A Methodology to Evaluate the Trustworthiness and Security Compliance of Cloud Service Providers
Sasko Ristov
Ss. Cyril and Methodius University, Skopje, Macedonia

Abstract
- Define a new methodology to evaluate CSPs in different cloud deployment models, according to the cloud consumers' needs.
- Introduce a factor, trustworthiness, beside the availability.
- Quantify the trustworthiness and the security of potential CSPs.
- Evaluate the security compliance of CSPs with cloud security challenges for different cloud deployment models.
CSA CEE Summit 2016, Ljubljana, Slovenia

Agenda
- State of the art
- Related work
- Methodology for CSP's Trustworthiness
- Evaluation of most common CSPs' Trustworthiness
- A Methodology for Evaluation of CSP Security Compliance
- Evaluation of CSP Security Compliance
- Putting it all together
- On-premise and Cloud Security Compliance Quantification
- Conclusion

State of the art - Cloud Computing
- How to choose a CSP?
- Standardisation
  - Still in its infancy period
  - Bigger players enforce the standards
- Many challenges
  - performance,
  - security and data privacy,
  - law compliance,
  - different cost and indemnification if the CSP does not meet the SLA conditions

Open issues
- Interoperability
- Portability
  - multiple server platforms

Evaluate CSP Performance
- Performance variability [Iosup 2011]
  - Same VM, different performance at various times [Gusev / Ristov 2013], [Gusev / Ristov 2012]
- Vertical scaling vs. horizontal scaling
  - Superlinear performance
  - Buy less, achieve more

Evaluate CSP Security
- CSA Cloud Control Matrix (CCM)
- Confidentiality, integrity and availability are concerns
- Different cloud deployment models, different security issues [Bhadauria 2012]
- Cloud improves RTO and RPO
  - The customer must check whether a CSP meets its RTO and RPO

Evaluate CSP Prices
- Pay as you consume
- Linear model
- Different price for
  - Windows / Linux
  - Performance
  - Traffic

Evaluate CSP Trustworthiness
- CSPs guarantee very high availability of their services
  - at least 99.9%, some even 100%
  - 99.9% corresponds to a maximum of 8.77 hours of downtime per year.
- This high guarantee does not imply that they comply with their SLAs.
  - CSPs' actual downtime is much greater
  - The cloud consumer's costs cannot be indemnified by the CSP.
- Service availability is not a decisive factor for many cloud consumers.
  - They are interested in a lower cost for an acceptable level of availability.

CSP Trustworthiness
- Improve the trustworthiness
  - Certify with some security standard (ISO 27001:2005)
- Ristov / Gusev 2012
  - New methodology for security evaluation of on-premise systems and cloud computing (IaaS, PaaS and SaaS)
- Security evaluation of open source cloud frameworks [Ristov 2013]

Other methodologies for Trustworthiness
- Cheng 2012: Trusted Cloud Service Platform Architecture
- Tanimoto 2011: Risk Avoidance, Risk Mitigation, Risk Acceptance, and Risk Transference
- Santos 2009: Trusted cloud computing platform
- Bhensook and Senivongse 2012: weighted scoring model

Our methodology for Trustworthiness
- Pauley 2010 - very comprehensive CSP transparency scorecard
  - includes the percent availability in CSPs' SLAs,
  - does not include the percentage of achieved availability

Our methodology for Trustworthiness
- Achieved availability = reliability
- Choose the most reliable and trustworthy CSP, rather than the one that guarantees the greatest availability or indemnification.
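As an added illustration of the two slides above (a 99.9% guarantee caps downtime at 8.77 hours a year, and achieved availability is taken as reliability), the following Python is example code written for this transcript, not code from the talk. It assumes a 365.25-day year and uses constructed placeholder providers and downtime figures rather than the measurements the talk presented; the talk's trustworthiness formula does not survive in the transcript, so the block stops at reliability and SLA compliance.

```python
from dataclasses import dataclass
from typing import List

# Assumption: a year of 365.25 days, which yields the slide's figure of
# 8.77 hours of permitted downtime for a 99.9% SLA (0.1% of 8766 hours).
HOURS_PER_YEAR = 365.25 * 24


def downtime_budget_hours(sla_availability_pct: float) -> float:
    """Yearly downtime a CSP may accumulate and still meet the availability it guarantees."""
    if not 0.0 <= sla_availability_pct <= 100.0:
        raise ValueError("availability must be a percentage in [0, 100]")
    return HOURS_PER_YEAR * (100.0 - sla_availability_pct) / 100.0


def achieved_availability_pct(observed_downtime_hours: float) -> float:
    """Achieved availability over a year, which the talk equates with reliability."""
    if not 0.0 <= observed_downtime_hours <= HOURS_PER_YEAR:
        raise ValueError("downtime must lie between 0 and one year of hours")
    return 100.0 * (1.0 - observed_downtime_hours / HOURS_PER_YEAR)


@dataclass(frozen=True)
class CspRecord:
    """One provider's guaranteed availability and the downtime actually observed.

    Names and numbers used below are constructed placeholders, not the
    measurements presented in the talk.
    """
    name: str
    sla_availability_pct: float
    observed_downtime_hours: float


def evaluate(record: CspRecord) -> dict:
    """Compare what a CSP promised (SLA) with what it delivered (reliability)."""
    budget = downtime_budget_hours(record.sla_availability_pct)
    reliability = achieved_availability_pct(record.observed_downtime_hours)
    return {
        "name": record.name,
        "sla_pct": record.sla_availability_pct,
        "downtime_budget_hours": budget,
        "observed_downtime_hours": record.observed_downtime_hours,
        "reliability_pct": reliability,
        "sla_met": record.observed_downtime_hours <= budget,
    }


def rank_by_sla(records: List[CspRecord]) -> List[str]:
    """Provider names ordered by the availability they guarantee, highest first."""
    ordered = sorted(records, key=lambda r: r.sla_availability_pct, reverse=True)
    return [r.name for r in ordered]


def rank_by_reliability(records: List[CspRecord]) -> List[str]:
    """Provider names ordered by achieved availability, most reliable first."""
    ordered = sorted(records, key=lambda r: r.observed_downtime_hours)
    return [r.name for r in ordered]


# Constructed sample data (placeholders, not real providers' figures).
SAMPLE = [
    CspRecord("CSP-A", 99.9, 12.0),   # promises 99.9%, exceeded its 8.77 h budget
    CspRecord("CSP-B", 99.95, 4.0),   # promises 99.95%, stayed within its 4.38 h budget
    CspRecord("CSP-C", 100.0, 6.0),   # promises 100%, so any downtime at all breaks the SLA
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(evaluate(rec))
    print("by guaranteed availability:", rank_by_sla(SAMPLE))
    print("by achieved availability:  ", rank_by_reliability(SAMPLE))
```

In the constructed sample the provider with the strongest guarantee (CSP-C) is not the one that delivered best (CSP-B), which is exactly the ordering the slide says a consumer should prefer: rank by achieved availability, not by the SLA figure.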

Availability

Indemnification
- Google offers credits and subscription extension,
- Microsoft offers money reimbursement.
- Unavailability of mission-critical data and applications can cause a greater loss than the CSP's indemnification.

Reliability

Trustworthiness

Availability evaluation
- Evaluation of
  - Google,
  - Microsoft,
  - SalesForce,
  - Rackspace,
  - Amazon

Reliability evaluation

Trustworthiness evaluation
- Google is the leader in trustworthiness, although it does not guarantee the greatest availability.
- For each CSP, the trustworthiness percentage is smaller than the availability offered in its SLA.

CSP overall evaluation
- All CSPs achieved the same place for reliability and trustworthiness (based on downtime in the last year)

ISMS
- CSPs can mitigate the risks of security incidents if they implement some international security standards
- Some CSPs offer security features to their consumers
- ISMS metric
  - 3: ISO or NIST or equivalent
  - 1: In-depth audit or certified with some audit standard such as SAS70 or COBIT
  - 0: No ISMS implemented

CloudCert
- Having an ISMS is not enough
  - ISO is not fully compliant with the additional cloud security challenges
- CloudCert parameter
  - determined by the CSP's level in the CSA Security, Trust & Assurance Registry (STAR)
- Introduce ISO into CloudCert?!

Evaluation of CSP Security Compliance

NIST Cloud deployment models
- NIST defined
  - Three cloud service models
  - Four cloud deployment models

CSA Cloud deployment models
- CSA defined five cloud deployment models
  - public,
  - private internal/on-premise,
  - private external,
  - community,
  - hybrid
- Interested in the first three
  - the case where a particular company migrates its services from on-premise into a cloud

Deployment models weight factor (WF)
- NIST's classification of the security controls
  - Management
  - Operational
  - Technical
- Weight factors for each deployment model that implements the ISO 27001:2005 control objectives
  - The management control objective WF is independent of whether the services are hosted on-premise or in the cloud
  - The operational WF is reduced to 1/2 in private external, since the consumer transfers the responsibilities to its CSP
  - On-premise is the same as private internal.

ISO Control objective evaluation
- 17 control objectives are evaluated as operational
- 9 as technical control objectives

ISO Control objective evaluation

ISO Control objective evaluation
- Example of evaluation: operating system access control
  - Internal private cloud: access to operating systems is controlled completely (both guest and host operating systems); evaluate with 1.
  - External private cloud: access to operating systems is controlled partially (only guest operating systems); evaluate with 1/2.
  - Public cloud: access to operating systems is not controlled (neither guest nor host); evaluate with 0.

On-premise Security Quantification
- Whether a CSP's security is compliant with its security level
- ISMS MAX = 3
- The cloud consumer can select / exclude the controls and control objectives to cover the identified requirements

CSPs' Deployment Models Security Compliance Quantification
- ISMS C MAX = 6 (3 + 3)

CSPs' Deployment Models Security Compliance Quantification
- Since the cloud consumer transfers some of the responsibilities to the CSP, the CSP's COTk is the opposite, i.e., 1 - COTk
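As an added example for the control objective evaluation slide (operating system access control scored 1, 1/2 and 0 across internal private, external private and public cloud) and for the complement rule just stated (the CSP's share of control objective k is 1 - COTk), the following Python is written for this transcript and is not the talk's own code. The first catalogue entry is the slide's worked example; the other two objectives carry hypothetical values chosen only to show the aggregation, and the "on-premise equals private internal" mapping follows the weight factor slide. The weight factors and the ISMS / CloudCert totals are not combined here, because the transcript does not give the formula that joins them.

```python
from fractions import Fraction
from typing import Dict, List, NamedTuple

# Deployment models the talk is interested in; on-premise is treated as private
# internal, as the weight factor slide states.
MODELS = ("private internal", "private external", "public")
MODEL_ALIASES = {"on-premise": "private internal"}


class ControlObjective(NamedTuple):
    name: str
    control_class: str          # management / operational / technical (NIST classes)
    cot: Dict[str, Fraction]    # COTk per deployment model, from the consumer's side


# Constructed catalogue: the first entry is the slide's own worked example
# (operating system access control: 1, 1/2, 0); the other two carry hypothetical
# values chosen only to show the aggregation and are not taken from the talk.
CONTROL_OBJECTIVES: List[ControlObjective] = [
    ControlObjective("Operating system access control", "technical",
                     {"private internal": Fraction(1), "private external": Fraction(1, 2),
                      "public": Fraction(0)}),
    ControlObjective("Physical and environmental security (hypothetical values)", "operational",
                     {"private internal": Fraction(1), "private external": Fraction(0),
                      "public": Fraction(0)}),
    ControlObjective("Security policy (hypothetical values)", "management",
                     {"private internal": Fraction(1), "private external": Fraction(1),
                      "public": Fraction(1)}),
]


def normalise_model(model: str) -> str:
    """Map aliases (on-premise) onto the model names used in the catalogue."""
    model = MODEL_ALIASES.get(model, model)
    if model not in MODELS:
        raise ValueError(f"unknown deployment model: {model!r}")
    return model


def validate(objective: ControlObjective) -> None:
    """Every COTk must be defined for each model and lie within [0, 1]."""
    for model in MODELS:
        value = objective.cot.get(model)
        if value is None or not 0 <= value <= 1:
            raise ValueError(f"{objective.name}: invalid COT for {model}: {value}")


def consumer_cot(objective: ControlObjective, model: str) -> Fraction:
    """Share of control objective k that the cloud consumer still controls in this model."""
    validate(objective)
    return objective.cot[normalise_model(model)]


def csp_cot(objective: ControlObjective, model: str) -> Fraction:
    """The CSP's share is the opposite of the consumer's: 1 - COTk."""
    return Fraction(1) - consumer_cot(objective, model)


def responsibility_split(objectives: List[ControlObjective], model: str) -> Dict[str, Fraction]:
    """Total consumer-retained and CSP-transferred shares across all objectives.

    The two totals always add up to the number of objectives, which is a quick
    sanity check that no objective was counted twice or left unassigned.
    """
    consumer = sum((consumer_cot(o, model) for o in objectives), Fraction(0))
    csp = sum((csp_cot(o, model) for o in objectives), Fraction(0))
    assert consumer + csp == len(objectives)
    return {"consumer": consumer, "csp": csp, "objectives": Fraction(len(objectives))}


if __name__ == "__main__":
    for model in ("on-premise",) + MODELS:
        split = responsibility_split(CONTROL_OBJECTIVES, model)
        print(f"{model:17s} consumer={split['consumer']} csp={split['csp']}")
```

Fractions are used instead of floats so that the 1/2 scores from the slide stay exact and the consumer and CSP totals always sum to the objective count, which is what makes the complement rule checkable.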

Discussion / Conclusion
- ISO is a more detailed standard compared to the COBIT certificate
  - COBIT or other related certificates are evaluated with 1,
  - ISO or NIST SP with 3.
- The CSPs' employee certificates are not included in our evaluation, since implementing the ISMS assures the employees' security awareness
  - all employees should have CISSP, CISM or other security certification; otherwise this control is irrelevant
  - the consumer should trust more in a comprehensive external audit by relevant certified authorities, rather than in the CSP's employees
- Compliance with different cloud deployment models
