Measuring Cloud Providers’ Transparency: Application of Goal Question Metric Approach on the “Cloud Controls Matrix” Framework
Mohammed Almanea, Supervisor: Prof. John Fitzgerald
GQM Architecture
Figure (tree reconstructed from the poster): two Goals at the top, the CAIQ Questions beneath them, and the Metrics beneath each Question.
  Goal 1, G01: Compliance
    Q-CO-1.1: M-CO-1.1.1
    Q-CO-1.2: M-CO-1.2.1, M-CO-1.2.2
    Q-CO-1.3: M-CO-1.3.1
  Goal 2, G05: Information Security
    Q-IS-5.1: M-IS-5.1.1
    Q-IS-5.2: M-IS-5.2.1

Questions a cloud customer asks (source: Cloud Security Alliance): Where are my data and processing being performed? What audit events have occurred in my cloud configuration? What vulnerabilities exist in my cloud configuration? Who has access to my data now?

Introduction
Cloud computing aims at providing companies with the ability to utilize tremendous capacity instantly, without the need to invest in establishing new infrastructure, training new employees or buying software licences. In spite of the potential benefits of adopting the cloud computing model, it has opened new challenges such as the lack of transparency. Transparent security can be defined as “appropriate disclosure of the governance aspects of security design, policies, and practices” [2]. It has been argued that transparency is improving; the issue, however, is the lack of independent tools that measure the transparency of cloud providers.

Workflow of the augmented framework (figure): Cloud Providers CP¹..CPⁿ, Cloud Customers CC¹..CCⁿ and their transparency scores T¹..Tⁿ, at the Conceptual, Operational and Quantitative levels of the Goal Question Metric approach [1]. Steps: (1) Registration creates Profile¹..Profileⁿ; (2) Validating Profile; (3) Computing Profile Scores; Threshold? → (4) Assess CP’s Score → Trustworthiness level? High, Moderate, Low; (5) Write CAIQ Responses; (7) Create View.

Aim of the Study
• Workflow of the augmented framework:
  • [1] Cloud Providers register in order to create a fine-grained history profile.
  • [2] The Cloud Providers’ profile is validated.
  • [3] A score is computed for the Cloud Providers’ profile.
  • [4] A threshold value determines the trustworthiness level based on their scores.
  • [5] Cloud Providers are now eligible to write their responses to the CAIQ questionnaire, and their transparency (T) will be measured.
  • [6] Cloud Customers will be able to view, evaluate and compare the different cloud providers’ transparency.
• The augmented framework will answer these questions:
  • How can the cloud customer assess the trustworthiness of the cloud providers?
  • How can the cloud customer measure the cloud provider’s level of transparency?
  • How can we measure the privacy risk score when CSPs disclose sensitive information?
  • How effective is the framework, judged by:
    • Has it helped them in making better informed decisions?
    • Does the framework suit all the different types of cloud customers?
A framework, the “Cloud Controls Matrix”, has been developed by the Cloud Security Alliance to encourage transparency in the cloud. It is based on a set of questions that cloud customers or auditors could ask cloud providers before migrating to the cloud. Cloud providers submit their responses to these questions in the CAIQ (“Consensus Assessments Initiative Questionnaire”). The aim is to augment their framework in order to address issues such as: (1) assessing the trustworthiness of the cloud providers, (2) measuring their level of transparency using the Goal Question Metric approach (GQM), and (3) checking whether the existing framework has helped cloud customers make better informed decisions towards migrating to the cloud.

Applying GQM on CCM+
• The CCM framework consists of 11 Control Areas that are important to measure, especially when comparing different cloud providers’ offerings. The method works as follows:
• Control Areas are defined as the Goals at the Conceptual level.
• CAIQ Questions are placed at the Operational level.
• Metrics at the Quantitative level define how to measure the cloud providers’ compliance with the Cloud Controls Matrix.
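The scoring part of the workflow (a score per Goal from its Metrics, a transparency score T, a threshold that yields a High/Moderate/Low level, and a customer view that ranks providers) as an added example, not code from the poster or its author. Only the identifiers (G01, G05, Q-CO-1.1, M-CO-1.1.1, ...) come from the poster; the metric semantics, the equal-weighted scoring formula, the threshold cut-offs and the sample CAIQ responses are all assumptions constructed here.

```python
"""Added example of the GQM hierarchy applied to CCM control areas.

Assumptions (not stated on the poster): what each metric checks, the scoring
formula (equal-weighted fraction of satisfied metrics per goal, averaged over
goals) and the High/Moderate/Low thresholds. The CAIQ responses are constructed
sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Response:
    """A CAIQ-style response: a yes/no/NA answer plus free-text notes."""
    answer: str          # "yes", "no" or "na"; "" means unanswered
    notes: str = ""      # supporting explanation, may be empty


@dataclass
class Metric:
    """Quantitative level: a predicate over one question's response."""
    id: str
    check: Callable[[Response], bool]


@dataclass
class Question:
    """Operational level: a CAIQ question and the metrics that measure it."""
    id: str
    metrics: List[Metric]


@dataclass
class Goal:
    """Conceptual level: a CCM control area."""
    id: str
    name: str
    questions: List[Question]


def answered(r: Response) -> bool:
    return r.answer in ("yes", "no", "na")


def answered_yes(r: Response) -> bool:
    return r.answer == "yes"


def explained(r: Response) -> bool:
    # A "no" or "na" is still transparent if the provider explains it;
    # the 20-character minimum is an assumed, constructed cut-off.
    return len(r.notes.strip()) >= 20


# Assumed metric semantics; the poster only names the identifiers.
GQM_MODEL = [
    Goal("G01", "Compliance", [
        Question("Q-CO-1.1", [Metric("M-CO-1.1.1", answered_yes)]),
        Question("Q-CO-1.2", [Metric("M-CO-1.2.1", answered),
                              Metric("M-CO-1.2.2", explained)]),
        Question("Q-CO-1.3", [Metric("M-CO-1.3.1", answered_yes)]),
    ]),
    Goal("G05", "Information Security", [
        Question("Q-IS-5.1", [Metric("M-IS-5.1.1", answered_yes)]),
        Question("Q-IS-5.2", [Metric("M-IS-5.2.1", explained)]),
    ]),
]


def goal_score(goal: Goal, responses: Dict[str, Response]) -> float:
    """Fraction of the goal's metrics satisfied; an unanswered question fails all of them."""
    results = []
    for q in goal.questions:
        r = responses.get(q.id, Response(answer=""))
        results.extend(m.check(r) for m in q.metrics)
    return sum(results) / len(results)


def transparency_score(responses: Dict[str, Response], model=GQM_MODEL) -> float:
    """T: mean of the per-goal scores (assumed equal weighting of control areas)."""
    return sum(goal_score(g, responses) for g in model) / len(model)


def trust_level(score: float, high: float = 0.75, moderate: float = 0.5) -> str:
    """Threshold step of the workflow; the cut-offs are assumed."""
    if score >= high:
        return "High"
    if score >= moderate:
        return "Moderate"
    return "Low"


def compare_providers(profiles: Dict[str, Dict[str, Response]]):
    """Customer view: providers ranked by T, highest first."""
    ranked = [(name, transparency_score(resp)) for name, resp in profiles.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample CAIQ responses for two providers.
PROFILES = {
    "CP1": {
        "Q-CO-1.1": Response("yes", "ISO 27001 certificate published annually."),
        "Q-CO-1.2": Response("no", "Third-party audit planned; report to be shared under NDA."),
        "Q-CO-1.3": Response("no"),
        "Q-IS-5.1": Response("yes"),
        "Q-IS-5.2": Response("na", "Customer-managed keys only; provider holds no key material."),
    },
    "CP2": {
        "Q-CO-1.1": Response("yes"),
        "Q-CO-1.2": Response("no"),
        "Q-IS-5.1": Response("no"),
    },
}

if __name__ == "__main__":
    for name, t in compare_providers(PROFILES):
        print(f"{name}: T={t:.3f} trust={trust_level(t)}")
```

A missing response counts against every metric attached to that question, so a provider that skips questions scores lower than one that answers "no" with an explanation; that is the transparency property the poster wants to reward, and the model makes it explicit in the `explained` metric.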
Cloud Controls Matrix + Transparency Comparison (figure: the cloud customer’s comparison view of the augmented CCM)

Conclusions
It has been argued that transparency is improving, and there is more emphasis on the need for tools to measure the transparency of cloud service providers. The study aims at consolidating an existing transparency framework developed by the Cloud Security Alliance by adding features that provide methods for measuring cloud providers’ transparency. A tool will be developed that lets cloud customers and providers experiment with the augmented CCM, and it will be evaluated against the existing one. More importantly, it will show whether the framework has helped cloud customers to make better informed decisions.

References
[1] Basili, V. R., Caldiera, G. and Rombach, H. D., 1994. The Goal Question Metric Approach. In: Encyclopedia of Software Engineering. Wiley.
[2] Sun Microsystems, 2009. Building Customer Trust in Cloud Computing with Transparent Security. White Paper.