Physical and Environmental Protection ISO/IEC TS 22237-2 Protection and Availability Classes ISO/IEC TS 22237-2 lists multiple layers of security referred to as classes. Each class has a guidance profile that specifies the proper controls that should exist at each layer. Outer layers have less stringent control guidance than inner layers. The two topics of control…
Secure Cloud Data Center Design – Part 2
Physical Environment ISO/IEC TS 22237-1:2018: Information technology — Data center facilities and infrastructures enumerates availability and protection classes that define different levels of recommended environment restrictions, automated support systems, and design criteria for data centers. The ISO/IEC 22237 seven-part series is comprised of: ISO/IEC TS 22237-1:2018 Information technology — Data center facilities and infrastructures outlines…
Secure Cloud Data Center Design – Part 1
Secure cloud data center design begins with a logical design that then leads to physical design. ISO/IEC 19441:2017 provides illumination on two key concerns related to data in a data center, namely portability and interoperability. The basic environmental protection concerns within a data center are evolving to include concerns outside of the data center. Logical…
Cloud Computing: Compute and Storage
Compute The compute resources of a cloud service provider are a combination of: The number of CPUs The amount of RAM memory These compute resources are managed and allocated on a per-guest OS and/or a per-host basis within a resource cluster. The use of reservations, limits, and shares provides the contextual ability for an administrator…
Cloud Computing: Network and Communications
Systems and services related to network and communications are not directly related to the cloud. However, network and communication services and the components that make those services possible are integral resources to cloud service and consumption. Network function virtualization (NFV) and software-defined networking (SDN) are the two ways in which traditional network management and presentation…
Cloud Computing: Virtualization and Management Plane
Virtualization involves sharing underlying resources to enable a more efficient and agile use of hardware, which drives management efficiency through reduced personnel resourcing and maintenance. Virtualization provides the ability to run multiple operating systems (guests) and their associated applications on a single physical host. The guest is an isolated software instance that is operable with…
Continuous Operations
In order to support continuous operations, the following principles should be adopted as part of the security operations policies. Audit logging: Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory, or regulatory compliance obligations. Audit logging also provides unique user access accountability that can…
Data Event Logging and Event Attributes
In order to be able to perform effective audits and investigations, the event log should contain as much of the relevant data as possible for the processes being examined. OWASP Proactive Controls v3.0, section C9, recommends the following when implementing security logging functions. For security logging implementation: Use a common logging format and approach within…
An Effective Information Security Continuous Monitoring (ISCM) Strategy
Continuous monitoring is a concept that has grown in importance during the transition to cloud computing. Information Security Continuous Monitoring (ISCM) is defined as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” Resource: NIST SP 800-137, page vi http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf The terms continuous and ongoing in this context mean…
Applying Controls for Personally Identifiable Information (PII)
The operative application of defined controls for the protection of PII is widely affected by the “cluster” of providers/sub-providers involved in the operation of a specific cloud service; therefore, any attempt to provide guidelines for this can be made only at a general level. Since the goal of applying data protection measures is to fulfill…