- seguridad (Spanish)
n. ~ The state of being protected from attack, risk, threat, or vulnerability.
In the context of computing, security includes protection against unauthorized access to systems, the destruction or alteration of information, or denial of service, whether caused by malice or unintended act.
- Black's 9th 2009 (†382 s.v. security): The state of being secure, especially from danger or attack.
- Dictionary of Computing 1996 (†517 s.v. "security"): Prevention of or protection against (a) access to information by unauthorized recipients or (b) intentional but unauthorized destruction or alteration of that information. Security may guard against both unintentional as well as deliberate attempts to access sensitive information, in various combinations according to circumstance. The concepts of security, integrity, and privacy are interlinked.
- Bushey et al. 2016 (†755):
  - Does the system prevent unauthorized access, use, alteration, or destruction of your data?
  - Is your data secure during procedures of transfer into and out of the system?
  - Does the system provide and give you access to audit trails, metadata, and/or access logs to demonstrate security measures?
  - Will you be notified in the case of a security breach or system malfunction?
  - Does the Provider use the services of a subcontractor?
  - Does the Provider offer information about the identity of the subcontractor and its tasks?
  - Are subcontractors held to the same level of legal obligations as the Provider of the cloud service?
  - Is there a disaster recovery plan available?
  - Does the Provider offer any information regarding past performance with disaster recovery procedures?

  (†1896)
- Classen and McCaw 2012 (†599 p.3): Data security is typically a customer’s greatest concern when deciding whether to use a vendor’s cloud services. Customers typically assume that the financial liability for loss, misuse, damage or destruction of that data falls to the cloud vendor, but that is not necessarily the case. A vendor’s data security obligations and liabilities are contractually separate and distinct from its confidentiality obligations and those security obligations may transfer to the customer the responsibility of security for that data. (†1381)
- Classen and McCaw 2012 (†599 p.3): Those vendors unwilling to accept liability without fault usually argue that a customer cannot make its own cloud network environment impervious to hacking and thus the vendor should not be held to a higher standard. ...Why should a vendor be expected to deliver at a level the customer itself is incapable of achieving? Customers, on the other hand, believe that data security is likely to be higher through a third party cloud vendor as the vendor has both the resources to dedicate to that security and the expertise in information technology to detect and confront emerging security threats. In addition, customers rely on the fact that vendors providing cloud services to certain industry sectors know or should know of any mandated minimum standards for data security applicable to those sectors. Accordingly, customers look to the vendor to use the resources and expertise to deliver the services with a higher level protection than the customer is able to achieve itself. (†1382)
- Cloud Security Alliance 2013 (†593 p.6): Among the most significant security risks associated with cloud computing is the tendency to bypass information technology (IT) departments and information officers. Although shifting to cloud technologies exclusively is affordable and fast, doing so undermines important business-level security policies, processes, and best practices. In the absence of these standards, businesses are vulnerable to security breaches that can quickly erase any gains made by the switch to SaaS. (†1359)
- CNSS-4009 (†730 p.64): A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach. (†1750)
- Duranti 2013 (†408 ): Security, the biggest benefit of the Cloud, presents also the biggest risk. There can be unauthorized access provided to sub-contractors, and hackers tend to attack Cloud environments much more than in-house systems. It is not a matter of if but when a breach will occur. (†498)
- Furht and Escalante 2010 (†583 p.17-18): Companies are still concerned about security when using cloud computing. Customers are worried about the vulnerability to attacks, when information and critical IT resources are outside the firewall. The solution for security assumes that cloud computing providers follow standard security practices... (†1187)
- Furht and Escalante 2010 (†583 p.337): However, Cloud Computing also raises many concerns, mainly about security, privacy, compliance and reliability. When users move their data to the service provider data center, there is no guarantee that nobody else has access to this data. If the data is being stored in a different country, there can also be issues about jurisdictions for legal rights, and control of the data. (†1211)
- Furht and Escalante 2010 (†583 p. 12): The security requirements for cloud computing providers begins with the same techniques and tools as for traditional data centers, which includes the application of a strong network security perimeter. However, physical segmentation and hardware-based security cannot protect against attacks between virtual machines on the same server. (†1374)
- Furht and Escalante 2010 (†583 p. 24): From the point of view of the technology, the security of user data can be reflected in the following rules of implementation:
  1. The privacy of user storage data. User storage data cannot be viewed or changed by other people (including the operator).
  2. The user data privacy at runtime. User data cannot be viewed or changed by other people at runtime (loaded to system memory).
  3. The privacy when transferring user data through network. It includes the security of transferring data in cloud computing center intranet and internet. It cannot be viewed or changed by other people.
  4. Authentication and authorization needed for users to access their data. Users can access their data through the right way and can authorize other users to access.

  (†1375)
- Hanna and Molina 2010 (†584 ): For many firms, a cloud computing provider can provide better security than their in-house facilities. This is because the CPs are devoting huge resources to making security a non-issue for customers and, in fact, a selling point versus other CPs. With billions of dollars of potential business at stake, CPs are going to do their best to secure their environment. (†1154)
- Hunter 2014 (†602 p.18): Cloud providers use data encryption and other techniques to ensure no unauthorized users have access to your company’s data. You should confirm whether the type of security proposed is sufficient to accomplish the following objectives: your company’s data should be secured from access by the general public, your company’s data should be secured from access by other cloud users, your company’s data should be secured from access/review by cloud administrators. You should be notified when your data has been breached. How does the cloud recognize data breaches and how will it inform your company? Some of your company’s data is “sensitive”; what additional security protocols are in place to ensure your company’s sensitive data (even more than its “regular” data) is not breached? The answer to each of these questions should be clear from the language of the provider agreement. (†1388)
- Law 2011 (†581 s.v. internet security): The means used to protect Web sites and other electronic files from attack by hackers and viruses. The Internet is, by definition, a network; networks are open, and are thus open to attack. A poor Internet security policy can result in a substantial loss of productivity and a drop in consumer confidence. The essential elements of Internet security are constant vigilance–the perfect Internet security system will be out of date the next day; a combination of software and human expertise–security software can only do so much, it must be combined with human experience; and internal as well as external security–many security breaches come from within an organization. (†1118)
- Net 2000 2010B (†701 p. 2): Fundamentally there are two types of security. The first type is concerned with the integrity of the data. In this case the modification of the records is strictly controlled. For example, you may not wish an account to be credited or debited without specific controls and auditing. This type of security is not a major concern in test and development databases. The data can be modified at will without any business impact. ¶ The second type of security is the protection of the information content from inappropriate visibility. Names, addresses, phone numbers and credit card details are good examples of this type of data. Unlike the protection from updates, this type of security requires that access to the information content is controlled in every environment. (†1597)
- NIST 2013 (†734 p. B-20): A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach. [CNSSI 4009] (†1817)
- RFC 4949 (†591 p. 264): Parker [Park] suggests that providing a condition of system security may involve the following six basic functions, which overlap to some extent:
  - "Deterrence": Reducing an intelligent threat by discouraging action, such as by fear or doubt. (See: attack, threat action.)
  - "Avoidance": Reducing a risk by either reducing the value of the potential loss or reducing the probability that the loss will occur. (See: risk analysis. Compare: "risk avoidance" under "risk".)
  - "Prevention": Impeding or thwarting a potential security violation by deploying a countermeasure.
  - "Detection": Determining that a security violation is impending, is in progress, or has recently occurred, and thus make it possible to reduce the potential loss. (See: intrusion detection.)
  - "Recovery": Restoring a normal state of system operation by compensating for a security violation, possibly by eliminating or repairing its effects. (See: contingency plan, main entry for "recovery".)
  - "Correction": Changing a security architecture to eliminate or reduce the risk of reoccurrence of a security violation or threat consequence, such as by eliminating a vulnerability.

  (†1348)
- Schulz 2009 (†596 p.28): ...meeting security requirements in the cloud means encrypting data while in transit and at rest, using secure protocols such as Secure-HTTP, and vetting a provider's access control mechanisms...query providers about who, physically, has access to machines hosting your data. ...specify who can make changes, update, view or otherwise manipulate your data and have access to the audit trail... A cloud provider should be telling you with high degree of detail how often it backs up data, where it's backed up, how it's protected from a security standpoint, and how quickly it can restore data if the main system goes down and it's restored to a hot failover system... (†1376)
- Trusted Computing Group 2010 (†585 p.3-4): ...We have selected six specific areas of the cloud computing environment where equipment and software implementing TCG specifications can provide substantial security improvements [Hanna and Molina, 2010].
  1. Securing data at rest: Cryptographic encryption is certainly the best practice and in many U.S. states and countries worldwide, it’s the law for securing data at rest at the cloud provider. Fortunately, hard drive manufacturers are now shipping self-encrypting drives that implement the TCG’s Trusted Storage standards. Self-encrypting drives build encryption hardware into the drive, providing automated encryption with minimal cost or performance impact. Software encryption can also be used, but it is slower and less secure since the encryption key can be copied off the machine without detection.
  2. Securing data in transit: Encryption techniques should also be used for data in transit. In addition, authentication and integrity protection ensure that data only goes where the customer wants it to go and is not modified in transit. Well-established protocols such as SSL/TLS should be used here. The tricky part is strong authentication, as described next.
  3. Authentication: User authentication is often the primary basis for access control, keeping the bad guys out while allowing authorized users in with a minimum of fuss. In the cloud environment, authentication and access control are more important than ever since the cloud and all of its data are accessible to anyone over the Internet. The TPM can easily provide stronger authentication than username and passwords. TCG’s IF-MAP standard allows for real-time communication between the cloud provider and the customer about authorized users and other security issues. When a user is fired or reassigned, the customer’s identity management system can notify the cloud provider in real-time so that the user’s cloud access can be modified or revoked within seconds. If the fired user is logged into the cloud, they can be immediately disconnected. Trusted Computing enables authentication of client PCs and other devices, which also is critical to ensuring security in cloud computing.
  4. Separation between customers: One of the more obvious cloud concerns is separation between a cloud provider’s users (who may be competing companies or even hackers) to avoid inadvertent or intentional access to sensitive information. Typically a cloud provider would use virtual machines (VMs) and a hypervisor to separate customers. TCG technologies can provide significant security improvements for VM and virtual network separation. In addition, the TPM can provide hardware-based verification of hypervisor and VM integrity. The TNC architecture and standards can provide strong network separation and security.
  5. Cloud legal and regulatory issues: To verify that a cloud provider has strong policies and practices that address legal and regulatory issues, each customer must have its legal and regulatory experts inspect cloud provider policies and practices to ensure their adequacy. The issues to be considered include data security and export, compliance, auditing, data retention and destruction, and legal discovery. In the areas of data retention and deletion, Trusted Storage and TPM access techniques can play a key role in limiting access to data.
  6. Incident response: As part of expecting the unexpected, customers need to plan for the possibility of cloud provider security breaches or user misbehavior. An automated response or at least automated notification is the best solution. TCG’s IF-MAP (Metadata Access Protocol) specification enables the integration of different security systems and provides real-time notification of incidents and of user misbehavior.

  (†1156)
- Wikipedia (†387 s.v. computer security): Security applied to computing devices such as computers and smartphones, as well as computer networks such as private and public networks, including the whole Internet. The field covers all the processes and mechanisms by which digital equipment, information and services are protected from unintended or unauthorized access, change or destruction... It includes physical security to prevent theft of equipment, and information security to protect the data on that equipment. It is sometimes referred to as "cyber security" or "IT security", though these terms generally do not refer to physical security (locks and such). (†999)