We’ve come a long way from the early days of cloud computing.
We now look at cloud computing seriously in terms of a ‘Business Benefits with Security, Governance and Assurance Perspective’, the aptly titled ISACA Emerging Technology White Paper. To help promote information security and good practices related to cloud computing, ISACA has joined the Cloud Security Alliance (CSA, www.cloudsecurityalliance.org).
CSA has followed the definition given by NIST for cloud computing: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
This cloud model promotes availability, and comprises five essential characteristics, three service models, and four deployment models (see box).
We could follow CSA’s ‘Security Guidance for Critical Areas of Focus in Cloud Computing (v2.1)’, published in December 2009, to evaluate the security of cloud computing solutions. In brief, the advice given by CSA is to adopt a risk-based approach.
- First, identify which data or functions are being considered for the cloud.
- Next, determine the importance of that data or function to the organization by asking questions framed around confidentiality, integrity and availability requirements.
- The next step is to determine the most appropriate cloud deployment model, i.e. public, private, community or hybrid.
- The final step is to evaluate the potential cloud service model by focusing on the degree of control you will have for implementing risk mitigations in the different SPI (SaaS, PaaS, IaaS) tiers.
The cloud service provider needs to answer questions regarding the security controls it is responsible for in each service model. The consumer can then identify the additional controls it must put in place itself to meet its security requirements. This involves performing a gap analysis exercise: for example, the gap analysis could be done against the PCI DSS security requirements that the organization has to comply with, compared against the security controls being provided by the cloud service provider.
The CSA document divides the security guidance into three sections and 13 domains:
Section I - Cloud architecture
This section comprises the single domain of the cloud computing architecture framework. It provides the conceptual framework essential to understanding cloud computing from the perspective of network and security professionals.
The next two sections, comprising the remaining 12 domains, provide guidance regarding specific issues faced by security professionals.
Section II - Governing in the cloud
This section covers the domains of Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; and Portability and Interoperability.
Section III - Operating in the cloud
This section covers the domains of Traditional Security, Business Continuity and Disaster Recovery; Data Center Operations; Incident Response, Notification, and Remediation; Application Security; Encryption and Key Management; Identity and Access Management; and Virtualization.
Currently there are no publicly available standards for cloud computing. By following the guidance provided by CSA, we can be assured that we are following the most current practices.