Dynamic Certification of Cloud Services

Abstract

Cloud computing introduces several characteristics that challenge the effectiveness of current certification approaches. Particularly, the on-demand, automated, location-independent, elastic, and multi-tenant nature of cloud computing systems is in contradiction with the static, manual, and human process-oriented evaluation and certification process designed for traditional IT systems. Cloud-specific certification processes can improve trust in the cloud computing paradigm, and can lead to the wide adoption of cloud services in enterprises by mastery of uncertainty, lack of transparency, and trust. Through third party evaluation cloud customers could receive more unbiased information about cloud-based services and security measures implemented as well as they could compare different cloud service providers much easier. Common certificates are a backward look at the fulfillment of technical and organizational measures at the time of issue and therefore represent a snapshot. This creates a gap between the common certification of one to three years and the high dynamics of the market for cloud services and providers. The proposed dynamic certification approach adopts the common certification process to the increased flexibility and dynamics of cloud computing environments through using of automation potential of security controls and continuous proof of the certification status. Dynamic certification is based on a new semi-automated certification process and the continuous monitoring of critical parameters of cloud services.