Cloud Security Risks and Recommendations

Page 3 of 3

Fundamental Security Principles That Should be Followed by Cloud Vendors

The Cloud Security Alliance has developed a cloud computing controls matrix that has been designed to outline the fundamental security principles that should be followed by cloud vendors, as well as to assist prospective cloud customers in assessing the overall security risk of a cloud provider. ("Cloud Controls Matrix," March 8, 2013, Cloud Security Alliance)

These controls are divided into the areas shown in Table 1.

Table 1: Cloud Computing Control Areas

Compliance

  • Audit planning
  • Independent audits
  • Third party audits
  • Contact/authority maintenance
  • Information system regulatory mapping
  • Intellectual property

Data governance

  • Ownership/stewardship
  • Classification
  • Handling/labeling/security policy
  • Retention policy
  • Secure disposal
  • Non-production data
  • Information leakage
  • Risk assessments

Facility security

  • Policy
  • User access
  • Controlled access points
  • Secure area authorization
  • Unauthorized persons entry
  • Offsite authorization
  • Offsite equipment
  • Asset management

Human resources security

  • Background screening
  • Employment agreements
  • Employment termination

Information security

  • Management program
  • Management support/involvement
  • Policy
  • Baseline requirements
  • Policy reviews
  • Policy enforcement
  • User access policy
  • User access restriction/authorization
  • User access revocation
  • User access reviews
  • Training/awareness
  • Industry knowledge/benchmarking
  • Roles/responsibilities
  • Management oversight
  • Segregation of duties
  • Encryption
  • Encryption key management
  • Vulnerability/patch management
  • Antivirus/malicious software
  • Incident management
  • Incident reporting
  • Incident response legal preparation
  • Incident response metrics
  • Acceptable use
  • Asset returns
  • eCommerce transactions
  • Audit tools access
  • Diagnostic/configuration ports access
  • Network/infrastructure services
  • Portable/mobile devices
  • Source code access restriction
  • Utility programs access

Legal

  • Non-disclosure agreements
  • Third party agreements

Operations management

  • Policy
  • Documentation
  • Capacity/resource planning
  • Equipment maintenance

Risk management

  • Program
  • Assessments
  • Mitigation/acceptance
  • Business/policy change impacts
  • Third party access

Release management

  • New development/acquisition
  • Production changes
  • Quality testing
  • Outsourced development
  • Unauthorized software installations

Resiliency

  • Management program
  • Impact analysis
  • Business continuity planning
  • Business continuity testing
  • Environmental risks
  • Equipment location
  • Equipment power failures
  • Power/telecommunications

Security architecture

  • Customer access requirements
  • Data integrity
  • Production/non-production environments
  • Remote user multifactor authentication
  • Network security
  • Segmentation
  • Wireless security
  • Shared networks
  • Clock synchronization
  • Equipment identification
  • Audit logging/intrusion detection
  • Mobile code

Much is written about the risks of using public cloud computing models, but many of those risks can be mitigated through effective due diligence and risk management. The risks of using private clouds are closer to those associated with traditional data centers. Hybrid models are also beginning to appear, in which the most sensitive data remains in the private cloud. Since these combine private and public cloud models, the risks associated with both models need to be taken into account.

This article was adapted from the Faulkner Information Services library of reports. For more information, contact To subscribe to the Faulkner Information Services visit

