Cloud security certifications: A comparison to improve cloud service provider security

Carlo Di Giulio, Read Sprabery, Charles Kamhoua, Kevin Kwiat, Roy H. Campbell, Masooda N. Bashir

Research output: Conference contribution (chapter in book/report/conference proceeding)

Abstract

The great diffusion of cloud computing applications and services in recent years has brought new threats to the security of information. IT certification and authorization mechanisms try to provide assurance against those threats by leveraging high security standards and controls. Two examples of such certifications based on IT security controls are ISO/IEC 27001 and FedRAMP. While these two certifications largely share their scope, it is important to note that ISO/IEC 27001 is a standard adopted worldwide since 2005, whereas FedRAMP was developed in 2012 specifically for cloud service providers serving the US Government. New frameworks, however, are not always more effective than earlier ones, especially in the fast-moving world of cloud computing, where IT security standards need to be constantly updated. This study offers an overview of the adequacy and completeness of ISO/IEC 27001 and FedRAMP, calling into question the level of protection they provide by comparing them to each other and evaluating both against known threats to cloud computing. The study identifies weaknesses in the certification build process and highlights necessary improvements. Copyright is held by the owner/author(s).

Original language: English (US)
Title of host publication: Proceedings of the 2nd International Conference on Internet of Things and Cloud Computing, ICC 2017
Editors: Hani Hamdan, Djallel Eddine Boubiche, Faouzi Hidoussi
Publisher: Association for Computing Machinery
ISBN (Electronic): 9781450347747
DOI: https://doi.org/10.1145/3018896.3025169
State: Published - Mar 22 2017
Event: 2nd International Conference on Internet of Things and Cloud Computing, ICC 2017 - Cambridge, United Kingdom
Duration: Mar 22 2017 - Mar 23 2017

Publication series

Name: ACM International Conference Proceeding Series

Other

Other: 2nd International Conference on Internet of Things and Cloud Computing, ICC 2017
Country: United Kingdom
City: Cambridge
Period: 3/22/17 - 3/23/17

Keywords

  • Certification
  • Cloud
  • FedRAMP
  • Framework
  • ISO
  • Privacy
  • Security
  • Standard

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Cite this

Di Giulio, C., Sprabery, R., Kamhoua, C., Kwiat, K., Campbell, R. H., & Bashir, M. N. (2017). Cloud security certifications: A comparison to improve cloud service provider security. In H. Hamdan, D. E. Boubiche, & F. Hidoussi (Eds.), Proceedings of the 2nd International Conference on Internet of Things and Cloud Computing, ICC 2017 [a120] (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3018896.3025169
