LUP Student Papers

How to meet security standards as a cloud provider - A journey set out to clear the sky of cloud security and certifications

• Mark

Abstract

An upcoming trend in the current IT-landscape is to outsource services to so called Cloud Service Providers (CSPs). However, many companies are still sceptical to this new kind of services, since they bring about a certain loss of control. For this reason, it is important for CSPs to show that their services are secure. There are several options in proving this and it is up to every CSP to choose which of those options, in this report referred to as assessment schemes, that suits them best. The question is, how do they make this choice?

In the starting phase of this thesis project, an extensive information search was carried out. More than 30 different certifications, standards, attestations, ratings, assessments, reports, compliances... (More)

An upcoming trend in the current IT-landscape is to outsource services to so called Cloud Service Providers (CSPs). However, many companies are still sceptical to this new kind of services, since they bring about a certain loss of control. For this reason, it is important for CSPs to show that their services are secure. There are several options in proving this and it is up to every CSP to choose which of those options, in this report referred to as assessment schemes, that suits them best. The question is, how do they make this choice?

In the starting phase of this thesis project, an extensive information search was carried out. More than 30 different certifications, standards, attestations, ratings, assessments, reports, compliances or audits, touching upon this subject were found. Add to the equation that much of the information found was questionable or straight out incorrect, and the question of which assessment scheme to concentrate on becomes quite complex.

The described problem was identified by the Belgian company Ferranti Computer Systems, who just opened up their cloud services to customers. In collaboration with them, the following three goals were defined to solve the problem:

- Create a clear overview of the cloud assessment schemes that exist on the market
- Provide methods to categorize or compare assessment schemes
- Make a case study on Ferranti Computer Systems demonstrating how the accomplishments can be put to practice

To fulfill those goals, three main deliveries were created. First of all an overview including a short explanation of relevant assessment schemes on the market. Second, a comparison of assessment schemes in terms of risk mitigation. Four known cloud risks were put forward and some surprising observations were made. The third delivery was a case study on Ferranti Computer Systems. Previous findings in combination with results from interviews were used to select a suitable assessment scheme for their cloud platform.

The assessment scheme they chose was more or less unknown to everyone at Ferranti Computer Systems. It was the research that opened their eyes to this new assessment scheme and convinced them to try something new, rather than choosing something they knew about by reputation. Seeing how the investigation changed their mind, it became obvious how important it is to create more transparency in the world of assessment schemes. It is essential that companies choose the assessment scheme that is most suitable for them and that they have a clear understanding of why it is suitable. This thesis proves the need for clarity among cloud security assessment schemes and presents methods to achieve this clarity. (Less)