Abstract:
Most businesses in operation today have an online presence, ranging from an e-commerce application to a company that offers NoSQL database capabilities as a service to its customers. With the inception of cloud computing, consumers started aligning with a service model to obtain cloud computing services. Cloud computing service models fall under three main categories: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Many businesses, especially technology-driven startups, emerge by leveraging these cloud service models, and most of them offer their services under the SaaS model. The growth of this trend has brought new challenges for emerging startups in managing the security, compliance and privacy of their services. Compliance and privacy have become prominent concerns among cloud consumers, cloud service providers and governments worldwide. Governments have already started continuous initiatives to ensure that cloud-based software services comply with standards and that users' privacy is guaranteed in the cloud services offered; in most jurisdictions these regulations are compulsory for a cloud business to operate at all. From the perspective of an emerging SaaS business, keeping up with rapidly changing, complex compliance standards and privacy regulations while also securing the cloud services has proven to be a difficult task.
This research mainly focuses on identifying methods for creating a threat model for SaaS cloud systems and on determining how cloud security and compliance practices make a SaaS cloud system that consumes public cloud services secure and compliant. Based on that, the research proposes an enhanced reference model consisting of patterns and best practices for designing and implementing a secure, compliant SaaS cloud system. The major categories within that reference model were also mapped to existing cloud security and compliance standards to make the proposed model more applicable to real-world systems. An implementation phase was conducted to demonstrate how the proposed model can be applied in practice. This included two major components: a machine learning model and an API service. The implemented API service allows users to obtain insights and recommendations about the security and compliance status of their SaaS system by responding to audit questions. The insights and recommendations are generated from clusters identified by the implemented machine learning models. The data required to develop the machine learning model were gathered through an open survey of IT professionals working, or with experience working, at companies offering cloud-based software solutions in Sri Lanka, the majority of them startups. This overall process paved the way to answering the research objectives while producing a solid implementation that enables the continuous and active evolution of the proposed reference model.
Citation:
Fernando, P.R.N. (2022). Enhanced cloud security and compliance reference model for emerging SAAS cloud systems consuming public cloud services [Master's thesis, University of Moratuwa]. Institutional Repository University of Moratuwa. http://dl.lib.uom.lk/handle/123/21848