← Patterns / SP-011

Cloud Computing Pattern

Cloud computing security pattern to define security controls required for provision of cloud computing services

Release: 08.02 Authors: Phaedrus Updated: 2025-07-05

Your browser does not support SVG. Download the diagram.

Click on controls in the diagram to view details. Download SVG

Key Control Areas

  • Integration: Boomi, Mule OnDemand, OpSource Connect (OSB), Amazon SQS, Microsoft BizTalk Services
  • Orchestration: ProcessMaker, Appian Anywhere, Skemma, Intensil
  • Billing, Contract Management: OpSource/LeCayla, Aria, eVapt, Amazon DevPay, Zuora
  • Security: OpenID, OAuth, Ping Identity
  • Cloud Deployment: rPath, CohesiveFT, VMWare, Xen, Parallels, Bea Weblogic Server VE, 3Tera AppLogic, Elastra Cloud Server
  • AJAX(Asynchronous JavaScript with XML) is a mechanism for exchanging data between browser and server without refreshing the page
  • RSS(Really simple syndication) allows publication and subscription to frequently changing content
  • JSON(Javascript Object Notation) is a lightweight method to pass serialised data when using Javascript and provides an alternative to XML
  • Flash/Flex/Air/Silverlight/Gears are Client side programming and runtime execution environments that provide a richer browser experience
  • SOAP(Simple Object Access Protocol) is a method for remote proceedure calls using XML over http
  • REST(Representational State Transfer) is a simple architectural style that transfers state information via http resource requests.

When to Use

Organization who will provide some or all of their computing environment via cloud services. Organization has constraints on existing power or space, desire to reduce capital expenditure, need to provision services rapidly, big variations in computing demand, collaboration with wide range of B2B partners.

When NOT to Use

Lack of understanding of your compliance needs or inability to confirm how the supplier will meet your requirements.

Typical Challenges

Trustworthiness of partner-how to establish and track? Lack of certainty on many aspects of controls required. Compliance. Ability to move to other providers. Authentication and authorization across multiple providers and systems.

Threat Resistance

Untrustworthy supplier, eavesdropping, impersonation, data theft, lack of performance and logical and physical disasters are addressed by this pattern. Consider checking supplier applications for Cross-site scripting (XSS) attacks which can be used to log keystrokes and capture data, and propagate web application worms such as Samy. Feed injection for RSS and Atom can allow an attacker to compromise applications, if feeds are not properly secured.

Assumptions

Cloud computing is an evolving area and it is expected that this pattern will be revised within a year to reflect developments. It is likely that for large corporates a prudent and realistic strategy will be to deploy for test and development environments, which give some benefits without the downside of exposing production data sets.

Mapped Controls (54)

AC: 5AT: 3AU: 1CA: 6CM: 5CP: 1IA: 4IR: 1PL: 1PS: 2RA: 2SA: 8SC: 12SI: 3
  • AC-01 Access Control Policies and Procedures
  • AC-02 Account Management
  • AC-03 Access Enforcement
  • AC-04 Information Flow Enforcement
  • AC-13 Supervision And Review -- Access Control
  • AT-01 Security Awareness And Training Policy And Procedures
  • AT-02 Security Awareness
  • AT-03 Security Training
  • AU-06 Audit Monitoring, Analysis, And Reporting
  • CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
  • CA-02 Security Assessments
  • CA-03 Information System Connections
  • CA-04 Security Certification
  • CA-06 Security Accreditation
  • CA-07 Continuous Monitoring
  • CM-01 Configuration Management Policy And Procedures
  • CM-02 Baseline Configuration
  • CM-03 Configuration Change Control
  • CM-04 Monitoring Configuration Changes
  • CM-05 Access Restrictions For Change
  • CP-01 Contingency Planning Policy And Procedures
  • IA-01 Identification And Authentication Policy And Procedures
  • IA-02 User Identification And Authentication
  • IA-03 Device Identification And Authentication
  • IA-05 Authenticator Management
  • IR-01 Incident Response Policy And Procedures
  • PL-01 Security Planning Policy And Procedures
  • PS-06 Access Agreements
  • PS-07 Third-Party Personnel Security
  • RA-03 Risk Assessment
  • RA-04 Risk Assessment Update
  • SA-01 System And Services Acquisition Policy And Procedures
  • SA-02 Allocation Of Resources
  • SA-03 Life Cycle Support
  • SA-04 Acquisitions
  • SA-05 Information System Documentation
  • SA-09 External Information System Services
  • SA-10 Developer Configuration Management
  • SA-11 Developer Security Testing
  • SC-01 System And Communications Protection Policy And Procedures
  • SC-02 Application Partitioning
  • SC-03 Security Function Isolation
  • SC-04 Information Remnance
  • SC-05 Denial Of Service Protection
  • SC-06 Resource Priority
  • SC-07 Boundary Protection
  • SC-08 Transmission Integrity
  • SC-09 Transmission Confidentiality
  • SC-11 Trusted Path
  • SC-12 Cryptographic Key Establishment And Management
  • SC-18 Mobile Code
  • SI-02 Flaw Remediation
  • SI-03 Malicious Code Protection
  • SI-04 Information System Monitoring Tools And Techniques