Page 1084 - Cloud computing: From paradigm to operation
7 Security
Implementation guidance for cloud services
Cloud service customer:
The cloud service customer should request a documented description of the termination of service process that covers return and removal of cloud service customer's assets followed by the deletion of all copies of those assets from the cloud service provider's systems. The description should list all the assets and document the schedule for the termination of service, which should occur in a timely manner.

Cloud service provider:
The cloud service provider should provide information about the arrangements for the return and removal of any cloud service customer's assets upon termination of the agreement for the use of a cloud service. The asset return and removal arrangements should be documented in the agreement and should be performed in a timely manner. The arrangements should specify the assets to be returned and removed.
CLD.9.5 Access control of cloud service customer data in shared virtual environment
Objective: To mitigate information security risks when using the shared virtual environment of cloud computing.
CLD.9.5.1 Segregation in virtual computing environments
Control
A cloud service customer's virtual environment running on a cloud service should be protected from other
cloud service customers and unauthorized persons.
Implementation guidance for cloud services
Cloud service customer:
(no additional implementation guidance)

Cloud service provider:
The cloud service provider should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network for:
– the separation of resources used by cloud service customers in multi-tenant environments;
– the separation of the cloud service provider's internal administration from resources used by cloud service customers.
Where the cloud service involves multi-tenancy, the cloud service provider should implement information security controls to ensure appropriate isolation of resources used by different tenants.
The cloud service provider should consider the risks associated with running cloud service customer-supplied software within the cloud services offered by the cloud service provider.
Other information for cloud services
Implementation of the logical segregation depends upon the technologies applied to the virtualization:
– Network and storage configurations can be virtualized when a software virtualization function
provides a virtual environment (e.g., a virtual operating system). In addition, segregation of cloud
service customers in software virtualized environments can be designed and implemented using
segregation functions of the software.
– When a cloud service customer's information is stored in a physically shared storage area with the
"meta-data table" of the cloud service, segregation of information from other cloud service
customers can be implemented with access control on the "meta-data table".
Secure multi-tenancy and related guidance given in "ISO/IEC 27040, Information technology – Security
techniques – Storage security" can apply to the cloud computing environment.
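As an added example (not from the book or from ISO/IEC 27017), the two mechanisms this page describes in one piece of code: segregation of tenants sharing one physical storage area through access control on the metadata table, and the termination-of-service removal of all copies of a customer's assets. The SQLite schema, table names and function names are assumptions.

```python
import sqlite3


def open_store():
    """Physically shared block store plus the metadata table that maps each
    (tenant, object key) to a block. Constructed in-memory for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blocks (block_id INTEGER PRIMARY KEY, data BLOB)")
    conn.execute(
        "CREATE TABLE object_meta ("
        "  tenant_id TEXT NOT NULL, object_key TEXT NOT NULL,"
        "  block_id INTEGER NOT NULL,"
        "  PRIMARY KEY (tenant_id, object_key))"
    )
    return conn


def put_object(conn, tenant_id, key, data):
    cur = conn.execute("INSERT INTO blocks (data) VALUES (?)", (data,))
    block_id = cur.lastrowid
    conn.execute("INSERT INTO object_meta VALUES (?, ?, ?)", (tenant_id, key, block_id))
    return block_id


def get_object(conn, tenant_id, key):
    # The metadata table is the only path to a block, and the caller's tenant
    # id is always part of the lookup: a tenant cannot reach another tenant's
    # entry even if it knows the object key or the physical block id.
    row = conn.execute(
        "SELECT b.data FROM object_meta m JOIN blocks b USING (block_id) "
        "WHERE m.tenant_id = ? AND m.object_key = ?",
        (tenant_id, key),
    ).fetchone()
    if row is None:
        # Same error whether the key is absent or belongs to another tenant,
        # so a caller learns nothing about other tenants' objects.
        raise PermissionError(f"tenant {tenant_id!r} has no object {key!r}")
    return row[0]


def remove_tenant_assets(conn, tenant_id):
    """Termination of service: drop the tenant's metadata rows, then release
    every block no remaining row refers to, so no copy survives in the shared
    area. Returns the number of blocks deleted."""
    conn.execute("DELETE FROM object_meta WHERE tenant_id = ?", (tenant_id,))
    cur = conn.execute(
        "DELETE FROM blocks WHERE block_id NOT IN (SELECT block_id FROM object_meta)"
    )
    conn.commit()
    return cur.rowcount
```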