CIO.com

Top cloud compliance standards and how to use them

By Paul Kirvan

Enthusiasm surrounding the rapid growth and acceptance of cloud technology resulted in the creation of numerous standards and open source activity focused on cloud users and their needs. This led to market confusion around which standards are the most appropriate -- a major cloud compliance challenge for enterprises.

It is incumbent upon organizations using cloud technology -- or those contemplating the use of cloud-based services -- to ensure the cloud providers selected comply with established standards and best practices.

IT leaders can use this article to learn about cloud compliance standards and to understand which questions to ask existing and prospective cloud providers about their efforts at complying with specific standards, as well as how to select the appropriate standards for their specific organization.

The organizations developing cloud compliance standards

Numerous professional and technical organizations address various aspects of cloud technology, offering their own standards, recommendations and guidance for successful cloud implementation.

Cloud Standards Customer Council (CSCC)

CSCC is an end-user support group focused on the adoption of cloud technology and examining cloud standards and security and interoperability issues. It has produced numerous white papers and articles on cloud issues. It has been superseded by the Cloud Working Group and addresses cloud standards issues via its Cloud Working Group.

DMTF

DMTF supports the management of existing and new technologies, such as cloud, by developing appropriate standards. Its working groups, such as Open Cloud Standards Incubator, Cloud Management Working Group and Cloud Auditing Data Federation Working Group, address cloud issues in greater detail.

European Telecommunications Standards Institute (ETSI)

ETSI primarily develops telecommunications standards. Among its cloud-focused activities are Technical Committee CLOUD, the Cloud Standards Coordination initiative and Global Inter-Cloud Technology Forum, each of which addresses cloud technology issues.

Open Grid Forum (OGF)

OGF develops standards for grid computing, cloud, and advanced digital networking and distributed computing technologies. Among its cloud-focused activities is the Open Cloud Computing Interface working group, which has developed several cloud operating specifications, including the OCCI Core specification and OCCI Infrastructure extension.

Open Commons Consortium (OCC)

Formerly known as the Open Cloud Consortium, OCC provides management of cloud computing and data commons -- an open knowledge repository -- resources in support of a variety of academic and scientific research initiatives.

Organization for the Advancement of Structured Information Standards (OASIS)

This nonprofit organization develops open standards for security, cloud technology, IoT, content technologies and emergency management. Its various cloud technical committees include OASIS Cloud Application Management for Platforms, OASIS Identity in the Cloud, and OASIS Topology and Orchestration Specification for Cloud Applications.

Storage Networking Industry Association Cloud Data Management Interface

This specification is now an ISO standard, ISO/IEC 17826:2012, Information technology -- Cloud Data Management Interface. Typically used by cloud storage systems developers, it defines an interface to access cloud storage and to manage the data stored within the cloud resource.

The Open Group

This consortium of technology industry organizations develops standards and accreditations for a variety of IT issues. Its Open Platform 3.0 Forum working group's activities focus on mobility, big data analytics and cloud computing.

TM Forum Cloud Services Initiative

TM Forum is a global consortium of technology firms that provides a collaborative platform to address technology issues. Its Cloud Services Initiative provides a resource to develop cloud standards to be used by technology firms and users alike.

Explore widely used cloud compliance standards

Two organizations that have developed a number of cloud-focused standards are NIST and ISO. Here, review a sampling of current, commonly used cloud compliance standards from these respective standards organizations.

NIST

NIST develops and distributes standards primarily for government use but which are widely used by private industry. Its Special Publications (SP) Series of standards, including the following, is used extensively in public and private sectors:

• NIST SP 500-291 (2011), NIST cloud computing standards roadmap. This provides a compilation of available standards on cloud computing and examines standards priorities and where gaps in the standards exist.
• NIST SP 500-293 (2011), U.S. government cloud computing technology roadmap. This provides a detailed framework and structure for cloud computing infrastructures. While designed for government applications, it can also be used in the private sector.
• NIST SP 800-144 (2011), Guidelines on security and privacy in public cloud computing. This standard provides guidance and recommendations for implementing a secure environment in public cloud services.
• NIST SP 800-145 (2011), The NIST definition of cloud computing. This standard describes important aspects of cloud computing and serves as a benchmark for comparing cloud services and deployment strategies. It also provides a foundation for discussions on cloud computing and how to use it.
• NIST Standards acceleration to jumpstart adoption of cloud computing. This group performs three activities that work together to encourage greater use of cloud. First, it recommends existing standards. Second, it coordinates contributions from various organizations into cloud specifications. Third, it identifies gaps in cloud standards and encourages outside firms to fill the gaps.
• NIST Cloud computing program. This program defines a model and framework for building a cloud infrastructure and includes multiple advanced technology characteristics.

ISO

This is one of the primary global standards-making organizations. It develops standards for dozens of different kinds of technologies and systems, including the following:

• ISO/IEC 17789:2014, Information technology -- Cloud computing -- Reference architecture. This standard defines cloud computing roles, activities and functional components, as well as how they interact.
• ISO/IEC 17826:2016, Information technology -- Cloud data management interface. As mentioned above, this standard pertains to systems developers implementing and using cloud storage.
• ISO/IEC 18384:2016, Information technology -- Reference architecture for service oriented architecture (SOA). This standard defines the vocabulary, guidelines and general technical principles underlying SOA, which are often deployed in cloud platforms.
• ISO/IEC 19086-1:2016, Information technology -- Cloud computing -- Service level agreement (SLA) framework. This standard provides the framework for preparing SLAs for cloud services.
• ISO/IEC 19941:2017, Information technology -- Cloud computing -- Interoperability and portability. This standard specifies the interoperability and portability aspects of cloud computing.
• ISO/IEC 19944-1:2020, Cloud computing and distributed platforms -- Data flow, data categories and data use. This standard describes how data moves among cloud service vendors and users of cloud services.
• ISO/IEC Technical Report 22678:2019, Information technology -- Cloud computing -- Guidance for policy development. This standard provides guidance for developing cloud-focused policies.
• ISO/IEC Technical Specification 23167:2020, Information technology -- Cloud computing -- Common technologies and techniques. This standard describes technologies and techniques used in cloud computing, including VMs, hypervisors and containers.
• ISO/IEC 27017:2015, Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services. This document provides guidance on the infosec aspects of cloud computing and cloud-specific infosec controls.
• ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. This document specifies guidelines based on ISO/IEC 27002, focusing on the protection of PII in public cloud environments.

How to select an appropriate standard

To determine appropriate cloud compliance standards for their respective companies, IT leaders should conduct research into the various cloud compliance standards, working groups and technical committees described in this article. Examine the standards being used by major cloud service providers, such as AWS and Microsoft. Chances are IT departments will have already performed considerable due diligence in these issues, so achieving compliance with standards will be an important outcome.

Conversely, when using a third party for a cloud implementation, check to see how it achieves cloud standards compliance. This can be incorporated into the evaluation process.

Another way to evaluate cloud providers' compliance efforts is to examine the most recently released Service Organization Control Type 2 (SOC 2) reports. SOC 2 reports examine the controls used by the vendor to protect customer data and verify the operational effectiveness of those controls. For cloud service providers, SOC 2 reports can also document the standards and practices the vendor uses to protect the security and privacy of user data.