The economics and innovation of cloud computing makes the cloud an appealing paradigm even for organizations that would not otherwise consider it due to governance, risk, compliance (GRC) and associated security risks. Here are my favorite references for coming up to speed on key GRC and security issues related to cloud computing.
Defining Cloud Computing
After several years of discussions, the IT industry is gravitating toward the cloud terminology established by National Institute of Standards and Technology (NIST). The NIST Definition of Cloud Computing PDF defines this paradigm as:
"A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources […] that can be rapidly provisioned and released with minimal management effort or service provider interaction."
NIST describes cloud computing in terms of 5 essential characteristics:
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured Service
NIST also clarifies that cloud computing can take the form of 3 service models:
- Cloud Software as a Service (SaaS)
- Cloud Platform as a Service (PaaS)
- Cloud Infrastructure as a Service (IaaS)
Lastly, NIST outlines 4 deployment models for cloud computing:
- Private cloud
- Community cloud
- Public cloud
- Hybrid cloud
NIST definitions are generally compatible with those established by other entities. At this point, attempting to create one’s own cloud definition will be fruitless, as NIST’s terms are becoming the de facto standard.
Security Framework for Cloud Computing
The most comprehensive framework for considering security aspects of cloud computing comes in the form of Security Guidance for Critical Areas of Focus in Cloud Computing PDF by Cloud Security Alliance (CSA).
The Security Guidance document begins by outlining general architectural issues related to cloud computing, and confirms the guide’s alignment with NIST’s cloud terminology. CSA highlights multi-tenancy as an important, though not an essential element of the paradigm. The document also clarifies the relationship and common use-cases of cloud service models (SaaS, PaaS and IaaS).
The remainder of the Security Guidance document presents a number of recommendations related to the following areas:
- Governing in the Cloud: Governance and Enterprise Risk Management, Legal and Electronic Discovery, Compliance and Audit, Information Lifecycle Management, Portability and Interoperability
- Operating in the Cloud: Traditional Security, BCDR, Data Center Operations, Incident Response, Notification, and Remediation, Application Security, Encryption and Key Management, Identity and Access Management, Virtualization
CSA has been gaining steam and has become probably the most influential non-government organization for cloud security guidance.
Risk Framework for Cloud Computing
The European Network and information Security Agency (ENISA) published a paper that surveys the risks associated with cloud computing. The paper offers recommendations for conducting a risk assessment of one’s cloud efforts and provides a comprehensive listing of the risks that should be considered. The risks fall into the following categories:
- Policy and organizational risks
- Technical risks
- Legal risks
- Risks not specific to the cloud
The ENISA paper includes recommendations for the division of responsibilities between cloud customers and providers. It also outlines key benefits of cloud computing, concluding that “cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view.”
Organizations employing OS virtualization to implement cloud computing will benefit from the Guide to Security for Full Virtualization Technologies PDF published by NIST, presently in draft form.
Individuals responsible for reviewing, defining or overseeing controls related to cloud computing will benefit from the CSA Cloud Controls Matrix. The spreadsheet “provides a controls framework that gives detailed understanding of security concepts and principles” aligned to CSA’s Security Guidance document.