
A Methodology to Evaluate the Trustworthiness and Security Compliance of Cloud Service Providers

This paper introduces a new methodology to evaluate the trustworthiness and security compliance of cloud service providers (CSPs) in different cloud deployment models. It quantifies the trustworthiness and security of potential CSPs and evaluates their security compliance with cloud security challenges. The methodology is aimed at helping cloud consumers choose reliable and secure CSPs based on their specific needs.



Presentation Transcript


  1. A Methodology to Evaluate the Trustworthiness and Security Compliance of Cloud Service Providers. Sasko Ristov, Ss. Cyril and Methodius University, Skopje, Macedonia

  2. Abstract • Define a new methodology to evaluate CSPs in different cloud deployment models according to the cloud consumers’ needs. • Introduce trustworthiness as a factor alongside availability. • Quantify the trustworthiness and the security of potential CSPs. • Evaluate the security compliance of CSPs with cloud security challenges for different cloud deployment models. CSA CEE Summit 2016, Ljubljana, Slovenia

  3. Agenda • State of the art • Related work • Methodology for CSP’s Trustworthiness • Evaluation of most common CSPs’ Trustworthiness • A Methodology for Evaluation of CSP Security Compliance • Evaluation of CSP Security Compliance • Putting it all together • On-premise and Cloud Security Compliance Quantification • Conclusion

  4. State of the art - Cloud Computing • How to choose a CSP? • Standardisation is still in its infancy; the bigger players enforce the standards. • Many challenges: performance; security and data privacy; law compliance; different cost and indemnification if the CSP does not meet the SLA conditions.

  5. Open issues • Interoperability • Portability • Multiple server platforms


  7. Evaluate CSP Performance • Performance variability [Iosup 2011]: the same VM delivers different performance at different times. • [Gusev / Ristov 2013], [Gusev / Ristov 2012]: vertical scaling vs. horizontal scaling; superlinear performance, i.e. buy less, achieve more.

  8. Evaluate CSP Security • CSA Cloud Control Matrix (CCM) v3.0.1 • Confidentiality, integrity and availability are the concerns. • Different cloud deployment models raise different security issues [Bhadauria 2012]. • Cloud improves RTO and RPO, but the customer must check whether a CSP meets its required RTO and RPO.

  9. Evaluate CSP Prices • Pay as you consume • Linear model • Different prices for Windows / Linux, performance and traffic

  10. Evaluate CSP Trustworthiness • CSPs guarantee very high availability of their services: at least 99.9%, some even 100%. A 99.9% guarantee means a maximum of 8.77 hours of downtime per year. • This high guarantee does not imply that they comply with their SLAs; CSPs' actual downtime is much greater. • The cloud consumer's costs cannot be indemnified by the CSP. • Service availability is not a decisive factor for many cloud consumers; they are interested in lower cost for an acceptable level of availability.

  11. CSP Trustworthiness • Improve the trustworthiness: certify with a security standard such as ISO 27001:2005. • [Ristov / Gusev 2012]: a new methodology for security evaluation of on-premise systems and cloud computing (IaaS, PaaS and SaaS). • Security evaluation of open source cloud frameworks [Ristov 2013].

  12. Other methodologies for Trustworthiness • [Cheng 2012]: Trusted Cloud Service Platform Architecture • [Tanimoto 2011]: risk avoidance, risk mitigation, risk acceptance and risk transference • [Santos 2009]: trusted cloud computing platform • [Bhensook and Senivongse 2012]: weighted scoring model

  13. Our methodology for Trustworthiness • [Pauley 2010] is very comprehensive: a CSP transparency scorecard that includes the percent availability in the CSPs' SLAs, but does not include the percentage of achieved availability.

  14. Our methodology for Trustworthiness • Achieved availability = reliability • Choose the most reliable and trustworthy CSP, rather than the one that guarantees the greatest availability or indemnification.


  16. Availability

  17. Indemnification • Google offers credits and subscription extension. • Microsoft offers money reimbursement. • Unavailability of mission-critical data and applications can cause a greater loss than the CSP's indemnification.

  18. Reliability

  19. Trustworthiness

  20. Availability evaluation • Evaluation of Google, Microsoft, SalesForce, Rackspace and Amazon

  21. Reliability evaluation

  22. Trustworthiness evaluation • Google is the leader in trustworthiness, although it does not guarantee the greatest availability. • For each CSP, the trustworthiness percentage is smaller than the availability offered in its SLA.

  23. CSP overall evaluation • All CSPs achieved the same ranking for reliability and trustworthiness, based on their downtime in the last year.
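The distinction slides 10 and 14 draw, between the availability a CSP guarantees in its SLA and the reliability (achieved availability) it actually delivers, is easy to make concrete in code. The following Python is an added example, not code from the slides or the author: it derives the yearly downtime budget implied by an SLA percentage, computes achieved availability from a year of outage records, flags SLA breaches, and ranks providers by reliability. Provider names, SLA figures and outage durations are constructed sample data, not measurements of any real CSP.

```python
"""Reliability (achieved availability) against the availability guaranteed in the SLA.

Added example, not from the slides. Provider names, SLA figures and outage
records below are constructed sample data, not measurements of any real CSP.
"""
from __future__ import annotations

HOURS_PER_YEAR = 365.25 * 24  # 8766 h; 0.1 % of it is the 8.77 h of downtime cited on slide 10


def max_downtime_hours(sla_pct: float) -> float:
    """Yearly downtime budget implied by an SLA availability percentage."""
    return (1.0 - sla_pct / 100.0) * HOURS_PER_YEAR


def achieved_availability_pct(outage_hours: list[float]) -> float:
    """Reliability: the availability actually delivered over a year of observed outages."""
    return 100.0 * (1.0 - sum(outage_hours) / HOURS_PER_YEAR)


def sla_breached(sla_pct: float, outage_hours: list[float]) -> bool:
    """True when the delivered availability fell below the guaranteed one."""
    return achieved_availability_pct(outage_hours) < sla_pct


def rank_by_reliability(
    providers: dict[str, tuple[float, list[float]]],
) -> list[tuple[str, float, float, bool]]:
    """Rows of (name, SLA %, achieved %, breached) sorted from most to least reliable."""
    rows = [
        (name, sla, achieved_availability_pct(hours), sla_breached(sla, hours))
        for name, (sla, hours) in providers.items()
    ]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample (hypothetical providers): the one with the weakest guarantee
# delivered the best reliability, which is the point slide 14 makes.
SAMPLE: dict[str, tuple[float, list[float]]] = {
    "CSP-A": (99.9, [1.5, 2.5]),   # 4 h total downtime, within the 8.77 h budget
    "CSP-B": (100.0, [6.0]),       # any outage at all breaches a 100 % guarantee
    "CSP-C": (99.95, [0.5, 4.5]),  # 5 h exceeds the 4.38 h budget of 99.95 %
}

if __name__ == "__main__":
    for name, sla, achieved, breached in rank_by_reliability(SAMPLE):
        print(f"{name}: SLA {sla:.2f}%  achieved {achieved:.4f}%  breached={breached}")
```

Ranking on the achieved column rather than the SLA column is what the methodology recommends: in the constructed sample, CSP-A with the lowest guarantee comes out first, while the provider promising 100% is last.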


  25. ISMS • CSPs can mitigate the risks of security incidents if they implement international security standards. • Some CSPs offer security features to their consumers. • ISMS metric: 3 = ISO 27001 or NIST 800-53 or equivalent; 1 = in-depth audit or certification with an audit standard such as SAS70 or COBIT; 0 = no ISMS implemented.

  26. CloudCert • Having an ISMS is not enough: ISO 27001 is not fully compliant with the additional cloud security challenges. • CloudCert parameter: determined by the CSP's level in the CSA Security, Trust & Assurance Registry (STAR). • Introduce ISO 27017 in CloudCert?!

  27. Evaluation of CSP Security Compliance


  29. NIST Cloud deployment models • NIST defined three cloud service models and four cloud deployment models.

  30. CSA Cloud deployment models • CSA defined five cloud deployment models: public, private internal/on-premise, private external, community and hybrid. • We are interested in the first three, i.e. the case where a particular company migrates its services from on-premise into a cloud.

  31. Deployment models weight factor (WF) • NIST's classification of the security controls: management, operational, technical. • Weight factors for each deployment model that implements the ISO 27001:2005 control objectives. • The management control objective WF is independent of whether the services are hosted on-premise or in the cloud. • The operational WF is reduced to ½ in the private external model, because the consumer transfers those responsibilities to its CSP. • On-premise is the same as private internal.

  32. ISO 27001 Control objective evaluation • 17 control objectives are evaluated as operational • 9 as technical control objectives

  33. ISO 27001 Control objective evaluation

  34. ISO 27001 Control objective evaluation • Example of evaluation: operating system access control. • The consumer controls access to the operating systems completely in an internal private cloud (both guest and host operating systems): evaluate with 1. • It controls access to the operating systems only partially in an external private cloud (only the guest operating systems): evaluate with 1/2. • It does not control access to the operating systems in a public cloud (neither guest nor host): evaluate with 0.

  35. On-premise Security Quantification • If a CSP's security is compliant with its security level: ISMS_MAX = 3 • The cloud consumer can select / exclude the controls and control objectives to cover the identified requirements.

  36. CSPs’ Deployment Models Security Compliance Quantification • ISMSC_MAX = 6 (3 + 3)

  37. CSPs’ Deployment Models Security Compliance Quantification • Since the cloud consumer transfers some of the responsibilities to the CSP, the CSP's COT_k is the opposite of the consumer's, i.e. 1 – COT_k
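Slides 25, 26, 31, 34 and 37 together describe one scoring procedure: an ISMS metric (3/1/0), a CloudCert parameter, a per-deployment-model weight for each ISO 27001 control objective (1, 1/2 or 0 retained by the consumer) and the CSP's complementary share 1 – COT_k. The Python below is an added example, not code from the slides or the author; it encodes exactly those stated rules and labels every cell it has to fill in. The mapping of STAR levels onto 0..3, the operational weight in public cloud, the technical weight in private external, the control-class assignment of the four sample objectives and the normalised coverage aggregation are all assumptions of this example, not the paper's figures.

```python
"""Deployment-model weight factors and CSP security compliance scoring.

Added example, not code from the slides or the author. It encodes the rules the
slides state (ISMS metric 3/1/0, ISMSC_MAX = 6 = 3 + 3, consumer weight 1 / 1/2 / 0
per deployment model, CSP share = 1 - COT_k) and fills gaps with labelled assumptions.
"""
from __future__ import annotations

from enum import Enum
from typing import Optional


class Model(Enum):
    PRIVATE_INTERNAL = "private internal / on-premise"
    PRIVATE_EXTERNAL = "private external"
    PUBLIC = "public"


# Consumer-retained weight (COT_k) by NIST control class and deployment model.
# Management = 1 everywhere and operational = 1/2 in private external come from slide 31;
# technical = 1 / 1/2 / 0 is the OS access-control example on slide 34.
# ASSUMPTION: operational = 0 in public cloud and technical = 1/2 in private external are
# generalised from those examples; the slides do not state every cell.
WF: dict[str, dict[Model, float]] = {
    "management":  {Model.PRIVATE_INTERNAL: 1.0, Model.PRIVATE_EXTERNAL: 1.0, Model.PUBLIC: 1.0},
    "operational": {Model.PRIVATE_INTERNAL: 1.0, Model.PRIVATE_EXTERNAL: 0.5, Model.PUBLIC: 0.0},
    "technical":   {Model.PRIVATE_INTERNAL: 1.0, Model.PRIVATE_EXTERNAL: 0.5, Model.PUBLIC: 0.0},
}

ISMS_MAX = 3    # slide 35
ISMSC_MAX = 6   # slide 36: ISMS metric (max 3) + CloudCert parameter (max 3)


def isms_metric(isms_standard: Optional[str], audited: bool) -> int:
    """ISMS metric from slide 25: 3 for ISO 27001 / NIST 800-53 / equivalent,
    1 for an in-depth audit or a SAS70/COBIT-style certification, 0 otherwise."""
    if isms_standard in {"ISO 27001", "NIST 800-53"}:
        return 3
    return 1 if audited else 0


def cloudcert_metric(star_level: int) -> int:
    """CloudCert parameter from slide 26, derived from the CSA STAR level.
    ASSUMPTION: 0 (not registered) .. 3 maps directly onto the 0..3 score."""
    if not 0 <= star_level <= 3:
        raise ValueError("STAR level must be 0..3")
    return star_level


def csp_isms_score(isms_standard: Optional[str], audited: bool, star_level: int) -> int:
    """Combined ISMS + CloudCert score, bounded by ISMSC_MAX."""
    score = isms_metric(isms_standard, audited) + cloudcert_metric(star_level)
    assert score <= ISMSC_MAX
    return score


def responsibility_split(control_class: str, model: Model) -> tuple[float, float]:
    """(consumer share COT_k, CSP share 1 - COT_k) for one control objective (slide 37)."""
    cot = WF[control_class][model]
    return cot, 1.0 - cot


def csp_weighted_coverage(objectives: dict[str, str], fulfilled: set[str], model: Model) -> float:
    """Fraction of the responsibility transferred to the CSP (sum of 1 - COT_k) that the
    CSP actually evidences. ASSUMPTION: this normalised weighted sum is an illustrative
    aggregation for the example, not the paper's exact formula. Returns 1.0 when the
    deployment model transfers nothing, since there is nothing for the CSP to evidence."""
    transferred = {k: 1.0 - WF[cls][model] for k, cls in objectives.items()}
    total = sum(transferred.values())
    if total == 0:
        return 1.0
    return sum(w for k, w in transferred.items() if k in fulfilled) / total


# Constructed sample: four ISO 27001:2005 Annex A objectives. ASSUMPTION: the class
# assignment is this example's, not the paper's 17-operational / 9-technical split.
OBJECTIVES = {
    "A.5.1 Information security policy": "management",
    "A.9.1 Secure areas": "operational",
    "A.10.5 Back-up": "operational",
    "A.11.5 Operating system access control": "technical",
}
# Constructed evidence for a hypothetical CSP: it documents back-up and OS access control.
FULFILLED = {"A.10.5 Back-up", "A.11.5 Operating system access control"}

if __name__ == "__main__":
    print("ISMS + CloudCert:", csp_isms_score("ISO 27001", True, 2), "of", ISMSC_MAX)
    for model in Model:
        print(f"{model.value}: coverage {csp_weighted_coverage(OBJECTIVES, FULFILLED, model):.3f}")
```

The useful output is the per-model coverage: the same evidence from the same CSP covers all of the (empty) transferred responsibility in private internal, two thirds of it in both private external and public, because the management objective never transfers and the secure-areas objective is what the CSP has not evidenced.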


  39. Discussion / Conclusion • ISO 27001 is a more detailed standard than the COBIT certificate, so COBIT or other related certificates are evaluated with 1, and ISO 27001 or NIST SP 800-53 with 3. • The CSPs' employee certificates are not included in our evaluation, since implementing the ISMS assures employee security awareness; all employees would have to hold CISSP, CISM or another security certification, otherwise this control is irrelevant. • The consumer should place more trust in a comprehensive external audit by a relevant certified authority than in the CSP's employees. • Compliance with different cloud deployment models.

