Understanding Cloud Security Alliance – Cloud Security Domains
September 10, 2017
Architecture
Establishes guidance, direction, advisement and reference architectures, and ensures alignment with business requirements.
Governance
Governance and Enterprise Risk Management
The ability of an organization to govern and measure enterprise risk introduced by Cloud computing. Items such as legal precedence for agreement breaches, ability of user organizations to adequately assess risk of a Cloud provider, responsibility to protect sensitive data when both user and provider may be at fault, and how international boundaries may affect these issues.
Legal Issues: Contracts and Electronic Discovery
Potential legal issues when using Cloud computing. Issues touched on in this section include protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements and international laws.
Compliance and Audit Management
Maintaining and proving compliance when using Cloud computing. Issues dealing with evaluating how Cloud computing affects compliance with internal security policies, as well as various compliance requirements (regulatory, legislative and otherwise), are discussed here. This domain also includes some direction on proving compliance during an audit.
Data Governance
Governing data that is placed in the Cloud. Items surrounding the identification and control of data in the Cloud, as well as compensating controls that can be used to deal with the loss of physical control when moving data to the Cloud, are discussed here. Other items, such as who is responsible for data confidentiality, integrity and availability, are also mentioned.
Operations
Management Plane and Business Continuity
Securing the management plane and administrative interfaces used when accessing the Cloud, including both web consoles and APIs. Ensuring business continuity for Cloud deployments.
Infrastructure Security
Core Cloud infrastructure security, including networking, workload security and hybrid Cloud considerations. This domain also includes security fundamentals for private Clouds.
Virtualization and Containers
Security for hypervisors, containers and software-defined networks.
Incident Response, Notification and Remediation
Proper and adequate incident detection, response, notification and remediation. This domain attempts to address items that should be in place at both the provider and user levels to enable proper incident handling and forensics. It will help you understand the complexities the Cloud brings to your current incident handling program.
Application Security
Securing application software that is running on or being developed in the Cloud. This includes items such as whether it is appropriate to migrate or design an application to run in the Cloud, and if so, which type of Cloud platform is most appropriate (SaaS, PaaS or IaaS).
Data Security and Encryption
Implementing data security and encryption, and ensuring scalable key management.
Identity, Entitlement, and Access Management
Managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization's identity into the Cloud. This section provides insight into assessing an organization's readiness to conduct Cloud-based Identity, Entitlement, and Access Management (IDM).
Security as a Service
Providing third-party-facilitated security assurance, incident management, compliance attestation, and identity and access oversight.
Related Technologies
Established and emerging technologies with a close relationship to Cloud computing, including Big Data, the Internet of Things and mobile computing.