Which of the following is the most critical consideration for a company that wants to outsource part of its infrastructure using Platform-as-a-Service (PaaS) providers?
Review the need for encryption of stored and transmitted application data.
Mandate users of the new application to adopt specific, minimum-length passwords.
Assign the service vendor responsible for application security through contractual terms.
Deploy a firewall that monitors incoming traffic using the organization's standard settings.
A. Requiring application users to maintain another password may not be popular. A more fundamental reason is that many cloud service providers expose their services via application programming interfaces (APIs). These APIs are designed to accept tokens, not passwords. Ideally, they use an open standard such as Security Assertion Markup Language (SAML) or WS-Federation for exchanging authentication and authorization information. An authentication scheme needs to take into account the type of application users: organization employees, employees of partner organizations, customers, or a combination of user types. Additionally, the increasing trend is for web applications to be accessible from multiple device types. Therefore, the organization may need to employ a bring-your-own-identity scheme of authentication. An appropriate mechanism (such as a security token, smart card, or one-time password via short message service [SMS] or telephone), chosen based on assessed risk, should be used to confirm user identity.
B. In a PaaS cloud computing model, network security remains the responsibility of the cloud service provider. Because multiple tenants use the cloud service provider's infrastructure, insisting on a specific firewall configuration is not practical, although it may be possible to agree to some arrangements when negotiating the service contract. The deperimeterized nature of cloud computing enhances the need for strong application security controls to be designed, tested and implemented.
C. With cloud computing, an application does not run on an organization's trusted environment. Instead, it runs on infrastructure shared by other tenants and administered by people not employed by the organization. Therefore, depending on the nature of the data, there may be a greater need to rely on encryption to protect privacy. This may apply not just to data when they are stored in the cloud, but also during transmission. However, careful consideration must be given to the nature of the data to understand what degree of protection is needed. Using encryption can increase complexity and have performance implications. The possibility of using compensating controls, e.g., protecting stored data through database access controls, should also be considered.
D. In a PaaS cloud computing model, the service provider supplies the computing infrastructure and development frameworks. While requirements for basic infrastructure security can be discussed and possibly included as contract terms, responsibility for building a secure application rests with the customer organization. Given that cloud computing enhances some threats present with traditional in-house hosted systems as well as introducing some new threats, it is particularly important that application security controls be given strong focus during application development.