Information Systems Security on Cloud Computing


Benefits, Risks, Security Considerations, Recommended Model


Name of the Contributor: an undergraduate student of the Department of Management Information Systems, Faculty of Business Studies, University of Dhaka, Dhaka 1000, Bangladesh.

Mohammad Saidur Rahman
Department of Management Information Systems (MIS)
Faculty of Business Studies
University of Dhaka
Dhaka 1000, Bangladesh


Table of Contents

1. Executive Summary
2. Introduction
3. Cloud Computing
4. Architecture and Deployment Model
   4.1 Architecture of Cloud Computing
       Infrastructure as a Service (IaaS)
       Platform as a Service (PaaS)
       Software as a Service (SaaS)
       Network as a Service (NaaS)
       Data as a Service (DaaS)
       Hardware as a Service (HaaS)
   4.2 Deployment Model of Cloud Computing
       Public Cloud
       Private Cloud
       Community Cloud
       Hybrid Cloud
5. Benefits of Cloud Computing
   5.1) IT Cost Reduction
   5.2) Scalability
   5.3) Business Continuity
   5.4) Easy to Implement
   5.5) Flexible
   5.6) Access to Automatic Updates
   5.7) Resiliency
6. Risks of Cloud Computing
   6.1) Data Breaches
       Shared Tenancy Environment
   6.2) Data Loss
   6.3) Account or Service Traffic Hijacking
   6.4) Insecure Interfaces and APIs
   6.5) Denial of Service
   6.6) Malicious Insiders
       Virtual Machine Based Malware
   6.7) Abuse of Cloud Services
       Brute Force
7. Security Considerations of Cloud Computing
   7.1 Maintaining Availability and Business Functionality
       Business Criticality of Data or Functionality
       Vendor’s Business Continuity and Disaster Recovery Plan
       My Data Backup Plan
       My Business Continuity and Disaster Recovery Plan
       My Network Connectivity to the Cloud
       Vendor’s Guarantee of Availability
       Impact of Outages
       SLA Inclusion of Scheduled Outages
       SLA Compensation
       Data Integrity and Availability
       Data Restoration
       Scalability
       Changing Vendor
   7.2 Protecting Data from Unauthorized Access by a Third Party
       Choice of Cloud Deployment Model
       Sensitivity of My Data
       Legislative Obligations
       Countries with Access to My Data
       Data Encryption Technologies
       Media Sanitization
       Vendor’s Remote Monitoring and Management
       My Monitoring and Management
       Data Ownership
       Gateway Technologies
       Gateway Certification
       Email Content Filtering
       Policies and Processes Supporting the Vendor’s IT Security Posture
       Technologies Supporting the Vendor’s IT Security Posture
       Auditing the Vendor’s IT Security Posture
       User Authentication
       Centralized Control of Data
       Vendor’s Physical Security Posture
       Software and Hardware Procurement
   7.3 Protecting Data from Unauthorized Access by the Vendor’s Customers
       Customer Segregation
       Weakening My Security Posture
       Dedicated Servers
       Media Sanitization
   7.4 Protecting Data from Unauthorized Access by Rogue Vendor Employees
       Data Encryption Key Management
       Vetting of Vendor’s Employees
       Auditing Vendor’s Employees
       Visitors to Data Centre
       Physical Tampering by Vendor’s Employees
       Vendor’s Subcontractors
   7.5 Handling Security Incidents
       Timely Vendor Support
       Vendor’s Incident Response Plan
       Training of Vendor’s Employees
       Notification of Security Incidents
       Extent of Vendor Support
       My Access to Logs
       Security Incident Compensation
       Data Spills
8. Recommended Model for Cloud Computing
9. Conclusion
References


1. Executive Summary

Cloud computing is a new way of delivering computing resources, not a new technology (ENISA, November 20th, 2009). It can be defined as on-demand self-service with ubiquitous network access, location-independent resource pooling, rapid elasticity and measured service (charges apply only to the resources actually used). Cloud computing is not confined to a computing model; it is now a widely accepted computing service (typically web-based). A cloud primarily can be private or public (Anon., 2012). Using only the public cloud model in a business is very risky for security reasons, and using only a private cloud will not serve our purpose either, because in that case we will not be able to use the advantages of the public cloud (Mishra, 2012). Privacy advocates criticize the cloud models because the hosting company or cloud vendor possesses control and can monitor at will, lawfully, unlawfully or both. Use of cloud services is getting popular for various reasons (i.e. cost effectiveness, high scalability, on-demand service, flexibility). Cloud security issues have become a new concern after recent odd events involving cloud services. For example, when Amazon’s cloud went down in December 2009, subscribers on the U.S. east coast were unable to use their systems for several hours (Anon., 2012). Millions of customers of salesforce.com suffered a 38-minute outage in early January 2009 (Anon., 2012). This paper covers the different cloud architecture and deployment models, the benefits of cloud services, the relevant and related risks, detailed security considerations of cloud computing and a recommended model of cloud computing.


2. Introduction

Cloud computing is a new economic model of computing. In this model, computing resources are located in virtual storage; users are barely aware of the identity of the cloud service vendors and do not know how the data are delivered. Cloud computing can informally be called a utility service like water, electricity, gas, telephony, etc. Cloud services cover a vast area (i.e. storage facilities, computer processing, software and other services) as a pool of virtualized resources over a network (primarily over the Internet). According to IDC’s analysis, the worldwide forecast for cloud services in 2009 will be in the order of $17.4bn. The estimate for 2013 amounts to $44.2bn, with the European market ranging from €971m in 2008 to €6005m in 2013 (ENISA, November 20th, 2009).

3. Cloud Computing

It is not clear when the term cloud computing was first introduced. Bartholomew (2009), Bogatin (2006) and several others suggested that the ‘cloud computing’ terminology was, perhaps, first coined by Google™ Chief Executive Eric Schmidt in 2006. Kaufman (2009: 61) suggests that cloud computing terminology ‘originates from the telecommunications world of the 1990s, when providers began using virtual private network (VPN) services for data communication’. Desisto, Plummer and Smith (2008: 1) state that ‘[t]he first SaaS [Software as a Service] offerings were delivered in the late 1990s, although these offerings weren’t called cloud computing’ (Choo, October 2010). Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics (i.e. on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service), six service models [i.e. Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), Data as a Service (DaaS), Hardware as a Service (HaaS), Network as a Service (NaaS)] and four deployment models (i.e. private cloud, public cloud, hybrid cloud, community cloud) (Grace, September, 2011) (Anon., November, 2012) (Wikipedia, 31st March, 2013) (Alliance, 2009).


4. Architecture and Deployment Model

4.1 Architecture of Cloud Computing

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) is the foundation of cloud services. Consumers can take advantage of processing power, storage, networking components or middleware on demand. Infrastructure as a Service provides virtual server instances with unique IP addresses and blocks of storage on demand (Mishra, November 2012). Consumers use the providers’ application program interface (API) to start, stop, access and configure their virtual servers and storage. Examples of IaaS providers include Amazon EC2, Azure Services Platform, Google Compute Engine, HP Cloud, Oracle Infrastructure as a Service, etc. (Wikipedia, n.d.).

Platform as a Service (PaaS)

Without buying and managing computing infrastructure, customers can access the basic OS (operating system) and optional services to develop and use software applications (e.g. database access and payment services) through Platform as a Service (PaaS). For example, Google App Engine allows clients to run their web applications (i.e. software that can be accessed over the Internet using a web browser such as Mozilla Firefox or Internet Explorer) on Google’s infrastructure (Choo, n.d.).

Software as a Service (SaaS)

Software as a Service (SaaS) builds upon Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), and provides clients with integrated access to software applications. Examples include Google Apps, Microsoft Office 365, OnLive, GT Nexus, etc. (Wikipedia, n.d.).

Network as a Service (NaaS)

Network as a Service (NaaS) provides users with access to network connectivity and inter-cloud network connectivity services. It is a unified service of network and computing resources which involves the optimization of resource allocation.

Data as a Service (DaaS)

Data as a Service (DaaS) is said to be the cousin of Software as a Service (SaaS) and a member of the ‘as a service (aaS)’ family (Wikipedia, n.d.). It provides data on demand. DaaS offers data in various formats and from various sources that can be accessed via services by users on the network in a transparent and logical way (Mishra, November 2012).

Hardware as a Service (HaaS)

Hardware virtualization, IT automation, usage metering and pricing are the offers of Hardware as a Service (HaaS). HaaS is flexible, scalable, and manageable to meet clients’ needs (Mishra, November 2012) (Wikipedia, n.d.).

4.2 Deployment Model of Cloud Computing

Public Cloud

Public cloud is a temporary extension of organizational infrastructure in which clients can enjoy reduced risks to their resources in a flexible way. Third-party providers or vendors offer this service to clients/customers (e.g. Amazon Web Services). Clients get this service via the Internet. Public cloud does not mean that data are publicly available or accessed; rather, data and resources can be accessed through an access mechanism provided by the vendors. The standard cloud computing model is the basis of public cloud computing, in which vendors accumulate resources (i.e. applications, storage) and make them available to the general public (through the access mechanism) over the Internet.

Private Cloud

Another name for private cloud is the corporate network of an organization or the proprietor’s data center. Private cloud benefits include restriction-free network bandwidth, and data and other resources are controlled and monitored within the organization. In addition, user access and networks are restricted and designated for the selected members of an organization. Private cloud requires an organization to have a higher degree of virtualization and to reevaluate existing resource decisions (Wikipedia, n.d.).

Community Cloud

Community cloud infrastructure is specially provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (i.e. mission, security requirements, policy and compliance considerations) (Grance, September 2011). One or more organizations, a third party, or a combination of them can own, manage and monitor this community cloud. It is more than a private cloud but less than a public cloud, and it is costlier than a public cloud.

Hybrid Cloud

The emergence of hybrid cloud is from the combined form of private, public and community cloud. Hybrid cloud ensures the allocation of resources to a different public cloud in case one of the public clouds overloads (Vohra, January 19, 2011). The nature of public cloud is a great issue for adoption, because the control of IT is in the hands of a third party (the vendor), which increases the security concern. On the other hand, private cloud can rescue us from the headache of security, but it is limited in use and costly. Hybrid cloud offers the benefit of those two basic clouds (i.e. public cloud, private cloud) including community cloud. The highly sensitive and critical data and services can be deployed on the private (internal) cloud and less critical data on the public cloud, and finally integrating those two can serve us best. The success of this hybrid approach depends on how public and private cloud interact and work together in union (Mishra, 2012) (Grance, n.d.).


5. Benefits of Cloud Computing

5.1) IT Cost Reduction

Cloud computing reduces the costs of IT systems management and maintenance. Organizations do not have to buy expensive systems and equipment; they can reduce costs by using the resources of cloud computing service providers. By moving to cloud computing, operating costs are significantly reduced (i.e. costs of system upgrades, wages for expert staff).

5.2) Scalability

To the consumers, the cloud appears to be infinite, and a consumer can purchase as much or as little computing power as they need. Cloud computing helps organizations to scale operations and storage up or down quickly to suit the situation (Anon., Last Updated 5th April, 2013).

5.3) Business Continuity

Protecting data and systems is a major concern for an organization to continue its business. If a natural disaster or power failure happens, storing data in the cloud ensures the data are backed up and protected in a secure and safe location. Cloud service allows the business to continue without any loss of productivity.

5.4) Easy to Implement

A customer can use cloud computing without the need to purchase hardware or software licenses or to implement services.

5.5) Flexible

Cloud computing offers flexibility in work. A client gets access to data from anywhere he wants (i.e. home, offsite, office) and at any time (via the Internet connection). When a customer is offsite, he can set up a virtual office quickly and easily with the help of a cloud computing service.

5.6) Access to Automatic Updates

Access to automatic updates of IT requirements may be included in the service fee. Depending on the cloud computing service provider, systems will be updated regularly with the latest technology. This includes up-to-date versions of software as well as upgrades to servers and computer processing power (Government, n.d.).

5.7) Resiliency

The potential for failure in a highly resilient computing environment is reduced. The failure of one node of a system in a cloud environment will have no impact on overall information availability, reducing the risk of perceivable downtime (Government, 2011).

6. Risks of Cloud Computing

To identify the top threats, a survey of industry experts was conducted to compile professional opinion on the greatest vulnerabilities within cloud computing. They identified nine critical threats to cloud computing: data breaches, data loss, account hijacking, insecure APIs, denial of service, malicious insiders, abuse of cloud services, insufficient due diligence and shared technology issues (Group, 2013).

6.1) Data Breaches

If the secret data of an organization go to the hands of competitors, it will be the most unexpected news for the organization. Weak design of a cloud service database gives attackers access not only to a single client’s data but to every client’s data. Experts say that though data loss and leakage are both serious threats to cloud computing, the measures taken to mitigate one threat can exacerbate the other (Group, 2013). Encryption of data can give the best solution to avoid data breaches, but the concern is the loss of the encryption key (loss of the encryption key means the loss of the data).

Shared Tenancy Environment

A virtual machine (VM) works like a software implementation of a computer that runs its own operating system and applications. It allows different software applications on different operating systems (OS) to run concurrently on a single physical machine through multiple virtual machines. In a shared tenancy cloud computing environment, separate VMs can host data from different clients. The activities of one VM do not affect the others, without any influence among different VMs, because an individual VM is unaware of the others’ activities, as all actions of an individual VM are confined to its own address space.

In a recent study, a team of computer scientists from the University of California, San Diego and MIT examined the widely used Amazon Compute Cloud (EC2) services. They found that ‘it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and then instantiate new VMs until one is placed co-resident with the target’ (Choo, 2010). It can be stated that they were able to install their own software on the targeted websites of the same physical servers. This opens the door for attackers to take control over the cache in order to steal data hosted on the same physical machine. Such an attack is known as a side-channel attack (Choo, 2010).

6.2) Data Loss

In the summer of 2012, attackers broke into Mat’s (Mat Honan, writer for Wired magazine) Apple, Gmail and Twitter accounts and used that access to erase all of his personal data in those accounts, including all of the baby pictures Mat had taken of his 18-year-old daughter (Group, 2013). If this happens to one of us, nothing can be worse than this loss of personal data. Malicious attackers are not the only reason behind data loss; various other causes can be liable for this occurrence. For example, a cloud service provider can unintentionally delete a file.

6.3) Account or Service Traffic Hijacking

Though account or service traffic hijacking is an old concept, attacks like phishing, fraud and exploitation of software vulnerabilities still succeed. If attackers get access to the cloud environment by hijacking a password, they can control it according to their will (i.e. manipulate data, return falsified information, redirect clients to illegitimate sites), and they can use this as their base. For example, in 2009 numerous Amazon systems were hijacked to run Zeus botnet nodes, and in April 2010 Amazon experienced a cross-site scripting (XSS) bug that allowed attackers to hijack credentials from the site (Group, 2013).

6.4) Insecure Interfaces and APIs

Cloud customers manage and interact with cloud services through a set of software interfaces or APIs provided by the cloud computing service vendors. All activities (i.e. provisioning, management, orchestration, monitoring) are done through these interfaces. If those interfaces are not secure, the cloud services are insecure to use. Organizations and third parties often build upon these interfaces to offer value-added services to their customers, which introduces a complex layered API and increased risk, as organizations may be required to relinquish their credentials to third parties in order to enable their agency.

6.5) Denial of Service

In practice, denial of service can be compared to being caught in a rush-hour traffic jam: there is no way to get to the destination and nothing to do except sit and wait. Attackers prevent users from getting access to the cloud service to retrieve stored data and use applications. Sometimes DoS makes a user so frustrated that he becomes confused about whether his decision to reduce infrastructure costs by moving to the cloud was right or wrong. This attack slows down the system, and attackers force the victim cloud service to consume resources such as processing power, memory, disk space or network bandwidth.

6.6) Malicious Insiders

“A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems” (Mellon, n.d.). From IaaS to PaaS and SaaS, the malicious insider has increasing levels of access to more critical systems and data; as a result, systems that completely depend on a cloud service provider (CSP) are at great risk.

Virtual Machine Based Malware

Malware can attack and control virtual machines through their vulnerabilities. Both server machines and customers can be exploited by VM-based rootkits. “A rootkit is a piece of software that can be installed and hidden on a targeted computer without prior knowledge of the client. It may be included in a larger software package or installed by an attacker who is able to take advantage of the vulnerabilities of targeted computers” (McDowell, August 24, 2011). “VM-based rootkits, as pointed out by Michael Price of the University of Southern California, Irvine, could be used by attackers to gain complete control of the underlying OS without the compromised OS being aware of their existence and are especially dangerous because they also control all hardware interfaces. Once VM-based rootkits are installed to the machine, they can view key strokes, network packets, disk state, and memory state, while the compromised OS remains oblivious” (Choo, 2011).

6.7) Abuse of Cloud Services

Cloud computing is available for all kinds of organizations. It gives much benefit to small organizations, as they get vast computing power that would be impossible to set up by themselves. In the same way, cloud computing opens favorable doors for hackers and attackers, who can use it for several abuses such as staging a DDoS attack, serving malware or distributing pirated software. This threat is not a concern for clients; rather, it is mostly a concern for cloud vendors.

Brute Force

A significant abuse of cloud computing is the use of virtualized infrastructure as a launching pad for brute force and other attacks. A brute force attack is a strategy used to break encrypted data by trying all possible decryption keys or password combinations. Using Amazon EC2 as an example, a security consultant estimated that, based on the hourly fees Amazon charges for its EC2 web service, it would cost more than US$1.5 million to brute force a 12-character password containing nothing more than lower-case letters ‘a through z’, but an 11-character code costs less than $60,000 to crack and a 10-letter phrase costs less than $23,000 (Choo, 2011).
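The point made in 6.1 above, that encrypting data at the vendor only helps while the customer still holds the key, together with the ‘Data Encryption Key Management’ item listed under 7.4, worked as an added example that is not part of this paper: envelope encryption in Go (standard library only), where each object is sealed under its own data encryption key (DEK) and that DEK is wrapped under two customer-held key encryption keys (a primary and an escrow copy), so the vendor only ever stores ciphertext and loss of the primary KEK does not mean loss of the data. The key labels, the “object”/“dek:” associated-data strings and the sample record are constructed for this example; in practice the KEKs would live in the customer’s HSM or key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// sealed holds one AES-GCM ciphertext with the nonce used to produce it.
type sealed struct{ Nonce, CT []byte }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return sealed{}, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return sealed{Nonce: nonce, CT: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// open decrypts s under key; a wrong key, wrong aad or modified ciphertext fails authentication.
func open(key []byte, s sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.CT, aad)
}

// Envelope is what the vendor stores: the object sealed under a per-object data encryption
// key (DEK) plus that DEK wrapped under each customer-held key encryption key (KEK).
type Envelope struct {
	Data       sealed
	WrappedDEK map[string]sealed // one wrapped copy of the DEK per KEK label
}

// Encrypt generates a random DEK, seals plaintext under it and wraps the DEK under every
// KEK in keks. The label is bound as associated data so wrapped copies cannot be swapped.
func Encrypt(plaintext []byte, keks map[string][]byte) (Envelope, error) {
	dek := mustRandom(32) // AES-256 data key; only its wrapped copies are persisted
	data, err := seal(dek, plaintext, []byte("object"))
	if err != nil {
		return Envelope{}, err
	}
	env := Envelope{Data: data, WrappedDEK: map[string]sealed{}}
	for label, kek := range keks {
		w, err := seal(kek, dek, []byte("dek:"+label))
		if err != nil {
			return Envelope{}, err
		}
		env.WrappedDEK[label] = w
	}
	return env, nil
}

// Decrypt unwraps the DEK with whichever KEK the caller still holds, then decrypts the
// object. If every KEK is lost, the data is lost with it (the 6.1 concern).
func Decrypt(env Envelope, label string, kek []byte) ([]byte, error) {
	w, ok := env.WrappedDEK[label]
	if !ok {
		return nil, fmt.Errorf("no DEK copy wrapped under KEK %q", label)
	}
	dek, err := open(kek, w, []byte("dek:"+label))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK under %q: %w", label, err)
	}
	return open(dek, env.Data, []byte("object"))
}

func main() {
	// Two KEKs held by the customer; neither is ever sent to the vendor.
	primary, escrow := mustRandom(32), mustRandom(32)
	env, err := Encrypt([]byte("constructed sample: customer ledger"), map[string][]byte{"primary": primary, "escrow": escrow})
	if err != nil {
		panic(err)
	}
	// Assume the primary KEK is later lost: the escrow copy still recovers the object.
	pt, err := Decrypt(env, "escrow", escrow)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered via escrow KEK: %q\n", pt)
}
```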

7. Security Considerations of Cloud Computing

In a sense, cloud computing security is not different from regular security. The security considerations of private cloud and public cloud (e.g. Microsoft Office 365) are only marginally different. There are only two major distinctions between private and public cloud: geo-location and multi-tenancy. The Information Security Forum (ISF) recommends that cloud service providers should be treated like any other external supplier, such as an outsourcer or offshore outsourcer, and should be covered by the same form of contract. To assist in this, the ISF has developed a four-step approach to working with external suppliers, which provides a consistent set of activities that can equally be applied to cloud service providers (ISF, 2011):

Step 1: Identify and classify third parties.
Step 2: Agree third-party security.
Step 3: Validate third-party security.
Step 4: Agree termination terms.

At the time of evaluation, implementation, management and maintenance of cloud computing solutions, five things must be considered carefully: compliance and risk management, identity and access management, service integrity, endpoint integrity and information protection. These considerations vary according to the use of the cloud service.

16

This section of this paper provides a detail consideration guideline of cloud computing security. Five broad areas must be considered as security considerations: maintaining availability and business functionality, protecting data from unauthorized access by a third party, protecting data from unauthorized access by the vendor’s customers, protecting data from unauthorized access by rogue vendor employees and handling security incidents. The considerations are provided as various questions so that the answers of those questions can assist organizations to develop risk assessment. It should not be expected that single cloud service vendor can answer all of the questions; it will differ according to the requirement of organizations use of cloud service. The following considerations are designed by integrating a number of papers and articles of different organizations regarding this area such as National Institute of Standards and Technology(NIST) ((NIST), n.d.), European Network and Information Security Agency (ENISA) ((ENISA), 2009), Cloud Security Alliance (CSA) ((CSA), n.d.) ((CSA), n.d.), Australian Government (Government, Updated, September 2012), Microsoft (Cavit, January 2010), World Privacy Forum (Forum, 2009),International Journal of Advanced Research in Computer Science and Software Engineering (Bhavna Makhija, 2013), Victorian Government (Government, December 2011), TechGenix Ltd (Limited, 2013).

7.1 Maintaining Availability and Business Functionality

Answers to the following questions can reveal mitigations to help manage the risk of business functionality being negatively impacted by the vendor’s cloud services becoming unavailable:

Business Criticality of Data or Functionality
Am I moving business critical data or functionality to the cloud?

Vendor’s Business Continuity and Disaster Recovery Plan
Can I thoroughly review a copy of the vendor’s business continuity and disaster recovery plan that covers the availability and restoration of both my data and the vendor’s services that I use? How much time does it take for my data and the services that I use to be recovered after a disaster, and do the vendor’s other customers that are larger and pay more money than me get prioritization?

My Data Backup Plan
Will I spend additional money to maintain an up to date backup copy of my data located either at my agency’s premises, or stored with a second vendor that has no common points of failure with the first vendor?

My Business Continuity and Disaster Recovery Plan
Will I spend additional money to replicate my data or business functionality with a second vendor that uses a different data center and ideally has no common points of failure with the first vendor? This replication should preferably be configured to automatically “failover”, so that if one vendor’s services become unavailable, control is automatically and smoothly transitioned to the other vendor.

My Network Connectivity to the Cloud
Is the network connectivity between my agency’s users and the vendor’s network adequate in terms of availability, traffic throughput (bandwidth), delays (latency) and packet loss?

Vendor’s Guarantee of Availability
Does the Service Level Agreement (SLA) guarantee that the vendor will provide adequate system availability and quality of service, using their robust system architecture and business processes? Availability may be affected by technical issues such as computer and network latency, hardware performance and failures, and faulty vendor software. Availability may also be affected by deliberate attacks such as denial of service attacks against me or other customers of the vendor that still affect me. Finally, availability may also be affected by configuration mistakes made by the vendor, including those resulting from poor software version control and poor change management processes.

Impact of Outages
Can I tolerate the maximum possible downtime of the SLA? Are the scheduled outage windows acceptable both in duration and time of day, or will scheduled outages interfere with my critical business processes? Typical SLAs that guarantee 99.9% availability can have up to nine hours of unscheduled outages every year without breaching the SLA.

SLA Inclusion of Scheduled Outages
Does the SLA guaranteed availability percentage include scheduled outages? If not, the vendor may have numerous long scheduled outages, including emergency scheduled outages with little or no notice to customers, that do not result in a breach of the SLA. Vendors with distributed and redundant computing and network infrastructure enable scheduled maintenance to be applied in batches while customers are seamlessly transitioned to computing and network infrastructure that is still available and not part of the outage.

SLA Compensation
Does the SLA adequately reflect the actual damage caused by a breach of the SLA, such as unscheduled downtime or data loss? For example, most generic SLAs designed for the consumer mass-market typically involve inadequate compensation such as a few hours of free service, or a credit, partial refund or other small discount on the monthly bill. The damage done to an agency’s reputation is not repaired by receiving a token amount of free service or refunded money. For example, in February 2011 a major vendor accidentally deleted thousands of files belonging to a paying customer, admitted negligence, initially stated that the files were not retrievable, and offered free service worth approximately $100 as compensation. This example also highlighted deficiencies in staff training, business processes and backup implementation.

Data Integrity and Availability
How does the vendor implement mechanisms such as redundancy and offsite backups to prevent corruption or loss of my data, and guarantee both the integrity and the availability of my data? For example, in February 2011 a major vendor of email Software as a Service began deploying a software update that unexpectedly deleted all of the email belonging to tens of thousands of customers. This problem affected data in the vendor’s multiple data centers, highlighting the importance of having offline backups in addition to redundant data centers.

Data Restoration
If I accidentally delete a file, email or other data, how much time does it take for my data to be partially or fully restored from backup, and is the maximum acceptable time captured in the SLA?

Scalability
How many available spare computing resources does the vendor provide to enable my usage of the vendor’s services to scale at short notice?

Changing Vendor
If I want to move my data to my agency or to a different vendor, or if the vendor suddenly becomes bankrupt or otherwise quits the cloud business, how do I get access to my data in a vendor-neutral format to avoid vendor lock-in? How cooperative will the vendor be? How do I ensure that my data is permanently deleted from the vendor’s storage media? For Platform as a Service (PaaS), which standards does the vendor use that facilitate portability and interoperability, to easily move my application to a different vendor or to my agency?

7.2 Protecting Data from Unauthorized Access by a Third Party

Answers to the following questions can reveal mitigations to help manage the risk of unauthorized access to data by a third party:

Choice of Cloud Deployment Model
Am I considering using a potentially less secure public cloud, a potentially more secure hybrid cloud or community cloud, or a potentially most secure private cloud?

Sensitivity of My Data
Is my data to be stored or processed in the cloud classified, sensitive, private, or data that is publicly available such as information from my public web site? Does the aggregation of my data make it more sensitive than any individual piece of data? For example, the sensitivity may increase if storing a significant amount of data, or storing a variety of data that if compromised would facilitate identity theft. If there is a data compromise, could I demonstrate my due diligence to senior management, government officials and the public?

Legislative Obligations
What obligations do I have to protect and manage my data under various legislation, for example the Privacy Act, the Archives Act, as well as other legislation specific to the type of data? Will the vendor contractually accept adhering to these obligations to help me ensure that the obligations are met to the satisfaction of the Australian Government?

Countries with Access to My Data
In which countries is my data stored, backed up and processed? Which foreign countries does my data transit? In which countries are the failover or redundant data centers? Will the vendor notify me if the answers to these questions change? Data stored in, processed in, or transiting foreign countries may be subject to their laws. Such laws range from Freedom of Information requests by members of the public, through to government lawful access mechanisms. For example, a foreign owned vendor may be subject to their country’s laws even if the vendor is operating within Australia. If the vendor is subpoenaed by a foreign law enforcement agency for access to data belonging to the vendor’s customers, the vendor may be legally prohibited from notifying their customers of the subpoena.

Media Sanitization
What processes are used to sanitize the storage media storing my data at its end of life, and are the processes deemed appropriate by the DSD ISM?

Vendor’s Remote Monitoring and Management
Does the vendor monitor, administer or manage the computers that store or process my data? If yes, is this performed remotely from foreign countries or Bangladesh? Can the vendor provide patch compliance reports and other details about the security of workstations used to perform this work, and what controls prevent the vendor’s employees from using untrustworthy personally owned laptops?

Data Encryption Technologies
Are hash algorithms, encryption algorithms and key lengths deemed appropriate by the DSD ISM used to protect my data when it is in transit over a network, and stored on both the vendor’s computers and on backup media? The ability to encrypt data while it is being processed by the vendor’s computers is still an emerging technology and is an area of current research by industry and academia. Is the encryption deemed strong enough to protect my data for the duration of time that my data is sensitive? For example, cloud computing processing power has already been used to significantly reduce the time and cost of using brute force techniques to crack and recover relatively weak passwords either stored as SHA1 hashes or used as Wi-Fi Protected Access (WPA) pre-shared keys.

My Monitoring and Management
Can I use my existing tools for integrity checking, compliance checking, security monitoring and network management, to obtain visibility of all my systems regardless of whether these systems are located locally or in the cloud? Do I have to learn to use additional tools provided by the vendor? Does the vendor even provide such a mechanism for me to perform monitoring?

Data Ownership
Do I retain legal ownership of my data, or does it belong to the vendor and may be considered an asset for sale by liquidators if the vendor declares bankruptcy?

Gateway Technologies
What technologies does the vendor use to create a secure gateway environment? Examples include firewalls, traffic flow filters, content filters, antivirus software and data diodes where appropriate.

Gateway Certification
Is the vendor’s gateway environment certified against government security standards and regulations? For example, several major vendors in Australia use gateways certified by DSD for data classified up to IN CONFIDENCE, PROTECTED and in some cases HIGHLY PROTECTED.

Email Content Filtering
For email Software as a Service, does the vendor provide customizable email content filtering that can enforce my agency’s email content policy? For example, an agency may have a “blacklist” email policy of “No executable email attachments allowed” or, better yet, a “white list” policy of what is allowed (such as .doc .pdf .ppt .xls .jpg and .zip files containing the previously mentioned file types) and everything else is blocked by default. Spam filtering is not necessarily email content filtering, since unsolicited commercial spam email is not inherently malicious, and affects employee productivity instead of the security of the agency’s computer network.

Policies and Processes Supporting the Vendor’s IT Security Posture
Can I have details of how the vendor’s computer and network security posture is supported by policies and processes, including threat and risk assessments, ongoing vulnerability management, a change management process that incorporates security, penetration testing, logging and regular log analysis?

Technologies Supporting the Vendor’s IT Security Posture
Can I have details of how the vendor’s computer and network security posture is supported by direct technical controls, including timely application of security patches, regularly updated antivirus software, defense in depth mechanisms to protect against unknown vulnerabilities, hardened operating systems and software applications configured with the strongest possible security settings, intrusion detection and prevention systems, and data loss prevention mechanisms?

Auditing the Vendor’s IT Security Posture
Can I audit the vendor’s implementation of the previously mentioned security measures, including performing scans and other penetration testing of the environment provided to me? If there is a justifiable reason why auditing is not possible, which reputable third party has performed audits and other vulnerability assessments? What sort of internal audits does the vendor perform, and which compliance standards and other recommended practices from organizations such as the Cloud Security Alliance are used for these assessments? Can I thoroughly review a copy of recent resulting reports? For example, a major vendor in Australia advertises that it uses “ISO 27001 accredited centers which can be audited by you and your regulators”.

Vendor’s Physical Security Posture
Does the vendor use physical security products and devices that are endorsed by the Australian Government? How is the vendor’s physical data center designed to prevent the tampering or theft of servers, infrastructure and the data stored thereon? Is the vendor’s physical data center accredited by an authoritative third party? For example, several major vendors in Australia advertise using data centers accredited by the Australian Security Intelligence Organization T4 Protective Security.

User Authentication
What identity and access management systems does the vendor support for users to log in to use Software as a Service (SaaS)? Examples include two factor authentication, synchronization with the agency’s Active Directory and other federated single sign-on.

Software and Hardware Procurement
What procurement process is used to ensure that cloud infrastructure software and hardware has been supplied by a legitimate source and has not been maliciously modified in transit?

Centralized Control of Data
What user training, policies and technical controls prevent my agency’s users from using unapproved or insecure computing devices without a trusted operating environment to store or process sensitive data accessed using Software as a Service (SaaS)?
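As an added example (not part of the paper or of any vendor's code), the following calculator makes concrete the brute-force economics from the Brute Force passage and the Data Encryption Technologies item above: the rental cost of exhausting a lower-case password keyspace depends only on instance-hours, and storing passwords as salted PBKDF2 instead of bare SHA1 multiplies that cost by the iteration count. The guess rate and hourly price are assumed figures, not the paper's.

```python
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

# Constructed assumptions for the cost model; they are not figures from the paper.
LOWERCASE = string.ascii_lowercase        # the paper's "a through z" password alphabet
SHA1_GUESSES_PER_SECOND = 2.0e9           # assumed: unsalted SHA1 rate of one rented GPU instance
PRICE_PER_INSTANCE_HOUR = 1.00            # assumed: rental price of that instance, in dollars
PBKDF2_ITERATIONS = 600_000               # work factor: hash calls the verifier (and the attacker) pays per guess


def keyspace(length: int, alphabet: str = LOWERCASE) -> int:
    """Number of candidate passwords of exactly `length` characters from `alphabet`."""
    return len(alphabet) ** length


def crack_cost_usd(length: int, guesses_per_second: float = SHA1_GUESSES_PER_SECOND,
                   price_per_hour: float = PRICE_PER_INSTANCE_HOUR,
                   work_factor: int = 1, alphabet: str = LOWERCASE) -> float:
    """Worst-case rental cost to try every candidate of `length` characters.

    Renting N instances for one hour costs the same as one instance for N hours,
    so the total depends only on instance-hours, not on how far the search is
    parallelised; that is what makes rented cloud capacity attractive for this.
    `work_factor` is the number of hash invocations each guess requires: 1 for a
    bare SHA1 digest, PBKDF2_ITERATIONS for a PBKDF2-stored password.
    """
    instance_seconds = keyspace(length, alphabet) * work_factor / guesses_per_second
    return instance_seconds / 3600.0 * price_per_hour


def hash_password_weak(password: str) -> str:
    """Unsalted SHA1, the storage form the paper warns about: one fast hash per
    guess, and identical passwords give identical digests across all users."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password_strong(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 from the standard library. The random salt defeats
    precomputation and the iteration count multiplies the attacker's cost per guess."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_strong(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def cost_table(lengths=(10, 11, 12)) -> dict:
    """Per length: (keyspace, cost if stored as SHA1, cost if stored with PBKDF2)."""
    return {n: (keyspace(n), crack_cost_usd(n), crack_cost_usd(n, work_factor=PBKDF2_ITERATIONS))
            for n in lengths}


if __name__ == "__main__":
    for n, (space, sha1_cost, pbkdf2_cost) in cost_table().items():
        print(f"{n} lower-case chars: {space:.3e} candidates, "
              f"SHA1 ${sha1_cost:,.0f} vs PBKDF2 ${pbkdf2_cost:,.0f}")
    salt, digest = hash_password_strong("constructed-sample-password")
    print("verify:", verify_strong("constructed-sample-password", salt, digest))
```

Each extra lower-case character multiplies the cost by 26, and each PBKDF2 iteration multiplies it again, which is the defender's lever when the attacker's compute is rented rather than owned.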
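As an added example (not part of the paper), a default-deny attachment filter of the kind the Email Content Filtering item's “white list” policy describes: the listed types pass, a .zip passes only if every member passes, and everything else is blocked. The sample attachments are constructed in memory; the nesting-depth and member-size limits are assumed policy choices, not the paper's.

```python
import io
import os
import zipfile
from typing import Dict, List, Tuple

# Policy constants: the allowed list is the paper's, the two limits are assumed choices.
ALLOWED_EXTENSIONS = {".doc", ".pdf", ".ppt", ".xls", ".jpg"}
MAX_ZIP_DEPTH = 2                    # assumed: at most one zip inside a zip
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed: refuse members that would expand beyond this


def extension_of(name: str) -> str:
    """Final extension, lower-cased: 'Invoice.PDF.exe' -> '.exe', so a double
    extension cannot smuggle an executable past the list."""
    return os.path.splitext(name)[1].lower()


def check_attachment(name: str, data: bytes, depth: int = 0) -> Tuple[bool, str]:
    """Decide one attachment. Returns (allowed, reason); anything not on the
    white list is blocked by default, and a .zip is judged by its members."""
    ext = extension_of(name)
    if ext in ALLOWED_EXTENSIONS:
        return True, f"{name}: allowed type {ext}"
    if ext != ".zip":
        return False, f"{name}: type {ext or '(none)'} is not on the white list"
    if depth >= MAX_ZIP_DEPTH:
        return False, f"{name}: zip nested deeper than {MAX_ZIP_DEPTH} levels"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False, f"{name}: named .zip but the content is not a zip archive"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                member = info.filename
                if member.startswith("/") or ".." in member.split("/"):
                    return False, f"{name}: member {member} has an unsafe path"
                if info.file_size > MAX_MEMBER_BYTES:
                    return False, f"{name}: member {member} exceeds the size limit"
                # Only a nested zip needs its bytes; other members are judged by type alone.
                payload = archive.read(info) if extension_of(member) == ".zip" else b""
                ok, reason = check_attachment(member, payload, depth + 1)
                if not ok:
                    return False, f"{name} -> {reason}"
    except zipfile.BadZipFile:
        return False, f"{name}: corrupt zip archive"
    return True, f"{name}: zip containing only white-listed types"


def filter_attachments(attachments: List[Tuple[str, bytes]]) -> List[Tuple[str, bool, str]]:
    """Apply the policy to every attachment of one message."""
    return [(name, *check_attachment(name, data)) for name, data in attachments]


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Helper that constructs a sample archive in memory."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for member_name, content in members.items():
            archive.writestr(member_name, content)
    return buffer.getvalue()


# Constructed sample message: five attachments, of which only the first and third should pass.
SAMPLE_ATTACHMENTS = [
    ("quarterly.pdf", b"%PDF-1.4 constructed sample"),
    ("Invoice.PDF.exe", b"constructed sample bytes"),
    ("scans.zip", build_zip({"page1.jpg": b"sample", "notes.doc": b"sample"})),
    ("bundle.zip", build_zip({"readme.doc": b"sample", "setup.js": b"sample"})),
    ("archive.zip", b"constructed: not actually a zip"),
]

if __name__ == "__main__":
    for name, allowed, reason in filter_attachments(SAMPLE_ATTACHMENTS):
        print("ALLOW" if allowed else "BLOCK", reason)
```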

7.3 Protecting Data from Unauthorized Access by the Vendor’s Customers

Answers to the following questions can reveal mitigations to help manage the risk of unauthorized access to data by the vendor’s other customers:

Customer Segregation
What assurance do I have that the virtualization “multi-tenancy” mechanisms guarantee adequate logical and network segregation between multiple tenants, so that a malicious customer using the same physical computer as me cannot access my data? For Infrastructure as a Service (IaaS), the virtualization software used to share hardware and provide each customer with their own operating system environment was typically not originally designed to provide segregation for security purposes. However, the developers of such virtualization software are increasingly focusing their efforts on making their software more suitable for this purpose. What controls are in place to detect and prevent a tenant exploiting a publicly unknown or unpatched vulnerability in a hypervisor? For Software as a Service (SaaS), the logical separation between customers is usually less well defined, and in some cases the separation mechanism may be retrofitted to an existing application such as email server or database software. For example, in December 2010 a major vendor of Software as a Service (SaaS) admitted that a configuration mistake caused a security breach that resulted in the exposure of “offline” email address books belonging to customers, and confirmed there was unauthorized access by the vendor’s other customers.

Weakening My Security Posture
How would using the vendor’s cloud infrastructure weaken my agency’s existing network security posture? For example, an adversary could use cloud infrastructure from the same vendor used by the target agency, to both serve malicious web content to the agency’s users and to exfiltrate the agency’s sensitive data. This may enable an adversary to circumvent the agency’s use of security technologies such as white listing which domains and IP address ranges can be accessed, and which web sites can run active content such as JavaScript in the web browser. Would the vendor advertise me as one of their customers without my explicit consent, thereby assisting an adversary that is specifically targeting me?

Dedicated Servers
Do I have some control over which physical computer runs my virtual machines? Can I pay extra to ensure that no other customer can use the same physical computer as me, e.g. dedicated servers or virtual private cloud?

Media Sanitization
When I delete portions of my data, what processes are used to sanitize the storage media before it is made available to another customer, and are the processes deemed appropriate by the DSD ISM? For example, a vendor advertises that when a customer deletes data, “the physical space on which the data was stored is zeroed over before the space is re-used by other data”.

7.4 Protecting Data from Unauthorized Access by Rogue Vendor Employees

Answers to the following questions can reveal mitigations to help manage the risk of unauthorized access to data by rogue vendor employees:

Data Encryption Key Management
Does the vendor know the password or key used to decrypt my data, or do I encrypt and decrypt the data on my computer so the vendor only ever has encrypted data?

Vetting of Vendor’s Employees
What personnel employment checks and vetting processes does the vendor perform to ensure that employees are trustworthy? Examples include thorough police background checks, as well as citizenship checks, security clearances and psychological assessments, especially for employees with administrative privileges or other access to customer data.

Auditing Vendor’s Employees
What robust identity and access management system do the vendor’s employees use? What auditing process is used to log and review the actions performed by the vendor’s employees? For example, in September 2010 a major vendor acknowledged sacking an employee for allegedly deliberately violating the privacy of users by inappropriately reading their electronic communications during a timeframe of several months.

Visitors to Data Center
Are visitors to data centers escorted at all times, and are the name and other personal details of every visitor verified and recorded?

Physical Tampering by Vendor’s Employees
Is network cabling professionally installed to internationally acceptable standards, to help avoid the vendor’s employees from accidentally connecting cables to the wrong computers, and to help readily highlight any deliberate attempts by the vendor’s employees to tamper with the cabling?

Vendor’s Subcontractors
Do the answers to these questions apply equally to all of the vendor’s subcontractors?

7.5 Handling Security Incidents

Answers to the following questions can reveal a vendor’s ability to handle security incidents:

Timely Vendor Support
Is the vendor readily contactable and responsive to requests for support, and is the maximum acceptable response time captured in the SLA, or is it simply a marketing claim that the vendor will try their best? Is the support provided locally, or from a foreign country, or from several foreign countries using an approach that follows the sun? What mechanism does the vendor use to obtain a real-time understanding of the security posture of my use of the vendor’s services so that the vendor can provide support?

Vendor’s Incident Response Plan
Does the vendor have a security incident response plan that specifies how to detect and respond to security incidents, in a way that is similar to the incident handling procedures detailed in the DSD ISM? Can I thoroughly review a copy?

Training of Vendor’s Employees
What qualifications, certifications and regular information security awareness training do the vendor’s employees require, to know how to use the vendor’s systems in a secure manner and to identify potential security incidents?

Notification of Security Incidents
Will the vendor notify me via secure communications of security incidents that are more serious than an agreed threshold, especially in cases where the vendor might be liable? Will the vendor automatically notify law enforcement or other authorities, who may confiscate computing equipment used to store or process my data?

Extent of Vendor Support
How much assistance will the vendor provide me with investigations if there is a security breach such as an unauthorized disclosure of my data, or if there is a need to perform legal electronic discovery of evidence?

My Access to Logs
How do I obtain access to time synchronized audit logs and other logs to perform a forensic investigation, and how are the logs created and stored so as to be suitable evidence for a court of law?

Security Incident Compensation
How will the vendor adequately compensate me if the vendor’s actions, faulty software or hardware contributed to a security breach?

Data Spills
If data that I consider too sensitive to be stored in the cloud is accidentally placed into the cloud, referred to as a data spill, how can the spilled data be deleted using forensic sanitization techniques? Is the relevant portion of physical storage media zeroed whenever data is deleted? If not, how long does it take for deleted data to be overwritten by customers as part of normal operation, noting that clouds typically have significant spare unused storage capacity? Can the spilled data be forensically deleted from the vendor’s backup media? Where else is the spilled data stored, and can it be forensically deleted?

8. Recommended Model for Cloud Computing

[Figure: the recommended model. Labels shown in the figure: USER; Major Access Control (Cipher and Decipher Code); User Purposes; Encryption/Decryption Key Management; Private Cloud, Community Cloud and Public Cloud, each offering IaaS, PaaS, SaaS, NaaS and DaaS.]

9. Conclusion

The recommended model is a highly secure hybrid model that provides all the facilities of cloud computing. Implementing the recommended model and satisfying the security considerations may give an organization maximum security assurance in using cloud computing services. This model works on two sides: (i) it defines the flow of information; (ii) it confines the flow of information (marked in red in the figure). By maintaining the information flow among the cloud models (private, public, community), an organization can obtain optimal security. We do not expect that any single cloud vendor can satisfactorily answer all of the questions; rather we expect variation, and performance above 70%. We suggest extensive research in this area so that the world can get the benefit of cloud computing services with the best security along with satisfaction.

References

(CSA), C. S. A., n.d. Security Guidance.
(CSA), C. S. A., n.d. Top Threats to Cloud Computing.
(ENISA), E. N. a. I. S. A., 2009. Cloud Computing Security Risk Assessment. November.
(ISF), I. S. F., 2011. Driving Out the Seven Deadly Sins of Cloud Computing.
(NIST), N. I. o. S. a. T., n.d. Cloud Computing.
Alliance, C. S., 2009. https://cloudsecurityalliance.org/.
Anon., 2012. In: Management Information Systems (managing the digital firm). 12th ed. s.l.: Pearson, pp. 183-184.
Anon., 2012. Cloud Computing. In: Management Information Systems (managing the digital firm). 12th ed. s.l.: Pearson, p. 183.
Anon., 2012. How Secure is the Cloud? In: Management Information Systems (managing the digital firm). 12th ed. s.l.: Pearson, p. 321.
Anon., last updated 5 April 2013. Cloud computing for business. s.l.: http://www.business.qld.gov.au/business/running/technology-for-business/cloud-computingbusiness.
Anon., November 2012. Implement Cloud Computing Model for Business Information Systems Security. International Journal of Current Research, 4(11), pp. 121-125.
Bhavna Makhija, V. G. & I. R., 2013. Enhanced Data Security in Cloud Computing with Third Party Auditor. International Journal of Advanced Research in Computer Science and Software Engineering, February, 3(2).
Cavit, R. H. & D., January 2010. Cloud Computing Security Considerations. s.l.: http://go.microsoft.com/?linkid=9708479.
Choo, K.-K. R., 2010. Cloud Computing: Challenges and Future Directions. s.l.: Australian Government.
Choo, K.-K. R., 2011. Cloud Computing Risks. Information Age, January-February, pp. 49-51.
Choo, K.-K. R., October 2010. Cloud computing: Challenges and future directions. Trends & Issues in Crime and Criminal Justice, No. 400.
ENISA, 20 November 2009. Cloud Computing Risk Assessment. p. 4.
Forum, R. G. & W. P., 2009. Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing. 23 February, Volume 1.1.
Government, A., 2011. Opportunities and applicability for use by the Australian Government. Cloud Computing Strategic Direction Paper, April, Volume 01.
Government, A., updated September 2012. Cloud Computing Security Considerations. s.l.: http://www.dsd.gov.au/infosec/cloudsecurity.htm.
Government, Q., n.d. Cloud computing for business. s.l.: http://www.business.qld.gov.au/business/running/technology-for-business/cloud-computingbusiness.
Government, V., December 2011. Cloud Computing Security Considerations. s.l.: www.dtf.vic.gov.au/cio.
Grance, P. M. & T., September 2011. The NIST Definition of Cloud Computing. s.l.: Special Publication 800-145.
Group, T. T. W., 2013. The Notorious Nine: Cloud Computing Top Threats in 2013. Cloud Security Alliance (CSA), February.
Limited, T., 2013. Security Considerations for Cloud Computing (Part 2). s.l.: http://www.windowsecurity.com/articles-tutorials/Cloud_computing/SecurityConsiderations-Cloud-Computing-Part2.html.
McDowell, M., 24 August 2011. Understanding Hidden Threats: Rootkits & Botnets. s.l.: http://www.us-cert.gov/ncas/tips.ST06-001.
Mellon, C., n.d. s.l.: http://www.cert.org/insider_threat/.
Mishra, D. B. M. & V., November 2012. Implement Cloud Computing Model for Business Information System Security. International Journal of Current Research, 4(11), pp. 121-125.
Vohra, D., 19 January 2011. Hybrid Cloud Computing: The Future Trend in Cloud. Cloud Computing Journal.
Wikipedia, 31 March 2013. Cloud Computing. http://en.wikipedia.org/wiki/Cloud_computing.
Wikipedia, n.d. Cloud Computing.
Wikipedia, n.d. Data as a Service.
Wikipedia, n.d. Hardware as a Service.
Wikipedia, n.d. Private Cloud.
Wikipedia, n.d. Software as a Service.