Cloud Computing                Cloud Provider Transparency                An Empirical Evaluation      Cloud computing pro...
Cloud Computinginformation about past problems the providers mighthave had related to breaches and downtime.              ...
Cloud Computing              this would be to directly contact the cloud provider’s       that information, other cloud se...
Cloud Computing    Table 1. Cloud provider overview.    Provider/offerings               Service model         Sample cust...
Cloud Computing Preassessment                                           CP1         CP2        CP3         CP4        CP5 ...
Cloud Computing    Table 2. Cloud Provider Transparency Scorecard analysis.                                               ...
Cloud Computing Full assessment                                                                        CP1        CP2     ...
Cloud Computing17. R. Ross et al., “Recommended Security Controls for    Federal Information Systems,” Dec. 2007; http://c...
Upcoming SlideShare
Loading in …5

Cloud provider transparency


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Cloud provider transparency

  1. 1. Cloud Computing Cloud Provider Transparency An Empirical Evaluation Cloud computing promises many enterprise benefits. The author’s study aims to help businesses assess the transparency of a cloud provider’s security, privacy, auditability, and service-level agreements via self-service Web portals and publications. EWayne A. xternal IT services have been in use for sev- Whether a cor­Pauley eral decades now, evolving from time-sharing porate IT de­ art­ pEMC services to application service providers to the ment wants to let its company’s crown jewels reside in current cloud computing phenomena.1 The a public cloud is certainly a question each organization US National Institute of Standards and Technology must answer for itself. For this study’s purposes, let’s has developed a good working definition of cloud assume that IT is being driven to the cloud because computing that breaks it into three service models: of potential economic and time-to-market benefits. software as a service (SaaS), platform as a service IT will need a new assessment process to proactively (PaaS), and infrastructure as a service (IaaS).2 (For evaluate the cloud along four key dimensions—se- a detailed explanation, see the “Cloud Computing curity, privacy, auditability, and service levels. Open Terminology” sidebar.) Cloud computing promises a availability of the information from this type of assess- ubiquitous platform that can automatically scale up, ment provides valuable information for IT to trans- down, or out on demand. It also portends to be self- parently evaluate the environment’s risk. service and highly automated, allowing an enterprise to get started with nothing more than a browser and The Study’s Purpose a credit card. This study has two aims: An important challenge for IT comes from lines of business (LOBs) that are unsatisfied with IT’s re- • to create a scorecard for evaluating a cloud’s trans- sponsiveness and how long it takes to respond to new parency via the cloud provider’s self-service portals application requests. Several decades ago, the main- and published Web content, and frame environment had an acceptable response time • to empirically evaluate a small population of cloud of 12 to 18 months to respond to a request for a new providers to test the scorecard and assess the popula- application. Highly virtualized datacenters can now tion’s transparency. procure and provision an application environment in less than four to six weeks. The challenge facing IT Kim Wüllenweber and Tim Weitzel built on the occurs when the business manager responds to a four- theories of perceived risk and reasoned action to em- to six-week answer from IT by producing a credit pirically show that standardization reduces the per- card and getting something running on Amazon Web ception of risk in outsourced services (what I will call Services (AWS) in a matter of hours. IT must be able transparency).3 In this study, I evaluated cloud providers’ to respond to that kind of dynamic demand internally transparency on the basis of their use of standards, best from the LOB or find ways to insert itself into the practices, policies, procedures, and contractual ser- process of assessing and validating publicly available vice-level guarantees available on their cloud services cloud services. portals. The study also looked at publicly available32 COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES ■ 1540-7993/10/$26.00 © 2010 IEEE ■ NOVEMBER/DECEMBER 2010
  2. 2. Cloud Computinginformation about past problems the providers mighthave had related to breaches and downtime. Cloud Computing Terminology To perform this study, I developed the Cloud Pro-vider Transparency Scorecard, an instrument to as-sess and score the information that I collected frompublished Web sources by or about cloud providers. T he US National Institute of Standards and Technology defines the cloud as including five essential characteristics. On-demand self-service is the consumer’s ability to procure and provisionEach of the four domains I considered included a se- cloud services, such as storage or compute services, via a portal mecha-ries of questions based on key areas outlined by the nism without the cloud service provider’s assistance.Cloud Security Alliance (CSA),4 NIST,2 and the Eu- Broad network access is the ability to connect to cloud services any-ropean Network and Information Security Agency where, with any form of client, such as a mobile phone, laptop, intel-(ENISA).5 Each question equated to a “0 = no, 1 = ligent smart phone, or any Web-enabled device. Depending on the typeyes” value; I totaled each domain and gave an overall of information, where it physically resides can have regulatory ramifica-score based on the total of all scores. I then divided tions—for example, personally identifiable information and personalthe domain-based scores by the total possible score to health records are regulated in the US.provide a simple percentile equivalent. I also divided Resource pooling, or multi-tenancy, is when the provider’s resources arethe overall score by the total possible score to derive a pooled and dynamically allocated based on application demand. Eachpercentile equivalent. physical machine could have multiple tenants (business users) on it—or, if the cloud provider offers it and the customer is willing to pay for it, aWhat Makes physical server could run only the one tenant’s virtual machines.a Cloud Provider Transparent? Rapid elasticity is the ability to scale up, down, or out automaticallyResearchers have addressed trust in e-commerce as workload requirements change. This characteristic lets the customerextensively, showing that it can positively affect e- pay for resources as needed and allows specific demands to be met withcommerce usage by reducing concern, which in turn seemingly unlimited resources. For example, if a business experiencesimproves disclosure, reduces the demand for legisla- peak workloads at the end of the month, the cloud will support thetion, and reduces the perceived risk.6 Business en- demand transparently to the business. Another example would be to usegaging a self-service cloud provider is consuming an the cloud for scale testing.e-commerce–based service that provides infrastruc- Measured service, or fairly fine-grained metering capabilities, becomesture services instead of traditional goods such as books necessary with an on-demand and auto-scaling service with a pay-as-or music. Privacy statements, security policies and you-go financial model. The metering must include monitoring, control-assessments,5 and availability guarantees are effective ling (for example, setting maximums), and reporting.for evaluating trust for e-commerce service providers. A service-level agreement (SLA) between a cloud service providerFor the purpose of this research, I extended the defi- and a business details the expectations for both parties. One examplenition of an e-commerce service provider to include is service availability and the penalties for service loss; another examplecloud providers as a new type of e-commerce. would be response time. In the case of Amazon Web Services (AWS), Simple Storage Service (S3) provides an SLA of 99.9 percent availability,Preassessment which translates to 8.75 hours of downtime a year. The buyer must beOne approach to assessing the cloud would be to use aware that SLAs can vary within a cloud provider. Using Amazon Weba third-party security firm with experience in cloud Services as an example, AWS Elastic Compute Cloud (EC2) guaranteesapplications. Another would be to use internal re- 99.95 percent uptime, which translates into six hours of downtime a year,sources and leverage recently published assessment or 30 consecutive minutes a month.methods from the CSA or ENISA. Both methods One last concept that’s important when evaluating the aggregationprovide steps for security and privacy assessment and of services within a cloud provider is impact of transitivity due to alsodetail focus areas for audit and governance, specifi- aggregating the SLAs. Using the previous examples from AWS, wherecally for cloud infrastructures. The challenge with S3 has a 99.9 percent SLA and EC2 has a 99.95 percent SLA, the result ofexisting methods is that cloud providers rely on the aggregating the services provides the lowest SLA of 99.9 percent to theself-service model for customers to engage them, application that uses both services together.which is based on extensive surveys requiring thecloud provider’s staff involvement. The low-touchself-service model economically benefits both the spective customers search the Web for news articles oncloud provider, which can reduce service costs, and issues, breaches, and outages—for example, Privacythe customer, who is charged less and can directly Rights Clearinghouse keeps a chronology of reportedprocure and provision resources. breach data7—and the cloud provider must track and An alternative approach that matches the cloud report outage data on its website. Another step shouldprovider engagement model is to make all required include inspecting the type of customers using the cloudinformation for assessing clouds via their Web portals provider to validate if its customers have similar applica-publicly available. To preassess cloud providers, pro- tions, scale, and customer base. One way to accomplish 33
  3. 3. Cloud Computing this would be to directly contact the cloud provider’s that information, other cloud service providers such customers to see what their experiences have been. as Terremark, SAVVIS, and Rackspace provide their In addition, does the cloud provider participate in employees’ certifications on their websites and offer cloud standards bodies such as CloudAudit,8 Open specific details to paying customers. Are the employ- Cloud Computing Interface,9 CSA, and ENISA? Par- ees subject to background checks? Cloud providers ticipating in cloud standards activities is one way that often provide this information—for example, AWS the cloud provider can demonstrate that it is interested publishes most of this information on its website and in improving trust and interoperability in the cloud. in its security white paper. The basic business assessment also includes such ques- tions as Privacy Does the cloud provider have a privacy portal? Does it • “What service models do you offer (IaaS, PaaS, and/ publish its privacy policy? Does it manage its privacy or SaaS)?” policy over time? Does the privacy policy apply to all • “Are you public or private?” of the cloud provider’s services, or are there separate • “Are you profitable?” ones for separate services? If the cloud provider uses other providers’ services bundled within its own ser- These are samples of the types of questions that pro- vice, does it have a bilateral agreement to hold the spective customers should ask during the preassess- other providers to the same standard? Does the cloud ment phase to determine if the cloud provider could provider provide a special email or forum for privacy be included in a full assessment and if it’s a good busi- questions or issues? Does it offer professional services ness fit. specific to privacy, such as working with customers on As a final preassessment step, evaluate the cloud Health Insurance Portability and Accountability Act provider as a business entity. How long has it been (HIPAA) compliance? in business? According to the US Small Business Ad- ministration, approximately 50 percent of businesses Audit fail in the first five years.10 Has the cloud provider had If a customer has requirements for financial, healthcare, any financial difficulties? What happens if it’s acquired or personally identifiable information, the customer or shuts down its cloud offering? Does it provide ser- should review the cloud provider’s site for third-party vices in all the locations or countries needed? audit mechanisms. For example, does the cloud provid- er comply with the Statements on Auditing Standards The Detailed Assessment (SAS) No. 70 Type II,13 the Payment Card Industry After preassessing the cloud provider, the next step Data Security Standard,14 HIPAA,15 or Sarbanes-Ox- is to perform a more detailed assessment using the ley?16 Several cloud providers, such as AWS,17 publish CPTS as one of the tools for assessment. the fact that they perform SAS 70 audits, but don’t pub- lish the control groups that they’ve audited. Security To perform a detailed assessment, use a browser to visit Service Levels each cloud site and collect and log the various security, What service-level agreements (SLAs) does the cloud privacy, and service-level policies and procedures. Is provider guarantee? Do they apply to all the cloud pro- all the information located in one place and easy to ac- vider’s services? For example, if you’re using Amazon cess? Are the policies and procedures published? Does Elastic Compute Cloud (EC2), Amazon has a 99.95 the provider offer an email address for additional ques- percent uptime guarantee, but Amazon Simple Queue tions? Does it offer professional services such as secu- Service (SQS) and Amazon Simple Storage Service (S3) rity assessments of customer environments? don’t have an SLA guarantee. If you combine SQS or What kind of security controls does the cloud pro- S3 with EC2, the net SLA is 0 percent. Does the cloud vider have in place? If it publishes its security policy provider use a service-level management process such as and procedures, does it also perform standardized as- the Information Technology Infrastructure Library?18 sessments? Several cloud providers perform security assessments such as COBIT,10 ISO 27000,11 or NIST Next Steps Postassessment SP800-5312 on their environments. Is the cloud pro- Once the customer has gathered this data, the next vider a member of, or does it contribute to, ENISA or step is to contrast the cloud provider’s standards against CSA? Does it use the ENISA or CSA recommenda- corporate policies and the requirements of the appli- tions for governance? cation being provisioned on the cloud. Evaluate the What kind of security education and certifica- cloud policies and practices against internal policies tions does the staff hold? Are their certifications pub- and practices to see if differences exist in the security lished? For example, although AWS doesn’t share and privacy policies. Does the cloud provider meet34 IEEE SECURITY PRIVACY
  4. 4. Cloud Computing Table 1. Cloud provider overview. Provider/offerings Service model Sample customers Comments Google App Engine (GAE) Platform as a Best Buy, Ubisoft, Flickr Appeals to startups, small-to-medium- service (PaaS) sized businesses (SMB), enterprise businesses, and students and schools as an integrated development environment Amazon Web Services (AWS) Infrastructure as a Autodesk, Qualcomm, Second Appeals to startups, SMBs, and enterprise service (IaaS) L ­ ife, Washington Post, Harvard businesses as an operational expense Medical School option for infrastructure with price tiering based on scale and options Microsoft Windows Azure, IaaS and PaaS 3M, Verisign, Associated Press, Appeals to .NET developers and all Microsoft SQL Azure, and Kelly Blue Book, Accenture, businesses; provides a way to bridge Windows Azure platform Siemens Microsoft datacenter apps with the cloud AppFabric IBM Computing on Demand, IaaS, PaaS, and US Air Force, SK Telecom Provides full services for all company sizes IBM Smart Business, IBM Smart software as a with price tiering for scale Analytics, and so on service (SaaS) Terremark Enterprise Cloud and IaaS, Agora Games, Engine Infrastructure services for all company vCloud Express Yard sizes Savvis Cloud Compute, Savvis IaaS Hallmark, Easyjet, Universal Music Infrastructure services for all company Dedicated Cloud, and Savvis Group, Wall Street sizes Open Cloud Computeor exceed the security and privacy policy levels used recently created cloud computing offerings targetinginternally? Does it provide enough information via its IaaS leveraging virtualization technology.self-service model to determine that? In the preassessment (Figure 1), I found that almost all providers had published outages, along with theResults of the Preassessment fault that caused the outage and the corrective action.For this study, I chose a relatively small population of Researching for breaches in the Datalossdb databasesix cloud providers (see Table 1). The offerings and showed no breaches tied to any of the cloud provid-structure vary among providers. NIST defines four ers studied. CP2 did show up in the database owingcloud deployment models: private, public, community, to the loss of a laptop containing CP2 employee data.and hybrid clouds. Private clouds operate specifically Breaches that affect a cloud provider’s customer datafor one organization, while public clouds are available wouldn’t necessarily end up in the Datalossdb unlessto the general public. Community clouds support a regulatory rules required the cloud provider to informspecific community, such as an academic or govern- those harmed. The nature of the public profile and thement function. A hybrid cloud is the federation of sev- services that cloud providers offer have a higher prob-eral clouds composed of either the same deployment ability of being divulged publicly, and as one cloudmodels or different models. The study included only provider posted, full disclosure and transparency is apublic cloud providers that prospective customers could best practice. Microsoft Azure’s loss of Sidekick dataaccess from the Internet and that offered their services in 2009 was highly publicized and analyzed by thevia a self-service method. For simplicity, I make the cloud provider technical community.19 (Cloud pro-six cloud providers (Amazon, Google, Microsoft, IBM, viders aren’t compelled or regulated to share breachTerremark, and Savvis) anonymous by referring to information as long as data protected by regulationstheir results as coming from CP1 through CP6. haven’t been affected.) I also found that all providers Within the public cloud provider category are dif- belonged to at least one cloud standards group, show-ferent classes of providers. From the providers cho- ing common interest in interoperability and gover-sen, I selected Amazon and Google as representative nance standards.of Web-based companies that repurpose and extend Figure 1 has a mixed scoring method designedexisting infrastructure and software to support cloud to create a maximum score of 7 (the best possibleservices. Microsoft and IBM provide various managed score). Several of the questions are negative, makingand application services that they’ve extended as cloud the “yes” answer a negative response, thereby pro-services. Terremark and SAVVIS provide various viding a “0” score for that question. All the cloudmanaged services to commercial customers and have providers I evaluated scored better than 70 percent, 35
  5. 5. Cloud Computing Preassessment CP1 CP2 CP3 CP4 CP5 CP6 Business Length in years in business 16 12 31 114 28 15 Total years factors 1 Length in years in business 5? 1 1 1 1 1 1 0 ≤ 5, 1 ≥ 5 2 Published security 1 1 1 1 1 1 0 = Y, 1 = N or privacy breaches? 3 Published outages? 0 0 0 0 1 0 0 = Y, 1 = N 4 Published data loss? 1 0 0 1 1 1 0 = Y, 1 = N 5 Similar customers? 1 1 1 1 1 1 0 = N, 1 = Y 6 Member of ENISA, CSA, 1 1 1 1 1 1 0 = N, 1 = Y CloudAudit, OCCI, or other cloud standards groups? 7 Profitable or public? 1 1 1 1 1 1 0 = N, 1 = Y Preassessment total score 6 5 5 6 7 6 Total Percentile score 0.86 0.71 0.71 0.86 1.00 0.86 Score/7Figure 1. The Cloud Provider Transparency Scorecard. I used the scorecard to examine a variety of cloud computing providers, assessingtheir business factors, such as years in business and security or privacy breaches, to create a total preassessment transparency score. which I considered adequate for consideration for use from SAS 70, although it was possible to acquire the CPTS assessment. control group information via direct email with one of the cloud providers. CP3, CP5, and CP6 all had Assessment Results perfect scores in the audit section. Having internal I recorded, broke down, and summarized the assess- and external audits and publishing them helps provide ment’s qualitative results by domains of security, pri- proof of capability for specific data types, especially vacy, audits, and SLA, as depicted in Table 2. those that are regulated. Security Scores SLA Scores CP3 had the strongest security score, at 0.80. Two ser- As Table 2 shows, only CP5 scored well, with a 0.79 vice providers, CP5 and CP6, scored 0.70. The lowest on its SLA. The SLA outcomes were skewed by the scores were from CP1 and CP2, primarily due to a use of a weighted value that ranged from 1 to 5 based lack of certifications, professional services, and shar- on a 99.5 to 100 percent. If the cloud provider had ing employee certifications. CP4’s relatively low score several different SLAs for different services, I used of 0.50 is likely due to problems encountered with the lowest SLA for the score. In the case of CP4, I navigating the cloud provider’s website. The study couldn’t find SLA information on the cloud portal. was based on using a self-service method to perform CP5 was the only cloud provider that provided a the assessment as opposed to using email/chat inquiry 100 percent service uptime guarantee. CP5 and CP6 methods or calling the cloud provider. Ease of use and didn’t have any published outage events, which I can navigation of Web portals are important characteris- discount due to the length of time they’ve been offer- tics when a service is designed to be self-service. ing cloud services. Privacy Scores Overall Scores CP6 and CP3 had perfect privacy scores due to their CP3, CP5, and CP6 had the highest overall scores, policies being easy to find, well detailed, and includ- as Table 2 shows, with scores of 0.76, 0.79, and 0.72, ing privacy explanations in white papers. CP2 lost a respectively. CP4’s score (0.38) was brought down by point due to the lack of professional services, which an overall lack of information available on its website. it claims are provided through a partner community. CP1 and CP2 both scored near 50 percent, with 0.48 CP4 had the lowest score of 0.50 due to the lack of and 0.52, respectively—but removing the two profes- an easy-to-find privacy policy for its cloud offerings. sional services questions actually drops their scores to 0.44 and 0.48. Audit Scores All the cloud providers claim to perform SAS 70 Type Cloud-Specific Challenges II audits on their infrastructure. None of them offers The assessment includes a question about specific char- public information about what control groups they acteristics in the cloud from the NIST definition re-36 IEEE SECURITY PRIVACY
  6. 6. Cloud Computing Table 2. Cloud Provider Transparency Scorecard analysis. Maximum CPTS analysis CP1 CP2 CP3 CP4 CP5 CP6 score Security 4 (0.40%) 4 (0.40%) 8 (0.80%) 5 (0.50%) 7 (0.70%) 7 (0.70%) 10 (1.00%) Privacy 4 (0.67%) 5 (0.83%) 6 (1.00%) 3 (0.50%) 4 (0.67%) 6 (1.00%) 6 (1.00%) Audit 3 (0.75%) 1 (0.25%) 4 (1.00%) 2 (0.50%) 4 (1.00%) 4 (1.00%) 4 (1.00%) SLA 3 (0.33%) 5 (0.56%) 4 (0.44%) 1 (0.11%) 8 (0.89%) 4 (0.44%) 9 (1.00%) Total 14 (0.48%) 15 (0.52%) 22 (0.76%) 11 (0.38%) 23 (0.79%) 21 (0.72%) 29 (1.00%)garding resource pooling. Resource pooling is more important for IT to meet its business objectives, the needcommonly called multi-tenancy, and many researchers for transparency will only increase. Standardization,have addressed it. The question concerned whether the open reporting of information in the methodology’ssecurity policy had any specific discussion on multi- sample domain, and making it readily available via thetenancy—none of the cloud providers had any specific self-service model will greatly enhance business abilitysecurity-related documentation. The CSA document to evaluate and engage cloud providers’ services.discusses multi-tenancy and other cloud characteristics,providing guidance on topics such as administration, Acknowledgmentsthreat models, and virtual machine regulatory issues. A special thank you to Randy Bias, CEO, founder, and Cloud Strategist of Cloudscaling, for reviewing the cloud provider instrument for completeness and making sugges-I designed the scorecard shown in Figure 2 to cover the assessment areas frequently raised in the researchand to begin to establish a high-level exemplar for as- tions for improvements. I also thank Mark Rosenbaum, doctoral candidate at Nova Southeastern University, for reviewing the document and, as usual, providing excellentsessing provider transparency. Assessing cloud providers feedback where the document needed improvements.this early in the maturity cycle of cloud as a technologybrings with it the caveat that providers as yet don’t have Referencesestablished transparency standards. Market forces, com- 1. K.S. Candan et al., “Frontiers in Information and Soft-petition, and further research are needed to determine ware as Services,” Proc. 2009 IEEE Conf. Data Eng.,the standard for measuring provider transparency. IEEE CS Press, 2009, pp. 1761–1768. An area for future research would be to evaluate 2. P. Mell and T. Grance, “The NIST Definition of Cloudif the cloud provider offers performance-­ onitoring m Computing,” Nat’l Inst. of Standards and Technologytools such as utilization, response times, and avail- Computer Security Division, 7 Oct. 2009; http://csrc.ability. As an example, AWS recently launched for customers to monitor resource uti- -v15.doc.lization, performance, and demand patterns. Exter- 3. K. Wüllenweber and T. Weitzel, “An Empirical Ex-nal monitors such as also provide ploration of How Process Standardization Reducesperformance data, while companies like Keynote Outsourcing Risk,” Proc. 40th Ann. Hawaii Int’l Conf.perform remote availability and quality testing of System Science, IEEE CS Press, 2007, p. 240c.networked resources. 4. “Security Guidance for Critical Areas of Focus in One assessment method that I didn’t include was Cloud Computing V2.1,” Cloud Security Alliance,Shared Assessments (SA),21 which is supported by 2009; US Federal Financial Institutions Council as a fi- 5. “Cloud Computing Security Risk Assessment,”nancial services industry standard. SA is specifically E ­ uropean Network and Information Security Agency,designed for outsourcing assessment covering the fi- 20 Nov. 2009; services industry’s stringent requirements and deliverables/cloud-computing-risk-assessment.regulations. I didn’t include it because only one cloud 6. H.R. Nemati and T. Van Dyke, “Do Privacy State-provider currently is a member, and this membership ments Really Work? The Effect of Privacy Statementswasn’t connected to the provider’s cloud services. and Fair Information Practices on Trust and Perceived The CPTS provides a guideline of how an organi- Risk in E-Commerce,” Int’l J. Information Security andzation can evaluate the adequacy of a cloud provider’s Privacy, vol. 3, no. 1, 2009, pp. 45–65.transparency. The methodology’s simplicity and high- 7. “Chronology of Data Breaches,” Privacy Rights Clear-level approach might not be adequate for a specific or- inghouse, 2 Mar. 2010;’s requirements. As the cloud becomes more ChronDataBreaches.htm. 37
  7. 7. Cloud Computing Full assessment CP1 CP2 CP3 CP4 CP5 CP6 Security 1 Portal area for security information? 1 1 1 1 0 1 2 Published security policy? 1 1 1 0 0 0 3 White paper on security standards? 1 1 1 1 1 1 4 Does the policy specifically address multi-tenancy issues? 0 0 0 0 0 0 5 Email or online chat for questions? 1 1 1 1 1 1 6 ISO/IEC 27000 certified? 0 0 1 0 1 1 7 COBIT certified? 0 0 1 0 1 1 8 NIST SP800-53 security certified? 0 0 0 0 1 0 9 Offer security professional services (assessment)? 0 0 1 1 1 1 10 Employees CISSP, CISM, or other security certified? 0 0 1 1 1 1 Security subtotal score 4 4 8 5 7 7 Privacy 11 Portal area for privacy information? 1 1 1 0 0 1 12 Published privacy policy? 1 1 1 0 0 1 13 White paper on privacy standards? 1 1 1 1 1 1 14 Email or online chat for questions? 1 1 1 1 1 1 15 Offer privacy professional services (assessment)? 0 0 1 1 1 1 16 Employees CIPP or other privacy certified? 0 1 1 0 1 1 Privacy subtotal score 4 5 6 3 4 6 External 17 SAS 70 Type II 1 1 1 1 1 1 audits or 18 PCI-DSS 0 0 1 1 1 1 certifications 19 SOX 1 0 1 0 1 1 20 HIPAA 1 0 1 0 1 1 Audit subtotal score 3 1 4 2 4 4 Service-level 21 Does it offer an SLA? 1 1 1 0 1 1 agreements 22 Does the SLA apply to all services? 0 1 1 0 1 1 23 99.9 = 1, 99.95 = 2, 99.99 = 3, 99.999 = 4, 100 = 5 1 2 1 0 5 1 24 ITIL-certified employees? 0 0 0 0 1 1 25 Publish outage and remediation? 1 1 1 1 0 0 SLA subtotal score 3 5 4 1 8 4 Total score 14 15 22 11 23 21Figure 2. The Cloud Provider Transparency Scorecard. The assessment examines the cloud provider’s security, privacy, external audits orcertifications, and service-level agreements to create a total transparency score. 8. “CloudAudit and the Automated Audit, Assertion, As- 13. “The Health Insurance Portability and Accountabil- sessment, and Assurance API (A6),” CloudAudit, 2010; ity Act of 1996 (HIPAA) Privacy and Security Rules,” US Dept. of Health and Human Services, 2006; 9. “Open Grid Forum Open Cloud Computing Interface Working Group,” OCCI, 2010; privacyrule/adminsimpregtext.pdf. doku.php. 14. “Sarbanes–Oxley Act of 2002 (Public Company Ac- 10. “Frequently Asked Questions,” Small Business Admin- counting Reform and Investor Protection),” Govern- istration Office of Advocacy, Sept. 2009; ment Accountability Office, 2002. advo/stats/sbfaq.pdf. 15. “COBIT Framework for IT Governance and Con- 11. AU Section 324 Service Organizations: Sources SAS No. 70; trol,” Information Systems Audit and Control Asso- SAS No. 78; SAS No. 88; SAS No. 98, Am. Inst. Cer- ciation, 2007; tified Public Accountants; COBIT/Pages/Overview.aspx. Standards/AuditAttest/DownloadableDocuments/ 16. ISO/IEC 27000:2009: Information Technology, Security AU-00324.pdf. Techniques, Information Security Management Systems, Over- 12. “Payment Card Industry Data Security Standard: Navi- view and Vocabulary, Int’l Org. for Standardization and the gating PCI DSS V1.2,” Payment Card Industry Security Int’l Electrotechnical Commission, 2009; Standards Council, 2008; www.pcisecuritystandards. iso/iso_catalogue/catalogue_tc/catalogue_detail.htm? org/pdfs/pci_dss_saq_navigating_dss.pdf. csnumber=41933.38 IEEE SECURITY PRIVACY
  8. 8. Cloud Computing17. R. Ross et al., “Recommended Security Controls for Federal Information Systems,” Dec. 2007; http://csrc. -53-rev2-fi nal.pdf.18. “AWS Completes SAS70 Type II Audit,” Amazon Web Services,” 2010; whats-new/2009/11/11/aws-completes-sas70-type -ii-audit. Executive Committee Members: Alan Street,19. “Information Technology Infrastructure Library,” President; Dr. Sam Keene, VP Technical Operations; Lou ITIL, 12 Mar. 2010; Gullo, VP Publications; Alfred Stevens, VP Meetings; home.asp. Marsha Abramo, Secretary; Richard Kowalski, Treasurer;20. M.W. Jones, “Microsoft’s Sidekick Cloud Outage Gets Dennis Hoffman, VP Membership and Sr. Past Worse,” Tech.Blorge, 11 Oct. 2009; http://tech.blorge. President; Dr. Jeffrey Voas, Jr. Past President com/Structure:%20/2009/10/11/microsofts-sidekick -cloud-outage-gets-worse. Administrative Committee Members: Lou Gullo,21. “Setting the Standards for Vendor Assessments,” Shared John Healy, Dennis Hoffman, Jim McLinn, Bret Assessments, 13 Mar. 2010; Michael, Bob Stoddard. Joe Childs, Irv Engleson, Sam Keene, Lisa Edge, Todd Weatherford, Eric Wong, ScottWayne A. Pauley is a cloud and security evangelist at EMC B. Abrams, John Harauz, Phil LaPlante, Alfred Stevens,and an executive in its Unified Storage Division. He’s also a Alan Street, Scott Tamashirodoctoral candidate in information systems science at NovaSoutheastern University. His research interests include cloudsecurity and privacy. Pauley has an MS in information tech- management from Franklin Pierce University. Contacthim at The IEEE Reliability Society (RS) is a technical Society within the IEEE, which is the world’s lead- ing professional association for the advancement of Selected CS articles and columns are also available for technology. The RS is engaged in the engineering free at disciplines of hardware, software, and human factors. Its focus on the broad aspects of reliability, allows the RS to be seen as the IEEE Specialty Engineering organization. The IEEE Reliability Society is concerned with attaining and sustaining these design attributes throughout the total life cycle. The Reliability Society has the management, resources, and administrative and technical structures to develop and to provide technical information via publications, training, con- ferences, and technical library (IEEE Xplore) data to its members and the Specialty Engineering community. The IEEE Reliability Society has 22 chapters and mem- COMPUTING bers in 60 countries worldwide. The Reliability Society is the IEEE professional society for Reliability Engineering, along with other THEN Specialty Engineering disciplines. These disciplines are design engineering vfields that apply scientific knowl- edge so that their specific attributes are designed into the system / product / device / process to assure that Learn about computing history it will perform its intended function for the required and the people who shaped it. duration within a given environment, including the ability to test and support it throughout its total life http://computingnow. cycle. This is accomplished concurrently with other design disciplines by contributing to the planning and selection of the system architecture, design imple- mentation, materials, processes, and components; fol- lowed by verifying the selections made by thorough analysis and test and then sustainment. Visit the IEEE Reliability Society Web site as it is the gateway to the many resources that the RS makes available to its members and others interested in the broad aspects of Reliability and Specialty Engineering. w 39