Security Framework
Annex A: Industrial Security Standards
are maintained by IETF. The more secure version, HTTP/TLS,¹ is recommended whenever possible over HTTP.
A.8 CLOUD SECURITY STANDARDS
There are a great number of guidelines and standards pertaining to cloud security, devised and used in various countries. We briefly describe a few notable ones below.
The ISO/IEC 27017² standard provides guidance on the information security elements of cloud computing. It assists with the implementation of cloud-specific information security controls, supplementing the guidance in the ISO 27000 series standards, including ISO/IEC 27018 on the privacy aspects of cloud computing, ISO/IEC 27031 on business continuity, and ISO/IEC 27036-4 on relationship management, as well as all the other ISO 27nnn standards.³
NIST has also published the following standards on cloud computing: NIST SP 800-146, 'Cloud Computing Synopsis and Recommendations'; NIST SP 500-291, 'Cloud Computing Standards Roadmap'; NIST SP 800-144, 'Guidelines on Security & Privacy in Public Cloud Computing'; NIST SP 500-292, 'Cloud Computing Reference Architecture'; and NIST SP 500-293, 'US Cloud Computing Technology Roadmap'.⁴
The European Union Agency for Network and Information Security (ENISA) has published an auditable standard titled 'Cloud Computing: Benefits, risks and recommendations for information security'⁵ to which many cloud providers are certified.
'Cloud Computing Security Considerations'⁶ by the Australian Signals Directorate provides analysis and measurement of the risks to be considered by cloud SaaS customers when evaluating the cloud as a potential solution.
Cloud Security Alliance has published many guidelines, including:
'Security Guidance for Critical Areas of Focus in Cloud Computing Version 3.0',⁷ which contains practical, current guidance and advice for both cloud computing customers and providers.
'Practices for Secure Development of Cloud Applications',⁸ which provides practical guidance relevant to cloud SaaS, such as secure design recommendations for multi-tenancy and data encryption, and secure implementation recommendations for securing APIs.
¹ See [IETF-RFC2818], commonly known as HTTPS
² See [ISO-27017]
³ See [ISO-27000], [ISO-27018], [ISO-27031] and [ISO-27036-4]
⁴ See [NIST-800-146], [NIST-500-291], [NIST-800-144], [NIST-500-292] and [NIST-500-293]
⁵ See [ENISA-CCRA]
⁶ See [AU-CCSC]
⁷ See [CSA-SGCA]
⁸ See [CSA-SCCSA]
IIC: PUB: G4: V1.0: PB: 20160926- 132-