Incorporating Security Provisions into the New ISO/IEC Cloud SLA Standards

No ratings

Presented at AusCERT 2014 by

David Ross

The cloud is offering businesses opportunities like never before. All the world is rushing out to throw its life's computing resources into the cloud, along with corporate secrets, critical systems, countless bucket-loads of personally identifiable and private data, often either dubiously protected or sometimes not at all. Here on the wild frontier, the sales managers have been shooting anything that moves, and everything is ‘cloud’. Outsourced services are now magically called cloud services, even though they remain unchanged as simply outsourced managed services, completely lacking those is essential cloud characteristics of rapid elasticity and on demand self-service. Meanwhile the world’s standards bodies have debated (at length!) the meaning of the word ‘cloud’ (and, indeed, the words ‘user’, ‘customer’, and ‘consumer’). While formal standardisation always lags behind the commonly accepted de jure implementation standards, slowly but surely the cogs turn and formal standardisation makes its way to the market. Over the last few years, experts from every corner of the globe have been working to achieve global standardisation, of not only interoperability, but also terminology, architectures, and the like, to take the hype out of cloud offerings and bring a level of certainty in a rapidly evolving landscape. In this presentation, a seasoned security practitioner, demonstrates the current failings of security provisions in many cloud service agreements, provides an overview of emerging international cloud computing standards – in particular the new ISO/IEC cloud SLA standards being very actively developed at the moment – and details how you can provide your direct input into this process at this critical stage. Your home-country national standards body wants your input! The author is a network security expert, Payment Card Industry Qualified Security Assessor (PCI QSA) and a Founding Director of the Cloud Security Alliance in Australia, and also participates in the current development of the ISO draft standards for cloud computing in collaboration with experts throughout the globe including the gamut of standards bodies and wide-ranging industry consortia.