Cloud Security Benchmark: Top 10 Cloud Service Providers Executive Summary January 5, 2015

Transcription

1 Cloud Security Benchmark: Top 10 Cloud Service Providers Executive Summary January 5, CloudeAssurance Page 1

2 Table of Contents Copyright and Disclaimer... 3 Results: Top 10 Cloud Service Providers Q Results: Top 10 Control Gaps Q Updates in this Report... 6 Benefits of a CloudeAssurance Rating Score... 6 Continuous Improvement: Addressing Key Issues and Control Gaps The CloudeAssurance Platform... 8 CloudeAssurance AlertApp! Mobile Application Contact CloudeAssurance Page 2

3 Copyright and Disclaimer 2015 CloudeAssurance All rights reserved. You may download this study, store or display it on your computer, view, print, and also point to the CloudeAssurance website However, (a) this document may ONLY be used solely for personal, informational, and non- commercial use; (b) the document may not be altered or changed in any way from its published form; (c) the document may not be redistributed without the expressed written permission of CloudeAssurance; and (d) the trademark, copyright or any other relevant notices may not be removed at any time. Please see section (b) above. As permitted by the Fair Use provisions of the United States Copyright Act, you may quote segments of the document, but only if due diligence is adhered to by attributing appropriate citations and attributions to CloudeAssurance Cloud Security Benchmark: Top 10 Cloud Service Providers (Q4, 2014). NO WARRANTY. CloudeAssurance makes this document available AS- IS, and makes no warranty as to its accuracy or use. The information contained in this document may include inaccuracies or typographical errors, and may not reflect the most current developments, and CloudeAssurance does not represent, warrant or guarantee that it is complete, accurate, or up- to- date, nor does CloudeAssurance offer any certification or guarantee with respect to any opinions expressed herein or any references provided. Changing circumstances may change the accuracy of the content herein. Opinions presented in this document reflect judgment at the time of publication and are subject to change. Any use of the information contained in this document is at the risk of the user. CloudeAssurance assumes no responsibility for errors, omissions, or damages resulting from the use of or reliance on the information herein. CloudeAssurance reserves the right to make changes at any time without prior notice CloudeAssurance Page 3

4 Results: Top 10 Cloud Service Providers Q The following graphics represent the results of this independent study. They disclose the Top 10 Cloud Service Providers for Q4 2014, ranked by their CloudeAssurance cloud rating score. Table 1 lists the Top 10 Cloud Service Providers for Q4 2014, while the bar graph below illustrates the information. *Note: Additional details behind this study and its methodology are provided in a separate document entitled Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E. Table 1: Top 10 Cloud Service Providers 2015 CloudeAssurance Page 4

5 Results: Top 10 Control Gaps Q Table 2 below lists the Top 10 Control Gaps identified in the Top 10 Cloud Service Providers for Q Table 2: Top 10 Control Gaps 2015 CloudeAssurance Page 5

6 Updates in this Report There were no new entries or changes to the Top 10 Cloud Service Provider list in Q4 2014, however please note that New World Telecommunications Limited changed from a score of 569 to 566 as a result of their self- assessing against the updated CAIQ and CCM v3.0.1 standard, but maintained its #7 position on the list. Additionally, while the Top 10 cloud control gaps did not change, the RI- 06 Risk Management Program control, moved from the #7 control gap position to the #10 control gap position. The total amount of CSPs assessed for the study continues to grow, up in Q4 from 76 CSPs to 87 CSPs assessed, an increase in sample size of 14%. Our sample size continues to grow exponentially each quarter and is expected to continue in subsequent releases of this report. Benefits of a CloudeAssurance Rating Score A CloudeAssurance rating score is a valuable asset that can be effectively utilized by a cloud service provider, cloud customer, cloud auditor, cloud broker or cyber liability insurance underwriter. One of the most valuable benefits of a CloudeAssurance rating score is that regardless of whether a CSP attains a high or a low score, it will be remain an essential benchmark because it reflects the overall state of the CSP s security posture, while also exposing areas of possible security concern and highlighting process maturity as well. Additionally, this score also discloses key concerns within a CSP s environment or service that may require or benefit from continuous improvement, and identifies key control weaknesses that may lead to a significant security breach and the loss of sensitive information. This awareness can potentially save both the cloud service provider and their consumers millions of dollars in losses and reactive remediation costs, and also offers the opportunity for the cloud service provider to proactively improve their cloud security score to a desired level to demonstrate transparency, cultivate trust and establish due diligence within the marketplace. A CSP can further differentiate itself by pursuing Cloud Assurance Assessor Program (CAAP) Validation, a 3- step validation process that allows a cloud service provider to clearly demonstrate a commitment to security through a numerical rating similar to a credit score. Once the CAAP Validation process has taken place, the provider can then display their cloud security score to the public, displaying assurance to potential customers and prospects in the market that the CSP takes security seriously and can be trusted to manage their data safely and securely. A validation seal displaying the cloud score, approved by the HISPI CAAP Oversight Board and based on a scale of 0 to 1000, directly supplements existing certifications such as ISO/IEC and FedRAMP, and provides an ongoing measurable level of cloud security and trust to the public. CAAP remains the only cloud specific validation process of its kind in the world today, and continues to increase its global footprint through strong partnership support by authorized validation partners such as SGS and TUV. From the perspective of cloud consumers, every organization faces inherent risk to their information assets on a daily basis, risk that can never be entirely eliminated. Risk can be tolerated, transferred, terminated, or reduced to levels deemed acceptable, but the fact remains that consumers of cloud services will always face emerging cloud security challenges in addition to traditional IT risks that threaten their data at any given time. A cloud consumer can use a CSPs validated rating score to identify, quantify and prioritize risks in a timely manner, and enable the safe and secure adoption of responsible, reliable and secure cloud service providers CloudeAssurance Page 6

7 In turn, this can potentially save the enormous costs associated with security threats to cloud computing services being realized by criminals, as displayed with the recent Google Gmail, Apple icloud, Code Spaces and ebay hacks. A CloudeAssurance cloud security rating score will always help businesses identify where information security associated with cloud adoption could be stronger, and is essential in pinpointing key control weaknesses and areas of possible exposure for an organization. A stronger awareness and education on the cloud security posture of CSPs will help consumers of cloud services, as well as the CSPs themselves, to stay current with the continuously changing threat landscape emerging for this business model. Furthermore, the need for a generally accepted baseline and benchmark for the security of CSPs has become an urgent need within the industry, as such a benchmark will provide transparency into the emphasis being placed in the continuous improvement of cloud security by cloud service providers. In response to these industry needs and the benefits that a cloud security score provides to stakeholders, CloudeAssurance continues to perform this independent study quarterly, with the goal of assessing and understanding the overall cloud security posture of CSPs both in the present and over time. In a cloud computing market where security is the principal barrier to its adoption, this study delivers an essential service to an industry in need of assurance, trust and transparency. Continuous Improvement: Addressing Key Issues and Control Gaps The purpose of this independent study is to create a list of Top 10 CSPs by security rating score to provide not only a snapshot of the cloud security posture of these CSPs, but also to measure and assess the general attitude and emphasis being placed on information security within cloud services and environments by the CSPs that provide and control them. We are hopeful that this research will act as a catalyst for further study and investigation in this area, because it is vital to cloud consumers that the CSPs entrusted with their data embrace the responsibility that comes with it. Continuous improvement is a well- known and valuable business process that forms the cornerstone of information security management and effective data protection. With the cloud, it can be easy for organizations to fall into complacency and assume that being compliant means that their organization is secure. This reliance on compliance alone is a false perception that has become common both within the cloud and non- cloud environments. With highly publicized security breaches at major organizations such as Home Depot and Target Corporation, this mentality continues to cause widespread damage to businesses of all sizes. As such, there is an urgent need for CSPs to obtain, understand and utilize their CloudeAssurance rating scores to the fullest extent possible to mitigate these risks and build trust within the marketplace. This study seeks to provide a valuable service to encourage not only CSPs to actively improve their cloud security and transparency, but also give consumers a reliable method for assessing either prospective or current CSPs to become better equipped to operate safely and securely within the cloud. The cloud is constantly evolving the way in which data is being stored, processed and transmitted, and consumers need to make informed decisions on where and how their data is handled in the cloud. CloudeAssurance is also subject to the same responsibility of providing security, reliability and trust to our customers and the industry as a whole. We are always seeking ways in which we can continuously improve 2015 CloudeAssurance Page 7

8 our platform for the betterment of our industry and we highly value and welcome any feedback from both customers and non- customers alike. We remain committed to and passionate about the industry s need to continuously improve the protection of data entrusted to CSPs by their customers. The CloudeAssurance SaaS Platform The CloudeAssurance SaaS platform plays a vital role in this study. Without it, the study would be extremely difficult, if not impossible, to undertake. The centralized data management, tracking and automated assessment and reporting capabilities made available within the platform allows the study to be performed continuously each quarter. CloudeAssurance AlertApp! Mobile Application The data from this independent study is used in conjunction with the CloudeAssurance mobile application AlertApp!, which provides real time alerts to stakeholders such as consumers, underwriters, auditors and brokers. The alerts include notifications of cloud security ratings, security breaches and class action lawsuits relating to cloud services that are being utilized or considered by stakeholders, thereby allowing users to proactively monitor, measure and quantify the risks related to the use of these cloud services. AlertApp! was first released to Google Play in August 2014 and the Apple Store (itunes) in September Contact Please send all feedback, inquiries and requests to solutions@cloudeassurance.com 2015 CloudeAssurance Page 8