ISO/IEC 17789 specifies the cloud computing reference architecture (CCRA). The reference architecture includes the cloud computing roles, cloud computing activities, and the cloud computing functional components and their relationships.
ISO/IEC 17788 provides an overview of cloud computing along with a set of terms and definitions. It is a terminology foundation for cloud computing standards.
ISO/IEC 17788 is applicable to all types of organizations (e.g., commercial enterprises, government agencies, not-for-profit organizations).
The Open Virtualization Format (OVF) standard provides the industry with a standard packaging format for software solutions based on virtual systems, solving critical business needs for software vendors and cloud computing service providers.
OVF has been developed by the DMTF (see also the DMTF OVF Standards Watch link).
The standard can be bought here: https://www.iso.org/standard/72081.html
The informative sections of this standard are publicly available here: https://www.iso.org/obp/ui/#iso:std:iso-iec:17203:ed-2:v1:en
ISO/IEC 27036-4 provides cloud service customers and cloud service providers with guidance on
a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and
b) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services.
ISO/IEC 27036-4 does not include business continuity management/resiliency issues involved with the cloud service. ISO/IEC 27031 addresses business continuity.
ISO/IEC 27036-4 does not provide guidance on how a cloud service provider should implement, manage and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017.
The scope of ISO/IEC 27036-4 is to define guidelines supporting the implementation of information security management for the use of cloud services.
This document specifies security and protection of personally identifiable information components, SLOs and SQOs for cloud service level agreements (cloud SLA) including requirements and guidance.
This document is for the benefit and use of both CSPs and CSCs.
The standard can be bought here: https://www.iso.org/standard/68242.html
The informative sections of standards are publicly available https://www.iso.org/obp/ui/#iso:std:iso-iec:19086:-4:ed-1:v1:en
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.
The guidelines in this document can also be relevant to organizations acting as PII controllers. However, PII controllers can be subject to additional PII protection legislation, regulations and obligations, not applying to PII processors. This document is not intended to cover such additional obligations.
The standard can be bought here: https://www.iso.org/standard/76559.html
The informative sections of this standard are publicly available here: https://www.iso.org/obp/ui/#iso:std:iso-iec:27018:ed-2:v1:en
ISO/IEC 27017 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.
The standard can be bought here: https://www.iso.org/standard/43757.html
The informative sections of this standard are publicly available here: https://www.iso.org/obp/ui/#iso:std:iso-iec:27017:ed-1:v1:en
This standard defines topology, functions, and governance for cloud-to-cloud interoperability and federation.
Topological elements include clouds, roots, exchanges (which mediate governance between clouds), and gateways (which mediate data exchange between clouds).
Functional elements include name spaces, presence, messaging, resource ontologies (including standardized units of measurement), and trust infrastructure.
Governance elements include registration, geo-independence, trust anchor, and potentially compliance and audit.
The standard does not address intra-cloud (within cloud) operation, as this is cloud implementation-specific, nor does it address proprietary hybrid-cloud implementations.
Under development
Working documents can be found here (prior registration required): https://ieee-sa.imeetcentral.com/2302/home
In addition to interoperability and security that are two recognized key enablers to the development of large IoT systems, a new one is emerging as another key condition of success: virtualization. The deployment of IoT systems will occur not just within closed and secure administrative domains but also over architectures that support the dynamic usage of resources that are provided by virtualization techniques over cloud back-ends.
This new challenge for IoT requires that the elements of an IoT system can work in a fully interoperable, secure and dynamically configurable manner with other elements (devices, gateways, storage, etc.) that are deployed in different operational and contractual conditions. To this extent, the current architectures of IoT will have to be aligned with those that support the deployment of cloud-based systems (private, public, etc.). Moreover, these architectures will have to support very diverse and often stringent non-functional requirements such as scalability, reliability, fault tolerance, massive data, security.
This will require very flexible architectures for the elements (e.g. the application servers) that will support the virtualized IoT services, as well as very efficient and highly modular implementations that will make a massive usage of Open Source components. These architectures and these implementations form a new approach to IoT systems and the solutions that the present document investigates also should be validated: to this extent, a Proof-of-Concept implementation involving a massive number of virtualized elements has been made.
The purpose of this technical report is to expand on the description of the interactions between cloud service partners (CSNs) and cloud service customers (CSCs), and between CSNs and cloud service providers (CSPs).
Cloud computing is in a position to offer solutions to many emerging technologies, and it offers many benefits to all cloud service users (CSUs) and CSCs. The broader requirement for cloud solutions is to ensure organizations have the best capabilities to fulfil their business missions. This has helped to drive the adoption of cloud services and the marketplace is adjusting to the increasing demands.
In finding and applying appropriate solutions and leveraging the many benefits of using cloud services, many CSCs use multiple CSPs and various deployment models, and include a global network. In using, sharing, and assessing data, an understanding and clarification of roles, activities and responsibilities will help to maintain the security, privacy, confidentiality and confidence of cloud services.
Interactions of CSCs and CSPs with the various CSNs have caused a degree of concern and confusion in the cloud service marketplace, in some cases causing harm to CSCs through inappropriate security controls and the lack of proper cloud service agreements relating to the cloud services being used. This is in part caused by an inadequate understanding of the relationships involved and by the lack of standards which might apply to those relationships.
Interactions between CSCs and CSPs have been described in detail in standards documents – ISO/IEC 17789 [2], 19941 [7], 27017 [11], 27018 [12] and the 19086 series. Interactions of CSNs, a key role in the cloud service environment, with CSCs and CSPs have not been described in similar detail. This TR is to provide guidance and descriptions for those interactions.
This document provides clarification of the concepts provided in ISO/IEC 17789, 19086, and 19941 regarding CSNs, and CSN interactions with CSCs and CSPs with the help of a few of exemplary market scenarios. Building on an expanded description of sub-roles and activities, this document provides guidance on using cloud service agreements (CSA) and cloud service level agreements (cloud SLAs) to provide more clarity for CSN interactions.
This document provides an overview of and guidance on interactions between cloud service partners (CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud service entities. In addition, the document describes how cloud service agreements (CSAs) and cloud service level agreements (cloud SLAs) should be used to address those interactions including the following:
Define Terms and concepts, and provide an overview for interactions between CSNs and CSCs and CSPs
Description of types of CSN interactions
Description of interactions between CSNs and CSCs
Description of interactions between CSNs and CSPs
Elements of CSAs and Cloud SLAs for CSN interactions, both with CSPs and with CSCs
Under development
The CSA Open Certification WG is an industry initiative to allow global, accredited, trusted certification of cloud providers. It is a program for flexible, incremental and multi-layered cloud provider certification according to the CSA’s industry leading security guidance and control objectives. The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost.
