Cloud Security & Compliance – Standards and Guidelines

August 22, 2017

Cloud computing is a rapidly growing field, and in response to a series of breaches and the penalties companies have faced because of them, many standards bodies and institutions have quickly developed charters and standards for cloud security. These standards cover security, system development, financial reporting, and other areas.

These are the dossiers providing NIST guidelines on cloud security:

❖ NIST Cloud Computing Public Security Working Group

❖ NIST SP 500-292, NIST Cloud Computing Reference Architecture

❖ NIST SP 500-293, US Government Cloud Computing Technology Roadmap. Volume 1, 2, & 3.

❖ NIST SP 500-299, NIST Cloud Computing Security Reference Architecture

❖ NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing

❖ NIST SP 800-145, The NIST Definition of Cloud Computing

❖ NIST SP 800-146, Cloud Computing Synopsis and Recommendations

 

For cloud compliance and assurance, one can ask the cloud provider to obtain certifications attesting to compliance with security standards such as:

SSAE 16, ISAE 3402, SOC 1, SOC 2, SOC 3. Clients handling financial data can ask for audit reports certified by the American Institute of Certified Public Accountants (AICPA). The other international option is ISO 2700 (International Organization for Standardization).

Other references:

Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR)

U.S. Health Insurance Portability and Accountability Act (HIPAA) – used mostly by hospitals, medical institutes, health insurers, etc.

Payment Card Industry (PCI) Data Security Standard (DSS) Level 1 service provider – used mostly in the finance industry, retail outlets, and wherever credit cards are accepted.

Motion Picture Association of America (MPAA)

SOX / GLBA – Sarbanes-Oxley compliance, based on NIST 404.

Other ISO standards:

ISO/IEC 27001:2013 – Information Security Management System (ISMS)

If you are doing business with the US Government, then you have to abide by FedRAMP (Federal Risk and Authorization Management Program), which has specialized requirements for secure cloud services.

Civilian and DOD organizations have to comply with NIST 800-37, the DOD Information Assurance Certification and Accreditation Process (DIACAP), and the Federal Information Security Management Act (FISMA). Some agencies may also require compliance with ITAR (US International Traffic in Arms Regulations).

Federal customers also need FIPS 140-2 validated security systems running in the cloud.

The OMB requires FedRAMP, FISMA, and NIST 800-53 Rev3. The JAB (Joint Authorization Board) was created under FedRAMP to approve cloud services and to monitor them on an ongoing basis.

The CSA (Cloud Security Alliance) mentioned above is a US Federal 501(c)(6) non-profit organization. Its mission is to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.” It created the “Security Guidance for Critical Areas of Focus in Cloud Computing” document; the current version is 3.0.