Security Reference Model
Security Concern in Cloud
• The cloud computing model breaks this barrier for multiple benefits.
• Resources are remotely accessed by consumers from outer network
domains.
• Cloud computing moves beyond the concept of working inside a
protected network boundary.
Cloud Security Working Groups
• Cloud Security Alliance
The Cloud Security Alliance (CSA) is an organization focused on the promotion of a secure cloud
computing environment.
It is a group of industry leaders who realized the need for establishing appropriate guidance for the
implementation and use of cloud computing.
• CSA categorizes cloud security related issues into fourteen different sections:
• Cloud Computing Architectural Framework
• Governance and Enterprise Risk Management
• Legal Issues: Contracts and Electronic Discovery
• Compliance and Audit Management
• Information Management and Data Security
• Interoperability and Portability
• Traditional Security, Business Continuity and Disaster Recovery
• Data Center Operations
• Incident Response
• Application Security
• Encryption and Key Management
• Identity, Entitlement and Access Management
• Virtualization
• Security-as-a-Service
Cloud Security Working Groups
• Encourage the development of a common level of understanding between cloud service providers and
service consumers regarding the necessary security requirements.
• Develop best practices related to cloud computing security by promoting independent
research in the field.
• Initiate educational programs to spread awareness about proper usage of the service.
• Generate a list of issues to be agreed upon for cloud security assurance.
Elements of Cloud Security Model
• Seven security issues should be analyzed while moving into the cloud.
• These seven issues can be considered the elements for designing a good security policy in computing.
• Cloud consumers must query the service providers regarding these issues and ensure
maximum protection and security.
1. Privileged user access
2. Regulatory Compliance
3. Data location
4. Data segregation
5. Recovery
6. Investigation support
7. Long-term viability
Privileged user access
• The ‘users’ here are the users at the provider’s end who manage the cloud.
• With cloud computing, sensitive enterprise data goes out, and consumers generally lose physical
control over the security of that data.
• Consumers must ask the provider for specific information regarding the people who manage
the cloud.
• The queries may include ‘how much access do they have over data’ or ‘how is their access
controlled’, and so on.
Regulatory Compliance
• Service providers may store and manage enterprise data in cloud computing, but enterprises
are ultimately responsible for the integrity and privacy of their own data.
• Consumers should opt for providers who have obtained security certification to prove their credentials
and who undergo regular audits by reputed external audit firms to check compliance.
• Consumers must not provide their sensitive data to service providers who refuse to undergo
such scrutiny.
Data location
• Data in the cloud is stored in the service providers’ data centers, which are spread over the globe.
• Consumers generally have no knowledge of where their data is being stored.
• They may not even know in which country or region their data is hosted.
Data segregation
• Cloud computing is generally a shared service. Storage in the cloud is also managed in a shared
environment, where data of multiple consumers is stored in the same place.
• This may pose a security threat. Providers must implement mechanisms to logically segregate the stored
data of different consumers.
• Encryption is one such technique, but providers must ensure that any such technique is
designed by experts and tested extensively.
• Otherwise, undesirable accidents may create problems.
Recovery
• Recovery of data in case of a disaster is another crucial issue.
• Cloud service providers must declare what will happen to the data in such cases and how long
it will take to recover the data and restore the services.
• For a complete restoration, the provider must maintain data and application infrastructure across
multiple sites.
Investigation support
• Investigation of inappropriate or illegal activity may be a difficult task in cloud computing.
• This is primarily because data is organized and stored across an ever-changing set of nodes.
• Co-location of stored data from multiple consumers is another problem in conducting the
investigation.
• Consumers must ask for contractual commitment from the providers for support in some
particular types of investigation if required.
• Consumers must also check whether the concerned vendor has supported such activities in
previous instances or not.
Long-term viability
• Ideally, no reputed cloud service provider will shut down its business or be acquired by some larger vendor.
• If such a thing happens, the question will be raised about the consumers’ data:
will it remain available?
• Consumers must enquire in detail what will happen in such a situation.
Conclusion
• Satisfactory outcomes of the analysis of these issues indicate a secure cloud computing
environment.
• The expertise and qualifications of the cloud designer, developer, policy maker and administrator are
subjects of these reviews.
• Aware consumers must ensure all of these activities while moving into the cloud.
• Adopting the services of reputed vendors may eliminate these concerns to a great extent.
Cloud Security Reference Model
• The cloud computing community and many organizations working in the field of network security
worked for years to develop a model to address cloud security.
• Many of these organizations, unofficial groups and researchers proposed different models for
the purpose.
• The Cloud Cube Model: its purpose was to provide a basis for the standardization of secure
cloud computing.
• The model was originally created to address the issue of network de-perimeterization, which was
causing the erosion of network security boundaries among collaborating from the beginning of the
current century.
• The model suggests that consumers should not measure cloud security only from the
narrow perspective of ‘internal’ or ‘external’ systems.
• The cloud cube model illustrates the different permutations available in cloud offerings and presents
four criteria to differentiate the various types of cloud formations.
• Primary objective: the cloud cube contributes much to understanding the security
perspective of any cloud formation.
• The primary objectives behind building the cloud cube model can be listed as follows:
• To represent the different formations of clouds.
• To highlight the key characteristics of each cloud formation.
• To represent the benefits and risks associated with each form of cloud.
• To emphasize that the traditional non-cloud approach is not totally obsolete and may sometimes be a
suitable choice for operating particular business functions.
• To present a roadmap for more detailed study and to make the environment more secure.
The four criteria
• The cloud cube model is designed to represent four security criteria:
• Will data be stored internally, within the physical boundary of the organization, or at some
external location?
• Will the cloud be formed using the proprietary technology (technology that is the property of someone)
of some computing firm, or using open technology that is open to everyone for use? Note
that here ‘technology’ means ‘cloud technology’ or the operating standard of the cloud.
• Will the cloud operate only within the organization’s network boundary (the logical security
perimeter), or outside the boundary as well?
• Will the development and maintenance of the cloud service be outsourced to some third party or
done by an in-house team?
