Cloud computing needs better security standards

Gartner's latest study predicts that all cloud-sector businesses will continue to grow in double-digit numbers. But outsourcing key functionality to third parties also invites users to focus on security issues. When an enterprise runs the IT business internally, it can define and control the security protocol. But how do you know where the security protocols are when you rely on cloud service providers? And how do they do it?

To solve these problems, the cloud industry itself is evolving and adapting its architecture. By defining the security standards for the cloud, it is the best solution-to provide a uniform standard within its industry that makes it a recognized certification standard for cloud service providers. By implementing and widely adopting such standards, potential cloud customers will use assessment tools to conduct security assessments for cloud service providers.

However, many industry cloud service providers have not yet adopted a unified standard. They have adopted the norms they have accepted, and the existing agreements have led to the emergence of misleading guidance.

Cloud Security Alliance

The largest and most significant number of security standards agencies are CSA or the Cloud Security Alliance (Cloud Alliance). These include Amazon network services, Microsoft, Oracle, Red Hat, Rackspace and salesforce companies (also including dozens of companies), the most promising cloud services companies support CSA.

CSA has developed a compliance standard called the CCM or Cloud Control matrix (Cloud). The standard is organized into Excel spreadsheets, where CCM covers more than 10 cloud infrastructure areas, including risk management and security information. CCM has gone beyond the scope of its own security issues, including government, laws and regulations and hardware architecture and other compliance solutions.

The CCM describes hundreds of standards. For example, from the category "Facility Security-security Zone authorization", you can find the following control specification: the entry and exit of the security zone should be restricted and the physical access control mechanism monitored to ensure that only authorized personnel are allowed to enter.

Clearly, this standard is about the physical security of the cloud service provider facility. But the standard does not completely dictate the actions it implements.

In the case of a customer's assessment of a cloud service provider, if the vendor can assure you of an audit standard and, in this case, the CCM V1.3 control specification FS-04, this would be far better than knowing nothing or simply listening to the supplier word situation.

NIST, IEEE and ENISA

These standards bodies share a loving name with the world that reads as if it were a game of Scrabble. They are also developing their own guidelines, which also cover the issue of cloud service security.

NIST, the National Institute of Standards and Technology, unveiled its public cloud computing security and privacy guidelines last year. Unlike the CCM standard for CSA, NIST guidelines are for cloud customers and their related details-customers should consider consulting questions for potential cloud service providers.

IEEE, the Institute of Electrical and Electronic Engineers, has embarked on the development of its own cloud safety standards. and call it the P2301 project-Cloud portability and interoperability guidelines-IEEE's standard definition focuses on interoperability between cloud vendors.

While security is only one aspect of interoperability standards, cloud customer interoperability is a key in itself to avoid potential reliance on cloud service providers. Without these standards, it is easy to generate data movement and process changes between cloud service providers. Customers will be able to get stuck with the vendor, which will also become a liability standard for safety.

In order not to be left out, the European Network and Information Security Agency, or ENISA, has also issued its accelerated safety standards: The Cloud Contract Security Service level monitoring guide. The guide is intended for public cloud customers, and ENISA will lead users to ask the cloud vendor for detailed questions to ensure that the cloud vendor adheres strictly to the security protocol.

Beware of SAS 70

In the fast-growing world of cloud services, the SAS 70 standard is fading, a standard that is part of the auditing standards promulgated by the American Association of Accountants ' Audit Standards Board. Although it was originally designed to oversee compliance with financial reporting rules, some cloud service providers still use SAS 70来 as a so-called security protocol authentication.

Some critics, including Gartner, say SAS 70 has a significant shortfall in providing customers with a useful security guarantee. It is argued that the audit standard is far from the cloud service security intent and cannot meet the needs of modern threat assessment. In addition, SAS 70 has been criticized as an instantaneous standard, and it is basically unable to respond to the continued performance of service providers.

High-profile cloud services, similar to some of the "frustrations" Amazon has encountered, are tainted by the standards of the SAS 70, although they are compliant. So today, when customers evaluate cloud service providers, they are warned not to focus too much on SAS 70 certification. Gartner recommends using self-assessment and negotiated audit procedures to refine the SAS 70 standard.