Compliance in the Cloud

Compliance in the Cloud

Lucia Bonelli (Engineering Ingegneria Informatica, Italy), Luisa Giudicianni (Engineering Ingegneria Informatica, Italy), Angelo Immediata (Engineering Ingegneria Informatica, Italy) and Antonio Luzzi (Engineering Ingegneria Informatica, Italy)
Copyright: © 2015 |Pages: 23
DOI: 10.4018/978-1-4666-6539-2.ch069
OnDemand PDF Download:
No Current Special Offers


Despite the huge economic, handling, and computational benefits of the cloud technology, the multitenant and geographically distributed nature of clouds hides a large crowd of security and regulatory issues to be addressed. The main reason for these problems is the unavoidable loss of physical control that costumers are forced to accept when opting for the cloud model. This aspect, united with the lack of knowledge (i.e. transparency) of the vendor's infrastructure implementation, represents a nasty question when costumers are asked to respond to audit findings, produce support for forensic investigations, and, more generically, to ensure compliance with information security standards and regulations. Yet, support for security standards compliance is a need for cloud providers to overcome customers hesitancy and meet their expectations. In this context, tracking, auditing, and reporting practices, while transcending the compliance regimes, represent the primary vehicle of assurance for security managers and auditors on the achievement of security and regulatory compliance objectives. The aim of this chapter is to provide a roundup of crucial requirements resulting from common security certification standards and regulation. Then, the chapter reports an overview of approaches and methodologies for addressing compliance coming from the most relevant initiatives on cloud security and a survey of what storage cloud vendors declare to do in terms of compliance. Finally, the SIEM-based approach as a supporting technology for the achievement of security compliance objectives is described and, the architecture of the security compliance component of the VISION Cloud architecture is presented.
Chapter Preview

The Problem Of Being Compliant

Security responsibilities of both the provider and the consumer differ between cloud service models. Security controls, at a glance, can be divided into three macro-areas which directly derive from the corresponding cloud service models defined above. The first ones are Infrastructure-Level (IL) security controls. Controls performed at this level can refer up to the physical, environmental and virtualization layers. The second ones are Platform-Level (PL) security controls. Controls performed at this level can refer up to the operating system and running environment layer. The last ones are Software-Level (SL) security controls. Controls performed at this level can refer up to the application layer.

Complete Chapter List

Search this Book: