Cloud Security Standards: A recent Gartner study predicts that all cloud businesses will continue to grow at double-digit rates. Cloud computing therefore needs more complete security standards for cloud security, predictive prioritization and vulnerability management.
But outsourcing key functions to a third party also forces users to focus on security issues. When an enterprise runs its IT internally, it can define and control its own security protocols. But when it relies on a cloud service provider, how can it know which security protocols are in place? And how are they implemented?
To solve these problems, the cloud industry itself is constantly evolving and adjusting its architecture. Defining cloud security standards is the best solution: a unified standard within the industry can serve as a recognized certification standard for cloud service providers. Once such standards are implemented and widely adopted, potential cloud customers will be able to use assessment tools to conduct security assessments of cloud service providers.
However, many cloud service providers in the industry have not yet adopted a unified standard. Each has adopted the standards it approves of, and the variety of existing agreements has produced misleading guidance.
Cloud Security Alliance
The largest security standards organization, with many participants, is the Cloud Security Alliance (CSA). Promising cloud service companies support the CSA, including Amazon Web Services, Microsoft, Oracle, Red Hat, Rackspace and Salesforce, along with dozens of other companies.
CSA has developed a compliance standard called the Cloud Controls Matrix (CCM). The standard is organized as an Excel spreadsheet and covers more than a dozen cloud infrastructure areas, including risk management and security information. CCM goes beyond purely security issues: it also covers compliance areas such as government, laws and regulations, and hardware architecture.
CCM elaborates hundreds of standards. For example, in the category “Facility Security - Security Zone Authorization”, you can find the following control specification: entry to and exit from the security zone should be restricted, and physical access control mechanisms should be monitored to ensure that only authorized personnel can enter.
Obviously, this standard concerns the physical security of the cloud service provider's facilities. But a standard does not fully dictate how it is implemented.
When a customer assesses a cloud service provider, a vendor that can guarantee an audit standard and demonstrate compliance with (in this case) CCM v1.3 control specification FS-04 is far better than remaining ignorant or simply taking the supplier’s word for it.
NIST, IEEE and ENISA
These standards bodies have names that read like a round of Scrabble. They are also developing their own guidelines, which also cover the security of cloud services.
NIST, the National Institute of Standards and Technology, published its guidelines on security and privacy in public cloud computing last year. Unlike CSA’s CCM standard, NIST’s guidelines are aimed at cloud customers and detail the questions customers should consider raising with potential cloud service providers.
IEEE, the Institute of Electrical and Electronics Engineers, has started to develop its own cloud security standard, called project P2301, the Cloud Portability and Interoperability Guide. The IEEE standard definition mainly focuses on interoperability between cloud vendors.
Although security is only one aspect of interoperability standards, interoperability for cloud customers is itself key to avoiding potential dependence on a cloud service provider. Without these standards, moving data and changing processes between cloud service providers easily becomes a problem. Customers can get stuck with a supplier, which also becomes a legal liability for security.
Not to be left out, the European Network and Information Security Agency, or ENISA, has also promulgated its fast-track security standard: the Cloud Contract Security Service Level Monitoring Guidelines. This guide is aimed at public cloud customers. ENISA guides users in asking cloud providers detailed questions to ensure that the providers strictly abide by security protocols.
Beware of SAS70
In this fast-developing world of cloud services, the brilliance of the SAS70 standard is gradually fading. This standard is part of the audit standards promulgated by the Audit Standards Committee of the American Institute of Accountants. Although it was originally designed to supervise companies’ compliance with financial reporting rules, some cloud service providers still use SAS70 as a so-called security protocol certification.
Some critics, including Gartner, have said that SAS70 has obvious shortcomings while providing customers with useful security guarantees. Some think that this audit standard is far removed from the purpose of cloud service security and cannot meet the needs of modern threat assessment. In addition, SAS70 has been criticized as a point-in-time standard that essentially cannot reflect the continuous performance of service providers.
High-profile cloud service incidents, such as the “frustrations” encountered by Amazon even though its technology complies with SAS70, have also tainted the audit standard. Therefore, customers evaluating cloud service providers today are warned not to focus too much on SAS70 certification. Gartner recommends using self-assessment and negotiated audit procedures to complement the SAS70 standard.