Just where do providers obtain guidance on how they should manage their activities and services -- especially security services -- in the cloud? I'd like to offer a few ideas on some good references and secure cloud computing "how to" documents that are useful for users and providers alike.
Obviously, cloud vendors have their own ideas about how to provide services, ensure security and, of course, keep the customer satisfied; however, if you want objective advice in this space, where do you go? Essentially, there are three key resources for you to consider:
- Cloud Security Alliance (CSA)
- European Network and Information Security Agency (ENISA)
- National Institute of Standards and Technology (NIST)
Each of these organizations has recently published objective guidelines for cloud operations and security. They developed these thorough documents using input and comments from industry, academic and government experts.
Cloud Security Alliance (CSA)
The Cloud Security Alliance, or CSA, was formed in early December 2008 in Silicon Valley as a grassroots effort to create and apply best practices for securing cloud computing. The CSA recognizes that a secure cloud is a "shared responsibility" and, as such, the guidance it provides is written for both users and providers.
The CSA published its first security guideline in April 2009: "Security Guidance for Areas of Focus in Cloud Computing."
Since its launch, this seminal publication has continued to exceed the CSA leadership's expectations for helping organizations around the world make informed decisions regarding if, when and how they will adopt cloud computing services and technologies. Over the last year, however, cloud computing technologies have evolved at an astounding rate. Hence a second version, Version 2.1, was released, again with input from business, academic and government experts around the world. The second version of the CSA guide is designed to provide both new knowledge and greater depth to support these challenging decisions.
To give you a sense of the contents of the CSA security guide -- especially with an eye to guidance for cloud providers/vendors -- the key domains of focus are the following:
- Domain 1: Cloud Computing Architectural Framework
Governing in the Cloud:
- Domain 2: Governance and Enterprise Risk Management
- Domain 3: Legal and Electronic Discovery
- Domain 4: Compliance and Audit
- Domain 5: Information Lifecycle Management
- Domain 6: Portability and Interoperability
Operating in the Cloud:
- Domain 7: Traditional Security, Business Continuity and Disaster Recovery
- Domain 8: Data Center Operations
- Domain 9: Incident Response, Notification and Remediation
- Domain 10: Application Security
- Domain 11: Encryption and Key Management
- Domain 12: Identity and Access Management
- Domain 13: Virtualization
In the Cloud Security Alliance guide V2.1, the Information Life Cycle section (Pages 40 -- 42) sets out mandates for the cloud service provider to observe. Examples include:
- The cloud computing provider must assure the data owner that it provides full disclosure (aka "transparency") regarding security practices and procedures, as stated in its service-level agreements (SLAs).
- Cloud service providers should offer contractual language that warrants the denial of access to data as a fundamental philosophy (i.e., "Default Deny All"). This applies specifically to cloud service employees and to customers other than the data owner's employees and authorized personnel.
As you look these domain topics over -- and especially when you examine the actual guideline -- you will find substantial guidance on expectations for cloud security operations. As such, the guide is an excellent basis for a cloud provider to ensure that its policies, standards, guidelines and performance support these recommendations.
European Network and Information Security Agency (ENISA)
Obviously, cloud computing is a global initiative. ENISA brought together over two dozen contributors to prepare and publish the document "Cloud Computing -- Benefits, Risks and Recommendations for Information Security" in November 2009.
Although the document is focused on assurance for cloud customers, the contents, frameworks, use cases/scenarios and requirements cited in the guide can certainly be used by cloud providers in the same way as the CSA guidance. Providers should use it to understand the expectations for confidentiality, integrity and availability of the data entrusted to them.
The ENISA cloud computing guide includes detailed discussions of the benefits, risks and vulnerabilities of cloud computing -- again, topics a cloud vendor should be very familiar with in order to ensure customer satisfaction.
There are some excellent details, for example, beginning on Page 69 under the topic "Information Assurance Requirements." A cloud provider that studies these requirements can better understand the actions necessary in such areas as operational security, identity and access management, change control procedures and remote access policy.
National Institute of Standards and Technology (NIST)
As of this writing, there are no NIST Special Publications on cloud computing and/or cloud security; however, there is an excellent presentation/primer on cloud computing entitled "Presentation on Effectively and Securely Using the Cloud Computing Paradigm." It is an excellent summary of the key strengths, weaknesses and challenges of implementing cloud computing. Although this document does not identify specific guidance for a cloud provider, a provider could use it as a means of educating its prospective customers.
Cloud vendors need to realize that the documents summarized above exist and will be used by their customers to grade and evaluate their cloud computing services. Therefore, it is in the best interest of the cloud service provider to understand and digest these guidelines and to demonstrate its responsiveness to their suggestions. A vendor that doesn't pay attention to these "mandates" -- guidelines though they are -- may find that customers notice, and may not be successful in the marketplace.
The secure cloud computing "how to" documents above offer many points of guidance for the cloud service provider. The directions are there; however, it may take some detailed reading by the cloud provider to readily understand these expectations.
Understanding cloud computing and cloud security is like eating an elephant: you do it one bite at a time. You simply need to read, study and absorb one part at a time. This article has given you -- the cloud provider -- some ideas on what your customers expect, and as such you may want to start with one of these documents to best understand cloud security expectations.
About the author:
Ernie Hayden is a practicing security professional and consultant living in the Seattle area. He holds a Certified Information Systems Security Professional certification and is a Certified Ethical Hacker.