This post is a summary of the guidance provided in version 3 of the Cloud Security Alliance document Security Guidance for Critical Areas of Focus in Cloud Computing v3.0. The CSA guidance remains one of the best sources of actionable security guidance for businesses adopting a multi-tenant cloud service environment.
Overall document summary:
- The Cloud Security guidance document is organized into 14 domains.
- The 14 cloud security domains are Cloud Architecture; Governance and Enterprise Risk Management; Legal: Contracts and Electronic Discovery; Compliance and Audit; Information Management and Data Security; Portability and Interoperability; Traditional Security, Business Continuity and Disaster Recovery; Data Center Operations; Incident Response, Notification and Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization; and Security as a Service.
- The cloud deployment models are private, public, community, and hybrid.
- Assets that need security in the cloud fall into two categories: data, and applications/functions/processes. Some or all of an asset can move to the cloud or stay in your own data center.
- Hosting options include internal (on-premises), external (dedicated or shared cloud infrastructure), or combined (e.g. the data stays on-premises while the application moves to the cloud).
- Assess the CIA (Confidentiality, Integrity, Availability) requirements for each asset and how the risk changes if part or all of the asset moves to the cloud.
- In summary: know which assets are moving to the cloud, determine your risk tolerance, and decide which cloud deployment and service models are acceptable.