Unit 4
Cloud Security: Cloud Information security fundamentals, Cloud security services, Design principles, Secure Cloud Software Requirements, Policy Implementation, Cloud Computing Security Challenges, Virtualization security Management, Cloud Computing Security Architecture.
CLOUD SECURITY
“Cloud computing security or, more simply, cloud security is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing”
Cloud Information security fundamentals
What Is Information Security?
Information security is such a wide-ranging topic that it can be rather difficult to define precisely what it is. So when it came time for me to try to define it for the introduction of this topic, I was stuck for a long period of time. Following the recommendation of my younger, I went to the best place to find definitions for anything — the dictionary and came up with these entries:
Information:
• Knowledge obtained from investigation, study or instruction
• Knowledge acquired through experience or study
• The processed data etc.
Security:
• Freedom from risks or danger
So even after looking up information security in this dictionary, I still did not have a good way to describe and explain what information security was. It was a little unsettling to not be able to define, at the most basic level, what I really did. The greatest difficulty in defining information security is, to me, because it is a little bit like trying to define infinity.
Take a simple scenario: if ten different people were asked to define information security, we might well receive ten different answers, and what is surprising is that they might all be correct. Nevertheless, the universal, classic definition of information security is brief and simple:
Information security is the confidentiality, integrity, and availability of information.
Aspects of information security
The first and probably most important aspect of information security is the security policy.
If information security were a person, the security policy would be the central nervous system. Policies become the core of information security that provides a structure and purpose for all other aspects of information security.
Another aspect of information security is organizational security. Organizational security takes the written security policy and develops the framework for implementing the policy throughout the organization. This would include tasks such as getting support from senior management, creating an information security awareness program, reporting to an information steering committee, and advising the business units of their role in the overall security process. The role of information security is still so large that there are many other aspects beyond just the organizational security and security policy.
Yet another aspect of information security is asset classification. Asset classification takes all the resources of an organization and breaks them into groups. This allows for an organization to apply differing levels of security to each of the groups, as opposed to security settings for each individual resource. This process can make security administration easier after it has been implemented, but the implementation can be rather difficult. However, there is still more to information security.
Another phase of information security is personnel security. This can be both fun and taxing at the same time. Personnel security, like physical security, can often be a responsibility of another person and not the sole responsibility of the information security manager. In small organizations, if the word “security” is in your job description, you may be responsible for everything. Personnel security deals with the people who will work in your organization. Some of the tasks that are necessary for personnel security are creating job descriptions, performing background checks, helping in the recruitment process, and user training.
As mentioned in the previous paragraph, physical security is a component of information security that is often the responsibility of a separate person from the other facets of information security. Even if physical security is some other person’s responsibility, the information security professional must be familiar with how physical security can impact information security as a whole. Many times when an organization is thinking of stopping a break-in, the initial thought is to stop people from coming in over the Internet — when in fact it would be easier to walk into the building and plug into the network jack in the reception area. For years I have heard one particular story, which I have never been able to verify, that illustrates this example very well.
Supposedly, the CEO of a large company stands up in the general session of a hacker conference and announces, “This is a waste of time. My organization is so secure that if anyone here can break into our computers, I’ll eat my hat.”
Someone in the audience decides that the CEO needs to learn a lesson. The attacker decides to break into the organization, not by using the Internet or their telecommunication connection, but instead decides to take a physical approach to the attack. The attacker walks in the front door of the organization, walks to the second floor server room and proceeds to enter. Supposedly, the server room was having HVAC problems, so the door had to be propped open to allow the excess heat out. The attacker walks through the rows of devices in the server room and walks up to each of the cabinets and reads the electronically generated label on each device. When he finds the rack with the device marked “Firewall,” he realizes he has found what he was seeking. The attacker then proceeded to turn off the firewall, disconnect the cables, and remove the firewall from the rack. The attacker followed this by hoisting the firewall up onto his shoulder and walking into the CEO’s office.
When the attacker entered the CEO’s office, he had only one thing to say. He asked, “What kind of sauce would you like with your hat?”
Physical security can encompass everything from closed-circuit television to security lighting and fencing, to badge access and heating, ventilation, and air conditioning (HVAC). One area of physical security that is often the responsibility of the information security manager is backup power. The use of uninterruptible power supplies (UPS) is usually recommended even if your organization has other power backup facilities such as a diesel generator.