Evaluating Cloud Security Standards in Multi-Regional Markets: Standard Selection for SaaS Implementation
Shaees, Shamoil (2025)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2025121335852
Abstract
Cloud adoption is currently increasing across public and private sector industries. Document management SaaS companies in particular use the cloud to host their applications and store customer data. Through the cloud, data can be accessed from anywhere at any time via the internet. Any misconfiguration in a cloud environment may lead to vulnerabilities and data breaches. Cloud security therefore cannot be neglected, and the cloud implementation needs to be verified against the specific requirements or controls defined by the various cloud security frameworks.
Various cloud security standards are available, developed by different organizations or regulatory agencies for verifying cloud security implementations. However, finding a suitable security standard that applies to a company's cloud implementation is difficult. The main goal of this thesis work was to analyse different cloud security standards and find a suitable standard that fulfils the commissioning organization's cloud security implementation requirements. A combination of ISO 27017, CSA, and FedRAMP was identified as the most suitable standard for the commissioning organization's cloud implementation, and one that satisfies multiple jurisdictions. The goals of this thesis were to analyse the frameworks and draw a comparison among different cloud security frameworks, to identify a suitable standard for the commissioning organization, and finally to find and map controls among the identified frameworks in order to comply with them.
During this master's thesis work, a detailed analysis of different cloud security frameworks was carried out, in which the controls, strengths, and weaknesses of each standard were identified from a scientific and framework-applicability perspective. From this analysis, a comparison was drawn among the analysed frameworks. The comparison was divided into three categories: the standards' geographical applicability; the standards' focus area, scope, and approach; and finally the standards' assurance level and coverage. The detailed analysis and comparison supported the main aim of the thesis, which was the identification of suitable frameworks for the commissioning organization's SaaS implementation.
After identifying the relevant frameworks, the aim was to find their controls and create a mapping among the proposed frameworks' controls. For this purpose, a thorough analysis of the identified frameworks' documentation was done, and a mapping was produced among the controls of these standards. This mapping will help the organization reduce the redundant work required to comply with each standard.