Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Methodology to Evaluate the Trustworthiness and Security Compliance of Cloud Service Providers Sasko Ristov Ss. Cyril and Methodius University, Skopje,

Published byLinda Rosa Murphy Modified over 8 years ago

Similar presentations

Presentation on theme: "A Methodology to Evaluate the Trustworthiness and Security Compliance of Cloud Service Providers Sasko Ristov Ss. Cyril and Methodius University, Skopje,"— Presentation transcript:

1 A Methodology to Evaluate the Trustworthiness and Security Compliance of Cloud Service Providers Sasko Ristov Ss. Cyril and Methodius University, Skopje, Macedonia

2 Abstract  Define a new methodology to evaluate the CSPs in different cloud deployment models  according to the cloud consumers’ needs.  Introduce a factor trustworthiness beside the availability.  quantify the trustworthiness and the security of potential CSPs  Evaluate the security compliance of CSPs with cloud security challenges for different cloud deployment models. CSA CEE Summit 2016, Ljubljana, Slovenia2

3 Agenda  State of the art  Related work  Methodology for CSP’s Trustworthiness  Evaluation of most common CSPs’ Trustworthiness  A Methodology for Evaluation of CSP Security Compliance  Evaluation of CSP Security Compliance  Putting it all together  On-premise and Cloud Security Compliance Quantification  Conclusion CSA CEE Summit 2016, Ljubljana, Slovenia3

4 State of the art - Cloud Computing  How to choose a CSP?  Standardisation  Still in infancy period  Bigger players enforce the standards  Many challenges  performance,  security and data privacy,  law compliance,  different cost and indemnification  if the CSP does not meet the SLA conditions CSA CEE Summit 2016, Ljubljana, Slovenia4

5 Open issues  Interoperability  Portability  multiple server platforms CSA CEE Summit 2016, Ljubljana, Slovenia5

6 Agenda  State of the art  Related work  Methodology for CSP’s Trustworthiness  Evaluation of most common CSPs’ Trustworthiness  A Methodology for Evaluation of CSP Security Compliance  Evaluation of CSP Security Compliance  Putting it all together  On-premise and Cloud Security Compliance Quantification  Conclusion CSA CEE Summit 2016, Ljubljana, Slovenia6

7 Evaluate CSP Performance  Performance variability  [Iosup 2011]  Same VM – different performance in various time  [Gusev / Ristov 2013], [Gusev / Ristov 2012]  Vertical scaling horizontal scaling  Superlinear performance  Buy less, achieve more CSA CEE Summit 2016, Ljubljana, Slovenia7

8 Evaluate CSP Security  CSA Cloud Control Matrix (CCM)  3.0.1  Confidentiality, integrity and availability are concerns  Different cloud deployment models  Different security issues [Bhadauria 2012]  Cloud improves RTO and RPO  Customer must check if a CSP meets its RTO and RPO CSA CEE Summit 2016, Ljubljana, Slovenia8

9 Evaluate CSP Prices  Pay as you consume  Linear model  Different price for  Windows / Linux  Performance  Traffic CSA CEE Summit 2016, Ljubljana, Slovenia9

10 Evaluate CSP Trustworthiness  CSPs guarantee very high availability of their services  at least 99.9%  some even 100%  guarantee maximum 8.77 hours of downtime per year.  This high guarantee does not imply that they comply with their SLAs.  CSPs' downtime is much greater  Cloud consumer's costs cannot be indemnified by CSP's.  Service availability is not a decisive factor for many cloud consumers.  interested in lower cost for an acceptable level of availability. CSA CEE Summit 2016, Ljubljana, Slovenia10

11 CSP Trustworthiness  Improve the trustworthiness  Certify with some security standard  ISO 27001:2005  Ristov / Gusev 2012  New methodology for security evaluation of on-premise systems and cloud computing  IaaS, PaaS and SaaS  Security evaluation of open source cloud frameworks  [Ristov 2013] CSA CEE Summit 2016, Ljubljana, Slovenia11

12 Other methodologies for Trustworthiness  Cheng 2012  Trusted Cloud Service Platform Architecture  Tanimoto 2011  Risk Avoidance, Risk Mitigation, Risk Acceptance, and Risk Transference  Santos 2009  Trusted cloud computing platform  Bhensook and Senivongse 2012  weighted scoring model CSA CEE Summit 2016, Ljubljana, Slovenia12

13 Our methodology for Trustworthiness  Pauley 2010 – very comprehensive  CSP transparency scorecard  includes the percent availability in CSPs' SLA,  does not include the percentage of achieved availability CSA CEE Summit 2016, Ljubljana, Slovenia13

14 Our methodology for Trustworthiness  Achieved availability = reliability  Choose the most reliable and trustworthy CSP, rather than the one that guarantee the greatest availability or indemnification. CSA CEE Summit 2016, Ljubljana, Slovenia14

15 Agenda  State of the art  Related work  Methodology for CSP’s Trustworthiness  Evaluation of most common CSPs’ Trustworthiness  A Methodology for Evaluation of CSP Security Compliance  Evaluation of CSP Security Compliance  Putting it all together  On-premise and Cloud Security Compliance Quantification  Conclusion CSA CEE Summit 2016, Ljubljana, Slovenia15

16 Availability CSA CEE Summit 2016, Ljubljana, Slovenia16

17 Indemnification  Google  offers credits and subscription extension,  Microsoft  offers money reimbursement.  Mission critical data and application unavailability can provide a grater loss than CSP's indemnification. CSA CEE Summit 2016, Ljubljana, Slovenia17

18 Reliability CSA CEE Summit 2016, Ljubljana, Slovenia18

19 Trustworthiness CSA CEE Summit 2016, Ljubljana, Slovenia19

20 Availability evaluation  Evaluation of  Google,  Microsoft,  SalesForce,  Rackspace  Amazon CSA CEE Summit 2016, Ljubljana, Slovenia20

21 Reliability evaluation CSA CEE Summit 2016, Ljubljana, Slovenia21

22 Trustworthiness evaluation  Google is the leader in trustworthiness, although it does not guarantee the greatest availability.  The trustworthiness % is smaller than offered availability for each CSP in its SLA CSA CEE Summit 2016, Ljubljana, Slovenia22

23 CSP overall evaluation  All CSPs achieved the same place for reliability and trustworthiness  downtime in the last year CSA CEE Summit 2016, Ljubljana, Slovenia23

24 Agenda  State of the art  Related work  Methodology for CSP’s Trustworthiness  Evaluation of most common CSPs’ Trustworthiness  A Methodology for Evaluation of CSP Security Compliance  Evaluation of CSP Security Compliance  Putting it all together  On-premise and Cloud Security Compliance Quantification  Conclusion CSA CEE Summit 2016, Ljubljana, Slovenia24

25 ISMS  CSPs can mitigate the risks of security incidents if they implement some international security standards  Some CSPs offer security features to their consumers  ISMS Metrics  3  ISO 27001 or NIST 800-53 or equivalent  1  In-depth audit or certified with some audit standard such as SAS70 or COBIT  0  No ISMS implemented CSA CEE Summit 2016, Ljubljana, Slovenia25

26 CloudCert  Having ISMS is not enough  ISO 27001 is not fully compliant with additional cloud security challenges  CloudCert parameter  determining a level of the CSA Security, Trust \& Assurance Registry (STAR) level  Introduce ISO 27017 in CloudCert ?! CSA CEE Summit 2016, Ljubljana, Slovenia26

27 Evaluation of CSP Security Compliance CSA CEE Summit 2016, Ljubljana, Slovenia27

28 Agenda  State of the art  Related work  Methodology for CSP’s Trustworthiness  Evaluation of most common CSPs’ Trustworthiness  A Methodology for Evaluation of CSP Security Compliance  Evaluation of CSP Security Compliance  Putting it all together  On-premise and Cloud Security Compliance Quantification  Conclusion CSA CEE Summit 2016, Ljubljana, Slovenia28

29 NIST Cloud deployment models  NIST defined  Three cloud service models:  Four cloud deployment models  CSA CEE Summit 2016, Ljubljana, Slovenia29

30 CSA Cloud deployment models  CSA defined  Five cloud deployment models  public,  private internal/on-premise,  private external,  community  hybrid  Interested in the first three  if a particular company migrates its services from on-premise into a cloud CSA CEE Summit 2016, Ljubljana, Slovenia30

31 Deployment models weight factor (WF)  Nist’s classification of the security controls  Management  Operational  Technical  Weight factors for each deployment model that implements the ISO 27001:2005 control objectives  The management control objective WF is independent of whether the services are hosted on-premise or in cloud  Operational is reduced to ½  consumer transfers the responsibilities to its CSP in private external  On-premise is the same as Private internal. CSA CEE Summit 2016, Ljubljana, Slovenia31

32 ISO 27001 Control objective evaluation  17 control objectives are evaluated as operational  9 as technical control objectives CSA CEE Summit 2016, Ljubljana, Slovenia32

33 ISO 27001 Control objective evaluation CSA CEE Summit 2016, Ljubljana, Slovenia33

34 ISO 27001 Control objective evaluation  Example of evaluation  Operating system access control  controls the access to operating systems completely in internal private cloud (both guest and host operating systems).  evaluate with 1;  controls the access to operating systems partially in external private cloud (only guest operating systems) and  evaluate with 1/2  does not control the access to operating systems in public cloud (neither guest nor host)  evaluate it with 0. CSA CEE Summit 2016, Ljubljana, Slovenia34

35 On-premise Security Quantification  if a CSP security is compliant with its security level  ISMS MAX = 3  Cloud consumer can select / exclude the controls and control objectives to cover the identified requirements CSA CEE Summit 2016, Ljubljana, Slovenia35

36 CSPs’ Deployment Models Security Compiance Quantification  ISMS C MAX = 6 (3+3) CSA CEE Summit 2016, Ljubljana, Slovenia36

37 CSPs’ Deployment Models Security Compiance Quantification  Since the cloud consumer transfers some of the responsibilities to CSP, its COTk is opposite, i.e., 1 – COTk CSA CEE Summit 2016, Ljubljana, Slovenia37

38 Agenda  State of the art  Related work  Methodology for CSP’s Trustworthiness  Evaluation of most common CSPs’ Trustworthiness  A Methodology for Evaluation of CSP Security Compliance  Evaluation of CSP Security Compliance  Putting it all together  On-premise and Cloud Security Compliance Quantification  Conclusion CSA CEE Summit 2016, Ljubljana, Slovenia38

39 Discussion / Conclusion  ISO 27001 is more detailed standard compared to the COBIT certificate  COBIT or other related certificates is evaluated with 1,  ISO 27001 or NIST SP800-53 with 3.  Do not include the CSPs' employees certificates into our evaluation since implementing the ISMS assures the employee security awareness  all employees should have CISSP, CISM or other security certification; otherwise this control is irrelevant  consumer should trust more on comprehend external audit of relevant certified authorities, rather than CSP's employees  Compliance with different cloud deployment models CSA CEE Summit 2016, Ljubljana, Slovenia39

40 CSA CEE Summit 2016, Ljubljana, Slovenia40

Download ppt "A Methodology to Evaluate the Trustworthiness and Security Compliance of Cloud Service Providers Sasko Ristov Ss. Cyril and Methodius University, Skopje,"

Similar presentations

IT Industry & Cloud Computing. Trends ‘2011- The year of high salaries and immense job opportunities for IT job seekers’ (Source – Blog.Timesjobs.com)

IT Industry & Cloud Computing. Trends ‘2011- The year of high salaries and immense job opportunities for IT job seekers’ (Source – Blog.Timesjobs.com)
The CCM framework consists of 11 Control Areas that are important to be measured, especially when comparing between different cloud provider offering.

The CCM framework consists of 11 Control Areas that are important to be measured, especially when comparing between different cloud provider offering.
The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.

The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Page 1 Cloud Computing Best Practices and Considerations for Project Managers Mike Lamoureux, PMP, MBA.

Page 1 Cloud Computing Best Practices and Considerations for Project Managers Mike Lamoureux, PMP, MBA.
GS1 Industry & Standards Event 26-30 September 2011 Cologne, Germany Creating value together with global standards Cloud Computing Time of Session: 09:00.

GS1 Industry & Standards Event September 2011 Cologne, Germany Creating value together with global standards Cloud Computing Time of Session: 09:00.
AUTHENTICATION IN THE CLOUD Are we really safe in the cloud?

AUTHENTICATION IN THE CLOUD Are we really safe in the cloud?
Supervisor : Mr. Hadi Salimi Advanced Topics in Information Systems Mazandaran University of Science and Technology February 4, 2011 Survey on Cloud Computing.

Supervisor : Mr. Hadi Salimi Advanced Topics in Information Systems Mazandaran University of Science and Technology February 4, 2011 Survey on Cloud Computing.
What is Cloud Computing? o Cloud computing:- is a style of computing in which dynamically scalable and often virtualized resources are provided as a service.

What is Cloud Computing? o Cloud computing:- is a style of computing in which dynamically scalable and often virtualized resources are provided as a service.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
A T AXONOMY AND S URVEY OF C LOUD C OMPUTING S YSTEMS Reporter: Steven Chen Date: 2010/10/27 1.

A T AXONOMY AND S URVEY OF C LOUD C OMPUTING S YSTEMS Reporter: Steven Chen Date: 2010/10/27 1.
Cloud Computing Will Crowley Monica Lopez Jaimie Morrison.

Cloud Computing Will Crowley Monica Lopez Jaimie Morrison.
Presented by Sujit Tilak. Evolution of Client/Server Architecture Clients & Server on different computer systems Local Area Network for Server and Client.

Presented by Sujit Tilak. Evolution of Client/Server Architecture Clients & Server on different computer systems Local Area Network for Server and Client.
BI in the Cloud – Sky is the limit Vishal Agrawal Product Technical Architect Infosys Tech Ltd Anand Govindarajan Principal Technology Architect Infosys.

BI in the Cloud – Sky is the limit Vishal Agrawal Product Technical Architect Infosys Tech Ltd Anand Govindarajan Principal Technology Architect Infosys.
Oyinkan Adedun Adeleye Caitlyn Carney Tyler Nguyen.

Oyinkan Adedun Adeleye Caitlyn Carney Tyler Nguyen.
Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.

Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.
Www.isaca.org Cloud Computing Risk Assessments Donald Gallien March 31, 2011.

Cloud Computing Risk Assessments Donald Gallien March 31, 2011.
Cloud Brokers and the Health Industry Andrea Bilobrk.

Cloud Brokers and the Health Industry Andrea Bilobrk.
Plan Introduction What is Cloud Computing?

Plan Introduction What is Cloud Computing?
Consultancy.

Consultancy.

Similar presentations

Ads by Google