A Comparative Review of Cloud Security Proposals with ISO/IEC 27002

Oscar Rebollo, Daniel Mellado, Eduardo Fernández-Medina

Abstract

Information Security is considered one of the main reasons why users are reluctant to adopt the new generation of services offered by cloud computing providers. In order to minimize risks, some security proposals have been developed, with the purpose of facing a wide range of security concerns. This paper reviews these existing approaches and defines a security comparative framework, based on ISO/IEC 27002, suitable for the cloud environment. The analysis process of these alternatives shows a partial compliance with the defined requirements as each one is focused on different issues. As a consequence, more investigation is needed to achieve a comprehensive cloud security framework. The results of this paper highlight the gaps and weaknesses of each proposal, so that directions are settled for future work.

References

  1. Gartner: Gartner's Hype Cycle Special Report for 2010. (2010)
  2. McKinsey: Clearing the air on cloud computing. (2009)
  3. Chen, Y., Paxson, V., Katz, R. H.: What's New About Cloud Computing Security? , University of California, Berkeley (2010)
  4. Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., Zaharia, M.: Above the Clouds: A Berkeley view of Cloud Computing. University of California, Berkeley (2009)
  5. Qian, L., Luo, Z., Du, Y., Guo, L.: Cloud Computing: An Overview. Proceedings of the 1st International Conference on Cloud Computing 626-631 (2009)
  6. Vaquero, L. M., Rodero-Merino, L., Caceres, J., Lindner, M.: A Break in the Clouds: Towards a Cloud Definition. SIGCOMM Computer Communication Review 39, 50-55 (2009)
  7. Mell, P., Grance, T.: The NIST Definition of Cloud Computing v15. National Institute of Standards and Technology (NIST) (2009)
  8. IDC: IDC IT Cloud Services Survey: Top Benefits and Challenges. (2009)
  9. Jericho Forum: Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration. (2009)
  10. Cloud Security Alliance: Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. (2009)
  11. Cloud Computing Use Case Discussion Group: Cloud Computing Use Cases White Paper v4.0, http://cloudusecases.org/. (2010)
  12. Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications 34, 1-11 (2011)
  13. Sloan, K.: Security in a virtualised world. Network Security 15-18 (2009)
  14. Sriram, I., Khajeh-Hosseini, A.: Research Agenda in Cloud Technologies. 1st ACM Symposium on Cloud Computing (2010)
  15. Zissis, D., Lekkas, D.: Addressing cloud computing security issues. Future Generation Computer Systems In Press, Corrected Proof, (2011)
  16. Yildiz, M., Abawajy, J., Ercan, T., Bernoth, A.: A Layered Security Approach for Cloud Computing Infrastructure. Proceedings of the 10th International Symposium on Pervasive Systems, Algorithms, and Networks 763-767 (2009)
  17. Catteddu, D., Hogben, G.: Cloud Computing Security Risk Assessment. European Network and Information Security Agency (ENISA) (2009)
  18. Catteddu, D., Hogben, G.: Cloud Computing Information Assurance Framework. European Network and Information Security Agency (ENISA) (2009)
  19. ISACA: Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives. (2009)
  20. ISACA: Cloud Computing Management Audit/Assurance Program (2010)
  21. Jericho Forum: Collaboration Oriented Architecture, http://www.opengroup.org/jericho/ publications.htm. (2008)
  22. Cloud Security Alliance: Governance, Risk Management and Compliance Stack, http://www.cloudsecurityalliance.org/grcstack.html. (2010)
  23. Kandukuri, B. R., V, R. P., Rakshit, A.: Cloud Security Issues. Proceedings of the 2009 IEEE International Conference on Services Computing 517-520 (2009)
  24. Mather, T., Kumaraswamy, S., Latif, S.: Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly (2009)
  25. Open Security Architecture: Cloud Computing Pattern, http://www.opensecurityarchitecture.org/cms/library/patternlandscape/251-pattern-cloudcomputing. (2008)
  26. Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., Molina, J.: Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control. Proceedings of the ACM Workshop on Cloud Computing Security 85-90 (2009)
  27. Mell, P., Grance, T.: Effectively and Securely Using the Cloud Computing Paradigm v26. National Institute of Standards and Technology (NIST) (2009)
  28. ISO/IEC: ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management. (2007)
  29. Ahmad, R., Janczewski, L.: Triangulation theory: An approach to mitigate Governance risks in Clouds. 2nd IEEE International Conference on Cloud Computing Technology and Science (2010)
Download


Paper Citation


in Harvard Style

Rebollo O., Mellado D. and Fernández-Medina E. (2011). A Comparative Review of Cloud Security Proposals with ISO/IEC 27002 . In Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011) ISBN 978-989-8425-61-4, pages 3-12. DOI: 10.5220/0003546900030012


in Bibtex Style

@conference{wosis11,
author={Oscar Rebollo and Daniel Mellado and Eduardo Fernández-Medina},
title={A Comparative Review of Cloud Security Proposals with ISO/IEC 27002},
booktitle={Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011)},
year={2011},
pages={3-12},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003546900030012},
isbn={978-989-8425-61-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011)
TI - A Comparative Review of Cloud Security Proposals with ISO/IEC 27002
SN - 978-989-8425-61-4
AU - Rebollo O.
AU - Mellado D.
AU - Fernández-Medina E.
PY - 2011
SP - 3
EP - 12
DO - 10.5220/0003546900030012