1.

Aside from cloud adoption, which cloud security framework should I carefully weigh up to define policies and procedures for implementing and managing controls, and ultimately to meet the business objectives?

Answer»
  • Cloud Security Alliance’s Cloud Controls Matrix version 3.0.1

If you need to assess the security risks of a cloud provider, this framework will bear fruit; on the other hand, it provides fundamental security concepts and principles in 13 domains and 133 controls for the vendor to follow.

Known as CCM for short, from the vendor’s perspective it improves or enhances security control environments by emphasizing business information security control requirements and by identifying and mitigating security threats and vulnerabilities in the cloud. The matrix also offers cloud taxonomy and terminology, security measurements, and standardized security risk, IT risk and operational risk, notably when managing one or all of them.

| Sr. No. | Cloud Control Matrix - Domains | No. of Controls for Each Domain (Cloud Security Alliance) |
|---|---|---|
| 1. | AIS: Application & Interface Security | 4 |
| 2. | AAC: Audit Assurance & Compliance | 3 |
| 3. | BCR: Business Continuity Management & Operational Resilience | 11 |
| 4. | CCC: Change Control & Configuration Management | 5 |
| 5. | DSI: Data Security & Information Lifecycle Management | 7 |
| 6. | DCS: Datacenter Security | 9 |
| 7. | EKM: Encryption & Key Management | 4 |
| 8. | GRM: Governance and Risk Management | 11 |
| 9. | HRS: Human Resources | 11 |
| 10. | IAM: Identity & Access Management | 13 |
| 11. | IVS: Infrastructure & Virtualization Security | 13 |
| 12. | IPY: Interoperability & Portability | 5 |
| 13. | MOS: Mobile Security | 20 |
| 14. | SEF: Security Incident Management, E-Discovery & Cloud Forensics | 5 |
| 15. | STA: Supply Chain Management, Transparency and Accountability | 9 |
| 16. | TVM: Threat and Vulnerability Management | 3 |

  • NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing

If you are considering adopting public cloud computing, then this 80-page document should come to light. It gives you the big picture of the security and privacy challenges and the crucial points to consider when you outsource your data, applications and infrastructure to a public cloud provider, which owns and operates the infrastructure and computational resources and delivers services to the public via a multi-tenant platform.

As the paper itself states, it does not recommend any specific cloud computing service, service arrangement, service agreement, service provider, or deployment model. The consequence is that each organization is encouraged to apply its very own guidelines when analyzing its requirements, inclusive of security and privacy, and to assess, select, engage, and oversee the public cloud services that can best fulfil those requirements.

Other than the two frameworks explained above, you could also bring another document, titled ‘Security Guidance for Critical Areas of Focus in Cloud Computing v4.0’ from the Cloud Security Alliance (CSA), into play. Developed from previous iterations of the security guidance, dedicated research, and public participation from their members, working groups, and industry experts within their community, it explains how to manage and mitigate security risks in adopting cloud computing technology while also pledging guidance and insights to support business goals.
