Sorry, you need to enable JavaScript to visit this website.
Security and Privacy in the Public Cloud June 7, 2013

What is a Cloud?

There has been much “hype” about cloud and a lot of confusion, especially regarding risk management and security concerns. The groundwork is quietly being laid for security and privacy services in public cloud ecosystems. The collaboration and harmonization activities are currently underway at the international level between the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Telecommunication Standardization Sector (ITU-T) of the International Telecommunications Union (ITU).

Most well-versed Information Technology (IT) practitioners are no doubt familiar with the cloud computing definition and the three cloud service models developed by the U.S. National Institute of Standards and Technology (NIST):  Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS). These models turned out not to be mutually exclusive. It was hard to tell them apart. Moreover, the NIST definitions conflicted with those of the ITU-T which focused on Communications as a Service (CaaS) and Network as a Service (NaaS). It was obvious that a new paradigm was needed.

In response, the ISO/IEC Joint Technical Committee 1/Subcommittee 38 (Distributed application platforms and services, or DAPS) and the ITU-T/Study Group 13 (Future Networks) formed two collaborative teams for Cloud Computing (CT-CC) to address vocabulary (CT-CCV) and architecture (CT-CCRA). Draft Standard ISO/IEC 17788, is working on a cloud-computing vocabulary, to help cloud computing users communicate in a common and clearly understood way. Draft Standard ISO/IEC17789 will produce a reference architecture to help cloud computing users understand the overall capabilities of a cloud computing service and the pieces within it.

At the April 2013 ISO/IEC Plenary, held in Madrid, the CT-CC teams agreed on core cloud computing terminology and a new cloud computing definition (still in draft). To reconcile the conflicting SC 38 and ITU-T Stu Group 13 models, the CT-CC defined three cloud service categories which correspond closely to the NIST cloud models and then cross-indexed it with cloud service “types.” These include: Application Capabilities Type, Platform Capabilities Type and Infrastructure Capabilities Type. This new matrix can accommodate existing and future cloud service/platform combinations.[1]

The cloud marketing around the NIST-defined cloud platforms (IaaS, PaaS and SaaS) has made it nearly impossible to abandon these terms even though precise definitions have been hard to come by.

At the Madrid meeting of the CT-CCV, the term cloud computing was defined as: “paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with on-demand self-service provisioning and administration.” So there you have it, we now know what cloud computing is for the moment, subject to reconsideration between now and the next CT-CCVmeeting in Kobe, Japan in September, 2013.

Cloud-based Security and Privacy Services

ISO/IEC JTC1 SC 27 is also working to standardize privacy and security services, as seen in the publication of ISO/IEC privacy and security standards:  

  • A framework for identity management (24760)
  • A framework for access management (29146)
  • Privacy Framework (29100)
  • Privacy Reference Architecture (29101)
  • Privacy Capability Assessment Model (29190)
  • Entity Authentication Assurance Framework (29115)

SC 27 has also produced the widely-used ISO/IEC 27000 Information technology- Security techniques series of standards that help organizations develop and maintain information security management systems (ISMS). SC 27 is now working on a cloud-specific security and privacy standards:

  • The 4th draft Standard ISO/IEC 27017 Information technology – Security techniques – Information security management – Guidelines on information security controls for the use of cloud computing services.
  • ISO/IEC 27018 is the 2nd working draft-Security Techniques-'Code of practice for controls to protect personally identifiable information processed in public cloud computing services.'(working title)
  • Since both of these standards are in committee draft, quoting from them is not permitted.
  • ISO 27017 uses ISO/IEC 27002, Information technology – Security techniques – Code of practice for information management as a reference for selecting controls (such as asset inventory and credential controls) within the process of implementing ISMS. ISO 27017 provides additional implementation for relevant information security controls based on ISO 27002, particularly as they relate to cloud computing. ISO 27017 is aimed at both providers and consumers of cloud services.
  • ISO 27018 is applicable to all organizations, including government, not for profits, and any public or private organization that provides data processing services to other organizations via cloud computing, as part of their information processing. ISO 27018 augments the ISO/IEC 27002 controls to accommodate the distributed nature of the risk and the existence of a contractual relationship between the personally identifiable information (PII) controller (information owner) and the PII processor (public cloud service provider). By selecting this standard, users of these services will more easily meet their own PII protection obligations. It is expected that ISO 27018 will align with the proposed European Union’s General Data Protection Regulation. [2]

As subject matter experts that have helped the National Institute of Standards and Technology (NIST) co-author and support multiple security standards and guidelines that act as pillars for FISMA and FedRAMP, coupled with our accreditation as a FedRAMP approved Third Party Assessor Organization (3PAO), Electrosoft Services Inc. can help guide/assist your organization through the challenges associated with the FedRAMP process. By employing structured, well-defined procedures, Electrosoft can help your organization get through the ATO process as quickly and cost-efficiently as possible.  

-Judy Fincher

[1]   (Website visited 5/27/2013)

Return to Electroblog