Cloud security standards do not address the differences of cloud offerings

Several cloud security standards (e.g. [6]) are addressing this “shared responsibility” (refer to Figure 3). Though, the advice given is very general and not telling how to deal with the respective topic. The advice cannot be specific since the standards cannot describe all possible assignments of responsibility. The standards merely define the issue and define the “what”. They cannot explain “how” since the cloud’s model is not known. Figure 4 shows examples how existing cloud security standards typically address the shared responsibility. ISO/IEC 27017 [3] seems to deliver the most details.

Figure 4: The shared responsibility models do not deliver much detail

As a result, user organizations must

  • first analyze the cloud computing service’s Service and Deployment Model,
  • then explore what this means regarding
    • IT security and compliance risks,
    • skill and resources needed for the activities which are not performed by the Cloud Service Provider (CSP).

Based on this, user organizations can start comparing different cloud offerings, consider making the necessary preparations and finally think about contractual conditions.

This must principally be done for every cloud computing service under consideration and before any purchasing decision is taken. Though, the actual contradictions are the following:

  1. Cloud computing services are mostly offered with the promise that “a consumer can unilaterally provision computing capabilities…”. This “on-demand self-service” is the first and foremost characteristic or cloud computing services defined by the NIST [7]. Reality seems to look different today. At least, understanding this as the possibility to instantly set-up the service may conflict with reality.
  2. Even more critical, the user organizations (Cloud Service Consumers, CSC) may not be provided with the required details, especially about the cloud’s Deployment and Service Model. Or even if provided, the information is difficult to analyze and compare between different offerings.

Although the cloud security standards cannot provide all detail about all possible cloud computing service offerings, they can request that the required information is made available. This is the essence of the proposal made by this Zero Outage Industry Standard. The proposal helps solving or at least mitigating the two problems identified above as detailed in the next chapter.