
Jericho Forum's 11 Commandments Of Cloud Security Design


Channel: Security, Data Center, Data Protection, Virtualization

Enterprises are trying to figure out how to adapt their architectures to secure cloud computing as their vanishing perimeters trail off into wisps. The Jericho Forum's new Self-Assessment Scheme offers new guidance for both organizations and vendors, with a framework that fleshes out the Forum's 11 "commandments." These principles of sound security design are crafted with emphasis on de-perimeterization and externalization, that is, the move towards cloud-based IT.

The self-assessment scheme is intended first as a guide for enterprises evaluating vendor security in a cloud environment, and second to help vendors demonstrate that their products and services meet the rigors of information security to the satisfaction of wary customers. Organizations are looking for strong assurance as their data moves to multi-tenant hosting, often split across multiple data centers and national borders. "Our premise is that you can't assume there are borders in network infrastructure," said Robert West, a member of the Forum's Board of Management, "and based on that assumption, you need to know where crown jewels are and protect them at a more granular level."

What is thought of as "the cloud" can mean different things to different organizations, depending on which aspects of their IT infrastructure are moving to a cloud environment--platform as a service (PaaS), infrastructure as a service (IaaS) or software as a service (SaaS)--and how much control the organization relinquishes at each of these layers. The deployment model further complicates a standard approach to security, as organizations move IT to a public cloud, an enterprise or private cloud, or an industry cloud created for a group of enterprises with a common purpose.

"It's valuable to understand the cloud-as-a-collective concept, in which you recognize that some of its innovative and disruptive aspects--multi-tenancy, virtualization, outsourcing, internet accessibility--all coming together as a new paradigm for delivering IT as a service. But, also recognize that it takes so many forms, so is difficult to talk about in general," said Dan Blum, senior vice president and principal analyst at Burton Group/Gartner. In light of these many permutations and combinations, the self-assessment is also designed as a framework for organizations that want to evaluate their own security implementations and architectures, and/or the security baked into their design plans.

The 11 commandments, released in 2006, include, among other requirements, the use of open, secure communications protocols; security mechanisms that are pervasive, simple, scalable and easy to manage; authentication, authorization and accountability that work outside an organization's area of control; and the establishment of required levels of trust. "These principles have been out there for some time," said West. "But we asked, how do these principles play on Main Street? How do you translate them into something pragmatic and actionable?" So each commandment now breaks down into several sub-principles, with a specific explanation of what counts as "Acceptable" and what counts as "Good" (best practice) fulfillment. The Forum offers a scorecard so that an enterprise or vendor can rate itself on each point.

