
Security for Cloud Computing: 10 Steps to Ensure Success

August 2012

Contents
Acknowledgements 4
  Workgroup Leaders 4
  Key Contributors 4
  Reviewers 4
Introduction 5
Cloud Security Landscape 5
Cloud Security Guidance 7
  Step 1: Ensure effective governance, risk and compliance processes exist 8
  Step 2: Audit operational & business processes 11
  Step 3: Manage people, roles and identities 13
  Step 4: Ensure proper protection of data and information 15
  Step 5: Enforce privacy policies 18
  Step 6: Assess the security provisions for cloud applications 19
  Step 7: Ensure cloud networks and connections are secure 21
  Step 8: Evaluate security controls on physical infrastructure and facilities 25
  Step 9: Manage security terms in the cloud SLA 26
  Step 10: Understand the security requirements of the exit process 28
Cloud Security Assessment 28
Additional References 31
Appendix A: Worldwide Privacy Regulations 32
Appendix B: Acronyms & Abbreviations 34

Copyright 2012 Cloud Standards Customer Council

Page 2

2012 Cloud Standards Customer Council. All rights reserved. You may download, store, display on your computer, view, print, and link to the Security for Cloud Computing white paper at the Cloud Standards Customer Council Web site subject to the following: (a) the document may be used solely for your personal, informational, noncommercial use; (b) the document may not be modified or altered in any way; (c) the document may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the document as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Standards Customer Council Security for Cloud Computing (2012).


Acknowledgements
The Security for Cloud Computing: 10 Steps to Ensure Success document is a collaborative effort that brings together diverse customer-focused experiences and perspectives into a single guide for IT and business leaders who are considering adopting cloud computing. The following participants have provided their expertise and time to this effort.

Workgroup Leaders
Ryan Kean (The Kroger Co.) - Workgroup chair; Application Section Leader
David Harris (Boeing) - Workgroup chair; Cloud Security Assessment Section Leader
John Meegan (IBM) - Lead Technical Editor; Introduction and SLA Section Leader
Barry Pardee (Tailwind Associates) - Current Landscape Section Leader
Yves Le Roux (CA Technologies) - GRC Section Leader
Chris Dotson (IBM) - Network & Connections Section Leader
Eric Cohen (PricewaterhouseCoopers) - Auditing Section Leader
Mike Edwards (IBM) - Data Section Leader; Infrastructure Section Leader; Exit Process Section Leader
Jonathan Gershater (Trend Micro) - People, Roles & Identity Section Leader

Key Contributors
The workgroup leaders wish to recognize the following individuals for their outstanding efforts to provide content, share their expertise and ensure completeness of the white paper: Matt Rutkowski (IBM), Shamun Mahmud (DLT Solutions).

Reviewers
The following reviewers provided feedback on the white paper: Keith Trippie (Department of Homeland Security), Michael Chen (Cluster Technology Limited), Jeffery Finke (The MITRE Corporation), Dave Russell (IBM), Andrew Low (IBM).


Introduction
The aim of this guide is to provide a practical reference to help enterprise information technology (IT) and business decision makers as they analyze and consider the security implications of cloud computing on their business. The paper includes a list of steps, along with guidance and strategies, designed to help these decision makers evaluate and compare security offerings in key areas from different cloud providers.

When considering a move to use cloud computing, consumers must have a clear understanding of potential security benefits and risks associated with cloud computing, and set realistic expectations with their cloud provider. Consideration must be given to the different models of service delivery: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), as each model brings different security requirements and responsibilities. Additionally, this paper highlights the role that standards play to improve cloud security and also identifies areas where future standardization could be effective.

The section titled Current Cloud Security Landscape provides an overview of the security and privacy challenges pertinent to cloud computing and points out considerations that organizations should weigh when outsourcing data, applications, and infrastructure to a cloud computing environment.

The section titled Cloud Security Guidance is the heart of the guide and includes the steps that can be used as a basis for evaluation of cloud provider security. It discusses the threats, technology risks, and safeguards for cloud computing environments, and provides the insight needed to make informed IT decisions on their treatment. Although guidance is provided, each organization must perform its own analysis of its needs, and assess, select, engage, and oversee the cloud services that can best fulfill those needs.

The section titled Cloud Security Assessment provides consumers with an efficient method of assessing the security capabilities of cloud providers and assessing their individual risk. A questionnaire for consumers to conduct their own assessment across each of the critical security domains is provided.
A related document, the Practical Guide to Cloud Service Level Agreements [1], released by the Cloud Standards Customer Council (CSCC) in April 2012, provides additional guidance on evaluating security criteria in cloud SLAs.

[1] See http://www.cloudstandardscustomercouncil.org/2012_Practical_Guide_to_Cloud_SLAs.pdf

Cloud Security Landscape
While security and privacy concerns when using cloud computing services are similar to those of traditional non-cloud services, concerns are amplified by external control over organizational assets and the potential for mismanagement of those assets. Transitioning to public cloud computing involves a transfer of responsibility and control to the cloud provider over information as well as system components that were previously under the organization's direct control. The transition is usually accompanied by loss of direct control over the management of operations and also a loss of influence over decisions made about the computing environment.

Despite this inherent loss of control, the cloud service consumer still needs to take responsibility for their use of cloud computing services in order to maintain situational awareness, weigh alternatives, set priorities, and effect changes in security and privacy that are in the best interest of the organization. The consumer achieves this by ensuring that the contract with the provider and its associated service level agreement (SLA) has appropriate provisions for security and privacy. In particular, the SLA must help maintain legal protections for privacy relating to data stored on the provider's systems. The consumer must also ensure appropriate integration of the cloud computing services with their own systems for managing security and privacy.

Cloud computing represents a very dynamic area at the present time, with new suppliers and new offerings arriving all the time. There are a number of security risks associated with cloud computing that must be adequately addressed: [2]

- Loss of governance. For public cloud deployments, consumers necessarily cede control to the cloud provider over a number of issues that may affect security. At the same time, cloud service level agreements (SLA) may not offer a commitment to provide such capabilities on the part of the cloud provider, thus leaving gaps in security defenses.

- Responsibility ambiguity. Given that use of cloud computing services spans across the consumer and the provider organizations, responsibility for aspects of security can be spread across both organizations, with the potential for vital parts of the defenses to be left unguarded if there is a failure to allocate responsibility clearly. The split of responsibilities between consumer and provider organizations is likely to vary depending on the model being used for cloud computing (e.g. IaaS versus SaaS).
- Isolation failure. Multi-tenancy and shared resources are defining characteristics of public cloud computing. This risk category covers the failure of mechanisms separating the usage of storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks).

- Vendor lock-in. Dependency on proprietary services of a particular cloud provider could lead to the consumer being tied to that provider. Services that do not support portability of applications and data to other providers increase the risk of data and service unavailability.

- Compliance and legal risks. Investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to use cloud computing if the cloud provider cannot provide evidence of their own compliance with the relevant requirements or if the cloud provider does not permit audit by the cloud consumer. It is the responsibility of the cloud consumer to check that the cloud provider has appropriate certifications in place, but it is also necessary for the cloud consumer to be clear about the division of security responsibilities between the consumer and the provider and to ensure that the consumer's responsibilities are handled appropriately when using cloud computing services.

[2] Credit to European Network and Information Security Agency (ENISA). Visit http://www.enisa.europa.eu/ for more information.


- Handling of security incidents. The detection, reporting and subsequent management of security breaches is a concern for consumers, who are relying on providers to handle these matters.

- Management interface vulnerability. Consumer management interfaces of a public cloud provider are usually accessible through the Internet and mediate access to larger sets of resources than traditional hosting providers and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.

- Data protection. Cloud computing poses several data protection risks for cloud consumers and providers. The major concerns are exposure or release of sensitive data but also include loss or unavailability of data. In some cases, it may be difficult for the cloud consumer (in the role of data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated cloud services.

- Malicious behavior of insiders. Damage caused by the malicious actions of insiders working within an organization can be substantial, given the access and authorizations they may have. This is compounded in the cloud computing environment since such activity might occur within either or both the consumer organization and the provider organization.

- Business failure of the provider. Such failures could render data and applications essential to the consumer's business unavailable.

- Service unavailability. This could be caused by a host of factors, from equipment or software failures in the provider's data center, through failures of the communications between the consumer systems and the provider services.

- Insecure or incomplete data deletion. Requests to delete cloud resources, for example, when a consumer terminates service with a provider, may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a consumer perspective), either because extra copies of data are stored but are not available, or because the disk to be deleted also stores data from other clients. In the case of multi-tenancy and the reuse of hardware resources, this represents a higher risk to the consumer than is the case with dedicated hardware.

While the above security risks need to be addressed, use of cloud computing provides opportunities for innovation in provisioning security services that hold the prospect of improving the overall security of many organizations. Cloud service providers should be able to offer advanced facilities for supporting security and privacy due to their economies of scale and automation capabilities, potentially a boon to all consumer organizations, especially those who have limited numbers of personnel with advanced security skills.

Cloud Security Guidance
As consumers transition their applications and data to use cloud computing, it is critically important that the level of security provided in the cloud environment be equal to or better than the security provided by their traditional IT environment. Failure to ensure appropriate security protection could ultimately result in higher costs and potential loss of business, thus eliminating any of the potential benefits of cloud computing.


This section provides a prescriptive series of steps that should be taken by cloud consumers to evaluate and manage the security of their cloud environment with the goal of mitigating risk and delivering an appropriate level of support. The following steps are discussed in detail:

1. Ensure effective governance, risk and compliance processes exist
2. Audit operational and business processes
3. Manage people, roles and identities
4. Ensure proper protection of data and information
5. Enforce privacy policies
6. Assess the security provisions for cloud applications
7. Ensure cloud networks and connections are secure
8. Evaluate security controls on physical infrastructure and facilities
9. Manage security terms in the cloud SLA
10. Understand the security requirements of the exit process

Requirements and best practices are highlighted for each step. In addition, each step takes into account the realities of today's cloud computing landscape and postulates how this space is likely to evolve in the future, including the important role that standards will play to improve interoperability and comparability across providers.

Step 1: Ensure effective governance, risk and compliance processes exist
Most organizations have established security and compliance policies and procedures that are used to protect their intellectual property and corporate assets, especially in the IT space. These policies and procedures are developed based upon risk analyses to the organization considering the impact of having these assets compromised. A framework of controls and further procedures are established to mitigate risk and serve as a benchmark for the execution and validation of compliance. These principles and policies, the enterprise security plan, and the surrounding quality improvement process represent the enterprise security governance, risk management, and compliance model.

Security controls in cloud computing are similar to those in traditional IT environments. However, because of the cloud service and operational models employed with the implied organizational division of responsibilities and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions. As part of the transition to cloud computing, it is critical that consumers understand their level of risk tolerance and focus on mitigating the risks that the organization cannot afford to neglect.


The primary means a consumer of cloud service has to ensure their cloud-hosted applications and data will be secured in accordance with its security and compliance policies is to verify that the contract between the consumer and the provider, along with an associated service level agreement (SLA), contain all their requirements. It is vital for a consumer to understand all the terms related to security and to ensure that those terms meet the needs of the consumer. If a suitable contract and SLA is not available, then it is inadvisable for an organization to proceed with the use of cloud services.

Often it is not understood that the type of service model being offered by the provider (i.e. IaaS, PaaS or SaaS) has significant impact on the assumed "split of responsibilities" between the consumer and the provider to manage security and associated risks. For IaaS, the provider is supplying (and responsible for securing) basic IT resources such as machines, disks and networks. The consumer is responsible for the operating system and the entire software stack necessary to run applications, plus the data placed into the cloud computing environment. As a result, most of the responsibility for securing the applications themselves and the data they use falls onto the consumer. In contrast, for SaaS, the infrastructure, software and data are primarily the responsibility of the provider, since the consumer has little control over any of these features of the service. These aspects need appropriate handling in the contract and SLA.

From a general governance perspective, cloud providers should notify consumers about the occurrence of any breach of their system, regardless of the parties or data directly impacted. The provider should include specific pertinent information in the notification, stop the data breach as quickly as possible, restore secure access to the service as soon as possible, apply best practice forensics in investigating the circumstances and causes of the breach, and make long-term infrastructure changes to correct the root causes of the breach to ensure that it does not recur. Due to the high financial and reputational costs resulting from a breach, consumers may want the provider to indemnify them if the breach was their fault.
A fundamental design premise in cloud computing is that, as a consumer, your data can be stored by, processed on and transmitted to any of the servers or devices the cloud service provider operates. In some instances, servers hosting consumer data may be located in multiple data centers within different jurisdictions, either because the service provider has multi-jurisdictional operations or has subcontracted services to providers that operate in other jurisdictions. This means that it may be difficult at any particular point in time to know where your data actually resides, which regulators have jurisdiction and what regulations apply. This matters since some regulations restrict the allowable locations for data.

The jurisdictional issue directly influences the protection of personally identifiable information (PII) and the law enforcement access to this data. [3] There is divergence across countries in the laws on investigation and enforcement, including access to encrypted data and investigation of extraterritorial offences. A court can only hear a matter if it has jurisdiction over the parties and the subject matter of the action, while law enforcement agencies can only exercise their powers within their authorized jurisdictions.

[3] The Business Software Alliance (BSA) Global Cloud Computing Scorecard provides an assessment of security and privacy policies that countries are implementing for cloud computing. Refer to http://portal.bsa.org/cloudscorecard2012/assets/PDFs/BSA_GlobalCloudScorecard.pdf for details.

Before migrating services to a cloud computing environment, it is important to understand precisely the specific laws or regulations that apply to the services and what are the relevant duties or obligations imposed (e.g. data retention, data protection, interoperability, medical file management, disclosure to authorities). This allows consumers to identify the legal issues and the related legal risks, and consequently the impact these will have on the services being migrated to cloud computing.

One useful approach to the security challenges of cloud computing is for a cloud provider to demonstrate that they are compliant with an established set of security controls. Certification of the provider gives more confidence in that provider to prospective consumers. There are a number of different certifications which can be useful for cloud computing services; which one is most appropriate depends to some extent on the cloud service model (IaaS, PaaS, SaaS) and also depends on your regional and industry requirements.

The most widely recognized international standard for information security compliance is ISO/IEC 27001 [4], which includes national variants and well-developed certification regimes. ISO is currently developing new standards, ISO/IEC 27017 [5] "Security in Cloud Computing" and ISO/IEC 27018 [6] "Privacy in Cloud Computing", which will specifically address cloud security and privacy considerations that build upon ISO/IEC 27001.

Some organizations provide frameworks and certifications for evaluating IT security which can be applied to cloud service providers, including the American Institute of Certified Public Accountants (AICPA) and Information Systems Audit and Control Association (ISACA), which provide the SSAE 16 [7] and COBIT 5 [8] frameworks respectively. Other organizations provide specialized frameworks for specific services or industries such as the Payment Card Industry (PCI) Data Security Standard (DSS). [9]

Groups such as the Cloud Security Alliance (CSA) provide guidance which includes a Cloud Controls Matrix (CCM), a provider self-assessment program, Consensus Assessment Initiative (CAI), Certificate of Cloud Security Knowledge (CCSK), and a registry to publish the self-evaluation results (STARS). [10]

[4] See http://www.iso.org/iso/catalogue_detail?csnumber=42103 for details.
[5] See http://www.iso27001security.com/html/27017.html for details.
[6] See http://www.iso27001security.com/html/27018.html for details.
[7] See http://ssae16.com/SSAE16_overview.html for details.
[8] See http://www.isaca.org/COBIT/Pages/default.aspx for details.
[9] See https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf for details.
[10] Refer to https://cloudsecurityalliance.org/ for details on the CSA programs.

Step 2: Audit operational & business processes
Companies understand the importance of auditing the compliance of IT systems, which host their applications and data, to assess effectiveness in enforcing their corporate, industry or government requirements and policies.

As a baseline, consumers should expect to see a report of the cloud provider's operations by independent auditors. Unfettered access to essential audit information is a key consideration of contracts and SLA terms with any cloud provider. As part of any terms, cloud providers should offer timely access to and self-management of audit event, log and report information relevant to a consumer's specific data or applications.

Security compliance tends to be a significant element of any compliance framework. There are three significant areas where the consideration of security methods for cloud computing are of particular interest to cloud consumers and to auditors:

1. Understanding the internal control environment of a cloud provider, including risks, controls and other governance issues when that environment touches the provision of cloud services.
2. Access to the corporate audit trail, including workflow and authorization, when the audit trail spans cloud services.
3. Assurance of the facilities for management and control of cloud services made available to cloud consumers by cloud providers and how such facilities are secured.

Understanding the internal control environment of a cloud provider

Using the services of cloud providers creates the need for appropriate auditing of the activities of persons that may be employed by the cloud provider or consumer (along with any consumer customers and partners) to ensure that the security controls meet the requirements of the consumers. Consumers should expect to see audit information relating to any cloud provider they plan to use. There are alternative standards that can be used as the basis for auditing a service provider, such as the ISO 27000 series. These standards aim to provide the basis for assuring consumers about the nature of the controls environment in place at the cloud provider's organization.

Key controls that relate to cloud computing services include those which:
- ensure isolation of consumer applications and data in shared, multi-tenant environments
- provide protection of consumer assets from unauthorized access by the provider's staff

Auditors may be employed by the consumer or they may be employed by the provider, but the key element is that they should be independent. Auditors require access to information about the policies and procedures of a cloud provider which relate to security controls. Auditors also require access to logs and records which show whether the policies and procedures are being followed correctly and, in some cases, the auditors may require specific testing to take place to demonstrate compliance with the prescribed policies and procedures.

Security and authentication technologies, allied to event logging, in the cloud computing environment can help auditors as they deal with issues related to workflow: were those who entered, approved, changed or otherwise touched data authorized to do so, on an individual, group or role-related basis? Was that authorization appropriate on a one-time, periodic or ongoing basis?

Access to the corporate audit trail

It is vital for cloud service consumers to have appropriate audit access to cloud provider events, logs and audit trails to prove enforcement of provider security controls. Auditors need to assure cloud consumers that all the necessary information is being logged and stored appropriately by cloud providers, including authentication, authorization and management information relating to the use of particular applications and data against all security and compliance policies established by the provider or consumer.

For complete insight into security controls, as they relate to the consumer's applications and data, mechanisms for the routine flow of audit information from the provider to the consumer are recommended. This flow may include secure logs and reports against an agreed-upon schedule. There should be more timely notification of any exceptional security alerts, events or incidents, and incident management processes should be documented and audited. Any audit data should have the necessary associated information to enable forensic analysis to understand how any particular incident occurred, what assets were compromised and what policies, procedures and technologies need to be changed to prevent recurrence, along with any additional security controls that need to be established. [11] Ideally, there should be automated, standards-based, programmatic access to all of these audit facilities, to ensure timely availability of required data and to remove cost burdens associated with human processing of requests for information.
Assurance of the facilities for management and control of cloud services

In addition to controls which apply to cloud services themselves, there is also a need for providers to enable consumers to self-manage and more closely monitor the usage of their cloud-hosted applications and services. These facilities may include: service catalogs, subscription services, payment processes, the provision of streams of operational event data and logs, usage metering data, facilities for configuring services including adding and removing user identities and the configuration of authorizations.

These facilities are often more sensitive in security terms than the services and applications to which they apply, since the potential for abuse and damage may be higher. A security audit must extend to these facilities as well as to the main services of the provider.

[11] The emerging DMTF Cloud Audit Data Federation (CADF) Workgroup is planning to develop an audit event data model and a compatible interaction model that is able to describe interactions between IT resources suitable for cloud deployment models. Refer to dmtf.org/sites/default/files/CADFWG_Charter_05022011.pdf for details on the workgroup's charter.

Auditing is essential

The security audit of cloud service providers is an essential aspect of the security considerations for cloud consumers. Audits should be carried out by appropriately skilled staff, either belonging to the consumer or to an independent auditing organization. Security audits should be carried out on the basis of one of the established standards for security controls. Consumers need to check that the sets of controls in place meet their security requirements.

There is also a need to ensure proper integration of the cloud provider's reporting and logging facilities with the consumer's systems, so that appropriate operational and business data flows on a timely basis to enable consumers to manage their use of provider services.

Step 3: Manage people, roles and identities
Consumers must ensure that their cloud provider has processes and functionality that govern who has access to the consumer's data and applications. This ensures access to their cloud environments is controlled and managed.

Organizations manage dozens to thousands of employees and users who access their cloud applications and services, each with varying roles and entitlements. Cloud providers must allow the cloud consumer to assign and manage the roles and associated levels of authorization for each of their users in accordance with their security policies. These roles and authorization rights are applied on a per resource, service or application basis. For example, a cloud consumer, in accordance with its security policies, may have an employee whose role permits them to generate a purchase request, but a different role and authorization rights is granted to another employee responsible for approving the request.

The cloud provider must have a secure system for provisioning and managing unique identities for their users and services. This Identity Management functionality must support simple resource accesses and robust consumer application and service workflows. A key requirement for moving a consumer application to the cloud is assessing the provider's ability to allow the consumer to assign their user identities into access groups and roles that reflect their operational and business security policies.

Any user access or interaction with the provider's management platform, regardless of role or entitlement, should be monitored and logged to provide auditing of all access to consumer data and applications.

Table 1 highlights the key features a cloud provider should support in order for a consumer to effectively manage people, roles and identities in the cloud:
Table 1. Cloud provider support for people, roles and identities

Provider Supports: Federated Identity Management (FIM), External Identity Providers (EIP)
Consumer Considerations and Questions: Enterprises that are cloud consumers, in many cases, already have an existing database of users, most likely stored in an enterprise directory, and they wish to leverage this user database without recreating user identities.
Question to cloud provider: Can I integrate my current user store (internal database or directory of users) without recreating all my users within your cloud environment?

Provider Supports: Identity Provisioning and Delegation
Consumer Considerations and Questions: Consumer organizations need to administer their own users; the cloud provider should support delegated administration.
Question to cloud provider: What provisioning tools do you provide for onboarding and offboarding users?
Question to cloud provider: Does your platform offer delegated administration for my organization to administer users?

Provider Supports: Single Sign-On (SSO), Single Sign-Off
Consumer Considerations and Questions: Consumer organizations may wish to federate identity across applications to provide single sign-on (SSO) along with single sign-off to assure user sessions get terminated properly. For example, an organization using separate SaaS applications for CRM and ERP would like single sign-on and sign-off across these applications (e.g. using standards such as SAML [12], WS-Federation [13] and OAuth [14]).
Question to cloud provider: Do you offer single sign-on for access across multiple applications you offer or trusted federated single sign-on across applications with other vendors?

Provider Supports: Identity and Access Audit
Consumer Considerations and Questions: Consumers need auditing and logging reports relating to service usage for their own assurance as well as compliance with regulations.
Question to cloud provider: What auditing logs, reports, alerts and notifications do you provide in order to monitor user access both for my needs and for the needs of my auditor?

Provider Supports: Robust Authentication
Consumer Considerations and Questions: For access to high-value assets hosted in the cloud, cloud consumers may require that their provider support strong, multi-factor, mutual and/or even biometric authentication.
Question to cloud provider: If required, does your platform support strong, multi-factor or mutual authentication?

Provider Supports: Role, Entitlement and Policy Management
Consumer Considerations and Questions: Cloud consumers need to be able to describe and enforce their security policies, user roles, groups and entitlements to their business and operational applications and assets, with due consideration for any industry, regional or corporate requirements.
Question to cloud provider: Does your platform offer fine-grained access control so that my users can have different roles that do not create conflicts or violate compliance guidelines?

[12] Refer to https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security for details.
[13] Refer to https://www.oasis-open.org/committees/documents.php?wg_abbrev=wsfed for details.
[14] Refer to http://oauth.net/ for details.

Cloudprovidersshouldhaveformalizedprocessesformanagingtheirownemployeeaccesstoany hardwareorsoftwareusedtostore,transmitorexecuteconsumerdataandapplications,whichthey shoulddiscloseanddemonstratetotheconsumer

Step 4: Ensure proper protection of data and information

Data are at the core of IT security concerns for any organization, whatever the form of infrastructure that is used. Cloud computing does not change this, but cloud computing does bring an added focus because of the distributed nature of the cloud computing infrastructure and the shared responsibilities that it involves. Security considerations apply both to data at rest (held on some form of storage system) and also to data in motion (being transferred over some form of communication link), both of which may need particular consideration when using cloud computing services.

Essentially, the questions relating to data for cloud computing are about various forms of risk: risk of theft or unauthorized disclosure of data, risk of tampering or unauthorized modification of data, risk of loss or of unavailability of data. It is also worth remembering that in the case of cloud computing, "data assets" may well include things such as application programs or machine images, which can have the same risk considerations as the contents of databases or data files.

The general approaches to the security of data are well described in specifications such as the ISO 27002 standard, and these control-oriented approaches apply to the use of cloud computing services, with some additional cloud-specific considerations as described in the ISO 27017 standard (currently under development). Security controls as described in ISO 27002 highlight the general features that need to be addressed, to which specific techniques and technologies can then be applied.


The type of cloud service is very likely to affect the key question of who is responsible for handling particular security controls. For IaaS, more responsibility is likely to be with the consumer (e.g. for encrypting data stored on a cloud storage device); for SaaS, more responsibility is likely to be with the provider, since both the stored data and the application code are not directly visible or controllable by the consumer.

Table 2 highlights the key steps consumers should take to ensure that data involved in cloud computing activities is properly secured.

Table 2. Controls for securing data in cloud computing

Control: Create a data asset catalog
Description: A key aspect of data security is the creation of a data asset catalog, identifying all data assets, classifying those data assets in terms of criticality to the business (which can involve financial and legal considerations, including compliance requirements), specifying ownership and responsibility for the data and describing the location(s) and acceptable use of the assets. Relationships between data assets also need to be cataloged.
An associated aspect is the description of responsible parties and roles, which in the case of cloud computing must span the cloud service consumer organization and the cloud service provider organization.

Control: Consider all forms of data
Description: Organizations are increasing the amount of unstructured data held on IT systems, which can include items such as images of scanned documents and pictures of various kinds. Unstructured data can be sensitive and require specific treatment, for example redaction or masking of personal information such as signatures, addresses and license plates.
For structured data, in a multi-tenancy cloud environment, data held in databases needs consideration. Database segmentation can be offered in a couple of varieties: shared or isolated data schema.
  o In a shared data schema, each customer's data is intermixed within the same database. This means that customer A's data may reside in row 1 while customer B's data resides in row 2.
  o In an isolated architecture, the consumer's data is segregated into its own database instance. While this may provide additional isolation, it also impacts the provider's economies of scale and could, potentially, increase the cost to the consumer.
  o In either scenario, database encryption should be employed to protect all data at rest.

Control: Consider privacy requirements
Description: Data privacy often involves laws and regulations relating to the acquisition, storage and use of personally identifiable information (PII). Typically, privacy implies limitations on the use and accessibility of PII, with associated requirements to tag the data appropriately, store it securely and to permit access only by appropriately authorized users.
This requires appropriate controls to be in place, particularly when the data is stored within a cloud provider's infrastructure. The ISO 27018 standard (in preparation) addresses the controls required for PII. These controls may restrict the geographical location in which the data is stored, for example, which runs counter to one aspect of cloud computing, which is that cloud computing resources can be distributed in multiple locations.

Control: Apply confidentiality, integrity and availability
Description: The key security principles of confidentiality, integrity and availability are applied to the handling of the data, through the application of a set of policies and procedures, which should reflect the classification of the data.
Sensitive data should be encrypted, both when it is stored on some medium and also when the data is in transit across a network, for example, between storage and processing, or between the provider's system and a consumer user's system.
  o An extra consideration when using cloud computing concerns the handling of encryption keys: where are the keys stored and how are they made available to application code that needs to decrypt the data for processing? It is not advisable to store the keys alongside the encrypted data, for example.
Integrity of data can be validated using techniques such as message digests or secure hash algorithms, allied to data duplication, redundancy and backups.
Availability can be addressed through backups and/or redundant storage and resilient systems, and techniques related to the handling of denial of service attacks. There is also a need for a failover strategy, either by using a service provider who offers this as part of their service offering, or, if the provider does not offer resiliency as a feature of their services, the consumer may consider self-provision of failover by having equivalent services on standby with another provider.

Control: Apply identity and access management
Description: Identity and access management is a vital aspect of securing data (refer to Step 3: Manage people, roles and identities on page 13), with appropriate authorization being required before any user is permitted to access sensitive data in any way.
Related to this is the requirement for logging and security event management (e.g. the reporting of any security breaches) relating to the activities taking place in the cloud service provider environment.
Following from this is the need for a clear set of procedures relating to data forensics in the event of a security incident. Note that the logs and reporting mechanisms are also in need of appropriate security treatment, to prevent a wrongdoer from being able to cover their tracks.

Most of the security techniques and technologies involved are not new, although cloud computing can create new considerations. For example, if encryption is used on some data, how are the encryption keys managed and used? In addition, the way in which security is applied will most likely depend on the nature of the cloud service being offered. For IaaS, much of the security responsibility is likely to lie with the consumer. For SaaS, much more responsibility is likely to be placed onto the provider, especially since the data storage facilities may be opaque as far as the consumer is concerned.
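An added example (not from the CSCC paper) of the integrity and key-handling points in Table 2: each stored object gets a SHA-256 digest, the digest list is authenticated with an HMAC whose key stays in the consumer's own key store rather than beside the data, and a redundant copy is used to repair objects the manifest flags. The object store, key store and sample objects are constructed stand-ins, not any provider's API.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class CloudObjectStore:
    """Stand-in for a provider-side object store (constructed for this example).
    It holds the consumer's objects and the integrity manifest, but never the
    key that authenticates the manifest."""
    objects: dict = field(default_factory=dict)
    manifest: bytes = b""


@dataclass
class ConsumerKeyStore:
    """Stand-in for a key store under the consumer's control, kept apart from
    the data (constructed for this example)."""
    manifest_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))


def _digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Fixed encoding so the HMAC covers exactly the digest list, in one order.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def write_manifest(store: CloudObjectStore, keys: ConsumerKeyStore) -> None:
    """Record one SHA-256 digest per object and authenticate the list with an
    HMAC keyed from the consumer's key store."""
    entries = {name: _digest(blob) for name, blob in store.objects.items()}
    tag = hmac.new(keys.manifest_key, _canonical(entries), hashlib.sha256).hexdigest()
    store.manifest = json.dumps({"entries": entries, "hmac": tag}).encode()


def verify_store(store: CloudObjectStore, keys: ConsumerKeyStore) -> dict:
    """Check the manifest HMAC first, then each object's digest against it."""
    doc = json.loads(store.manifest)
    entries = doc["entries"]
    expected = hmac.new(keys.manifest_key, _canonical(entries), hashlib.sha256).hexdigest()
    report = {"manifest_ok": hmac.compare_digest(expected, doc["hmac"]),
              "corrupt": [], "missing": [], "unlisted": []}
    if not report["manifest_ok"]:
        return report  # the digest list itself cannot be trusted; stop here
    for name, want in entries.items():
        blob = store.objects.get(name)
        if blob is None:
            report["missing"].append(name)
        elif not hmac.compare_digest(_digest(blob), want):
            report["corrupt"].append(name)
    report["unlisted"] = sorted(set(store.objects) - set(entries))
    return report


def restore_from_replica(primary: CloudObjectStore, replica: CloudObjectStore,
                         keys: ConsumerKeyStore) -> list:
    """Repair corrupt or missing objects from a redundant copy, accepting a
    replica object only if its digest matches the authenticated manifest."""
    report = verify_store(primary, keys)
    if not report["manifest_ok"]:
        raise ValueError("manifest failed authentication; refusing to restore")
    entries = json.loads(primary.manifest)["entries"]
    restored = []
    for name in report["corrupt"] + report["missing"]:
        blob = replica.objects.get(name)
        if blob is not None and hmac.compare_digest(_digest(blob), entries[name]):
            primary.objects[name] = blob
            restored.append(name)
    return sorted(restored)


def demo() -> dict:
    """Write, tamper, detect and repair. All sample objects are constructed."""
    keys = ConsumerKeyStore()
    primary = CloudObjectStore({"customers.csv": b"id,name\n1,Alice\n",
                                "vm-image.img": b"\x7fELF constructed sample"})
    write_manifest(primary, keys)
    replica = CloudObjectStore(dict(primary.objects), primary.manifest)
    clean = verify_store(primary, keys)
    # Unauthorized modification on the provider side is caught by the digest.
    primary.objects["customers.csv"] = b"id,name\n1,Mallory\n"
    tampered = verify_store(primary, keys)
    # Rewriting the digest to match the altered object does not help without
    # the key, because the key is not stored alongside the data.
    forged = json.loads(primary.manifest)
    forged["entries"]["customers.csv"] = _digest(primary.objects["customers.csv"])
    forged_report = verify_store(CloudObjectStore(primary.objects, json.dumps(forged).encode()), keys)
    restored = restore_from_replica(primary, replica, keys)
    return {"clean": clean, "tampered": tampered, "forged": forged_report,
            "restored": restored, "after": verify_store(primary, keys)}
```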

Step 5: Enforce privacy policies

Privacy is gaining in importance across the globe, often involving laws and regulations relating to the acquisition, storage and use of personally identifiable information (PII). Typically, privacy implies limitations on the use and accessibility of PII, with associated requirements to tag the data appropriately, store it securely and to permit access only by appropriately authorized users. This requires appropriate controls to be in place, particularly when the data is stored within a cloud provider's infrastructure. The ISO 27018 standard (in preparation) addresses the controls required for PII.

In many countries, numerous laws, regulations and other mandates require public and private organizations to protect the privacy of personal data and the security of information and computer systems. Appendix A on page 31 provides an overview of the worldwide privacy regulations that currently exist.

When data is transferred to a cloud computing environment, the responsibility for protecting and securing the data typically remains with the consumer (the data controller in EU terminology [15]), even if in some circumstances this responsibility may be shared with others. When an organization relies on a third party to host or process its data, the data controller remains liable for any loss, damage, or misuse of the data. It is prudent, and may be legally required, that the data controller and the cloud provider enter into a written (legal) agreement that clearly defines the roles and expectations of the parties, and allocates between them the many responsibilities that are attached to the data at stake.

It is critical that privacy issues are adequately addressed in the cloud contract and service level agreement (SLA). If not, the cloud consumer should consider alternate means of achieving their goals, including seeking a different provider, or not putting sensitive data into the cloud computing environment. For example, if the consumer wishes to place HIPAA-covered information into a cloud computing environment, the consumer must find a cloud service provider that will sign a HIPAA business associate agreement, or else not put that data into the cloud computing environment.

Enterprises are responsible for defining policies to address privacy concerns and raise awareness of data protection within their organization. They are also responsible for ensuring that their cloud providers adhere to the defined privacy policies. Consumers have an ongoing obligation to monitor their provider's compliance with these policies. This includes an audit program covering all aspects of the privacy policies, including methods of ensuring that corrective actions will take place.

15 The European Union provides a Glossary of terms associated with Data Protection here: http://www.edps.europa.eu/EDPSWEB/edps/EDPS/Dataprotection/Glossary

Step 6: Assess the security provisions for cloud applications

Organizations need to proactively protect their business-critical applications from external and internal threats throughout their entire lifecycle, from design to implementation to production. Clearly defined security policies and processes are critical to ensure the application is enabling the business rather than introducing additional risk.

Application security poses specific challenges to the cloud provider and consumer. Organizations must apply the same diligence to application security as they do for physical and infrastructure security. If an application is compromised, it can present liability and perception issues to both the cloud provider and the consumer, especially if the ultimate end users of the application are customers of the consumer rather than employees.

In order to protect an application from various types of breaches, it is important to understand the application security policy considerations based on the different cloud deployment models. Table 3 highlights the impact of cloud deployment on application security. All of these considerations are in addition to those outlined in this white paper (facilities, network, data, etc.).

Table 3. Deployment model impact on application security

Deployment type: Infrastructure as a Service
Application security policy considerations:
- The consumer has responsibility for deployment of the complete software stack (operating system, middleware and application) and for all aspects of security that relate to this stack.
- The application security policy should closely mimic the policy of applications hosted internally by the consumer.
- The consumer should focus on network, physical environment, auditing, authorization, and authentication considerations as outlined in this document.
- The consumer is typically responsible for patching of operating system, middleware and application.
- Appropriate data encryption standards should be applied.

Deployment type: Platform as a Service
Application security policy considerations:
- The consumer has responsibility for application deployment and for securing access to the application itself.
- The provider has responsibility for properly securing the infrastructure, operating system and middleware.
- The consumer should focus on audit, authorization, and authentication considerations as outlined in this document.
- Appropriate data encryption standards should be applied.
- In a PaaS model, the consumer may or may not have knowledge of the format and location of their data. It is important that they are knowledgeable of how their data may be accessed by individuals with administrative access.

Deployment type: Software as a Service
Application security policy considerations:
- Application-tier security policy constraints are mostly the responsibility of the provider and are dependent upon terms in the contract and SLA. The consumer must ensure that these terms meet their confidentiality, integrity and availability requirements.
- It is important to understand the provider's patching schedule, controls of malware, and release cycle.
- Threshold policies help to identify unexpected spikes and reductions of user load on the application. Thresholds are based on resources, users and data requests.
- Typically, the consumer is only able to modify parameters of the application that have been exposed by the provider. These parameters are likely independent of application security configurations; however, the consumer should ensure that their configuration changes augment, not inhibit, the provider's security model.
- The consumer should have knowledge of how their data is protected against administrative access by the provider. In a SaaS model, the consumer will likely not be aware of the location and format of the data storage.
- The consumer must understand the data encryption standards which are applied to data at rest and in motion.

It should be noted that there is a cost to the consumer to ensure that these considerations are applied. The costs are typically built into technology, resources, interventions, and audits. However, these costs will likely pale in comparison to the potential liability damages and loss of reputation from an application security breach.

When developing and deploying applications in a cloud environment it is critical that consumers realize that they may be forfeiting some control and have to design their cloud applications with that consideration in mind. In addition, it is critical that consumers developing software use a structured methodology to engineer security into their cloud applications from the ground up.


Step 7: Ensure cloud networks and connections are secure

A cloud service provider must attempt to allow legitimate network traffic and drop malicious network traffic, just as any other Internet-connected organization does. However, unlike many other organizations, a cloud service provider will not necessarily know what network traffic its consumers plan to send and receive. Nevertheless, consumers should expect certain external network perimeter safety measures from their cloud providers.

To use the analogy of a hotel, we expect the hotel to provide some limited amount of perimeter security: not allowing anyone into the building without a key card during certain times of night, for example, or challenging obviously dangerous persons, even though we should not expect the hotel to deny access to every dangerous person.

With this in mind, it is recommended that consumers evaluate the external network controls of a cloud provider based on the areas highlighted in Table 4.

Table 4. External network requirements

Provider responsibility: Traffic screening
Description/Guidance: Certain traffic is almost never legitimate, for example, traffic to known malware ports. The provider should block this traffic on behalf of the consumers.
Traffic screening is generally performed by firewall devices or software. Some firewall considerations:
  o Does the provider publish a standard perimeter block list that aligns with the terms of service for the offering? Consumers should request a copy of the block list; a reasonable block list can provide a consumer with both assurance of a thoughtful network protection plan as well as some functional guidelines on what is allowed. There may be some cause for concern if the block list is not in line with the terms of service.
  o Does the provider's firewall block all IPv6 access, or protect against both IPv4 and IPv6 attacks? More and more devices are IPv6 capable, and some providers forget to limit IPv6 access, which can allow an attacker an easy way around the IPv4 firewall.
  o Is the traffic screening able to withstand and adapt to attacks such as Distributed Denial of Service attacks? DDoS attacks are more and more commonly used for extortion purposes by organized crime, and the ability of a cloud service provider and its Internet service provider to assist in blocking the unwanted traffic can be crucial to withstanding an attack.

Provider responsibility: Intrusion detection/prevention
Description/Guidance: Some traffic may look legitimate, but deeper inspection indicates that it is carrying a malicious payload such as spam, viruses, or known attacks. The provider should block or at least notify consumers about this traffic.
Intrusion detection and/or prevention systems (IDS/IPS) may be software or devices. Whereas a firewall usually only makes decisions based on source/destination, ports, and existing connections, an IDS/IPS looks at both overall traffic patterns as well as the actual contents of the messages. Many firewalls now include IDS/IPS capabilities.
Although technically not IDS/IPS devices, application-level proxies (such as e-mail gateways/relays) will often perform similar functions for certain types of network traffic and are considered here as well.
An IDS will typically only flag potential problems for human review; an IPS will take action to block the offending traffic automatically. Some IDS/IPS considerations:
  o IDS/IPS content matching can detect or block known malware attacks, virus signatures, and spam signatures, but is also subject to false positives. Does the cloud provider have a documented exception process for allowing legitimate traffic that has content similar to malware attacks or spam?
  o Similarly, IDS/IPS traffic pattern analysis can often detect or block attacks such as a denial of service attack or a network scan. However, in some cases this is perfectly legitimate traffic (such as using cloud infrastructure for load testing or security testing). Does the cloud provider have a documented exception process for allowing legitimate traffic that the IDS/IPS flags as an attack pattern?

Provider responsibility: Logging and notification
Description/Guidance: For assurance purposes and troubleshooting, it is important that consumers have some visibility into the network health.
Incident reporting and incident handling procedures must be clear, and the consumer should look for visibility into the handling process. Note that if any PII is stored in the cloud computing environment, there may be legal requirements associated with any incident.
Some network logging information is of a sensitive nature and may reveal information about other clients, so a cloud provider may not allow direct access to this information. However, it is recommended that consumers ask certain questions about logging and notification policies:
  o What is the network logging and retention policy? In the event of a successful attack, the consumer may want to perform forensic analysis, and the network logs can be very helpful.
  o What are the notification policies? As a cloud consumer, you should be notified in a timely manner if your machines are attacked or compromised and are attacking someone else.
  o Are historical statistics available on the number of attacks detected and blocked? These statistics can help a consumer understand how effective the provider's detection and blocking capabilities actually are.


Cloud computing includes a number of resources that are not shared in a traditional data center. One of these resources is the cloud provider's internal network infrastructure, such as the access switches and routers used to connect cloud virtual machines to the provider's backbone network.

Internal network security differs from external network security in that we postulate that any attackers have already made it through the external defenses, either via an attack or, more commonly, because the attackers are legitimately authorized for a different part of the network. After a user is allowed access to a portion of the cloud service provider's network, the provider has a number of additional responsibilities with respect to internal network security.

The primary categories of internal network attacks that consumers should be concerned with include:
1. Confidentiality breaches (disclosure of confidential data)
2. Integrity breaches (unauthorized modification of data)
3. Availability breaches (denial of service, either intentional or unintentional)

Consumers must evaluate the cloud service provider's internal network controls with respect to their requirements and any existing security policies the consumer may have. Each consumer's requirements will be different, but it is recommended that consumers evaluate the internal network controls of a service provider based on the areas highlighted in Table 5.

Table 5. Internal network requirements

Provider responsibility: Protect clients from one another
Description/Guidance: Cloud providers are responsible for separating their clients in multi-tenant situations. Most cloud service providers will use one or more of the following technologies for this purpose:
1. Dedicated virtual LANs, or VLANs, are a technology that makes a collection of ports on a physical Ethernet switch appear to be a separate switch. In theory, network traffic on one VLAN cannot be seen on a different VLAN any more than network traffic on one physical Ethernet switch can be seen on a different, non-connected Ethernet switch.
   VLAN separation technology is often a primary control for cloud providers and is generally very effective. However, there are documented VLAN hopping attacks that allow unauthorized traffic between VLANs, such as double tagging and switch spoofing.
   Many cloud providers offer dedicated VLANs for consumers that no other consumers should be able to access. It is recommended that consumers verify that the provider's VLAN controls address the known VLAN hopping attacks.
2. Virtual Private Networks (VPNs, also sometimes referred to simply as tunnels) can be used to connect a consumer's dedicated cloud VLAN back to the consumer's network; this configuration is commonly known as a site-to-site VPN. VPNs can also be used to allow roaming users anywhere on the Internet to securely access the consumer's VLAN; this configuration is commonly called client-to-site.
   In both cases, there are multiple technologies (such as SSL and IPSec) with different security implementations (such as certificate/credential-based or endpoint authentication). It is recommended that consumers decide whether VPNs are required, and if so ensure that the cloud provider supports the required operating mode (client-to-site or site-to-site) and security implementation.
3. Per-instance software firewalls are one of the last lines of defense and allow consumers to regulate what traffic comes into their instances by configuring the software firewall on the instance itself. If using a cloud provider's images, consumers should ensure that the images contain proper software firewall capabilities and that the rules are simple to deploy and modify. Per-instance software firewalls are particularly important when sharing a VLAN with other consumers.
4. Private VLAN (PVLAN) is a term that has two meanings. One meaning is a VLAN that is dedicated to a particular consumer, which is defined simply as Dedicated VLAN above. The second, more technical use of the term is a VLAN that prohibits all traffic between hosts on the private VLAN by default. With Private VLAN technology, consumer A and consumer B could be on the same VLAN, but still be unable to communicate with one another; they may only be allowed to talk to the router that allows internet access.
   Private VLAN technology is effective as long as the router, which is permitted to talk to all stations on the network, is not configured to relay traffic originating in the VLAN back into the VLAN, thereby bypassing the switch's controls. Private VLAN technology provides good isolation but can lead to functional problems, as cloud instances often need to talk to other cloud instances in addition to systems out on the Internet. For this reason, per-instance firewalls are more commonly used for instance separation on the same VLAN.
   If PVLAN technology is needed, it is recommended that the consumer test to ensure that the router is properly configured and that traffic between cloud instances on the same VLAN is blocked.
5. Hypervisor-based filters, such as ebtables on Linux, are functionally similar to private VLANs in that they can prohibit or allow communications at the virtual switch level. However, these can also be used to prevent attacks such as IP and MAC address spoofing. If dedicated VLANs are not used, it is recommended that the consumer ask what protections are in place to prevent another consumer's instance from masquerading as one of your instances.

Provider responsibility: Protect the provider's network
Description/Guidance: Separate the provider's network from all clients. If the provider's network is breached, it could lead to almost undetectable data loss.
The client separation strategies above are worthless if the provider's control network is not properly protected. An attacker who gains access to the provider's control network may be able to perform attacks on other consumers from the control network.
Consumers should ask what security controls are in place for the cloud infrastructure itself. While many cloud providers will not give out in-depth details of their security measures due to valid security concerns, there should be a stated security policy and some assurance (e.g. via audit and certification) that it is followed.

Provider responsibility: Monitor for intrusion attempts
Description/Guidance: Activity auditing and logging are an important part of preventive security measures as well as incident response and forensics. Audit information and logs should be subject to appropriate security controls to prevent unauthorized access, destruction or tampering.
Cloud consumers should ask what types of internal network security incidents have been reported and if there are any published statistics or metrics.
Consumers should also ask for the provider's processes for alerting consumers about both successful and unsuccessful internal network attacks.
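An added example, not from the paper, of checking the IPv6 gap raised under traffic screening in Table 4 and the per-instance software firewall in item 3 of Table 5: it parses dumps in the iptables-save / ip6tables-save format and reports when the IPv6 INPUT chain is default-accept while IPv4 is default-deny, or when IPv6 accepts ports IPv4 does not. The three rule dumps are constructed samples, and the function and variable names are this example's own.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Chain:
    policy: str                      # built-in chain policy, or "-" for user chains
    rules: list = field(default_factory=list)


def parse_save(dump: str) -> dict:
    """Parse iptables-save / ip6tables-save text into {table: {chain: Chain}}."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                     # "*filter" starts a table
            current = tables.setdefault(line[1:], {})
        elif line.startswith(":"):                   # ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            current[name] = Chain(policy)
        elif line.startswith("-A "):                 # "-A INPUT ... -j ACCEPT"
            current.setdefault(line.split()[1], Chain("-")).rules.append(line)
        elif line == "COMMIT":
            current = None
    return tables


_DPORT = re.compile(r"--dports?\s+(\S+)")
_CATCH_ALL = re.compile(r"^-A \S+ -j (DROP|REJECT)(\s|$)")


def accepted_ports(chain: Chain) -> set:
    """Destination ports explicitly accepted by the chain (multiport included)."""
    ports = set()
    for rule in chain.rules:
        m = _DPORT.search(rule)
        if "-j ACCEPT" in rule and m:
            ports.update(m.group(1).split(","))
    return ports


def default_denies(chain: Chain) -> bool:
    """True when unmatched inbound traffic is dropped: a DROP/REJECT policy,
    or an unconditional DROP/REJECT as the last rule."""
    if chain.policy in ("DROP", "REJECT"):
        return True
    return any(_CATCH_ALL.match(r) for r in chain.rules[-1:])


def audit_dual_stack(v4_dump: str, v6_dump: str) -> list:
    """Compare the IPv4 and IPv6 filter/INPUT chains and list the gaps."""
    v4 = parse_save(v4_dump).get("filter", {}).get("INPUT", Chain("ACCEPT"))
    v6 = parse_save(v6_dump).get("filter", {}).get("INPUT", Chain("ACCEPT"))
    findings = []
    if not default_denies(v4):
        findings.append("IPv4 INPUT is default-accept")
    if default_denies(v4) and not default_denies(v6):
        findings.append("IPv6 INPUT is default-accept while IPv4 INPUT is default-deny")
    extra = accepted_ports(v6) - accepted_ports(v4)
    if extra:
        findings.append("ports accepted on IPv6 but not on IPv4: " + ", ".join(sorted(extra)))
    return findings


# Constructed sample: a reasonable IPv4 per-instance ruleset.
V4_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: IPv6 left at its defaults, the gap Table 4 warns about.
WEAK_V6_RULES = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample: IPv6 mirrored from IPv4. ICMPv6 must stay open, since
# neighbor discovery runs over it; dropping it breaks IPv6 connectivity.
FIXED_V6_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: default-deny, but a port opened on IPv6 only.
DRIFTED_V6_RULES = FIXED_V6_RULES.replace("COMMIT", "-A INPUT -p tcp --dport 3306 -j ACCEPT\nCOMMIT")

if __name__ == "__main__":
    for label, v6 in (("weak", WEAK_V6_RULES), ("fixed", FIXED_V6_RULES), ("drifted", DRIFTED_V6_RULES)):
        print(label, audit_dual_stack(V4_RULES, v6))
```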

Step 8: Evaluate security controls on physical infrastructure and facilities

An important consideration for security of any IT system concerns the security of physical infrastructure and facilities. In the case of cloud computing, these considerations apply, but it will often be the case that the infrastructure and facilities will be owned and controlled by the cloud service provider, and it is the responsibility of the cloud consumer to get assurance from the provider that appropriate security controls are in place. Assurance may be provided by means of audit and assessment reports, demonstrating compliance to such security standards as ISO 27002.

A brief description of the security controls that should apply to the physical infrastructure and facilities of a cloud provider includes:
- Physical infrastructure and facilities should be held in secure areas. A physical security perimeter should be in place to prevent unauthorized access, allied to physical entry controls to ensure that only authorized personnel have access to areas containing sensitive infrastructure. Appropriate physical security should be in place for all offices, rooms and facilities which contain physical infrastructure relevant to the provision of cloud services.
- Protection against external and environmental threats. Protection should be provided against things like fire, floods, earthquakes, civil unrest or other potential threats which could disrupt cloud services.
- Control of personnel working in secure areas. Such controls should be applied to prevent malicious actions.
- Equipment security controls. These should be in place to prevent loss, theft, damage or compromise of assets.
- Supporting utilities such as electricity supply, gas supply, and water supply should have controls in place. These are required to prevent disruption either by failure of service or by malfunction (e.g. water leakage). This may require multiple routes and multiple utility suppliers.
- Control security of cabling, in particular power cabling and telecommunications cabling, to prevent accidental or malicious damage.
- Proper equipment maintenance. This should be performed to ensure that services are not disrupted through foreseeable equipment failures.
- Control of removal of assets. Required to avoid theft of valuable and sensitive assets.
- Secure disposal or reuse of equipment, particularly any devices which might contain data, such as storage media.
- Human resources security. Appropriate controls need to be in place for the staff working at the facilities of a cloud provider, including any temporary or contract staff.
- Backup, redundancy and continuity plans. The provider should have appropriate backup of data, redundancy of equipment and continuity plans for handling equipment failure situations.

Effective physical security requires a centralized management system that allows for correlation of inputs from various sources, including property, employees, customers, the general public, and local and regional weather. For more detail on the controls and considerations that apply to each of these items, refer to the ISO 27002 standard.

Step 9: Manage security terms in the cloud SLA

Since cloud computing typically involves two organizations, the service consumer and the service provider, security responsibilities of each party must be made clear. This is typically done by means of a service level agreement (SLA) which applies to the services provided, and the terms of the contract between the consumer and the provider. The SLA should specify security responsibilities and should include aspects such as the reporting of security breaches. SLAs for cloud computing are discussed in more detail in the CSCC document "Practical Guide to Cloud Service Level Agreements, Version 1.0".

One feature of an SLA relating to security is that any requirements that are placed on the cloud provider by the SLA must also pass on to any peer cloud service providers that the provider may use in order to supply any part of their service(s).

It should be explicitly documented in the cloud SLA that providers must notify consumers about the occurrence of any breach of their system, regardless of the parties or data directly impacted. The provider should include specific pertinent information in the notification, stop the data breach as quickly as possible, restore secure access to the service as soon as possible, apply best practice forensics in investigating the circumstances and causes of the breach, and make long-term infrastructure changes to correct the root causes of the breach to ensure that it does not recur. Due to the high financial and reputational costs resulting from a breach, consumers may want the provider to indemnify them if the breach was the provider's fault.

Metrics and standards for measuring performance and effectiveness of information security management should be established prior to subscribing to cloud services and should be specified in the cloud SLA. At a minimum, organizations should understand and document their current metrics and how they will change when operations make use of cloud computing and where a provider may use different (potentially incompatible) metrics. Refer to the following resources for specific information on security metrics:
- ISO 27004:2009 [16]
- NIST Special Publication (SP) 800-55 Rev. 1, Performance Measurement Guide for Information Security [17]
- CIS Consensus Security Metrics v1.1.0 [18]

Measuring and reporting on a provider's compliance with respect to data protection is a tangible metric of the effectiveness of the overall enterprise security plan. A data compliance report should be required from the cloud provider; it reflects the strength or weakness of controls, services, and mechanisms supported by the provider in all security domains.

The importance of role clarity is increased when discussing security implications. This is also complicated by the cloud computing technical architecture. Each cloud computing model requires distinct responsibilities for the provider and consumer. In the IaaS model, the onus for securing and reporting upon the infrastructure falls on the provider, but all responsibility for the software stack from the operating system to the application is the responsibility of the consumer. [19] In the PaaS model, the provider is responsible for securing the infrastructure and platform, and the responsibility for the application lies with the consumer. Finally, in the SaaS model, the provider has total responsibility for security. Even in an instance where the provider bears all responsibility, the consumer should validate that the provider has instituted the appropriate measures to ensure a secure environment.

16 See http://www.iso.org/iso/catalogue_detail.htm?csnumber=42106.
17 See http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf.
18 See http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.metrics.110.
19 The cloud provider is responsible for logging and timely data retrieval and provision to the consumer in an incident response scenario.


Step 10: Understand the security requirements of the exit process

The exit process, or termination of the use of a cloud service by a consumer, requires careful consideration from a security perspective. The overall need for a well-defined and documented exit process is described in the CSCC document "Practical Guide to Cloud Service Level Agreements, Version 1.0".

From a security perspective, it is important that once the consumer has completed the termination process, "reversibility" or "the right to be forgotten" is achieved, i.e. none of the consumer's data should remain with the provider. The provider must ensure that any copies of the data are wiped clean from the provider's environment, wherever they may have been stored (i.e. including backup locations as well as online data stores). Note that other data held by the provider may need "cleansing" of information relating to the consumer (e.g. logs and audit trails), although some jurisdictions may require retention of records of this type for specified periods by law.

Clearly, there is the opposite problem during the exit process itself: the consumer must be able to ensure a smooth transition, without loss or breach of data. Thus the exit process must allow the consumer to retrieve their data in a suitably secure form, backups must be retained for agreed periods before being eliminated, and associated event logs and reporting data must also be retained until the exit process is complete.

CloudSecurityAssessment
Thecriticalquestionsthatcloudconsumersshouldaskthemselvesandtheircloudprovidersduringeach stepofthesecurityassessmentarehighlightedinTable6.
Table 6. Cloud Security Assessment

Security Step / Assessment Questions

1. Ensure effective governance, risk and compliance processes exist
   - Does the consumer have governance and compliance processes in place for the use of cloud services?
   - Does the provider have appropriate governance and notification processes for their services, as required by the consumer?
   - Is it clear what legal and regulatory controls apply to the provider's services?

2. Audit and ensure proper reporting of operational and business processes
   - Is audit information available for the provider services? Does the audit information conform to one of the accepted standards for security audit such as ISO 27001?
   - Does the provider have mechanisms in place to provide reporting for both normal or exception behavior relating to their services?
   - Is it clear that the provider's management interfaces (for use by consumers) have adequate security controls in place?
   - Is there an Incident Reporting and Incident Handling process that meets the needs of the consumer?

3. Manage people, roles and identities
   - Do the provider services offer fine-grained access control?
   - Is single sign-on possible with the provider's services?
   - Can the provider give reports for monitoring user access?
   - Is it possible to integrate consumer identity management with the identity management facilities of the provider?

4. Ensure proper protection of data and information
   - Is there a data asset catalog for all data which will be used or stored in the cloud environment?
   - Is there a description of responsible parties and roles?
   - Has the handling of all forms of data been considered, in particular unstructured data such as images?
   - For structured data held in databases within the cloud provider's environment, is there proper separation of data belonging to different consumers in a multi-tenant environment?
   - Has appropriate confidentiality, integrity and availability been applied to data used or stored in the cloud environment?

5. Enforce privacy policies
   - Is PII going to be stored/processed by the cloud services?
   - Do the provider's services have appropriate controls in place for handling PII?
   - Are responsibilities for handling PII stated in the SLA?
   - If there is a security breach, are responsibilities for reporting and resolving the breach clear, including priorities and timescales?

6. Assess the security provisions for cloud applications
   - Is it clear whether responsibility for applications running on cloud infrastructure lies with the consumer or with the provider?
   - Where the responsibility lies with the consumer, does the consumer have governance and policies in place that ensure the appropriate security provisions are applied to each application?
   - Where the responsibility lies with the provider, does the SLA make the provider's responsibilities clear and require specific security provisions to be applied to each application and all data?

7. Ensure cloud networks and connections are secure
   - Is network traffic screened?
   - Does the provider's network have intrusion detection & prevention in place?
   - Does the network provide the consumer with logging and notification?
   - Is there separation of network traffic in a shared multi-tenant provider environment?
   - Is consumer network access separated from provider network access?

8. Evaluate security controls on physical infrastructure and facilities
   - Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?
   - Does the service provider have facilities in place to ensure continuity of service in the face of environmental threats or equipment failures?
   - Does the cloud service provider have necessary security controls on their human resources?

9. Manage security terms in the cloud SLA
   - Does the cloud SLA specify security responsibilities of the provider and of the consumer?
   - Does the SLA require that all security terms must also pass down to any peer cloud service providers used by the provider?
   - Does the SLA have metrics for measuring performance and effectiveness of security management?
   - Does the SLA explicitly document procedures for notification and handling of security incidents?

10. Understand the security requirements of the exit process
   - Is there a documented exit process as part of the contract/SLA?
   - Is it clear that all consumer data is deleted from the provider's environment at the end of the exit process?
   - Is consumer data protected against loss or breach during the exit process?

Copyright 2012 Cloud Standards Customer Council

Additional References

Cloud Standards Customer Council (2011). Practical Guide to Cloud Computing. http://www.cloud-council.org/10052011.htm
This guide provides a practical reference to help enterprise information technology (IT) and business decision makers adopt cloud computing to solve business challenges.

Mell, P., & Grance, T. (2011). The NIST Definition of Cloud Computing (Draft): Recommendations of the National Institute. Gaithersburg: National Institute of Standards and Technology. http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf
This white paper defines cloud computing, the five essential characteristics, three service models, and four deployment models.

Article 29 Data Protection Working Party. Opinion 05/2012 on Cloud Computing. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf
In this Opinion the Article 29 Working Party analyses all relevant issues for cloud computing service providers operating in the European Economic Area (EEA) and their clients, specifying all applicable principles from the EU Data Protection Directive (95/46/EC) and the e-Privacy Directive 2002/58/EC (as revised by 2009/136/EC) where relevant.

IBM (2011). Craft a Cloud Service Security Policy. http://www.ibm.com/developerworks/cloud/library/cl-cloudsecurepolicy/
In this article, the author explains how to craft a cloud security policy for managing users, protecting data, and securing virtual machines.

Catteddu, D. & Hogben, G. (November 2009). Cloud Computing: Benefits, risks and recommendations for information security. European Network and Information Security Agency. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
This white paper provides security guidance for potential and existing users of cloud computing.

Cloud Security Alliance (August 15, 2010). CSA GRC Stack including CCM v1.1. https://cloudsecurityalliance.org/research/initiatives/grc-stack/
This is an integrated suite of four CSA initiatives: CloudAudit, Cloud Controls Matrix, Consensus Assessments Initiative Questionnaire and the CloudTrust Protocol.

Cloud Security Alliance (2011). Security Guidance for Critical Areas of Focus in Cloud Computing Version 3.0. http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
This document provides an actionable, practical roadmap to managers wanting to adopt the cloud paradigm safely and securely.

Daskala, B. & Marinos, L. EFR (March, 2010). Emerging and Future Risks Framework, Introductory Manual. European Network and Information Security Agency. http://www.enisa.europa.eu/act/rm/files/deliverables/efr-framework-handbook
This handbook provides the documentation of the EFR Framework, which consists of a scenario-based process model developed in order to assess and manage emerging and future risks.

Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media. http://www.amazon.com/Cloud-Security-Privacy-Enterprise-Perspective/dp/0596802765
Insight from knowledgeable experts including a former Chief Security Strategist for RSA on how to keep your virtual infrastructure and web applications secure.

Appendix A: Worldwide Privacy Regulations

Region / Regulation

Asia Pacific region, Japan, Australia, New Zealand, and others
These regions have adopted data protection laws that require the data controller to adopt reasonable technical, physical, and administrative measures in order to protect personal data from loss, misuse, or alteration, based on the Privacy and Security Guidelines of the Organization for Economic Cooperation and Development (OECD)[20], and the Asia Pacific Economic Cooperation's (APEC) Privacy Framework.[21]

Japan
In Japan, the Personal Information Protection Act[22] requires the private sectors to protect personal information and data securely. In the healthcare industry, profession-specific laws, such as the Medical Practitioners' Law[23], the Law on Public Health Nurses, Midwives and Nurses[24], and the Dentist Law[25], require registered health professionals to protect the confidentiality of patient information.

Europe, Africa, Middle East
The European Economic Area (EEA) 30 Member States have enacted data protection laws that follow the principles set forth in the 1995 European Union (EU) Data Protection Directive and the 2002 ePrivacy Directive (as amended in 2009). These laws include a security component, and the obligation to provide adequate security must be passed down to subcontractors. Other countries that have close ties with the EEA, such as Morocco and Tunisia in Africa, and Israel and Dubai in the Middle East, have also adopted similar laws that follow the same principles.

Americas
North, Central, and South American countries are also adopting data protection laws at a rapid pace. Each of these laws includes a security requirement that places on the data custodian the burden of ensuring the protection and security of personal data wherever the data are located, and especially when transferring to a third party. In addition to the data protection laws of Canada[26] and Argentina[27], which have been in existence for several years, Colombia, Mexico, Uruguay, and Peru have recently passed data protection laws that are inspired mainly by the European model and may include references to the APEC Privacy Framework as well.

United States
There is no single privacy law in the United States. A range of government agency and industry sector laws impose privacy obligations in specific circumstances. There are numerous gaps and overlaps in coverage. Current industry sector privacy laws include:
o The Federal Trade Commission Act[28], which prohibits unfair or deceptive practices; this requirement has been applied to company privacy policies in several prominent cases.
o The Electronic Communications Privacy Act of 1986[29], which protects consumers against interception of their electronic communication (with numerous exceptions).
o The Health Insurance Portability and Accountability Act (HIPAA)[30], which contains privacy rules applying to certain categories of health and medical research data.
o The Fair Credit Reporting Act[31], which includes privacy rules for credit reporting and consumer reports.
o The Gramm-Leach-Bliley Act (GLBA)[32], which governs the collection, disclosure, and protection of consumers' nonpublic personal information for financial institutions.
These laws hold organizations responsible for the acts of their subcontractors. For example, the security and privacy rules under GLBA or HIPAA require that organizations compel their subcontractors, in written contracts, to use reasonable security measures and comply with data privacy provisions. Government agencies, such as the Federal Trade Commission (FTC) or the State Attorneys General, have consistently held organizations liable for the activities of their subcontractors.

Worldwide
The Payment Card Industry (PCI) Data Security Standards (DSS)[33], which apply to credit card data anywhere in the world, including data processed by subcontractors, have similar requirements.

Footnotes:
[20] The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were adopted on 23 September 1980, see http://www.oecd.org/document/18/0,3746,en_2649_34255_1815186_1_1_1_1,00.html.
[21] In 2004, the APEC Privacy Framework was endorsed by APEC Ministers; for more details see http://www.worldlii.org/int/other/PrivLRes/2005/4.html.
[22] Act on the Protection of Personal Information (Act No. 57 of 2003); see http://www.cas.go.jp/jp/seisaku/hourei/data/APPI.pdf for details.
[23] Medical Practitioners' Law (Law No. 201 of July 30, 1948) http://jalii.law.nagoya-u.ac.jp/official_gazette/pdf/19480730f_eb.00000.010.010_0010.0010.0_a.127600.01217100.pdf
[24] Law on Public Health Nurses, Midwives and Nurses (Law No. 203 of July 30, 1948) http://jalii.law.nagoya-u.ac.jp/official_gazette/pdf/19480730f_eb.00000.010.010_0010.0010.0_a.127600.01217100.pdf
[25] Dentists Law (Law No. 202 of July 30, 1948); see http://jalii.law.nagoya-u.ac.jp/official_gazette/pdf/19480730f_eb.00000.010.010_0010.0010.0_a.127600.01217100.pdf for details.
[26] Personal Information Protection and Electronic Documents Act (PIPEDA); see http://laws-lois.justice.gc.ca/eng/acts/P-8.6/ for details.
[27] Law for the Protection of Personal Data (LPDP), Law No. 25.326; see http://www.protecciondedatos.com.ar/law25326.htm for details.
[28] See http://www.law.cornell.edu/uscode/text/15/chapter-2/subchapter-I for details.
[29] See http://frwebgate.access.gpo.gov/cgi-bin/usc.cgi?ACTION=RETRIEVE&FILE=$$xa$$busc18.wais&start=3919965&SIZE=21304&TYPE=TEXT for details.
[30] The final HIPAA regulation and modifications can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf.
[31] See http://www.ftc.gov/os/statutes/fcradoc.pdf for details.
[32] See http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/content-detail.html for details.
[33] PCI DSS provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. See https://www.pcisecuritystandards.org/security_standards/ for details.

Appendix B: Acronyms & Abbreviations

Abbreviation / Meaning

AICPA: American Institute of Certified Public Accountants
CSA: Cloud Security Alliance
CoBIT: Control Objectives for Information and Related Technologies. A framework created by ISACA to support governance of IT by defining and aligning business goals with IT goals and IT processes
CSCC: Cloud Standards Customer Council
ENISA: European Network and Information Security Agency
IaaS: Infrastructure as a Service
IEC: International Electrotechnical Commission
ISACA: Information Systems Audit and Control Association
ISO: International Standards Organization
PaaS: Platform as a Service
PCI: Payment Card Industry (Security Standards Council)
PII: Personally identifiable information
SaaS: Software as a Service
SLA: Service Level Agreement
SSAE: Statement on Standards for Attestation Engagements
