How to Address the Security Risks of Cloud OS
Written by: Xiaoyu Ge, co-chair of the Cloud Component Specifications Working Group
From a user perspective, the cloud is a service. However, for cloud service providers, integrators, and channel partners who construct or build the cloud, it is a system that may comprise many separate components. The most basic cloud component is the cloud OS—a feature with functionality that closely resembles the relationship between Linux and a computer. Through the utilization of virtualization technology, cloud OS virtualizes hardware resources of physical servers and storage area network devices and supports software-defined networking. To help address the security challenges with cloud OS, CSA released version 2 of the Cloud OS Security Specification guidance document today.
What capabilities does Cloud OS provide and what are the security risks?
Along with virtualization, cloud OS also provides management and configuration capabilities on virtualized hardware resources. Furthermore, it affords many other capabilities and functions like disaster recovery, firewalls, load balancers, access control, and backup control to enhance the performance and security of cloud computing systems as well as the user experience of administrators and users. While cloud OS affords convenient, fast access to cloud computing resources, various security challenges may accompany this access that can affect cloud computing systems’ regular operation and threaten the confidentiality, integrity, and availability of user data. As a result, it is vital to specify the security requirements of cloud OS technically.
What security guidance is currently available to address these risks?
Currently, most of the standards related to cloud computing security focus on information security management systems (ISMS), and corresponding certifications only concentrate on cloud services rather than specific cloud components. There is a lack of internationally recognized technical security specifications and certifications for cloud components such as the cloud operating system (OS). This latest research paper from CSA helps fill that gap by defining cloud OS’ security specifications, specifically their technical requirements. We believe the guidance provided in this paper will be useful to help regulate security requirements for the cloud OS to prevent security threats and improve the security capabilities of cloud OS products.
Who should read this report?
We recommend that cloud service providers, integrators, and channel partners who participate in either constructing or building the cloud read this paper. In particular this paper will be helpful for cloud engineers, developers and info security practitioners using these services.
Changes in the new version.
CSA’s Cloud Component Specifications Working Group first published the Cloud OS Security Specification v1 in July 2019. Some of the key changes and revisions in this version are:
The document structure was adjusted to be more in-line with logical architecture. Corresponding content in version 1 was also moved, combined or removed according to the structural adjustment.
New requirements were added in response to cloud security technology developments, including:
Several requirements were improved and revised to be more precise and instructive, such as protocol related to processing/saving sensitive information, identity management, and log functions.
References
While the CSA research paper “Security Guidance for Critical Areas of Focus in Cloud Computing” is one of the key baseline references in specifying this document, it differs from the other in that it takes the additional step to focus on a specific component in cloud computing—cloud OS. The document builds on the foundation provided by ISO/IEC 17788, ISO/IEC 19941, ISO/IEC 27000, NIST SP 500-299, and NIST SP 800-144 in the context of cloud computing security. Security property and functionality presented by cloud service providers such as AWS, Google Cloud, Huawei and Microsoft Azure are also referenced in this document.
Learn more about Cloud OS Security by downloading the full report here.
From a user perspective, the cloud is a service. However, for cloud service providers, integrators, and channel partners who construct or build the cloud, it is a system that may comprise many separate components. The most basic cloud component is the cloud OS—a feature with functionality that closely resembles the relationship between Linux and a computer. Through the utilization of virtualization technology, cloud OS virtualizes hardware resources of physical servers and storage area network devices and supports software-defined networking. To help address the security challenges with cloud OS, CSA released version 2 of the Cloud OS Security Specification guidance document today.
What capabilities does Cloud OS provide and what are the security risks?
Along with virtualization, cloud OS also provides management and configuration capabilities on virtualized hardware resources. Furthermore, it affords many other capabilities and functions like disaster recovery, firewalls, load balancers, access control, and backup control to enhance the performance and security of cloud computing systems as well as the user experience of administrators and users. While cloud OS affords convenient, fast access to cloud computing resources, various security challenges may accompany this access that can affect cloud computing systems’ regular operation and threaten the confidentiality, integrity, and availability of user data. As a result, it is vital to specify the security requirements of cloud OS technically.
What security guidance is currently available to address these risks?
Currently, most of the standards related to cloud computing security focus on information security management systems (ISMS), and corresponding certifications only concentrate on cloud services rather than specific cloud components. There is a lack of internationally recognized technical security specifications and certifications for cloud components such as the cloud operating system (OS). This latest research paper from CSA helps fill that gap by defining cloud OS’ security specifications, specifically their technical requirements. We believe the guidance provided in this paper will be useful to help regulate security requirements for the cloud OS to prevent security threats and improve the security capabilities of cloud OS products.
Who should read this report?
We recommend that cloud service providers, integrators, and channel partners who participate in either constructing or building the cloud read this paper. In particular this paper will be helpful for cloud engineers, developers and info security practitioners using these services.
Changes in the new version.
CSA’s Cloud Component Specifications Working Group first published the Cloud OS Security Specification v1 in July 2019. Some of the key changes and revisions in this version are:
The document structure was adjusted to be more in-line with logical architecture. Corresponding content in version 1 was also moved, combined or removed according to the structural adjustment.
New requirements were added in response to cloud security technology developments, including:
- Micro-segmentation
- Hardware-based encryption
- Virtual machine (VM) high availability
- Backup and recovery capability
- Key management service
- And a cloud bastion host.
Several requirements were improved and revised to be more precise and instructive, such as protocol related to processing/saving sensitive information, identity management, and log functions.
References
While the CSA research paper “Security Guidance for Critical Areas of Focus in Cloud Computing” is one of the key baseline references in specifying this document, it differs from the other in that it takes the additional step to focus on a specific component in cloud computing—cloud OS. The document builds on the foundation provided by ISO/IEC 17788, ISO/IEC 19941, ISO/IEC 27000, NIST SP 500-299, and NIST SP 800-144 in the context of cloud computing security. Security property and functionality presented by cloud service providers such as AWS, Google Cloud, Huawei and Microsoft Azure are also referenced in this document.
Learn more about Cloud OS Security by downloading the full report here.
Like all of CSA research, this report is vendor-neutral and free accessible on our website. Learn more about the Cloud Components Specifications Working Group. Those interested in contributing to the working group’s body of knowledge are invited to join the group.