Saturday, February 5, 2011

NIST SP 800-144: Regs for the cloud

http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

So, I read this SP, and while it has brought up points omitted by the Cloud Security Alliance's Guide, it is not as detailed as I thought it would be. I also find the document structure to be lacking. I expect the authors wanted to differentiate their work from past efforts (e.g. CSA, ENISA). Here are some points in SP 800-144 worth mentioning:

- Composite Services: a great point that cloud providers may use the services of other providers.
- Virtual Network Segmentation: peripherals as well as servers are mentioned here.
- Ancillary Data: account info and virtual images are mentioned, but not log data.
- Attack Vectors: they allude to rootkits and leave room for other nastiness.
