Measuring Cloud Providers’ Transparency: Application of Goal Question
Metric Approach on the “Cloud Controls Matrix” Framework
Mohammed Almanea, Supervisor: Prof. John Fitzgerald
Introduction
Cloud computing aims to provide companies with the ability to use tremendous capacity instantly, without the need to invest in new infrastructure, train new employees or buy software licences. In spite of the potential benefits of adopting the cloud computing model, it has opened new challenges, such as the lack of transparency. Transparent security can be defined as "appropriate disclosure of the governance aspects of security design, policies, and practices" [2]. It has been argued that transparency is improving; however, the lack of independent tools that measure the transparency of cloud providers is the issue.
GQM Architecture
[Figure: questions a cloud customer asks about transparency (source: Cloud Security Alliance): "Where are my data and processing being performed?", "Who has access to my data now?", "What vulnerabilities exist in my cloud configuration?", "What audit events have occurred in my cloud configuration?"]
[Figure: the Goal Question Metric approach [1], shown as a tree in which each Goal (Goal 1, Goal 2) is refined into Questions and each Question is measured by one or more Metrics.]
Aim of the Study
The "Cloud Controls Matrix" framework has been developed by the Cloud Security Alliance to encourage transparency in the cloud. It is based on a set of questions that cloud customers or auditors can ask cloud providers before migrating to the cloud. Cloud providers submit their responses to these questions in the CAIQ ("Consensus Assessments Initiative Questionnaire"). The aim is to augment this framework in order to address issues such as: (1) assessing the trustworthiness of cloud providers, (2) measuring their level of transparency using the Goal Question Metric approach (GQM), and (3) checking whether the existing framework has helped cloud customers make better informed decisions about migrating to the cloud.
The augmented framework will answer these questions:
• How can the cloud customer assess the trustworthiness of the cloud providers?
• How can the cloud customer measure the cloud provider's level of transparency?
• How can we measure the privacy risk score when CSPs disclose sensitive information?
• How effective is the framework? In particular:
  • Has it helped them in making better informed decisions?
  • Does the framework suit all different types of cloud customers?
Cloud Controls Matrix +
[Figure: workflow of the augmented framework, with the labelled steps Registration (1), Create (2), Validating Profile (3), Assess CP's (4), Write (5) and View (7). It links cloud customers CC¹, CC², …, CCⁿ, cloud providers CP¹, CP², …, CPⁿ and their Profile ¹, Profile ², …, Profile ⁿ, the CAIQ responses, the transparency measures T¹, T², …, Tⁿ, and the score, threshold and resulting trustworthiness level (High, Moderate, Low).]
Workflow of the augmented framework:
- [1] Cloud providers register in order to create a fine-grained history profile.
- [2] The cloud providers' profile is validated.
- [3] A score is computed for the cloud providers' profile.
- [4] A threshold value determines the trustworthiness level based on their scores.
- [5] Cloud providers are now eligible to write their responses to the CAIQ questionnaire, and their T (transparency) will be measured.
- [6] Cloud customers are able to view, evaluate and compare the transparency of the different cloud providers.
Applying GQM on CCM+
The CCM framework consists of 11 control areas that are important to measure, especially when comparing different cloud providers' offerings. The method works as follows:
• Control areas are defined as the Goals at the conceptual level.
• CAIQ questions are placed at the operational level.
• The quantitative level defines the Metrics used to measure cloud providers' compliance with the Cloud Controls Matrix.
[Figure: GQM tree for CCM+. Goals G01: Compliance and G05: Information Security; questions Q-CO-1.1, Q-CO-1.2, Q-CO-1.3, Q-IS-5.1 and Q-IS-5.2; metrics M-CO-1.1.1, M-CO-1.2.1, M-CO-1.2.2, M-CO-1.3.1, M-IS-5.1.1 and M-IS-5.2.1.]
Transparency Comparison
Transparency Score per control area for cloud providers CP1 to CP5:
Control area            CP1   CP2   CP3   CP4   CP5
Compliance              32%   37%   50%   25%   80%
Data Governance         45%   35%   70%   55%   70%
Facility Security       15%   37%   55%   75%   75%
HR Security             56%   70%   30%   65%   65%
Information Security    70%   25%   43%   45%   80%
Legal                   30%   42%   39%   67%   91%
Operations Management   48%   60%   45%   75%   40%
Risk Management         80%   87%   77%   65%   70%
Release Management      10%   35%   54%   55%   34%
Resiliency              37%   60%   76%   35%   85%
Security Architecture   70%   50%   55%   75%   90%
Profile Trustworthiness Level:
                        CP1   CP2   CP3   CP4   CP5
Profile score           40%   50%   65%   67%   80%
Level                   LOW   MOD   MOD   MOD   HIGH
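The GQM mapping (control areas as Goals, CAIQ questions, metrics) and the scoring and threshold steps of the workflow, as an added worked example that is not code from the poster or from the Cloud Security Alliance. The GQM tree reuses the identifiers shown on the poster; the answer weights and the trustworthiness thresholds are assumptions, chosen only so that the thresholds reproduce the levels in the sample table.

```python
from dataclasses import dataclass
from statistics import mean
# Assumed CAIQ answer encoding (not from the poster): an answer with supporting
# detail scores 1.0, a bare yes/no 0.5, and an unanswered question 0.0.
ANSWER_WEIGHT = {"detailed": 1.0, "yes_no": 0.5, "blank": 0.0}
# Assumed thresholds for the trustworthiness level (step 4 of the workflow);
# the poster does not state them, these merely reproduce its sample table.
THRESHOLDS = ((80, "HIGH"), (50, "MOD"), (0, "LOW"))

@dataclass
class Question:           # operational level, e.g. Q-CO-1.1
    qid: str
    metrics: list         # quantitative level, e.g. ["M-CO-1.1.1"]

@dataclass
class Goal:               # conceptual level: one CCM control area
    gid: str
    name: str
    questions: list

def goal_score(goal, responses):
    """Transparency score (0-100) of one control area: mean metric value."""
    vals = [ANSWER_WEIGHT[responses.get(m, "blank")]
            for q in goal.questions for m in q.metrics]
    return round(100 * mean(vals)) if vals else 0

def trust_level(profile_score):
    """Map a profile score to High/Moderate/Low using the assumed thresholds."""
    return next(label for floor, label in THRESHOLDS if profile_score >= floor)

def compare(goals, providers):
    """Control-area scores per provider, the rows of the comparison table."""
    return {cp: {g.name: goal_score(g, r) for g in goals}
            for cp, r in providers.items()}

# Constructed GQM tree using the goal, question and metric ids on the poster.
GOALS = [
    Goal("G01", "Compliance", [Question("Q-CO-1.1", ["M-CO-1.1.1"]),
                               Question("Q-CO-1.2", ["M-CO-1.2.1", "M-CO-1.2.2"]),
                               Question("Q-CO-1.3", ["M-CO-1.3.1"])]),
    Goal("G05", "Information Security", [Question("Q-IS-5.1", ["M-IS-5.1.1"]),
                                         Question("Q-IS-5.2", ["M-IS-5.2.1"])]),
]
ALL_METRICS = [m for g in GOALS for q in g.questions for m in q.metrics]
# Constructed CAIQ responses for two providers (metric id -> answer kind).
PROVIDERS = {
    "CP1": {"M-CO-1.1.1": "yes_no", "M-CO-1.2.2": "yes_no",
            "M-CO-1.3.1": "detailed", "M-IS-5.2.1": "yes_no"},  # two left blank
    "CP5": {m: "detailed" for m in ALL_METRICS},
}
```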
Conclusions
It has been argued that transparency is improving, and there is more emphasis on the need for tools to measure the transparency of cloud service providers. This study aims to consolidate an existing transparency framework developed by the Cloud Security Alliance by adding features that provide methods for measuring cloud providers' transparency. A tool will be developed that lets cloud customers and providers experiment with the augmented CCM, and it will be evaluated against the existing one. More importantly, the study will establish whether the framework has helped cloud customers make better informed decisions.
[1] Basili, V. R., Caldiera, G. and Rombach, H. D., 1994. The Goal Question Metric Approach. In: Encyclopedia of Software Engineering. Wiley.
[2] Sun Microsystems, 2009. Building Customer Trust in Cloud Computing with Transparent Security. White Paper.