First Draft of V3 of Cloud Computing Use Cases paper - Security in the Cloud

Skip to first unread message


Jan 18, 2010, 5:33:53 PM1/18/10
to A6 (Audit, Assertion, Assessment, and Assurance API) Working Group
We are working towards completing V3 of the Cloud Computing Use Cases
White Paper on or about Jan. 31st (
cloud-computing-use-cases). In order to ensure we have all your
comments, take a look at the first draft and I ask that you post to on the Cloud Computing Use Cases Google Group.


Gang, I've just posted the first draft of Version 3 to the Files
section. I've tried to distill the many thousands of words of
discussion we've had over the last couple of months into a clear,
concise description of security requirements and some use cases. A
couple of questions:

* I put in a couple of cross-reference tables. I always confuse myself
as to which boxes should be checked, so let me know what you think. I
tried to think these through from the perspective of what a cloud
consumer would need, as opposed to what a cloud provider would need to
implement the requirements.

* I mention SLAs very briefly; I think that's the best way to keep
this a manageable size. I think we'll have a lot more discussion on
SLAs in the future, should we put more information in here?

* Is there another use case we could glean from the discussion? Do the
use cases we have already cover all of the requirements and patterns?

As always, thanks for your ideas!
p.s. I'm posting just the Security section; nothing else has changed.

The Draft of the Security section can be found at
and begins as follows:

6 Security Scenarios

Security, in the cloud or elsewhere, is a critical topic that could
fill any number of pages. Our purpose here is to highlight the
security issues that architects and developers should consider as they
move to the cloud.

An important point to keep in mind is that the cloud does not
introduce any new security threats or issues. Security in cloud
computing is more about the loss of control than any particular
technical challenge. With an in-house application, controlling access
to sensitive data and applications is crucial. With a cloud based
application, access control is just as important, but some of the
facilities and individuals involved are in another organization.

Any security requirements must be defined clearly and completely in a
Service Level Agreement. The SLA constitutes a legally-binding
contract between the service provider and the service consumer. To a
large extent, the security requirements discussed represent the
mechanism for implementing the SLA.


Reply all
Reply to author
0 new messages