Cloudcontrols.org – Cloud assurance compliance | Building trust in the cloud

New release CloudControls – Dutch Version Available

Written on: June 7, 2013

In September 2012 we released the previous version of the CloudControls. After receiving external feedback on the control mechanisms and definitions, a new version is now available.

The controls are based on a comprehensive list of 61 cloud-related risks. This list of risks is also included in the framework. In addition to the risks, the framework contains a series of related questions that cloud customers can ask their providers.

The controls assume that the customer takes responsibility for the cloud environments and for the connection to the cloud. Furthermore, the internal security policies and availability-enhancing measures of the cloud provider are not considered cloud-specific risks, because these risks also occur within in-house IT organisations. A lack of information regarding the security policies and the status of the infrastructure is, however, considered a cloud-specific risk.

Cloud Risk Based

The CloudControls are the measures needed to control the 61 identified risks. They consist of 39 controls related to the outsourcing risks and 5 controls related to the multi-tenancy risks. The CloudControls are designed to be implemented and audited alongside a security certification such as ISO/IEC 27002 (Information Security Management).

The sheet describing the CloudControls contains a mapping of the controls to the following security standards:
* The draft of the ISO/IEC 27017 (Cloud Security)
* CSA Cloud Controls Matrix
* The Dutch National Cyber Security Center – security measures for web applications

With the help of our partners we have now also translated all the controls, risks and cloud customer questions into Dutch. This will help providers, customers and auditors in the local market.

Next Steps

The next step will be to further improve the CloudControls and to invite more parties that would like to use or implement them. We will also use the CloudControls as input for international certification developments, such as the efforts the International Organization for Standardization (ISO) is currently undertaking.

Links:
* Cloud Control Framework (Controls, Risks and Customer Questions) – English (XLSX)
* Cloud Control Framework (Controls, Risks and Customer Questions) – Dutch (XLSX)

Cloud Computing Under Control

Written on: February 26, 2013

Aimed at IT and cloud providers (whether internal or external) wanting to get their cloud propositions under control, Michiel Steltman and Peter HJ van Eijk are organizing an afternoon session titled “Cloud Computing under control”. The session will be delivered in Dutch in Utrecht, Netherlands. Multiple frameworks will be discussed, including the CloudControls.

Most cloud providers and online companies still see governance, risk management and compliance (GRC) as a cumbersome and expensive burden. However, GRC must be seen and organized as a means towards business value. This turns it into a selling proposition and the basis for efficient operational management.

For more information (in Dutch) about the event and a free whitepaper on “scalable cloud compliance in the perception of customers” go to http://www.cloudcomputingondercontrole.nl

First Cloud Provider Completes CloudControls Audit

Written on: February 25, 2013

The Dutch cloud provider CloudVPS has become the first cloud provider to complete an audit of the CloudControls. CloudVPS has implemented the CloudControls alongside the ISO 27001 control set. This means (potential) customers know that security risks are covered by the ISO 27001 controls, while outsourcing and multi-tenancy risks are covered by the 43 CloudControls. On top of this, CloudVPS implemented another 9 controls related to availability.

Risk management firm DNV was the auditor and sent a positive recommendation to UKAS after the stage two audit two weeks ago. Positive feedback from UKAS is expected during March of this year.

Cloudcontrols publishes complementary question list: questions to ask your cloud provider

Written on: November 2, 2012

In an ongoing effort to make the Cloudcontrols easier to implement, a question list has been compiled based on the risk lists published earlier. Potential customers of cloud services can use this list to validate the cloud provider’s level of security against the customer’s own security profile and risk appetite. The question list is currently available in English and Dutch. Read more on the Question list.

Cloudcontrols Framework released (version 1.0)

Written on: September 6, 2012

Today we have released the next version of the cloud controls. These controls need to be implemented by the cloud provider and cover the risks related to using the shared infrastructure of an IaaS provider. The controls also assume that the customer takes responsibility for the cloud environments and the connection to the cloud.

The controls are structured as an addition to ISO/IEC 27002 (Information Security Management), which is assumed to cover the internal security of the cloud provider. An additional 7 controls are defined that cover the availability of the cloud services.

What remains are the cloud controls related to the outsourcing risks (38 controls) and the controls related to multi-tenancy risks (5 controls). You can download the sheet with all the controls here.

The sheet contains a mapping from the ISO/IEC 27002 controls, the availability controls and the cloud controls to the following security standards:
* The draft of the ISO/IEC 27017 (Cloud Security)
* CSA Cloud Controls Matrix
* The Dutch National Cyber Security Center – security measures for web applications

The next step will be the publication of risks and questions that IaaS buyers should ask potential suppliers. We will also start test implementations and prepare an audit based on the controls. We also welcome any feedback on the cloud controls.

Download Cloudcontrols framework version 1.0.xlsx


New ENISA advisory: Data collection and storage in the EU

Written on: June 6, 2012

In this field study of the current state of data collection and storage within the EU, an extensive introduction to the subject of data collection is given and minimal-disclosure principles are shared. Using case studies from social networking, the transportation sector and the telecommunications sector, the disclosure principles are explained and mapped to the current level of privacy protection. In contrast to the US market, EU companies are required to operate on the basis that the least possible amount of personally identifiable information (PII) is collected. The study also compares the EU regulations to the Canadian and Australian privacy regulations. The study provides two major insights which cloud service providers often overlook: 1) data anonymisation and the possibility of re-identification, and 2) the right to be forgotten. Ending with recommendations aimed at EU legislators, this report gives a jumpstart into understanding the current state of privacy in Europe. The full report is available at ENISA.

CSA’s Cloud Security Guidance updated to V3

Written on: December 9, 2011

Leaning even more than before on the industry-accepted cloud definitions presented by NIST, CSA has updated its security guidance document and has added a new domain on the subject of “Security as a Service”. With this document, CSA re-affirms its position as the most important platform for cloud suppliers and cloud vendors.

The “Cloud Security Guidance V3” can be downloaded from the CSA website.

Cloud infrastructure risk list updated with 25 new risks

Written on: November 11, 2011

After a review by KPMG we have published an updated list of IT infrastructure risks. This list contains dedicated subsections for outsourcing-, multi-tenancy- and virtualisation-related risks.

Version 1.1 of our risk list contains 25 new risks. We would like to thank Mike Chung of KPMG’s IT Advisory department for his contribution to the framework. The risk list is available at http://www.cloudcontrols.org/cloudcontrols/risks/ and is also downloadable in Excel format: Cloudcontrols-2011-11-04-Risk-list-v1.1.xlsx

The next step will be the publication of the controls that can be used to counter the risks specified in the risk list.

NIST releases final Cloud definition (SP800-145)

Written on: November 4, 2011

NIST has released its final definition of cloud computing. Even though all standardization bodies and the majority of enterprises have already adopted this definition, it is good to see more attention drawn to it. As the cloud computing market grows, existing cloud deployment models are being altered in attempts to create new markets. NIST again manages to stabilize the market of cloud definitions by re-stating the definition as it sees cloud: SaaS/PaaS/IaaS services in private/public/hybrid/community deployments with the 5 essential characteristics.

NIST SP800-145 is available on NIST’s website: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

NIST releases Cloud computing reference architecture

Written on: September 18, 2011

Already a key player in defining the cloud computing taxonomy, the National Institute of Standards and Technology has now released an extensive overview of cloud computing architecture: SP500-292, “Cloud computing reference architecture”. In an industry dominated by hardware vendors pushing their own cloud interpretations, NIST provides examples of cloud computing implementations and deployment models through easy-to-understand diagrams. A milestone has been reached in defining the true cloud.

Read more on SP500-292, “Cloud computing reference architecture”