Professional Documents
Culture Documents
Case # 10-3208
Information
Security in the
Clouds
Donald Faatz
Lawrence Pizette
August 2010
Executive Summary extended to support cloud-deployed applications.
The cloud provider may offer IdAM capabilities that
Deploying data and applications to a cloud comput- can interface to or federate with the organization’s
ing environment, whether private, community, or capabilities. In this case, the cloud provider capa-
public, changes an organization’s information tech- bilities may readily meet the needs of Government
nology (IT) security posture. Private cloud environ- organizations. However, if the cloud provider’s capa-
ments utilize new software layers, such as virtual- bilities are not adequate, organizational capabilities
ization technologies, within the IT infrastructure. will need to be replicated or extended into the cloud.
While community and public offerings may employ
similar technologies, the security implications of While there are risks with moving capabilities to an
community and public clouds are more complex. external cloud, there also are potential advantages.
Use of these offerings changes the risk profile Cloud providers may be able to better manage infra-
because some security responsibility is transferred structure security concerns such as system configura-
to the cloud provider, and the organization’s secu- tion and patch management. In addition, economies
rity perimeter is extended to include the provider’s of scale and homogeneity of infrastructure can give
computing resources and personnel. Given these providers advantages in terms of cost and timeliness.
changes, organizations need to understand the risks Despite the advantages that the cloud provider gains
and appropriate mitigations. through scale and homogeneity, Government IT
While vendors have many platform-specific security monitoring of community and public cloud-based
controls unique to their own offerings, encryption applications is complicated by the loss of direct
provides a client-controlled mechanism to protect control. Organizational security operations and
data moved outside the organization’s security incident response teams may not have the ability
perimeter to a public or community cloud. Because to deploy sensors on the cloud provider’s system or
encryption replaces physical protection, organiza- collect the data they currently use. Government IT
tions should verify that either the cloud provider’s teams will need to partner with cloud providers and
encryption capabilities meet their data protection adjust their detection and response procedures to
needs or additional encryption capabilities can be include this relationship.
provided. In addition, as encrypted data cannot Given the security changes that result from deploy-
be directly processed by most applications, legacy ing a cloud-based approach, Federal IT leadership
capabilities moved to the cloud may require changes should understand the risks and potential mitiga-
to enable the application to function properly. To tions. While private clouds incorporate new tech-
protect the data, Federal IT leaders should ensure nologies into the IT stack that needs to be secured,
they have out-of-cloud backups or backups provided community and public clouds introduce risks due
by multiple cloud vendors, ensuring no single point to the lack of control and visibility. With these
of failure with a given cloud provider [1]. deployment models, the key to secure use of cloud
For applications accessed from a community or computing is shared understanding of the division
public cloud, the organization’s Identity and Access of security responsibilities between provider and
Management (IdAM) capabilities will need to be Government client, and the ability to verify that
both are meeting their responsibilities.
Conclusions 9
References 10
THE BIG PICTURE: The key to secure use of cloud computing is shared understanding of the division
of security responsibilities between provider and Government client, and the ability to verify that both are
meeting their responsibilities.
2 Cloud Computing
• On-demand service allows Government IT and who has access to the keys. Keys used In IaaS
organizations the ability to provision resources as and PaaS service models should be unique to each
they need them without provider intervention. client and only accessible by client personnel. In all
• Broad network access provides access to cases, key management plans need to ensure keys
resources via standard network mechanisms. are adequately protected when used and include
• Resource pooling allows providers to use the provisions for key escrow to protect against data
same physical resources to provide service simul- loss due to loss of encryption keys. Additionally,
taneously to different clients. for Federal Government clients, encryption and
• Rapid elasticity allows clients to increase or digital signature capabilities need to use crypto-
decrease resources allocated to them possibly graphic algorithms approved by the NIST, and the
without human intervention. implementations need to be Federal Information
• Measured service monitors and controls the deliv- Processing Standard (FIPS) 140-2 validated.
ery of resources to consumers ensuring they “get
Control over encryption varies by service delivery
what they pay for” and “pay for what they get.”
model.
Broad network access and resource pooling are
• With SaaS, clients rely upon the cryptographic
of particular interest from a security perspective.
capabilities the provider has built into the application.
Both contribute to breaking down the enterprise
Clients need to verify that either an SaaS applica-
perimeter and increasing the exposure of data and
tion provides appropriate cryptographic capabili-
applications.
ties or confidentiality protection is not needed for
the data that the application will process.
• With PaaS, clients rely upon the cryptographic
Protecting Data in the Cloud capabilities available in the provider’s application
Use of Encryption and Keys—The fundamental hosting environment. While the PaaS hosting
purpose of information technology (IT) is to store environment may include software development
and process data. Much of this data has some need or scripting capabilities, most do not allow instal-
for confidentiality, integrity, and/or availability lation of third-party products such as encryption
protection. Often, aspects of this protection are software. Therefore, clients need to verify that the
provided by physical location of the resources stor- encryption capabilities of the hosting environ-
ing or processing the data. In traditional IT, those ment will meet the needs of their applications.
resources are in the organization’s computing center. • IaaS offers the most flexibility with respect to
encrypting data. Since the provider supplies a
When moved to a public or community cloud, virtual machine running an operating system,
protections previously provided by physical loca- the client can install and use third-party encryp-
tion of resources no longer apply. The data is stored tion software.
and processed on the cloud provider’s hardware at
the provider’s data center. Further, several differ- Even with encryption, data always will have a
ent tenants use storage and transmission resources window of vulnerability because currently it cannot
concurrently. In this environment, encryption and be processed while it is encrypted.1 Only data and
digital signature replace physical location as a means applications for which this exposure is acceptable
to protect data confidentiality and integrity. are candidates for cloud deployment. The degree
of exposure is dependent on the cloud deployment
Many cloud providers offer some form of encryption model and the relative sophistication of the cloud
for data stored or transmitted within their clouds. provider’s security controls. Assuming equivalent
For example, the Microsoft Windows Azure PaaS security capabilities, public clouds represent the
offering makes Cryptographic Service Providers greatest exposure and private clouds the least. The
available through the .NET Framework APIs [5]. It degree of exposure in a community cloud depends
is important to understand the exact type of pro- on the make-up of the community.
tection that is offered by the provider’s encryption
and how it is administered, before accepting it as 1
IBM research [7] has discovered a technique that might eventually allow
adequate. For example, the Government client orga- computation on encrypted data; however, the technique is not likely to be
nization needs to understand how keys are managed practical for many years [8].
4 Cloud Computing
Initially, the IdAM capabilities from many cloud Protecting Computer and Communications
providers were very basic–often requiring manual
setup using a Web-based interface. However, cloud
Infrastructure
providers’ capabilities are evolving and maturing Software Maintenance and Patching
rapidly. Some providers now offer the ability to fed- Vulnerabilities—Protecting software infrastructure
erate cloud-based IdAM with enterprise capabilities in the cloud is an essential activity for maintaining
using standards-based mechanisms such as Security an appropriate security posture. For cloud providers
Assertion Markup Language tokens. Other provid- and traditional IT alike, it involves activities such as
ers have developed “connectors” that link to client securely configuring operating systems and network
enterprise directories to provide IdAM services. If devices, ensuring software patches are up-to-date,
a provider does not offer federation or connector and tracking the discovery of new vulnerabilities.
capabilities, clients may need to extend portions of
The good news in terms of basic infrastructure secu-
their enterprise IdAM functionality into the cloud.
rity such as configuration and patching is that cloud
Care must be taken in making this extension, since
providers may do a better job than what most client
enterprise IdAM infrastructure data is sensitive. For
organizations currently accomplish. The European
example, an organization’s active directory environ-
Network and Information Security Agency (ENISA)
ment could be replicated to support cloud-based
observes, “… security measures are cheaper when
IdAM, but doing so would expose more information
implemented on a larger scale. Therefore, the same
than necessary. Identity, credential, and authoriza-
amount of investment in security buys better protec-
tion information also may be exposed during pro-
tion [10].” Large cloud providers will benefit from
visioning and use in public or community clouds. A
these economies of scale.
carefully controlled extension of enterprise IdAM
will need to be implemented to control and mini- Cloud providers have an additional benefit—their
mize this exposure. systems are likely to be homogeneous [11], which is
fundamental to delivering commodity resources on
Key Considerations—The key considerations
demand. Hence, the cloud provider can configure
identified in this section for protecting data in cloud
every server identically. Software updates can be
deployments are:
deployed rapidly across the provider’s infrastruc-
• Understanding provider security practices and ture. As a contrasting example, one large Federal
controls is essential for public and community agency has observed that each of its servers is
cloud offerings. unique. Every server has at least one deviation from
• Encryption and digital signatures are the primary defined configuration standards. This heterogeneity
confidentiality and integrity protection for data stored adds to the complexity of maintaining infrastruc-
or transmitted in a public or community cloud. ture security.
• Without appropriate protections, data may be
Homogeneity also has a potential down side.
vulnerable while being processed in a public or
Homogeneity ensures the entire infrastructure has
community cloud.
the same vulnerabilities. An attack that exploits an
• Deleted data may remain in persistent storage
infrastructure vulnerability will affect all systems
when the storage is released back to the cloud
in a homogeneous cloud. The characteristic that
vendor as a shared, multi-tenant resource.
makes routine maintenance easier may increase
• Existing internal applications may need analysis
the impact of a targeted attack. A potential area for
and enhancement to operate securely in a public
future research would be to employ an instance of a
or community cloud.
completely different technology stack for the express
• Data replication provided by a cloud provider is
purpose of validating the integrity of the initial
not a substitute for backing up to another inde-
homogeneous infrastructure.
pendent provider or out of the cloud.
• Privacy protection responsibilities should be Although it may be easier for cloud providers to
reviewed if considering moving PII to the cloud. maintain infrastructure security, Government
• Cloud IdAM capabilities vary widely. Integration clients should ensure that they understand the
of cloud and enterprise IdAM mechanisms may provider’s standards for configuring and maintain-
be challenging. ing the infrastructure used to deliver cloud services.
6 Cloud Computing
Monitoring and Defending Systems response capabilities offered by the cloud provider,
ensure appropriate security SLAs are in place, and
in the Cloud develop new response procedures that couple the
Monitoring and Defending Infrastructure—The cloud provider information with its own data. Given
challenge of monitoring and defending cloud- the difficulty of obtaining provider infrastruc-
based systems depends on the service model and ture information, a Government client’s incident
may increase due to shared control of the IT stack. response team may need to rethink how it detects
Monitoring and defending systems consists of some types of malicious activity. For example, an
detecting and responding to inappropriate or unau- incident response team that provides proactive
thorized use of information or computing resources. services such as vulnerability scanning may not be
Much like Microsoft Windows, which has been the allowed to perform these functions on systems and
dominant desktop operating system and target of applications deployed in the cloud. A cloud pro-
choice for malware, large public clouds and commu- vider’s terms of use may prohibit these activities, as
nity clouds also are high-value targets. Penetrating it would be difficult to distinguish legitimate client
the substrate of a public or community cloud can scanning actions from malicious activities. Standard
provide a foothold from which to attack the applica- incident response actions may not be possible in the
tions of all the organizations running on the cloud. cloud. For example, a Government client’s incident
response team that proactively deletes known mali-
Audit trails from network devices, operating
cious e-mail from users’ inboxes may not have this
systems, and applications are the first source of
ability in a cloud-based SaaS email system. Given
information used to monitor systems and detect
these challenges, it is essential that the appropriate
malicious activity. Some or all of these sources may
contractual relationship with SLAs be established.
not be available to a cloud client. With SaaS, all
audit trails are collected by the cloud provider. With If the organization is creating a private cloud, there
PaaS, application audit trails may be captured by are new challenges that are different from many of
the client, but operating system and network audit the community and public cloud issues. The vir-
trails are captured by the provider. With IaaS, the tualization layer presents a new attack vector, and
Government organization may capture audit trails many components (e.g., switches, firewalls, intru-
from the virtual network, virtual operating systems, sion detection devices) within the IT infrastructure
and applications. The provider collects the audit may become virtualized. The organization’s security
trails for the physical network and the virtualization operations staff must learn how to safely deploy and
layer. Correlation of events across provider-hosted administer the virtualization software, and how to
virtual machines may be difficult, and the ability configure, monitor, and correlate the data from the
to place intrusion detection sensors in the virtual new virtual devices.
machines may be similarly constrained.
While cloud computing may make some aspects
To date, most cloud providers have focused on of incident detection and responses more complex,
monitoring and defending the physical resources it has the potential for simplifying some aspects
that they control. Unlike their clients, cloud provid- of forensics. When a physical computer is com-
ers have the technical ability to collect audit trail promised, a forensic analyst’s first task is to copy
information and place intrusion detection sensors the state of the computer quickly and accurately.
in the infrastructure where their clients cannot. Capturing and storing state quickly is a fundamen-
Although they can do this, cloud providers may not tal capability of many IaaS clouds. Instead of need-
be willing or able to share that data. In clouds that ing special-purpose hardware and tools to capture
host multiple tenants, the provider would need to the contents of system memory and copy disks, the
protect the privacy of all its customers, which com- forensic analyst uses the inherent capabilities of the
plicates the ability to share information. As noted by virtualization layer in the IaaS cloud. Leveraging
Buck and Hanf, service-level agreements (SLAs) that this capability will require the incident response
specify the exact types of information that will be team to develop procedures for capturing and using
shared are essential. this state information and, in the case of community
and public clouds, develop and maintain a working
Incident Response Team—The Government cli- relationship with the cloud provider.
ent’s incident response team will need to learn the
8 Cloud Computing
hypothesis is that the peak resource demands of Conclusions
different clients will not occur simultaneously. For
a public cloud provider with thousands of clients Public and community models of cloud computing
worldwide, this hypothesis is likely true. However, cede direct control of computing resources to cloud
when constructing community and private clouds, service providers and extend the enterprise perim-
it will be necessary to consider the validity of this eter to include the providers’ resources. Therefore,
assumption. A community cloud built and oper- it is essential to have a clear understanding of a pro-
ated for the Federal Government or Department vider’s security obligations when moving capabilities
of Defense could be subject to simultaneous peak to the cloud. These obligations, along with report-
usage by all clients, should a significant national ing and SLAs, should be codified in a contractually
emergency occur. Clients of community and private binding arrangement. The key to secure use of cloud
clouds with highly focused availability concerns computing is a clear, shared understanding of the
must consider and plan for this possibility. division of security responsibilities between the pro-
vider and client, and the ability to verify that both
FedRAMP—To reduce the challenges of cloud are meeting their responsibilities.
computing certification and accreditation(C&A),
the Federal Risk and Authorization Management Multiple options for cloud usage are emerging in
Program (FedRAMP) was recently created. While the marketplace with a variety of shared control and
FedRAMP is currently under development (as security characteristics. For systems that are low risk
of July 2010), its objective is to allow agencies “to and provide information for public consumption,
save significant time and money by leveraging the a public cloud may be a viable option because the
FedRAMP authorizations [18].” The ability to lever- cloud platform can meet system requirements and
age capabilities such as FedRAMP to ease adoption provide adequate security. In these cases, the scale
of cloud computing offerings is an emerging area in and homogeneity of resources of the public cloud
cloud computing that holds significant promise [19]. also may improve infrastructure security posture
over its current instantiation. A community cloud
Key Considerations—The key additional consid- may be an option for capabilities that cannot reside
erations identified in this section for cloud deploy- in a public cloud. The community cloud can provide
ments are: some of the system and financial characteristics of
• On-demand, pay-as-you-go, public clouds a public cloud, while providing enhanced security
resources are attractive, useful tools for malicious characteristics. Finally, for systems used for national
entities. security, a public or community cloud may not be
• Preserving the security posture of cloud- a viable option, due to the loss of control and the
deployed applications will require constant atten- extended enterprise security perimeter. For these
tion to the rapid change in cloud offerings that applications, a private cloud may be an effective
may introduce risks. alternative to harness some of the benefits of cloud
• Government clients of public and community computing, while minimizing the risks and changes
clouds with high availability requirements must to security posture.
consider and plan for the possibility that a national
emergency could cause peak usage of resources.
10 Cloud Computing
MITRE
www.mitre.org
©2010 The MITRE Corporation
All Rights Reserved
Distribution Unlimited
Case Number: 10-3208
MITRE
www.mitre.org