Secure Cloud Computing
In this chapter, we provide an overview of the guidelines for cloud computing
security. These guidelines have been developed by the NIST. We have essentially
summarized the discussions in the NIST document. For more details of the
guidelines, we refer the reader to [NIST]. For completeness, we have included
the definition of cloud computing, cloud computing service models, deployment
models, and security issues as discussed by NIST.
The guidelines discussed by NIST cover several topics. These include the service
and deployment models, architecture governance, data protection, security and
privacy, availability, and incident response. Since secure cloud computing is still
evolving, the reader should note that these guidelines will also evolve. Nevertheless, we
have found these guidelines to be very useful to understand secure cloud
computing. The guidelines discuss the service and deployment models, identity
management as well as availability.
The organization of this chapter is as follows. The guidelines will be summarized
in Section 19.2. This chapter is summarized in Section 19.3. Figure 19.1 illustrates
the guidelines discussed in this chapter. An overview of secure cloud computing
can be found in [MATH09]. White papers on secure cloud computing have been
posted on the website of the Cloud Security Alliance [CSA].
352 ◾ Developing and Securing the Cloud
19.2 The Guidelines
Definition: Cloud computing has been defined by NIST as a
model for enabling convenient, on-demand network access to a shared
pool of configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and released
with minimal management effort or cloud provider interaction. [NIST]
Deployment models: As stated by [NIST], there are multiple deployment models.
Public cloud is one in which the infrastructure and computational
resources that it comprises are made available to the general public over
the Internet. It is owned and operated by a cloud provider delivering
cloud services to consumers and is external to the customer organization.
A private cloud is one in which the computing environment is
operated exclusively for a single organization. It may be managed by the
organization or by a third party, and may be hosted within the organization’s
data center or outside of it. A private cloud may give the organization
more control over the resources and operation of the cloud. Hybrid
clouds involve a composition of two or more clouds at least one of which
is public and one of which is private. A community cloud is a cloud
managed by a collection of organizations referred to as the community.
Service models: As stated by NIST, the service model specifies the control the
organization has over the cloud resources. There are three main service models.
Figure 19.1 Guidelines for secure cloud computing.