General Security Models for Cloud

There are some very good security models and reference architectures from NIST, COBIT and ISO. Each serves a different purpose in the IT architecture stack.

NIST is 'tactical', meaning lower level. ISO is a checklist for identifying security issues at the operations level. COBIT is good for aligning security with business strategy.

NIST is useful (though somewhat academic) in that it proposes 5 (very detailed) main areas of cyber or cloud security: Identify, Protect, Detect, Respond and Recover. Many firms invest effort in 2 or 3 of these categories but leave important areas within the other groups unattended. In particular, Respond and Recover are 2 areas that most firms don't spend much time on.

In the Cloud, for example, the general principles covered by NIST and its operational Cloud Best Practices document are listed below; these are embedded in a RACI (Responsibility-Accountability-Consult-Inform) strategy:

  1. Cloud security planning and design
  2. Governance and operations
  3. Multitenant security
  4. Security in an automated cloud environment
  5. Data in transit and at rest
  6. Identity management and federation
  7. Data sovereignty and on-shore operations
  8. Cloud security standards and certifications
  9. Cloud security best practices

NIST (2017). NIST Cyber Security Framework. Available at: (accessed: 10-10-17)
