Cloud computing

Security for Cloud Computing: 10 Steps to Ensure Success provides a practical reference to help enterprise information technology (IT) and business decision makers analyze the security implications of cloud computing on their business.
 
The guide includes a list of ten steps designed to help decision makers evaluate and compare security and privacy offerings from different cloud providers in key areas, covering:

• Security and privacy challenges pertinent to cloud computing and considerations that organizations should weigh when migrating data, applications, and infrastructure
• Threats, technology risks, and safeguards for cloud computing environments and the insight needed to make informed IT decisions on their treatment
• A Cloud Security Assessment to assess the security capabilities of cloud providers

 
Version 3.0 introduces new and updated security standards, worldwide privacy regulations, and stresses the importance of including security in continuous delivery and deployment approaches, among other things.

Public Cloud Service Agreements: What to Expect and What to Negotiate was written to help cloud customers understand and evaluate public cloud service agreements (CSAs) from different providers.
 
The paper describes the current anatomy of a cloud service agreement, covering the customer agreement, acceptable use policies, cloud service level agreements and privacy policies.
 
The heart of the guide is a series of ten steps that cloud service customers should take to evaluate CSAs in order to compare public cloud service providers or negotiate terms with a provider. The recommendations are based on a thorough assessment of publicly available agreements from leading providers

Migrating Applications to the Cloud: Assessing Performance and Response Time Requirements is a supplement to the CSCC paper, Migrating Applications to Public Cloud Services: Roadmap for Success.
 
Assessing applications and workloads for readiness for migration to cloud computing allows organizations to determine which applications and data can (or cannot) be readily moved to a cloud computing environment and which delivery models (public, private, or hybrid) can be supported.
 
Emphasis is placed on mapping business requirements to the underlying technology to improve decisions regarding the suitability of cloud computing for a particular workload. By testing and quantifying performance and response time implications early on, performance issues can be avoided or mitigated.

ISO/IEC 18384-2 describes a Reference Architecture for SOA Solutions which applies to functional design, performance, development, deployment and management of SOA Solutions. It includes a domain-independent framework, addressing functional requirements and non-functional requirements, as well as capabilities and best practices to support those requirements.

This document:
- Describes a framework for the structured expression of data-related policies and practices in the cloud computing environment, based on the data taxonomy in ISO/IEC 19944:2017;
- provides guidelines on application of the taxonomy for handling of data based on data subcategory and classification;
- covers expression of data-related policies and practices including, but not limited to data geolocation, cross border flow of data, data access and data portability, data use, data management, and data governance;
- describes how the framework can be used in codes of conduct for practices regarding data at rest and in transit, including cross border transfer of data, as well as remote access to data;
- provides use cases for data handling challenges, i.e. control, access and location of data according to ISO/IEC 19944:2017 data categories.
This document is applicable primarily to cloud service providers, cloud service customers and cloud service users, but also to any person or organization involved in legal, policy, technical or other implications of taxonomy based data management in cloud services.
 
Under development

This document provides a consolidate set of concepts, terms, terminology and definitions extracted from the ISO/IEC cloud computing standards, including, but not limited to, ISO/IEC 17788, ISO/IEC 17789, ISO/IEC 19086, ISO/IEC 19941 and ISO/IEC 19944. In addition, relevant and stable terminology from non-cloud computing ISO sources (e.g., Information technology -- Security techniques) and external organization are also included.
This document also contains terms and definitions that are not necessarily contained in other works.
This document also addresses discrepancies and inconsistencies that have been identified in the consolidated terms and definitions to further enhance the usability of the ISO cloud computing terminology.
This document includes additional descriptions and clarifications of cloud computing vocabulary terms, concepts, and their inter-relationships.
 
Under development

This document
- extends the existing cloud computing vocabulary and reference architecture in ISO/IEC 17788 and ISO/IEC 17789 to describe an ecosystem involving devices using cloud services,
- describes the various types of data flowing within the devices and cloud computing ecosystem,
- describes the impact of connected devices on the data that flow within the cloud computing ecosystem,
- describes flows of data between cloud services, cloud service customers and cloud service users,
- provides foundational concepts, including a data taxonomy, and
- identifies the categories of data that flow across the cloud service customer devices and cloud services.
This document is applicable primarily to cloud service providers, cloud service customers and cloud service users, but also to any person or organization involved in legal, policy, technical or other implications of data flows between devices and cloud services.
 
Under development

ISO/IEC TR 30102 describes the general technical principles underlying Service Oriented Architecture (SOA), including principles relating to functional design, performance, development, deployment and management. It provides a vocabulary containing definitions of terms relevant to SOA.
It includes a domain-independent technical framework, addressing functional requirements and non-functional requirements.
 
The standard can be bought here: https://www.iso.org/standard/53222.html
The informative sections of this standard are publicly available here: https://www.iso.org/obp/ui/#iso:std:iso-iec:tr:30102:ed-1:v1:en

This document describes a framework of trust for the processing of multi-sourced data that includes data use obligations and controls, data provenance, chain of custody, security and immutable proof of compliance as elements of the framework.
 
The standard can be bought here: https://www.iso.org/standard/74844.html
The informative sections of the standard are publicly available here: https://www.iso.org/obp/ui/#iso:std:iso-iec:tr:23186:ed-1:v1:en

This document provides guidance on the use of international standards as a tool in the development of those policies that govern or regulate cloud service providers (CSPs) and cloud services, and those policies and practices that govern the use of cloud services in organisations.
This includes material that explains cloud computing concepts and the role of cloud computing international standards in formulating policies and practices.
The document makes references to various international standards. Where possible, these standards are ISO/IEC standards. Where a suitable ISO/IEC standard is not available, references are made to documents published by other WTO-registered standards bodies.
As explained in the WTO Agreement on Technical Barriers to Trade (TBT), standards play a vital role in supporting technical regulations and conformity assessment, however this document does not cover matters of trade.

ISO/IEC 19944
- extends the existing cloud computing vocabulary and reference architecture in ISO/IEC 17788 and ISO/IEC 17789 to describe an ecosystem involving devices using cloud services,
- describes the various types of data flowing within the devices and cloud computing ecosystem,
- describes the impact of connected devices on the data that flow within the cloud computing ecosystem,
- describes flows of data between cloud services, cloud service customers and cloud service users,
- provides foundational concepts, including a data taxonomy, and
- identifies the categories of data that flow across the cloud service customer devices and cloud services.
ISO/IEC 19944 is applicable primarily to cloud service providers, cloud service customers and cloud service users, but also to any person or organization involved in legal, policy, technical or other implications of data flows between devices and cloud services.

ISO/IEC 19941 specifies cloud computing interoperability and portability types, the relationship and interactions between these two cross-cutting aspects of cloud computing and common terminology and concepts used to discuss interoperability and portability, particularly relating to cloud services.
ISO/IEC 19941 is related to other standards, namely, ISO/IEC 17788, ISO/IEC 17789, ISO/IEC 19086‑1, ISO/IEC 19944, and in particular, references the cross-cutting aspects and components identified in ISO/IEC 17788 and ISO/IEC 17789 respectively.
The goal of this document is to ensure that all parties involved in cloud computing, particularly CSCs, CSPs and cloud service partners (CSNs) acting as cloud service developers, have a common understanding of interoperability and portability for their specific needs. This common understanding helps to achieve interoperability and portability in cloud computing by establishing common terminology and concepts.