Remerciez-le!

Remerciez @Admin pour avoir partagé cet document gratuitement, de la manière la plus simple, en partageant sur les réseaux sociaux.

Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 Prepared

Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 Prepared by the Cloud Security Alliance December 2009 Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 Copyright © 2009 Cloud Security Alliance 2 Introduction The guidance provided herein is the second version of the Cloud Security Alliance document, “Security Guidance for Critical Areas of Focus in Cloud Computing”, which was originally released in April 2009. The permanent archive locations for these documents are: http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf (this document) http://www.cloudsecurityalliance.org/guidance/csaguide.v1.0.pdf (version 1 guidance) In a departure from the first version of our guidance, a decision was made to separate the key guidance from the core domain research. Each domain’s core research is being released as its own white paper. These white papers and their release schedule are located at: http://www.cloudsecurityalliance.org/guidance/domains/ In another change from the first version, Domain 3: Legal and Domain 4: Electronic Discovery were combined into a single domain. Additionally, Domain 6: Information Lifecycle Management and Domain 14: Storage were combined into a single domain, renamed Data Lifecycle Management. This has caused a renumbering of our (now 13) domains. © 2009 Cloud Security Alliance. All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance Guidance at www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Guidance Version 2.1 (2009). Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 Copyright © 2009 Cloud Security Alliance 3 Table of Contents Introduction....................................................................................................................... 2 Foreword............................................................................................................................ 4 Letter from the Editors .................................................................................................... 7 An Editorial Note on Risk................................................................................................ 9 Section I. Cloud Architecture ........................................................................................ 12 Domain 1: Cloud Computing Architectural Framework .............................................. 13 Section II. Governing in the Cloud................................................................................ 30 Domain 2: Governance and Enterprise Risk Management........................................... 31 Domain 3: Legal and Electronic Discovery.................................................................. 35 Domain 4: Compliance and Audit ................................................................................ 37 Domain 5: Information Lifecycle Management ........................................................... 40 Domain 6: Portability and Interoperability................................................................... 46 Section III. Operating in the Cloud............................................................................... 49 Domain 7: Traditional Security, Business Continuity, and Disaster Recovery............ 50 Domain 8: Data Center Operations............................................................................... 52 Domain 9: Incident Response, Notification, and Remediation .................................... 54 Domain 10: Application Security ................................................................................. 57 Domain 11: Encryption and Key Management ............................................................ 60 Domain 12: Identity and Access Management............................................................. 63 Domain 13: Virtualization ............................................................................................ 68 References........................................................................................................................ 70 Copyright © 2009 Cloud Security Alliance 4 Foreword Welcome to the second version of the Cloud Security Alliance’s “Security Guidance for Critical Areas of Focus in Cloud Computing”. As the march of Cloud Computing continues, it brings both new opportunities and new security challenges. We humbly hope to provide you with both guidance and inspiration to support your business needs while managing new risks. While the Cloud Security Alliance might be best known for this guidance, over the course of the next several months you will see a wide range of activities, including international chapters, partnerships, new research, and conference activities geared towards furthering our mission. You can follow our activities at www.cloudsecurityalliance.org. The path to secure cloud computing is surely a long one, requiring the participation of a broad set of stakeholders on a global basis. However, we should happily recognize the progress we are seeing: new cloud security solutions are regularly appearing, enterprises are using our guidance to engage with cloud providers, and a healthy public dialogue over compliance and trust issues has erupted around the world. The most important victory we have achieved is that security professionals are vigorously engaged in securing the future, rather than simply protecting the present. Please stay engaged on this topic, and continue to work with us to complete this important mission. Best Regards, Jerry Archer Alan Boehme Dave Cullinane Paul Kurtz Nils Puhlmann Jim Reavis The Cloud Security Alliance Board of Directors Copyright © 2009 Cloud Security Alliance 5 Acknowledgments Editors Glenn Brunette Rich Mogull Contributors Adrian Seccombe Alex Hutton Alexander Meisel Alexander Windel Anish Mohammed Anthony Licciardi Anton Chuvakin Aradhna Chetal Arthur J. Hedge III Beau Monday Beth Cohen Bikram Barman Brian O’Higgins Carlo Espiritu Christofer Hoff Colin Watson David Jackson David Lingenfelter David Mortman David Sherry David Tyson Dennis Hurst Don Blumenthal Dov Yoran Erick Dahan Erik Peterson Ernie Hayden Francoise Gilbert Geir Arild Engh-Hellesvik Georg Hess Gerhard Eschelbeck Girish Bhat Glenn Brunette Greg Kane Greg Tipps Hadass Harel James Tiller Jean Pawluk Jeff Reich Jeff Spivey Jeffrey Ritter Jens Laundrup Jesus Luna Garcia Jim Arlen Jim Hietala Joe Cupano Joe McDonald Joe Stein Joe Wallace Joel Weise John Arnold Jon Callas Joseph Stein Justin Foster Kathleen Lossau Karen Worstell Lee Newcombe Luis Morales M S Prasad Michael Johnson Michael Reiter Michael Sutton Mike Kavis Nadeem Bukhari Pam Fusco Patrick Sullivan Peter Gregory Peter McLaughlin Philip Cox Ralph Broom Randolph Barr Rich Mogull Richard Austin Richard Zhao Sarabjeet Chugh Scott Giordano Scott Matsumoto Scott Morrison Sean Catlett Sergio Loureiro Copyright © 2009 Cloud Security Alliance 6 Shail Khiyara Shawn Chaput Sitaraman Lakshminarayanan Srijith K. Nair Subra Kumaraswamy Tajeshwar Singh Tanya Forsheit Vern Williams Warren Axelrod Wayne Pauley Werner Streitberger Wing Ko Yvonne Wilson Copyright © 2009 Cloud Security Alliance 7 Letter from the Editors It is hard to believe that just seven short months ago, we pulled together a diverse group of individuals from all corners of the technology industry to publish the first “Security Guidance for Critical Areas in Cloud Computing.” Since its launch, this seminal publication has continued to exceed our expectations for helping organizations around the world make informed decisions regarding if, when, and how they will adopt Cloud Computing services and technologies. But over those seven months our knowledge, and cloud computing technologies, have evolved at an astounding rate. This second version is designed to provide both new knowledge and greater depth to support these challenging decisions. Adopting cloud computing is a complex decision involving many factors. It is our hope that the guidance contained in this work will help you better understand what questions to ask, the current recommended practices, and potential pitfalls to avoid. Through our focus on the central issues of Cloud Computing security, we have attempted to bring greater clarity to an otherwise complicated landscape, which is often filled with incomplete and oversimplified information. Our focus on the original 15 domains (now consolidated into 13) serves to bring context and specificity to the Cloud Computing security discussion: enabling us to go beyond gross generalizations to deliver more insightful and targeted recommendations. On our journey, we have been joined by a growing list of industry organizations, corporations, and individuals who believe in our mission to develop and promote best practices for security assurance within Cloud Computing. Their perspectives and insights have been essential in creating a well-balanced, unbiased work that continues to serve as an excellent foundation upon which we can continue to build. Cloud Computing is still a rapidly evolving landscape; and one that requires us to stay current or fall behind. In this release of version two of our guidance, we drew upon the collective experience and expertise of our large and diverse volunteer community to create a more complete work with greater detail and improved accuracy. Still, we must not be complacent. Just as security professionals have done for ages, we must continue to evolve our processes, methods, and techniques in light of the opportunities that Cloud Computing brings to our industries. This evolution is critical to our long-term success as we find new ways to improve the efficacy and efficiency of our security enforcement and monitoring capabilities. Cloud Computing isn’t necessarily more or less secure than your current environment. As with any new technology, it creates new risks and new opportunities. In some cases moving to the cloud provides an opportunity to re-architect older applications and infrastructure to meet or exceed modern security requirements. At other times the risk of moving sensitive data and applications to an emerging infrastructure might exceed your tolerance. Our goal in this Guidance isn’t to tell you exactly what, where, or how to move into the cloud, but to provide you with practical recommendations and key questions to make that transition as securely as possible, on your own terms. Finally, on behalf of the Cloud Security Alliance and the Editorial Working Group, we would like to thank each and every volunteer for all of their time and effort that was put into the development of this new guidance document. We were consistently inspired by the dedication of the teams to extend and improve their respective areas, and we believe that their efforts have Copyright © 2009 Cloud Security Alliance 8 significantly added real value to this body of work. This document would not be what it is uploads/Litterature/ csa-guide.pdf