Jericho Forum's 11 Commandments Of Cloud Security Design

Enterprises are trying to figure out how to adapt their architectures to secure cloud computing as their vanishing perimeters trail off into wisps. The Jericho Forum's new Self-Assessment Scheme offers new guidance for both organizations and vendors, with a framework that fleshes out the Forum's 11 "commandments." These principles of sound security design are crafted with emphasis on de-perimeterization and externalization, that is, the move towards cloud-based IT.

March 15, 2010


The self-assessment scheme is aimed first as a guide for enterprises to evaluate vendor security in a cloud environment, and to help vendors to demonstrate that their products and services meet the rigors of information security to the satisfaction of wary customers. Organizations are looking for strong assurance as their data moves to multi-tenancy hosting, often split into multiple data centers across national borders. "Our premise is that you can't assume there are borders in network infrastructure," said Robert West, a member of the Forum's Board of Management, "and based on that assumption, you need to know where crown jewels are and protect them at a more granular level."  

What's thought of as "the cloud" can mean different things to organizations, depending on which aspects of their IT infrastructure are moving to a cloud environment--platform as a service (PaaS), infrastructure as a service (IaaS) and software as a service (SaaS)--with control relinquished progressively at each of these layers. The deployment model further complicates a standard approach to security, as organizations move IT to the public cloud, an enterprise or private cloud, or an industry cloud created for a group of enterprises with a common purpose.

"It's valuable to understand the cloud-as-a-collective concept, in which you recognize that some of its innovative and disruptive aspects--multi-tenancy, virtualization, outsourcing, internet accessibility--are all coming together as a new paradigm for delivering IT as a service. But, also recognize that it takes so many forms, so it is difficult to talk about in general," said Dan Blum, senior vice president and principal analyst at Burton Group/Gartner. In light of these many permutations and combinations, the self-assessment is also designed as a framework for organizations that want to evaluate their own security implementations and architectures, and/or the security baked into their design plans.

The 11 commandments, released in 2006, include, among other requirements, the need to use open, secure communications protocols; security mechanisms that are pervasive, simple, scalable and easy to manage; authentication, authorization and accountability that work outside an organization's area of control; and required levels of trust. "These principles have been out there for some time," said West. "But, we asked, how do these principles play on Main Street? How do you translate them into something pragmatic and actionable?" So, each commandment now breaks down into several sub-principles and a specific explanation of what counts as "Acceptable" and what counts as "Good" (best practice) fulfillment. The Forum offers a scorecard, so that an enterprise or vendor can rate itself on each point.

In practical terms, an enterprise can use the self-assessment to score its systems or plans internally, or perhaps use the framework as the basis for assessing vendor security as part of the RFP process. Vendors might offer it as evidence of their security prowess, either as part of a proposal or even as a marketing device, much as they might cite their product certifications.

These cloud security guidelines are among several available to enterprises, including the Cloud Security Alliance guidance and the European Network and Information Security Agency (ENISA) report, Cloud Computing Information Assurance Framework, as they adapt their business to the cloud paradigm while adapting security architecture, policy and practice to an environment in which they no longer exercise direct control and struggle with the lack of transparency into vendor security. The Forum principles and self-assessment, like other guidance documents, are not a set of directions for achieving cloud security.

"Look at it as a sort of conceptual layer as opposed to highly specific control activities," said Blum. "They are architectural principles rather than prescriptive technology guidance. It's a way of thinking about what security architecture should look like in terms of externalization and de-perimeterization in light of cloud computing."
