Fundamental Security Principles That Should be Followed by Cloud Vendors
The Cloud Security Alliance has developed the Cloud Controls Matrix, a catalog of controls intended both to outline the fundamental security principles that cloud vendors should follow and to help prospective cloud customers assess the overall security risk of a cloud provider. ("Cloud Controls Matrix," March 8, 2013, Cloud Security Alliance)
These controls are divided into the areas shown in Table 1.
Table 1: Cloud Computing Control Areas
Compliance:
- Audit planning
- Independent audits
- Third party audits
- Contact/authority maintenance
- Information system regulatory mapping
- Intellectual property

Data governance:
- Ownership/stewardship
- Classification
- Handling/labeling/security policy
- Retention policy
- Secure disposal
- Non-production data
- Information leakage
- Risk assessments

Facility security:
- Policy
- User access
- Controlled access points
- Secure area authorization
- Unauthorized persons entry
- Offsite authorization
- Offsite equipment
- Asset management

Human resources security:
- Background screening
- Employment agreements
- Employment termination

Information security:
- Management program
- Management support/involvement
- Policy
- Baseline requirements
- Policy reviews
- Policy enforcement
- User access policy
- User access restriction/authorization
- User access revocation
- User access reviews
- Training/awareness
- Industry knowledge/benchmarking
- Roles/responsibilities
- Management oversight
- Segregation of duties
- Encryption
- Encryption key management
- Vulnerability/patch management
- Antivirus/malicious software
- Incident management
- Incident reporting
- Incident response legal preparation
- Incident response metrics
- Acceptable use
- Asset returns
- eCommerce transactions
- Audit tools access
- Diagnostic/configuration ports access
- Network/infrastructure services
- Portable/mobile devices
- Source code access restriction
- Utility programs access

Legal:
- Non-disclosure agreements
- Third party agreements

Operations management:
- Policy
- Documentation
- Capacity/resource planning
- Equipment maintenance

Risk management:
- Program
- Assessments
- Mitigation/acceptance
- Business/policy change impacts
- Third party access

Release management:
- New development/acquisition
- Production changes
- Quality testing
- Outsourced development
- Unauthorized software installations

Resiliency:
- Management program
- Impact analysis
- Business continuity planning
- Business continuity testing
- Environmental risks
- Equipment location
- Equipment power failures
- Power/telecommunications

Security architecture:
- Customer access requirements
- Data integrity
- Production/non-production environments
- Remote user multifactor authentication
- Network security
- Segmentation
- Wireless security
- Shared networks
- Clock synchronization
- Equipment identification
- Audit logging/intrusion detection
- Mobile code
Much is written about the risks of public cloud computing models, but many of those risks can be mitigated through effective due diligence and risk management. The risks of private clouds are closer to those of traditional data centers. Hybrid models are also emerging, in which the most sensitive data remains in a private cloud while other workloads use public services. Because a hybrid deployment combines the private and public models, the risks of both must be taken into account.
This article was adapted from the Faulkner Information Services library of reports. For more information, visit www.faulkner.com. To subscribe to Faulkner Information Services, visit http://www.faulkner.com/showcase/subscription.asp.