ISO/IEC 27001

ISO/IEC 27001 contains the requirements for designing, implementing and maintaining an information security management system; it identifies the interested parties and their needs, and the security risks and the actions taken to address them.

ISO/IEC 27002

ISO/IEC 27002 describes the best practices, or security controls, used to implement and maintain the security management system. These recommendations and best practices are not written specifically for cloud computing, but they can be applied to cloud services, and providers can certify their cloud services' compliance with the standards. ISO/IEC is currently developing a new standard (ISO/IEC 27017) that deals with cloud computing specifically by mapping the ISO/IEC 27002 controls to cloud services.

ISO/IEC 27018


ISO/IEC 27018 standard extends the established ISO/IEC 27002 standard to deal with the protection of Personally Identifiable Information (PII) in public clouds, which act as processors of personal data.


OAuth2 is an IETF standard (RFC 6749) for authorisation; it enables the delegation of rights and permissions by creating dynamic credentials to provide a trustworthy communicating infrastructure. On top of OAuth, OpenID Connect provides user authentication via a simple API to verify the identity of the user and obtain basic profile information.
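
The identity verification that OpenID Connect layers on OAuth2 comes down to the client checking the ID token it receives. The following is an added example (not code from the original page, and not the reference implementation of any OpenID library) that performs those checks with the Python standard library. It assumes an HS256-signed ID token, which OIDC allows for confidential clients that share a client secret with the provider; the issuer URL, client ID and secret are constructed placeholders, and `mint_id_token` stands in for the OpenID Provider so the example runs offline.

```python
"""Validating an OpenID Connect ID token at the relying party (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://op.example.test"                    # assumed OpenID Provider issuer
CLIENT_ID = "rp-client-1234"                          # assumed client_id of this relying party
CLIENT_SECRET = b"constructed-client-secret-not-real"  # constructed, shared with the provider


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Stand-in for the OpenID Provider: signs a JWT with HS256 (constructed helper)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: Optional[int] = None,
                      secret: bytes = CLIENT_SECRET, leeway: int = 60) -> dict:
    """Returns the claims of a valid ID token; raises ValueError on any failure.

    The checks follow the ID token validation rules of OpenID Connect Core:
    signature, issuer, audience (and azp), expiry, issue time and nonce.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose 'none' or a different one.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    # Only now is the payload trustworthy enough to read.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    # With several audiences the token must name the authorized party explicitly.
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp missing or wrong for multi-audience token")
    if now >= int(claims.get("exp", 0)) + leeway:
        raise ValueError("token expired")
    if int(claims.get("iat", 0)) > now + leeway:
        raise ValueError("token issued in the future")
    # The nonce ties the token to the authentication request that started the flow.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def is_valid_id_token(token: str, expected_nonce: str, now: Optional[int] = None) -> bool:
    """Boolean form of validate_id_token, convenient for policy decisions and tests."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    token = mint_id_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                           "exp": t0 + 300, "iat": t0, "nonce": "n-1"})
    print("subject:", validate_id_token(token, "n-1", now=t0)["sub"])
    print("same token after expiry accepted?", is_valid_id_token(token, "n-1", now=t0 + 400))
```

The order of the checks is the point: the signature is verified before any claim is read, the algorithm is fixed by the client rather than taken from the token, and the nonce binds the token to the specific login attempt so a captured token cannot be replayed into another session. A production relying party using RS256 would replace the HMAC comparison with an RSA signature check against the provider's published JWKS, and the remaining checks stay the same.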

SAML (Security Assertion Markup Language)

SAML (Security Assertion Markup Language) is an XML-based standard by OASIS for exchanging authentication and authorisation information between an identity provider and a service provider.
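
The authentication information SAML carries is an XML assertion, and the service provider has to check that assertion before trusting it. The following is an added example (not from the original page, and not the code of any SAML product) showing, with the Python standard library, the checks that follow XML Signature verification: issuer, validity window, audience restriction and bearer subject confirmation. The assertion, the IdP entity ID, the SP entity ID and the assertion consumer service URL are all constructed placeholders. Verifying the XML Signature over the assertion is deliberately left out; it must run first, with a signature library such as xmlsec, on the signed element exactly as received.

```python
"""Post-signature checks on a SAML 2.0 Assertion at the service provider (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed SP configuration (constructed values).
EXPECTED_ISSUER = "https://idp.example.test/metadata"
SP_ENTITY_ID = "https://sp.example.test/metadata"
ACS_URL = "https://sp.example.test/saml/acs"

# Constructed assertion, trimmed to the elements the checks below use.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-15T10:05:00Z"
          Recipient="https://sp.example.test/saml/acs" InResponseTo="_req-77"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_time(value: str) -> datetime:
    # SAML timestamps are xsd:dateTime in UTC; this accepts the trailing-'Z' form.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime, request_id: Optional[str]) -> str:
    """Returns the NameID when every check passes; raises ValueError otherwise."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise ValueError("root element is not a saml:Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    not_before = cond.get("NotBefore")
    if not_before and now < _parse_time(not_before):
        raise ValueError("assertion not yet valid")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not not_on_or_after or now >= _parse_time(not_on_or_after):
        raise ValueError("assertion expired or has no expiry")
    # The assertion must name this SP as an audience, or it was meant for someone else.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this SP")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        raise ValueError("missing SubjectConfirmationData")
    if scd.get("Recipient") != ACS_URL:
        raise ValueError("Recipient does not match this ACS endpoint")
    # InResponseTo ties the assertion to an AuthnRequest this SP actually sent.
    if scd.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if now >= _parse_time(scd.get("NotOnOrAfter", "1970-01-01T00:00:00Z")):
        raise ValueError("subject confirmation expired")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing NameID")
    return name_id


def is_valid_assertion(xml_text: str, now_iso: str, request_id: Optional[str]) -> bool:
    """Boolean form of validate_assertion taking the clock as an ISO-8601 UTC string."""
    try:
        validate_assertion(xml_text, _parse_time(now_iso), request_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    clock = _parse_time("2024-01-15T10:01:00Z")  # constructed clock inside the window
    print("NameID:", validate_assertion(SAMPLE_ASSERTION, clock, "_req-77"))
    print("replay with unknown request id accepted?",
          is_valid_assertion(SAMPLE_ASSERTION, "2024-01-15T10:01:00Z", "_req-99"))
```

Each check closes a distinct gap: the audience and Recipient checks stop an assertion issued for one service provider from being presented to another, the InResponseTo check stops an unsolicited or replayed assertion, and the short NotOnOrAfter window limits how long a captured assertion stays usable. The SP also needs to remember assertion IDs it has already consumed within the window, which the example leaves to the caller.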


Shibboleth is web-based technology from the Internet2 initiative that implements identity management and federated identity-based authentication and authorization.


WS-Federation is a standard proposed by OASIS for implementing federation identity; it enables a security domain to broker for identities, identity attributes and authentication.


WS-Policy is a W3C standard that defines how web services can use XML to express their constraints in terms of policies on security and QoS and how end users can specify their policy requirements (expressed as policy assertions).


WS-Security is an OASIS security standard that extends the Simple Object Access protocol (SOAP) to define how integrity and confidentiality can be enforced on messages by using Extensible Markup Language (XML) Signature and XML Encryption.


X.1601 is an ITU Telecommunication Standardization Sector (ITU-T) family standard that addresses the design security framework for cloud computing. The standard analyses the security threats and challenges in cloud computing, and provides recommendations to mitigate security risks. From these analysis and recommendations, a cloud computing customer should be able to do a risk assessment of adopting cloud computing. Major threats analysed in the standard for cloud customers are: data loss and leakage, insecure service access, and insider threats. The main security challenges for customers are: ambiguity in responsibility due to legal requirements, loss of governance and privacy by outsourcing services to cloud providers, and cloud service provider lock-in. Finally the standard ITU-T X1600 identifies recommendations to address security threats and challenges.