Monitoring Cloud Computing by Layer, Part 2
June 2011 • White Paper
In this paper, Jonathan Spring presents a set of recommended restrictions and audits to facilitate cloud security.
In part 1, I briefly introduced cloud computing and a seven-layer model of it (facility, network, hardware, OS, middleware, application, and the user). Each cloud computing deployment must have these layers, but different deployment types give control of them to different parties. Here, I cover controls that could be implemented in the middleware, application, and user layers to monitor and audit information assurance.
This information is relevant to whichever entity controls the layer; however, the customer is ultimately responsible for ensuring compliance with his or her standards. Often, this must be accomplished through contracts and service-level agreements (SLAs). Such agreements must include strong auditing and monitoring powers for the customer. As I discussed in part 1, no technical controls can absolutely prevent fraud because the owner of the information is divorced from the owner of the hardware and facilities. As I discuss here, there's also plenty to monitor and audit in the higher layers. Customers should require in their agreements that the provider demonstrate all the controls it supplies.