36 Part I Overview of Commerce
passwords for message exchange, which do not counter the advanced
attacks such as source misbehavior. Inconsistency detection is an attractive
technique that is available today and can be deployed.
Vetting: Vetting in the context of cloud computing applies to the following
categories:
Vendors: This item applies only if a third-party entity acts as the provider
of infrastructure. The main focus of this phase from the security
perspective is to understand and identify security risks of third-party
networks and their operations.
Operations staff: This phase describes the vetting process for privileged
users within cloud computing infrastructure who make critical-operation
decisions such as changing capacity; modifying host, network,
or application configuration; utilizing corporate resources; and accessing
sensitive audit trails and logging information.
Applications: Vetting the applications deployed to cloud computing
infrastructure is a non-trivial task and has to be undertaken very carefully,
as the process is cumbersome and tends to lack scalability.
Penetration testing: While your security staff might want to perform
penetration testing and code audit for all applications and infrastructure
components, the objective is to ensure that this step is cost-effective and
scalable. In practice, this will be required only for the most complex
applications that extensively utilize infrastructure services.
Please note that the preceding items all suffer from snapshot syndrome; that
is, when something in the application or the infrastructure changes (package
update, adding new functionality, and so on) after the audit and vetting is
successfully completed, the vetting results don’t apply and are considered void.
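One way to make snapshot syndrome visible is to bind each vetting result to a fingerprint of exactly what was audited and to re-check that fingerprint before relying on the result. The following is an added example, not code from the book; the component names, versions, and function names are all constructed for illustration.

```python
import hashlib
import json

def fingerprint(components):
    """Stable SHA-256 over a snapshot: {component name: version or digest}."""
    canonical = json.dumps(components, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def record_vetting(subject, components):
    """Bind a completed audit to the exact snapshot that was audited."""
    return {"subject": subject,
            "components": dict(components),
            "fingerprint": fingerprint(components)}

def check_vetting(record, current):
    """Return (still_valid, drift); drift lists what changed since the audit."""
    vetted = record["components"]
    drift = []
    for name in sorted(set(vetted) | set(current)):
        before, after = vetted.get(name), current.get(name)
        if before is None:
            drift.append(f"added {name}={after}")
        elif after is None:
            drift.append(f"removed {name} (was {before})")
        elif before != after:
            drift.append(f"changed {name}: {before} -> {after}")
    # Any difference from the audited snapshot voids the vetting result.
    still_valid = fingerprint(current) == record["fingerprint"]
    return still_valid, drift

# Constructed sample data: names, versions, and digests are invented.
AUDITED = {"tls-library": "1.4.2", "app-config": "sha256:ab12",
           "billing-module": "2.3"}
RECORD = record_vetting("storefront application", AUDITED)

# State after the audit: a package update plus new functionality.
CURRENT = {**AUDITED, "tls-library": "1.4.3", "coupon-module": "0.1"}

if __name__ == "__main__":
    ok, drift = check_vetting(RECORD, CURRENT)
    print("vetting valid" if ok else "vetting void")
    for line in drift:
        print("  " + line)
```

The drift list tells the reviewer which part of the audit to repeat, which helps keep re-vetting cost-effective instead of restarting from scratch.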
Governance
Governance is important for distributed computing, or any shared infrastructure
such as cloud computing for that matter, because the execution environment is
usually heterogeneous in nature and consists of multiple entities, components,
users, domains, policies, and stakeholders. The governance issues that
concern administrators are credential and trust governance, as well
as MLT (Monitoring, Logging, and Tracing) issues.
Credential Governance
Governance of the credentials is a critical aspect of cloud computing infrastructure
because there are many systems that interact with each other and require
different sets of credentials for accessing them. Credential governance systems