ASSURED CLOUD COMPUTING CENTER OF EXCELLENCE … · 2011 Federal Cloud Computing Strategy: Savings...

What is “Cloud Computing?”

ASSURED CLOUD COMPUTING CENTER OF EXCELLENCE

UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS | INFORMATION TRUST INSTITUTE

assured-cloud-computing.illinois.edu

IT Security and Privacy Standards in Comparison

Improving FedRAMP Authorization for Cloud Service Providers

International Workshop On Assured Cloud Computing And QoS Aware Big Data (WACC) 2017. Madrid, Spain, May 14, 2017

Authors:

Carlo Di Giulio, University of Illinois at Urbana-Champaign

Read Sprabery, University of Illinois at Urbana-Champaign

Charles Kamhoua, Air Force Research Laboratory

Kevin Kwiat, Air Force Research Laboratory

Roy Campbell, University of Illinois at Urbana-Champaign

Masooda Bashir, University of Illinois at Urbana-Champaign

Context (1/2)

2011 Federal Cloud Computing Strategy:

Savings (The total IT expenditure in 2011 at a Federal level was $75.4 Billion)

High security level in the cloud

Creation of the Federal Risk and Authorization Management Program (FedRAMP)

Leveraging NIST 800-53 requirements

Context (2/2)

Cloud Computing means easy access to remote services, but also increased concern about security and privacy

Certifications and compliance with standards are the easiest (if not the only) indicator for evaluating a CSP from the outside

To reassure users about the quality of services (IT and non-IT), security standards are widely used by governments and industries

From a Vendor’s Point of View

Source: Adobe (2015) Adobe Security and Privacy Certification. Whitepaper. http://www.adobe.com/content/dam/Adobe/en/security/pdfs/adobe-ccf-012015.pdf

ISO 27001 Certifications (and percentage variation)

Country 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

Japan 3790 4896 4425 5508 6237 6914 7199 7140 7171 8240

United Kingdom 486 519 738 946 1157 1464 1701 1923 2253 2790

India 369 508 813 1240 1281 1427 1611 1931 2168 2490

China 75 146 236 459 509 664 790 965 1210 1469

USA 69 94 168 252 247 315 415 566 654 1247

Romania 4 16 44 303 350 575 866 840 893 1078

Italy 175 148 233 297 374 425 495 901 969 1013

Germany 95 135 239 253 357 424 488 581 634 994

Taipei, Chinese 159 256 702 934 1028 791 855 918 781 939

Spain 23 93 203 483 711 642 805 799 698 676

Netherlands 41 41 56 76 97 125 190 316 335 455

Poland 11 45 75 187 229 233 279 307 310 448

Czech Republic 27 77 88 264 529 301 264 399 276 381

Hungary 54 81 135 146 151 178 199 280 295 323

Korea, Republic of 50 77 94 174 166 191 230 252 288 305

Bulgaria 8 23 60 116 132 208 278 330 273

Turkey 10 27 33 86 117 100 132 181 224 268

Slovakia 4 12 28 50 70 111 127 159 162 232

France 5 9 14 15 31 46 66 94 155 227

Source: ISO (2016) ISO Survey 2015. https://www.iso.org/the-iso-survey.html

Research Questions

How effective are current IT security measures and frameworks at addressing cloud security?

How do standards compare to each other?

Is FedRAMP better than other security frameworks at protecting information assurance in cloud environments, and if so, how?

Is it ultimately worth it to invest in new cloud security standards like FedRAMP?

What can be done to improve current cloud security standards?

Analyzed Standards

ISO/IEC 27001:2005 and 2013

FedRAMP rev. 3 and 4. Moderate and High baseline (DoD Lev 2-4)

AICPA SOC2 (TSPC 2009, 2014, and 2016)

BSI Cloud Computing Compliance Control Catalogue (C5)

Methodology

Timeline and Missing Controls (CSA CCM)

Comparison of Missing Controls

Attack Tree (missing controls in CSA CCM)

Venn Diagram of Missing Controls

[Figure: Venn diagram with four sets (ISO/IEC 27001, FedRAMP, BSI C5, TSPC). Control labels in the diagram: IAM-08, DCS-08, SEF-04, HRS-02, IAM-04, IAM-10, IVS-02, IVS-11, GRM-08, GRM-04, EKM-04, HRS-10, IVS-13, IVS-05, DSI-02, IPY, BCR-10, HRS-04, IVS-07, IAM-01, MOS.]

Conclusions and Future Perspectives

None of the standards is completely secure, and even a combination of two or more standards might not be enough

Although higher security is achievable by combining all the standards, a small effort is required to improve the response of one or a few of them to current security threats

Insider threats are the greater risk to cloud assurance, and better measures to ensure proper training of employees and raise their awareness are required

For more information:

Roy H. Campbell