Standards for Security
The European Commission has recently stated that widespread adoption of cloud computing would be crucial for improving productivity levels in the European economy, and that Europe should aim to be the world’s leading “trusted cloud region.” However, people are concerned and security in the cloud remains one of the largest barriers to the cloud. This is compounded even more with many high-profile cloud-related security scandals in the news The Steering Board of the European Cloud Partnership (ECP) recognised that “data security can be the most important issue in the uptake of cloud computing”, and underlined moreover “the need for broad standardisation efforts.”
CloudWATCH has identified the following security standards that are suitable for cloud computing
ISO / EIC 27018 Code of practice for data protection controls for public cloud computing services - ISO
ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
ISO/IEC 27018:2014 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations. The guidelines in ISO/IEC 27018:2014 might also be relevant to organizations acting as PII controllers; however, PII controllers can be subject to additional PII protection legislation, regulations and obligations, not applying to PII processors. ISO/IEC 27018:2014 is not intended to cover such additional obligations.
Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. This "Build It Right" strategy is coupled with a variety of security controls for "Continuous Monitoring" to give organisations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.
The Cloud Computing Security Reference Architecture, lays out a risk-based approach of establishing responsibilities for implementing necessary security controls throughout the cloud life cycle. This security reference architecture draws on and supplements a number of other NIST publications to provide the security needed to speed adoption of cloud computing. This document supplements SP 500-292, Cloud Computing Reference Architecture. The security reference architecture provides “a comprehensive formal model to serve as security overlay to the architecture” in SP 500-292.
The draft publication describes a methodology for applying the Risk Management Framework described in SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, adapted for the cloud. The formal model and security components in the draft are derived from the Cloud Security Alliance’s Trusted Cloud Initiative - Reference Architecture.
Cloud Controls Matrix (CCM) - Cloud Security Alliance
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.
Open Certification Framework (OCF) - Cloud Security Alliance
The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers. The framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives. The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost.
It is based upon the control objectives and continuous monitoring structure as defined within the CSA GRC (Governance, Risk and Compliance) Stack research projects. It will support several tiers, recognizing the varying assurance requirements and maturity levels of providers and consumers. These will range from the CSA Security, Trust and Assurance Registry (STAR) self-assessment to high-assurance specifications that are continuously monitored.
Cloud Trust Protocol (CTP) - Cloud Security Alliance
The CloudTrust Protocol (CTP) is the mechanism by which cloud service consumers (also known as “cloud users” or “cloud service owners”) ask for and receive information about the elements of transparency as applied to cloud service providers. The primary purpose of the CTP and the elements of transparency is to generate evidence-based confidence that everything that is claimed to be happening in the cloud is indeed happening as described, …, and nothing else. This is a classic application of the definition of digital trust. And, assured of such evidence, cloud consumers become liberated to bring more sensitive and valuable business functions to the cloud, and reap even larger payoffs. With the CTP cloud consumers are provided a way to find out important pieces of information concerning the compliance, security, privacy, integrity, and operational security history of service elements being performed “in the cloud”.
CloudAudit - Cloud Security Alliance
The goal of CloudAudit is to provide a common interface and namespace that allows enterprises who are interested in streamlining their audit processes (cloud or otherwise) as well as cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. CloudAudit is a volunteer cross-industry effort from the best minds and talent in Cloud, networking, security, audit, assurance and architecture backgrounds. The CloudAudit Working group was officially launched in January 2010 and has the participation of many of the largest cloud computing providers, integrators and consultants.
Privacy Level Agreement - Cloud Security Alliance
With its mission to support the creation of a transparent and trusted cloud market and in order to remove barriers to cloud adoption, the CSA is defining baselines for compliance with data protection legislation and best practices by defining a standard format for Privacy Level Agreements (PLAs) and standards, through which a cloud service provider declares the level of privacy (personal data protection and security) that it sustains for the relevant data processing.
The CSA believes that the PLA outline can be a powerful self-regulatory harmonization tool and could bring results that are difficult to obtain using traditional legislative means. Moreover, we see the PLA as:
- A clear and effective way to communicate to (potential) cloud customers the level of personal data protection provided by a CSP.
- A tool to assess the level of a CSP’s compliance with data protection legislative requirements and best practices.
- A way to offer contractual protection against possible financial damages due to lack of compliance.
PLA are meant to be similar to SLA for privacy. In the PLA (typically an attachment to the Service Agreement) the CSP will clearly declare the level of privacy and data protection that it undertakes to maintain with respect to the relevant data processing, in a format similar to that which is used by other CSPs. CSPs have realized the importance of privacy disclosures, and they are devoting time and resources at improving their privacy disclosures, in order to reassure the customers about their data handling practices. This working group will be working on the definition of a template (i.e., a sample outline) for PLA.
EuroCloud Star Audit (ESCA) - EuroCloud
The certification scheme “EuroCloud Star Audit” (ECSA) was established in order to establish trust in cloud services both on the customer and the user side. The purpose of the ECSA and auditing Cloud Services is to provide an accountable quality rating of Cloud Services. This certification is specifically designed for IaaS, PaaS and SaaS and defines graded levels of performance to be met in specific fields if the cloud service provider in question is to be certified as reliable.
ECSA is a mature certification scheme, especially designed to asses cloud service. EuroCloud evaluates a cloud service against the requirements of the ECSA audit scheme and covers all participants of the specific supply chain of a cloud service. The ECSA audit has a non-negotiable mandatory bandwidth of all important areas which include: provider's profile, contract and compliance including data privacy protection against local law, security, operations, environment and technical infrastructure, processes and relevant parts of the application and implementation up to interoperability and data portability.
Data Security Framework - Open Data Center Alliance
The Framework defines requirements associated with increasing data security in the cloud, and documents the following data security controls:
- Access control - Controlling who or what can access which data when, and in what context.
- Information classification - Identifying the sensitivity of the data and the impact of unauthorized access, as well as the organization’s need for data integrity and data availability.
- Data encryption - Applying the appropriate encryption techniques to enforce data confidentiality requirements.
- Data masking techniques - Further increasing data security in the cloud through anonymization and tokenization.
- Security information and event management - Tracking and responding to data security triggers, to log unauthorized access to data and send alerts where necessary.
- Backup, archiving, and deletion - Identifying backup requirements and how those relate to secure storage and secure destruction of data when it is no longer needed.
This framework serves a variety of audiences. Business decision makers looking for specific information around data security and enterprise IT groups involved in planning and operations will find this document useful. Solution providers and technology vendors will benefit from its content to better understand customer needs and tailor service and product offerings. Standards organizations will find the information helpful in defining standards that are open and relevant to end users.