On the 6th of September 2012, we released the first version of the cloud controls to the public. These controls need to be implemented by the cloud provider, and they cover the risks related to using the shared infrastructure of an IaaS provider. The controls also assume that the customer takes responsibility for the cloud environments and the connection to the cloud.
The controls are structured as an addition to ISO/IEC 27002 (Information Security Management), which is assumed to cover the internal security of the cloud provider. An additional 7 controls are defined that cover the availability of the cloud services.
What remains are the cloud controls related to outsourcing risk (38 controls) and the controls related to multi-tenancy risk (5 controls).
The sheet contains a mapping from the ISO/IEC 27002 controls, the availability controls and the cloud controls to the following security standards:
* The draft of ISO/IEC 27017 (Cloud Security)
* CSA Cloud Controls Matrix
* The Dutch National Cyber Security Center – security measures for web applications
The next step will be the publication of the risks and the questions that IaaS buyers should ask potential suppliers. We will also start test implementations and prepare an audit based on the controls. We welcome any feedback on the cloud controls.