Before we consider security in the cloud arena, we should have an appreciation for the basic definitions and the fact that there are several closely related security fields:
Information Security: This term refers to a broad field that has to do with the protection of information and information systems. Information security has historical roots that include ciphers, subterfuge, and other practices whose goals were to protect the confidentiality of written messages. In our era, information security is generally understood to involve domains that are involved in the security of IT systems as well as with the non-IT processes that are in interaction with IT systems. The objective of information security is to protect information as well as information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Subdomains to Information Security: Among these are computer security, network security, database security, and information assurance. In cloud security, we will be drawing upon each of these as necessary to address issues that we face.
Confidentiality, Integrity, and Availability: The overall objective for security can largely be boiled down to the triad of security: protecting the confidentiality, integrity, and availability of information.
Least Privilege Principle: Users and processes acting on their behalf should be restricted to operate with a minimal set of privileges. This is to prevent the pervasive use of privilege or access rights within IT systems.
Authentication: The means to establish a user’s identity, typically by can become very complex in many ways. Authentication data may reside in multiple systems in the same infrastructure or domain.
Authorization: The rights or privileges that are granted to a person, user, or process. These can be electronically represented in many ways, and access control lists (ACLs) are simple lists of users and their rights (generally simple statements such as read, write, modify, delete, or execute) against either specific resources or classes of resources. Even simpler are traditional UNIX file permissions, which are at the granularity of Owner, Group, and Others with read, write, execute, and other permissions. The problem with such authorization schemes is that they only work well enough with a very small population of users. They do not scale to large populations, and these schemes are ineffective for computing environments where underlying user IDs are recycled. They are also ineffective against problems that are more difficult to represent, such as we have with SOA services.
Cryptography: From the Greek word for secret kryptos , cryptography has two faces: One is focused on hiding or obfuscating information, and the other ( cryptoanalysis ) is dedicated to exposing secrets that are protected by cryptographic means. Encryption is the process of converting information in plain text into cipher text , with decryption serving the reverse function. Ciphers are the algorithms that are used to perform encryption and decryption, and they are dependent on the use of keys or keying materials . An in-depth treatment of cryptography is beyond the scope of this book, but several further points should be made. First, modern computer cryptography is measured in several dimensions. Cryptography is computationally expensive, but typically the stronger the algorithm the greater the overhead. Second, there are different kinds of algorithms; among them are key pairs (public–private) whereby an individual can safely publish their public key for anyone else to use to encrypt information that can only be decrypted using the associated private key. This has great utility in many ways. Third, cryptography has many other uses in computing; one such use is digital signatures whereby an individual or entity can authenticate data by signing it. Another use is to authenticate two or more communicating parties.
Auditing: This encompasses various activities that span the generation, collection and review of network, system, and application events to maintain a current view of security. Electronic security monitoring is based on the automated assessment of such audit data. But the term auditing is overloaded in security, and it is also used to refer to periodic also overloaded, and we will find many cases where it is used to refer to activities associated with audit event assessment as well as with the periodic activities to verify security controls are appropriate and operating correctly. (We will strive to put sufficient context in our use of these terms.)
Accountability: This amounts to being able to retroactively establish who did what, when, and how. Accountability is dependent on identity and auditing. If accountability is important, then we need to appropriately protect all data and control information that is used to grant access as well as audit access. Since we may not discover a need to perform a forensic review of such data for relatively long periods of time, the general requirements for retaining such event data range from about 120 days and up. (At least one government organization had a requirement to retain such data indefinitely, but ran into physical media problems after 10 years!)