What is “Cloud Computing?” ASSURED CLOUD COMPUTING CENTER OF EXCELLENCE UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS | INFORMATION TRUST INSTITUTE
assured-cloud-computing.illinois.edu
IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers
International Workshop On Assured Cloud Computing And QoS Aware Big Data (WACC) 2017. Madrid, Spain, May 14, 2017
Authors:
Carlo Di Giulio, University of Illinois at Urbana-Champaign
Read Sprabery, University of Illinois at Urbana-Champaign
Charles Kamhoua, Air Force Research Laboratory
Kevin Kwiat, Air Force Research Laboratory
Roy Campbell, University of Illinois at Urbana-Champaign
Masooda Bashir, University of Illinois at Urbana-Champaign
Context (1/2)
2011 Federal Cloud Computing Strategy:
- Savings (the total IT expenditure in 2011 at a Federal level was $75.4 Billion)
- High security level in the cloud
- Creation of the Federal Risk and Authorization Management Program (FedRAMP)
- Leveraging NIST 800-53 requirements
Context (2/2)
- Cloud Computing means easy access to remote services, but also increased concern about security and privacy
- Certifications and compliance with standards are the easiest (if not the only) indicator for evaluating a CSP from the outside
- To reassure users about the quality of services (IT and not), security standards are widely used by governments and industries
From a Vendor's Point of View
Source: Adobe (2015) Adobe Security and Privacy Certification. Whitepaper. http://www.adobe.com/content/dam/Adobe/en/security/pdfs/adobe-ccf-012015.pdf
ISO 27001 Certifications (and percentage variation)
Country 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
Japan 3790 4896 4425 5508 6237 6914 7199 7140 7171 8240
United Kingdom 486 519 738 946 1157 1464 1701 1923 2253 2790
India 369 508 813 1240 1281 1427 1611 1931 2168 2490
China 75 146 236 459 509 664 790 965 1210 1469
USA 69 94 168 252 247 315 415 566 654 1247
Romania 4 16 44 303 350 575 866 840 893 1078
Italy 175 148 233 297 374 425 495 901 969 1013
Germany 95 135 239 253 357 424 488 581 634 994
Taipei, Chinese 159 256 702 934 1028 791 855 918 781 939
Spain 23 93 203 483 711 642 805 799 698 676
Netherlands 41 41 56 76 97 125 190 316 335 455
Poland 11 45 75 187 229 233 279 307 310 448
Czech Republic 27 77 88 264 529 301 264 399 276 381
Hungary 54 81 135 146 151 178 199 280 295 323
Korea, Republic of 50 77 94 174 166 191 230 252 288 305
Bulgaria 8 23 60 116 132 208 278 330 273
Turkey 10 27 33 86 117 100 132 181 224 268
Slovakia 4 12 28 50 70 111 127 159 162 232
France 5 9 14 15 31 46 66 94 155 227
Source: ISO (2016) ISO Survey 2015. https://www.iso.org/the-iso-survey.html
Research Questions
- How effective are current IT security measures and frameworks at addressing cloud security?
- How do standards compare to each other?
- Is FedRAMP better than other security frameworks at protecting information assurance in cloud environments, and if so, how?
- Is it ultimately worth it to invest in new cloud security standards like FedRAMP?
- What can be done to improve current cloud security standards?
Analyzed Standards
- ISO/IEC 27001:2005 and 2013
- FedRAMP rev. 3 and 4, Moderate and High baseline (DoD Lev 2-4)
- AICPA SOC2 (TSPC 2009, 2014, and 2016)
- BSI Cloud Computing Compliance Control Catalogue (C5)
Methodology
Timeline and Missing Controls (CSA CCM)
Comparison of Missing Controls
Attack Tree (missing controls in CSA CCM)
Venn Diagram of Missing Controls
[Figure: Venn diagram of the four analyzed standards (ISO/IEC 27001, FedRAMP, BSI C5, TSPC) showing which CSA CCM controls each one lacks. Control IDs visible in the diagram: BCR-10, DCS-08, DSI-02, EKM-04, GRM-04, GRM-08, HRS-02, HRS-04, HRS-10, IAM-01, IAM-04, IAM-08, IAM-10, IPY, IVS-02, IVS-05, IVS-07, IVS-11, IVS-13, MOS, SEF-04. Which region (i.e. which combination of standards) each control falls into is not recoverable from the extracted text.]
Conclusions and Future Perspectives
- None of the standards is completely secure, and even a combination of two or more standards may not be enough
- Although higher security is achievable by combining all the standards, only a small effort is required to improve the response of one or a few of them to current security threats
- Insider threats are the greatest risk to cloud assurance, and better measures to ensure proper training of employees and to raise their awareness are required
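The gap analysis behind the "Comparison of Missing Controls" and "Venn Diagram of Missing Controls" slides, and the conclusion that even a combination of standards can leave CSA CCM controls uncovered, can be reproduced as set arithmetic. The following is an added example, not the authors' code or data: the control IDs are those visible on the Venn diagram slide, but the assignment of missing controls to each standard is constructed for illustration and is not the paper's finding.

```python
from itertools import combinations

# Constructed, hypothetical gap data. A control is listed under a standard when
# that standard has no requirement mapping to the CSA CCM control (NOT the paper's result).
MISSING = {
    "ISO/IEC 27001": {"IAM-08", "HRS-02", "IPY", "MOS", "DCS-08", "SEF-04", "IVS-02", "IVS-11"},
    "FedRAMP":       {"IAM-08", "HRS-02", "IPY", "MOS", "DCS-08", "SEF-04", "IAM-04", "IAM-10"},
    "BSI C5":        {"IAM-08", "HRS-02", "IPY", "MOS", "DCS-08", "GRM-04", "GRM-08", "EKM-04"},
    "TSPC":          {"IAM-08", "HRS-02", "IPY", "MOS", "HRS-04", "HRS-10", "IVS-05", "IVS-07",
                      "IVS-13", "DSI-02", "BCR-10", "IAM-01"},
}

def venn_regions(missing):
    """Map each Venn region (the exact frozenset of standards that miss a control)
    to the set of controls lying in that region."""
    missed_by = {}
    for std, controls in missing.items():
        for control in controls:
            missed_by.setdefault(control, set()).add(std)
    regions = {}
    for control, stds in missed_by.items():
        regions.setdefault(frozenset(stds), set()).add(control)
    return regions

def residual_gap(missing, chosen):
    """CCM controls still uncovered by a CSP certified against every standard in
    `chosen`. A control is covered once any chosen standard requires it, so the
    residual gap is the intersection of the chosen standards' missing sets."""
    chosen = list(chosen)
    gap = set(missing[chosen[0]])
    for std in chosen[1:]:
        gap &= missing[std]
    return gap

def smallest_complete_combination(missing):
    """Smallest combination of standards whose residual gap is empty, or None when
    even all of them together leave CCM controls uncovered."""
    standards = sorted(missing)
    for size in range(1, len(standards) + 1):
        for combo in combinations(standards, size):
            if not residual_gap(missing, combo):
                return combo
    return None

if __name__ == "__main__":
    for region, controls in sorted(venn_regions(MISSING).items(), key=lambda kv: -len(kv[0])):
        print(f"missed by {sorted(region)}: {sorted(controls)}")
    print("all four combined still miss:", sorted(residual_gap(MISSING, MISSING)))
    print("smallest complete combination:", smallest_complete_combination(MISSING))
```

With the constructed data the four-way intersection is non-empty, so `smallest_complete_combination` returns `None`: the shared gaps (here the HRS and IAM controls) are what a CSP must address beyond certification.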
For more information:
Roy H. Campbell [email protected]