Page 1057 - Cloud computing: From paradigm to operation

Security                                                   7


is a cloud service customer with respect to the first, and a cloud service provider with respect to the cloud service customer using its service. This example illustrates the case where this Recommendation | International Standard applies to an organization both as a cloud service customer and as a cloud service provider. Because cloud service customers and cloud service providers form a supply chain through the design and implementation of the cloud service(s), clause "15.1.3 Information and communication technology supply chain" of ISO/IEC 27002 applies.

The multi-part International Standard ISO/IEC 27036, "Information security for supplier relationships", provides detailed guidance on the information security in supplier relationships to the acquirer and supplier of products and services. ISO/IEC 27036 Part 4 deals directly with the security of cloud services in supplier relationships. This standard is also applicable to cloud service customers as acquirers and cloud service providers as suppliers.

4.3 Relationships between cloud service customers and cloud service providers

In the cloud computing environment, cloud service customer data is stored, transmitted and processed by a cloud service. Therefore, a cloud service customer's business processes can depend upon the information security of the cloud service. Without sufficient control over the cloud service, the cloud service customer might need to take extra precautions with its information security practices.

Before entering into a supplier relationship, the cloud service customer needs to select a cloud service, taking into account the possible gaps between the cloud service customer's information security requirements and the information security capabilities offered by the service. Once a cloud service is selected, the cloud service customer should manage the use of the cloud service in such a way as to meet its information security requirements. In this relationship, the cloud service provider should provide the information and technical support that are necessary to meet the cloud service customer's information security requirements. When the information security controls provided by the cloud service provider are preset and cannot be changed by the cloud service customer, the cloud service customer may need to implement additional controls of its own to mitigate risks.


4.4 Managing information security risks in cloud services

Cloud service customers and cloud service providers should both have information security risk management processes in place. They are advised to refer to ISO/IEC 27001 for the requirements to conduct risk management in their information security management systems, and to refer to ISO/IEC 27005 for further guidance on information security risk management itself. ISO 31000, to which ISO/IEC 27001 and ISO/IEC 27005 conform, can also help general understanding of risk management.

In contrast to the general applicability of the information security risk management processes, cloud computing has its own types of risk sources, including threats and vulnerabilities, which are derived from its features, e.g., networking, scalability and elasticity of the system, resource sharing, self-service provisioning, administration on-demand, cross-jurisdictional service provisioning, and limited visibility into the implementation of controls. Annex B provides references that give information on these risk sources and associated risks in the provision and use of cloud services.

The controls and implementation guidance given in clauses 5 to 18 and Annex A of this Recommendation | International Standard address cloud computing specific risk sources and risks.

4.5 Structure of this standard

This Recommendation | International Standard is structured in a format similar to ISO/IEC 27002. This Recommendation | International Standard includes clauses 5 to 18 of ISO/IEC 27002 by stating the applicability of its texts at each clause and paragraph.

When objectives and controls specified in ISO/IEC 27002 are applicable without a need for any additional information, only a reference to ISO/IEC 27002 is provided.





