2. About Me
Taiye Lambo CISSP, CISA, CISM, HISP, ISO 27001 Auditor
President & Founder, eFortresses, Inc.
Author, Holistic Information Security Practitioner (HISP) Certification Course
Founder, Holistic Information Security Practitioner (HISP) Institute – www.hispi.org
Founder, UK Honeynet Project – www.honeynet.org.uk
Hybrid technical and business information security practitioner, with 14 years
Information Security experience, including:
Delivered critical BS 7799, ISO 17799, ISO 27002 & ISO 27001 consulting
engagements to various clients in the Manufacturing, Government,
Financial Services and Healthcare sectors in the UK and US.
Presented at security events including conferences organized by
ISSA, InfraGard, ISACA, CPM, HITRUST and SOFE.
3. Caveats and Disclaimers
• This presentation provides education on cloud technology and its benefits to set up a
discussion of cloud security
• It is NOT intended to provide official eFortresses and/or NIST guidance, and NIST
does not make policy
• A mention of a vendor or product is NOT an endorsement or recommendation
Citation Note: Most sources for the material in this presentation are included
within the PowerPoint slides
4. Cloud Computing Quotes from Vivek Kundra (Federal CIO):
"The cloud will do for government what the Internet did in the '90s," he said. "We're
interested in consumer technology for the enterprise," Kundra added. "It's a fundamental
change to the way our government operates by moving to the cloud. Rather than owning the
infrastructure, we can save millions."
http://www.nextgov.com/nextgov/ng_20081126_1117.php
5. AGENDA
Part I: Effective and Secure Use
Understanding Cloud Computing
Cloud Computing Case Studies
Part II: Cloud Auditing Best Practices
ENISA
CSA
Microsoft
CloudeAssurance
7. Understanding Cloud Computing
Origin of the term “Cloud Computing”
• “Comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the
messages went… the cloud hid it from us” – Kevin Marks, Google
• First cloud around networking (TCP/IP abstraction)
• Second cloud around documents (WWW data abstraction)
• The emerging cloud abstracts infrastructure complexities of servers, applications, data, and heterogeneous
platforms
– (“muck” as Amazon’s CEO Jeff Bezos calls it)
Jeff Bezos’ quote: http://news.cnet.com/8301-13953_3-9977100-80.html?tag=mncol
Kevin Marks quote: http://news.cnet.com/8301-13953_3-9938949-80.html?tag=mncol (video interview)
8. A Working Definition of Cloud Computing
• Cloud computing is a model for enabling convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and released with minimal
management effort or service provider interaction.
• This cloud model promotes availability and is composed of five essential characteristics, three service models,
and four deployment models.
10. Three Cloud Service Models
• Cloud Software as a Service (SaaS)
– Use provider’s applications over a network
• Cloud Platform as a Service (PaaS)
– Deploy customer-created applications to a cloud
• Cloud Infrastructure as a Service (IaaS)
– Rent processing, storage, network capacity, and other fundamental computing resources
• To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key
characteristics
11. Service Model Architectures
[Figure: three stacks built on Cloud Infrastructure – SaaS Architectures (IaaS / PaaS / SaaS layers, Software as a Service), PaaS Architectures (IaaS / PaaS layers, Platform as a Service), IaaS Architectures (IaaS layer, Infrastructure as a Service)]
12. NIST Four Cloud Deployment Models
• Private cloud
– enterprise owned or leased
• Community cloud
– shared infrastructure for specific community
• Public cloud
– Sold to the public, mega-scale infrastructure
• Hybrid cloud
– composition of two or more clouds
13. The NIST Cloud Definition Framework
Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
15. General Security Advantages
• Shifting public data to an external cloud reduces the exposure of the internal
sensitive data
• Cloud homogeneity makes security auditing/testing simpler
• Clouds enable automated security management
• Redundancy / Disaster Recovery
17. Google Cloud User: City of Washington D.C.
• Vivek Kundra, Former CTO for the DC (now Federal CIO)
• Migrating 38,000 employees to Google Apps
• Replace office software
– Gmail
– Google Docs (word processing and spreadsheets)
– Google video for business
– Google sites (intranet sites and wikis)
• “It's a fundamental change to the way our government operates by moving to the cloud. Rather than owning the
infrastructure, we can save millions.” – Mr. Kundra
• 500,000+ organizations use Google Apps
18. Case Study: Facebook’s Use of Open Source and Commodity Hardware (8/08)
• Jonathan Heiliger, Facebook's vice president of technical operations
• 80 million users + 250,000 new users per day
• 50,000 transactions per second, 10,000+ servers
• Built on open source software
– Web and App tier: Apache, PHP, AJAX
– Middleware tier: Memcached (Open source caching)
– Data tier: MySQL (Open source DB)
• Thousands of DB instances store data in distributed fashion (avoids collisions of many users accessing the same DB)
• “We don't need fancy graphics chips and PCI cards," he said. “We need one USB port and optimized power and airflow. Give me one
CPU, a little memory and one power supply. If it fails, I don't care. We are solving the redundancy problem in software.”
Data taken from CNET news article and interview 8/18/08
http://news.cnet.com/8301-13953_3-10027064-80.html?tag=mncol
19. Amazon Cloud Users: New York Times and Nasdaq (4/08)
• Both companies used Amazon’s cloud offering
• New York Times
– Didn’t coordinate with Amazon, used a credit card!
– Used EC2 and S3 to convert 15 million scanned news articles to PDF (4TB data)
– Took 100 Linux computers 24 hours (would have taken months on NYT computers)
– “It was cheap experimentation, and the learning curve isn't steep.” – Derrick Gottfrid, New York Times
• Nasdaq
– Uses S3 to deliver historic stock and fund information
– Millions of files showing price changes of entities over 10 minute segments
– “The expenses of keeping all that data online [in Nasdaq servers] was too high.” – Claude Courbois, Nasdaq VP
– Created lightweight Adobe AIR application to let users view data
Source: Infoworld article (availability zones and elastic IP),
http://www.infoworld.com/article/08/03/27/Amazon-adds-resilience-to-cloud-computing_1.html
20. Case Study: Salesforce.com in Government
• 5,000+ Public Sector and Nonprofit Customers use Salesforce Cloud Computing Solutions
• President Obama’s Citizen’s Briefing Book Based on Salesforce.com Ideas application
– Concept to Live in Three Weeks
– 134,077 Registered Users
– 1.4 M Votes
– 52,015 Ideas
– Peak traffic of 149 hits per second
• US Census Bureau Uses Salesforce.com Cloud Application
– Project implemented in under 12 weeks
– 2,500+ partnership agents use Salesforce.com for 2010 decennial census
– Allows projects to scale from 200 to 2,000 users overnight to meet peak periods with no
capital expenditure
Source: http://arstechnica.com/software/news/2008/10/washington-dc-latest-to-drop-microsoft-for-web-apps.ars
Quote is from http://www.nextgov.com/nextgov/ng_20081126_1117.php
21. Case Study: Salesforce.com in Government
• New Jersey Transit Wins InfoWorld 100 Award for its Cloud Computing Project
– Uses Salesforce.com to run their call center, incident management, complaint
tracking, and service portal
– 600% More Inquiries Handled
– 0 New Agents Required
– 36% Improved Response Time
• U.S. Army uses Salesforce CRM for Cloud-based Recruiting
– U.S. Army needed a new tool to track potential recruits who visited its Army
Experience Center.
– Uses Salesforce.com to track all core recruitment functions, which allows the
Army to save time and resources.
Source: http://arstechnica.com/software/news/2008/10/washington-dc-latest-to-drop-microsoft-for-web-apps.ars
Quote is from http://www.nextgov.com/nextgov/ng_20081126_1117.php
24. ENISA
INFORMATION ASSURANCE REQUIREMENTS
PERSONNEL SECURITY
The majority of questions relating to personnel will be similar to those you would ask your own
IT personnel or other personnel who are dealing with your IT. As with most assessments,
there is a balance between the risks and the cost.
What policies and procedures do you have in place when hiring your IT administrators or
others with system access? These should include:
o pre-employment checks (identity, nationality or status, employment history and
references, criminal convictions, and vetting (for senior personnel in high privilege
roles)).
Are there different policies depending on where the data is stored or applications are run?
o For example, hiring policies in one region may be different from those in another.
o Practices need to be consistent across regions.
o It may be that sensitive data is stored in one particular region with appropriate personnel.
What security education program do you run for all staff?
Is there a process of continuous evaluation?
o How often does this occur?
o Further interviews
o Security access and privilege reviews
o Policy and procedure reviews.
25. ENISA
SUPPLY-CHAIN ASSURANCE
The following questions apply where the cloud provider subcontracts some operations that are
key to the security of the operation to third parties (e.g., a SaaS provider outsourcing the
underlying platform to a third party provider, a cloud provider outsourcing the security services
to a managed security services provider, use of an external provider for identity management
of operating systems, etc). It also includes third parties with physical or remote access to the
cloud provider infrastructure. It is assumed that this entire questionnaire may be applied
recursively to third (or nth) party cloud service providers.
Define those services that are outsourced or subcontracted in your service delivery supply
chain which are key to the security (including availability) of your operations.
Detail the procedures used to assure third parties accessing your infrastructure (physical
and/or logical).
o Do you audit your outsourcers and subcontractors and how often?
Are any SLA provisions guaranteed by outsourcers lower than the SLAs you offer to your
customers? If not, do you have supplier redundancy in place?
What measures are taken to ensure third party service levels are met and maintained?
Can the cloud provider confirm that security policy and controls are applied (contractually) to
their third party providers?
26. ENISA
OPERATIONAL SECURITY
It is expected that any commercial agreement with external providers will include service levels for
all network services. However, in addition to the defined agreements, the end customer should
still ensure that the provider employs appropriate controls to mitigate unauthorized disclosure.
Detail your change control procedure and policy. This should also include the process used to re-
assess risks as a result of changes and clarify whether the outputs are available to end
customers.
Define the remote access policy.
Does the provider maintain documented operating procedures for information systems?
Is there a staged environment to reduce risk, e.g., development, test and operational
environments, and are they separated?
Define the host and network controls employed to protect the systems hosting the applications
and information for the end customer. These should include details of certification against
external standards (e.g., ISO 27001/2).
Specify the controls used to protect against malicious code.
Are secure configurations deployed to only allow the execution of authorized mobile code and
authorized functionality (e.g., only execute specific commands)?
Detail policies and procedures for backup. This should include procedures for the management
of removable media and methods for securely destroying media no longer required. (Depending
on his business requirements, the customer may wish to put in place an independent backup
strategy. This is particularly relevant where time-critical access to back-up is required.)
27. ENISA
OPERATIONAL SECURITY
Audit logs are used in the event of an incident requiring investigation; they can also be used for
troubleshooting. For these purposes, the end customer will need assurance that such
information is available:
Can the provider detail what information is recorded within audit logs?
o For what period is this data retained?
o Is it possible to segment data within audit logs so they can be made available to the end
customer and/or law enforcement without compromising other customers and still be
admissible in court?
o What controls are employed to protect logs from unauthorized access or tampering?
o What method is used to check and protect the integrity of audit logs?
How are audit logs reviewed? What recorded events result in action being taken?
What time source is used to synchronize systems and provide accurate audit log time
stamping?
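A concrete way to answer the integrity and segmentation questions above is a hash-chained audit log: each record commits to the hash of the previous one, so deletion, reordering or in-place edits are detectable, and an extract for one customer can replace other customers' records with hash-only stubs so the chain stays verifiable without disclosing their events. The Python below is an added illustration, not ENISA's or the presentation's code; the tenant names, events and the shared MAC key standing in for a provider signature are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # 'prev' value of the first record in a chain

# Constructed key: stands in for the provider's signing key. A real deployment
# would sign the chain head with an asymmetric key or anchor it in an HSM/TSA.
PROVIDER_KEY = b"constructed-provider-mac-key"


def _canonical(record):
    # Stable serialisation so the digest does not depend on dict key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, tenant, event, actor, ts):
    """Append one record; its 'prev' field is the hash of the previous record.
    'ts' should come from a synchronised clock (NTP) so timelines line up."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "ts": ts, "tenant": tenant,
            "event": event, "actor": actor, "prev": prev}
    body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    chain.append(body)
    return body


def verify_chain(chain):
    """Recompute every hash and check linkage. Returns (ok, first_bad_seq)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or body["prev"] != prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, -1


def export_for_tenant(chain, tenant):
    """Segment the log for one customer. Other customers' records are replaced
    by hash-only stubs, so the extract still links end to end but discloses
    nothing about their events. The chain head is authenticated with a MAC."""
    records = []
    for rec in chain:
        if rec["tenant"] == tenant:
            records.append(dict(rec))
        else:
            records.append({"seq": rec["seq"], "hash": rec["hash"], "redacted": True})
    head = chain[-1]["hash"] if chain else GENESIS
    mac = hmac.new(PROVIDER_KEY, head.encode(), hashlib.sha256).hexdigest()
    return {"tenant": tenant, "records": records, "head_mac": mac}


def verify_extract(extract):
    """Visible records must hash correctly and link to their predecessor
    (visible or stub); the final hash must match the provider's MAC."""
    prev = GENESIS
    for i, rec in enumerate(extract["records"]):
        if rec["seq"] != i:
            return False
        if not rec.get("redacted"):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != rec["hash"]:
                return False
        prev = rec["hash"]
    expected = hmac.new(PROVIDER_KEY, prev.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, extract["head_mac"])


def build_sample_chain():
    """Constructed sample trail covering two tenants."""
    chain = []
    append_record(chain, "tenant-a", "login.success", "alice", "2024-03-04T09:00:00Z")
    append_record(chain, "tenant-b", "vm.delete", "bob", "2024-03-04T09:01:00Z")
    append_record(chain, "tenant-a", "key.rotate", "alice", "2024-03-04T09:02:00Z")
    append_record(chain, "tenant-b", "login.failure", "mallory", "2024-03-04T09:03:00Z")
    return chain


def tamper_demo():
    """Edit one record in a copy of the sample chain; verification pinpoints it."""
    chain = [dict(r) for r in build_sample_chain()]
    chain[1]["actor"] = "someone-else"  # in-place edit without recomputing the hash
    return verify_chain(chain)


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", verify_chain(chain))
    print("tampered chain:", tamper_demo())
    extract = export_for_tenant(chain, "tenant-a")
    print("tenant-a extract verifies:", verify_extract(extract))
    print("redacted stubs:", [r["seq"] for r in extract["records"] if r.get("redacted")])
```

The chain only proves that the log has not changed since each record was written; it does not stop a privileged insider from writing false records in the first place, which is why the questions about restricted log access and an independent time source sit alongside the integrity question.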
28. ENISA
SOFTWARE ASSURANCE
Define controls used to protect the integrity of the operating system and applications software
used. Include any standards that are followed, e.g., OWASP (46), SANS Checklist (47),
SAFECode (48).
How do you validate that new releases are fit-for-purpose or do not have risks (backdoors,
Trojans, etc)? Are these reviewed before use?
What practices are followed to keep the applications safe?
Is a software release penetration tested to ensure it does not contain vulnerabilities? If
vulnerabilities are discovered, what is the process for remedying these?
PATCH MANAGEMENT
Provide details of the patch management procedure followed.
Can you ensure that the patch management process covers all layers of the cloud delivery
technologies – i.e., network (infrastructure components, routers and switches, etc), server
operating systems, virtualization software, applications and security subsystems (firewalls,
antivirus gateways, intrusion detection systems, etc)?
29. ENISA
NETWORK ARCHITECTURE CONTROLS
Define the controls used to mitigate DDoS (distributed denial-of-service) attacks.
o Defense in depth (deep packet analysis, traffic throttling, packet black-holing, etc)
o Do you have defenses against ‘internal’ (originating from the cloud provider's networks)
attacks as well as external (originating from the Internet or customer networks) attacks?
What levels of isolation are used?
o for virtual machines, physical machines, network, storage (e.g., storage area networks),
management networks and management support systems, etc.
Does the architecture support continued operation from the cloud when the company is
separated from the service provider and vice versa (e.g., is there a critical dependency on
the customer LDAP system)?
Is the virtual network infrastructure used by cloud providers (in PVLANs and VLAN tagging
802.1q (49) architecture) secured to vendor and/or best practice specific standards (e.g., are
MAC spoofing, ARP poisoning attacks, etc, prevented via a specific security configuration)?
30. ENISA
HOST ARCHITECTURE
Does the provider ensure virtual images are hardened by default?
Is the hardened virtual image protected from unauthorized access?
Can the provider confirm that the virtualized image does not contain the authentication
credentials?
Is the host firewall run with only the minimum ports necessary to support the services within
the virtual instance?
Can a host-based intrusion prevention service (IPS) be run in the virtual instance?
31. ENISA
PAAS – APPLICATION SECURITY
Generally speaking, PaaS service providers are responsible for the security of the platform
software stack, and the recommendations throughout this document are a good foundation
for ensuring a PaaS provider has considered security principles when designing and
managing their PaaS platform. It is often difficult to obtain detailed information from PaaS
providers on exactly how they secure their platforms – however the following questions,
along with other sections within this document, should be of assistance in assessing their
offerings.
Request information on how multi-tenanted applications are isolated from each other – a high
level description of containment and isolation measures is required.
What assurance can the PaaS provider give that access to your data is restricted to your
enterprise users and to the applications you own?
The platform architecture should be classic ‘sandbox’ – does the provider ensure that the
PaaS platform sandbox is monitored for new bugs and vulnerabilities?
PaaS providers should be able to offer a set of security features (re-useable amongst their
clients) – do these include user authentication, single sign on, authorization (privilege
management), and SSL/TLS (made available via an API)?
32. ENISA
SAAS – APPLICATION SECURITY
The SaaS model dictates that the provider manages the entire suite of applications delivered to
end-users. Therefore SaaS providers are mainly responsible for securing these applications.
Customers are normally responsible for operational security processes (user and access
management). However the following questions, along with other sections within this
document, should assist in assessing their offerings:
What administration controls are provided and can these be used to assign read and write
privileges to other users?
Is the SaaS access control fine grained and can it be customized to your organizations
policy?
RESOURCE PROVISIONING
In the event of resource overload (processing, memory, storage, network)?
o What information is given about the relative priority assigned to my request in the event
of a failure in provisioning?
o Is there a lead time on service levels and changes in requirements?
How much can you scale up? Does the provider offer guarantees on maximum available
resources within a minimum period?
How fast can you scale up? Does the provider offer guarantees on the availability of
supplementary resources within a minimum period?
What processes are in place for handling large-scale trends in resource usage (e.g., seasonal
effects)?
33. ENISA
IDENTITY AND ACCESS MANAGEMENT
The following controls apply to the cloud provider’s identity and access management systems
(those under their control):
AUTHORIZATION
Do any accounts have system-wide privileges for the entire cloud system and, if so, for what
operations (read/write/delete)?
How are the accounts with the highest level of privilege authenticated and managed?
How are the most critical decisions (e.g., simultaneous de-provisioning of large resource
blocks) authorized (single or dual, and by which roles within the organization)?
Are any high-privilege roles allocated to the same person? Does this allocation break the
segregation of duties or least privilege rules?
Do you use role-based access control (RBAC)? Is the principle of least privilege followed?
What changes, if any, are made to administrator privileges and roles to allow for extraordinary
access in the event of an emergency?
Is there an ‘administrator’ role for the customer? For example, does the customer
administrator have a role in adding new users (but without allowing him to change the
underlying storage!)?
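The authorization questions above (system-wide accounts, dual authorization of critical decisions, and high-privilege roles held by one person) can be checked mechanically against an RBAC role catalogue. The Python below is an added example, not ENISA's or the presentation's code; the role names, privilege strings, toxic role pairs, dual-control operations and user assignments are all constructed for illustration.

```python
from itertools import combinations

# Constructed role catalogue for a cloud provider's management plane.
# Role names, privileges and rules are hypothetical, not from any real product.
ROLE_PRIVILEGES = {
    "tenant-admin":     {"tenant:user:create", "tenant:user:delete"},
    "storage-operator": {"storage:volume:read", "storage:volume:write"},
    "key-custodian":    {"kms:key:create", "kms:key:revoke"},
    "deprovisioner":    {"compute:bulk:delete"},
    "auditor":          {"audit:log:read"},
    "global-admin":     {"*"},  # system-wide: every operation on the whole cloud
}

# Role pairs that must never sit with one person (segregation of duties).
TOXIC_COMBINATIONS = {
    frozenset({"key-custodian", "storage-operator"}): "holds encrypted data and its keys",
    frozenset({"auditor", "global-admin"}): "audits their own administrative actions",
}

# Critical operations that need two distinct, separately privileged approvers.
DUAL_CONTROL = {"compute:bulk:delete", "kms:key:revoke"}


def effective_privileges(roles):
    """Union of the privileges granted by a set of roles."""
    privs = set()
    for role in roles:
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs


def has_privilege(privs, operation):
    return "*" in privs or operation in privs


def find_system_wide_accounts(assignments):
    """Accounts whose roles give them privileges over the entire cloud system."""
    return sorted(u for u, roles in assignments.items()
                  if "*" in effective_privileges(roles))


def find_sod_violations(assignments):
    """(user, role_a, role_b, reason) for every toxic pair held by one person."""
    violations = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            reason = TOXIC_COMBINATIONS.get(frozenset({a, b}))
            if reason:
                violations.append((user, a, b, reason))
    return violations


def authorize(operation, approvers, assignments):
    """Approve 'operation' only if every approver holds the privilege and, for
    dual-control operations, at least two *distinct* approvers signed off."""
    distinct = set(approvers)
    if not all(has_privilege(effective_privileges(assignments.get(a, ())), operation)
               for a in distinct):
        return False
    if operation in DUAL_CONTROL and len(distinct) < 2:
        return False
    return len(distinct) >= 1


# Constructed assignments to run the checks against.
SAMPLE_ASSIGNMENTS = {
    "alice": {"tenant-admin"},
    "bob":   {"storage-operator", "key-custodian"},   # segregation-of-duties violation
    "carol": {"global-admin"},                        # system-wide account
    "dave":  {"deprovisioner"},
    "erin":  {"deprovisioner"},
    "frank": {"auditor"},
}

if __name__ == "__main__":
    print("system-wide accounts:", find_system_wide_accounts(SAMPLE_ASSIGNMENTS))
    print("SoD violations:", find_sod_violations(SAMPLE_ASSIGNMENTS))
    print("bulk delete, one approver:",
          authorize("compute:bulk:delete", ["dave"], SAMPLE_ASSIGNMENTS))
    print("bulk delete, two approvers:",
          authorize("compute:bulk:delete", ["dave", "erin"], SAMPLE_ASSIGNMENTS))
```

Running the same checks against the provider's real role export (rather than this constructed one) gives an auditor evidence for the questions rather than a verbal assurance; the emergency-access question is the case where the toxic-pair and dual-control rules are most often relaxed, so that path deserves its own review.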
34. ENISA
IDENTITY PROVISIONING
What checks are made on the identity of user accounts at registration? Are any standards
followed? For example, the e-Government Interoperability Framework?
Are there different levels of identity checks based on the resources required?
What processes are in place for de-provisioning credentials?
Are credentials provisioned and de-provisioned simultaneously throughout the cloud system,
or are there any risks in de-provisioning them across multiple geographically distributed
locations?
MANAGEMENT OF PERSONAL DATA
What data storage and protection controls apply to the user directory (e.g., AD, LDAP) and
access to it?
Is user directory data exportable in an interoperable format?
Is need-to-know the basis for access to customer data within the cloud provider?
35. ENISA
KEY MANAGEMENT
For keys under the control of the cloud provider:
Are security controls in place for reading and writing those keys? For example, strong
password policies, keys stored in a separate system, hardware security modules (HSM) for
root certificate keys, smart card based authentication, direct shielded access to storage,
short key lifetime, etc.
Are security controls in place for using those keys to sign and encrypt data?
Are procedures in place in the event of a key compromise? For example, key revocation lists.
Is key revocation able to deal with simultaneity issues for multiple sites?
Are customer system images protected or encrypted?
ENCRYPTION
Encryption can be used in multiple places − where is it used?
o data in transit
o data at rest
o data in processor or memory?
Usernames and passwords?
Is there a well-defined policy for what should be encrypted and what should not be
encrypted?
Who holds the access keys?
How are the keys protected?
36. ENISA
AUTHENTICATION
What forms of authentication are used for operations requiring high assurance? This may
include login to management interfaces, key creation, access to multiple-user accounts,
firewall configuration, remote access, etc.
Is two-factor authentication used to manage critical components within the infrastructure, such
as firewalls, etc?
CREDENTIAL COMPROMISE OR THEFT
Do you provide anomaly detection (the ability to spot unusual and potentially malicious IP
traffic and user or support team behavior)? For example, analysis of failed and successful
logins, unusual time of day, and multiple logins, etc.
What provisions exist in the event of the theft of a customer’s credentials (detection,
revocation, evidence for actions)?
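The three examples ENISA gives for anomaly detection (failed and successful logins, unusual time of day, multiple logins) map directly onto rules that can be run over an authentication log. The Python below is an added illustration, not ENISA's or the presentation's code; the log format, the sample lines, the thresholds and the working-hours window are constructed and would be tuned to a real provider's baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a provider's authentication log (not real data).
SAMPLE_LOG = """\
2024-03-04T02:10:00Z success user=alice ip=203.0.113.7
2024-03-04T09:00:01Z failure user=bob ip=198.51.100.20
2024-03-04T09:00:02Z failure user=bob ip=198.51.100.20
2024-03-04T09:00:03Z failure user=bob ip=198.51.100.20
2024-03-04T09:00:04Z failure user=bob ip=198.51.100.20
2024-03-04T09:00:05Z failure user=bob ip=198.51.100.20
2024-03-04T09:00:06Z success user=bob ip=198.51.100.20
2024-03-04T10:00:00Z success user=carol ip=192.0.2.10
2024-03-04T10:02:00Z success user=carol ip=198.51.100.99
2024-03-04T11:00:00Z success user=dave ip=192.0.2.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<result>success|failure) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_log(text):
    """Parse lines into dicts; malformed lines are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_anomalies(events, fail_threshold=5, window=timedelta(minutes=5),
                     work_hours=(7, 20)):
    """Return (rule, user, detail) findings. Three rules:
    - off_hours_login: a success outside the expected working window
    - success_after_failure_burst: >= fail_threshold failures in 'window'
      followed by a success (guessed or stolen credential pattern)
    - concurrent_logins_multiple_ips: successes from 2+ IPs within 'window'"""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
                findings.append(("off_hours_login", user, e["ts"].isoformat()))
            recent = [p for p in evs[:i] if e["ts"] - p["ts"] <= window]
            failures = sum(1 for p in recent if p["result"] == "failure")
            if failures >= fail_threshold:
                findings.append(("success_after_failure_burst", user,
                                 f"{failures} failures then success from {e['ip']}"))
            ips = {p["ip"] for p in recent if p["result"] == "success"} | {e["ip"]}
            if len(ips) >= 2:
                findings.append(("concurrent_logins_multiple_ips", user,
                                 ",".join(sorted(ips))))
    return findings


def run_sample():
    return detect_anomalies(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:32} {user:8} {detail}")
```

Each finding names the user and carries the evidence (timestamp, failure count, IP set), which is what the follow-up question on "evidence for actions" asks for when a stolen credential has to be revoked.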
IDENTITY AND ACCESS MANAGEMENT SYSTEMS OFFERED TO THE CLOUD CUSTOMER
The following questions apply to the identity and access management systems which are offered
by the cloud provider for use and control by the cloud customer:
37. ENISA
IDENTITY MANAGEMENT FRAMEWORKS
Does the system allow for a federated IDM infrastructure which is interoperable both for high
assurance (OTP systems, where required) and low assurance (e.g., username and
password)?
Is the cloud provider interoperable with third party identity providers?
Is there the ability to incorporate single sign-on?
ACCESS CONTROL
Does the client credential system allow for the separation of roles and responsibilities and for
multiple domains (or a single key for multiple domains, roles and responsibilities)?
How do you manage access to customer system images – and ensure that the authentication
and cryptographic keys are not contained within them?
AUTHENTICATION
How does the cloud provider identify itself to the customer (i.e., is there mutual
authentication)?
o when the customer sends API commands?
o when the customer logs into the management interface?
Do you support a federated mechanism for authentication?
38. ENISA
ASSET MANAGEMENT
It is important to ensure the provider maintains a current list of hardware and software
(applications) assets under the cloud provider's control. This enables checks that all systems
have appropriate controls employed, and that systems cannot be used as a backdoor into
the infrastructure.
Does the provider have an automated means to inventory all assets, which facilitates their
appropriate management?
Is there a list of assets that the customer has used over a specific period of time?
The following questions are to be used where the end customer is deploying data that would
require additional protection (i.e., deemed as sensitive).
Are assets classified in terms of sensitivity and criticality?
o If so, does the provider employ appropriate segregation between systems with different
classifications and for a single customer who has systems with different security
classifications?
39. ENISA
DATA AND SERVICES PORTABILITY
This set of questions should be considered in order to understand the risks related to vendor
lock-in.
Are there documented procedures and APIs for exporting data from the cloud?
Does the vendor provide interoperable export formats for all data stored within the cloud?
In the case of SaaS, are the API interfaces used standardized?
Are there any provisions for exporting user-created applications in a standard format?
Are there processes for testing that data can be exported to another cloud provider – should
the client wish to change provider, for example?
Can the client perform their own data extraction to verify that the format is universal and is
capable of being migrated to another cloud provider?
40. ENISA
BUSINESS CONTINUITY MANAGEMENT
Providing continuity is important to an organization. Although it is possible to set service level
agreements detailing the minimum amount of time systems are available, there remain a
number of additional considerations.
Does the provider maintain a documented method that details the impact of a disruption?
o What are the RPO (recovery point objective) and RTO (recovery time objective) for
services? Detail according to the criticality of the service.
o Are information security activities appropriately addressed in the restoration process?
o What are the lines of communication to end customers in the event of a disruption?
o Are the roles and responsibilities of teams clearly identified when dealing with a
disruption?
Has the provider categorized the priority for recovery, and what would be our relative priority
(the end customer) to be restored? Note: this may be a category (HIGH/MED/LOW).
What dependencies relevant to the restoration process exist? Include suppliers and outsource
partners.
In the event of the primary site being made unavailable, what is the minimum separation for
the location of the secondary site?
41. ENISA
INCIDENT MANAGEMENT AND RESPONSE
Incident management and response is a part of business continuity management. The goal of
this process is to contain the impact of unexpected and potentially disrupting events to an
acceptable level for an organization.
To evaluate the capacity of an organization to minimize the probability of occurrence or reduce
the negative impact of an information security incident, the following questions should be
asked to a cloud provider:
Does the provider have a formal process in place for detecting, identifying, analyzing and
responding to incidents?
Is this process rehearsed to check that incident handling processes are effective? Does the
provider also ensure, during the rehearsal, that everyone within the cloud provider’s support
organization is aware of the processes and of their roles during incident handling (both
during the incident and post analysis)?
How are the detection capabilities structured?
o How can the cloud customer report anomalies and security events to the provider?
o What facilities does the provider allow for customer-selected third party RTSM services to intervene in their systems (where appropriate) or to
co-ordinate incident response capabilities with the cloud provider?
o Is there a real time security monitoring (RTSM) service in place? Is the service outsourced? What kind of parameters and services are
monitored?
o Do you provide (upon request) a periodical report on security incidents (e.g., according to the ITIL definition)?
o For how long are the security logs retained? Are those logs securely stored? Who has access to the logs?
o Is it possible for the customer to build a HIPS/HIDS in the virtual machine image? Is it possible to integrate the information collected by the
intrusion detection and prevention systems of the customer into the RTSM service of the cloud provider or that of a third party?
42. ENISA
INCIDENT MANAGEMENT AND RESPONSE
How are severity levels defined?
How are escalation procedures defined? When (if ever) is the cloud customer involved?
How are incidents documented and evidence collected?
Besides authentication, accounting and audit, what other controls are in place to prevent (or
minimize the impact of) malicious activities by insiders?
Does the provider offer the customer (upon request) a forensic image of the virtual machine?
Does the provider collect incident metrics and indicators (i.e., number of detected or reported
incidents per month, number of incidents caused by the cloud provider’s subcontractors and
the total number of such incidents, average time to respond and to resolve, etc)?
o Which of these does the provider make publicly available (NB not all incident reporting
data can be made public since it may compromise customer confidentiality and reveal
security critical information)?
How often does the provider test disaster recovery and business continuity plans?
Does the provider collect data on the levels of satisfaction with SLAs?
Does the provider carry out help desk tests? For example:
o Impersonation tests (is the person at the end of the phone requesting a password reset
really who they say they are?) or so called ‘social engineering’ attacks.
43. ENISA
INCIDENT MANAGEMENT AND RESPONSE
Does the provider carry out penetration testing? How often? What are actually tested during
the penetration test – for example, do they test the security isolation of each image to ensure
it is not possible to ‘break out’ of one image into another and also gain access to the host
infrastructure? The tests should also check to see if it is possible to gain access, via the
virtual image, to the cloud provider's management and support systems (for example the
provisioning and admin access control systems).
Does the provider carry out vulnerability testing? How often?
What is the process for rectifying vulnerabilities (hot fixes, re-configuration, uplift to later
versions of software, etc)?
44. ENISA
PHYSICAL SECURITY
As with personnel security, many of the potential issues arise because the IT infrastructure is
under the control of a third party – like traditional outsourcing, the effect of a physical security
breach can have an impact on multiple customers (organizations).
What assurance can you provide to the customer regarding the physical security of the
location? Please provide examples, and any standards that are adhered to, e.g., Section 9
of ISO 27001/2.
o Who, other than authorized IT personnel, has unescorted (physical) access to IT
infrastructure?
For example, cleaners, managers, ‘physical security’ staff, contractors, consultants,
vendors, etc.
o How often are access rights reviewed?
How quickly can access rights be revoked?
o Do you assess security risks and evaluate perimeters on a regular basis?
How frequently?
45. ENISA
PHYSICAL SECURITY
o Do you carry out regular risk assessments which include things such as neighboring
buildings?
o Do you control or monitor personnel (including third parties) who access secure areas?
o What policies or procedures do you have for loading, unloading and installing equipment?
o Are deliveries inspected for risks before installation?
o Is there an up-to-date physical inventory of items in the data centre?
o Do network cables run through public access areas?
Do you use armored cabling or conduits?
o Do you regularly survey premises to look for unauthorized equipment?
o Is there any off-site equipment?
How is this protected?
46. ENISA
PHYSICAL SECURITY
o Do your personnel use portable equipment (e.g., laptops, smart phones) which can give access to the data centre?
How are these protected?
o What measures are in place to control access cards?
o What processes or procedures are in place to destroy old media or systems when required to
do so?
data overwritten?
physical destruction?
o What authorization processes are in place for the movement of equipment from one site to
another?
How do you identify staff (or contractors) who are authorized to do this?
o How often are equipment audits carried out to monitor for unauthorized equipment removal?
o How often are checks made to ensure that the environment complies with the appropriate
legal and regulatory requirements?
47. ENISA
ENVIRONMENTAL CONTROLS
What procedures or policies are in place to ensure that environmental issues do not cause an
interruption to service?
What methods do you use to prevent damage from a fire, flood, earthquake, etc?
o In the event of a disaster, what additional security measures are put in place to protect physical access?
o Both at the primary as well as at the secondary sites?
Do you monitor the temperature and humidity in the data centre?
o Air-conditioning considerations or monitoring?
Do you protect your buildings from lightning strikes?
o Including electrical and communication lines?
Do you have stand-alone generators in the event of a power failure?
o For how long can they run?
o Are there adequate fuel supplies?
o Are there failover generators?
o How often do you check UPS equipment?
o How often do you check your generators?
o Do you have multiple power suppliers?
48. ENISA
ENVIRONMENTAL CONTROLS
Are all utilities (electricity, water, etc) capable of supporting your environment?
How often is this re-evaluated and tested?
Is your air-conditioning capable of supporting your environment?
o How often is it tested?
Do you follow manufacturers' recommended maintenance schedules?
Do you only allow authorized maintenance or repair staff onto the site?
o How do you check their identity?
When equipment is sent away for repair, is the data cleaned from it first?
o How is this done?
49. ENISA
LEGAL REQUIREMENTS
Customers and potential customers of cloud provider services should have regard to their
respective national and supra-national obligations for compliance with regulatory frameworks
and ensure that any such obligations are appropriately complied with.
The key legal questions the customer should ask the cloud provider are:
In what country is the cloud provider located?
Is the cloud provider’s infrastructure located in the same country or in different countries?
Will the cloud provider use other companies whose infrastructure is located outside that of the
cloud provider?
Where will the data be physically located?
Will jurisdiction over the contract terms and over the data be divided?
Will any of the cloud provider’s services be subcontracted out?
Will any of the cloud provider’s services be outsourced?
How will the data provided by the customer and the customer's customers be collected, processed and transferred?
What happens to the data sent to the cloud provider upon termination of the contract?
53. Cloud Security Alliance (CSA)
Domain 4: Compliance and Audit
With Cloud Computing developing as a viable and cost effective means to outsource entire systems or even entire business processes, maintaining compliance with your security policy and the various regulatory and legislative requirements to which your organization is subject can become more difficult to achieve and even harder to demonstrate to auditors and assessors.
Of the many regulations touching upon information technology with which organizations must comply, few were written with Cloud Computing in mind. Auditors and assessors may not be familiar with Cloud Computing generally or with a given cloud service in particular. That being the case, it falls upon the cloud customer to understand:
• Regulatory applicability for the use of a given cloud service
• Division of compliance responsibilities between cloud provider and cloud customer
• Cloud provider's ability to produce evidence needed for compliance
• Cloud customer's role in bridging the gap between cloud provider and auditor/assessor
54. Cloud Security Alliance (CSA)
Recommendations
√ Involve Legal and Contracts Teams. The cloud provider’s standard terms of service
may not address your compliance needs; therefore it is beneficial to have both legal and
contracts personnel involved early to ensure that cloud services contract provisions are
adequate for compliance and audit obligations.
√ Right to Audit Clause. Customers will often need the ability to audit the cloud
provider, given the dynamic natures of both the cloud and the regulatory environment.
A right to audit contract clause should be obtained whenever possible, particularly
when using the cloud provider for a service for which the customer has regulatory
compliance responsibilities. Over time, the need for this right should be reduced and in many cases replaced by appropriate cloud provider certifications, related to our recommendation for ISO/IEC 27001 certification scoping later in this section.
√ Analyze Compliance Scope. Determining whether the compliance regulations which the organization is subject to will be impacted by the use of cloud services, for a given set of applications and data.
55. Cloud Security Alliance (CSA)
Recommendations
√ Analyze Impact of Regulations on Data Security. Potential end users of Cloud Computing services should consider which applications and data they are considering moving to cloud services, and the extent to which they are subject to compliance regulations.
√ Review Relevant Partners and Services Providers. This is general guidance for ensuring that service provider relationships do not negatively impact compliance. Assessing which service providers are processing data that is subject to compliance regulations, and then assessing the security controls provided by those service providers, is fundamental. Several compliance regulations have specific language about assessing and managing third party vendor risk. As with non-cloud IT and business services, organizations need to understand which of their cloud business partners are processing data subject to compliance regulations.
56. Cloud Security Alliance (CSA)
Recommendations
√ Understand Contractual Data Protection Responsibilities and Related Contracts. The cloud service model to an extent dictates whether the customer or the cloud service provider is responsible for deploying security controls. In an IaaS deployment scenario, the customer has a greater degree of control and responsibility than in a SaaS scenario. From a security control standpoint, this means that IaaS customers will have to deploy many of the security controls for regulatory compliance. In a SaaS scenario, the cloud service provider must provide the necessary controls. From a contractual perspective, understanding the specific requirements, and ensuring that the cloud services contract and service level agreements adequately address them, are key.
√ Analyze Impact of Regulations on Provider Infrastructure. In the area of infrastructure, moving to cloud services requires careful analysis as well. Some regulatory requirements specify controls that are difficult or impossible to achieve in certain cloud service types.
57. Cloud Security Alliance (CSA)
√ Analyze Impact of Regulations on Policies and Procedures. Moving data and applications to cloud services will likely have an impact on policies and procedures. Customers should assess which policies and procedures related to regulations will have to change. Examples of impacted policies and procedures include activity reporting, logging, data retention, incident response, controls testing, and privacy policies.
√ Prepare Evidence of How Each Requirement Is Being Met. Collecting evidence of compliance across the multitude of compliance regulations and requirements is a challenge. Customers of cloud services should develop processes to collect and store compliance evidence including audit logs and activity reports, copies of system configurations, change management reports, and other test procedure output. Depending on the cloud service model, the cloud provider may need to provide much of this information.
√ Auditor Qualification and Selection. In many cases the organization has no say in selecting auditors or security assessors. If an organization does have selection input, it is highly advisable to pick a "cloud aware" auditor since many might not be familiar with cloud and virtualization challenges. Asking their familiarity with the IaaS, PaaS, and SaaS nomenclature is a good starting point.
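The "Prepare Evidence" recommendation above calls for a process to collect and store compliance evidence (audit logs, system configurations, change management reports, test output) in a form an auditor can rely on. One way to make that evidence set tamper-evident is a signed-or-timestamped manifest that ties each artifact to the requirement it supports and to a content hash. The following is an added example, not code from the presentation or from the Cloud Security Alliance; the artifacts, the `REQ-*` requirement labels and the collector name are constructed placeholders rather than real control identifiers.

```python
"""Compliance evidence manifest: records each collected artifact (audit log extract,
system configuration, change report) against the requirement it supports, with a
SHA-256 of the content so an auditor can later confirm the evidence was not altered
after collection. Added example; artifacts and requirement labels are constructed."""
import hashlib
import json

# Constructed sample artifacts: name -> (requirement label, content).
# The REQ-* labels are illustrative placeholders, not real control numbers.
ARTIFACTS = {
    "auth-audit-2009-04.log": ("REQ-LOGGING",
                               b"2009-04-01T10:00:00Z user=alice action=login result=ok\n"
                               b"2009-04-01T10:05:12Z user=bob action=login result=fail\n"),
    "firewall-policy.conf": ("REQ-CONFIG", b"default deny\nallow tcp 443 from any\n"),
    "change-report-2009-04.csv": ("REQ-CHANGE-MGMT",
                                  b"id,date,approved_by\nCHG-12,2009-04-03,ciso\n"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts, collected_at: str, collector: str) -> dict:
    """One manifest entry per artifact, in name order. collected_at is passed in
    rather than read from the clock so the manifest is reproducible."""
    entries = []
    for name in sorted(artifacts):
        requirement, content = artifacts[name]
        entries.append({
            "name": name,
            "requirement": requirement,
            "sha256": sha256_hex(content),
            "size": len(content),
        })
    return {"collected_at": collected_at, "collector": collector, "entries": entries}


def manifest_digest(manifest: dict) -> str:
    """Digest over the canonical JSON form of the manifest: the single value to sign
    or timestamp so that the list of evidence itself cannot be quietly edited."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify_manifest(manifest: dict, artifacts) -> list:
    """Names of artifacts that are missing or whose content no longer matches the
    recorded hash. An empty list means the evidence set is intact."""
    problems = []
    for entry in manifest["entries"]:
        stored = artifacts.get(entry["name"])
        if stored is None or sha256_hex(stored[1]) != entry["sha256"]:
            problems.append(entry["name"])
    return problems


def evidence_by_requirement(manifest: dict) -> dict:
    """Map each requirement to the artifacts collected for it: the view an auditor
    wants when checking that every requirement has supporting evidence."""
    index = {}
    for entry in manifest["entries"]:
        index.setdefault(entry["requirement"], []).append(entry["name"])
    return index


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS, "2009-05-01T00:00:00Z", "compliance-team")
    print(manifest_digest(manifest))
    print(verify_manifest(manifest, ARTIFACTS))
```

Where the provider supplies some of the evidence (the SaaS case in the text), the same manifest format can record the provider as `collector`, so the audit trail shows which party produced each artifact and when.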
58. Cloud Security Alliance (CSA)
√ Cloud Provider's SAS 70 Type II. Providers should have this audit statement at a minimum, as it will provide a recognizable point of reference for auditors and assessors. Since a SAS 70 Type II audit only assures that controls are implemented as documented, it is equally important to understand the scope of the SAS 70 audit, and whether these controls meet your requirements.
√ Cloud Provider's ISO/IEC 27001/27002 Roadmap. Cloud providers seeking to provide mission critical services should embrace the ISO/IEC 27001 standard for information security management systems. If the provider has not achieved ISO/IEC 27001 certification, they should demonstrate alignment with ISO 27002 practices.
√ ISO/IEC 27001/27002 Scoping. The Cloud Security Alliance is issuing an industry call to action to align cloud providers behind the ISO/IEC 27001 certification, to assure that scoping does not omit critical certification criteria.
Contributors: Nadeem Bukhari, Anton Chuvakin, Peter Gregory, Jim Hietala, Greg Kane, Patrick Sullivan
61. Windows Azure Applications, Storage and Roles
[Figure: Windows Azure application architecture diagram showing a load balancer (LB) in front of Web Role and Worker Role instances (n and m instances respectively), backed by Cloud Storage (blob, table, queue).]
Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das
62. MICROSOFT
Microsoft provides a trustworthy cloud through focus on three areas:
Utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business
Maintaining and updating a detailed set of security controls that mitigate risk
Operating a compliance framework that ensures controls are designed appropriately and are operating effectively
Microsoft is able to obtain key certifications such as International Organization for Standardization / International Society of Electrochemistry 27001:2005 (ISO/IEC 27001:2005) and Statement of Auditing Standard (SAS) 70 Type I and Type II attestations, and to more efficiently pass regular audits from independent third parties.
68. MICROSOFT
Microsoft Trustworthy Computing, home page: http://www.microsoft.com/twc
Microsoft Online Privacy Notice Highlights: http://www.microsoft.com/privacy
The ISO 27001:2005 certificate for the Global Foundation Services group at Microsoft: http://www.bsi-global.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search-Results/?pg=1&licencenumber=IS+533913&searchkey=companyXeqXmicrosoft
Microsoft Global Foundation Services, home page: http://www.globalfoundationservices.com
The Microsoft Security Development Lifecycle (SDL): http://msdn.microsoft.com/en-us/security/cc448177.aspx
Microsoft Security Development Lifecycle (SDL) – version 3.2, process guidance: http://msdn.microsoft.com/en-us/library/cc307748.aspx
Microsoft Security Response Center: http://www.microsoft.com/security/msrc
The Microsoft SDL Threat Modeling Tool: http://msdn.microsoft.com/en-us/security/dd206731.aspx
Microsoft Online Services: http://www.microsoft.com/online