Guidelines on Security and Privacy in Public Cloud Computing, SP 800-144, December 2011, csrc.nist.gov
[follow these links]
DRAFT Cloud Computing Synopsis and Recommendations, NIST, May 2011
http://csrc.nist.gov/publications/drafts/800-146/Draft-NISTSP800-146.pdf
Challenging Security Requirements for US Government Cloud Computing Adoption (Draft), Cloud Security Working Group, NIST, November 2011
http://collaborate.nist.gov/twiki-cloudcomputing/pub/CloudComputing/CloudSecurity/NIST_Security_Requirements_for_US_Government_Cloud.pdf
Top Threats to Cloud Computing, V1.0, Cloud Security Alliance, March 2010
http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies, CIO Council, Privacy Committee, August 19, 2010
http://www.cio.gov/documents/Privacy-RecommendationsCloud-Computing-8-19-2010.docx
Security Guidance For Critical Areas of Focus in Cloud Computing, V2.1, Cloud Security Alliance, December 2009
http://www.cloudsecurityalliance.org/csaguide.pdf
Cloud Computing Risk Assessment, European Network and Information Security Agency, November 2009
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport
The 10 Worst Cloud Outages (and what we can learn from them), J R Raphael, InfoWorld, June 27, 2011
http://www.infoworld.com/d/cloud-computing/the-10-worst-cloud-outages-and-what-we-can-learn-them-902
The Future of Cloud Computing, Version 1.0, Commission of the European Communities, Expert Group on Cloud Computing, January 2010
http://cordis.europa.eu/fp7/ict/ssai/docs/cloud-report-final.pdf
[All88] Julia Allen et al., Security for Information Technology Service Contracts, CMU/SEI-SIM-003, Software Engineering Institute, Carnegie Mellon University, January 1988,
<URL: http://www.sei.cmu.edu/reports/98sim003.pdf>.
[Alp11] Pavel Alpeyev, Joseph Galante, Mariko Yasu, Amazon.com Server Said to Have
Been Used in Sony Attack, Bloomberg, May 14, 2011, <URL:
http://www.bloomberg.com/news/2011-05-13/sony-network-said-to-have-beeninvaded-by-hackers-using-amazon-com-server.html>.
[And11] Nate Anderson, Anonymous vs. HBGary: the Aftermath, Ars Technica, February 24,
2011, <URL: http://arstechnica.com/tech-policy/news/2011/02/anonymous-vshbgary-the-aftermath.ars>.
[Arm10] Michael Armbrust et al., A View of Cloud Computing, Communications of the ACM,
Association for Computing Machinery, Vol. 53, No. 4, April 2010.
[Ash10] Warwick Ashford, Google Confirms Dismissal of Engineer for Breaching Privacy
Rules, Computer Weekly, September 16, 2010, <URL:
http://www.computerweekly.com/Articles/2010/09/16/242877/Google-confirmsdismissal-of-engineer-for-breaching-privacy.htm>.
[Avo00] Frederick M. Avolio, Best Practices in Network Security, Network Computing,
March 20, 2000, <URL: http://www.networkcomputing.com/1105/1105f2.html>.
[Bar05] Elaine B. Barker, William C. Barker, Annabelle Lee, Guideline for Implementing
Cryptography In the Federal Government, NIST Special Publication 800-21, Second
Edition, December 2005, <URL: http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf>.
[Bin09] David Binning, Top Five Cloud Computing Security Issues, Computer Weekly, April
24, 2009, <URL: http://www.computerweekly.com/Articles/2010/01/12/235782/Topfive-cloud-computing-security-issues.htm>.
[Bos11] Bianca Bosker, Dropbox Bug Made Passwords Unnecessary, Left Data At Risk For
Hours, The Huffington Post, June 21, 2011, <URL:
http://www.huffingtonpost.com/2011/06/21/dropbox-security-bugpasswords_n_881085.html>.
[Bra10] Simon Bradshaw, Christopher Millard, Ian Walden, Contracts for Clouds:
Comparison and Analysis of the Terms and Conditions of Cloud Computing Services,
Queen Mary School of Law Legal Studies, Research Paper No. 63/2010, September
2, 2010, <URL: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1662374>.
[Bra11] Tony Bradley, Google, Skype, Yahoo Targeted by Rogue Comodo SSL Certificates,
PCWorld, March 23, 2011, <URL:
http://www.pcworld.com/businesscenter/article/223147/google_skype_yahoo_targeted_by_rogue_comodo_ssl_certificates.html>.
[Bro08] Jon Brodkin, Loss of Customer Data Spurs Closure of Online Storage Service ‘The
Linkup,’ Network World, August 11, 2008, <URL:
http://www.networkworld.com/news/2008/081108-linkup-failure.html?page=1>.
[Bro09] Carl Brooks, Amazon EC2 Attack Prompts Customer Support Changes, Tech Target,
October 12, 2009, <URL:
http://searchcloudcomputing.techtarget.com/news/article/0,289142,sid201_gci1371090,00.html>.
[Cal09] Michael Calore, Ma.gnolia Suffers Major Data Loss, Site Taken Offline, Wired
Magazine, January 30, 2009, <URL:
http://www.wired.com/epicenter/2009/01/magnolia-suffer/>.
[CAO09] Report from Office of the City Administrative Officer: Analysis of Proposed
Contract, City of Los Angeles, CAO File No.:0150-00813-0001, July 9, 2009, <URL:
http://clkrep.lacity.org/onlinedocs/2009/09-1714_rpt_cao_7-9-09.pdf>.
[Cap09] Dawn Cappelli, Andrew Moore, Randall Trzeciak, Timothy J. Shimeall, Common
Sense Guide to Prevention and Detection of Insider Threats, Third Edition, Version
3.1, CERT, January 2009, <URL: http://www.cert.org/archive/pdf/CSG-V3.pdf>.
[CBC04] USA Patriot Act Comes under Fire in B.C. Report, CBC News, October 30, 2004,
<URL: http://www.cbc.ca/canada/story/2004/10/29/patriotact_bc041029.html>.
[Cha10] Rajarshi Chakraborty, Srilakshmi Ramireddy, T.S. Raghu, H. Raghav Rao, The
Information Assurance Practices of Cloud Computing Vendors, IEEE IT Pro, Vol. 12,
Issue 4, July/August 2010.
[Cho09] Richard Chow et al., Controlling Data in the Cloud: Outsourcing Computation
without Outsourcing Control, ACM Workshop on Cloud Computing Security,
Chicago, Illinois, November 2009, <URL:
http://www2.parc.com/csl/members/eshi/docs/ccsw.pdf>.
[CIO10a] Privacy Recommendations for the Use of Cloud Computing by Federal Departments
and Agencies, CIO Council, Privacy Committee, Web 2.0/Cloud Computing
Subcommittee, August 2010, <URL: http://www.cio.gov/Documents/PrivacyRecommendations-Cloud-Computing-8-19-2010.docx>.
[CIO10b] Federal Enterprise Architecture Security and Privacy Profile, Version 3, September
30, 2010, <URL: http://www.cio.gov/Documents/FEA-Security-Privacy-Profile-v3-09-30-2010.pdf>.
[Cla09] Gavin Clarke, Microsoft's Azure Cloud Suffers First Crash, The Register, March 16,
2009, <URL: http://www.theregister.co.uk/2009/03/16/azure_cloud_crash/>.
[CLA10] Second Status Report on the Implementation of the Google E-Mail and Collaboration
System, City Administrative Officer, City of Los Angeles, July 9, 2010, <URL:
http://clkrep.lacity.org/onlinedocs/2009/09-1714_rpt_cao_7-9-10.pdf>.
[CLA11a] Second Amendment to Contract Number C-116359 between the City and Computer
Sciences Corporation for E-Mail and Collaboration Solution (Google), Inter-Departmental Correspondence, City of Los Angeles, December 9, 2011, <URL:
http://clkrep.lacity.org/onlinedocs/2009/09-1714-S2_RPT_CLA_12-09-11.pdf>.
[CLA11b] Record of Council Action Regarding Second Amendment to Contract Number C-116359,
City of Los Angeles, December 20, 2011, <URL:
http://clkrep.lacity.org/onlinedocs/2009/09-1714-S2_CA_12-14-11.pdf>.
[Coc97] Steve Cocheo, The Bank Robber, the Quote, and the Final Irony, nFront, American
Bankers Association (ABA) Banking Journal, 1997, <URL:
http://www.banking.com/aba/profile_0397.htm>.
[Cou09] David A. Couillard, Defogging the Cloud: Applying Fourth Amendment Principles to
Evolving Privacy Expectations in Cloud Computing, Minnesota Law Review, Vol.
93, No. 6, June 2009.
[Cra08] George Craciun, Amazon EC2 Spreads Malware, Softpedia, July 1, 2008, <URL:
http://news.softpedia.com/news/Amazon-EC2-Spreads-Malware-89014.shtml>.
[Cra10] Personal conversation with Kevin K. Crawford, Assistant General Manager,
Information Technology Agency, City of Los Angeles, December 15, 2010.
[Cra11] Personal conversation with Kevin K. Crawford, Assistant General Manager,
Information Technology Agency, City of Los Angeles, August 22, 2011.
[CSA11a] Encryption and Key Management, Cloud Security Alliance, January 12, 2011, <URL:
https://wiki.cloudsecurityalliance.org/guidance/index.php/Encryption_and_Key_Management>.
[CSA11b] Cloud Controls Matrix, Version 1.2, Cloud Security Alliance, August 26, 2011,
<URL: https://cloudsecurityalliance.org/wpcontent/uploads/2011/08/CSA_CCM_v1.2.xls>.
[CSC10] LA SECS Overview: SaaS E-mail and Collaboration Solution (SECS) –
Implementing Google for the Los Angeles, CSC, April 15, 2010, <URL:
http://assets1.csc.com/lef/downloads/LEFBriefing_CSC_LA_Google_041510.pdf>.
[CWD10] Notice of Deficiencies-CSC Contract No. C-116359, City of Los Angeles, December
9, 2010, <URL: http://www.consumerwatchdog.org/resources/googdeficiency.pdf>.
[Daw05] Alistair B. Dawson, Understanding Electronic Discovery and Solving Its Problems,
56th Annual Program on Oil and Gas Law, The Center for American and International
Law, February 17-18, 2005, Houston, Texas, <URL:
http://www.brsfirm.com/publications/docs/00037W.pdf>.
[Dem10] Kelley Dempsey et al., Information Security Continuous Monitoring for Federal
Information Systems and Organizations, Initial Public Draft, SP 800-137, NIST,
September 2011, <URL: http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf>.
[Dig08] Larry Dignam, Amazon Explains Its S3 Outage, ZDNET, February 16, 2008, <URL:
http://www.zdnet.com/blog/btl/amazon-explains-its-s3-outage/8010>.
[Dij10] Marten van Dijk, Ari Juels, On the Impossibility of Cryptography Alone for Privacy-Preserving
Cloud Computing, 5th USENIX Workshop on Hot Topics in Security
(HotSec ’10), August 10, 2010, <URL:
http://www.usenix.org/event/hotsec10/tech/full_papers/vanDijk.pdf>
[Din10] Jocelyn Ding, LA’s Move to Google Apps Continues Apace, Official Google
Enterprise Blog, August 04, 2010, <URL:
http://googleenterprise.blogspot.com/2010/08/las-move-to-google-apps-continuesapace.html>.
[DoC00] Safe Harbor Privacy Principles, U.S. Department of Commerce, July 21, 2000,
<URL: http://export.gov/safeharbor/eu/eg_main_018475.asp>.
[DPW10] LA DPW Engineering Newsletter, No. 10-22, Los Angeles City, Department of
Public Works (DPW), April 21, 2010, <URL:
http://eng.lacity.org/newsletters/2010/04-21-10.pdf>.
[Dun10a] John E. Dunn, Ultra-secure Firefox Offered to UK Bank Users, Techworld, February
26, 2010, <URL: http://news.techworld.com/security/3213740/ultra-secure-firefoxoffered-to-uk-bank-users/>.
[Dun10b] John E. Dunn, Virtualised USB Key Beats Keyloggers, Techworld, February 22,
2010, <URL: http://news.techworld.com/security/3213277/virtualised-usb-key-beatskeyloggers/>.
[DVA] What the VA Is Doing to Protect Your Privacy, VA Pamphlet 005-06-1, Department
of Veteran Affairs, <URL: http://www.privacy.va.gov/docs/VA005-06-1_privacy_brochure.pdf>.
[Eis05] Margaret P. Eisenhauer, Privacy and Security Law Issues in Off-shore Outsourcing
Transactions, Hunton & Williams LLP, The Outsourcing Institute, Legal Corner,
February 15, 2005, <URL:
http://www.outsourcing.com/legal_corner/pdf/Outsourcing_Privacy.pdf>.
[Fer07] Peter Ferrie, Attacks on Virtual Machine Emulators, White Paper, Symantec
Corporation, January 2007, <URL:
http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf>.
[Fer09] Tim Ferguson, Salesforce.com Outage Hits Thousands of Businesses, CNET News,
January 8, 2009, <URL: http://news.cnet.com/8301-1001_3-10136540-92.html>.
[Fer10] David S. Ferreiro, Guidance on Managing Records in Cloud Computing
Environments, NARA Bulletin 2010-05, September 8, 2010, <URL:
http://www.archives.gov:80/records-mgmt/bulletins/2010/2010-05.html>.
[Fre08] Stefan Frei, Thomas Duebendorfer, Gunter Ollmann, Martin May, Understanding the
Web Browser Threat: Examination of vulnerable online Web browser populations
and the "insecurity iceberg", ETH Zurich, Tech Report Nr. 288, 2008, <URL:
http://e-collection.ethbib.ethz.ch/eserv/eth:30892/eth-30892-01.pdf>.
[Fow09] Geoffrey Fowler, Ben Worthen, The Internet Industry Is on a Cloud – Whatever That
May Mean, The Wall Street Journal, March 26, 2009, <URL:
http://online.wsj.com/article/SB123802623665542725.html>.
[FTC07] Fair Information Practice Principles, Federal Trade Commission, June 25, 2007,
<URL: http://www.ftc.gov/reports/privacy3/fairinfo.shtm>.
[Gaj09] Sebastian Gajek, Meiko Jensen, Lijun Liao, and Jörg Schwenk, Analysis of Signature
Wrapping Attacks and Countermeasures, IEEE International Conference on Web
Services, Los Angeles, California, July 2009.
[Gar05] Tal Garfinkel, Mendel Rosenblum, When Virtual Is Harder than Real: Security
Challenges in Virtual Machine Based Computing Environments, HotOS’05, Santa Fe,
New Mexico, June 2005, <URL:
http://www.stanford.edu/~talg/papers/HOTOS05/virtual-harder-hotos05.pdf>.
[Gar07] Simson Garfinkel, An Evaluation of Amazon’s Grid Computing Services: EC2, S3
and SQS, Technical Report TR-08-07, Center for Research on Computation and
Society, School for Engineering and Applied Sciences, Harvard University, July
2007, <URL: http://simson.net/clips/academic/2007.Harvard.S3.pdf>.
[GAO06] Privacy: Domestic and Offshore Outsourcing of Personal Information in Medicare,
Medicaid, and TRICARE, United States Government Accountability Office, GAO-06-676,
September 2006, <URL: http://www.gao.gov/new.items/d06676.pdf>.
[GAO10] Contractor Integrity: Stronger Safeguards Needed for Contractor Access to Sensitive
Information, United States Government Accountability Office, GAO-10-693,
September 2010, <URL: http://www.gao.gov/new.items/d10693.pdf>.
[Gee08] Daniel E. Geer, Complexity Is the Enemy, IEEE Security and Privacy, Vol. 6, No. 6,
November/December 2008.
[Gon09] Reyes Gonzalez, Jose Gasco, and Juan Llopis, Information Systems Outsourcing
Reasons and Risks: An Empirical Study, International Journal of Human and Social
Sciences, Vol. 4, No. 3, 2009, <URL: http://www.waset.org/journals/ijhss/v4/v4-3-24.pdf>.
[Goo09a] Dan Goodin, Salesforce.com Outage Exposes Cloud's Dark Linings, The Register,
January 6, 2009, <URL:
http://www.theregister.co.uk/2009/01/06/salesforce_outage/>.
[Goo09b] Dan Goodin, Webhost Hack Wipes Out Data for 100,000 Sites, The Register, June 8,
2009, <URL: http://www.theregister.co.uk/2009/06/08/webhost_attack/>.
[Goo10] Dan Goodin, Privacy Watchdog Pack Demands Facebook Close the 'App Gap', The
Register, June 16, 2010, <URL:
http://www.theregister.co.uk/2010/06/16/facebook_privacy/>.
[Gou11] Jeff Gould, Los Angeles Ends Google Apps for LAPD; Decision Bigger Than You
Think, AOL Government, December 19, 2011, <URL:
http://gov.aol.com/2011/12/19/los-angeles-ends-google-apps-for-lapd-decisionbigger-than-you/>.
[Gra03] Tim Grance et al., Guide to Information Technology Security Services, Special
Publication 800-35, National Institute of Standards and Technology, October 2003,
<URL: http://csrc.nist.gov/publications/nistpubs/800-35/NIST-SP800-35.pdf>.
[Gre09] Andy Greenberg, IBM's Blindfolded Calculator, Forbes Magazine, July 13, 2009,
<URL: http://www.forbes.com/forbes/2009/0713/breakthroughs-privacy-supersecret-encryption.html>.
[Gro10] Bernd Grobauer, Thomas Schreck, Towards Incident Handling in the Cloud:
Challenges and Approaches, ACM Cloud Computing Security Workshop, Chicago,
Illinois, October 8, 2010.
[Gru09] Nils Gruschka, Luigi Lo Iacono, Vulnerable Cloud: SOAP Message Security
Validation Revisited, IEEE International Conference on Web Services, Los Angeles,
California, July 2009.
[Gun08] Mike Gunderloy, Who Protects Your Cloud Data?, Web Worker Daily, January 13,
2008, <URL: http://webworkerdaily.com/2008/01/13/who-protects-your-clouddata/>.
[Han06] Saul Hansell, Online Trail Can Lead To Court, The New York Times, February 4,
2006, <URL:
http://query.nytimes.com/gst/fullpage.html?res=9B03E5D7163EF937A35751C0A9609C8B63>.
[HR2458] Federal Information Security Management Act of 2002 (FISMA), H.R. 2458, Title
III—Information Security, <URL: http://csrc.nist.gov/drivers/documents/FISMAfinal.pdf>.
[Inf09] Twitter Email Account Hack Highlights Cloud Dangers, Infosecurity Magazine, July
23, 2009, <URL: http://www.infosecurity-magazine.com/view/2668/twitter-emailaccount-hack-highlights-cloud-dangers-/>.
[Jac07] Dean Jacobs, Stefan Aulbach, Ruminations on Multi-Tenant Databases, Fachtagung
für Datenbanksysteme in Business, Technologie und Web, Aachen, Germany, March
5-9, 2007, <URL: http://www.btw2007.de/paper/p514.pdf>.
[Jan08] Wayne Jansen, Karen Scarfone, Guidelines on Cell Phone and PDA Security, Special
Publication (SP) 800-124, National Institute of Standards and Technology, October
2008, <URL: http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf>
[Jen09] Meiko Jensen, Jörg Schwenk, Nils Gruschka, Luigi Lo Iacono, On Technical Security
Issues in Cloud Computing, IEEE International Conference on Cloud Computing,
Bangalore, India, September 21-25, 2009.
[JTF10] Guide for Applying the Risk Management Framework to Federal Information
Systems: A Security Life Cycle Approach, Joint Task Force Transformation
Initiative, NIST Special Publication 800-37, Revision 1, <URL:
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf>.
[Kan09] Balachandra Reddy Kandukuri, Ramakrishna Paturi V, Atanu Rakshit, Cloud
Security Issues, IEEE International Conference on Services Computing, Bangalore,
India, September 21-25, 2009.
[Kar08] Paul A. Karger, I/O for Virtual Machine Monitors: Security and Performance Issues,
IEEE Security and Privacy, September/October 2008.
[Kat10] Neil Katz, Austin Plane Crash: Pilot Joseph Andrew Stack May Have Targeted IRS
Offices, Says FBI, CBS News, February 18, 2010, <URL:
http://www.cbsnews.com/8301-504083_162-6220271-504083.html?tag=contentMain%3bcontentBody>.
[Kel05] Yared Keleta, J.H.P. Eloff, H.S. Venter, Proposing a Secure XACML Architecture
Ensuring Privacy and Trust, Research in Progress Paper, University of Pretoria, 2005,
<URL: http://icsa.cs.up.ac.za/issa/2005/Proceedings/Research/093_Article.pdf>.
[Ker10] Sean Michael Kerner, Mozilla Confirms Security Threat from Malicious Firefox
Add-ons, eSecurity Planet, February 5, 2010, <URL:
http://www.esecurityplanet.com/news/article.php/3863331/Mozilla-ConfirmsSecurity-Threat-From-Malicious-Firefox-Add-Ons.htm>.
[Ker11] Justin Kern, Amazon Apologizes, Cites Human Error in Cloud Interruption,
Information Management Online, April 29, 2011, <URL: http://www.informationmanagement.com/news/cloud_SaaS_data_center_downtime_storage_Amazon-10020215-1.html>.
[Kin06] Samuel King, Peter Chen, Yi-Min Wang, Chad Verbowski, Helen Wang, Jacob
Lorch, SubVirt: Implementing Malware with Virtual Machines, IEEE Symposium on
Security and Privacy, Berkeley, California, May 2006, <URL:
http://www.eecs.umich.edu/~pmchen/papers/king06.pdf>.
[Kre07] Brian Krebs, Salesforce.com Acknowledges Data Loss, Security Fix, The
Washington Post, November 6, 2007, <URL:
http://blog.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html>.
[Kre08] Brian Krebs, Amazon: Hey Spammers, Get Off My Cloud! The Washington Post,
July 1, 2008, <URL:
http://voices.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html>.
[Kow08] Eileen Kowalski et al., Insider Threat Study: Illicit Cyber Activity in the Government
Sector, U.S. Secret Service and Carnegie Mellon University, Software Engineering
Institute, January 2008, <URL:
http://www.cert.org/archive/pdf/insiderthreat_gov2008.pdf>.
[Kri08] Michael Krigsma, Amazon S3 Web Services Down. Bad, Bad News for Customers,
ZDNET, February 15, 2008, <URL: http://blogs.zdnet.com/projectfailures/?p=602>.
[Kum08] Sushil Kumar, Oracle Database Backup in the Cloud, White Paper, Oracle
Corporation, September 2008.
[Lab95] Stephen Labaton, 2 Men Held in Attempt to Bomb I.R.S. Office, New York Times,
December 29, 1995, <URL: http://www.nytimes.com/1995/12/29/us/2-men-held-inattempt-to-bomb-irs-office.html?pagewanted=1>.
[LAPD10] Supplemental Report to the City Administrative Officer: Second Status Report on the
Implementation of the Google E-Mail and Collaboration System (C.F. 09-1714), Los
Angeles Police Department, City of Los Angeles, <URL:
http://clkrep.lacity.org/onlinedocs/2009/09-1714_rpt_lapd_7-8-10.pdf>.
[Lat96] 20-Year Term in Plot to Bomb IRS Offices, Nation In Brief, Los Angeles Times,
August 10, 1996, <URL: http://articles.latimes.com/1996-08-10/news/mn-32970_1_20-year-term>.
[Lea09] Neal Leavitt, Is Cloud Computing Really Ready for Prime Time?, IEEE Computer,
January 2009.
[Len03] Bee Leng, A Security Guide for Acquiring Outsourced Service, GIAC GSEC Practical (v1.4b), SANS Institute, August 19, 2003, <URL:
[Mag10] James Maguire, How Cloud Computing Security Resembles the Financial Meltdown, Datamation, internet.com, April 27, 2010, <URL:
http://itmanagement.earthweb.com/netsys/article.php/3878811/How-CloudComputing-Security-Resembles-the-Financial-Meltdown.htm>.
[Mcc10] Erika McCallister, Tim Grance, Karen Scarfone, Guide to Protecting the
Confidentiality of Personally Identifiable Information (PII), SP 800-122, National
Institute of Standards and Technology, April 2010, <URL:
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf>.
[Mcd10] Steve McDonald, Legal and Quasi-Legal Issues in Cloud Computing Contracts,
Workshop Document, EDUCAUSE and NACUBO Workshop on Cloud Computing
and Shared Services, Tempe, Arizona, February 8–10, 2010, <URL:
http://net.educause.edu/section_params/conf/CCW10/issues.pdf>.
[Mcm07] Robert McMillan, Salesforce.com Warns Customers of Phishing Scam, PC Magazine,
IDG News Network, November 6, 2007, <URL:
http://www.pcworld.com/businesscenter/article/139353/salesforcecom_warns_customers_of_phishing_scam.html>.
[Mcm09a] Robert McMillan, Hackers Find a Home in Amazon's EC2 Cloud, Infoworld, IDG
News Network, December 10, 2009, <URL: http://www.infoworld.com/d/cloudcomputing/hackers-find-home-in-amazons-ec2-cloud-742>.
[Mcm09b] Robert McMillan, Misdirected Spyware Infects Ohio Hospital, PC Magazine, IDG
News Service September 17, 2009, <URL:
http://www.pcworld.com/businesscenter/article/172185/misdirected_spyware_infects_ohio_hospital.html>.
[Mee09] Haroon Meer, Nick Arvanitis, Marco Slaviero, Clobbering the Cloud, Part 4 of 5,
Black Hat USA Talk Write-up, SensePost SDH Labs, 2009, <URL:
http://www.sensepost.com/labs/conferences/clobbering_the_cloud/amazon>.
[Mel11] Peter Mell, Tim Grance, The NIST Definition of Cloud Computing, Special
Publication 800-145, National Institute of Standards and Technology, August 2011,
<URL: http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf>.
[Met09] Cade Metz, DDoS Attack Rains Down on Amazon Cloud, The Register, October 5,
2009, <URL: http://www.theregister.co.uk/2009/10/05/amazon_bitbucket_outage/>.
[Met11] Cade Metz, Amazon Cloud Fell from Sky after Botched Network Upgrade, The
Register, April 29, 2011, <URL:
http://www.theregister.co.uk/2011/04/29/amazon_ec2_outage_post_mortem/>.
[Mic09] The Windows Azure Malfunction This Weekend, Windows Azure <Team Blog>,
Microsoft Corporation, March 18, 2009, <URL:
http://blogs.msdn.com/windowsazure/archive/2009/03/18/the-windows-azuremalfunction-this-weekend.aspx>.
[Mic10] Fact-Based Comparison of Hosted Services: Google vs. Microsoft, Microsoft
Corporation, May 16, 2010, <URL:
http://download.microsoft.com/download/0/5/F/05FF69ED-6F8F-4357-863B-12E27D6F1115/Hosted%20Services%20Comparison%20Whitepaper%20-%20Google%20vs%20Microsoft.pdf>.
[Mil08] Rich Miller, Major Outage for Amazon S3 and EC2, Data Center Knowledge,
February 15, 2008, <URL:
http://www.datacenterknowledge.com/archives/2008/02/15/major-outage-foramazon-s3-and-ec2/>.
[Mil09] Rich Miller, Lightning Strike Triggers Amazon EC2 Outage, Data Center
Knowledge, June 11, 2009, <URL:
http://www.datacenterknowledge.com/archives/2009/06/11/lightning-strike-triggersamazon-ec2-outage/>.
[Mod08] Austin Modine, Downed Salesforce Systems Slow Europe and US, The Register,
February 11, 2008, <URL:
http://www.theregister.co.uk/2008/02/11/salesforce_outages_feb_2008/>.
[MRG10] Online Banking: Browser Security Project, Malware Research Group, Zorin Nexus
Ltd., June 2010, <URL: http://malwareresearchgroup.com/wpcontent/uploads/2009/01/Online-Banking-Browser-Security-Project-June-201013.zip>.
[Mul10] Robert Mullins, The Biggest Cloud on the Planet is Owned by the Crooks, Network
World, March 22, 2010, <URL:
http://www.networkworld.com/community/node/58829>.
[Nav10] Eliminating the Data Security and Regulatory Concerns of Using SaaS Applications,
White Paper, Navajo Systems, January 2010, <URL:
http://www.navajosystems.com/media/Virtual_Private_SaaS_White_Paper.pdf>.
[Obe08a] Jon Oberheide, Evan Cooke, Farnam Jahanian, Empirical Exploitation of Live Virtual
Machine Migration, Black Hat Security Conference, Washington, DC, February
2008, <URL: http://www.blackhat.com/presentations/bh-dc-08/Oberheide/Whitepaper/bh-dc-08-oberheide-WP.pdf>.
[Obe08b] Jon Oberheide, Evan Cooke, Farnam Jahanian, CloudAV: N-Version Antivirus in the
Network Cloud, USENIX Security Symposium, Association, San Jose, CA, July 28-
August 1, 2008, <URL: http://www.eecs.umich.edu/fjgroup/pubs/usenix08-cloudav.pdf>.
[OECD80] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal
Data, Organisation for Economic Co-operation and Development, September
23, 1980, <URL:
http://www.oecd.org/document/18/0,3746,en_2649_34255_1815186_1_1_1_1,00.html>.
[Opp03] David Oppenheimer, Archana Ganapathi, David Patterson, Why Do Internet Services
Fail, and What Can Be Done About It?, 4th USENIX Symposium on Internet
Technologies and Systems, March 2003, <URL:
http://roc.cs.berkeley.edu/papers/usits03.pdf>.
[Orm07] Tavis Ormandy, An Empirical Study into the Security Exposure to Hosts of Hostile
Virtualized Environments, 2007, <URL: http://taviso.decsystem.org/virtsec.pdf>.
[Ove10] Stephanie Overby, How to Negotiate a Better Cloud Computing Contract, CIO, April
21, 2010, <URL:
http://www.cio.com/article/591629/How_to_Negotiate_a_Better_Cloud_Computing_Contract>.
[Owa10] Cloud-10 Multi Tenancy and Physical Security, The Open Web Application Security
Project, Cloud Top 10 Security Risks, August 30, 2010, <URL:
https://www.owasp.org/index.php/Cloud-10_Multi_Tenancy_and_Physical_Security>.
[Pea09] Siani Pearson, Taking Account of Privacy When Designing Cloud Computing
Services, International Conference on Software Engineering (ICSE) Workshop on
Software Engineering Challenges of Cloud Computing, Vancouver, Canada, May 23,
2009.
[Pep11a] Julianne Pepitone, Amazon EC2 Outage Downs Reddit, Quora, CNN Money, April
22, 2011, <URL:
http://money.cnn.com/2011/04/21/technology/amazon_server_outage/index.htm>.
[Pep11b] Julianne Pepitone, RSA Offers to Replace All SecurID Tokens after Hack Attack,
CNN Money Tech, June 8, 2011, <URL:
http://money.cnn.com/2011/06/08/technology/securid_hack/index.htm>.
[Per11] By Juan Carlos Perez, Microsoft's Cloud BPOS Suite Suffers Outage Again,
InfoWorld Inc., June 22, 2011, <URL:
http://www.infoworld.com/d/applications/microsofts-cloud-bpos-suite-suffers-outageagain-050>.
[Pon10] Larry Ponemon, Security of Cloud Computing Users, Ponemon Institute, May 12,
2010, <URL: http://www.ca.com/files/IndustryResearch/security-cloud-computingusers_235659.pdf>.
[Pro07] Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang, Nagendra
Modadugu, The Ghost in the Browser: Analysis of Web-based Malware, Hot Topics
in Understanding Botnets (HotBots), April 10, 2007, Cambridge, Massachusetts,
<URL: http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf>.
[Pro09] Niels Provos, Moheeb Abu Rajab, Panayiotis Mavrommatis, Cybercrime 2.0: When
the Cloud Turns Dark, Communications of the ACM, April 2009.
[Pro10] Cloud Security and Privacy: Data Security and Storage, November 18, 2010, <URL:
http://mscerts.programming4.us/programming/Cloud%20Security%20and%20Privacy%20%20%20Data%20Security%20and%20Storage.aspx>.
[Rag09] Steve Ragan, New Service Offers Cloud Cracking for WPA, The Tech Herald,
December 8, 2009, <URL:
http://www.thetechherald.com/article.php/200950/4906/New-service-offers-cloudcracking-for-WPA>.
[Rap09] J.R. Raphael, Facebook Privacy Change Sparks Federal Complaint, PC World,
February 17, 2009, <URL:
http://www.pcworld.com/article/159703/facebook.html?tk=rel_news>.
[Ref10] Security Within a Virtualized Environment: A New Layer in Layered Security, White
Paper, Reflex Security, retrieved April 23, 2010, <URL:
http://www.vmware.com/files/pdf/partners/security/security-virtualizedwhitepaper.pdf>.
[Ris09] Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage, Hey, You, Get Off
of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds, ACM
Conference on Computer and Communications Security, November 2009, <URL:
http://cseweb.ucsd.edu/~hovav/dist/cloudsec.pdf>.
[Row07] Brent R. Rowe, Will Outsourcing IT Security Lead to a Higher Social Level of
Security?, Research Triangle Institute International, July 2007, <URL:
http://weis2007.econinfosec.org/papers/47.pdf>.
[Sar10] David Sarno, Los Angeles Police Department Switch to Google E-mail System Hits
Federal Roadblock, Los Angeles Times, November 03, 2010, <URL:
http://articles.latimes.com/2010/nov/03/business/la-fi-google-la-20101103>.
[Sar11a] David Sarno, Google Facing Hurdles in Bid to Provide Email Service to
Governments, Los Angeles Times, April 14, 2011, <URL:
http://articles.latimes.com/2011/apr/14/business/la-fi-google-email-20110414>.
[Sar11b] David Sarno, L.A. won't put LAPD on Google's cloud-based email system, Los
Angeles Times, December 14, 2011, <URL:
http://articles.latimes.com/2011/dec/14/business/la-fi-google-email-20111215>.
[Sca11] Karen Scarfone, Murugiah Souppaya, Paul Hoffman, Guide to Security for Full
Virtualization Technologies, Special Publication 800-125, National Institute of
Standards and Technology, January 2011, <URL:
http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf>.
[Sch00] Bruce Schneier, Crypto-Gram Newsletter, Software Complexity and Security, March
15, 2000, <URL: http://www.schneier.com/crypto-gram-0003.html#8>.
[Sch10] Jeff Schnepper, Don't Like the Tax Law? Don't Shoot the IRS, MSN, March 10,
2010, <URL:
http://articles.moneycentral.msn.com/Taxes/blog/page.aspx?post=1692029&_blg=1,1619827>.
[Sch11] Mathew J. Schwartz, Are You Ready for an FBI Server Takedown?, Information
Week, July 01, 2011, <URL:
http://www.informationweek.com/news/security/management/231000897>.
[Sha08] Amit Shah, Kernel-based Virtualization with KVM, Linux Magazine, issue 86,
January 2008, <URL: http://www.linuxmagazine.com/w3/issue/86/Kernel_Based_Virtualization_With_KVM.pdf>.
[Sec05] VMware Vulnerability in NAT Networking, BugTraq, SecurityFocus, December 21,
2005, <URL: http://www.securityfocus.com/archive/1/420017 and
http://www.securityfocus.com/bid/15998/>.
[SECS09] Professional Services Contract, SAAS E-Mail & Collaboration Solution (SECS), City
of Los Angeles, November 10, 2009, <URL:
https://sites.google.com/a/lageecs.lacity.org/la-geecs-blog/home/faqs-1/C-116359_c_11-20-09.pdf?attredirects=0&d=1>
[She05] Tim Shelton, Remote Heap Overflow, ACSSEC-2005-11-25 - 0x1, <URL:
http://packetstormsecurity.org/0512-advisories/ACSSEC-2005-11-25-0x1.txt>.
[Sla09] Marco Slaviero, BlackHat Presentation Demo Vids: Amazon, part 4 of 5, AMIBomb,
August 8, 2009, <URL: http://www.sensepost.com/blog/3797.html>.
[Sob06] Charles H. Sobey, Laslo Orto, and Glenn Sakaguchi, Drive-Independent Data Recovery: The Current State-of-the-Art, IEEE Transactions on Magnetics, February
2006, <URL:
http://www.actionfront.com/whitepaper/Drive%20Independent%20Data%20Recovery%20TMRC2005%20Preprint.pdf>.
[Som11] Juraj Somorovsky et al., All Your Clouds Belong to Us – Security Analysis of Cloud
Management Interfaces, ACM Cloud Computing Security Workshop (CCSW),
Chicago, October 21, 2011.
[Sto02] Gary Stoneburner, Alice Goguen, and Alexis Feringa, Risk Management Guide for
Information Technology Systems, SP 800-30, NIST, July 2002, <URL:
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf>.
[Sto10] Jon Stokes, EMC's Atmos Shutdown Shows Why Cloud Lock-in is Still Scary, Ars
Technica, July 2010, <URL: http://arstechnica.com/business/news/2010/07/emcsatmos-shutdown-shows-why-cloud-lock-in-is-still-scary.ars>.
[Sut09] John D. Sutter, Twitter Hack Raises Questions about 'Cloud Computing', CNN, July
16, 2009, <URL: http://edition.cnn.com/2009/TECH/07/16/twitter.hack/>.
[Swa06] Marianne Swanson, Joan Hash, Pauline Bowen, Guide for Developing Security Plans
for Federal Information Systems, NIST, Special Publication 800-18, Revision 1,
February 2006, <URL: http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf>.
[UCG10] Cloud Computing Use Cases White Paper, Version 4.0, Cloud Computing Use Case
Discussion Group, July 2, 2010, <URL:
http://opencloudmanifesto.org/Cloud_Computing_Use_Cases_Whitepaper-4_0.pdf>.
[Val08] Craig Valli, Andrew Woodward, The 2008 Australian Study of Remnant Data
Contained on 2nd Hand Hard Disks: The Saga Continues, The 6th Australian Digital
Forensics Conference, Perth, Western Australia, December 1-3, 2008, <URL:
http://conferences.secau.org/proceedings/2008/forensics/Valli%20and%20Woodward%202008%20remnant%20Data%20saga%20continues.pdf>.
[Vaq09] Luis M. Vaquero, Luis Rodero-Merino, Juan Caceres, Maik Lindner, A Break in
the Clouds: Towards a Cloud Definition, Computer Communication Review (CCR)
Online, Short technical Notes, January 2009, <URL:
http://ccr.sigcomm.org/online/files/p50-v39n1l-vaqueroA.pdf>.
[Vie09] Kleber Vieira, Alexandre Schulter, Carlos Westphall, Carla Westphall, Intrusion
Detection Techniques in Grid and Cloud Computing Environment, IT Professional,
IEEE Computer Society, August 26, 2009.
[Vij11] Jaikumar Vijayan, City of Los Angeles May Sue over Delays in Google Apps Project,
Computer World, April 18, 2011, <URL:
http://computerworld.co.nz/news.nsf/management/city-of-los-angeles-may-sue-overdelays-in-google-apps-project-report>.
[Vmw09] VMware Hosted Products and Patches for ESX and ESXi Resolve a Critical Security
Vulnerability, VMware Security Advisory, VMSA-2009-0006, <URL:
http://www.vmware.com/security/advisories/VMSA-2009-0006.html>.
[Vmw10] VMware vShield: Virtualization-Aware Security for the Cloud, product brochure,
2010, <URL: http://www.vmware.com/files/pdf/vmware-vshield_br-en.pdf>.
[Wai08] Phil Wainewright, Many Degrees of Multi-tenancy, ZDNET News and Blogs, June
16, 2008, <URL: http://blogs.zdnet.com/SAAS/?p=533>.
[Wal10] Hannah Wald, Cloud Computing for the Federal Community, IAnewsletter, Vol. 13,
No. 2, Information Assurance Technology Analysis Center, Spring 2010.
[Wei09] Jinpeng Wei, Xiaolan Zhang, Glenn Ammons, Vasanth Bala, Peng Ning, Managing
Security of Virtual Machine Images in a Cloud Environment, ACM Cloud Computing
Security Workshop (CCSW’09), Chicago, Illinois, November 13, 2009.
[Wei11] Thilo Weichert, Cloud Computing and Data Privacy, The Sedona Conference,
Working Group on International Electronic Information Management, Discovery &
Disclosure, February 2011, <URL: https://www.datenschutzzentrum.de/cloudcomputing/20100617-cloud-computing-and-data-privacy.pdf>.
[Whi09] Lance Whitney, Amazon EC2 Cloud Service Hit by Botnet, Outage, December 11,
2009, CNET News, <URL: http://news.cnet.com/8301-1009_3-10413951-83.html>.
[Wil10] Matt Williams, All Eyes are on Los Angeles as City Deploys Cloud-Based E-Mail,
Government Technology, February 10, 2010, <URL:
http://www.govtech.com/gt/744804?id=744804&full=1&story_pg=1>.
[Xen08] Xen Architecture Overview, Version 1.2, Xen Wiki Whitepaper, February 13, 2008,
<URL:
http://wiki.xensource.com/xenwiki/XenArchitecture?action=AttachFile&do=get&target=Xen+Architecture_Q1+2008.pdf>.
[You07] Greg Young, Neil MacDonald, John Pescatore, Limited Choices are Available for
Network Firewalls in Virtualized Servers, Gartner, Inc., ID Number: G00154065,
December 20, 2007, <URL: http://www.reflexsystems.com/Content/News/20071220-GartnerVirtualSecurityReport.pdf>.
[You08] Lamia Youseff, Maria Butrico, Dilma Da Silva, Toward a Unified Ontology of Cloud
Computing, Grid Computing Environments Workshop (GCE08), held in conjunction
with SC08, November 2008, <URL:
http://www.cs.ucsb.edu/~lyouseff/CCOntology/CloudOntology.pdf>.
[Zet09a] Kim Zetter, FBI Defends Disruptive Raids on Texas Data Centers, Wired Magazine,
April 7, 2009, <URL: http://www.wired.com/threatlevel/2009/04/data-centers-ra/>.
[Zet09b] Kim Zetter, Bank Sends Sensitive E-mail to Wrong Gmail Address, Sues Google,
Wired Magazine, September 21, 2009, <URL:
http://www.wired.com/threatlevel