Analysis of recommended cloud security controls to validate OpenPMF "policy as a service"

Ulrich Lang, Rudolf Schreiner
2011 Information Security Technical Report  
Keywords: Security; Policy; Authorization management; Access policy; Compliance; Model-driven security; Accreditation; Audit policy; Application security; XACML; OpenPMF; NIST 800-53; NIST 800-147; NIST IR 7628; PCI-DSS; HIPAA

Abstract: This paper describes some of the findings of a cloud research project the authors carried out in Q2/2011. As part of the project, the authors first identified security concerns related to cloud computing, and gaps in cloud-related standards/regulations. The authors then identified several hard-to-implement, but highly cloud-relevant, security requirements in numerous cloud (and non-cloud) regulations and guidance documents, especially related to "least privilege", "information flow control", and "incident monitoring/auditing/analysis". Further study revealed that there are significant cloud technology gaps in cloud (and non-cloud) platforms, which make it difficult to effectively implement those security policy requirements. The project concluded that model-driven security policy automation offered as a cloud service and tied into the protected cloud platform is ideally suited to achieve correct, consistent, low-effort/cost policy implementation for cloud applications.

Information Security Technical Report 16 (2011) 131-141, ISSN 1363-4127
doi:10.1016/j.istr.2011.08.001 fatcat:5vzc57d4pjhc7lyrrsqjcbfkyu