1. Security Management Standards
Based on the authors’ assessment, the standards that are relevant to
security management practices in the cloud are ITIL and ISO/IEC 27001
and 27002.
1.1. ITIL
The Information Technology Infrastructure Library (ITIL) is a set
of best practices and guidelines that define an integrated,
process-based approach for managing information technology services.
ITIL can be applied across almost every type of IT environment including
cloud operating environment. ITIL seeks to ensure that effective
information security measures are taken at strategic, tactical, and
operational levels. Information security is considered an iterative
process that must be controlled, planned, implemented, evaluated, and
maintained.
ITIL breaks information security down into:
Policies: the overall objectives an organization is attempting to achieve
Processes: what has to happen to achieve the objectives
Procedures: who does what and when to achieve the objectives
Work instructions: instructions for taking specific actions
The ITIL security management process is based on the code of
practice for information security management, also known as ISO/IEC
17799:2005. The ITIL security management process has relationships with
almost all other ITIL processes. However, the most obvious relationships
are to the service-level management, incident management, and change
management processes, since they greatly influence the state of security
in the system (server, network, or application). ITIL is also related to
ISO/IEC 20000, the first international standard for IT Service Management
(ITSM); ISO/IEC 20000 is based on, and is intended to supersede, the
earlier British standard BS 15000.
Organizations and management systems cannot be certified as
“ITIL-compliant.” An organization that has implemented ITIL guidance in
ITSM can, however, achieve compliance with and seek certification under
ISO/IEC 20000.
1.2. ISO 27001/27002
ISO/IEC 27001 formally defines the mandatory requirements for an
Information Security Management System (ISMS). It is also a certification standard and uses ISO/IEC
27002 to indicate suitable information security controls within the
ISMS. However, since ISO/IEC 27002 is merely a code of practice/guideline
rather than a certification standard, organizations are free to select
and implement controls as they see fit.
Given the current trend of organizations moving toward ISO/IEC
27001 for information security management, there is a general consensus
among information security practitioners to revise the ITIL security
management best practices with the goal of strengthening the application
and logical security in the Information and Communication Technology
(ICT) infrastructure domain.
Essentially, the ITIL, ISO/IEC 20000, and ISO/IEC 27001/27002
frameworks help IT organizations internalize and respond to basic
questions such as:
To that end, they help you to respond to the question: how do I
ensure that my services are secure?
2. Security Management in the Cloud
After analyzing the management process disciplines across the ITIL and ISO
frameworks, we (the authors) identified the following relevant processes
as the recommended security management focus areas for securing services
in the cloud:
Availability management (ITIL)
Access control (ISO/IEC 27002, ITIL)
Vulnerability management (ISO/IEC 27002)
Patch management (ITIL)
Configuration management (ITIL)
Incident response (ISO/IEC 27002)
System use and access monitoring (ISO/IEC 27002)
Other ITIL management domains, such as problem management and service
continuity management, may be more relevant to your business in the
context of security management, but the focus of this chapter is limited
to the subset of domains with the highest impact on organizations in
managing security and operational risk.
In subsequent sections, we will discuss the security management processes
that are relevant to cloud services. We have also attempted to highlight
the current state of cloud service support for security management
processes in the context of the SPI delivery model and deployment models
(private, public, and hybrid). Clearly, this is an evolving area, and we
recommend that you periodically reexamine cloud service capabilities and
fine-tune your security management processes accordingly.
Table 1 highlights the relevance of the various security management
functions available to you for each of the SPI cloud delivery models in
the context of deployment models (private and public). As you can see
from the table, security management practice cuts across the delivery and
deployment models. These functions need to be factored into your cloud
security operations model.
Table 1. Relevant security management functions for SPI cloud delivery models in the context of deployment models (private, public)

Cloud deployment/SPI | Public clouds | Private clouds
---|---|---
Software-as-a-service (SaaS) | | The following functions are typically managed by your IT department or managed services:
Platform-as-a-service (PaaS) | The following are limited to customer applications deployed in PaaS (the CSP is responsible for the PaaS platform): |
Infrastructure-as-a-service (IaaS) | Availability management (virtual instances); access control (user and limited network); vulnerability management (operating system and applications); patch management (operating system and applications); configuration management (operating system and applications); incident response; monitoring system use and access (operating system and applications) |
Hence, organizations looking to augment the public cloud for certain
use cases can leverage and extend their internal security management
practices and processes developed for their internal private cloud
services.