Per NIST, cloud computing is defined as a “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (NIST, 2011). In cloud computing, securing such a vast amount of data and protecting each of the systems that the cloud service communicates with can be quite the challenge. Thankfully, NIST, CSA, ITIL, and ISO all publish material that helps organizations increase the security of cloud applications, services, and products.
The National Institute of Standards and Technology (NIST), in 2012, created its first set of guidelines for managing cloud computing’s security and privacy issues. Guidelines on Security and Privacy in Public Cloud Computing (NIST Special Publication 800-144) shares a unique perspective on the various challenges that face cloud computing, including insight on risks, threats, and their proposed solutions. The most interesting aspect of the publication is NIST’s statement regarding the differing ways in which cloud computing is defined; without an accurate description of what the service does, how can one possibly begin to defend it? SP 800-144 provides a complete summary of the differences between cloud computing’s models (deployment and service), outsourcing and accountability issues, as well as threats in the following categories: governance, compliance, trust, architecture, identity and access management, software isolation, data protection, availability, and incident response. NIST’s publication also provides guidelines for securing cloud services, including proper research and planning of solutions, meeting organizational, local, and government security and privacy requirements, and always maintaining accountability for all data and applications.
In NIST’s SP 800-146, Cloud Computing Synopsis and Recommendations, benefits, guidelines, and recommendations for cloud computing are provided, as well as advice on securing its many deployment models. Regarding security, NIST recommends reducing the exposure of browsers and client devices by utilizing security best practices such as password complexity and renewal, patching, and strict policies for hardware and software usage and management. Encryption should be utilized for web sessions and network communications; NIST recommends encryption that is FIPS 140-2 compliant. Furthermore, SP 800-146 suggests enhanced physical security, authentication, and identity and access management procedures and policies.
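To make the session-encryption recommendation above concrete, the following Python script (added here as an illustration; it is not from NIST or any of the publications cited on this page) lints a constructed nginx-style TLS configuration against the protocol-and-cipher-suite portion of that recommendation, flagging obsolete protocol versions, catch-all cipher aliases, and non-AEAD cipher entries, and shows a weak block beside a hardened one. It assumes nginx’s `ssl_protocols` / `ssl_ciphers` directive syntax and OpenSSL cipher naming; whether the underlying cryptographic module is actually FIPS 140-2 validated is something a configuration lint cannot determine and is assumed to be verified separately.

```python
import re
from typing import Dict, List

# Constructed nginx-style TLS settings used as sample input for this example.
# Neither block is taken from a real server.
WEAK_CONFIG = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:RC4-SHA:DES-CBC3-SHA:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256;
"""

HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5;
"""

# Protocol versions below TLS 1.2 are no longer approved in current NIST TLS
# guidance (SP 800-52 Rev. 2), so any of these being enabled is a finding.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Substrings of OpenSSL cipher names or aliases that indicate broken
# primitives (RC4, DES/3DES, MD5, NULL, export grades) or catch-all groups
# (ALL, DEFAULT) that silently re-enable weak suites.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ALL", "DEFAULT")


def parse_directives(config: str) -> Dict[str, List[str]]:
    """Extract ssl_protocols and ssl_ciphers values from an nginx-style block.

    Protocols are space-separated; the cipher string is colon-separated.
    """
    found: Dict[str, List[str]] = {}
    for match in re.finditer(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);", config, re.M):
        key, value = match.group(1), match.group(2).strip()
        if key == "ssl_ciphers":
            found[key] = [entry for entry in value.split(":") if entry]
        else:
            found[key] = value.split()
    return found


def audit_tls_config(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passed."""
    directives = parse_directives(config)
    findings: List[str] = []

    protocols = directives.get("ssl_protocols", [])
    if not protocols:
        findings.append("ssl_protocols missing: server falls back to build defaults")
    for proto in protocols:
        if proto in OBSOLETE_PROTOCOLS:
            findings.append(f"obsolete protocol enabled: {proto}")

    ciphers = directives.get("ssl_ciphers", [])
    if not ciphers:
        findings.append("ssl_ciphers missing: server falls back to build defaults")
    for cipher in ciphers:
        if cipher.startswith("!"):
            continue  # an exclusion ("!MD5"), not an enabled suite
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak or catch-all cipher entry: {cipher}")
        elif "GCM" not in cipher and "CHACHA20" not in cipher:
            # CBC-mode suites such as AES128-SHA are not AEAD; prefer GCM/ChaCha20.
            findings.append(f"non-AEAD cipher entry: {cipher}")
    return findings


def main() -> None:
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_tls_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

Run against the two constructed blocks, the weak configuration yields seven findings (three obsolete protocol versions and four cipher entries) while the hardened one yields none. The check is deliberately conservative: it treats any cipher entry that is neither AEAD nor an explicit exclusion as a finding, which is the posture a reviewer would want when the goal is to hold web sessions to current NIST guidance.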
When comparing NIST’s cloud security management publications to those of the CSA, ITIL, and ISO, each is relatively similar, yet each has unique recommendations regarding the specific environment in which the cloud services are hosted. While the above-mentioned cloud security management publications are indeed different, they each have content that complements the others. In fact, regarding available IT controls, frameworks, and how they influence cloud governance models, none of NIST’s, CSA’s, ITIL’s, or ISO’s material covers everything on its own; because of this, organizations tend to utilize multiple cloud security management systems. CSA utilizes a security standard that covers thirteen domains; this provides organizations with the fundamental security principles that assist cloud vendors and their customers with assessing security risk. ITIL, on the other hand, comes in the form of a best-practice approach, offering thirty-four practices on how to improve internal IT services concerning the cloud. Finally, similar to ITIL’s methodology, ISO uses security standards (standards and best practices), which cover fourteen domains (ISO 27001); these are used to promote IT governance with cloud computing through checklists and guides.
Today’s organizations require sophisticated, custom cloud security management frameworks for their specific situation. The one-size-fits-all approach simply isn’t always practical. Due to the vast differences among businesses’ needs, expectations, risks, and possible benefits to be had by cloud adoption, utilizing all or parts of NIST’s, CSA’s, ITIL’s, and ISO’s cloud security management protocols will be superior to merely using one. Similar to how cloud deployment models work, a combination of private and public cloud usage is often ideal, whereas relying on only one may limit the functionality of the cloud’s services. Cloud technology is currently revolutionizing various areas of business operations, leaving those who build, maintain, and secure it scrambling to stay current with leading tactics and best practices. As the term “best practice” becomes more dated every year, many across the globe are redefining what best practices truly mean. Instead of using a cookie-cutter approach to cloud security, organizations need to revamp the recipe, adding in herbs and spices until the right taste, or in this case, security, is achieved.
To help identify each of NIST’s, CSA’s, ITIL’s, and ISO’s cloud security management protocols, what they cover, how they help, and how they are implemented, I have included a quick overview of each in the table below.
| Framework | Type | Coverage | What it provides | Implementation / scope |
|---|---|---|---|---|
| NIST | Guidelines and recommendations, security standards | Complete coverage using various sub-frameworks | Provides organizations with security and privacy challenges and solutions | Broad view of the entire system |
| CSA | Guidelines and recommendations, security standards | 13 domains | Provides organizations with the fundamental security principles that assist cloud vendors and their customers with assessing security risk | Broad view of the entire system |
| ITIL | Best practice (IT service-based) | 34 processes | Improves internal IT services in relation to the cloud | Easy to implement using guidelines and checklists |
| ISO | Security standard (combination of standard and best practice) using a risk-based approach | ISO 27001: 14 domains | Complete IT governance with cloud computing | Complete overview of all IT-related services, which extends to cloud computing |
Mell, P. & Grance, T. (2011, September 28). The NIST Definition of Cloud Computing. Retrieved October 19, 2020, from https://csrc.nist.gov/publications/detail/sp/800-145/final
Grance, T. & Jansen, W. (2018, November 10). Guidelines on Security and Privacy in Public Cloud Computing. Retrieved October 19, 2020, from https://www.nist.gov/publications/guidelines-security-and-privacy-public-cloud-computing
CSA. (2011). Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. Retrieved October 19, 2020, from https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
Gehrmann, M. (2012, August 17). Combining ITIL, COBIT, and ISO/IEC 27002 for Structuring Comprehensive Information Technology for Management in Organizations. Retrieved October 19, 2020, from https://pdfs.semanticscholar.org/2d25/2587574241b29cea014f6129720450433afc.pdf