Cloud Security Benchmark: Top 10 Cloud Service Providers

Appendix A – E

January 5, 2015

Table of Contents

Copyright and Disclaimer ... 3
Appendix A: Introduction ... 4
Appendix B: Methodology & Scoring Guidelines ... 5
Appendix C: Cloud Security Benchmark ... 7
Appendix D: Glossary ... 8-9
Appendix E: References ... 10
Contact ... 10

Copyright and Disclaimer

© 2015 CloudeAssurance

All rights reserved. You may download this study, store or display it on your computer, view, print, and also point to the CloudeAssurance website www.CloudeAssurance.com. However, (a) this document may ONLY be used solely for personal, informational, and non-commercial use; (b) the document may not be altered or changed in any way from its published form; (c) the document may not be redistributed without the expressed written permission of CloudeAssurance; and (d) the trademark, copyright or any other relevant notices may not be removed at any time. Please see section (b) above. As permitted by the Fair Use provisions of the United States Copyright Act, you may quote segments of the document, but only if due diligence is adhered to by attributing appropriate citations and attributions to CloudeAssurance Cloud Security Benchmark: Top 10 Cloud Service Providers (Q4, 2014).

NO WARRANTY. CloudeAssurance makes this document available AS-IS, and makes no warranty as to its accuracy or use. The information contained in this document may include inaccuracies or typographical errors, and may not reflect the most current developments, and CloudeAssurance does not represent, warrant or guarantee that it is complete, accurate, or up-to-date, nor does CloudeAssurance offer any certification or guarantee with respect to any opinions expressed herein or any references provided. Changing circumstances may change the accuracy of the content herein. Opinions presented in this document reflect judgment at the time of publication and are subject to change. Any use of the information contained in this document is at the risk of the user. CloudeAssurance assumes no responsibility for errors, omissions, or damages resulting from the use of or reliance on the information herein. CloudeAssurance reserves the right to make changes at any time without prior notice.

Appendix A: Introduction

This document contains a glossary of definitions that provides insight into the key terms and concepts used within the CloudeAssurance independent study entitled “Cloud Security Benchmark: Top 10 Cloud Service Providers”, as well as a detailed look at the scoring methodology used for the study. This document aims to provide the reader with a clear and concise understanding of the various acronyms, expressions, and language used throughout the study, as well as a comprehensive understanding of the scoring and assessment methodology applied.

Cloud computing is a growing industry that was projected to reach $148.8 billion globally by the end of 2014 (source: Gartner, Q4 2012). The technology has successfully introduced the world to the accessibility of near limitless resources, unrivaled scalability, and enormous cost savings for information technology infrastructure and capital expenses for an enterprise. With cloud adoption rates skyrocketing internationally, there can be little doubt that the cloud represents one of the most innovative and efficient service models ever developed. Streamlined processes and unrivaled accessibility both help to explain the ever growing focus on this innovative business model. They also provide a clear understanding of why a seemingly endless number of cloud service providers (CSPs) continue to emerge daily, offering services for everything from simple storage space and processing power to platform and application development and release capabilities.

The cloud is the future of business, and has already begun to transform it in its entirety. Yet while the cloud does indeed offer numerous advantages for both the public and private sectors, it also brings with it the responsibility of adequately securing the massive amounts of data that are processed, stored and provisioned within it on a daily basis. Information security and assurance is nothing short of mission critical to organizations and cloud customers, because issues surrounding the exchange of information and the handling of data affect every enterprise as they attempt to provide services and achieve their various business goals and objectives. The cloud certainly does provide the most powerful and efficient way to better advance and achieve these various goals, but it also opens the door to increased security threats, risks and exposure as well. Most importantly, because it is a new service model, there is a general lack of experience in securing data within the cloud environment.

The eFortresses Security Breaches Matrix (2005-2014) clearly indicates that cloud related security breaches are on the rise and have become an unsettling reality in today’s world. Major incidents such as the recent Apple iCloud, Code Spaces and eBay hacks reveal a clear shift in attacks towards companies providing cloud services and operating within the cloud environment. Additional security breaches such as the Target Corporation hack clearly reveal an increasing trend in attacks on not only organizations, but their supply chains as well. With the rising prevalence of CSPs and their various cloud service offerings, as well as the unique threat landscape that the cloud presents, it is critical that the risks associated with the storage and processing of data in the cloud be adequately managed by the CSPs entrusted with this data.

The CloudeAssurance platform and the AlertApp! mobile application were created to bridge the critical security gaps that exist within the cloud industry and provide both the guidance and resources needed to identify, remediate and validate the security of the cloud. This platform enables not only cloud assurance, but also vendor assurance and consumer assurance, being a standards based, all-encompassing solution that is capable of addressing not just cloud security concerns, but any information security standard or framework as well (including updated standards such as PCI-DSS 3.0, ISO/IEC 27001:2013 and NIST Cybersecurity Framework 1.0).

Appendix B: Methodology & Scoring Guidelines

Company profiles referred to as “Assessment Profiles” were created within CloudeAssurance using publicly available information about each cloud service provider (CSP) included in the study. Each Cloud Service Provider voluntarily submitted self-assessment documents to the Cloud Security Alliance (CSA) STAR Registry to reflect the transparency of their cloud security posture and control maturity, information that served as the primary source material for a given security assessment. The CSA GRC Stack, the standard used for these self-assessments, was imported into the CloudeAssurance platform and used in the scoring process to provide an “apples to apples” comparison. Please note that while the entries listed within the CSA STAR Registry form the study sample size, not all entries are used, as not all entries include self-assessment information for the cloud service provider.

Within an assessment, a CSP’s responses to questions within each of the eleven domains of this framework were analyzed and given a “YES”, “NO”, “Partial”, or “N/A” answer. We also assigned an accompanying maturity level to each response using the CMMI model of maturity, a proven maturity model used by many industries to measure process maturity on a scale of 1-5. It is important to understand that while some cloud service providers provided detailed and thorough self-assessment information, others were overly vague or provided only YES or NO answers, with no control evidence or descriptions to accompany such responses. As a result, it was necessary for researchers to create a uniform scoring system to reflect the differences in approach that CSPs took to their self-assessment documents.

Since the purpose of this study is to provide an objective, systematic and fair representation of each CSP’s cloud security, assessors agreed that criteria needed to be established that could be applied to all assessments across the board. The result was a simple yet effective set of guidelines: if a CSP has achieved ISO 27001 certification, then any “YES” response is assigned a maturity level of “3”, denoting a “Defined” process on the CMMI scale. However, if the CSP does not hold ISO 27001 certification, then any “YES” response is assigned a “2” score instead to reflect this difference in maturity, regardless of the level of detail provided with such responses. “Partial” responses are universally scored a “2”, while all “NO” responses are assigned a “1” score on the CMMI maturity scale to denote a process or control that is in an “Initial” maturity state.

N/A responses are handled in the following manner. If a control is comprised of multiple questions or control areas, for instance three questions requiring three separate answers, and the provider has given two “YES” responses and one “N/A”, then the overall response is marked as “YES” with either a “3” or a “2” score according to the above mentioned criteria. Essentially, “N/A” responses are “subtracted” from the other responses when determining a maturity score for that specific control, with the remainder determining the final score. Please note that an abundance of “N/A” responses does negatively impact a CSP’s rating score, to serve as a checks and balances system and prevent CSPs from excluding an abundance of relevant controls and artificially boosting their score. Scoring table 1.1 below provides a simple visual representation of the scoring criteria used by assessors across all CAIQ responses for any given CSP.

Please note that a CSP’s provisional score is capped at a maximum of 600 unless an independent CAAP validation assessment is performed by an assessor qualified through the HISPI CAAP (Cloud Assurance Assessor Program), which ensures the effective implementation and maturity of controls. Without performing an independent on-site CAAP Validation Assessment, the exact levels of compliance and maturity cannot be validated, which is why capping each CSP’s controls at the “Defined” maturity level (CMMI level 3, the expected maturity level for a CSP with ISO 27001 certification) is appropriate for this study. However, it should be emphasized that when a CSP undertakes CAAP Validation, the validated score can rise above 600 and can be included in the Top 10 CSP study, with the CSP’s permission.

Table 1.1: Scoring Guidelines

CAIQ Response    Score     Maturity Level
Yes              2 or 3    Managed / Defined
No               1         Initial
Partial          2         Managed
N/A              None      N/A
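The scoring rules of Appendix B and Table 1.1, written out as an added Python illustration (not CloudeAssurance's proprietary algorithm). Two points the page leaves open are filled by labelled assumptions: how a multi-question control with mixed answers is collapsed once the N/A answers are subtracted, and how the N/A penalty is weighted; the 600-point provisional cap and the per-response maturity levels are taken from the page as stated.

```python
"""Scoring rules from Appendix B / Table 1.1 applied to CAIQ-style answers.

Added illustration, not CloudeAssurance code.  Assumptions not on the page:
(1) a multi-question control is collapsed by dropping "N/A" and keeping the
weakest remaining answer (NO < Partial < YES); the page only gives the
two-YES-plus-one-N/A case.  (2) The "N/A drags the score down" rule is a flat
deduction per wholly-N/A control; the real weighting is proprietary.
"""
from __future__ import annotations

PROVISIONAL_CAP = 600   # stated on the page
NA_PENALTY = 5          # assumed value, see docstring
_RANK = {"NO": 0, "PARTIAL": 1, "YES": 2}


def normalise(answer: str) -> str:
    """Map free-form CAIQ answers onto YES / PARTIAL / NO / N/A."""
    a = answer.strip().upper()
    if a in ("YES", "Y"):
        return "YES"
    if a in ("NO", "N"):
        return "NO"
    if a in ("PARTIAL", "PARTIALLY"):
        return "PARTIAL"
    if a in ("N/A", "NA", "NOT APPLICABLE", ""):
        return "N/A"
    raise ValueError(f"unrecognised CAIQ answer: {answer!r}")


def consolidate(answers: list[str]) -> str:
    """Collapse a control's sub-answers to one response, ignoring N/A."""
    remaining = [a for a in map(normalise, answers) if a != "N/A"]
    if not remaining:
        return "N/A"                 # every sub-question was N/A
    return min(remaining, key=_RANK.__getitem__)   # weakest answer (assumption)


def maturity(response: str, iso27001_certified: bool) -> int | None:
    """CMMI level per Table 1.1: YES -> 3 (ISO 27001) or 2, Partial -> 2, NO -> 1."""
    if response == "YES":
        return 3 if iso27001_certified else 2
    if response == "PARTIAL":
        return 2
    if response == "NO":
        return 1
    return None                      # N/A carries no score


def score_controls(controls: dict[str, list[str]], iso27001_certified: bool) -> dict:
    """Score every control; mean_maturity is a summary, not the proprietary rating."""
    per_control = {cid: maturity(consolidate(ans), iso27001_certified)
                   for cid, ans in controls.items()}
    scored = [m for m in per_control.values() if m is not None]
    na_controls = sum(1 for m in per_control.values() if m is None)
    return {
        "per_control": per_control,
        "mean_maturity": round(sum(scored) / len(scored), 2) if scored else 0.0,
        "na_controls": na_controls,
        "na_penalty": na_controls * NA_PENALTY,
    }


def apply_provisional_cap(raw_score: int, caap_validated: bool) -> int:
    """Scores above 600 only stand after an independent HISPI CAAP validation."""
    return raw_score if caap_validated else min(raw_score, PROVISIONAL_CAP)


# Constructed sample: five controls from a fictitious CSP self-assessment.
SAMPLE_CAIQ = {
    "CO-01": ["YES", "YES", "N/A"],  # the page's worked case -> YES
    "CO-02": ["Partial"],
    "DG-01": ["NO", "YES"],          # mixed -> NO under the weakest-answer assumption
    "IS-03": ["N/A", "N/A"],         # wholly N/A -> unscored and penalised
    "SA-02": ["yes"],                # answers are case-insensitive
}
```

Calling `score_controls(SAMPLE_CAIQ, True)` and `score_controls(SAMPLE_CAIQ, False)` shows the ISO 27001 effect directly: the same "YES" answers score 3 for a certified CSP and 2 otherwise.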

Appendix C: Cloud Security Benchmark

The study was initially performed over a period of three months in the final quarter of 2012, and has been carried out and updated quarterly since that time. This update and release covers Q4 2014, and involved the analysis and evaluation of 87 CSPs using their publicly available self-assessment documents from the CSA STAR Registry. It also used publicly available information relating to each CSP’s ISO 27001 Certification scope. The independent assessment approach used ensures impartiality and objectivity throughout the study.

Each CSP’s self-assessment information was gathered and entered into the CloudeAssurance platform. Revisions and alterations to the CAIQ response documents create the need to regularly check for information updates, as any changes or re-submittals can drastically alter the assessment scores. For example, while Firehost did not initially make the Top 10 list in Q4 2012, they achieved ISO 27001 certification in early Q1 2013 and demonstrated continuous improvement in the process, resulting in the CSP making the Top 10 list in Q1 2013.

Dates when assessments were last updated are documented within CloudeAssurance and kept current to establish consistency. The scoring guidelines are applied universally to all assessments and regularly checked for both completeness and accuracy. As a result of these measures, the provisional scores for these CSPs reflect the strong objectivity and neutrality with which CloudeAssurance carries out all assessments.

The goals of this benchmarking effort are to identify and create a Top 10 list of CSPs, to observe the general cloud security posture of numerous CSPs, to identify control weaknesses, and to establish a sense of the focus and overall emphasis that CSPs place on information security concerns and the maturity of their cloud services. The inclusion of additional CSPs in future assessments is expected each quarter, and will provide further insight into the cloud security posture of CSPs, enhancing the existing benchmark data available to cloud customers in the process.

Appendix D: Glossary

AlertApp! – Powered by CloudeAssurance and the Top 10 Cloud Service Providers independent study, AlertApp! is a mobile application that allows cloud consumers to monitor the safety and security of their data in the cloud. Users can proactively track in real time the cloud security ratings, security breaches, lawsuits and major outages impacting the cloud services that they use, enabling them to act accordingly.

Assessment – The systematic process of analyzing a cloud service provider’s (CSP) overall cloud security posture using their own submitted self-assessments performed against the Cloud Security Alliance CAIQ and Cloud Controls Matrix. The assessment data, which is publicly available information, is carefully analyzed, assessed and entered into the CloudeAssurance platform for centralized and automated scoring, tracking, trending and benchmark reporting.

Assessor – The individual performing the assessment of a CSP’s cloud security environment using the CSP’s self-assessment information analyzed within the CloudeAssurance platform.

Capability Maturity Model Integration (CMMI) – A widely used and proven model of process maturity developed by Carnegie Mellon University that identifies the maturity level of various processes and controls using a scale of 1 – 5:

1. Initial – Processes unpredictable, poorly controlled and REACTIVE.
2. Managed – Processes characterized for PROJECTS and often MANAGEABLE.
3. Defined – Processes characterized for the ORGANIZATION and PROACTIVE.
4. Quantitatively Managed – Processes QUANTITATIVELY measured and controlled.
5. Optimizing – Focus on CONTINUOUS PROCESS improvement.

Cloud Controls Matrix (CCM) – The Cloud Controls Matrix v1.1, v3.0 and v3.0.1 are the cloud security frameworks developed by the Cloud Security Alliance (CSA) that are leveraged for the study.

Cloud Service Provider (CSP) – A company offering cloud services whose cloud service is the focus of this study.

CloudeAssurance Platform – The industry’s first truly risk-intelligent rating and continuous monitoring system providing assurance regarding a cloud service provider’s cloud security, governance, risk and compliance using a 10-year proven algorithm developed by eFortresses, Inc. Customers and end users can know which cloud providers have the best cloud assurance score and history, validated criteria that provide a dependable measure of cloud trust. The platform enables the safe and secure adoption of cloud computing, and includes gap identification, reporting and automated assessment capabilities.

CloudeAssurance Rating Score – The CloudeAssurance Rating Score is based on an integrated controls

CMMI. The framework used for this Rating System includes ISO 27001, COBIT, PCI-DSS, HIPAA, NIST SP 800-53 and FedRAMP. This rating score represents a CSP’s overall security assessment and control adequacy, similar to a credit worthiness score, and is calculated within the CloudeAssurance platform using a 10-year field proven scoring algorithm. This proprietary algorithm uses a mixture of compliance and process maturity to offer a gauge of “true security” for a cloud service provider, and represents the overall security posture of the CSP’s cloud environment.

Consensus Assessments Initiative Questionnaire (CAIQ) – An extensive and robust questionnaire developed by the Cloud Security Alliance that allows for the documentation and transparency of the various security controls that exist across an organization’s cloud infrastructure and service model (IaaS, PaaS, SaaS). The CAIQ directly complements the CSA’s CCM and is the primary source of information used in the assessment process for this study. A CSP’s response to the questionnaire is voluntarily submitted and is publicly available information found in the CSA STAR Registry.

HISPI – The Holistic Information Security Practitioner Institute (HISPI) is a highly respected independent certification organization that consists of numerous industry experts including Chief Information Security Officers (CISOs), Information Security Officers (ISOs), Directors of Information Security, Security Analysts and Security Engineers, among other industry professionals. HISPI bridges the vital alignment gaps between technology and business goals with a holistic approach to information security, and is the oversight body of the Cloud Assurance Assessor Program (CAAP). The HISPI CAAP provides assurance of the qualifications of those purporting to have the necessary skills as independent Cloud Assessors.

HISPI Top 20 Mitigating Controls – The identified top 20 critical or “mitigating” security controls deemed necessary for an organization to prevent information security breaches. Developed by HISPI, these controls are derived from real world security breach information and research (eFortresses security breach matrices, 2005-2014) and cover people, processes and technology. These controls are updated annually within the platform, and factor heavily into the CloudeAssurance rating and scoring algorithm. This allows CloudeAssurance to stay current and adaptive to the cloud’s evolving threat landscape.

Appendix E: References

CloudeAssurance Platform – https://www.CloudeAssurance.com
CMMI – http://www.sei.cmu.edu/cmmi/
COBIT – http://www.isaca.org/COBIT/Pages/default.aspx
CSA STAR Registry – https://cloudsecurityalliance.org/
eFortresses Security Breaches Matrix (2005-2014) – http://www.efortresses.com/2014-Breaches-Matrix.htm
FedRAMP – http://www.FedRAMP.gov
Gartner Cloud Computing Services – http://www.gartner.com/it/page.jsp?id=1389313
HIPAA – http://www.hhs.gov/ocr/hipaa/
HISPI Top 20 Security Breaches Mitigating Controls – https://www.hispi.org/memberdownloads.php
HISPI Qualified CAAP Assessor – https://www.hispi.org/CAAP.php
ISO/IEC 27001:2005 – http://www.iso.org/iso/catalogue_detail?csnumber=42103
ISO/IEC 27001:2013 – http://www.iso.org/iso/iso27001
PCI-DSS – https://www.pcisecuritystandards.org/security_standards/
NIST Cybersecurity Framework – http://www.nist.gov/cyberframework/

Contact  

 
