Operating System | Semester 1
Independent Certification for Cloud Service Providers
By
Ummey Humayra Poney
George Brown College, Casa Loma Campus
Toronto, ON, Canada
1. Independent Certification for Cloud Service Providers (CSP)
Winter 2020 || Network and System Security Analysis (T413) || George Brown College, Casa Loma Campus
Presented By : Group 06
Sakhawat Hossain : 101292375
Salem Neaz : 101292698
Ummey Humayra Poney : 101308277
2. Contents
• Objective
• A Brief on Cloud Computing
• Cloud Deployment Model
• Cloud Service Model
• Cloud Architecture
• Certification & Its Importance
• List of Certification
• Comparison
• Certificate Validity and Costing
3. Objective:
The objective of this term paper assignment is:
• To explore the various certification / assurance frameworks for Cloud Service Providers (CSPs)
− List their names
− Describe the features of these frameworks
− Compare them with one another
4. Cloud Computing:
• Definition:
− An operational model
− A set of technologies to manage resources
− A shared pool of resources
• Motivation:
− Optimize resource utilization
− Cost reduction (pay per use)
− Reduced time for implementation
− Resilience
5. Cloud Deployment Models
• Public cloud
− Infrastructure is owned by a CSP
− Available to the general public or a large industry group
• Private cloud
− Infrastructure is owned by an organization / enterprise
− Managed by that organization or a third party
• Community cloud
− Infrastructure is shared by several organizations
− Supports a specific community
− Meets a shared concern
• Hybrid cloud
− Infrastructure is a combination of two or more of the above types
− Supports resource portability
10. Certification: What & Why
• Users’ Perspective:
− Selection of CSP
− Who to trust with my data
− Who has the best technology
− Best value of money
− Availability
• CSPs’ Perspective:
− Secured infrastructure deployment
− Standardized processes in place
− No gap in the design
− Higher brand value
• Certification showcases credibility and assurance
11. 3rd Party Certification: Why
• “Industry Certification” of a CSP indicates
− An independent assessment of the platform
− Confirmation of the service levels the CSP can offer
• Unbiased
• Strengthens the CSP’s brand value
12. List of Certification / Frameworks
Frameworks that provide 3rd party certification:
1. AICPA / CICA Trust Services (SysTrust and WebTrust)
2. AICPA Service Organization Control (SOC) Reports
3. CSA STAR Certification
4. ISO 20000
5. ISO / IEC 27001:2005
13. List of Certification / Frameworks
Frameworks with no 3rd party certification:
6. Background Intelligent Transfer Service (BITS)
7. Cloud Control Matrix
8. COBIT 5
9. European Network and Information Security Agency (ENISA)
10. Federal Risk and Authorization Management Program (FedRAMP)
11. Jericho Forum® Self-Assessment Scheme (SAS)
12. Leet Security Rating Methodology
13. NIST SP 800-53
14. Comparison
• AICPA / CICA Trust Service
Description:
− CSPs can engage a CPA firm to perform a Trust Service Examination
− Assures the CSP’s clients that the CSP’s system controls meet one or more of the Trust Service Principles (Security, Privacy, Availability, Confidentiality and Processing Integrity)
Feature:
− Offers 3rd party examination under the attestation of AICPA
− Trust Service examination reports can be shared with prospective clients
− Recognized and well accepted
• AICPA SOC 1 Report
Description:
− CSPs can engage a CPA firm to produce a SOC 1 Report
− A SOC 1 report assures customers and auditors about the CSP’s understanding of, and reliance on, the controls that support clients’ financial reporting processes and systems
Feature:
− Offers 3rd party examination under the attestation of AICPA/CICA
− Recognized and well accepted
− Not intended to be shared with customers
15. Comparison
• CSA STAR Certification
Description:
− Allows CSPs to give prospective customers a greater understanding of their levels of security controls
− Leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Control Matrix
Feature:
− Technology-neutral certification
− Based on a 3rd party independent assessment of the security of a CSP
• ISO 20000 & ISO/IEC 27001/27002
Description:
− ISO 20000 provides a service process framework and service process accreditation relative to the standard processes
− ISO 2700x provides a security framework and process accreditation relative to the standard processes
Feature:
− Can provide independent 3rd party certification on which CSP clients can rely
− Recognized and well accepted, popular mostly in Europe
16. Comparison
• Background Intelligent Transfer Service (BITS)
Description:
− Used by financial institutions to evaluate the IT controls of a CSP’s platform (security, privacy and business continuity)
− Financial institutions can provide a Shared Assessments SIG questionnaire and may also provide a Shared Assessments AUP report
Feature:
− Recently established but commonly known framework for financial services enterprises
− The AUP report can provide independent 3rd party assurance on which users can rely
• Cloud Control Matrix
Description:
− Provides a framework that is specifically focused and targeted at cloud security controls
− Based on industry-accepted security standards, regulations and controls frameworks, including controls from HIPAA, ISO/IEC 27001/27002, COBIT, PCI and NIST
Feature:
− Not yet commonly understood or consistently accepted as a framework for cloud security
17. Comparison
• COBIT 5
Description:
− ISACA’s comprehensive framework to evaluate cloud environments across the entire ecosystem
− Mapped to cloud risks and controls by ISACA
Feature:
− Commonly understood and accepted framework
− Not originally created for cloud-specific risk
• European Network and Information Security Agency (ENISA)
Description:
− Provides broader guidance that is specifically focused and targeted on cloud risk controls
− IT audit and assurance teams could readily translate specific risk points into control points, then into IT audit tests
Feature:
− Not yet commonly understood or consistently accepted framework
18. Comparison
• Federal Risk and Authorization Management Program (FedRAMP)
Description:
− Specifically designed for cloud computing services
− Common security risk model that provides a consistent baseline for cloud-based technologies
− Provides assurance through A&A (assessment and authorization)
Feature:
− Widely used by US federal agencies
− Currently limited to deployment within government agencies
• Jericho Forum® Self-Assessment Scheme (SAS)
Description:
− Provides a security framework that is specifically focused and targeted on CSPs, allowing them to self-assess their cloud offering
− Potential cloud clients can use it to include security requirements in their RFPs
Feature:
− Not yet commonly understood as a framework for CSPs
19. Comparison
• Leet Security Rating Methodology
Description:
− A rating methodology developed by Leet Security
− Labels the security measures of CSPs with a unified rating
− Gives customers the flexibility to choose the best fit for their security requirements
Feature:
− Not yet commonly accepted as a rating methodology
• NIST SP 800-53
Description:
− Provides a broad risk and security framework to evaluate cloud environments
Feature:
− Commonly understood guidance from a highly respected security standard-setting body
− Not specifically focused on unique cloud risks and standards
20. Certification Validity & Cost
• Validity
− Certification is a continuous process
− Frequent and timely audits mean less deviation from standard practices
− Achieves an “always-up-to-date” compliance status
− ISO 20000-1:2011 (now 2018) and ISO 27001:2013 certificates are valid for 3 years
• Cost
− Varies based on how the certification is achieved
− ISO 2700x certification costs USD 48,000 – USD 80,000
− FedRAMP costs in the USD 75,000 – USD 125,000 range