Trudy SPIIRAN
Trudy SPIIRAN, 2020, Issue 19, volume 2, Pages 383–411
DOI: https://doi.org/10.15622/sp.2020.19.2.6
(Mi trspy1103)
 

This article is cited in 1 scientific paper (total in 1 paper)

Information Security

Method for evaluating security of Cloud IT-components based on estandards criteria

I. Livshitz

ITMO University (Saint Petersburg National Research University of Information Technologies, Mechanics and Optics)
Abstract: An analysis of well-known methods for ensuring IT-security is presented, and methods for evaluating the security of IT-components and of Cloud services in general are considered.
An attempt is made to analyze cloud services from the position of system analysis rather than from the commercial position of a popular marketing product. The previously introduced procedure for evaluating IT-components is not stable, since the end user does not have a 100% guarantee of access to all IT-components, and even less so to a remote and uncontrolled Cloud service. A number of reviews point to increased efforts to create a secure network architecture and the ability to continuously monitor deviations from established business goals. In contrast to the Zero Trust and Zero Trust eXtended models, in which additional security functions are superimposed on existing IT-components, it is proposed to consider the set of IT-components as a new entity: an Information Processing System. This makes it possible to move to formal processes for assessing the degree of compliance with the criteria of standards for both existing and prospective IT-components while ensuring the security of Cloud services.
A new evaluation method is proposed, based on the previously developed hybrid methodology and using formal procedures built on two systems of criteria: assessment of the degree of compliance of management systems (based on the ISO/IEC 27001 series) and assessment of functional safety requirements (based on the IEC 61508 series and the ISO/IEC 15408 series). This method provides reproducible and objective assessments of the security risks of Cloud-based IT-components that can be presented to an independent group of evaluators for verification. The results obtained can be applied in independent assessment, including of critical information infrastructure objects.
Keywords: management system, risk, information technology, IT-security, audit, standard, expertise, assessment.
Received: 25.09.2019
Document Type: Article
UDC: 004.094
Language: Russian
Citation: I. Livshitz, “Method for evaluating security of Cloud IT-components based on estandards criteria”, Tr. SPIIRAN, 19:2 (2020), 383–411
Citation in format AMSBIB
\Bibitem{Liv20}
\by I.~Livshitz
\paper Method for evaluating security of Cloud IT-components based on estandards criteria
\jour Tr. SPIIRAN
\yr 2020
\vol 19
\issue 2
\pages 383--411
\mathnet{http://mi.mathnet.ru/trspy1103}
\crossref{https://doi.org/10.15622/sp.2020.19.2.6}
Linking options:
  • https://www.mathnet.ru/eng/trspy1103
  • https://www.mathnet.ru/eng/trspy/v19/i2/p383