Cloud Computing Competence Center
Standards, Guidelines, Reports

Standards and guidelines have been developed that contain recommendations on cloud computing development and implementation. Particular attention is paid to information security and personal data protection.

International standards and guidelines on Cloud Computing:

  1. ISO/IEC 17788:2014 “Information technology — Cloud computing — Overview and vocabulary”:
    ISO/IEC 17788:2014 provides an overview of cloud computing along with a set of terms and definitions. It is the terminology foundation for cloud computing standards. The standard is applicable to all types of organizations (e.g., commercial enterprises, government agencies, not-for-profit organizations).
  2. ISO/IEC 17789:2014 “Information technology — Cloud computing — Reference architecture”:
    ISO/IEC 17789:2014 specifies the cloud computing reference architecture (CCRA). The reference architecture includes the cloud computing roles, cloud computing activities, and the cloud computing functional components and their relationships.
  3. ISO/IEC DIS 27017 “Information technology – Security techniques – Information security management – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002” (under development).
  4. ISO/IEC 27018:2014 “Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”:
    ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
    ISO/IEC 27018:2014 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.
    The guidelines in ISO/IEC 27018:2014 might also be relevant to organizations acting as PII controllers; however, PII controllers can be subject to additional PII protection legislation, regulations and obligations, not applying to PII processors. ISO/IEC 27018:2014 is not intended to cover such additional obligations.
  5. ISO/IEC WD 27036-4 “Information technology — Information security for supplier relationships — Part 4: Guidelines for security of Cloud services”.
  6. ISO/IEC 17826:2012 “Information technology — Cloud Data Management Interface (CDMI)”:
    ISO/IEC 17826:2012 specifies the interface to access cloud storage and to manage the data stored therein. It is applicable to developers who are implementing or using cloud storage.
  7. ISO/IEC 19770-1:2012 “Information technology — Software asset management — Part 1: Processes and tiered assessment of conformance”:
    ISO/IEC 19770-1:2012 establishes a baseline for an integrated set of processes for Software Asset Management (SAM), divided into tiers to allow for incremental implementation, assessment and recognition. ISO/IEC 19770-1:2012 applies to SAM processes and can be implemented by organizations to achieve immediate benefits. It can be applied to all software and related assets, regardless of the nature of the software, where related assets are all other assets with characteristics which are necessary to use or manage software. For example, it can be applied to executable software (such as application programs, operating systems and utility programs) and to non-executable software (such as fonts, graphics, audio and video recordings, templates, dictionaries, documents and data). It can be applied to all technological environments and computing platforms (e.g. virtualized software applications, on-premises or software-as-a-service; it is equally relevant in cloud computing as it is in older computing environments).
  8. ISO/IEC 27036-2:2014 “Information technology — Security techniques — Information security for supplier relationships — Part 2: Requirements”:
    ISO/IEC 27036-2:2014 specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships. These requirements cover any procurement and supply of products and services, such as manufacturing or assembly, business process procurement, software and hardware components, knowledge process procurement, Build-Operate-Transfer and cloud computing services.
    These requirements are intended to be applicable to all organizations, regardless of type, size and nature.
    To meet these requirements, an organization should have already internally implemented a number of foundational processes, or be actively planning to do so. These processes include, but are not limited to, the following: governance, business management, risk management, operational and human resources management, and information security.

European reports and recommendations on Cloud Computing:

  1. ENISA manual “Security & Resilience in Governmental Clouds: Making an Informed Decision”:
    Cloud computing offers a host of potential benefits to public bodies, including scalability, elasticity, high performance, resilience and security together with cost efficiency. Understanding and managing risks related to the adoption and integration of cloud computing capabilities into public bodies is a key challenge. Effectively managing the security and resilience issues related to cloud computing capabilities is prompting many public bodies to innovate, and in some cases to rethink, their processes for assessing risk and making informed decisions related to this new service delivery model.
    This report identifies a decision-making model that can be used by senior management to determine how operational, legal and information security requirements, as well as budget and time constraints, can drive the identification of the architectural solution that best suits the needs of their organisation. The main objectives of the report are:
    • to highlight the pros and cons, with regard to information security and resilience, of community, private and public cloud computing delivery models;
    • to guide public bodies in the definition of their requirements for information security and resilience when evaluating cloud computing service delivery models;
    Moreover, this report also aims to indirectly support European Union Member States in the definition of their national cloud strategy with regard to security and resilience.
  2. ETSI Technical Report 103 125 “Cloud; SLAs for Cloud services”:
    The document aims to review previous work on SLAs including ETSI guides from TC USER and contributions from EuroCIO, etc., and to derive potential requirements for cloud specific SLA standards.
  3. “Sicherheitsempfehlungen für Cloud Computing Anbieter (Mindestsicherheitsanforderungen in der Informationssicherheit)”, Bundesamt für Sicherheit in der Informationstechnik (BSI).
  4. BSI manual BIP 0117 “Cloud Computing. A Practical Introduction to the Legal Issues”:
    Cloud computing is not a new imperative for organisations as it has been around in various guises such as outsourcing, data processing and managed services for some years and so the challenges already exist. However, given that the cloud has assumed the status of an industry umbrella term, it is relevant that the issues associated with its implementation have been brought together in the book. The author is a lawyer who has been involved in IT and e-commerce contracts for some years. Whilst it is billed as an introduction to the legal issues, this book does contain a lot of good general management and service management advice. The various definitions of cloud computing are provided and form a useful backdrop to the numerous industry terms that already litter the popular press.
    It covers both sides of the legal contract – provider and recipient – but will be of more interest to customers than to cloud providers who will already have had to consider the terms of supply when forming a service offering.

American standards and reports on Cloud Computing:

  1. Definition of Cloud Computing:
    NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing;
    NIST SP 800-145: The NIST Definition of Cloud Computing;
    NIST SP 800-146: Cloud Computing Synopsis and Recommendations.
  2. US Government Cloud Computing Technology Roadmap Volume I: High-Priority Requirements to Further USG Agency Cloud Computing Adoption; and Volume II: Useful Information for Cloud Adopters:
    NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume I, High-Priority Requirements to Further USG Agency Cloud Computing Adoption;
    NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume II, Useful Information for Cloud Adopters;
    NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume III, Technical Considerations for USG Cloud Computing Deployment Decisions (Draft).
    The National Institute of Standards and Technology (NIST), consistent with its mission, has a technology leadership role in support of United States Government (USG) secure and effective adoption of the Cloud Computing model to reduce costs and improve services. This role is described in the 2011 Federal Cloud Computing Strategy as “… a central one in defining and advancing standards, and collaborating with USG Agency CIOs, private sector experts, and international bodies to identify and reach consensus on cloud computing technology & standardization priorities.” This NIST Cloud Computing program and initiative to develop a USG Cloud Computing Technology Roadmap is one of several complementary and parallel USG initiatives defined in the broader Federal Cloud Computing Strategy referenced above. The Federal Cloud Computing Strategy characterizes cloud computing as a “profound economic and technical shift (with) great potential to reduce the cost of federal Information Technology (IT) systems while improving IT capabilities and stimulating innovation in IT solutions.” In the technology vision of Federal Cloud Computing Strategy success, USG agencies will be able to easily locate desired IT services in a mature and competitive marketplace, rapidly procure access to these services, and use them to deliver innovative mission solutions. Cloud services will be secure, interoperable, and reliable. Agencies will be able to switch between providers easily and with minimal cost, and receive equal or superior service.
  3. NIST SP 500-291: Cloud Computing Standards Roadmap;
    NIST SP 500-292: NIST Cloud Computing Reference Architecture;
    NIST SP 500-299: NIST Cloud Computing Security Reference Architecture.