Industrial Internet Security Framework v 1.0 | Page 132

Security Framework
Annex A: Industrial Security Standards
are maintained by IETF. The more secure version, HTTP/TLS,¹ is recommended whenever possible over HTTP.
A.8 CLOUD SECURITY STANDARDS
There are a great number of guidelines and standards pertaining to cloud security, devised and used in various countries. We briefly describe a few notable ones below.
The ISO/IEC 27017² standard provides guidance on the information security elements of cloud computing. It assists with the implementation of cloud-specific information security controls, supplementing the guidance in the ISO 27000 series standards, including ISO/IEC 27018 on the privacy aspects of cloud computing, ISO/IEC 27031 on business continuity, and ISO/IEC 27036-4 on relationship management, as well as all the other ISO 27nnn standards.³
NIST has also published the following standards on cloud computing: NIST SP 800-146, ‘Cloud Computing Synopsis and Recommendations’; NIST SP 500-291, ‘Cloud Computing Standards Roadmap’; NIST SP 800-144, ‘Guidelines on Security & Privacy in Public Cloud Computing’; NIST SP 500-292, ‘Cloud Computing Reference Architecture’; and NIST SP 500-293, ‘US Cloud Computing Technology Roadmap’.⁴
The European Union Agency for Network and Information Security (ENISA) has published an auditable standard titled ‘Cloud Computing: Benefits, risks and recommendations for information security’,⁵ to which many cloud providers are certified.
‘Cloud Computing Security Considerations’⁶ by the Australian Signals Directorate provides analysis and measurement of the risks that cloud SaaS customers should consider when evaluating the cloud as a potential solution.
The Cloud Security Alliance has published many guidelines, including:
‘Security Guidance for Critical Areas of Focus in Cloud Computing Version 3.0’,⁷ which contains practical, current guidance and advice for both cloud computing customers and providers.
‘Practices for Secure Development of Cloud Applications’,⁸ which provides practical guidance relevant to cloud SaaS, such as secure design recommendations for multi-tenancy and data encryption, and secure implementation recommendations for securing APIs.
¹ See [IETF-RFC2818], commonly known as HTTPS
² See [ISO-27017]
³ See [ISO-27000], [ISO-27018], [ISO-27031] and [ISO-27036-4]
⁴ See [NIST-800-146], [NIST-500-291], [NIST-800-144], [NIST-500-292] and [NIST-500-293]
⁵ See [ENISA-CCRA]
⁶ See [AU-CCSC]
⁷ See [CSA-SGCA]
⁸ See [CSA-SCCSA]
IIC:PUB:G4:V1.0:PB:20160926 - 132 -