Page 1

ASSURED CLOUD COMPUTING CENTER OF EXCELLENCE UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS | INFORMATION TRUST INSTITUTE

assured-cloud-computing.illinois.edu

Security and Privacy Mechanisms: An Analysis of Cloud Service Providers for the US Government

Presenter: Carlo Di Giulio
Advisor: Dr. Masooda Bashir

April 13, 2016

Page 2

Focus of the Research

• Security and privacy risks and pitfalls in commercial cloud services

• Help the US Air Force identify the most secure and “convenient” Cloud Service Providers (CSPs) for the US Government among the selected ones

• Spot possible market trends

• How service providers are addressing government needs

Page 3

Focus of the Research

The research currently focuses on 5 major CSPs

Page 4

Structure

The research is organized into three pillars:

• Norms, regulations, and guidelines

• Products and services

• General privacy and security policies

Page 5

Pillar I: Norms and Guidelines

Different levels of security, different controls and authorizations

Page 6

Pillar I: Norms and Guidelines

The authorization process to provide a service to the DoD is rather complex

Image: The FedRAMP and CC SRG Roadmap (1)

Page 7

Pillar II: Offering

We classified the products and services of each service provider into 3 main categories (NIST 500-292): IaaS, PaaS, SaaS

Each CSP offers a number of services that may be classified and compared to those of the others

Page 8

Pillar II: Offering

A few examples…

Service                | AWS               | Microsoft (Azure) | Google CS        | IBM Softlayer    | VMWare
Data Analytics         | -                 | Event Hubs        | BigQuery         | -                | -
Monitoring & Reporting | Amazon CloudWatch | -                 | Cloud Monitoring | Cloud Monitoring | vRealize Operations Manager
Compute                | Amazon EC2        | Cloud Services    | App Engine       | Virtual Servers  | Compute
Relational Database    | Redshift          | SQL Database      | Cloud SQL        | -                | Continuent
Identity Management    | AWS IAM           | Active Directory  | Cloud IAM        | -                | Identity Manager

Page 9

Pillar III: Policies

In order to classify the policies, standardization and classification are required. Reference frameworks:

• NIST 800-53

• FedRAMP Baseline (medium-high)

• Frameworks issued by credible NGOs: AICPA (SOC 2 criteria), CSA (CCM 3.0.1)

Page 10

Pillar III: Policies - Examples

Do you allow tenants/customers to define password and account lockout policies for their accounts? (IAM 12.9 Indicator, CCM 3.0.1)

AWS Identity and Access Management (IAM) lets [the tenant] manage several types of long-term security credentials for IAM users (2)

(…) must at a minimum meet Microsoft internal IT requirements, but an internal organization can increase the strength past this standard (3)

Not at this time (4)

Page 11

Pillar III: Policies - Examples

Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? (EKM 03.02 Indicator, CCM 3.0.1)

(…) option of encrypting customer data transmitted to and from Microsoft datacenters over public networks. (…) private networks with encryption for replication of non-public customer data between Microsoft datacenters (3)

Yes. (…) uses AES-256 encryption to encapsulate in-transit workloads. For in-cloud vMotion activities, a dedicated, secure and encrypted network is used exclusively for this purpose (…) (4)

Tenant Control Consideration (5)
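The classification step of Pillar III (slides 9 to 11), carried out in Python as an added example that is not part of the original deck: free-text CAIQ-style answers are normalized into comparable verdicts and cross-referenced per CSP and CCM 3.0.1 indicator. Only the indicator ids IAM-12.9 and EKM-03.02 come from the slides; the verdict categories, keyword rules, CSP labels and answer texts are constructed for illustration.

```python
"""Normalize CAIQ-style answers and cross-reference them per CSP and CCM 3.0.1 indicator.
Added example, not from the slides: verdict categories, keyword rules, CSP labels and answer
texts are constructed; only the indicator ids IAM-12.9 and EKM-03.02 are quoted from the deck."""
import re
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    YES = "yes"                # provider states the control is implemented
    TENANT = "tenant-control"  # available, but the tenant must configure or enable it
    NO = "no"                  # provider states the control is not available
    UNCLEAR = "unclear"        # free text needs analyst review before scoring

@dataclass(frozen=True)
class Answer:
    csp: str
    indicator: str  # CCM 3.0.1 control id, e.g. "IAM-12.9" or "EKM-03.02"
    text: str

# Evaluated in order: an explicit negative wins over a tenant clause, which wins over a yes,
# so "Yes, but the tenant must enable it" is scored as TENANT rather than YES.
_RULES = (
    (Verdict.NO, (r"\bnot at this time\b", r"^\W*no\b",
                  r"\bnot (?:currently )?(?:supported|available|offered)\b")),
    (Verdict.TENANT, (r"\btenant control\b", r"\bcustomer(?:'s)? responsibilit",
                      r"\btenant (?:must|is responsible)\b")),
    (Verdict.YES, (r"^\W*yes\b", r"\b(?:lets|allows|enables)\b", r"\bencrypt")),
)

def classify(text: str) -> Verdict:
    """Map one free-text CAIQ answer to a comparable verdict (UNCLEAR if no rule fires)."""
    for verdict, patterns in _RULES:
        if any(re.search(p, text, re.IGNORECASE) for p in patterns):
            return verdict
    return Verdict.UNCLEAR

def matrix(answers):
    """Build {csp: {indicator: Verdict}} so providers line up indicator by indicator."""
    m = {}
    for a in answers:
        m.setdefault(a.csp, {})[a.indicator] = classify(a.text)
    return m

def coverage(m, indicators):
    """Per CSP, count indicators met without tenant action; unanswered ones count as UNCLEAR."""
    return {csp: sum(1 for i in indicators if row.get(i, Verdict.UNCLEAR) is Verdict.YES)
            for csp, row in m.items()}
```

UNCLEAR answers (such as the Microsoft password-strength wording quoted on slide 10) are deliberately not scored, so the matrix shows the analyst where manual review is still needed.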

Page 12

Next Steps

Conclude the policy analysis

Select relevant policy indicators

Cross reference policies and services

Explore features and differences among services more in detail

Collaborate with a Technical SME (CS Grad Student) to specify security criteria for the analysis

Page 13

For more information:

Dr. Masooda Bashir: [email protected]

Carlo Di Giulio: [email protected]

Thanks for your Attention!

Page 14

References

(1) Bockelman, P. and McDermott, A. (2015). DoD-Compliant Implementations in the AWS Cloud. Reference Architectures. Amazon Web Services, April 2015. Retrieved from https://aws.amazon.com/compliance/dod/

(2) Amazon Web Services (2016). Amazon Web Services: Risk and Compliance. White Paper. Retrieved from http://aws.amazon.com/compliance/aws-whitepapers/

(3) Microsoft (2015). Standard Response to Request for Information: Microsoft Azure Security, Privacy, and Compliance. White Paper. Retrieved from https://cloudsecurityalliance.org/

(4) VMware (2015). VMware vCloud Air IaaS CAIQ v1.0 - Consensus Assessments Initiative Questionnaire v3.0.1. Retrieved from https://cloudsecurityalliance.org/

(5) Softlayer (2016). CAIQ v1.0 - Consensus Assessments Initiative Questionnaire v3.0.1. Retrieved from https://cloudsecurityalliance.org/