Summary and outlook
User organizations (Cloud Service Consumers, CSC) do not receive all the information they require to understand and rate a cloud service with regard to IT security. They may also lack the information needed to prepare for those activities which the Cloud Service Provider (CSP) has left to its customers.
Obviously, cloud security standards cannot specify every detail of a specific cloud computing service; they must generalize. The documentation provided by Cloud Service Providers (CSP) mostly does not deliver enough information, especially about the Deployment Model and the extended Service Model. And even if it did, the material would not allow Cloud Service Consumers to compare different cloud service offerings (from different vendors).
This paper proposes how cloud security standards can be enhanced to overcome the shortcomings mentioned above.
- A user’s guide shall be provided by the Cloud Service Provider (CSP) which contains Service and Deployment Model Patterns.
- The Patterns are specific for a certain cloud computing service and provide the information required by Cloud Service Consumers (CSC).
- The Patterns must be observed by the Cloud Service Provider (CSP) during design, implementation, and operations of the cloud computing service.
- Cloud security standards shall comprise two additional security measures (security controls) which require the Cloud Service Provider (CSP) a) to define the Service and Deployment Model Patterns and b) to adhere to these Patterns during design and implementation and when planning the cloud’s operations.
- Cloud security standards shall also define rules and provide templates for Service Model Patterns and for Deployment Model Patterns. The Patterns shall be semi-formal expressions. The Patterns are then compatible with each other and support the comparison of different cloud computing services, also from different vendors.
Using the concept described in this Zero Outage Industry Standard, cloud security standards can cover and consider virtually all possible Service Models and Deployment Models. As a result, they support differentiating between offerings and improve the support for Cloud Service Consumers (CSC), for whom the standards are also built.
The concept can be extended. According to this Zero Outage Industry Standard:
- Security standards shall request that a user’s guide is provided which contains all details
  - allowing users to understand and assess the IT security of an IT service or product, and
  - enabling users to do their part in securing and/or securely using the IT service or product.
- Security standards shall define the content and structure of that user’s guide
  - so that the user’s guide is purposeful and of sufficient quality, and
  - so that it enables users to compare different IT services or products with regard to IT security and compliance risks.
Users and user organizations contribute to IT security and compliance. They often install products themselves and integrate IT services into their business environments. They must observe certain rules (e.g., keeping the password secret) when using the products and IT services. Enterprise customers must often agree to changes. They are affected by security incidents and involved in their treatment. There are many situations where the IT service provider and the user organization must interact with each other in order to ensure compliance and to achieve and maintain an appropriate level of IT security. Agreements and transparency, e.g. through the provisioning of user’s guides, are the foundation for such a “Joint Security Management (JSM)”.