
Security for Cloud Computing

10 Steps to Ensure Success

August, 2012

Contents
Acknowledgements ... 4
Workgroup Leaders ... 4
Key Contributors ... 4
Reviewers ... 4
Introduction ... 5
Cloud Security Landscape ... 5
Cloud Security Guidance ... 7
Step 1: Ensure effective governance, risk and compliance processes exist ... 8
Step 2: Audit operational & business processes ... 11
Step 3: Manage people, roles and identities ... 13
Step 4: Ensure proper protection of data and information ... 15
Step 5: Enforce privacy policies ... 18
Step 6: Assess the security provisions for cloud applications ... 19
Step 7: Ensure cloud networks and connections are secure ... 21
Step 8: Evaluate security controls on physical infrastructure and facilities ... 25
Step 9: Manage security terms in the cloud SLA ... 26
Step 10: Understand the security requirements of the exit process ... 28
Cloud Security Assessment ... 28
Additional References ... 31
Appendix A: Worldwide Privacy Regulations ... 32
Appendix B: Acronyms & Abbreviations ... 34

Copyright 2012 Cloud Standards Customer Council


2012 Cloud Standards Customer Council.
All rights reserved. You may download, store, display on your computer, view, print, and link to the Security for Cloud Computing white paper at the Cloud Standards Customer Council Web site subject to the following: (a) the document may be used solely for your personal, informational, noncommercial use; (b) the document may not be modified or altered in any way; (c) the document may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the document as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Standards Customer Council Security for Cloud Computing (2012).


Acknowledgements
The Security for Cloud Computing: 10 Steps to Ensure Success document is a collaborative effort that brings together diverse customer-focused experiences and perspectives into a single guide for IT and business leaders who are considering adopting cloud computing. The following participants have provided their expertise and time to this effort.

Workgroup Leaders
Ryan Kean (The Kroger Co.) Workgroup chair; Application Section Leader
David Harris (Boeing) Workgroup chair; Cloud Security Assessment Section Leader
John Meegan (IBM) Lead Technical Editor; Introduction and SLA Section Leader
Barry Pardee (Tailwind Associates) Current Landscape Section Leader
Yves Le Roux (CA Technologies) GRC Section Leader
Chris Dotson (IBM) Network & Connections Section Leader
Eric Cohen (PricewaterhouseCoopers) Auditing Section Leader
Mike Edwards (IBM) Data Section Leader; Infrastructure Section Leader; Exit Process Section Leader
Jonathan Gershater (Trend Micro) People, Roles & Identity Section Leader

Key Contributors
The workgroup leaders wish to recognize the following individuals for their outstanding efforts to provide content, share their expertise and ensure completeness of the white paper: Matt Rutkowski (IBM), Shamun Mahmud (DLT Solutions).

Reviewers
The following reviewers provided feedback on the white paper: Keith Trippie (Department of Homeland Security), Michael Chen (Cluster Technology Limited), Jeffery Finke (The MITRE Corporation), Dave Russell (IBM), Andrew Low (IBM).


Introduction
The aim of this guide is to provide a practical reference to help enterprise information technology (IT) and business decision makers as they analyze and consider the security implications of cloud computing on their business. The paper includes a list of steps, along with guidance and strategies, designed to help these decision makers evaluate and compare security offerings in key areas from different cloud providers.
When considering a move to use cloud computing, consumers must have a clear understanding of potential security benefits and risks associated with cloud computing, and set realistic expectations with their cloud provider. Consideration must be given to the different models of service delivery: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), as each model brings different security requirements and responsibilities. Additionally, this paper highlights the role that standards play to improve cloud security and also identifies areas where future standardization could be effective.
The section titled Current Cloud Security Landscape provides an overview of the security and privacy challenges pertinent to cloud computing and points out considerations that organizations should weigh when outsourcing data, applications, and infrastructure to a cloud computing environment.
The section titled Cloud Security Guidance is the heart of the guide and includes the steps that can be used as a basis for evaluation of cloud provider security. It discusses the threats, technology risks, and safeguards for cloud computing environments, and provides the insight needed to make informed IT decisions on their treatment. Although guidance is provided, each organization must perform its own analysis of its needs, and assess, select, engage, and oversee the cloud services that can best fulfill those needs.
The section titled Cloud Security Assessment provides consumers with an efficient method of assessing the security capabilities of cloud providers and assessing their individual risk. A questionnaire for consumers to conduct their own assessment across each of the critical security domains is provided.
A related document, the Practical Guide to Cloud Service Level Agreements [1], released by the Cloud Standards Customer Council (CSCC) in April 2012, provides additional guidance on evaluating security criteria in cloud SLAs.

[1] See http://www.cloudstandardscustomercouncil.org/2012_Practical_Guide_to_Cloud_SLAs.pdf

Cloud Security Landscape
While security and privacy concerns when using cloud computing services are similar to those of traditional non-cloud services, concerns are amplified by external control over organizational assets and the potential for mismanagement of those assets. Transitioning to public cloud computing involves a transfer of responsibility and control to the cloud provider over information as well as system components that were previously under the organization's direct control. The transition is usually accompanied by loss of direct control over the management of operations and also a loss of influence over decisions made about the computing environment.
Despite this inherent loss of control, the cloud service consumer still needs to take responsibility for their use of cloud computing services in order to maintain situational awareness, weigh alternatives, set priorities, and effect changes in security and privacy that are in the best interest of the organization. The consumer achieves this by ensuring that the contract with the provider and its associated service level agreement (SLA) has appropriate provisions for security and privacy. In particular, the SLA must help maintain legal protections for privacy relating to data stored on the provider's systems. The consumer must also ensure appropriate integration of the cloud computing services with their own systems for managing security and privacy.
Cloud computing represents a very dynamic area at the present time, with new suppliers and new offerings arriving all the time. There are a number of security risks associated with cloud computing that must be adequately addressed: [2]

- Loss of governance. For public cloud deployments, consumers necessarily cede control to the cloud provider over a number of issues that may affect security. At the same time, cloud service level agreements (SLA) may not offer a commitment to provide such capabilities on the part of the cloud provider, thus leaving gaps in security defenses.
- Responsibility ambiguity. Given that use of cloud computing services spans across the consumer and the provider organizations, responsibility for aspects of security can be spread across both organizations, with the potential for vital parts of the defenses to be left unguarded if there is a failure to allocate responsibility clearly. The split of responsibilities between consumer and provider organizations is likely to vary depending on the model being used for cloud computing (e.g. IaaS versus SaaS).
- Isolation failure. Multi-tenancy and shared resources are defining characteristics of public cloud computing. This risk category covers the failure of mechanisms separating the usage of storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks).
- Vendor lock-in. Dependency on proprietary services of a particular cloud provider could lead to the consumer being tied to that provider. Services that do not support portability of applications and data to other providers increase the risk of data and service unavailability.
- Compliance and legal risks. Investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to use cloud computing if the cloud provider cannot provide evidence of their own compliance with the relevant requirements or if the cloud provider does not permit audit by the cloud consumer. It is the responsibility of the cloud consumer to check that the cloud provider has appropriate certifications in place, but it is also necessary for the cloud consumer to be clear about the division of security responsibilities between the consumer and the provider and to ensure that the consumer's responsibilities are handled appropriately when using cloud computing services.
- Handling of security incidents. The detection, reporting and subsequent management of security breaches is a concern for consumers, who are relying on providers to handle these matters.
- Management interface vulnerability. Consumer management interfaces of a public cloud provider are usually accessible through the Internet and mediate access to larger sets of resources than traditional hosting providers, and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
- Data protection. Cloud computing poses several data protection risks for cloud consumers and providers. The major concerns are exposure or release of sensitive data, but also include loss or unavailability of data. In some cases, it may be difficult for the cloud consumer (in the role of data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated cloud services.
- Malicious behavior of insiders. Damage caused by the malicious actions of insiders working within an organization can be substantial, given the access and authorizations they may have. This is compounded in the cloud computing environment since such activity might occur within either or both the consumer organization and the provider organization.
- Business failure of the provider. Such failures could render data and applications essential to the consumer's business unavailable.
- Service unavailability. This could be caused by a host of factors, from equipment or software failures in the provider's data center, through failures of the communications between the consumer systems and the provider services.
- Insecure or incomplete data deletion. Requests to delete cloud resources, for example, when a consumer terminates service with a provider, may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a consumer perspective), either because extra copies of data are stored but are not available, or because the disk to be deleted also stores data from other clients. In the case of multi-tenancy and the reuse of hardware resources, this represents a higher risk to the consumer than is the case with dedicated hardware.

[2] Credit to European Network and Information Security Agency (ENISA). Visit http://www.enisa.europa.eu/ for more information.

While the above security risks need to be addressed, use of cloud computing provides opportunities for innovation in provisioning security services that hold the prospect of improving the overall security of many organizations. Cloud service providers should be able to offer advanced facilities for supporting security and privacy due to their economies of scale and automation capabilities, potentially a boon to all consumer organizations, especially those who have limited numbers of personnel with advanced security skills.

Cloud Security Guidance
As consumers transition their applications and data to use cloud computing, it is critically important that the level of security provided in the cloud environment be equal to or better than the security provided by their traditional IT environment. Failure to ensure appropriate security protection could ultimately result in higher costs and potential loss of business, thus eliminating any of the potential benefits of cloud computing.


This section provides a prescriptive series of steps that should be taken by cloud consumers to evaluate and manage the security of their cloud environment with the goal of mitigating risk and delivering an appropriate level of support. The following steps are discussed in detail:
1. Ensure effective governance, risk and compliance processes exist
2. Audit operational and business processes
3. Manage people, roles and identities
4. Ensure proper protection of data and information
5. Enforce privacy policies
6. Assess the security provisions for cloud applications
7. Ensure cloud networks and connections are secure
8. Evaluate security controls on physical infrastructure and facilities
9. Manage security terms in the cloud SLA
10. Understand the security requirements of the exit process
Requirements and best practices are highlighted for each step. In addition, each step takes into account the realities of today's cloud computing landscape and postulates how this space is likely to evolve in the future, including the important role that standards will play to improve interoperability and comparability across providers.

Step 1: Ensure effective governance, risk and compliance processes exist
Most organizations have established security and compliance policies and procedures that are used to protect their intellectual property and corporate assets, especially in the IT space. These policies and procedures are developed based upon risk analyses to the organization considering the impact of having these assets compromised. A framework of controls and further procedures are established to mitigate risk and serve as a benchmark for the execution and validation of compliance. These principles and policies, the enterprise security plan, and the surrounding quality improvement process represent the enterprise security governance, risk management, and compliance model.
Security controls in cloud computing are similar to those in traditional IT environments. However, because of the cloud service and operational models employed, with the implied organizational division of responsibilities and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions. As part of the transition to cloud computing, it is critical that consumers understand their level of risk tolerance and focus on mitigating the risks that the organization cannot afford to neglect.


The primary means a consumer of cloud service has to ensure their cloud-hosted applications and data will be secured in accordance with its security and compliance policies is to verify that the contract between the consumer and the provider, along with an associated service level agreement (SLA), contain all their requirements. It is vital for a consumer to understand all the terms related to security and to ensure that those terms meet the needs of the consumer. If a suitable contract and SLA is not available, then it is inadvisable for an organization to proceed with the use of cloud services.
Often it is not understood that the type of service model being offered by the provider (i.e. IaaS, PaaS or SaaS) has significant impact on the assumed "split of responsibilities" between the consumer and the provider to manage security and associated risks. For IaaS, the provider is supplying (and responsible for securing) basic IT resources such as machines, disks and networks. The consumer is responsible for the operating system and the entire software stack necessary to run applications, plus the data placed into the cloud computing environment. As a result, most of the responsibility for securing the applications themselves and the data they use falls onto the consumer. In contrast, for SaaS, the infrastructure, software and data are primarily the responsibility of the provider, since the consumer has little control over any of these features of the service. These aspects need appropriate handling in the contract and SLA.
From a general governance perspective, cloud providers should notify consumers about the occurrence of any breach of their system, regardless of the parties or data directly impacted. The provider should include specific pertinent information in the notification, stop the data breach as quickly as possible, restore secure access to the service as soon as possible, apply best practice forensics in investigating the circumstances and causes of the breach, and make long-term infrastructure changes to correct the root causes of the breach to ensure that it does not recur. Due to the high financial and reputational costs resulting from a breach, consumers may want the provider to indemnify them if the breach was their fault.
A fundamental design premise in cloud computing is that, as a consumer, your data can be stored by, processed on and transmitted to any of the servers or devices the cloud service provider operates. In some instances, servers hosting consumer data may be located in multiple data centers within different jurisdictions, either because the service provider has multi-jurisdictional operations or has subcontracted services to providers that operate in other jurisdictions. This means that it may be difficult at any particular point in time to know where your data actually resides, which regulators have jurisdiction and what regulations apply. This matters since some regulations restrict the allowable locations for data.
The jurisdictional issue directly influences the protection of personally identifiable information (PII) and the law enforcement access to this data. [3] There is divergence across countries in the laws on investigation and enforcement, including access to encrypted data and investigation of extraterritorial offences. A court can only hear a matter if it has jurisdiction over the parties and the subject matter of the action, while law enforcement agencies can only exercise their powers within their authorized jurisdictions.

[3] The Business Software Alliance (BSA) Global Cloud Computing Scorecard provides an assessment of security and privacy policies that countries are implementing for cloud computing. Refer to http://portal.bsa.org/cloudscorecard2012/assets/PDFs/BSA_GlobalCloudScorecard.pdf for details.
Before migrating services to a cloud computing environment, it is important to understand precisely the specific laws or regulations that apply to the services and what are the relevant duties or obligations imposed (e.g. data retention, data protection, interoperability, medical file management, disclosure to authorities). This allows consumers to identify the legal issues and the related legal risks, and consequently the impact these will have on the services being migrated to cloud computing.
One useful approach to the security challenges of cloud computing is for a cloud provider to demonstrate that they are compliant with an established set of security controls. Certification of the provider gives more confidence in that provider to prospective consumers. There are a number of different certifications which can be useful for cloud computing services; which one is most appropriate depends to some extent on the cloud service model (IaaS, PaaS, SaaS) and also depends on your regional and industry requirements.
The most widely recognized international standard for information security compliance is ISO/IEC 27001 [4], which includes national variants and well-developed certification regimes. ISO is currently developing new standards, ISO/IEC 27017 [5] "Security in Cloud Computing" and ISO/IEC 27018 [6] "Privacy in Cloud Computing", which will specifically address cloud security and privacy considerations that build upon ISO/IEC 27001.
Some organizations provide frameworks and certifications for evaluating IT security which can be applied to cloud service providers, including the American Institute of Certified Public Accountants (AICPA) and Information Systems Audit and Control Association (ISACA), which provide the SSAE 16 [7] and CoBIT 5 [8] frameworks respectively. Other organizations provide specialized frameworks for specific services or industries, such as the Payment Card Industry (PCI) Data Security Standard (DSS). [9]
Groups such as the Cloud Security Alliance (CSA) provide guidance which includes a Cloud Controls Matrix (CCM), a provider self-assessment program, Consensus Assessment Initiative (CAI), Certificate of Cloud Security Knowledge (CCSK), and a registry to publish the self-evaluation results (STARS). [10]

[4] See http://www.iso.org/iso/catalogue_detail?csnumber=42103 for details.
[5] See http://www.iso27001security.com/html/27017.html for details.
[6] See http://www.iso27001security.com/html/27018.html for details.
[7] See http://ssae16.com/SSAE16_overview.html for details.
[8] See http://www.isaca.org/COBIT/Pages/default.aspx for details.
[9] See https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf for details.
[10] Refer to https://cloudsecurityalliance.org/ for details on the CSA programs.


Step 2: Audit operational & business processes
Companies understand the importance of auditing the compliance of IT systems, which host their applications and data, to assess effectiveness in enforcing their corporate, industry or government requirements and policies.
As a baseline, consumers should expect to see a report of the cloud provider's operations by independent auditors. Unfettered access to essential audit information is a key consideration of contracts and SLA terms with any cloud provider. As part of any terms, cloud providers should offer timely access to and self-management of audit event, log and report information relevant to a consumer's specific data or applications.
Security compliance tends to be a significant element of any compliance framework. There are three significant areas where the consideration of security methods for cloud computing are of particular interest to cloud consumers and to auditors:
1. Understanding the internal control environment of a cloud provider, including risks, controls and other governance issues when that environment touches the provision of cloud services.
2. Access to the corporate audit trail, including workflow and authorization, when the audit trail spans cloud services.
3. Assurance of the facilities for management and control of cloud services made available to cloud consumers by cloud providers and how such facilities are secured.
Understanding the internal control environment of a cloud provider
Using the services of cloud providers creates the need for appropriate auditing of the activities of persons that may be employed by the cloud provider or consumer (along with any consumer customers and partners) to ensure that the security controls meet the requirements of the consumers. Consumers should expect to see audit information relating to any cloud provider they plan to use. There are alternative standards that can be used as the basis for auditing a service provider, such as the ISO 27000 series. These standards aim to provide the basis for assuring consumers about the nature of the controls environment in place at the cloud provider's organization.
Key controls that relate to cloud computing services include those which
- ensure isolation of consumer applications and data in shared, multi-tenant environments
- provide protection of consumer assets from unauthorized access by the provider's staff
Auditors may be employed by the consumer or they may be employed by the provider, but the key element is that they should be independent. Auditors require access to information about the policies and procedures of a cloud provider which relate to security controls. Auditors also require access to logs and records which show whether the policies and procedures are being followed correctly and, in some cases, the auditors may require specific testing to take place to demonstrate compliance with the prescribed policies and procedures.

Security and authentication technologies, allied to event logging, in the cloud computing environment can help auditors as they deal with issues related to workflow: were those who entered, approved, changed or otherwise touched data authorized to do so, on an individual, group or role-related basis? Was that authorization appropriate on a one-time, periodic or ongoing basis?
Access to the corporate audit trail
It is vital for cloud service consumers to have appropriate audit access to cloud provider events, logs and audit trails to prove enforcement of provider security controls. Auditors need to assure cloud consumers that all the necessary information is being logged and stored appropriately by cloud providers, including authentication, authorization and management information relating to the use of particular applications and data, against all security and compliance policies established by the provider or consumer.
For complete insight into security controls, as they relate to the consumer's applications and data, mechanisms for the routine flow of audit information from the provider to the consumer are recommended. This flow may include secure logs and reports against an agreed-upon schedule. There should be more timely notification of any exceptional security alerts, events or incidents, and incident management processes should be documented and audited. Any audit data should have the necessary associated information to enable forensic analysis to understand how any particular incident occurred, what assets were compromised and what policies, procedures and technologies need to be changed to prevent recurrence, along with any additional security controls that need to be established. [11]
Ideally, there should be automated, standards-based, programmatic access to all of these audit facilities, to ensure timely availability of required data and to remove cost burdens associated with human processing of requests for information.
Assurance of the facilities for management and control of cloud services
In addition to controls which apply to cloud services themselves, there is also a need for providers to enable consumers to self-manage and more closely monitor the usage of their cloud-hosted applications and services. These facilities may include: service catalogs, subscription services, payment processes, the provision of streams of operational event data and logs, usage metering data, facilities for configuring services including adding and removing user identities and the configuration of authorizations.
These facilities are often more sensitive in security terms than the services and applications to which they apply, since the potential for abuse and damage may be higher. A security audit must extend to these facilities as well as to the main services of the provider.

[11] The emerging DMTF Cloud Audit Data Federation (CADF) Workgroup is planning to develop an audit event data model and a compatible interaction model that is able to describe interactions between IT resources suitable for cloud deployment models. Refer to dmtf.org/sites/default/files/CADFWG_Charter_05022011.pdf for details on the workgroup's charter.


Auditing is essential
The security audit of cloud service providers is an essential aspect of the security considerations for cloud consumers. Audits should be carried out by appropriately skilled staff, either belonging to the consumer or to an independent auditing organization. Security audits should be carried out on the basis of one of the established standards for security controls. Consumers need to check that the sets of controls in place meet their security requirements.
There is also a need to ensure proper integration of the cloud provider's reporting and logging facilities with the consumer's systems, so that appropriate operational and business data flows on a timely basis to enable consumers to manage their use of provider services.

Step 3: Manage people, roles and identities
Consumers must ensure that their cloud provider has processes and functionality that govern who has access to the consumer's data and applications. This ensures access to their cloud environments is controlled and managed.
Organizations manage dozens to thousands of employees and users who access their cloud applications and services, each with varying roles and entitlements. Cloud providers must allow the cloud consumer to assign and manage the roles and associated levels of authorization for each of their users in accordance with their security policies. These roles and authorization rights are applied on a per-resource, service or application basis. For example, a cloud consumer, in accordance with its security policies, may have an employee whose role permits them to generate a purchase request, but a different role and authorization rights are granted to another employee responsible for approving the request.
The cloud provider must have a secure system for provisioning and managing unique identities for their users and services. This Identity Management functionality must support simple resource accesses and robust consumer application and service workflows. A key requirement for moving a consumer application to the cloud is assessing the provider's ability to allow the consumer to assign their user identities into access groups and roles that reflect their operational and business security policies.
Any user access or interaction with the provider's management platform, regardless of role or entitlement, should be monitored and logged to provide auditing of all access to consumer data and applications.
Table1highlightsthekeyfeaturesacloudprovidershouldsupportinorderforaconsumertoeffectively
managepeople,rolesandidentitiesinthecloud:
Table1.Cloudprovidersupportforpeople,rolesandidentities

ProviderSupports
ConsumerConsiderationsandQuestions
FederatedIdentityManagement Enterprisesthatarecloudconsumers,inmanycases,already
(FIM),ExternalIdentity
haveanexistingdatabaseofusers,mostlikelystoredinan
Providers(EIP)
enterprisedirectory,andtheywishtoleveragethisuser
Copyright2012CloudStandardsCustomerCouncil

Page13

databasewithoutrecreatinguseridentities.

IdentityProvisioningand
Delegation

SingleSignOn(SSO),Single
SignOff

Questiontocloudprovider:CanIintegratemycurrentuser
store(internaldatabaseordirectoryofusers)without
recreatingallmyuserswithinyourcloudenvironment?

Consumerorganizationsneedtoadministertheirownusers;
thecloudprovidershouldsupportdelegatedadministration.

Questiontocloudprovider:Whatprovisioningtoolsdoyou
provideforonboardingandoffboardingusers?

Questiontocloudprovider:Doesyourplatformoffer
delegatedadministrationformyorganizationtoadminister
users?

Consumerorganizationsmaywishtofederateidentityacross
applicationstoprovidesinglesignon(SSO)alongwithsingle
signofftoassureusersessionsgetterminatedproperly.For
example,anorganizationusingseparateSaaSapplicationsfor
CRMandERPwouldlikesinglesignonandsignoffacross
theseapplications(e.g.usingstandardssuchasSAML 12 ,WS
Federation 13 andOAuth 14 ).
Questiontocloudprovider:Doyouoffersinglesignonfor
accessacrossmultipleapplicationsyouofferortrusted
federatedsinglesignonacrossapplicationswithother
vendors?

Identity and Access Audit

Consumers need auditing and logging reports relating to service usage for their own assurance as well as compliance with regulations.

Question to cloud provider: What auditing logs, reports, alerts and notifications do you provide in order to monitor user access both for my needs and for the needs of my auditor?

Robust Authentication

For access to high value assets hosted in the cloud, cloud consumers may require that their provider supports strong, multi-factor, mutual and/or even biometric authentication.

Question to cloud provider: If required, does your platform support strong, multi-factor or mutual authentication?

Role, Entitlement and Policy Management

Cloud consumers need to be able to describe and enforce their security policies, user roles, groups and entitlements to their business and operational applications and assets, with due consideration for any industry, regional or corporate requirements.

Question to cloud provider: Does your platform offer fine grained access control so that my users can have different roles that do not create conflicts or violate compliance guidelines?

[12] Refer to https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security for details.

[13] Refer to https://www.oasis-open.org/committees/documents.php?wg_abbrev=wsfed for details.

[14] Refer to http://oauth.net/ for details.

Copyright 2012 Cloud Standards Customer Council

Page 14

Cloud providers should have formalized processes for managing their own employee access to any hardware or software used to store, transmit or execute consumer data and applications, which they should disclose and demonstrate to the consumer.
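As an added example (not part of the CSCC paper), the following Python models what the "Role, Entitlement and Policy Management" question asks a provider about, together with the off-boarding step from the provisioning question: roles carry entitlements, a policy lists role pairs that one person must never hold together (separation of duties), an assignment that would create such a conflict is refused before it takes effect, and an audit report lists who holds what. The role, entitlement and user names are constructed for illustration.

```python
"""Separation-of-duties aware role and entitlement model.

Added example, not from the CSCC paper. Roles map to entitlements,
mutually exclusive role pairs express separation-of-duties rules, and
an assignment that would give one user two conflicting roles is refused
before it takes effect. Off-boarding revokes everything at once, and an
audit report lists who holds which entitlements. All names are
constructed for illustration.
"""
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when an assignment would break a separation-of-duties rule."""


@dataclass
class AccessPolicy:
    # role name -> entitlements granted by that role (constructed names)
    roles: dict[str, frozenset[str]]
    # pairs of roles that one person must never hold at the same time
    exclusive_pairs: set[frozenset[str]]
    # user -> roles currently held
    assignments: dict[str, set[str]] = field(default_factory=dict)

    def assign(self, user: str, role: str) -> None:
        """Grant a role, refusing it if it conflicts with a role already held."""
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset({other, role}) in self.exclusive_pairs:
                raise PolicyViolation(
                    f"{user} already holds {other}, which excludes {role}")
        held.add(role)

    def revoke(self, user: str, role: str) -> None:
        self.assignments.get(user, set()).discard(role)

    def offboard(self, user: str) -> set[str]:
        """Remove the user entirely; returns the roles that were revoked."""
        return self.assignments.pop(user, set())

    def entitlements(self, user: str) -> frozenset[str]:
        """Effective entitlements: the union over all roles the user holds."""
        held = self.assignments.get(user, set())
        return frozenset().union(*(self.roles[r] for r in held))

    def is_permitted(self, user: str, entitlement: str) -> bool:
        return entitlement in self.entitlements(user)

    def audit_report(self) -> list[tuple[str, list[str], list[str]]]:
        """Rows of (user, roles, entitlements) for the consumer's auditor."""
        return [(u, sorted(r), sorted(self.entitlements(u)))
                for u, r in sorted(self.assignments.items()) if r]


def demo_policy() -> AccessPolicy:
    """A small finance-application policy (constructed illustration)."""
    return AccessPolicy(
        roles={
            "payment_clerk": frozenset({"payment.create", "payment.view"}),
            "payment_approver": frozenset({"payment.approve", "payment.view"}),
            "auditor": frozenset({"payment.view", "audit_log.read"}),
        },
        # the person raising a payment must not be the one approving it
        exclusive_pairs={frozenset({"payment_clerk", "payment_approver"})},
    )


def run_scenario() -> dict:
    """Exercise the policy; returns the observations worth checking."""
    policy = demo_policy()
    policy.assign("alice", "payment_clerk")
    policy.assign("bob", "payment_approver")
    policy.assign("bob", "auditor")  # no conflict with approver
    try:
        policy.assign("alice", "payment_approver")  # clerk + approver: refused
        conflict_refused = False
    except PolicyViolation:
        conflict_refused = True
    bob_before = policy.is_permitted("bob", "payment.approve")
    revoked = policy.offboard("bob")  # off-boarding removes every role at once
    return {
        "conflict_refused": conflict_refused,
        "alice_can_approve": policy.is_permitted("alice", "payment.approve"),
        "bob_could_approve": bob_before,
        "bob_after_offboard": policy.is_permitted("bob", "payment.approve"),
        "revoked": sorted(revoked),
        "report": policy.audit_report(),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```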

Step 4: Ensure proper protection of data and information
Data are at the core of IT security concerns for any organization, whatever the form of infrastructure that is used. Cloud computing does not change this, but cloud computing does bring an added focus because of the distributed nature of the cloud computing infrastructure and the shared responsibilities that it involves. Security considerations apply both to data at rest (held on some form of storage system) and also to data in motion (being transferred over some form of communication link), both of which may need particular consideration when using cloud computing services.

Essentially, the questions relating to data for cloud computing are about various forms of risk: risk of theft or unauthorized disclosure of data, risk of tampering or unauthorized modification of data, risk of loss or of unavailability of data. It is also worth remembering that in the case of cloud computing, "data assets" may well include things such as application programs or machine images, which can have the same risk considerations as the contents of databases or data files.

The general approaches to the security of data are well described in specifications such as the ISO 27002 standard and these control-oriented approaches apply to the use of cloud computing services, with some additional cloud-specific considerations as described in the ISO 27017 standard (currently under development). Security controls as described in ISO 27002 highlight the general features that need to be addressed, to which specific techniques and technologies can then be applied.


The type of cloud service is very likely to affect the key question of who is responsible for handling particular security controls. For IaaS, more responsibility is likely to be with the consumer (e.g. for encrypting data stored on a cloud storage device); for SaaS, more responsibility is likely to be with the provider, since both the stored data and the application code are not directly visible or controllable by the consumer.

Table 2 highlights the key steps consumers should take to ensure that data involved in cloud computing activities is properly secure.
Table 2. Controls for securing data in cloud computing

Controls | Description

Create a data asset catalog

A key aspect of data security is the creation of a data asset catalog, identifying all data assets, classifying those data assets in terms of criticality to the business (which can involve financial and legal considerations, including compliance requirements), specifying ownership and responsibility for the data and describing the location(s) and acceptable use of the assets.

Relationships between data assets also need to be cataloged.

An associated aspect is the description of responsible parties and roles, which in the case of cloud computing must span the cloud service consumer organization and the cloud service provider organization.

Consider all forms of data

Organizations are increasing the amount of unstructured data held on IT systems, which can include items such as images of scanned documents and pictures of various kinds.

Unstructured data can be sensitive and require specific treatment, for example redaction or masking of personal information such as signatures, addresses, license plates.

For structured data, in a multi-tenancy cloud environment, data held in databases needs consideration. Database segmentation can be offered in a couple of varieties: shared or isolated data schema.

- In a shared data schema, each customer's data is intermixed within the same database. This means that customer A's data may reside in row 1 while customer B's data resides in row 2.

- In an isolated architecture, the consumer's data is segregated into its own database instance. While this may provide additional isolation, it also impacts the provider's economies of scale and could, potentially, increase the cost to the consumer.

- In either scenario, database encryption should be employed to protect all data at rest.

Consider privacy requirements

Data privacy often involves laws and regulations relating to the acquisition, storage and use of personally identifiable information (PII).

Typically, privacy implies limitations on the use and accessibility of PII, with associated requirements to tag the data appropriately, store it securely and to permit access only by appropriately authorized users.

This requires appropriate controls to be in place, particularly when the data is stored within a cloud provider's infrastructure. The ISO 27018 standard (in preparation) addresses the controls required for PII. These controls may restrict the geographical location in which the data is stored, for example, which runs counter to one aspect of cloud computing, which is that cloud computing resources can be distributed in multiple locations.

Apply confidentiality, integrity and availability

The key security principles of confidentiality, integrity and availability are applied to the handling of the data, through the application of a set of policies and procedures, which should reflect the classification of the data.

Sensitive data should be encrypted, both when it is stored on some medium and also when the data is in transit across a network, for example, between storage and processing, or between the provider's system and a consumer user's system.

- An extra consideration when using cloud computing concerns the handling of encryption keys: where are the keys stored and how are they made available to application code that needs to decrypt the data for processing? It is not advisable to store the keys alongside the encrypted data, for example.

Integrity of data can be validated using techniques such as message digests or secure hash algorithms, allied to data duplication, redundancy and backups.

Availability can be addressed through backups and/or redundant storage and resilient systems, and techniques related to the handling of denial of service attacks. There is also a need for a failover strategy, either by using a service provider who offers this as part of their service offering, or, if the provider does not offer resiliency as a feature of their services, the consumer may consider self-provision of failover by having equivalent services on standby with another provider.

Apply identity and access management

Identity and access management is a vital aspect of securing data (refer to Step 3: Manage people, roles and identities on page 13), with appropriate authorization being required before any user is permitted to access sensitive data in any way.

Related to this is the requirement for logging and security event management (e.g. the reporting of any security breaches) relating to the activities taking place in the cloud service provider environment.

Following from this is the need for a clear set of procedures relating to data forensics in the event of a security incident. Note that the logs and reporting mechanisms are also in need of appropriate security treatment, to prevent a wrongdoer from being able to cover their tracks.

Most of the security techniques and technologies involved are not new, although cloud computing can create new considerations. For example, if encryption is used on some data, how are the encryption keys managed and used? In addition, the way in which security is applied will most likely depend on the nature of the cloud service being offered. For IaaS, much of the security responsibility is likely to lie with the consumer. For SaaS, much more responsibility is likely to be placed onto the provider, especially since the data storage facilities may be opaque as far as the consumer is concerned.
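The integrity and key-handling points in Table 2 (message digests for integrity, keys not stored alongside the data) can be shown concretely. The Python below is an added example, not from the CSCC paper: it contrasts an unkeyed SHA-256 digest kept beside the data with an HMAC-SHA256 tag whose key stays in a consumer-controlled key store, and shows how an intact redundant copy is picked for recovery when the primary fails its check. Object names, key identifiers and file content are constructed.

```python
"""Integrity checking for data assets stored with a cloud provider.

Added example, not from the CSCC paper. An unkeyed digest stored next to
the data only catches accidental corruption: whoever can rewrite the
bytes in the provider's storage can recompute the digest as well. A
keyed tag (HMAC-SHA256) whose key is held in the consumer's own key
store, away from the provider, cannot be recomputed there, so a change
to the stored bytes is detected and an intact backup replica can be
chosen for recovery. Names and sample content are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class StoredObject:
    """What the provider holds: the bytes plus an integrity value."""
    name: str
    payload: bytes
    integrity: bytes


class ConsumerKeyStore:
    """Key store under the consumer's control (e.g. an on-premises KMS);
    the storage provider never sees these keys."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def create_key(self, key_id: str) -> None:
        self._keys[key_id] = secrets.token_bytes(32)

    def tag(self, key_id: str, name: str, payload: bytes) -> bytes:
        # bind the object name to the content so two objects cannot be swapped
        msg = len(name).to_bytes(4, "big") + name.encode() + payload
        return hmac.new(self._keys[key_id], msg, hashlib.sha256).digest()


def unkeyed_digest(name: str, payload: bytes) -> bytes:
    return hashlib.sha256(name.encode() + b"\0" + payload).digest()


def store_unkeyed(name: str, payload: bytes) -> StoredObject:
    return StoredObject(name, payload, unkeyed_digest(name, payload))


def verify_unkeyed(obj: StoredObject) -> bool:
    return hmac.compare_digest(unkeyed_digest(obj.name, obj.payload), obj.integrity)


def store_keyed(ks: ConsumerKeyStore, key_id: str, name: str, payload: bytes) -> StoredObject:
    return StoredObject(name, payload, ks.tag(key_id, name, payload))


def verify_keyed(ks: ConsumerKeyStore, key_id: str, obj: StoredObject) -> bool:
    return hmac.compare_digest(ks.tag(key_id, obj.name, obj.payload), obj.integrity)


def recover_keyed(ks: ConsumerKeyStore, key_id: str, replicas):
    """Return the first replica (primary, backup, ...) whose tag verifies, else None."""
    for replica in replicas:
        if verify_keyed(ks, key_id, replica):
            return replica
    return None


def run_scenario() -> dict:
    """Model an unwanted change made with write access to the provider's
    storage, for both integrity schemes; returns the observations."""
    ks = ConsumerKeyStore()
    ks.create_key("records-key")
    name, original = "customer-records.csv", b"id,name\n1,Alice\n"
    changed = b"id,name\n1,Mallory\n"

    # Unkeyed digest kept beside the data: the changed copy still verifies,
    # because the co-located digest was simply recomputed along with it.
    weak = store_unkeyed(name, original)
    weak_changed = StoredObject(name, changed, unkeyed_digest(name, changed))

    # Keyed tag, key held off-provider: the tag cannot be recomputed there,
    # so the changed copy fails and the untouched backup is recovered.
    primary = store_keyed(ks, "records-key", name, original)
    backup = StoredObject(name, original, primary.integrity)
    primary_changed = StoredObject(name, changed, primary.integrity)
    recovered = recover_keyed(ks, "records-key", [primary_changed, backup])
    return {
        "unkeyed_original_ok": verify_unkeyed(weak),
        "unkeyed_detects_change": not verify_unkeyed(weak_changed),
        "keyed_original_ok": verify_keyed(ks, "records-key", primary),
        "keyed_detects_change": not verify_keyed(ks, "records-key", primary_changed),
        "recovered_payload": recovered.payload if recovered else None,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```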

Step 5: Enforce privacy policies
Privacy is gaining in importance across the globe, often involving laws and regulations relating to the acquisition, storage and use of personally identifiable information (PII). Typically, privacy implies limitations on the use and accessibility of PII, with associated requirements to tag the data appropriately, store it securely and to permit access only by appropriately authorized users. This requires appropriate controls to be in place, particularly when the data is stored within a cloud provider's infrastructure. The ISO 27018 standard (in preparation) addresses the controls required for PII.

In many countries, numerous laws, regulations and other mandates require public and private organizations to protect the privacy of personal data and the security of information and computer systems. Appendix A on page 31 provides an overview of the worldwide privacy regulations that currently exist.
When data is transferred to a cloud computing environment, the responsibility for protecting and securing the data typically remains with the consumer (the data controller in EU terminology [15]), even if in some circumstances this responsibility may be shared with others. When an organization relies on a third party to host or process its data, the data controller remains liable for any loss, damage, or misuse of the data. It is prudent, and may be legally required, that the data controller and the cloud provider enter into a written (legal) agreement that clearly defines the roles, expectations of the parties, and allocates between them the many responsibilities that are attached to the data at stake.

It is critical that privacy issues are adequately addressed in the cloud contract and service level agreement (SLA). If not, the cloud consumer should consider alternate means of achieving their goals, including seeking a different provider, or not putting sensitive data into the cloud computing environment. For example, if the consumer wishes to place HIPAA-covered information into a cloud computing environment, the consumer must find a cloud service provider that will sign a HIPAA business associate agreement or else not put that data into the cloud computing environment.

Enterprises are responsible for defining policies to address privacy concerns and raise awareness of data protection within their organization. They are also responsible for ensuring that their cloud providers adhere to the defined privacy policies. Consumers have an ongoing obligation to monitor their provider's compliance with these policies. This includes an audit program covering all aspects of the privacy policies, including methods of ensuring that corrective actions will take place.

[15] The European Union provides a Glossary of terms associated with Data Protection here: http://www.edps.europa.eu/EDPSWEB/edps/EDPS/Dataprotection/Glossary

Step 6: Assess the security provisions for cloud applications
Organizations need to proactively protect their business-critical applications from external and internal threats throughout their entire lifecycle, from design to implementation to production. Clearly defined security policies and processes are critical to ensure the application is enabling the business rather than introducing additional risk.

Application security poses specific challenges to the cloud provider and consumer. Organizations must apply the same diligence to application security as they do for physical and infrastructure security. If an application is compromised, it can present liability and perception issues to both the cloud provider and the consumer, especially if the ultimate end users of the application are customers of the consumer rather than employees.

In order to protect an application from various types of breaches, it is important to understand the application security policy considerations based on the different cloud deployment models. Table 3 highlights the impact of cloud deployment on application security. All of these considerations are in addition to those outlined in this whitepaper (facilities, network, data, etc).
Table 3. Deployment model impact on application security

Deployment Type | Application Security Policy Considerations

Infrastructure as a Service

The consumer has responsibility for deployment of the complete software stack (operating system, middleware and application) and for all aspects of security that relate to this stack.

The application security policy should closely mimic the policy of applications hosted internally by the consumer.

The consumer should focus on network, physical environment, auditing, authorization, and authentication considerations as outlined in this document.

The consumer is typically responsible for patching of operating system, middleware and application.

Appropriate data encryption standards should be applied.

Platform as a Service

The consumer has responsibility for application deployment and for securing access to the application itself.

The provider has responsibility for properly securing the infrastructure, operating system and middleware.

The consumer should focus on audit, authorization, and authentication considerations as outlined in this document.

Appropriate data encryption standards should be applied.

In a PaaS model, the consumer may or may not have knowledge of the format and location of their data. It is important that they are knowledgeable of how their data may be accessed by individuals with administrative access.

Software as a Service

Application tier security policy constraints are mostly the responsibility of the provider and are dependent upon terms in the contract and SLA. The consumer must ensure that these terms meet their confidentiality, integrity and availability requirements.

It is important to understand the provider's patching schedule, controls of malware, and release cycle.

Threshold policies help to identify unexpected spikes and reduction of user load on the application. Thresholds are based on resources, users and data requests.

Typically, the consumer is only able to modify parameters of the application that have been exposed by the provider. These parameters are likely independent of application security configurations; however, the consumer should ensure that their configuration changes augment, not inhibit, the provider's security model.

The consumer should have knowledge of how their data is protected against administrative access by the provider. In a SaaS model, the consumer will likely not be aware of the location and format of the data storage.

The consumer must understand the data encryption standards which are applied to data at rest and in motion.

It should be noted that there is a cost to the consumer to ensure that these considerations are applied. The costs are typically built into technology, resources, interventions, and audits. However, these costs will, likely, pale in comparison to the potential liability damages and loss of reputation from an application security breach.

When developing and deploying applications in a cloud environment it is critical that consumers realize that they may be forfeiting some control and have to design their cloud applications with that consideration in mind. In addition, it is critical that consumers developing software use a structured methodology to engineer security into their cloud applications from the ground up.


Step 7: Ensure cloud networks and connections are secure
A cloud service provider must attempt to allow legitimate network traffic and drop malicious network traffic, just as any other Internet-connected organization does. However, unlike many other organizations, a cloud service provider will not necessarily know what network traffic its consumers plan to send and receive. Nevertheless, consumers should expect certain external network perimeter safety measures from their cloud providers.

To use the analogy of a hotel, we expect the hotel to provide some limited amount of perimeter security: not allowing anyone into the building without a key card during certain times of night, for example, or challenging obviously dangerous persons, even though we should not expect the hotel to deny access to every dangerous person.

With this in mind, it is recommended that consumers evaluate the external network controls of a cloud provider based on the areas highlighted in Table 4.
Table 4. External network requirements

Provider Responsibility | Description/Guidance

Traffic screening

Certain traffic is almost never legitimate, for example, traffic to known malware ports. The provider should block this traffic on behalf of the consumers.

Traffic screening is generally performed by firewall devices or software. Some firewall considerations:

- Does the provider publish a standard perimeter block list that aligns with the terms of service for the offering? Consumers should request a copy of the block list; a reasonable block list can provide a consumer with both assurance of a thoughtful network protection plan as well as some functional guidelines on what is allowed. There may be some cause for concern if the block list is not in line with the terms of service.

- Does the provider's firewall block all IPv6 access, or protect against both IPv4 and IPv6 attacks? More and more devices are IPv6 capable, and some providers forget to limit IPv6 access, which can allow an attacker an easy way around the IPv4 firewall.

- Is the traffic screening able to withstand and adapt to attacks such as Distributed Denial of Service attacks? DDoS attacks are more and more commonly used for extortion purposes by organized crime, and the ability of a cloud service provider and its Internet service provider to assist in blocking the unwanted traffic can be crucial to withstanding an attack.

Intrusion detection/prevention

Some traffic may look legitimate, but deeper inspection indicates that it is carrying malicious payload such as spam, viruses, or known attacks. The provider should block or at least notify consumers about this traffic.

Intrusion detection and/or prevention systems (IDS/IPS) may be software or devices. Whereas a firewall usually only makes decisions based on source/destination, ports, and existing connections, an IDS/IPS looks at both overall traffic patterns as well as the actual contents of the messages. Many firewalls now include IDS/IPS capabilities.

Although technically not IDS/IPS devices, application-level proxies (such as e-mail gateways/relays) will often perform similar functions for certain types of network traffic and are considered here as well.

An IDS will typically only flag potential problems for human review; an IPS will take action to block the offending traffic automatically. Some IDS/IPS considerations:

- IDS/IPS content matching can detect or block known malware attacks, virus signatures, and spam signatures, but is also subject to false positives. Does the cloud provider have a documented exception process for allowing legitimate traffic that has content similar to malware attacks or spam?

- Similarly, IDS/IPS traffic pattern analysis can often detect or block attacks such as a denial of service attack or a network scan. However, in some cases this is perfectly legitimate traffic (such as using cloud infrastructure for load testing or security testing). Does the cloud provider have a documented exception process for allowing legitimate traffic that the IDS/IPS flags as an attack pattern?

Logging and notification

For assurance purposes and troubleshooting, it's important that consumers have some visibility into the network health.

Incident reporting and incident handling procedures must be clear and the consumer should look for visibility into the handling process. Note that if any PII is stored in the cloud computing environment, there may be legal requirements associated with any incident.

Some network logging information is of a sensitive nature and may reveal information about other clients, so a cloud provider may not allow direct access to this information. However, it is recommended that consumers ask certain questions about logging and notification policies:

- What is the network logging and retention policy? In the event of a successful attack, the consumer may want to perform forensic analysis, and the network logs can be very helpful.

- What are the notification policies? As a cloud consumer, you should be notified in a timely manner if your machines are attacked or compromised and are attacking someone else.

- Are historical statistics available on the number of attacks detected and blocked? These statistics can help a consumer understand how effective the provider's detection and blocking capabilities actually are.



Cloud computing includes a number of resources that are not shared in a traditional data center. One of these resources is the cloud provider's internal network infrastructure, such as the access switches and routers used to connect cloud virtual machines to the provider's backbone network.

Internal network security differs from external network security in that we postulate that any attackers have already made it through the external defenses, either via an attack or, more commonly, because the attackers are legitimately authorized for a different part of the network. After a user is allowed access to a portion of the cloud service provider's network, the provider has a number of additional responsibilities with respect to internal network security.

The primary categories of internal network attacks that consumers should be concerned with include:
1. Confidentiality breaches (disclosure of confidential data)
2. Integrity breaches (unauthorized modification of data)
3. Availability breaches (denial of service, either intentional or unintentional)

Consumers must evaluate the cloud service provider's internal network controls with respect to their requirements and any existing security policies the consumer may have. Each consumer's requirements will be different, but it is recommended that consumers evaluate the internal network controls of a service provider based on the areas highlighted in Table 5.
Table 5. Internal network requirements

Provider Responsibility | Description/Guidance

Protect clients from one another

Cloud providers are responsible for separating their clients in multi-tenant situations. Most cloud service providers will use one or more of the following technologies for this purpose:

1. Dedicated virtual LANs, or VLANs, are a technology that makes a collection of ports on a physical Ethernet switch appear to be a separate switch. In theory, network traffic on one VLAN cannot be seen on a different VLAN any more than network traffic on one physical Ethernet switch can be seen on a different, non-connected Ethernet switch.

VLAN separation technology is often a primary control for cloud providers and is generally very effective. However, there are documented VLAN hopping attacks that allow unauthorized traffic between VLANs, such as double tagging and switch spoofing.

Many cloud providers offer dedicated VLANs for consumers that no other consumers should be able to access. It is recommended that consumers verify that the provider's VLAN controls address the known VLAN hopping attacks.

2. Virtual Private Networks (VPNs, and also sometimes referred to simply as tunnels) can be used to connect a consumer's dedicated cloud VLAN back to the consumer's network; this configuration is commonly known as a site-to-site VPN.

VPNs can also be used to allow roaming users anywhere on the Internet to securely access the consumer's VLAN; this configuration is commonly called client-to-site.

In both cases, there are multiple technologies (such as SSL and IPSec) with different security implementations (such as certificate/credential based or endpoint authentication). It is recommended that consumers decide whether VPNs are required, and if so ensure that the cloud provider supports the required operating mode (client-to-site or site-to-site) and security implementation.

3. Per-instance software firewalls are one of the last lines of defense and allow consumers to regulate what traffic comes into their instances by configuring the software firewall on the instance itself. If using a cloud provider's images, consumers should ensure that the images contain proper software firewall capabilities and that the rules are simple to deploy and modify. Per-instance software firewalls are particularly important when sharing a VLAN with other consumers.

4. Private VLAN (PVLAN) is a term that has two meanings. One meaning is a VLAN that is dedicated to a particular consumer, which is defined simply as Dedicated VLAN above. The second, more technical use of the term is a VLAN that prohibits all traffic between hosts on the private VLAN by default. With Private VLAN technology, consumer A and consumer B could be on the same VLAN, but still be unable to communicate with one another; they may only be allowed to talk to the router that allows Internet access.

Private VLAN technology is effective as long as the router, which is permitted to talk to all stations on the network, is not configured to relay traffic originating in the VLAN back into the VLAN, thereby bypassing the switch's controls. Private VLAN technology provides good isolation but can lead to functional problems, as cloud instances often need to talk to other cloud instances in addition to systems out on the Internet. For this reason, per-instance firewalls are more commonly used for instance separation on the same VLAN.

If PVLAN technology is needed, it is recommended that the consumer test to ensure that the router is properly configured and that traffic between cloud instances on the same VLAN is blocked.

5. Hypervisor-based filters, such as ebtables on Linux, are functionally similar to private VLANs in that they can prohibit or allow communications at the virtual switch level. However, these can also be used to prevent attacks such as IP and MAC address spoofing. If dedicated VLANs are not used, it is recommended that the consumer ask what protections are in place to prevent another consumer's instance from masquerading as one of your instances.

Protect the provider's network

Separate the provider's network from all clients. If the provider's network is breached, it could lead to almost undetectable data loss.

The client separation strategies above are worthless if the provider's control network is not properly protected. An attacker who gains access to the provider's control network may be able to perform attacks on other consumers from the control network.

Consumers should ask what security controls are in place for the cloud infrastructure itself. While many cloud providers will not give out in-depth details of their security measures due to valid security concerns, there should be a stated security policy and some assurance (e.g. via audit and certification) that it is followed.

Monitor for intrusion attempts

Activity auditing and logging are an important part of preventive security measures as well as incident response and forensics. Audit information and logs should be subject to appropriate security controls to prevent unauthorized access, destruction or tampering.

Cloud consumers should ask what types of internal network security incidents have been reported and if there are any published statistics or metrics.

Consumers should also ask for the provider's processes for alerting consumers about both successful and unsuccessful internal network attacks.
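Of the VLAN hopping attacks named in Table 5, double tagging is the one a monitoring point can recognise from the frame alone. The Python below is an added example, not from the CSCC paper: it walks the 802.1Q tag stack of raw Ethernet frames as they would be seen on a mirror of an access port, and flags frames carrying more than one tag, frames whose single tag names a VLAN other than the one expected on that port, and frames cut off inside a tag. The sample frames, MAC addresses and VLAN IDs are constructed.

```python
"""Flag double-tagged 802.1Q frames seen on a VLAN access port.

Added example, not from the CSCC paper. Double tagging is one of the
VLAN hopping attacks the paper names: a frame carries two 802.1Q tags,
so a switch that strips the outer tag forwards the frame with the inner
tag onto a VLAN the sending port was never assigned to. A monitoring
point that sees frames before that stripping (e.g. a mirror of the
access port) can detect the condition by walking the tag stack. This
parser does that and also flags frames whose single tag names a VLAN
other than the one expected on the port. Sample frames are built inline;
MAC addresses and VLAN IDs are constructed values.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag
ETHERTYPE_8021AD = 0x88A8  # service-provider (QinQ) tag, treated as a tag too
TAGGED_ETHERTYPES = (ETHERTYPE_8021Q, ETHERTYPE_8021AD)


def parse_vlan_tags(frame: bytes) -> tuple[list[int], int]:
    """Return (VLAN IDs from outer to inner, ethertype of the payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC
    vids: list[int] = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAGGED_ETHERTYPES:
            return vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside an 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def classify_frame(frame: bytes, port_vlan: int) -> str:
    """'ok', 'double-tagged', 'unexpected-vlan' or 'malformed'."""
    try:
        vids, _ = parse_vlan_tags(frame)
    except ValueError:
        return "malformed"
    if len(vids) > 1:
        return "double-tagged"
    if vids and vids[0] != port_vlan:
        return "unexpected-vlan"
    return "ok"


def vlan_alerts(frames, port_vlan: int) -> list[tuple[int, str]]:
    """Index and reason for every frame that should raise an alert."""
    return [(i, verdict)
            for i, verdict in ((i, classify_frame(f, port_vlan))
                               for i, f in enumerate(frames))
            if verdict != "ok"]


def sample_frame(vids, ethertype: int = 0x0800) -> bytes:
    """Constructed monitor input: a frame with the given tag stack and a
    minimal dummy payload (constructed broadcast destination and source MAC)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for vid in vids:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + bytes(20)


def run_scenario() -> list[tuple[int, str]]:
    """Frames as seen on an access port assigned to VLAN 10 (constructed)."""
    seen = [
        sample_frame([10]),        # normal tagged frame for the port's VLAN
        sample_frame([]),          # untagged frame, acceptable on an access port
        sample_frame([10, 20]),    # double-tagged: inner tag targets VLAN 20
        sample_frame([30]),        # single tag naming a VLAN this port is not in
        sample_frame([10])[:15],   # cut off inside the tag
    ]
    return vlan_alerts(seen, port_vlan=10)


if __name__ == "__main__":
    for index, reason in run_scenario():
        print(f"frame {index}: {reason}")
```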

Step 8: Evaluate security controls on physical infrastructure and facilities
An important consideration for security of any IT system concerns the security of physical infrastructure and facilities. In the case of cloud computing, these considerations apply, but it will often be the case that the infrastructure and facilities will be owned and controlled by the cloud service provider and it is the responsibility of the cloud consumer to get assurance from the provider that appropriate security controls are in place.

Assurance may be provided by means of audit and assessment reports, demonstrating compliance to such security standards as ISO 27002.

A brief description of the security controls that should apply to the physical infrastructure and facilities of a cloud provider includes:

- Physical infrastructure and facilities should be held in secure areas. A physical security perimeter should be in place to prevent unauthorized access, allied to physical entry controls to ensure that only authorized personnel have access to areas containing sensitive infrastructure. Appropriate physical security should be in place for all offices, rooms and facilities which contain physical infrastructure relevant to the provision of cloud services.

- Protection against external and environmental threats. Protection should be provided against things like fire, floods, earthquakes, civil unrest or other potential threats which could disrupt cloud services.

- Control of personnel working in secure areas. Such controls should be applied to prevent malicious actions.

- Equipment security controls. These should be in place to prevent loss, theft, damage or compromise of assets.

- Supporting utilities such as electricity supply, gas supply, and water supply should have controls in place. These are required to prevent disruption either by failure of service or by malfunction (e.g. water leakage). This may require multiple routes and multiple utility suppliers.

- Control security of cabling. In particular power cabling and telecommunications cabling, to prevent accidental or malicious damage.

- Proper equipment maintenance. Should be performed to ensure that services are not disrupted through foreseeable equipment failures.

- Control of removal of assets. Required to avoid theft of valuable and sensitive assets.

- Secure disposal or reuse of equipment. Particularly any devices which might contain data, such as storage media.

- Human resources security. Appropriate controls need to be in place for the staff working at the facilities of a cloud provider, including any temporary or contract staff.

- Backup, Redundancy and Continuity Plans. The provider should have appropriate backup of data, redundancy of equipment and continuity plans for handling equipment failure situations.

Effective physical security requires a centralized management system that allows for correlation of inputs from various sources, including property, employees, customers, the general public, and local and regional weather. For more detail on the controls and considerations that apply to each of these items, refer to the ISO 27002 standard.

Step 9: Manage security terms in the cloud SLA
Since cloud computing typically involves two organizations, the service consumer and the service provider, security responsibilities of each party must be made clear. This is typically done by means of a service level agreement (SLA) which applies to the services provided, and the terms of the contract between the consumer and the provider. The SLA should specify security responsibilities and should include aspects such as the reporting of security breaches. SLAs for cloud computing are discussed in more detail in the CSCC document "Practical Guide to Cloud Service Level Agreements, Version 1.0".

One feature of an SLA relating to security is that any requirements that are placed on the cloud provider by the SLA must also pass on to any peer cloud service providers that the provider may use in order to supply any part of their service(s).

It should be explicitly documented in the cloud SLA that providers must notify consumers about the occurrence of any breach of their system, regardless of the parties or data directly impacted. The provider should include specific pertinent information in the notification, stop the data breach as quickly as possible, restore secure access to the service as soon as possible, apply best practice forensics in investigating the circumstances and causes of the breach, and make long term infrastructure changes to correct the root causes of the breach to ensure that it does not recur. Due to the high financial and reputational costs resulting from a breach, consumers may want the provider to indemnify them if the breach was their fault.

Metrics and standards for measuring performance and effectiveness of information security management should be established prior to subscribing to cloud services and should be specified in the cloud SLA. At a minimum, organizations should understand and document their current metrics and how they will change when operations make use of cloud computing and where a provider may use different (potentially incompatible) metrics. Refer to the following resources for specific information on security metrics:

- ISO 27004:2009 [16]

- NIST Special Publication (SP) 800-55 Rev. 1, Performance Measurement Guide for Information Security [17]

- CIS Consensus Security Metrics v1.1.0 [18]

Measuring and reporting on a provider's compliance with respect to data protection is a tangible metric of the effectiveness of the overall enterprise security plan. A data compliance report should be required from the cloud provider and reflects the strength or weakness of controls, services, and mechanisms supported by the provider in all security domains.

The importance of role clarity is increased when discussing security implications. This is also complicated by the cloud computing technical architecture. Each cloud computing model requires distinct responsibilities for the provider and consumer.

In the IaaS model, the onus for securing and reporting upon the infrastructure falls on the provider, but all responsibility for the software stack from the operating system to the application is the responsibility of the consumer. [19] In the PaaS model, the provider is responsible for securing the infrastructure and platform, and the responsibility of the application lies with the consumer. Finally, in the SaaS model, the provider has total responsibility for security. Even in an instance where the provider bears all responsibility, the consumer should validate that the provider has instituted the appropriate measures to ensure a secure environment.

[16] See http://www.iso.org/iso/catalogue_detail.htm?csnumber=42106.

[17] See http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf.

[18] See http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.metrics.110.

[19] The cloud provider is responsible for logging and timely data retrieval and provision to the consumer in an incident response scenario.


Step 10: Understand the security requirements of the exit process
The exit process or termination of the use of a cloud service by a consumer requires careful consideration from a security perspective. The overall need for a well-defined and documented exit process is described in the CSCC document "Practical Guide to Cloud Service Level Agreements, Version 1.0".

From a security perspective, it is important that once the consumer has completed the termination process, "reversibility" or "the right to be forgotten" is achieved, i.e. none of the consumer's data should remain with the provider. The provider must ensure that any copies of the data are wiped clean from the provider's environment, wherever they may have been stored (i.e. including backup locations as well as online data stores). Note that other data held by the provider may need "cleansing" of information relating to the consumer (e.g. logs and audit trails), although some jurisdictions may require retention of records of this type for specified periods by law.

Clearly, there is the opposite problem during the exit process itself: the consumer must be able to ensure a smooth transition, without loss or breach of data. Thus the exit process must allow the consumer to retrieve their data in a suitably secure form, backups must be retained for agreed periods before being eliminated and associated event logs and reporting data must also be retained until the exit process is complete.

Cloud Security Assessment

The critical questions that cloud consumers should ask themselves and their cloud providers during each step of the security assessment are highlighted in Table 6.

Table 6. Cloud Security Assessment

Security Step | Assessment Questions

1. Ensure effective governance, risk and compliance processes exist
   - Does the consumer have governance and compliance processes in place for the use of cloud services?
   - Does the provider have appropriate governance and notification processes for their services, as required by the consumer?
   - Is it clear what legal and regulatory controls apply to the provider's services?

2. Audit and ensure proper reporting of operational and business processes
   - Is audit information available for the provider services? Does the audit information conform to one of the accepted standards for security audit such as ISO 27001?
   - Does the provider have mechanisms in place to provide reporting for both normal or exception behavior relating to their services?
   - Is it clear that the provider's management interfaces (for use by consumers) have adequate security controls in place?
   - Is there an Incident Reporting and Incident Handling process that meets the needs of the consumer?

3. Manage people, roles and identities
   - Do the provider services offer fine-grained access control?
   - Is single sign-on possible with the provider's services?
   - Can the provider give reports for monitoring user access?
   - Is it possible to integrate consumer identity management with the identity management facilities of the provider?

4. Ensure proper protection of data and information
   - Is there a data asset catalog for all data which will be used or stored in the cloud environment?
   - Is there a description of responsible parties and roles?
   - Has the handling of all forms of data been considered, in particular unstructured data such as images?
   - For structured data held in databases within the cloud provider's environment, is there proper separation of data belonging to different consumers in a multi-tenant environment?
   - Has appropriate confidentiality, integrity and availability been applied to data used or stored in the cloud environment?

5. Enforce privacy policies
   - Is PII going to be stored/processed by the cloud services?
   - Do the provider's services have appropriate controls in place for handling PII?
   - Are responsibilities for handling PII stated in the SLA?
   - If there is a security breach, are responsibilities for reporting and resolving the breach clear, including priorities and timescales?

6. Assess the security provisions for cloud applications
   - Is it clear whether responsibility for applications running on cloud infrastructure lies with the consumer or with the provider?
   - Where the responsibility lies with the consumer, does the consumer have governance and policies in place that ensure the appropriate security provisions are applied to each application?
   - Where the responsibility lies with the provider, does the SLA make the provider's responsibilities clear and require specific security provisions to be applied to each application and all data?

7. Ensure cloud networks and connections are secure
   - Is network traffic screened?
   - Does the provider's network have intrusion detection & prevention in place?
   - Does the network provide the consumer with logging and notification?
   - Is there separation of network traffic in a shared multi-tenant provider environment?
   - Is consumer network access separated from provider network access?

8. Evaluate security controls on physical infrastructure and facilities
   - Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?
   - Does the service provider have facilities in place to ensure continuity of service in the face of environmental threats or equipment failures?
   - Does the cloud service provider have necessary security controls on their human resources?

9. Manage security terms in the cloud SLA
   - Does the cloud SLA specify security responsibilities of the provider and of the consumer?
   - Does the SLA require that all security terms must also pass down to any peer cloud service providers used by the provider?
   - Does the SLA have metrics for measuring performance and effectiveness of security management?
   - Does the SLA explicitly document procedures for notification and handling of security incidents?

10. Understand the security requirements of the exit process
   - Is there a documented exit process as part of the contract/SLA?
   - Is it clear that all consumer data is deleted from the provider's environment at the end of the exit process?
   - Is consumer data protected against loss or breach during the exit process?


Additional References

Cloud Standards Customer Council (2011). Practical Guide to Cloud Computing. http://www.cloud-council.org/10052011.htm
This guide provides a practical reference to help enterprise information technology (IT) and business decision makers adopt cloud computing to solve business challenges.

Mell, P., & Grance, T. (2011). The NIST Definition of Cloud Computing (Draft): Recommendations of the National Institute. Gaithersburg: National Institute of Standards and Technology. http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf
This white paper defines cloud computing, the five essential characteristics, three service models, and four deployment models.

Article 29 Data Protection Working Party. Opinion 05/2012 on Cloud Computing. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf
In this Opinion the Article 29 Working Party analyses all relevant issues for cloud computing service providers operating in the European Economic Area (EEA) and their clients, specifying all applicable principles from the EU Data Protection Directive (95/46/EC) and the e-privacy Directive 2002/58/EC (as revised by 2009/136/EC) where relevant.

IBM (2011). Craft a Cloud Service Security Policy. http://www.ibm.com/developerworks/cloud/library/cl-cloudsecurepolicy/
In this article, the author explains how to craft a cloud security policy for managing users, protecting data, and securing virtual machines.

Catteddu, D. & Hogben, G. (November 2009). Cloud Computing: Benefits, risks and recommendations for information security. European Network and Information Security Agency. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment.
This white paper provides security guidance for potential and existing users of cloud computing.

Cloud Security Alliance (August 15, 2010). CSA GRC Stack including CCM v1.1. https://cloudsecurityalliance.org/research/initiatives/grc-stack/
This is an integrated suite of four CSA initiatives: CloudAudit, Cloud Controls Matrix, Consensus Assessments Initiative Questionnaire and the CloudTrust Protocol.

Cloud Security Alliance (2011). Security Guidance for Critical Areas of Focus in Cloud Computing Version 3.0. http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
This document provides an actionable, practical roadmap to managers wanting to adopt the cloud paradigm safely and securely.

Daskala, B. & Marinos, L. EFR (March, 2010). Emerging and Future Risks Framework, Introductory Manual. European Network and Information Security Agency. http://www.enisa.europa.eu/act/rm/files/deliverables/efr-framework-handbook.
This handbook provides the documentation of the EFR Framework which consists of a scenario-based process model developed in order to assess and manage emerging and future risks.

Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media. http://www.amazon.com/Cloud-Security-Privacy-Enterprise-Perspective/dp/0596802765.
Insight from knowledgeable experts including a former Chief Security Strategist for RSA on how to keep your virtual infrastructure and web applications secure.

Appendix A: Worldwide Privacy Regulations

Region: Asia Pacific region, Japan, Australia, New Zealand, and others
Regulation: These regions have adopted data protection laws that require the data controller to adopt reasonable technical, physical, and administrative measures in order to protect personal data from loss, misuse, or alteration, based on the Privacy and Security Guidelines of the Organization for Economic Cooperation and Development (OECD)[20], and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.[21]

Region: Japan
Regulation: In Japan, the Personal Information Protection Act[22] requires the private sectors to protect personal information and data securely. In the health care industry, profession-specific laws, such as the Medical Practitioners' Law[23], the Law on Public Health Nurses, Midwives and Nurses[24], and the Dentists Law[25], require registered health professionals to protect the confidentiality of patient information.

Region: Europe, Africa, Middle East
Regulation: The European Economic Area (EEA) 30 Member States have enacted data protection laws that follow the principles set forth in the 1995 European Union (EU) Data Protection Directive and the 2002 ePrivacy Directive (as amended in 2009). These laws include a security component, and the obligation to provide adequate security must be passed down to subcontractors.
Other countries that have close ties with the EEA, such as Morocco and Tunisia in Africa, Israel and Dubai in the Middle East, have also adopted similar laws that follow the same principles.

Region: Americas
Regulation: North, Central, and South American countries are also adopting data protection laws at a rapid pace. Each of these laws includes a security requirement that places on the data custodian the burden of ensuring the protection and security of personal data wherever the data are located, and especially when transferring to a third party.
In addition to the data protection laws of Canada[26] and Argentina[27], which have been in existence for several years, Colombia, Mexico, Uruguay, and Peru have recently passed data protection laws that are inspired mainly from the European model and may include references to the APEC Privacy Framework as well.

Region: United States
Regulation: There is no single privacy law in the United States. A range of government agency and industry sector laws impose privacy obligations in specific circumstances. There are numerous gaps and overlaps in coverage. Current industry sector privacy laws include:
o The Federal Trade Commission Act[28], which prohibits unfair or deceptive practices; this requirement has been applied to company privacy policies in several prominent cases.
o The Electronic Communications Privacy Act of 1986[29], which protects consumers against interception of their electronic communication (with numerous exceptions).
o The Health Insurance Portability and Accountability Act (HIPAA)[30], which contains privacy rules applying to certain categories of health and medical research data.
o The Fair Credit Reporting Act[31], which includes privacy rules for credit reporting and consumer reports.
o The Gramm-Leach-Bliley Act (GLBA)[32], which governs the collection, disclosure, and protection of consumers' non-public personal information for financial institutions.
These laws hold organizations responsible for the acts of their subcontractors. For example, the security and privacy rules under GLBA or HIPAA require that organizations compel their subcontractors, in written contracts, to use reasonable security measures and comply with data privacy provisions.
Government agencies, such as the Federal Trade Commission (FTC) or the State Attorneys General, have consistently held organizations liable for the activities of their subcontractors.

Region: Worldwide
Regulation: The Payment Card Industry (PCI) Data Security Standards (DSS)[33], which apply to credit card data anywhere in the world, including data processed by subcontractors, have similar requirements.

20. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were adopted on 23 September 1980; see http://www.oecd.org/document/18/0,3746,en_2649_34255_1815186_1_1_1_1,00.html.

21. In 2004, the APEC Privacy Framework was endorsed by APEC Ministers; for more details see http://www.worldlii.org/int/other/PrivLRes/2005/4.html.

22. Act on the Protection of Personal Information (Act No. 57 of 2003); see http://www.cas.go.jp/jp/seisaku/hourei/data/APPI.pdf for details.

23. Medical Practitioners' Law (Law No. 201 of July 30, 1948): http://jalii.law.nagoya-u.ac.jp/official_gazette/pdf/19480730f_eb.00000.010.010_0010.0010.0_a.127600.01217100.pdf

24. Law on Public Health Nurses, Midwives and Nurses (Law No. 203 of July 30, 1948): http://jalii.law.nagoya-u.ac.jp/official_gazette/pdf/19480730f_eb.00000.010.010_0010.0010.0_a.127600.01217100.pdf

25. Dentists Law (Law No. 202 of July 30, 1948); see http://jalii.law.nagoya-u.ac.jp/official_gazette/pdf/19480730f_eb.00000.010.010_0010.0010.0_a.127600.01217100.pdf for details.

26. Personal Information Protection and Electronic Documents Act (PIPEDA); see http://laws-lois.justice.gc.ca/eng/acts/P-8.6/ for details.

27. Law for the Protection of Personal Data (LPDP), Law No. 25.326; see http://www.protecciondedatos.com.ar/law25326.htm for details.

28. See http://www.law.cornell.edu/uscode/text/15/chapter-2/subchapter-I for details.

29. See http://frwebgate.access.gpo.gov/cgi-bin/usc.cgi?ACTION=RETRIEVE&FILE=$$xa$$busc18.wais&start=3919965&SIZE=21304&TYPE=TEXT for details.

30. The final HIPAA regulation and modifications can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf.

31. See http://www.ftc.gov/os/statutes/fcradoc.pdf for details.

32. See http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/content-detail.html for details.

33. PCI DSS provides an actionable framework for developing a robust payment card data security process including prevention, detection and appropriate reaction to security incidents. See https://www.pcisecuritystandards.org/security_standards/ for details.

Appendix B: Acronyms & Abbreviations

Abbreviation | Meaning
AICPA | American Institute of Certified Public Accountants
CSA | Cloud Security Alliance
CoBIT | Control Objectives for Information and Related Technologies. A framework created by ISACA to support governance of IT by defining and aligning business goals with IT goals and IT processes
CSCC | Cloud Standards Customer Council
ENISA | European Network and Information Security Agency
IaaS | Infrastructure as a Service
IEC | International Electrotechnical Commission
ISACA | Information Systems Audit and Control Association
ISO | International Standards Organization
PaaS | Platform as a Service
PCI | Payment Card Industry (Security Standards Council)
PII | Personally identifiable information
SaaS | Software as a Service
SLA | Service Level Agreement
SSAE | Statement on Standards for Attestation Engagements
