LII:Choosing and Implementing a Cloud-based Service for Your Laboratory/Standards and security in the cloud

From LIMSWiki
Revision as of 17:52, 21 August 2021 by Shawndouglas (talk | contribs) (Created as needed.)

2. Standards and security in the cloud

Figure 3. The NIST Cloud Computing Security Reference Architecture provides a security overlay to the NIST Cloud Computing Reference Architecture, published in 2011.

In a 2010 Cloud Computing Adoption Survey by Mimecast, the leading response (46 percent of surveyed IT managers) to the question "Why did you decide against moving to the cloud?" was "security concerns."[1] In a separate survey published around the same time by the IEEE and Cloud Security Alliance, "93 percent of respondents said the need for cloud computing security standards is important; 82 percent said the need is urgent."[2] Fast-forward to today and it's easy to see worries about cloud security have eased somewhat in comparison. A Cloud Threat Report by Oracle and KPMG in 2020 found that "40% of cybersecurity and IT professionals from private and public businesses perceive public clouds as more secure than on-premise environments ... 12% believe public clouds are no more secure or insecure than what they can deliver with on-premises environments, and 2% think public clouds are less secure."[3] A survey less than a year before found similar numbers, also noting, however, that while confidence in cloud security was strong, a strong majority of respondents (71 percent) still believe there are at least moderate concerns about "malicious activity in cloud systems."[4]

To be sure, there are undoubtedly opportunities for malicious activity within the cloud, which has its own share of complexities. A 2023 collaborative report by Check Point Software Technologies and Cybersecurity Insiders points to annual increases in attack attempts on cloud-based networks, needlessly complex and inadequate security policies, and insufficient and insecure cloud configurations and interfaces as being drivers of security mishaps in the cloud.[5] Additionally, given that cloud computing is internet-based (i.e., networked), a networking approach based on normal internet and network standards is not sufficient to address the complexities inherent to many cloud computing implementations.[6] From integrating public and private clouds to meeting regulations mandating localized data storage, additional considerations must be made as to how best to ensure standardized cloud services remain driven by solid security principles. With the transition to cloud, on-site data storage has moved online, with its own set of security nuances. Additionally, increased scalability, interfacing, and proximity to other networked data and systems add more complexity to security.[7] As complexity is added, a more standardized approach is called for. Just as the Cloud Native Computing Foundation's (CNCF's) Certified Kubernetes Conformance Program attempts to ensure a standardized conformance of all Kubernetes instances to the Kubernetes application programming interfaces (APIs) for consistency and interoperability across cloud platforms[8], standards organizations like the Institute of Electrical and Electronics Engineers (IEEE), International Organization for Standardization (ISO), and National Institute of Standards and Technology (NIST) develop standards and guidelines to ensure quality and security across all cloud computing platforms.[9][10]

The next few sections examine the various organizations, agencies, and industries developing and promoting standards, guidelines, and recommendations that shape the proper use of cloud computing platforms. Note that you won't see much about laboratories and cloud computing in this chapter, as we pan outward and look at cloud standards and security from up high. We'll focus on how all this information relates to laboratories in the coming chapters.


2.1 Standards and regulations influencing cloud computing

Numerous organizations have taken up the mantle in developing and disseminating cloud compliance standards, guidelines, and recommendations since the late 2000s, some independently (e.g., the Storage Networking Industry Association) and others by government mandate (e.g., National Institute of Standards and Technology). Some organizations have tailored their content to a specific industry (e.g., PCI Security Standards Council and the financial industry), while others have focused on a sector of business (e.g., FedRAMP and the U.S. Federal government). As the development of these standards, guidelines, and recommendations has continued, the groundwork has been created for future updates. NIST's early work with its SP 500-293 NIST Cloud Computing Technology Roadmap, Volume I and II and SP 500-299 NIST Cloud Computing Security Reference Architecture (Figure 3) have gone on to further define a modern approach to categorizing, evaluating, comparing, and selecting cloud services.[11] And those documents were influenced by even earlier work by the Cloud Security Alliance's Enterprise Architecture efforts.[12]

The work to improve and expand upon existing standards continues today, even as new service models for cloud computing emerge. Examples of the prior mentioned and other organizations contributing to these efforts are shown in Table 3.

Table 3. Organizations that have developed and are developing cloud compliance standards, guidelines, recommendations, and frameworks

| Organization | Description | Link to standards, etc. |
|---|---|---|
| Crown Commercial Service and G-Cloud | Though not a standards organization, the U.K. Crown Commercial Service's (CCS's) G-Cloud program and framework allows companies considering selling cloud-based services to the U.K. government to make their services available "through a front-end catalogue called the Digital Marketplace." The framework agreements place specific requirements on the various services being offered by the provider, and in return, the provider can bid on government opportunities without going through the full procurement process.[13] | G-Cloud standards, etc. |
| DMTF | Formerly known as the Distributed Management Task Force, DMTF "creates open manageability standards spanning diverse emerging and traditional IT infrastructures."[14] This includes cloud standards, virtualization standards, networking standards, and more. | DMTF standards, etc. |
| European Telecommunications Standards Institute (ETSI) | ETSI "supports the timely development, ratification and testing of globally applicable standards" for information and communications technology (ICT) hardware, software, and services.[15] | ETSI standards, etc. |
| General Services Administration and FedRAMP | Though not a standards organization, the U.S. General Services Administration's (GSA's) FedRAMP program "provides a standardized approach to security authorizations for cloud service offerings" for the U.S. Federal government.[16] FedRAMP "standardizes security requirements for the authorization and ongoing cybersecurity of cloud services" as authorized by a number of regulations and policies.[17] | FedRAMP standards, etc. |
| IEEE Computer Society and IEEE Standards Association | The IEEE Cloud Computing Standards Committee, which is chartered "to promote the development of standards in all aspects of the cloud computing ecosystem," has four working groups that help develop cloud computing standards for the IEEE Standards Association.[18] | IEEE SA standards, etc. |
| International Organization for Standardization (ISO) | The ISO is a primary global standards organization that has been developing a wide variety of standards for decades. Numerous cloud-computing standards have been published under International Classification for Standards (ICS) code 35.210.[19] | ISO standards, etc. |
| International Telecommunication Union (ITU) | The ITU is the United Nations' specialized agency for information and communication technologies (ICTs). Among its activities, the agency develops technical standards and facilitates international connectivity in communication networks.[20] Many recommendation documents have been developed through its Telecommunication Standardization Sector (ITU-T), SG13 Study Group, including cloud computing recommendations (Y Series). | ITU-T standards, etc. |
| National Institute of Standards and Technology (NIST) | NIST is a U.S. Department of Commerce institute which focuses on scientific measurement and standardization. It has developed a number of roadmaps, guidelines, and definitions through its SAJACC[21] and NCCP[22] initiatives. | NIST standards, etc. |
| OMG Cloud Working Group | Previously known as the Cloud Standards Customer Council (CSCC), OMG's Cloud Working Group (CWG) "publishes vendor-neutral guidance on important considerations for cloud computing adoption, highlighting standards, opportunities for standardization, cloud customer requirements, and best practices to foster an ecosystem of open, standards-based cloud computing technologies."[23] | CWG standards, etc. |
| Open Grid Forum (OGF) | The OGF is "an open global community committed to driving the rapid evolution and adoption of modern advanced applied distributed computing, including cloud, grid and associated storage, networking and workflow methods."[24] | OGF standards, etc. |
| Organization for the Advancement of Structured Information Standards (OASIS) | OASIS Open is a standards body that "offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement."[25] | OASIS Open standards, etc. |
| PCI Security Standards Council (PCI SSC) | PCI SSC "is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide."[26] | PCI SSC standards, etc. |
| Storage Networking Industry Association (SNIA) | SNIA develops and promotes "vendor-neutral architectures, standards, and educational services that facilitate the efficient management, movement, and security of information,"[27] including the Cloud Data Management Interface (CDMI) standard.[28] | SNIA standards, etc. |
| The Open Group | This organization attempts "to capture, clarify, and integrate current and emerging requirements, establish standards and policies, and share best practices."[29] | Open Group standards, etc. |
| TM Forum | This global alliance attempts "to collaboratively solve complex industry-wide challenges, deploy new services and create technology breakthroughs to accelerate change."[30] As a result of this collaboration, several technical documents and guides related to cloud computing have been developed. | TM Forum standards, etc. |

However, organizational standards, guidelines, and recommendations alone do not influence how cloud computing services can and should be implemented and operated. Regulatory bodies, legislative bodies, and government agencies also directly or indirectly have an impact on cloud service operations. In some cases, the law, regulation, or guidance coming from such bodies may not even mention "cloud computing," yet because they mandate how specific data and information can be managed, used, and distributed, they ultimately influence what a cloud service provider (CSP) does and how they do it. This can be observed in more than a few of the examples in Table 4. The California Consumer Privacy Act, for example, makes no mention of the word "cloud," but CSPs and cloud users alike must consider aspects of the regulation, e.g., what can and cannot be done with a consumer's information based on the location of the stored information.[31]

Table 4. Examples of some common regulations, recommendations, and guidance that shape the proper use of cloud-computing platforms

| Regulation, recommendation, or guidance | Creator | Description | Link |
|---|---|---|---|
| California Consumer Privacy Act (CCPA) | The State of California | The CCPA "provides California consumers with a number of privacy protections, including right to access, delete, and opt-out of the 'sale' of their personal information."[32] Cloud solutions such as Google Cloud attempt to help users meet CCPA obligations, as well as meet their own commitments.[32] | Link |
| Cloud Computing Regulatory Framework (CCRF) | Kingdom of Saudi Arabia | The KSA's CCRF "is based on international best practices and governs the rights and obligations of cloud service providers (CSPs), individual customers, government entities and businesses."[33] It is one of only a few existing cloud-specific regulatory frameworks created by a government.[33] | Link |
| Cloud Security Principles | Government of the United Kingdom | The U.K. developed a collection of 14 Cloud Security Principles that "include important considerations such as protection of data in transit, supply chain security, identity and authentication, and secure use of cloud services."[34] This is an example of a national government developing a cloud-specific set of guidance for its public sector. | Link |
| Federal Information Security Modernization Act of 2014 (FISMA) | United States Government | Amending the prior FISMA 2002, FISMA 2014 achieves several things, chief among them giving the Federal government the ability to better respond to cybersecurity attacks on its departments and agencies. Compliance with FISMA means implementing "recommended information security controls for federal information systems as identified in the NIST SP 800-53."[35] | Link |
| General Data Protection Regulation (GDPR) | European Union | The GDPR is a non-trivial regulatory hurdle with positive intentions, with the goal of strengthening personal data protection in Europe. The regulation "lays out specific requirements for businesses and organizations who are established in Europe or who serve users in Europe."[36] Cloud vendors like Google may stipulate in their contracts with European clients how they meet that guidance, as well as offer tools, documentation, and other resources to assist with assessment of the vendor's services.[36] | Link |
| Guidance on Outsourcing to Cloud Service Providers | Germany's Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) | BaFin's guidance document on cloud service outsourcing "provides specific outsourcing guidance for financial institutions on contractual terms, including information and audit rights, the right to issue instructions, data security / protection, termination and chain outsourcing."[37] Cloud vendors like Google may stipulate in their contracts with German clients how they meet that guidance.[37] | Link |
| Health Insurance Portability and Accountability Act (HIPAA) | United States Government | The HIPAA Rules "establish important protections for individually identifiable health information ..., including limitations on uses and disclosures of such information, safeguards against inappropriate uses and disclosures, and individuals' rights with respect to their health information."[38] HIPAA compliance is so vital for some organizations that U.S. government entities like the U.S. Department of Health & Human Services (HHS) have published their own guidance on how HIPAA covered entities can best comply when using cloud services.[38] | Link |
| Joint Statement: Security in a Cloud Computing Environment | Federal Financial Institutions Examination Council (FFIEC) | In this document, the FFIEC—an interagency group of federal and state banking regulators—addresses "the use of cloud computing services and security risk management principles in the financial services sector" and "highlights examples of risk management practices for a financial institution's safe and sound use of cloud computing services and safeguards to protect customers' sensitive information from risks that pose potential consumer harm."[39][40] | Link |
| OMB Circular A-130, Managing Information as a Strategic Resource | United States Government | This (revised) Obama-era circular "establishes general policy for the planning, budgeting, governance, acquisition, and management of Federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services," including cloud services.[41] In addition to FISMA, this circular supports the FedRAMP program and its standardized security requirements.[16] | Link |
| Personal Data Protection Law (KVKK) | Government of Turkey | Turkey's KVKK (Kişisel Verileri Koruma Kanunu) "regulates the protection of personal data and outlines the obligations that entities and individuals dealing with personal data must comply with."[42] It has significant relevance to cloud computing efforts in the country.[43] | Link |
| Protective Security Policy Framework | Australian Government | The PSPF "assists Australian Government entities to protect their people, information, and assets, both at home and overseas." It contains multiple statements about how cloud computing should be handled.[44] | Link |

While Big Tech was as early as 2010 asking the U.S. government to take a more proactive regulatory approach to cloud computing[45], actual direct regulation of cloud computing by the world's governments has been limited.[46][47] This leads to complicated viewpoints about the value of regulation vs. its drawbacks. Yes, careful regulation can help ensure consistent, affordable, and secure access to cloud services and may even encourage organizations to adopt the technology.[46] However, a headstrong approach to regulations for CSPs, without sector- and industry-specific considerations, may have unintended consequences, e.g., unduly raising compliance costs or forcing insufficient levels of access control on an entity.[46]

At least in the U.S., lawmakers and regulators may soon be pressured to increase regulatory approaches to cloud computing. This may be driven by the increasingly concentrated nature of cloud services in a handful of tech giants, though at the same time hampered by the widely varying approaches to addressing cloud-related issues via policy and regulation at the national and international levels. First, the very nature of these cloud services—and the ever increasing criticality they attain—as centralized services ensures the regulatory eye will increasingly be placed upon those cloud vendors. In fact, discussion about and designation of cloud services as critical infrastructure is already occurring in earnest, as they have "become essential to the performance of a growing swath of other sectors that have not heretofore been massively dependent on centralized cloud functionalities, and hence vulnerable to their disruption."[46][6] A 2023 Digital Forensic Research Lab report by Zuo et al. highlights this further by nodding to the U.S. government's designation of "critical infrastructure" sectors and how their loss would result in a "debilitating effect on security, national economic security, national public health or safety, or any combination of those matters." Their report argues that "the maturation of current [regulatory] policy tools, and creation of others," is vital going forward.[48] These and other such spotlights may lead to policymakers, regulatory bodies, and legislators being left with little choice but to move forward with more policy and regulation.

Second, and consequently, the development of such policy and regulation may not occur in a manner more unified with global perceptions but rather largely based upon localized values, interests, and priorities. The failure here is the lack of recognition of CSPs as being integral to individual, retail, corporate, organizational, and government operations around the globe[48], i.e. their centralized and concentrated position within a changing computing paradigm. As such, greater effort must be made by policymakers, regulators, and legislatures to find at least a minimum level of "compatibility and reconciliation" with other existing governance mechanisms, while carefully addressing both security of operation and operational robustness in tandem, such that there is greater harmonization globally.[46][48] And through government-level support of harmonized controls—as well as a vested interest in promoting the responsible "development, dissemination, and operation of cloud infrastructure"—cloud users will stand a greater chance of reaping the economic benefits of adopting cloud computing.[46]

Current and future regulatory action applies to several areas of cloud computing. How a CSP responds to and notifies affected users of a security breach is one concern. Up until 2022, the U.S. government didn't fully address in a unified fashion aspects of cloud security breaches such as protection obligations, reporting time, and required notification parties, nor any compensation mechanism for those affected.[49] (All U.S. states and most territories did already have their own flavor of breach notification legislation[50], but like cannabis law, this was problematic in the face of a strong divergence with federal law or lack thereof.) In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires covered entities to report substantial cybersecurity incidents and any paid ransom for ransomware attacks, with more scope and definition to come.[51] While this addresses some of the prior-mentioned aspects, its thoroughness towards protection obligations and compensation remains lacking. A year later, however, cybersecurity thought leaders like Viakoo's CEO Bud Broomhead positively acknowledge CIRCIA as "not the destination ... but an important waypoint toward it," with other activities like the creation of the Joint Ransomware Task Forces and Ransomware Vulnerability Warning Pilot Program further promoting stronger federal efforts towards cloud security.[52]

Other areas of cloud security also face regulatory action. For example, the applications and algorithms that drive and collect data from users of cloud-enabled applications may also face regulatory scrutiny or control by a national government, as was seen with both China's and the U.S.'s scrutiny of the TikTok application, its algorithms, and its security.[46][53][54] Data localization also remains a significant area of cloud computing regulation, not just for security concerns but also industrial policy, economic policy, privacy concerns, and human rights concerns.[46] Other areas of concern that may see regulation include interoperability and portability, digital preservation (retention) obligations, and cross-border data transfer.

And then there's the proverbial "elephant in the room": overall data privacy and protection considerations in the cloud. This is a major concern typically because of statutes—like the California Consumer Privacy Act[32]—that broadly protect a collective of affected individuals and how their cloud data is collected, preserved, organized, stored, and used not only within the governing entity (e.g., state, country, political and economic union) but also as it's transferred to and from the governing entity. The previously mentioned data localization and cross-border data transfer issues fall under this heading.[55] These often prove to be some of the most challenging regulations to develop, as lawmakers and regulators don't always anticipate the rate of change of technology. They're also difficult for CSPs and organizations to comply with, particularly due to the variance in requirements among all governing entities' laws.[55]

Other approaches to regulation also affect how cloud computing services are implemented and managed. For example, rather than taking a broad approach towards regulation, addressing everyone providing and/or using cloud services, it's possible that regulators and legislators may take a more focused, sector-based approach. But that comes with its own set of problems, as Maurer and Hinck noted in their 2020 Carnegie Endowment paper[6]:

[T]he impact of a cloud security incident usually depends on what type of data or service is affected. Thus, the most suitable potential regulatory requirements with respect to security may differ across sectors that deal with different types of data—from the highly sensitive, fast-moving data common in the financial sector to the more privacy-sensitive personal data used by medical service providers. However, crafting regulation on a sector-by-sector basis would likely create conflicting requirements and incomplete standards.

Finally, as a third option, rather than direct regulation of the broad market or even specific sectors, some governments may simply use their considerable weight to influence how CSPs provide their services, influencing future regulation, as Levite and Kalwani note in their 2020 paper for the Carnegie Endowment[46]:

Finally, some of the efforts to influence CSP behavior may not come through explicit regulation, but rather through exercise of the government’s market power. Cloud adoption strategies and trends in e-governance have made governments some of the largest and most important clients of CSPs. Governments will likely use their market clout and status as a large and powerful consumer as a source of leverage over industry to set standards of contracting fairness and other provisions that transcend the immediate cloud service contracts they enter. While formally these provisions will only apply to government contracts, they could over time cross over to public clouds as well, or at least help set precedents that drive regulatory attention and inform industry standards. Yet over the longer run, government privatization of many services might actually weaken their leverage, given lock-in issues. How the balance between the two parties ultimately will play out remains to be seen.

Whatever direction regulators and legislators continue to take, it ideally will be done with thorough consideration of how to implement regulation, as well as the potential effects regulation will have on various markets.


2.2 Security in the cloud


For any organization, managing security is a challenging yet necessary part of operations. This includes deciding on and implementing physical controls like locks, alarms, and security staff, as well as IT controls like passwords, role-based access control, and firewalls. Much of this security is governed by standards, regulations, and common business practices. Yet while those standards, regulations, and practices also play a pivotal role in how cloud services should be rendered and managed, it would be foolish to forget the human element of cloud security. Employees, contractors, and other users who misconfigure cloud resources, fail to implement robust cloud security architecture, fail to practice proper identity and access management, fall for phishing and other account exploitation attacks, poorly design application programming interfaces (APIs), or maliciously access and sabotage resources all pose potential risk to the security of cloud-based systems.[56]

While these and other security concerns of CSPs are valid, concerns are beginning to shift more towards how the decisions of an organization’s senior management affect the human element within the organization using and managing cloud services.[56] Fortunately, the traditional management-driven business approaches towards on-premises computing projects—getting management buy-in; developing goals, scope, and responsibility documentation; identifying computing requirements and objectives; identifying risk; documenting and training on processes and procedures; monitoring performance; and employing corrective action[57]—still largely apply to cloud implementation and migration projects.[58][59]

Yet cloud security should be viewed more holistically, as a combination of standards, technologies, policies, and people influencing the end results. This sentiment is reflected in Kaspersky Lab's definition of cloud security, as "the whole bundle of technology, protocols, and best practices that protect cloud computing environments, applications running in the cloud, and data held in the cloud."[7] And as was suggested prior, addressing cloud security requires more than a narrow local networking-based cybersecurity approach. Maurer and Hinck noted in 2020 that "cloud security risks are different from other types of cybersecurity risks because cloud security is networked, concentrated, and shared."[6] The networking is often spread across multiple locations and services; those services are concentrated with only a few major CSPs, with security disruptions having a much broader effect for many customers; and security is a shared responsibility for those services, spread across at least two parties, requiring clear delineation of responsibility for security.[6] With the increased popularity of hybrid and multicloud, these networking challenges also increase complexity, which means more attention to security is required by not only the CSP but also the customer. Adopting security strategies such as the "zero trust" model, which assumes an attempted connection is untrustworthy until proven as trusted, increasingly makes sense in these complex cloud environments. Requiring every user and device to verify first "helps security teams protect the enterprise against both sanctioned cloud deployments and shadow IT as well as cloud providers whose own embedded security isn't as robust as the organization requires."[60]

Additionally, through its recent work on the challenges of conducting digital forensics in the cloud, NIST also highlights data replication, location transparency, and multi-tenancy as "somewhat unique" challenges to cloud computing, and by extension digital forensics in the cloud. Though digital forensics isn't the primary topic of this guide, it's useful to mention because the process of cloud computing forensic science includes determinations of chain of custody, data integrity, and confidentiality status of cloud computing data[61], all critical considerations of using, storing, and transferring regulated, protected data in the cloud, especially for laboratories.

This all leads to the questions of responsibility: who is ultimately responsible for the security of any given cloud service? From a shallow point of view, it may be easy, as a customer, to consider a CSP and say "their service, their responsibility." However, it's more complicated than that. This brings us to the topic of the shared responsibility model.

2.2.1 The shared responsibility model

In December 2019, software as a service (SaaS) cannabis software firm THSuite was discovered to have inadvertently left an Amazon Web Services (AWS) S3 bucket unsecured and unencrypted, exposing the fine details of tens of thousands of medical and recreational cannabis users associated with three dispensary clients in the U.S. Given that protected health information (PHI) was included in the exposed data, serious privacy concerns and legal repercussions were raised in the aftermath of this security failure.[62][63] Today, this inadvertent security failure highlights the shared responsibility model (occasionally referred to as the "shared security model"), a security model that clarifies elements of responsibility between the customer and the CSP.

With its August 2010 update to AWS' Amazon Web Services: Overview of Security Processes documentation, the concept of a "shared responsibility environment" was added. To be sure, the concept of "shared responsibility" appeared before AWS began including it in its cloud security processes, as can be evidenced by 2004 New York State cybersecurity guidance[64] and 2004 Northwestern University IT protocol for data sharing.[65] However, among cloud providers, Amazon arguably brought the concept fully into the world of cloud computing. In their 2010 documentation, they described AWS's shared responsibility environment as such[66]:

An example of this shared responsibility would be that a customer utilizing Amazon EC2 should expect AWS to operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. In this case the customer should assume responsibility and management of, but not limited to, the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services and their integration. It is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of items such as host based firewalls, host based intrusion detection/prevention, encryption and key management.

This statement has since evolved into a full-blown shared responsibility model that AWS not only includes today as an integral component of security-related agreements with clients, but that other public cloud service providers have adopted as well (see the next subsection for examples). Continuing with AWS as the example, a clear shared security responsibility model differentiates "security of the cloud" from "security in the cloud."[67] According to AWS, security of the cloud means that AWS is responsible for the "hardware, software, networking, and facilities that run AWS Cloud services." Security in the cloud addresses the customer's responsibility, which depends on the services selected and includes client-side data encryption and data integrity authentication, firewall configuration, and platform and application identity and access management. In this way, operation of the IT environment is shared in a clearly delineated fashion. Similarly, management, operation, and verification of IT controls are shared: physical and environmental controls are the responsibility of AWS, customer-specific security controls are the responsibility of the customer, and some controls are a shared responsibility of both AWS and the customer.[67]

The concept of shared responsibility between a provider and a customer has woven its way into the fabric of most cloud-based services, from SaaS to multicloud. A trusted CSP will make this responsibility clear at every step of the way, from early contract discussions to late-stage changes to customer services. However, pressure also remains solidly on the organization seeking cloud services—including the organization’s legal counsel—when making decisions about contracting for cloud computing services. This includes understanding aspects of consent, security requirements, reporting requirements, and enforcement mechanisms of any laws and regulations in the organization’s operating governing entity (e.g., state, country, political and economic union), as well as in other external governing entities where related data may inevitably be transferred, stored, and managed.[55] And, by extension, the organization will need to verify the provider is able to comply with—and provide mechanisms to help the organization comply with—those laws and regulations. This is typically done by examining the CSP's documented compliance certifications, attestations, alignments, and frameworks (see the next subsection for examples). This includes System and Organization Controls (SOC) 1, 2, and 3 reports (which provide independent third-party assurances about the effectiveness of a CSP's security controls)[68], Federal Risk and Authorization Management Plan (FedRAMP) compliance[15], Coalition of Cloud Infrastructure Services Providers in Europe (CISPE) Code of Conduct compliance[69], and more.
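The customer's half of that model is where an exposure like the THSuite bucket lives: storage access settings, encryption at rest, and the security group firewall are the customer's to configure, whatever the provider secures underneath. The following added example (not AWS code or AWS documentation) audits a constructed inventory of such settings and reports what a customer would be expected to catch on its own side of the line. The inventory field names are an assumption loosely modelled on AWS concepts, not any provider's API output, and the bucket and security group names are invented.

```python
"""Customer-side configuration audit under the shared responsibility model.

Added example, not AWS documentation or AWS tooling. It walks a constructed
inventory of object-storage buckets and security groups (the field names
below are an assumption modelled loosely on AWS concepts, not any
provider's API output) and reports settings that sit on the customer's
side of the line: public bucket access, missing default encryption, and
firewall rules that expose administrative ports to the whole internet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Ports where a world-open ingress rule is treated as a high-severity finding.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed inventory for demonstration; resource names are invented.
INVENTORY = {
    "buckets": [
        {"name": "dispensary-records", "acl": "public-read",
         "public_access_block": False, "default_encryption": None},
        {"name": "lab-results-archive", "acl": "private",
         "public_access_block": True, "default_encryption": "aws:kms"},
    ],
    "security_groups": [
        {"id": "sg-0a1b2c", "ingress": [
            {"port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"},
            {"port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"},
        ]},
        {"id": "sg-9f8e7d", "ingress": [
            {"port_from": 5432, "port_to": 5432, "cidr": "10.0.0.0/8"},
        ]},
    ],
}


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str  # "high" or "medium"
    message: str


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule matching every address."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed CIDR: not treated as open, but worth a look


def audit_bucket(bucket: dict) -> List[Finding]:
    """Bucket checks: ACL, public access block, default encryption at rest."""
    name = bucket["name"]
    findings = []
    if bucket.get("acl", "private") != "private":
        findings.append(Finding(name, "high", f"ACL is '{bucket['acl']}', not private"))
    if not bucket.get("public_access_block", False):
        findings.append(Finding(name, "high", "public access block is disabled"))
    if not bucket.get("default_encryption"):
        findings.append(Finding(name, "medium", "no default encryption at rest"))
    return findings


def audit_security_group(sg: dict) -> List[Finding]:
    """Flag administrative ports reachable from any address."""
    findings = []
    for rule in sg.get("ingress", []):
        if not is_world_open(rule["cidr"]):
            continue
        for port, service in ADMIN_PORTS.items():
            if rule["port_from"] <= port <= rule["port_to"]:
                findings.append(Finding(
                    sg["id"], "high", f"{service} (port {port}) open to {rule['cidr']}"))
    return findings


def audit_inventory(inventory: dict) -> List[Finding]:
    findings: List[Finding] = []
    for bucket in inventory.get("buckets", []):
        findings.extend(audit_bucket(bucket))
    for sg in inventory.get("security_groups", []):
        findings.extend(audit_security_group(sg))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_inventory(INVENTORY):
        print(f"[{f.severity.upper()}] {f.resource}: {f.message}")
```

Running it prints one line per finding: three high-severity findings for the public, unencrypted bucket and the world-open SSH rule, and one medium finding for the missing default encryption. The clean bucket and the database rule scoped to an internal range produce nothing, and the HTTPS rule is deliberately left alone because exposure on port 443 is usually intended. In practice the inventory would come from the provider's configuration API or a cloud security posture management tool, and a check like this belongs in a scheduled job rather than a one-off review.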

The next subsections examine public cloud, hybrid cloud, multicloud, SaaS, and other cloud services in relation to cloud security, providing examples of major CSPs in those arenas.

2.2.2 Public cloud

"The public cloud services market has more than doubled since 2016," found International Data Corporation (IDC) in 2020, noting that "the worldwide public cloud services market, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS), grew 26.0% year over year in 2019, with revenues totaling $233.4 billion."[70] In November 2020, Gartner predicted global public cloud computing spend would increase more than 18 percent in 2021, with PaaS growth leading the way due to remote workers needing more powerful, scalable infrastructure to complete their work.[71] Gartner added that "survey data indicates that almost 70% of organizations using cloud services today plan to increase their cloud spending in the wake of the disruption caused by COVID-19."[71] By 2023, Gartner was predicting $600 billion in end-user spend on public cloud.[72]

These statistics highlight organizations' continued transition to and investment in the public cloud, and recent surveys of IT professionals appear to find a matching increase in confidence in the public cloud.[73][74] But as reliance on the public cloud continues to grow, organizations inevitably discover new security and networking challenges, including difficulties keeping services seamlessly available and scalable and network costs affordable while limiting increases in complexity[73], complexity that in turn makes security more difficult.[75]

As of August 2023, the bulk of public cloud market share is represented by 10 companies: Alibaba, Amazon, DigitalOcean, Google, IBM, Linode, Microsoft, Oracle, OVH, and Tencent. From a security perspective, we have to ask at a minimum four questions about these companies:

  • What are their compliance offerings?
  • Where is their SOC 2 audit report?
  • What is their shared responsibility model?
  • What is their architecture framework based upon?

In this context, compliance offerings are the documented compliance certifications, attestations, alignments, and frameworks a public CSP presents as part of its effort to maintain security and compliance for its cloud services. Each of these public CSPs has a landing page introducing customers to those compliance offerings (Table 5), though some vendors' pages are more clearly organized than others. Each offering then links to another page, document, or certificate explaining the compliance claim. In particular, the SOC 2 audit report should be reviewed, though most providers require you to be a customer or to inquire with their sales department to obtain it. The SOC 2 audit results cover nearly 200 aspects of a CSP's security, as audited by an independent third party, providing the closest look one can get at a CSP's ability to assist with regulatory compliance (more on this in Chapter 4).[76][77] As previously discussed, a shared responsibility (or shared security) model is the common approach to clarifying who is responsible for which portions of security, and each CSP has stated somewhere what its model is. (In the case of Tencent, it is unfortunately buried in a 2019 white paper.) Public CSPs also provide some sort of "architecture framework," though this varies from provider to provider. For example, AWS and Google Cloud each provide a framework that helps customers deploy in the cloud stably and efficiently, based on both best practices and the organization's unique requirements. Linode, Oracle, and Tencent don't appear to offer this type of framework for customers, but they still discuss their overall cloud architecture in broad terms. See Table 5 for links to these four security research aspects for each public CSP.

Table 5. Public cloud providers and their compliance offerings, SOC 2 report, shared responsibility model, and architecture framework
Company and offering | Compliance offerings | SOC 2 report | Shared responsibility model | Architecture framework
Akamai (formerly Linode) | Link | Unknown (presumably must be customer/contact sales to access) | Link | Link
Alibaba Cloud | Link | Link (must be customer/contact sales to access) | Link | Link
Amazon Web Services | Link | Link (must be customer/contact sales to access) | Link | Link
DigitalOcean | Link | Link (must email company to access) | Link | Link
Google Cloud | Link | Link | Link | Link
IBM Cloud | Link | Link (must be customer/contact sales to access) | Link | Link
Microsoft Azure | Link | Link (must be customer/contact sales to access) | Link | Link
Oracle Cloud Infrastructure | Link | Unknown (presumably must be customer/contact sales to access) | Link | Link
OVHcloud | Link | Link (must be customer/contact sales or legal to access) | Link | Link
Tencent Cloud | Link | Unknown (presumably must be customer/contact sales to access) | Link | Link

Chapter 1 noted that for public cloud services, organizations tied to strong regulatory or security standards "... must thoroughly vet the cloud vendor and its approach to security and compliance, as the provider may not be able to meet regulatory needs." For example, public CSPs will allow you to enter into a Health Insurance Portability and Accountability Act (HIPAA)-compliant business associate agreement (BAA) with them, as required by the U.S. Department of Health & Human Services[38], but that does not mean you'd be running in a HIPAA-compliant fashion. If your organization is handling PHI protected by HIPAA, that organization is still responsible for having internal compliance programs and documented processes that support HIPAA, while also using the CSP's services in ways that align with HIPAA.[78][79] That includes ensuring that the services your organization will utilize are indeed in-scope with HIPAA and other such regulations; not all services offered by a CSP are in-scope to a specific regulation. The BAA should make clear which services are covered for handling PHI and other sensitive or critical information. Additionally, your organization will still need to ensure the correct technical security controls are implemented to ensure compliance.[79] Remember, you're working under the shared responsibility model.

2.2.3 Hybrid cloud and multicloud

The Flexera 2020 State of the Cloud Report and its associated survey found that 87 percent of respondents had already taken a hybrid cloud stance for their organization and 93 percent had already implemented a multicloud strategy.[80] A 2020 report by IDC predicted 90 percent of enterprises around the world will be relying on some combination of hybrid or multicloud with existing legacy platforms by 2022, though they may not necessarily have sufficient investment in in-house skills to navigate the complexities of rolling out those strategies.[81] These complexities were discussed in Chapter 1: hybrid cloud presents a greater attack surface, complicates security protocols, and raises integration costs,[82][83] while multicloud brings with it differences in technologies between vendors, latency complexities between services, more points of attack as integrations multiply, and load balancing issues between services.[84] Broadly speaking, these complexities and security challenges arise from the fact that more systems must be integrated. Given these complexities, it's interesting to note that Flexera's survey numbers for hybrid/multicloud adoption have been going down since the 2020 report: in 2022, hybrid/multicloud adoption fell to 80/89 percent respectively[85], and in 2023 those numbers were down to 72/87 percent respectively.[86] Comparing the survey results, single public cloud and multiple public cloud adoption have increased, taking away from hybrid cloud adoption significantly and from multicloud adoption slightly (Table 6). This noticeable slowdown in more complex hybrid adoption in favor of relatively "simpler" single and multiple public cloud options may be the result of a mix of hyper-expansion of complex cloud adoption coming to a close and cost-cutting and optimization efforts by cloud customers responding to emerging "economic realities."[87][88]

Table 6. Flexera State of the Cloud Report results for 2020, 2022, and 2023, comparing types of cloud adoption[80][85][86]
Year | Single public | Single private | Multicloud (total) | Multicloud: multiple public | Multicloud: multiple private | Multicloud: hybrid
2020 | 6% | 1% | 93% | 6% | 0% | 87%
2022 | 9% | 2% | 89% | 7% | 2% | 80%
2023 | 11% | 2% | 87% | 13% | 2% | 72%

As of August 2023, four providers of hybrid and multicloud technology and services stand out: Cisco, Dell, HPE, and VMware. These providers don't offer public cloud services but rather take a service-based approach, supplying hardware, software, and managed services to help customers adopt a hybrid or multicloud approach for their business. From a security perspective, we have to ask at a minimum three questions about these companies:

  • How do they manage your data and security in a trustworthy way?
  • How are cloud technologies and services developed and audited for security?
  • What public CSPs do they publicly state their technologies and services support or integrate with?

In this context of trust, these companies should have a "trust center" that helps consumers and enterprises find answers to security questions about their cloud technologies and services. A trust center was found for three of the four providers; HPE's trust center could not be located. Whether through internal secure development processes or external auditing practices, the security of the technology and services offered by these providers remains vital, and they should be able to demonstrate it by explaining their development and auditing processes. Additionally, hybrid and multicloud providers should make clear which public CSPs their hybrid and multicloud services support or, ideally, integrate with. Not all public clouds are fully supported by these providers. See Table 7 for links to these three security and interoperability aspects for each hybrid/multicloud provider.

Table 7. Providers of hybrid and multicloud technology and services, their trust center, their development and auditing practices, and supported public clouds
Company and offering | Trust center | Development and auditing practices | Public clouds supported (U.S.)
Cisco CloudCenter and UCS Director (Note: CloudCenter becomes obsolete May 31, 2024.) | Link | Cisco was "evaluating SOC 2 as a potential roadmap item" for CloudCenter in 2019. | Alibaba, Amazon, Google, IBM, Microsoft
Dell Technologies APEX | Link | Link | Alibaba, Amazon, Google, IBM, Microsoft
HPE GreenLake | Unknown | Unknown | Amazon, Google, Microsoft
VMware Cloud | Link | Link (must be customer/contact sales to access) | Amazon, Google, IBM, Microsoft, Oracle

Managing your share of security in the hybrid cloud has several challenges. Most of those challenges involve attempting to manage and control multiple distributed systems. Giving administrators the ability to see into this complex network of components, at all levels, is critical. This is typically accomplished with a centralized management tool or platform based on open standards, providing automated management and control features that limit human error. Automation is also useful when scanning for and remediating problems detected with security controls, which in turn allows for documented changes and more reproducible processes. Disk encryption and network encryption tools may also need to be more robustly employed to protect data at rest and data in motion between private and public clouds. And of course, segmentation of services based on data sensitivity may be necessary.[7][89]

Multicloud has its issues as well. "The challenge that multicloud presents to security teams continues to grow," said Protiviti cloud consultant Rand Armknecht in December 2020. "The number of services that are being released, the new ways of interacting, the interconnecting of services and systems, all of that continues to advance and all of these add new complexities into the enterprise security model."[60] Given the differences in tools and security approaches between cloud providers, stitching together services cohesively requires strong skills, knowledge, and attentiveness. It also requires a security strategy that is well-defined and unified in its approach to data management, minimization, anonymization, and encryption when considering multiple CSPs. Middleware placed between the enterprise and the CSP—in some cases referred to as a cloud access security broker (CASB)—that can "consolidate and enforce security measures such as authentication, credential mapping, device profiling, encryption and malware detection" adds an additional layer of semi-automated security for multicloud.[60]

2.2.4 Container security and other concerns

Before we move on to discussing SaaS solutions, let's take a moment to recognize a few additional security concerns particular to using cloud services and developing in the cloud. These may not apply to you and your organization, but it's useful to recognize them, if nothing else because they highlight how deeply security must be woven into the thinking of CSPs and their clients.

First, let's look at container security. In Chapter 1, a container was referred to as "a complete runtime environment," but little else was said. In cloud computing, a container—as defined by IBM—is "an executable unit of software in which application code is packaged, along with its libraries and dependencies, in common ways so that it can be run anywhere, whether it be on desktop, traditional IT, or the cloud."[90] These prove beneficial in cloud computing because containers act as a lightweight, portable way of replicating an isolated application across different environments, independent of operating system and underlying hardware. This essentially makes deployment into a cloud environment—or multiple clouds—a much more approachable task.[91]

But with convenience also comes responsibility for ensuring the security of the container. Unfortunately, the necessary precautions don't always get taken. According to GitLab's 2020 Global DevSecOps Survey, "56% of developers simply don’t run container scans, and a majority of DevOps teams don’t have a security plan in place for containers or many other cutting edge software technologies, including cloud native/serverless, APIs, and microservices."[92] While GitLab reported that container scans were fortunately becoming more common in 2022[93], it would still appear that more implementation teams should be updating and implementing revised security plans to address the complexities of container security, including the use of container orchestration, image validation, role-based access management, security testing, and runtime security monitoring. NIST's SP 800-190 Application Container Security Guide, while slightly dated, provides a useful reference for more on the topic of container security.[92][94]
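To make the image validation and runtime security points concrete, the following added example (not code from NIST SP 800-190, GitLab, or any Kubernetes project) checks a Kubernetes pod manifest in its JSON form against a handful of hardening expectations: an image pinned by sha256 digest rather than a mutable tag, no privileged containers or shared host namespaces, non-root execution, a read-only root filesystem, no privilege escalation, and all Linux capabilities dropped. The two manifests are constructed samples with invented image names and an invented digest.

```python
"""Pod manifest admission check for container hardening basics.

Added example, not code from NIST SP 800-190, GitLab or any Kubernetes
project. Checks a Kubernetes pod manifest (JSON form) for image validation
and runtime hardening settings: images pinned by digest rather than a
mutable tag, no privileged containers or host namespaces, non-root
execution, read-only root filesystem, no privilege escalation, and all
Linux capabilities dropped. The manifests below are constructed samples.
"""
import json
import re
from typing import List

# An immutable image reference ends in @sha256:<64 hex digits>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed manifests (image names and digest are invented).
WEAK_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "lims-api"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "lims-api:latest",
            "securityContext": {"privileged": True},
        }],
    },
})

HARDENED_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "lims-api"},
    "spec": {
        "containers": [{
            "name": "api",
            "image": "registry.example/lims-api:1.4.2@sha256:" + "a" * 64,
            "securityContext": {
                "privileged": False,
                "runAsNonRoot": True,
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
})


def check_image_reference(image: str) -> List[str]:
    """Image validation: require a digest; reject 'latest' (explicit or implied)."""
    problems = []
    pinned = bool(DIGEST_RE.search(image))
    if not pinned:
        problems.append(f"image '{image}' is not pinned by sha256 digest")
    last = image.split("@", 1)[0].rsplit("/", 1)[-1]  # name[:tag] without registry path
    tag = last.split(":", 1)[1] if ":" in last else None
    if not pinned and tag in (None, "latest"):
        problems.append("image resolves to the mutable 'latest' tag")
    return problems


def check_container(container: dict) -> List[str]:
    sc = container.get("securityContext", {})
    problems = check_image_reference(container.get("image", ""))
    if sc.get("privileged", False):
        problems.append("runs privileged")
    if not sc.get("runAsNonRoot", False):
        problems.append("runAsNonRoot is not enforced")
    if not sc.get("readOnlyRootFilesystem", False):
        problems.append("root filesystem is writable")
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
        problems.append("allowPrivilegeEscalation is not disabled")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        problems.append("Linux capabilities are not dropped (drop: [ALL])")
    name = container.get("name", "<unnamed>")
    return [f"{name}: {p}" for p in problems]


def check_pod(manifest: dict) -> List[str]:
    spec = manifest.get("spec", {})
    problems = []
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        problems.append("pod shares host network/PID/IPC namespaces")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        problems.extend(check_container(c))
    return problems


def problems_for(manifest_json: str) -> List[str]:
    return check_pod(json.loads(manifest_json))


def admit(manifest_json: str) -> bool:
    """Admission decision: a pod is admitted only with zero problems."""
    return not problems_for(manifest_json)


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: admit={admit(manifest)}")
        for p in problems_for(manifest):
            print("  -", p)
```

These are the same conditions a cluster admission policy or a CI gate would enforce; here they run over a manifest string so the logic can be tried offline. The weak manifest accumulates eight problems (two for the image reference, five for the container's security context, one for the shared host network), while the hardened one is admitted with none. Digest pinning is what makes a prior image scan meaningful: a scan result is tied to the exact bytes that will run rather than to whatever a tag points at on the day of deployment.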

Some concerns also exist within the virtualization environment that drives cloud computing. The virtualized environment allows containers to be implemented, but their smooth use depends on a virtualization component called a virtual machine monitor (VMM) or hypervisor, which acts as the "management layer between the physical hardware and the virtual machines running above" it, managing the allocation of system resources to virtual machines—and by extension, containers—in the virtual environment.[95] Since hypervisors are shared in a virtualized environment, a compromised hypervisor (say, through a malware attack or a means of gaining root privileges) puts the virtual machines running on that hypervisor at risk, and by extension any data on those virtual machines.[95] Limiting the risks to a hypervisor and its associated virtual machines means ensuring that encryption is in place as a matter of course to protect copied images and other files, that migrated virtual machines are protected at all points along the migration route, and that proper encryption and key management mechanisms are in place for effective access management.[95] While the concerns of hypervisor security are largely the responsibility of the public CSPs (Microsoft, for example, touts a multi-layer approach to securing its hypervisors in Azure[96]), those running private clouds will have to ensure that the attention they give to hypervisor security is similarly strong.

Other areas of security concern are found in the overall networking of a cloud. There, attention to the various layers of firewalls, network traffic controls, transport-level encryption mechanisms, and encapsulation protocols is also recommended.[97]

2.2.5 Software as a service

Finally, we address security when using SaaS. Though not in the laboratory space, let's take a look at the financial sector to start. Like laboratories, banks are regulated not only to protect their own assets but also the assets of their customers, including customer data. Given the concerns about cloud security early in its history, it took some time for the financial sector to warm up to moving some of its functions into the cloud.[98] However, since approximately 2016, banks and financial services firms have been shifting to the cloud in droves.[99] Writing for the World Economic Forum in December 2020, Temenos CEO Max Chuard noted[100]:

Cloud and SaaS present an alternative way of running a bank’s IT infrastructure. Core banking and/or the digital front office operates on a public or private cloud rather than on physical infrastructure in the bank’s premises. Banks pay a subscription to access the solutions. Both cloud and SaaS carry lower infrastructure costs; they allow products to be created, delivered and changed faster, and they offer immense resilience, scalability, and security. Cloud-based SaaS platforms are also continuously updated, meaning banks benefit from the latest innovations.

However, the improved security of cloud and SaaS does not preclude challenges. In the case of financial services firms, finding a balance between client-side encryption to protect financial data and its tendency to constrain overall performance and functionality is a real challenge.[101] And that same challenge exists for other regulated (and less regulated) organizations turning to SaaS cloud solutions.

When moving to a SaaS-based approach to running critical systems, the shared responsibility paradigm says that both CSP and customer should be managing SaaS security. Are access and audit rights in the SaaS implementation as strong as they should be? How is data managed and processed in relation to location requirements? How are risks mitigated if the vendor goes out of business or changes its operational focus? What contingency plans are in place should the organization need to migrate to a new vendor or bring applications back in-house? What assessments and audits have been made of the CSP's security?[98] (These and other questions are addressed further in Chapter 5.)

In 2018, Moody's Analytics pointed out "seven pillars of SaaS security wisdom." While they were looking at these pillars from the perspective of banks and finance, they are equally applicable to any regulated organization moving to SaaS cloud solutions, including laboratories. Those SaaS security pillars are[98]:

1. Access management: Carefully control user access uniformly across the SaaS platform, using strong, vetted business rules (addressing user roles, data requirements, allowed systems, allowed workflows, etc.) that have been documented, disseminated, and learned.
2. Network control: Decide what network mechanisms to employ in order to meet security goals, including jump servers, network access control lists, etc. if more granular access control is required.
3. Perimeter network control: Decide whether a simple firewall or set of firewalls is sufficient. Additional perimeter protections include intrusion detection and prevention systems.
4. Virtual machine management: Recognize that while costly, keeping virtual machines up-to-date is vital. Whether this is your responsibility or the CSP's, staying on top of patches and updates better ensures protection from the latest threats.
5. Data protection: Determine if the data encryption is sufficient for your regulatory needs to protect personally identifiable information. Best practices and standards should be guiding the endeavor to protect both data in transit and data at rest.
6. Data governance and incident management: Decide how data governance policies dictate your SaaS services. Data governance determines who has the authority to manage and control data assets and how authorized individuals are able to use those data assets.[102] Not only does this also guide the first pillar, access management, but it also clarifies responsibilities for data management and security. This includes stating who's responsible for incident management and how the organization will go about monitoring, tracking, reporting, and learning from security incidents.
7. Scalability and reliability: Determine how scalable the underlying cloud infrastructure will be to run your SaaS applications. Is it horizontal or vertical scaling? Are proxy servers geographically distributed for a more robust service? And what assurances are in place should disaster strike (i.e., recovery plan)?
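As an added illustration of pillars 1 and 6 (not Moody's Analytics' code or any SaaS vendor's), the following Python example evaluates access requests against documented role rules with deny-by-default, applies a data classification ceiling per role so that a role cleared for confidential data cannot reach PHI, and records every decision in an audit trail that incident monitoring can query. Roles, workflows, user names, and classification levels are all constructed for the example.

```python
"""Role-based access control with deny-by-default and an audit trail.

Added example for the access management (pillar 1) and data governance /
incident management (pillar 6) points above; it is not Moody's Analytics'
or any SaaS vendor's code. Roles, workflows, users and classification
levels are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Data classification ladder; a role may act only up to its ceiling.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "phi": 3}


@dataclass(frozen=True)
class Role:
    name: str
    workflows: frozenset  # allowed (system, workflow) pairs
    max_level: str        # highest classification the role may touch


# Constructed business rules: which role may run which workflow on which system.
ROLES: Dict[str, Role] = {
    "analyst": Role("analyst",
                    frozenset({("lims", "view_sample"), ("lims", "enter_results")}),
                    "confidential"),
    "pathologist": Role("pathologist",
                        frozenset({("lims", "view_sample"), ("lims", "sign_report")}),
                        "phi"),
    "auditor": Role("auditor", frozenset({("lims", "view_audit_log")}), "phi"),
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: Tuple[str, ...]
    system: str
    workflow: str
    data_level: str


class AccessManager:
    """Evaluates requests against documented role rules and records every decision."""

    def __init__(self, roles: Dict[str, Role]):
        self.roles = roles
        self.audit_log: List[dict] = []

    def decide(self, req: AccessRequest) -> bool:
        allowed, reason = False, "no assigned role permits this workflow"
        for role_name in req.roles:
            role = self.roles.get(role_name)
            if role is None:
                continue  # unknown roles grant nothing
            if (req.system, req.workflow) not in role.workflows:
                continue
            if LEVELS[req.data_level] > LEVELS[role.max_level]:
                reason = f"role '{role_name}' is not cleared for {req.data_level} data"
                continue
            allowed, reason = True, f"permitted by role '{role_name}'"
            break
        self.audit_log.append({"user": req.user, "system": req.system,
                               "workflow": req.workflow, "level": req.data_level,
                               "allowed": allowed, "reason": reason})
        return allowed

    def denied_events(self) -> List[dict]:
        return [e for e in self.audit_log if not e["allowed"]]

    def users_with_repeated_denials(self, threshold: int = 3) -> Set[str]:
        """Incident-monitoring hook: users whose denial count reaches the threshold."""
        counts: Dict[str, int] = {}
        for e in self.denied_events():
            counts[e["user"]] = counts.get(e["user"], 0) + 1
        return {u for u, n in counts.items() if n >= threshold}


def run_demo() -> Tuple[List[bool], AccessManager]:
    """Replay a constructed sequence of requests; returns decisions and the manager."""
    mgr = AccessManager(ROLES)
    requests = [
        AccessRequest("alice", ("analyst",), "lims", "enter_results", "confidential"),
        AccessRequest("alice", ("analyst",), "lims", "sign_report", "confidential"),
        AccessRequest("alice", ("analyst",), "lims", "view_sample", "phi"),
        AccessRequest("bob", ("pathologist",), "lims", "sign_report", "phi"),
        AccessRequest("dave", ("admin",), "lims", "view_audit_log", "internal"),
        AccessRequest("alice", ("analyst",), "lims", "view_sample", "phi"),
    ]
    return [mgr.decide(r) for r in requests], mgr


if __name__ == "__main__":
    decisions, mgr = run_demo()
    for entry in mgr.audit_log:
        print(entry)
    print("repeated denials:", mgr.users_with_repeated_denials())
```

Two design choices carry the pillars' weight. First, a request is allowed only when some assigned role explicitly lists the exact system and workflow and is cleared for the data's classification; an unrecognized role name such as "admin" grants nothing rather than everything. Second, the reason for each decision is written to the audit trail, so that the repeated-denial report at the end is built from the same record an incident responder would read, and the threshold can be tuned without touching the access rules.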

Like public, hybrid, and multicloud service providers, SaaS vendors should make clear the security aspects of their solutions. Most major vendors like SAP[103], Adobe[104], and Atlassian[105] will have a trust center for customers to gauge how the vendor's SaaS products are managed in reference to security and compliance. Some SaaS software vendors, however, will host and manage their solutions in a public cloud. Those SaaS vendors should have at a minimum one or more web pages explaining where their solution is hosted, what security controls are in place with that public cloud provider, and what additional security controls, if any, the vendor applies. Of course, access management and other security controls are still very much the responsibility of the customer.

References

  1. Mimecast (2010). "Cloud Computing Adoption Survey" (PDF). https://system.netsuite.com/core/media/media.nl?id=181214&c=601905&h=2ef3796f7c4d9c8a585e&_xt=.pdf. Retrieved 28 July 2023. 
  2. IEEE; Cloud Security Alliance (1 March 2010). "Survey by IEEE and Cloud Security Alliance Details Importance and Urgency of Cloud Computing Security Standards". Cloud Security Alliance. https://cloudsecurityalliance.org/press-releases/2010/03/01/survey-by-ieee-and-cloud-security-alliance-details-importance-and-urgency-of-cloud-computing-security-standards/. Retrieved 28 July 2023. 
  3. Bizga, A. (19 May 2020). "40% of IT professionals believe that public clouds are more secure than on-premise environments". Security Boulevard. https://securityboulevard.com/2020/05/40-of-it-professionals-believe-that-public-clouds-are-more-secure-than-on-premise-environments/. Retrieved 28 July 2023. 
  4. "Cloud is safer than on-premise say that majority of security leaders". Continuity Central. 4 September 2019. https://www.continuitycentral.com/index.php/news/technology/4384-cloud-is-safer-than-on-premise-say-that-majority-of-security-leaders. Retrieved 28 July 2023. 
  5. "Cloud Security Threats Remain Rampant: Check Point Survey Reveals Heightened Concerns for 76% of Organizations Amid 48% Increase in Cloud-Based Network Attacks". Check Point Software Technologies Ltd. 26 June 2023. https://www.checkpoint.com/press-releases/cloud-security-threats-remain-rampant-check-point-survey-reveals-heightened-concerns-for-76-of-organizations-amid-48-increase-in-cloud-based-network-attacks/. Retrieved 14 August 2023. 
  6. Maurer, T.; Hinck, G. (31 August 2020). "Cloud Security: A Primer for Policymakers". Carnegie Endowment for International Peace. https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597. Retrieved 28 July 2023.
  7. "What is Cloud Security?". Resource Center. AO Kaspersky Lab. 2021. https://usa.kaspersky.com/resource-center/definitions/what-is-cloud-security. Retrieved 28 July 2023.
  8. Sarrel, M. (4 February 2020). "Why cloud-native open source Kubernetes matters". enterprise.nxt. Hewlett Packard Enterprise. Archived from the original on 18 December 2022. https://web.archive.org/web/20221218143215/https://www.hpe.com/us/en/insights/articles/why-cloud-native-open-source-kubernetes-matters-2002.html. Retrieved 28 July 2023. 
  9. "IEEE 2301-2020 - IEEE Guide for Cloud Portability and Interoperability Profiles (CPIP)". IEEE Standards Association. 13 August 2020. https://standards.ieee.org/ieee/2301/5077/. Retrieved 28 July 2023. 
  10. Kirvan, P. (17 December 2020). "Top cloud compliance standards and how to use them". TechTarget SearchCompliance. Archived from the original on 21 December 2020. https://web.archive.org/web/20201221150028/https://searchcompliance.techtarget.com/tip/Top-cloud-compliance-standards-and-how-to-use-them. Retrieved 28 July 2023. 
  11. Simmon, E.D. (23 February 2018). "Evaluation of Cloud Computing Services Based on NIST SP 800-145". NIST. https://www.nist.gov/publications/evaluation-cloud-computing-services-based-nist-sp-800-145. Retrieved 28 July 2023. 
  12. "CSA Enterprise Architecture Reference Guide v2". Cloud Security Alliance. 2020. https://cloudsecurityalliance.org/artifacts/enterprise-architecture-reference-guide-v2/. Retrieved 28 July 2023. 
  13. "Ultimate Guide to G-Cloud". AdviceCloud. https://advice-cloud.co.uk/knowledge-hub/ultimate-guide-to-g-cloud/. Retrieved 28 July 2023. 
  14. "About DMTF". DMTF. https://www.dmtf.org/about. Retrieved 28 July 2023. 
  15. "About ETSI". European Telecommunications Standards Institute. https://www.etsi.org/about. Retrieved 28 July 2023.
  16. "FedRAMP". General Services Administration. https://www.fedramp.gov/. Retrieved 28 July 2023.
  17. "Program Basics". General Services Administration. https://www.fedramp.gov/program-basics/. Retrieved 28 July 2023. 
  18. "IEEE Cloud Computing Standards Committee". IEEE Computer Society. https://www.computer.org/volunteering/boards-and-committees/standards-activities/committees/cloud. Retrieved 28 July 2023. 
  19. "ICS > 35: 35.210 Cloud Computing". International Organization for Standardization. https://www.iso.org/ics/35.210/x/. Retrieved 28 July 2023. 
  20. "About International Telecommunication Union (ITU)". International Telecommunication Union. https://www.itu.int/en/about/Pages/default.aspx. Retrieved 28 July 2023. 
  21. "Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC)". National Institute of Standards and Technology. 3 June 2018. https://www.nist.gov/itl/standards-acceleration-jumpstart-adoption-cloud-computing-sajacc. Retrieved 28 July 2023. 
  22. "NIST Cloud Computing Program - NCCP". National Institute of Standards and Technology. 9 July 2019. https://www.nist.gov/programs-projects/nist-cloud-computing-program-nccp. Retrieved 28 July 2023. 
  23. "Cloud Working Group". Object Management Group. https://www.omg.org/cloud/. Retrieved 28 July 2023. 
  24. "Open Grid Forum". Open Grid Forum. https://ogf.org/ogf/doku.html. Retrieved 28 July 2023. 
  25. "About Us". OASIS Open. https://www.oasis-open.org/org/. Retrieved 28 July 2023. 
  26. "About Us". PCI Security Standards Council. https://www.pcisecuritystandards.org/about_us/. Retrieved 28 July 2023. 
  27. "Vision and Mission". Storage Networking Industry Association. https://www.snia.org/about/vision-mission. Retrieved 28 July 2023. 
  28. "Standards Portfolio". Storage Networking Industry Association. https://www.snia.org/tech_activities/standards/curr_standards. Retrieved 28 July 2023. 
  29. "The Open Group". The Open Group. https://www.opengroup.org/. Retrieved 28 July 2023. 
  30. "About Us". TM Forum. https://www.tmforum.org/about-tm-forum/. Retrieved 28 July 2023. 
  31. "TITLE 1.81.5. California Consumer Privacy Act of 2018 [1798.100 - 1798.199.100]". California Legislative Information. Legislative Counsel Bureau. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5. Retrieved 28 July 2023.
  32. "California Consumer Privacy Act (CCPA)". Google Cloud. https://cloud.google.com/security/compliance/ccpa. Retrieved 28 July 2023.
  33. Guseyva, V. (18 September 2020). "Data residency laws by country: An overview". InCountry. https://incountry.com/blog/data-residency-laws-by-country-overview/. Retrieved 28 July 2023.
  34. "NCSC - Cloud Security (UK)". Google Cloud. https://cloud.google.com/security/compliance/ncsc-uk. Retrieved 28 July 2023. 
  35. "What is the Difference between FISMA and FedRAMP?". PaloAlto Networks. 2021. https://www.paloaltonetworks.com/cyberpedia/difference-between-fisma-and-fedramp. Retrieved 28 July 2023. 
  36. "Google Cloud & the General Data Protection Regulation (GDPR)". Google Cloud. https://cloud.google.com/privacy/gdpr. Retrieved 28 July 2023.
  37. "BaFin Cloud Outsourcing Guidance". Google Cloud. https://cloud.google.com/security/compliance/bafin. Retrieved 28 July 2023.
  38. Office for Civil Rights (23 December 2022). "Guidance on HIPAA & Cloud Computing". Health Information Privacy. U.S. Department of Health & Human Services. https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html. Retrieved 28 July 2023.
  39. "Joint Statement: Security in a Cloud Computing Environment" (PDF). 30 April 2020. https://www.ffiec.gov/press/PDF/FFIEC_Cloud_Computing_Statement.pdf. Retrieved 28 July 2023. 
  40. Ross, S.; Scott, K. (6 May 2020). "US bank regulators issue cloud computing security guidance". Financial Services: Regulation Tomorrow. Norton Rose Fulbright. https://www.regulationtomorrow.com/us/us-bank-regulators-issue-cloud-computing-security-guidance/. Retrieved 28 July 2023. 
  41. "OMB Circular A-130, Managing Information as a Strategic Resource" (PDF). The White House. 28 July 2016. https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf. Retrieved 28 July 2023. 
  42. Coos, A. (30 April 2020). "All You Need to Know About Turkey’s Personal Data Protection Law (KVKK)". Endpoint Protector Blog. https://www.endpointprotector.com/blog/everything-you-need-to-know-about-turkeys-personal-data-protection-law/. Retrieved 28 July 2023. 
  43. Ersoy, E.C.; Karakaş, M. (19 June 2020). "Cloud Computing Technologies and Its Legal Dimension". Kılınç Law and Consulting. https://www.kilinclaw.com.tr/en/cloud-computing-technologies-and-its-legal-dimension/. Retrieved 28 July 2023. 
  44. "The Protective Security Policy Framework". Australian Government. https://www.protectivesecurity.gov.au/. Retrieved 28 July 2023. 
  45. Alpern, P. (10 February 2010). "Microsoft to Congress: Time For New Cloud Computing Laws". IndustryWeek. https://www.industryweek.com/innovation/article/21932894/microsoft-to-congress-time-for-new-cloud-computing-laws. Retrieved 28 July 2023. 
  46. 46.0 46.1 46.2 46.3 46.4 46.5 46.6 46.7 46.8 Levite, A.; Kalwani, G. (9 November 2020). "Cloud Governance Challenges: A Survey of Policy and Regulatory Issues". Carnegie Endowment for International Peace. https://carnegieendowment.org/2020/11/09/cloud-governance-challenges-survey-of-policy-and-regulatory-issues-pub-83124. Retrieved 28 July 2023. 
  47. Ali, O.; Osmanaj, V. (2020). "The role of government regulations in the adoption of cloud computing: A case study of local government". Computer Law & Security Review 36: 105396. doi:10.1016/j.clsr.2020.105396. 
  48. 48.0 48.1 48.2 Zuo, T.; Sherman, J.; Hamin, M. et al. (10 July 2023). "Critical Infrastructure and the Cloud: Policy for Emerging Risk". DFRLab. https://dfrlab.org/2023/07/10/critical-infrastructure-and-the-cloud-policy-for-emerging-risk/. Retrieved 14 August 2023. 
  49. Mitnick, D. (10 April 2018). "No more waiting: It’s time for a federal data breach law in the U.S.". Access Now Blog. Access Now. https://www.accessnow.org/no-more-waiting-its-time-for-a-federal-data-breach-law-in-the-u-s/. Retrieved 28 July 2023. 
  50. "Security Breach Notification Laws". National Conference of State Legislatures. 17 January 2022. https://www.ncsl.org/technology-and-communication/security-breach-notification-laws. Retrieved 28 July 2023. 
  51. "Expansive Federal Breach Reporting Requirement Becomes Law". Ropes & Gray. 22 March 2022. https://www.ropesgray.com/en/newsroom/alerts/2022/march/expansive-federal-breach-reporting-requirement-becomes-law. Retrieved 14 August 2023. 
  52. Blair-Frasier, R. (31 March 2023). "Experts weigh in on CIRCIA one year later". Security Magazine. Archived from the original on 31 March 2023. https://web.archive.org/web/20230331233533/https://www.securitymagazine.com/articles/99138-experts-weigh-in-on-circia-one-year-later. Retrieved 14 August 2023. 
  53. Brandom, R. (2 September 2020). "Trump’s TikTok deal has hit a serious roadblock". The Verge. https://www.theverge.com/2020/9/2/21418496/tiktok-for-you-page-algorithm-deal-us-china-trump-microsoft. Retrieved 28 July 2023. 
  54. Cox, K. (10 February 2021). "Oracle’s TikTok acquisition reportedly “shelved” indefinitely". Ars Technica. https://arstechnica.com/tech-policy/2021/02/oracles-tiktok-acquisition-reportedly-shelved-indefinitely/. Retrieved 28 July 2023. 
  55. 55.0 55.1 55.2 Eustice, J.C. (2018). "Understand the intersection between data privacy laws and cloud computing". Legal Technology, Products, and Services. Thomson Reuters. https://legal.thomsonreuters.com/en/insights/articles/understanding-data-privacy-and-cloud-computing. Retrieved 28 July 2023. 
  56. 56.0 56.1 Cloud Security Alliance (6 August 2019). "Top Threats to Cloud Computing: The Egregious 11" (PDF). https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-egregious-eleven/. Retrieved 28 July 2023. 
  57. Douglas, S. (March 2023). "Comprehensive Guide to Developing and Implementing a Cybersecurity Plan, Second Edition". LIMSwiki. https://www.limswiki.org/index.php/LII:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan. Retrieved 28 July 2023. 
  58. Kearns, D.K. (December 2017). "Planning & Management Methods for Migration to a Cloud Environment". The MITRE Corporation. https://www.mitre.org/news-insights/publication/planning-management-methods-migration-cloud-environment. Retrieved 28 July 2023. 
  59. Sheppard, D. (28 May 2015). "Managing a cloud computing project". IT World Canada. https://www.itworldcanada.com/blog/managing-a-cloud-computing-project/374832. Retrieved 28 July 2023. 
  60. 60.0 60.1 60.2 Pratt, M.K. (14 December 2020). "Building stronger multicloud security: 3 key elements". CSO. https://www.csoonline.com/article/569951/building-stronger-multicloud-security-3-key-elements.html. Retrieved 28 July 2023. 
  61. Herman, M.; Iorga, M.; Salim, A.M. et al. (August 2020). "NISTIR 8006 NIST Cloud Computing Forensic Science Challenges". NIST. https://csrc.nist.gov/pubs/ir/8006/final. Retrieved 28 July 2023. 
  62. Muncaster, P. (23 January 2020). "Data on 30,000 Cannabis Users Exposed in Cloud Leak". Infosecurity. https://www.infosecurity-magazine.com/news/data-30000-cannabis-users-exposed/. Retrieved 28 July 2023. 
  63. "Unsecured AWS S3 Bucket Found Leaking Data of Over 30K Cannabis Dispensary Customers". Trend Micro, Inc. 27 January 2020. https://www.trendmicro.com/vinfo/dk/security/news/virtualization-and-cloud/unsecured-aws-s3-bucket-found-leaking-data-of-over-30k-cannabis-dispensary-customers. Retrieved 28 July 2023. 
  64. "Cyber Security Dos and Don'ts" (PDF). New York State Office of Information Technology and Services. 12 December 2004. Archived from the original on 23 January 2022. https://web.archive.org/web/20220123175134/https://gc.cuny.edu/CUNY_GC/media/CUNY-Graduate-Center/PDF/Policies/IT/Cyber-Security-Dos-and-Don%E2%80%99ts.pdf?ext=.pdf. Retrieved 28 July 2023. 
  65. "Protocol for Exchange and Shared Responsibility for Institutional Data" (PDF). Northwestern University. 15 August 2004. https://www.it.northwestern.edu/docs/ExchangeSharedResponsibilityData.pdf. Retrieved 28 July 2023. 
  66. Amazon Web Services (August 2010). "Amazon Web Services: Overview of Security Processes" (PDF). Amazon Web Services. Archived from the original on 23 August 2010. https://web.archive.org/web/20100823123605/http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf. Retrieved 28 July 2023. 
  67. 67.0 67.1 Amazon Web Services (2021). "Shared Responsibility Model". Amazon Web Services. https://aws.amazon.com/compliance/shared-responsibility-model/?ref=wellarchitected. Retrieved 28 July 2023. 
  68. Mealus, P. (19 December 2018). "The SOC 2 Report Explained for Normal People". Medium. https://medium.com/@paulmealus/the-soc-2-report-explained-for-normal-people-50b4626d6c96. Retrieved 28 July 2023. 
  69. "CISPE". Amazon Web Services. https://aws.amazon.com/compliance/cispe/. Retrieved 28 July 2023. 
  70. International Data Corporation (18 August 2020). "Worldwide Public Cloud Services Market Totaled $233.4 Billion in 2019 with the Top 5 Providers Capturing More Than One Third of the Total, According to IDC". International Data Corporation. Archived from the original on 31 January 2022. https://web.archive.org/web/20220131120937/https://www.idc.com/getdoc.jsp?containerId=prUS46780320. Retrieved 28 July 2023. 
  71. 71.0 71.1 "Gartner Forecasts Worldwide Public Cloud End-User Spending to Grow 18% in 2021". Gartner, Inc. 17 November 2020. https://www.gartner.com/en/newsroom/press-releases/2020-11-17-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-18-percent-in-2021. Retrieved 28 July 2023. 
  72. "Gartner Forecasts Worldwide Public Cloud End-User Spending to Reach Nearly $600 Billion in 2023". Gartner. 19 April 2023. https://www.gartner.com/en/newsroom/press-releases/2023-04-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-reach-nearly-600-billion-in-2023. Retrieved 14 August 2023. 
  73. 73.0 73.1 Barracuda Networks, Inc (14 January 2021). "New research reveals IT professionals' growing confidence in public cloud despite security concerns". PR Newswire. Cision. https://www.prnewswire.com/news-releases/new-research-reveals-it-professionals-growing-confidence-in-public-cloud-despite-security-concerns-301208046.html. Retrieved 28 July 2023. 
  74. "33% of company executives “very confident” to operate in public cloud: Report". The Times of India. 8 June 2023. https://timesofindia.indiatimes.com/gadgets-news/33-of-company-executives-very-confident-to-operate-in-public-cloud-report/articleshow/100855040.cms. Retrieved 14 August 2023. 
  75. Bocetta, S. (9 July 2019). "Problem: Complex Networks Getting Harder to Secure". Network Computing. https://www.networkcomputing.com/network-security/problem-complex-networks-getting-harder-secure. Retrieved 28 July 2023. 
  76. Hemer, N. (18 December 2019). "Trust Services Criteria (formerly Principles) for SOC 2 in 2019". Linford & Company IT Audit & Compliance Blog. Linford and Co. LLP. https://linfordco.com/blog/trust-services-critieria-principles-soc-2/. Retrieved 28 July 2023. 
  77. Tiller, D. (2019). "Is the Cloud a Safe Place for Your Data?: How Life Science Organizations Can Ensure Integrity and Security in a SaaS Environment" (PDF). IDBS. Archived from the original on 08 March 2021. https://web.archive.org/web/20210308231558/https://storage.pardot.com/468401/1614781936jHqdU6H6/Whitepaper_Is_the_cloud_a_safe_place_for_your_data.pdf. Retrieved 28 July 2023. 
  78. "Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HITECH) Act". Microsoft Documentation. Microsoft. 25 April 2023. https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech. Retrieved 28 July 2023. 
  79. 79.0 79.1 "Navigating HIPAA Compliant Cloud Solutions". Dash. 2020. https://www.dashsdk.com/hipaa-compliant-cloud/. Retrieved 28 July 2023. 
  80. 80.0 80.1 Weins, K. (21 May 2020). "Cloud Computing Trends: 2020 State of the Cloud Report". Flexera Blog. Archived from the original on 22 August 2020. https://web.archive.org/web/20200822043605/https://www.flexera.com/blog/industry-trends/trend-of-cloud-computing-2020/. Retrieved 28 July 2023. 
  81. International Data Corporation (31 March 2020). "IDC Expects 2021 to Be the Year of Multi-Cloud as Global COVID-19 Pandemic Reaffirms Critical Need for Business Agility". International Data Corporation. Archived from the original on 03 June 2021. https://web.archive.org/web/20210603182500/https://www.idc.com/getdoc.jsp?containerId=prMETA46165020. Retrieved 28 July 2023. 
  82. "What Is Hybrid Cloud? Hybrid Cloud Definition". Cloudflare, Inc. https://www.cloudflare.com/learning/cloud/what-is-hybrid-cloud/. Retrieved 04 March 2021. 
  83. Hurwitz, J.S.; Kaufman, M.; Halper, F. et al. (2021). "What is Hybrid Cloud Computing?". Dummies.com. John Wiley & Sons, Inc. https://www.dummies.com/article/technology/information-technology/networking/cloud-computing/what-is-hybrid-cloud-computing-174473/. Retrieved 28 July 2023. 
  84. "What Is Multicloud? Multicloud Definition". Cloudflare, Inc. https://www.cloudflare.com/learning/cloud/what-is-multicloud/. Retrieved 28 July 2023. 
  85. 85.0 85.1 "The 2023 Cloud Strategy Workbook" (PDF). Rackspace technology. February 2023. https://www.rackspace.com/sites/default/files/2023-02/Rackspace-Cloud-Strategy-Workbook-2023.pdf. Retrieved 15 August 2023. 
  86. 86.0 86.1 Luxner, T. (5 April 2023). "Cloud computing trends and statistics: Flexera 2023 State of the Cloud Report". Flexera Blog. Archived from the original on 13 August 2023. https://web.archive.org/web/20230813135147/https://www.flexera.com/blog/cloud/cloud-computing-trends-flexera-2023-state-of-the-cloud-report/. Retrieved 15 August 2023. 
  87. Clark, L. (19 January 2023). "Oh dear, AWS. Cloud growth slowing as customers get a dose of cost reality". The Register. https://www.theregister.com/2023/01/19/cloud_growth_slowdown_as_customers/. Retrieved 15 August 2023. 
  88. Donnelly, C. (18 January 2023). "Uptime Institute predicts slower pace of public cloud migrations in 2023". ComputerWeekly.com. https://www.computerweekly.com/news/252529297/Uptime-Institute-predicts-slower-pace-of-public-cloud-migrations-in-2023. Retrieved 15 August 2023. 
  89. Kerner, L. (2018). "4 hybrid-cloud security challenges and how to overcome them". TechNeacon. https://techbeacon.com/security/4-hybrid-cloud-security-challenges-how-overcome-them. Retrieved 28 July 2023. 
  90. IBM Cloud Education. "What are containers?". IBM. https://www.ibm.com/topics/containers. Retrieved 28 July 2023. 
  91. "Containers at Google". Google Cloud. https://cloud.google.com/containers. Retrieved 28 July 2023. 
  92. 92.0 92.1 "A beginner’s guide to container security". GitLab. https://about.gitlab.com/topics/devsecops/beginners-guide-to-container-security/. Retrieved 28 July 2023. 
  93. Silverthorne, V. (23 August 2022). "GitLab's 2022 Global DevSecOps Survey: Security is the top concern, investment". GitLab Blog. https://about.gitlab.com/blog/2022/08/23/gitlabs-2022-global-devsecops-survey-security-is-the-top-concern-investment/. Retrieved 15 August 2023. 
  94. Souppaya, M.; Morello, J.; Scarfone, K. (September 2017). "SP 800-190 Application Container Security Guide". NIST. doi:10.6028/NIST.SP.800-190. https://csrc.nist.gov/pubs/sp/800/190/final. Retrieved 28 July 2023. 
  95. 95.0 95.1 95.2 Barrowclough, J.P.; Asif, R. (2018). "Securing Cloud Hypervisors: A Survey of the Threats, Vulnerabilities, and Countermeasures". Security and Communication Networks 2018: 1681908. doi:10.1155/2018/1681908. 
  96. Sharma, Y.; Lyon, R.; Lanfear, T. et al. (11 November 2022). "Hypervisor security on the Azure fleet". Microsoft Documentation. Microsoft. https://docs.microsoft.com/en-us/azure/security/fundamentals/hypervisor. Retrieved 28 July 2023. 
  97. Boyd, N. (20 July 2018). "Achieving Network Security in Cloud Computing". Cloud HQ. SDxCentral, LLC. Archived from the original on 05 November 2020. https://web.archive.org/web/20201105140448/https://www.sdxcentral.com/cloud/definitions/achieving-network-security-in-cloud-computing/. Retrieved 28 July 2023. 
  98. 98.0 98.1 98.2 "Best Practices for SaaS Security". Moody's Analytics. Moody's Analytics, Inc. April 2018. https://www.moodysanalytics.com/articles/2018/best-practices-for-saas-security. Retrieved 28 July 2023. 
  99. "Cloud banking: More than just a CIO conversation". Deloitte. 1 July 2019. https://www.deloitte.com/global/en/Industries/financial-services/perspectives/bank-2030-financial-services-cloud.html. Retrieved 28 July 2023. 
  100. Chuard, M. (10 December 2020). "Cloud and SaaS technology can drive inclusive banking. Here are 3 reasons how". World Economic Forum. https://www.weforum.org/agenda/2020/12/cloud-and-saas-technology-can-drive-inclusive-banking/. Retrieved 28 July 2023. 
  101. "Getting cloud right: How can banks stay ahead of the curve?" (PDF). Deloitte. 2019. https://www2.deloitte.com/content/dam/Deloitte/ch/Documents/financial-services/deloitte-ch-fs-Cloud-for-Swiss-Banks-report-digital.pdf. Retrieved 28 July 2023. 
  102. Olavsrud, T. (24 March 2023). "What is data governance? A best practices framework for managing data assets". CIO. https://www.cio.com/article/202183/what-is-data-governance-a-best-practices-framework-for-managing-data-assets.html. Retrieved 28 July 2023. 
  103. "SAP Trust Center". SAP America, Inc. https://www.sap.com/about/trust-center/certification-compliance.html. Retrieved 28 July 2023. 
  104. "Adobe Trust Center". Adobe, Inc. https://www.adobe.com/trust.html. Retrieved 28 July 2023. 
  105. "Atlassian Trust Center". Atlassian, Inc. https://www.atlassian.com/trust. Retrieved 28 July 2023. 


-----Go to the next chapter of this guide-----

Citation information for this chapter

Chapter: 2. Standards and security in the cloud

Title: Choosing and Implementing a Cloud-based Service for Your Laboratory

Edition: First edition

Author for citation: Shawn E. Douglas

License for content: Creative Commons Attribution-ShareAlike 4.0 International

Publication date: August 2021