Funded by European Commission
Andreas Hermsdorf / pixelio.de
Toolbox Workshop:
Cloud Security Scorecard
Compare different Vendors
Scope & Purpose / Usage
The purpose of this tool is to facilitate SME companies in their assessments of cloud security offerings.
It is intended to help them score (and possibly compare) different cloud solutions against their security functionalities and characteristics.
Furthermore, it helps its users identify important questions they have to ask their (candidate) cloud provider about their offerings.
Answer the presented list of (security-related) questions for each one of the cloud computing providers that you would like to compare or evaluate.
The «Cloud Security Scorecard» will automatically provide an indicative grading of all the cloud computing providers in terms of their security offerings.
Use the scoring questionnaires multiple times in order to compare vendors!
Enter Provider Label
Click to answer questions
There is help for every question
Finish Questions and submit
Result: Your first Scorecard
Enter next Provider …
… and compare
Compare more …
… and more …
Each question carries a weight and each answer option carries a score.
Score: Sum(question.weight * optionSelectedScore)
MaxScore: Sum(question.weight * max(optionScores))
We extract percentage by Score*100/MaxScore.
Basics
Principles of scoring algorithm
Score >= 70% is characterized as Excellent
Score >= 30% and < 70% is characterized as OK/Fair
Score < 30% is characterized as Poor
Basics
Principles of scoring algorithm
Score Configuration

Question | Weight | Options and scores
1. Is the cloud provider's infrastructure audited by third parties? | 3 | NO = 0, YES = 10
2. Does the cloud provider offer data portability as part of its services? | 3 | NO = 0, YES = 10
3. Does the cloud provider specify penalties and liabilities for a potential data or system breach? | 3 | NO = 0, YES = 10
4. Does the cloud provider allow you to inspect the cloud facility? | 3 | NO = 0, YES = 10
5. Does the cloud provider provide encryption and key management? | 3 | NO = 0, YES = 10
6. Is the cloud provider implementing single sign-on (i.e. access with one set of credentials) to the applications and services that it provides to you? | 3 | NO = 0, YES = 10
7. Can the cloud provider accommodate your own security policies? | 3 | NO = 0, PARTIALLY = 5, YES = 10
8. Does the cloud provider make provisions for cross-border data transfers? | 3 | NO = 0, YES = 10
9. Does the provider guarantee that your data will remain private? | 3 | NO = 0, YES = 10
10. Does the cloud provider offer application firewalls? | 3 | NO = 0, PARTIALLY = 5, YES = 10
11. Does the cloud provider implement identity management services (i.e. authentication, single sign-on, data analysis)? | 3 | NO = 0, YES = 10
12. Could the cloud provider partition your applications and services from other users/customers? | 3 | NO = 0, YES = 10
13. Are the above issues taken into account and included in the SLA? | 3 | NONE = 0, FEW OF THEM = 3, MOST OF THEM = 6, ALL OF THEM = 10
14. Is the cloud service vendor ISO 27001 certified? | 3 | NO = 0, YES = 10
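The scoring principle (Score, MaxScore, percentage and the Excellent/OK/Fair/Poor thresholds) applied to the score configuration above, as an added Python example that is not part of the workshop tool; the two providers and their answers are constructed for illustration, not real vendors.

```python
# Added example, not code from the workshop slides: Score = sum(weight * selected option
# score), MaxScore = sum(weight * best option score), percentage = Score*100/MaxScore.
YES_NO = {"NO": 0, "YES": 10}
PARTIAL = {"NO": 0, "PARTIALLY": 5, "YES": 10}
SLA = {"NONE": 0, "FEW OF THEM": 3, "MOST OF THEM": 6, "ALL OF THEM": 10}

# Question number -> (weight, option scores), as listed in the score configuration.
QUESTIONS = {
    1: (3, YES_NO), 2: (3, YES_NO), 3: (3, YES_NO), 4: (3, YES_NO),      # audit, portability, breach liability, inspection
    5: (3, YES_NO), 6: (3, YES_NO), 7: (3, PARTIAL), 8: (3, YES_NO),     # encryption/keys, SSO, own policies, cross-border
    9: (3, YES_NO), 10: (3, PARTIAL), 11: (3, YES_NO), 12: (3, YES_NO),  # privacy, app firewall, IdM, partitioning
    13: (3, SLA), 14: (3, YES_NO),                                       # SLA coverage, ISO 27001
}

def max_score(questions=QUESTIONS):
    return sum(w * max(opts.values()) for w, opts in questions.values())

def score(answers, questions=QUESTIONS):
    """answers maps question number -> selected option label; every question must be answered."""
    missing = set(questions) - set(answers)
    if missing:
        raise ValueError(f"unanswered questions: {sorted(missing)}")
    total = 0
    for qid, label in answers.items():
        weight, options = questions[qid]
        if label not in options:
            raise ValueError(f"question {qid}: unknown option {label!r}")
        total += weight * options[label]
    return total

def percentage(answers, questions=QUESTIONS):
    return score(answers, questions) * 100 / max_score(questions)

def grade(pct):
    # Thresholds from the slides: >= 70% Excellent, 30% to below 70% OK/Fair, below 30% Poor.
    if pct >= 70:
        return "Excellent"
    if pct >= 30:
        return "OK/Fair"
    return "Poor"

def compare(providers):
    """providers maps label -> answers; returns (label, percentage, grade) rows, best first."""
    rows = [(label, percentage(ans), grade(percentage(ans))) for label, ans in providers.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample answers for two hypothetical providers (not real vendors).
PROVIDER_A = {q: ("ALL OF THEM" if q == 13 else "YES") for q in QUESTIONS}
PROVIDER_B = {1: "YES", 2: "NO", 3: "NO", 4: "NO", 5: "YES", 6: "NO", 7: "PARTIALLY",
              8: "NO", 9: "YES", 10: "PARTIALLY", 11: "YES", 12: "YES", 13: "FEW OF THEM", 14: "NO"}
```

Running `compare({"Provider A": PROVIDER_A, "Provider B": PROVIDER_B})` reproduces the scorecard comparison: A scores 100% (Excellent), B scores 45% (OK/Fair).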