Cloud Security Standards
Whether an organization is considering SaaS (software as a service) applications, PaaS (platform as a service) models or IaaS (infrastructure as a service) options, it’s pretty much a given that security and compliance issues will be priority considerations. However, potential cloud service customers do run into trouble trying to determine if the security and audit programs of cloud service providers are adequate. For one thing, many service providers don’t release details about their security controls. Also, regulation for service provider controls is inconsistent.
This article takes a look at some of the resources available for current and potential cloud customers to assess the security of a service provider.
CSA Best Practices
According to IT service provider CDW, survey results show that 70% of cloud users don’t certify their cloud service provider’s security measures. The Cloud Security Alliance (CSA) is a leader in cloud security standard creation and implementation. The CSA has released a set of security standards specific to the cloud, available for both cloud customers and service providers.
This set of standards is referred to as the Cloud Controls Matrix (CCM) and consists of about 100 controls and assessment guidelines that span a diverse range of best practices for ensuring security in the cloud. The CCM also includes several regulatory and compliance mandates, including PCI, HIPAA, ISO/IEC, NIST and COBIT.
The CCM is organized according to the thirteen domains that are outlined in the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing. The domains are as follows:
- Cloud computing architectural framework
- Governance and enterprise risk management
- Legal and electronic discovery
- Compliance and audit
- Information lifecycle management
- Portability and interoperability
- Traditional security, business continuity and disaster recovery
- Data center operations
- Incident response, notification and remediation
- Application security
- Encryption and key management
- Identity and access management
- Virtualization
These domains encompass best practices that can help regulate cloud security policy and practices.
Independent Auditing
Another thing to consider when assessing the security of a cloud service provider is whether it has been audited by an independent body. Audits can help to ensure that the provider has all of the essential security processes and controls in place.
However, it’s important to note that not all audits are adequately designed to assess the unique environment of the cloud. For instance, industry standards such as SAS 70 do not cover cloud services. Furthermore, SAS 70 audits involve vague, subjective controls which are often defined by the provider or auditor. It’s crucial to ensure that your cloud service provider has aligned itself with governance, controls and security standards that are specific to cloud computing. The CSA conducts third-party audits that would be suitable.
A Forrester Research report conducted for risk and security professionals reveals that the CSA’s cloud security standards are the most thorough, as the CSA “Takes a more holistic view of Cloud security. In addition, the CSA has the widest participation from users as well as Cloud vendors.”
Transparency Claims
Once you’ve found a provider that seems to have its security controls audited, take it one step further. Ask the service provider exactly which controls it has implemented. A CSA audit demonstrates how each CSA control requirement has been met, unlike SAS 70 audits, which are restricted to use by the service provider and auditor. Such audits may not even document how controls are actually met.
As recent cloud service outages have shown, transparency is extremely important, especially during a crisis. For instance, when Amazon’s Elastic Compute Cloud (EC2) went down in April 2011, its lackluster communications were called out by unsatisfied customers.
Summary
This article has looked at existing cloud security standards and practices that customers can use to decide whether their cloud service provider can be trusted. According to IT service provider CDW, survey results show that 70% of cloud users don’t certify their cloud service provider’s security measures. Three key actions are available to current or prospective cloud customers: follow CSA best practices, ensure their service provider has been audited by an independent body, and double-check the service provider’s transparency claims.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Contractual security requirements (Domain 2)
- Enterprise and Information Risk Management (Domain 2)
- Contract enforceability (Domain 3)
- Compliance impact on cloud contracts and compliance analysis requirements (Domain 4)
- SAS 70 Type II (Domain 4)
- Auditor requirements (Domain 4)