From the course: Cybersecurity Foundations
Clouding the issues
- [Instructor] Cloud technology is no longer a novel approach to deploying infrastructure, but is a mainstream option for enterprises. Cloud security solutions may be deployed by the enterprise IT team, or solutions may be deployed by business groups. There are three forms of Cloud deployments in common use, infrastructure as a service, platform as a service and software as a service. However, there are many more specialist forms of Cloud service that can be used. In all cases, there's a need for security controls to be used to protect the Cloud solution, just as there is for an open premise solution. However, there are some differences in the controls when using them for Cloud, and there are some new controls that need to be considered. The International Standards Organization has produced an ISO 27,000 standard for Cloud known as ISO 27017. This is based on ISO 27002, and includes an additional six controls. NIST has produced the SP 800-144, "Guidelines on Security and Privacy in Public Cloud Computing," which refers back to the SP 853 controls. However, the main reference for Cloud security is the "Cloud Security Alliance Security Guidance" for critical areas of focus in Cloud computing, with its 14 areas of controls. These domains provide a full description of Cloud, its security needs, and the controls needed to protect Cloud deployments. The guidance is supported by a Cloud controls matrix, which can be downloaded from the CSA site, shown here. The Cloud Controls Matrix provides the fundamental security principles that should be adopted by Cloud vendors and that can assist Cloud customers in assessing the overall security risk of a Cloud provider. It provides clarity on the shared responsibilities between the Cloud service provider and customer, according to the form of Cloud. More importantly, it provides a controls framework cross-reference to the other major security standards recognized in industry. Version 3.0.1 of the CCM has 133 controls in 16 domains. The 16 domains can be seen here. They don't align with the domains in the security guidance for critical areas of focus in Cloud computing, but they do provide a comprehensive coverage of security across Cloud, starting with application and interface security and finishing with threatened vulnerability management. However, the main reference for Cloud security is the "Cloud Security Alliance Security Guidance" for critical areas of focus in Cloud computing, with its 14 areas of controls.
Download courses and learn on the go
Watch courses on your mobile device without an internet connection. Download courses using your iOS or Android LinkedIn Learning app.