Cloud SLA Standards

SLAs and security go together; each is meaningless without the other. As the cloud computing market matures, vendors will differentiate themselves by the security features (and other SLA details) they provide. The spectacular failure of Sidekick/Microsoft-Danger; Amazon and Google’s outages; and the shrug-and-grin policy of Yahoo! are all examples of cloud FAILs due to weak or non-existent SLAs. Referencing existing (i.e., pre-cloud and non-cloud) standards for security, auditability, data retention and destruction, reliability, availability, etc., is an unambiguous way of specifying exactly what the vendor will provide and exactly what the consumer can expect.

Whether you are a provider or a consumer, what standards would you want in the SLAs? Here are three that come to mind:

* PCI DSS: http://bit.ly/b7di9
* SAS 70: http://bit.ly/QO1aG (the actual standard (PDF) is at: http://bit.ly/13HBBS)
* Overview of the TIA-942 Data Center standards: http://bit.ly/2YIzt7 (the TIA Data Center Standards; you have to buy the standards document, but the above is a mostly vendor-neutral overview)

What other standards are out there? Obviously any cloud provider has to follow laws regarding privacy and auditability as well (HIPAA, Sarbanes-Oxley), so those play into the discussion also.

Here is an additional bibliography on cloud security; more will be added on other aspects as they are collected:
