Article details

Title: Aspects of Security Standards for Cloud Computing
Author(s): Mihai Togan

Abstract: Cloud solutions have matured in recent years, giving companies and individual users the possibility to outsource their IT infrastructure and electronic data processing needs. Standardization is important in every field, playing a key role in achieving interoperability and trust. With regard to the security of cloud environments, the maturity of the relevant standards and the existence of schemes for certifying compliance with them are strong arguments in favour of trusting a cloud service. This paper surveys the state of standardization and regulatory initiatives in the field of cloud service security. In this respect, we present various references to cloud security standards that are either in their final stages or still in draft form.

Keywords: cloud, security, standards, audit, risk management.
