Enhancing cloud security standards. Have you ever taken a closer look into cloud security standards?
So I did, but that slide is too close; you cannot see anything. So what do I know, and what did I do?
I mean, with cloud security standards, here are some prominent examples. There's the C5 from the German government. There's the CCM from the Cloud Security Alliance. There's the ISO standard, and there's the guidance from the Information Security Forum. All these standards are made by experts, and these experts have an intention; they created these standards for a specific purpose. So let's take a look at the intentions or the expectations first, because these standards may differ.
They can be different because of the different expectations or purposes they are made for. First of all, these standards can provide a minimal set of requirements,
on the one hand, as you see it on the left, or a comprehensive specification. They can provide general advice on the management level or very technical implementation guidance. They can be a recommendation on the one hand, or provide obligations which need to be observed. But also the usage may differ.
They can simply have the purpose of getting certified, of getting a certificate that everything is okay with IT security, or on the other hand they can provide actionable advice to make the cloud service secure. But also the target group may differ: are these standards primarily addressing the cloud service providers, and here maybe the architects or even the engineers on the technical level, or are they made for user organizations, also called cloud service customers?
There are several options. But also regarding the cloud computing services themselves it's not very clear, because it could be general advice for a typical cloud computing service, whatever that means, or it can be very specific and allow differentiating between the different offerings in terms of IT security and risks. So in the following I will put myself in the position of a user organization, a representative of a user organization, or a cloud service customer.
And I will ask myself: will I get from these cloud security standards all the information which I require for my business to take decisions, and will I get all the information which allows me to differentiate between the different offerings from different organizations?
Okay. So let's take a closer look and analyze in a little bit more detail whether the current security standards provide these details which I require as a user organization.
How do these standards differentiate between the different offerings? There are two dimensions, which you all know and have heard about: the deployment model and the service model. And I will take these examples. So first, the deployment models.
So the private cloud, the virtual private cloud, public clouds, community clouds: these are different deployment models. However, in the standards I saw and displayed on the previous slides, they are not actually considered; they are not even mentioned in most cases. Nevertheless, there are differences which relate to IT security and risk.
For instance, the location where the cloud computing service is being produced could relate to compliance issues. The trustworthiness of the other users being on the shared system next to me, as a user organization, on the same instance may affect the risk profile.
But also these types of implementations result in differences in accessibility and connectivity, and the system's construction may be different. And that may result in differences in the integration into my user organization's environment.
So there are a lot of differences regarding the deployment model. So the deployment model does matter when it comes to IT security and risk.
Second, let's take a look at the service model, which is by the way more critical. So, service model: you all know these as infrastructure as a service, platform as a service, software as a service, and primarily it's about which party is doing what. So let's say the service model is about responsibilities. On the slide you see the IT stack in the middle, and on the right hand side you see the three service models: infrastructure as a service, platform as a service and software as a service.
And it's primarily about who is responsible for that.
Is it the user organization providing the application, or is it the IT service provider, the cloud service provider, doing this? So this is the major difference between these service models. But on the left hand side there were monitoring services and management services from the old style. So that old school view shows that there is much more than these constituents of the IT stack; it is about activities and IT service management. So there are more differences than these. It's about the elements in the stack, but it's also about the parties, who is doing what, and two parties is only one example.
It could be three or even more parties being involved in this business. But more important, it's about the practices, the tasks. So who is doing the initial provisioning, the configuration things? These are just examples. And also during operations there are a lot of practices, IT service management activities, and here, for instance, monitoring, all the management activities: who is doing what.
So when we talk only about IaaS, PaaS and SaaS, it's not that simple. The service model is more complex. Let's take a look at this. Going back 20 years, we had a very simple situation.
At that point it was called IT outsourcing. We had the cloud service provider, or IT service provider, on the one hand and the user organization on the other. And it was very simple, because the IT service provider, that's number one here on the slide, provided the IT components and the core service.
Secondly, he also integrated this and configured everything according to the security standards. Then it was operated, that's number three, and number four, also during operations, it was fully managed by the service provider. And what was the task of the user organization? Just defining requirements and then utilizing the service. Especially with new cloud services, especially with public cloud services, that became different.
So the cloud service provider did number one, of course: all of the technology, or most of the technology, comes from the cloud service provider.
And also this is operated. But in the self-service environments, the integration and configuration is left to the user organization. Also, many service management activities like monitoring and incident management are not being covered by the contract with the cloud service provider. The user organization has to take care of this, do it within its own IT department or use a second IT service provider. This is, by the way, called the shared responsibility model: these are shared between the yellow side and this blue or green side on the other.
So the provider and the user organization, and maybe some other parties being involved. Okay, of course these cloud security standards are aware of this. That's clear. And here you see some examples. When you look into these standards you see details about the shared responsibility model, but there's not much detail.
And the reason is very easy to understand: there are a lot of options, and all these options cannot be explained in this one standard. But what about on-demand cloud? Just click on start. First of all, the user organizations have to, yeah,
investigate and develop a concept for that. That's maybe not the best situation if I were a user organization. Okay. So obviously cloud security standards cannot specify all the details of all possible cloud computing services, because there is a variety and they differ. They differ in terms of the deployment models, but moreover they differ in terms of the actual service model, not only covering the responsibility for IT components, but also all the security issues in the IT service management area.
So what does it mean? The user organization must live with the lack of information and start with investigations first before really using cloud computing services?
Okay. Where are we? So the current findings: user organizations need to know the activities they are still responsible for: if monitoring is part of the contract, if incident management is, and what kind of activities are being covered by the service. And cloud services have a lot of options, so they differ a lot with respect to IT security and compliance risk profiles. So it does matter for the user organization.
They also have to be prepared to take over these activities. And of course IT security and compliance risks are crucial features, which may be very interesting to know when taking purchasing decisions, but cloud security standards do not provide enough detail to differentiate this. But there's a solution. If these cloud security standards cannot define every detail, that doesn't mean that this information does not exist, because our proposal is that cloud security standards should require the provider to deliver this information.
Okay. And how does it work?
So first, what we are proposing the standards to do or comprise: the standards should require that so-called patterns, or descriptions, are being provided for each and every cloud computing service; a specific description should be delivered. So that's a requirement in the standard.
Second, if a cloud service provider wants to meet this cloud security standard, then he must deliver this description, these patterns. I will describe in a minute why I call this a pattern. For each cloud service there will be a description, which I call the pattern, and these patterns should be in a way that user organizations, and that's number three, can read them and understand the IT security features and the risk profile of the specific cloud computing service. They also understand the division of labor.
So they know what the cloud computing provider is providing and what tasks remain with the user organization, so that they can prepare for them.
So that's the idea. The standards are not specifying everything in detail, but they are requiring that the provider provides this material as a description. But that's not enough, because then you may have to read 85 pages for each cloud computing service, and it's not easy to compare. That's why proposal number two says the standards should do something more.
Secondly, they define the structure and rules for delivering this information, which I call the patterns. And this description, which describes the specifics and characterizes the cloud computing service, should exactly specify what I explained at the very beginning. So for instance, it should define the deployment model; I call this the deployment model pattern. How is the cloud service provided, and for whom? What does it mean?
And secondly, and more important, the service model: who is responsible for what, and not only relating to the IT components, but also the IT service management activities and all the IT security aspects relating to that.
That should be defined in a structure. Finally, and this is the reason why I call this a pattern, this description needs to be very short, very to the point and very precise in order to allow the user organizations to compare these things.
So there are different offerings from one service provider, and different offerings throughout the market. If they are very to the point, very short and very precise, structured in a defined way and providing defined information, it's easy to compare them, take a purchasing decision and prepare for performing the activities left to the user organization. Okay, that's the proposal. Let's take a look at, yeah,
an example of how this could look. This is a keynote, so I cannot go into much detail, but here are our examples of how these service model patterns could look. So keep in mind:
the standard says, okay, you have to provide the patterns, and it should also say what they should inform about. Let's take a look at the left hand side. That's about the components. And you see at the bottom of the slide we have two options: these components could be managed either by the user organization or by the cloud service provider.
Managed can be detailed further; I will leave this in the general sense. And it lists all the components: virtual machines, for instance, container instances, hypervisors, runtime orchestration for containerized infrastructures, databases, storage accounts, whatever, the network configuration and so on. So it defines that the virtual machines are managed by the user organization, or things like that. The result is a pattern, and the standard provides the structure and the rules for it.
And also, on the right hand side, about the activities, which are more important because that's not very clear, and there are a lot of options being provided. So who is responsible, again, for the privileged identity management, for the key management, for the inventory, costing, for the backup and recovery (very important in the area of public cloud services), configuration, hardening, security reporting, monitoring. There are a lot of activities.
They can be done either by the user organization or by the cloud service provider, or shared, so that we have to specify in detail how the interaction works. Okay. Let's summarize. Especially user organizations require detailed information because they are taking the risks in their business. So they need to know things about IT security and compliance; they need to understand this and have information about it. They also need this to take a purchase decision.
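To make the service model pattern described above concrete, here is an added example that is not part of the talk: a small machine-readable pattern with the two sections the speaker names (components managed by provider or user; activities done by provider, user or shared), a rule check against a fixed vocabulary, the list of activities a user organization must prepare for, and a comparison of two offerings. The vocabulary, the field names and both sample services are constructed assumptions.

```python
# Added example (not from the talk): a machine-readable form of the proposed
# service-model pattern; the vocabulary and both sample services are constructed.

# Vocabulary the standard would fix in its glossary/taxonomy (assumed lists).
PARTIES = {"provider", "user", "shared"}
ACTIVITIES = ("privileged identity management", "key management", "inventory",
              "backup and recovery", "configuration", "hardening",
              "security reporting", "monitoring", "incident management")
COMPONENTS = ("virtual machines", "container runtime", "hypervisor",
              "database", "storage", "network configuration")

# Two constructed patterns: a managed database offering and a bare VM offering.
MANAGED_DB = {
    "service": "managed-db (constructed)", "deployment": "public",
    "components": {"virtual machines": "provider", "container runtime": "provider",
                   "hypervisor": "provider", "database": "provider",
                   "storage": "provider", "network configuration": "user"},
    "activities": {"privileged identity management": "user", "key management": "shared",
                   "inventory": "user", "backup and recovery": "provider",
                   "configuration": "shared", "hardening": "provider",
                   "security reporting": "provider", "monitoring": "shared",
                   "incident management": "shared"},
}
PLAIN_VM = {
    "service": "plain-vm (constructed)", "deployment": "public",
    "components": {c: "provider" if c == "hypervisor" else "user" for c in COMPONENTS},
    "activities": {a: "user" for a in ACTIVITIES},
}

def validate(pattern):
    """Rule check: every item of the vocabulary is assigned to a known party."""
    errors = []
    for section, required in (("components", COMPONENTS), ("activities", ACTIVITIES)):
        entries = pattern.get(section, {})
        for name in required:
            if name not in entries:
                errors.append(f"{section}: '{name}' not specified")
            elif entries[name] not in PARTIES:
                errors.append(f"{section}: '{name}' assigned to unknown party '{entries[name]}'")
    return errors

def user_must_prepare_for(pattern):
    """Activities the user organization has to staff, fully or as its share."""
    return sorted(a for a, p in pattern["activities"].items() if p in ("user", "shared"))

def differences(a, b):
    """Items whose responsibility differs between two offerings (for comparison)."""
    return {name: (a[s].get(name), b[s].get(name))
            for s in ("components", "activities")
            for name in set(a[s]) | set(b[s]) if a[s].get(name) != b[s].get(name)}
```

A pattern that leaves an activity out, or assigns it to a party outside the glossary, fails validate(), which is the comparability rule the talk asks the standard to enforce.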
They have to know this to prepare to perform the activities they are still responsible for, and they have to pass audits, inform their stakeholders and a lot more. So what we are proposing here is that the cloud standards are required to deliver user guidance. The standards shall require delivering these patterns, more specifically in a structured way, in a semi-formal language, I would say. And for this we should define a glossary; we need to define things, bring in a taxonomy and everything, and this user guidance needs to be, yeah,
open to the user organization. So if you take away two things from this session: first, these standards should require the provider to provide user guidance to user organizations, and second, the standards should also define a structure and rules for this to ensure comparability.
So here you see some references. And with that, I thank you for your attention.