Transcription of SECURITY GUIDANCE FOR CRITICAL AREAS OF FOCUS IN …
1 SECURITY GUIDANCE FOR CRITICAL AREAS OF FOCUS IN cloud COMPUTING SECURITY GUIDANCE FOR CRITICAL AREAS OF FOCUS IN cloud COMPUTING 2011 cloud SECURITY ALLIANCE | 1 INTRODUCTION The GUIDANCE provided herein is the third version of the cloud SECURITY Alliance document, SECURITY GUIDANCE for CRITICAL AREAS of FOCUS in cloud Computing, which was originally released in April 2009. The permanent archive locations for these documents are: (this document) (version 2 GUIDANCE ) (version 1 GUIDANCE ) In a departure from the second version of our GUIDANCE , each domain was assigned its own editor and peer reviewed by industry experts.
2 The structure and numbering of the domains align with industry standards and best practices. We encourage the adoption of this GUIDANCE as a good operating practice in strategic management of cloud services. These white papers and their release schedule are located at: In another change from the second version, there are some updated domain names. We have these changes: Domain 3: Legal Issues: Contracts and Electronic Discovery and Domain 5: Information Management and Data SECURITY . We now have added another domain, which is Domain 14: SECURITY as a Service 2011 cloud SECURITY Alliance.
3 All rights reserved. You may download, store, display on your computer, view, print, and link to the cloud SECURITY Alliance GUIDANCE at subject to the following: (a) the GUIDANCE may be used solely for your personal, informational, non-commercial use; (b) the GUIDANCE may not be modified or altered in any way; (c) the GUIDANCE may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the GUIDANCE as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the cloud SECURITY Alliance GUIDANCE Version (2011).
4 SECURITY GUIDANCE FOR CRITICAL AREAS OF FOCUS IN cloud COMPUTING 2011 cloud SECURITY ALLIANCE | 2 TABLE OF CONTENTS Introduction .. 1 Foreword .. 3 Acknowledgments .. 4 Letter from the Editors .. 6 An Editorial Note on Risk .. 8 Section I. cloud Architecture .. 11 Domain 1: cloud Computing Architectural Framework .. 12 Section II. Governing in the cloud .. 29 Domain 2: Governance and Enterprise Risk Management .. 30 Domain 3: Legal Issues: Contracts and Electronic Discovery .. 35 Domain 4: Compliance and Audit Management.
5 45 Domain 5: Information Management and Data SECURITY .. 50 Domain 6: Interoperability and Portability .. 64 Section III. Operating in the cloud .. 73 Domain 7: Traditional SECURITY , Business Continuity, and Disaster Recovery .. 74 Domain 8: Data Center Operations .. 89 Domain 9: Incident Response .. 93 Domain 10: Application SECURITY .. 103 Domain 11: Encryption and Key Management .. 129 Domain 12: Identity, Entitlement, and Access Management .. 136 Domain 13: Virtualization .. 157 Domain 14: SECURITY as a Service.
6 162 SECURITY GUIDANCE FOR CRITICAL AREAS OF FOCUS IN cloud COMPUTING 2011 cloud SECURITY ALLIANCE | 3 FOREWORD Welcome to the third version of the cloud SECURITY Alliance s SECURITY GUIDANCE for CRITICAL AREAS of FOCUS in cloud Computing. As cloud computing begins to mature, managing the opportunities and SECURITY challenges becomes crucial to business development. We humbly hope to provide you with both GUIDANCE and inspiration to support your business needs while managing new risks. The cloud SECURITY Alliance has delivered actionable, best practices based on previous versions of this GUIDANCE .
7 As we continue to deliver tools to enable businesses to transition to cloud services while mitigating risk, this GUIDANCE will act as the compass for our future direction. In , you will find a collection of facts and opinions gathered from over seventy industry experts worldwide. We have compiled this information from a range of activities, including international chapters, partnerships, new research, and conference events geared towards furthering our mission. You can follow our activities at The path to secure cloud computing is surely a long one, requiring the participation of a broad set of stakeholders on a global basis.
8 However, we should happily recognize the progress we are seeing: new cloud SECURITY solutions are regularly appearing, enterprises are using our GUIDANCE to engage with cloud providers, and a healthy public dialogue over compliance and trust issues has erupted around the world. The most important victory we have achieved is that SECURITY professionals are vigorously engaged in securing the future, rather than simply protecting the present. Please stay engaged on this topic and continue to work with us to complete this important mission.
9 Best Regards, Jerry Archer Dave Cullinane Nils Puhlmann Alan Boehme Paul Kurtz Jim Reavis The cloud SECURITY Alliance Board of Directors SECURITY GUIDANCE FOR CRITICAL AREAS OF FOCUS IN cloud COMPUTING 2011 cloud SECURITY ALLIANCE | 4 ACKNOWLEDGMENTS Domain Authors/Contributors Domain 1: Chris Hoff, Paul Simmonds Domain 2: Marlin Pohlman, Becky Swain, Laura Posey, Bhavesh Bhagat Domain 3: Francoise Gilbert, Pamela Jones Harbour, David Kessler, Sue Ross, Thomas Trappler Domain 4: Marlin Pohlman, Said Tabet Domain 5: Rich Mogull, Jesus Luna Domain 6: Aradhna Chetal, Balaji Ramamoorthy, Jim Peterson, Joe Wallace, Michele Drgon, Tushar Bhavsar Domain 7: Randolph Barr, Ram Kumar, Michael Machado, Marlin Pohlman Domain 8: Liam Lynch Domain 9: Michael Panico, Bernd Grobauer, Carlo Espiritu, Kathleen Moriarty, Lee Newcombe, Dominik Birk, Jeff Reed Domain 10: Aradhna Chetal, Balaji Ramamoorthy, John Kinsella, Josey V.
10 George, Sundararajan N., Devesh Bhatt, Tushar Bhavsar Domain 11: Liam Lynch Domain 12: Paul Simmonds, Andrew Yeomans, Ian Dobson, John Arnold, Adrian Secombe, Peter Johnson, Shane Tully, Balaji Ramamorthy, Subra Kumaraswamy, Rajiv Mishra, Ulrich Lang, Jens Laundrup, Yvonne Wilson Domain 13: Dave Asprey, Richard Zhao, Kanchanna Ramasamy Balraj, Abhik Chaudhuri, Melvin M. Rodriguez Domain 14: Jens Laundrup, Marlin Pohlman, Kevin Fielder Peer Reviewers Valmiki Mukherjee, Bernd Jaeger, Ulrich Lang, Hassan Takabi, Pw Carey, Xavier Guerin, Troy D.
