IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers

Carlo Di Giulio; Read Sprabery; Charles Kamhoua; Kevin Kwiat; Roy Campbell; Masooda N. Bashir

doi:10.1109/CCGRID.2017.137

IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers

Carlo Di Giulio, Read Sprabery, Charles Kamhoua, Kevin Kwiat, Roy Campbell, Masooda N. Bashir

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

To demonstrate compliance with privacy and security principles, information technology (IT) service providers often rely on security standards and certifications. However, the appearance of new service models such as cloud computing has brought new threats to information assurance, weakening the protection that existing standards can provide. In this study, we analyze four highly regarded IT security standards used to assess, improve, and demonstrate information systems assurance and cloud security. ISO/IEC 27001, SOC 2, C5, and FedRAMP are standards adopted worldwide and constantly updated and improved since the first release of ISO in 2005. We examine their adequacy in addressing current threats to cloud security, and provide an overview of the evolution over the years of their ability to cope with threats and vulnerabilities. By comparing the standards alongside each other, we investigate their complementarity, their redundancies, and the level of protection they offer to information stored in cloud systems. We unveil vulnerabilities left unaddressed in the four frameworks, thus questioning the necessity of multiple standards to assess cloud assurance. We suggest necessary improvements to meet the security requirements made indispensable by the current threat landscape.

Original language	English (US)
Title of host publication	Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	1090-1099
Number of pages	10
ISBN (Electronic)	9781509066100
DOIs	https://doi.org/10.1109/CCGRID.2017.137
State	Published - Jul 10 2017
Event	17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017 - Madrid, Spain Duration: May 14 2017 → May 17 2017

Publication series

Name	Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017

Other

Other	17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017
Country/Territory	Spain
City	Madrid
Period	5/14/17 → 5/17/17

Keywords

C5
Certification
Cloud
FedRAMP
Framework
ISO
Privacy
SOC
Security
Standard

ASJC Scopus subject areas

Computer Networks and Communications
Hardware and Architecture

Online availability

10.1109/CCGRID.2017.137

Library availability

Discover UIUC Full Text

Cite this

Giulio, C. D., Sprabery, R., Kamhoua, C., Kwiat, K., Campbell, R., & Bashir, M. N. (2017). IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers. In Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017 (pp. 1090-1099). Article 7973818 (Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CCGRID.2017.137

IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers. / Giulio, Carlo Di; Sprabery, Read; Kamhoua, Charles et al.
Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017. Institute of Electrical and Electronics Engineers Inc., 2017. p. 1090-1099 7973818 (Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Giulio, CD, Sprabery, R, Kamhoua, C, Kwiat, K, Campbell, R & Bashir, MN 2017, IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers. in Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017., 7973818, Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017, Institute of Electrical and Electronics Engineers Inc., pp. 1090-1099, 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017, Madrid, Spain, 5/14/17. https://doi.org/10.1109/CCGRID.2017.137

Giulio CD, Sprabery R, Kamhoua C, Kwiat K, Campbell R , Bashir MN. IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers. In Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017. Institute of Electrical and Electronics Engineers Inc. 2017. p. 1090-1099. 7973818. (Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017). doi: 10.1109/CCGRID.2017.137

Giulio, Carlo Di ; Sprabery, Read ; Kamhoua, Charles et al. / IT Security and Privacy Standards in Comparison : Improving FedRAMP Authorization for Cloud Service Providers. Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017. Institute of Electrical and Electronics Engineers Inc., 2017. pp. 1090-1099 (Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017).

@inproceedings{d5a71f7ef51e42e1b4715520e0c21ce4,

title = "IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers",

abstract = "To demonstrate compliance with privacy and security principles, information technology (IT) service providers often rely on security standards and certifications. However, the appearance of new service models such as cloud computing has brought new threats to information assurance, weakening the protection that existing standards can provide. In this study, we analyze four highly regarded IT security standards used to assess, improve, and demonstrate information systems assurance and cloud security. ISO/IEC 27001, SOC 2, C5, and FedRAMP are standards adopted worldwide and constantly updated and improved since the first release of ISO in 2005. We examine their adequacy in addressing current threats to cloud security, and provide an overview of the evolution over the years of their ability to cope with threats and vulnerabilities. By comparing the standards alongside each other, we investigate their complementarity, their redundancies, and the level of protection they offer to information stored in cloud systems. We unveil vulnerabilities left unaddressed in the four frameworks, thus questioning the necessity of multiple standards to assess cloud assurance. We suggest necessary improvements to meet the security requirements made indispensable by the current threat landscape.",

keywords = "C5, Certification, Cloud, FedRAMP, Framework, ISO, Privacy, SOC, Security, Standard",

author = "Giulio, {Carlo Di} and Read Sprabery and Charles Kamhoua and Kevin Kwiat and Roy Campbell and Bashir, {Masooda N.}",

note = "Publisher Copyright: {\textcopyright} 2017 IEEE.; 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017 ; Conference date: 14-05-2017 Through 17-05-2017",

year = "2017",

month = jul,

day = "10",

doi = "10.1109/CCGRID.2017.137",

language = "English (US)",

series = "Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "1090--1099",

booktitle = "Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017",

address = "United States",

}

TY - GEN

T1 - IT Security and Privacy Standards in Comparison

T2 - 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017

AU - Giulio, Carlo Di

AU - Sprabery, Read

AU - Kamhoua, Charles

AU - Kwiat, Kevin

AU - Campbell, Roy

AU - Bashir, Masooda N.

PY - 2017/7/10

Y1 - 2017/7/10

N2 - To demonstrate compliance with privacy and security principles, information technology (IT) service providers often rely on security standards and certifications. However, the appearance of new service models such as cloud computing has brought new threats to information assurance, weakening the protection that existing standards can provide. In this study, we analyze four highly regarded IT security standards used to assess, improve, and demonstrate information systems assurance and cloud security. ISO/IEC 27001, SOC 2, C5, and FedRAMP are standards adopted worldwide and constantly updated and improved since the first release of ISO in 2005. We examine their adequacy in addressing current threats to cloud security, and provide an overview of the evolution over the years of their ability to cope with threats and vulnerabilities. By comparing the standards alongside each other, we investigate their complementarity, their redundancies, and the level of protection they offer to information stored in cloud systems. We unveil vulnerabilities left unaddressed in the four frameworks, thus questioning the necessity of multiple standards to assess cloud assurance. We suggest necessary improvements to meet the security requirements made indispensable by the current threat landscape.

AB - To demonstrate compliance with privacy and security principles, information technology (IT) service providers often rely on security standards and certifications. However, the appearance of new service models such as cloud computing has brought new threats to information assurance, weakening the protection that existing standards can provide. In this study, we analyze four highly regarded IT security standards used to assess, improve, and demonstrate information systems assurance and cloud security. ISO/IEC 27001, SOC 2, C5, and FedRAMP are standards adopted worldwide and constantly updated and improved since the first release of ISO in 2005. We examine their adequacy in addressing current threats to cloud security, and provide an overview of the evolution over the years of their ability to cope with threats and vulnerabilities. By comparing the standards alongside each other, we investigate their complementarity, their redundancies, and the level of protection they offer to information stored in cloud systems. We unveil vulnerabilities left unaddressed in the four frameworks, thus questioning the necessity of multiple standards to assess cloud assurance. We suggest necessary improvements to meet the security requirements made indispensable by the current threat landscape.

KW - C5

KW - Certification

KW - Cloud

KW - FedRAMP

KW - Framework

KW - ISO

KW - Privacy

KW - SOC

KW - Security

KW - Standard

UR - http://www.scopus.com/inward/record.url?scp=85027470377&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85027470377&partnerID=8YFLogxK

U2 - 10.1109/CCGRID.2017.137

DO - 10.1109/CCGRID.2017.137

M3 - Conference contribution

AN - SCOPUS:85027470377

T3 - Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017

SP - 1090

EP - 1099

BT - Proceedings - 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID 2017

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 14 May 2017 through 17 May 2017

ER -

IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this