Abstract

This chapter focuses on the processes and practices to be followed in order to ensure a robust security architecture. It starts with the requirements for the cloud security infrastructure, which can be divided into two parts: ensuring the security of the physical infrastructure, and best practices for security processes and technology. Next, the concept of risk management is described. Risk management is the process of evaluating the possible security threats to the system, identifying the major risks, and putting in place security controls to handle them. The FIPS 200 standard for identifying the impact of a risk and the NIST 800-53 standard for security controls are described. Subsequently, security design patterns and principles that should be followed to design the security infrastructure for a cloud are detailed. Following this, a high-level security design for a PaaS system based upon these design patterns is discussed. The PaaS security design illustrates how the design patterns discussed earlier can be put into practice. Finally, various security architectures which can be leveraged to implement cloud security are discussed. The chapter also focuses on security concerns arising out of the use of public clouds. The first set of issues arises from the fact that, legally, a cloud service provider is a subcontractor, and it is the responsibility of the business to ensure that it is in compliance with all legal and regulatory requirements. Then, issues arising out of the fact that a cloud service provider is a “third party” in any litigation are discussed.
