2. Cloud Computing
information about past problems the providers might have had related to breaches and downtime.

To perform this study, I developed the Cloud Provider Transparency Scorecard (CPTS), an instrument to assess and score the information that I collected from published Web sources by or about cloud providers. Each of the four domains I considered included a series of questions based on key areas outlined by the Cloud Security Alliance (CSA),4 NIST,2 and the European Network and Information Security Agency (ENISA).5 Each question equated to a “0 = no, 1 = yes” value; I totaled each domain and gave an overall score based on the total of all scores. I then divided the domain-based scores by the total possible score to provide a simple percentile equivalent. I also divided the overall score by the total possible score to derive a percentile equivalent.

Cloud Computing Terminology

The US National Institute of Standards and Technology defines the cloud as including five essential characteristics.

On-demand self-service is the consumer’s ability to procure and provision cloud services, such as storage or compute services, via a portal mechanism without the cloud service provider’s assistance.

Broad network access is the ability to connect to cloud services anywhere, with any form of client, such as a mobile phone, laptop, intelligent smart phone, or any Web-enabled device. Depending on the type of information, where it physically resides can have regulatory ramifications—for example, personally identifiable information and personal health records are regulated in the US.

Resource pooling, or multi-tenancy, is when the provider’s resources are pooled and dynamically allocated based on application demand. Each physical machine could have multiple tenants (business users) on it—or, if the cloud provider offers it and the customer is willing to pay for it, a physical server could run only the one tenant’s virtual machines.

Rapid elasticity is the ability to scale up, down, or out automatically as workload requirements change. This characteristic lets the customer pay for resources as needed and allows specific demands to be met with seemingly unlimited resources. For example, if a business experiences peak workloads at the end of the month, the cloud will support the demand transparently to the business. Another example would be to use the cloud for scale testing.

Measured service, or fairly fine-grained metering capabilities, becomes necessary with an on-demand and auto-scaling service with a pay-as-you-go financial model. The metering must include monitoring, controlling (for example, setting maximums), and reporting.

A service-level agreement (SLA) between a cloud service provider and a business details the expectations for both parties. One example is service availability and the penalties for service loss; another example would be response time. In the case of Amazon Web Services (AWS), Simple Storage Service (S3) provides an SLA of 99.9 percent availability, which translates to 8.75 hours of downtime a year. The buyer must be aware that SLAs can vary within a cloud provider. Using Amazon Web Services as an example, AWS Elastic Compute Cloud (EC2) guarantees 99.95 percent uptime, which translates into six hours of downtime a year, or 30 consecutive minutes a month.

One last concept that’s important when evaluating the aggregation of services within a cloud provider is the impact of transitivity due to also aggregating the SLAs. Using the previous examples from AWS, where S3 has a 99.9 percent SLA and EC2 has a 99.95 percent SLA, the result of aggregating the services provides the lowest SLA of 99.9 percent to the application that uses both services together.

What Makes a Cloud Provider Transparent?
Researchers have addressed trust in e-commerce extensively, showing that it can positively affect e-commerce usage by reducing concern, which in turn improves disclosure, reduces the demand for legislation, and reduces the perceived risk.6 A business engaging a self-service cloud provider is consuming an e-commerce–based service that provides infrastructure services instead of traditional goods such as books or music. Privacy statements, security policies and assessments,5 and availability guarantees are effective for evaluating trust for e-commerce service providers. For the purpose of this research, I extended the definition of an e-commerce service provider to include cloud providers as a new type of e-commerce.

Preassessment
One approach to assessing the cloud would be to use a third-party security firm with experience in cloud applications. Another would be to use internal resources and leverage recently published assessment methods from the CSA or ENISA. Both methods provide steps for security and privacy assessment and detail focus areas for audit and governance, specifically for cloud infrastructures. The challenge with existing methods is that cloud providers rely on the self-service model for customers to engage them, whereas the existing methods are based on extensive surveys requiring the cloud provider’s staff involvement. The low-touch self-service model economically benefits both the cloud provider, which can reduce service costs, and the customer, who is charged less and can directly procure and provision resources.

An alternative approach that matches the cloud provider engagement model is to make all required information for assessing clouds publicly available via their Web portals. To preassess cloud providers, prospective customers search the Web for news articles on issues, breaches, and outages—for example, Privacy Rights Clearinghouse keeps a chronology of reported breach data7—and the cloud provider must track and report outage data on its website. Another step should include inspecting the type of customers using the cloud provider to validate if its customers have similar applications, scale, and customer base. One way to accomplish
this would be to directly contact the cloud provider’s customers to see what their experiences have been. In addition, does the cloud provider participate in cloud standards bodies such as CloudAudit,8 Open Cloud Computing Interface,9 CSA, and ENISA? Participating in cloud standards activities is one way that the cloud provider can demonstrate that it is interested in improving trust and interoperability in the cloud. The basic business assessment also includes such questions as

• “What service models do you offer (IaaS, PaaS, and/or SaaS)?”
• “Are you public or private?”
• “Are you profitable?”

These are samples of the types of questions that prospective customers should ask during the preassessment phase to determine if the cloud provider could be included in a full assessment and if it’s a good business fit.

As a final preassessment step, evaluate the cloud provider as a business entity. How long has it been in business? According to the US Small Business Administration, approximately 50 percent of businesses fail in the first five years.10 Has the cloud provider had any financial difficulties? What happens if it’s acquired or shuts down its cloud offering? Does it provide services in all the locations or countries needed?

The Detailed Assessment
After preassessing the cloud provider, the next step is to perform a more detailed assessment using the CPTS as one of the tools for assessment.

Security
To perform a detailed assessment, use a browser to visit each cloud site and collect and log the various security, privacy, and service-level policies and procedures. Is all the information located in one place and easy to access? Are the policies and procedures published? Does the provider offer an email address for additional questions? Does it offer professional services such as security assessments of customer environments?

What kind of security controls does the cloud provider have in place? If it publishes its security policy and procedures, does it also perform standardized assessments? Several cloud providers perform security assessments such as COBIT,10 ISO 27000,11 or NIST SP800-53,12 on their environments. Is the cloud provider a member of, or does it contribute to, ENISA or CSA? Does it use the ENISA or CSA recommendations for governance?

What kind of security education and certifications does the staff hold? Are their certifications published? For example, although AWS doesn’t share that information, other cloud service providers such as Terremark, SAVVIS, and Rackspace provide their employees’ certifications on their websites and offer specific details to paying customers. Are the employees subject to background checks? Cloud providers often provide this information—for example, AWS publishes most of this information on its website and in its security white paper.

Privacy
Does the cloud provider have a privacy portal? Does it publish its privacy policy? Does it manage its privacy policy over time? Does the privacy policy apply to all of the cloud provider’s services, or are there separate ones for separate services? If the cloud provider uses other providers’ services bundled within its own service, does it have a bilateral agreement to hold the other providers to the same standard? Does the cloud provider provide a special email or forum for privacy questions or issues? Does it offer professional services specific to privacy, such as working with customers on Health Insurance Portability and Accountability Act (HIPAA) compliance?

Audit
If a customer has requirements for financial, healthcare, or personally identifiable information, the customer should review the cloud provider’s site for third-party audit mechanisms. For example, does the cloud provider comply with the Statements on Auditing Standards (SAS) No. 70 Type II,13 the Payment Card Industry Data Security Standard,14 HIPAA,15 or Sarbanes-Oxley?16 Several cloud providers, such as AWS,17 publish the fact that they perform SAS 70 audits, but don’t publish the control groups that they’ve audited.

Service Levels
What service-level agreements (SLAs) does the cloud provider guarantee? Do they apply to all the cloud provider’s services? For example, if you’re using Amazon Elastic Compute Cloud (EC2), Amazon has a 99.95 percent uptime guarantee, but Amazon Simple Queue Service (SQS) and Amazon Simple Storage Service (S3) don’t have an SLA guarantee. If you combine SQS or S3 with EC2, the net SLA is 0 percent. Does the cloud provider use a service-level management process such as the Information Technology Infrastructure Library?18
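The SLA arithmetic in the terminology sidebar and the Service Levels questions above can be checked mechanically rather than by hand. The following Python is an added example written for this edit, not code from the article or its author: it converts a published availability figure into a downtime budget (assuming a 365-day year), applies the article’s aggregation rule (an application that depends on several services inherits the lowest SLA, and a dependency with no SLA at all drives the net SLA to 0 percent), and maps the resulting figure onto the 1-to-5 weight that question 23 of the scorecard in Figure 2 uses. As an added caveat that the article does not state, it also computes the stricter series-availability bound an availability engineer would use when the dependent services fail independently.

```python
"""Availability arithmetic for cloud SLAs (added example, not from the article).

Converts a published availability percentage into a downtime budget, aggregates
the SLAs of the services an application depends on, and maps the result onto
the 1..5 weight used by question 23 of the CPTS scorecard (Figure 2).
"""
from typing import Optional, Sequence

HOURS_PER_YEAR = 365 * 24            # assumption: non-leap year
HOURS_PER_MONTH = HOURS_PER_YEAR / 12

# Scorecard tiers from Figure 2, question 23: availability percent -> points.
SLA_TIERS = ((99.9, 1), (99.95, 2), (99.99, 3), (99.999, 4), (100.0, 5))


def downtime_hours(availability_percent: float,
                   period_hours: float = HOURS_PER_YEAR) -> float:
    """Hours of downtime an availability SLA permits within a period."""
    if not 0.0 <= availability_percent <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return period_hours * (100.0 - availability_percent) / 100.0


def aggregate_sla_lowest(slas: Sequence[Optional[float]]) -> float:
    """The article's transitivity rule: an application that uses several
    services together is covered by the lowest of their SLAs, and a service
    with no SLA at all (None) drags the net SLA down to 0 percent."""
    if not slas:
        raise ValueError("an application depends on at least one service")
    if any(s is None for s in slas):
        return 0.0
    return min(slas)


def aggregate_sla_series(slas: Sequence[Optional[float]]) -> float:
    """Added caveat: if the services fail independently and all must be up,
    the expected availability is the product of the individual figures, which
    is never higher than the lowest single SLA (the lowest-SLA rule is an
    optimistic upper bound, not a guarantee)."""
    if any(s is None for s in slas):
        return 0.0
    product = 1.0
    for s in slas:
        product *= s / 100.0
    return product * 100.0


def sla_points(availability_percent: float) -> int:
    """Map an availability figure to the scorecard's 1..5 weight; anything
    below the lowest tier, including a missing SLA encoded as 0, scores 0."""
    points = 0
    for threshold, value in SLA_TIERS:
        if availability_percent >= threshold:
            points = value
    return points


def score_provider_sla(slas: Sequence[Optional[float]]) -> int:
    """The article's practice for question 23: when a provider publishes
    several SLAs for different services, the lowest one is the one scored."""
    return sla_points(aggregate_sla_lowest(slas))


if __name__ == "__main__":
    # Figures quoted in the sidebar: S3 at 99.9 percent, EC2 at 99.95 percent.
    for pct in (99.9, 99.95, 99.99, 100.0):
        print(f"{pct:>7}%  {downtime_hours(pct):6.2f} h/year  "
              f"{downtime_hours(pct, HOURS_PER_MONTH):5.2f} h/month  "
              f"points={sla_points(pct)}")
    print("S3 + EC2, lowest-SLA rule :", aggregate_sla_lowest([99.9, 99.95]))
    print("S3 + EC2, series bound    :", round(aggregate_sla_series([99.9, 99.95]), 5))
    print("EC2 + service with no SLA :", aggregate_sla_lowest([99.95, None]))
```

Running the block prints the downtime budget for each tier and shows that combining S3 with EC2 yields 99.9 percent under the article’s rule but 99.85 percent under the series bound, while adding any service that publishes no SLA reduces the composite to 0 percent, exactly the outcome the Service Levels section describes for SQS or S3 with EC2.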
Next Steps Postassessment
Once the customer has gathered this data, the next step is to contrast the cloud provider’s standards against corporate policies and the requirements of the application being provisioned on the cloud. Evaluate the cloud policies and practices against internal policies and practices to see if differences exist in the security and privacy policies. Does the cloud provider meet or exceed the security and privacy policy levels used internally? Does it provide enough information via its self-service model to determine that?

Results of the Preassessment
For this study, I chose a relatively small population of six cloud providers (see Table 1). The offerings and structure vary among providers. NIST defines four cloud deployment models: private, public, community, and hybrid clouds. Private clouds operate specifically for one organization, while public clouds are available to the general public. Community clouds support a specific community, such as an academic or government function. A hybrid cloud is the federation of several clouds composed of either the same deployment models or different models. The study included only public cloud providers that prospective customers could access from the Internet and that offered their services via a self-service method. For simplicity, I make the six cloud providers (Amazon, Google, Microsoft, IBM, Terremark, and Savvis) anonymous by referring to their results as coming from CP1 through CP6.

Table 1. Cloud provider overview.
Provider/offerings | Service model | Sample customers | Comments
Google App Engine (GAE) | Platform as a service (PaaS) | Best Buy, Ubisoft, Flickr | Appeals to startups, small-to-medium-sized businesses (SMB), enterprise businesses, and students and schools as an integrated development environment
Amazon Web Services (AWS) | Infrastructure as a service (IaaS) | Autodesk, Qualcomm, Second Life, Washington Post, Harvard Medical School | Appeals to startups, SMBs, and enterprise businesses as an operational expense option for infrastructure with price tiering based on scale and options
Microsoft Windows Azure, Microsoft SQL Azure, and Windows Azure platform AppFabric | IaaS and PaaS | 3M, Verisign, Associated Press, Kelly Blue Book, Accenture, Siemens | Appeals to .NET developers and all businesses; provides a way to bridge Microsoft datacenter apps with the cloud
IBM Computing on Demand, IBM Smart Business, IBM Smart Analytics, and so on | IaaS, PaaS, and software as a service (SaaS) | US Air Force, SK Telecom | Provides full services for all company sizes with price tiering for scale
Terremark Enterprise Cloud and vCloud Express | IaaS | USA.gov, Agora Games, Engine Yard | Infrastructure services for all company sizes
Savvis Cloud Compute, Savvis Dedicated Cloud, and Savvis Open Cloud Compute | IaaS | Hallmark, Easyjet, Universal Music Group, Wall Street | Infrastructure services for all company sizes

Within the public cloud provider category are different classes of providers. From the providers chosen, I selected Amazon and Google as representative of Web-based companies that repurpose and extend existing infrastructure and software to support cloud services. Microsoft and IBM provide various managed and application services that they’ve extended as cloud services. Terremark and SAVVIS provide various managed services to commercial customers and have recently created cloud computing offerings targeting IaaS leveraging virtualization technology.

In the preassessment (Figure 1), I found that almost all providers had published outages, along with the fault that caused the outage and the corrective action. Researching for breaches in the Datalossdb database showed no breaches tied to any of the cloud providers studied. CP2 did show up in the database owing to the loss of a laptop containing CP2 employee data. Breaches that affect a cloud provider’s customer data wouldn’t necessarily end up in the Datalossdb unless regulatory rules required the cloud provider to inform those harmed. The public profile of cloud providers and the nature of the services they offer make breaches more likely to be divulged publicly, and as one cloud provider posted, full disclosure and transparency is a best practice. Microsoft Azure’s loss of Sidekick data in 2009 was highly publicized and analyzed by the cloud provider technical community.19 (Cloud providers aren’t compelled or regulated to share breach information as long as data protected by regulations haven’t been affected.) I also found that all providers belonged to at least one cloud standards group, showing common interest in interoperability and governance standards.

Figure 1 has a mixed scoring method designed to create a maximum score of 7 (the best possible score). Several of the questions are negative, making the “yes” answer a negative response, thereby providing a “0” score for that question. All the cloud providers I evaluated scored better than 70 percent, which I considered adequate for consideration for use in the CPTS assessment.
Preassessment | CP1 | CP2 | CP3 | CP4 | CP5 | CP6 | Scoring
Business factors: length in years in business | 16 | 12 | 31 | 114 | 28 | 15 | Total years
1 Length in years in business ≥ 5? | 1 | 1 | 1 | 1 | 1 | 1 | 0 ≤ 5, 1 ≥ 5
2 Published security or privacy breaches? | 1 | 1 | 1 | 1 | 1 | 1 | 0 = Y, 1 = N
3 Published outages? | 0 | 0 | 0 | 0 | 1 | 0 | 0 = Y, 1 = N
4 Published data loss? | 1 | 0 | 0 | 1 | 1 | 1 | 0 = Y, 1 = N
5 Similar customers? | 1 | 1 | 1 | 1 | 1 | 1 | 0 = N, 1 = Y
6 Member of ENISA, CSA, CloudAudit, OCCI, or other cloud standards groups? | 1 | 1 | 1 | 1 | 1 | 1 | 0 = N, 1 = Y
7 Profitable or public? | 1 | 1 | 1 | 1 | 1 | 1 | 0 = N, 1 = Y
Preassessment total score | 6 | 5 | 5 | 6 | 7 | 6 | Total
Percentile score | 0.86 | 0.71 | 0.71 | 0.86 | 1.00 | 0.86 | Score/7

Figure 1. The Cloud Provider Transparency Scorecard (preassessment). I used the scorecard to examine a variety of cloud computing providers, assessing their business factors, such as years in business and security or privacy breaches, to create a total preassessment transparency score.

Assessment Results
I recorded, broke down, and summarized the assessment’s qualitative results by domains of security, privacy, audits, and SLA, as depicted in Table 2.

Table 2. Cloud Provider Transparency Scorecard analysis. Each cell gives the domain score, with the fraction of the maximum score in parentheses.
CPTS analysis | CP1 | CP2 | CP3 | CP4 | CP5 | CP6 | Maximum score
Security | 4 (0.40) | 4 (0.40) | 8 (0.80) | 5 (0.50) | 7 (0.70) | 7 (0.70) | 10 (1.00)
Privacy | 4 (0.67) | 5 (0.83) | 6 (1.00) | 3 (0.50) | 4 (0.67) | 6 (1.00) | 6 (1.00)
Audit | 3 (0.75) | 1 (0.25) | 4 (1.00) | 2 (0.50) | 4 (1.00) | 4 (1.00) | 4 (1.00)
SLA | 3 (0.33) | 5 (0.56) | 4 (0.44) | 1 (0.11) | 8 (0.89) | 4 (0.44) | 9 (1.00)
Total | 14 (0.48) | 15 (0.52) | 22 (0.76) | 11 (0.38) | 23 (0.79) | 21 (0.72) | 29 (1.00)

Security Scores
CP3 had the strongest security score, at 0.80. Two service providers, CP5 and CP6, scored 0.70. The lowest scores were from CP1 and CP2, primarily due to a lack of certifications, of professional services, and of shared employee certifications. CP4’s relatively low score of 0.50 is likely due to problems encountered with navigating the cloud provider’s website. The study was based on using a self-service method to perform the assessment as opposed to using email/chat inquiry methods or calling the cloud provider. Ease of use and navigation of Web portals are important characteristics when a service is designed to be self-service.

Privacy Scores
CP6 and CP3 had perfect privacy scores due to their policies being easy to find, well detailed, and including privacy explanations in white papers. CP2 lost a point due to the lack of professional services, which it claims are provided through a partner community. CP4 had the lowest score of 0.50 due to the lack of an easy-to-find privacy policy for its cloud offerings.

Audit Scores
All the cloud providers claim to perform SAS 70 Type II audits on their infrastructure. None of them offers public information about what control groups they audit from SAS 70, although it was possible to acquire control group information via direct email with one of the cloud providers. CP3, CP5, and CP6 all had perfect scores in the audit section. Having internal and external audits and publishing them helps provide proof of capability for specific data types, especially those that are regulated.

SLA Scores
As Table 2 shows, only CP5 scored well, with a 0.79 on its SLA. The SLA outcomes were skewed by the use of a weighted value that ranged from 1 to 5 based on availability from 99.5 to 100 percent. If the cloud provider had several different SLAs for different services, I used the lowest SLA for the score. In the case of CP4, I couldn’t find SLA information on the cloud portal. CP5 was the only cloud provider that provided a 100 percent service uptime guarantee. CP5 and CP6 didn’t have any published outage events, which I can discount due to the length of time they’ve been offering cloud services.

Overall Scores
CP3, CP5, and CP6 had the highest overall scores, as Table 2 shows, with scores of 0.76, 0.79, and 0.72, respectively. CP4’s score (0.38) was brought down by an overall lack of information available on its website. CP1 and CP2 both scored near 50 percent, with 0.48 and 0.52, respectively—but removing the two professional services questions actually drops their scores to 0.44 and 0.48.
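The totals in Table 2 follow mechanically from the per-question answers that Figure 2 (later in this article) records. The following Python is an added example written for this edit, not the author’s instrument: it transcribes the Figure 2 answers into a matrix (question texts shortened), rejects any answer outside its question’s range (1 point for the yes/no questions, up to 5 for the SLA-level question) so that a transcription slip cannot silently distort a score, and recomputes the domain subtotals, overall totals and fraction-of-maximum scores that Table 2 reports, using the article’s own rule: sum each domain, then divide by that domain’s maximum.

```python
"""Recompute Cloud Provider Transparency Scorecard totals (added example).

The answer matrix transcribes Figure 2 of the article; the arithmetic is the
article's rule: sum each domain, then divide by the domain's maximum.
"""
from typing import Dict, List, Sequence, Tuple

PROVIDERS = ("CP1", "CP2", "CP3", "CP4", "CP5", "CP6")

# (question, maximum points, answers for CP1..CP6), transcribed from Figure 2.
Question = Tuple[str, int, Sequence[int]]
FIGURE_2: Dict[str, List[Question]] = {
    "Security": [
        ("Portal area for security information?", 1, (1, 1, 1, 1, 0, 1)),
        ("Published security policy?", 1, (1, 1, 1, 0, 0, 0)),
        ("White paper on security standards?", 1, (1, 1, 1, 1, 1, 1)),
        ("Policy addresses multi-tenancy?", 1, (0, 0, 0, 0, 0, 0)),
        ("Email or online chat for questions?", 1, (1, 1, 1, 1, 1, 1)),
        ("ISO/IEC 27000 certified?", 1, (0, 0, 1, 0, 1, 1)),
        ("COBIT certified?", 1, (0, 0, 1, 0, 1, 1)),
        ("NIST SP800-53 security certified?", 1, (0, 0, 0, 0, 1, 0)),
        ("Security professional services?", 1, (0, 0, 1, 1, 1, 1)),
        ("Security-certified employees?", 1, (0, 0, 1, 1, 1, 1)),
    ],
    "Privacy": [
        ("Portal area for privacy information?", 1, (1, 1, 1, 0, 0, 1)),
        ("Published privacy policy?", 1, (1, 1, 1, 0, 0, 1)),
        ("White paper on privacy standards?", 1, (1, 1, 1, 1, 1, 1)),
        ("Email or online chat for questions?", 1, (1, 1, 1, 1, 1, 1)),
        ("Privacy professional services?", 1, (0, 0, 1, 1, 1, 1)),
        ("Privacy-certified employees?", 1, (0, 1, 1, 0, 1, 1)),
    ],
    "Audit": [
        ("SAS 70 Type II", 1, (1, 1, 1, 1, 1, 1)),
        ("PCI-DSS", 1, (0, 0, 1, 1, 1, 1)),
        ("SOX", 1, (1, 0, 1, 0, 1, 1)),
        ("HIPAA", 1, (1, 0, 1, 0, 1, 1)),
    ],
    "SLA": [
        ("Offers an SLA?", 1, (1, 1, 1, 0, 1, 1)),
        ("SLA applies to all services?", 1, (0, 1, 1, 0, 1, 1)),
        ("SLA level (99.9=1 ... 100=5)", 5, (1, 2, 1, 0, 5, 1)),
        ("ITIL-certified employees?", 1, (0, 0, 0, 0, 1, 1)),
        ("Publishes outage and remediation?", 1, (1, 1, 1, 1, 0, 0)),
    ],
}


def validate(answers: Dict[str, List[Question]]) -> None:
    """Reject a row with the wrong provider count or an answer outside 0..max."""
    for domain, questions in answers.items():
        for text, maximum, row in questions:
            if len(row) != len(PROVIDERS):
                raise ValueError(f"{domain}/{text}: expected {len(PROVIDERS)} answers")
            for provider, value in zip(PROVIDERS, row):
                if not 0 <= value <= maximum:
                    raise ValueError(f"{domain}/{text}: {provider} answer {value} "
                                     f"outside 0..{maximum}")


def domain_subtotals(answers: Dict[str, List[Question]]) -> Dict[str, Tuple[int, List[int]]]:
    """{domain: (maximum possible, [subtotal per provider])}."""
    validate(answers)
    result = {}
    for domain, questions in answers.items():
        maximum = sum(m for _, m, _ in questions)
        subtotals = [sum(row[i] for _, _, row in questions) for i in range(len(PROVIDERS))]
        result[domain] = (maximum, subtotals)
    return result


def scorecard(answers: Dict[str, List[Question]] = FIGURE_2) -> Dict[str, Dict[str, Tuple[int, float]]]:
    """Table 2 layout: {row: {provider: (points, fraction of maximum)}}, with a
    'Total' row and a 'Maximum' column in every row."""
    per_domain = domain_subtotals(answers)
    grand_max = sum(m for m, _ in per_domain.values())
    totals = [0] * len(PROVIDERS)
    table: Dict[str, Dict[str, Tuple[int, float]]] = {}
    for domain, (maximum, subtotals) in per_domain.items():
        table[domain] = {p: (s, round(s / maximum, 2)) for p, s in zip(PROVIDERS, subtotals)}
        table[domain]["Maximum"] = (maximum, 1.0)
        totals = [t + s for t, s in zip(totals, subtotals)]
    table["Total"] = {p: (t, round(t / grand_max, 2)) for p, t in zip(PROVIDERS, totals)}
    table["Total"]["Maximum"] = (grand_max, 1.0)
    return table


def ranking(answers: Dict[str, List[Question]] = FIGURE_2) -> List[str]:
    """Providers ordered from highest to lowest overall score."""
    total = scorecard(answers)["Total"]
    return sorted(PROVIDERS, key=lambda p: total[p][0], reverse=True)


if __name__ == "__main__":
    for row, cells in scorecard().items():
        print(f"{row:<9}", "  ".join(f"{p}={pts} ({frac:.2f})" for p, (pts, frac) in cells.items()))
    print("ranking:", ranking())
```

The printed table reproduces every cell of Table 2, and the ranking puts CP5, CP3 and CP6 first, as the Overall Scores section states. Because the domain maxima differ (10, 6, 4 and 9 points), a single point is worth far more in the audit domain than in the security domain, which is why the fraction-of-maximum column, not the raw subtotal, is the right figure to compare across domains.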
Cloud-Specific Challenges
The assessment includes a question about specific characteristics in the cloud from the NIST definition regarding resource pooling. Resource pooling is more commonly called multi-tenancy, and many researchers have addressed it. The question concerned whether the security policy had any specific discussion on multi-tenancy—none of the cloud providers had any specific security-related documentation. The CSA document discusses multi-tenancy and other cloud characteristics, providing guidance on topics such as administration, threat models, and virtual machine regulatory issues.

I designed the scorecard shown in Figure 2 to cover the assessment areas frequently raised in the research and to begin to establish a high-level exemplar for assessing provider transparency. Assessing cloud providers this early in the maturity cycle of cloud as a technology brings with it the caveat that providers as yet don’t have established transparency standards. Market forces, competition, and further research are needed to determine the standard for measuring provider transparency.

An area for future research would be to evaluate if the cloud provider offers performance-monitoring tools such as utilization, response times, and availability. As an example, AWS recently launched CloudWatch for customers to monitor resource utilization, performance, and demand patterns. External monitors such as CloudClimate.com also provide performance data, while companies like Keynote perform remote availability and quality testing of networked resources.

One assessment method that I didn’t include was Shared Assessments (SA),21 which is supported by the US Federal Financial Institutions Council as a financial services industry standard. SA is specifically designed for outsourcing assessment covering the financial services industry’s stringent requirements and regulations. I didn’t include it because only one cloud provider currently is a member, and this membership wasn’t connected to the provider’s cloud services.

The CPTS provides a guideline of how an organization can evaluate the adequacy of a cloud provider’s transparency. The methodology’s simplicity and high-level approach might not be adequate for a specific organization’s requirements. As the cloud becomes more important for IT to meet its business objectives, the need for transparency will only increase. Standardization, open reporting of information in the methodology’s sample domain, and making it readily available via the self-service model will greatly enhance businesses’ ability to evaluate and engage cloud providers’ services.

Acknowledgments
A special thank you to Randy Bias, CEO, founder, and Cloud Strategist of Cloudscaling, for reviewing the cloud provider instrument for completeness and making suggestions for improvements. I also thank Mark Rosenbaum, doctoral candidate at Nova Southeastern University, for reviewing the document and, as usual, providing excellent feedback where the document needed improvements.

References
1. K.S. Candan et al., “Frontiers in Information and Software as Services,” Proc. 2009 IEEE Conf. Data Eng., IEEE CS Press, 2009, pp. 1761–1768.
2. P. Mell and T. Grance, “The NIST Definition of Cloud Computing,” Nat’l Inst. of Standards and Technology Computer Security Division, 7 Oct. 2009; http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc.
3. K. Wüllenweber and T. Weitzel, “An Empirical Exploration of How Process Standardization Reduces Outsourcing Risk,” Proc. 40th Ann. Hawaii Int’l Conf. System Science, IEEE CS Press, 2007, p. 240c.
4. “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1,” Cloud Security Alliance, 2009; www.cloudsecurityalliance.org/csaguide.pdf.
5. “Cloud Computing Security Risk Assessment,” European Network and Information Security Agency, 20 Nov. 2009; www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment.
6. H.R. Nemati and T. Van Dyke, “Do Privacy Statements Really Work? The Effect of Privacy Statements and Fair Information Practices on Trust and Perceived Risk in E-Commerce,” Int’l J. Information Security and Privacy, vol. 3, no. 1, 2009, pp. 45–65.
7. “Chronology of Data Breaches,” Privacy Rights Clearinghouse, 2 Mar. 2010; www.privacyrights.org/ar/ChronDataBreaches.htm.
Full assessment | CP1 | CP2 | CP3 | CP4 | CP5 | CP6
Security:
1 Portal area for security information? | 1 | 1 | 1 | 1 | 0 | 1
2 Published security policy? | 1 | 1 | 1 | 0 | 0 | 0
3 White paper on security standards? | 1 | 1 | 1 | 1 | 1 | 1
4 Does the policy specifically address multi-tenancy issues? | 0 | 0 | 0 | 0 | 0 | 0
5 Email or online chat for questions? | 1 | 1 | 1 | 1 | 1 | 1
6 ISO/IEC 27000 certified? | 0 | 0 | 1 | 0 | 1 | 1
7 COBIT certified? | 0 | 0 | 1 | 0 | 1 | 1
8 NIST SP800-53 security certified? | 0 | 0 | 0 | 0 | 1 | 0
9 Offer security professional services (assessment)? | 0 | 0 | 1 | 1 | 1 | 1
10 Employees CISSP, CISM, or other security certified? | 0 | 0 | 1 | 1 | 1 | 1
Security subtotal score | 4 | 4 | 8 | 5 | 7 | 7
Privacy:
11 Portal area for privacy information? | 1 | 1 | 1 | 0 | 0 | 1
12 Published privacy policy? | 1 | 1 | 1 | 0 | 0 | 1
13 White paper on privacy standards? | 1 | 1 | 1 | 1 | 1 | 1
14 Email or online chat for questions? | 1 | 1 | 1 | 1 | 1 | 1
15 Offer privacy professional services (assessment)? | 0 | 0 | 1 | 1 | 1 | 1
16 Employees CIPP or other privacy certified? | 0 | 1 | 1 | 0 | 1 | 1
Privacy subtotal score | 4 | 5 | 6 | 3 | 4 | 6
External audits or certifications:
17 SAS 70 Type II | 1 | 1 | 1 | 1 | 1 | 1
18 PCI-DSS | 0 | 0 | 1 | 1 | 1 | 1
19 SOX | 1 | 0 | 1 | 0 | 1 | 1
20 HIPAA | 1 | 0 | 1 | 0 | 1 | 1
Audit subtotal score | 3 | 1 | 4 | 2 | 4 | 4
Service-level agreements:
21 Does it offer an SLA? | 1 | 1 | 1 | 0 | 1 | 1
22 Does the SLA apply to all services? | 0 | 1 | 1 | 0 | 1 | 1
23 SLA level: 99.9 = 1, 99.95 = 2, 99.99 = 3, 99.999 = 4, 100 = 5 | 1 | 2 | 1 | 0 | 5 | 1
24 ITIL-certified employees? | 0 | 0 | 0 | 0 | 1 | 1
25 Publish outage and remediation? | 1 | 1 | 1 | 1 | 0 | 0
SLA subtotal score | 3 | 5 | 4 | 1 | 8 | 4
Total score | 14 | 15 | 22 | 11 | 23 | 21

Figure 2. The Cloud Provider Transparency Scorecard. The assessment examines the cloud provider’s security, privacy, external audits or certifications, and service-level agreements to create a total transparency score.
8. “CloudAudit and the Automated Audit, Assertion, Assessment, and Assurance API (A6),” CloudAudit, 2010; www.cloudaudit.org.
9. “Open Grid Forum Open Cloud Computing Interface Working Group,” OCCI, 2010; www.occi-wg.org/doku.php.
10. “Frequently Asked Questions,” Small Business Administration Office of Advocacy, Sept. 2009; www.sba.gov/advo/stats/sbfaq.pdf.
11. AU Section 324 Service Organizations: Sources SAS No. 70; SAS No. 78; SAS No. 88; SAS No. 98, Am. Inst. Certified Public Accountants; www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-00324.pdf.
12. “Payment Card Industry Data Security Standard: Navigating PCI DSS V1.2,” Payment Card Industry Security Standards Council, 2008; www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf.
13. “The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules,” US Dept. of Health and Human Services, 2006; www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf.
14. “Sarbanes–Oxley Act of 2002 (Public Company Accounting Reform and Investor Protection),” Government Accountability Office, 2002.
15. “COBIT Framework for IT Governance and Control,” Information Systems Audit and Control Association, 2007; www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx.
16. ISO/IEC 27000:2009: Information Technology, Security Techniques, Information Security Management Systems, Overview and Vocabulary, Int’l Org. for Standardization and the Int’l Electrotechnical Commission, 2009; www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=41933.
17. R. Ross et al., “Recommended Security Controls for Federal Information Systems,” Dec. 2007; http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf.
18. “AWS Completes SAS70 Type II Audit,” Amazon Web Services, 2010; http://aws.amazon.com/about-aws/whats-new/2009/11/11/aws-completes-sas70-type-ii-audit.
19. “Information Technology Infrastructure Library,” ITIL, 12 Mar. 2010; www.itil-officialsite.com/home/home.asp.
20. M.W. Jones, “Microsoft’s Sidekick Cloud Outage Gets Worse,” Tech.Blorge, 11 Oct. 2009; http://tech.blorge.com/Structure:%20/2009/10/11/microsofts-sidekick-cloud-outage-gets-worse.
21. “Setting the Standards for Vendor Assessments,” Shared Assessments, 13 Mar. 2010; www.sharedassessments.org.

Wayne A. Pauley is a cloud and security evangelist at EMC and an executive in its Unified Storage Division. He’s also a doctoral candidate in information systems science at Nova Southeastern University. His research interests include cloud security and privacy. Pauley has an MS in information technology management from Franklin Pierce University. Contact him at wayne.pauley@gmail.com.