Proceedings of the Fifth International Conference on Internet Technologies and Applications (ITA 13)
Picking Cunningham Houlden Oram Grout Mayers
Proceedings of the
Fifth International Conference on Internet Technologies and Applications (ITA 13)
Editors: ISBN 978-0-946881-81-9
9 780946 881819
Rich Picking, Stuart Cunningham, Nigel Houlden, Denise Oram, Vic Grout, & Julie Mayers Co-editors:
Nathan Clarke, Carlos Guerrero, Raed A Abd-Alhameed, & Susan Liggett Glyndŵr University, Wrexham, North Wales, UK 10-13 September 2013
PROCEEDINGS OF THE FIFTH INTERNATIONAL CONFERENCE ON INTERNET TECHNOLOGIES AND APPLICATIONS (ITA 13) Tuesday 10th – Friday 13th September 2013 Glyndŵr University, Wrexham, Wales, UK http://www.ita13.org
Editors
Rich Picking, Stuart Cunningham, Nigel Houlden, Denise Oram, Vic Grout, Julie Mayers Co-editors
Nathan Clarke, Carlos Guerrero, Raed A Abd-Alhameed, Susan Liggett Hosted by
Creative and Applied Research for the Digital Society (C.A.R.D.S.) Glyndŵr University, Plas Coch Campus, Mold Road, Wrexham, LL11 2AW, UK
i
ISBN: 978-0-946881-81-9
www.cards-uk.org
© Glyndŵr University, 2013 All rights reserved Printed in the United Kingdom No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means – electronic, mechanical, photocopy, recording or otherwise, - without the prior written permission of the publisher or distributor.
iii
FOREWORD Croeso i Ogledd Cymru. Croeso i Wrecsam! Welcome to North Wales. Welcome to Wrexham! These are the proceedings of the Fifth International Conference on Internet Technologies and Applications (ITA 13), hosted by the University Centre for Creative and Applied Research for the Digital Society (C.A.R.D.S.) at Glyndŵr University, Wrexham, North Wales, UK from Tuesday 10th to Friday 13th September 2013. The conference has been sponsored by the British Computer Society (BCS) Chester and North Wales Branch, the British Computer Society (BCS) Health in Wales Group, the European Union 7th Framework Programme (Project Geryon), the UK National Health Service (NHS) Wales Informatics Service (NWIS), ENIAC (Project Artemos), The Applied Computational Electromagnetics Society (ACES) and Modibbo Adama University of Technology, Yola (MAUTECH). We thank them all for their support.
v
SECURITY COMPLIANCE CHALLENGES ON CLOUDS Yury Chemerkin Independent Security Researcher / PhD in progress Russian State University for the Humanities (RSUH) Moscow, Russia
[email protected]
ABSTRACT Today cloud vendors provide amount features of integration and optimization in many fields like business or education; there many way to adopt it for medical purposes, maintaining medical records, or monitoring patients. Not all cloud solutions totally changed an original security paradigm and customers still need to manage the accessibility, monitoring and auditing. An appropriate security level has become very important issue for the customers. The compliance is part of security and a cornerstone when cloud vendors refer to worldwide standards.
KEYWORDS: Cloud security, compliance, amazon web services, aws, csa cloud controls matrix, csa, cmm, caiq, csa consensus assessments initiative questionnaire
1. INTRODUCTION Cloud Computing has been one of the top security topics for the last several years. The clouds increasing popularity [1] is based on flexibility of virtualization as a technology for replacing and improving of complex parts of systems reducing unnecessary computation and usage of existing resources. Besides the well-known threats, the clouds introduce new security and management level. Cloud security vendors (not only cloud vendors, almost of all kind of vendors) claim that the end-user companies prefer a cost reduction instead the security to reduce the operation complexity of their clouds (or systems) that eventually ends with a lower amount of security that the end-user will accept. Some security questions about clouds are: how is it implemented, how are the data or communication channels secured, how are the cloud and application environments secure, etc. For example, the well-known phrase “physical security does not exist in clouds” make no serious sense because it was this way as it had been when the hosting service arrived. Customer must make any improvements than by-default configuration with each new technology. If the virtual OS is a Windows Server, then the OS has the quite similar security and patch management state as Desktop/Server OS. In addition, it is mere trust than downloading and buying third-party solutions and it might be more trustable, than cloud vendor (they are all third-party solutions).The cloud simply uses well-known protocols like SMTP, HTTP, SSL, TCP/IP etc. to communicate, send email, file handling and other activity. The methods that are compliant as a part of the RFC should indicate that they are OK. However, a key problem is a lack of a systematic analysis on the security and privacy for such cloud services. Third party organizations like the Cloud Security Alliance (CSA) promote their recommendations to improve a cloud security and have a registry of cloud vendors' security controls to help the users to make a right choice on security field. This research analyzes security aspects, which the customers rely, are basic for cloud and security standards and represent a minimal set of security state at least. Enterprises need to comply with of the different regulations and standards (PCI, CSA, HIPAA, ISO etc.). The aim of research is gaps in the recommendations of security standards (if they are) let cloud vendors
131
or their customers successfully pass the cloud audit checks and claim about compliance having difference security features between clouds capabilities. The guidelines in such documents operate at the high level that makes unclear them, miss the useful security countermeasures and adding a superfluity in the customer’s vision about the system (cloud).
2. RELATED WORK Nowadays, AWS is one of the most popular cloud platforms. It offers a virtual computing, storage, VPN, archiving, monitoring, health-watching, email and others services environment for a user to run applications, store data, operates with events and deliver event-data due the different services and by different ways. AWS offers many services more accessibility that is important with merging to the cloud. GAE is one more cloud to run web applications written using interpretation and scripts languages like Java/Python but it has limited features (security and the rest). Windows Azure makes a data spreading to the cornerstone, via neither storage nor web-server. These different goals have a huge influence on the security while all of them were built in accordance with best practices, and have security controls are well documented. As we have enough security problems and the greater quantity of security solutions to solve these problems on one hand and standards with best practices that successfully applied to the clouds (according to the cloud vendors) on another hand, it should be analyzed whether it is so difficult to pass the cloud compliance audit in accordance with these documents. In this paper, the AWS services are going to be examined as the most similar to known existing technologies. The modern recommendations for clouds are quite similar to given in the Table I at least but improved to the low details like “you should choose the cloud vendor that offers an encryption and definitely those who offer the strong encryption e.g. AES” the make a little sense. The answer “why” is relied on the customers willingness to see an action-to-do like ‘whether they should rely on this AES encryption or they need encrypt their data before uploading’. It successfully works when the customers need to check clouds to choose those provide the more security but it is bad for clouds are provided many services and security features because it is basic rules only. Table 1 The common security recommendations Object Data Ownership Data Segmentation Data Encryption Backup/Recovery Data Destruction Access Control Log Management Incident Response Security Controls Patch Management
What to do Full rights and access to data An isolation data from other customers’ data A data encryption in transit/memory/storage, at rest An availability for recovery An Ability to securely destroy when no longer needed Who has access to data? A data access that logged and monitored regularly Are there processes and notifications in place for incidents (including breaches) that affect data? An appropriate security and configuration control to data protection Patching for the latest vulnerabilities and exploits?
One more example is how such documents may substitute the customer understanding. NIST [25] talks about cloud limits on security: “the ability to decide who and what is allowed to access subscriber data and programs … the ability to monitor the status of a subscriber’s data and programs …” may follow the idea “no one cloud provides such abilities” by mistake without a knowledge about cloud infrastructure. Another misthought is about cloud firewall takes place with opinion that cloud features are useless due the following statement: a cloud
132
firewall should provide a centralized management, include pre-defined templates for common enterprise server types and enable the following: Source and Destination Addresses & Ports filtering Coverage of protocols, DoS prevention An ability to design policies per network interface Location checks who/where accessed to data Besides such detailed ‘how-to’ sets, there are enough statements that the clouds can’t provide with it, so it is still a security hole, while some of them (ex. AWS) provides these features. The Table II [7] shows a brief difference between AWS and Azure on compliance vs. documented technologies to secure and protect data. As a part of ‘non-transparency’, it is quite interesting that the different offered security features and controls have passed e.g. ISO 27xxxx, while the cloud difference (comparing each other) looks like a medium feature reduction. The cloud attributes examined [2] are backup, encryption, authentication, access controls, data isolation and monitoring, security standards, disaster recovery, client-side protection, etc. This paper provides a medium-detailed comparison and presents the cloud security/privacy attributes mapped to NIST guidelines. The [2-6], [26] give a brief examination of AWS S3 and GAE but a summary comparison over [10], [12], [14], [15] makes clear that AWS offers the most powerful and flexible features and [7][8]. Table 2 Compliance difference between AWS and Azure Type Compliance
Physical Security
Data Privacy
Network Security
Credentials
ISO 27001, CSA, HIPAA PCI DSS, FISMA, FIPS 140-2, NIST Actions, events logging, logs audit Minimum access rights Auto revocation access after N days, role changed, MFA, escort Backup, redundancy across the location Redundancy inside one geo location, encryption, DoD/NIST Destruction MITM Protection, Host-Based Firewall (ip,port,mac), Mandatory Firewall, Hypervisor protection from promiscuous Pentesting offer of services Pentesting offer of apps DDoS Protection, featured firewall Login and Passwords, SSL Cross account IAM, MFA hardware/software, Key Rotation
+ + + +
Cloud Vendor AWS Azure + N/A + +
+
N/A
+
+
+
N/A
+
+
+ + + +
+ N/A +
+
N/A
Such recommendations may also advise the different sanitizing technique to use on client of cloud side. Effective and efficient sanitization is a forensics statement. There are a lot of methods and techniques but some of them rely on brute-force wiping that extremely useless for the clouds due financial matters. The ERASERS proposed in [24] computes the entropy of each data block in the target area and wipes that block specified number of passes and pattern then. Patterns and entropy are valuable because the file types (docx, mp3, odf, pgp, acid*) have a quite different characteristics. It means that ERASERS has many subpopulations which of them applied to certain cases. It gives a faster wiping vs. regular brute force methods of overwriting. As the disk sizes increase up to petabyte scale (recently AWS offer such storage), the brute
133
force methods is becoming near impossible in time. Many drives contain areas do not have data needing overwriting, as known as for SSD that shuffles data between data block every time, but keeps the encrypted area untouched. According to NIST SP800-88 [9], “studies have shown that most of data can be effectively cleared by one overwrite with random data rather than zeroing”. The original version of DoD 5220.22-M (AWS implements this one) recommends a 3-pass wipe with one pass of a uniform character, one pass of its complement, and one pass of random characters, while the current DoD 5220.22-M does not specify the number of passes or the pattern. As ERASERS shows the good results, it should be implemented to AWS EC2 or other cloud VM. The one of the most serious work on AWS security [27] gives results as a "black box" analysis methodology in regards to the control interfaces (AWS EC2 and S3) compromised via the novel signature wrapping and advanced XSS techniques, HTML injections, as well as SOAP issues with validation and man-in-the-middle attacks. Authors examined the possible way of protection and found that AWS EC2 & S3 services do not provide the suitable opportunities to implement their solutions. Despite of that, there was found solutions based on native AWS security features to protect against these attacks [28]: Utilizing the SSL/HTTPS only with certificate validation and utilizing API access mechanisms like REST/Query instead of SOAP Activating access via MFA and creating IAM accounts limited in access, AWS credentials rotation enhanced with Key pairs and X.509 certificates Limiting IP access enhanced with API/SDK & IAM The virtualization refers to a hypervisor, while a virtual machine works with a configured snapshot of an OS image and requires well-known shared resources like memory, storage, or network. It is generally agreed that even isolation these shared resources without affecting other instances, VMs can be trusted in few cases only, while it is vulnerable under the most known XEN attacks. However, no one XEN vulnerability has not applied to AWS services [29]that brings to understanding the term “customize” in regards to clouds. Other ability to control due the AMT commands [30] is applied to VMware but there is not known successful implementations for AWS, Azure, GAE or other clouds. Also may have serious performance problems such as overloading the virtual OS with analysing CPU commands and system calls, regardless of where the trusted/untrusted control agents are, multiplied by known issues the best of all demonstrated in case of GPU [31]. There are security virtualization issues even in clouds, no doubt, and it should be taken in consideration. One exciting example [32] talks about an incorrect behavior in the SSL certificate validation mechanisms of AWS SDK for EC2, ELB, and FPS. Despite of that, AWS has updated all SDK (for all services) to redress it [13].
3. EXAMINATION THE CSA DOCUMENTS ON CLOUDS The CSA documents provide vendors and their customers with a medium-detailed overview what the statements do the cloud security features applied to as it defined in the Consensus Assessments Initiative Questionnaire (CAIQ) and Cloud Control Matrix (CCM). The cloud vendors announce that their services operate in according to them: However, the customers have a responsibility to control their environment and define whether it is really in compliance. In other words, how much are cloud controls and configurations transparent. Here the regulations meet the technical equipment as a public technical proof is going to be examined from that point at first. Each control ID (CID) will be kept to find it CAIQ [33] & CCM [34], while his explanation is rewritten to reduced amount of text and grouped by domain/control group, similar questions/metrics. Some considerations are used in tables III, IV: each abbreviation is reduced name of Control Group ID: CO-Compliance, DG - Data Governance, FS-Facility
134
Security, HR - Human Resource Security, IS - Information Security, RS – Resiliency, SA Security Architecture. Requirements from section [LG–Legal, OP–Operation Management, RI– Risk Management, RM–Release Management] and other non-technical are removed as are compliant in order to ISO 27xxx, SOC, COBIT by independent auditors and reviewers. Table 3 AWS solutions against a CAIQ CID CO-01.1
CO-02.1-7
Questions Any certifications, reports and other relevant documentation in regards to the standards An ability to provide the tenants the 3rd party audit reports, and conduct the network/application cloud penetration tests as well as internal/external audits regularly (in regards to the guidance) with results
CO-03.1-2
An ability to perform the vulnerability tests for customers (means their own tests) on applications and networks.
CO-05.1-2
An ability to logically split the tenants data into the segments (additionally, due the encryption) as well as data recovering for specific customers in case of failure or data loss
DG-01.1
An implementation of structured datalabeling standard An identifying ability of the VM via policy tags/metadata to perform any quality control/restrict actions like identifying hardware via policy & tags/metadata, using the geolocation as an authentication, providing a physical geolocation, allowing to choose suitable geolocations for resources and data routing
DG-02.1-5
DG-03.1
Any policies and mechanisms for labeling, handling and security of data
135
AWS Response AWS has this one and provides it under NDA.
AWS engages with independent auditors reviewing their services and provides the customers with the relevant 3rd party compliance/attestations/certifications reports under NDA. Such audit covers regularly scans of their (non-customer) services for vulnerabilities [22-23] the customers are also available to make pentest [21] of their own instances due the tentative agreement. Customers are able to perform it due the permission (writing email with the instances IDs and period) request via AWS Vulnerability/Penetration Testing Request Form [21] All data stored by the customers has canonical isolation by path and additional security capabilities like the permissions, personal entry points to access the data as well as MFA. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encryption storage for EC2 AMIs), SimpleDB, EC2 (due the EBS plus SSL), VPC (encrypted connections and sessions). Additionally, the customer can use any cloud services offered a backup from and to AWS services like SME Storage for cloud vendors or Veeam Backup Cloud Edition for VMs Depends on the customers’ needs and their requirements. The tenants are featured to apply any metadata and tagging to the EC2 VMs to set the userfriendly names and enhance searchability. AWS offer several regions [19]. Each of them is covered by geo location policy and access as well as is able to be restricted by SSL, IP address and a time of day. They offer move data between each other directly by the customers via API/SDK As the customers retain ownership, they are responsible to implement it.
DG-04.1-2
DG-05.1-2
The technical capabilities to enforce tenant data retention policies and documented policy on government requests A secure deletion (ex. degaussing / cryptographic wiping) and providing the procedures how a cloud vendor handles this deletion
DG-07.1-2
A presence of the controls to prevent data leakage / compromising between AWS’ tenants
DG-08.1
An availability of control health data to implementation a continuous monitoring to validate the services status
FS-04.1
A ability to provide the customers a knowledge which geo locations are under traversing into/out of it in regards law
FS-06.1 FS-07.1
Availability of docs that explain if and where data may be moved between different locations, (e.g. backups) and repurpose equipment as well as sanitizing of resources
IS-04.1-3
An ability to provide the documents with security recommendations per each component, importing the trusted VMs as well as capability to continuously monitor and report the compliance
IS-05.1
An ability to notify the customers on information security/privacy polices changes
IS-08.1-2
A docs described how the cloud vendor grant and approve access to tenant data and if provider & tenant data classification methodologies is aligned with each other A revocation/modification of user access to data upon any change in status of employees, contractors, customers, etc.
IS-09.1-2
136
The customers have capability manage retention, control, and delete their data except case when AWS must comply with law. At the end of a storage useful life, AWS performs a decommissioning process to prevent data exposing via DoD 5220.22M/NIST 800-88 techniques. In additional the device will be degaussed or physically destroyed. There were not known the serious security bugs of AWS environment successfully applied or that cannot ‘patched’ by using the implemented PCI controls [27-29] to make the resources segmented from each other. A hypervisor is designed to restrict non-allowed connections between tenant resources AWS provides the independent auditor reports under NDA and customers on their own systems can build a continuous monitoring of logical controls additionally implementing [19]. AWS imposes not to move a customers' content from them without notifying in compliance the law. The rest is similar to the DG-02.5. AWS imposes control the customers to manage the data locations. Data will not be moved between different regions, only inside that were chosen to prevent failure. The rest is similar the DG-05.1-2 (talks about the AWS side only) Customers are able [11] to use their own VMs due the image importing via AWS VM Import, as well as AWS Import/Export accelerates moving large amounts of data into/out in case of backup or disaster recover. The rest is similar to the DG-08.1 in order to ISO (domain 12.1, 15.2) Despite of AWS provides a lot of how-todocs, binary & sources [10-18], [28-29] are regularly updated, it’s better to subscribe to the news via RSS and email, because there is no other directly way to be notified The customers as data owners are responsible for the development, content, operation, maintenance, and use of their content. Amazon provides enough security control to maintain an appropriate security policy and permissions not to let spreading the data if it is
IS-12.1-2
IS-13.1
IS-17.1-3
IS-18.1-2 IS-19.1-4
A participation in the security groups with benchmarking the controls against standards A documentation clarifying the difference between administrative responsibilities vs. those of the tenant Any policies to address the conflicts of interests on SLA, tamper audit, software integrity, and detect changes of VM configurations Ability to create and manage unique encryption keys per a tenant, to encrypt data to an identity without access to a public key certificate (identity based encryption) as well, to protect a tenant data due the transmission, VMs, DB and other data via encryption, and maintain key management
IS-20.1-6
An ability to perform vulnerability scans in regards to the recommendations on application-layer, network-layer, local OS layer and patching then. Providing the info about issues to AWS who makes it public
IS-23.1-2 IS-24.1-4
An ability of SIEM to merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting. Additional providing an isolation of the certain customers due incident.
IS-28.1-2 IS-29.1
An ability to use an open encryption (3DES, AES, etc.) to let tenants to protect their data on storage and transferring over public networks. As well, an availability of logging, monitoring and restriction any access to the management systems controlled hypervisors, firewalls, APIs, etc.)
IS-34.1-3
An ability to monitor and segment/restrict the key utilities managed virtualized
137
explicitly not allowed that also built by AWS. The rest is similar to the IS-07.1-2 in regards AWS staff AWS policies is based on COBIT, ISO 27001/27002 and PCI DSS AWS provides these roles among the general security documents (it means not among the specific services documents) AWS provides the details SOC 1 Type II report in compliance with ISO 27001 (domain 8.2, 11.3) that validated by independents auditors If keys created on server side, AWS creates the unique keys and utilizes it, if it did on client side due the own or 3rd party solutions, the customers can manage it only. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encryption storage for EC2 AMIs), SimpleDB, EC2 (due the EBS plus SSL), VPC (encrypted connections and sessions), etc. Similar to the CO-03.1-2 but more detail that means the customers are should performing vuln scan and patching despite of the VMs’ OS are coming with the latest updates; they are obliged to come to the agreement with AWS and not violate the Policy. Also similar to the CO-02.6-7 on providing the results [2123] AWS have this one in compliance with ISO and Even the customers’ data stored with strong isolation from AWS side and restrictions made by them all data should be encrypted on client side, because it leads to participation with law directly as AWS does not get the keys in this case. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encryption storage for EC2 AMIs), SimpleDB, EC2 (due the EBS plus SSL), VPC (encrypted connections and sessions). Customers may use third-party encryption technologies too as well as rely on the AWS APIs are available via SSL-protected endpoints. AWS has a logging feature, delineates the minimum standards for logical access to AWS resources and provides details with SOC 1 Type II report AWS has this one and provides details with SOC 1 Type II report. AWS examines such
partitions (ex. shutdown, clone, etc.) as well as ability to detect attacks (blue pill, etc.) to the virtual key components and prevent from them SA-02.1-7
A capability to use the SSO, an identity management system, MFA Policy Enforcement Point capability (ex. XACML), to delegate authentication capabilities, to support identity federation standards (SAML, SPML, WS-Federation, etc.), use 3rd party identity assurance services
SA-03.1 SA-04.1-3 SA-05.1
Any industry standards as a background for a Data Security Architecture standards (NIST) to build-in security for SDLC, tools detecting the security defects and verify the software. An availability of I/O integrity routines for application interfaces, DB to prevent errors and data corruption
SA-06.1-2 SA-08.1 SA-07.1
Environment separation for SaaS/PaaS/IaaS, providing how-to-docs A MFA features are strong requirement for all remote access A segmentation of system and network environments with a compliance, law, protection, and regulatory as well as a protection of a network environment parameter
SA-09.1-4 SA-10.1-3 SA-11.1
SA-12.1
A NTP or other similar services
SA-13.1
An equipment identification is as a method to validate connection authentication integrity based on known location A mobile code authorization before its installation, prevention from executing and using to a clearly defined security policy
SA-15.1-2
138
attacks and provides information if they apply in section “Security Bulletins” [35]. An example of blackbox attack [27],[28] was given in the Section II of this paper with a native security features as a solution AWS IAM [15-18] provides the securely access and roles to the resources with features to control access, create unique entry points of users, cross AWS-accounts access due API/SDK or IAM console, create the permissions with duration and geo auth. AWS offers identity federation and VPC tunnels to utilize existing corporate identities to access. Additionally, customers may avoid the mistakes and risks by using AWS Policy Generator and MFA devices [20]. AWS Security based upon the best practices and standards (ISO 27001/27002, CoBIT, PCI DSS) that certified by independent auditors to build threat modeling and completion of a risk assessment as a part of SDLC. AWS implements this one through all phases including transmission, storage and processing data in compliance to ISO 27001 (domain 12.2) that certified by independent auditors. AWS provides a lot of how-to-docs, binary & sources [10-18],[28-29] MFA is not strong and depends on the customer configuration [20] An internal segmentation is in alignment with ISO and similar to the CO-05.1-2 while external is a part of the customer responsibility. Internally, a traffic restriction is under ‘deny/allow’ control by default. Externally, customers may use SSL, encryption key, encryption solutions, security policies to explicitly approve the security settings AWS services rely on the internal system clocks synchronized via NTP AWS provides such ability, for example due the AWS metadata, geo tags and other tags created by the customers The customers are responsible to manage it to meet their requirements.
Table 4 AWS solutions against a CCM CID CO-01
CO-02
CO-03
CO-06
DG-01
DG-02
DG-03
DG-04
DG-05
DG-06-07
Control Specification Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations with aim to minimize the risk of business process disruption. Independent reviews shall be performed annually/planned intervals to aim a high effective compliance policies, standards and regulations (i.e., internal/external audits, certifications, vulnerability and penetration testing) 3rd party service providers shall demonstrate compliance with security due; their reports and services should undergo audit and review. A policy to safeguard intellectual property
All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated. Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, etc. Policies/mechanisms for labeling, handling and security of data and objects which contain data Policies for data retention and storage as well as implementation of backup or redundancy mechanisms to ensure compliance with regulatory and other requirements that validated regularly Policies and mechanisms for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means. Security mechanisms to prevent data leakage.
139
AWS Response AWS has appropriate technical solutions, internal controls to protect customer data against alteration/destruction/loss/etc. Any kind of additional audit information is provided to the customers under NDA AWS shares 3rd audit reports under NDA with their customers. Such audit covers regularly scans of their (non-customer) services for vulnerabilities [22-23] while the customers are allowed to request for a pentest [21] of their own instances AWS requires to meet important privacy and security requirements conducting 3rd parties in alignment ISO 27001 (domain 6.2) AWS will not disclose customer data to a 3rd party unless it is required by law and will not use data except to detect/repair problems affecting the services Customers are responsible for maintaining it regarding their assets AWS allows customers to classify their resources by themselves (ex. applying any metadata and tagging to the EC2 VMs to set the user-friendly names & enhance searchability) Similar to DG-02
AWS infrastructure is validated regularly any purposes in alignment with security standards and featured by AWS EBS and Glacier (for data archiving and backup), but the customers have capability manage it due the API/SDK AWS rely on best practices to wipe data via DoD 5220.22-M/NIST 800-88 techniques; if it is not possible the physical destruction happens AWS has implemented logical (permissions) and physical (segmentation) controls to prevent data leakage. (ex. a hypervisor is designed to restrict non-allowed connections between tenant resources, however the endusers are responsible to manage the right sharing permissions
FS-06 FS-07
FS-08
IS-01 IS-02 IS-03
IS-04
Policies and procedures shall be established for securing and asset management for the use and secure disposal of equipment maintained and used outside the organization's premise. A complete inventory of critical assets shall be maintained with ownership defined and documented.
An implementation of ISMP included administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction An implementation of baseline security requirements for applications / DB / systems / network in compliance with policies / regulations/standards.
IS-05
An information security policy review at planned intervals
IS-07-08
An implementation of user access policies and for granting/revoking access to apps to apps, DB, and the rest in accordance with security, compliance and SLA. Implemented policies / mechanisms allowing data encryption in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as well, key management too
IS-18 IS-19
IS-20
Implemented policies and mechanisms for vulnerability and patch management on side of apps, system, and network devices
IS-21
A capability of AV solutions to detect, remove, and protect against all known types of malicious or unauthorized software with antivirus signature updates at least every 12 hours. Policies and procedures to triage security
IS-22
140
AWS imposes control the customers to manage the data locations. Data will not be moved between different regions, only inside that were chosen to prevent failure. AWS maintains a formal policy that requires assets, the hardware assets monitored by the AWS personnel and maintain the relationships with all AWS suppliers are possible in comply ISO 27001 (domain 7.1) for additional details. AWS implements ISMS to address security/privacy best practices and provides details under NDA the appropriate documentation Baseline security requirements are technically implemented with ‘deny’ configuration by default and documents among the AWS security documents for all services (ex. [1018]) Despite of AWS provides a lot of how-todocs, binary & sources [10-18], [28-29] are regularly updated, it’s better to subscribe to the news via RSS and email, because there is no other directly way to be notified by AWS All AWS services featured by IAM that provides powerful permissions items with predefined templates; If keys created on server side, AWS creates the unique keys and utilizes it, if it did on client side due the own or 3rd party solutions, the customers can manage it only. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encryption storage for EC2 AMIs), SimpleDB, EC2 (due the EBS plus SSL), VPC (encrypted connections and sessions), etc. AWS provides their services with the latest updates, performs analyzing software updates on their criticality as well as customer partially ability to perform vuln scans and patching despite of that and not violate the Policy [21-23] AWS does manage AV solutions & updates in compliance to ISO 27001 that confirmed by independent auditors. Additionally, customers should maintain their own solutions to meet their requirements AWS has defined role responsibilities and
related events and ensure timely and thorough incident management. IS-23 IS-24
IS-26
IS-32 IS-33
RS-01-08
SA-02
SA-06 SA-08
Information security events shall be reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements Policies and procedures shall be established for the acceptable use of information assets. Policies and mechanism to limit access to sensitive data (especially an application, program or object source code) from portable and mobile devices Documented policy and procedures defining continuity and disaster recovery shall be put in place to minimize the impact of a realized risk event on the organization to an acceptable level and facilitate recovery of information assets through a combination of preventive and recovery controls, in accordance with regulations and standards. Physical protection against damage from natural causes and disasters as well as deliberate attacks including fire, flood, etc. shall be implemented. An implementation of user credential and password controls for apps, DB, server and network infrastructure, requiring the following minimum standards
A segmentation of production and nonproduction environments to prevent unauthorized access, restrict connections between trusted & untrusted networks for use of all services, protocols, ports allowed
141
incident handling in internal documents in compliance with ISO and provides the SOC 1 Type Report AWS contributes with it over [21-23]
According to AWS, the customers manage and control their data only unless it needs due the law requirements or troubleshooting aimed at fix services issues AWS has this one, delineates the minimum rights for logical access to AWS resources and provides details with SOC 1 Type II report Such policies are in alignment with ISO 27001 ( domain 14.1); AWS provides a Cloudwatch services to monitor the state of AWS EC2, EBS, ELB, SQS, SNS, DynamoDB, Storage Gateways as well as a status history [19]. AWS provides several Availability Zones in each of six regions to prevent failures, but the customers are responsible to manage it across regions or other clouds vendors via API and SDK. A physical protection is in compliance ISO 27001 and 27002. Information about the transport routes is similar to the FS-06.1 AWS IAM [15-18] provides the securely access and roles to the resources with features to control access, create unique entry points of users, cross AWS-accounts access due API/SDK or IAM console, create the powerful permissions with duration and geo auth. AWS offers identity federation and VPC tunnels led to utilizing existing corporate identities to access, temporary security credentials. Additionally, the customers may avoid the mistakes and risks by using an AWS Policy Generator and MFA devices [20]. IAM allows creating and handling the sets defined in accordance with the subrules of SA-02 (in original of CMM). AWS provides a lot of how-to-docs, binary & sources (as an example [10-18],[28-29])
SA-07 SA-09 SA-10 SA-11
SA-12
SA-13
A requirement of MFA for all remote user access. A system and network environments separation via firewalls in regards to isolation of sensitive data, restrict unauthorized traffic, enhanced with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.)
An external accurate time to synchronize the system clocks of all informationprocessing systems (US GPS & EU Galileo Satellite) A capability of an automated equipment identification as a part of authentication.
SA-14
Audit logs recording privileged user access activities, shall be retained, complying with applicable policies and regulations, reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help investigation in case of incidents.
SA-15
A mobile code authorization before its installation, prevention from executing and using to a clearly defined security policy
MFA is not by default and depends on the customer configuration [20] An internal segmentation is in alignment with ISO and similar to the CO-05.1-2 while external is a part of the customer responsibility. Internally, a traffic restriction is too and has ‘deny/allow’ option in EC2/S3 by default (but the explicitly cfg is recommended), etc. Externally, the customers are able to use SSL, encryption key, encryption solutions, security policies to explicitly approve the security settings (AWS, 3rd party or their own) AWS services rely on the internal system clocks synchronized via NTP
AWS provides such ability, for example due the metadata, geo tags and other tags created by the customers AWS have this one in compliance with ISO and provides the results with SOC 1 Type II Report. AWS has the incident response program in compliance too. Even the customers’ data stored with strong isolation from AWS side and restrictions made by them, additional materials (SOC 1 Type II report) must be requested to clarify all questions on forensics. All data should be encrypted on client side, because it leads to the customers participation with law directly as AWS do not have the keys in this case. The customers are responsible to manage it to meet their requirements.
4. CONCLUSION Any complex solutions and systems like AWS, Azure, or GAE tend to prone to security compromise, because they have to operate large-scale computations, dynamic configuration. Clouds vendors do usually not disclose the technical details on security to the customers, thus raising question how to verify with appropriate requirements. The cloud security depends on whether the cloud vendors have implemented security controls that documented and enhanced with policy. However, there is a lack visibility into how clouds operate; each of them differs from other in levels of control, monitoring and securing mechanisms that widely known for non-cloud systems. The potential vulnerability requires a high degree of security combined with transparency and compliance. AWS relies on security frameworks based on various standards that certified by auditors and help customers to evaluate if/how AWS meets the requirements. CAIQ/CCM provide equivalent of them over several standards. Partially bad idea is public documents filled by vendors with general explanations referred to NDA reports multiplied by common recommendations.
142
Besides the details from 3rd party audit reports customers may require assurance in order to local laws and regulations. It is quite complicated of reducing the implementation and configuration information as a part of proprietary information (that is not bad or good, just complicated). In other words it may call for specific levels of audit logging, activity reporting, security controlling and data retention that are often not a part of SLA offered by providers. A result of an examination of AWS security controls against security standards/regulations shown in [8] and partially in [7] is successfully passing standards by use of native security features implemented in AWS Console, CLI and API/SDK only. It additionally includes cases that the current AWS security features should to be enhanced via third party security solutions like national encryption on client side before uploading data and ability to indirectly comply with requirements. Talking about security enhance, not only security controls belong to cloud layer (outside the VMs) should be used to protect data, communications, memory etc. but also internal OS controls and 3rd party solutions together. It excludes obsolescent clauses and cases ‘just wait’ a solution from AWS of inability to build and implement appropriate. OS and third party solutions are known for non-clouds system allow protecting critical and confidential information is present in different system, configuration and other files to avoid alteration, exposing, accessing of them. Examination cloud solutions such as Azure, BES with AWS & Azure, and Office365 with Cloud BES against other standards is a part of further research, however the signification direction is improving existing CSA and NIST recommendations in order to enhance transparency via utilization primarily technical requirements: on cloud layer, on inter-VM/DB & inter-cloud-services layer, on VM/DB layer.
5. REFERENCES [1]
Mell P. & Grance T. (2011) The NIST definition of cloud computing. recommendation of the national institute of standards and technology, NIST
[2]
Abuhussein, H. Bedi, S. Shiva, (2012) “Evaluating Security and Privacy in Cloud Computing Services:A Stakeholder’s Perspective”, The 7th International Conference for Internet Technology and Secured Transactions, pp. 388 – 395, Dec 2012
[3]
Feng, J., Chen, Y.& Liu, P. (2010) “Bridging the Missing Link of Cloud Data Storage Security in AWS,” 7th Consumer Communications and networking Conference (CCNC), pp.1-2, Jan 2010
[4]
Hu, Y., Lu F., Khan, I. & Bai, G. (2012) "A Cloud Computing Solution for Sharing Healthcare Information”, The 7th International Conference for Internet Technology and Secured Transactions, pp. 465 – 470, Dec 2012
[5]
“Google cloud services – App Engine”. [Online resource: www.google.com/enterprise/cloud/appengine/, Accessed:23-Nov-12]
[6]
“Technical Overview of the Security Features in the Windows Azure Platform”. [Online resource: www.google.com/enterprise/cloud/appengine/, Accessed:23-Nov-12]
[7]
Chemerkin, Y. (2012) “AWS Cloud Security from the point of view of the Compliance”, PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa Warszawa, vol. 2 №10 Issue 10/2012 (12) ISSN 2084-1116, pp. 50-59, Dec 2012
[8]
Chemerkin, Y. “Analysis of Cloud Security against the modern security standards”, draft (is going to be published in PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa Warszawa in May
[9]
Kissel, R., Scholl, M., Skolochenko, S. & Li, X. (2006) “Guidelines for media sanitization: Recommendations of the national institute of standards and technology,” in NIST SP 800-88 Report
[10]
“Amazon EC2 Microsoft API Reference. [Online resource: docs.aws.amazon.com/AWSEC2/latest/APIReference/, Accessed:05-Dec-12]
143
[11]
“AWS Import/Export Developer Guide. [Online resource: aws.amazon.com/documentation/importexport/, Accessed:16-Dec-12]
[12]
“Amazon Virtual Private Cloud Network Administrator Guide. [Online resource:docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide, Accessed:05-Dec-12]
[13]
“Reported SSL Certificate Validation Errors in API Tools and SDKs”, [Online resource: aws.amazon.com/security/security-bulletins/reported-ssl-certificate-validation-errors-in-api-toolsand-sdks/, Accessed:15-Jan-13]
[14]
“Amazon S3 API Reference. [Online resource: docs.aws.amazon.com/AmazonS3/latest/API/, Accessed:20-Dec-12]
[15]
“Amazon IAM API Reference. [Online resource: docs.aws.amazon.com/IAM/latest/APIReference/, Accessed:29-Dec-12]
[16]
“Amazon Using Temporary Security Credentials. [Online resource: docs.aws.amazon.com/IAM/latest/UsingSTS/, Accessed:29-Dec-12]
[17]
“Amazon AWS Security Token Service API Reference. [Online resource: docs.aws.amazon.com/STS/latest/APIReference/, Accessed:29-Dec-12]
[18]
“Amazon Command Line Reference. [Online resource: docs.aws.amazon.com/IAM/latest/CLIReference/, Accessed:29-Dec-12]
[19]
“AWS Services Health Status” [Online resource: status.aws.amazon.com/, Accessed:16-Feb-13]
[20]
“AWS MFA” [Online resource: aws.amazon.com/mfa, Accessed:16-Feb-13]
[21]
“AWS Vulnerability/Pentesting Request Form” [Online resource: portal.aws.amazon.com/gp/aws/html-formscontroller/contactus/AWSSecurityPenTestRequest,Accessed:16-Feb-13]
[22]
“AWS Abuses reports (EC2, other AWS services)” [Online resource: portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse, Accessed:16-Feb13]
[23]
“AWS Vulnerability Reporting” [Online resource: aws.amazon.com/security/vulnerabilityreporting/, Accessed:16-Feb-13]
[24]
Medsger, J. & Srinivasan, A. (2012) "ERASE- EntRopy-based SAnitization of SEnsitive Data for Privacy Preservation", The 7th International Conference for Internet Technology and Secured Transactions, pp. 427 – 432, Dec 2012
[25]
“DRAFT Cloud Computing Synopsis and Recommendations,” NIST Special Publication 800-146. [Online resource: csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf, Accessed:06-Jan-13]
[26]
“Security Whitepaper. Google Apps Messaging and Collaboration Products”, [Online resource: cryptome.org/2012/12/google-cloud-sec.pdf, Accessed:23-Nov-13]
[27]
Somorovsky, J., Heiderich, M., Jensen, M., Schwenk, J., Gruschka, N. & Iacono, L.L. (2011) "All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd ACM workshop on Cloud computing security workshop (CCSW), pp.3-14, Oct 2011
[28]
“Reported SOAP Request Parsing Vulnerabilities”, [Online resource: aws.amazon.com/security/security-bulletins/reported-soap-request-parsing-vulnerabilities-reso/, Accessed:15-Jan-13]
[29]
“Xen Security Advisories”, [Online resource: aws.amazon.com/security/security-bulletins/xensecurity-advisories/, Accessed:15-Jan-13]
[30]
“The Essential Intelligent Client”, [Online resource: www.vmworld.com/servlet/JiveServlet/downloadBody/5700-102-18823/Intel%20The%20Essential%20Intelligent%20Client.pdf, Accessed:15-Jan-13]
144
[31]
Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR [Online resource: news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html/, Accessed:22-Nov-13]
[32]
“The most dangerous code in the world: validating SSL certificates in non-browser software”, 19th ACM Conference on Computer and Communications Security, pp. 38-49, Oct 2012
[33]
“CSA Consensus Assessments Initiative Questionnaire v1.1” [Online resource: cloudsecurityalliance.org/research/cai/, Accessed:22-Dec-12]
[34]
“CSA Cloud Controls Matrix v1.3” [Online resource: cloudsecurityalliance.org/research/cai/, Accessed:22-Jan-13]
[35]
“AWS Securtiy Bulletins” [Online resource: aws.amazon.com/security/security-bulletins/, Accessed 16-Feb-13]
145
