10

Not specific to any particular industry or requirements, but in general - are there currently commonly accepted standards regarding cloud-based applications?

I* am developing a system that will be deployed in the "cloud" (i.e. hosted by an IaaS/PaaS provider, à la Amazon EC2).
Besides any regulation or standard that applies specifically to my application - is there any formulated set of guidelines (not just best practices) or regulations specific to cloud architecture that I should comply with?

This is irrelevant to the type or content of the application, I'm asking specifically about the cloud infrastructure configuration.

The main intent here is to comply with any expectations the (enterprise) customers may have. (For actual security we are not relying on the regulations...)


(*) Okay, it's not really me, it's my client, but close enough.

AviD

2 Answers

4

There are no Cloud-specific ones I am aware of; however, you should definitely think about SoD:

Most Financial Audit regulations require Segregation of Duties (SoD), and generally these are relatively easy to manage in a traditional environment. In a virtualised environment (I'm looking at the wider scope of 'cloud' here) front and back office IT may end up being managed by the same individual or team, and may actually be on the same server, so when viewed from an audit perspective there is an increased risk of insider fraud. Regulations like Sarbanes-Oxley do require strict controls around segregation of duties, despite not being explicitly worded for IT in virtual environments.

Data Protection regulations are also likely to present an issue. Despite not being cloud specific, these regs tend to require that personal information remains within specific jurisdictions (eg Europe, US, UK) and if you have a standard 'cloud' there may not be any controls to restrict where data is actually stored. For example, if I wanted to store UK personal customer data on a cloud that is partially in the US I could fall foul of the UK's Data Protection Act 1998.

In terms of client expectations, cloud is often touted as being very resilient, due to its distributed nature, however outages do occur, and when they do, you are entirely reliant on the cloud provider sorting it out "in the cloud". See Amazon's April 2011 outage for an example.

Rory Alsop
  • Good point about availability. Also SoD, though that would again be dependent on the industry-specific regulations. Anyway, in this case we're talking about a specific system, so no risk of mixing front and back office... I guess it's the first line that is really what I was looking for. – AviD Feb 22 '12 at 11:24
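The two risks raised in this answer, data residency and segregation of duties, can be turned into checks run over a cloud inventory. The following is an added example, not code from the post or its author; the inventory, region names, principals and role names are constructed, and a real run would feed them from the provider's API.

```python
"""Compliance checks for two cloud-deployment risks: data residency
(personal data sitting outside its permitted jurisdictions) and
segregation of duties (one principal administering both front and
back office). All inventory below is constructed for illustration."""

# Assumption: UK customer data may only be stored in UK/EU regions.
ALLOWED_REGIONS = {
    "uk-customer-data": {"eu-west-2", "eu-west-1", "eu-central-1"},
}

# Constructed inventory: storage resources and the region they actually sit in.
STORES = [
    {"name": "customer-db-primary", "dataset": "uk-customer-data", "region": "eu-west-2"},
    {"name": "customer-db-replica", "dataset": "uk-customer-data", "region": "us-east-1"},
    {"name": "analytics-export", "dataset": "uk-customer-data", "region": "eu-west-1"},
]

# Constructed role bindings: which principal administers which tier.
BINDINGS = [
    {"principal": "alice", "role": "front-office-admin"},
    {"principal": "bob", "role": "back-office-admin"},
    {"principal": "carol", "role": "front-office-admin"},
    {"principal": "carol", "role": "back-office-admin"},
]

# Role pairs that a single principal must never hold at the same time.
CONFLICTING_ROLES = {("front-office-admin", "back-office-admin")}


def residency_violations(stores, allowed=ALLOWED_REGIONS):
    """Names of stores holding a governed dataset outside its permitted regions."""
    return sorted(s["name"] for s in stores
                  if s["dataset"] in allowed and s["region"] not in allowed[s["dataset"]])


def sod_violations(bindings, conflicts=CONFLICTING_ROLES):
    """Principals holding both halves of any conflicting role pair."""
    held_by = {}
    for b in bindings:
        held_by.setdefault(b["principal"], set()).add(b["role"])
    return sorted(p for p, held in held_by.items()
                  if any(a in held and b in held for a, b in conflicts))


if __name__ == "__main__":
    print("residency violations:", residency_violations(STORES))  # ['customer-db-replica']
    print("SoD violations:", sod_violations(BINDINGS))            # ['carol']
```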
3

We have consulted several in this space in the past 6 months. The emerging group for Security reference materials around cloud computing is the https://cloudsecurityalliance.org/

If you are developing an application to ride on the Service Provider stack - there are some great recommendations from the CSA on what to ask your provider and what minimum requirements should be in the Service Level Agreement.

In addition, you should, as the application provider, be doing all the common good security framework prior to handing over to your Service Provider - code testing, database hardening, integrated strong authentication into the application.

Ask your Service provider about testing of your web application once it goes live as well on their infrastructure. Make sure you're allowed to test it as part of the SLA.

  • Thanks, I'm familiar in general with CSA, but I haven't seen anything specific, as in say a checklist or set of standard guidelines for configuration. Can you point me at something specific? – AviD Feb 23 '12 at 10:13