Chapter 3. Cloud Computing Software Security Fundamentals
People don't ever seem to realize that doing what's right is no guarantee against misfortune.
Security is a principal concern when entrusting an organization's critical information to geographically dispersed cloud platforms not under the direct control of that organization. In addition to the conventional IT information system security procedures, designing security into cloud software during the software development life cycle can greatly reduce the cloud attack surface.
In the document "Security Guidance for Critical Areas of Focus in Cloud Computing," the Cloud Security Alliance emphasizes the following points relative to the secure software life cycle in their listing of 15 cloud security domains:
Domain 6, Information Life Cycle Management— "Understand cloud provider policies and processes for data retention and destruction and how they compare with internal organizational policy. Be aware that data retention assurance may be easier for the cloud provider to demonstrate, but data destruction may be very difficult. Perform regular backup and recovery tests to assure that logical segregation and controls are effective."
Domain 11, Application Security— "IaaS, PaaS and SaaS create differing trust boundaries for the software development lifecycle, which must be accounted for during the development, testing and production deployment of applications."
Domain 14, Storage— "Understand cloud provider storage retirement ...