Cloud Security

Category: Cloud Computing Standards

Cloud security services provide a broad set of capabilities to protect system data, customer information, managed application functions and the associated infrastructure services. They minimize the impact that security-related threats and vulnerabilities might have on an organization.


Standards Overview

Cloud Services One Can Trust

One of the primary concerns with the use of cloud services is the risk that customer information becomes subject to unauthorized access, improper distribution, or use for malicious purposes. To address this concern, cloud service providers and consumers need to establish a discipline of secure capture, processing, storage and sharing of cloud-based information resources, backed by a framework of controls that enforces that discipline.

The security challenges that Cloud Computing presents are intimidating, particularly those related to public clouds, where platform solutions and infrastructure are owned and operated by a third party that delivers services to the general public in a multi-tenant environment. However, with a proper Governance, Risk and Compliance (GRC) strategy and processes adapted to the Cloud Ecosystem, such challenges can be addressed effectively.

The following publications provide recommendations on cloud security controls and party responsibilities:

  • ISO/IEC 27017 — Code of Practice for Information Security Controls for Cloud Computing Services
  • ISO/IEC 27018 — Code of Practice for PII Protection in Public Clouds Acting as PII Processors
  • NIST SP 800-144 — Guidelines on Security and Privacy in Public Cloud Computing
  • NIST SP 500-299 — Cloud Computing Security Reference Architecture

Security

Cloud computing has extended the enterprise security boundary from a self-managed environment to an external and only partially trusted zone.

Security considerations for the cloud include strategies to protect capital assets, safe cloud deployment processes, and mechanisms to meet regulatory requirements.

Cloud service providers need to enable policy-based service delivery to convince their clients that they can effectively manage the clients' confidential digital assets.

Client organizations should take a risk-based approach when analyzing security and privacy options and when deciding whether to place critical business functions in a cloud.