Advances, Systems and Applications

Table 2 Summary of ENISA and NIST security frameworks

From: A quantitative analysis of current security concerns and solutions for cloud computing

Framework

Objectives

Structure and comments

ENISA Report

• Study on benefits and risks when adopting cloud solutions for business operations

• Provide information for security assessments and decision making

• Three main categories of cloud-specific risks (policy and organizational, technical, legal) plus one extra category for risks that are not cloud specific

• Offers basic guidelines and best practices for avoiding or mitigating their effects

• Presents recommendations for further studies related to trust building (certifications, metrics and transparency), large scale data protection (privacy, integrity, incident handling and regulations) and technical aspects (isolation, portability and resilience)

• Highlights the duality of scalability (fast, flexible and accessible resources versus concentrations of data attracting attackers and also providing infrastructure for aiding their operations)

• Extensive study on risks considering their impact and probability

NIST Taxonomy

• Define what cloud services should provide rather than how to design and implement solutions

• Ease the understanding of cloud internal operations and mechanisms

• Taxonomy levels:

   - First level: cloud roles (service provider, consumer, cloud broker, cloud carrier and cloud auditor)

   - Second level: activities performed by each role (cloud management, service deployment, cloud access and service consumption)

   - Third and following levels: elements which compose each activity (deployment models, service types and auditing elements)

• Based on publication SP 500-292, highlighting the importance of security, privacy and levels of confidence and trust to increase technology acceptance

• Concentrates many useful concepts, such as models for deploying or classifying services

  1. Table summarizing information on ENISA and NIST security frameworks.