Advances, Systems and Applications
From: A quantitative analysis of current security concerns and solutions for cloud computing
Framework | Objectives | Structure and comments
---|---|---
CSA Guidance | • Recommendations for reducing risks • No restrictions regarding specific solutions or service types • Guidelines not necessarily applicable to all deployment models • Provide an initial structure for dividing research efforts | • One architectural domain • Governance domains: risk management, legal concerns, compliance, auditing, information management, interoperability and portability • Operational domains: traditional and business security, disaster recovery, data center operations, encryption, application security, identification, authorization, virtualization, security outsourcing • Emphasis on the fact that cloud is not bound to virtualization technologies, though cloud services heavily depend on virtualized infrastructures to provide flexibility and scalability
CSA Top Threats | • Provide context for risk management decisions and strategies • Focus on issues which are unique to, or highly influenced by, cloud computing characteristics | • Seven main threats: abuse and malicious use of cloud resources; insecure APIs; malicious insiders; shared technology vulnerabilities; data loss and leakage; hijacking of accounts, services and traffic; unknown risk profile (security obscurity) • Summarizes information on the top threats and provides examples, remediation guidelines, the impact caused and which service types (based on the SPI model) are affected
CSA Architecture | • Enable trust in the cloud based on well-known standards and certifications allied to security frameworks and other open references • Use widely adopted frameworks in order to achieve standardization of policies and best practices based on already accepted security principles | • Four sets of frameworks (security, NIST SPI, IT audit and legislative) and four architectural domains (SABSA for business architecture, ITIL for service management, Jericho for security and TOGAF for IT reference) • Three-dimensional structure based on the premises of cloud delivery, trust and operations • Concentrates a plethora of concepts and information related to service operation and security