High Quality
Open the downloaded document, and select print from the file menu (PDF reader required).
Security Guidance
for
Critical Areas of Focus
in
Cloud Computing
Prepared by the
Cloud Security Alliance
April 2009
Security Guidance for Critical Areas of Focus in Cloud ComputingCopyright © 2009 Cloud Security Alliance 2
Table of Contents
Foreword ............................................................................................................................. 3Acknowledgments............................................................................................................... 4Introduction ......................................................................................................................... 5Executive Summary and Key Guidance ............................................................................. 6Section I. Cloud Architecture ..................................................................................... 14Domain 1: Cloud Computing Architectural Framework ........................................ 15Section II. Governing in the Cloud .............................................................................. 25Domain 2: Governance and Enterprise Risk Management ..................................... 26Domain 3: Legal ..................................................................................................... 30Domain 4: Electronic Discovery ............................................................................. 41Domain 5: Compliance and Audit .......................................................................... 44Domain 6: Information Lifecycle Management ..................................................... 48Domain 7: Portability and Interoperability ............................................................. 51Section III. Operating in the Cloud ................................................................................ 54Domain 8: Traditional Security, Business Continuity and Disaster Recovery ....... 55Domain 9: Data Center Operations ......................................................................... 59Domain 10: Incident Response, Notification and Remediation................................ 62Domain 11: Application Security ............................................................................. 65Domain 12: Encryption and Key Management ........................................................ 72Domain 13: Identity and Access Management ......................................................... 74Domain 14: Storage .................................................................................................. 77Domain 15: Virtualization ........................................................................................ 79Appendix A. Contact Information ................................................................................... 83
Security Guidance for Critical Areas of Focus in Cloud ComputingCopyright © 2009 Cloud Security Alliance 3
Foreword
Welcome to the Cloud Security Alliance’s initial report, “Security Guidance for Critical Areas of Focus in Cloud Computing”. From our first organizing meeting in Silicon Valley in earlyDecember of 2008, we have moved rapidly to garner industry support and have reached out to amultitude of subject matter experts to develop this report. We look forward to your participationin reviewing this document and providing your feedback at public venues and in our workinggroups.My role as a Chief Information Security Officer is dual-purposed as it pertains to this subject. Iam responsible for security assurance as both a consumer and provider of cloud computingservices. Depending upon which hat I am wearing, I will have stronger affinity with anyparticular guidance recommendation in this document. However, if you accept the propositionthat cloud computing allows for the realization of economic efficiencies in computing, I stronglyfeel that the most cost effective way to secure the cloud is to do it right the first time.Implementing a high standard of security benefits both providers and consumers alike.The very nature of how businesses use information technology is being transformed by the 'on-demand' cloud computing model. It is imperative that information security leaders are engaged atthis early stage to help assure that the rapid adoption of cloud computing builds in informationsecurity best practices without impeding the business. I am proud to be a co-founder of thisimportant initiative.Best,Dave Cullinane, CPP, CISSPCISO & Vice President eBay MP Global Information Security
Security Guidance for Critical Areas of Focus in Cloud Computing
Info and Rating
Sections
« prev | next »- Foreword
- Acknowledgments
- Introduction
- Executive Summary of Key Guidance
- Section I. Cloud Architecture
- Domain 1: Cloud Computing Architectural Framework
- Section II. Governing in the Cloud
- Domain 2: Governance and Enterprise Risk Management
- Domain 4: Electronic Discovery
- Domain 5: Compliance and Audit
- Domain 6: Information Lifecycle Management
- Domain 7: Portability and Interoperability
- Section III. Operating in the Cloud
- Domain 8: Traditional Security, Business Continuity and Disaster Recovery
- Domain 9: Data Center Operations
- Domain 10: Incident Response, Notification, and Remediation
- Domain 11: Application Security
- Domain 12: Encryption and Key Management
- Domain 13: Identity and Access Management
- Domain 14: Storage
- Domain 15: Virtualization
- Appendix A. Contact Information
Add a Comment