Cloud security certifications: a comparison to improve cloud service provider security

The rapid diffusion of cloud computing applications and services in recent years has brought new threats to information security [1]. IT certification and authorization mechanisms try to provide assurance against those threats by imposing high security standards and controls. Two examples of such certifications built on IT security controls are ISO/IEC 27001 and FedRAMP. While the two certifications largely overlap in scope, it is important to note that ISO/IEC 27001 is a standard adopted worldwide since 2005, whereas FedRAMP was developed in 2012 specifically for cloud service providers serving the US Government. Newer frameworks, however, are not always more effective than earlier ones, especially in the fast-moving world of cloud computing, where IT security standards need to be updated constantly. This study offers an overview of the adequacy and completeness of ISO/IEC 27001 and FedRAMP, calling into question the level of protection they provide by comparing them with each other and evaluating both against known threats to cloud computing. The study identifies weaknesses in the process by which the certifications are built and highlights the improvements that are needed.

[1] Reidar Conradi, et al. Version models for software configuration management, 1998, CSUR.

[2] André van der Hoek, et al. Palantir: raising awareness among configuration management workspaces, 2003, 25th International Conference on Software Engineering, 2003. Proceedings.

[3] Marianne M. Swanson, et al. Standards for Security Categorization of Federal Information and Information Systems, 2004.

[4] Andrea C. Arpaci-Dusseau, et al. Antfarm: Tracking Processes in a Virtual Machine Environment, 2006, USENIX Annual Technical Conference, General Track.

[5] Xuxian Jiang, et al. Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction, 2007, CCS '07.

[6] Tavis Ormandy. An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments, 2007.

[7] Andrea C. Arpaci-Dusseau, et al. VMM-based hidden process detection and identification using Lycosid, 2008, VEE '08.

[8] Wenke Lee, et al. Lares: An Architecture for Secure Active Monitoring Using Virtualization, 2008, 2008 IEEE Symposium on Security and Privacy (SP 2008).

[9] Constantine Gikas, et al. A General Comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS Standards, 2010, Inf. Secur. J. A Glob. Perspect.

[10] Jennifer L. Bayuk. The utility of security standards, 2010, 44th Annual 2010 IEEE International Carnahan Conference on Security Technology.

[11] Vivek Kundra, et al. 25 Point Implementation Plan to Reform Federal Information Technology Management, 2010.

[12] Sadie Creese, et al. Inadequacies of Current Risk Controls for the Cloud, 2010, 2010 IEEE Second International Conference on Cloud Computing Technology and Science.

[13] Vivek Kundra, et al. Federal Cloud Computing Strategy, 2011.

[14] Jennifer L. Bayuk. Systems Security Engineering, 2011, IEEE Security & Privacy.

[15] Jennifer L. Bayuk. Cloud security metrics, 2011, 2011 6th International Conference on System of Systems Engineering.

[16] Michael K. Reiter, et al. Cross-VM side channels and their use to extract private keys, 2012, CCS.

[17] Ali Sunyaev, et al. Cloud services certification, 2013, CACM.

[18] Eric A. Fischer, et al. Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, 2013.

[19] Joint Task Force Transformation Initiative, et al. Security and Privacy Controls for Federal Information Systems and Organizations, 2013.

[20] Kristian Beckers, et al. A pattern-based method for establishing a cloud-specific information security management system, 2013, Requirements Engineering.

[21] Mário M. Freire, et al. Security issues in cloud environments: a survey, 2014, International Journal of Information Security.

[22] Z. Zhi-qi. Strategy and Action for Cloud Computing of the European Union: Unleashing the Potential of Cloud Computing in Europe, 2013.

[23] Steve G. Watkins. An Introduction to Information Security and ISO 27001:2013: A Pocket Guide, 2013.

[24] Ian Walden, et al. 'It's a jungle out there'?: Cloud computing, standards and the law, 2014, Eur. J. Law Technol.

[25] Hassan Rasheed, et al. Data and infrastructure security auditing in cloud computing environments, 2014, Int. J. Inf. Manag.

[26] Read Sprabery, et al. WinWizard: Expanding Xen with a LibVMI Intrusion Detection Tool, 2014, 2014 IEEE 7th International Conference on Cloud Computing.

[27] Jin Tong, et al. US Government Cloud Computing Technology Roadmap, 2014.

[28] Michael K. Reiter, et al. Cross-Tenant Side-Channel Attacks in PaaS Clouds, 2014, CCS.

[29] Stephen D. Gantz. IT Audit Processes, 2014.

[30] Robert Karl, et al. Holistic configuration management at Facebook, 2015, SOSP.

[31] Gernot Heiser, et al. Last-Level Cache Side-Channel Attacks are Practical, 2015, 2015 IEEE Symposium on Security and Privacy.

[32] Ernesto Damiani, et al. From Security to Assurance in the Cloud, 2015, ACM Comput. Surv.

[33] Gorka Irazoqui Apecechea, et al. Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud, 2015, IACR Cryptol. ePrint Arch.

[34] Karuna Pande Joshi, et al. A Semantic Approach to Cloud Security and Compliance, 2015, 2015 IEEE 8th International Conference on Cloud Computing.

[35] Christopher S. Yoo, et al. Finding Security in the Clouds, 2015.

[36] Wei Huang, et al. The State of Public Infrastructure-as-a-Service Cloud Security, 2015, ACM Comput. Surv.

[37] Faridl Mughoffar. Development of Information Security Governance Template Based on ISO/IEC 27001:2005 and Compliant with COBIT 5 APO13 Manage Security Management Processes, 2016.