Cloud service Provider Security: enhancing cloud computing transparency

One of the most pressing challenges for businesses wishing to take advantage of cloud computing services is the issue of transparency. How should they assess the security of cloud computing service providers (CSPs) and how they should determine the credibility and reliability of a particular CSP?

The security, trust, and warranty registration (STAR) of the Cloud Computing Security Alliance, launched last year, is an attempt to make CSP security and operations more transparent and open. But other groups in the industry are working to improve the transparency of cloud computing that companies should be familiar with. Although they adopt different approaches, their objectives are consistent, namely, to further promote the transparency and openness of CSP security and operations.

Cloud computing transparency: Open Data Center Alliance

The Open Data Center Consortium (ODCA) is an independent IT consortium that provides guidance on standards, usage patterns, and other areas related to data center operations and cloud computing. The model is community driven, which provides ODCA members with advice to develop specific usage patterns that provide detailed consideration of data center challenges and usage, particularly with regard to the cloud computing infrastructure. ODCA's core values are to enhance interaction and support between cloud users and vendors, with the goal of creating "work domains" that are critical to the usage pattern. These include security (provision of security and safety compliance monitoring), regulation (regulatory framework and carbon footprint), management, Services (service catalog and unit of measurement), and infrastructure (virtual machine interoperability and input/output (IO) control). There are many issues of concern to the IT enterprise in this domain, including the security and availability of the internal and external cloud computing environments, and the periodic release of updates to usage patterns.

Although ODCA does not have a "self reporting" transparency mechanism like star, there are several specific usage patterns that can directly enhance the transparency of the vendor. The first is a security monitoring usage model that requires vendors to provide users with a web-based interface to detect a wide variety of security-controlled states, including antivirus definitions, intrusion prevention system (IPS) events, and firewall logs. The current model clearly states that the work in progress needs to be more closely coordinated with the CSA Cloud Control matrix and other control frameworks. The second model for transparency is the vendor support model, which requires cloud providers to comply with regulations and controls defined by standards organizations such as NIST, PCI security standards boards, and ISO, as well as security boards introduced in the security monitoring model. CSP can achieve four levels of protection:

Copper level: Basic security, such as antivirus, firewall, vulnerability management, security event monitoring, and physical security access restrictions.

Silver level: The equivalent of general enterprise security, including protection against network intrusion, event logging, continuity planning, and more powerful security documents.

Gold Level: Equivalent to the security of financial organizations, including penetration testing, multifactor authentication, storage encryption, and physical server isolation.

Platinum Level: the equivalent of military security, with more powerful encryption measures and the removal of cloud computing vendor administrator access.

Similarly, each level of protection has specific and explicit requirements. For example, network and firewall management describes the controls and processes for each level, as follows:

Copper Level: CSP manages all firewall rules without consumer intervention.

Silver Level: CSP manages firewall rules and accepts consumer comments and suggestions. The CSP also provides a network separation between logical physical layers.

Gold Level: The consumer manages the firewall rules, while the CSP provides the management maintenance of the firewall. Provides network separation and application layer protection between logical tiers.

Platinum Level: The CSP is completely inaccessible to the firewall, and the consumer manages everything. Provides network separation and application layer protection between logical tiers.

Cloud Computing Standard Client Committee

While not contributing directly to cloud computing transparency, like star and ODCA, the cloud computing standard Customer Board (CSCC) has focused on using use cases and general guidance to provide tactical and strategic changes and recommendations to cloud project implementations. Its current use case documentation includes high-level security guidance for specific control areas such as asset management, password and key management, and network security. In addition, some simple use cases are involved. At present, CSCC does not appear to provide security or transparency for the purpose of registration, but it does have a supplier and large consumers, including the list of important members.

CSCC is also closely following the open cloud Declaration, a campaign with more than 400 supporters, aimed at promoting more open standards, dialogue and consistent transparency in cloud control and standard communication. Over time, CSCC will likely become an important contributor to cloud computing transparency and may lead to improvements such as the Star plan.

As more and more companies seek to transition to mixed cloud computing and public cloud computing, the need for transparency in cloud computing providers will only become more urgent. It remains to be seen how hard it is to get the success of cloud computing transparency. To date, only three companies have submitted the CSA Star information: Microsoft Office 365, Mimecast, and Solutionary. This suggests that many cloud computing vendors may not be ready to submit detailed information at this level, or that there may not be much community support or star knowledge. Nevertheless, cloud users can expect organizations such as CSA, ODCA, and CSCC to provide useful guidance on the monitoring and reporting of supplier control status.