Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015

Transcription

1 Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, CloudeAssurance Page 1

2 Table of Contents Copyright and Disclaimer... 3 Appendix A: Introduction... 4 Appendix B: Methodology & Scoring Guidelines... 5 Appendix C: Cloud Security Benchmark... 7 Appendix D: Glossary Appendix E: References Contact CloudeAssurance Page 2

3 Copyright and Disclaimer 2015 CloudeAssurance All rights reserved. You may download this study, store or display it on your computer, view, print, and also point to the CloudeAssurance website However, (a) this document may ONLY be used solely for personal, informational, and non- commercial use; (b) the document may not be altered or changed in any way from its published form; (c) the document may not be redistributed without the expressed written permission of CloudeAssurance; and (d) the trademark, copyright or any other relevant notices may not be removed at any time. Please see section (b) above. As permitted by the Fair Use provisions of the United States Copyright Act, you may quote segments of the document, but only if due diligence is adhered to by attributing appropriate citations and attributions to CloudeAssurance Cloud Security Benchmark: Top 10 Cloud Service Providers (Q4, 2014). NO WARRANTY. CloudeAssurance makes this document available AS- IS, and makes no warranty as to its accuracy or use. The information contained in this document may include inaccuracies or typographical errors, and may not reflect the most current developments, and CloudeAssurance does not represent, warrant or guarantee that it is complete, accurate, or up- to- date, nor does CloudeAssurance offer any certification or guarantee with respect to any opinions expressed herein or any references provided. Changing circumstances may change the accuracy of the content herein. Opinions presented in this document reflect judgment at the time of publication and are subject to change. Any use of the information contained in this document is at the risk of the user. CloudeAssurance assumes no responsibility for errors, omissions, or damages resulting from the use of or reliance on the information herein. CloudeAssurance reserves the right to make changes at any time without prior notice CloudeAssurance Page 3

4 Appendix A: Introduction This document contains a glossary of definitions that provides insight into the key terms and concepts used within the CloudeAssurance independent study entitled Cloud Security Benchmark: Top 10 Cloud Service Providers, as well as a detailed look at the scoring methodology utilized for the study. This document aims to provide the reader with a clear and concise understanding of the various acronyms, expressions, and language used throughout the study, as well as a comprehensive understanding of the scoring and assessment methodology applied. Cloud computing is a growing industry that was projected to reach $148.8 billion globally by the end of 2014 (source: Gartner, Q4 2012). The technology has successfully introduced the world to the accessibility of near limitless resources, unrivaled scalability, and enormous cost savings for information technology infrastructure and capital expenses for an enterprise. With cloud adoption rates skyrocketing internationally, there can be little doubt that the cloud represents one of the most innovative and efficient service models ever developed. Streamlined processes and unrivaled accessibility both help to explain the ever growing focus on this innovative business model. They also provide a clear understanding of why a seemingly endless number of cloud service providers (CSPs) continue to emerge daily, offering services for everything from simple storage space and processing power to platform and application development and release capabilities. The cloud is the future of business, and has already begun to transform it in its entirety. Yet while the cloud does indeed offer numerous advantages for both the public and private sectors, it also brings with it the responsibility of adequately securing the massive amounts of data that is processed, stored and provisioned within it on a daily basis. Information security and assurance is nothing short of mission critical to organizations and cloud customers because issues surrounding the exchange of information and the handling of data affects every enterprise as they attempt to provide services and achieve their various business goals and objectives. The cloud certainly does provide the most powerful and efficient way to better advance and achieve these various goals, but it also opens the door to increased security threats, risks and exposure as well. Most importantly, because it is a new service model, there is a general lack of experience in securing data within the cloud environment. The efortresses Security Breaches Matrix ( ) clearly indicates that cloud related security breaches are on the rise and have become an unsettling reality in today s world. Major incidents such as the recent Apple icloud, Code Spaces and ebay hacks reveal a clear shift in attacks towards companies providing cloud services and operating within the cloud environment. Additional security breaches such as the Target Corporation hack clearly reveal an increasing trend in attacks on not only organizations, but their supply chains as well. With the rising prevalence of CSPs and their various cloud service offerings, as well as the unique threat landscape that the cloud presents, it is critical that the risks associated with the storage and processing of data in the cloud be adequately managed by the CSPs entrusted with this data. The CloudeAssurance platform and the AlertApp! mobile application was created to bridge the critical security gaps that exist within the cloud industry and provide both the guidance and resources needed to identify, remediate and validate the security of the cloud. This platform enables not only cloud assurance, but also vendor assurance and consumer assurance as well, being a standards based, all- encompassing solution that is capable of addressing not just cloud security concerns, but any information security standard or framework as well (including updated standards such as PCI- DSS 3.0, ISO/IEC 27001:2013 and NIST Cybersecurity Framework 1.0) CloudeAssurance Page 4

5 Appendix B: Methodology & Scoring Guidelines Company profiles referred to as Assessment Profiles were created within CloudeAssurance using publicly available information about each cloud service provider (CSP) included in the study. Each Cloud Service Provider voluntarily submitted self- assessment documents to the Cloud Security Alliance (CSA) STAR Registry to reflect the transparency of their cloud security posture and control maturity, information that served as the primary source material for a given security assessment. The CSA GRC Stack, the standard used for these self- assessments, was imported into the CloudeAssurance platform and used in the scoring process to provide an apples to apples comparison. Please note that while the entries listed within the CSA STAR Registry form the study sample size, not all entries are used, as not all entries include self- assessment information for the cloud service provider. Within an assessment, a CSP s responses to questions within each of the eleven domains for this framework were analyzed and given a YES, NO, Partial, or N/A answer. We also assigned an accompanying maturity level to each response using the CMMI model of maturity, a proven maturity model utilized by many industries to measure process maturity based on a scale of 1-5. It is important to understand that while some cloud service providers provided detailed and thorough self- assessment information, others were overly vague or provided only YES or NO answers, with no control evidence or descriptions to accompany such responses. As a result, it was necessary for researchers to create a uniform scoring system to reflect the differences in approach that CSPs took to their self- assessment documents. Since the purpose of this study is to provide an objective, systematic and fair representation of each CSP s cloud security, assessors agreed that criteria needed to be established that could be applied to all assessments across the board. The result was a simple yet effective set of guidelines: if a CSP has achieved ISO certification, then any YES response is assigned a maturity level of 3, denoting a Defined process on the CMMI scale. However, if the CSP does not hold ISO certification, then any YES responses are assigned a 2 score instead to reflect this difference in maturity, regardless of the level of detail provided with such responses. Partial responses are universally scored a 2, while all NO responses are assigned a 1 score on the CMMI maturity scale to denote a process or control that is in an Initial maturity state. N/A responses are handled in the following manner. If a control is comprised of multiple questions or control areas, for instance three questions requiring three separate answers, and the provider has given two YES responses and one N/A, then the overall response is marked as YES with either a 3 or a 2 score according to the above mentioned criteria. Essentially, N/A responses are subtracted from the other responses when determining a maturity score for that specific control, with the remainder determining the final score. Please note that an abundance of N/A responses does negatively impact a CSP s rating score, to serve as a checks and balances system and prevent CSPs from excluding an abundance of relevant controls and artificially boosting their score. Scoring table 1.1 below provides a simple visual representation of the scoring criteria used by assessors across all CAIQ responses for any given CSP. Please note that a CSP s provisional score is capped at a maximum of 600 unless an independent CAAP validation assessment is performed by an assessor qualified through the HISPI CAAP (Cloud Assurance Assessor Program), which ensures the effective implementation and maturity of controls. Without performing an independent on- site CAAP Validation Assessment, the exact levels of compliance and maturity cannot be validated, which is why capping each CSP s controls at the Defined maturity level (CMMI level 3, the expected maturity level for a CSP with ISO certification) is appropriate for this study. However, it 2015 CloudeAssurance Page 5

6 should be emphasized that when a CSP undertakes CAAP Validation, the validated score can rise above 600 and can be included in the Top 10 CSP study, with the CSP s permission. Table 1.1: Scoring Guidelines CAIQ Response Score Maturity Level Yes 2 or 3 Managed / Defined No 1 Initial Partial 2 Managed N/A None N/A 2015 CloudeAssurance Page 6

7 Appendix C: Cloud Security Benchmark The study was initially performed over a period of three months in the final quarter of 2012, and has been carried out and updated quarterly since that time. This update and release covers Q4 2014, and involved the analysis and evaluation of 87 CSPs using their publicly available self- assessment documents from the CSA STAR Registry. It also utilized publicly available information relating to each CSP s ISO Certification scope. The independent assessment approach used ensures impartiality and objectivity throughout the study. Each CSP s self- assessment information was gathered and entered into the CloudeAssurance platform. Revisions and alterations to the CAIQ response documents creates the need to regularly check for information updates, as any changes or re- submittals can drastically alter the assessment scores. For example, while Firehost did not initially make the Top 10 list in Q4 2012, they achieved ISO certification in early Q and demonstrated continuous improvement in the process, resulting in the CSP making the Top 10 list in Q Dates when assessments were last updated are documented within CloudeAssurance and kept current to establish consistency. The scoring guidelines are applied universally to all assessments and regularly checked for both completeness and accuracy. As a result of these measures, the provisional scores for these CSPs reflect strong objectivity and neutrality in which CloudeAssurance carries out all assessments. The goals of this benchmarking effort are to identify and create a Top 10 list of CSPs, to observe the general cloud security posture of numerous CSPs, identify control weaknesses, and establish a sense of the focus and overall emphasis that CSPs place on the information security concerns and the maturity of their cloud services. The inclusion of additional CSPs in future assessments is expected each quarter, and will provide further insight into the cloud security posture of CSPs, enhancing existing benchmark data available to cloud customers in the process CloudeAssurance Page 7

8 Appendix D: Glossary AlertApp! Powered by CloudeAssurance and the Top 10 Cloud Service Providers independent study, AlertApp! is a mobile application that allows cloud consumers to monitor the safety and security of their data in the cloud. Users can proactively track in real time the cloud security ratings, security breaches, lawsuits and major outages impacting the cloud services that they use and enable them to act accordingly. Assessment The systematic process of analyzing a cloud service provider s (CSP) overall cloud security posture using their own submitted self- assessments performed against the Cloud Security Alliance CAIQ and Cloud Controls Matrix. The assessment data, which is publicly available information, is carefully analyzed, assessed and entered into the CloudeAssurance platform for centralized and automated scoring, tracking, trending and benchmark reporting. Assessor The individual performing the assessment of a CSP s cloud security environment using the CSP s self- assessment information analyzed within the CloudeAssurance platform. Capability Maturity Model Integration (CMMI) A widely used and proven model of process maturity developed by the Carnegie Mellon University that identifies the maturity level of various processes and controls using a scale of 1 5: 1. Initial Processes unpredictable, poorly controlled and REACTIVE. 2. Managed Processes characterized for PROJECTS and is often MANAGABLE. 3. Defined Processes characterized for the ORGANIZATION and is PROACTIVE. 4. Quantitatively Managed Processes QUANTITATIVELY measured and controlled. 5. Optimizing Focus on CONTINUOUS PROCESS improvement. Cloud Controls Matrix (CCM) The Cloud Controls Matrix v1.1, v3.0 and v3.0.1 are the cloud security frameworks developed by the Cloud Security Alliance (CSA) that are leveraged for the study. Cloud Service Provider (CSP) A company offering cloud services whose cloud service is the focus of this study. CloudeAssurance Platform The industry s first truly risk- intelligent rating and continuous monitoring system providing assurance regarding a cloud service provider s cloud security, governance, risk and compliance using a 10- year proven algorithm developed by efortresses, Inc. Customers and end users can know which cloud providers have the best cloud assurance score and history, validated criteria that provides a dependable measure of cloud trust. The platform enables the safe and secure adoption of cloud computing, and includes gap identification, reporting and automated assessment capabilities. CloudeAssurance Rating Score The CloudeAssurance Rating Score is based on an integrated controls framework consisting of the CSA CAIQ, CSA CCM, the HISPI Top 20 Security Breaches Mitigating Controls and 2015 CloudeAssurance Page 8

9 CMMI. The framework used for this Rating System includes ISO 27001, COBIT, PCI- DSS, HIPAA, NIST SP and FedRAMP. This rating score represents a CSP s overall security assessment and control adequacy, similar to a credit worthiness score, and is calculated within the CloudeAssurance platform using a 10- year field proven scoring algorithm. This proprietary algorithm utilizes a mixture of compliance and process maturity to offer a gauge of true security for a cloud service provider, and represents the overall security posture of the CSP s cloud environment. Consensus Assessments Initiative Questionnaire (CAIQ) An extensive and robust questionnaire developed by the Cloud Security Alliance that allows for the documentation and transparency of the various security controls that exist across an organization s cloud infrastructure and service model (IaaS, PaaS, SaaS). The CAIQ directly compliments the CSA s CCM and is the primary source of information used in the assessment process for this study. A CSP s response to the questionnaire is voluntarily submitted and is publicly available information found in the CSA STAR Registry. HISPI The Holistic Information Security Practitioner Institute (HISPI) is a highly respected independent certification organization that consists of numerous industry experts including Chief Information Security Officers (CISOs), Information Security Officers (ISOs), Directors of Information Security, Security Analysts and Security engineers, among other industry professionals. HISPI bridges the vital alignment gaps between technology and business goals with a holistic approach to information security, and is the oversight body of the Cloud Assurance Assessor Program (CAAP). The HISPI CAAP provides assurance of the qualifications for those purporting to have the necessary skills as independent Cloud Assessors. HISPI Top 20 Mitigating Controls The identified top 20 critical or mitigating security controls deemed necessary for an organization to prevent information security breaches. Developed by HISPI, these controls are derived from real world security breach information and research (efortresses security breach matrices, ) and cover people, processes and technology. These controls are updated annually within the platform, and factor heavily into the CloudeAssurance rating and scoring algorithm. Allows CloudeAssurance to stay current and adaptive to the cloud s evolving threat landscape CloudeAssurance Page 9

10 Appendix E: References CloudeAssurance Platform CMMI COBIT CSA STAR Registry efortresses Security Breaches Matrix ( ) Breaches- Matrix.htm FedRAMP Gartner Cloud Computing Services HIPAA HISPI Top 20 Security Breaches Mitigating Controls HISPI Qualified CAAP Assessor ISO/IEC 27001: ISO/IEC 27001: PCI- DSS NIST Cybersecurity Framework Contact Please send all feedback, inquiries and requests to 2015 CloudeAssurance Page 10