Tuesday, December 29, 2009

The Cloud Security Alliance (CSA) has published a new version of its cloud security guidance. It aims for a more structured approach and is easier to understand =>

In particular, each of the domains that make up the whole is a theme where, viewed as a business, a product could exist, which makes the structure useful material for explaining the shape of the cloud industry going forward.

Standardization in the cloud industry has lagged, but it may be about time for a shared understanding of a structured approach to emerge.


Last week, the Cloud Security Alliance (CSA) released its Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. This is a follow-on to the first guidance document, released only last April, which gives you a sense of the speed at which cloud technology and techniques are moving. I was one of the contributors to this project.

The guidance explores the issues in cloud security from the perspective of 13 different domains:

Cloud Architecture

  • Domain 1: Cloud Computing Architectural Framework

Governing in the Cloud

  • Domain 2: Governance and Enterprise Risk Management
  • Domain 3: Legal and Electronic Discovery
  • Domain 4: Compliance and Audit
  • Domain 5: Information Lifecycle Management
  • Domain 6: Portability and Interoperability

Operating in the Cloud

  • Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
  • Domain 8: Data Center Operations
  • Domain 9: Incident Response, Notification, and Remediation
  • Domain 10: Application Security
  • Domain 11: Encryption and Key Management
  • Domain 12: Identity and Access Management
  • Domain 13: Virtualization

I thought the domain classification was quite good because it serves to remind people that technology is only a small part of a cloud security strategy. I know that's become a terrible security cliché, but there's a difference between saying this and understanding what it really means. The CSA domain structure–even without the benefits of the guidance–at least serves as a concrete reminder of what's behind the slogan.

Have a close look at the guidance. Read it; think about it; disagree with it; change it–but in the end, make it your own. Then share your experiences with the community. The guidance is an evolving document that is a product of a collective, volunteer effort. It's less political than a conventional standards effort (look through the contributors and you will find individuals, not companies). The group can move fast, and it doesn't need to be prescriptive like a standard–it's more a distillation of considerations and best practices. This one is worth tracking.

http://kscottmorrison.com/2009/12/23/cloud-security-alliance-guidance-v2-released/