Experiences Evaluating Cloud Services and Products (A20b)

31 Oct 2023
9:30 am

The market for IT products is constantly evolving. More and more vendors are developing products and services deployed only in the cloud (Cloud Native). This implies a paradigm shift in the way assessments are carried out, in the methodology to be followed and in the tests to be performed.
Today, it is NOT possible to use Common Criteria to evaluate cloud services, even though many administrations are migrating to cloud solutions.
This talk will not cover cloud programs such as FedRAMP, ENS, C5, SecNumCloud or the ENISA EUCS scheme. All of these schemes evaluate the cloud infrastructure and the controls specified in the respective standards.
But in those standards we cannot find assurance requirements related to the product/service itself. For example, if your WAF (Web Application Firewall) is cloud native and deployed in the cloud, you could obtain those cloud certifications, but it would NOT be possible to obtain a CC certification using NIAP PPs.
To address this problem, a practical approach has been followed in Spain: evaluating cloud services using the LINCE methodology but issuing a qualification mark (instead of a certification). Several vendors such as AWS, Google or Microsoft have already undergone this kind of process.

In this talk, we want to share jtsec’s hands-on experience evaluating cloud services and discuss the main issues that have been faced and the solutions that have been found (TOE definition, test environment, TOE identification, permission to test, etc.).

We would also like to discuss how the experience gained using the LINCE methodology could be extrapolated (or NOT) to the CC world.