In September 2012 we released the previous version of the CloudControls. After collecting external feedback on the control mechanisms and their definitions, a new version is now available.
The controls are based on a comprehensive list of 61 cloud-related risks. The list of risks is included in the framework. In addition to the risks, the framework contains a series of related questions that cloud customers can ask their providers.
This means the controls assume that the customer takes responsibility for its own cloud environments and for the connection to the cloud. Furthermore, the internal security policies and availability-enhancing measures of the cloud provider are not considered cloud-specific risks, because the same risks also occur in in-house IT organisations. A lack of information about the provider's security policies and the status of its infrastructure is, however, considered a cloud-specific risk.
Cloud Risk Based
The CloudControls are the measures needed to control the 61 identified risks. They consist of 39 controls addressing outsourcing risks and 5 controls addressing multi-tenancy risks. The CloudControls are designed to be implemented and audited alongside an established information security standard such as ISO/IEC 27002 (Information Security Management).
The sheet describing the CloudControls contains a mapping of the controls to the following security standards:
* The draft of the ISO/IEC 27017 (Cloud Security)
* CSA Cloud Controls Matrix
* The Dutch National Cyber Security Center – security measures for web applications
With the help of our partners, we have now also translated all the controls, risks and cloud customer questions into Dutch. This will help providers, customers and auditors in the Dutch market.
The next step will be to further improve the CloudControls and to invite more parties that would like to use or implement them. We will also use the CloudControls as input for international certification developments, like the efforts the International Organization for Standardization (ISO) is currently undertaking.