Page 1056 - Cloud computing: From paradigm to operation

7 Security



3.1.3 The following term is defined in ISO/IEC 17203:

– virtual machine: The complete environment that supports the execution of guest software.
  NOTE – A virtual machine is a full encapsulation of the virtual hardware, virtual disks, and the metadata associated with it. Virtual machines allow multiplexing of the underlying physical machine through a software layer called a hypervisor.

3.2 Abbreviations

For the purposes of this Recommendation | International Standard, the following abbreviations apply:
IaaS  Infrastructure as a Service
PaaS  Platform as a Service
PII   Personally Identifiable Information
SaaS  Software as a Service
SLA   Service Level Agreement
VM    Virtual Machine


4 Cloud sector-specific concepts

4.1 Overview

The use of cloud computing has changed how organizations should assess and mitigate information security risks because of the significant changes in how computing resources are technically designed, operated and governed. This Recommendation | International Standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002 and provides additional controls to address cloud-specific information security threat and risk considerations.

Users of this Recommendation | International Standard should refer to clauses 5 to 18 in ISO/IEC 27002 for controls, implementation guidance and other information. Because of the general applicability of ISO/IEC 27002, many of the controls, implementation guidance and other information apply to both the general and cloud computing contexts of an organization. For example, "6.1.2 Segregation of duties" of ISO/IEC 27002 provides a control that can be applied whether the organization is acting as a cloud service provider or not. Additionally, a cloud service customer can derive requirements for segregation of duties in the cloud environment from the same control, e.g., segregating the cloud service customer's cloud service administrators from its cloud service users.

As an extension to ISO/IEC 27002, this Recommendation | International Standard further provides cloud service specific controls, implementation guidance and other information (see clause 4.5) that are intended to mitigate the risks that accompany the technical and operational features of cloud services (see Annex B). Cloud service customers and cloud service providers can refer to ISO/IEC 27002 and this Recommendation | International Standard to select controls with the implementation guidance, and add other controls if necessary. This process can be done by performing an information security risk assessment and risk treatment in the organizational and business context where cloud services are used or provided (see clause 4.4).

4.2 Supplier relationships in cloud services

ISO/IEC 27002 clause 15 "Supplier relationships" provides controls, implementation guidance and other information for managing information security in supplier relationships. The provision and use of cloud services is a kind of supplier relationship, where the cloud service customer is an acquirer, and the cloud service provider is a supplier. Therefore, the clause applies to cloud service customers and cloud service providers.

Cloud service customers and cloud service providers can also form a supply chain. Suppose that a cloud service provider provides an infrastructure capabilities type service. In addition, another cloud service provider can provide an application capabilities type service. In this case, the second cloud service provider
