What is “Cloud Computing?” ASSURED CLOUD COMPUTING CENTER OF EXCELLENCE UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS | INFORMATION TRUST INSTITUTE
assured-cloud-computing.illinois.edu
IT Security and Privacy Standards in Comparison Improving FedRAMP Authorization for Cloud Service Providers
International Workshop On Assured Cloud Computing And QoS Aware Big Data
(WACC) 2017. Madrid, Spain, May 14, 2017
Authors:
Carlo Di Giulio, University of Illinois at Urbana-Champaign
Read Sprabery, University of Illinois at Urbana-Champaign
Charles Kamhoua, Air Force Research Laboratory
Kevin Kwiat, Air Force Research Laboratory
Roy Campbell, University of Illinois at Urbana-Champaign
Masooda Bashir, University of Illinois at Urbana-Champaign
Context (1/2)
- 2011 Federal Cloud Computing Strategy:
  - Savings (the total IT expenditure in 2011 at the Federal level was $75.4 billion)
  - High security level in the cloud
  - Creation of the Federal Risk and Authorization Management Program (FedRAMP), leveraging NIST 800-53 requirements
Context (2/2)
- Cloud computing means easy access to remote services, but also increased concern about security and privacy
- Certifications and compliance with standards are the easiest (if not the only) indicator available to evaluate a CSP from the outside
- To reassure users about the quality of services (IT and other), security standards are widely used by governments and industries
Source : Adobe (2015) Adobe Security and Privacy Certification. Whitepaper.
ISO 27001 Certifications (and percentage variation)
Source : ISO (2016) ISO Survey 2015. https://www.iso.org/the-iso-survey.html
Research Questions
- How effective are current IT security measures and frameworks at addressing cloud security?
- How do standards compare to each other?
- Is FedRAMP better than other security frameworks at protecting information assurance in cloud environments, and if so, how?
- Is it ultimately worth it to invest in new cloud security standards like FedRAMP?
- What can be done to improve current cloud security standards?
Analyzed Standards
- ISO/IEC 27001:2005 and 2013
- FedRAMP rev. 3 and 4, Moderate and High baselines (DoD Levels 2-4)
- AICPA SOC 2 (TSPC 2009, 2014, and 2016)
- BSI Cloud Computing Compliance Controls Catalogue (C5)
Methodology
Timeline and Missing Controls (CSA CCM)
Comparison of Missing Controls
Attack Tree (missing controls in CSA CCM)
Venn Diagram of Missing Controls
[Figure: Venn diagram of CSA CCM controls missing from ISO/IEC 27001, FedRAMP, BSI C5 and TSPC. Control IDs shown: IAM-01, IAM-04, IAM-08, IAM-10, DCS-08, SEF-04, HRS-02, HRS-04, HRS-10, IVS-02, IVS-05, IVS-07, IVS-11, IVS-13, GRM-04, GRM-08, EKM-04, DSI-02, BCR-10, IPY, MOS]
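The gap analysis behind the Venn diagram, and the reasoning in the conclusions that follow it (a combination of standards may still leave controls uncovered, and a small extension to one standard can close the gap), can be modelled as set operations over CSA CCM control IDs. The script below is an added example written for this page, not code from the paper or the Assured Cloud Computing project. The control IDs are the ones named on the slide, but the assignment of missing controls to each standard is a constructed, hypothetical mapping chosen only to illustrate the method; the paper's actual mapping is not reproduced here.

```python
from itertools import combinations

# Constructed illustrative data, NOT the mapping from the paper: for each standard,
# the CSA CCM control IDs it is assumed to leave unaddressed ("missing controls").
# The control IDs are those named on the Venn-diagram slide; which standard misses
# which is a hypothetical assignment made for this example.
MISSING = {
    "ISO/IEC 27001": {"IAM-08", "DCS-08", "SEF-04", "HRS-02", "IAM-04", "IVS-13"},
    "FedRAMP":       {"IAM-04", "IAM-10", "IVS-02", "IVS-11", "GRM-08", "IVS-13"},
    "BSI C5":        {"GRM-08", "GRM-04", "EKM-04", "HRS-10", "DSI-02", "IVS-05",
                      "SEF-04", "IVS-13"},
    "TSPC":          {"DSI-02", "IPY", "BCR-10", "HRS-04", "IVS-07", "IAM-01", "MOS",
                      "IAM-10", "IVS-13"},
}


def gaps_of_combination(standards, missing=MISSING):
    """Controls still unaddressed when a CSP holds every certification in
    `standards`. A control is covered as soon as one standard covers it, so
    the combined gap is the intersection of the individual gaps."""
    sets = [missing[s] for s in standards]
    return set.intersection(*sets) if sets else set()


def shared_gaps(missing=MISSING):
    """Controls that none of the analysed standards addresses (the centre of
    the Venn diagram); these survive even a combination of all standards."""
    return gaps_of_combination(list(missing), missing)


def smallest_sufficient_combinations(missing=MISSING):
    """Smallest sets of standards whose combined gap is empty, i.e. the
    cheapest certification portfolio that covers every CCM control in the
    model. Returns [] when no combination suffices."""
    names = sorted(missing)
    for k in range(1, len(names) + 1):
        found = [c for c in combinations(names, k)
                 if not gaps_of_combination(c, missing)]
        if found:
            return found
    return []


def remediate(missing, standard, controls):
    """Model the 'small effort' of extending one standard: return a copy of
    the mapping in which `standard` now addresses `controls`."""
    patched = {name: set(gaps) for name, gaps in missing.items()}
    patched[standard] -= set(controls)
    return patched


def report(missing=MISSING):
    """Human-readable gap analysis, returned as a list of lines."""
    lines = []
    for name in sorted(missing):
        lines.append(f"{name}: {len(missing[name])} missing -> {sorted(missing[name])}")
    lines.append(f"unaddressed by every standard: {sorted(shared_gaps(missing))}")
    combos = smallest_sufficient_combinations(missing)
    lines.append("smallest sufficient combinations: "
                 + (", ".join(" + ".join(c) for c in combos) if combos else "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
    # Extend ISO/IEC 27001 with the one control nobody covers and re-run.
    fixed = remediate(MISSING, "ISO/IEC 27001", shared_gaps())
    print("\nafter extending ISO/IEC 27001 with", sorted(shared_gaps()))
    print("\n".join(report(fixed)))
```

With the constructed mapping, IVS-13 sits in the centre of the diagram, so no combination of the four standards covers everything; once a single standard is extended with that one control, a two-standard portfolio becomes sufficient. Swapping in a real control mapping (for instance the CCM cross-references each standard publishes) turns the same functions into a reusable gap-analysis check.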
Conclusions and Future Perspectives
- None of the standards is completely secure, and even a combination of two or more may not be enough
- Although higher security is achievable by combining all the standards, only a small effort is required to improve the response of one or a few of them to current security threats
- Insider threats are the greatest risk to cloud assurance, and better measures to ensure proper training of employees and raise their awareness are required