Cloud Security
10 Steps to Ensure Success
August, 2012
Contents
Acknowledgements ........ 4
Workgroup Leaders ........ 4
Key Contributors ........ 4
Reviewers ........ 4
Introduction ........ 5
Cloud Security Landscape ........ 5
Cloud Security Guidance ........ 7
Step 1: Ensure effective governance, risk and compliance processes exist ........ 8
Step 2: Audit operational & business processes ........ 11
Step 3: Manage people, roles and identities ........ 13
Step 4: Ensure proper protection of data and information ........ 15
Step 5: Enforce privacy policies ........ 18
Step 6: Assess the security provisions for cloud applications ........ 19
Step 7: Ensure cloud networks and connections are secure ........ 21
Step 8: Evaluate security controls on physical infrastructure and facilities ........ 25
Step 9: Manage security terms in the cloud SLA ........ 26
Step 10: Understand the security requirements of the exit process ........ 28
Cloud Security Assessment ........ 28
Additional References ........ 31
Appendix A: Worldwide Privacy Regulations ........ 32
Appendix B: Acronyms & Abbreviations ........ 34
Copyright 2012 Cloud Standards Customer Council
Page 2
2012 Cloud Standards Customer Council.
All rights reserved. You may download, store, display on your computer, view, print, and link to the Security for Cloud Computing white paper at the Cloud Standards Customer Council Web site subject to the following: (a) the document may be used solely for your personal, informational, noncommercial use; (b) the document may not be modified or altered in any way; (c) the document may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the document as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Standards Customer Council Security for Cloud Computing (2012).
Acknowledgements
The Security for Cloud Computing: 10 Steps to Ensure Success document is a collaborative effort that brings together diverse customer-focused experiences and perspectives into a single guide for IT and business leaders who are considering adopting cloud computing. The following participants have provided their expertise and time to this effort.
Workgroup Leaders
Ryan Kean (The Kroger Co.): Workgroup chair; Application Section Leader
David Harris (Boeing): Workgroup chair; Cloud Security Assessment Section Leader
John Meegan (IBM): Lead Technical Editor; Introduction and SLA Section Leader
Barry Pardee (Tailwind Associates): Current Landscape Section Leader
Yves Le Roux (CA Technologies): GRC Section Leader
Chris Dotson (IBM): Network & Connections Section Leader
Eric Cohen (PricewaterhouseCoopers): Auditing Section Leader
Mike Edwards (IBM): Data Section Leader; Infrastructure Section Leader; Exit Process Section Leader
Jonathan Gershater (Trend Micro): People, Roles & Identity Section Leader
Key Contributors
The workgroup leaders wish to recognize the following individuals for their outstanding efforts to provide content, share their expertise and ensure completeness of the white paper: Matt Rutkowski (IBM), Shamun Mahmud (DLT Solutions).
Reviewers
The following reviewers provided feedback on the white paper: Keith Trippie (Department of Homeland Security), Michael Chen (Cluster Technology Limited), Jeffery Finke (The MITRE Corporation), Dave Russell (IBM), Andrew Low (IBM).
Introduction
The aim of this guide is to provide a practical reference to help enterprise information technology (IT) and business decision makers as they analyze and consider the security implications of cloud computing on their business. The paper includes a list of steps, along with guidance and strategies, designed to help these decision makers evaluate and compare security offerings in key areas from different cloud providers.
When considering a move to use cloud computing, consumers must have a clear understanding of potential security benefits and risks associated with cloud computing, and set realistic expectations with their cloud provider. Consideration must be given to the different models of service delivery: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), as each model brings different security requirements and responsibilities. Additionally, this paper highlights the role that standards play to improve cloud security and also identifies areas where future standardization could be effective.
The section titled Current Cloud Security Landscape provides an overview of the security and privacy challenges pertinent to cloud computing and points out considerations that organizations should weigh when outsourcing data, applications, and infrastructure to a cloud computing environment.
The section titled Cloud Security Guidance is the heart of the guide and includes the steps that can be used as a basis for evaluation of cloud provider security. It discusses the threats, technology risks, and safeguards for cloud computing environments, and provides the insight needed to make informed IT decisions on their treatment. Although guidance is provided, each organization must perform its own analysis of its needs, and assess, select, engage, and oversee the cloud services that can best fulfill those needs.
The section titled Cloud Security Assessment provides consumers with an efficient method of assessing the security capabilities of cloud providers and assessing their individual risk. A questionnaire for consumers to conduct their own assessment across each of the critical security domains is provided.
A related document, the Practical Guide to Cloud Service Level Agreements [1], released by the Cloud Standards Customer Council (CSCC) in April 2012, provides additional guidance on evaluating security criteria in cloud SLAs.
[1] See http://www.cloudstandardscustomercouncil.org/2012_Practical_Guide_to_Cloud_SLAs.pdf
Cloud Security Landscape
While security and privacy concerns when using cloud computing services are similar to those of traditional non-cloud services, concerns are amplified by external control over organizational assets and the potential for mismanagement of those assets. Transitioning to public cloud computing involves a transfer of responsibility and control to the cloud provider over information as well as system
components that were previously under the organization's direct control. The transition is usually accompanied by loss of direct control over the management of operations and also a loss of influence over decisions made about the computing environment.
Despite this inherent loss of control, the cloud service consumer still needs to take responsibility for their use of cloud computing services in order to maintain situational awareness, weigh alternatives, set priorities, and effect changes in security and privacy that are in the best interest of the organization. The consumer achieves this by ensuring that the contract with the provider and its associated service level agreement (SLA) has appropriate provisions for security and privacy. In particular, the SLA must help maintain legal protections for privacy relating to data stored on the provider's systems. The consumer must also ensure appropriate integration of the cloud computing services with their own systems for managing security and privacy.
Cloud computing represents a very dynamic area at the present time, with new suppliers and new offerings arriving all the time. There are a number of security risks associated with cloud computing that must be adequately addressed: [2]
[2] Credit to European Network and Information Security Agency (ENISA). Visit http://www.enisa.europa.eu/ for more information.
- Loss of governance. For public cloud deployments, consumers necessarily cede control to the cloud provider over a number of issues that may affect security. At the same time, cloud service level agreements (SLAs) may not offer a commitment to provide such capabilities on the part of the cloud provider, thus leaving gaps in security defenses.
- Responsibility ambiguity. Given that use of cloud computing services spans across the consumer and the provider organizations, responsibility for aspects of security can be spread across both organizations, with the potential for vital parts of the defenses to be left unguarded if there is a failure to allocate responsibility clearly. The split of responsibilities between consumer and provider organizations is likely to vary depending on the model being used for cloud computing (e.g. IaaS versus SaaS).
- Isolation failure. Multi-tenancy and shared resources are defining characteristics of public cloud computing. This risk category covers the failure of mechanisms separating the usage of storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks).
- Vendor lock-in. Dependency on proprietary services of a particular cloud provider could lead to the consumer being tied to that provider. Services that do not support portability of applications and data to other providers increase the risk of data and service unavailability.
- Compliance and legal risks. Investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to use cloud computing if the cloud provider cannot provide evidence of their own compliance with the relevant requirements or if the cloud provider does not permit audit by the cloud consumer. It is the responsibility of the cloud consumer to check that the cloud provider has appropriate certifications in place, but it is also necessary for the cloud consumer to be clear about the division of security responsibilities between the consumer and the provider and to ensure that the consumer's responsibilities are handled appropriately when using cloud computing services.
- Handling of security incidents. The detection, reporting and subsequent management of security breaches is a concern for consumers, who are relying on providers to handle these matters.
- Management interface vulnerability. Consumer management interfaces of a public cloud provider are usually accessible through the Internet and mediate access to larger sets of resources than traditional hosting providers and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
- Data protection. Cloud computing poses several data protection risks for cloud consumers and providers. The major concerns are exposure or release of sensitive data but also include loss or unavailability of data. In some cases, it may be difficult for the cloud consumer (in the role of data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated cloud services.
- Malicious behavior of insiders. Damage caused by the malicious actions of insiders working within an organization can be substantial, given the access and authorizations they may have. This is compounded in the cloud computing environment since such activity might occur within either or both the consumer organization and the provider organization.
- Business failure of the provider. Such failures could render data and applications essential to the consumer's business unavailable.
- Service unavailability. This could be caused by a host of factors, from equipment or software failures in the provider's data center, through failures of the communications between the consumer systems and the provider services.
- Insecure or incomplete data deletion. Requests to delete cloud resources, for example, when a consumer terminates service with a provider, may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a consumer perspective), either because extra copies of data are stored but are not available, or because the disk to be deleted also stores data from other clients. In the case of multi-tenancy and the reuse of hardware resources, this represents a higher risk to the consumer than is the case with dedicated hardware.
While the above security risks need to be addressed, use of cloud computing provides opportunities for innovation in provisioning security services that hold the prospect of improving the overall security of many organizations. Cloud service providers should be able to offer advanced facilities for supporting security and privacy due to their economies of scale and automation capabilities, potentially a boon to all consumer organizations, especially those who have limited numbers of personnel with advanced security skills.
Cloud Security Guidance
As consumers transition their applications and data to use cloud computing, it is critically important that the level of security provided in the cloud environment be equal to or better than the security provided by their traditional IT environment. Failure to ensure appropriate security protection could ultimately result in higher costs and potential loss of business, thus eliminating any of the potential benefits of cloud computing.
This section provides a prescriptive series of steps that should be taken by cloud consumers to evaluate and manage the security of their cloud environment with the goal of mitigating risk and delivering an appropriate level of support. The following steps are discussed in detail:
1. Ensure effective governance, risk and compliance processes exist
2. Audit operational and business processes
3. Manage people, roles and identities
4. Ensure proper protection of data and information
5. Enforce privacy policies
6. Assess the security provisions for cloud applications
7. Ensure cloud networks and connections are secure
8. Evaluate security controls on physical infrastructure and facilities
9. Manage security terms in the cloud SLA
10. Understand the security requirements of the exit process
Requirements and best practices are highlighted for each step. In addition, each step takes into account the realities of today's cloud computing landscape and postulates how this space is likely to evolve in the future, including the important role that standards will play to improve interoperability and comparability across providers.
Step 1: Ensure effective governance, risk and compliance processes exist
Most organizations have established security and compliance policies and procedures that are used to protect their intellectual property and corporate assets, especially in the IT space. These policies and procedures are developed based upon risk analyses to the organization considering the impact of having these assets compromised. A framework of controls and further procedures are established to mitigate risk and serve as a benchmark for the execution and validation of compliance. These principles and policies, the enterprise security plan, and the surrounding quality improvement process represent the enterprise security governance, risk management, and compliance model.
Security controls in cloud computing are similar to those in traditional IT environments. However, because of the cloud service and operational models employed, with the implied organizational division of responsibilities and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions. As part of the transition to cloud computing, it is critical that consumers understand their level of risk tolerance and focus on mitigating the risks that the organization cannot afford to neglect.
The primary means a consumer of cloud service has to ensure their cloud-hosted applications and data will be secured in accordance with its security and compliance policies is to verify that the contract between the consumer and the provider, along with an associated service level agreement (SLA), contain all their requirements. It is vital for a consumer to understand all the terms related to security and to ensure that those terms meet the needs of the consumer. If a suitable contract and SLA is not available, then it is inadvisable for an organization to proceed with the use of cloud services.
Often it is not understood that the type of service model being offered by the provider (i.e. IaaS, PaaS or SaaS) has significant impact on the assumed "split of responsibilities" between the consumer and the provider to manage security and associated risks. For IaaS, the provider is supplying (and responsible for securing) basic IT resources such as machines, disks and networks. The consumer is responsible for the operating system and the entire software stack necessary to run applications, plus the data placed into the cloud computing environment. As a result, most of the responsibility for securing the applications themselves and the data they use falls onto the consumer. In contrast, for SaaS, the infrastructure, software and data are primarily the responsibility of the provider, since the consumer has little control over any of these features of the service. These aspects need appropriate handling in the contract and SLA.
From a general governance perspective, cloud providers should notify consumers about the occurrence of any breach of their system, regardless of the parties or data directly impacted. The provider should include specific pertinent information in the notification, stop the data breach as quickly as possible, restore secure access to the service as soon as possible, apply best practice forensics in investigating the circumstances and causes of the breach, and make long-term infrastructure changes to correct the root causes of the breach to ensure that it does not recur. Due to the high financial and reputational costs resulting from a breach, consumers may want the provider to indemnify them if the breach was their fault.
A fundamental design premise in cloud computing is that, as a consumer, your data can be stored by, processed on and transmitted to any of the servers or devices the cloud service provider operates. In some instances, servers hosting consumer data may be located in multiple data centers within different jurisdictions, either because the service provider has multi-jurisdictional operations or has subcontracted services to providers that operate in other jurisdictions. This means that it may be difficult at any particular point in time to know where your data actually resides, which regulators have jurisdiction and what regulations apply. This matters since some regulations restrict the allowable locations for data.
The jurisdictional issue directly influences the protection of personally identifiable information (PII) and the law enforcement access to this data. [3] There is divergence across countries in the laws on investigation and enforcement, including access to encrypted data and investigation of extraterritorial offences. A court can only hear a matter if it has jurisdiction over the parties and the subject matter of the action, while law enforcement agencies can only exercise their powers within their authorized jurisdictions.
[3] The Business Software Alliance (BSA) Global Cloud Computing Scorecard provides an assessment of security and privacy policies that countries are implementing for cloud computing. Refer to http://portal.bsa.org/cloudscorecard2012/assets/PDFs/BSA_GlobalCloudScorecard.pdf for details.
Before migrating services to a cloud computing environment, it is important to understand precisely the specific laws or regulations that apply to the services and what are the relevant duties or obligations imposed (e.g. data retention, data protection, interoperability, medical file management, disclosure to authorities). This allows consumers to identify the legal issues and the related legal risks, and consequently the impact these will have on the services being migrated to cloud computing.
One useful approach to the security challenges of cloud computing is for a cloud provider to demonstrate that they are compliant with an established set of security controls. Certification of the provider gives more confidence in that provider to prospective consumers. There are a number of different certifications which can be useful for cloud computing services; which one is most appropriate depends to some extent on the cloud service model (IaaS, PaaS, SaaS) and also depends on your regional and industry requirements.
The most widely recognized international standard for information security compliance is ISO/IEC 27001 [4], which includes national variants and well-developed certification regimes. ISO is currently developing new standards, ISO/IEC 27017 [5] "Security in Cloud Computing" and ISO/IEC 27018 [6] "Privacy in Cloud Computing", which will specifically address cloud security and privacy considerations that build upon ISO/IEC 27001.
Some organizations provide frameworks and certifications for evaluating IT security which can be applied to cloud service providers, including the American Institute of Certified Public Accountants (AICPA) and Information Systems Audit and Control Association (ISACA), which provide the SSAE 16 [7] and COBIT 5 [8] frameworks respectively. Other organizations provide specialized frameworks for specific services or industries such as the Payment Card Industry (PCI) Data Security Standard (DSS). [9]
Groups such as the Cloud Security Alliance (CSA) provide guidance which includes a Cloud Controls Matrix (CCM), a provider self-assessment program, Consensus Assessment Initiative (CAI), Certificate of Cloud Security Knowledge (CCSK), and a registry to publish the self-evaluation results (STARS). [10]
[4] See http://www.iso.org/iso/catalogue_detail?csnumber=42103 for details.
[5] See http://www.iso27001security.com/html/27017.html for details.
[6] See http://www.iso27001security.com/html/27018.html for details.
[7] See http://ssae16.com/SSAE16_overview.html for details.
[8] See http://www.isaca.org/COBIT/Pages/default.aspx for details.
[9] See https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf for details.
[10] Refer to https://cloudsecurityalliance.org/ for details on the CSA programs.
Step 2: Audit operational & business processes
Companies understand the importance of auditing the compliance of IT systems, which host their applications and data, to assess effectiveness in enforcing their corporate, industry or government requirements and policies.
As a baseline, consumers should expect to see a report of the cloud provider's operations by independent auditors. Unfettered access to essential audit information is a key consideration of contracts and SLA terms with any cloud provider. As part of any terms, cloud providers should offer timely access to and self-management of audit event, log and report information relevant to a consumer's specific data or applications.
Security compliance tends to be a significant element of any compliance framework. There are three significant areas where the consideration of security methods for cloud computing are of particular interest to cloud consumers and to auditors:
1. Understanding the internal control environment of a cloud provider, including risks, controls and other governance issues when that environment touches the provision of cloud services.
2. Access to the corporate audit trail, including workflow and authorization, when the audit trail spans cloud services.
3. Assurance of the facilities for management and control of cloud services made available to cloud consumers by cloud providers and how such facilities are secured.
Understanding the internal control environment of a cloud provider
Using the services of cloud providers creates the need for appropriate auditing of the activities of persons that may be employed by the cloud provider or consumer (along with any consumer customers and partners) to ensure that the security controls meet the requirements of the consumers. Consumers should expect to see audit information relating to any cloud provider they plan to use. There are alternative standards that can be used as the basis for auditing a service provider, such as the ISO 27000 series. These standards aim to provide the basis for assuring consumers about the nature of the controls environment in place at the cloud provider's organization.
Key controls that relate to cloud computing services include those which:
- ensure isolation of consumer applications and data in shared, multi-tenant environments
- provide protection of consumer assets from unauthorized access by the provider's staff
Auditors may be employed by the consumer or they may be employed by the provider, but the key element is that they should be independent. Auditors require access to information about the policies and procedures of a cloud provider which relate to security controls. Auditors also require access to logs and records which show whether the policies and procedures are being followed correctly and in some cases, the auditors may require specific testing to take place to demonstrate compliance with the prescribed policies and procedures.
Security and authentication technologies, allied to event logging, in the cloud computing environment can help auditors as they deal with issues related to workflow: were those who entered, approved, changed or otherwise touched data authorized to do so, on an individual, group or role-related basis? Was that authorization appropriate on a one-time, periodic or ongoing basis?
Access to the corporate audit trail
It is vital for cloud service consumers to have appropriate audit access to cloud provider events, logs and audit trails to prove enforcement of provider security controls. Auditors need to assure cloud consumers that all the necessary information is being logged and stored appropriately by cloud providers, including authentication, authorization and management information relating to the use of particular applications and data against all security and compliance policies established by the provider or consumer.
For complete insight into security controls, as they relate to the consumer's applications and data, mechanisms for the routine flow of audit information from the provider to the consumer are recommended. This flow may include secure logs and reports against an agreed-upon schedule. There should be more timely notification of any exceptional security alerts, events or incidents, and incident management processes should be documented and audited. Any audit data should have the necessary associated information to enable forensic analysis to understand how any particular incident occurred, what assets were compromised and what policies, procedures and technologies need to be changed to prevent recurrence, along with any additional security controls that need to be established. [11]
Ideally, there should be automated, standards-based, programmatic access to all of these audit facilities, to ensure timely availability of required data and to remove cost burdens associated with human processing of requests for information.
Assurance of the facilities for management and control of cloud services
In addition to controls which apply to cloud services themselves, there is also a need for providers to enable consumers to self-manage and more closely monitor the usage of their cloud-hosted applications and services. These facilities may include: service catalogs, subscription services, payment processes, the provision of streams of operational event data and logs, usage metering data, facilities for configuring services including adding and removing user identities and the configuration of authorizations.
These facilities are often more sensitive in security terms than the services and applications to which they apply, since the potential for abuse and damage may be higher. A security audit must extend to these facilities as well as to the main services of the provider.
[11] The emerging DMTF Cloud Audit Data Federation (CADF) Workgroup is planning to develop an audit event data model and a compatible interaction model that is able to describe interactions between IT resources suitable for cloud deployment models. Refer to dmtf.org/sites/default/files/CADFWG_Charter_05022011.pdf for details on the workgroup's charter.
Auditing is essential
The security audit of cloud service providers is an essential aspect of the security considerations for cloud consumers. Audits should be carried out by appropriately skilled staff, either belonging to the consumer or to an independent auditing organization. Security audits should be carried out on the basis of one of the established standards for security controls. Consumers need to check that the sets of controls in place meet their security requirements.
There is also a need to ensure proper integration of the cloud provider's reporting and logging facilities with the consumer's systems, so that appropriate operational and business data flows on a timely basis to enable consumers to manage their use of provider services.
Step 3: Manage people, roles and identities
Consumers must ensure that their cloud provider has processes and functionality that govern who has access to the consumer's data and applications. This ensures access to their cloud environments is controlled and managed.
Organizations manage dozens to thousands of employees and users who access their cloud applications and services, each with varying roles and entitlements. Cloud providers must allow the cloud consumer to assign and manage the roles and associated levels of authorization for each of their users in accordance with their security policies. These roles and authorization rights are applied on a per-resource, service or application basis. For example, a cloud consumer, in accordance with its security policies, may have an employee whose role permits them to generate a purchase request, but a different role and authorization rights are granted to another employee responsible for approving the request.
The cloud provider must have a secure system for provisioning and managing unique identities for their users and services. This Identity Management functionality must support simple resource accesses and robust consumer application and service workflows. A key requirement for moving a consumer application to the cloud is assessing the provider's ability to allow the consumer to assign their user identities into access groups and roles that reflect their operational and business security policies.
Any user access or interaction with the provider's management platform, regardless of role or entitlement, should be monitored and logged to provide auditing of all access to consumer data and applications.
Table 1 highlights the key features a cloud provider should support in order for a consumer to effectively manage people, roles and identities in the cloud:
Table 1. Cloud provider support for people, roles and identities
(Columns: Provider Supports | Consumer Considerations and Questions)

Provider Supports: Federated Identity Management (FIM), External Identity Providers (EIP)
Consumer Considerations and Questions: Enterprises that are cloud consumers, in many cases, already have an existing database of users, most likely stored in an enterprise directory, and they wish to leverage this user database without recreating user identities.
Question to cloud provider: Can I integrate my current user store (internal database or directory of users) without recreating all my users within your cloud environment?

Provider Supports: Identity Provisioning and Delegation
Consumer Considerations and Questions: Consumer organizations need to administer their own users; the cloud provider should support delegated administration.
Question to cloud provider: What provisioning tools do you provide for onboarding and offboarding users?
Question to cloud provider: Does your platform offer delegated administration for my organization to administer users?

Provider Supports: Single Sign-On (SSO), Single Sign-Off
Consumer Considerations and Questions: Consumer organizations may wish to federate identity across applications to provide single sign-on (SSO) along with single sign-off to assure user sessions get terminated properly. For example, an organization using separate SaaS applications for CRM and ERP would like single sign-on and sign-off across these applications (e.g. using standards such as SAML [12], WS-Federation [13] and OAuth [14]).
Question to cloud provider: Do you offer single sign-on for access across multiple applications you offer or trusted federated single sign-on across applications with other vendors?

Provider Supports: Identity and Access Audit
Consumer Considerations and Questions: Consumers need auditing and logging reports relating to service usage for their own assurance as well as compliance with regulations.
Question to cloud provider: What auditing logs, reports, alerts and notifications do you provide in order to monitor user access both for my needs and for the needs of my auditor?

Provider Supports: Robust Authentication
Consumer Considerations and Questions: For access to high-value assets hosted in the cloud, cloud consumers may require that their provider support strong, multi-factor, mutual and/or even biometric authentication.
Question to cloud provider: If required, does your platform support strong, multi-factor or mutual authentication?

Provider Supports: Role, Entitlement and Policy Management
Consumer Considerations and Questions: Cloud consumers need to be able to describe and enforce their security policies, user roles, groups and entitlements to their business and operational applications and assets, with due consideration for any industry, regional or corporate requirements.
Question to cloud provider: Does your platform offer fine-grained access control so that my users can have different roles that do not create conflicts or violate compliance guidelines?

[12] Refer to https://www.oasisopen.org/committees/tc_home.php?wg_abbrev=security for details.
[13] Refer to https://www.oasisopen.org/committees/documents.php?wg_abbrev=wsfed for details.
[14] Refer to http://oauth.net/ for details.
Cloud providers should have formalized processes for managing their own employee access to any hardware or software used to store, transmit or execute consumer data and applications, which they should disclose and demonstrate to the consumer.
Step 4: Ensure proper protection of data and information

Data are at the core of IT security concerns for any organization, whatever the form of infrastructure that is used. Cloud computing does not change this, but cloud computing does bring an added focus because of the distributed nature of the cloud computing infrastructure and the shared responsibilities that it involves. Security considerations apply both to data at rest (held on some form of storage system) and also to data in motion (being transferred over some form of communication link), both of which may need particular consideration when using cloud computing services.

Essentially, the questions relating to data for cloud computing are about various forms of risk: risk of theft or unauthorized disclosure of data, risk of tampering or unauthorized modification of data, risk of loss or of unavailability of data. It is also worth remembering that in the case of cloud computing, "data assets" may well include things such as application programs or machine images, which can have the same risk considerations as the contents of databases or data files.

The general approaches to the security of data are well described in specifications such as the ISO 27002 standard, and these control-oriented approaches apply to the use of cloud computing services, with some additional cloud-specific considerations as described in the ISO 27017 standard (currently under development). Security controls as described in ISO 27002 highlight the general features that need to be addressed, to which specific techniques and technologies can then be applied.

The type of cloud service is very likely to affect the key question of who is responsible for handling particular security controls. For IaaS, more responsibility is likely to be with the consumer (e.g. for encrypting data stored on a cloud storage device); for SaaS, more responsibility is likely to be with the provider, since both the stored data and the application code are not directly visible or controllable by the consumer.
Table 2 highlights the key steps consumers should take to ensure that data involved in cloud computing activities is properly secure.

Table 2. Controls for securing data in cloud computing

Control: Create a data asset catalog
Description:
A key aspect of data security is the creation of a data asset catalog, identifying all data assets, classifying those data assets in terms of criticality to the business (which can involve financial and legal considerations, including compliance requirements), specifying ownership and responsibility for the data and describing the location(s) and acceptable use of the assets. Relationships between data assets also need to be cataloged.
An associated aspect is the description of responsible parties and roles, which in the case of cloud computing must span the cloud service consumer organization and the cloud service provider organization.

Control: Consider all forms of data
Description:
Organizations are increasing the amount of unstructured data held on IT systems, which can include items such as images of scanned documents and pictures of various kinds. Unstructured data can be sensitive and require specific treatment, for example redaction or masking of personal information such as signatures, addresses and license plates.
For structured data, in a multi-tenancy cloud environment, data held in databases needs consideration. Database segmentation can be offered in a couple of varieties: shared or isolated data schema.
  o In a shared data schema, each customer's data is intermixed within the same database. This means that customer A's data may reside in row 1 while customer B's data resides in row 2.
  o In an isolated architecture, the consumer's data is segregated into its own database instance. While this may provide additional isolation, it also impacts the provider's economies of scale and could, potentially, increase the cost to the consumer.
  o In either scenario, database encryption should be employed to protect all data at rest.

Control: Consider privacy requirements
Description:
Data privacy often involves laws and regulations relating to the acquisition, storage and use of personally identifiable information (PII). Typically, privacy implies limitations on the use and accessibility of PII, with associated requirements to tag the data appropriately, store it securely and to permit access only by appropriately authorized users.
This requires appropriate controls to be in place, particularly when the data is stored within a cloud provider's infrastructure. The ISO 27018 standard (in preparation) addresses the controls required for PII. These controls may restrict the geographical location in which the data is stored, for example, which runs counter to one aspect of cloud computing, which is that cloud computing resources can be distributed in multiple locations.

Control: Apply confidentiality, integrity and availability
Description:
The key security principles of confidentiality, integrity and availability are applied to the handling of the data, through the application of a set of policies and procedures, which should reflect the classification of the data.
Sensitive data should be encrypted, both when it is stored on some medium and also when the data is in transit across a network, for example, between storage and processing, or between the provider's system and a consumer user's system.
  o An extra consideration when using cloud computing concerns the handling of encryption keys: where are the keys stored and how are they made available to application code that needs to decrypt the data for processing? It is not advisable to store the keys alongside the encrypted data, for example.
Integrity of data can be validated using techniques such as message digests or secure hash algorithms, allied to data duplication, redundancy and backups.
Availability can be addressed through backups and/or redundant storage and resilient systems, and techniques related to the handling of denial of service attacks. There is also a need for a failover strategy, either by using a service provider who offers this as part of their service offering, or, if the provider does not offer resiliency as a feature of their services, the consumer may consider self-provision of failover by having equivalent services on standby with another provider.

Control: Apply identity and access management
Description:
Identity and access management is a vital aspect of securing data (refer to Step 3: Manage people, roles and identities on page 13), with appropriate authorization being required before any user is permitted to access sensitive data in any way.
Related to this is the requirement for logging and security event management (e.g. the reporting of any security breaches) relating to the activities taking place in the cloud service provider environment.
Following from this is the need for a clear set of procedures relating to data forensics in the event of a security incident. Note that the logs and reporting mechanisms are also in need of appropriate security treatment, to prevent a wrongdoer from being able to cover their tracks.

Most of the security techniques and technologies involved are not new, although cloud computing can create new considerations. For example, if encryption is used on some data, how are the encryption keys managed and used? In addition, the way in which security is applied will most likely depend on the nature of the cloud service being offered. For IaaS, much of the security responsibility is likely to lie with the consumer. For SaaS, much more responsibility is likely to be placed onto the provider, especially since the data storage facilities may be opaque as far as the consumer is concerned.
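The two Step 4 points above, keeping encryption keys away from the encrypted data and validating integrity with a digest before use, as an added Python illustration that is not code from the CSCC paper. The KeyStore class, record layout and HMAC-SHA256 counter-mode keystream are assumptions made so the script runs with the standard library alone; a real deployment would use an authenticated cipher and a key management service.

```python
"""Added illustration of Step 4's data controls (not code from the CSCC paper):
each record is encrypted with its own data key, that data key is wrapped by a
key-encryption key (KEK) that lives only in a separate key store, and a keyed
digest is verified before anything is decrypted.

Assumptions: the cipher is an HMAC-SHA256 counter-mode keystream so the script
runs with the standard library alone; production systems should use an
authenticated cipher (e.g. AES-GCM) and a real key management service.
"""
import hashlib
import hmac
import secrets
import struct

KEY_LEN = 32    # bytes; data keys and the KEK are 256-bit
NONCE_LEN = 16
TAG_LEN = 32    # HMAC-SHA256 output


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a keystream that does not repeat for a
    fresh nonce. Illustrative only; it is not a vetted cipher construction."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag.
    Separate encryption and MAC keys are derived from `key`."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; any modified byte
    of the nonce, ciphertext or tag is rejected rather than decrypted."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


class KeyStore:
    """Stands in for a key management service that sits outside the cloud
    storage holding the records. It wraps and unwraps data keys but never
    releases the KEK itself."""

    def __init__(self, kek: bytes):
        self._kek = kek

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return open_sealed(self._kek, wrapped)


def encrypt_record(keystore: KeyStore, plaintext: bytes) -> dict:
    """Fresh data key per record; the stored record carries only the wrapped key."""
    dek = secrets.token_bytes(KEY_LEN)
    return {"data": seal(dek, plaintext), "wrapped_dek": keystore.wrap(dek)}


def decrypt_record(keystore: KeyStore, record: dict) -> bytes:
    """Fails unless the caller can reach the key store and the record is intact."""
    dek = keystore.unwrap(record["wrapped_dek"])
    return open_sealed(dek, record["data"])


def tamper_detected(keystore: KeyStore, record: dict) -> bool:
    """Flip one bit of the stored ciphertext and confirm decryption refuses it."""
    corrupted = bytearray(record["data"])
    corrupted[NONCE_LEN] ^= 0x01
    try:
        decrypt_record(keystore, {"data": bytes(corrupted),
                                  "wrapped_dek": record["wrapped_dek"]})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    store = KeyStore(secrets.token_bytes(KEY_LEN))      # held by the consumer / KMS
    rec = encrypt_record(store, b"customer A, row 1")    # what the cloud storage holds
    print(decrypt_record(store, rec))
    print("tampering detected:", tamper_detected(store, rec))
```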
Step 5: Enforce privacy policies

Privacy is gaining in importance across the globe, often involving laws and regulations relating to the acquisition, storage and use of personally identifiable information (PII). Typically, privacy implies limitations on the use and accessibility of PII, with associated requirements to tag the data appropriately, store it securely and to permit access only by appropriately authorized users. This requires appropriate controls to be in place, particularly when the data is stored within a cloud provider's infrastructure. The ISO 27018 standard (in preparation) addresses the controls required for PII.

In many countries, numerous laws, regulations and other mandates require public and private organizations to protect the privacy of personal data and the security of information and computer systems. Appendix A on page 31 provides an overview of the worldwide privacy regulations that currently exist.

When data is transferred to a cloud computing environment, the responsibility for protecting and securing the data typically remains with the consumer (the data controller in EU terminology [15]), even if in some circumstances this responsibility may be shared with others. When an organization relies on a third party to host or process its data, the data controller remains liable for any loss, damage, or misuse of the data. It is prudent, and may be legally required, that the data controller and the cloud provider enter into a written (legal) agreement that clearly defines the roles and expectations of the parties, and allocates between them the many responsibilities that are attached to the data at stake.

It is critical that privacy issues are adequately addressed in the cloud contract and service level agreement (SLA). If not, the cloud consumer should consider alternate means of achieving their goals, including seeking a different provider, or not putting sensitive data into the cloud computing environment. For example, if the consumer wishes to place HIPAA-covered information into a cloud computing environment, the consumer must find a cloud service provider that will sign a HIPAA business associate agreement or else not put that data into the cloud computing environment.

Enterprises are responsible for defining policies to address privacy concerns and raise awareness of data protection within their organization. They are also responsible for ensuring that their cloud providers adhere to the defined privacy policies. Consumers have an ongoing obligation to monitor their provider's compliance with those policies. This includes an audit program covering all aspects of the privacy policies, including methods of ensuring that corrective actions will take place.

[15] The European Union provides a Glossary of terms associated with Data Protection here: http://www.edps.europa.eu/EDPSWEB/edps/EDPS/Dataprotection/Glossary
Step 6: Assess the security provisions for cloud applications

Organizations need to proactively protect their business-critical applications from external and internal threats throughout their entire lifecycle, from design to implementation to production. Clearly defined security policies and processes are critical to ensure the application is enabling the business rather than introducing additional risk.

Application security poses specific challenges to the cloud provider and consumer. Organizations must apply the same diligence to application security as they do for physical and infrastructure security. If an application is compromised, it can present liability and perception issues to both the cloud provider and the consumer, especially if the ultimate end users of the application are customers of the consumer rather than employees.

In order to protect an application from various types of breaches, it is important to understand the application security policy considerations based on the different cloud deployment models. Table 3 highlights the impact of cloud deployment on application security. All of these considerations are in addition to those outlined in this whitepaper (facilities, network, data, etc).

Table 3. Deployment model impact on application security

Deployment Type: Infrastructure as a Service
Application Security Policy Considerations:
- The consumer has responsibility for deployment of the complete software stack (operating system, middleware and application) and for all aspects of security that relate to this stack.
- The application security policy should closely mimic the policy of applications hosted internally by the consumer.
- The consumer should focus on network, physical environment, auditing, authorization, and authentication considerations as outlined in this document.
- The consumer is typically responsible for patching of operating system, middleware and application.
- Appropriate data encryption standards should be applied.

Deployment Type: Platform as a Service
Application Security Policy Considerations:
- The consumer has responsibility for application deployment and for securing access to the application itself.
- The provider has responsibility for properly securing the infrastructure, operating system and middleware.
- The consumer should focus on audit, authorization, and authentication considerations as outlined in this document.
- Appropriate data encryption standards should be applied.
- In a PaaS model, the consumer may or may not have knowledge of the format and location of their data. It is important that they are knowledgeable of how their data may be accessed by individuals with administrative access.

Deployment Type: Software as a Service
Application Security Policy Considerations:
- Application tier security policy constraints are mostly the responsibility of the provider and are dependent upon terms in the contract and SLA. The consumer must ensure that these terms meet their confidentiality, integrity and availability requirements.
- It is important to understand the provider's patching schedule, controls of malware, and release cycle.
- Threshold policies help to identify unexpected spikes and reductions of user load on the application. Thresholds are based on resources, users and data requests.
- Typically, the consumer is only able to modify parameters of the application that have been exposed by the provider. These parameters are likely independent of application security configurations; however, the consumer should ensure that their configuration changes augment, not inhibit, the provider's security model.
- The consumer should have knowledge of how their data is protected against administrative access by the provider. In a SaaS model, the consumer will likely not be aware of the location and format of the data storage.
- The consumer must understand the data encryption standards which are applied to data at rest and in motion.

It should be noted that there is a cost to the consumer to ensure that these considerations are applied. The costs are typically built into technology, resources, interventions, and audits. However, these costs will, likely, pale in comparison to the potential liability damages and loss of reputation from an application security breach.

When developing and deploying applications in a cloud environment it is critical that consumers realize that they may be forfeiting some control and have to design their cloud applications with that consideration in mind. In addition, it is critical that consumers developing software use a structured methodology to engineer security into their cloud applications from the ground up.
Step 7: Ensure cloud networks and connections are secure

A cloud service provider must attempt to allow legitimate network traffic and drop malicious network traffic, just as any other Internet-connected organization does. However, unlike many other organizations, a cloud service provider will not necessarily know what network traffic its consumers plan to send and receive. Nevertheless, consumers should expect certain external network perimeter safety measures from their cloud providers.

To use the analogy of a hotel, we expect the hotel to provide some limited amount of perimeter security (not allowing anyone into the building without a key card during certain times of night, for example, or challenging obviously dangerous persons), even though we should not expect the hotel to deny access to every dangerous person.

With this in mind, it is recommended that consumers evaluate the external network controls of a cloud provider based on the areas highlighted in Table 4.

Table 4. External network requirements

Provider Responsibility: Traffic screening
Description/Guidance:
Certain traffic is almost never legitimate, for example, traffic to known malware ports. The provider should block this traffic on behalf of the consumers.
Traffic screening is generally performed by firewall devices or software. Some firewall considerations:
- Does the provider publish a standard perimeter block list that aligns with the terms of service for the offering? Consumers should request a copy of the block list; a reasonable block list can provide a consumer with both assurance of a thoughtful network protection plan as well as some functional guidelines on what is allowed. There may be some cause for concern if the block list is not in line with the terms of service.
- Does the provider's firewall block all IPv6 access, or protect against both IPv4 and IPv6 attacks? More and more devices are IPv6 capable, and some providers forget to limit IPv6 access, which can allow an attacker an easy way around the IPv4 firewall.
- Is the traffic screening able to withstand and adapt to attacks such as Distributed Denial of Service attacks? DDoS attacks are more and more commonly used for extortion purposes by organized crime, and the ability of a cloud service provider and its Internet service provider to assist in blocking the unwanted traffic can be crucial to withstanding an attack.

Provider Responsibility: Intrusion detection/prevention
Description/Guidance:
Some traffic may look legitimate, but deeper inspection indicates that it is carrying a malicious payload such as spam, viruses, or known attacks. The provider should block or at least notify consumers about this traffic.
Intrusion detection and/or prevention systems (IDS/IPS) may be software or devices. Whereas a firewall usually only makes decisions based on source/destination, ports, and existing connections, an IDS/IPS looks at both overall traffic patterns as well as the actual contents of the messages. Many firewalls now include IDS/IPS capabilities.
Although technically not IDS/IPS devices, application-level proxies (such as e-mail gateways/relays) will often perform similar functions for certain types of network traffic and are considered here as well.
An IDS will typically only flag potential problems for human review; an IPS will take action to block the offending traffic automatically. Some IDS/IPS considerations:
  o IDS/IPS content matching can detect or block known malware attacks, virus signatures, and spam signatures, but is also subject to false positives. Does the cloud provider have a documented exception process for allowing legitimate traffic that has content similar to malware attacks or spam?
  o Similarly, IDS/IPS traffic pattern analysis can often detect or block attacks such as a denial of service attack or a network scan. However, in some cases this is perfectly legitimate traffic (such as using cloud infrastructure for load testing or security testing). Does the cloud provider have a documented exception process for allowing legitimate traffic that the IDS/IPS flags as an attack pattern?

Provider Responsibility: Logging and notification
Description/Guidance:
For assurance purposes and troubleshooting, it's important that consumers have some visibility into the network health.
Incident reporting and incident handling procedures must be clear and the consumer should look for visibility into the handling process. Note that if any PII is stored in the cloud computing environment, there may be legal requirements associated with any incident.
Some network logging information is of a sensitive nature and may reveal information about other clients, so a cloud provider may not allow direct access to this information. However, it is recommended that consumers ask certain questions about logging and notification policies:
  o What is the network logging and retention policy? In the event of a successful attack, the consumer may want to perform forensic analysis, and the network logs can be very helpful.
  o What are the notification policies? As a cloud consumer, you should be notified in a timely manner if your machines are attacked or compromised and are attacking someone else.
  o Are historical statistics available on the number of attacks detected and blocked? These statistics can help a consumer understand how effective the provider's detection and blocking capabilities actually are.
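The traffic screening checks in Table 4 (a block list that matches the terms of service and is enforced for IPv6 as well as IPv4) as an added Python illustration, not code from the CSCC paper. The flow-log format, the block list, the terms-of-service port list and the sample log lines are all constructed for the example.

```python
"""Added illustration of the Table 4 traffic screening checks (not code from
the CSCC paper): take a provider's published perimeter block list, confirm it
is enforced for both IPv4 and IPv6, compare it with the ports the terms of
service say are prohibited, and look for accepted flows that contradict it.

The flow-log format, the block list and the sample lines are constructed; the
addresses come from the RFC 5737 / RFC 3849 documentation ranges.
"""
import ipaddress
import re

FLOW_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


class BlockList:
    """A provider's perimeter block list: destination networks and ports that
    are dropped, plus the address families the firewall actually applies it to."""

    def __init__(self, networks, ports, families):
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.ports = set(ports)
        self.families = set(families)

    def covers_both_families(self) -> bool:
        """A list applied only to IPv4 leaves the IPv6 path open."""
        return self.families == {4, 6}

    def matches(self, flow) -> bool:
        """Would this flow be dropped if the list were applied to every family?"""
        dst = flow["dst"]
        if flow["dport"] in self.ports:
            return True
        return any(dst in net for net in self.networks if net.version == dst.version)

    def enforced(self, flow) -> bool:
        """Is the list actually applied to this flow's address family?"""
        return flow["dst"].version in self.families and self.matches(flow)


def parse_flow(line: str):
    """Parse one constructed flow-log line; returns None for lines that do not match."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def missing_from_terms(policy: BlockList, tos_ports) -> set:
    """Ports the terms of service prohibit but the block list does not drop."""
    return set(tos_ports) - policy.ports


def audit_flows(policy: BlockList, lines):
    """Accepted flows that the block list says should have been dropped, each
    with the reason: either the list is not applied to that address family, or
    the firewall accepted traffic that matches an enforced rule."""
    gaps = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["action"] != "accept" or not policy.matches(flow):
            continue
        if policy.enforced(flow):
            reason = "accepted despite matching an enforced rule"
        else:
            reason = "block list not applied to IPv%d" % flow["dst"].version
        gaps.append((reason, line))
    return gaps


# Constructed sample log: one IPv6 flow to a port the list blocks for IPv4 only,
# and one IPv4 flow to a blocked network that was nevertheless accepted.
SAMPLE_LOG = [
    "2012-08-14T09:00:01Z src=203.0.113.10 dst=198.51.100.20 dport=443 action=accept",
    "2012-08-14T09:00:02Z src=203.0.113.10 dst=198.51.100.20 dport=445 action=drop",
    "2012-08-14T09:00:03Z src=2001:db8:1::10 dst=2001:db8:2::20 dport=445 action=accept",
    "2012-08-14T09:00:04Z src=203.0.113.10 dst=192.0.2.7 dport=80 action=accept",
    "2012-08-14T09:00:05Z malformed line",
]
TOS_PROHIBITED_PORTS = {135, 445, 1433}   # constructed terms-of-service list
V4_ONLY = BlockList(["192.0.2.0/24", "2001:db8:bad::/48"], [135, 445], [4])
BOTH = BlockList(["192.0.2.0/24", "2001:db8:bad::/48"], [135, 445], [4, 6])

if __name__ == "__main__":
    print("covers IPv6:", V4_ONLY.covers_both_families())
    print("prohibited by ToS but not in block list:",
          missing_from_terms(V4_ONLY, TOS_PROHIBITED_PORTS))
    for reason, line in audit_flows(V4_ONLY, SAMPLE_LOG):
        print(reason, "->", line)
```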
Cloud computing includes a number of resources that are not shared in a traditional data center. One of these resources is the cloud provider's internal network infrastructure, such as the access switches and routers used to connect cloud virtual machines to the provider's backbone network.

Internal network security differs from external network security in that we postulate that any attackers have already made it through the external defenses, either via an attack or, more commonly, because the attackers are legitimately authorized for a different part of the network. After a user is allowed access to a portion of the cloud service provider's network, the provider has a number of additional responsibilities with respect to internal network security.

The primary categories of internal network attacks that consumers should be concerned with include:
1. Confidentiality breaches (disclosure of confidential data)
2. Integrity breaches (unauthorized modification of data)
3. Availability breaches (denial of service, either intentional or unintentional)

Consumers must evaluate the cloud service provider's internal network controls with respect to their requirements and any existing security policies the consumer may have. Each consumer's requirements will be different, but it is recommended that consumers evaluate the internal network controls of a service provider based on the areas highlighted in Table 5.

Table 5. Internal network requirements

Provider Responsibility: Protect clients from one another
Description/Guidance:
Cloud providers are responsible for separating their clients in multi-tenant situations. Most cloud service providers will use one or more of the following technologies for this purpose:
1. Dedicated virtual LANs, or VLANs, are a technology that makes a collection of ports on a physical Ethernet switch appear to be a separate switch. In theory, network traffic on one VLAN cannot be seen on a different VLAN any more than network traffic on one physical Ethernet switch can be seen on a different, non-connected Ethernet switch.
   VLAN separation technology is often a primary control for cloud providers and is generally very effective. However, there are documented VLAN hopping attacks that allow unauthorized traffic between VLANs, such as double tagging and switch spoofing.
   Many cloud providers offer dedicated VLANs for consumers that no other consumers should be able to access. It is recommended that consumers verify that the provider's VLAN controls address the known VLAN hopping attacks.
2. Virtual Private Networks (VPNs, and also sometimes referred to simply as tunnels) can be used to connect a consumer's dedicated cloud VLAN back to the consumer's network; this configuration is commonly known as a site-to-site VPN. VPNs can also be used to allow roaming users anywhere on the Internet to securely access the consumer's VLAN; this configuration is commonly called client-to-site.
   In both cases, there are multiple technologies (such as SSL and IPSec) with different security implementations (such as certificate/credential-based or endpoint authentication). It is recommended that consumers decide whether VPNs are required, and if so ensure that the cloud provider supports the required operating mode (client-to-site or site-to-site) and security implementation.
3. Per-instance software firewalls are one of the last lines of defense and allow consumers to regulate what traffic comes into their instances by configuring the software firewall on the instance itself. If using a cloud provider's images, consumers should ensure that the images contain proper software firewall capabilities and that the rules are simple to deploy and modify. Per-instance software firewalls are particularly important when sharing a VLAN with other consumers.
4. Private VLAN (PVLAN) is a term that has two meanings. One meaning is a VLAN that is dedicated to a particular consumer, which is defined simply as Dedicated VLAN above. The second, more technical use of the term is a VLAN that prohibits all traffic between hosts on the private VLAN by default. With Private VLAN technology, consumer A and consumer B could be on the same VLAN, but still be unable to communicate with one another; they may only be allowed to talk to the router that allows internet access.
   Private VLAN technology is effective as long as the router, which is permitted to talk to all stations on the network, is not configured to relay traffic originating in the VLAN back into the VLAN, thereby bypassing the switch's controls. Private VLAN technology provides good isolation but can lead to functional problems, as cloud instances often need to talk to other cloud instances in addition to systems out on the Internet. For this reason, per-instance firewalls are more commonly used for instance separation on the same VLAN.
   If PVLAN technology is needed, it is recommended that the consumer test to ensure that the router is properly configured and that traffic between cloud instances on the same VLAN is blocked.
5. Hypervisor-based filters, such as ebtables on Linux, are functionally similar to private VLANs in that they can prohibit or allow communications at the virtual switch level. However, these can also be used to prevent attacks such as IP and MAC address spoofing. If dedicated VLANs are not used, it is recommended that the consumer ask what protections are in place to prevent another consumer's instance from masquerading as one of your instances.

Provider Responsibility: Protect the provider's network
Description/Guidance:
Separate the provider's network from all clients. If the provider's network is breached, it could lead to almost undetectable data loss.
The client separation strategies above are worthless if the provider's control network is not properly protected. An attacker who gains access to the provider's control network may be able to perform attacks on other consumers from the control network.
Consumers should ask what security controls are in place for the cloud infrastructure itself. While many cloud providers will not give out in-depth details of their security measures due to valid security concerns, there should be a stated security policy and some assurance (e.g. via audit and certification) that it is followed.

Provider Responsibility: Monitor for intrusion attempts
Description/Guidance:
Activity auditing and logging are an important part of preventive security measures as well as incident response and forensics. Audit information and logs should be subject to appropriate security controls to prevent unauthorized access, destruction or tampering.
Cloud consumers should ask what types of internal network security incidents have been reported and if there are any published statistics or metrics.
Consumers should also ask for the provider's processes for alerting consumers about both successful and unsuccessful internal network attacks.
Step 8: Evaluate security controls on physical infrastructure and facilities

An important consideration for security of any IT system concerns the security of physical infrastructure and facilities. In the case of cloud computing, these considerations apply, but it will often be the case that the infrastructure and facilities will be owned and controlled by the cloud service provider and it is the responsibility of the cloud consumer to get assurance from the provider that appropriate security controls are in place.

Assurance may be provided by means of audit and assessment reports, demonstrating compliance to such security standards as ISO 27002.

A brief description of the security controls that should apply to the physical infrastructure and facilities of a cloud provider includes:
- Physical infrastructure and facilities should be held in secure areas. A physical security perimeter should be in place to prevent unauthorized access, allied to physical entry controls to ensure that only authorized personnel have access to areas containing sensitive infrastructure. Appropriate physical security should be in place for all offices, rooms and facilities which contain physical infrastructure relevant to the provision of cloud services.
- Protection against external and environmental threats. Protection should be provided against things like fire, floods, earthquakes, civil unrest or other potential threats which could disrupt cloud services.
- Control of personnel working in secure areas. Such controls should be applied to prevent malicious actions.
- Equipment security controls. These should be in place to prevent loss, theft, damage or compromise of assets.
- Supporting utilities such as electricity supply, gas supply, and water supply should have controls in place. These are required to prevent disruption either by failure of service or by malfunction (e.g. water leakage). This may require multiple routes and multiple utility suppliers.
- Control security of cabling. In particular power cabling and telecommunications cabling, to prevent accidental or malicious damage.
- Proper equipment maintenance. This should be performed to ensure that services are not disrupted through foreseeable equipment failures.
- Control of removal of assets. Required to avoid theft of valuable and sensitive assets.
- Secure disposal or reuse of equipment. Particularly any devices which might contain data, such as storage media.
- Human resources security. Appropriate controls need to be in place for the staff working at the facilities of a cloud provider, including any temporary or contract staff.
- Backup, redundancy and continuity plans. The provider should have appropriate backup of data, redundancy of equipment and continuity plans for handling equipment failure situations.

Effective physical security requires a centralized management system that allows for correlation of inputs from various sources, including property, employees, customers, the general public, and local and regional weather. For more detail on the controls and considerations that apply to each of these items, refer to the ISO 27002 standard.
Step 9: Manage security terms in the cloud SLA

Since cloud computing typically involves two organizations, the service consumer and the service provider, the security responsibilities of each party must be made clear. This is typically done by means of a service level agreement (SLA) which applies to the services provided, and the terms of the contract between the consumer and the provider. The SLA should specify security responsibilities and should include aspects such as the reporting of security breaches. SLAs for cloud computing are discussed in more detail in the CSCC document "Practical Guide to Cloud Service Level Agreements, Version 1.0".

One feature of an SLA relating to security is that any requirements that are placed on the cloud provider by the SLA must also pass on to any peer cloud service providers that the provider may use in order to supply any part of their service(s).

It should be explicitly documented in the cloud SLA that providers must notify consumers about the occurrence of any breach of their system, regardless of the parties or data directly impacted. The provider should include specific pertinent information in the notification, stop the data breach as quickly as possible, restore secure access to the service as soon as possible, apply best practice forensics in investigating the circumstances and causes of the breach, and make long-term infrastructure changes to correct the root causes of the breach to ensure that it does not recur. Due to the high financial and reputational costs resulting from a breach, consumers may want the provider to indemnify them if the breach was their fault.

Metrics and standards for measuring performance and effectiveness of information security management should be established prior to subscribing to cloud services and should be specified in the cloud SLA. At a minimum, organizations should understand and document their current metrics and how they will change when operations make use of cloud computing and where a provider may use different (potentially incompatible) metrics. Refer to the following resources for specific information on security metrics:
- ISO 27004:2009 [16]
- NIST Special Publication (SP) 800-55 Rev. 1, Performance Measurement Guide for Information Security [17]
- CIS Consensus Security Metrics v1.1.0 [18]

Measuring and reporting on a provider's compliance with respect to data protection is a tangible metric of the effectiveness of the overall enterprise security plan. A data compliance report should be required from the cloud provider and reflects the strength or weakness of controls, services, and mechanisms supported by the provider in all security domains.

The importance of role clarity is increased when discussing security implications. This is also complicated by the cloud computing technical architecture. Each cloud computing model requires distinct responsibilities for the provider and consumer.

In the IaaS model, the onus for securing and reporting upon the infrastructure falls on the provider, but all responsibility for the software stack from the operating system to the application is the responsibility of the consumer. [19] In the PaaS model, the provider is responsible for securing the infrastructure and platform, and the responsibility for the application lies with the consumer. Finally, in the SaaS model, the provider has total responsibility for security. Even in an instance where the provider bears all responsibility, the consumer should validate that the provider has instituted the appropriate measures to ensure a secure environment.

[16] See http://www.iso.org/iso/catalogue_detail.htm?csnumber=42106.
[17] See http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf.
[18] See http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.metrics.110.
[19] The cloud provider is responsible for logging and timely data retrieval and provision to the consumer in an incident response scenario.
Step 10: Understand the security requirements of the exit process

The exit process or termination of the use of a cloud service by a consumer requires careful consideration from a security perspective. The overall need for a well-defined and documented exit process is described in the CSCC document "Practical Guide to Cloud Service Level Agreements, Version 1.0".

From a security perspective, it is important that once the consumer has completed the termination process, "reversibility" or "the right to be forgotten" is achieved, i.e. none of the consumer's data should remain with the provider. The provider must ensure that any copies of the data are wiped clean from the provider's environment, wherever they may have been stored (i.e. including backup locations as well as online data stores). Note that other data held by the provider may need "cleansing" of information relating to the consumer (e.g. logs and audit trails), although some jurisdictions may require retention of records of this type for specified periods by law.

Clearly, there is the opposite problem during the exit process itself: the consumer must be able to ensure a smooth transition, without loss or breach of data. Thus the exit process must allow the consumer to retrieve their data in a suitably secure form, backups must be retained for agreed periods before being eliminated, and associated event logs and reporting data must also be retained until the exit process is complete.
Cloud Security Assessment

The critical questions that cloud consumers should ask themselves and their cloud providers during each step of the security assessment are highlighted in Table 6.

Table 6. Cloud Security Assessment

Security Step / Assessment Questions

1. Ensure effective governance, risk and compliance processes exist
   - Does the consumer have governance and compliance processes in place for the use of cloud services?
   - Does the provider have appropriate governance and notification processes for their services, as required by the consumer?
   - Is it clear what legal and regulatory controls apply to the provider's services?

2. Audit and ensure proper reporting of operational and business processes
   - Is audit information available for the provider services? Does the audit information conform to one of the accepted standards for security audit such as ISO 27001?
   - Does the provider have mechanisms in place to provide reporting for both normal or exception behavior relating to their services?
   - Is it clear that the provider's management interfaces (for use by consumers) have adequate security controls in place?
   - Is there an Incident Reporting and Incident Handling process that meets the needs of the consumer?

3. Manage people, roles and identities
   - Do the provider services offer fine-grained access control?
   - Is single sign-on possible with the provider's services?
   - Can the provider give reports for monitoring user access?
   - Is it possible to integrate consumer identity management with the identity management facilities of the provider?

4. Ensure proper protection of data and information
   - Is there a data asset catalog for all data which will be used or stored in the cloud environment?
   - Is there a description of responsible parties and roles?
   - Has the handling of all forms of data been considered, in particular unstructured data such as images?
   - For structured data held in databases within the cloud provider's environment, is there proper separation of data belonging to different consumers in a multi-tenant environment?
   - Has appropriate confidentiality, integrity and availability been applied to data used or stored in the cloud environment?

5. Enforce privacy policies
   - Is PII going to be stored/processed by the cloud services?
   - Do the provider's services have appropriate controls in place for handling PII?
   - Are responsibilities for handling PII stated in the SLA?
   - If there is a security breach, are responsibilities for reporting and resolving the breach clear, including priorities and timescales?

6. Assess the security provisions for cloud applications
   - Is it clear whether responsibility for applications running on cloud infrastructure lies with the consumer or with the provider?
   - Where the responsibility lies with the consumer, does the consumer have governance and policies in place that ensure the appropriate security provisions are applied to each application?
   - Where the responsibility lies with the provider, does the SLA make the provider's responsibilities clear and require specific security provisions to be applied to each application and all data?

7. Ensure cloud networks and connections are secure
   - Is network traffic screened?
   - Does the provider's network have intrusion detection & prevention in place?
   - Does the network provide the consumer with logging and notification?
   - Is there separation of network traffic in a shared multi-tenant provider environment?
   - Is consumer network access separated from provider network access?

8. Evaluate security controls on physical infrastructure and facilities
   - Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?
   - Does the service provider have facilities in place to ensure continuity of service in the face of environmental threats or equipment failures?
   - Does the cloud service provider have necessary security controls on their human resources?

9. Manage security terms in the cloud SLA
   - Does the cloud SLA specify security responsibilities of the provider and of the consumer?
   - Does the SLA require that all security terms must also pass down to any peer cloud service providers used by the provider?
   - Does the SLA have metrics for measuring performance and effectiveness of security management?
   - Does the SLA explicitly document procedures for notification and handling of security incidents?

10. Understand the security requirements of the exit process
   - Is there a documented exit process as part of the contract/SLA?
   - Is it clear that all consumer data is deleted from the provider's environment at the end of the exit process?
   - Is consumer data protected against loss or breach during the exit process?
Additional References

Cloud Standards Customer Council (2011). Practical Guide to Cloud Computing. http://www.cloudcouncil.org/10052011.htm
This guide provides a practical reference to help enterprise information technology (IT) and business decision makers adopt cloud computing to solve business challenges.

Mell, P., & Grance, T. (2011). The NIST Definition of Cloud Computing (Draft): Recommendations of the National Institute. Gaithersburg: National Institute of Standards and Technology. http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf
This white paper defines cloud computing, the five essential characteristics, three service models, and four deployment models.

Article 29 Data Protection Working Party. Opinion 05/2012 on Cloud Computing. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf
In this Opinion the Article 29 Working Party analyses all relevant issues for cloud computing service providers operating in the European Economic Area (EEA) and their clients, specifying all applicable principles from the EU Data Protection Directive (95/46/EC) and the e-Privacy Directive 2002/58/EC (as revised by 2009/136/EC) where relevant.

IBM (2011). Craft a Cloud Service Security Policy. http://www.ibm.com/developerworks/cloud/library/cl-cloudsecurepolicy/
In this article, the author explains how to craft a cloud security policy for managing users, protecting data, and securing virtual machines.

Catteddu, D. & Hogben, G. (November 2009). Cloud Computing: Benefits, risks and recommendations for information security. European Network and Information Security Agency. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
This white paper provides security guidance for potential and existing users of cloud computing.

Cloud Security Alliance (August 15, 2010). CSA GRC Stack including CCM v1.1. https://cloudsecurityalliance.org/research/initiatives/grc-stack/
This is an integrated suite of four CSA initiatives: CloudAudit, Cloud Controls Matrix, Consensus Assessments Initiative Questionnaire and the CloudTrust Protocol.

Cloud Security Alliance (2011). Security Guidance for Critical Areas of Focus in Cloud Computing Version 3.0. http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
This document provides an actionable, practical roadmap to managers wanting to adopt the cloud paradigm safely and securely.

Daskala, B. & Marinos, L. (March 2010). Emerging and Future Risks (EFR) Framework, Introductory Manual. European Network and Information Security Agency. http://www.enisa.europa.eu/act/rm/files/deliverables/efr-framework-handbook
This handbook provides the documentation of the EFR Framework, which consists of a scenario-based process model developed in order to assess and manage emerging and future risks.

Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media. http://www.amazon.com/Cloud-Security-Privacy-Enterprise-Perspective/dp/0596802765
Insight from knowledgeable experts, including a former Chief Security Strategist for RSA, on how to keep your virtual infrastructure and web applications secure.
Appendix A: Worldwide Privacy Regulations

Region: Asia Pacific region, Japan, Australia, New Zealand, and others
Regulation: These regions have adopted data protection laws that require the data controller to adopt reasonable technical, physical, and administrative measures in order to protect personal data from loss, misuse, or alteration, based on the Privacy and Security Guidelines of the Organization for Economic Cooperation and Development (OECD) [20], and the Asia Pacific Economic Cooperation's (APEC) Privacy Framework [21].

Region: Japan
Regulation: In Japan, the Personal Information Protection Act [22] requires the private sectors to protect personal information and data securely. In the healthcare industry, profession-specific laws, such as the Medical Practitioners' Law [23], the Law on Public Health Nurses, Midwives and Nurses [24], and the Dentist Law [25], require registered health professionals to protect the confidentiality of patient information.

[20] The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were adopted on 23 September 1980, see http://www.oecd.org/document/18/0,3746,en_2649_34255_1815186_1_1_1_1,00.html.
[21] In 2004, the APEC Privacy Framework was endorsed by APEC Ministers; for more details see http://www.worldlii.org/int/other/PrivLRes/2005/4.html.
[22] Act on the Protection of Personal Information (Act No. 57 of 2003), see http://www.cas.go.jp/jp/seisaku/hourei/data/APPI.pdf for details.
[23] Medical Practitioners' Law (Law No. 201 of July 30, 1948), http://jalii.law.nagoya-u.ac.jp/official_gazette/pdf/19480730f_eb.00000.010.010_0010.0010.0_a.127600.01217100.pdf
[24] Law on Public Health Nurses, Midwives and Nurses (Law No. 203 of July 30, 1948), http://jalii.law.nagoya-u.ac.jp/official_gazette/pdf/19480730f_eb.00000.010.010_0010.0010.0_a.127600.01217100.pdf
[25] Dentists Law (Law No. 202 of July 30, 1948), see http://jalii.law.nagoya-u.ac.jp/official_gazette/pdf/19480730f_eb.00000.010.010_0010.0010.0_a.127600.01217100.pdf for details.
Region: Europe, Africa, Middle East
Regulation: The European Economic Area (EEA) 30 Member States have enacted data protection laws that follow the principles set forth in the 1995 European Union (EU) Data Protection Directive and the 2002 ePrivacy Directive (as amended in 2009). These laws include a security component, and the obligation to provide adequate security must be passed down to subcontractors.
Other countries that have close ties with the EEA, such as Morocco and Tunisia in Africa, and Israel and Dubai in the Middle East, have also adopted similar laws that follow the same principles.

Region: Americas
Regulation: North, Central, and South American countries are also adopting data protection laws at a rapid pace. Each of these laws includes a security requirement that places on the data custodian the burden of ensuring the protection and security of personal data wherever the data are located, and especially when transferring to a third party.
In addition to the data protection laws of Canada [26] and Argentina [27], which have been in existence for several years, Colombia, Mexico, Uruguay, and Peru have recently passed data protection laws that are inspired mainly by the European model and may include references to the APEC Privacy Framework as well.

Region: United States
Regulation: There is no single privacy law in the United States. A range of government agency and industry sector laws impose privacy obligations in specific circumstances. There are numerous gaps and overlaps in coverage. Current industry sector privacy laws include:
o The Federal Trade Commission Act [28], which prohibits unfair or deceptive practices; this requirement has been applied to company privacy policies in several prominent cases.
o The Electronic Communications Privacy Act of 1986 [29], which protects consumers against interception of their electronic communication (with numerous exceptions).
o The Health Insurance Portability and Accountability Act (HIPAA) [30], which contains privacy rules applying to certain categories of health and medical research data.
o The Fair Credit Reporting Act [31], which includes privacy rules for credit reporting and consumer reports.
o The Gramm-Leach-Bliley Act (GLBA) [32], which governs the collection, disclosure, and protection of consumers' nonpublic personal information for financial institutions.
These laws hold organizations responsible for the acts of their subcontractors. For example, the security and privacy rules under GLBA or HIPAA require that organizations compel their subcontractors, in written contracts, to use reasonable security measures and comply with data privacy provisions.
Government agencies, such as the Federal Trade Commission (FTC) or the State Attorneys General, have consistently held organizations liable for the activities of their subcontractors.

Region: Worldwide
Regulation: The Payment Card Industry (PCI) Data Security Standards (DSS) [33], which apply to credit card data anywhere in the world, including data processed by subcontractors, have similar requirements.

[26] Personal Information Protection and Electronic Documents Act (PIPEDA), see http://laws-lois.justice.gc.ca/eng/acts/P-8.6/ for details.
[27] Law for the Protection of Personal Data (LPDP), Law No. 25.326, see http://www.protecciondedatos.com.ar/law25326.htm for details.
[28] See http://www.law.cornell.edu/uscode/text/15/chapter-2/subchapter-I for details.
[29] See http://frwebgate.access.gpo.gov/cgi-bin/usc.cgi?ACTION=RETRIEVE&FILE=$$xa$$busc18.wais&start=3919965&SIZE=21304&TYPE=TEXT for details.
[30] The final HIPAA regulation and modifications can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf.
[31] See http://www.ftc.gov/os/statutes/fcradoc.pdf for details.
[32] See http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/content-detail.html for details.
[33] PCI DSS provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. See https://www.pcisecuritystandards.org/security_standards/ for details.

Appendix B: Acronyms & Abbreviations

Abbreviation / Meaning
AICPA - American Institute of Certified Public Accountants
CSA - Cloud Security Alliance
CoBIT - Control Objectives for Information and Related Technologies. A framework created by ISACA to support governance of IT by defining and aligning business goals with IT goals and IT processes
CSCC - Cloud Standards Customer Council
ENISA - European Network and Information Security Agency
IaaS - Infrastructure as a Service
IEC - International Electrotechnical Commission
ISACA - Information Systems Audit and Control Association
ISO - International Standards Organization
PaaS - Platform as a Service
PCI - Payment Card Industry (Security Standards Council)
PII - Personally identifiable information
SaaS - Software as a Service
SLA - Service Level Agreement
SSAE - Statement on Standards for Attestation Engagements