis 2.8.2. Box analysis 2.8.3. OneDrive analysis 2.8.4. ownCloud analysis 2.8.5. Evernote analysis 2.8.6. OneNote analysis 2.8.7. Universal password manager analysis 2.9. Our Research Environment 2.9.1. Nexus 4 2.9.2. Android VM 2.9.3. Samsung Galaxy S3 3. Conclusion References

Chapter 16: Recovering residual forensic data from smartphone interactions with cloud storage providers
1. Introduction 2. Related work 3. Experiment design 4. Findings 4.1. Detailed Dropbox Findings 4.1.1. Android applications 4.1.2. iOS application 4.2. Detailed Box Findings 4.2.1. Android applications 4.2.2. iOS application 4.3. Detailed SugarSync Findings 4.3.1. Android applications 4.3.2. iOS application 4.4. Detailed Syncplicity Findings 4.4.1. Android applications 4.4.2. iOS application 5. Discussion 6. Conclusions and Future Work Appendix A. Metadata artifacts recovered dropbox service Appendix B. Metadata Artifacts Recovered Box Service Appendix C. Metadata Artifacts Recovered Syncplicity Service References

Chapter 17: Integrating digital forensic practices in cloud incident handling: A conceptual Cloud Incident Handling Model
1. Introduction 2. Background 2.1. Cloud Computing Infrastructure 2.2. Incident Handling in Cloud Computing 2.3. Related Work 3. Cloud Incident Handling Model: A Snapshot 4. Case Study Simulation: ownCloud 4.1. Preparation and Forensic Readiness 4.2. Identification 4.3. Assessment, Forensic Collection, and Analysis 4.4. Action and Monitoring 4.5. Recovery 4.6. Evaluation and Forensic Presentation 5. Concluding Remarks References

Chapter 18: Cloud security and forensic readiness: The current state of an IaaS provider
1. Introduction 2. Review of the private IaaS provider 2.1. Overview of the Case Study Organization 2.2. Security Analysis Methodology 2.2.1. Establishment of a security policy 2.2.2. Organization of information security 2.2.3. Asset management 2.2.4. Human resources security management 2.2.5. Physical and environmental security 2.2.6. Communications and operations management Establish operational procedures and responsibilities Third-party service delivery management Malicious/mobile code Backup Network security management Media handling Information exchange Electronic commerce services Monitoring 2.2.7. Access control 2.2.8. Information systems acquisition, development, and maintenance 2.2.9. Information security incident management 2.2.10. Business continuity management 2.2.11. Compliance management 2.2.12. Summary of observations 2.3. Cloud Vulnerabilities and Threat Assessment 2.3.1. Data breaches 2.3.2. Data loss 2.3.3. Account or service hijacking 2.3.4. Insecure interfaces and APIs 2.3.5. Denial-of-service 2.3.6. Malicious insiders 2.3.7. Abuse of cloud computing 2.3.8. Insufficient due diligence 2.3.9. Shared technology issues 2.3.10. Summary of observations 2.4. Digital Forensic Readiness Assessment 2.4.1. Define business scenarios that require digital evidence 2.4.2. Identify available sources and different types of potential evidence 2.4.3. Determining the evidence collection requirement 2.4.4. Establish a capability securely gathering legally admissible evidence to meet the requirement 2.4.5. Establish a policy for secure storage and handling of potential evidence 2.4.6. Ensure monitoring and auditing is targeted to detect and deter major incidents 2.4.7. Specify circumstances when escalation to a full formal investigation is required 2.4.8. Train staff, so that all those involved understand their role in the digital evidence process and the legal sensit... 2.4.9. Present an evidence-based case describing the incident and its impact 2.4.10. Ensure legal review to facilitate action in response to the incident 2.4.11. Summary of observations 3. Conclusions References

Chapter 19: Ubuntu One investigation: Detecting evidences on client machines
1. Introduction 2. Related Work 3. Methodology 4. Experiment Setup 5. Discussion and Analysis 5.1. Windows Browser Based 5.1.1. Memory 5.1.2. Browser cache and history 5.1.3. Registry 5.1.4. Network traffic 5.2. Windows App-Based 5.2.1. Memory 5.2.2. File system 5.2.3. Event logs 5.2.4. Registry 5.2.5. Network traffic 5.2.6. Uninstallation 5.3. Mac OS X App-Based 5.3.1. Memory 5.3.2. Network traffic 5.4. iOS App-Based 6. Conclusion References

Part 4: Act: Governance and Auditing

Chapter 20: Governance in the Cloud
1. Why is governance important? 2. What are the questions that boards should be asking? 3. Calculating ROI 4. Auditing the cloud 4.1. Planning and Scoping the Audit 4.2. Governance and enterprise risk management 4.3. Legal and electronic discovery 4.4. Compliance and audit 4.5. Portability and interoperability 4.6. Operating in the cloud 4.7. Identity and access management 5. Conclusion

Chapter 21: Computational trust methods for security quantification in the cloud ecosystem
1. Introduction 2. Computational Trust: Preliminaries 3. State-of-the-art Approaches Tackling Cloud Security 3.1. Computational Trust Models and Mechanisms 3.2. Trusted Computing Technologies 3.3. Cloud Security Transparency Mechanisms 3.4. Cloud Security Quantification Methods 4. Computational Trust Methods for Quantifying Security Capabilities 4.1. Formal Analysis of Security Capabilities 4.1.1. Transforming security attributes into formal security terms 4.1.1.1. Example 4.1.2. Mapping security terms to PLTs 4.1.2.1. Example 4.2. Evaluating Security Capabilities 4.2.1. CertainLogic operators 4.2.1.1. CertainTrust 4.2.1.2. CertainLogic AND () Operator 4.2.1.3. CertainLogic FUSION operator 4.2.2. Security capability assessment using certainLogic operators 4.3. Visually Communicating Multiple Security Capabilities 5. Case Studies 5.1. Case Study 1: Quantifying and Visually Communicating Security Capabilities Practical Customized 5.1.1. Experiments: practical case 5.1.2. Experiments: customized case 5.2. Case Study 2: Quantifying and Communicating Security Capabilities in Presence of Multiple Sources 5.2.1. Experiments 6. Conclusion Acknowledgment Appendix. Proof for Theorem 1 References

Chapter 22: Tool-based risk assessment of cloud infrastructures as socio-technical systems
1. Introduction 2. Structure of a Typical Cloud Infrastructure Scenario 2.1. Levels of Abstraction 2.2. Attacker Goals 2.3. A Cloud Scenario 3. The TRESPASS Project 4. Modeling the Scenario for Analysis 4.1. High-Level Model 4.1.1. Infrastructure 4.1.2. Actors 4.2. Middle-Level Model 4.2.1. Routing 4.2.2. Network traffic set-up 4.2.3. Flow-based access control 4.3. Low-Level Model 4.4. Modeling Typical Network Components 4.4.1. Routers and routing 4.4.2. Defining a service 4.4.2.1. Generic Service Access 4.4.2.2. Administrator Access 4.4.3. Switch versus hub 4.4.4. Firewalls 4.4.5. VPNs 4.5. Modeling Actors 4.5.1. Actor processes 4.5.2. Non-process attributes 4.6. Process Library 5. Identifying Attacks 6. Risk Assessment 6.1. Model-Based Risk Assessment 6.2. Attack-Based Risk Assessment 6.3. Combined Risk Assessment 7. Conclusion Acknowledgments References

Index