Addressing Cloud Security Threats with Standards

In a recent SNIA webinar, Cloud Standards: What They Are, Why You Should Care, the SNIA Cloud Storage Technologies Initiative (CSTI) highlighted some of the key cloud computing standards being developed and published by the ISO/IEC JTC 1/SC 38 (Cloud Computing and Distributed Platforms) and SC 27 (Information security, cybersecurity and privacy protection) standards committees. While ISO and IEC are not the only organizations producing cloud computing standards and specifications (e.g., ITU-T, OASIS, NIST, ENISA, SNIA, etc.), their standards, sometimes developed jointly with ITU-T, can play a role in addressing WTO Agreement on Technical Barriers to Trade (TBT) issues. More importantly, they provide a baseline of cloud terminology, concepts, guidance/requirements, and expectations that is recognized internationally.

Cloud Terminology

As highlighted in the SNIA CSTI webinar, establishing a common cloud vocabulary was an early concern because several software providers engaged in a bit of cloud washing (relabeling existing products as "cloud"), which injected confusion into the market. ISO/IEC 17788 | ITU-T Y.3500 (Cloud computing – Overview and vocabulary), which drew heavily on NIST Special Publication 800-145 (The NIST Definition of Cloud Computing), and ISO/IEC 17789 | ITU-T Y.3502 (Cloud computing – Reference architecture) clarified many aspects of cloud computing (e.g., key characteristics, deployment models, roles and activities, service categories, frameworks, etc.). Since their publication, however, there have been many developments and clarifications within cloud, so SC 38 is working to capture these details in a new multi-part standard, ISO/IEC 22123, with Part 1 focused on cloud terminology and Part 2 expanding on the cloud concepts; look for Part 1 later in 2020. Both ISO/IEC 17788 and ISO/IEC 17789 are available at no cost from the ISO web site (see https://standards.iso.org/ittf/PubliclyAvailableStandards/) as well as the ITU-T SG13 web site (see https://www.itu.int/en/ITU-T/studygroups/2017-2020/13/Pages/default.aspx).

Cloud Computing – SLA Framework

Another cloud standard highlighted in the SNIA CSTI webinar was the multi-part ISO/IEC 19086 (Cloud computing – Service level agreement (SLA) framework). This service- and vendor-neutral standard offers a unified set of considerations to help organizations make decisions about cloud adoption, as well as a common basis for comparing cloud service offerings. Part 1 establishes a set of common cloud SLA building blocks (concepts, terms, definitions, contexts) that can be used to create cloud SLAs. Part 2 defines a model for specifying metrics for cloud SLAs. Part 3 specifies the core conformance requirements for SLAs for cloud services based on Part 1, along with guidance on those core conformance requirements. Part 4 specifies conformance requirements for SLAs that address security and protection of PII components. Parts 1 and 2 (ISO/IEC 19086-1 and ISO/IEC 19086-2) are available at no cost from the ISO web site (see https://standards.iso.org/ittf/PubliclyAvailableStandards/).

Security Techniques for Supplier Relationships

The next standard highlighted in the webinar was ISO/IEC 27036 (Security techniques – Information security for supplier relationships). As the title implies, this multi-part standard offers guidance on the evaluation and treatment of information risks involved in the acquisition of goods and services from suppliers (i.e., supply chain security).

  • Part 1 (Overview and concepts) provides general background information and introduces the key terms and concepts in relation to information security in supplier relationships, including information risks commonly arising from or relating to business relationships between acquirers and suppliers.
  • Part 2 (Requirements) specifies fundamental information security requirements pertaining to business relationships between suppliers and acquirers of various products (goods and services); although Part 2 contains requirements, the document explicitly states that it is not intended for certification purposes.
  • Part 3 (Guidelines for ICT supply chain security) guides both suppliers and acquirers of ICT goods and services on information risk management relating to the widely dispersed and complex supply chain (e.g., malware, counterfeit products, organizational risks); Part 3 does not address business continuity management.
  • Part 4 (Guidelines for security of cloud services) guides cloud providers and customers on gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services. SC 27 has initiated efforts to revise ISO/IEC 27036, but new versions are unlikely to be available before 2023. ISO/IEC 27036-1 is available at no cost from the ISO web site (see https://standards.iso.org/ittf/PubliclyAvailableStandards/).

Cloud Security & Privacy

The last group of cloud standards covered in the webinar was a few from SC 27 that relate to cloud security and privacy. ISO/IEC 27017 | ITU-T X.1631 (Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services) provides both cloud customers and providers with additional information security controls and implementation advice beyond that provided in ISO/IEC 27002, in the cloud computing context; this document was not intended as a certification standard for cloud service providers specifically, because they can be certified compliant with ISO/IEC 27001 like any other organization. ISO/IEC 27018 (Security techniques – Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors) expands upon ISO/IEC 27002 and provides guidance aimed at ensuring that public cloud service providers offer suitable information security controls to protect the privacy of their customers' clients by securing the PII entrusted to them. ISO/IEC 27040 (Security techniques – Storage security) provides guidance on securing most forms of storage technology, on which cloud is often dependent, and specifically addresses cloud storage. SC 27 has initiated efforts to revise ISO/IEC 27040, but a new version is unlikely to be available before 2023. While not specific to cloud, the webinar also covered ISO/IEC 27701 (Security techniques — Extension to ISO/IEC 27001 and to ISO/IEC 27002 for privacy information management — Requirements and guidelines) because its recent publication is likely to have an impact on ISO/IEC 27018, especially since certified compliance with that standard is under discussion within SC 27.

But Wait, There’s More

There are several other published cloud standards, technical reports (TR), and technical specifications (TS) that were not addressed in the webinar, including:

  • ISO/IEC 17826:2012, Information technology — Cloud Data Management Interface (CDMI)
  • ISO/IEC 19941:2017, Information technology — Cloud computing — Interoperability and portability
  • ISO/IEC 19944:2017, Information technology — Cloud computing — Cloud services and devices: data flow, data categories and data use
  • ISO/IEC 22624:2020, Information technology – Cloud computing – Taxonomy based data handling for cloud services
  • ISO/IEC TR 22678:2019, Information technology – Cloud computing – Guidance for policy development
  • ISO/IEC TS 23167:2018, Information technology – Cloud computing – Common technologies and techniques
  • ISO/IEC TR 23186:2018, Information technology – Cloud computing – Framework of trust for processing of multi-sourced data
  • ISO/IEC TR 23188:2020, Information technology – Cloud computing – Edge computing landscape

Additionally, there are several other cloud projects in various stages of development, including:

  • ISO/IEC AWI TR 3445, Information technology — Cloud computing — Guidance and best practices for cloud audits
  • ISO/IEC TR 23187, Information technology – Cloud computing – Interacting with cloud service partners (CSNs)
  • ISO/IEC 23613, Information technology – Cloud computing – Cloud service metering elements and billing modes
  • ISO/IEC 23751, Information technology – Cloud computing and distributed platforms – Data sharing agreement (DSA) framework
  • ISO/IEC 23951, Information technology – Cloud computing – Guidance for using the cloud SLA metric model

Cloud standardization continues to be an active area of work for ISO and there are likely to be many more standards to come.