Security standards are lists of best practices and processes defined by industry organizations to help organizations maintain their security posture and protect their data and systems.
While many security standards overlap with cloud security standards, confusion abounds around the shared responsibility model. Customers are often unsure where a cloud provider’s security responsibility ends and where theirs begins. This makes selecting standards difficult.
The following is a list of professional and technical organizations that work to address cloud security issues. It includes organizations responsible for issuing cybersecurity standards and, by extension, cloud security standards. Also, read guidance on how to select a standard and how to prepare for potential audits.
Professional and technical organizations
The following groups, task forces and associations offer resources and standards on cloud security.
Distributed Management Task Force
DMTF develops standards for existing and new technologies, such as the cloud. Its working groups address cloud issues in greater detail, including the Open Cloud Standards Incubator, Cloud Management Working Group and Cloud Auditing Data Federation.
European Telecommunications Standards Institute
ETSI primarily develops telecommunications standards. Among its cloud-focused activities are the Cloud Standards Coordination working group and Technical Committee Cloud. Both of these groups address different cloud technology issues.
Open Grid Forum
OGF develops standards for grid computing, cloud, and advanced digital networking and distributed computing technologies. Among its cloud-focused activities is the Open Cloud Computing Interface set of specifications, which include the OCCI Core specification and OCCI Infrastructure specification.
Open Commons Consortium
OCC, formerly known as the Open Cloud Consortium, offers an open knowledge repository of cloud computing and data commons resources via a variety of academic and scientific research initiatives.
Organization for the Advancement of Structured Information Standards
OASIS is a nonprofit that develops open standards for security, cloud technology, IoT, content technologies and emergency management. Its cloud technical committees include the OASIS Cloud Application Management for Platforms, OASIS Identity in the Cloud, and OASIS Topology and Orchestration Specification for Cloud Applications.
Storage Networking Industry Association
SNIA developed the Cloud Data Management Interface (CDMI), which defines an interface to access cloud storage and to manage the data stored within the cloud resource. It is typically used by cloud storage systems developers. CDMI is now an ISO standard, ISO/IEC 17826:2016 Information technology — CDMI.
The Open Group
This consortium of technology industry organizations develops standards and accreditations for a variety of IT issues. Its Open Platform 3.0 Forum is a working group whose activities focus on mobility, social networks, big data analytics, cloud computing and IoT.
TM Forum
TM Forum is a global consortium of technology firms that offers a collaborative platform for addressing technology issues. Its Cloud Services Initiative provides resources on creating cloud standards for both technology firms and users.
Standards organizations, regulations and frameworks
The following standards organizations create standards, frameworks and other documents that can be applied to cloud applications. Also included in this list are regulations and frameworks related to cloud security.
National Institute of Standards and Technology
NIST develops and distributes standards primarily for government use, but they are widely used by private industry, too. Its Special Publication (SP) series of standards is used extensively in public and private sectors.
- NIST SP 500-291 (2011), NIST Cloud Computing Standards Roadmap provides a compilation of available standards on cloud computing and examines standards priorities and where gaps in the standards exist.
- NIST SP 500-293 (2014), U.S. Government Cloud Computing Technology Roadmap provides a detailed framework and structure for cloud computing infrastructures. While it’s designed for government applications, it can also be used in the private sector.
- NIST SP 800-53 Rev. 5 (2020), Security and Privacy Controls for Information Systems and Organizations is a widely used standard for information system security and is applicable to cloud security.
- NIST SP 800-144 (2011), Guidelines on Security and Privacy in Public Cloud Computing provides guidance and recommendations on implementing a secure environment in public cloud services.
- NIST SP 800-145 (2011), The NIST Definition of Cloud Computing describes important aspects of cloud computing and serves as a benchmark for comparing cloud services and deployment strategies. It also provides a foundation for discussions on cloud computing and how to use it.
- NIST SP 800-210 (2020), General Access Control Guidance for Cloud Systems describes cloud access controls, security controls and guidance for cloud-based delivery options, such as IaaS and PaaS.
- NIST Standards Acceleration to Jumpstart Adoption of Cloud Computing performs three activities that work together to encourage greater use of cloud:
  - NIST recommends existing standards.
  - NIST coordinates contributions from various organizations into cloud specifications.
  - NIST identifies gaps in cloud standards and encourages outside firms to fill the gaps.
- NIST Cloud Computing Program (NCCP) defines a model and framework for building a cloud infrastructure. NCCP is composed of five advanced technology characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. It covers SaaS, PaaS and IaaS models, as well as private, public and hybrid cloud deployment models.
- NIST Cybersecurity Framework is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risks based on existing best practices. It can be used by non-U.S. and non-critical infrastructure organizations.
International Organization for Standardization
ISO develops standards for many kinds of systems and technologies, including the following for cloud environments:
- ISO/IEC 17789:2014, Information technology — Cloud computing — Reference architecture defines cloud computing roles, cloud computing activities, and cloud computing functional components and how they interact.
- ISO/IEC 17826:2016, Information technology — CDMI, as mentioned above, defines an interface to access cloud storage and to manage the data stored within the cloud resource.
- ISO/IEC 18384:2016, Information Technology — Reference Architecture for Service Oriented Architecture defines vocabulary, guidelines and general technical principles underlying service-oriented architectures, which are often deployed in cloud platforms.
- ISO/IEC 19086:2016, Information technology — Cloud computing — Service level agreement framework provides the framework for preparing SLAs for cloud services.
- ISO/IEC 19941:2017, Information technology — Cloud computing — Interoperability and portability specifies the interoperability and portability aspects of cloud computing.
- ISO/IEC 19944:2020, Cloud computing and distributed platforms — Data flow, data categories and data use describes how data moves among cloud service vendors and users of cloud services.
- ISO/IEC 22123:2021, Information technology — Cloud computing — Part 1: Vocabulary and Part 2: Concepts provides the fundamental terms and definitions in cloud computing.
- ISO/IEC Technical Report 22678:2019, Information technology — Cloud computing — Guidance for policy development provides guidance for developing cloud-focused policies.
- ISO/IEC Technical Specifications 23167:2020, Information technology — Cloud computing — Common technologies and techniques describes technologies and techniques used in cloud computing, such as VMs, microservices and containers.
- ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements provides the framework and guidance for creating an information security management system that is applicable to cloud and noncloud applications. It’s also a framework for conducting cloud security audits.
- ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls is the companion standard to ISO 27001. It supports and facilitates ISO 27001 implementation by providing best practice guidance on applying the security controls listed in the standard.
- ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services provides guidance on the information security aspects of cloud computing and cloud-specific information security controls.
- ISO/IEC 27018:2019, Information technology — Security techniques — Code of practice for protection of personally identifiable information in public clouds acting as PII processors provides guidance on ensuring privacy within public cloud environments that process PII.
ISACA
ISACA, previously known as the Information Systems Audit and Control Association, is a professional organization that addresses information assurance, governance and security for audit professionals. It created the Control Objectives for Information and Related Technologies (COBIT) framework. COBIT is widely used in IT governance and security.
Payment Card Industry Data Security Standard
PCI DSS applies to organizations that process, store or transmit cardholder data. It is applicable to cloud service providers (CSPs).
General Data Protection Regulation
GDPR is a global data protection regulation developed by the European Union. It addresses the need for a broad range of data protection activities, especially cybersecurity.
Health Insurance Portability and Accountability Act Security Rule
The HIPAA Security Rule is used as an audit and assessment standard for healthcare and nonhealthcare institutions. Part 164, in particular, includes requirements for protecting the security and integrity of electronic personal health information.
Federal Risk and Authorization Management Program
FedRAMP is a framework that provides standardized guidelines to help federal agencies and the private sector evaluate cyberthreats and cyber risks to infrastructure platforms and cloud-based services and software options.
Federal Information Security Management Act
FISMA is a framework and set of compliance rules that define security actions government agencies can use to enhance their cybersecurity posture and protect critical information systems from different types of attacks.
How to select an appropriate standard
With so many standards, regulations, frameworks and other practice documents, IT professionals often have difficulty selecting the most relevant option for their organization.
If your organization is looking to deploy its own cloud services, review the aforementioned standards, conduct research into the various cloud working groups and technical committees, and examine the standards being used by major CSPs, such as AWS and Microsoft Azure. Chances are IT departments will have already performed considerable due diligence on these issues, so achieving compliance with standards will be an important outcome.
When using a third-party cloud provider, check how it achieves compliance with cloud security standards. Ask qualified individuals about security compliance as part of the evaluation process. Alternately, examine a cloud vendor’s most recent System and Organization Controls Type 2 (SOC 2) reports. These reports examine the controls used by vendors to protect customer data and verify the operational effectiveness of those controls. For CSPs, SOC 2 reports should document the standards and practices the vendor uses to protect the security and privacy of user data.
How to prepare for a cloud security audit
Depending on who is performing the audit — the IT department, the internal audit department or an external IT auditor — ensure existing security controls, especially those applicable to cloud services, are documented and periodically reviewed and updated. Make sure the audit entity has experience with cloud services and cloud security controls.
To start, identify the controls that need to be addressed by security policies and procedures. As with any audit, preparation is essential: evidence that each security control is actually performed is what makes for a smooth and hassle-free audit experience.