
CSCC: 10 Steps Security for Cloud Computing Cheat Sheet (DRAFT) by [deleted]

CSCC: 10 Steps Security for Cloud Computing

This is a draft cheat sheet. It is a work in progress and is not finished yet.


The Cloud Standards Customer Council (CSCC) announced version 3 of its Security for Cloud Computing: 10 Steps to Ensure Success. The 10 steps are meant to be a reference guide for organizations to better analyze the security effects of cloud computing on the organization as a whole.

According to the CSCC, cloud security risks include loss of governance, isolation failure, management interface vulnerabilities, vendor lock-in, service unavailability, business failure of the provider, malicious behavior of insiders, and insecure or incomplete data deletion.

Step One

Ensure effective governance, risk and compliance by establishing chains of responsibility, understanding risk tolerance, understanding specific laws, notifying users if a breach occurs and ensuring app and data security.

Step Two

Audit operational and business processes. Audits should leverage an established standard, be carried out by skilled staff, and be done as part of a formal certification process, according to the CSCC.

Step Three

Manage people, roles and identities. “Customers must ensure that the cloud service provider has processes and functionality that govern who has access to the customer’s data and applications. Conversely, cloud service providers must allow the customer to assign and manage the roles and associated levels of authorization for each of their users in accordance with their security policies, and apply the principle of least privilege. These roles and authorization rights are applied on a per-resource, service or application basis,” the CSCC wrote.

Step Four

Ensure proper protection of data and information. According to the authors, “data protection is a component of enterprise risk management.” Protecting data is crucial in terms of risk management.

Step Five

Enforce privacy policies. “Enterprises are responsible for defining policies to address privacy concerns and raise awareness of data protection within their organization. They are also responsible for ensuring that their cloud service providers adhere to the defined privacy policies. Thus, customers have an ongoing obligation to monitor their provider’s compliance with customer policies. This includes an audit program covering all aspects of the privacy policies, including methods of ensuring that corrective actions will take place,” the council wrote.

Step Six

Assess the security provisions for cloud applications. The authors say that “organizations must apply the same diligence to application security in the cloud as in a traditional IT environment.” The responsibilities differ depending on the deployment model.
For example, in IaaS, the customer is responsible for most security components. In Platform-as-a-Service the provider is responsible for securing the operating system while the customer is responsible for application security. For Software-as-a-Service, the provider provides application security, while the customer is responsible for understanding things such as data encryption standards, audit capabilities, and SLAs.

Step Seven

Ensure cloud networks and connections are secure. The authors suggest that customers should have assurance on a provider’s internal and external network security.

Step Eight

Evaluate security controls on physical infrastructure and facilities. Security controls include: holding physical infrastructure in secure areas, protecting against external and environmental threats, putting controls in place to prevent loss of assets, proper equipment maintenance, and backup, redundancy and continuity plans.

Step Nine

Manage security terms in the cloud service agreement. “Since cloud computing typically involves at least two organizations – customer and provider, the respective security responsibilities of each party must be made clear. This is typically done by means of a cloud service agreement (CSA), which specifies the services provided and the terms of the contract between the customer and the provider,” according to the council.

Step Ten

Understand the security requirements of the exit process. Customer data should not remain with the provider after the exit process. The provider should be forced to cleanse log and audit data, though in some jurisdictions this isn’t possible because retention of records might be required by law.
