Independent Certification for
Cloud Service Providers (CSP)
Winter 2020 || Network and System Security Analysis (T413) || George Brown College, Casa Loma Campus
Presented By : Group 06
Sakhawat Hossain : 101292375
Salem Neaz : 101292698
Ummey Humayra Poney : 101308277
Contents
• Objective
• A Brief on Cloud Computing
• Cloud Deployment Model
• Cloud Service Model
• Cloud Architecture
• Certification & Its Importance
• List of Certification
• Comparison
• Certificate Validity and Costing
Objective:
The objective of this term paper assignment is:
• To explore various certification / assurance frameworks for Cloud Service Providers (CSPs)
− List their names
− Describe the features of these frameworks
− Compare them
Cloud Computing:
• Definition:
− An operational model
− A set of technologies to manage resources
− A shared pool of resources
• Motivation:
− Optimize resource utilization
− Cost reduction (pay per use)
− Reduced time for implementation
− Resilience
Cloud Deployment Models
• Public cloud:
− Infrastructure is owned by the CSP
− Available to the general public or a large industry group
• Private cloud:
− Infrastructure is owned by an organization / enterprise
− Managed by that organization or a third party
• Community cloud:
− Infrastructure is shared by several organizations
− Supports a specific community
− Meets a shared concern
• Hybrid cloud:
− Infrastructure is a combination of two or more of the above types
− Supports resource portability
Cloud Deployment Models (diagram slide)
Cloud Service Models (diagram slides)
Cloud Architecture (diagram slide)
Source: Controls and Assurance in the Cloud using COBIT 5 by ISACA
Certification: What & Why
• Users’ perspective:
− Selection of a CSP
− Whom to trust with my data
− Who has the best technology
− Best value for money
− Availability
• CSPs’ perspective:
− Secured infrastructure deployment
− Standardized processes in place
− No gaps in the design
− Higher brand value
• Certification showcases credibility and assurance
3rd Party Certification: Why
• “Industry certification” of a CSP indicates:
− An independent assessment of the platform
− Confirmation of the service levels the CSP can offer
• Unbiased
• Strengthens the CSP’s brand value
List of Certification / Frameworks
Frameworks that provide 3rd party certification:
1. AICPA / CICA Trust Services (SysTrust and WebTrust)
2. AICPA Service Organization Control (SOC) Reports
3. CSA STAR Certification
4. ISO 20000
5. ISO / IEC 27001:2005
Frameworks with no 3rd party certification:
6. Background Intelligent Transfer Service (BITS)
7. Cloud Control Matrix
8. COBIT 5
9. European Network and Information Security Agency (ENISA)
10. Federal Risk and Authorization Management Program (FedRAMP)
11. Jericho Forum® Self-Assessment Scheme (SAS)
12. Leet Security Rating Methodology
13. NIST SP 800-53
Comparison
AICPA / CICA Trust Service
Description:
- CSPs can engage a CPA firm to perform a Trust Service Examination
- Assures CSPs’ clients that the CSP’s system controls meet one or more of the Trust Service Principles (Security, Privacy, Availability, Confidentiality and Processing Integrity)
Features:
− Offers 3rd party examination under the attestation of AICPA
− Trust service examination reports can be shared with prospective clients
− Recognized and well accepted
AICPA SOC 1 Report
Description:
- CSPs can engage a CPA firm to produce a SOC 1 Report
- A SOC 1 report assures customers and their auditors about the CSP’s controls on which clients’ financial reporting processes and systems rely.
Features:
− Offers 3rd party examination under the attestation of AICPA/CICA
− Recognized and well accepted
− Not intended to be shared with customers
CSA STAR Certification
Description:
- Allows CSPs to give prospective customers a greater understanding of their levels of security controls
- Leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Control Matrix
Features:
− Technology-neutral certification
− Based on a 3rd party independent assessment of the security of a CSP
ISO 20000 & ISO/IEC 27001/27002
Description:
- ISO 20000 provides a service process framework and service process accreditation relative to the standard processes
- ISO 2700x provides a security framework and process accreditation relative to the standard processes
Features:
− Can provide independent 3rd party certification on which CSP clients can rely
− Recognized and well accepted, popular mostly in Europe
Background Intelligent Transfer Service (BITS)
Description:
- Used by financial institutions to evaluate a CSP’s IT controls over its platform (security, privacy and business continuity)
- Financial institutions can provide a Shared Assessments SIG questionnaire and may also provide a Shared Assessments AUP report.
Features:
− Recently established but commonly known framework for financial services enterprises
− The AUP report can provide independent 3rd party assurance on which users can rely
Cloud Control Matrix
Description:
- Provides a framework that is specifically focused and targeted at cloud security controls
- Based on industry-accepted security standards, regulations and controls frameworks, including controls from HIPAA, ISO/IEC 27001/27002, COBIT, PCI and NIST
Features:
− Not yet commonly understood or consistently accepted as a framework for cloud security
COBIT 5
Description:
- ISACA’s comprehensive framework to evaluate cloud environments across the entire ecosystem
- Mapped to cloud risk and controls by ISACA
Features:
− Commonly understood and accepted framework
− Not originally created for cloud-specific risk
European Network and Information Security Agency (ENISA)
Description:
- Provides broader guidance that is specifically focused and targeted on cloud risk controls
- IT audit and assurance can readily translate specific risk points into control points, then into IT audit tests
Features:
− Not yet commonly understood or consistently accepted as a framework
Federal Risk and Authorization Management Program (FedRAMP)
Description:
- Specifically designed for cloud computing services
- A common security risk model that provides a consistent baseline for cloud-based technologies
- Provides assurance through A&A
Features:
− Widely used by US federal agencies
− Currently limited to deployment within government agencies
Jericho Forum® Self-Assessment Scheme (SAS)
Description:
- Provides a security framework that is specifically focused and targeted on CSPs self-assessing their cloud offering
- Potential cloud clients can use it to include security requirements in their RFPs
Features:
− Not yet commonly understood as a framework for CSPs
Leet Security Rating Methodology
Description:
- A rating methodology developed by Leet Security
- Labels CSPs’ security measures with a unified rating
- Gives customers the flexibility to choose the best fit for their security requirements
Features:
− Not yet commonly accepted as a rating methodology
NIST SP 800-53
Description:
- Provides a broad risk and security framework to evaluate cloud environments
Features:
− Commonly understood guidance from a highly respected security standard-setting body
− Not specifically focused on unique cloud risks and standards
Certification Validity & Cost
• Validity
− Certification is a continuous process
− Frequent and timely audits mean less deviation from standard practices
− Achieves an “always-up-to-date” compliance status
− ISO 20000-1:2011 (now 2018) and ISO 27001:2013 certificates are valid for 3 years
• Cost
− Varies based on how the certification is achieved
− ISO 2700x certification costs USD 48,000 – USD 80,000
− FedRAMP costs fall in the USD 75,000 – USD 125,000 range
Questions?
Thanks
