Any life truly lived is a risky business, and if one puts up too many fences against the risks one ends by shutting out life itself.
Commercial, industrial, military, and government IT operations are subject to a variety of regulatory and statutory requirements with regard to the security of sensitive data. Migration from a conventional IT server environment to a cloud paradigm poses new challenges and risks, and provides cost-saving opportunities.
IT organizations have relied on standards and guidelines from a number of organizations, including the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Open Web Application Security Project (OWASP), the Organization for the Advancement of Structured Information Standards (OASIS), and the European Telecommunications Standards Institute (ETSI). These standards address life cycle issues, including requirements, architectures, implementation, deployment, and security.
In order for cloud computing to gain acceptance and trust, standards have to be developed for the cloud environment. In addition, important aspects of cloud security such as incident management and response, encryption, key management, and retirement of hardware and software must be addressed and incorporated into cloud computing implementations. This chapter covers these important topics.
There are a number of important guidelines and initiatives ...