A Framework for the Development of Risk-Based Guidelines for Cloud Service Subscribers
DOI:
https://doi.org/10.37934/araset.48.2.136147
Keywords:
Cloud Service Subscriber, risk-based guideline, cloud security, public cloud services
Abstract
Cloud computing provides services that allow Cloud Service Subscribers (CSS) to deploy flexible IT solutions without the need to procure physical IT infrastructure such as servers, storage, and processing components. Such benefits, particularly in terms of cost savings, coupled with the need to embrace digitization and a remote workforce, have contributed to a surge in cloud service adoption. However, the increase in the number of users and cloud computing service providers comes with higher rates of security incidents and cyber-attacks targeting cloud computing infrastructure. Therefore, adequate security controls are essential to ensure that the confidentiality, integrity, and availability of customer data can be controlled and protected. This paper presents a framework for developing a risk-based guideline for Cloud Service Subscribers (CSS). This framework aims to formalize a generic set of guidelines on cloud security measures and controls for easy reference by CSS. The framework is based on an analysis of existing cloud security literature and existing ISO/IEC standards, together with other best practices and related activities that have been carried out to generate guidelines for cloud security. The outcome is a cloud security guideline modelled into three (3) main stages and seven (7) activities that detail the set of actions. The framework is focused on an IT security perspective covering pre-subscription, during-subscription, and post-subscription of the cloud services. The framework may also serve as a guide for organizations or agencies developing similar guidelines for different service perspectives or different cloud models.