Cloudcontrols.org is still a pilot project at this point; it aims to find out whether it is possible to develop a comprehensive quality standard for infrastructure as a service (IaaS) providers. It was started by a small group of cloud providers, cloud users and consultants in February 2011. We are currently defining risks and controls, and if we are able to develop a consistent framework we will invite industry professionals to comment on it. In addition, we will seek to implement the controls in a number of trial situations.
We believe a serious standard for cloud providers is necessary for the cloud to become a real alternative to owning or renting single-tenant infrastructure. Software developers are getting increasingly comfortable running their key processes in the cloud, but they have the advantage that they can mitigate many of the risks by adapting the structure of their software. Other companies, however, have serious reservations about outsourcing their primary processes to the cloud. They feel they lose significant control, and do not know what risks they are taking or what is being done to control them.
The current IT standards cannot be used to provide comfort in this situation, as they miss most of the outsourcing- and multitenancy-related risks. A number of organisations are currently developing or adapting standards specifically for cloud services. Progress on these activities has been slow, however, and a comprehensive cloud-based standard does not seem close to emerging. One important reason for this is that government involvement seems to be lacking, especially in Europe. Another reason could be that most cloud providers seem to take a wait-and-see approach at the moment. Both could be caused by the relative youth of the industry and the rapid changes that still occur.
In order to get companies comfortable outsourcing key processes to the cloud, achieving a standard for the Infrastructure as a Service (IaaS) level seems a logical first step. For the purposes of this project we will assume the customer takes responsibility for all the software inside the environment as well as for the connection to the cloud.
It should be possible to use the new cloud-related controls in combination with existing standards that address the internal IT organisation of a cloud provider, for example the Payment Card Industry DSS standard, ISO 27001/ISO 27002 or FedRAMP. This means the cloud-specific part of the cloudcontrols framework can be used as an addition to an existing standard, which might save a significant amount of work in implementing the framework.
All measures documented in this standard will be compiled with auditing aspects in mind, and each listed control will be implementable as an auditable control under SAS 70 or ISAE 3402.
Anyone is free to use the information on this site for their own purposes. We also invite interested parties to contribute and comment.
After receiving feedback from KPMG IT Advisory, we have recently launched the revised version 1.1 of the risk list. The next step will be the publication of the first version of the controls.
- July – August 2011: Release the first draft of the risk list
- June – December: Assemble controls and compliance standards
- December 2011: Release the first draft of the controls
- January – August 2012: Fine-tuning the controls with industry professionals
- August 2012 – December 2012: Test implementations
- January 2013 – February 2013: Test audits
Our approach to creating the cloud controls is detailed below.
1. Defining risks
The first step is to define all the different risks involved with outsourcing to the cloud. We used the ENISA definitions as a starting point and subsequently added items.
The fact that we are only looking at IaaS helps to limit the number of risks involved. Within IaaS, however, we do aim to be completely comprehensive. This means, for example, that we assume a multitenant situation.
The 142 risks that resulted from this process can be classified into 6 types: 3 normal risk categories related to a traditional IT operation and 3 additional risk categories specifically related to outsourcing to a virtualised, multi-tenant infrastructure.
Traditional IT operation risks:
- Infrastructure risks (34)
- Security risks (44)
- Legal risks (6)
Multi-tenant cloud-related risks:
- Virtualisation risks (3)
- Specific outsourcing risks (45)
- Specific multitenant risks (10)
2. Defining controls
Next we need to define the controls: auditable measures that can control all the risks defined in step one.
First we defined all processes a cloud provider will have to implement in order to run its service. Within every one of these cloud processes multiple controls were defined until all the risks defined in step one were covered.
We are currently finalising the list of controls; they will be divided into traditional IT controls and cloud-related controls. The traditional IT controls will be mapped to existing standards.
3. Selecting controls for trial implementation
When we have the complete list of controls, we will decide which of the traditional IT controls to implement in our first implementation trials. We will include all the cloud-related controls, but might implement an existing standard to cover only a part of the traditional IT controls.
4. Control Measures
All the controls we choose to implement imply specific measures that need to be taken: documents that have to be created and kept up to date, procedures that have to be implemented, or changes that have to be made to the IT infrastructure. Properly implementing all of these control measures means the service organisation is compliant with the cloud controls.
5. Test Audit
When the framework has been implemented in a trial situation, the first test audit will be carried out.