Cloud computing security in business information systems

Abstract

Cloud computing providers‘ and customers‘ services are not only exposed to existing security risks, but, due to multi-tenancy, outsourcing the application and data, and virtualization, they are exposed to the emergent, as well. Therefore, both the cloud providers and customers must establish information security system and trustworthiness each other, as well as end users. In this paper we analyze main international and industrial standards targeting information security and their conformity with cloud computing security challenges. We evaluate that almost all main cloud service providers (CSPs) are ISO 27001:2005 certified, at minimum. As a result, we propose an extension to the ISO 27001:2005 standard with new control objective about virtualization, to retain generic, regardless of company’s type, size and nature, that is, to be applicable for cloud systems, as well, where virtualization is its baseline. We also define a quantitative metric and evaluate the importance factor of ISO 27001:2005 control objectives if customer services are hosted on-premise or in cloud. The conclusion is that obtaining the ISO 27001:2005 certificate (or if already obtained) will further improve CSP and CC information security systems, and introduce mutual trust in cloud services but will not cover all relevant issues. In this paper we also continue our efforts in business continuity detriments cloud computing produces, and propose some solutions that mitigate the risks.