Getting Started with Cloud Security and Risks – Favorite Frameworks

The economics and innovation of cloud computing make the cloud an appealing paradigm even for organizations that would not otherwise consider it because of governance, risk and compliance (GRC) concerns and the associated security risks. Here are my favorite references for coming up to speed on the key GRC and security issues related to cloud computing.

Defining Cloud Computing

After several years of discussion, the IT industry is gravitating toward the cloud terminology established by the National Institute of Standards and Technology (NIST). The NIST Definition of Cloud Computing (PDF) defines this paradigm as:

“A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources […] that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

NIST describes cloud computing in terms of 5 essential characteristics:

  • On-demand self-service
  • Broad network access
  • Resource pooling
  • Rapid elasticity
  • Measured service

NIST also clarifies that cloud computing can take the form of 3 service models:

  • Cloud Software as a Service (SaaS)
  • Cloud Platform as a Service (PaaS)
  • Cloud Infrastructure as a Service (IaaS)

Lastly, NIST outlines 4 deployment models for cloud computing:

  • Private cloud
  • Community cloud
  • Public cloud
  • Hybrid cloud

NIST’s definitions are generally compatible with those established by other entities. At this point, attempting to create one’s own cloud definition would be fruitless, as NIST’s terms are becoming the de facto standard.

Security Framework for Cloud Computing

The most comprehensive framework for considering the security aspects of cloud computing is the Security Guidance for Critical Areas of Focus in Cloud Computing (PDF) by the Cloud Security Alliance (CSA).

The Security Guidance document begins by outlining general architectural issues related to cloud computing and confirms the guide’s alignment with NIST’s cloud terminology. CSA highlights multi-tenancy as an important, though not essential, element of the paradigm. The document also clarifies the relationships among the cloud service models (SaaS, PaaS and IaaS) and their common use cases.

The remainder of the Security Guidance document presents a number of recommendations related to the following areas:

  • Governing in the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
  • Operating in the Cloud: Traditional Security, Business Continuity and Disaster Recovery (BCDR); Data Center Operations; Incident Response, Notification and Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization

CSA has been gaining momentum and has become probably the most influential non-governmental source of cloud security guidance.

Risk Framework for Cloud Computing

The European Network and Information Security Agency (ENISA) published a paper that surveys the risks associated with cloud computing. The paper offers recommendations for conducting a risk assessment of one’s cloud efforts and provides a comprehensive list of the risks that should be considered. The risks fall into the following categories:

  • Policy and organizational risks
  • Technical risks
  • Legal risks
  • Risks not specific to the cloud

The ENISA paper includes recommendations for the division of responsibilities between cloud customers and providers. It also outlines key benefits of cloud computing, concluding that “cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view.”

Additional References

Organizations employing OS virtualization to implement cloud computing will benefit from the Guide to Security for Full Virtualization Technologies (PDF) published by NIST, presently in draft form.

Individuals responsible for reviewing, defining or overseeing controls related to cloud computing will benefit from the CSA Cloud Controls Matrix. The spreadsheet “provides a controls framework that gives detailed understanding of security concepts and principles” aligned to CSA’s Security Guidance document.

Lenny Zeltser

View full post on Lenny Zeltser on Information Security
