云计算的安全架构与技术 第4节.ppt

Wu Tsu Yang创新信息产业研究中心 Innovative Information Industry Research Center Cloud Computing Risk Issues Tsu-Yang Wu * The CIA Triad Three fundamental tenets of information security Confidentiality Network security protocols Network authentication services Data encryption services Integrity Firewall services Communications security management Intrusion detection services (IDS) The CIA Triad Availability Fault tolerance for data availability Acceptable logins and operating process performance Reliable and interoperable security processes and network security mechanisms * Other Important Concepts Identification For access control, identification is necessary for authentication and authorization Authentication To authenticate user’s identity Accountability Audit trails and logs support accountability Authorization Privacy * Privacy Risks Fundamental principle of privacy Notice — Regarding the collection, use, and disclosure of personally identifiable information (PII) Choice — To opt out or opt in regarding disclosure of PII to third parties Access — To permit review and correction of information Security — To protect PII from unauthorized disclosure Enforcement — Of applicable privacy policies and obligations * Privacy Risks Privacy policies covered Statement of the organization’s commitment to privacy The type of information collected Retaining and using e-mail correspondence Information gathered through cookies and Web server logs and how that information is used How information is shared Mechanisms to secure information transmissions encryption and digital signatures * Privacy Risks Mechanisms to protect PII stored by the organization Evaluation of information protection practices Methods for the user to access and correct PII held by the organization Rules for disclosing PII to outside parties Providing PII that is legally required * Common Threats and Vulnerabilities Threats to cloud and traditional infrastructure Eavesdrop