Cloud Security Certifications: A Comparison to Improve Cloud Service Provider Security

The great diffusion of cloud computing applications and services in the last years has brought new threats to security of information. 1 IT Certification and authorization mechanisms try to provide assurance against those threats by leveraging high security standards and controls. Two examples of such certification based on IT security controls are ISO/IEC 27001 and FedRAMP. While these two certifications largely share their scope it is important to note that ISO is a standardization adopted worldwide since 2005 whereas FedRAMP was developed in 2012 specifically for US Government Cloud Service Providers. New frameworks, however, are not always more effective than earlier ones, especially in the fast-moving world of cloud computing where IT security standards need to be constantly updated. This study offers an overview of adequacy and completeness of ISO/IEC 27001 and FedRAMP, bringing to question the level of protection that they provide by comparing them to each other and evaluating both in terms of known threats to cloud computing. The study identifies weaknesses in the certification build process and highlights necessary improvements.