Article details

Title: Aspects of Security Standards for Cloud Computing
Author(s): Mihai Togan

Abstract: Cloud solutions have matured in recent years, giving companies and individual users the possibility to externalize their IT infrastructures and electronic data processing needs. Standardization is an important topic in every field, playing a key role in achieving a good level of interoperability and trust. With regard to the security of cloud environments, the maturity of the standards, together with the existence of schemes for certifying that they are adopted and applied, strongly supports trust in cloud services. This paper surveys the state of standardization and regulatory initiatives in the field of cloud service security. To this end, we present various references to cloud security standards that are in their final stages or available as draft versions.

Keywords: cloud, security, standards, audit, risk management.

References:

[1] ISO/IEC – Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC 27001:2013
[2] ISO/IEC – Information technology – Security techniques – Code of practice for information security controls, ISO/IEC 27002:2013
[3] ISO/IEC – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, ISO/IEC 27018:2014
[4] ISO/IEC – Information security management for cloud systems, ISO/IEC 27017: Draft
[5] NIST – NIST Cloud Computing Standards Roadmap, NIST Special Publication 500-291, Version 2, Jul. 2013
[6] NIST – NIST Cloud Computing Reference Architecture, NIST Special Publication 500-292, Sep. 2011
[7] NIST – US Government Cloud Computing Technology Roadmap, Vol. I: High-Priority Requirements to Further USG Agency Cloud Computing Adoption, NIST Special Publication 500-293, 2014
[8] NIST – US Government Cloud Computing Technology Roadmap, Vol. II: Useful Information for Cloud Adopters, NIST Special Publication 500-293, Draft, Nov. 2011
[9] NIST – US Government Cloud Computing Technology Roadmap, Vol. III: Technical Considerations for USG Cloud Computing Deployment Decisions, NIST Special Publication 500-293, Draft, Oct. 2011
[10] NIST – Guidelines on Security and Privacy in Public Cloud Computing, NIST Special Publication 800-144, Dec. 2011
[11] NIST – The NIST Definition of Cloud Computing, NIST Special Publication 800-145, Sep. 2011
[12] NIST – Cloud Computing Synopsis and Recommendations, NIST Special Publication 800-146, May 2012
[13] NIST – Inventory of Standards Relevant to Cloud Computing, NIST Cloud Computing Collaboration Site, Accessed in December 2014
[14] NIST – NIST Cloud Computing Security Reference Architecture, NIST Special Publication 500-299, Draft, 2013
[15] NIST – Cloud-adapted Risk Management Framework: Guide for Applying the Risk Management Framework to Cloud-based Federal Information Systems, NIST Special Publication 800-173, Work in progress
[16] NIST – Security and Privacy Controls for Cloud-based Federal Information Systems, NIST Special Publication 800-174, Work in progress
[17] NIST – Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53, Revision 4, Apr. 2013
[18] CSA – Trusted Cloud Initiative – Reference Architecture, Cloud Security Alliance, https://research.cloudsecurityalliance.org/tci/
[19] NIST – Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, NIST Special Publication 800-37, Revision 1, Feb. 2010
[20] NIST – Standards for Security Categorization of Federal Information and Information Systems, Federal Information Processing Standards Publication, FIPS PUB 199, Feb. 2004
[21] NIST – Minimum Security Requirements for Federal Information and Information Systems, Federal Information Processing Standards (FIPS) 200, 2006
[22] ETSI – Cloud Standards Coordination: Final Report, ETSI Report, Version 1.0, Nov. 2013
[23] ITU-T – Global Information Infrastructure, Internet Protocol Aspects and Next-generation Networks: Cloud Computing – Cloud computing framework and high-level requirements, ITU-T Recommendation Y.3501, May 2013
[24] ITU-T – Global Information Infrastructure, Internet Protocol Aspects and Next-generation Networks: Cloud Computing – Cloud computing infrastructure requirements, ITU-T Recommendation Y.3510, May 2013
[25] ITU-T – Global Information Infrastructure, Internet Protocol Aspects and Next-generation Networks: Cloud Computing – Cloud computing framework for end-to-end resource management, ITU-T Recommendation Y.3520, Jun. 2013
[26] ITU-T – Cloud computing security – Overview of cloud computing security: Security framework for cloud computing, ITU-T Recommendation X.1601, Jan. 2014
[27] CSA – Security Guidance for Critical Areas of Focus in Cloud Computing: Security Guidance for Critical Areas of Cloud Computing, Version 3.0, Cloud Security Alliance, Nov. 2011
[28] CSA – Cloud Control Matrix (CCM), Cloud Security Alliance, Version 3.0.1, 2014
[29] CSA – Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing, Cloud Security Alliance, Jun. 2013
[30] ISO/IEC – Information technology – Security techniques – Guidelines for identification, collection, acquisition and preservation of digital evidence, ISO/IEC 27037:2012
[31] CSA – Cloud Security Alliance Research, Cloud Security Alliance website, Accessed in Dec. 2014
[32] CSA – Open Security Framework for Cloud Providers, Cloud Security Alliance, Aug. 2012
[33] ENISA – Cloud Computing: Benefits, risks and recommendations for information security, ENISA Report, Nov. 2009
[34] ENISA – Security and Resilience in Governmental Clouds, ENISA Report, Jan. 2011
[35] ENISA – Good Practice Guide for securely deploying Governmental Clouds, ENISA Report, 2013
[36] ENISA – Cloud Security Incident Reporting: Framework for reporting about major cloud security incidents, ENISA Report, Dec. 2013
[37] ENISA – Survey and analysis of security parameters in cloud SLAs across the European public sector, ENISA Report, 2011
[38] ENISA – Cloud Computing Certification - CCSL and CCSM, ENISA website, Accessed in Dec. 2014
[39] ENISA – Auditing Security Measures: An Overview of Schemes for Auditing Security Measures, ENISA Report, Sep. 2013
[40] ENISA – Certification in the EU Cloud Strategy, ENISA Report, Nov. 2014
[41] IETF – The OAuth 2.0 Authorization Framework, Internet Standard, RFC 6749, Oct. 2012
[42] IETF – The OAuth 2.0 Authorization Framework: Bearer Token Usage, Internet Standard, RFC 6750, Oct. 2012
[43] IETF – OAuth 2.0 Threat Model and Security Considerations, Internet Standard, RFC 6819, Jan. 2013
[44] IETF – OAuth 2.0 Token Revocation, Internet Standard, RFC 7009, Aug. 2013
[45] ODCA – Usage: Data Security Framework Rev 1.0, Open Data Center Alliance, 2013
[46] CSCC – Resource Hub, CSCC Deliverables, Cloud Standards Customer Council, http://www.cloud-council.org/resource-hub.htm
[47] EU – Unleashing the Potential of Cloud Computing in Europe, European Union Commission, Brussels, Sep. 2012, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0529:FIN:EN:PDF