Security mechanisms in the cloud environment based on international standards

DOI: 10.31673/2412-9070.2022.040916

Authors

  • Л. В. Дакова (Dakova L. V.), State University of Telecommunications, Kyiv
  • С. Ю. Даков (Dakov S. Yu.), Taras Shevchenko National University of Kyiv, Kyiv
  • Н. В. Блаженний (Blazhennyy N. V.), State University of Telecommunications, Kyiv
  • Д. О. Стадник (Stadnyk D. O.), State University of Telecommunications, Kyiv
  • І. І. Пархоменко (Parkhomenko I. I.), Taras Shevchenko National University of Kyiv, Kyiv

DOI:

https://doi.org/10.31673/2412-9070.2022.040916

Abstract

A standardized functional approach to the conformity assessment procedure has been improved, taking into account the specifics of how cloud technologies operate. A review was carried out of the existing frameworks used to evaluate and certify a Cloud Service Provider (hereinafter CSP) for compliance with the requirements of generally recognized security standards. The proposed assurance levels call for special requirements on the security of CSP information systems, aligned with the criticality classification of the systems and data of prospective cloud service consumers. Guided by regulatory acts, international standards and the national schemes for evaluating the cyber security of cloud products and services considered in the paper, a generalized list of security requirements for cloud service providers has been formulated; it covers all the necessary conditions and corresponds to the proposed assurance levels. An assessment of compliance with security standards was carried out, which serves as the starting point for defining an information security policy and countering the threats inherent in cloud services. A division into three levels of security assurance, which a CSP must meet during conformity assessment, is proposed, depending on the business needs of users and the criticality of the data processed and stored by the cloud information system. A generalized scheme of security requirements for CSPs has been developed on the basis of well-known frameworks; it takes into account a multi-level approach to security assurance, the shared responsibility for meeting the listed requirements depending on the service model, and identifies the components of the cloud architecture that are sensitive to particular conditions.
This article brings together the leading standards of the United States and the European Union and the best security practices for using a cloud environment, which is convenient to use but is regarded as the most exposed from an information security standpoint.

Keywords: service provider; cloud; cloud infrastructure; network.


Published

2023-06-06

Section

Articles