System News
"Building Customer Trust in Cloud Computing With Transparent Security"
Implementing Security Standards, Principles Delivers Confidence
January 4, 2010
Volume 143, Issue 1

Cloud providers can build customer trust by leveraging the ISO 27001 and 27002 information security standards and by following a set of 'Transparent Security Principles.'
Potential users of cloud services often fear that cloud providers’ governance is not yet mature enough to consistently and reliably protect their data. Customers have expressed concern over data security, in particular confidentiality, integrity, and availability. In the Sun white paper, "Building Customer Trust in Cloud Computing with Transparent Security," readers will learn about an approach for providing assurance that security design, technologies, and procedures are being implemented in conformance with industry standards.

The 25-page white paper introduces the concept of transparent security, which is defined as appropriate disclosure of the governance aspects of security design, policies, and practices. The writers make the case that the intelligent disclosure of security design, practices, and procedures can help improve customer confidence while protecting critical security features and data, thereby improving overall governance.

An effective vehicle for achieving transparency and enabling assurance is the use of structured governance and security frameworks, the paper notes. Architecting a cloud computing environment that is guided by existing analogous industry standards and practicing “Transparent Security Principles” can greatly enhance customer confidence, the paper states. The paper lists which aspects of security should and should not be disclosed under these principles. As examples, disclosure is recommended for:

  • Common security policies and practices
  • When mandated
  • Security architecture
  • Governance

The paper presents a model that leverages the ISO 27000 series standards as a commonly understood framework for disclosure, and recommends the Information Security Management System (ISMS) security framework defined in the ISO 27001 standard. In particular, ISO 27001 and ISO 27002 are noted to be good starting points from which to build a foundation for transparent security. As internationally accepted security standards for IT environments, ISO 27001 and 27002 together provide a framework, as represented by an ISMS and the associated security control objectives, to demonstrate how to maintain security best practices and how to implement a managed approach to business information protection, including risk and compliance.

There are other efforts underway to create a “cloud specific” standard. However, the writers state, the ISO 27001 and 27002 standards that cover today's IT security provide an approach that is compatible with cloud environments because these standards cover the basic categories of lifecycle controls found in every other standard. They are also well understood by security and governance communities and auditors, and they allow for some degree of flexibility to meet the realities of cloud environments, note the authors. Finally, the ISO 27000 series contemplates the use of people, process and technology as equally important components for implementing controls rather than favoring one of these critical areas over another.

The paper goes over the National Institute of Standards and Technology (NIST) definition of cloud computing and the essential characteristics that encompass it. Service and deployment models are also reviewed.

Additionally, an overview of ISMS is supplied, including how to implement, operate, monitor, review, maintain, and improve the ISMS.

Readers can view a table identifying security control objectives as defined in ISO 27002, along with the recommended disclosures for transparent security as well as the primary objectives and benefits of disclosure.

More Information

Building Customer Trust in Cloud Computing with Transparent Security - Sun white paper

DMTF White Paper: 'Interoperable Clouds'

Considering a Migration to the Cloud?


News and Solutions for Users of Solaris, Java and Oracle's Sun hardware products