Enhancing Cloud Security Standards
Intro
Cloud computing was introduced with the promise of dramatically reducing complexity for user organizations. After approximately a decade, cloud computing services have become so complex with regard to the assembly of functionality, provisioning and maintenance that it is practically impossible to use them immediately, on demand, without a significant amount of preparation. Nevertheless, several cloud computing standards could be read as if cloud computing were a simple function that can be used instantly after ordering it through a self-service portal. A closer look, however, reveals that today’s cloud computing services can be complex. This complexity also concerns IT security management, including on the side of the user organization. Whereas in traditional outsourcing the IT service provider took care of most essential security aspects, modern public cloud offerings leave many tasks to the user organization. But there is more. Cloud services differ in their construction, which may also affect the IT security and compliance risk profile.
Current cloud security standards (e.g. [1], [2] and [3]) do not provide user organizations with sufficient detail. This may be because their authors saw no way to do so. They focused on cloud services they considered typical and added statements that further analysis is required when a specific cloud service is about to be contracted.
This document describes an alternative:
- Cloud security standards shall demand the Cloud Service Provider (CSP) to provide appropriate guidance for user organizations.
- This guidance shall characterize the cloud computing service, specifically the cloud’s Deployment Model (for whom and how the service is provided) and the cloud’s Service Model (which party is responsible for what).
- In addition to the content of the guidance, the cloud security standards shall also define its structure and the syntax and semantics of the sentences (called Patterns in the following) that the guidance for user organizations consists of. This third condition ensures that user organizations can compare cloud computing services or, more precisely, their security and compliance risk profiles and the division of labor throughout the service’s lifecycle.
The concept can be extended to and used in areas other than cloud security. According to this Zero Outage Industry Standard, security standards shall require that a user’s guide containing all necessary detail is provided. Security standards shall also define the content and structure of that user’s guide. Refer to the sections below to read more about the reasons for and the implementation of this concept.
This document is developed based on the concepts described in [4], using diagrams from [5]. In this document a simple model with two parties is used: the IT service provider or Cloud Service Provider (CSP) as the supplying party on the one hand, and the user organization or Cloud Service Consumer (CSC) as the consuming party on the other. The model is extended when required.
A References and Applicable Documents
[1] Cloud Computing Compliance Controls Catalogue (C5:2020); Federal Office for Information Security, 2020
[2] Cloud Security Alliance (CSA): CSA Cloud Controls Matrix (CCM); Version 4, https://cloudsecurityalliance.org/research/cloud-controls-matrix/
[3] ISO/IEC 27017 – Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
[4] Eberhard von Faber: Vorschlag zur Verbesserung von Cloud-Sicherheitsstandards; Berücksichtigung der unterschiedlichsten Service- und Bereitstellungsmodelle mit nur zwei Anforderungen; in: Datenschutz und Datensicherheit – DuD, 46, pp. 45-51, January 2022, Springer, ISSN 1614-0702, https://doi.org/10.1007/s11623-022-1559-x (https://rdcu.be/cEp9H)
English translation: Concept for considering different Service and Deployment Models in cloud security standards; translation of the article published in Datenschutz und Datensicherheit – DuD, 46, January 2022, https://zero-outage.com/opinion/concept-for-improving-cloud-security-standards/
[5] Eberhard von Faber: Enhancing Cloud Security Standards: A Proposal for Clarifying Differences of Cloud Services with Respect to Responsibilities and Deployment; invited keynote at the European Identity and Cloud Conference organized by KuppingerCole Analysts AG, Berlin, May 13, 2022
[6] Cloud Security Alliance (CSA): Enterprise Architecture to CCM Shared Responsibility Model; 2020
[7] Peter Mell and Timothy Grance: The NIST Definition of Cloud Computing, Recommendations of the National Institute of Standards and Technology; NIST Special Publication 800-145, September 2011
[8] Eberhard von Faber: IT und IT-Sicherheit in Begriffen und Zusammenhängen, Thematisch sortiertes Lexikon mit alphabetischem Register zum Nachschlagen; Springer Vieweg, Wiesbaden 2021, 289 pages, 64 colour figures, ISBN 978-3-658-33430-7, https://doi.org/10.1007/978-3-658-33431-4
[9] ISO/IEC 20000 – Information technology – Service management – Part 1: Service management system requirements, Part 2: Guidance on the application of service management systems
[10] Eberhard von Faber and Wolfgang Behnsen: Joint Security Management: organisationsübergreifend handeln (Mehr Sicherheit im Zeitalter von Cloud-Computing, IT-Dienstleistungen und industrialisierter IT-Produktion); Springer Vieweg, Wiesbaden 2018, 246 pages, 60 colour figures, ISBN 978-3-658-20833-2, https://doi.org/10.1007/978-3-658-20834-9