In Securing the Cloud, author J.R. “Vic” Winkler describes techniques to secure cloud computing. Winkler provides a framework for enterprises to transition to the cloud safely, taking into account alternative approaches, such as private vs. public and SaaS vs. IaaS. The book covers architectural aspects of securing a cloud, requirements for cloud data security and security criteria for building an internal cloud. The following excerpt comes from Chapter 9, Evaluating Cloud Security: An Information Security Framework, which provides tools for a cloud security assessment.
Most users of a cloud, whether it is a private or a public cloud, have certain expectations for the security of their data. Similarly, the owner and operator of a cloud share responsibility for ensuring that security measures are in place and that standards and procedures are followed. We can capture our expectations and responsibilities for security by stating them formally in documented requirements. For example, the NIST 800-53 security controls (discussed in Chapter 6) detail specific requirements for federal government systems, and systems fielded by government agencies must generally comply with these and related NIST requirements. The Cloud Security Alliance Controls Matrix takes a similar approach in detailing security requirements for cloud implementations, and there is a growing trend among commercial users to adopt such generally accepted requirements. A good starting point for measuring the presence and effectiveness of a cloud's security is therefore a list of required or recommended security controls.
To begin, there are two aspects to security controls in cloud implementations. The first is the presence of the control. The second is the effectiveness or robustness of the control. In other words, it is not enough that a security control is present; that control also needs to be effective. Going further, one can describe this as the degree of trust (or assurance) that can be expected from these controls. For instance, a cloud may implement encrypted communications between the cloud and an external user, but if we are evaluating the effectiveness of that control, then we also need to verify that it is properly designed, correctly implemented, and actually tested: an endpoint that offers TLS but still accepts legacy protocol versions, weak cipher suites, or a plaintext fallback has the control present without having it effective.
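What the presence-versus-effectiveness distinction looks like when an evaluator writes it down as a check, using the encrypted-communications control from the paragraph above. This is an added example and not code from Securing the Cloud; the observation fields (`tls_protocols`, `cipher_suites`, `client_verifies_cert`, `plaintext_fallback`), the legacy-protocol and weak-cipher lists, and the sample endpoints are all constructed assumptions for illustration, standing in for whatever a scanner or configuration export would report.

```python
"""Presence versus effectiveness of one security control (encrypted
communications), as an evaluator might encode it.

Added illustration, not code from Securing the Cloud. The observation
fields, the weak-protocol / weak-cipher thresholds and the sample endpoints
are constructed assumptions for this example.
"""
from dataclasses import dataclass, field

# Thresholds the evaluator treats as "not effective". Constructed for the
# example; a real assessment takes these from the requirement being
# evaluated (e.g. the relevant controls-matrix entry).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "anon")


@dataclass
class ControlFinding:
    control: str
    present: bool          # is the control there at all?
    effective: bool        # does it actually achieve its purpose?
    issues: list = field(default_factory=list)


def assess_encrypted_transport(observed: dict) -> ControlFinding:
    """Evaluate one endpoint against the 'encrypted communications' control.

    Presence: the endpoint offers TLS.
    Effectiveness: only current protocol versions, no weak cipher suites,
    certificate validation enforced by clients, and no plaintext path left
    open beside the encrypted one.
    """
    name = "encrypted communications"
    protocols = set(observed.get("tls_protocols", []))
    if not protocols:
        # Control absent: nothing further to evaluate.
        return ControlFinding(name, present=False, effective=False,
                              issues=["endpoint offers no TLS"])

    issues = []
    legacy = sorted(protocols & LEGACY_PROTOCOLS)
    if legacy:
        issues.append(f"legacy protocol versions enabled: {legacy}")

    weak = [c for c in observed.get("cipher_suites", [])
            if any(marker in c for marker in WEAK_CIPHER_MARKERS)]
    if weak:
        issues.append(f"weak cipher suites accepted: {weak}")

    if not observed.get("client_verifies_cert", False):
        issues.append("clients do not validate the server certificate")

    if observed.get("plaintext_fallback", False):
        issues.append("plaintext protocol still accepted alongside TLS")

    # Present in every case below; effective only if no issue was found.
    return ControlFinding(name, present=True, effective=not issues, issues=issues)


# Constructed sample observations for three endpoints.
SAMPLE_ENDPOINTS = {
    "api.example.internal": {          # control present and effective
        "tls_protocols": ["TLSv1.2", "TLSv1.3"],
        "cipher_suites": ["TLS_AES_256_GCM_SHA384",
                          "ECDHE-RSA-AES128-GCM-SHA256"],
        "client_verifies_cert": True,
        "plaintext_fallback": False,
    },
    "legacy.example.internal": {       # control present but not effective
        "tls_protocols": ["TLSv1.0", "TLSv1.2"],
        "cipher_suites": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"],
        "client_verifies_cert": False,
        "plaintext_fallback": True,
    },
    "batch.example.internal": {        # control absent
        "tls_protocols": [],
        "cipher_suites": [],
    },
}


def assess_all(endpoints: dict) -> dict:
    """Map each endpoint name to its ControlFinding."""
    return {host: assess_encrypted_transport(obs)
            for host, obs in endpoints.items()}


if __name__ == "__main__":
    for host, finding in assess_all(SAMPLE_ENDPOINTS).items():
        status = ("effective" if finding.effective
                  else "present, NOT effective" if finding.present
                  else "ABSENT")
        print(f"{host}: {finding.control} -> {status}")
        for issue in finding.issues:
            print(f"    - {issue}")
```

The point of keeping `present` and `effective` as separate fields is that a checklist-style assessment (a box ticked for "encryption in transit") only ever records the first; the second requires evidence about how the control is configured and whether clients actually enforce it, which is the degree-of-assurance question the text raises.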
Measuring the presence and/or effectiveness of security controls (against security requirements) is largely what security evaluations are intended to do. Security evaluations have broad value as guidance for planning or developing security and for verifying that required controls are properly implemented. But evaluations also have utility for procurement of cloud services; for instance, a CSP may choose to publish the high-level results of a third party security evaluation. In addition, if we are to compare the security of two or more clouds, then that will entail having a common set of criteria for evaluation.
On the basis of the sensitivity of data or the expected risk of a system, we should undergo an initial requirements phase in which appropriate security controls are identified. If we subsequently perform a thorough assessment of the decision process that led to identifying those controls, and couple that assessment with a security evaluation of the effectiveness of the controls that were implemented, then we should have a fairly good understanding of whether the overall cloud service has a sound security posture relative to the risk it faces.
Reprinted with permission from Elsevier Inc. Copyright 2011. "Securing the Cloud" by J.R. “Vic” Winkler. For more information about this title and similar books, please visit the book’s page on the Syngress website.