Security Capability Assessment For Cloud Services And A Prototype Implementation

At present,China's network economy is developing rapidly,good governance of information services has become a top priority for society and people's livelihood.Despite of the progress on credible governance of information services in domestic country,it still lacks integrity.Whereas the achievements from abroad have not been targeted for our national conditions.Therefore,there is an urgent need to improve the comprehensive governance capabilities of China's information services from the perspective of architecture,which provides national regulatory agencies with hierarchical authentication management methods for government affairs cloud services,e-commerce services,financial information services,etc.,therefore improving the efficiency and accuracy of hierarchical management of information services,promoting the establishment of a trusted identity system for information services,creating a good development space for trusted,compliant,and secure information service entities,and increasing the market vitality of cyberspace information services.The research background of this paper comes from the “key technology of service authentication and certification based on domestic cryptographic algorithm” which is the key project of “Cyberspace Security” of the National Key R&D Program of China.The first topic is “Research on the classification system of information service trusted management”.This paper takes the cloud service which is the representative type of “Information Service” as the starting point,studies the security capability evaluation of cloud service,including Security Support Object,Security Category and so on,and implements a prototype system for security capability evaluation of cloud service.The main research work and final results include:(1)This paper researches on the existing national standards,industry standards and related international standards,combines the experience and results of cloud service security assessment at domestic and overseas,then analyze the cloud service model and the various security elements involved in the cloud service process.It is based on the multiple attribute dimensions of security,and measures the potential impact of information services on the operation of the organization,its properties,and individuals through the loss of this attribute.Finally,it establishes the principle of classifying cloud service security capabilities,forms a direct mapping relationship between cloud service security categories and cloud service capability levels,and obtains the scheme and process of cloud service security capability evaluation.(2)The evaluation prototype system is developed on the analysis of cloud service security capabilities.This system takes the perspective of three main roles of cloud service provider,reviewer,and auditor,to complete the system requirements analysis,outline design,and detailed design;In the implementation of the prototype system,the spring boot framework is used to complete the research and development of the main functional modules of cloud service security capability assessment system for the needs of cloud service providers,reviewers and monitors.