There are times, like over a long US Holiday weekend leading up to your Handler duty shift, you get the "opportunity" to catch up with information security issues of the day and run into some great work that warrants mention for any number of reasons. And over this weekend I had the "opportunity" to look a bit deeper into Cloud Computing information security. Some exceptional work I ran into while perusing the cloudscape included the two following efforts, and both provide extensive citations and links.
- The "Security Guidance for Critical Areas of Focus in Cloud Computing", prepared by the Cloud Security Alliance (CSA), a group certainly fulfilling their mission statement. In their guidance executive summary they mention that every "attempt has been made to focus on areas of concern that are either unique to cloud computing, or are greatly exacerbated by the model". They certainly achieved the focus they wanted. An example of that focus, in the executive summary section on compliance and audit, is when they reference the "scope" of various attestations of security, when they note that "It is critical to examine the scope of SAS 70 Type II audits and ISO 27001 certifications" and later in the guidance state "Provider site certifications such as SAS 70, WebTrust® and SysTrust®, Service Capability & Performance (SCP) or ISO27001 can be directed as desired by the provider and are a point in time certification if there is any such certification". The CSA guidance is also quite focused elsewhere .
You can read about participating (or collaborating) here - Cloud Security Alliance Membership
- The European Network and Information Security Agency (ENISA), an EU agency, "risks assessment on cloud computing business model and technologies". This is an "in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing". The report also provides "a set of practical recommendations". In-Depth indeed, see - "Cloud Computing Benefits, risks and recommendations for information security".
Between now and my next Handler shift/Diary at the end of December, I'm sure there will be other weekend "opportunities" to pursue related work. I hope to present some information from Josh Corman of the451group on a developing cloud computing information security "reference" architecture extension that has utility for working through cloud information security issues in your environment.